From 9ad0e9a1675af3dde613cdfb60c370d5ca6c128f Mon Sep 17 00:00:00 2001
From: Pavan <pavan.nayak@sap.com>
Date: Fri, 18 Aug 2023 11:40:57 +0200
Subject: [PATCH] CAP Operator: Initial open source version created

Initial Open Source version

Change-Id: I51258701067d3b05b9a79dbff0d37101c2dac1e8
---
 .dockerignore                                 |    4 +
 .github/workflows/go.yml                      |   32 +
 .github/workflows/publish-website.yaml        |   79 +
 .gitignore                                    |   24 +
 .reuse/dep5                                   |   20 +-
 .vscode/launch.json                           |   15 +
 LICENSE                                       |   27 +-
 README.md                                     |   32 +-
 build/controller/Dockerfile                   |   15 +
 build/mtx-job/Dockerfile                      |   15 +
 build/server/Dockerfile                       |   15 +
 build/web-hooks/Dockerfile                    |   15 +
 cmd/controller/main.go                        |  129 +
 cmd/controller/temp.go                        |  371 +++
 cmd/mtx-job/main.go                           |  543 ++++
 cmd/mtx-job/main_test.go                      |  510 ++++
 cmd/server/internal/client.go                 |   19 +
 cmd/server/internal/handler.go                |  585 +++++
 cmd/server/internal/handler_test.go           |  663 +++++
 cmd/server/internal/jwt.go                    |  235 ++
 cmd/server/internal/jwt_test.go               |  360 +++
 .../internal/testdata/auth.service.local.crt  |   30 +
 .../internal/testdata/auth.service.local.key  |   28 +
 cmd/server/internal/testdata/rootCA.pem       |   23 +
 cmd/server/server.go                          |   71 +
 cmd/web-hooks/internal/handler/handler.go     |  629 +++++
 .../internal/handler/handler_test.go          | 1164 +++++++++
 cmd/web-hooks/main.go                         |   77 +
 crds/capapplication.yaml                      |  133 +
 crds/capapplicationversion.yaml               |  755 ++++++
 crds/captenant.yaml                           |   95 +
 crds/captenantoperation.yaml                  |  106 +
 go.mod                                        |   79 +
 go.sum                                        |  251 ++
 hack/LICENSE_BOILERPLATE.txt                  |    4 +
 hack/api-reference/config.json                |   20 +
 hack/api-reference/generate.sh                |   14 +
 hack/api-reference/template/members.tpl       |   48 +
 hack/api-reference/template/pkg.tpl           |   49 +
 hack/api-reference/template/placeholder.go    |    2 +
 hack/api-reference/template/type.tpl          |   81 +
 hack/generate.sh                              |   65 +
 hack/helm-reference/generate.sh               |   22 +
 hack/tools.go                                 |    8 +
 internal/controller/common_test.go            |  638 +++++
 internal/controller/controller.go             |  281 +++
 internal/controller/controller_test.go        |  292 +++
 internal/controller/informers.go              |  244 ++
 internal/controller/informers_test.go         |  149 ++
 .../controller/reconcile-capapplication.go    |  408 +++
 .../reconcile-capapplication_test.go          | 1128 +++++++++
 .../reconcile-capapplicationversion.go        |  838 +++++++
 .../reconcile-capapplicationversion_test.go   |  540 ++++
 internal/controller/reconcile-captenant.go    |  697 +++++
 .../controller/reconcile-captenant_test.go    |  595 +++++
 .../reconcile-captenantoperation.go           |  682 +++++
 .../reconcile-captenantoperation_test.go      |  655 +++++
 internal/controller/reconcile-domains.go      | 1274 ++++++++++
 internal/controller/reconcile-domains_test.go |  284 +++
 internal/controller/reconcile.go              |  523 ++++
 internal/controller/reconcile_test.go         |  585 +++++
 internal/controller/reconciliation-result.go  |   46 +
 .../capapplication/ca-01.expected.yaml        |   42 +
 .../capapplication/ca-01.initial.yaml         |   38 +
 .../capapplication/ca-02.expected.yaml        |   49 +
 .../capapplication/ca-02.initial.yaml         |   42 +
 .../capapplication/ca-03.expected.yaml        |   52 +
 .../capapplication/ca-03.initial.yaml         |   42 +
 .../capapplication/ca-04.expected.yaml        |   50 +
 .../capapplication/ca-04.initial.yaml         |   43 +
 .../capapplication/ca-05.expected.yaml        |   52 +
 .../capapplication/ca-05.initial.yaml         |   42 +
 .../capapplication/ca-06.expected.yaml        |   57 +
 .../capapplication/ca-06.initial.yaml         |   43 +
 .../capapplication/ca-07.expected.yaml        |   49 +
 .../capapplication/ca-07.initial.yaml         |   42 +
 .../capapplication/ca-08.expected.yaml        |   49 +
 .../capapplication/ca-08.initial.yaml         |   42 +
 .../capapplication/ca-09.expected.yaml        |   50 +
 .../capapplication/ca-09.initial.yaml         |   43 +
 .../capapplication/ca-10.expected.yaml        |   50 +
 .../capapplication/ca-10.initial.yaml         |   43 +
 .../capapplication/ca-11.expected.yaml        |   50 +
 .../capapplication/ca-11.initial.yaml         |   43 +
 .../capapplication/ca-12.expected.yaml        |   50 +
 .../capapplication/ca-12.initial.yaml         |   43 +
 .../capapplication/ca-13.expected.yaml        |   42 +
 .../capapplication/ca-13.initial.yaml         |   40 +
 .../capapplication/ca-14.expected.yaml        |   41 +
 .../capapplication/ca-14.initial.yaml         |   41 +
 .../capapplication/ca-15.expected.yaml        |   50 +
 .../capapplication/ca-15.initial.yaml         |   43 +
 .../capapplication/ca-16.expected.yaml        |   46 +
 .../capapplication/ca-16.initial.yaml         |   47 +
 .../capapplication/ca-17.expected.yaml        |   47 +
 .../capapplication/ca-17.initial.yaml         |   47 +
 .../capapplication/ca-18.expected.yaml        |   47 +
 .../capapplication/ca-18.initial.yaml         |   47 +
 .../capapplication/ca-19.expected.yaml        |   46 +
 .../capapplication/ca-19.initial.yaml         |   47 +
 .../capapplication/ca-20.expected.yaml        |   47 +
 .../capapplication/ca-20.initial.yaml         |   47 +
 .../capapplication/ca-21.expected.yaml        |   50 +
 .../capapplication/ca-21.initial.yaml         |   43 +
 .../capapplication/ca-22.expected.yaml        |   53 +
 .../capapplication/ca-22.initial.yaml         |   42 +
 .../capapplication/ca-23.expected.yaml        |   58 +
 .../capapplication/ca-23.initial.yaml         |   43 +
 .../capapplication/ca-24.expected.yaml        |   50 +
 .../capapplication/ca-24.initial.yaml         |   42 +
 .../capapplication/ca-25.expected.yaml        |   50 +
 .../capapplication/ca-25.initial.yaml         |   43 +
 .../capapplication/ca-26.expected.yaml        |   50 +
 .../capapplication/ca-26.initial.yaml         |   43 +
 .../capapplication/ca-27.expected.yaml        |   50 +
 .../capapplication/ca-27.initial.yaml         |   43 +
 .../capapplication/ca-28.expected.yaml        |   50 +
 .../capapplication/ca-28.initial.yaml         |   43 +
 .../capapplication/ca-29.expected.yaml        |   55 +
 .../capapplication/ca-29.initial.yaml         |   52 +
 .../capapplication/ca-30.expected.yaml        |   50 +
 .../capapplication/ca-30.initial.yaml         |   45 +
 .../capapplication/ca-31.expected.yaml        |   58 +
 .../capapplication/ca-31.initial.yaml         |   44 +
 .../capapplication/ca-32.expected.yaml        |   58 +
 .../capapplication/ca-32.initial.yaml         |   44 +
 .../capapplication/ca-33.expected.yaml        |   58 +
 .../capapplication/ca-33.initial.yaml         |   44 +
 .../capapplication/ca-34.expected.yaml        |   43 +
 .../capapplication/ca-34.initial.yaml         |   41 +
 .../capapplication/ca-35.expected.yaml        |   47 +
 .../capapplication/ca-35.initial.yaml         |   46 +
 .../capapplication/ca-36.expected.yaml        |   50 +
 .../capapplication/ca-36.initial.yaml         |   44 +
 .../capapplication/ca-37.expected.yaml        |   48 +
 .../capapplication/ca-37.initial.yaml         |   48 +
 .../capapplication/ca-38.expected.yaml        |   49 +
 .../capapplication/ca-38.initial.yaml         |   48 +
 .../capapplication/ca-39.expected.yaml        |   49 +
 .../capapplication/ca-39.initial.yaml         |   48 +
 .../capapplication/ca-40.expected.yaml        |   48 +
 .../capapplication/ca-40.initial.yaml         |   48 +
 .../capapplication/ca-41.expected.yaml        |   49 +
 .../capapplication/ca-41.initial.yaml         |   48 +
 .../capapplication/ca-42.expected.yaml        |   48 +
 .../capapplication/ca-42.initial.yaml         |   42 +
 .../capapplication/ca-43.expected.yaml        |   50 +
 .../capapplication/ca-43.initial.yaml         |   48 +
 .../capapplication/ca-44.expected.yaml        |   49 +
 .../capapplication/ca-45.expected.yaml        |   55 +
 .../capapplication/ca-45.initial.yaml         |   52 +
 .../testdata/capapplication/ca-dns-error.yaml |   27 +
 .../capapplication/ca-dns-not-ready.yaml      |   23 +
 .../testdata/capapplication/ca-dns.yaml       |   26 +
 .../cat-consumer-no-finalizers-ready.yaml     |   35 +
 .../capapplication/cat-consumer-ready.yaml    |   38 +
 .../cat-consumer-upg-never-deleting.yaml      |   37 +
 .../cat-consumer-upg-never-ready.yaml         |   37 +
 .../capapplication/cat-provider-error.yaml    |   37 +
 .../cat-provider-no-finalizers-error.yaml     |   35 +
 .../cat-provider-no-finalizers-ready.yaml     |   35 +
 .../cat-provider-upgrade-error.yaml           |   37 +
 .../cav-33-version-updated-ready.yaml         |   67 +
 .../testdata/capapplication/cav-error.yaml    |   67 +
 .../cav-name-modified-ready.yaml              |   67 +
 .../testdata/capapplication/gateway.yaml      |   30 +
 .../istio-ingress-with-cert-error.yaml        |   65 +
 ...istio-ingress-with-cert-no-finalizers.yaml |   62 +
 .../istio-ingress-with-cert.yaml              |   64 +
 .../istio-ingress-with-certManager-error.yaml |   68 +
 ...ngress-with-certManager-no-finalizers.yaml |   66 +
 .../istio-ingress-with-certManager.yaml       |   68 +
 .../istio-ingress-with-no-cert.yaml           |   46 +
 .../cat-provider-version.yaml                 |   31 +
 .../cav-annotations.yaml                      |  170 ++
 .../cav-cluster-netpol-port.yaml              |  153 ++
 .../cav-custom-destination-config.yaml        |   71 +
 .../cav-custom-labels.yaml                    |  101 +
 .../cav-empty-status.yaml                     |   48 +
 .../cav-error-condition-status.yaml           |   55 +
 .../cav-error-status.yaml                     |   50 +
 .../cav-failed-content-job.yaml               |   70 +
 .../capapplicationversion/cav-invalid-ca.yaml |   44 +
 .../cav-invalid-env-cap.yaml                  |   69 +
 .../cav-invalid-env-content.yaml              |   63 +
 .../cav-invalid-env-job-worker.yaml           |   80 +
 .../cav-merged-destinations-router.yaml       |   66 +
 .../cav-pod-security-context.yaml             |  167 ++
 .../cav-probes-and-resources.yaml             |  143 ++
 .../cav-processing-job-finished.yaml          |   67 +
 .../capapplicationversion/cav-processing.yaml |   66 +
 .../cav-ready-deleting.yaml                   |   68 +
 .../cav-security-context.yaml                 |  156 ++
 .../cav-unknown-deleting.yaml                 |   59 +
 .../cav-valid-env-config.yaml                 |   91 +
 .../content-job-completed.yaml                |   71 +
 .../content-job-failed.yaml                   |   72 +
 .../content-job-pending.yaml                  |   69 +
 .../expected/cav-deleted-unknown.yaml         |   67 +
 .../expected/cav-deleted.yaml                 |   68 +
 .../expected/cav-deleting.yaml                |   69 +
 .../cav-error-condition-processing.yaml       |   68 +
 .../expected/cav-error-processing.yaml        |   68 +
 .../expected/cav-failed-content-job.yaml      |   71 +
 .../expected/cav-failed-env-cap.yaml          |   78 +
 .../expected/cav-failed-env-content.yaml      |   72 +
 .../expected/cav-failed-env-job-worker.yaml   |   89 +
 .../expected/cav-missing-content-job.yaml     |   69 +
 .../expected/cav-missing-secrets.yaml         |   68 +
 .../expected/cav-processing.yaml              |   68 +
 .../expected/cav-ready-annotations.yaml       |  449 ++++
 .../expected/cav-ready-app-netpol.yaml        |  308 +++
 .../cav-ready-cluster-netpol-port.yaml        |  349 +++
 .../expected/cav-ready-content-job.yaml       |   70 +
 .../cav-ready-custom-destination-config.yaml  |  153 ++
 .../cav-ready-custom-labels-config.yaml       |  189 ++
 .../cav-ready-merged-destinations-router.yaml |  142 ++
 .../cav-ready-pod-security-context.yaml       |  399 +++
 .../cav-ready-probes-and-resources.yaml       |  248 ++
 .../expected/cav-ready-security-context.yaml  |  355 +++
 .../expected/cav-ready-valid-env-config.yaml  |  174 ++
 .../expected/cav-ready.yaml                   |   68 +
 .../testdata/captenant/cat-01.initial.yaml    |   11 +
 .../testdata/captenant/cat-02.expected.yaml   |   36 +
 .../testdata/captenant/cat-02.initial.yaml    |   11 +
 .../testdata/captenant/cat-03.expected.yaml   |   89 +
 .../testdata/captenant/cat-03.initial.yaml    |   36 +
 .../testdata/captenant/cat-04.expected.yaml   |   99 +
 .../testdata/captenant/cat-04.initial.yaml    |   72 +
 .../testdata/captenant/cat-05.expected.yaml   |   36 +
 .../testdata/captenant/cat-05.initial.yaml    |   72 +
 .../testdata/captenant/cat-06.expected.yaml   |   36 +
 .../testdata/captenant/cat-06.initial.yaml    |   69 +
 .../testdata/captenant/cat-07.expected.yaml   |   67 +
 .../testdata/captenant/cat-07.initial.yaml    |   37 +
 .../testdata/captenant/cat-08.expected.yaml   |   37 +
 .../testdata/captenant/cat-08.initial.yaml    |   37 +
 .../testdata/captenant/cat-09.expected.yaml   |   67 +
 .../testdata/captenant/cat-09.initial.yaml    |   38 +
 .../testdata/captenant/cat-10.expected.yaml   |   37 +
 .../testdata/captenant/cat-10.initial.yaml    |   74 +
 .../testdata/captenant/cat-11.expected.yaml   |   36 +
 .../testdata/captenant/cat-11.initial.yaml    |   37 +
 .../testdata/captenant/cat-13.expected.yaml   |  105 +
 .../testdata/captenant/cat-13.initial.yaml    |   75 +
 .../testdata/captenant/cat-14.initial.yaml    |   29 +
 .../testdata/captenant/cat-15.expected.yaml   |  102 +
 .../testdata/captenant/cat-15.initial.yaml    |   74 +
 .../testdata/captenant/cat-16.expected.yaml   |   74 +
 .../testdata/captenant/cat-17.expected.yaml   |  124 +
 .../testdata/captenant/cat-17.initial.yaml    |  101 +
 .../testdata/captenant/cat-20.expected.yaml   |   36 +
 .../testdata/captenant/cat-20.initial.yaml    |   36 +
 .../testdata/captenant/cat-21.expected.yaml   |   78 +
 .../testdata/captenant/cat-21.initial.yaml    |  109 +
 .../testdata/captenant/cat-22.initial.yaml    |  106 +
 .../testdata/captenant/cat-23.expected.yaml   |   40 +
 .../testdata/captenant/cat-23.initial.yaml    |   75 +
 .../testdata/captenant/cat-24.expected.yaml   |   70 +
 .../testdata/captenant/cat-24.initial.yaml    |   74 +
 .../testdata/captenant/cat-25.expected.yaml   |   70 +
 .../testdata/captenant/cat-25.initial.yaml    |   39 +
 .../testdata/captenant/cat-26.initial.yaml    |   72 +
 .../testdata/captenant/cat-27.expected.yaml   |   67 +
 .../testdata/captenant/cat-28.expected.yaml   |   91 +
 .../testdata/captenant/cat-28.initial.yaml    |   36 +
 .../testdata/captenant/cat-29.expected.yaml   |   44 +
 .../testdata/captenant/cat-29.initial.yaml    |   79 +
 .../captenant/cat-with-no-version.yaml        |   35 +
 .../changed-provider-tenant-dnsentry.yaml     |   27 +
 .../provider-tenant-dnsentry-not-ready.yaml   |   27 +
 .../captenant/provider-tenant-dnsentry.yaml   |   27 +
 .../captenant/provider-tenant-dr-v1.yaml      |   27 +
 .../captenant/provider-tenant-vs-v1.yaml      |   34 +
 ...o-be-updated-provider-tenant-dnsentry.yaml |   27 +
 .../captenantoperation/ctop-01.expected.yaml  |   30 +
 .../captenantoperation/ctop-01.initial.yaml   |   13 +
 .../captenantoperation/ctop-02.expected.yaml  |   31 +
 .../captenantoperation/ctop-02.initial.yaml   |   30 +
 .../captenantoperation/ctop-03.expected.yaml  |   34 +
 .../captenantoperation/ctop-03.initial.yaml   |   28 +
 .../captenantoperation/ctop-04.expected.yaml  |  129 +
 .../captenantoperation/ctop-04.initial.yaml   |   32 +
 .../captenantoperation/ctop-05.expected.yaml  |   31 +
 .../captenantoperation/ctop-05.initial.yaml   |   13 +
 .../captenantoperation/ctop-06.expected.yaml  |  134 +
 .../captenantoperation/ctop-06.initial.yaml   |   33 +
 .../captenantoperation/ctop-07.expected.yaml  |  114 +
 .../captenantoperation/ctop-07.initial.yaml   |   37 +
 .../captenantoperation/ctop-08.expected.yaml  |  119 +
 .../captenantoperation/ctop-08.initial.yaml   |  119 +
 .../captenantoperation/ctop-09.expected.yaml  |  138 +
 .../captenantoperation/ctop-09.initial.yaml   |   42 +
 .../captenantoperation/ctop-10.expected.yaml  |   42 +
 .../captenantoperation/ctop-10.initial.yaml   |  141 ++
 .../captenantoperation/ctop-11.expected.yaml  |   42 +
 .../captenantoperation/ctop-11.initial.yaml   |  118 +
 .../captenantoperation/ctop-12.expected.yaml  |   44 +
 .../captenantoperation/ctop-12.initial.yaml   |  119 +
 .../captenantoperation/ctop-13.expected.yaml  |   43 +
 .../captenantoperation/ctop-13.initial.yaml   |  142 ++
 .../captenantoperation/ctop-14.expected.yaml  |   42 +
 .../captenantoperation/ctop-14.initial.yaml   |   43 +
 .../captenantoperation/ctop-15.expected.yaml  |   16 +
 .../captenantoperation/ctop-15.initial.yaml   |   13 +
 .../captenantoperation/ctop-16.expected.yaml  |  129 +
 .../captenantoperation/ctop-16.initial.yaml   |   32 +
 .../captenantoperation/ctop-17.expected.yaml  |  129 +
 .../captenantoperation/ctop-17.initial.yaml   |  128 +
 .../captenantoperation/ctop-18.expected.yaml  |  110 +
 .../captenantoperation/ctop-18.initial.yaml   |   32 +
 .../captenantoperation/ctop-19.expected.yaml  |  109 +
 .../captenantoperation/ctop-19.initial.yaml   |   32 +
 .../captenantoperation/ctop-20.expected.yaml  |  109 +
 .../captenantoperation/ctop-20.initial.yaml   |   32 +
 .../captenantoperation/ctop-21.expected.yaml  |  115 +
 .../captenantoperation/ctop-21.initial.yaml   |   32 +
 .../captenantoperation/ctop-22.expected.yaml  |  118 +
 .../captenantoperation/ctop-22.initial.yaml   |   32 +
 .../captenantoperation/ctop-23.expected.yaml  |  119 +
 .../captenantoperation/ctop-23.initial.yaml   |   37 +
 .../captenantoperation/ctop-24.expected.yaml  |  110 +
 .../captenantoperation/ctop-24.initial.yaml   |   32 +
 .../captenantoperation/ctop-25.expected.yaml  |  123 +
 .../captenantoperation/ctop-25.initial.yaml   |   37 +
 .../captenantoperation/ctop-26.expected.yaml  |  134 +
 .../captenantoperation/ctop-26.initial.yaml   |   33 +
 .../common/capapplication-multi-xsuaa.yaml    |   41 +
 .../testdata/common/capapplication.yaml       |   39 +
 .../capapplicationversion-invalid-env.yaml    |   78 +
 ...applicationversion-v1-mtxs-custom-cmd.yaml |   72 +
 .../common/capapplicationversion-v1-mtxs.yaml |   68 +
 .../capapplicationversion-v1-not-ready.yaml   |   65 +
 .../capapplicationversion-v1-resources.yaml   |   74 +
 ...pplicationversion-v1-security-context.yaml |   77 +
 .../common/capapplicationversion-v1.yaml      |   70 +
 .../capapplicationversion-v2-annotations.yaml |  104 +
 .../capapplicationversion-v2-multi-xsuaa.yaml |   78 +
 ...icationversion-v2-multiple-tenant-ops.yaml |   98 +
 ...applicationversion-v2-no-mtx-workload.yaml |   63 +
 ...cationversion-v2-pod-security-context.yaml |  101 +
 .../common/capapplicationversion-v2.yaml      |   66 +
 .../common/capapplicationversion-v3.yaml      |   66 +
 .../common/captenant-provider-ready.yaml      |   37 +
 .../captenant-provider-upgraded-ready.yaml    |   37 +
 .../testdata/common/credential-secrets.yaml   |   35 +
 .../testdata/common/istio-ingress.yaml        |   46 +
 .../testdata/common/operator-gateway.yaml     |   26 +
 internal/controller/utils.go                  |  222 ++
 internal/util/config.go                       |   59 +
 internal/util/types.go                        |   42 +
 internal/util/uaa.go                          |   40 +
 internal/util/uaa_test.go                     |   97 +
 internal/util/vcap-credentials.go             |  153 ++
 internal/util/vcap-credentials_test.go        |  215 ++
 pkg/apis/sme.sap.com/v1alpha1/doc.go          |    8 +
 pkg/apis/sme.sap.com/v1alpha1/register.go     |   57 +
 pkg/apis/sme.sap.com/v1alpha1/types.go        |  475 ++++
 pkg/apis/sme.sap.com/v1alpha1/utils.go        |   93 +
 .../v1alpha1/zz_generated.deepcopy.go         |  793 ++++++
 .../applyconfiguration/internal/internal.go   |   50 +
 .../v1alpha1/applicationdomains.go            |   61 +
 .../sme.sap.com/v1alpha1/btp.go               |   32 +
 .../v1alpha1/btptenantidentification.go       |   36 +
 .../sme.sap.com/v1alpha1/capapplication.go    |  207 ++
 .../v1alpha1/capapplicationspec.go            |   63 +
 .../v1alpha1/capapplicationstatus.go          |   69 +
 .../v1alpha1/capapplicationversion.go         |  207 ++
 .../v1alpha1/capapplicationversionspec.go     |   70 +
 .../v1alpha1/capapplicationversionstatus.go   |   62 +
 .../sme.sap.com/v1alpha1/captenant.go         |  207 ++
 .../v1alpha1/captenantoperation.go            |  207 ++
 .../v1alpha1/captenantoperationspec.go        |   71 +
 .../v1alpha1/captenantoperationstatus.go      |   69 +
 .../v1alpha1/captenantoperationstep.go        |   49 +
 .../sme.sap.com/v1alpha1/captenantspec.go     |   66 +
 .../sme.sap.com/v1alpha1/captenantstatus.go   |   80 +
 .../sme.sap.com/v1alpha1/containerdetails.go  |   89 +
 .../sme.sap.com/v1alpha1/deploymentdetails.go |  134 +
 .../sme.sap.com/v1alpha1/genericstatus.go     |   42 +
 .../sme.sap.com/v1alpha1/jobdetails.go        |  111 +
 .../sme.sap.com/v1alpha1/namevalue.go         |   36 +
 .../sme.sap.com/v1alpha1/ports.go             |   67 +
 .../sme.sap.com/v1alpha1/serviceinfo.go       |   45 +
 .../sme.sap.com/v1alpha1/tenantoperations.go  |   60 +
 .../tenantoperationworkloadreference.go       |   36 +
 .../sme.sap.com/v1alpha1/workloaddetails.go   |   86 +
 pkg/client/applyconfiguration/utils.go        |   75 +
 pkg/client/clientset/versioned/clientset.go   |  108 +
 .../versioned/fake/clientset_generated.go     |   73 +
 pkg/client/clientset/versioned/fake/doc.go    |    8 +
 .../clientset/versioned/fake/register.go      |   44 +
 pkg/client/clientset/versioned/scheme/doc.go  |    8 +
 .../clientset/versioned/scheme/register.go    |   44 +
 .../sme.sap.com/v1alpha1/capapplication.go    |  244 ++
 .../v1alpha1/capapplicationversion.go         |  244 ++
 .../typed/sme.sap.com/v1alpha1/captenant.go   |  244 ++
 .../v1alpha1/captenantoperation.go            |  244 ++
 .../typed/sme.sap.com/v1alpha1/doc.go         |    8 +
 .../typed/sme.sap.com/v1alpha1/fake/doc.go    |    8 +
 .../v1alpha1/fake/fake_capapplication.go      |  177 ++
 .../fake/fake_capapplicationversion.go        |  177 ++
 .../v1alpha1/fake/fake_captenant.go           |  177 ++
 .../v1alpha1/fake/fake_captenantoperation.go  |  177 ++
 .../v1alpha1/fake/fake_sme.sap.com_client.go  |   40 +
 .../v1alpha1/generated_expansion.go           |   15 +
 .../v1alpha1/sme.sap.com_client.go            |  110 +
 .../informers/externalversions/factory.go     |  239 ++
 .../informers/externalversions/generic.go     |   56 +
 .../internalinterfaces/factory_interfaces.go  |   28 +
 .../externalversions/sme.sap.com/interface.go |   34 +
 .../sme.sap.com/v1alpha1/capapplication.go    |   78 +
 .../v1alpha1/capapplicationversion.go         |   78 +
 .../sme.sap.com/v1alpha1/captenant.go         |   78 +
 .../v1alpha1/captenantoperation.go            |   78 +
 .../sme.sap.com/v1alpha1/interface.go         |   54 +
 .../sme.sap.com/v1alpha1/capapplication.go    |   87 +
 .../v1alpha1/capapplicationversion.go         |   87 +
 .../listers/sme.sap.com/v1alpha1/captenant.go |   87 +
 .../v1alpha1/captenantoperation.go            |   87 +
 .../v1alpha1/expansion_generated.go           |   39 +
 website/archetypes/default.md                 |    6 +
 website/content/en/_index.md                  |   17 +
 website/content/en/docs/_index.md             |   25 +
 website/content/en/docs/concepts/_index.md    |   16 +
 .../concepts/cap-application-components.md    |   30 +
 .../concepts/operator-components/_index.md    |   23 +
 .../operator-components/controller.md         |   23 +
 .../concepts/operator-components/mtx-job.md   |   16 +
 .../subscription-server.md                    |   26 +
 .../content/en/docs/configuration/_index.md   |   20 +
 .../content/en/docs/installation/_index.md    |   10 +
 .../en/docs/installation/helm-install.md      |   56 +
 .../en/docs/installation/prerequisites.md     |   30 +
 website/content/en/docs/reference/_index.md   |   10 +
 website/content/en/docs/support/_index.md     |   19 +
 .../content/en/docs/troubleshoot/_index.md    |   80 +
 website/content/en/docs/usage/_index.md       |    8 +
 .../en/docs/usage/deploying-application.md    |  127 +
 .../content/en/docs/usage/prerequisites.md    |  105 +
 .../content/en/docs/usage/resources/_index.md |    8 +
 .../en/docs/usage/resources/capapplication.md |   67 +
 .../usage/resources/capapplicationversion.md  |  318 +++
 .../en/docs/usage/resources/captenant.md      |   32 +
 .../usage/resources/captenantoperation.md     |   44 +
 .../en/docs/usage/tenant-provisioning.md      |   65 +
 .../content/en/docs/usage/version-upgrade.md  |  120 +
 website/go.mod                                |    5 +
 website/go.sum                                |    5 +
 website/hugo.yaml                             |  167 ++
 website/includes/api-reference.html           | 2234 +++++++++++++++++
 website/includes/chart-values.md              |   67 +
 website/layouts/shortcodes/include.html       |    1 +
 website/package-lock.json                     | 1611 ++++++++++++
 website/package.json                          |    7 +
 .../img/activity-tenantprovisioning.png       |  Bin 0 -> 113312 bytes
 website/static/img/block-cluster.png          |  Bin 0 -> 73905 bytes
 website/static/img/block-controller.png       |  Bin 0 -> 40858 bytes
 website/static/img/block-subscription.png     |  Bin 0 -> 88912 bytes
 website/static/img/logo.png                   |  Bin 0 -> 7522 bytes
 website/static/img/workflow.png               |  Bin 0 -> 256756 bytes
 461 files changed, 49705 insertions(+), 62 deletions(-)
 create mode 100644 .dockerignore
 create mode 100644 .github/workflows/go.yml
 create mode 100644 .github/workflows/publish-website.yaml
 create mode 100644 .gitignore
 create mode 100644 .vscode/launch.json
 create mode 100644 build/controller/Dockerfile
 create mode 100644 build/mtx-job/Dockerfile
 create mode 100644 build/server/Dockerfile
 create mode 100644 build/web-hooks/Dockerfile
 create mode 100644 cmd/controller/main.go
 create mode 100644 cmd/controller/temp.go
 create mode 100644 cmd/mtx-job/main.go
 create mode 100644 cmd/mtx-job/main_test.go
 create mode 100644 cmd/server/internal/client.go
 create mode 100644 cmd/server/internal/handler.go
 create mode 100644 cmd/server/internal/handler_test.go
 create mode 100644 cmd/server/internal/jwt.go
 create mode 100644 cmd/server/internal/jwt_test.go
 create mode 100644 cmd/server/internal/testdata/auth.service.local.crt
 create mode 100644 cmd/server/internal/testdata/auth.service.local.key
 create mode 100644 cmd/server/internal/testdata/rootCA.pem
 create mode 100644 cmd/server/server.go
 create mode 100644 cmd/web-hooks/internal/handler/handler.go
 create mode 100644 cmd/web-hooks/internal/handler/handler_test.go
 create mode 100644 cmd/web-hooks/main.go
 create mode 100644 crds/capapplication.yaml
 create mode 100644 crds/capapplicationversion.yaml
 create mode 100644 crds/captenant.yaml
 create mode 100644 crds/captenantoperation.yaml
 create mode 100644 go.mod
 create mode 100644 go.sum
 create mode 100644 hack/LICENSE_BOILERPLATE.txt
 create mode 100644 hack/api-reference/config.json
 create mode 100644 hack/api-reference/generate.sh
 create mode 100644 hack/api-reference/template/members.tpl
 create mode 100644 hack/api-reference/template/pkg.tpl
 create mode 100644 hack/api-reference/template/placeholder.go
 create mode 100644 hack/api-reference/template/type.tpl
 create mode 100644 hack/generate.sh
 create mode 100644 hack/helm-reference/generate.sh
 create mode 100644 hack/tools.go
 create mode 100644 internal/controller/common_test.go
 create mode 100644 internal/controller/controller.go
 create mode 100644 internal/controller/controller_test.go
 create mode 100644 internal/controller/informers.go
 create mode 100644 internal/controller/informers_test.go
 create mode 100644 internal/controller/reconcile-capapplication.go
 create mode 100644 internal/controller/reconcile-capapplication_test.go
 create mode 100644 internal/controller/reconcile-capapplicationversion.go
 create mode 100644 internal/controller/reconcile-capapplicationversion_test.go
 create mode 100644 internal/controller/reconcile-captenant.go
 create mode 100644 internal/controller/reconcile-captenant_test.go
 create mode 100644 internal/controller/reconcile-captenantoperation.go
 create mode 100644 internal/controller/reconcile-captenantoperation_test.go
 create mode 100644 internal/controller/reconcile-domains.go
 create mode 100644 internal/controller/reconcile-domains_test.go
 create mode 100644 internal/controller/reconcile.go
 create mode 100644 internal/controller/reconcile_test.go
 create mode 100644 internal/controller/reconciliation-result.go
 create mode 100644 internal/controller/testdata/capapplication/ca-01.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-01.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-02.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-02.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-03.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-03.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-04.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-04.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-05.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-05.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-06.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-06.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-07.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-07.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-08.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-08.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-09.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-09.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-10.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-10.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-11.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-11.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-12.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-12.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-13.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-13.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-14.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-14.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-15.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-15.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-16.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-16.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-17.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-17.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-18.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-18.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-19.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-19.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-20.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-20.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-21.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-21.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-22.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-22.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-23.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-23.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-24.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-24.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-25.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-25.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-26.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-26.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-27.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-27.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-28.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-28.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-29.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-29.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-30.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-30.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-31.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-31.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-32.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-32.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-33.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-33.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-34.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-34.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-35.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-35.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-36.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-36.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-37.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-37.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-38.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-38.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-39.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-39.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-40.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-40.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-41.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-41.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-42.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-42.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-43.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-43.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-44.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-45.expected.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-45.initial.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-dns-error.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-dns-not-ready.yaml
 create mode 100644 internal/controller/testdata/capapplication/ca-dns.yaml
 create mode 100644 internal/controller/testdata/capapplication/cat-consumer-no-finalizers-ready.yaml
 create mode 100644 internal/controller/testdata/capapplication/cat-consumer-ready.yaml
 create mode 100644 internal/controller/testdata/capapplication/cat-consumer-upg-never-deleting.yaml
 create mode 100644 internal/controller/testdata/capapplication/cat-consumer-upg-never-ready.yaml
 create mode 100644 internal/controller/testdata/capapplication/cat-provider-error.yaml
 create mode 100644 internal/controller/testdata/capapplication/cat-provider-no-finalizers-error.yaml
 create mode 100644 internal/controller/testdata/capapplication/cat-provider-no-finalizers-ready.yaml
 create mode 100644 internal/controller/testdata/capapplication/cat-provider-upgrade-error.yaml
 create mode 100644 internal/controller/testdata/capapplication/cav-33-version-updated-ready.yaml
 create mode 100644 internal/controller/testdata/capapplication/cav-error.yaml
 create mode 100644 internal/controller/testdata/capapplication/cav-name-modified-ready.yaml
 create mode 100644 internal/controller/testdata/capapplication/gateway.yaml
 create mode 100644 internal/controller/testdata/capapplication/istio-ingress-with-cert-error.yaml
 create mode 100644 internal/controller/testdata/capapplication/istio-ingress-with-cert-no-finalizers.yaml
 create mode 100644 internal/controller/testdata/capapplication/istio-ingress-with-cert.yaml
 create mode 100644 internal/controller/testdata/capapplication/istio-ingress-with-certManager-error.yaml
 create mode 100644 internal/controller/testdata/capapplication/istio-ingress-with-certManager-no-finalizers.yaml
 create mode 100644 internal/controller/testdata/capapplication/istio-ingress-with-certManager.yaml
 create mode 100644 internal/controller/testdata/capapplication/istio-ingress-with-no-cert.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cat-provider-version.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-annotations.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-cluster-netpol-port.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-custom-destination-config.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-custom-labels.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-empty-status.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-error-condition-status.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-error-status.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-failed-content-job.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-invalid-ca.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-invalid-env-cap.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-invalid-env-content.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-invalid-env-job-worker.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-merged-destinations-router.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-pod-security-context.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-probes-and-resources.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-processing-job-finished.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-processing.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-ready-deleting.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-security-context.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-unknown-deleting.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/cav-valid-env-config.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/content-job-completed.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/content-job-failed.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/content-job-pending.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-deleted-unknown.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-deleted.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-deleting.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-error-condition-processing.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-error-processing.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-failed-content-job.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-failed-env-cap.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-failed-env-content.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-failed-env-job-worker.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-missing-content-job.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-missing-secrets.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-processing.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-ready-annotations.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-ready-app-netpol.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-ready-cluster-netpol-port.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-ready-content-job.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-ready-custom-destination-config.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-ready-custom-labels-config.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-ready-merged-destinations-router.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-ready-pod-security-context.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-ready-probes-and-resources.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-ready-security-context.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-ready-valid-env-config.yaml
 create mode 100644 internal/controller/testdata/capapplicationversion/expected/cav-ready.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-01.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-02.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-02.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-03.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-03.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-04.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-04.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-05.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-05.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-06.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-06.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-07.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-07.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-08.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-08.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-09.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-09.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-10.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-10.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-11.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-11.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-13.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-13.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-14.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-15.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-15.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-16.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-17.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-17.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-20.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-20.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-21.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-21.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-22.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-23.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-23.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-24.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-24.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-25.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-25.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-26.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-27.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-28.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-28.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-29.expected.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-29.initial.yaml
 create mode 100644 internal/controller/testdata/captenant/cat-with-no-version.yaml
 create mode 100644 internal/controller/testdata/captenant/changed-provider-tenant-dnsentry.yaml
 create mode 100644 internal/controller/testdata/captenant/provider-tenant-dnsentry-not-ready.yaml
 create mode 100644 internal/controller/testdata/captenant/provider-tenant-dnsentry.yaml
 create mode 100644 internal/controller/testdata/captenant/provider-tenant-dr-v1.yaml
 create mode 100644 internal/controller/testdata/captenant/provider-tenant-vs-v1.yaml
 create mode 100644 internal/controller/testdata/captenant/to-be-updated-provider-tenant-dnsentry.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-01.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-01.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-02.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-02.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-03.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-03.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-04.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-04.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-05.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-05.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-06.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-06.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-07.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-07.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-08.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-08.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-09.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-09.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-10.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-10.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-11.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-11.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-12.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-12.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-13.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-13.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-14.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-14.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-15.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-15.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-16.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-16.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-17.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-17.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-18.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-18.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-19.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-19.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-20.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-20.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-21.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-21.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-22.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-22.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-23.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-23.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-24.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-24.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-25.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-25.initial.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-26.expected.yaml
 create mode 100644 internal/controller/testdata/captenantoperation/ctop-26.initial.yaml
 create mode 100644 internal/controller/testdata/common/capapplication-multi-xsuaa.yaml
 create mode 100644 internal/controller/testdata/common/capapplication.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-invalid-env.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-v1-mtxs-custom-cmd.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-v1-mtxs.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-v1-not-ready.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-v1-resources.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-v1-security-context.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-v1.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-v2-annotations.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-v2-multi-xsuaa.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-v2-multiple-tenant-ops.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-v2-no-mtx-workload.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-v2-pod-security-context.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-v2.yaml
 create mode 100644 internal/controller/testdata/common/capapplicationversion-v3.yaml
 create mode 100644 internal/controller/testdata/common/captenant-provider-ready.yaml
 create mode 100644 internal/controller/testdata/common/captenant-provider-upgraded-ready.yaml
 create mode 100644 internal/controller/testdata/common/credential-secrets.yaml
 create mode 100644 internal/controller/testdata/common/istio-ingress.yaml
 create mode 100644 internal/controller/testdata/common/operator-gateway.yaml
 create mode 100644 internal/controller/utils.go
 create mode 100644 internal/util/config.go
 create mode 100644 internal/util/types.go
 create mode 100644 internal/util/uaa.go
 create mode 100644 internal/util/uaa_test.go
 create mode 100644 internal/util/vcap-credentials.go
 create mode 100644 internal/util/vcap-credentials_test.go
 create mode 100644 pkg/apis/sme.sap.com/v1alpha1/doc.go
 create mode 100644 pkg/apis/sme.sap.com/v1alpha1/register.go
 create mode 100644 pkg/apis/sme.sap.com/v1alpha1/types.go
 create mode 100644 pkg/apis/sme.sap.com/v1alpha1/utils.go
 create mode 100644 pkg/apis/sme.sap.com/v1alpha1/zz_generated.deepcopy.go
 create mode 100644 pkg/client/applyconfiguration/internal/internal.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/applicationdomains.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/btp.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/btptenantidentification.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplication.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationspec.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationstatus.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationversion.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationversionspec.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationversionstatus.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenant.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperation.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperationspec.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperationstatus.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperationstep.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantspec.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantstatus.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/containerdetails.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/deploymentdetails.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/genericstatus.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/jobdetails.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/namevalue.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/ports.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/serviceinfo.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/tenantoperations.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/tenantoperationworkloadreference.go
 create mode 100644 pkg/client/applyconfiguration/sme.sap.com/v1alpha1/workloaddetails.go
 create mode 100644 pkg/client/applyconfiguration/utils.go
 create mode 100644 pkg/client/clientset/versioned/clientset.go
 create mode 100644 pkg/client/clientset/versioned/fake/clientset_generated.go
 create mode 100644 pkg/client/clientset/versioned/fake/doc.go
 create mode 100644 pkg/client/clientset/versioned/fake/register.go
 create mode 100644 pkg/client/clientset/versioned/scheme/doc.go
 create mode 100644 pkg/client/clientset/versioned/scheme/register.go
 create mode 100644 pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/capapplication.go
 create mode 100644 pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/capapplicationversion.go
 create mode 100644 pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/captenant.go
 create mode 100644 pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/captenantoperation.go
 create mode 100644 pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/doc.go
 create mode 100644 pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/doc.go
 create mode 100644 pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_capapplication.go
 create mode 100644 pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_capapplicationversion.go
 create mode 100644 pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_captenant.go
 create mode 100644 pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_captenantoperation.go
 create mode 100644 pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_sme.sap.com_client.go
 create mode 100644 pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/generated_expansion.go
 create mode 100644 pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/sme.sap.com_client.go
 create mode 100644 pkg/client/informers/externalversions/factory.go
 create mode 100644 pkg/client/informers/externalversions/generic.go
 create mode 100644 pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go
 create mode 100644 pkg/client/informers/externalversions/sme.sap.com/interface.go
 create mode 100644 pkg/client/informers/externalversions/sme.sap.com/v1alpha1/capapplication.go
 create mode 100644 pkg/client/informers/externalversions/sme.sap.com/v1alpha1/capapplicationversion.go
 create mode 100644 pkg/client/informers/externalversions/sme.sap.com/v1alpha1/captenant.go
 create mode 100644 pkg/client/informers/externalversions/sme.sap.com/v1alpha1/captenantoperation.go
 create mode 100644 pkg/client/informers/externalversions/sme.sap.com/v1alpha1/interface.go
 create mode 100644 pkg/client/listers/sme.sap.com/v1alpha1/capapplication.go
 create mode 100644 pkg/client/listers/sme.sap.com/v1alpha1/capapplicationversion.go
 create mode 100644 pkg/client/listers/sme.sap.com/v1alpha1/captenant.go
 create mode 100644 pkg/client/listers/sme.sap.com/v1alpha1/captenantoperation.go
 create mode 100644 pkg/client/listers/sme.sap.com/v1alpha1/expansion_generated.go
 create mode 100644 website/archetypes/default.md
 create mode 100644 website/content/en/_index.md
 create mode 100644 website/content/en/docs/_index.md
 create mode 100644 website/content/en/docs/concepts/_index.md
 create mode 100644 website/content/en/docs/concepts/cap-application-components.md
 create mode 100644 website/content/en/docs/concepts/operator-components/_index.md
 create mode 100644 website/content/en/docs/concepts/operator-components/controller.md
 create mode 100644 website/content/en/docs/concepts/operator-components/mtx-job.md
 create mode 100644 website/content/en/docs/concepts/operator-components/subscription-server.md
 create mode 100644 website/content/en/docs/configuration/_index.md
 create mode 100644 website/content/en/docs/installation/_index.md
 create mode 100644 website/content/en/docs/installation/helm-install.md
 create mode 100644 website/content/en/docs/installation/prerequisites.md
 create mode 100644 website/content/en/docs/reference/_index.md
 create mode 100644 website/content/en/docs/support/_index.md
 create mode 100644 website/content/en/docs/troubleshoot/_index.md
 create mode 100644 website/content/en/docs/usage/_index.md
 create mode 100644 website/content/en/docs/usage/deploying-application.md
 create mode 100644 website/content/en/docs/usage/prerequisites.md
 create mode 100644 website/content/en/docs/usage/resources/_index.md
 create mode 100644 website/content/en/docs/usage/resources/capapplication.md
 create mode 100644 website/content/en/docs/usage/resources/capapplicationversion.md
 create mode 100644 website/content/en/docs/usage/resources/captenant.md
 create mode 100644 website/content/en/docs/usage/resources/captenantoperation.md
 create mode 100644 website/content/en/docs/usage/tenant-provisioning.md
 create mode 100644 website/content/en/docs/usage/version-upgrade.md
 create mode 100644 website/go.mod
 create mode 100644 website/go.sum
 create mode 100644 website/hugo.yaml
 create mode 100644 website/includes/api-reference.html
 create mode 100644 website/includes/chart-values.md
 create mode 100644 website/layouts/shortcodes/include.html
 create mode 100644 website/package-lock.json
 create mode 100644 website/package.json
 create mode 100644 website/static/img/activity-tenantprovisioning.png
 create mode 100644 website/static/img/block-cluster.png
 create mode 100644 website/static/img/block-controller.png
 create mode 100644 website/static/img/block-subscription.png
 create mode 100644 website/static/img/logo.png
 create mode 100644 website/static/img/workflow.png

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..0f04682
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,4 @@
+# More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
+# Ignore build and test binaries.
+bin/
+testbin/
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
new file mode 100644
index 0000000..3b06548
--- /dev/null
+++ b/.github/workflows/go.yml
@@ -0,0 +1,32 @@
+name: Go (Build & Unit test)
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+
+  build:
+    name: Build
+    runs-on: ubuntu-22.04
+    steps:
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Setup Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: ^1.21
+        cache: true
+
+    - name: Get dependencies
+      run: go get -v -t -d ./...
+
+    - name: Build all relevant packages
+      run:  CGO_ENABLED=0 go build -v ./cmd/...
+
+    - name: Test relevant packages
+      run:  CGO_ENABLED=0 go test -v ./...
\ No newline at end of file
diff --git a/.github/workflows/publish-website.yaml b/.github/workflows/publish-website.yaml
new file mode 100644
index 0000000..35a60dd
--- /dev/null
+++ b/.github/workflows/publish-website.yaml
@@ -0,0 +1,79 @@
+name: Publish Website
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - website/**
+      - .github/workflows/publish-website.yaml
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: pages
+  cancel-in-progress: false
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+          fetch-depth: 0
+      - name: Setup Pages
+        id: pages
+        uses: actions/configure-pages@v3
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: ^1.21
+      - name: Setup Hugo
+        uses: peaceiris/actions-hugo@v2
+        with:
+          hugo-version: "0.115.2"
+          extended: true
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: "18.x"
+      - name: Update dependencies
+        run: |
+          cd website
+          npm ci
+      - name: Build with Hugo
+        env:
+          HUGO_ENVIRONMENT: production
+          HUGO_ENV: production
+        run: |
+          cd website
+          hugo \
+            --gc \
+            --minify \
+            --baseURL "${{ steps.pages.outputs.base_url }}/"            
+
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v2
+        with:
+          path: website/public
+
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-22.04
+    needs: build
+
+    steps:
+    - name: Deploy to GitHub Pages
+      id: deployment
+      uses: actions/deploy-pages@v2
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..391564d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,24 @@
+local/
+.kubeconfig
+
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+bin
+testbin/*
+
+# Test binary, build with `go test -c`
+*.test
+
+# OS specific
+.DS_Store
+
+# Hugo artifacts
+.hugo_build.lock
+/website/resources
+/website/node_modules
+/website/public
+
+# /tmp
+tmp/
\ No newline at end of file
diff --git a/.reuse/dep5 b/.reuse/dep5
index 96d499f..3891e91 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -1,7 +1,7 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: <YOUR-REPO-NAME>
-Upstream-Contact: <YOUR-CONTACT (MAIL ADDRESS ETC.)>
-Source: <https://github.com/sap/YOUR-REPO-NAME>
+Upstream-Name: cap-operator
+Upstream-Contact: cap-operator@sap.com
+Source: <https://github.com/sap/cap-operator>
 Disclaimer: The code in this project may include calls to APIs ("API Calls") of
  SAP or third-party products or services developed outside of this project
  ("External Products").
@@ -24,14 +24,6 @@ Disclaimer: The code in this project may include calls to APIs ("API Calls") of
  you any rights to use or access any SAP External Product, or provide any third
  parties the right to use of access any SAP External Product, through API Calls.
 
-Files: <YOUR-FILE-OR-FOLDER-LIST>
-Copyright:  <YEARS-RELEVANT-FOR-YOUR-PROJECT> SAP SE or an SAP affiliate company and <YOUR-PROJECT-NAME> contributors
-License: Apache-2.0
-
-Files: <THIRD-PARTY-FILE-OR-FOLDER-LIST>
-Copyright: <COPYRIGHT-OF-THIRD-PARTY-CODE>
-License: <LICENSE-OF-THIRD-PARTY-CODE>
-
-Files: <ANOTHER-THIRD-PARTY-FILE-OR-FOLDER-LIST>
-Copyright: <COPYRIGHT-OF-ANOTHER-THIRD-PARTY-CODE>
-License: <LICENSE-OF-ANOTHER- THIRD-PARTY-CODE>
\ No newline at end of file
+Files: **
+Copyright:  2023 SAP SE or an SAP affiliate company and cap-operator contributors
+License: Apache-2.0
\ No newline at end of file
diff --git a/.vscode/launch.json b/.vscode/launch.json
new file mode 100644
index 0000000..0ffb9a0
--- /dev/null
+++ b/.vscode/launch.json
@@ -0,0 +1,15 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Launch Controller",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/controller"
+        }
+    ]
+}
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
index 261eeb9..2bb9ad2 100644
--- a/LICENSE
+++ b/LICENSE
@@ -173,29 +173,4 @@
       incurred by, or claims asserted against, such Contributor by reason
       of your accepting any such warranty or additional liability.
 
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
+   END OF TERMS AND CONDITIONS
\ No newline at end of file
diff --git a/README.md b/README.md
index 9721fd8..c39bdb0 100644
--- a/README.md
+++ b/README.md
@@ -1,32 +1,20 @@
-# SAP Repository Template
+# [CAP Operator](https://sap.github.io/cap-operator/)
 
-Default templates for SAP open source repositories, including LICENSE, .reuse/dep5, Code of Conduct, etc... All repositories on github.com/SAP will be created based on this template.
+CAP Operator manages the lifecycle operations involved in running multi-tenant CAP applications on Kubernetes clusters, primarily SAP Gardener managed clusters.
 
-## To-Do
+#### Documentation
+Visit the [Documentation](https://sap.github.io/cap-operator/docs) to find out how to install and use the CAP Operator
 
-In case you are the maintainer of a new SAP open source project, these are the steps to do with the template files:
+#### Helm Chart
+The local version of the [helm chart](https://github.com/sap/cap-operator-lifecycle/tree/release/chart) is now part of [CAP Operator Lifecycle](https://github.com/sap/cap-operator-lifecycle) repo.
 
-- Check if the default license (Apache 2.0) also applies to your project. A license change should only be required in exceptional cases. If this is the case, please change the [license file](LICENSE).
-- Enter the correct metadata for the REUSE tool. See our [wiki page](https://wiki.wdf.sap.corp/wiki/display/ospodocs/Using+the+Reuse+Tool+of+FSFE+for+Copyright+and+License+Information) for details how to do it. You can find an initial .reuse/dep5 file to build on. Please replace the parts inside the single angle quotation marks < > by the specific information for your repository and be sure to run the REUSE tool to validate that the metadata is correct.
-- Adjust the contribution guidelines (e.g. add coding style guidelines, pull request checklists, different license if needed etc.)
-- Add information about your project to this README (name, description, requirements etc). Especially take care for the <your-project> placeholders - those ones need to be replaced with your project name. See the sections below the horizontal line and [our guidelines on our wiki page](https://wiki.wdf.sap.corp/wiki/display/ospodocs/Guidelines+for+README.md+file) what is required and recommended.
-- Remove all content in this README above and including the horizontal line ;)
+#### CRDs
+CRDs for the CAP Operator can be applied from the [./crds](./crds) folder, these are also copied over to the [helm chart](https://github.com/sap/cap-operator-lifecycle/tree/main/chart) when updated.
 
-***
-
-# Our new open source project
-
-## About this project
-
-*Insert a short description of your project here...*
-
-## Requirements and Setup
-
-*Insert a short description what is required to get your project running...*
 
 ## Support, Feedback, Contributing
 
-This project is open to feature requests/suggestions, bug reports etc. via [GitHub issues](https://github.com/SAP/<your-project>/issues). Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our [Contribution Guidelines](CONTRIBUTING.md).
+This project is open to feature requests/suggestions, bug reports etc. via [GitHub issues](https://github.com/SAP/cap-operator/issues). Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our [Contribution Guidelines](CONTRIBUTING.md).
 
 ## Code of Conduct
 
@@ -34,4 +22,4 @@ We as members, contributors, and leaders pledge to make participation in our com
 
 ## Licensing
 
-Copyright (20xx-)20xx SAP SE or an SAP affiliate company and <your-project> contributors. Please see our [LICENSE](LICENSE) for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available [via the REUSE tool](https://api.reuse.software/info/github.com/SAP/<your-project>).
+Copyright 2023 SAP SE or an SAP affiliate company and cap-operator contributors. Please see our [LICENSE](LICENSE) for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available [via the REUSE tool](https://api.reuse.software/info/github.com/SAP/cap-operator).
diff --git a/build/controller/Dockerfile b/build/controller/Dockerfile
new file mode 100644
index 0000000..0920f0e
--- /dev/null
+++ b/build/controller/Dockerfile
@@ -0,0 +1,15 @@
+# Build stage for go modules
+FROM golang:1.21-alpine as build
+
+WORKDIR /build
+
+COPY . .
+
+RUN CGO_ENABLED=0 go build -o bin/controller ./cmd/controller/
+
+# Run Stage
+FROM gcr.io/distroless/static AS final
+
+ENTRYPOINT ["/app/controller"]
+
+COPY --from=build /build/bin/controller /app/controller
\ No newline at end of file
diff --git a/build/mtx-job/Dockerfile b/build/mtx-job/Dockerfile
new file mode 100644
index 0000000..348daf2
--- /dev/null
+++ b/build/mtx-job/Dockerfile
@@ -0,0 +1,15 @@
+# Build stage for go modules
+FROM golang:1.21-alpine as build
+
+WORKDIR /build
+
+COPY . .
+
+RUN CGO_ENABLED=0 go build -o ./bin/mtx-job ./cmd/mtx-job/main.go
+
+# Run Stage
+FROM gcr.io/distroless/static AS final
+
+ENTRYPOINT ["/app/mtx-job"]
+
+COPY --from=build /build/bin/mtx-job /app/mtx-job
\ No newline at end of file
diff --git a/build/server/Dockerfile b/build/server/Dockerfile
new file mode 100644
index 0000000..4c92101
--- /dev/null
+++ b/build/server/Dockerfile
@@ -0,0 +1,15 @@
+# Build stage for go modules
+FROM golang:1.21-alpine as build
+
+WORKDIR /build
+
+COPY . .
+
+RUN CGO_ENABLED=0 go build -o bin/server ./cmd/server/
+
+# Run Stage
+FROM gcr.io/distroless/static AS final
+
+ENTRYPOINT ["/app/server"]
+
+COPY --from=build /build/bin/server /app/server
\ No newline at end of file
diff --git a/build/web-hooks/Dockerfile b/build/web-hooks/Dockerfile
new file mode 100644
index 0000000..356fb13
--- /dev/null
+++ b/build/web-hooks/Dockerfile
@@ -0,0 +1,15 @@
+# Build stage for go modules
+FROM golang:1.21-alpine as build
+
+WORKDIR /build
+
+COPY . .
+
+RUN CGO_ENABLED=0 go build -o ./bin/webhook ./cmd/web-hooks/main.go
+
+# Run Stage
+FROM gcr.io/distroless/static AS final
+
+ENTRYPOINT ["/app/webhook"]
+
+COPY --from=build /build/bin/webhook /app/webhook
\ No newline at end of file
diff --git a/cmd/controller/main.go b/cmd/controller/main.go
new file mode 100644
index 0000000..cbe1341
--- /dev/null
+++ b/cmd/controller/main.go
@@ -0,0 +1,129 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/leaderelection"
+	"k8s.io/client-go/tools/leaderelection/resourcelock"
+	"k8s.io/klog/v2"
+
+	certManager "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
+	gardenerCert "github.com/gardener/cert-management/pkg/client/cert/clientset/versioned"
+	dns "github.com/gardener/external-dns-management/pkg/client/dns/clientset/versioned"
+	"github.com/google/uuid"
+	"github.com/sap/cap-operator/internal/controller"
+	"github.com/sap/cap-operator/internal/util"
+	"github.com/sap/cap-operator/pkg/client/clientset/versioned"
+	istio "istio.io/client-go/pkg/clientset/versioned"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	LeaseLockName = "capoperator-lease-lock"
+)
+
+func main() {
+	config := util.GetConfig()
+	if config == nil {
+		klog.Fatal("Config not found")
+	}
+
+	leaseLockNamespace := util.GetNamespace()
+	leaseLockId := uuid.New().String()
+
+	coreClient, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		klog.Fatal("Could not create kubernetes core client: ", err.Error())
+	}
+
+	crdClient, err := versioned.NewForConfig(config)
+	if err != nil {
+		klog.Fatal("could not create client for custom resources: ", err.Error())
+	}
+
+	istioClient, err := istio.NewForConfig(config)
+	if err != nil {
+		klog.Fatal("could not create client for istio resources: ", err.Error())
+	}
+
+	certClient, err := gardenerCert.NewForConfig(config)
+	if err != nil {
+		klog.Fatal("could not create client for certificate resources: ", err.Error())
+	}
+
+	certManagerClient, err := certManager.NewForConfig(config)
+	if err != nil {
+		klog.Fatal("could not create client for certManager certificate resources: ", err.Error())
+	}
+
+	dnsClient, err := dns.NewForConfig(config)
+	if err != nil {
+		klog.Fatal("could not create client for dns resources: ", err.Error())
+	}
+
+	// context for the reconciliation controller
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Handle sys exits to ensure cleanup of controller code before stopping leading
+	leaseCh := make(chan os.Signal, 1)
+	signal.Notify(leaseCh, os.Interrupt, syscall.SIGTERM)
+	go func() {
+		<-leaseCh
+		klog.Info("Interrupt received, shutting down operator context")
+		cancel()
+	}()
+
+	// Create a LeaseLock resource
+	leaseLock := &resourcelock.LeaseLock{
+		LeaseMeta: metav1.ObjectMeta{
+			Name:      LeaseLockName,
+			Namespace: leaseLockNamespace,
+		},
+		Client: coreClient.CoordinationV1(),
+		LockConfig: resourcelock.ResourceLockConfig{
+			Identity: leaseLockId,
+		},
+	}
+
+	// Run leader election
+	leaderelection.RunOrDie(ctx, leaderelection.LeaderElectionConfig{
+		Lock:            leaseLock,
+		LeaseDuration:   15 * time.Second,
+		RenewDeadline:   10 * time.Second,
+		RetryPeriod:     5 * time.Second,
+		ReleaseOnCancel: true,
+		Callbacks: leaderelection.LeaderCallbacks{
+			OnStartedLeading: func(ctx context.Context) {
+				klog.Infof("Started leading: %s - %s", LeaseLockName, leaseLockId)
+
+				checkDone := make(chan bool, 1)
+				go checkHashedLabels(checkDone, coreClient, crdClient, istioClient, certClient, certManagerClient, dnsClient)
+				<-checkDone
+				klog.Info("check & update of hashed labels done")
+
+				c := controller.NewController(coreClient, crdClient, istioClient, certClient, certManagerClient, dnsClient)
+				go c.Start(ctx)
+			},
+			OnStoppedLeading: func() {
+				klog.Infof("Stopped leading: %s - %s", LeaseLockName, leaseLockId)
+				os.Exit(0)
+			},
+			OnNewLeader: func(id string) {
+				if id == leaseLockId {
+					return
+				}
+				klog.Infof("Leader exists: %s", id)
+			},
+		},
+	})
+}
diff --git a/cmd/controller/temp.go b/cmd/controller/temp.go
new file mode 100644
index 0000000..9dd8562
--- /dev/null
+++ b/cmd/controller/temp.go
@@ -0,0 +1,371 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package main
+
+import (
+	"context"
+	"crypto/sha1"
+	"fmt"
+	"strings"
+
+	certManager "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
+	gardenerCert "github.com/gardener/cert-management/pkg/client/cert/clientset/versioned"
+	gardenerDNS "github.com/gardener/external-dns-management/pkg/client/dns/clientset/versioned"
+	"github.com/sap/cap-operator/pkg/client/clientset/versioned"
+	istio "istio.io/client-go/pkg/clientset/versioned"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/selection"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/klog/v2"
+)
+
+type ownerInfo struct {
+	kind           string
+	ownerNamespace string
+	ownerName      string
+}
+
+type appIdentifier struct {
+	globalAccountId string
+	appName         string
+}
+
+const (
+	AnnotationOwnerIdentifier          = "sme.sap.com/owner-identifier"
+	AnnotationBTPApplicationIdentifier = "sme.sap.com/btp-app-identifier"
+	LabelOwnerIdentifierHash           = "sme.sap.com/owner-identifier-hash"
+	LabelBTPApplicationIdentifierHash  = "sme.sap.com/btp-app-identifier-hash"
+	CAPApplication                     = "CAPApplication"
+	CAPApplicationVersion              = "CAPApplicationVersion"
+	CAPTenant                          = "CAPTenant"
+	CAPTenantOperation                 = "CAPTenantOperation"
+	CAPOperator                        = "CAPOperator"
+	OperatorDomains                    = "OperatorDomains"
+)
+
+var btpAppIdMap map[string]*appIdentifier
+var ownerMap map[string]*ownerInfo
+
+func checkHashedLabels(checkDone chan bool, client kubernetes.Interface, crdClient versioned.Interface, istioClient istio.Interface, gardenerCertificateClient gardenerCert.Interface, certManagerCertificateClient certManager.Interface, gardenerDNSClient gardenerDNS.Interface) {
+	btpAppIdMap = map[string]*appIdentifier{}
+	ownerMap = map[string]*ownerInfo{}
+	// Always set the channel to true in the end
+	defer func() {
+		checkDone <- true
+	}()
+
+	ownerMap[CAPOperator+"."+OperatorDomains] = &ownerInfo{
+		ownerNamespace: CAPOperator,
+		ownerName:      OperatorDomains,
+	}
+
+	ctx := context.TODO()
+	klog.Info("checking for old Labels on known resources")
+
+	btpAppLabelReq, _ := labels.NewRequirement(AnnotationBTPApplicationIdentifier, selection.Exists, []string{})
+	ownerLabelReq, _ := labels.NewRequirement(AnnotationOwnerIdentifier, selection.Exists, []string{})
+
+	btpAppSelector := labels.NewSelector()
+	btpAppSelector.Add(*btpAppLabelReq)
+
+	ownerSelector := labels.NewSelector()
+	ownerSelector.Add(*ownerLabelReq)
+
+	btpAppOwnerSelector := labels.NewSelector()
+	btpAppOwnerSelector.Add(*btpAppLabelReq, *ownerLabelReq)
+
+	// CAP application with LabelBTPApplicationIdentifier
+	caList, err := crdClient.SmeV1alpha1().CAPApplications("").List(ctx, metav1.ListOptions{LabelSelector: btpAppSelector.String()})
+	if err != nil {
+		klog.Error(err)
+		return
+	}
+	for _, ca := range caList.Items {
+		// Update map with known good values
+		btpAppIdMap[ca.Labels[AnnotationBTPApplicationIdentifier]] = &appIdentifier{
+			globalAccountId: ca.Spec.GlobalAccountId,
+			appName:         ca.Spec.BTPAppName,
+		}
+		ownerMap[ca.Namespace+"."+ca.Name] = &ownerInfo{
+			ownerNamespace: ca.Namespace,
+			ownerName:      ca.Name,
+		}
+		// certificates are created with CAPApplication as the kind in ownerinfo
+		ownerMap[CAPApplication+"."+ca.Namespace+"."+ca.Name] = &ownerInfo{
+			kind:           CAPApplication,
+			ownerNamespace: ca.Namespace,
+			ownerName:      ca.Name,
+		}
+		// add Label/Annotation for BTP App
+		if updateLabelAnnotationMetadata(&ca.ObjectMeta, true, false) {
+			crdClient.SmeV1alpha1().CAPApplications(ca.Namespace).Update(ctx, &ca, metav1.UpdateOptions{})
+		}
+	}
+
+	// CAP application version with LabelBTPApplicationIdentifier and LabelOwnerIdentifier
+	cavList, err := crdClient.SmeV1alpha1().CAPApplicationVersions("").List(ctx, metav1.ListOptions{LabelSelector: btpAppOwnerSelector.String()})
+	if err != nil {
+		klog.Error(err)
+		return
+	}
+	for _, cav := range cavList.Items {
+		ownerMap[cav.Namespace+"."+cav.Name] = &ownerInfo{
+			ownerNamespace: cav.Namespace,
+			ownerName:      cav.Name,
+		}
+		if updateLabelAnnotationMetadata(&cav.ObjectMeta, true, true) {
+			crdClient.SmeV1alpha1().CAPApplicationVersions(cav.Namespace).Update(ctx, &cav, metav1.UpdateOptions{})
+		}
+	}
+
+	// CAP Tenant with LabelBTPApplicationIdentifier and LabelOwnerIdentifier
+	catList, err := crdClient.SmeV1alpha1().CAPTenants("").List(ctx, metav1.ListOptions{LabelSelector: btpAppOwnerSelector.String()})
+	if err != nil {
+		klog.Error(err)
+		return
+	}
+	for _, cat := range catList.Items {
+		ownerMap[cat.Namespace+"."+cat.Name] = &ownerInfo{
+			ownerNamespace: cat.Namespace,
+			ownerName:      cat.Name,
+		}
+		// DNS entries are being created with CAPTenant as the kind in owner info
+		ownerMap[CAPTenant+"."+cat.Namespace+cat.Name] = &ownerInfo{
+			kind:           CAPTenant,
+			ownerNamespace: cat.Namespace,
+			ownerName:      cat.Name,
+		}
+		if updateLabelAnnotationMetadata(&cat.ObjectMeta, true, true) {
+			crdClient.SmeV1alpha1().CAPTenants(cat.Namespace).Update(ctx, &cat, metav1.UpdateOptions{})
+		}
+	}
+
+	// CAP Tenant Operation with LabelOwnerIdentifier
+	ctopList, err := crdClient.SmeV1alpha1().CAPTenantOperations("").List(ctx, metav1.ListOptions{LabelSelector: ownerSelector.String()})
+	if err != nil {
+		klog.Error(err)
+		return
+	}
+	for _, ctop := range ctopList.Items {
+		ownerMap[ctop.Namespace+"."+ctop.Name] = &ownerInfo{
+			ownerNamespace: ctop.Namespace,
+			ownerName:      ctop.Name,
+		}
+
+		if updateLabelAnnotationMetadata(&ctop.ObjectMeta, false, true) {
+			crdClient.SmeV1alpha1().CAPTenantOperations(ctop.Namespace).Update(ctx, &ctop, metav1.UpdateOptions{})
+		}
+	}
+
+	// Cert Manager Certificates
+	certManagerCertificateList, err := certManagerCertificateClient.CertmanagerV1().Certificates("").List(ctx, metav1.ListOptions{LabelSelector: ownerSelector.String()})
+	if err != nil {
+		klog.Error(err)
+		return
+	}
+	for _, cert := range certManagerCertificateList.Items {
+		if updateLabelAnnotationMetadata(&cert.ObjectMeta, false, true) {
+			certManagerCertificateClient.CertmanagerV1().Certificates(cert.Namespace).Update(ctx, &cert, metav1.UpdateOptions{})
+		}
+	}
+
+	// Gardener Certificates
+	gardenerCertificateList, err := gardenerCertificateClient.CertV1alpha1().Certificates("").List(ctx, metav1.ListOptions{LabelSelector: ownerSelector.String()})
+	if err != nil {
+		klog.Error(err)
+		return
+	}
+	for _, cert := range gardenerCertificateList.Items {
+		if updateLabelAnnotationMetadata(&cert.ObjectMeta, false, true) {
+			gardenerCertificateClient.CertV1alpha1().Certificates(cert.Namespace).Update(ctx, &cert, metav1.UpdateOptions{})
+		}
+	}
+
+	// Gateways
+	gwList, err := istioClient.NetworkingV1beta1().Gateways("").List(ctx, metav1.ListOptions{LabelSelector: btpAppOwnerSelector.String()})
+	if err != nil {
+		klog.Error(err)
+		return
+	}
+	for _, gw := range gwList.Items {
+		// Update one for just app id (primary domain gw)
+		if updateLabelAnnotationMetadata(&gw.ObjectMeta, true, false) {
+			istioClient.NetworkingV1beta1().Gateways(gw.Namespace).Update(ctx, gw, metav1.UpdateOptions{})
+		}
+		// Update one for just owner info (Secondary domain gw)
+		if updateLabelAnnotationMetadata(&gw.ObjectMeta, false, true) {
+			istioClient.NetworkingV1beta1().Gateways(gw.Namespace).Update(ctx, gw, metav1.UpdateOptions{})
+		}
+	}
+
+	// DNS Entries
+	dnsEntryList, err := gardenerDNSClient.DnsV1alpha1().DNSEntries("").List(ctx, metav1.ListOptions{LabelSelector: ownerSelector.String()})
+	if err != nil {
+		klog.Error(err)
+		return
+	}
+	for _, dnsEntry := range dnsEntryList.Items {
+		if updateLabelAnnotationMetadata(&dnsEntry.ObjectMeta, false, true) {
+			gardenerDNSClient.DnsV1alpha1().DNSEntries(dnsEntry.Namespace).Update(ctx, &dnsEntry, metav1.UpdateOptions{})
+		}
+	}
+
+	// Destination Rules
+	destRuleList, err := istioClient.NetworkingV1beta1().DestinationRules("").List(ctx, metav1.ListOptions{LabelSelector: ownerSelector.String()})
+	if err != nil {
+		klog.Error(err)
+		return
+	}
+	for _, destRule := range destRuleList.Items {
+		if updateLabelAnnotationMetadata(&destRule.ObjectMeta, false, true) {
+			istioClient.NetworkingV1beta1().DestinationRules(destRule.Namespace).Update(ctx, destRule, metav1.UpdateOptions{})
+		}
+	}
+
+	// Virtual Services
+	virtualServiceList, err := istioClient.NetworkingV1beta1().VirtualServices("").List(ctx, metav1.ListOptions{LabelSelector: ownerSelector.String()})
+	if err != nil {
+		klog.Error(err)
+		return
+	}
+	for _, virtualService := range virtualServiceList.Items {
+		if updateLabelAnnotationMetadata(&virtualService.ObjectMeta, false, true) {
+			istioClient.NetworkingV1beta1().VirtualServices(virtualService.Namespace).Update(ctx, virtualService, metav1.UpdateOptions{})
+		}
+	}
+
+	// CAV Deployments
+	deploymentList, err := client.AppsV1().Deployments("").List(ctx, metav1.ListOptions{LabelSelector: btpAppOwnerSelector.String()})
+	if err != nil {
+		klog.Error(err)
+		return
+	}
+	for _, deployment := range deploymentList.Items {
+		if updateLabelAnnotationMetadata(&deployment.ObjectMeta, true, true) {
+			client.AppsV1().Deployments(deployment.Namespace).Update(ctx, &deployment, metav1.UpdateOptions{})
+		}
+	}
+
+	// CAV Services
+	serviceList, err := client.CoreV1().Services("").List(ctx, metav1.ListOptions{LabelSelector: btpAppOwnerSelector.String()})
+	if err != nil {
+		klog.Error(err)
+		return
+	}
+	for _, service := range serviceList.Items {
+		if updateLabelAnnotationMetadata(&service.ObjectMeta, true, true) {
+			client.CoreV1().Services(service.Namespace).Update(ctx, &service, metav1.UpdateOptions{})
+		}
+	}
+
+	// CTOP Jobs
+	jobList, err := client.BatchV1().Jobs("").List(ctx, metav1.ListOptions{LabelSelector: btpAppOwnerSelector.String()})
+	if err != nil {
+		klog.Error(err)
+		return
+	}
+	for _, job := range jobList.Items {
+		if updateLabelAnnotationMetadata(&job.ObjectMeta, true, true) {
+			client.BatchV1().Jobs(job.Namespace).Update(ctx, &job, metav1.UpdateOptions{})
+		}
+	}
+}
+
+func sha1Sum(source ...string) string {
+	sum := sha1.Sum([]byte(strings.Join(source, "")))
+	return fmt.Sprintf("%x", sum)
+}
+
+func amendObjectMetadata(object *metav1.ObjectMeta, annotatedOldLabel string, hashLabel string, oldValue string, hashedValue string) (updated bool) {
+	// Check if old label exists, if so remove it
+	if _, ok := object.Labels[annotatedOldLabel]; ok {
+		delete(object.Labels, annotatedOldLabel)
+		klog.Infof("Removed old label %s=%s for resource %s.%s", annotatedOldLabel, oldValue, object.Namespace, object.Name)
+		updated = true
+	}
+	// Add hashed label as the new label with the hashed identifier value
+	if _, ok := object.Labels[hashLabel]; !ok {
+		object.Labels[hashLabel] = hashedValue
+		klog.Infof("Added hashed label %s=%s for resource %s.%s", hashLabel, hashedValue, object.Namespace, object.Name)
+		updated = true
+	}
+	// Add old label as an annotation with the old value
+	if _, ok := object.Annotations[annotatedOldLabel]; !ok {
+		object.Annotations[annotatedOldLabel] = oldValue
+		klog.Infof("Added annotation %s=%s for resource %s.%s", annotatedOldLabel, oldValue, object.Namespace, object.Name)
+		updated = true
+	}
+	// return if something was updated
+	return updated
+}
+
+func updateLabelAnnotationMetadata(object *metav1.ObjectMeta, updateAppId bool, updateOwner bool) (updated bool) {
+	if object.Labels == nil {
+		object.Labels = make(map[string]string)
+	}
+	if object.Annotations == nil {
+		object.Annotations = map[string]string{}
+	}
+
+	// Update BTP Application Identifier
+	if updateAppId {
+		var appDetails *appIdentifier
+		ok := false
+		appID := object.Labels[AnnotationBTPApplicationIdentifier]
+		if appID != "" {
+			if appDetails, ok = btpAppIdMap[appID]; !ok {
+				index := strings.Index(appID, ".")
+				appDetails = &appIdentifier{
+					globalAccountId: appID[:index],
+					appName:         appID[index+1:],
+				}
+				btpAppIdMap[appID] = appDetails
+			}
+
+			if amendObjectMetadata(object, AnnotationBTPApplicationIdentifier, LabelBTPApplicationIdentifierHash, strings.Join([]string{appDetails.globalAccountId, appDetails.appName}, "."), sha1Sum(appDetails.globalAccountId, appDetails.appName)) {
+				updated = true
+			}
+		}
+	}
+
+	// Update OwnerInfo if owner details exists
+	if updateOwner {
+		var ownerDetails *ownerInfo
+		owner := []string{}
+
+		ok := false
+		ownerID := object.Labels[AnnotationOwnerIdentifier]
+		if ownerID != "" {
+			if ownerDetails, ok = ownerMap[ownerID]; !ok {
+				kind := ""
+				if strings.Index(ownerID, CAPApplication+".") == 0 {
+					kind = CAPApplication
+					ownerID = ownerID[15:]
+				} else if strings.Index(ownerID, CAPTenant+".") == 0 {
+					kind = CAPTenant
+					ownerID = ownerID[10:]
+				}
+				index := strings.Index(ownerID, ".")
+				ownerDetails = &ownerInfo{
+					kind:           kind,
+					ownerNamespace: ownerID[:index],
+					ownerName:      ownerID[index+1:],
+				}
+				ownerMap[ownerID] = ownerDetails
+			}
+			if ownerDetails.kind != "" {
+				owner = append(owner, ownerDetails.kind)
+			}
+			owner = append(owner, ownerDetails.ownerNamespace, ownerDetails.ownerName)
+
+			if amendObjectMetadata(object, AnnotationOwnerIdentifier, LabelOwnerIdentifierHash, strings.Join(owner, "."), sha1Sum(owner...)) {
+				updated = true
+			}
+		}
+	}
+
+	return updated
+}
diff --git a/cmd/mtx-job/main.go b/cmd/mtx-job/main.go
new file mode 100644
index 0000000..fe512ce
--- /dev/null
+++ b/cmd/mtx-job/main.go
@@ -0,0 +1,543 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package main
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"path"
+	"strings"
+	"time"
+
+	"github.com/sap/cap-operator/internal/util"
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"k8s.io/klog/v2"
+)
+
+const (
+	EnvXSUAAInstanceName        = "XSUAA_INSTANCE_NAME"
+	EnvMTXServiceURL            = "MTX_SERVICE_URL"
+	EnvMTXRequestType           = "MTX_REQUEST_TYPE"
+	EnvMTXTenantId              = "MTX_TENANT_ID"
+	EnvMTXPayload               = "MTX_REQUEST_PAYLOAD"
+	EnvCredentialsPath          = "CREDENTIALS_FILE_PATH"
+	EnvWaitForMTXTimeoutSeconds = "WAIT_FOR_MTX_TIMEOUT_SECONDS"
+	EnvVCAPServices             = "VCAP_SERVICES"
+)
+
+const (
+	RequestTypeProvisioning   = "provisioning"
+	RequestTypeDeprovisioning = "deprovisioning"
+	RequestTypeUpgrade        = "upgrade"
+)
+
+const (
+	Authorization      = "Authorization"
+	Bearer             = "Bearer"
+	ContentType        = "Content-Type"
+	ContentAppJson     = "application/json"
+	ContentFormEncoded = "application/x-www-form-urlencoded"
+	ServiceClassXSUAA  = "xsuaa"
+)
+
+const (
+	ErrorKillingProcess = "Error killing process"
+	FailedWith          = "failed with"
+)
+
+const (
+	statusQueued  = "QUEUED"
+	statusRunning = "RUNNING"
+	statusFailed  = "FAILED"
+	statusSuccess = "SUCCESS"
+)
+
+type asyncUpgradeResponse struct {
+	JobId string `json:"jobID"`
+}
+
+type upgradeJobResponse struct {
+	Error  string           `json:"error"`
+	Status string           `json:"status"`
+	Result upgradeJobResult `json:"result"`
+}
+
+type upgradeJobResult struct {
+	Tenants map[string]tenantUpgradeResult `json:"tenants"`
+}
+
+type tenantUpgradeResult struct {
+	Status    string `json:"status"`
+	Message   string `json:"message"`
+	BuildLogs string `json:"buildLogs"`
+}
+
+func fetchXSUAAServiceCredentials() (*util.XSUAACredentials, error) {
+	vcap, ok := os.LookupEnv(EnvVCAPServices)
+	if !ok || vcap == "" {
+		return fetchXSUAAServiceCredentialsFromVolume()
+	}
+	return fetchXSUAAServiceCredentialsFromVCAP()
+}
+
+func fetchXSUAAServiceCredentialsFromVCAP() (*util.XSUAACredentials, error) {
+	serviceInstanceName := os.Getenv(EnvXSUAAInstanceName)
+	raw := os.Getenv(EnvVCAPServices)
+	if raw == "" {
+		return nil, fmt.Errorf("could not read %s from environment", EnvVCAPServices)
+	}
+	var parsed map[string][]util.VCAPServiceInstance
+	err := json.Unmarshal([]byte(raw), &parsed)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing VCAP_SERVICES: %s", err.Error())
+	}
+	instances := parsed[ServiceClassXSUAA]
+	if len(instances) == 0 {
+		return nil, fmt.Errorf("could not find instances of service offering %s", ServiceClassXSUAA)
+	}
+	for _, i := range instances {
+		name := i.Name
+		if i.BindingName != "" { // if binding name is provided, use explicit instance name
+			if i.InstanceName == "" {
+				continue // instance name could not be identified
+			}
+			name = i.InstanceName
+		}
+		if name == serviceInstanceName {
+			return parseXSUAACredentials(i.Credentials)
+		}
+	}
+
+	return nil, fmt.Errorf("credentials for service instance %s not found", serviceInstanceName)
+}
+
+func parseXSUAACredentials(data interface{}) (credentials *util.XSUAACredentials, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("could parse credentials for service %s: %s", ServiceClassXSUAA, err.Error())
+		}
+	}()
+	creds, err := json.Marshal(data)
+	if err != nil {
+		return nil, err
+	}
+	var xsuaaCredentials util.XSUAACredentials
+	err = json.Unmarshal(creds, &xsuaaCredentials)
+	if err != nil {
+		return nil, err
+	}
+	return &xsuaaCredentials, nil
+}
+
+func fetchXSUAAServiceCredentialsFromVolume() (*util.XSUAACredentials, error) {
+	instance := os.Getenv(EnvXSUAAInstanceName)
+	credPath := getXSUAACredentialsPath(instance)
+	readAttribute := func(attribute string) (string, error) {
+		data, err := os.ReadFile(path.Join(credPath, attribute))
+		if err != nil {
+			return "", err
+		}
+		return string(data), nil
+	}
+
+	var err error
+	parameters := &util.XSUAACredentials{}
+	parameters.CredentialType, err = readAttribute("credential-type")
+	if err != nil {
+		return nil, err
+	}
+	parameters.AuthUrl, err = readAttribute("url")
+	if err != nil {
+		return nil, err
+	}
+	parameters.ClientId, err = readAttribute("clientid")
+	if err != nil {
+		return nil, err
+	}
+	if parameters.CredentialType == "x509" {
+		parameters.CertificateUrl, err = readAttribute("certurl")
+		if err != nil {
+			return nil, err
+		}
+		parameters.Certificate, err = readAttribute("certificate")
+		if err != nil {
+			return nil, err
+		}
+		parameters.CertificateKey, err = readAttribute("key")
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		parameters.ClientSecret, err = readAttribute("clientsecret")
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return parameters, nil
+}
+
+func getXSUAACredentialsPath(instance string) string {
+	basePath, ok := os.LookupEnv(EnvCredentialsPath)
+	if !ok {
+		basePath = "/etc/secrets/sapcp"
+	}
+	return path.Join(basePath, ServiceClassXSUAA, instance)
+}
+
+type OAuthResponse struct {
+	AccessToken string `json:"access_token"`
+	TokenType   string `json:"token_type"` // bearer
+	ExpiresIn   int    `json:"expires_in"`
+	Scope       string `json:"scope"`
+	JTI         string `json:"jti"`
+}
+
+func main() {
+	os.Exit(execute())
+}
+
+func execute() int {
+	var (
+		err    error // main error used for control flow
+		mtxURL *url.URL
+		token  *OAuthResponse
+		client http.Client = http.Client{Timeout: time.Duration(5 * time.Second)}
+	)
+
+	defer func() {
+		// terminate mtx sidecar via tcp connect when completed
+		terminateMTXSidecar()
+
+		// log final error, if any
+		if err != nil {
+			klog.Error("aborting with error: ", err.Error())
+		}
+	}()
+
+	if token, err = fetchOAuthToken(client); err != nil {
+		return 1
+	}
+
+	if mtxURLEnv, ok := os.LookupEnv(EnvMTXServiceURL); ok {
+		mtxURL, err = url.Parse(mtxURLEnv)
+	} else {
+		err = errors.New("could not identify mtx service URL from environment")
+		return 1
+	}
+
+	// wait for mtx instance by checking available tenants
+	if err = waitForMTX(mtxURL, client, token); err != nil {
+		return 1
+	}
+
+	// process request
+	if err = processRequest(mtxURL, client, token); err != nil {
+		return 1
+	}
+
+	return 0
+}
+
+func terminateMTXSidecar() {
+	klog.Info("Terminating by TCP connect..")
+	// TODO: make port configurable
+	conn, err := net.Dial("tcp", "localhost:8080")
+	if err != nil {
+		klog.Error("Error during mtx termination: ", err)
+	}
+	if conn != nil {
+		conn.Close()
+		klog.Info("Terminated..")
+	}
+}
+
+func waitForMTX(mtxURL *url.URL, client http.Client, token *OAuthResponse) error {
+	t, ok := os.LookupEnv(EnvWaitForMTXTimeoutSeconds)
+	if !ok || t == "" {
+		t = "300" // default wait period of 5 minutes
+	}
+	d, err := time.ParseDuration(t + "s")
+	if err != nil {
+		return fmt.Errorf("error parsing wait duration: %s", err.Error())
+	}
+
+	wait, cancel := context.WithTimeout(context.Background(), d)
+	defer cancel()
+
+	for {
+		select {
+		case <-wait.Done():
+			return fmt.Errorf("error when waiting for mtx: %s", wait.Err().Error())
+		default:
+			err := getTenants(mtxURL, client, token)
+			if err == nil {
+				return nil
+			}
+			klog.Warningf("waiting for mtx: %v", err)
+		}
+		time.Sleep(3 * time.Second)
+	}
+}
+
+func getTenants(mtxURL *url.URL, client http.Client, token *OAuthResponse) error {
+	mtxURL.Path = path.Join("mtx", "v1/provisioning/tenant")
+
+	req, err := http.NewRequest("GET", mtxURL.String(), nil)
+	if err != nil {
+		return err
+	}
+	req.Header.Set(Authorization, fmt.Sprintf("%s %s", Bearer, token.AccessToken))
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode >= 200 && resp.StatusCode <= 299 {
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return err
+		}
+
+		klog.Infof("%s: %s", v1alpha1.CAPTenantResource, body)
+		return nil
+	} else {
+		return fmt.Errorf("mtx returned status %s", resp.Status)
+	}
+}
+
+func fetchOAuthToken(client http.Client) (*OAuthResponse, error) {
+	parameters, err := fetchXSUAAServiceCredentials()
+	if err != nil {
+		return nil, fmt.Errorf("error when reading xsuaa credentials: %w", err)
+	}
+
+	var req *http.Request
+	if parameters.CredentialType == "x509" {
+		req, err = createRequestWithX509Certificate(parameters, &client)
+		// reset client tls config
+		defer func() { client.Transport = &http.Transport{} }()
+	} else {
+		req, err = createRequestWithClientCredentials(parameters)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("error preparing token request: %w", err)
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("error during http call: status %w", err)
+	}
+
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("error reading response body: %w", err)
+	}
+
+	var token OAuthResponse
+	err = json.Unmarshal(body, &token)
+	if err != nil {
+		return nil, fmt.Errorf("could not parse oauth response: %w", err)
+	} else {
+		klog.Infof("retrieved token with scope: %s", token.Scope)
+	}
+
+	return &token, nil
+}
+
+func prepareTokenRequest(clientID string, tokenURL string) (*http.Request, error) {
+	data := url.Values{}
+	data.Add("client_id", clientID)
+	data.Add("grant_type", "client_credentials")
+	req, err := http.NewRequest(http.MethodPost, tokenURL+"/oauth/token", strings.NewReader(data.Encode()))
+	if err != nil {
+		return nil, fmt.Errorf("error when creating request: %w", err)
+	}
+	req.Header.Set(ContentType, ContentFormEncoded)
+	return req, nil
+}
+
+func createRequestWithClientCredentials(parameters *util.XSUAACredentials) (*http.Request, error) {
+	req, err := prepareTokenRequest(parameters.ClientId, parameters.AuthUrl)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set(Authorization, "Basic "+base64.URLEncoding.EncodeToString([]byte(parameters.ClientId+":"+parameters.ClientSecret)))
+	return req, nil
+}
+
+func createRequestWithX509Certificate(parameters *util.XSUAACredentials, client *http.Client) (*http.Request, error) {
+	// Read the key pair to create certificate
+	cert, err := tls.X509KeyPair([]byte(parameters.Certificate), []byte(parameters.CertificateKey))
+	if err != nil {
+		return nil, err
+	}
+
+	// Use system certificate pool and add add certificate to it
+	caCertPool, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, err
+	}
+	caCertPool.AppendCertsFromPEM([]byte(parameters.Certificate))
+
+	// setup TLS configuration for client
+	tlsConfig := &tls.Config{
+		RootCAs:      caCertPool,
+		Certificates: []tls.Certificate{cert},
+	}
+	if t, ok := client.Transport.(*http.Transport); ok {
+		t.TLSClientConfig = tlsConfig
+	} else {
+		client.Transport = &http.Transport{TLSClientConfig: tlsConfig}
+	}
+
+	return prepareTokenRequest(parameters.ClientId, parameters.CertificateUrl)
+}
+
+func processRequest(mtxURL *url.URL, client http.Client, token *OAuthResponse) error {
+	switch os.Getenv(EnvMTXRequestType) {
+	case RequestTypeProvisioning:
+		return processSubscription(RequestTypeProvisioning, mtxURL, client, token)
+	case RequestTypeDeprovisioning:
+		return processSubscription(RequestTypeDeprovisioning, mtxURL, client, token)
+	case RequestTypeUpgrade:
+		return processUpgrade(mtxURL, client, token)
+	default:
+		return errors.New("unknown mtx request type")
+	}
+}
+
+func processSubscription(requestType string, mtxURL *url.URL, client http.Client, token *OAuthResponse) error {
+	tenantId := os.Getenv(EnvMTXTenantId)
+
+	client.Timeout = 10 * time.Minute
+	mtxURL.Path = path.Join("mtx", "v1/provisioning/tenant", tenantId)
+	reqBody := bytes.NewBufferString(os.Getenv(EnvMTXPayload))
+	var (
+		req *http.Request
+		err error
+	)
+	if requestType == RequestTypeProvisioning {
+		req, err = http.NewRequest("PUT", mtxURL.String(), reqBody)
+	} else {
+		req, err = http.NewRequest("DELETE", mtxURL.String(), reqBody)
+	}
+	if err != nil {
+		return fmt.Errorf("error when creating request for %s: %w", requestType, err)
+	}
+	req.Header.Set(ContentType, ContentAppJson)
+	req.Header.Set(Authorization, fmt.Sprintf("%s %s", Bearer, token.AccessToken))
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+
+	klog.Infof("%s %s %s response code: %d", v1alpha1.CAPTenantKind, tenantId, requestType, resp.StatusCode)
+	if resp.StatusCode >= 200 && resp.StatusCode <= 299 {
+		return nil
+	} else {
+		return fmt.Errorf("%s for %s %s %s: %d", requestType, v1alpha1.CAPTenantKind, tenantId, FailedWith, resp.StatusCode)
+	}
+}
+
+func processUpgrade(mtxURL *url.URL, client http.Client, token *OAuthResponse) error {
+	tenantId := os.Getenv(EnvMTXTenantId)
+	client.Timeout = 10 * time.Minute
+	mtxURL.Path = "mtx/v1/model/asyncUpgrade"
+	reqBody := bytes.NewBufferString(os.Getenv(EnvMTXPayload))
+
+	req, err := http.NewRequest("POST", mtxURL.String(), reqBody)
+
+	if err != nil {
+		return fmt.Errorf("error when creating request for upgrade: %v", err)
+	}
+	req.Header.Set(ContentType, ContentAppJson)
+	req.Header.Set(Authorization, fmt.Sprintf("%s %s", Bearer, token.AccessToken))
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+
+	klog.Infof("%s %s upgrade response code: %d", v1alpha1.CAPTenantKind, tenantId, resp.StatusCode)
+	if resp.StatusCode >= 200 && resp.StatusCode <= 299 {
+		decoder := json.NewDecoder(resp.Body)
+		defer resp.Body.Close()
+		var asyncUpgradeResp asyncUpgradeResponse
+		err = decoder.Decode(&asyncUpgradeResp)
+		if err != nil {
+			klog.Errorf("Error parsing response for async upgrade: %v", err)
+			return err
+		}
+		// Check the final job status
+		return checkJobStatus(asyncUpgradeResp.JobId, tenantId, mtxURL, client, token)
+
+	} else {
+		return fmt.Errorf("upgrade for %s %s %s: %d", v1alpha1.CAPTenantKind, tenantId, FailedWith, resp.StatusCode)
+	}
+}
+
+func checkJobStatus(jobId string, tenantId string, mtxURL *url.URL, client http.Client, token *OAuthResponse) error {
+	// Create Request for fetching mtx upgrade Job status
+	mtxURL.Path = "/mtx/v1/model/status/" + jobId
+	req, err := http.NewRequest("GET", mtxURL.String(), nil)
+	if err != nil {
+		return fmt.Errorf("error when creating request for %s(%s) upgrade job status: %w", v1alpha1.CAPTenantKind, tenantId, err)
+	}
+	req.Header.Set(ContentType, ContentAppJson)
+	req.Header.Set(Authorization, fmt.Sprintf("%s %s", Bearer, token.AccessToken))
+	// wait until the final status of Upgrade job is received
+	success, err := fetchJobStatus(tenantId, client, req)
+	if err != nil || !success {
+		return fmt.Errorf("upgrade job for %s: %s %s: %w", v1alpha1.CAPTenantKind, tenantId, FailedWith, err)
+	}
+	// Upgrade Job was Successful
+	return nil
+}
+
+// Wait for and check mtx upgrade job result until a final status is received
+func fetchJobStatus(tenantId string, client http.Client, req *http.Request) (bool, error) {
+	// Send the Get Request to fetch mtx asyncUpgrade Job status
+	jobResp, err := client.Do(req)
+	if err != nil {
+		return false, err
+	}
+	// Parse the respnose
+	decoder := json.NewDecoder(jobResp.Body)
+	defer jobResp.Body.Close()
+	var upgradeJobResp upgradeJobResponse
+	err = decoder.Decode(&upgradeJobResp)
+	if err != nil {
+		klog.Errorf("parsing response for async upgrade of %s: %s%s%v", v1alpha1.CAPTenantKind, tenantId, FailedWith, err)
+		return false, err
+	}
+	// Re-trigger after sleeping for 10s if status is not "FINISHED"
+	// TODO: check if some of these should be moved to own go routines
+	if upgradeJobResp.Status == statusQueued || upgradeJobResp.Status == statusRunning {
+		time.Sleep(10 * time.Second)
+		return fetchJobStatus(tenantId, client, req)
+	} else if upgradeJobResp.Status == statusFailed {
+		// Job Failure
+		return false, fmt.Errorf("aync upgrade job for %s: %s %s: %s", v1alpha1.CAPTenantKind, tenantId, FailedWith, upgradeJobResp.Error)
+	}
+
+	// Check tenant upgrade status for the current tenant and return error if needed
+	if upgradeJobResp.Result.Tenants[tenantId].Status != statusSuccess {
+		return false, fmt.Errorf("upgrade of %s: %s %s: %s", v1alpha1.CAPTenantKind, tenantId, FailedWith, upgradeJobResp.Result.Tenants[tenantId].Message)
+	}
+	// tenant upgrade was successful
+	klog.Infof("%s upgrade for %s successful!", v1alpha1.CAPTenantKind, tenantId)
+	return true, nil
+}
diff --git a/cmd/mtx-job/main_test.go b/cmd/mtx-job/main_test.go
new file mode 100644
index 0000000..111f5be
--- /dev/null
+++ b/cmd/mtx-job/main_test.go
@@ -0,0 +1,510 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os"
+	"path"
+	"strings"
+	"testing"
+
+	"github.com/sap/cap-operator/internal/util"
+)
+
+type testPayload struct {
+	Test string `json:"test"`
+}
+
+type tlsAttributes struct {
+	certificate string
+	key         string
+}
+
+func readCertificateData() *struct {
+	cacert []byte
+	cert   []byte
+	key    []byte
+} {
+	cacert, _ := ioutil.ReadFile("../server/internal/testdata/rootCA.pem")
+	cert, _ := ioutil.ReadFile("../server/internal/testdata/auth.service.local.crt")
+	key, _ := ioutil.ReadFile("../server/internal/testdata/auth.service.local.key")
+	return &struct {
+		cacert []byte
+		cert   []byte
+		key    []byte
+	}{
+		cacert: cacert,
+		cert:   cert,
+		key:    key,
+	}
+}
+
+func createTestServer(ctx context.Context, t *testing.T, handler http.HandlerFunc, enableTLS bool, useVCAP bool) (string, func(), error) {
+	var (
+		tlsInfo   *tlsAttributes = nil
+		serverURL string
+	)
+	// create test server
+	ts := httptest.NewUnstartedServer(handler)
+	if enableTLS {
+		// Append CA cert to the system pool
+		rootCAs, _ := x509.SystemCertPool()
+		if rootCAs == nil {
+			rootCAs = x509.NewCertPool()
+		}
+		certInfo := readCertificateData()
+		rootCAs.AppendCertsFromPEM(certInfo.cacert)
+		cert, err := tls.X509KeyPair(certInfo.cert, certInfo.key)
+		if err != nil {
+			return "", nil, err
+		}
+		ts.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: rootCAs}
+		ts.StartTLS()
+
+		tlsInfo = &tlsAttributes{
+			certificate: string(certInfo.cert),
+			key:         string(certInfo.key),
+		}
+		serverURL = ts.Listener.Addr().String()
+	} else {
+		ts.Start()
+		serverURL = ts.URL
+	}
+	go func() {
+		<-ctx.Done()
+		ts.Close()
+	}()
+
+	basePath, err := createCredentialsForTesting(ts.URL, tlsInfo, useVCAP)
+	return serverURL, func() {
+		if !useVCAP {
+			os.RemoveAll(basePath)
+		} else {
+			os.Unsetenv(EnvVCAPServices)
+		}
+	}, err
+}
+
+func createCredentialsForTesting(url string, tls *tlsAttributes, useVCAP bool) (string, error) {
+	instance := "test-uaa"
+	os.Setenv(EnvXSUAAInstanceName, instance)
+
+	files := map[string]string{
+		"clientid":        "xsuaa-client-id",
+		"clientsecret":    "xsuaa-secret",
+		"url":             url,
+		"credential-type": "instance-secret",
+		"certurl":         "https://cert.auth.service.local",
+	}
+	if tls != nil {
+		files["credential-type"] = "x509"
+		files["certificate"] = tls.certificate
+		files["key"] = tls.key
+	}
+
+	if useVCAP {
+		vcap := map[string][]util.VCAPServiceInstance{"xsuaa": {{
+			Name:         instance,
+			InstanceName: instance,
+			Label:        "xsuaa",
+			Tags:         []string{"xsuaa"},
+			Credentials:  files,
+		}}}
+		data, _ := json.Marshal(vcap)
+		os.Setenv(EnvVCAPServices, string(data))
+		return "", nil
+	}
+
+	basePath, err := os.MkdirTemp("", "test-*")
+	if err != nil {
+		return "", fmt.Errorf("could not create temp dir: %s", err.Error())
+	}
+	os.Setenv(EnvCredentialsPath, basePath)
+
+	tmpDir := path.Join(basePath, "xsuaa", instance)
+	if err := os.MkdirAll(tmpDir, 0755); err != nil {
+		return "", fmt.Errorf("could not create temp dir: %s", err.Error())
+	}
+	var createAttributeFile = func(ch chan<- error, file string, value string) {
+		ch <- os.WriteFile(path.Join(tmpDir, file), []byte(value), 0755)
+	}
+
+	ch := make(chan error, len(files))
+	for k, v := range files {
+		go createAttributeFile(ch, k, v)
+	}
+	for i := 0; i < len(files); i++ {
+		err := <-ch
+		if err != nil {
+			return "", fmt.Errorf("could not create temp file")
+		}
+	}
+
+	return basePath, nil
+}
+
+func TestWaitForMTX(t *testing.T) {
+	ready, timeout := false, false
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/mtx/v1/provisioning/tenant" {
+			t.Error("wrong URI path")
+		}
+		if ready && !timeout {
+			body, _ := json.Marshal([]string{"t1", "t2"})
+			w.Write(body)
+		} else {
+			ready = true
+			w.WriteHeader(http.StatusServiceUnavailable)
+		}
+	}))
+	defer ts.Close()
+	mtxURL, _ := url.Parse(ts.URL)
+	token := &OAuthResponse{AccessToken: "sample-access-token", TokenType: "bearer"}
+
+	// test with one iteration expecting error and the next successful
+	err := waitForMTX(mtxURL, http.Client{}, token)
+	if err != nil {
+		t.Error("unexpected error")
+	}
+
+	// test timeout
+	timeout = true
+	os.Setenv(EnvWaitForMTXTimeoutSeconds, "2")
+	err = waitForMTX(mtxURL, http.Client{}, token)
+	if err == nil {
+		t.Error("expected context deadline error")
+	} else {
+		if err.Error() != "error when waiting for mtx: context deadline exceeded" {
+			t.Errorf("wrong error: %s", err.Error())
+		}
+	}
+}
+
+func TestFetchOAuthTokenWithClientSecret(t *testing.T) {
+	var unauthorized bool
+	handler := func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			t.Error("expected POST operation")
+		}
+		if r.Header.Get(ContentType) != ContentFormEncoded {
+			t.Errorf("expected %s %s", ContentType, ContentFormEncoded)
+		}
+		if r.Header.Get(Authorization) != fmt.Sprintf("Basic %s", base64.URLEncoding.EncodeToString([]byte("xsuaa-client-id:xsuaa-secret"))) {
+			t.Errorf("incorrect authorization header")
+		}
+		if !unauthorized {
+			w.Write([]byte("{\"access_token\":\"sample-access-token\",\"token_type\":\"bearer\",\"expires_in\":43199}"))
+		} else {
+			w.WriteHeader(http.StatusUnauthorized)
+		}
+	}
+
+	_, tearDown, err := createTestServer(context.TODO(), t, handler, false, false)
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+	defer tearDown()
+
+	// test valid request
+	token, err := fetchOAuthToken(http.Client{})
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+	if token.TokenType != "bearer" || token.AccessToken != "sample-access-token" {
+		t.Error("unexpected response body")
+	}
+
+	// test unauthorized
+	unauthorized = true
+	_, err = fetchOAuthToken(http.Client{})
+	if err == nil {
+		t.Error("expected error")
+	}
+}
+
+func TestFetchOAuthTokenWithX509Cert(t *testing.T) {
+	handler := func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			t.Error("expected POST operation")
+		}
+		if r.Header.Get(ContentType) != ContentFormEncoded {
+			t.Errorf("expected %s %s", ContentType, ContentFormEncoded)
+		}
+		w.Write([]byte("{\"access_token\":\"sample-access-token\",\"token_type\":\"bearer\",\"expires_in\":43199}"))
+	}
+
+	type testConfig struct {
+		testCase string
+		useVCAP  bool
+	}
+
+	for _, p := range []testConfig{
+		{testCase: "fetch token using x509 certificate using credentials from volume", useVCAP: false},
+		{testCase: "fetch token using x509 certificate using credentials from VCAP_SERVICES", useVCAP: true},
+	} {
+		t.Run(p.testCase, func(t *testing.T) {
+			serverAddr, tearDown, err := createTestServer(context.TODO(), t, handler, true, p.useVCAP)
+			if err != nil {
+				t.Fatal(err.Error())
+			}
+			defer tearDown()
+
+			dial := func(ctx context.Context, network, addr string) (net.Conn, error) {
+				if strings.Contains(addr, "auth.service.local:") {
+					addr = serverAddr
+				}
+				return net.Dial(network, addr)
+			}
+			client := http.Client{}
+			if t, ok := client.Transport.(*http.Transport); ok {
+				t.DialContext = dial
+			} else {
+				client.Transport = &http.Transport{DialContext: dial}
+			}
+
+			// test valid request
+			token, err := fetchOAuthToken(client)
+			if err != nil {
+				t.Fatal(err.Error())
+			}
+			if token.TokenType != "bearer" || token.AccessToken != "sample-access-token" {
+				t.Error("unexpected response body")
+			}
+		})
+	}
+}
+
+func TestSubscription(t *testing.T) {
+	mtx := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/mtx/v1/provisioning/tenant/test-tenant-id" {
+			t.Errorf("expected route with tenant id test-tenant-id")
+		}
+		if r.Header.Get(ContentType) != ContentAppJson {
+			t.Errorf("expected %s %s", ContentType, ContentAppJson)
+		}
+		if r.Header.Get(Authorization) != "Bearer sample-token" {
+			t.Error("expected oauth token for authorization")
+		}
+		content, err := ioutil.ReadAll(r.Body)
+		if err != nil {
+			t.Errorf("could not read payload: %s", err.Error())
+		}
+		var p testPayload
+		err = json.Unmarshal(content, &p)
+		if err != nil {
+			t.Errorf("could not read payload: %s", err.Error())
+		}
+		switch p.Test {
+		case "provisioning-ok":
+			if r.Method != http.MethodPut {
+				t.Errorf("expected %s", http.MethodPut)
+			}
+			w.WriteHeader(http.StatusOK)
+		case "provisioning-fail":
+			w.WriteHeader(http.StatusBadRequest)
+		case "deprovisioning-ok":
+			if r.Method != http.MethodDelete {
+				t.Errorf("expected %s", http.MethodDelete)
+			}
+			w.WriteHeader(http.StatusOK)
+		default:
+			t.Error("unknown test payload")
+		}
+	}))
+	defer mtx.Close()
+	mtxURL, _ := url.Parse(mtx.URL)
+	os.Setenv(EnvMTXTenantId, "test-tenant-id")
+
+	os.Setenv(EnvMTXRequestType, RequestTypeProvisioning)
+	os.Setenv(EnvMTXPayload, "{\"test\":\"provisioning-ok\"}")
+	err := processRequest(mtxURL, http.Client{}, &OAuthResponse{AccessToken: "sample-token", TokenType: "bearer"})
+	if err != nil {
+		t.Errorf("unexpected error: %s", err.Error())
+	}
+
+	os.Setenv(EnvMTXPayload, "{\"test\":\"provisioning-fail\"}")
+	err = processRequest(mtxURL, http.Client{}, &OAuthResponse{AccessToken: "sample-token", TokenType: "bearer"})
+	if err == nil {
+		t.Errorf("expected error")
+	}
+
+	os.Setenv(EnvMTXRequestType, RequestTypeDeprovisioning)
+	os.Setenv(EnvMTXPayload, "{\"test\":\"deprovisioning-ok\"}")
+	err = processRequest(mtxURL, http.Client{}, &OAuthResponse{AccessToken: "sample-token", TokenType: "bearer"})
+	if err != nil {
+		t.Errorf("unexpected error: %s", err.Error())
+	}
+}
+
+func TestUpgrade(t *testing.T) {
+	jobPreviousStatus := ""
+	mtx := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Header.Get(Authorization) != "Bearer sample-token" {
+			t.Error("expected oauth token for authorization")
+		}
+
+		switch r.URL.Path {
+		case "/mtx/v1/model/asyncUpgrade":
+			if r.Method != http.MethodPost {
+				t.Errorf("expected %s", http.MethodPost)
+			}
+			jobPreviousStatus = ""
+			if r.Header.Get(ContentType) != ContentAppJson {
+				t.Errorf("expected %s %s", ContentType, ContentAppJson)
+			}
+			content, err := ioutil.ReadAll(r.Body)
+			if err != nil {
+				t.Errorf("could not read payload: %s", err.Error())
+			}
+			var p testPayload
+			err = json.Unmarshal(content, &p)
+			if err != nil {
+				t.Errorf("could not read payload: %s", err.Error())
+			}
+			switch p.Test {
+			case "upgrade-job-ok":
+				w.WriteHeader(http.StatusCreated)
+				w.Write([]byte("{\"jobID\":\"job-id-ok\"}"))
+			case "upgrade-job-fail":
+				w.WriteHeader(http.StatusCreated)
+				w.Write([]byte("{\"jobID\":\"job-id-fail\"}"))
+			case "upgrade-job-queue-tenant-fail":
+				w.WriteHeader(http.StatusCreated)
+				w.Write([]byte("{\"jobID\":\"job-id-queue-fail\"}"))
+			case "upgrade-fail":
+				w.WriteHeader(http.StatusInternalServerError)
+			}
+		case "/mtx/v1/model/status/job-id-ok":
+			if r.Method != http.MethodGet {
+				t.Errorf("expected %s", http.MethodGet)
+			}
+			jobResponse := upgradeJobResponse{Status: "FINISHED", Result: upgradeJobResult{Tenants: map[string]tenantUpgradeResult{"test-tenant-id": {Status: "SUCCESS"}}}}
+			body, _ := json.Marshal(jobResponse)
+			w.Write(body)
+		case "/mtx/v1/model/status/job-id-fail":
+			if r.Method != http.MethodGet {
+				t.Errorf("expected %s", http.MethodGet)
+			}
+			jobResponse := upgradeJobResponse{Status: "FAILED", Error: "memory dump"}
+			body, _ := json.Marshal(jobResponse)
+			w.Write(body)
+		case "/mtx/v1/model/status/job-id-queue-fail":
+			if r.Method != http.MethodGet {
+				t.Errorf("expected %s", http.MethodGet)
+			}
+			var jobResponse upgradeJobResponse
+			if jobPreviousStatus == "" {
+				jobResponse = upgradeJobResponse{Status: "QUEUED"}
+				jobPreviousStatus = "QUEUED"
+			} else {
+				jobResponse = upgradeJobResponse{Status: "FINISHED", Result: upgradeJobResult{Tenants: map[string]tenantUpgradeResult{"test-tenant-id": {Status: "FAILED", Message: "tenant upgrade failed"}}}}
+			}
+			body, _ := json.Marshal(jobResponse)
+			w.Write(body)
+		}
+	}))
+	defer mtx.Close()
+	mtxURL, _ := url.Parse(mtx.URL)
+	os.Setenv(EnvMTXRequestType, RequestTypeUpgrade)
+	os.Setenv(EnvMTXTenantId, "test-tenant-id")
+
+	os.Setenv(EnvMTXPayload, "{\"test\":\"upgrade-job-ok\"}")
+	err := processRequest(mtxURL, http.Client{}, &OAuthResponse{AccessToken: "sample-token", TokenType: "bearer"})
+	if err != nil {
+		t.Errorf("unexpected error: %s", err.Error())
+	}
+
+	os.Setenv(EnvMTXPayload, "{\"test\":\"upgrade-fail\"}")
+	err = processRequest(mtxURL, http.Client{}, &OAuthResponse{AccessToken: "sample-token", TokenType: "bearer"})
+	if err == nil {
+		t.Errorf("expected error")
+	}
+
+	os.Setenv(EnvMTXPayload, "{\"test\":\"upgrade-job-fail\"}")
+	err = processRequest(mtxURL, http.Client{}, &OAuthResponse{AccessToken: "sample-token", TokenType: "bearer"})
+	if err == nil {
+		t.Errorf("expected error")
+	}
+
+	os.Setenv(EnvMTXPayload, "{\"test\":\"upgrade-job-queue-tenant-fail\"}")
+	err = processRequest(mtxURL, http.Client{}, &OAuthResponse{AccessToken: "sample-token", TokenType: "bearer"})
+	if err == nil {
+		t.Errorf("expected error")
+	}
+}
+
+func TestExecute(t *testing.T) {
+	provisioningError, mtxTimeout := false, false
+	handler := func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/oauth/token":
+			w.Write([]byte("{\"access_token\":\"sample-access-token\",\"token_type\":\"bearer\",\"expires_in\":43199}"))
+		case "/mtx/v1/provisioning/tenant":
+			if mtxTimeout {
+				w.WriteHeader(http.StatusBadGateway)
+			} else {
+				w.Write([]byte("[]"))
+			}
+		case "/mtx/v1/provisioning/tenant/test-tenant-id":
+			if provisioningError {
+				w.WriteHeader(http.StatusInternalServerError)
+			} else {
+				w.WriteHeader(http.StatusOK)
+			}
+		}
+	}
+
+	serverURL, tearDown, err := createTestServer(context.TODO(), t, handler, false, false)
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+	defer tearDown()
+
+	// test w/o mtx url
+	os.Unsetenv(EnvMTXServiceURL)
+	code := execute()
+	if code != 1 {
+		t.Error("expected error")
+	}
+
+	// test w/o request type
+	provisioningError = true
+	os.Setenv(EnvMTXServiceURL, serverURL)
+	os.Unsetenv(EnvMTXRequestType)
+	code = execute()
+	if code != 1 {
+		t.Error("expected error")
+	}
+
+	// test with successful simulated provisioning
+	provisioningError = false
+	os.Setenv(EnvMTXTenantId, "test-tenant-id")
+	os.Setenv(EnvMTXPayload, "{}")
+	os.Setenv(EnvMTXRequestType, RequestTypeProvisioning)
+	code = execute()
+	if code != 0 {
+		t.Error("expected exit code 0")
+	}
+
+	// test timeout waiting for mtx
+	mtxTimeout = true
+	os.Setenv(EnvMTXServiceURL, serverURL)
+	os.Setenv(EnvWaitForMTXTimeoutSeconds, "2")
+	code = execute()
+	if code != 1 {
+		t.Error("expected error")
+	}
+}
diff --git a/cmd/server/internal/client.go b/cmd/server/internal/client.go
new file mode 100644
index 0000000..84e5e69
--- /dev/null
+++ b/cmd/server/internal/client.go
@@ -0,0 +1,19 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package handler
+
+import (
+	"net/http"
+)
+
+type httpClientGenerator interface {
+	NewHTTPClient() *http.Client
+}
+
+type httpClientGeneratorImpl struct{}
+
+func (facade *httpClientGeneratorImpl) NewHTTPClient() *http.Client {
+	return &http.Client{}
+}
diff --git a/cmd/server/internal/handler.go b/cmd/server/internal/handler.go
new file mode 100644
index 0000000..a01c82d
--- /dev/null
+++ b/cmd/server/internal/handler.go
@@ -0,0 +1,585 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package handler
+
+import (
+	"bytes"
+	"context"
+	"crypto/sha1"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/klog/v2"
+
+	"github.com/sap/cap-operator/internal/util"
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"github.com/sap/cap-operator/pkg/client/clientset/versioned"
+)
+
+const (
+	LabelBTPApplicationIdentifierHash = "sme.sap.com/btp-app-identifier-hash"
+	LabelTenantId                     = "sme.sap.com/btp-tenant-id"
+)
+
+const (
+	ResourceCreated  = "resource created successfully"
+	ResourceFound    = "resource exists"
+	ResourceDeleted  = "resource deleted successfully"
+	ResourceNotFound = "resource not found"
+)
+
+const ErrorOccured = "Error occured "
+const InvalidRequestMethod = "invalid request method"
+const AuthorizationCheckFailed = "authorization check failed"
+const BearerPrefix = "Bearer "
+const BasicPrefix = "Basic "
+
+const (
+	CallbackSucceeded              = "SUCCEEDED"
+	CallbackFailed                 = "FAILED"
+	ProvisioningSucceededMessage   = "Provisioning successful"
+	ProvisioningFailedMessage      = "Provisioning failed"
+	DeprovisioningSucceededMessage = "Deprovisioning successful"
+	DeprovisioningFailedMessage    = "Deprovisioning failed"
+)
+
+type Result struct {
+	Tenant  *v1alpha1.CAPTenant
+	Message string
+}
+
+type SubscriptionHandler struct {
+	Clientset           versioned.Interface
+	KubeClienset        kubernetes.Interface
+	httpClientGenerator httpClientGenerator
+}
+
+type UserInfo struct {
+	UserId   string `json:"userId"`
+	UserName string `json:"userName"`
+	Email    string `json:"email"`
+	SubIdp   string `json:"subIdp"`
+	Sub      string `json:"sub"`
+}
+
+type AdditionalInformation struct {
+	Clientid     string `json:"clientid"`
+	Clientsecret string `json:"clientsecret"`
+	Tokenurl     string `json:"tokenurl"`
+}
+
+type DeprovisioningRequest struct {
+	SubscriptionAppId              string   `json:"subscriptionAppId"`
+	SubscriptionAppName            string   `json:"subscriptionAppName"`
+	SubscribedTenantId             string   `json:"subscribedTenantId"`
+	SubscribedZoneId               string   `json:"subscribedZoneId"`
+	SubscribedSubdomain            string   `json:"subscribedSubdomain"`
+	SubscribedSubaccountId         string   `json:"subscribedSubaccountId"`
+	SubscribedCrmId                string   `json:"subscribedCrmId"`
+	SubscriptionAppPlan            string   `json:"subscriptionAppPlan"`
+	SubscriptionAppAmount          string   `json:"subscriptionAppAmount"`
+	DependentServiceInstanceAppIds string   `json:"dependentServiceInstanceAppIds"`
+	GlobalAccountGUID              string   `json:"globalAccountGUID"`
+	UserId                         string   `json:"userId"`
+	UserInfo                       UserInfo `json:"userInfo"`
+}
+
+type ProvisioningRequest struct {
+	SubscriptionAppId              string                `json:"subscriptionAppId"`
+	SubscriptionAppName            string                `json:"subscriptionAppName"`
+	SubscribedTenantId             string                `json:"subscribedTenantId"`
+	SubscribedZoneId               string                `json:"subscribedZoneId"`
+	SubscribedSubdomain            string                `json:"subscribedSubdomain"`
+	SubscribedSubaccountId         string                `json:"subscribedSubaccountId"`
+	SubscribedLicenseType          string                `json:"subscribedLicenseType"`
+	SubscribedCrmId                string                `json:"subscribedCrmId"`
+	SubscriptionAppPlan            string                `json:"subscriptionAppPlan"`
+	SubscriptionAppAmount          string                `json:"subscriptionAppAmount"`
+	DependentServiceInstanceAppIds string                `json:"dependentServiceInstanceAppIds"`
+	GlobalAccountGUID              string                `json:"globalAccountGUID"`
+	EventType                      string                `json:"eventType"`
+	AdditionalInformation          AdditionalInformation `json:"additionalInformation"`
+	UserId                         string                `json:"userId"`
+	UserInfo                       UserInfo              `json:"userInfo"`
+}
+
+type GetRequest struct {
+	SubscriptionAppName string `json:"subscriptionAppName"`
+	GlobalAccountGUID   string `json:"globalAccountGUID"`
+	SubscribedTenantId  string `json:"subscribedTenantId"`
+}
+
+type CallbackResponse struct {
+	Status          string `json:"status"`
+	Message         string `json:"message"`
+	SubscriptionUrl string `json:"subscriptionUrl"`
+}
+
+type OAuthResponse struct {
+	AccessToken string `json:"access_token"`
+}
+
+func (s *SubscriptionHandler) CreateTenant(req *http.Request) *Result {
+	klog.Info("Create Tenant triggered")
+	var created = false
+	// Get the relevant provisioning request
+	decoder := json.NewDecoder(req.Body)
+	var reqType ProvisioningRequest
+	err := decoder.Decode(&reqType)
+	if err != nil {
+		klog.Error(ErrorOccured, err.Error())
+		return &Result{Tenant: nil, Message: err.Error()}
+	}
+
+	// Check if CAPApplication instance for the given btpApp exists
+	ca, err := s.checkCAPApp(reqType.GlobalAccountGUID, reqType.SubscriptionAppName)
+	if err != nil {
+		klog.Error(ErrorOccured, err.Error())
+		return &Result{Tenant: nil, Message: err.Error()}
+	}
+
+	// fetch SaaS Registry and XSUAA information
+	saasData, uaaData := s.getServiceDetails(ca)
+	if saasData == nil || uaaData == nil {
+		return &Result{Tenant: nil, Message: ResourceNotFound}
+	}
+
+	// validate token
+	err = s.checkAuthorization(req.Header.Get("Authorization"), saasData, uaaData)
+	if err != nil {
+		return &Result{Tenant: nil, Message: err.Error()}
+	}
+
+	// Check if A CRO for CAPTenant already exists
+	tenant := s.getTenant(reqType.GlobalAccountGUID, reqType.SubscriptionAppName, reqType.SubscribedTenantId, ca.Namespace).Tenant
+
+	// If the resource doesn't exist, we'll create it
+	if tenant == nil {
+		created = true
+		klog.Info("Creating Tenant")
+		tenant, _ = s.Clientset.SmeV1alpha1().CAPTenants(ca.Namespace).Create(context.TODO(), &v1alpha1.CAPTenant{
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: ca.Name + "-",
+				Namespace:    ca.Namespace,
+				Labels: map[string]string{
+					LabelBTPApplicationIdentifierHash: sha1Sum(reqType.GlobalAccountGUID, reqType.SubscriptionAppName),
+					LabelTenantId:                     reqType.SubscribedTenantId,
+				},
+			},
+			Spec: v1alpha1.CAPTenantSpec{
+				CAPApplicationInstance: ca.Name,
+				BTPTenantIdentification: v1alpha1.BTPTenantIdentification{
+					SubDomain: reqType.SubscribedSubdomain,
+					TenantId:  reqType.SubscribedTenantId,
+				},
+			},
+		}, metav1.CreateOptions{})
+	}
+
+	// TODO: consider retying tenant creation if it is in Error state
+	if tenant != nil {
+		s.initializeCallback(tenant.Name, ca, saasData, req, reqType.SubscribedSubdomain, true)
+	}
+
+	// Tenant created/exists
+	message := func(isCreated bool) string {
+		if isCreated {
+			return ResourceCreated
+		} else {
+			return ResourceFound
+		}
+	}
+	klog.V(2).Info("Done with create: ", message, tenant)
+	return &Result{Tenant: tenant, Message: message(created)}
+}
+
+func (s *SubscriptionHandler) getTenant(globalAccountGUID string, btpAppName string, tenantId string, namespace string) *Result {
+	labelSelector, err := labels.ValidatedSelectorFromSet(map[string]string{
+		LabelBTPApplicationIdentifierHash: sha1Sum(globalAccountGUID, btpAppName),
+		LabelTenantId:                     tenantId,
+	})
+	if err != nil {
+		klog.Error("Error occurred in getTenant", err.Error())
+		return &Result{Tenant: nil, Message: err.Error()}
+	}
+
+	ctList, err := s.Clientset.SmeV1alpha1().CAPTenants(namespace).List(context.TODO(), metav1.ListOptions{LabelSelector: labelSelector.String()})
+	if err != nil {
+		klog.Error("Error occured in getTenant", err.Error())
+		return &Result{Tenant: nil, Message: err.Error()}
+	}
+	if len(ctList.Items) == 0 {
+		klog.Info("No tenant found")
+		return &Result{Tenant: nil, Message: ResourceNotFound}
+	}
+	// Assume only 1 tenant actually matches the selector!
+	klog.V(2).Info("Tenant found", &ctList.Items[0])
+	return &Result{Tenant: &ctList.Items[0], Message: ResourceFound}
+}
+
+func (s *SubscriptionHandler) DeleteTenant(req *http.Request) *Result {
+	klog.Info("Delete Tenant triggered")
+	// Get the relevant deprovisioning request
+	decoder := json.NewDecoder(req.Body)
+	var reqType DeprovisioningRequest
+	err := decoder.Decode(&reqType)
+	if err != nil {
+		klog.Error(ErrorOccured, err.Error())
+		return &Result{Tenant: nil, Message: err.Error()}
+	}
+
+	// Check if CAPApplication instance for the given btpApp exists
+	ca, err := s.checkCAPApp(reqType.GlobalAccountGUID, reqType.SubscriptionAppName)
+	if err != nil {
+		klog.Error(ErrorOccured, err.Error())
+		return &Result{Tenant: nil, Message: err.Error()}
+	}
+
+	// fetch SaaS Registry and XSUAA information
+	saasData, uaaData := s.getServiceDetails(ca)
+	if saasData == nil || uaaData == nil {
+		return &Result{Tenant: nil, Message: ResourceNotFound}
+	}
+	if saasData == nil || uaaData == nil {
+		return &Result{Tenant: nil, Message: ResourceNotFound}
+	}
+
+	// validate token
+	err = s.checkAuthorization(req.Header.Get("Authorization"), saasData, uaaData)
+	if err != nil {
+		return &Result{Tenant: nil, Message: err.Error()}
+	}
+
+	tenant := s.getTenant(reqType.GlobalAccountGUID, reqType.SubscriptionAppName, reqType.SubscribedTenantId, ca.Namespace).Tenant
+
+	tenantName := "foo" //TODO
+	if tenant != nil {
+		tenantName = tenant.Name
+		klog.Info("Tenant found, deleting")
+		err = s.Clientset.SmeV1alpha1().CAPTenants(tenant.Namespace).Delete(context.TODO(), tenant.Name, metav1.DeleteOptions{})
+		if err != nil {
+			klog.Error("Error deleting tenant", err.Error())
+			return &Result{Tenant: nil, Message: err.Error()}
+		}
+	}
+
+	s.initializeCallback(tenantName, ca, saasData, req, reqType.SubscribedSubdomain, false)
+
+	return &Result{Tenant: tenant, Message: ResourceDeleted}
+}
+
+func (s *SubscriptionHandler) checkCAPApp(globalAccountId string, btpAppName string) (*v1alpha1.CAPApplication, error) {
+	labelSelector, err := labels.ValidatedSelectorFromSet(map[string]string{
+		LabelBTPApplicationIdentifierHash: sha1Sum(globalAccountId, btpAppName),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	capAppsList, err := s.Clientset.SmeV1alpha1().CAPApplications(metav1.NamespaceAll).List(context.TODO(), metav1.ListOptions{LabelSelector: labelSelector.String()})
+	if err != nil {
+		return nil, err
+	}
+	if len(capAppsList.Items) == 0 {
+		return nil, errors.New(ResourceNotFound) // TODO proper error message handling
+	}
+	// Assume only 1 app actually matches the selector!
+	return &capAppsList.Items[0], nil
+}
+
+func (s *SubscriptionHandler) checkAuthorization(authHeader string, saasData *util.SaasRegistryCredentials, uaaData *util.XSUAACredentials) error {
+	if strings.Index(authHeader, BearerPrefix) != 0 {
+		return errors.New("expected bearer token")
+	}
+
+	token := authHeader[7:]
+	err := VerifyXSUAAJWTToken(context.TODO(), token, &XSUAAConfig{
+		UAADomain:      saasData.UAADomain,
+		ClientID:       saasData.ClientId,
+		XSAppName:      uaaData.XSAppName,
+		RequiredScopes: []string{uaaData.XSAppName + ".Callback", uaaData.XSAppName + ".mtcallback"},
+	}, s.httpClientGenerator.NewHTTPClient())
+	if err != nil {
+		klog.Errorf("failed token validation: %s", err.Error())
+		return errors.New(AuthorizationCheckFailed)
+	}
+	return nil
+}
+
+func (s *SubscriptionHandler) initializeCallback(tenantName string, ca *v1alpha1.CAPApplication, saasData *util.SaasRegistryCredentials, req *http.Request, tenantSubDomain string, isProvisioning bool) {
+	appUrl := "https://" + tenantSubDomain + "." + ca.Spec.Domains.Primary
+	asyncCallbackPath := req.Header.Get("STATUS_CALLBACK")
+	klog.Infof("Subscription URL: %s, Async callback URL: %s", appUrl, asyncCallbackPath)
+
+	go func() {
+		// create a context for tenant checks and outgoing requests
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+
+		// Check tenant status asynchronously
+		klog.Info("Waiting for tenant status check...")
+		status := s.checkCAPTenantStatus(ctx, ca.Namespace, tenantName, isProvisioning, saasData.CallbackTimeoutMillis)
+		klog.Info("CAPTenant check result: ", status)
+
+		s.handleAsyncCallback(ctx, saasData, status, asyncCallbackPath, appUrl, isProvisioning)
+	}()
+
+	klog.Info("Waiting for async saas callback after checks...")
+}
+
+func (s *SubscriptionHandler) checkCAPTenantStatus(ctx context.Context, tenantNamespace string, tenantName string, provisioning bool, callbackTimeoutMs string) bool {
+	asyncCallbackTimeout := 15 * time.Minute
+	if callbackTimeoutMs != "" {
+		asyncCallbackTimeout, _ = time.ParseDuration(callbackTimeoutMs + "ms")
+	}
+
+	timedCtx, cancel := context.WithTimeout(ctx, asyncCallbackTimeout) // Assume tenants won't take over 15mins to be "Ready"
+	defer cancel()
+
+	for {
+		select {
+		case <-timedCtx.Done():
+			klog.Warningf("tenant status check: %s", timedCtx.Err().Error())
+			return false
+		default:
+			capTenant, err := s.Clientset.SmeV1alpha1().CAPTenants(tenantNamespace).Get(context.TODO(), tenantName, metav1.GetOptions{})
+			if k8sErrors.IsNotFound(err) {
+				klog.Info("No tenant found.. Exiting CAPTenant status check.")
+				if !provisioning {
+					return true
+				}
+			}
+			if capTenant != nil {
+				klog.Info("CAPTenant (tenantid: "+capTenant.Spec.TenantId+"), status: ", capTenant.Status.State)
+				if provisioning && (capTenant.Status.State == v1alpha1.CAPTenantStateReady || capTenant.Status.State == v1alpha1.CAPTenantStateProvisioningError) {
+					klog.Info("Exiting CAPTenant status check: ", capTenant.Status.State)
+					return capTenant.Status.State == v1alpha1.CAPTenantStateReady
+				}
+			}
+			time.Sleep(5 * time.Second)
+		}
+	}
+}
+
+func (s *SubscriptionHandler) getServiceDetails(ca *v1alpha1.CAPApplication) (*util.SaasRegistryCredentials, *util.XSUAACredentials) {
+	var (
+		wg       sync.WaitGroup
+		saasData *util.SaasRegistryCredentials
+		uaaData  *util.XSUAACredentials
+	)
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		saasData = s.getSaasDetails(ca)
+	}()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		uaaData = s.getXSUAADetails(ca)
+	}()
+
+	wg.Wait()
+	return saasData, uaaData
+}
+
+func (s *SubscriptionHandler) getSaasDetails(capApp *v1alpha1.CAPApplication) *util.SaasRegistryCredentials {
+	var (
+		result *util.SaasRegistryCredentials = nil
+		err    error
+		info   *v1alpha1.ServiceInfo
+	)
+	if info, err = s.getServiceInfo(capApp, "saas-registry"); err == nil {
+		result, err = util.ReadServiceCredentialsFromSecret[util.SaasRegistryCredentials](info, capApp.Namespace, s.KubeClienset)
+	}
+	if err != nil {
+		klog.Error("SaaS Registry credentials could not be read. Exiting..", err.Error())
+	}
+	return result
+}
+
+func (s *SubscriptionHandler) getXSUAADetails(capApp *v1alpha1.CAPApplication) *util.XSUAACredentials {
+	var (
+		result *util.XSUAACredentials = nil
+		err    error
+		info   *v1alpha1.ServiceInfo
+	)
+	info = util.GetXSUAAInfo(capApp.Spec.BTP.Services, capApp)
+
+	if info == nil {
+		err = fmt.Errorf("could not find service with class %s in CAPApplication %s.%s", "xsuaa", capApp.Namespace, capApp.Name)
+	} else {
+		result, err = util.ReadServiceCredentialsFromSecret[util.XSUAACredentials](info, capApp.Namespace, s.KubeClienset)
+	}
+
+	if err != nil {
+		klog.Error("XSUAA credentials could not be read. Exiting..", err.Error())
+	}
+	return result
+}
+
+func (s *SubscriptionHandler) getServiceInfo(ca *v1alpha1.CAPApplication, serviceClass string) (*v1alpha1.ServiceInfo, error) {
+	for i := range ca.Spec.BTP.Services {
+		if ca.Spec.BTP.Services[i].Class == serviceClass {
+			return &ca.Spec.BTP.Services[i], nil
+		}
+	}
+	return nil, fmt.Errorf("could not find service with class %s in CAPApplication %s.%s", serviceClass, ca.Namespace, ca.Name)
+}
+
+func prepareTokenRequest(ctx context.Context, saasData *util.SaasRegistryCredentials, client *http.Client) (tokenReq *http.Request, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("error preparing token request: %w", err)
+		}
+	}()
+	var (
+		tokenURL string
+	)
+	if saasData.CredentialType == "x509" {
+		tokenURL = saasData.CertificateUrl + "/oauth/token"
+
+		// setup client for mTLS
+		cert, err := tls.X509KeyPair([]byte(saasData.Certificate), []byte(saasData.CertificateKey))
+		if err != nil {
+			return nil, err
+		}
+		caCertPool, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, err
+		}
+		caCertPool.AppendCertsFromPEM([]byte(saasData.Certificate))
+		tlsConfig := &tls.Config{
+			RootCAs:      caCertPool,
+			Certificates: []tls.Certificate{cert},
+		}
+		if t, ok := client.Transport.(*http.Transport); ok {
+			t.TLSClientConfig = tlsConfig
+		} else {
+			client.Transport = &http.Transport{TLSClientConfig: tlsConfig}
+		}
+	} else {
+		tokenURL = saasData.AuthUrl + "/oauth/token"
+	}
+	tokenData := url.Values{}
+	tokenData.Add("client_id", saasData.ClientId)
+	tokenData.Add("grant_type", "client_credentials")
+
+	tokenReq, err = http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(tokenData.Encode()))
+	if err != nil {
+		return nil, err
+	}
+	tokenReq.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	if saasData.CredentialType != "x509" {
+		tokenReq.Header.Set("Authorization", BasicPrefix+base64.StdEncoding.EncodeToString([]byte(saasData.ClientId+":"+saasData.ClientSecret)))
+	}
+
+	return tokenReq, nil
+}
+
+func (s *SubscriptionHandler) handleAsyncCallback(ctx context.Context, saasData *util.SaasRegistryCredentials, status bool, asyncCallbackPath string, appUrl string, isProvisioning bool) {
+	// Get OAuth token
+	tokenClient := s.httpClientGenerator.NewHTTPClient()
+	tokenReq, err := prepareTokenRequest(ctx, saasData, tokenClient)
+	if err != nil {
+		klog.Error(err.Error())
+		return
+	}
+	klog.V(2).Info("Triggering OAuth: ", tokenReq)
+
+	tokenResponse, err := tokenClient.Do(tokenReq)
+	if err != nil {
+		klog.Error("Error getting token for async callback: ", err.Error())
+		return
+	} else {
+		klog.V(2).Info("Response from token handling for async callback: ", tokenResponse)
+		// Get the relevant OAuth request
+		decoder := json.NewDecoder(tokenResponse.Body)
+		var oAuthType OAuthResponse
+		err := decoder.Decode(&oAuthType)
+		if err != nil {
+			klog.Error("Error parsing token for async callback: ", err.Error())
+			return
+		}
+		defer tokenResponse.Body.Close()
+
+		checkMatch := func(match bool, trueVal string, falseVal string) string {
+			if match {
+				return trueVal
+			}
+			return falseVal
+		}
+
+		payload, _ := json.Marshal(&CallbackResponse{
+			Status:          checkMatch(status, CallbackSucceeded, CallbackFailed),
+			Message:         checkMatch(status, checkMatch(isProvisioning, ProvisioningSucceededMessage, DeprovisioningSucceededMessage), checkMatch(isProvisioning, ProvisioningFailedMessage, DeprovisioningFailedMessage)),
+			SubscriptionUrl: appUrl,
+		})
+		callbackReq, _ := http.NewRequestWithContext(ctx, http.MethodPut, saasData.SaasManagerUrl+asyncCallbackPath, bytes.NewBuffer(payload))
+		callbackReq.Header.Set("Content-Type", "application/json")
+		callbackReq.Header.Set("Authorization", BearerPrefix+oAuthType.AccessToken)
+
+		client := s.httpClientGenerator.NewHTTPClient()
+		klog.V(2).Info("Triggering callback: ", callbackReq)
+
+		callbackResponse, err := client.Do(callbackReq)
+		if err != nil {
+			klog.Error("Error sending async callback: ", err.Error())
+			return
+		} else {
+			klog.Info("Response from async callback: ", callbackResponse)
+			defer callbackResponse.Body.Close()
+		}
+	}
+
+	klog.Info("Exiting from async callback..")
+}
+
+func (s *SubscriptionHandler) HandleRequest(w http.ResponseWriter, req *http.Request) {
+	var subscriptionResult *Result
+	switch req.Method {
+	case http.MethodPut:
+		subscriptionResult = s.CreateTenant(req)
+		if subscriptionResult.Tenant == nil {
+			w.WriteHeader(http.StatusNotAcceptable)
+		} else {
+			w.WriteHeader(http.StatusAccepted)
+		}
+	case http.MethodDelete:
+		subscriptionResult = s.DeleteTenant(req)
+		if subscriptionResult.Message != ResourceDeleted {
+			w.WriteHeader(http.StatusNotAcceptable)
+		} else {
+			w.WriteHeader(http.StatusAccepted)
+		}
+	default:
+		subscriptionResult = &Result{Tenant: nil, Message: InvalidRequestMethod}
+		w.WriteHeader(http.StatusMethodNotAllowed)
+	}
+	res, _ := json.Marshal(subscriptionResult)
+	w.Write(res)
+}
+
+func NewSubscriptionHandler(clientset versioned.Interface, kubeClienset kubernetes.Interface) *SubscriptionHandler {
+	return &SubscriptionHandler{Clientset: clientset, KubeClienset: kubeClienset, httpClientGenerator: &httpClientGeneratorImpl{}}
+}
+
+// Returns an sha1 checksum for a given source string
+func sha1Sum(source ...string) string {
+	sum := sha1.Sum([]byte(strings.Join(source, "")))
+	return fmt.Sprintf("%x", sum)
+}
diff --git a/cmd/server/internal/handler_test.go b/cmd/server/internal/handler_test.go
new file mode 100644
index 0000000..11ec5f0
--- /dev/null
+++ b/cmd/server/internal/handler_test.go
@@ -0,0 +1,663 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package handler
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"io"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	k8sfake "k8s.io/client-go/kubernetes/fake"
+
+	"github.com/sap/cap-operator/internal/util"
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"github.com/sap/cap-operator/pkg/client/clientset/versioned/fake"
+)
+
+const RequestPath = "/provision"
+
+type httpTestClientGenerator struct {
+	client *http.Client
+}
+
+func (facade *httpTestClientGenerator) NewHTTPClient() *http.Client { return facade.client }
+
+const (
+	cavName         = "cav-test-controller"
+	caName          = "ca-test-controller"
+	appName         = "some-app-name"
+	globalAccountId = "cap-app-global"
+	subDomain       = "foo"
+	tenantId        = "012012012-1234-1234-123456"
+)
+
+func setup(ca *v1alpha1.CAPApplication, cat *v1alpha1.CAPTenant, client *http.Client) *SubscriptionHandler {
+	crdObjects := []runtime.Object{}
+	if ca != nil {
+		crdObjects = append(crdObjects, ca)
+	}
+	if cat != nil {
+		crdObjects = append(crdObjects, cat)
+	}
+
+	subHandler := NewSubscriptionHandler(fake.NewSimpleClientset(crdObjects...), k8sfake.NewSimpleClientset(createSecrets()...))
+	if client != nil {
+		subHandler.httpClientGenerator = &httpTestClientGenerator{client: client}
+	}
+	return subHandler
+}
+
+func createSecrets() []runtime.Object {
+	secs := []runtime.Object{}
+	secs = append(secs, &corev1.Secret{
+		ObjectMeta: v1.ObjectMeta{
+			Name:      "test-xsuaa-sec",
+			Namespace: v1.NamespaceDefault,
+		},
+		Type: corev1.SecretTypeOpaque,
+		Data: map[string][]byte{
+			"credentials": []byte(`{
+				"uaadomain": "auth.service.local",
+				"xsappname": "appname!b14",
+				"trustedclientidsuffix": "|appname!b14",
+				"verificationkey": "",
+				"sburl": "internal.auth.service.local",
+				"url": "https://app-domain.auth.service.local",
+				"credential-type": "instance-secret"
+			}`),
+		},
+	}, &corev1.Secret{
+		ObjectMeta: v1.ObjectMeta{
+			Name:      "test-xsuaa-sec2",
+			Namespace: v1.NamespaceDefault,
+		},
+		Type: corev1.SecretTypeOpaque,
+		Data: map[string][]byte{
+			"credentials": []byte(`{
+				"uaadomain": "auth2.service.local",
+				"xsappname": "appname!b21",
+				"trustedclientidsuffix": "|appname!b21",
+				"verificationkey": "",
+				"sburl": "internal.auth2.service.local",
+				"url": "https://app2-domain.auth2.service.local",
+				"credential-type": "instance-secret"
+			}`),
+		},
+	}, &corev1.Secret{
+		ObjectMeta: v1.ObjectMeta{
+			Name:      "test-saas-sec",
+			Namespace: v1.NamespaceDefault,
+		},
+		Type: corev1.SecretTypeOpaque,
+		Data: map[string][]byte{
+			"credentials": []byte(`{
+				"saas_registry_url": "https://sm.service.local",
+				"clientid": "clientid",
+				"clientsecret": "clientsecret",
+				"uaadomain": "auth.service.local",
+				"sburl": "internal.auth.service.local",
+				"url": "https://app-domain.auth.service.local",
+				"credential-type": "instance-secret"
+			}`),
+		},
+	})
+
+	return secs
+}
+
+func createCA() *v1alpha1.CAPApplication {
+	return &v1alpha1.CAPApplication{
+		ObjectMeta: v1.ObjectMeta{
+			Name:      caName,
+			Namespace: v1.NamespaceDefault,
+			Labels: map[string]string{
+				LabelBTPApplicationIdentifierHash: sha1Sum(globalAccountId, appName),
+			},
+		},
+		Spec: v1alpha1.CAPApplicationSpec{
+			Domains:         v1alpha1.ApplicationDomains{Primary: "app.sme.sap.com", IstioIngressGatewayLabels: []v1alpha1.NameValue{{Name: "foo", Value: "bar"}}},
+			GlobalAccountId: globalAccountId,
+			BTPAppName:      appName,
+			Provider: v1alpha1.BTPTenantIdentification{
+				SubDomain: subDomain,
+				TenantId:  tenantId,
+			},
+			BTP: v1alpha1.BTP{
+				Services: []v1alpha1.ServiceInfo{
+					{
+						Class:  "xsuaa",
+						Name:   "test-xsuaa",
+						Secret: "test-xsuaa-sec",
+					},
+					{
+						Class:  "xsuaa",
+						Name:   "test-xsuaa2",
+						Secret: "test-xsuaa-sec2",
+					},
+					{
+						Class:  "saas-registry",
+						Name:   "test-saas",
+						Secret: "test-saas-sec",
+					},
+					{
+						Class:  "service-manager",
+						Name:   "test-sm",
+						Secret: "test-sm-sec",
+					},
+					{
+						Class:  "destination",
+						Name:   "test-dest",
+						Secret: "test-dest-sec",
+					},
+					{
+						Class:  "html5-apps-repo",
+						Name:   "test-html-host",
+						Secret: "test-html-host-sec",
+					},
+					{
+						Class:  "html5-apps-repo",
+						Name:   "test-html-rt",
+						Secret: "test-html-rt-sec",
+					},
+				},
+			},
+		},
+	}
+}
+
+func createCAT(ready bool) *v1alpha1.CAPTenant {
+	cat := &v1alpha1.CAPTenant{
+		ObjectMeta: v1.ObjectMeta{
+			Name:      caName + "-provider",
+			Namespace: v1.NamespaceDefault,
+			Labels: map[string]string{
+				LabelBTPApplicationIdentifierHash: sha1Sum(globalAccountId, appName),
+				LabelTenantId:                     tenantId,
+			},
+		},
+		Spec: v1alpha1.CAPTenantSpec{
+			CAPApplicationInstance: caName,
+			BTPTenantIdentification: v1alpha1.BTPTenantIdentification{
+				SubDomain: subDomain,
+				TenantId:  tenantId,
+			},
+		},
+	}
+	if ready {
+		cat.Status = v1alpha1.CAPTenantStatus{
+			State:                                v1alpha1.CAPTenantStateReady,
+			CurrentCAPApplicationVersionInstance: "cap-version",
+			GenericStatus: v1alpha1.GenericStatus{
+				Conditions: []v1.Condition{{
+					Type:   string(v1alpha1.ConditionTypeReady),
+					Status: "True",
+					Reason: "TenantReady",
+				}},
+			},
+		}
+	}
+	return cat
+}
+
+func TestMain(m *testing.M) {
+	m.Run()
+}
+
+func Test_IncorrectMethod(t *testing.T) {
+	res := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodPatch, RequestPath, strings.NewReader(`{"foo": "bar"}`))
+	subHandler := setup(nil, nil, nil)
+	subHandler.HandleRequest(res, req)
+	if res.Code != http.StatusMethodNotAllowed {
+		t.Errorf("Expected status '%d', received '%d'", http.StatusMethodNotAllowed, res.Code)
+	}
+
+	// Get the relevant response
+	decoder := json.NewDecoder(res.Body)
+	var resType Result
+	err := decoder.Decode(&resType)
+	if err != nil {
+		t.Error("Unexpected error in expected response: ", res.Body)
+	}
+
+	if resType.Tenant != nil && resType.Message != InvalidRequestMethod {
+		t.Error("Response: ", res.Body, " does not match expected result: ", InvalidRequestMethod)
+	}
+
+}
+
+func Test_provisioning(t *testing.T) {
+	tests := []struct {
+		name               string
+		method             string
+		body               string
+		createCROs         bool
+		withSecretKey      bool
+		existingTenant     bool
+		expectedStatusCode int
+		expectedResponse   Result
+	}{
+		{
+			name:               "Invalid Provisioning Request",
+			method:             http.MethodPut,
+			body:               "",
+			expectedStatusCode: http.StatusNotAcceptable,
+			expectedResponse: Result{
+				Message: "EOF", //TODO
+			},
+		},
+		{
+			name:               "Provisioning Request without CROs",
+			method:             http.MethodPut,
+			body:               `{"subscriptionAppName":"` + appName + `","globalAccountGUID":"` + globalAccountId + `","subscribedTenantId":"` + tenantId + `"}`,
+			expectedStatusCode: http.StatusNotAcceptable,
+			expectedResponse: Result{
+				Message: "the server could not find the requested resource (get capapplications.sme.sap.com)", //TODO
+			},
+		},
+		{
+			name:               "Provisioning Request with CROs with invalid app name",
+			method:             http.MethodPut,
+			body:               `{"subscriptionAppName":"test-app","globalAccountGUID":"` + globalAccountId + `","subscribedTenantId":"` + tenantId + `"}`,
+			createCROs:         true,
+			expectedStatusCode: http.StatusNotAcceptable,
+			expectedResponse: Result{
+				Message: "", //TODO
+			},
+		},
+		{
+			name:               "Provisioning Request valid",
+			method:             http.MethodPut,
+			body:               `{"subscriptionAppName":"` + appName + `","globalAccountGUID":"` + globalAccountId + `","subscribedTenantId":"` + tenantId + `"}`,
+			createCROs:         true,
+			expectedStatusCode: http.StatusAccepted,
+			expectedResponse: Result{
+				Message: ResourceCreated,
+			},
+		},
+		{
+			name:               "Provisioning Request with existing tenant",
+			method:             http.MethodPut,
+			body:               `{"subscriptionAppName":"` + appName + `","globalAccountGUID":"` + globalAccountId + `","subscribedTenantId":"` + tenantId + `"}`,
+			createCROs:         true,
+			existingTenant:     true,
+			expectedStatusCode: http.StatusAccepted,
+			expectedResponse: Result{
+				Message: ResourceFound,
+			},
+		},
+	}
+
+	for _, testData := range tests {
+		t.Run(testData.name, func(t *testing.T) {
+			var ca *v1alpha1.CAPApplication
+			var cat *v1alpha1.CAPTenant
+			if testData.createCROs {
+				ca = createCA()
+			}
+			if testData.existingTenant {
+				cat = createCAT(false)
+			}
+			client, tokenString, err := SetupValidTokenAndIssuerForSubscriptionTests("appname!b14")
+			if err != nil {
+				t.Fatal(err.Error())
+			}
+			subHandler := setup(ca, cat, client)
+
+			res := httptest.NewRecorder()
+			req := httptest.NewRequest(testData.method, RequestPath, strings.NewReader(testData.body))
+			req.Header.Set("Authorization", "Bearer "+tokenString)
+			subHandler.HandleRequest(res, req)
+			if res.Code != testData.expectedStatusCode {
+				t.Errorf("Expected status '%d', received '%d'", testData.expectedStatusCode, res.Code)
+			}
+
+			// Get the relevant response
+			decoder := json.NewDecoder(res.Body)
+			var resType Result
+			err = decoder.Decode(&resType)
+			if err != nil {
+				t.Error("Unexpected error in expected response: ", res.Body)
+			}
+
+			if resType.Tenant != testData.expectedResponse.Tenant && resType.Message != testData.expectedResponse.Message {
+				t.Error("Response: ", res.Body, " does not match expected result: ", testData.expectedResponse)
+			}
+		})
+	}
+}
+
+func Test_deprovisioning(t *testing.T) {
+	tests := []struct {
+		name               string
+		method             string
+		createCROs         bool
+		existingTenant     bool
+		body               string
+		expectedStatusCode int
+		expectedResponse   Result
+		withSecretKey      bool
+	}{
+		{
+			name:   "Invalid Deprovisioning Request",
+			method: http.MethodDelete,
+
+			body:               "",
+			expectedStatusCode: http.StatusNotAcceptable,
+			expectedResponse: Result{
+				Message: "EOF", //TODO
+			},
+		},
+		{
+			name:   "Deprovisioning Request w/o CROs",
+			method: http.MethodDelete,
+
+			body:               `{"subscriptionAppName":"` + appName + `","globalAccountGUID":"` + globalAccountId + `","subscribedTenantId":"` + tenantId + `"}`,
+			expectedStatusCode: http.StatusNotAcceptable,
+			expectedResponse: Result{
+				Message: "the server could not find the requested resource (get capapplications.sme.sap.com)", //TODO
+			},
+		},
+		{
+			name:               "Deprovisioning Request valid",
+			method:             http.MethodDelete,
+			createCROs:         true,
+			body:               `{"subscriptionAppName":"` + appName + `","globalAccountGUID":"` + globalAccountId + `","subscribedTenantId":"` + tenantId + `"}`,
+			expectedStatusCode: http.StatusAccepted,
+			expectedResponse: Result{
+				Message: ResourceDeleted,
+			},
+		},
+		{
+			name:               "Deprovisioning Request valid existing tenant",
+			method:             http.MethodDelete,
+			createCROs:         true,
+			existingTenant:     true,
+			body:               `{"subscriptionAppName":"` + appName + `","globalAccountGUID":"` + globalAccountId + `","subscribedTenantId":"` + tenantId + `"}`,
+			expectedStatusCode: http.StatusAccepted,
+			expectedResponse: Result{
+				Message: ResourceDeleted,
+			},
+		},
+	}
+
+	for _, testData := range tests {
+		t.Run(testData.name, func(t *testing.T) {
+			var ca *v1alpha1.CAPApplication
+			var cat *v1alpha1.CAPTenant
+			if testData.createCROs {
+				ca = createCA()
+			}
+			if testData.existingTenant {
+				cat = createCAT(false)
+			}
+
+			// set custom client for testing
+			client, tokenString, err := SetupValidTokenAndIssuerForSubscriptionTests("appname!b14")
+			if err != nil {
+				t.Fatal(err.Error())
+			}
+			subHandler := setup(ca, cat, client)
+
+			res := httptest.NewRecorder()
+			req := httptest.NewRequest(testData.method, RequestPath, strings.NewReader(testData.body))
+			req.Header.Set("Authorization", "Bearer "+tokenString)
+			subHandler.HandleRequest(res, req)
+			if res.Code != testData.expectedStatusCode {
+				t.Errorf("Expected status '%d', received '%d'", testData.expectedStatusCode, res.Code)
+			}
+
+			// Get the relevant response
+			decoder := json.NewDecoder(res.Body)
+			var resType Result
+			err = decoder.Decode(&resType)
+			if err != nil {
+				t.Error("Unexpected error in expected response: ", res.Body)
+			}
+
+			if resType.Tenant != testData.expectedResponse.Tenant && resType.Message != testData.expectedResponse.Message {
+				t.Error("Response: ", res.Body, " does not match expected result: ", testData.expectedResponse)
+			}
+		})
+	}
+}
+
+func getX509KeyPair(t *testing.T) (string, string) {
+	read := func(file string) string {
+		value, err := os.ReadFile(file)
+		if err != nil {
+			t.Fatalf("error reading domain key pair: %s", err.Error())
+		}
+		return string(value)
+	}
+	return read("testdata/auth.service.local.crt"), read("testdata/auth.service.local.key")
+}
+
+func TestAsyncCallback(t *testing.T) {
+	certValue, keyValue := getX509KeyPair(t)
+	type testConfig struct {
+		testName          string
+		status            bool
+		useCredentialType string
+		isProvisioning    bool
+	}
+	saasData := &util.SaasRegistryCredentials{
+		SaasManagerUrl: "https://saas-manager.auth.service.local",
+		CredentialData: util.CredentialData{
+			CredentialType: "x509",
+			ClientId:       "randomapp!b14",
+			AuthUrl:        "https://secret.auth.service.local",
+			UAADomain:      "auth.service.local",
+			Certificate:    certValue,
+			CertificateKey: keyValue,
+			CertificateUrl: "https://cert.auth.service.local",
+		},
+	}
+
+	type testContextKey string
+	const cKey testContextKey = "async-callback-test"
+	createCallbackTestServer := func(ctx context.Context, t *testing.T, params *testConfig) *http.Client {
+		// NOTE: reusing the wildcard domain and certificates for *.auth.service.local
+
+		// Append CA cert to the system pool
+		rootCAs, _ := x509.SystemCertPool()
+		if rootCAs == nil {
+			rootCAs = x509.NewCertPool()
+		}
+		certs, err := os.ReadFile("testdata/rootCA.pem")
+		if err != nil {
+			t.Fatalf("error reading root CA certificate: %s", err.Error())
+		}
+		rootCAs.AppendCertsFromPEM(certs)
+
+		var calledHost string
+		ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch r.URL.Path {
+			case "/oauth/token":
+				t.Log(calledHost)
+				var expectedHostPattern string
+				if params.useCredentialType == "x509" {
+					expectedHostPattern = "cert.auth.service.local:"
+				} else {
+					expectedHostPattern = "secret.auth.service.local:"
+				}
+				if !strings.Contains(calledHost, expectedHostPattern) {
+					t.Error("wrong host for token fetch")
+				}
+				w.Write([]byte("{\"access_token\": \"test-server-access-token\"}"))
+			case "/async/callback":
+				if !strings.Contains(calledHost, "saas-manager.auth.service.local:") {
+					t.Error("wrong host for async callback")
+				}
+				if r.Header.Get("Authorization") != "Bearer test-server-access-token" {
+					t.Error("expected authorization header with token in async callback")
+				}
+				payload := &CallbackResponse{}
+				body, err := io.ReadAll(r.Body)
+				if err != nil {
+					t.Fatalf("could not read callback request body: %s", err.Error())
+				}
+				err = json.Unmarshal(body, payload)
+				if err != nil {
+					t.Fatalf("could not parse callback request body: %s", err.Error())
+				}
+				if (params.status && payload.Status != CallbackSucceeded) || (!params.status && payload.Status != CallbackFailed) {
+					t.Fatalf("status %s does not match status initiated from callback", payload.Status)
+				}
+				if params.isProvisioning {
+					if strings.Index(payload.Message, "Provisioning ") != 0 {
+						t.Fatal("incorrect message in payload")
+					}
+				} else {
+					if strings.Index(payload.Message, "Deprovisioning ") != 0 {
+						t.Fatal("incorrect message in payload")
+					}
+				}
+				w.WriteHeader(200)
+			}
+		}))
+		cert, err := tls.X509KeyPair([]byte(certValue), []byte(keyValue))
+		if err != nil {
+			t.Fatalf("error reading domain key pair: %s", err.Error())
+		}
+		ts.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: rootCAs}
+		ts.StartTLS()
+
+		// adjust client to have custom domain resolution
+		client := ts.Client()
+		client.Transport = &http.Transport{
+			DialContext: func(c context.Context, network, addr string) (net.Conn, error) {
+				if strings.Contains(addr, "auth.service.local:") {
+					if v := c.Value(cKey); v != nil {
+						calledHost = addr
+					} else {
+						calledHost = ""
+					}
+					addr = ts.Listener.Addr().String()
+				}
+				return net.Dial(network, addr)
+			},
+			TLSClientConfig: ts.TLS,
+		}
+
+		go func() {
+			<-ctx.Done()
+			ts.Close()
+		}()
+		return client
+	}
+
+	tests := []testConfig{
+		{testName: "1", status: true, useCredentialType: "x509", isProvisioning: true},
+		{testName: "2", status: true, useCredentialType: "x509", isProvisioning: false},
+		{testName: "3", status: false, useCredentialType: "instance-secret", isProvisioning: true},
+	}
+
+	ctx := context.WithValue(context.Background(), cKey, true)
+	for _, p := range tests {
+		saasData.CredentialType = p.useCredentialType
+		t.Run(p.testName, func(t *testing.T) {
+			client := createCallbackTestServer(context.TODO(), t, &p)
+			subHandler := setup(nil, nil, client)
+			subHandler.handleAsyncCallback(
+				ctx,
+				saasData,
+				p.status,
+				"/async/callback",
+				"https://app.cluster.local",
+				p.isProvisioning,
+			)
+		})
+	}
+}
+
+func TestCheckTenantStatusContextCancellationAsyncTimeout(t *testing.T) {
+	execTestsWithBLI(t, "Check Tenant Status Context Cancellation AsyncTimeout", []string{"ERP4SMEPREPWORKAPPPLAT-2240"}, func(t *testing.T) {
+		// test context cancellation (like deadline)
+		subHandler := setup(nil, nil, nil)
+		notify := make(chan bool)
+		go func() {
+			r := subHandler.checkCAPTenantStatus(context.Background(), "default", "test-cat", true, "4000")
+			notify <- r
+		}()
+
+		timeout := time.After(6 * time.Second) // this is greater than the sleep duration of the tenant check routine
+
+		select {
+		case r := <-notify:
+			if r != false {
+				t.Error("expected tenant check to return false")
+			}
+		case <-timeout:
+			t.Fatal("failed to cancel tenant check routine")
+		}
+	})
+}
+
+func TestCheckTenantStatusTenantReady(t *testing.T) {
+	// test context cancellation (like deadline)
+	cat := createCAT(true)
+	subHandler := setup(nil, cat, nil)
+	r := subHandler.checkCAPTenantStatus(context.TODO(), cat.Namespace, cat.Name, true, "")
+
+	if r != true {
+		t.Error("expected tenant check to return false")
+	}
+}
+
+func TestCheckTenantStatusWithCallbacktimeout(t *testing.T) {
+	execTestsWithBLI(t, "Check Tenant Status With Callback timeout", []string{"ERP4SMEPREPWORKAPPPLAT-2240"}, func(t *testing.T) {
+		// test context cancellation (like deadline)
+		cat := createCAT(false)
+		subHandler := setup(nil, cat, nil)
+		r := subHandler.checkCAPTenantStatus(context.TODO(), cat.Namespace, cat.Name, true, "4000")
+
+		if r != false {
+			t.Error("expected tenant check to return false, due to timeout (async callback timeout exceeded)")
+		}
+	})
+}
+
+func TestMultiXSUAA(t *testing.T) {
+	execTestsWithBLI(t, "Check Multiple xsuaa services used in a CA", []string{"ERP4SMEPREPWORKAPPPLAT-3773"}, func(t *testing.T) {
+		// CA without "sme.sap.com/primary-xsuaa" annotation
+		ca := createCA()
+
+		subHandler := setup(ca, nil, nil)
+		uaaCreds := subHandler.getXSUAADetails(ca)
+
+		if uaaCreds.AuthUrl != "https://app-domain.auth.service.local" {
+			t.Error("incorrect uaa returned")
+		}
+
+		// CA with "sme.sap.com/primary-xsuaa" annotation
+		ca2 := createCA()
+		ca2.Annotations = map[string]string{
+			util.AnnotationPrimaryXSUAA: "test-xsuaa2",
+		}
+
+		uaaCreds = subHandler.getXSUAADetails(ca2)
+
+		if uaaCreds.AuthUrl != "https://app2-domain.auth2.service.local" {
+			t.Error("incorrect uaa via annotations returned")
+		}
+	})
+}
+
+func execTestsWithBLI(t *testing.T, name string, backlogItems []string, test func(t *testing.T)) {
+	t.Run(name+", BLIs: "+strings.Join(backlogItems, ", "), test)
+}
diff --git a/cmd/server/internal/jwt.go b/cmd/server/internal/jwt.go
new file mode 100644
index 0000000..6d5eb61
--- /dev/null
+++ b/cmd/server/internal/jwt.go
@@ -0,0 +1,235 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package handler
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"path"
+	"strings"
+	"time"
+
+	"github.com/MicahParks/keyfunc/v2"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+type XSUAAConfig struct {
+	UAADomain string
+	// one of xsappname OR clientid must be part of the audience
+	XSAppName string
+	ClientID  string
+	// all requested scopes must be fulfilled
+	RequiredScopes []string
+}
+
+type XSUAAJWTClaims struct {
+	Scope                []string `json:"scope"`
+	ClientID             string   `json:"client_id"`
+	AuthorizedParty      string   `json:"azp"`
+	jwt.RegisteredClaims `json:",inline"`
+}
+
+type OpenIDConfig struct {
+	JWKSURI                    string   `json:"jwks_uri"`
+	SigningAlgorithmsSupported []string `json:"token_endpoint_auth_signing_alg_values_supported"`
+	ClaimsSupported            []string `json:"claims_supported"`
+}
+
+var (
+	errorJKUTokenHeader    = errors.New("jku token header validation failed")
+	errorInvalidClaimsType = errors.New("invalid token claims type")
+	errorInvalidAudience   = errors.New("invalid token audience")
+	errorInvalidScope      = errors.New("invalid token scope")
+)
+
+func getOpenIDConfig(uaaURL string, client *http.Client) (*OpenIDConfig, error) {
+	url, err := url.Parse(uaaURL)
+	if err != nil {
+		return nil, err
+	}
+	url.Path = path.Join(".well-known", "openid-configuration")
+	resp, err := client.Get(url.String())
+	if err != nil {
+		return nil, err
+	}
+	if resp.StatusCode != 200 {
+		return nil, fmt.Errorf("fetching openid configuration returned status %s", resp.Status)
+	}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	config := OpenIDConfig{}
+	return &config, json.Unmarshal(body, &config)
+}
+
+// token validation for XSUAA token implemented by following the guidelines provided -> CPSecurity/Knowledge-Base/03_ApplicationSecurity/TokenValidation/
+func VerifyXSUAAJWTToken(ctx context.Context, tokenString string, config *XSUAAConfig, client *http.Client) error {
+	_, err := jwt.ParseWithClaims(tokenString, &XSUAAJWTClaims{}, func(t *jwt.Token) (interface{}, error) {
+		// verify claims excluding expiration (as this is now done internally in jwt v5)
+		err := verifyClaims(t, config)
+		if err != nil {
+			return nil, err
+		}
+
+		// verify token algorithm
+		if tokenAlg, ok := t.Header["alg"].(string); !ok || tokenAlg == "" {
+			return nil, fmt.Errorf("expected token alg to be string")
+		}
+
+		// verify JKU header as per XSUAA requirements
+		jkuHost, ok := verifyJKUHeader(t, config.UAADomain)
+		if !ok {
+			return nil, errorJKUTokenHeader
+		}
+
+		// get well-known openid configuration
+		oidConfig, err := getOpenIDConfig("https://"+jkuHost, client)
+		if err != nil {
+			return nil, err
+		}
+
+		jwks, err := keyfunc.Get(oidConfig.JWKSURI, keyfunc.Options{Ctx: ctx, Client: client})
+		if err != nil {
+			return nil, err
+		}
+		return jwks.Keyfunc(t)
+	}, jwt.WithLeeway(-15*time.Second))
+
+	if err != nil {
+		return err
+	}
+
+	return nil // all good!
+}
+
+func verifyJKUHeader(t *jwt.Token, uaaDomain string) (string, bool) {
+	if jku, ok := t.Header["jku"].(string); ok {
+		if jku == "" {
+			return "", false
+		}
+		u, err := url.Parse(jku)
+		if err != nil {
+			return "", false
+		}
+		if len(u.Query()) > 0 || // there should not be any query parameters
+			!u.IsAbs() || // should contain a schema (HTTPS)
+			u.Fragment != "" || // should not contain fragments
+			!(strings.HasSuffix(u.Path, "token_keys") || strings.HasSuffix(u.Path, "token_keys/")) || // path should end with token_keys
+			!strings.HasSuffix(u.Hostname(), uaaDomain) { // jku hostname must be a subdomain of uaa domain
+			return "", false
+		}
+
+		return u.Host, true
+	}
+	return "", false
+}
+
+func verifyClaims(t *jwt.Token, config *XSUAAConfig) error {
+	claims, ok := t.Claims.(*XSUAAJWTClaims)
+	if !ok {
+		return errorInvalidClaimsType
+	}
+
+	// NOTE: in XSUAA scenarios, do not rely on token iss attribute
+
+	// verify audience
+	ok = verifyAudience(claims, config)
+	if !ok {
+		return errorInvalidAudience
+	}
+
+	ok = verifyScopes(claims, config)
+	if !ok {
+		return errorInvalidScope
+	}
+
+	return nil
+}
+
+func verifyAudience(claims *XSUAAJWTClaims, config *XSUAAConfig) bool {
+	tokenAud := convertToMap(extractAudience(claims))
+	knownAud := appendWithTrim([]string{config.ClientID}, config.XSAppName) // unless XSAPPNAME is provided, don't add it to valid audience list
+
+	// should match at least one of the expected audience
+	for _, expected := range knownAud {
+		if _, ok := tokenAud[expected]; ok {
+			return true // valid audience
+		}
+
+		// additional check for broker clients
+		if strings.Contains(expected, "!b") { // is a broker
+			for a := range tokenAud {
+				if strings.HasSuffix(a, "|"+expected) {
+					return true // valid
+				}
+			}
+		}
+	}
+
+	return false
+}
+
+func extractAudience(claims *XSUAAJWTClaims) []string {
+	r := adjustForNamespace(claims.Audience, false)
+
+	// extract audience from client id and scope (XSUAA specific)
+	// REFERENCE -> CPSecurity/Knowledge-Base/03_ApplicationSecurity/TokenValidation/#xsuaa-specifics_1
+	if len(r) == 0 {
+
+		r = append(r, adjustForNamespace(claims.Scope, true)...)
+	}
+	// use client id from token as audience
+	r = appendWithTrim(r, claims.ClientID)
+
+	return r
+}
+
+func appendWithTrim(s []string, v string) []string {
+	if val := strings.TrimSpace(v); len(val) > 0 {
+		return append(s, val)
+	}
+	return s
+}
+
+func adjustForNamespace(s []string, ignoreIfNotNamespaced bool) []string {
+	r := []string{}
+	for _, v := range s {
+		if i := strings.Index(v, "."); i > -1 {
+			r = appendWithTrim(r, v[:i])
+		} else if !ignoreIfNotNamespaced { // when processing scope, add to list only when namespaced
+			r = appendWithTrim(r, v)
+		}
+	}
+	return r
+}
+
+func verifyScopes(claims *XSUAAJWTClaims, config *XSUAAConfig) bool {
+	scope := claims.Scope
+	tokenScope := convertToMap(scope)
+	for _, expected := range config.RequiredScopes {
+		if _, ok := tokenScope[expected]; !ok {
+			return false // all expected scopes should match
+		}
+	}
+	return true
+}
+
+// Create a dummy lookup map
+func convertToMap(s []string) map[string]struct{} {
+	if s == nil {
+		return nil
+	}
+	m := map[string]struct{}{}
+	for _, item := range s {
+		m[item] = struct{}{}
+	}
+	return m
+}
diff --git a/cmd/server/internal/jwt_test.go b/cmd/server/internal/jwt_test.go
new file mode 100644
index 0000000..286745d
--- /dev/null
+++ b/cmd/server/internal/jwt_test.go
@@ -0,0 +1,360 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package handler
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"reflect"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/lestrrat-go/jwx/v2/jwk"
+)
+
+type JWKeys struct {
+	Keys []jwk.RSAPublicKey `json:"keys"`
+}
+
+type rsaKeyParams struct {
+	jwks  *JWKeys
+	key   *rsa.PrivateKey
+	keyID string
+}
+
+const jwksKeyID = "test-key-rsa"
+const jwtTestUAADomain = "auth.service.local"
+const testSubdomain = "test-subdomain"
+
+func createRSAKey() (*rsaKeyParams, error) {
+	privateKey, _ := rsa.GenerateKey(rand.Reader, 2048)
+	key, _ := jwk.FromRaw(privateKey.PublicKey)
+	publicKey := key.(jwk.RSAPublicKey)
+	publicKey.Set(jwk.KeyIDKey, jwksKeyID)
+	publicKey.Set(jwk.KeyUsageKey, "sig")
+	return &rsaKeyParams{
+		jwks:  &JWKeys{Keys: []jwk.RSAPublicKey{publicKey}},
+		key:   privateKey,
+		keyID: jwksKeyID,
+	}, nil
+}
+
+func SetupValidTokenAndIssuerForSubscriptionTests(xsappname string) (*http.Client, string, error) {
+	return setupTokenAndIssuer(&XSUAAConfig{
+		UAADomain:      jwtTestUAADomain,
+		XSAppName:      xsappname,
+		ClientID:       "some-client-id",
+		RequiredScopes: []string{xsappname + ".Callback", xsappname + ".mtcallback"},
+	}, &jwtTestParameters{})
+}
+
+type jwtTestParameters struct {
+	invalidJKUHeader      bool
+	useDifferentKeyToSign bool
+	invalidAudience       bool
+	clientIsBroker        bool
+	invalidScope          bool
+	expiredJWT            bool
+	notBeforeInFuture     bool
+}
+
+func setupTokenAndIssuer(config *XSUAAConfig, params *jwtTestParameters) (*http.Client, string, error) {
+	rsaKey, err := createRSAKey()
+	if err != nil {
+		return nil, "", fmt.Errorf("error generating rsa key: %s", err.Error())
+	}
+	claims := XSUAAJWTClaims{
+		Scope:           config.RequiredScopes,
+		ClientID:        "srv-broker!b14",
+		AuthorizedParty: "srv-broker!b14",
+		RegisteredClaims: jwt.RegisteredClaims{
+			Audience:  jwt.ClaimStrings{config.XSAppName, "srv-broker!b14"},
+			ID:        "jwt-token-01",
+			Issuer:    "https://" + strings.Join([]string{testSubdomain, config.UAADomain}, ".") + "/token",
+			Subject:   "jwt-token-01",
+			IssuedAt:  jwt.NewNumericDate(time.Now().Add(-30 * time.Minute)),
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(15 * time.Minute)),
+		},
+	}
+
+	// audience configuration
+	if params.invalidAudience {
+		claims.Audience = jwt.ClaimStrings{"invalid-a", "invalid-b"}
+	} else if params.clientIsBroker {
+		claims.ClientID = "sb-d447781d-c010-4c19-af30-ed49097f22de!b446|" + config.XSAppName
+		claims.Audience = jwt.ClaimStrings{}
+	}
+
+	if params.invalidScope {
+		claims.Scope = []string{"scope-a", "scope-b"}
+	}
+
+	if params.expiredJWT {
+		claims.ExpiresAt = jwt.NewNumericDate(time.Now().Add(-5 * time.Minute))
+	}
+	if params.notBeforeInFuture {
+		claims.NotBefore = jwt.NewNumericDate(time.Now().Add(5 * time.Minute))
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+
+	if params.invalidJKUHeader {
+		token.Header["jku"] = "https://" + strings.Join([]string{testSubdomain, "foo.bar.local"}, ".") + "/token_keys"
+	} else {
+		token.Header["jku"] = "https://" + strings.Join([]string{testSubdomain, config.UAADomain}, ".") + "/token_keys"
+	}
+
+	token.Header["kid"] = rsaKey.keyID
+
+	// sign token
+	signKey := rsaKey
+	if params.useDifferentKeyToSign {
+		signKey, _ = createRSAKey()
+	}
+	tokenString, err := token.SignedString(signKey.key)
+	if err != nil {
+		return nil, "", fmt.Errorf("error signing token: %s", err.Error())
+	}
+
+	client, err := createJWTTestTLSServer(context.TODO(), rsaKey.jwks)
+	if err != nil {
+		return nil, "", err
+	}
+
+	return client, tokenString, nil
+}
+
+func createJWTTestTLSServer(ctx context.Context, jwks *JWKeys) (*http.Client, error) {
+	domain := strings.Join([]string{testSubdomain, jwtTestUAADomain}, ".")
+
+	// Append CA cert to the system pool
+	rootCAs, _ := x509.SystemCertPool()
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+	certs, err := os.ReadFile("testdata/rootCA.pem")
+	if err != nil {
+		return nil, err
+	}
+	if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
+		return nil, errors.New("could not append CA cert")
+	}
+
+	// create test TLS server
+	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var body []byte
+		switch r.URL.Path {
+		case "/.well-known/openid-configuration":
+			body, _ = json.Marshal(OpenIDConfig{JWKSURI: "https://" + domain + "/token_keys", SigningAlgorithmsSupported: []string{"RS256"}})
+		case "/token_keys":
+			body, _ = json.MarshalIndent(jwks, "", "    ")
+		}
+		w.Write(body)
+	}))
+	cert, err := tls.LoadX509KeyPair("testdata/auth.service.local.crt", "testdata/auth.service.local.key")
+	if err != nil {
+		return nil, err
+	}
+	ts.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: rootCAs}
+	ts.StartTLS()
+
+	// adjust client to have custom domain resolution
+	client := ts.Client()
+	client.Transport = &http.Transport{
+		DialContext: func(_ context.Context, network, addr string) (net.Conn, error) {
+			if strings.Contains(addr, jwtTestUAADomain+":") {
+				addr = ts.Listener.Addr().String()
+			}
+			return net.Dial(network, addr)
+		},
+		TLSClientConfig: ts.TLS,
+	}
+
+	go func() {
+		<-ctx.Done()
+		ts.Close()
+	}()
+	return client, nil
+}
+
+var testXSUAAConfig *XSUAAConfig = &XSUAAConfig{
+	UAADomain:      jwtTestUAADomain,
+	XSAppName:      "myxsappname",
+	ClientID:       "some-client-id",
+	RequiredScopes: []string{"myxsappname.Callback", "myxsappname.mtcallback"},
+}
+
+func testVerifyValidToken(t *testing.T) {
+	client, tokenString, err := setupTokenAndIssuer(testXSUAAConfig, &jwtTestParameters{})
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	err = VerifyXSUAAJWTToken(context.TODO(), tokenString, testXSUAAConfig, client)
+	if err != nil {
+		t.Fatal("token validation failed")
+	}
+}
+
+func testValidTokenWithBrokerClientId(t *testing.T) {
+	brokerXSUAAConfig := &XSUAAConfig{
+		UAADomain:      testXSUAAConfig.UAADomain,
+		ClientID:       testXSUAAConfig.ClientID,
+		RequiredScopes: testXSUAAConfig.RequiredScopes,
+		XSAppName:      "xsapp!b4711",
+	}
+	client, tokenString, err := setupTokenAndIssuer(brokerXSUAAConfig, &jwtTestParameters{clientIsBroker: true})
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	err = VerifyXSUAAJWTToken(context.TODO(), tokenString, brokerXSUAAConfig, client)
+	if err != nil {
+		t.Fatal("token validation failed")
+	}
+}
+
+func testInvalidJKUHeader(t *testing.T) {
+	client, tokenString, err := setupTokenAndIssuer(testXSUAAConfig, &jwtTestParameters{invalidJKUHeader: true})
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	err = VerifyXSUAAJWTToken(context.TODO(), tokenString, testXSUAAConfig, client)
+	if err == nil {
+		t.Fatal("expected token validation to fail")
+	}
+
+	if !errors.Is(err, errorJKUTokenHeader) {
+		t.Error("error message was not as expected")
+	}
+}
+
+func testExpiredToken(t *testing.T) {
+	client, tokenString, err := setupTokenAndIssuer(testXSUAAConfig, &jwtTestParameters{expiredJWT: true})
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	err = VerifyXSUAAJWTToken(context.TODO(), tokenString, testXSUAAConfig, client)
+	if err == nil {
+		t.Fatal("expected token validation to fail")
+	}
+	if !errors.Is(err, jwt.ErrTokenExpired) {
+		t.Error("error message was not as expected")
+	}
+}
+
+func testTokenWithNotBefore(t *testing.T) {
+	client, tokenString, err := setupTokenAndIssuer(testXSUAAConfig, &jwtTestParameters{notBeforeInFuture: true})
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	err = VerifyXSUAAJWTToken(context.TODO(), tokenString, testXSUAAConfig, client)
+	if err == nil {
+		t.Fatal("expected token validation to fail")
+	}
+	if !errors.Is(err, jwt.ErrTokenNotValidYet) {
+		t.Error("error message was not as expected")
+	}
+}
+
+func testInvalidSignature(t *testing.T) {
+	client, tokenString, err := setupTokenAndIssuer(testXSUAAConfig, &jwtTestParameters{useDifferentKeyToSign: true})
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	err = VerifyXSUAAJWTToken(context.TODO(), tokenString, testXSUAAConfig, client)
+	if err == nil {
+		t.Fatal("expected token validation to fail")
+	}
+}
+
+func testInvalidAudience(t *testing.T) {
+	client, tokenString, err := setupTokenAndIssuer(testXSUAAConfig, &jwtTestParameters{invalidAudience: true})
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	err = VerifyXSUAAJWTToken(context.TODO(), tokenString, testXSUAAConfig, client)
+	if err == nil {
+		t.Fatal("expected token validation to fail")
+	}
+	if !errors.Is(err, errorInvalidAudience) {
+		t.Error("error message was not as expected")
+	}
+}
+
+func testInvalidScope(t *testing.T) {
+	client, tokenString, err := setupTokenAndIssuer(testXSUAAConfig, &jwtTestParameters{invalidScope: true})
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	err = VerifyXSUAAJWTToken(context.TODO(), tokenString, testXSUAAConfig, client)
+	if err == nil {
+		t.Fatal("expected token validation to fail")
+	}
+	if !errors.Is(err, errorInvalidScope) {
+		t.Error("error message was not as expected")
+	}
+}
+
+func testInvalidClaimsType(t *testing.T) {
+	type foo struct {
+		Foo string `json:"foo"`
+		jwt.RegisteredClaims
+	}
+
+	_, tokenString, _ := setupTokenAndIssuer(testXSUAAConfig, &jwtTestParameters{})
+
+	token, _ := jwt.ParseWithClaims(tokenString, &foo{}, func(t *jwt.Token) (interface{}, error) {
+		return []byte("Test"), nil
+	})
+
+	err := verifyClaims(token, testXSUAAConfig)
+	if err == nil {
+		t.Fatal("expected token validation to fail")
+	}
+	if !errors.Is(err, errorInvalidClaimsType) {
+		t.Error("error message was not as expected")
+	}
+}
+
+func TestJWT(t *testing.T) {
+	catalog := &[]struct {
+		test         func(t *testing.T)
+		backlogItems []string
+	}{
+		{test: testVerifyValidToken, backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2019", "ERP4SMEPREPWORKAPPPLAT-3188"}},
+		{test: testValidTokenWithBrokerClientId, backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2019", "ERP4SMEPREPWORKAPPPLAT-3188"}},
+		{test: testInvalidJKUHeader, backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2019", "ERP4SMEPREPWORKAPPPLAT-3188"}},
+		{test: testExpiredToken, backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2019", "ERP4SMEPREPWORKAPPPLAT-3188"}},
+		{test: testTokenWithNotBefore, backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2019", "ERP4SMEPREPWORKAPPPLAT-3188"}},
+		{test: testInvalidSignature, backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2019", "ERP4SMEPREPWORKAPPPLAT-3188"}},
+		{test: testInvalidAudience, backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2019", "ERP4SMEPREPWORKAPPPLAT-3188"}},
+		{test: testInvalidScope, backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2019", "ERP4SMEPREPWORKAPPPLAT-3188"}},
+		{test: testInvalidSignature, backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2019", "ERP4SMEPREPWORKAPPPLAT-3188"}},
+		{test: testInvalidClaimsType},
+	}
+	for _, tc := range *catalog {
+		nameParts := []string{runtime.FuncForPC(reflect.ValueOf(tc.test).Pointer()).Name()}
+		t.Run(strings.Join(append(nameParts, tc.backlogItems...), " "), tc.test)
+	}
+}
diff --git a/cmd/server/internal/testdata/auth.service.local.crt b/cmd/server/internal/testdata/auth.service.local.crt
new file mode 100644
index 0000000..a424362
--- /dev/null
+++ b/cmd/server/internal/testdata/auth.service.local.crt
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFJTCCBA2gAwIBAgIJANGmQ9qKKpLJMA0GCSqGSIb3DQEBCwUAMIG3MQswCQYD
+VQQGEwJERTEUMBIGA1UECAwLUmFuZG9tU3RhdGUxEzARBgNVBAcMClJhbmRvbUNp
+dHkxGzAZBgNVBAoMElJhbmRvbU9yZ2FuaXphdGlvbjEfMB0GA1UECwwWUmFuZG9t
+T3JnYW5pemF0aW9uVW5pdDEgMB4GCSqGSIb3DQEJARYRaGVsbG9AZXhhbXBsZS5j
+b20xHTAbBgNVBAMMFCouYXV0aC5zZXJ2aWNlLmxvY2FsMB4XDTIyMDUwNzIxMjAx
+MloXDTIzMDkxOTIxMjAxMlowgbcxCzAJBgNVBAYTAkRFMRQwEgYDVQQIDAtSYW5k
+b21TdGF0ZTETMBEGA1UEBwwKUmFuZG9tQ2l0eTEbMBkGA1UECgwSUmFuZG9tT3Jn
+YW5pemF0aW9uMR8wHQYDVQQLDBZSYW5kb21Pcmdhbml6YXRpb25Vbml0MSAwHgYJ
+KoZIhvcNAQkBFhFoZWxsb0BleGFtcGxlLmNvbTEdMBsGA1UEAwwUKi5hdXRoLnNl
+cnZpY2UubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDwQOin
+JSqDaezbcNDCMSrhd2vG9P7wFssZywzYvy6aU9zBSzQZfDQp/spt5lbQvP/iB4/I
+EFkGiSgjqSb6WK/2ids0t2gfI62xLEjCX9QWPtQeeenp8uxpZg8dp4JBYTaS4zlo
+1JYt/gyaGd/VhERsd0VNSPyQ4aI+nV7ARzP1lw3sdpOuGkfOtpzajniRw+YMK0tK
+k0LSwISVsN3CKYhNNk/Esg0kz+znKTdvQ7IlHUIdVgoQtDsC73VYvt6uADYbKZJq
+YmsL9CkESSZ2ZFkzPpYmAdunnOQTz9ZDxarniC7YPmo3sXM7O3tfyw762/nnWPPe
+wSLCiqnNqvv1j56LAgMBAAGjggEwMIIBLDCB1gYDVR0jBIHOMIHLoYG9pIG6MIG3
+MQswCQYDVQQGEwJERTEUMBIGA1UECAwLUmFuZG9tU3RhdGUxEzARBgNVBAcMClJh
+bmRvbUNpdHkxGzAZBgNVBAoMElJhbmRvbU9yZ2FuaXphdGlvbjEfMB0GA1UECwwW
+UmFuZG9tT3JnYW5pemF0aW9uVW5pdDEgMB4GCSqGSIb3DQEJARYRaGVsbG9AZXhh
+bXBsZS5jb20xHTAbBgNVBAMMFCouYXV0aC5zZXJ2aWNlLmxvY2FsggkA0Tp8M8gl
+9j8wCQYDVR0TBAIwADALBgNVHQ8EBAMCBPAwOQYDVR0RBDIwMIISYXV0aC5zZXJ2
+aWNlLmxvY2FsghQqLmF1dGguc2VydmljZS5sb2NhbIcEfwAAATANBgkqhkiG9w0B
+AQsFAAOCAQEAHKtlbkGSPaGryU3ou8QdKqBfSSPXFhl6aoE1drS2VVeSWYpvReAM
+weACk70v3jJsG+ia51HRvBHBVPdNUr/H8gawJX7fbECUf3DOkXbww/IUFwxd9jFM
+tvv4c3mMh2oHDX68jABApamPfQRhH9qmuEGdsQEwlE8uh0CnUmEeaCw2gtCmjwZ5
+QqCidRtyHQDZtioQzQYxVHeSHEf4YVKtWYkvJSc8kKmAcJAn51cjbD9R7HR3wtsi
+ezQo9wHaTfj4rdHDHqXwEpcPdeCA/CrWrDZfXtF4dkVP8BKvH1NVk6f5Cz8LcAe8
+S7s91u98+w/7Tx+cPVPJE+iTmeahEcAP7Q==
+-----END CERTIFICATE-----
diff --git a/cmd/server/internal/testdata/auth.service.local.key b/cmd/server/internal/testdata/auth.service.local.key
new file mode 100644
index 0000000..3ba01ab
--- /dev/null
+++ b/cmd/server/internal/testdata/auth.service.local.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDwQOinJSqDaezb
+cNDCMSrhd2vG9P7wFssZywzYvy6aU9zBSzQZfDQp/spt5lbQvP/iB4/IEFkGiSgj
+qSb6WK/2ids0t2gfI62xLEjCX9QWPtQeeenp8uxpZg8dp4JBYTaS4zlo1JYt/gya
+Gd/VhERsd0VNSPyQ4aI+nV7ARzP1lw3sdpOuGkfOtpzajniRw+YMK0tKk0LSwISV
+sN3CKYhNNk/Esg0kz+znKTdvQ7IlHUIdVgoQtDsC73VYvt6uADYbKZJqYmsL9CkE
+SSZ2ZFkzPpYmAdunnOQTz9ZDxarniC7YPmo3sXM7O3tfyw762/nnWPPewSLCiqnN
+qvv1j56LAgMBAAECggEBAI8mjbkxyu/8SFXEFY7vjtZCuqQUTGavnhpjQudOmqz3
+tPwzG/rnZ4lyOBldenLreieqS8BwBSuAw7rjyca22zmxkDwL3+1V6+M6OKwgPxV2
+IBt8lqR/yt9OIUmRCmp8SvEglI9iw4zp54ZWTmlBYyehtVhEWcDVwD9Aszkr88ir
+LeWsHiApvmoHJafCqY4q3DGPWEzg1ub/9fvi+BHnnH6crOhOH4HqwoJLrLmsGKDo
+4qBHLWfiRCR34zDJ2I8S75m1QNjFuvMYHarPFLyq5VvDp/Sml7TQvPPIbLB0YD5U
+HfvPoPB6LRG9eFkfTLsmOH9d/rU6054VJBUgwLlRoxECgYEA+BMqt5J6V9oZ2j1W
+v0muKyhvywV9krlEmG5+H84A7a9KLSXwIkx88cbAsKehkQqHavQ/xbSiEcTJ5WsW
+GTBj/cKfnqL/62QYxD9Kpm/LgWP7NZNteJZyx8NBGt7I9zLTYRJhlMh48ivTNRxp
+CxNIEpkf+8eL4hMmkwxGgH0YYnMCgYEA9+3G2WKojfQQhOrgWgal534xD88fxbIU
+TPHmOpGHF07YLP+Kogq3ow4C52Qul+O48z6oNZAKm8uOelyXQHxcgyg8eK3fQjPA
+j+Ghvn+OH74oqfamvbZbNYFlclYyWBOUlGV8xbMeeva6PeuWynqUirGMFyafuI9J
+2epNXFlylYkCgYBfYY81Eb60dIkoHhlyZvPuaBfDqZLEjTNQoHsh42T7/j+46DNS
+HLKVi2OfCHTYfYHfn5W9gFwoFM/Dw861VKO9d81Dg0x+xve2zNb481b9ouF9kfev
+O7laETrBCBOg6AvZ8OVP/VxzUGJes1O4DGvTqshfWDPycoaMV1XsJSzw/QKBgBo8
+QBmK1hlHZWQbUqhUIcQwV1K78TnDUWCfDGTQN4Jg5oFEfVAOYEZR2j7QHBoYj961
+l6krV+QKk0YhfCPnxQZgAJ4okAJ6ZXsUPkBhURHM1pK9tgFHRbmQusJxmpw1Xjih
+0KU/Ag+zAhxBTNCaThOrHA7rGGW4S/FSWONX18c5AoGAYkjPXs/I6B5Jp3H7maNo
+RT3nnNGOd0ZhxU+Z1vveilW9w8ZnAbxYolFucyFDX9NXNKyDVuOpAJUgjB0MNVg2
+whT9txoeDAgfhHDy/3sXZ5c5aMSS2og2nX3OmkO5t9YeHRpBscqmvqrK+f6ffudk
+K7gbgRz/ykbZKIEQBRCjaeA=
+-----END PRIVATE KEY-----
diff --git a/cmd/server/internal/testdata/rootCA.pem b/cmd/server/internal/testdata/rootCA.pem
new file mode 100644
index 0000000..6be1214
--- /dev/null
+++ b/cmd/server/internal/testdata/rootCA.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID7DCCAtQCCQDROnwzyCX2PzANBgkqhkiG9w0BAQsFADCBtzELMAkGA1UEBhMC
+REUxFDASBgNVBAgMC1JhbmRvbVN0YXRlMRMwEQYDVQQHDApSYW5kb21DaXR5MRsw
+GQYDVQQKDBJSYW5kb21Pcmdhbml6YXRpb24xHzAdBgNVBAsMFlJhbmRvbU9yZ2Fu
+aXphdGlvblVuaXQxIDAeBgkqhkiG9w0BCQEWEWhlbGxvQGV4YW1wbGUuY29tMR0w
+GwYDVQQDDBQqLmF1dGguc2VydmljZS5sb2NhbDAeFw0yMjA1MDcyMTE4NDdaFw0y
+NTAyMjQyMTE4NDdaMIG3MQswCQYDVQQGEwJERTEUMBIGA1UECAwLUmFuZG9tU3Rh
+dGUxEzARBgNVBAcMClJhbmRvbUNpdHkxGzAZBgNVBAoMElJhbmRvbU9yZ2FuaXph
+dGlvbjEfMB0GA1UECwwWUmFuZG9tT3JnYW5pemF0aW9uVW5pdDEgMB4GCSqGSIb3
+DQEJARYRaGVsbG9AZXhhbXBsZS5jb20xHTAbBgNVBAMMFCouYXV0aC5zZXJ2aWNl
+LmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4gDdW6Z0md2h
+Nym5YLV6bIeupl3dFurcnhq0s7CicjAodeS9U/zwgZdzatEk81y0WELsdvUuzsyx
+g6onObsM3xL/tWnPlrNlvwPlvXD38zb6TYmyuP7eW+da5wW2tlirx1N7adpWz623
+DQpkyvpJHbTmlGE9EGNALAOtvr0h7uR7eHXin4U4ezT2e+vsYK2kQ0zcFm2Qh9Ar
+0YedvlyWvYLLWT8vg2z8dTGbM16A3GiaRBxOo49YoDWhV5S1cviublt0BZ5wmzTr
+0kew4RdHA4WA7cA/dL1Hx8J1FVCjZvTDVt+FUOYb31slSEBPtSw4OL40wtaGUD/K
+8PrtrCV9oQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA1mFZq7DLojN04uo5bZ1JC
+PO/y4/Cn3j4g/lvZpe5IZe6O5qh17J76p0lFoc3JwczACSX33xB3m657pQWhfrx4
+izJ31O4EIsywxgteRp9BYSQxh5ME0YZiHCWRhba4rbJjX8RCA/9RF0n/3XW3cAtZ
+xVF56mjMVlSlVCWdmCJN5vxyHQneU5Fv67wS/qiIweJD2LFm/F7yqC7aElDaxJ9w
+7OPi/Pmyi/aFlmUQVEFkSWeehDfNktK6MHTAc8tD8Og4cQEb0Gy9UA625kNYshOi
+glBBpcwEIx+NPXiRvs1eeydr4G4bB6zcQpYuIulEnImRrMjwmBvwrC3kWHNdnlPq
+-----END CERTIFICATE-----
diff --git a/cmd/server/server.go b/cmd/server/server.go
new file mode 100644
index 0000000..574573c
--- /dev/null
+++ b/cmd/server/server.go
@@ -0,0 +1,71 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package main
+
+import (
+	"net/http"
+	"os"
+	"strconv"
+
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/klog/v2"
+
+	handler "github.com/sap/cap-operator/cmd/server/internal"
+	"github.com/sap/cap-operator/internal/util"
+	"github.com/sap/cap-operator/pkg/client/clientset/versioned"
+)
+
+func main() {
+	subHandler := getSubscriptionHandler()
+	http.HandleFunc("/provision/", subHandler.HandleRequest)
+
+	// Default port
+	port := "4000"
+
+	// Get Port from env
+	portEnv := os.Getenv("PORT")
+	if portEnv != "" {
+		port = portEnv
+	}
+
+	// Default TLS enabled = false
+	tlsEnabled := false
+
+	// Get TLS details from env
+	var tlsCertFile, tlsKeyFile string
+	tlsEnv := os.Getenv("TLS_ENABLED")
+	if tlsEnv != "" {
+		tlsEnvBool, err := strconv.ParseBool(tlsEnv)
+		if err != nil {
+			klog.Error("Error parsing TLS_ENABLED: ", err.Error())
+		}
+		tlsEnabled = tlsEnvBool
+		tlsCertFile = os.Getenv("TLS_CERT")
+		tlsKeyFile = os.Getenv("TLS_KEY")
+	}
+
+	klog.Info("Server running and listening (provider) with TLS: ", tlsEnabled, ", at port: ", port)
+	if tlsEnabled {
+		klog.Fatal(http.ListenAndServeTLS(":"+port, tlsCertFile, tlsKeyFile, nil))
+	} else {
+		http.ListenAndServe(":"+port, nil)
+	}
+}
+
+func getSubscriptionHandler() *handler.SubscriptionHandler {
+	config := util.GetConfig()
+
+	customResourceClientSet, err := versioned.NewForConfig(config)
+	if err != nil {
+		klog.Fatal("could not create client for custom resources: ", err.Error())
+	}
+
+	kubernetesClientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		klog.Fatal("could not create client for k8s resources: ", err.Error())
+	}
+
+	return handler.NewSubscriptionHandler(customResourceClientSet, kubernetesClientset)
+}
diff --git a/cmd/web-hooks/internal/handler/handler.go b/cmd/web-hooks/internal/handler/handler.go
new file mode 100644
index 0000000..f79badd
--- /dev/null
+++ b/cmd/web-hooks/internal/handler/handler.go
@@ -0,0 +1,629 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package handler
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"strconv"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"github.com/sap/cap-operator/pkg/client/clientset/versioned"
+	"golang.org/x/exp/slices"
+	admissionv1 "k8s.io/api/admission/v1"
+	"k8s.io/api/admission/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/klog/v2"
+)
+
+const (
+	LabelTenantType             = "sme.sap.com/tenant-type"
+	ProviderTenantType          = "provider"
+	SideCarEnv                  = "WEBHOOK_SIDE_CAR"
+	AdmissionError              = "admission error:"
+	InvalidResource             = "invalid resource"
+	InvalidationMessage         = "invalidated from webhook"
+	ValidationMessage           = "validated from webhook"
+	RequestPath                 = "/request"
+	DeploymentWorkloadCountErr  = "%s %s there should always be one workload deployment definition of type %s. Currently, there are %d workloads of type %s"
+	JobWorkloadCountErr         = "%s %s there should always be one workload job definition of type %s. Currently, there are %d workloads of type %s"
+	TenantOpJobWorkloadCountErr = "%s %s there should not be more than one workload job definition of type %s. Currently, there are %d workloads of type %s"
+)
+
+type validateResource struct {
+	errorOccured bool
+	allowed      bool
+	message      string
+}
+
+var (
+	universalDeserializer = serializer.NewCodecFactory(runtime.NewScheme()).UniversalDeserializer()
+)
+
+type WebhookHandler struct {
+	CrdClient versioned.Interface
+}
+
+// Metadata struct for parsing
+type Metadata struct {
+	Name      string            `json:"name"`
+	Namespace string            `json:"namespace"`
+	Labels    map[string]string `json:"labels"`
+}
+
+type ResponseCat struct {
+	Metadata `json:"metadata"`
+	Spec     *v1alpha1.CAPTenantSpec   `json:"spec"`
+	Status   *v1alpha1.CAPTenantStatus `json:"status"`
+	Kind     string                    `json:"kind"`
+}
+
+type ResponseCav struct {
+	Metadata `json:"metadata"`
+	Spec     *v1alpha1.CAPApplicationVersionSpec `json:"spec"`
+	Kind     string                              `json:"kind"`
+}
+
+type ResponseCa struct {
+	Metadata `json:"metadata"`
+	Spec     *v1alpha1.CAPApplicationSpec `json:"spec"`
+	Kind     string                       `json:"kind"`
+}
+
+type responseInterface interface {
+	isEmpty() bool
+}
+
+func (m Metadata) isEmpty() bool {
+	return m.Name == ""
+}
+
+func checkWorkloadPort(workload *v1alpha1.WorkloadDetails) validateResource {
+	if workload.DeploymentDefinition == nil {
+		return validAdmissionReviewObj()
+	}
+
+	if len(workload.DeploymentDefinition.Ports) == 0 {
+		return validAdmissionReviewObj()
+	}
+
+	// Checks-
+	// at least one port configuration should have routerDestinationName defined
+	// port name and port number should be unique
+	uniquePortNameCountMap := make(map[string]int)
+	uniquePortNumCountMap := make(map[string]int)
+	routerDestinationNameFound := false
+	for _, port := range workload.DeploymentDefinition.Ports {
+		if port.RouterDestinationName != "" {
+			routerDestinationNameFound = true
+		}
+		uniquePortNameCountMap[port.Name] += 1
+		uniquePortNumCountMap[strconv.Itoa(int(port.Port))] += 1
+	}
+
+	if !routerDestinationNameFound && workload.DeploymentDefinition.Type == v1alpha1.DeploymentCAP { // workloads of type Additional need not have a router destination
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf("%s %s routerDestinationName not defined in port configuration of workload - %s", InvalidationMessage, v1alpha1.CAPApplicationVersionKind, workload.Name),
+		}
+	}
+
+	if routerDestinationNameFound && workload.DeploymentDefinition.Type == v1alpha1.DeploymentRouter {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf("%s %s routerDestinationName should not be defined for workload of type Router - %s", InvalidationMessage, v1alpha1.CAPApplicationVersionKind, workload.Name),
+		}
+	}
+
+	for portName, cnt := range uniquePortNameCountMap {
+		if cnt > 1 {
+			return validateResource{
+				allowed: false,
+				message: fmt.Sprintf("%s %s duplicate port name: %s in workload - %s", InvalidationMessage, v1alpha1.CAPApplicationVersionKind, portName, workload.Name),
+			}
+		}
+	}
+
+	for portNum, cnt := range uniquePortNumCountMap {
+		if cnt > 1 {
+			return validateResource{
+				allowed: false,
+				message: fmt.Sprintf("%s %s duplicate port number: %s in workload - %s", InvalidationMessage, v1alpha1.CAPApplicationVersionKind, portNum, workload.Name),
+			}
+		}
+	}
+
+	return validAdmissionReviewObj()
+}
+
+func checkWorkloadType(workload *v1alpha1.WorkloadDetails) validateResource {
+	if workload.DeploymentDefinition != nil && workload.DeploymentDefinition.Type != v1alpha1.DeploymentCAP && workload.DeploymentDefinition.Type != v1alpha1.DeploymentRouter && workload.DeploymentDefinition.Type != v1alpha1.DeploymentAdditional {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf("%s %s invalid deployment definition type. Only supported - CAP, Router and Additional", InvalidationMessage, v1alpha1.CAPApplicationVersionKind),
+		}
+	}
+
+	if workload.JobDefinition != nil && workload.JobDefinition.Type != v1alpha1.JobContent && workload.JobDefinition.Type != v1alpha1.JobTenantOperation && workload.JobDefinition.Type != v1alpha1.JobCustomTenantOperation {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf("%s %s invalid job definition type. Only supported - Content, TenantOperation and CustomTenantOperation", InvalidationMessage, v1alpha1.CAPApplicationVersionKind),
+		}
+	}
+
+	return validAdmissionReviewObj()
+}
+
+func getWorkloadTypeCount(workloads []v1alpha1.WorkloadDetails) map[string]int {
+	workloadTypeCount := make(map[string]int)
+	for _, workload := range workloads {
+		if workload.DeploymentDefinition != nil && workload.DeploymentDefinition.Type == v1alpha1.DeploymentCAP {
+			workloadTypeCount[string(v1alpha1.DeploymentCAP)] += 1
+		}
+
+		if workload.DeploymentDefinition != nil && workload.DeploymentDefinition.Type == v1alpha1.DeploymentRouter {
+			workloadTypeCount[string(v1alpha1.DeploymentRouter)] += 1
+		}
+
+		if workload.JobDefinition != nil && workload.JobDefinition.Type == v1alpha1.JobContent {
+			workloadTypeCount[string(v1alpha1.JobContent)] += 1
+		}
+
+		if workload.JobDefinition != nil && workload.JobDefinition.Type == v1alpha1.JobTenantOperation {
+			workloadTypeCount[string(v1alpha1.JobTenantOperation)] += 1
+		}
+	}
+
+	return workloadTypeCount
+}
+
+func checkWorkloadTypeCount(cavObjNew *ResponseCav) validateResource {
+
+	workloadTypeCount := getWorkloadTypeCount(cavObjNew.Spec.Workloads)
+
+	if workloadTypeCount[string(v1alpha1.DeploymentCAP)] != 1 {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf(DeploymentWorkloadCountErr, InvalidationMessage, cavObjNew.Kind, v1alpha1.DeploymentCAP, workloadTypeCount[string(v1alpha1.DeploymentCAP)], v1alpha1.DeploymentCAP),
+		}
+	}
+
+	if workloadTypeCount[string(v1alpha1.DeploymentRouter)] != 1 {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf(DeploymentWorkloadCountErr, InvalidationMessage, cavObjNew.Kind, v1alpha1.DeploymentRouter, workloadTypeCount[string(v1alpha1.DeploymentRouter)], v1alpha1.DeploymentRouter),
+		}
+	}
+
+	if workloadTypeCount[string(v1alpha1.JobContent)] != 1 {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf(JobWorkloadCountErr, InvalidationMessage, cavObjNew.Kind, v1alpha1.JobContent, workloadTypeCount[string(v1alpha1.JobContent)], v1alpha1.JobContent),
+		}
+	}
+
+	return validAdmissionReviewObj()
+}
+
+func validateWorkloads(cavObjNew *ResponseCav) validateResource {
+	// Check: Workload name should be unique
+	//		  Only one workload deployment of type CAP, router and content is allowed
+	uniqueWorkloadNameCountMap := make(map[string]int)
+	for _, workload := range cavObjNew.Spec.Workloads {
+
+		if workloadTypeValidate := checkWorkloadType(&workload); !workloadTypeValidate.allowed {
+			return workloadTypeValidate
+		}
+
+		if workloadPortValidate := checkWorkloadPort(&workload); !workloadPortValidate.allowed {
+			return workloadPortValidate
+		}
+
+		// get count of workload names
+		uniqueWorkloadNameCountMap[workload.Name] += 1
+	}
+
+	for workloadName, cnt := range uniqueWorkloadNameCountMap {
+		if cnt > 1 {
+			return validateResource{
+				allowed: false,
+				message: fmt.Sprintf("%s %s duplicate workload name: %s", InvalidationMessage, cavObjNew.Kind, workloadName),
+			}
+		}
+	}
+
+	if workloadTypeCntValidate := checkWorkloadTypeCount(cavObjNew); !workloadTypeCntValidate.allowed {
+		return workloadTypeCntValidate
+	}
+
+	return validAdmissionReviewObj()
+}
+
+func getTenantOperationsFromSpec(cavObjNew *ResponseCav) map[string]int {
+	specTenantOperationsCntMap := make(map[string]int)
+	var tenantOperationsList []v1alpha1.TenantOperationWorkloadReference
+	if cavObjNew.Spec.TenantOperations.Provisioning != nil {
+		tenantOperationsList = append(tenantOperationsList, cavObjNew.Spec.TenantOperations.Provisioning...)
+	}
+
+	if cavObjNew.Spec.TenantOperations.Deprovisioning != nil {
+		tenantOperationsList = append(tenantOperationsList, cavObjNew.Spec.TenantOperations.Deprovisioning...)
+	}
+
+	if cavObjNew.Spec.TenantOperations.Upgrade != nil {
+		tenantOperationsList = append(tenantOperationsList, cavObjNew.Spec.TenantOperations.Upgrade...)
+	}
+
+	for _, tenantOperation := range tenantOperationsList {
+		specTenantOperationsCntMap[tenantOperation.WorkloadName] += 1
+	}
+	return specTenantOperationsCntMap
+}
+
+func checkForTenantOpJob(tenantOperations []v1alpha1.TenantOperationWorkloadReference, tenantOperationWorkloadCntMap map[string]int) bool {
+	return slices.ContainsFunc(tenantOperations, func(tenantOp v1alpha1.TenantOperationWorkloadReference) bool {
+		return tenantOperationWorkloadCntMap[tenantOp.WorkloadName] > 0
+	})
+}
+
+func validateWorkloadsinTenantOperations(allTenantOperationsWorkloadCntMap map[string]int, tenantOperationWorkloadCntMap map[string]int, cavObjNew *ResponseCav) validateResource {
+
+	specTenantOperationsCntMap := getTenantOperationsFromSpec(cavObjNew)
+
+	// If spec.tenantOperations is specified, the entries (for provisioning, upgrade and deprovisioning) must include all spec.workloads.jobDefinitions of type TenantOperation and CustomTenantOperation
+	for workloadTenantOperation := range allTenantOperationsWorkloadCntMap {
+		if specTenantOperationsCntMap[workloadTenantOperation] == 0 {
+			return validateResource{
+				allowed: false,
+				message: fmt.Sprintf("%s %s workload tenant operation %s is not specified in spec.tenantOperations", InvalidationMessage, v1alpha1.CAPApplicationVersionKind, workloadTenantOperation),
+			}
+		}
+	}
+
+	// All the entries specified in spec.tenantOperations should be a valid workload of type TenantOperation or customTenantOperation
+	for specTenantOperation := range specTenantOperationsCntMap {
+		if allTenantOperationsWorkloadCntMap[specTenantOperation] == 0 {
+			return validateResource{
+				allowed: false,
+				message: fmt.Sprintf("%s %s %s specified in spec.tenantOperations is not a valid workload of type TenantOperation or CustomTenantOperation", InvalidationMessage, v1alpha1.CAPApplicationVersionKind, specTenantOperation),
+			}
+		}
+	}
+
+	// If spec.tenantOperations are defined for provisioning, upgrade or deprovisioning, one of the operation must be a tenant operation
+	if cavObjNew.Spec.TenantOperations.Provisioning != nil && !checkForTenantOpJob(cavObjNew.Spec.TenantOperations.Provisioning, tenantOperationWorkloadCntMap) {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf("%s %s - No tenant operation specified in spec.tenantOperation.provisioning", InvalidationMessage, v1alpha1.CAPApplicationVersionKind),
+		}
+	}
+
+	if cavObjNew.Spec.TenantOperations.Upgrade != nil && !checkForTenantOpJob(cavObjNew.Spec.TenantOperations.Upgrade, tenantOperationWorkloadCntMap) {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf("%s %s - No tenant operation specified in spec.tenantOperation.upgrade", InvalidationMessage, v1alpha1.CAPApplicationVersionKind),
+		}
+	}
+
+	if cavObjNew.Spec.TenantOperations.Deprovisioning != nil && !checkForTenantOpJob(cavObjNew.Spec.TenantOperations.Deprovisioning, tenantOperationWorkloadCntMap) {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf("%s %s - No tenant operation specified in spec.tenantOperation.deprovisioning", InvalidationMessage, v1alpha1.CAPApplicationVersionKind),
+		}
+	}
+
+	return validAdmissionReviewObj()
+}
+
+func validateTenantOperations(cavObjNew *ResponseCav) validateResource {
+	// Check: If a jobDefinition of type CustomTenantOperation is part of the workloads, spec.tenantOperations must be specified. It is possible to omit spec.tenantOperations when there are no jobs of type CustomTenantOperation and only one job of type TenantOperation
+	//		  If spec.tenantOperations is specified, the entries (for provisioning, upgrade and deprovisioning) must include all spec.workloads.jobDefinitions of type TenantOperation
+	// 		  All the entries specified in spec.tenantOperations should be a valid workload of type TenantOperation or CustomTenantOperation
+	tenantOperationWorkloadCntMap := make(map[string]int)
+	allTenantOperationsWorkloadCntMap := make(map[string]int)
+	customTenantOpWorkloadCntMap := make(map[string]int)
+	for _, workload := range cavObjNew.Spec.Workloads {
+		if workload.JobDefinition != nil && workload.JobDefinition.Type == v1alpha1.JobTenantOperation {
+			tenantOperationWorkloadCntMap[workload.Name] += 1
+			allTenantOperationsWorkloadCntMap[workload.Name] += 1
+		}
+
+		if workload.JobDefinition != nil && workload.JobDefinition.Type == v1alpha1.JobCustomTenantOperation {
+			customTenantOpWorkloadCntMap[workload.Name] += 1
+			allTenantOperationsWorkloadCntMap[workload.Name] += 1
+		}
+	}
+
+	// It is possible to omit spec.tenantOperations when there are no jobs of type CustomTenantOperation and only one job of type TenantOperation
+	if len(customTenantOpWorkloadCntMap) == 0 && cavObjNew.Spec.TenantOperations == nil {
+		return validAdmissionReviewObj()
+	}
+
+	// If a jobDefinition of type CustomTenantOperation is part of the workloads, spec.tenantOperations must be specified
+	if len(customTenantOpWorkloadCntMap) > 0 && cavObjNew.Spec.TenantOperations == nil {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf("%s %s - If a jobDefinition of type CustomTenantOperation is part of the workloads, then spec.tenantOperations must be specified", InvalidationMessage, cavObjNew.Kind),
+		}
+	}
+
+	if cavObjNew.Spec.TenantOperations == nil {
+		return validAdmissionReviewObj()
+	}
+
+	if workloadsinTenantOperationsValidate := validateWorkloadsinTenantOperations(allTenantOperationsWorkloadCntMap, tenantOperationWorkloadCntMap, cavObjNew); !workloadsinTenantOperationsValidate.allowed {
+		return workloadsinTenantOperationsValidate
+	}
+
+	return validAdmissionReviewObj()
+}
+
+func (wh *WebhookHandler) checkCAPAppExists(cavObjNew *ResponseCav) validateResource {
+	if app, err := wh.CrdClient.SmeV1alpha1().CAPApplications(cavObjNew.Metadata.Namespace).Get(context.TODO(), cavObjNew.Spec.CAPApplicationInstance, metav1.GetOptions{}); app == nil || err != nil {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf("%s %s no valid %s found for: %s.%s", InvalidationMessage, cavObjNew.Kind, v1alpha1.CAPApplicationKind, cavObjNew.Metadata.Namespace, cavObjNew.Metadata.Name),
+		}
+	}
+
+	return validAdmissionReviewObj()
+}
+
+func (wh *WebhookHandler) validateCAPApplicationVersion(w http.ResponseWriter, admissionReview *admissionv1.AdmissionReview) validateResource {
+	cavObjOld := ResponseCav{}
+	cavObjNew := ResponseCav{}
+
+	// Note: Object is nil for "DELETE" operation
+	if admissionReview.Request.Operation == admissionv1.Create || admissionReview.Request.Operation == admissionv1.Update {
+		if validatedResource := unmarshalRawObj(w, admissionReview.Request.Object.Raw, &cavObjNew, v1alpha1.CAPApplicationVersionKind); !validatedResource.allowed {
+			return validatedResource
+		}
+	}
+
+	// Note: OldObject is nil for "CONNECT" and "CREATE" operations
+	if admissionReview.Request.Operation == admissionv1.Delete || admissionReview.Request.Operation == admissionv1.Update {
+		if validatedResource := unmarshalRawObj(w, admissionReview.Request.OldObject.Raw, &cavObjOld, v1alpha1.CAPApplicationVersionKind); !validatedResource.allowed {
+			return validatedResource
+		}
+	}
+
+	// check: on create
+	if admissionReview.Request.Operation == admissionv1.Create {
+		// Check: CAPApplication exists
+		if capAppExistsValidate := wh.checkCAPAppExists(&cavObjNew); !capAppExistsValidate.allowed {
+			return capAppExistsValidate
+		}
+
+		if workloadValidate := validateWorkloads(&cavObjNew); !workloadValidate.allowed {
+			return workloadValidate
+		}
+
+		return validateTenantOperations(&cavObjNew)
+
+	}
+
+	// check: update on .Spec
+	if admissionReview.Request.Operation == admissionv1.Update && !cmp.Equal(cavObjOld.Spec, cavObjNew.Spec) {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf("%s %s spec cannot be modified for: %s.%s", InvalidationMessage, cavObjNew.Kind, cavObjNew.Metadata.Namespace, cavObjNew.Metadata.Name),
+		}
+	}
+	return validAdmissionReviewObj()
+}
+
+func (wh *WebhookHandler) checkCaIsConsistent(catObjOld ResponseCat) validateResource {
+
+	ca, err := wh.CrdClient.SmeV1alpha1().CAPApplications(catObjOld.Metadata.Namespace).Get(context.TODO(), catObjOld.Spec.CAPApplicationInstance, metav1.GetOptions{})
+
+	if ca != nil && err == nil && ca.Status.State == v1alpha1.CAPApplicationStateConsistent && catObjOld.Metadata.Labels[LabelTenantType] == ProviderTenantType && catObjOld.Status.State == v1alpha1.CAPTenantStateReady {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf("%s provider %s %s cannot be deleted when a consistent %s %s exists. Delete the %s instead to delete all tenants", InvalidationMessage, catObjOld.Kind, catObjOld.Name, v1alpha1.CAPApplicationKind, ca.Name, v1alpha1.CAPApplicationKind),
+		}
+	}
+	return validAdmissionReviewObj()
+}
+
+func (wh *WebhookHandler) validateCAPTenant(w http.ResponseWriter, admissionReview *admissionv1.AdmissionReview) validateResource {
+	catObjOld := ResponseCat{}
+	catObjNew := ResponseCat{}
+
+	// Note: Object is nil for "DELETE" operation
+	if admissionReview.Request.Operation == admissionv1.Create || admissionReview.Request.Operation == admissionv1.Update {
+		if validatedResource := unmarshalRawObj(w, admissionReview.Request.Object.Raw, &catObjNew, v1alpha1.CAPTenantKind); !validatedResource.allowed {
+			return validatedResource
+		}
+	}
+	// Note: OldObject is nil for "CONNECT" and "CREATE" operations
+	if admissionReview.Request.Operation == admissionv1.Delete || admissionReview.Request.Operation == admissionv1.Update {
+		if validatedResource := unmarshalRawObj(w, admissionReview.Request.OldObject.Raw, &catObjOld, v1alpha1.CAPTenantKind); !validatedResource.allowed {
+			return validatedResource
+		}
+	}
+
+	// check: CAPApplication exists on create
+	if admissionReview.Request.Operation == admissionv1.Create {
+		if app, err := wh.CrdClient.SmeV1alpha1().CAPApplications(catObjNew.Metadata.Namespace).Get(context.TODO(), catObjNew.Spec.CAPApplicationInstance, metav1.GetOptions{}); app == nil || err != nil {
+			return validateResource{
+				allowed: false,
+				message: fmt.Sprintf("%s %s no valid %s found for: %s.%s", InvalidationMessage, catObjNew.Kind, v1alpha1.CAPApplicationKind, catObjNew.Metadata.Namespace, catObjNew.Metadata.Name),
+			}
+		}
+	}
+	// check: update on .Spec.CapApplicationInstance
+	if admissionReview.Request.Operation == admissionv1.Update && catObjOld.Spec.CAPApplicationInstance != catObjNew.Spec.CAPApplicationInstance {
+		return validateResource{
+			allowed: false,
+			message: fmt.Sprintf("%s %s capApplicationInstance value cannot be modified for: %s.%s", InvalidationMessage, catObjNew.Kind, catObjNew.Metadata.Namespace, catObjNew.Metadata.Name),
+		}
+	}
+
+	// check: dont allow provider tenant deletion when CA is consistent
+	if admissionReview.Request.Operation == admissionv1.Delete {
+		return wh.checkCaIsConsistent(catObjOld)
+	}
+
+	return validAdmissionReviewObj()
+}
+
+func (wh *WebhookHandler) validateCAPApplication(w http.ResponseWriter, admissionReview *admissionv1.AdmissionReview) validateResource {
+	caObjOld := ResponseCa{}
+	caObjNew := ResponseCa{}
+
+	// Note: OldObject is nil for "CONNECT" and "CREATE" operations
+	if admissionReview.Request.Operation == admissionv1.Delete || admissionReview.Request.Operation == admissionv1.Update {
+		if validatedResource := unmarshalRawObj(w, admissionReview.Request.OldObject.Raw, &caObjOld, v1alpha1.CAPApplicationKind); !validatedResource.allowed {
+			return validatedResource
+		}
+	}
+	if admissionReview.Request.Operation == admissionv1.Update || admissionReview.Request.Operation == admissionv1.Create {
+		// Note: Object is nil for "DELETE" operation
+
+		if validatedResource := unmarshalRawObj(w, admissionReview.Request.Object.Raw, &caObjNew, v1alpha1.CAPApplicationKind); !validatedResource.allowed {
+			return validatedResource
+		}
+		// check: update on .Spec.Provider
+		if admissionReview.Request.Operation == admissionv1.Update && !cmp.Equal(caObjNew.Spec.Provider, caObjOld.Spec.Provider) {
+			return validateResource{
+				allowed: false,
+				message: fmt.Sprintf("%s %s provider details cannot be changed for: %s.%s", InvalidationMessage, caObjNew.Kind, caObjNew.Metadata.Namespace, caObjNew.Metadata.Name),
+			}
+		}
+	}
+	return validAdmissionReviewObj()
+}
+
+func unmarshalRawObj(w http.ResponseWriter, rawBytes []byte, response responseInterface, resourceKind string) validateResource {
+	if err := json.Unmarshal(rawBytes, response); err != nil || response.isEmpty() {
+		return invalidAdmissionReviewObj(w, resourceKind, err)
+	}
+	return validAdmissionReviewObj()
+}
+
+func (wh *WebhookHandler) Validate(w http.ResponseWriter, r *http.Request) {
+	// read incoming request to bytes
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		httpError(w, http.StatusInternalServerError, fmt.Errorf("%s %w", AdmissionError, err))
+		return
+	}
+
+	// sidecar
+	if !enableSidecar(w, body) {
+		return
+	}
+
+	// create admission review from bytes
+	admissionReview := getAdmissionRequestFromBytes(w, body)
+	if admissionReview == nil {
+		return
+	}
+
+	klog.Infof("incoming admission review for: %s", admissionReview.Request.Kind.Kind)
+
+	validation := validAdmissionReviewObj()
+
+	switch admissionReview.Request.Kind.Kind {
+	case v1alpha1.CAPApplicationVersionKind:
+		if validation = wh.validateCAPApplicationVersion(w, admissionReview); validation.errorOccured {
+			return
+		}
+	case v1alpha1.CAPTenantKind:
+		if validation = wh.validateCAPTenant(w, admissionReview); validation.errorOccured {
+			return
+		}
+	case v1alpha1.CAPApplicationKind:
+		if validation = wh.validateCAPApplication(w, admissionReview); validation.errorOccured {
+			return
+		}
+	}
+
+	// prepare response
+	if responseBytes := prepareResponse(w, admissionReview, validation); responseBytes == nil {
+		return
+	} else {
+		w.Write(responseBytes)
+	}
+}
+
+func enableSidecar(w http.ResponseWriter, body []byte) bool {
+	// write request to volume mount - if side car is enabled
+	sidecarEnv := os.Getenv(SideCarEnv)
+
+	if sidecarEnv != "" {
+		if sidecarEnabled, err := strconv.ParseBool(sidecarEnv); err != nil {
+			httpError(w, http.StatusInternalServerError, fmt.Errorf("sidecar env read error: %w", err))
+			return false
+		} else if sidecarEnabled {
+			if err = ioutil.WriteFile(os.TempDir()+RequestPath, body, 0644); err != nil {
+				httpError(w, http.StatusInternalServerError, fmt.Errorf("request object write error: %w", err))
+				return false
+			}
+		}
+	}
+	return true
+}
+
+func getAdmissionRequestFromBytes(w http.ResponseWriter, body []byte) *admissionv1.AdmissionReview {
+	admissionReview := admissionv1.AdmissionReview{}
+	if _, _, err := universalDeserializer.Decode(body, nil, &admissionReview); err != nil {
+		httpError(w, http.StatusBadRequest, fmt.Errorf("%s %w", AdmissionError, err))
+		return nil
+	} else if admissionReview.Request == nil {
+		httpError(w, http.StatusBadRequest, fmt.Errorf("%s empty request", AdmissionError))
+		return nil
+	}
+	return &admissionReview
+}
+
+func prepareResponse(w http.ResponseWriter, admissionReview *admissionv1.AdmissionReview, validation validateResource) []byte {
+	// prepare response object
+	finalizedAdmissionReview := v1beta1.AdmissionReview{}
+	finalizedAdmissionReview.Kind = admissionReview.Kind
+	finalizedAdmissionReview.APIVersion = admissionReview.APIVersion
+	finalizedAdmissionReview.Response = &v1beta1.AdmissionResponse{
+		UID:     admissionReview.Request.UID,
+		Allowed: validation.allowed,
+	}
+	finalizedAdmissionReview.APIVersion = admissionReview.APIVersion
+
+	if !validation.allowed {
+		finalizedAdmissionReview.Response.Result = &metav1.Status{
+			Message: validation.message,
+		}
+		klog.Info(admissionReview.Request.Kind.Kind + " " + string(admissionReview.Request.Operation) + " " + InvalidationMessage)
+	} else {
+		klog.Info(admissionReview.Request.Kind.Kind + " " + string(admissionReview.Request.Operation) + " " + ValidationMessage)
+	}
+
+	if bytes, err := json.Marshal(&finalizedAdmissionReview); err != nil {
+		httpError(w, http.StatusInternalServerError, fmt.Errorf("%s %w", AdmissionError, err))
+		return nil
+	} else {
+		return bytes
+	}
+}
+
+func httpError(w http.ResponseWriter, code int, err error) {
+	klog.Error(err)
+	http.Error(w, err.Error(), code)
+}
+
+func invalidAdmissionReviewObj(w http.ResponseWriter, kind string, sourceErr error) validateResource {
+	httpError(w, http.StatusInternalServerError, fmt.Errorf("%s %s %s %w", InvalidResource, kind, AdmissionError, sourceErr))
+	return validateResource{errorOccured: true}
+}
+
+func validAdmissionReviewObj() validateResource {
+	return validateResource{allowed: true}
+}
diff --git a/cmd/web-hooks/internal/handler/handler_test.go b/cmd/web-hooks/internal/handler/handler_test.go
new file mode 100644
index 0000000..d10c90e
--- /dev/null
+++ b/cmd/web-hooks/internal/handler/handler_test.go
@@ -0,0 +1,1164 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package handler
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	fakeCrdClient "github.com/sap/cap-operator/pkg/client/clientset/versioned/fake"
+	admissionv1 "k8s.io/api/admission/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+const (
+	cavName    = "someCavName"
+	catName    = "someCatName"
+	caName     = "someCaName"
+	uid        = "someUID"
+	apiVersion = "apiVersion"
+	subDomain  = "someSubdomain"
+	tenantId   = "someTenantId"
+)
+
+type updateType int
+
+const (
+	noUpdate updateType = iota
+	providerUpdate
+	appInstanceUpdate
+	registrySecretsUpdate
+	consumedBTPServicesUpdate
+	versionUpdate
+	imageUpdate
+	emptyUpdate
+)
+
+func createCaCRO() *v1alpha1.CAPApplication {
+	return &v1alpha1.CAPApplication{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      caName,
+			Namespace: metav1.NamespaceDefault,
+		},
+		Spec: v1alpha1.CAPApplicationSpec{
+			Domains:         v1alpha1.ApplicationDomains{Primary: "primaryDomain", IstioIngressGatewayLabels: []v1alpha1.NameValue{{Name: "foo", Value: "bar"}}},
+			GlobalAccountId: "globalAccountId",
+			BTPAppName:      "btpApplicationName",
+			Provider: v1alpha1.BTPTenantIdentification{
+				SubDomain: subDomain,
+				TenantId:  tenantId,
+			},
+			BTP: v1alpha1.BTP{
+				Services: []v1alpha1.ServiceInfo{
+					{
+						Class:  "xsuaa",
+						Name:   "test-xsuaa",
+						Secret: "test-xsuaa-sec",
+					},
+					{
+						Class:  "saas-registry",
+						Name:   "test-saas",
+						Secret: "test-saas-sec",
+					},
+					{
+						Class:  "service-manager",
+						Name:   "test-sm",
+						Secret: "test-sm-sec",
+					},
+					{
+						Class:  "destination",
+						Name:   "test-dest",
+						Secret: "test-dest-sec",
+					},
+					{
+						Class:  "html5-apps-repo",
+						Name:   "test-html-host",
+						Secret: "test-html-host-sec",
+					},
+					{
+						Class:  "html5-apps-repo",
+						Name:   "test-html-rt",
+						Secret: "test-html-rt-sec",
+					},
+				},
+			},
+		},
+		Status: v1alpha1.CAPApplicationStatus{
+			State: v1alpha1.CAPApplicationStateConsistent,
+		},
+	}
+}
+
+func getHttpRequest(operation admissionv1.Operation, crdType string, crdName string, change updateType, t *testing.T) (*http.Request, *httptest.ResponseRecorder) {
+	admissionReview, err := createAdmissionRequest(operation, crdType, crdName, change)
+	if err != nil {
+		t.Fatal("admission review error")
+	}
+	bytesRequest, err := json.Marshal(admissionReview)
+	if err != nil {
+		t.Fatal("marshal error")
+	}
+	req := httptest.NewRequest(http.MethodGet, "/validate", bytes.NewBuffer(bytesRequest))
+	w := httptest.NewRecorder()
+	return req, w
+}
+
+func createAdmissionRequest(operation admissionv1.Operation, crdType string, crdName string, change updateType) (*admissionv1.AdmissionReview, error) {
+	admissionReview := &admissionv1.AdmissionReview{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       crdType,
+			APIVersion: apiVersion,
+		},
+		Request: &admissionv1.AdmissionRequest{
+			Name: crdName,
+			Kind: metav1.GroupVersionKind{
+				Kind: crdType,
+			},
+			Operation: operation,
+			UID:       uid,
+		},
+	}
+
+	var rawBytes []byte
+	var rawBytesOld []byte
+	var err error
+
+	switch crdType {
+
+	case v1alpha1.CAPApplicationKind:
+		crd := &ResponseCa{}
+		if change != emptyUpdate {
+			crd = &ResponseCa{
+				Metadata: Metadata{
+					Name:      caName,
+					Namespace: metav1.NamespaceDefault,
+				},
+				Spec: &v1alpha1.CAPApplicationSpec{
+					Provider: v1alpha1.BTPTenantIdentification{
+						SubDomain: subDomain,
+						TenantId:  tenantId,
+					},
+					BTP: v1alpha1.BTP{},
+				},
+				Kind: crdType,
+			}
+		}
+		rawBytes, err = json.Marshal(crd)
+		rawBytesOld = rawBytes
+		if operation == admissionv1.Update && err == nil {
+			crdOld := crd
+			if change == providerUpdate {
+				crdOld.Spec.Provider.SubDomain = crdOld.Spec.Provider.SubDomain + "modified"
+				crdOld.Spec.Provider.TenantId = crdOld.Spec.Provider.TenantId + "modified"
+				rawBytesOld, err = json.Marshal(crdOld)
+			}
+		}
+	case v1alpha1.CAPApplicationVersionKind:
+		crd := &ResponseCav{}
+		if change != emptyUpdate {
+			crd = &ResponseCav{
+				Metadata: Metadata{
+					Name:      crdName,
+					Namespace: metav1.NamespaceDefault,
+				},
+				Spec: &v1alpha1.CAPApplicationVersionSpec{
+					CAPApplicationInstance: caName,
+					Workloads: []v1alpha1.WorkloadDetails{
+						{
+							Name:                "cap-backend",
+							ConsumedBTPServices: []string{},
+							DeploymentDefinition: &v1alpha1.DeploymentDetails{
+								Type: v1alpha1.DeploymentCAP,
+								ContainerDetails: v1alpha1.ContainerDetails{
+									Image: "foo",
+								},
+							},
+						},
+						{
+							Name:                "cap-router",
+							ConsumedBTPServices: []string{},
+							DeploymentDefinition: &v1alpha1.DeploymentDetails{
+								Type: v1alpha1.DeploymentRouter,
+								ContainerDetails: v1alpha1.ContainerDetails{
+									Image: "foo",
+								},
+							},
+						},
+						{
+							Name:                "content",
+							ConsumedBTPServices: []string{},
+							JobDefinition: &v1alpha1.JobDetails{
+								Type: v1alpha1.JobContent,
+								ContainerDetails: v1alpha1.ContainerDetails{
+									Image: "foo",
+								},
+							},
+						},
+					},
+				},
+				Kind: crdType,
+			}
+		}
+		rawBytes, err = json.Marshal(crd)
+		rawBytesOld = rawBytes
+		if operation == admissionv1.Update && err == nil && change != noUpdate {
+			crdOld := crd
+
+			switch change {
+			case appInstanceUpdate:
+				crdOld.Spec.CAPApplicationInstance = crdOld.Spec.CAPApplicationInstance + "modified"
+			case registrySecretsUpdate:
+				crdOld.Spec.RegistrySecrets = append(crdOld.Spec.RegistrySecrets, "newSecret")
+			case consumedBTPServicesUpdate:
+				crdOld.Spec.Workloads[0].ConsumedBTPServices = append(crdOld.Spec.Workloads[0].ConsumedBTPServices, "newService")
+			case versionUpdate:
+				crdOld.Spec.Version = crdOld.Spec.Version + "modified"
+			case imageUpdate:
+				crdOld.Spec.Workloads[0].DeploymentDefinition.Image = crdOld.Spec.Workloads[0].DeploymentDefinition.Image + "modified"
+			}
+			rawBytesOld, err = json.Marshal(crdOld)
+		}
+	case v1alpha1.CAPTenantKind:
+		crd := &ResponseCat{}
+		if change != emptyUpdate {
+			crd = &ResponseCat{
+				Metadata: Metadata{
+					Name:      crdName,
+					Namespace: metav1.NamespaceDefault,
+					Labels: map[string]string{
+						LabelTenantType: ProviderTenantType,
+					},
+				},
+				Spec: &v1alpha1.CAPTenantSpec{
+					CAPApplicationInstance: caName,
+				},
+				Status: &v1alpha1.CAPTenantStatus{
+					State: v1alpha1.CAPTenantStateReady,
+				},
+				Kind: crdType,
+			}
+		}
+		rawBytes, err = json.Marshal(crd)
+		rawBytesOld = rawBytes
+		if (operation == admissionv1.Update || operation == admissionv1.Delete) && err == nil {
+			crdOld := crd
+			if change == appInstanceUpdate {
+				crdOld.Spec.CAPApplicationInstance = crdOld.Spec.CAPApplicationInstance + "modified"
+				rawBytesOld, err = json.Marshal(crdOld)
+			}
+		}
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	if operation != admissionv1.Delete {
+		admissionReview.Request.Object.Raw = rawBytes
+	}
+
+	if operation != admissionv1.Create && operation != admissionv1.Connect {
+		admissionReview.Request.OldObject.Raw = rawBytesOld
+	}
+
+	return admissionReview, nil
+}
+
+func TestInvalidRequest(t *testing.T) {
+	wh := &WebhookHandler{
+		CrdClient: fakeCrdClient.NewSimpleClientset(),
+	}
+
+	recorder := httptest.NewRecorder()
+	admissionReview := admissionv1.AdmissionReview{}
+	bytesRequest, err := json.Marshal(admissionReview)
+	if err != nil {
+		t.Fatal("marshal error")
+	}
+	request := httptest.NewRequest(http.MethodGet, "/validate", bytes.NewBuffer(bytesRequest))
+
+	wh.Validate(recorder, request)
+	if recorder.Code != http.StatusBadRequest {
+		t.Fatal("Error was not recorded correctly")
+	}
+}
+
+func TestSideCar(t *testing.T) {
+	wh := &WebhookHandler{
+		CrdClient: fakeCrdClient.NewSimpleClientset(),
+	}
+
+	tests := []struct {
+		sideCarEnv string
+	}{
+		{
+			sideCarEnv: "true",
+		},
+		{
+			sideCarEnv: "false",
+		},
+		{
+			sideCarEnv: "invalid",
+		},
+	}
+	for _, test := range tests {
+		t.Run("Testing SideCarEnv value "+test.sideCarEnv, func(t *testing.T) {
+			os.Setenv(SideCarEnv, test.sideCarEnv)
+
+			recorder := httptest.NewRecorder()
+
+			admissionReview := admissionv1.AdmissionReview{}
+			bytesRequest, err := json.Marshal(admissionReview)
+			if err != nil {
+				t.Fatal("marshal error")
+			}
+			request := httptest.NewRequest(http.MethodGet, "/validate", bytes.NewBuffer(bytesRequest))
+
+			wh.Validate(recorder, request)
+			file, err := os.ReadFile(os.TempDir() + RequestPath)
+			if err != nil {
+				t.Error("Side car file read error")
+			}
+			json.Unmarshal(file, &admissionReview)
+
+			if admissionReview.Request != nil || admissionReview.Response != nil {
+				t.Fatal("Invalid admission review with http error")
+			}
+
+			if test.sideCarEnv == "invalid" {
+				if recorder.Code != http.StatusInternalServerError {
+					t.Fatal("Error was not recorded correctly")
+				}
+			} else if recorder.Code != http.StatusBadRequest {
+				t.Fatal("Error was not recorded correctly")
+			}
+
+			os.Unsetenv(SideCarEnv)
+		})
+	}
+}
+
+func TestEmptyResources(t *testing.T) {
+	wh := &WebhookHandler{
+		CrdClient: fakeCrdClient.NewSimpleClientset(),
+	}
+	tests := []struct {
+		operation admissionv1.Operation
+		crdType   string
+	}{
+		{
+			operation: admissionv1.Update,
+			crdType:   v1alpha1.CAPApplicationVersionKind,
+		},
+		{
+			operation: admissionv1.Create,
+			crdType:   v1alpha1.CAPApplicationVersionKind,
+		},
+		{
+			operation: admissionv1.Delete,
+			crdType:   v1alpha1.CAPApplicationVersionKind,
+		},
+		{
+			operation: admissionv1.Update,
+			crdType:   v1alpha1.CAPTenantKind,
+		},
+		{
+			operation: admissionv1.Create,
+			crdType:   v1alpha1.CAPTenantKind,
+		},
+		{
+			operation: admissionv1.Delete,
+			crdType:   v1alpha1.CAPTenantKind,
+		},
+		{
+			operation: admissionv1.Update,
+			crdType:   v1alpha1.CAPApplicationKind,
+		},
+		{
+			operation: admissionv1.Create,
+			crdType:   v1alpha1.CAPApplicationKind,
+		},
+		{
+			operation: admissionv1.Delete,
+			crdType:   v1alpha1.CAPApplicationKind,
+		},
+	}
+	for _, test := range tests {
+		t.Run("Testing admission review for empty (invalid) "+test.crdType+" resource with operation "+string(test.operation), func(t *testing.T) {
+			crdName := cavName
+			if test.crdType == v1alpha1.CAPTenantKind {
+				crdName = catName
+			} else {
+				crdName = caName
+			}
+
+			request, recorder := getHttpRequest(test.operation, test.crdType, crdName, emptyUpdate, t)
+
+			wh.Validate(recorder, request)
+
+			admissionReview := admissionv1.AdmissionReview{}
+			bytes, _ := io.ReadAll(recorder.Body)
+			universalDeserializer.Decode(bytes, nil, &admissionReview)
+			if admissionReview.Request != nil || admissionReview.Response != nil {
+				t.Fatal("Invalid admission review with http error")
+			}
+			if recorder.Code != http.StatusInternalServerError {
+				t.Fatal("Error was not recorded correctly")
+			}
+		})
+	}
+}
+
+func TestUnhandledType(t *testing.T) {
+	wh := &WebhookHandler{
+		CrdClient: fakeCrdClient.NewSimpleClientset(),
+	}
+
+	tests := []struct {
+		operation admissionv1.Operation
+		crdType   string
+	}{
+		{
+			operation: admissionv1.Update,
+		},
+		{
+			operation: admissionv1.Create,
+		},
+		{
+			operation: admissionv1.Delete,
+		},
+		{
+			operation: admissionv1.Connect,
+		},
+	}
+	for _, test := range tests {
+		t.Run("Testing unhandled resource type validity for operation "+string(test.operation), func(t *testing.T) {
+
+			request, recorder := getHttpRequest(test.operation, "Unhandled", "unhandled", noUpdate, t)
+
+			wh.Validate(recorder, request)
+
+			admissionReview := admissionv1.AdmissionReview{}
+			bytes, _ := io.ReadAll(recorder.Body)
+			universalDeserializer.Decode(bytes, nil, &admissionReview)
+			if !admissionReview.Response.Allowed || admissionReview.Response.UID != uid {
+				t.Fatal("validation response error")
+			}
+		})
+	}
+}
+
+func TestCavAndCatValidity(t *testing.T) {
+	// valid CAPApplication
+	Ca := createCaCRO()
+	wh := &WebhookHandler{
+		CrdClient: fakeCrdClient.NewSimpleClientset(Ca),
+	}
+
+	tests := []struct {
+		operation    admissionv1.Operation
+		crdType      string
+		backlogItems []string
+	}{
+		{
+			operation: admissionv1.Update,
+			crdType:   v1alpha1.CAPApplicationVersionKind,
+		},
+		{
+			operation: admissionv1.Create,
+			crdType:   v1alpha1.CAPApplicationVersionKind,
+		},
+		{
+			operation: admissionv1.Delete,
+			crdType:   v1alpha1.CAPApplicationVersionKind,
+		},
+		{
+			operation: admissionv1.Connect,
+			crdType:   v1alpha1.CAPApplicationVersionKind,
+		},
+		{
+			operation: admissionv1.Update,
+			crdType:   v1alpha1.CAPTenantKind,
+		},
+		{
+			operation: admissionv1.Create,
+			crdType:   v1alpha1.CAPTenantKind,
+		},
+		{
+			operation:    admissionv1.Delete,
+			crdType:      v1alpha1.CAPTenantKind,
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2520"},
+		},
+		{
+			operation: admissionv1.Connect,
+			crdType:   v1alpha1.CAPTenantKind,
+		},
+	}
+	for _, test := range tests {
+		nameParts := []string{"Testing " + test.crdType + " validity for operation " + string(test.operation) + "; "}
+		testName := strings.Join(append(nameParts, test.backlogItems...), " ")
+		t.Run(testName, func(t *testing.T) {
+			crdName := cavName
+			if test.crdType == v1alpha1.CAPTenantKind {
+				crdName = catName
+			}
+
+			request, recorder := getHttpRequest(test.operation, test.crdType, crdName, noUpdate, t)
+
+			wh.Validate(recorder, request)
+
+			admissionReview := admissionv1.AdmissionReview{}
+			bytes, err := io.ReadAll(recorder.Body)
+			if err != nil {
+				t.Fatal("io read error")
+			}
+
+			universalDeserializer.Decode(bytes, nil, &admissionReview)
+
+			var errorMessage string
+			if test.operation == admissionv1.Delete && test.crdType == v1alpha1.CAPTenantKind {
+				errorMessage = fmt.Sprintf("%s provider %s %s cannot be deleted when a consistent %s %s exists. Delete the %s instead to delete all tenants", InvalidationMessage, admissionReview.Kind, catName, v1alpha1.CAPApplicationKind, Ca.Name, v1alpha1.CAPApplicationKind)
+				if admissionReview.Response.Allowed ||
+					admissionReview.Response.UID != uid ||
+					admissionReview.APIVersion != apiVersion ||
+					admissionReview.Response.Result.Message != errorMessage {
+					t.Fatal("validation response error")
+				}
+			} else if !admissionReview.Response.Allowed ||
+				admissionReview.Response.UID != uid ||
+				admissionReview.APIVersion != apiVersion ||
+				admissionReview.Response.Result != nil {
+				t.Fatal("validation response error")
+			}
+		})
+	}
+}
+
+func TestCavAndCatInvalidityNoApp(t *testing.T) {
+	// no CAPApplication
+	wh := &WebhookHandler{
+		CrdClient: fakeCrdClient.NewSimpleClientset(),
+	}
+
+	tests := []struct {
+		operation admissionv1.Operation
+		crdType   string
+	}{
+		{
+			operation: admissionv1.Create,
+			crdType:   v1alpha1.CAPApplicationVersionKind,
+		},
+		{
+			operation: admissionv1.Create,
+			crdType:   v1alpha1.CAPTenantKind,
+		},
+	}
+	for _, test := range tests {
+		t.Run("Testing "+test.crdType+" invalidity with no CAPApp for operation "+string(test.operation), func(t *testing.T) {
+			crdName := cavName
+			if test.crdType == v1alpha1.CAPTenantKind {
+				crdName = catName
+			}
+
+			request, recorder := getHttpRequest(test.operation, test.crdType, crdName, noUpdate, t)
+
+			wh.Validate(recorder, request)
+
+			admissionReview := admissionv1.AdmissionReview{}
+			bytes, err := io.ReadAll(recorder.Body)
+			if err != nil {
+				t.Fatal("io read error")
+			}
+			universalDeserializer.Decode(bytes, nil, &admissionReview)
+			if admissionReview.Response.Allowed ||
+				admissionReview.Response.UID != uid ||
+				admissionReview.APIVersion != apiVersion ||
+				admissionReview.Response.Result.Message != fmt.Sprintf("%s %s no valid %s found for: %s.%s", InvalidationMessage, admissionReview.Kind, v1alpha1.CAPApplicationKind, metav1.NamespaceDefault, crdName) {
+				t.Fatal("validation response error")
+			}
+		})
+	}
+}
+
+func TestCavAndCatInvaliditySpecChange(t *testing.T) {
+	// valid CAPApplication
+	Ca := createCaCRO()
+	wh := &WebhookHandler{
+		CrdClient: fakeCrdClient.NewSimpleClientset(Ca),
+	}
+
+	tests := []struct {
+		operation  admissionv1.Operation
+		crdType    string
+		changeType updateType
+	}{
+		{
+			operation:  admissionv1.Update,
+			crdType:    v1alpha1.CAPApplicationVersionKind,
+			changeType: appInstanceUpdate,
+		},
+		{
+			operation:  admissionv1.Update,
+			crdType:    v1alpha1.CAPApplicationVersionKind,
+			changeType: registrySecretsUpdate,
+		},
+		{
+			operation:  admissionv1.Update,
+			crdType:    v1alpha1.CAPApplicationVersionKind,
+			changeType: consumedBTPServicesUpdate,
+		},
+		{
+			operation:  admissionv1.Update,
+			crdType:    v1alpha1.CAPApplicationVersionKind,
+			changeType: versionUpdate,
+		},
+		{
+			operation:  admissionv1.Update,
+			crdType:    v1alpha1.CAPApplicationVersionKind,
+			changeType: imageUpdate,
+		},
+		{
+			operation:  admissionv1.Update,
+			crdType:    v1alpha1.CAPTenantKind,
+			changeType: appInstanceUpdate,
+		},
+	}
+	for _, test := range tests {
+		t.Run("Testing "+test.crdType+" invalidity with CAPApp instance change for operation "+string(test.operation), func(t *testing.T) {
+			crdName := cavName
+			if test.crdType == v1alpha1.CAPTenantKind {
+				crdName = catName
+			}
+
+			request, recorder := getHttpRequest(test.operation, test.crdType, crdName, test.changeType, t)
+
+			wh.Validate(recorder, request)
+
+			admissionReview := admissionv1.AdmissionReview{}
+			bytes, err := io.ReadAll(recorder.Body)
+			if err != nil {
+				t.Fatal("io read error")
+			}
+
+			universalDeserializer.Decode(bytes, nil, &admissionReview)
+
+			expectedMessage := fmt.Sprintf("%s %s spec cannot be modified for: %s.%s", InvalidationMessage, admissionReview.Kind, metav1.NamespaceDefault, crdName)
+			if test.crdType == v1alpha1.CAPTenantKind {
+				expectedMessage = fmt.Sprintf("%s %s capApplicationInstance value cannot be modified for: %s.%s", InvalidationMessage, admissionReview.Kind, metav1.NamespaceDefault, crdName)
+			}
+
+			if admissionReview.Response.Allowed ||
+				admissionReview.Response.UID != uid ||
+				admissionReview.APIVersion != apiVersion ||
+				admissionReview.Response.Result.Message != expectedMessage {
+				t.Fatal("validation response error")
+			}
+		})
+	}
+}
+
+func TestCaValidity(t *testing.T) {
+	wh := &WebhookHandler{
+		CrdClient: fakeCrdClient.NewSimpleClientset(),
+	}
+	tests := []struct {
+		operation  admissionv1.Operation
+		tenantType string
+	}{
+		{
+			operation: admissionv1.Delete,
+		},
+		{
+			operation: admissionv1.Update,
+		},
+		{
+			operation: admissionv1.Create,
+		},
+		{
+			operation: admissionv1.Connect,
+		},
+	}
+	for _, test := range tests {
+		t.Run("Testing CAPApplication validity for operation "+string(test.operation), func(t *testing.T) {
+			request, recorder := getHttpRequest(test.operation, v1alpha1.CAPApplicationKind, caName, noUpdate, t)
+
+			wh.Validate(recorder, request)
+
+			admissionReview := admissionv1.AdmissionReview{}
+			bytes, err := io.ReadAll(recorder.Body)
+			if err != nil {
+				t.Fatal("io read error")
+			}
+			universalDeserializer.Decode(bytes, nil, &admissionReview)
+
+			if !admissionReview.Response.Allowed ||
+				admissionReview.Response.UID != uid ||
+				admissionReview.APIVersion != apiVersion ||
+				admissionReview.Response.Result != nil {
+				t.Fatal("validation response error")
+			}
+		})
+	}
+}
+
+func TestCaInvalidity(t *testing.T) {
+	tests := []struct {
+		operation admissionv1.Operation
+		update    updateType
+	}{
+		{
+			operation: admissionv1.Update,
+			update:    providerUpdate,
+		},
+	}
+	for _, test := range tests {
+		t.Run("Testing CAPApplication invalidity for operation "+string(test.operation), func(t *testing.T) {
+			var crdObjects []runtime.Object
+
+			wh := &WebhookHandler{
+				CrdClient: fakeCrdClient.NewSimpleClientset(crdObjects...),
+			}
+
+			request, recorder := getHttpRequest(test.operation, v1alpha1.CAPApplicationKind, caName, test.update, t)
+
+			wh.Validate(recorder, request)
+
+			admissionReview := admissionv1.AdmissionReview{}
+			bytes, err := io.ReadAll(recorder.Body)
+			if err != nil {
+				t.Fatal("io read error")
+			}
+			universalDeserializer.Decode(bytes, nil, &admissionReview)
+
+			var errorMessage string
+			if test.update == providerUpdate {
+				errorMessage = fmt.Sprintf("%s %s provider details cannot be changed for: %s.%s", InvalidationMessage, admissionReview.Kind, metav1.NamespaceDefault, caName)
+			}
+
+			if admissionReview.Response.Allowed ||
+				admissionReview.Response.UID != uid ||
+				admissionReview.APIVersion != apiVersion ||
+				admissionReview.Response.Result.Message != errorMessage {
+				t.Fatal("validation response error")
+			}
+		})
+	}
+}
+
+func TestCavInvalidity(t *testing.T) {
+	Ca := createCaCRO()
+	wh := &WebhookHandler{
+		CrdClient: fakeCrdClient.NewSimpleClientset(Ca),
+	}
+	tests := []struct {
+		operation                          admissionv1.Operation
+		duplicateWorkloadName              bool
+		invalidDeploymentType              bool
+		invalidJobType                     bool
+		onlyOneCAPTypeAllowed              bool
+		onlyOneRouterTypeAllowed           bool
+		onlyOneContentTypeAllowed          bool
+		duplicatePortName                  bool
+		duplicatePortNumber                bool
+		routerDestNameCAPChk               bool
+		routerDestNameRouterChk            bool
+		customTenantOpWithoutSequence      bool
+		tenantOperationSequenceInvalid     bool
+		invalidWorkloadInTenantOpSeq       bool
+		missingTenantOpInSeqProvisioning   bool
+		missingTenantOpInSeqUpgrade        bool
+		missingTenantOpInSeqDeprovisioning bool
+		backlogItems                       []string
+	}{
+		{
+			operation:             admissionv1.Create,
+			duplicateWorkloadName: true,
+			backlogItems:          []string{"ERP4SMEPREPWORKAPPPLAT-2338"},
+		},
+		{
+			operation:             admissionv1.Create,
+			invalidDeploymentType: true,
+			backlogItems:          []string{"ERP4SMEPREPWORKAPPPLAT-2338"},
+		},
+		{
+			operation:      admissionv1.Create,
+			invalidJobType: true,
+			backlogItems:   []string{"ERP4SMEPREPWORKAPPPLAT-2338"},
+		},
+		{
+			operation:             admissionv1.Create,
+			onlyOneCAPTypeAllowed: true,
+			backlogItems:          []string{"ERP4SMEPREPWORKAPPPLAT-2338"},
+		},
+		{
+			operation:                admissionv1.Create,
+			onlyOneRouterTypeAllowed: true,
+			backlogItems:             []string{"ERP4SMEPREPWORKAPPPLAT-2338"},
+		},
+		{
+			operation:                 admissionv1.Create,
+			onlyOneContentTypeAllowed: true,
+			backlogItems:              []string{"ERP4SMEPREPWORKAPPPLAT-2338"},
+		},
+		{
+			operation:         admissionv1.Create,
+			duplicatePortName: true,
+			backlogItems:      []string{"ERP4SMEPREPWORKAPPPLAT-2339"},
+		},
+		{
+			operation:           admissionv1.Create,
+			duplicatePortNumber: true,
+			backlogItems:        []string{"ERP4SMEPREPWORKAPPPLAT-2339"},
+		},
+		{
+			operation:            admissionv1.Create,
+			routerDestNameCAPChk: true,
+			backlogItems:         []string{"ERP4SMEPREPWORKAPPPLAT-2339"},
+		},
+		{
+			operation:               admissionv1.Create,
+			routerDestNameRouterChk: true,
+			backlogItems:            []string{"ERP4SMEPREPWORKAPPPLAT-2339"},
+		},
+		{
+			operation:                     admissionv1.Create,
+			customTenantOpWithoutSequence: true,
+			backlogItems:                  []string{"ERP4SMEPREPWORKAPPPLAT-2405"},
+		},
+		{
+			operation:                      admissionv1.Create,
+			tenantOperationSequenceInvalid: true,
+			backlogItems:                   []string{"ERP4SMEPREPWORKAPPPLAT-2405"},
+		},
+		{
+			operation:                    admissionv1.Create,
+			invalidWorkloadInTenantOpSeq: true,
+			backlogItems:                 []string{"ERP4SMEPREPWORKAPPPLAT-2405"},
+		},
+		{
+			operation:                        admissionv1.Create,
+			missingTenantOpInSeqProvisioning: true,
+			backlogItems:                     []string{"ERP4SMEPREPWORKAPPPLAT-3537"},
+		},
+		{
+			operation:                   admissionv1.Create,
+			missingTenantOpInSeqUpgrade: true,
+			backlogItems:                []string{"ERP4SMEPREPWORKAPPPLAT-3537"},
+		},
+		{
+			operation:                          admissionv1.Create,
+			missingTenantOpInSeqDeprovisioning: true,
+			backlogItems:                       []string{"ERP4SMEPREPWORKAPPPLAT-3537"},
+		},
+	}
+	for _, test := range tests {
+		nameParts := []string{"Testing CAPApplicationversion invalidity for operation " + string(test.operation) + "; "}
+		testName := strings.Join(append(nameParts, test.backlogItems...), " ")
+		t.Run(testName, func(t *testing.T) {
+			admissionReview, err := createAdmissionRequest(test.operation, v1alpha1.CAPApplicationVersionKind, caName, noUpdate)
+			if err != nil {
+				t.Fatal("admission review error")
+			}
+
+			crd := &ResponseCav{
+				Metadata: Metadata{
+					Name:      cavName,
+					Namespace: metav1.NamespaceDefault,
+				},
+				Spec: &v1alpha1.CAPApplicationVersionSpec{
+					CAPApplicationInstance: caName,
+					Workloads: []v1alpha1.WorkloadDetails{
+						{
+							Name:                "cap-backend",
+							ConsumedBTPServices: []string{},
+							DeploymentDefinition: &v1alpha1.DeploymentDetails{
+								Type: v1alpha1.DeploymentCAP,
+								ContainerDetails: v1alpha1.ContainerDetails{
+									Image: "foo",
+								},
+							},
+						},
+						{
+							Name:                "cap-router",
+							ConsumedBTPServices: []string{},
+							DeploymentDefinition: &v1alpha1.DeploymentDetails{
+								Type: v1alpha1.DeploymentRouter,
+								ContainerDetails: v1alpha1.ContainerDetails{
+									Image: "foo",
+								},
+							},
+						},
+						{
+							Name:                "content",
+							ConsumedBTPServices: []string{},
+							JobDefinition: &v1alpha1.JobDetails{
+								Type: v1alpha1.JobContent,
+								ContainerDetails: v1alpha1.ContainerDetails{
+									Image: "foo",
+								},
+							},
+						},
+					},
+				},
+				Kind: v1alpha1.CAPApplicationVersionKind,
+			}
+
+			if test.duplicateWorkloadName == true {
+				crd.Spec.Workloads = append(crd.Spec.Workloads, v1alpha1.WorkloadDetails{
+					Name:                "cap-backend",
+					ConsumedBTPServices: []string{},
+					DeploymentDefinition: &v1alpha1.DeploymentDetails{
+						Type: v1alpha1.DeploymentAdditional,
+						ContainerDetails: v1alpha1.ContainerDetails{
+							Image: "foo",
+						},
+					},
+				})
+			} else if test.invalidDeploymentType == true {
+				crd.Spec.Workloads[0].DeploymentDefinition.Type = "invalid"
+			} else if test.invalidJobType == true {
+				crd.Spec.Workloads[2].JobDefinition.Type = "invalid"
+			} else if test.onlyOneCAPTypeAllowed == true {
+				// add additional workload of type CAP
+				crd.Spec.Workloads = append(crd.Spec.Workloads, v1alpha1.WorkloadDetails{
+					Name:                "cap-backend-2",
+					ConsumedBTPServices: []string{},
+					DeploymentDefinition: &v1alpha1.DeploymentDetails{
+						Type: v1alpha1.DeploymentCAP,
+						ContainerDetails: v1alpha1.ContainerDetails{
+							Image: "foo",
+						},
+					},
+				})
+			} else if test.onlyOneRouterTypeAllowed == true {
+				// add additional workload of type Router
+				crd.Spec.Workloads = append(crd.Spec.Workloads, v1alpha1.WorkloadDetails{
+					Name:                "cap-router-2",
+					ConsumedBTPServices: []string{},
+					DeploymentDefinition: &v1alpha1.DeploymentDetails{
+						Type: v1alpha1.DeploymentRouter,
+						ContainerDetails: v1alpha1.ContainerDetails{
+							Image: "foo",
+						},
+					},
+				})
+			} else if test.onlyOneContentTypeAllowed == true {
+				// change existing Content to tenant Operation
+				crd.Spec.Workloads[2].JobDefinition.Type = v1alpha1.JobTenantOperation
+			} else if test.duplicatePortName == true {
+				crd.Spec.Workloads[0].DeploymentDefinition.Ports = []v1alpha1.Ports{
+					{Name: "port-1", RouterDestinationName: "port-1-dest", Port: 4000}, {Name: "port-1", Port: 4004},
+				}
+			} else if test.duplicatePortNumber == true {
+				crd.Spec.Workloads[0].DeploymentDefinition.Ports = []v1alpha1.Ports{
+					{Name: "port-1", RouterDestinationName: "port-1-dest", Port: 4000}, {Name: "port-2", Port: 4000},
+				}
+			} else if test.routerDestNameCAPChk == true {
+				crd.Spec.Workloads[0].DeploymentDefinition.Ports = []v1alpha1.Ports{
+					{Name: "port-1", Port: 4000}, {Name: "port-2", Port: 4004},
+				}
+			} else if test.routerDestNameRouterChk == true {
+				crd.Spec.Workloads[1].DeploymentDefinition.Ports = []v1alpha1.Ports{
+					{Name: "port-1", RouterDestinationName: "port-1-dest", Port: 4000}, {Name: "port-2", Port: 4004},
+				}
+			} else if test.customTenantOpWithoutSequence == true {
+				// add workload of type custom tenant operation
+				crd.Spec.Workloads = append(crd.Spec.Workloads, v1alpha1.WorkloadDetails{
+					Name:                "custom-tenant-operation",
+					ConsumedBTPServices: []string{},
+					JobDefinition: &v1alpha1.JobDetails{
+						Type: v1alpha1.JobCustomTenantOperation,
+						ContainerDetails: v1alpha1.ContainerDetails{
+							Image: "foo",
+						},
+					},
+				})
+			} else if test.tenantOperationSequenceInvalid == true {
+				// add workload of type custom tenant operation and tenant operation
+				crd.Spec.Workloads = append(crd.Spec.Workloads, v1alpha1.WorkloadDetails{
+					Name:                "tenant-operation",
+					ConsumedBTPServices: []string{},
+					JobDefinition: &v1alpha1.JobDetails{
+						Type: v1alpha1.JobTenantOperation,
+						ContainerDetails: v1alpha1.ContainerDetails{
+							Image: "foo",
+						},
+					},
+				})
+				crd.Spec.Workloads = append(crd.Spec.Workloads, v1alpha1.WorkloadDetails{
+					Name:                "custom-tenant-operation",
+					ConsumedBTPServices: []string{},
+					JobDefinition: &v1alpha1.JobDetails{
+						Type: v1alpha1.JobCustomTenantOperation,
+						ContainerDetails: v1alpha1.ContainerDetails{
+							Image: "foo",
+						},
+					},
+				})
+
+				crd.Spec.TenantOperations = &v1alpha1.TenantOperations{
+					Provisioning: []v1alpha1.TenantOperationWorkloadReference{
+						{WorkloadName: "custom-tenant-operation"},
+					},
+					Deprovisioning: []v1alpha1.TenantOperationWorkloadReference{
+						{WorkloadName: "custom-tenant-operation"},
+					},
+					Upgrade: []v1alpha1.TenantOperationWorkloadReference{
+						{WorkloadName: "custom-tenant-operation"},
+					},
+				}
+			} else if test.invalidWorkloadInTenantOpSeq == true {
+				crd.Spec.Workloads = append(crd.Spec.Workloads, v1alpha1.WorkloadDetails{
+					Name:                "tenant-operation",
+					ConsumedBTPServices: []string{},
+					JobDefinition: &v1alpha1.JobDetails{
+						Type: v1alpha1.JobTenantOperation,
+						ContainerDetails: v1alpha1.ContainerDetails{
+							Image: "foo",
+						},
+					},
+				})
+
+				crd.Spec.TenantOperations = &v1alpha1.TenantOperations{
+					Provisioning: []v1alpha1.TenantOperationWorkloadReference{
+						{WorkloadName: "tenant-operation"}, {WorkloadName: "custom-tenant-operation"},
+					},
+					Deprovisioning: []v1alpha1.TenantOperationWorkloadReference{
+						{WorkloadName: "tenant-operation"},
+					},
+					Upgrade: []v1alpha1.TenantOperationWorkloadReference{
+						{WorkloadName: "tenant-operation"}, {WorkloadName: "custom-tenant-operation"},
+					},
+				}
+			} else if test.missingTenantOpInSeqProvisioning == true || test.missingTenantOpInSeqUpgrade == true || test.missingTenantOpInSeqDeprovisioning == true {
+				crd.Spec.Workloads = append(crd.Spec.Workloads, v1alpha1.WorkloadDetails{
+					Name:                "tenant-operation",
+					ConsumedBTPServices: []string{},
+					JobDefinition: &v1alpha1.JobDetails{
+						Type: v1alpha1.JobTenantOperation,
+						ContainerDetails: v1alpha1.ContainerDetails{
+							Image: "foo",
+						},
+					},
+				})
+				crd.Spec.Workloads = append(crd.Spec.Workloads, v1alpha1.WorkloadDetails{
+					Name:                "custom-tenant-operation",
+					ConsumedBTPServices: []string{},
+					JobDefinition: &v1alpha1.JobDetails{
+						Type: v1alpha1.JobCustomTenantOperation,
+						ContainerDetails: v1alpha1.ContainerDetails{
+							Image: "foo",
+						},
+					},
+				})
+
+				if test.missingTenantOpInSeqProvisioning == true {
+					crd.Spec.TenantOperations = &v1alpha1.TenantOperations{
+						Provisioning: []v1alpha1.TenantOperationWorkloadReference{
+							{WorkloadName: "custom-tenant-operation"},
+						},
+						Deprovisioning: []v1alpha1.TenantOperationWorkloadReference{
+							{WorkloadName: "tenant-operation"}, {WorkloadName: "custom-tenant-operation"},
+						},
+						Upgrade: []v1alpha1.TenantOperationWorkloadReference{
+							{WorkloadName: "tenant-operation"}, {WorkloadName: "custom-tenant-operation"},
+						},
+					}
+				} else if test.missingTenantOpInSeqUpgrade == true {
+					crd.Spec.TenantOperations = &v1alpha1.TenantOperations{
+						Provisioning: []v1alpha1.TenantOperationWorkloadReference{
+							{WorkloadName: "tenant-operation"}, {WorkloadName: "custom-tenant-operation"},
+						},
+						Deprovisioning: []v1alpha1.TenantOperationWorkloadReference{
+							{WorkloadName: "tenant-operation"}, {WorkloadName: "custom-tenant-operation"},
+						},
+						Upgrade: []v1alpha1.TenantOperationWorkloadReference{
+							{WorkloadName: "custom-tenant-operation"},
+						},
+					}
+				} else if test.missingTenantOpInSeqDeprovisioning == true {
+					crd.Spec.TenantOperations = &v1alpha1.TenantOperations{
+						Provisioning: []v1alpha1.TenantOperationWorkloadReference{
+							{WorkloadName: "tenant-operation"}, {WorkloadName: "custom-tenant-operation"},
+						},
+						Deprovisioning: []v1alpha1.TenantOperationWorkloadReference{
+							{WorkloadName: "custom-tenant-operation"},
+						},
+						Upgrade: []v1alpha1.TenantOperationWorkloadReference{
+							{WorkloadName: "tenant-operation"}, {WorkloadName: "custom-tenant-operation"},
+						},
+					}
+				}
+
+			}
+
+			rawBytes, _ := json.Marshal(crd)
+			admissionReview.Request.Object.Raw = rawBytes
+			bytesRequest, err := json.Marshal(admissionReview)
+			if err != nil {
+				t.Fatal("marshal error")
+			}
+			request := httptest.NewRequest(http.MethodGet, "/validate", bytes.NewBuffer(bytesRequest))
+			recorder := httptest.NewRecorder()
+
+			wh.Validate(recorder, request)
+
+			admissionReviewRes := admissionv1.AdmissionReview{}
+			bytes, err := io.ReadAll(recorder.Body)
+			if err != nil {
+				t.Fatal("io read error")
+			}
+			universalDeserializer.Decode(bytes, nil, &admissionReviewRes)
+
+			var errorMessage string
+			if test.duplicateWorkloadName == true {
+				errorMessage = fmt.Sprintf("%s %s duplicate workload name: cap-backend", InvalidationMessage, v1alpha1.CAPApplicationVersionKind)
+			} else if test.invalidDeploymentType == true {
+				errorMessage = fmt.Sprintf("%s %s invalid deployment definition type. Only supported - CAP, Router and Additional", InvalidationMessage, v1alpha1.CAPApplicationVersionKind)
+			} else if test.invalidJobType == true {
+				errorMessage = fmt.Sprintf("%s %s invalid job definition type. Only supported - Content, TenantOperation and CustomTenantOperation", InvalidationMessage, v1alpha1.CAPApplicationVersionKind)
+			} else if test.onlyOneCAPTypeAllowed == true {
+				errorMessage = fmt.Sprintf(DeploymentWorkloadCountErr, InvalidationMessage, v1alpha1.CAPApplicationVersionKind, v1alpha1.DeploymentCAP, 2, v1alpha1.DeploymentCAP)
+			} else if test.onlyOneRouterTypeAllowed == true {
+				errorMessage = fmt.Sprintf(DeploymentWorkloadCountErr, InvalidationMessage, v1alpha1.CAPApplicationVersionKind, v1alpha1.DeploymentRouter, 2, v1alpha1.DeploymentRouter)
+			} else if test.onlyOneContentTypeAllowed == true {
+				errorMessage = fmt.Sprintf(JobWorkloadCountErr, InvalidationMessage, v1alpha1.CAPApplicationVersionKind, v1alpha1.JobContent, 0, v1alpha1.JobContent)
+			} else if test.duplicatePortName == true {
+				errorMessage = fmt.Sprintf("%s %s duplicate port name: port-1 in workload - cap-backend", InvalidationMessage, v1alpha1.CAPApplicationVersionKind)
+			} else if test.duplicatePortNumber == true {
+				errorMessage = fmt.Sprintf("%s %s duplicate port number: 4000 in workload - cap-backend", InvalidationMessage, v1alpha1.CAPApplicationVersionKind)
+			} else if test.routerDestNameCAPChk == true {
+				errorMessage = fmt.Sprintf("%s %s routerDestinationName not defined in port configuration of workload - cap-backend", InvalidationMessage, v1alpha1.CAPApplicationVersionKind)
+			} else if test.routerDestNameRouterChk == true {
+				errorMessage = fmt.Sprintf("%s %s routerDestinationName should not be defined for workload of type Router - cap-router", InvalidationMessage, v1alpha1.CAPApplicationVersionKind)
+			} else if test.customTenantOpWithoutSequence == true {
+				errorMessage = fmt.Sprintf("%s %s - If a jobDefinition of type CustomTenantOperation is part of the workloads, then spec.tenantOperations must be specified", InvalidationMessage, v1alpha1.CAPApplicationVersionKind)
+			} else if test.tenantOperationSequenceInvalid == true {
+				errorMessage = fmt.Sprintf("%s %s workload tenant operation tenant-operation is not specified in spec.tenantOperations", InvalidationMessage, v1alpha1.CAPApplicationVersionKind)
+			} else if test.invalidWorkloadInTenantOpSeq == true {
+				errorMessage = fmt.Sprintf("%s %s custom-tenant-operation specified in spec.tenantOperations is not a valid workload of type TenantOperation or CustomTenantOperation", InvalidationMessage, v1alpha1.CAPApplicationVersionKind)
+			} else if test.missingTenantOpInSeqProvisioning == true {
+				errorMessage = fmt.Sprintf("%s %s - No tenant operation specified in spec.tenantOperation.provisioning", InvalidationMessage, v1alpha1.CAPApplicationVersionKind)
+			} else if test.missingTenantOpInSeqUpgrade == true {
+				errorMessage = fmt.Sprintf("%s %s - No tenant operation specified in spec.tenantOperation.upgrade", InvalidationMessage, v1alpha1.CAPApplicationVersionKind)
+			} else if test.missingTenantOpInSeqDeprovisioning == true {
+				errorMessage = fmt.Sprintf("%s %s - No tenant operation specified in spec.tenantOperation.deprovisioning", InvalidationMessage, v1alpha1.CAPApplicationVersionKind)
+			}
+
+			if admissionReviewRes.Response.Allowed || admissionReviewRes.Response.Result.Message != errorMessage {
+				t.Fatal("validation response error")
+			}
+		})
+	}
+}
diff --git a/cmd/web-hooks/main.go b/cmd/web-hooks/main.go
new file mode 100644
index 0000000..a330cda
--- /dev/null
+++ b/cmd/web-hooks/main.go
@@ -0,0 +1,77 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package main
+
+import (
+	"net/http"
+	"os"
+	"strconv"
+
+	handler "github.com/sap/cap-operator/cmd/web-hooks/internal/handler"
+	"github.com/sap/cap-operator/internal/util"
+	"github.com/sap/cap-operator/pkg/client/clientset/versioned"
+	"k8s.io/klog/v2"
+)
+
+type ServerParameters struct {
+	port       int    // webhook server port
+	certFile   string // path to TLS certificate for https
+	keyFile    string // path to TLS key matching for certificate
+	tlsEnabled bool   // indicates if TLS is enabled
+}
+
+var parameters ServerParameters
+
+func main() {
+	// check env for relevant values
+	portEnv := os.Getenv("WEBHOOK_PORT")
+	port := 8443
+	var err error
+
+	if portEnv != "" {
+		port, err = strconv.Atoi(portEnv)
+		if err != nil {
+			klog.Error("Error parsing Webhook server port: ", err.Error())
+		}
+	}
+
+	parameters.port = port
+
+	t := os.Getenv("TLS_ENABLED")
+	tlsEnabled := false
+
+	if t != "" {
+		tlsEnabled, err = strconv.ParseBool(t)
+		if err != nil {
+			klog.Error("Error parsing tls: ", err.Error())
+		}
+	}
+	parameters.tlsEnabled = tlsEnabled
+
+	parameters.certFile = os.Getenv("TLS_CERT")
+	parameters.keyFile = os.Getenv("TLS_KEY")
+
+	if err != nil {
+		klog.Fatalf("Config build: ", err.Error())
+	}
+
+	config := util.GetConfig()
+	crdClient, err := versioned.NewForConfig(config)
+	if err != nil {
+		klog.Fatalf("could not create client for custom resources: %v", err.Error())
+	}
+
+	whHandler := &handler.WebhookHandler{
+		CrdClient: crdClient,
+	}
+
+	http.HandleFunc("/validate", whHandler.Validate)
+
+	if parameters.tlsEnabled {
+		klog.Fatal(http.ListenAndServeTLS(":"+strconv.Itoa(parameters.port), parameters.certFile, parameters.keyFile, nil))
+	} else {
+		klog.Fatal(http.ListenAndServe(":"+strconv.Itoa(parameters.port), nil))
+	}
+}
diff --git a/crds/capapplication.yaml b/crds/capapplication.yaml
new file mode 100644
index 0000000..cd8a2c6
--- /dev/null
+++ b/crds/capapplication.yaml
@@ -0,0 +1,133 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: capapplications.sme.sap.com
+spec:
+  scope: Namespaced
+  names:
+    plural: capapplications
+    singular: capapplication
+    kind: CAPApplication
+    shortNames: ["ca"]
+  group: sme.sap.com
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      additionalPrinterColumns:
+        - name: Age
+          type: date
+          jsonPath: .metadata.creationTimestamp
+        - name: State
+          type: string
+          jsonPath: .status.state
+      subresources:
+        status: {}
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: ["spec"]
+          properties:
+            spec:
+              type: object
+              required:
+                ["btpAppName", "globalAccountId", "provider", "domains", "btp"]
+              properties:
+                btpAppName:
+                  type: string
+                globalAccountId:
+                  type: string
+                domains:
+                  type: object
+                  required: ["primary", "istioIngressGatewayLabels"]
+                  properties:
+                    primary:
+                      type: string
+                      pattern: "^[a-z0-9-.]+$"
+                      maxLength: 62
+                    secondary:
+                      type: array
+                      items:
+                        type: string
+                        pattern: "^[a-z0-9-.]+$"
+                    dnsTarget:
+                      type: string
+                      pattern: "^[a-z0-9-.]*$"
+                    istioIngressGatewayLabels:
+                      type: array
+                      items:
+                        minItems: 1
+                        type: object
+                        required: ["name", "value"]
+                        properties:
+                          name:
+                            type: string
+                          value:
+                            type: string
+                            minLength: 1
+                provider:
+                  type: object
+                  required: ["subDomain", "tenantId"]
+                  properties:
+                    subDomain:
+                      type: string
+                    tenantId:
+                      type: string
+                btp:
+                  type: "object"
+                  required: ["services"]
+                  properties:
+                    services:
+                      type: array
+                      items:
+                        type: object
+                        required: ["class", "name", "secret"]
+                        properties:
+                          class:
+                            type: string
+                          name:
+                            type: string
+                          secret:
+                            type: string
+            status:
+              type: object
+              required: ["state"]
+              default:
+                state: ""
+                observedGeneration: -1
+              properties:
+                observedGeneration:
+                  type: integer
+                state:
+                  type: string
+                  enum: ["", "Consistent", "Processing", "Error", "Deleting"]
+                lastFullReconciliationTime:
+                  type: string
+                  format: datetime
+                conditions:
+                  type: array
+                  items:
+                    type: object
+                    required: ["type", "status"]
+                    properties:
+                      type:
+                        type: string
+                        enum: ["Ready", "AllTenantsReady", "LatestVersionReady"]
+                      status:
+                        type: string
+                        enum: ["True", "False", "Unknown"]
+                      lastUpdateTime: # Unused property
+                        type: string
+                        format: datetime
+                      lastTransitionTime:
+                        type: string
+                        format: datetime
+                      reason:
+                        type: string
+                        minLength: 1
+                      message:
+                        type: string
+                      observedGeneration:
+                        type: integer
+                domainSpecHash:
+                  type: string
diff --git a/crds/capapplicationversion.yaml b/crds/capapplicationversion.yaml
new file mode 100644
index 0000000..22ad825
--- /dev/null
+++ b/crds/capapplicationversion.yaml
@@ -0,0 +1,755 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: capapplicationversions.sme.sap.com
+spec:
+  scope: Namespaced
+  names:
+    plural: capapplicationversions
+    singular: capapplicationversion
+    kind: CAPApplicationVersion
+    shortNames: ["cav"]
+  group: sme.sap.com
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      additionalPrinterColumns:
+        - name: Age
+          type: date
+          jsonPath: .metadata.creationTimestamp
+        - name: State
+          type: string
+          jsonPath: .status.state
+      subresources:
+        status: {}
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: ["spec"]
+          properties:
+            spec:
+              type: object
+              required: ["capApplicationInstance", "workloads", "version"]
+              properties:
+                capApplicationInstance:
+                  type: string
+                registrySecrets:
+                  type: array
+                  items:
+                    type: string
+                workloads:
+                  type: array
+                  items:
+                    type: object
+                    required: ["name"]
+                    oneOf:
+                      -  required:
+                          - deploymentDefinition
+                      - required:
+                          - jobDefinition
+                    properties:
+                      consumedBTPServices:
+                        type: array
+                        items:
+                          type: string
+                      name:
+                        type: string
+                        pattern: "^[a-z]([-a-z0-9]*[a-z0-9])?$"
+                      labels:
+                        type: object
+                        additionalProperties:
+                          type: string
+                      annotations:
+                        type: object
+                        additionalProperties:
+                          type: string
+                      deploymentDefinition:
+                        type: object
+                        required: ["type", "image"]
+                        properties:
+                          type:
+                            type: string
+                          image:
+                            type: string
+                          imagePullPolicy:
+                            type: string
+                          command:
+                            type: array
+                            items:
+                              type: string
+                          env:
+                            type: array
+                            items:
+                              type: object
+                              required: ["name"]
+                              properties:
+                                name:
+                                  type: string
+                                value:
+                                  type: string
+                                valueFrom:
+                                  type: object
+                                  properties:
+                                    secretKeyRef:
+                                      type: object
+                                      required: ["key"]
+                                      properties:
+                                        key:
+                                          type: string
+                                        name:
+                                          type: string
+                                        optional:
+                                          type: boolean
+                                    configMapKeyRef:
+                                      type: object
+                                      required: ["key"]
+                                      properties:
+                                        key:
+                                          type: string
+                                        name:
+                                          type: string
+                                        optional:
+                                          type: boolean
+                                    fieldRef:
+                                      type: object
+                                      required: ["fieldPath"]
+                                      properties:
+                                        apiVersion:
+                                          type: string
+                                        fieldPath:
+                                          type: string
+                                    resourceFieldRef:
+                                      type: object
+                                      required: ["resource"]
+                                      properties:
+                                        containerName:
+                                          type: string
+                                        resource:
+                                          type: string
+                                        divisor:
+                                          type: string
+                          replicas:
+                            type: integer
+                            format: int32
+                          ports:
+                            type: array
+                            items:
+                              type: object
+                              properties:
+                                appProtocol:
+                                  type: string
+                                name:
+                                  type: string
+                                networkPolicy:
+                                  type: string
+                                  enum: ["Application", "Cluster"]
+                                port:
+                                  type: integer
+                                  format: int32
+                                routerDestinationName:
+                                  type: string
+                          livenessProbe:
+                            type: object
+                            oneOf:
+                            - required:
+                                - exec
+                            - required:
+                                - grpc
+                            - required:
+                                - httpGet
+                            - required:
+                                - tcpSocket
+                            properties:
+                              exec:
+                                type: object
+                                required: ["command"]
+                                properties:
+                                  command:
+                                    type: array
+                                    items:
+                                      type: string
+                              httpGet:
+                                type: object
+                                required: ["port"]
+                                properties:
+                                  path:
+                                    type: string
+                                  port:
+                                    type: integer
+                                  host:
+                                    type: string
+                                  scheme:
+                                    type: string
+                                  httpHeaders:
+                                    type: object
+                                    required: ["name", "value"]
+                                    properties:
+                                      name:
+                                        type: string
+                                      value:
+                                        type: string
+                              tcpSocket:
+                                type: object
+                                required: ["port"]
+                                properties:
+                                  port:
+                                    type: integer
+                                  host:
+                                    type: string
+                              grpc:
+                                type: object
+                                required: ["port"]
+                                properties:
+                                  port:
+                                    type: integer
+                                  service:
+                                    type: string
+                              initialDelaySeconds:
+                                type: integer
+                                format: int32
+                              timeoutSeconds:
+                                type: integer
+                                format: int32
+                              periodSeconds:
+                                type: integer
+                                format: int32
+                              successThreshold:
+                                type: integer
+                                format: int32
+                              failureThreshold:
+                                type: integer
+                                format: int32
+                          readinessProbe:
+                            type: object
+                            oneOf:
+                            - required:
+                                - exec
+                            - required:
+                                - grpc
+                            - required:
+                                - httpGet
+                            - required:
+                                - tcpSocket
+                            properties:
+                              exec:
+                                type: object
+                                required: ["command"]
+                                properties:
+                                  command:
+                                    type: array
+                                    items:
+                                      type: string
+                              httpGet:
+                                type: object
+                                required: ["port"]
+                                properties:
+                                  path:
+                                    type: string
+                                  port:
+                                    type: integer
+                                  host:
+                                    type: string
+                                  scheme:
+                                    type: string
+                                  httpHeaders:
+                                    type: object
+                                    required: ["name", "value"]
+                                    properties:
+                                      name:
+                                        type: string
+                                      value:
+                                        type: string
+                              tcpSocket:
+                                type: object
+                                required: ["port"]
+                                properties:
+                                  port:
+                                    type: integer
+                                  host:
+                                    type: string
+                              grpc:
+                                type: object
+                                required: ["port"]
+                                properties:
+                                  port:
+                                    type: integer
+                                  service:
+                                    type: string
+                              initialDelaySeconds:
+                                type: integer
+                                format: int32
+                              timeoutSeconds:
+                                type: integer
+                                format: int32
+                              periodSeconds:
+                                type: integer
+                                format: int32
+                              successThreshold:
+                                type: integer
+                                format: int32
+                              failureThreshold:
+                                type: integer
+                                format: int32
+                          resources:
+                            type: object
+                            properties:
+                              claims:
+                                type: array
+                                items:
+                                  type: object
+                                  properties:
+                                    name:
+                                      type: string
+                                  required:
+                                  - name
+                                x-kubernetes-list-map-keys:
+                                - name
+                                x-kubernetes-list-type: map
+                              limits:
+                                type: object
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                              requests:
+                                type: object
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                          securityContext:
+                            properties:
+                              allowPrivilegeEscalation:
+                                type: boolean
+                              capabilities:
+                                properties:
+                                  add:
+                                    items:
+                                      type: string
+                                    type: array
+                                  drop:
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                              privileged:
+                                type: boolean
+                              procMount:
+                                type: string
+                              readOnlyRootFilesystem:
+                                type: boolean
+                              runAsGroup:
+                                format: int64
+                                type: integer
+                              runAsNonRoot:
+                                type: boolean
+                              runAsUser:
+                                format: int64
+                                type: integer
+                              seLinuxOptions:
+                                properties:
+                                  level:
+                                    type: string
+                                  role:
+                                    type: string
+                                  type:
+                                    type: string
+                                  user:
+                                    type: string
+                                type: object
+                              seccompProfile:
+                                properties:
+                                  localhostProfile:
+                                    type: string
+                                  type:
+                                    type: string
+                                required:
+                                - type
+                                type: object
+                              windowsOptions:
+                                properties:
+                                  gmsaCredentialSpec:
+                                    type: string
+                                  gmsaCredentialSpecName:
+                                    type: string
+                                  hostProcess:
+                                    type: boolean
+                                  runAsUserName:
+                                    type: string
+                                type: object
+                            type: object
+                          podSecurityContext:
+                            properties:
+                              fsGroup:
+                                format: int64
+                                type: integer
+                              fsGroupChangePolicy:
+                                type: string
+                              runAsGroup:
+                                format: int64
+                                type: integer
+                              runAsNonRoot:
+                                type: boolean
+                              runAsUser:
+                                format: int64
+                                type: integer
+                              seLinuxOptions:
+                                properties:
+                                  level:
+                                    type: string
+                                  role:
+                                    type: string
+                                  type:
+                                    type: string
+                                  user:
+                                    type: string
+                                type: object
+                              seccompProfile:
+                                properties:
+                                  localhostProfile:
+                                    type: string
+                                  type:
+                                    type: string
+                                required:
+                                - type
+                                type: object
+                              supplementalGroups:
+                                items:
+                                  format: int64
+                                  type: integer
+                                type: array
+                              sysctls:
+                                items:
+                                  properties:
+                                    name:
+                                      type: string
+                                    value:
+                                      type: string
+                                  required:
+                                  - name
+                                  - value
+                                  type: object
+                                type: array
+                              windowsOptions:
+                                properties:
+                                  gmsaCredentialSpec:
+                                    type: string
+                                  gmsaCredentialSpecName:
+                                    type: string
+                                  hostProcess:
+                                    type: boolean
+                                  runAsUserName:
+                                    type: string
+                                type: object
+                            type: object
+                      jobDefinition:
+                        type: object
+                        required: ["type", "image"]
+                        properties:
+                          type:
+                            type: string
+                          image:
+                            type: string
+                          imagePullPolicy:
+                            type: string
+                          command:
+                            type: array
+                            items:
+                              type: string
+                          env:
+                            type: array
+                            items:
+                              type: object
+                              required: ["name"]
+                              properties:
+                                name:
+                                  type: string
+                                value:
+                                  type: string
+                                valueFrom:
+                                  type: object
+                                  properties:
+                                    secretKeyRef:
+                                      type: object
+                                      required: ["key"]
+                                      properties:
+                                        key:
+                                          type: string
+                                        name:
+                                          type: string
+                                        optional:
+                                          type: boolean
+                                    configMapKeyRef:
+                                      type: object
+                                      required: ["key"]
+                                      properties:
+                                        key:
+                                          type: string
+                                        name:
+                                          type: string
+                                        optional:
+                                          type: boolean
+                                    fieldRef:
+                                      type: object
+                                      required: ["fieldPath"]
+                                      properties:
+                                        apiVersion:
+                                          type: string
+                                        fieldPath:
+                                          type: string
+                                    resourceFieldRef:
+                                      type: object
+                                      required: ["resource"]
+                                      properties:
+                                        containerName:
+                                          type: string
+                                        resource:
+                                          type: string
+                                        divisor:
+                                          type: string
+                          backoffLimit:
+                            type: integer
+                            format: int32
+                          ttlSecondsAfterFinished:
+                            type: integer
+                            format: int32
+                          resources:
+                            type: object
+                            properties:
+                              claims:
+                                type: array
+                                items:
+                                  type: object
+                                  properties:
+                                    name:
+                                      type: string
+                                  required:
+                                  - name
+                                x-kubernetes-list-map-keys:
+                                - name
+                                x-kubernetes-list-type: map
+                              limits:
+                                type: object
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                              requests:
+                                type: object
+                                additionalProperties:
+                                  anyOf:
+                                  - type: integer
+                                  - type: string
+                                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                                  x-kubernetes-int-or-string: true
+                          securityContext:
+                            properties:
+                              allowPrivilegeEscalation:
+                                type: boolean
+                              capabilities:
+                                properties:
+                                  add:
+                                    items:
+                                      type: string
+                                    type: array
+                                  drop:
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                              privileged:
+                                type: boolean
+                              procMount:
+                                type: string
+                              readOnlyRootFilesystem:
+                                type: boolean
+                              runAsGroup:
+                                format: int64
+                                type: integer
+                              runAsNonRoot:
+                                type: boolean
+                              runAsUser:
+                                format: int64
+                                type: integer
+                              seLinuxOptions:
+                                properties:
+                                  level:
+                                    type: string
+                                  role:
+                                    type: string
+                                  type:
+                                    type: string
+                                  user:
+                                    type: string
+                                type: object
+                              seccompProfile:
+                                properties:
+                                  localhostProfile:
+                                    type: string
+                                  type:
+                                    type: string
+                                required:
+                                - type
+                                type: object
+                              windowsOptions:
+                                properties:
+                                  gmsaCredentialSpec:
+                                    type: string
+                                  gmsaCredentialSpecName:
+                                    type: string
+                                  hostProcess:
+                                    type: boolean
+                                  runAsUserName:
+                                    type: string
+                                type: object
+                            type: object
+                          podSecurityContext:
+                            properties:
+                              fsGroup:
+                                format: int64
+                                type: integer
+                              fsGroupChangePolicy:
+                                type: string
+                              runAsGroup:
+                                format: int64
+                                type: integer
+                              runAsNonRoot:
+                                type: boolean
+                              runAsUser:
+                                format: int64
+                                type: integer
+                              seLinuxOptions:
+                                properties:
+                                  level:
+                                    type: string
+                                  role:
+                                    type: string
+                                  type:
+                                    type: string
+                                  user:
+                                    type: string
+                                type: object
+                              seccompProfile:
+                                properties:
+                                  localhostProfile:
+                                    type: string
+                                  type:
+                                    type: string
+                                required:
+                                - type
+                                type: object
+                              supplementalGroups:
+                                items:
+                                  format: int64
+                                  type: integer
+                                type: array
+                              sysctls:
+                                items:
+                                  properties:
+                                    name:
+                                      type: string
+                                    value:
+                                      type: string
+                                  required:
+                                  - name
+                                  - value
+                                  type: object
+                                type: array
+                              windowsOptions:
+                                properties:
+                                  gmsaCredentialSpec:
+                                    type: string
+                                  gmsaCredentialSpecName:
+                                    type: string
+                                  hostProcess:
+                                    type: boolean
+                                  runAsUserName:
+                                    type: string
+                                type: object
+                            type: object
+                version:
+                  type: string
+                tenantOperations:
+                  type: object
+                  properties:
+                    provisioning:
+                      type: array
+                      items:
+                        type: object
+                        required: ["workloadName"]
+                        properties:
+                          workloadName:
+                            type: string
+                            pattern: "[a-z0-9-]*"
+                          continueOnFailure:
+                            type: boolean
+                    deprovisioning:
+                      type: array
+                      items:
+                        type: object
+                        required: ["workloadName"]
+                        properties:
+                          workloadName:
+                            type: string
+                            pattern: "[a-z0-9-]*"
+                          continueOnFailure:
+                            type: boolean
+                    upgrade:
+                      type: array
+                      items:
+                        type: object
+                        required: ["workloadName"]
+                        properties:
+                          workloadName:
+                            type: string
+                            pattern: "[a-z0-9-]*"
+                          continueOnFailure:
+                            type: boolean
+            status:
+              type: object
+              required: ["state"]
+              default:
+                state: ""
+                observedGeneration: -1
+              properties:
+                observedGeneration:
+                  type: integer
+                state:
+                  type: string
+                  enum: ["", "Ready", "Error", "Processing", "Deleting"]
+                finishedJobs:
+                  type: array
+                  items:
+                    type: string
+                conditions:
+                  type: array
+                  items:
+                    type: object
+                    required: ["type", "status"]
+                    properties:
+                      type:
+                        type: string
+                        enum: ["Ready", "Error"]
+                      status:
+                        type: string
+                        enum: ["True", "False", "Unknown"]
+                      lastUpdateTime: # Unused property
+                        type: string
+                        format: datetime
+                      lastTransitionTime:
+                        type: string
+                        format: datetime
+                      reason:
+                        type: string
+                        minLength: 1
+                      message:
+                        type: string
+                      observedGeneration:
+                        type: integer
diff --git a/crds/captenant.yaml b/crds/captenant.yaml
new file mode 100644
index 0000000..b9e11eb
--- /dev/null
+++ b/crds/captenant.yaml
@@ -0,0 +1,95 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: captenants.sme.sap.com
+spec:
+  scope: Namespaced
+  names:
+    plural: captenants
+    singular: captenant
+    kind: CAPTenant
+    shortNames: ["cat"]
+  group: sme.sap.com
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      additionalPrinterColumns:
+        - name: Age
+          type: date
+          jsonPath: .metadata.creationTimestamp
+        - name: State
+          type: string
+          jsonPath: .status.state
+        - name: Current Version
+          type: string
+          jsonPath: .status.currentCAPApplicationVersionInstance
+      subresources:
+        status: {}
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: ["spec"]
+          properties:
+            spec:
+              type: object
+              required: ["capApplicationInstance", "subDomain", "tenantId"]
+              properties:
+                capApplicationInstance:
+                  type: string
+                subDomain:
+                  type: string
+                tenantId:
+                  type: string
+                version:
+                  type: string
+                versionUpgradeStrategy:
+                  default: "always"
+                  type: string
+                  enum: ["always", "never"]
+            status:
+              type: object
+              required: ["state"]
+              default:
+                state: ""
+                observedGeneration: -1
+              properties:
+                currentCAPApplicationVersionInstance:
+                  type: string
+                observedGeneration:
+                  type: integer
+                state:
+                  type: string
+                  enum: [ "", "Ready", "Provisioning", "Upgrading", "Deleting", "ProvisioningError", "UpgradeError"]
+                lastFullReconciliationTime:
+                  type: string
+                  format: datetime
+                previousCAPApplicationVersions:
+                  type: array
+                  items:
+                    type: string
+                conditions:
+                  type: array
+                  items:
+                    type: object
+                    required: ["type", "status"]
+                    properties:
+                      type:
+                        type: string
+                        enum: ["Ready", "Error"]
+                      status:
+                        type: string
+                        enum: ["True", "False", "Unknown"]
+                      lastUpdateTime: # Unused property
+                        type: string
+                        format: datetime
+                      lastTransitionTime:
+                        type: string
+                        format: datetime
+                      reason:
+                        type: string
+                        minLength: 1
+                      message:
+                        type: string
+                      observedGeneration:
+                        type: integer
diff --git a/crds/captenantoperation.yaml b/crds/captenantoperation.yaml
new file mode 100644
index 0000000..c272b3a
--- /dev/null
+++ b/crds/captenantoperation.yaml
@@ -0,0 +1,106 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: captenantoperations.sme.sap.com
+spec:
+  scope: Namespaced
+  names:
+    plural: captenantoperations
+    singular: captenantoperation
+    kind: CAPTenantOperation
+    shortNames: ["ctop"]
+  group: sme.sap.com
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      additionalPrinterColumns:
+        - name: Age
+          type: date
+          jsonPath: .metadata.creationTimestamp
+        - name: State
+          type: string
+          jsonPath: .status.state
+      subresources:
+        status: {}
+      schema:
+        openAPIV3Schema:
+          type: object
+          required: ["spec"]
+          properties:
+            spec:
+              type: object
+              required:
+                [
+                  "operation",
+                  "tenantId",
+                  "subDomain",
+                  "capApplicationVersionInstance",
+                ]
+              properties:
+                operation:
+                  type: string
+                  enum: ["provisioning", "deprovisioning", "upgrade"]
+                subDomain:
+                  type: string
+                tenantId:
+                  type: string
+                capApplicationVersionInstance:
+                  type: string
+                steps:
+                  type: array
+                  items:
+                    type: object
+                    required: ["name", "type"]
+                    properties:
+                      name:
+                        type: string
+                        pattern: "^[a-z]([-a-z0-9]*[a-z0-9])?$"
+                      type:
+                        type: string
+                        enum: ["TenantOperation", "CustomTenantOperation"]
+                      continueOnFailure:
+                        type: boolean
+            status:
+              type: object
+              required: ["state"]
+              default:
+                state: ""
+                observedGeneration: -1
+              properties:
+                currentStep:
+                  type: integer
+                  format: int32
+                  minimum: 0
+                activeJob:
+                  type: string
+                observedGeneration:
+                  type: integer
+                state:
+                  type: string
+                  enum: ["", "Processing", "Completed", "Failed", "Deleting"]
+                conditions:
+                  type: array
+                  items:
+                    type: object
+                    required: ["type", "status"]
+                    properties:
+                      type:
+                        type: string
+                        enum: ["Ready"]
+                      status:
+                        type: string
+                        enum: ["True", "False", "Unknown"]
+                      lastUpdateTime: # Unused property
+                        type: string
+                        format: datetime
+                      lastTransitionTime:
+                        type: string
+                        format: datetime
+                      reason:
+                        type: string
+                        minLength: 1
+                      message:
+                        type: string
+                      observedGeneration:
+                        type: integer
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..160d554
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,79 @@
+module github.com/sap/cap-operator
+
+go 1.21
+
+require (
+	github.com/MicahParks/keyfunc/v2 v2.1.0
+	github.com/cert-manager/cert-manager v1.12.3
+	github.com/gardener/cert-management v0.10.10
+	github.com/gardener/external-dns-management v0.15.8
+	github.com/golang-jwt/jwt/v5 v5.0.0
+	github.com/google/go-cmp v0.5.9
+	github.com/google/uuid v1.3.0
+	github.com/lestrrat-go/jwx/v2 v2.0.12
+	golang.org/x/mod v0.12.0
+	google.golang.org/protobuf v1.31.0
+	istio.io/api v1.19.0-beta.0
+	istio.io/client-go v1.18.1
+	k8s.io/api v0.28.0
+	k8s.io/apimachinery v0.28.0
+	k8s.io/client-go v0.28.0
+	k8s.io/code-generator v0.28.0
+	k8s.io/klog/v2 v2.100.1
+)
+
+require github.com/google/gnostic-models v0.6.8 // indirect
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.10.2 // indirect
+	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-openapi/jsonpointer v0.20.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.1 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc v1.0.4 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/segmentio/asm v1.2.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	golang.org/x/crypto v0.12.0 // indirect
+	golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb
+	golang.org/x/net v0.14.0 // indirect
+	golang.org/x/oauth2 v0.11.0 // indirect
+	golang.org/x/sys v0.11.0 // indirect
+	golang.org/x/term v0.11.0 // indirect
+	golang.org/x/text v0.12.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.9.1 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20230815205213-6bfd019c3878 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230815205213-6bfd019c3878 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/apiextensions-apiserver v0.28.0 // indirect
+	k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect
+	k8s.io/kube-openapi v0.0.0-20230816210353-14e408962443 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	sigs.k8s.io/gateway-api v0.7.1 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.3.0
+	sigs.k8s.io/yaml v1.3.0 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..e472e1e
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,251 @@
+github.com/MicahParks/keyfunc/v2 v2.1.0 h1:6ZXKb9Rp6qp1bDbJefnG7cTH8yMN1IC/4nf+GVjO99k=
+github.com/MicahParks/keyfunc/v2 v2.1.0/go.mod h1:rW42fi+xgLJ2FRRXAfNx9ZA8WpD4OeE/yHVMteCkw9k=
+github.com/cert-manager/cert-manager v1.12.3 h1:3gZkP7hHI2CjgX5qZ1Tm98YbHVXB2NGAZPVbOLb3AjU=
+github.com/cert-manager/cert-manager v1.12.3/go.mod h1:/RYHUvK9cxuU5dbRyhb7g6am9jCcZc8huF3AnADE+nA=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
+github.com/emicklei/go-restful/v3 v3.10.2 h1:hIovbnmBTLjHXkqEBUz3HGpXZdM7ZrE9fJIZIqlJLqE=
+github.com/emicklei/go-restful/v3 v3.10.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
+github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/gardener/cert-management v0.10.10 h1:r8bjF3QEsC5iRfYd0PdjyOQFeJoWxYk8kVrpeHMeB+M=
+github.com/gardener/cert-management v0.10.10/go.mod h1:XWcNx2Vur0MmmptKnR4Ema8zFDDnsDK2ovflUgFyoMs=
+github.com/gardener/external-dns-management v0.15.8 h1:YQMjxmSfGbrh2Eim4jfoOrhI/3MACCMGYUwKAwlE+z8=
+github.com/gardener/external-dns-management v0.15.8/go.mod h1:TK6nWd+j+e0Ypp7FDhYRnUQqqh9YxlOHBeEraepSdgA=
+github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
+github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
+github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ=
+github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU=
+github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
+github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
+github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80=
+github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8=
+github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
+github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
+github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
+github.com/lestrrat-go/jwx/v2 v2.0.12 h1:3d589+5w/b9b7S3DneICPW16AqTyYXB7VRjgluSDWeA=
+github.com/lestrrat-go/jwx/v2 v2.0.12/go.mod h1:Mq4KN1mM7bp+5z/W5HS8aCNs5RKZ911G/0y2qUjAQuQ=
+github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
+github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
+github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
+github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k=
+github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU=
+github.com/onsi/gomega v1.27.7/go.mod h1:1p8OOlwo2iUUDsHnOrjE5UKYJ+e3W8eQ3qSlRahPmr4=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
+github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb h1:mIKbk8weKhSeLH2GmUTrvx8CjkyJmnU1wFmg59CUjFA=
+golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
+golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
+golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
+golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
+golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
+golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
+golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/genproto v0.0.0-20230815205213-6bfd019c3878 h1:Iveh6tGCJkHAjJgEqUQYGDGgbwmhjoAOz8kO/ajxefY=
+google.golang.org/genproto v0.0.0-20230815205213-6bfd019c3878/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4=
+google.golang.org/genproto/googleapis/api v0.0.0-20230815205213-6bfd019c3878 h1:WGq4lvB/mlicysM/dUT3SBvijH4D3sm/Ny1A4wmt2CI=
+google.golang.org/genproto/googleapis/api v0.0.0-20230815205213-6bfd019c3878/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+istio.io/api v1.19.0-beta.0 h1:ZbWXHd7kqug+TGBlzWJZwRcXHH4Sfn0jJv0WmNAMHio=
+istio.io/api v1.19.0-beta.0/go.mod h1:dDMe1TsOtrRoUlBzdxqNolWXpXPQjLfbcXvqPMtQ6eo=
+istio.io/client-go v1.18.1 h1:qSpKeJ0+3L9wAEfs30KaTWkifhz7YRmyXsOPnC+zMqk=
+istio.io/client-go v1.18.1/go.mod h1:ha62DtaYYStYdisMZw9OG5iG92irhr2sWK7C38qCdqI=
+k8s.io/api v0.28.0 h1:3j3VPWmN9tTDI68NETBWlDiA9qOiGJ7sdKeufehBYsM=
+k8s.io/api v0.28.0/go.mod h1:0l8NZJzB0i/etuWnIXcwfIv+xnDOhL3lLW919AWYDuY=
+k8s.io/apiextensions-apiserver v0.28.0 h1:CszgmBL8CizEnj4sj7/PtLGey6Na3YgWyGCPONv7E9E=
+k8s.io/apiextensions-apiserver v0.28.0/go.mod h1:uRdYiwIuu0SyqJKriKmqEN2jThIJPhVmOWETm8ud1VE=
+k8s.io/apimachinery v0.28.0 h1:ScHS2AG16UlYWk63r46oU3D5y54T53cVI5mMJwwqFNA=
+k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw=
+k8s.io/client-go v0.28.0 h1:ebcPRDZsCjpj62+cMk1eGNX1QkMdRmQ6lmz5BLoFWeM=
+k8s.io/client-go v0.28.0/go.mod h1:0Asy9Xt3U98RypWJmU1ZrRAGKhP6NqDPmptlAzK2kMc=
+k8s.io/code-generator v0.28.0 h1:msdkRVJNVFgdiIJ8REl/d3cZsMB9HByFcWMmn13NyuE=
+k8s.io/code-generator v0.28.0/go.mod h1:ueeSJZJ61NHBa0ccWLey6mwawum25vX61nRZ6WOzN9A=
+k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08=
+k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
+k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
+k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
+k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/kube-openapi v0.0.0-20230816210353-14e408962443 h1:CAIciCnJnSOQxPd0xvpV6JU3D4AJvnYbImPpFpO9Hnw=
+k8s.io/kube-openapi v0.0.0-20230816210353-14e408962443/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/gateway-api v0.7.1 h1:Tts2jeepVkPA5rVG/iO+S43s9n7Vp7jCDhZDQYtPigQ=
+sigs.k8s.io/gateway-api v0.7.1/go.mod h1:Xv0+ZMxX0lu1nSSDIIPEfbVztgNZ+3cfiYrJsa2Ooso=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk=
+sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
diff --git a/hack/LICENSE_BOILERPLATE.txt b/hack/LICENSE_BOILERPLATE.txt
new file mode 100644
index 0000000..d268da3
--- /dev/null
+++ b/hack/LICENSE_BOILERPLATE.txt
@@ -0,0 +1,4 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
\ No newline at end of file
diff --git a/hack/api-reference/config.json b/hack/api-reference/config.json
new file mode 100644
index 0000000..9b853bd
--- /dev/null
+++ b/hack/api-reference/config.json
@@ -0,0 +1,20 @@
+{
+    "hideMemberFields": [
+        "TypeMeta"
+    ],
+    "hideTypePatterns": [
+        "ParseError$",
+        "List$"
+    ],
+    "externalPackages": [
+        {
+            "typeMatchPrefix": "^k8s\\.io/(api|apimachinery/pkg/apis)/",
+            "docsURLTemplate": "https://pkg.go.dev/{{.PackagePath}}#{{.TypeIdentifier}}"
+        }
+    ],
+    "typeDisplayNamePrefixOverrides": {
+        "k8s.io/api/": "Kubernetes ",
+        "k8s.io/apimachinery/pkg/apis/": "Kubernetes "
+    },
+    "markdownDisabled": false
+}
diff --git a/hack/api-reference/generate.sh b/hack/api-reference/generate.sh
new file mode 100644
index 0000000..57bc47a
--- /dev/null
+++ b/hack/api-reference/generate.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -eo pipefail
+
+# Change directory to the script dir (i.e. .../hack/api-reference/)
+cd $(dirname "${BASH_SOURCE[0]}")
+
+echo "PWD: ${PWD}"
+
+gen-crd-api-reference-docs \
+  -config config.json \
+  -template-dir template \
+  -api-dir ../../pkg/apis/sme.sap.com/v1alpha1 \
+  -out-file ../../website/includes/api-reference.html
diff --git a/hack/api-reference/template/members.tpl b/hack/api-reference/template/members.tpl
new file mode 100644
index 0000000..a529c67
--- /dev/null
+++ b/hack/api-reference/template/members.tpl
@@ -0,0 +1,48 @@
+{{ define "members" }}
+
+{{ range .Members }}
+{{ if not (hiddenMember .)}}
+<tr>
+    <td>
+        <code>{{ fieldName . }}</code><br/>
+        <em>
+            {{ if linkForType .Type }}
+                <a href="{{ linkForType .Type}}">
+                    {{ typeDisplayName .Type }}
+                </a>
+            {{ else }}
+                {{ typeDisplayName .Type }}
+            {{ end }}
+        </em>
+    </td>
+    <td>
+        {{ if fieldEmbedded . }}
+            <p>
+                (Members of <code>{{ fieldName . }}</code> are embedded into this type.)
+            </p>
+        {{ end}}
+
+        {{ if isOptionalMember .}}
+            <em>(Optional)</em>
+        {{ end }}
+
+        {{ safe (renderComments .CommentLines) }}
+
+    {{ if and (eq (.Type.Name.Name) "ObjectMeta") }}
+        Refer to the Kubernetes API documentation for the fields of the
+        <code>metadata</code> field.
+    {{ end }}
+
+    {{ if or (eq (fieldName .) "spec") }}
+        <br/>
+        <br/>
+        <table>
+            {{ template "members" .Type }}
+        </table>
+    {{ end }}
+    </td>
+</tr>
+{{ end }}
+{{ end }}
+
+{{ end }}
diff --git a/hack/api-reference/template/pkg.tpl b/hack/api-reference/template/pkg.tpl
new file mode 100644
index 0000000..842ec93
--- /dev/null
+++ b/hack/api-reference/template/pkg.tpl
@@ -0,0 +1,49 @@
+{{ define "packages" }}
+
+{{ with .packages}}
+<p>Packages:</p>
+<ul>
+    {{ range . }}
+    <li>
+        <a href="#{{- packageAnchorID . -}}">{{ packageDisplayName . }}</a>
+    </li>
+    {{ end }}
+</ul>
+{{ end}}
+
+{{ range .packages }}
+    <h2 id="{{- packageAnchorID . -}}">
+        {{- packageDisplayName . -}}
+    </h2>
+
+    {{ with (index .GoPackages 0 )}}
+        {{ with .DocComments }}
+        <div>
+            {{ safe (renderComments .) }}
+        </div>
+        {{ end }}
+    {{ end }}
+
+    Resource Types:
+    <ul>
+    {{- range (visibleTypes (sortedTypes .Types)) -}}
+        {{ if isExportedType . -}}
+        <li>
+            <a href="{{ linkForType . }}">{{ typeDisplayName . }}</a>
+        </li>
+        {{- end }}
+    {{- end -}}
+    </ul>
+
+    {{ range (visibleTypes (sortedTypes .Types))}}
+        {{ template "type" .  }}
+    {{ end }}
+    <hr/>
+{{ end }}
+
+<p><em>
+    Generated with <code>gen-crd-api-reference-docs</code>
+    {{ with .gitCommit }} on git commit <code>{{ . }}</code>{{end}}.
+</em></p>
+
+{{ end }}
diff --git a/hack/api-reference/template/placeholder.go b/hack/api-reference/template/placeholder.go
new file mode 100644
index 0000000..cc8f145
--- /dev/null
+++ b/hack/api-reference/template/placeholder.go
@@ -0,0 +1,2 @@
+// Placeholder file to make Go vendor this directory properly.
+package template
diff --git a/hack/api-reference/template/type.tpl b/hack/api-reference/template/type.tpl
new file mode 100644
index 0000000..976e224
--- /dev/null
+++ b/hack/api-reference/template/type.tpl
@@ -0,0 +1,81 @@
+{{ define "type" }}
+
+<h3 id="{{ anchorIDForType . }}">
+    {{- .Name.Name }}
+    {{ if eq .Kind "Alias" }}(<code>{{.Underlying}}</code> alias){{ end -}}
+</h3>
+{{ with (typeReferences .) }}
+    <p>
+        (<em>Appears on: </em>
+        {{- $prev := "" -}}
+        {{- range . -}}
+            {{- if $prev -}}, {{ end -}}
+            {{- $prev = . -}}
+            <a href="{{ linkForType . }}">{{ typeDisplayName . }}</a>
+        {{- end -}}
+        )
+    </p>
+{{ end }}
+
+<div>
+    {{ safe (renderComments .CommentLines) }}
+</div>
+
+{{ with (constantsOfType .) }}
+<table>
+    <thead>
+        <tr>
+            <th>Value</th>
+            <th>Description</th>
+        </tr>
+    </thead>
+    <tbody>
+      {{- range . -}}
+      <tr>
+        {{- /*
+            renderComments implicitly creates a <p> element, so we
+            add one to the display name as well to make the contents
+            of the two cells align evenly.
+        */ -}}
+        <td><p>{{ typeDisplayName . }}</p></td>
+        <td>{{ safe (renderComments .CommentLines) }}</td>
+      </tr>
+      {{- end -}}
+    </tbody>
+</table>
+{{ end }}
+
+{{ if .Members }}
+<table>
+    <thead>
+        <tr>
+            <th>Field</th>
+            <th>Description</th>
+        </tr>
+    </thead>
+    <tbody>
+        {{ if isExportedType . }}
+        <tr>
+            <td>
+                <code>apiVersion</code><br/>
+                string</td>
+            <td>
+                <code>
+                    {{apiGroup .}}
+                </code>
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <code>kind</code><br/>
+                string
+            </td>
+            <td><code>{{.Name.Name}}</code></td>
+        </tr>
+        {{ end }}
+        {{ template "members" .}}
+    </tbody>
+</table>
+{{ end }}
+
+{{ end }}
diff --git a/hack/generate.sh b/hack/generate.sh
new file mode 100644
index 0000000..efbedcf
--- /dev/null
+++ b/hack/generate.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if ! which go >/dev/null; then
+  echo "Error: go not found in path"
+  exit 1
+fi
+
+if ! which jq >/dev/null; then
+  echo "Error: jq not found in path"
+  exit 1
+fi
+
+cd $(dirname "${BASH_SOURCE[0]}")/..
+
+if [ ! -f go.mod ]; then
+  echo "Error: this is not a go module, is it?"
+  exit 1
+fi
+
+if [ -z "${CODEGEN_PKG:-}" ]; then
+  if [ -d ./vendor/k8s.io/code-generator ]; then
+    CODEGEN_PKG=./vendor/k8s.io/code-generator
+  else
+    CODEGEN_PKG=$(go mod download -json k8s.io/code-generator | jq -r '.Dir //empty')
+  fi
+fi
+
+if [ -z "${GEN_PKG_PATH:-}" ]; then
+  GEN_PKG_PATH=$(go list -m)/pkg
+fi
+
+echo "PWD: ${PWD}"
+echo "CODEGEN_PKG: ${CODEGEN_PKG}"
+echo "GEN_PKG_PATH: ${GEN_PKG_PATH}"
+
+rm -rf "${PWD}"/tmp
+mkdir -p "${PWD}"/tmp/"${GEN_PKG_PATH}"
+
+ln -s "${PWD}"/pkg/apis "${PWD}"/tmp/"${GEN_PKG_PATH}"/apis
+
+source "${CODEGEN_PKG}/kube_codegen.sh"
+
+kube::codegen::gen_helpers \
+  --input-pkg-root "${GEN_PKG_PATH}"/apis \
+  --output-base "${PWD}"/tmp \
+  --boilerplate ./hack/LICENSE_BOILERPLATE.txt
+
+kube::codegen::gen_client \
+  --with-watch \
+  --with-applyconfig \
+  --input-pkg-root "${GEN_PKG_PATH}"/apis \
+  --output-pkg-root "${GEN_PKG_PATH}"/client \
+  --output-base "${PWD}"/tmp \
+  --boilerplate ./hack/LICENSE_BOILERPLATE.txt
+
+echo "Moving generated code from ${PWD}/tmp/${GEN_PKG_PATH}/client to ${PWD}/pkg"
+rm -rf "${PWD}"/pkg/client
+mv "${PWD}"/tmp/"${GEN_PKG_PATH}"/client "${PWD}"/pkg
+
+echo "Done.. removing local /tmp dir"
+rm -rf "${PWD}"/tmp
\ No newline at end of file
diff --git a/hack/helm-reference/generate.sh b/hack/helm-reference/generate.sh
new file mode 100644
index 0000000..639b55b
--- /dev/null
+++ b/hack/helm-reference/generate.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -eo pipefail
+
+# Change dir to the root dir of this repo (should point to cap-operator)
+cd $(dirname "${BASH_SOURCE[0]}")/../..
+
+echo "PWD: ${PWD}"
+
+TEMPDIR=$(mktemp -d)
+trap 'rm -rf "$TEMPDIR"' EXIT
+
+cp -r "$PWD"/../cap-operator-lifecycle/chart "$TEMPDIR"
+
+helm-docs -c "$TEMPDIR"/chart -s file
+cp "$TEMPDIR"/chart/README.md "$PWD"/../cap-operator-lifecycle/chart
+
+cat > "$TEMPDIR"/chart/README.md.gotmpl <<END
+{{ template "chart.valuesSection" . }}
+END
+helm-docs -c "$TEMPDIR"/chart -s file
+cp "$TEMPDIR"/chart/README.md "$PWD"/website/includes/chart-values.md
\ No newline at end of file
diff --git a/hack/tools.go b/hack/tools.go
new file mode 100644
index 0000000..042c2e8
--- /dev/null
+++ b/hack/tools.go
@@ -0,0 +1,8 @@
+//go:build tools
+// +build tools
+
+package tools
+
+import (
+	_ "k8s.io/code-generator"
+)
diff --git a/internal/controller/common_test.go b/internal/controller/common_test.go
new file mode 100644
index 0000000..2360ed3
--- /dev/null
+++ b/internal/controller/common_test.go
@@ -0,0 +1,638 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"reflect"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"golang.org/x/exp/constraints"
+	"google.golang.org/protobuf/types/known/durationpb"
+
+	certManagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	certManagerFake "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/fake"
+	certManagerScheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme"
+	gardenercertv1alpha1 "github.com/gardener/cert-management/pkg/apis/cert/v1alpha1"
+	gardenercertfake "github.com/gardener/cert-management/pkg/client/cert/clientset/versioned/fake"
+	gardenercertscheme "github.com/gardener/cert-management/pkg/client/cert/clientset/versioned/scheme"
+	gardenerdnsv1alpha1 "github.com/gardener/external-dns-management/pkg/apis/dns/v1alpha1"
+	gardenerdnsfake "github.com/gardener/external-dns-management/pkg/client/dns/clientset/versioned/fake"
+	gardenerdnsscheme "github.com/gardener/external-dns-management/pkg/client/dns/clientset/versioned/scheme"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	copfake "github.com/sap/cap-operator/pkg/client/clientset/versioned/fake"
+	smeScheme "github.com/sap/cap-operator/pkg/client/clientset/versioned/scheme"
+	istiometav1alpha1 "istio.io/api/meta/v1alpha1"
+	networkingv1beta1 "istio.io/api/networking/v1beta1"
+	istionwv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+	istiofake "istio.io/client-go/pkg/clientset/versioned/fake"
+	istioscheme "istio.io/client-go/pkg/clientset/versioned/scheme"
+	appsv1 "k8s.io/api/apps/v1"
+	batchv1 "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	k8sfake "k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/kubernetes/scheme"
+	k8stesting "k8s.io/client-go/testing"
+	"k8s.io/client-go/tools/events"
+)
+
+var gvrKindMap map[string]string = map[string]string{
+	"dnsentries.dns.gardener.cloud/v1alpha1":      "DNSEntry",
+	"captenantoperations.sme.sap.com/v1alpha1":    "CAPTenantOperation",
+	"captenants.sme.sap.com/v1alpha1":             "CAPTenant",
+	"capapplications.sme.sap.com/v1alpha1":        "CAPApplication",
+	"capapplicationversions.sme.sap.com/v1alpha1": "CAPApplicationVersion",
+}
+
+// adds fixed suffix "gen" to newly created objects with generateName
+var generateNameCreateHandler k8stesting.ReactionFunc = func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) {
+	create := action.(k8stesting.CreateAction)
+	obj := create.GetObject()
+	mo, ok := obj.(metav1.Object)
+	if ok {
+		if mo.GetGenerateName() != "" && mo.GetName() == "" {
+			mo.SetName(mo.GetGenerateName() + "gen")
+		}
+	}
+
+	return false, obj, nil
+}
+
+func getErrorReactorWithResources(t *testing.T, items []ResourceAction) k8stesting.ReactionFunc {
+	actionItems := items
+	return func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) {
+		gvr := action.GetResource()
+
+		var getObject = func() runtime.Object {
+			var obj runtime.Object
+			switch action.GetVerb() {
+			case "create":
+				obj = action.(k8stesting.CreateAction).GetObject()
+			case "update":
+				obj = action.(k8stesting.UpdateAction).GetObject()
+			}
+			return obj
+		}
+
+		for _, i := range actionItems {
+			if i.Group == gvr.Group && i.Version == gvr.Version && i.Resource == gvr.Resource {
+				if i.Verb == "*" || i.Verb == action.GetVerb() {
+					if i.Namespace == "*" || i.Namespace == action.GetNamespace() {
+						errMsg := fmt.Sprintf("mocked api error (%s.%s/%s)", gvr.Resource, gvr.Group, gvr.Version)
+						if i.Name == "*" {
+							return true, nil, errors.New(errMsg)
+						}
+						if o := getObject(); o != nil {
+							if mo, ok := o.(metav1.Object); ok {
+								if mo.GetName() == i.Name {
+									return true, nil, errors.New(errMsg)
+								}
+							}
+						}
+						var moName string
+						switch action.GetVerb() {
+						case "delete":
+							moName = action.(k8stesting.DeleteAction).GetName()
+						case "get":
+							moName = action.(k8stesting.GetAction).GetName()
+						}
+						if moName != "" && moName == i.Name {
+							return true, nil, errors.New(errMsg)
+						}
+					}
+				}
+			}
+		}
+
+		return false, getObject(), nil
+	}
+}
+
+// resets the timestamps for know CRO status conditions (so that they can be compared later)
+var removeStatusTimestampHandler k8stesting.ReactionFunc = func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) {
+	update := action.(k8stesting.UpdateAction)
+	obj := update.GetObject()
+	if update.GetSubresource() == "status" {
+		var adjustConditions = func(conditions []metav1.Condition) []metav1.Condition {
+			adjustedConditions := []metav1.Condition{}
+			for _, condition := range conditions {
+				zeroTime, _ := time.Parse(time.RFC3339, "0001-01-01T00:00:00Z")
+				condition.LastTransitionTime = metav1.NewTime(zeroTime)
+				adjustedConditions = append(adjustedConditions, condition)
+			}
+			return adjustedConditions
+		}
+
+		switch cro := obj.(type) {
+		case *v1alpha1.CAPApplication:
+			cro.Status.Conditions = adjustConditions(cro.Status.Conditions)
+		case *v1alpha1.CAPApplicationVersion:
+			cro.Status.Conditions = adjustConditions(cro.Status.Conditions)
+		case *v1alpha1.CAPTenant:
+			cro.Status.Conditions = adjustConditions(cro.Status.Conditions)
+		case *v1alpha1.CAPTenantOperation:
+			cro.Status.Conditions = adjustConditions(cro.Status.Conditions)
+		}
+	}
+
+	return false, obj, nil
+}
+
+type FakeClientSetConstraint interface {
+	*k8sfake.Clientset | *gardenerdnsfake.Clientset | *gardenercertfake.Clientset | *copfake.Clientset | *istiofake.Clientset | *certManagerFake.Clientset
+	Tracker() k8stesting.ObjectTracker
+}
+
+func getKindFromGVR(gvr schema.GroupVersionResource) string {
+	return gvrKindMap[fmt.Sprintf("%s.%s/%s", gvr.Resource, gvr.Group, gvr.Version)]
+}
+
+// the returned ReactionFunction mocks delete-collection action by selecting based on provided labels and deleting individual items. It does not support field selectors.
+func getDeleteCollectionHandler[T FakeClientSetConstraint](t *testing.T, client T) k8stesting.ReactionFunc {
+	return func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) {
+		dca := action.(k8stesting.DeleteCollectionAction)
+		lreqs, err := labels.ParseToRequirements(dca.GetListRestrictions().Labels.String())
+		if err != nil {
+			return true, nil, err
+		}
+		o, err := client.Tracker().List(dca.GetResource(), dca.GetResource().GroupVersion().WithKind(getKindFromGVR(dca.GetResource())), dca.GetNamespace())
+		if err != nil {
+			return true, nil, err
+		}
+		// list, ok := o.(*gardenerdnsv1alpha1.DNSEntryList)
+		tmp := reflect.ValueOf(o).Elem().FieldByName("Items")
+		for i := 0; i < tmp.Len(); i++ {
+			item := tmp.Index(i)
+			mo, ok := item.Addr().Interface().(metav1.Object)
+			if !ok {
+				t.Errorf("expected list item to contain metadata")
+			}
+			t.Logf("%s.%s", mo.GetNamespace(), mo.GetName())
+			matchFailed := false
+			for _, lreq := range lreqs {
+				if !lreq.Matches(labels.Set(mo.GetLabels())) {
+					matchFailed = true
+					break
+				}
+			}
+			if !matchFailed {
+				err = client.Tracker().Delete(dca.GetResource(), dca.GetNamespace(), mo.GetName())
+				if err != nil {
+					return true, nil, err
+				}
+			}
+		}
+		return true, nil, nil
+	}
+}
+
+func initializeControllerForReconciliationTests(t *testing.T, items []ResourceAction) *Controller {
+	// add schemes for various client sets
+	smeScheme.AddToScheme(scheme.Scheme)
+	gardenercertscheme.AddToScheme(scheme.Scheme)
+	gardenerdnsscheme.AddToScheme(scheme.Scheme)
+	istioscheme.AddToScheme(scheme.Scheme)
+	certManagerScheme.AddToScheme(scheme.Scheme)
+
+	coreClient := k8sfake.NewSimpleClientset()
+	copClient := copfake.NewSimpleClientset()
+	istioClient := istiofake.NewSimpleClientset()
+	gardenerCertClient := gardenercertfake.NewSimpleClientset()
+	gardenerDNSClient := gardenerdnsfake.NewSimpleClientset()
+	certManagerClient := certManagerFake.NewSimpleClientset()
+
+	copClient.PrependReactor("create", "*", generateNameCreateHandler)
+	copClient.PrependReactor("update", "*", removeStatusTimestampHandler)
+	copClient.PrependReactor("delete-collection", "*", getDeleteCollectionHandler(t, copClient))
+	copClient.PrependReactor("*", "*", getErrorReactorWithResources(t, items))
+
+	istioClient.PrependReactor("create", "*", generateNameCreateHandler)
+	istioClient.PrependReactor("delete-collection", "*", getDeleteCollectionHandler(t, istioClient))
+	istioClient.PrependReactor("*", "*", getErrorReactorWithResources(t, items))
+
+	coreClient.PrependReactor("create", "*", generateNameCreateHandler)
+	coreClient.PrependReactor("create", "*", generateNameCreateHandler)
+	coreClient.PrependReactor("*", "*", getErrorReactorWithResources(t, items))
+
+	gardenerDNSClient.PrependReactor("create", "*", generateNameCreateHandler)
+	gardenerDNSClient.PrependReactor("*", "*", getErrorReactorWithResources(t, items))
+	gardenerDNSClient.PrependReactor("delete-collection", "*", getDeleteCollectionHandler(t, gardenerDNSClient))
+
+	gardenerCertClient.PrependReactor("create", "*", generateNameCreateHandler)
+	gardenerCertClient.PrependReactor("*", "*", getErrorReactorWithResources(t, items))
+	gardenerCertClient.PrependReactor("delete-collection", "*", getDeleteCollectionHandler(t, gardenerDNSClient))
+
+	c := NewController(coreClient, copClient, istioClient, gardenerCertClient, certManagerClient, gardenerDNSClient)
+	c.eventRecorder = events.NewFakeRecorder(10)
+	return c
+}
+
+type TestData struct {
+	// test case description for logging
+	description string
+	// file paths to initial resources to be loaded before tests
+	initialResources []string
+	// file path to expected resources to compare after test
+	expectedResources string
+	// expect reconciliation error
+	expectError bool
+	// expect resource is not found
+	expectResourceNotFound bool
+	// expect items to be requeued
+	expectedRequeue map[int][]NamespacedResourceKey
+	// attempts
+	attempts int
+	// mock errors during the following resource modifications
+	mockErrorForResources []ResourceAction
+	// relevant backlog items (link for traceability)
+	backlogItems []string
+}
+
+type ResourceAction struct {
+	Verb      string
+	Group     string
+	Version   string
+	Resource  string
+	Name      string
+	Namespace string
+}
+
+type TestDataType string
+
+const (
+	TestDataTypeInitial  TestDataType = "initial"
+	TestDataTypeExpected TestDataType = "expected"
+)
+
+func eventDrain(ctx context.Context, c *Controller, t *testing.T) {
+	select {
+	case <-ctx.Done():
+		return
+	case e := <-c.eventRecorder.(*events.FakeRecorder).Events:
+		t.Log(e)
+	}
+}
+
+func reconcileTestItem(ctx context.Context, t *testing.T, item QueueItem, data TestData) (err error) {
+	// run inside a test sub-context to maintain test case name with reference to backlog items
+	t.Run(strings.Join(append([]string{data.description}, data.backlogItems...), " "), func(t *testing.T) {
+		c := initializeControllerForReconciliationTests(t, data.mockErrorForResources)
+		go eventDrain(ctx, c, t)
+
+		// load initial data
+		processTestData(t, c, data, TestDataTypeInitial)
+
+		var requeue *ReconcileResult
+		switch item.Key {
+		case ResourceCAPApplication:
+			requeue, err = c.reconcileCAPApplication(ctx, item, data.attempts)
+		case ResourceCAPApplicationVersion:
+			requeue, err = c.reconcileCAPApplicationVersion(ctx, item, data.attempts)
+		case ResourceCAPTenant:
+			requeue, err = c.reconcileCAPTenant(ctx, item, data.attempts)
+		case ResourceCAPTenantOperation:
+			requeue, err = c.reconcileCAPTenantOperation(ctx, item, data.attempts)
+		case ResourceOperatorDomains:
+			err = c.reconcileOperatorDomains(ctx, item, data.attempts)
+		default:
+			t.Error("unidentified queue item for testing")
+		}
+
+		if err != nil && !data.expectError {
+			t.Error(err.Error())
+		}
+		if data.expectError && err == nil {
+			t.Error("expected error during reconciliation")
+		}
+
+		if cmpErr := verifyItemsForRequeue(data.expectedRequeue, requeue); cmpErr != nil {
+			t.Error(cmpErr.Error())
+		}
+
+		// load expected data and compare
+		if data.expectedResources != "" {
+			processTestData(t, c, data, TestDataTypeExpected)
+		} else if !data.expectResourceNotFound && err == nil { // when a resource is not found --> we simply skip reconciliation w/o errors
+			t.Error("no expected resources provided (no error from reconciliation)")
+		}
+	})
+
+	return err
+}
+
+func verifyItemsForRequeue(expected map[int][]NamespacedResourceKey, result *ReconcileResult) error {
+	if result == nil && expected == nil {
+		return nil
+	}
+	if (result == nil || result.requeueResources == nil) && expected != nil {
+		return errors.New("expected items for requeue, found none")
+	}
+	if result != nil && expected == nil {
+		return errors.New("did not expect items for requeue")
+	}
+	for rid, ev := range expected {
+		if len(ev) == 0 {
+			continue
+		}
+		av, ok := result.requeueResources[rid]
+		if !ok {
+			return fmt.Errorf("expected items for requeue of type %s", KindMap[rid])
+		}
+		avm := convertRequeueItemSliceToMap(av)
+		for _, i := range ev {
+			k := fmt.Sprintf("%s.%s", i.Namespace, i.Name)
+			if _, ok := avm[k]; !ok {
+				return fmt.Errorf("expected item %s of type %s for requeue", k, KindMap[rid])
+			}
+			delete(avm, k)
+		}
+		if len(avm) > 0 {
+			return fmt.Errorf("did not expect the following items of type %s to be requeued: %s", KindMap[rid], getComaSeparatedKeys(avm, nil))
+		}
+		delete(result.requeueResources, rid)
+	}
+	if len(result.requeueResources) > 0 {
+		return fmt.Errorf("did not expect the following item types to be requeued: %s", getComaSeparatedKeys(result.requeueResources, func(i int) string { return KindMap[i] }))
+	}
+	return nil
+}
+
+func getComaSeparatedKeys[K constraints.Ordered, T any](m map[K]T, stringer func(key K) string) string {
+	s := []string{}
+	for k := range m {
+		var n string
+		if stringer == nil {
+			n = fmt.Sprintf("%v", k)
+		} else {
+			n = stringer(k)
+		}
+		s = append(s, n)
+	}
+	return strings.Join(s, ", ")
+}
+
+func convertRequeueItemSliceToMap(s []RequeueItem) map[string]struct{} {
+	m := map[string]struct{}{}
+	for _, i := range s {
+		m[fmt.Sprintf("%s.%s", i.resourceKey.Namespace, i.resourceKey.Name)] = struct{}{}
+	}
+	return m
+}
+
+func processTestData(t *testing.T, c *Controller, data TestData, dataType TestDataType) {
+	files := make([]string, 0)
+	if dataType == TestDataTypeInitial {
+		files = append(files, data.initialResources...)
+	} else {
+		files = append(files, data.expectedResources)
+	}
+
+	var wg sync.WaitGroup
+
+	var processFile = func(file string) {
+		defer wg.Done()
+		i, err := os.ReadFile(file)
+		if err != nil {
+			t.Error(err.Error())
+		}
+
+		fileContents := string(i)
+		splits := strings.Split(fileContents, "---")
+		for _, part := range splits {
+			if part == "\n" || part == "" {
+				continue
+			}
+
+			if dataType == TestDataTypeInitial {
+				err = addInitialObjectToStore(t, []byte(part), c)
+			} else {
+				err = compareExpectedWithStore(t, []byte(part), c)
+			}
+			if err != nil {
+				t.Error(err.Error())
+			}
+		}
+	}
+
+	for _, f := range files {
+		wg.Add(1)
+		go processFile(f)
+	}
+	wg.Wait()
+}
+
+func addInitialObjectToStore(t *testing.T, resource []byte, c *Controller) error {
+	decoder := scheme.Codecs.UniversalDeserializer().Decode
+	obj, _, err := decoder(resource, nil, nil)
+	if err != nil {
+		return err
+	}
+
+	switch obj.(type) {
+	case *corev1.Secret, *corev1.Pod, *corev1.Namespace, *corev1.Service:
+		fakeClient, ok := c.kubeClient.(*k8sfake.Clientset)
+		if !ok {
+			return fmt.Errorf("controller is not using a fake clientset")
+		}
+		fakeClient.Tracker().Add(obj)
+		switch obj.(type) {
+		case *corev1.Secret:
+			err = c.kubeInformerFactory.Core().V1().Secrets().Informer().GetIndexer().Add(obj)
+		case *corev1.Pod:
+			err = c.kubeInformerFactory.Core().V1().Pods().Informer().GetIndexer().Add(obj)
+		case *corev1.Namespace:
+			err = c.kubeInformerFactory.Core().V1().Namespaces().Informer().GetIndexer().Add(obj)
+		case *corev1.Service:
+			err = c.kubeInformerFactory.Core().V1().Services().Informer().GetIndexer().Add(obj)
+		}
+	case *batchv1.Job:
+		fakeClient, ok := c.kubeClient.(*k8sfake.Clientset)
+		if !ok {
+			return fmt.Errorf("controller is not using a fake clientset")
+		}
+		fakeClient.Tracker().Add(obj)
+		err = c.kubeInformerFactory.Batch().V1().Jobs().Informer().GetIndexer().Add(obj)
+	case *gardenercertv1alpha1.Certificate:
+		fakeClient, ok := c.gardenerCertificateClient.(*gardenercertfake.Clientset)
+		if !ok {
+			return fmt.Errorf("controller is not using a fake clientset")
+		}
+		fakeClient.Tracker().Add(obj)
+		err = c.gardenerCertInformerFactory.Cert().V1alpha1().Certificates().Informer().GetIndexer().Add(obj)
+	case *certManagerv1.Certificate:
+		fakeClient, ok := c.certManagerCertificateClient.(*certManagerFake.Clientset)
+		if !ok {
+			return fmt.Errorf("controller is not using a fake clientset")
+		}
+		fakeClient.Tracker().Add(obj)
+		err = c.certManagerInformerFactory.Certmanager().V1().Certificates().Informer().GetIndexer().Add(obj)
+	case *gardenerdnsv1alpha1.DNSEntry:
+		fakeClient, ok := c.gardenerDNSClient.(*gardenerdnsfake.Clientset)
+		if !ok {
+			return fmt.Errorf("controller is not using a fake clientset")
+		}
+		fakeClient.Tracker().Add(obj)
+		err = c.gardenerDNSInformerFactory.Dns().V1alpha1().DNSEntries().Informer().GetIndexer().Add(obj)
+	case *istionwv1beta1.Gateway, *istionwv1beta1.VirtualService, *istionwv1beta1.DestinationRule:
+		fakeClient, ok := c.istioClient.(*istiofake.Clientset)
+		if !ok {
+			return fmt.Errorf("controller is not using a fake clientset")
+		}
+		metaObj, ok := getMetaObject(obj)
+		if !ok {
+			return fmt.Errorf("could not type cast event object to meta object")
+		}
+		switch obj.(type) {
+		case *istionwv1beta1.VirtualService:
+			fakeClient.Tracker().Create(schema.GroupVersionResource{Group: "networking.istio.io", Version: "v1beta1", Resource: "virtualservices"}, obj, metaObj.GetNamespace())
+			err = c.istioInformerFactory.Networking().V1beta1().VirtualServices().Informer().GetIndexer().Add(obj)
+		case *istionwv1beta1.Gateway:
+			fakeClient.Tracker().Create(schema.GroupVersionResource{Group: "networking.istio.io", Version: "v1beta1", Resource: "gateways"}, obj, metaObj.GetNamespace())
+			err = c.istioInformerFactory.Networking().V1beta1().Gateways().Informer().GetIndexer().Add(obj)
+		case *istionwv1beta1.DestinationRule:
+			fakeClient.Tracker().Create(schema.GroupVersionResource{Group: "networking.istio.io", Version: "v1beta1", Resource: "destinationrules"}, obj, metaObj.GetNamespace())
+			err = c.istioInformerFactory.Networking().V1beta1().DestinationRules().Informer().GetIndexer().Add(obj)
+		}
+	case *v1alpha1.CAPApplication, *v1alpha1.CAPApplicationVersion, *v1alpha1.CAPTenant, *v1alpha1.CAPTenantOperation:
+		fakeClient, ok := c.crdClient.(*copfake.Clientset)
+		if !ok {
+			return fmt.Errorf("controller is not using a fake clientset")
+		}
+		fakeClient.Tracker().Add(obj)
+		switch obj.(type) {
+		case *v1alpha1.CAPApplication:
+			err = c.crdInformerFactory.Sme().V1alpha1().CAPApplications().Informer().GetIndexer().Add(obj)
+		case *v1alpha1.CAPApplicationVersion:
+			err = c.crdInformerFactory.Sme().V1alpha1().CAPApplicationVersions().Informer().GetIndexer().Add(obj)
+		case *v1alpha1.CAPTenant:
+			err = c.crdInformerFactory.Sme().V1alpha1().CAPTenants().Informer().GetIndexer().Add(obj)
+		case *v1alpha1.CAPTenantOperation:
+			err = c.crdInformerFactory.Sme().V1alpha1().CAPTenantOperations().Informer().GetIndexer().Add(obj)
+		}
+	default:
+		return fmt.Errorf("unknown object type")
+	}
+
+	return err
+}
+
+func compareExpectedWithStore(t *testing.T, resource []byte, c *Controller) error {
+	decoder := scheme.Codecs.UniversalDeserializer().Decode
+	expected, gvk, err := decoder(resource, nil, nil)
+	if err != nil {
+		return err
+	}
+
+	mo, ok := expected.(metav1.Object)
+	if !ok {
+		return fmt.Errorf("expected object is not a meta object")
+	}
+
+	var actual runtime.Object
+	switch expected.(type) {
+	case *corev1.Secret:
+		actual, err = c.kubeClient.(*k8sfake.Clientset).Tracker().Get(gvk.GroupVersion().WithResource("secrets"), mo.GetNamespace(), mo.GetName())
+	case *corev1.Service:
+		actual, err = c.kubeClient.(*k8sfake.Clientset).Tracker().Get(gvk.GroupVersion().WithResource("services"), mo.GetNamespace(), mo.GetName())
+	case *batchv1.Job:
+		actual, err = c.kubeClient.(*k8sfake.Clientset).Tracker().Get(gvk.GroupVersion().WithResource("jobs"), mo.GetNamespace(), mo.GetName())
+	case *appsv1.Deployment:
+		actual, err = c.kubeClient.(*k8sfake.Clientset).Tracker().Get(gvk.GroupVersion().WithResource("deployments"), mo.GetNamespace(), mo.GetName())
+	case *networkingv1.NetworkPolicy:
+		actual, err = c.kubeClient.(*k8sfake.Clientset).Tracker().Get(gvk.GroupVersion().WithResource("networkpolicies"), mo.GetNamespace(), mo.GetName())
+	case *gardenercertv1alpha1.Certificate:
+		actual, err = c.gardenerCertificateClient.(*gardenercertfake.Clientset).Tracker().Get(gvk.GroupVersion().WithResource("certificates.cert.gardener.cloud"), mo.GetNamespace(), mo.GetName())
+	case *certManagerv1.Certificate:
+		actual, err = c.certManagerCertificateClient.(*certManagerFake.Clientset).Tracker().Get(gvk.GroupVersion().WithResource("certificates.cert.gardener.cloud"), mo.GetNamespace(), mo.GetName())
+	case *gardenerdnsv1alpha1.DNSEntry:
+		actual, err = c.gardenerDNSClient.(*gardenerdnsfake.Clientset).Tracker().Get(gvk.GroupVersion().WithResource("dnsentries"), mo.GetNamespace(), mo.GetName())
+	case *istionwv1beta1.Gateway, *istionwv1beta1.VirtualService, *istionwv1beta1.DestinationRule:
+		fakeClient := c.istioClient.(*istiofake.Clientset)
+		switch expected.(type) {
+		case *istionwv1beta1.VirtualService:
+			actual, err = fakeClient.Tracker().Get(gvk.GroupVersion().WithResource("virtualservices"), mo.GetNamespace(), mo.GetName())
+		case *istionwv1beta1.DestinationRule:
+			actual, err = fakeClient.Tracker().Get(gvk.GroupVersion().WithResource("destinationrules"), mo.GetNamespace(), mo.GetName())
+		case *istionwv1beta1.Gateway:
+			actual, err = fakeClient.Tracker().Get(gvk.GroupVersion().WithResource("gateways"), mo.GetNamespace(), mo.GetName())
+		}
+	case *v1alpha1.CAPApplication, *v1alpha1.CAPApplicationVersion, *v1alpha1.CAPTenant, *v1alpha1.CAPTenantOperation:
+		fakeClient := c.crdClient.(*copfake.Clientset)
+		switch expected.(type) {
+		case *v1alpha1.CAPApplication:
+			actual, err = fakeClient.Tracker().Get(gvk.GroupVersion().WithResource("capapplications"), mo.GetNamespace(), mo.GetName())
+		case *v1alpha1.CAPApplicationVersion:
+			actual, err = fakeClient.Tracker().Get(gvk.GroupVersion().WithResource("capapplicationversions"), mo.GetNamespace(), mo.GetName())
+		case *v1alpha1.CAPTenant:
+			actual, err = fakeClient.Tracker().Get(gvk.GroupVersion().WithResource("captenants"), mo.GetNamespace(), mo.GetName())
+		case *v1alpha1.CAPTenantOperation:
+			actual, err = fakeClient.Tracker().Get(gvk.GroupVersion().WithResource("captenantoperations"), mo.GetNamespace(), mo.GetName())
+		}
+	default:
+		return fmt.Errorf("unknown expected object type")
+	}
+
+	if err == nil {
+		compareResourceFields(actual, expected, t, gvk.Kind, mo.GetNamespace(), mo.GetName())
+	} else {
+		t.Error(err.Error())
+	}
+
+	return err
+}
+
+func compareResourceFields(actual runtime.Object, expected runtime.Object, t *testing.T, kind string, namespace string, name string) {
+	if diff := cmp.Diff(
+		actual, expected,
+		cmp.FilterPath(func(p cmp.Path) bool {
+			// NOTE: do not compare the type metadata as this is not guaranteed to be filled from the fake client
+			return p.String() == "TypeMeta"
+		}, cmp.Ignore()),
+		cmp.FilterPath(func(p cmp.Path) bool {
+			// Ignore relevant Unexported fields introduced recently by istio in Spec
+			ps := p.String()
+			return ps == "Spec" || strings.HasPrefix(ps, "Spec.")
+		}, cmpopts.IgnoreUnexported(
+			networkingv1beta1.PortSelector{},
+			networkingv1beta1.Destination{},
+			networkingv1beta1.HTTPRouteDestination{},
+			networkingv1beta1.StringMatch{},
+			networkingv1beta1.HTTPMatchRequest{},
+			networkingv1beta1.HTTPRoute{},
+			networkingv1beta1.VirtualService{},
+			networkingv1beta1.Server{},
+			networkingv1beta1.Port{},
+			networkingv1beta1.DestinationRule{},
+			networkingv1beta1.TrafficPolicy{},
+			networkingv1beta1.LoadBalancerSettings{},
+			networkingv1beta1.LoadBalancerSettings_ConsistentHashLB{},
+			networkingv1beta1.LoadBalancerSettings_ConsistentHashLB_HTTPCookie{},
+			durationpb.Duration{},
+		)),
+		cmp.FilterPath(func(p cmp.Path) bool {
+			// Ignore relevant Unexported fields introduced recently by istio in Status
+			ps := p.String()
+			return ps == "Status" || strings.HasPrefix(ps, "Status.")
+		}, cmpopts.IgnoreUnexported(
+			istiometav1alpha1.IstioStatus{},
+		)),
+	); diff != "" {
+		t.Errorf("expected and actual resource differs for %s %s.%s", kind, namespace, name)
+		t.Error(diff)
+	}
+}
diff --git a/internal/controller/controller.go b/internal/controller/controller.go
new file mode 100644
index 0000000..1164da7
--- /dev/null
+++ b/internal/controller/controller.go
@@ -0,0 +1,281 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"reflect"
+	"sync"
+	"time"
+
+	certManager "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
+	certManagerInformers "github.com/cert-manager/cert-manager/pkg/client/informers/externalversions"
+	gardenerCert "github.com/gardener/cert-management/pkg/client/cert/clientset/versioned"
+	gardenerCertInformers "github.com/gardener/cert-management/pkg/client/cert/informers/externalversions"
+	gardenerDNS "github.com/gardener/external-dns-management/pkg/client/dns/clientset/versioned"
+	gardenerDNSInformers "github.com/gardener/external-dns-management/pkg/client/dns/informers/externalversions"
+	"github.com/sap/cap-operator/pkg/client/clientset/versioned"
+	v1alpha1scheme "github.com/sap/cap-operator/pkg/client/clientset/versioned/scheme"
+	crdInformers "github.com/sap/cap-operator/pkg/client/informers/externalversions"
+	istio "istio.io/client-go/pkg/clientset/versioned"
+	istioscheme "istio.io/client-go/pkg/clientset/versioned/scheme"
+	istioInformers "istio.io/client-go/pkg/informers/externalversions"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+	kubescheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/tools/events"
+	"k8s.io/client-go/util/workqueue"
+	"k8s.io/klog/v2"
+)
+
+type Controller struct {
+	kubeClient                   kubernetes.Interface
+	crdClient                    versioned.Interface
+	istioClient                  istio.Interface
+	gardenerCertificateClient    gardenerCert.Interface
+	certManagerCertificateClient certManager.Interface
+	gardenerDNSClient            gardenerDNS.Interface
+	kubeInformerFactory          informers.SharedInformerFactory
+	crdInformerFactory           crdInformers.SharedInformerFactory
+	istioInformerFactory         istioInformers.SharedInformerFactory
+	gardenerCertInformerFactory  gardenerCertInformers.SharedInformerFactory
+	certManagerInformerFactory   certManagerInformers.SharedInformerFactory
+	gardenerDNSInformerFactory   gardenerDNSInformers.SharedInformerFactory
+	queues                       map[int]workqueue.RateLimitingInterface
+	eventBroadcaster             events.EventBroadcaster
+	eventRecorder                events.EventRecorder
+}
+
+func NewController(client kubernetes.Interface, crdClient versioned.Interface, istioClient istio.Interface, gardenerCertificateClient gardenerCert.Interface, certManagerCertificateClient certManager.Interface, gardenerDNSClient gardenerDNS.Interface) *Controller {
+	queues := map[int]workqueue.RateLimitingInterface{
+		ResourceCAPApplication:        workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),
+		ResourceCAPApplicationVersion: workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),
+		ResourceCAPTenant:             workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),
+		ResourceCAPTenantOperation:    workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),
+		ResourceOperatorDomains:       workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),
+	}
+
+	// Use 30mins as the default Resync interval for kube / proprietary  resources
+	kubeInformerFactory := informers.NewSharedInformerFactory(client, 30*time.Minute)
+	istioInformerFactory := istioInformers.NewSharedInformerFactory(istioClient, 30*time.Minute)
+
+	var gardenerCertInformerFactory gardenerCertInformers.SharedInformerFactory
+	var gardenerDNSInformerFactory gardenerDNSInformers.SharedInformerFactory
+	var certManagerInformerFactory certManagerInformers.SharedInformerFactory
+	switch certificateManager() {
+	case certManagerGardener:
+		gardenerCertInformerFactory = gardenerCertInformers.NewSharedInformerFactory(gardenerCertificateClient, 30*time.Minute)
+	case certManagerCertManagerIO:
+		certManagerInformerFactory = certManagerInformers.NewSharedInformerFactory(certManagerCertificateClient, 30*time.Minute)
+	}
+	switch dnsManager() {
+	case dnsManagerGardener:
+		gardenerDNSInformerFactory = gardenerDNSInformers.NewSharedInformerFactory(gardenerDNSClient, 30*time.Minute)
+	case dnsManagerKubernetes:
+		// no activity needed on our side so far
+	}
+
+	// Use 60 as the default Resync interval for our custom resources (CAP CROs)
+	crdInformerFactory := crdInformers.NewSharedInformerFactory(crdClient, 60*time.Second)
+
+	// initialize event recorder
+	scheme := runtime.NewScheme()
+	kubescheme.AddToScheme(scheme)
+	v1alpha1scheme.AddToScheme(scheme)
+	istioscheme.AddToScheme(scheme)
+	eventBroadcaster := events.NewBroadcaster(&events.EventSinkImpl{Interface: client.EventsV1()})
+	eventBroadcaster.StartStructuredLogging(klog.Level(1))
+	recorder := eventBroadcaster.NewRecorder(scheme, "cap-controller.sme.sap.com")
+
+	c := &Controller{
+		kubeClient:                   client,
+		crdClient:                    crdClient,
+		istioClient:                  istioClient,
+		gardenerCertificateClient:    gardenerCertificateClient,
+		certManagerCertificateClient: certManagerCertificateClient,
+		gardenerDNSClient:            gardenerDNSClient,
+		kubeInformerFactory:          kubeInformerFactory,
+		crdInformerFactory:           crdInformerFactory,
+		istioInformerFactory:         istioInformerFactory,
+		gardenerCertInformerFactory:  gardenerCertInformerFactory,
+		certManagerInformerFactory:   certManagerInformerFactory,
+		gardenerDNSInformerFactory:   gardenerDNSInformerFactory,
+		queues:                       queues,
+		eventBroadcaster:             eventBroadcaster,
+		eventRecorder:                recorder,
+	}
+	return c
+}
+
+func throwInformerStartError(resources map[reflect.Type]bool) {
+	for resource, ok := range resources {
+		if !ok {
+			klog.Error("could not start informer for resource ", resource.String())
+		}
+	}
+}
+
+func (c *Controller) Start(ctx context.Context) {
+	// ensure queue shutdown
+	go func() {
+		<-ctx.Done()
+		for _, q := range c.queues {
+			q.ShutDown()
+		}
+	}()
+
+	c.initializeInformers()
+
+	// start event recorder
+	c.eventBroadcaster.StartRecordingToSink(ctx.Done())
+
+	// start informers and wait for cache sync
+	c.kubeInformerFactory.Start(ctx.Done())
+	throwInformerStartError(c.kubeInformerFactory.WaitForCacheSync(ctx.Done()))
+
+	c.crdInformerFactory.Start(ctx.Done())
+	throwInformerStartError(c.crdInformerFactory.WaitForCacheSync(ctx.Done()))
+
+	c.istioInformerFactory.Start(ctx.Done())
+	throwInformerStartError(c.istioInformerFactory.WaitForCacheSync(ctx.Done()))
+
+	switch certificateManager() {
+	case certManagerGardener:
+		c.gardenerCertInformerFactory.Start(ctx.Done())
+		throwInformerStartError(c.gardenerCertInformerFactory.WaitForCacheSync(ctx.Done()))
+	case certManagerCertManagerIO:
+		c.certManagerInformerFactory.Start(ctx.Done())
+		throwInformerStartError(c.certManagerInformerFactory.WaitForCacheSync(ctx.Done()))
+	}
+
+	switch dnsManager() {
+	case dnsManagerGardener:
+		c.gardenerDNSInformerFactory.Start(ctx.Done())
+		throwInformerStartError(c.gardenerDNSInformerFactory.WaitForCacheSync(ctx.Done()))
+	case dnsManagerKubernetes:
+		// no activity needed on our side so far
+	}
+
+	// create context for worker queues
+	qCxt, qCancel := context.WithCancel(ctx)
+	defer qCancel()
+
+	var wg sync.WaitGroup
+	for k := range c.queues {
+		wg.Add(1)
+		go func(key int) {
+			defer wg.Done()
+			err := c.processQueue(qCxt, key)
+			if err != nil {
+				klog.Error("worker queue ", key, " ended with error: ", err.Error())
+			}
+			qCancel() // cancel context to inform other workers
+		}(k)
+	}
+
+	// wait for workers
+	wg.Wait()
+}
+
+func (c *Controller) processQueue(ctx context.Context, key int) error {
+	klog.Info("starting to process queue ", getResourceKindFromKey(key))
+	for {
+		select {
+		case <-ctx.Done():
+			klog.Info("context done; ending processing of queue ", getResourceKindFromKey(key))
+			return nil
+		default: // fall through - to avoid blocking
+			err := c.processQueueItem(ctx, key)
+			if err != nil {
+				return err
+			}
+		}
+	}
+}
+
+func (c *Controller) processQueueItem(ctx context.Context, key int) error {
+	q, ok := c.queues[key]
+	if !ok {
+		return fmt.Errorf("unknown queue; ending worker %d", key)
+	}
+
+	klog.V(2).Info("current work queue (", getResourceKindFromKey(key), ") length: ", q.Len())
+
+	i, shutdown := q.Get()
+	if shutdown {
+		return fmt.Errorf("queue (%d) shutdown", key) // stop processing when the queue has been shutdown
+	}
+
+	// [IMPORTANT] always mark the item as done (after processing it)
+	defer q.Done(i)
+
+	var (
+		err      error
+		skipItem bool
+		result   *ReconcileResult
+	)
+	item, ok := i.(QueueItem)
+	if !ok {
+		klog.Error("unknown item found in queue ", getResourceKindFromKey(key))
+		return nil // process next item
+	}
+
+	attempts := q.NumRequeues(item)
+	klog.Info("processing ", item.ResourceKey.Namespace, ".", item.ResourceKey.Name, " of type ", getResourceKindFromKey(key), " (attempt ", attempts, ")")
+
+	switch item.Key {
+	case ResourceCAPApplication:
+		result, err = c.reconcileCAPApplication(ctx, item, attempts)
+	case ResourceCAPApplicationVersion:
+		result, err = c.reconcileCAPApplicationVersion(ctx, item, attempts)
+	case ResourceCAPTenant:
+		result, err = c.reconcileCAPTenant(ctx, item, attempts)
+	case ResourceCAPTenantOperation:
+		result, err = c.reconcileCAPTenantOperation(ctx, item, attempts)
+	case ResourceOperatorDomains:
+		err = c.reconcileOperatorDomains(ctx, item, attempts)
+	default:
+		err = errors.New("unidentified queue item")
+		skipItem = true
+	}
+	// Handle reconcile errors
+	if err != nil {
+		klog.Error("queue processing error (", getResourceKindFromKey(key), "): ", err.Error())
+		if !skipItem {
+			// add back to queue for re-processing
+			q.AddRateLimited(i)
+			return nil
+		}
+	}
+
+	// Forget the item after processing it
+	// This just clears the rate limiter from tracking the item
+	q.Forget(i)
+
+	if result != nil {
+		// requeue resources specified in the reconciliation result
+		c.processReconcileResult(result)
+	}
+
+	return nil
+}
+
+func (c *Controller) processReconcileResult(result *ReconcileResult) {
+	for i, items := range result.requeueResources {
+		q, ok := c.queues[i]
+		if !ok {
+			klog.Errorf("could not identify a resource queue with key %v", i)
+			return
+		}
+		for _, item := range items {
+			klog.Infof("(re)queueing %s.%s as %s after %s", item.resourceKey.Namespace, item.resourceKey.Name, KindMap[i], item.requeueAfter.String())
+			// add back item to queue w/o rate limits for re-processing after specified duration
+			q.AddAfter(QueueItem{Key: i, ResourceKey: item.resourceKey}, item.requeueAfter)
+		}
+	}
+}
diff --git a/internal/controller/controller_test.go b/internal/controller/controller_test.go
new file mode 100644
index 0000000..2a5ecf1
--- /dev/null
+++ b/internal/controller/controller_test.go
@@ -0,0 +1,292 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/informers/batch"
+	"k8s.io/client-go/informers/internalinterfaces"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/events"
+	"k8s.io/client-go/util/workqueue"
+	"k8s.io/klog/v2"
+)
+
+type dummyInformerFactoryType struct {
+	informers.SharedInformerFactory
+	namespace        string
+	tweakListOptions func(*metav1.ListOptions)
+}
+
+func (f *dummyInformerFactoryType) WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool {
+	//Simulate error
+	return map[reflect.Type]bool{reflect.TypeOf(metav1.TypeMeta{}): false}
+}
+
+func (f *dummyInformerFactoryType) Batch() batch.Interface {
+	return f.SharedInformerFactory.Batch()
+}
+
+func (f *dummyInformerFactoryType) InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer {
+	return f.SharedInformerFactory.InformerFor(obj, newFunc)
+}
+
+func TestController_processQueue(t *testing.T) {
+	tests := []struct {
+		name              string
+		resource          int
+		resourceName      string
+		resourceNamespace string
+		earlyShutDown     bool
+		expectError       bool
+		errorString       string
+	}{
+		{
+			name:              "Test Controller Start - process queue CAPApplication",
+			resource:          ResourceCAPApplication,
+			resourceName:      "test-res",
+			resourceNamespace: metav1.NamespaceDefault,
+			expectError:       true,
+			errorString:       "shutdown",
+		},
+		{
+			name:        "Test Controller Start - process queue Unknown resource",
+			resource:    9999,
+			expectError: true,
+			errorString: "unknown queue;",
+		},
+		{
+			name:              "Test Controller Start - process queue CAPApplication - queue shutdown",
+			resource:          ResourceCAPApplication,
+			resourceName:      "test-ca",
+			resourceNamespace: metav1.NamespaceDefault,
+			earlyShutDown:     true,
+			expectError:       false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := getTestController(testResources{preventStart: true})
+
+			dummyKubeInformerFactory := &dummyInformerFactoryType{c.kubeInformerFactory, tt.resourceNamespace, nil}
+
+			testC := &Controller{
+				kubeClient:                  c.kubeClient,
+				crdClient:                   c.crdClient,
+				istioClient:                 c.istioClient,
+				gardenerCertificateClient:   c.gardenerCertificateClient,
+				gardenerDNSClient:           c.gardenerDNSClient,
+				kubeInformerFactory:         dummyKubeInformerFactory,
+				crdInformerFactory:          c.crdInformerFactory,
+				istioInformerFactory:        c.istioInformerFactory,
+				gardenerCertInformerFactory: c.gardenerCertInformerFactory,
+				gardenerDNSInformerFactory:  c.gardenerDNSInformerFactory,
+				queues:                      c.queues,
+				eventBroadcaster:            c.eventBroadcaster,
+				eventRecorder:               events.NewFakeRecorder(10),
+			}
+
+			// Create a background context that gets cancelled once the test run completes
+			ctx, cancel := context.WithCancel(context.Background())
+			cancel()
+
+			testC.Start(ctx)
+
+			// Manual API checks
+			var expectedRes error
+			if tt.earlyShutDown {
+				expectedRes = testC.processQueue(ctx, tt.resource)
+			} else {
+				expectedRes = testC.processQueue(context.TODO(), tt.resource)
+			}
+
+			if !tt.expectError && expectedRes != nil {
+				t.Error("Unexpected result", expectedRes)
+			} else if tt.expectError && expectedRes == nil {
+				t.Error("Unexpected result", "error is nil")
+			} else if tt.expectError && expectedRes != nil {
+				res := strings.Count(expectedRes.Error(), tt.errorString)
+				if res < 1 {
+					t.Error("Unexpected result", expectedRes, "; expected to contain", tt.errorString)
+				}
+			}
+		})
+	}
+}
+
+func TestController_processQueueItem(t *testing.T) {
+	tests := []struct {
+		name              string
+		createCA          bool
+		createCAPTenant   bool
+		resource          int
+		resourceName      string
+		resourceNamespace string
+		earlyShutDown     bool
+		expectError       bool
+		errorString       string
+		expectRequeue     bool
+	}{
+		{
+			name:              "Test Controller Start - process queue item CAPApplication",
+			resource:          ResourceCAPApplication,
+			resourceName:      "test-res",
+			resourceNamespace: metav1.NamespaceDefault,
+			expectError:       false,
+		},
+		{
+			name:              "Test Controller Start - process queue item CAPApplication (Requeue)",
+			createCA:          true,
+			resource:          ResourceCAPApplication,
+			resourceName:      "test-res",
+			resourceNamespace: metav1.NamespaceDefault,
+			expectError:       false,
+		},
+		{
+			name:              "Test Controller Start - process queue item CAPApplicationVersion",
+			resource:          ResourceCAPApplicationVersion,
+			resourceName:      "test-res",
+			resourceNamespace: metav1.NamespaceDefault,
+			expectError:       false,
+		},
+		{
+			name:              "Test Controller Start - process queue item CAPTenant",
+			resource:          ResourceCAPTenant,
+			resourceName:      "test-res",
+			resourceNamespace: metav1.NamespaceDefault,
+			expectError:       false,
+		},
+		{
+			name:              "Test Controller Start - process queue item CAPTenantOperation",
+			resource:          ResourceCAPTenantOperation,
+			resourceName:      "test-res",
+			resourceNamespace: metav1.NamespaceDefault,
+			expectError:       false,
+		},
+		{
+			name:              "Test Controller Start - process queue item unidentified queue item",
+			resource:          9,
+			resourceName:      "test-res",
+			resourceNamespace: metav1.NamespaceDefault,
+			expectError:       false,
+		},
+		{
+			name:        "Test Controller Start - process queue item Unknown item",
+			resource:    99,
+			expectError: false,
+		},
+		{
+			name:        "Test Controller Start - process queue item Unknown resource",
+			resource:    999,
+			expectError: true,
+			errorString: "unknown queue;",
+		},
+		{
+			name:              "Test Controller Start - process queue item CAPApplication - queue shutdown",
+			resource:          ResourceCAPApplication,
+			resourceName:      "test-ca",
+			resourceNamespace: metav1.NamespaceDefault,
+			earlyShutDown:     true,
+			expectError:       true,
+			errorString:       "shutdown",
+		},
+		{
+			name:              "Test Controller Start - process queue item CAPTenant - reconciliation error and requeue",
+			createCAPTenant:   true,
+			resource:          ResourceCAPTenant,
+			resourceName:      "ca-does-not-exist-provider",
+			resourceNamespace: metav1.NamespaceDefault,
+			expectError:       false,
+			expectRequeue:     true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var (
+				ca  *v1alpha1.CAPApplication
+				cat *v1alpha1.CAPTenant
+			)
+			if tt.createCA {
+				ca = createCaCRO(tt.resourceName, true)
+			}
+			if tt.createCAPTenant {
+				cat = createCatCRO("ca-does-not-exist", "provider", true)
+			}
+
+			c := getTestController(testResources{cas: []*v1alpha1.CAPApplication{ca}, cats: []*v1alpha1.CAPTenant{cat}, preventStart: true})
+			if tt.resource == 9 || tt.resource == 99 {
+				c.queues[tt.resource] = workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter())
+			}
+
+			dummyKubeInformerFactory := &dummyInformerFactoryType{c.kubeInformerFactory, tt.resourceNamespace, nil}
+
+			testC := &Controller{
+				kubeClient:                  c.kubeClient,
+				crdClient:                   c.crdClient,
+				istioClient:                 c.istioClient,
+				gardenerCertificateClient:   c.gardenerCertificateClient,
+				gardenerDNSClient:           c.gardenerDNSClient,
+				kubeInformerFactory:         dummyKubeInformerFactory,
+				crdInformerFactory:          c.crdInformerFactory,
+				istioInformerFactory:        c.istioInformerFactory,
+				gardenerCertInformerFactory: c.gardenerCertInformerFactory,
+				gardenerDNSInformerFactory:  c.gardenerDNSInformerFactory,
+				queues:                      c.queues,
+			}
+
+			// Create a background context that gets cancelled once the test run completes
+			ctx, cancel := context.WithCancel(context.Background())
+
+			item := QueueItem{Key: tt.resource, ResourceKey: NamespacedResourceKey{Namespace: tt.resourceNamespace, Name: tt.resourceName}}
+
+			q := c.queues[tt.resource]
+
+			// Manual API checks
+			var expectedRes error
+			if tt.earlyShutDown {
+				q.ShutDown()
+				cancel()
+				expectedRes = testC.processQueueItem(ctx, tt.resource)
+			} else {
+				if tt.resource < 4 || tt.resource == 9 {
+					q.Add(item)
+				} else if tt.resource == 99 {
+					q.Add(tt.resource)
+				}
+				expectedRes = testC.processQueueItem(context.TODO(), tt.resource)
+			}
+
+			if !tt.expectError && expectedRes != nil {
+				t.Error("Unexpected result", expectedRes)
+			} else if tt.expectError && expectedRes == nil {
+				t.Error("Unexpected result", "error is nil")
+			} else if tt.expectError && expectedRes != nil {
+				res := strings.Count(expectedRes.Error(), tt.errorString)
+				if res < 1 {
+					t.Error("Unexpected result", expectedRes, "; expected to contain", tt.errorString)
+				} else {
+					klog.Info("Error res", expectedRes, " expected result: ", tt.errorString)
+				}
+			} else {
+				if tt.expectRequeue {
+					if q.NumRequeues(item) < 1 {
+						t.Errorf("expected item to be requeued after reconciliation error")
+					}
+				}
+			}
+			cancel()
+		})
+	}
+}
diff --git a/internal/controller/informers.go b/internal/controller/informers.go
new file mode 100644
index 0000000..52ae8b9
--- /dev/null
+++ b/internal/controller/informers.go
@@ -0,0 +1,244 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"reflect"
+	"time"
+
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
+)
+
+const (
+	ResourceCAPTenant = iota
+	ResourceCAPApplicationVersion
+	ResourceCAPApplication
+	ResourceCAPTenantOperation
+	ResourceJob
+	ResourceSecret
+	ResourceGateway
+	ResourceCertificate
+	ResourceDNSEntry
+	ResourceOperatorDomains
+	ResourceVirtualService
+	ResourceDestinationRule
+)
+
+const (
+	OperatorDomains = "OperatorDomains"
+)
+
+const queuing = "queuing "
+
+var (
+	KindMap = map[int]string{
+		ResourceCAPTenant:             v1alpha1.CAPTenantKind,
+		ResourceCAPApplicationVersion: v1alpha1.CAPApplicationVersionKind,
+		ResourceCAPApplication:        v1alpha1.CAPApplicationKind,
+		ResourceCAPTenantOperation:    v1alpha1.CAPTenantOperationKind,
+		ResourceOperatorDomains:       OperatorDomains,
+	}
+)
+
+type NamespacedResourceKey struct {
+	Namespace string
+	Name      string
+}
+
+var QueueMapping map[int]map[int]string = map[int]map[int]string{
+	ResourceCAPTenantOperation:    {ResourceCAPTenantOperation: v1alpha1.CAPTenantOperationKind, ResourceCAPTenant: v1alpha1.CAPTenantKind},
+	ResourceJob:                   {ResourceCAPTenantOperation: v1alpha1.CAPTenantOperationKind, ResourceCAPApplicationVersion: v1alpha1.CAPApplicationVersionKind},
+	ResourceSecret:                {ResourceCAPApplication: v1alpha1.CAPApplicationKind, ResourceCAPApplicationVersion: v1alpha1.CAPApplicationVersionKind},
+	ResourceGateway:               {ResourceCAPApplication: v1alpha1.CAPApplicationKind},
+	ResourceCertificate:           {ResourceCAPApplication: v1alpha1.CAPApplicationKind},
+	ResourceDNSEntry:              {ResourceCAPApplication: v1alpha1.CAPApplicationKind, ResourceCAPTenant: v1alpha1.CAPTenantKind},
+	ResourceCAPTenant:             {ResourceCAPTenant: v1alpha1.CAPTenantKind, ResourceCAPApplication: v1alpha1.CAPApplicationKind},
+	ResourceVirtualService:        {ResourceCAPTenant: v1alpha1.CAPTenantKind},
+	ResourceDestinationRule:       {ResourceCAPTenant: v1alpha1.CAPTenantKind},
+	ResourceCAPApplicationVersion: {ResourceCAPApplicationVersion: v1alpha1.CAPApplicationVersionKind, ResourceCAPApplication: v1alpha1.CAPApplicationKind},
+	ResourceCAPApplication:        {ResourceCAPApplication: v1alpha1.CAPApplicationKind},
+	ResourceOperatorDomains:       {ResourceOperatorDomains: OperatorDomains},
+}
+
+type QueueItem struct {
+	Key         int
+	ResourceKey NamespacedResourceKey
+}
+
+func (c *Controller) initializeInformers() {
+	c.registerCAPTenantListeners()
+	c.registerCAPApplicationListeners()
+	c.registerCAPApplicationVersionListeners()
+	c.registerCAPTenantOperationListeners()
+	c.registerJobListeners()
+	c.registerSecretListeners()
+	c.registerGatewayListeners()
+	c.registerVirtualServiceListeners()
+	c.registerDestinationRuleListeners()
+	switch certificateManager() {
+	case certManagerGardener:
+		c.registerGardenerCertificateListeners()
+	case certManagerCertManagerIO:
+		c.registerCertManagerCertificateListeners()
+	}
+	switch dnsManager() {
+	case dnsManagerGardener:
+		c.registerGardenerDNSEntrytListeners()
+	case dnsManagerKubernetes:
+		// no activity needed on our side so far
+	}
+	klog.Info("informers initialized")
+}
+
+func (c *Controller) getEventHandlerFuncsForResource(res int) cache.ResourceEventHandlerFuncs {
+	return cache.ResourceEventHandlerFuncs{
+		AddFunc: func(new interface{}) {
+			c.enqueueModifiedResource(res, new, nil)
+		},
+		UpdateFunc: func(old, new interface{}) {
+			c.enqueueModifiedResource(res, new, old)
+		},
+		DeleteFunc: func(old interface{}) {
+			c.enqueueModifiedResource(res, old, nil)
+		},
+	}
+}
+
+func (c *Controller) registerCAPApplicationListeners() {
+	c.crdInformerFactory.Sme().V1alpha1().CAPApplications().Informer().
+		AddEventHandler(c.getEventHandlerFuncsForResource(ResourceCAPApplication))
+}
+
+func (c *Controller) registerCAPApplicationVersionListeners() {
+	c.crdInformerFactory.Sme().V1alpha1().CAPApplicationVersions().Informer().
+		AddEventHandler(c.getEventHandlerFuncsForResource(ResourceCAPApplicationVersion))
+}
+
+func (c *Controller) registerCAPTenantListeners() {
+	c.crdInformerFactory.Sme().V1alpha1().CAPTenants().Informer().
+		AddEventHandler(c.getEventHandlerFuncsForResource(ResourceCAPTenant))
+}
+
+func (c *Controller) registerCAPTenantOperationListeners() {
+	c.crdInformerFactory.Sme().V1alpha1().CAPTenantOperations().Informer().
+		AddEventHandler(c.getEventHandlerFuncsForResource(ResourceCAPTenantOperation))
+}
+
+func (c *Controller) registerJobListeners() {
+	c.kubeInformerFactory.Batch().V1().Jobs().Informer().
+		AddEventHandler(c.getEventHandlerFuncsForResource(ResourceJob))
+}
+
+func (c *Controller) registerVirtualServiceListeners() {
+	c.istioInformerFactory.Networking().V1beta1().VirtualServices().Informer().
+		AddEventHandler(c.getEventHandlerFuncsForResource(ResourceVirtualService))
+}
+
+func (c *Controller) registerDestinationRuleListeners() {
+	c.istioInformerFactory.Networking().V1beta1().DestinationRules().Informer().
+		AddEventHandler(c.getEventHandlerFuncsForResource(ResourceDestinationRule))
+}
+
+func (c *Controller) registerSecretListeners() {
+	c.kubeInformerFactory.Core().V1().Secrets().Informer().
+		AddEventHandler(c.getEventHandlerFuncsForResource(ResourceSecret))
+}
+
+func (c *Controller) registerGatewayListeners() {
+	c.istioInformerFactory.Networking().V1beta1().Gateways().Informer().
+		AddEventHandler(c.getEventHandlerFuncsForResource(ResourceGateway))
+}
+
+func (c *Controller) registerGardenerCertificateListeners() {
+	c.gardenerCertInformerFactory.Cert().V1alpha1().Certificates().Informer().
+		AddEventHandler(c.getEventHandlerFuncsForResource(ResourceCertificate))
+}
+
+func (c *Controller) registerCertManagerCertificateListeners() {
+	c.certManagerInformerFactory.Certmanager().V1().Certificates().Informer().
+		AddEventHandler(c.getEventHandlerFuncsForResource(ResourceCertificate))
+}
+
+func (c *Controller) registerGardenerDNSEntrytListeners() {
+	c.gardenerDNSInformerFactory.Dns().V1alpha1().DNSEntries().Informer().
+		AddEventHandler(c.getEventHandlerFuncsForResource(ResourceDNSEntry))
+}
+
+func (c *Controller) enqueueModifiedResource(sourceKey int, new, old interface{}) {
+	newObj, ok := getMetaObject(new)
+	if !ok {
+		return
+	}
+
+	oldObj, ok := getMetaObject(old)
+	if ok && oldObj.GetResourceVersion() == newObj.GetResourceVersion() {
+		return // no changes in update
+	}
+
+	mapping, ok := QueueMapping[sourceKey]
+	if !ok {
+		klog.Error("could not map modification event to a work queue for key: ", sourceKey)
+		return
+	}
+
+	for dependentKey, dependentKind := range mapping {
+		q := c.queues[dependentKey]
+
+		if dependentKey == sourceKey {
+			// when the change is directly on the CRO check for spec and annotation changes - omits status changes
+			if oldObj != nil && !hasReconciliationRelevantChanges(newObj, oldObj) {
+				continue // do not enqueue
+			}
+			klog.Info(queuing, newObj.GetNamespace(), ".", newObj.GetName(), " as ", dependentKind)
+			q.Add(QueueItem{Key: dependentKey, ResourceKey: NamespacedResourceKey{Name: newObj.GetName(), Namespace: newObj.GetNamespace()}})
+		} else if owner, ok := getOwnerByKind(newObj.GetOwnerReferences(), dependentKind); ok {
+			klog.Info(queuing, newObj.GetNamespace(), ".", owner.Name, " as ", dependentKind)
+			q.Add(QueueItem{Key: dependentKey, ResourceKey: NamespacedResourceKey{Name: owner.Name, Namespace: newObj.GetNamespace()}})
+		} else if owner, ok := getOwnerFromObjectMetadata(newObj, dependentKind); ok {
+			klog.Info(queuing, owner.Namespace, ".", owner.Name, " as ", dependentKind)
+			q.Add(QueueItem{Key: dependentKey, ResourceKey: NamespacedResourceKey{Name: owner.Name, Namespace: owner.Namespace}})
+		}
+	}
+
+	// Reconcile OperatorDomains just after all CAPApplication updates
+	if sourceKey == ResourceCAPApplication {
+		klog.Info(queuing, "all.domains", " as ", KindMap[ResourceOperatorDomains])
+		// Reconcile Secondary domains via a dummy resource (separate reconciliation) after 1s
+		c.queues[ResourceOperatorDomains].AddAfter(QueueItem{Key: ResourceOperatorDomains, ResourceKey: NamespacedResourceKey{Namespace: metav1.NamespaceAll, Name: ""}}, 1*time.Second)
+	}
+}
+
+func getMetaObject(obj interface{}) (metav1.Object, bool) {
+	if obj == nil {
+		return nil, false
+	}
+
+	ok := true
+	metaObj, err := meta.Accessor(obj)
+	if err != nil {
+		klog.Error("could not type cast event object to meta object: ", err.Error())
+		ok = false
+	}
+	return metaObj, ok
+}
+
+func hasReconciliationRelevantChanges(newObj metav1.Object, oldObj metav1.Object) bool {
+	if oldObj.GetGeneration() != newObj.GetGeneration() {
+		// generation change denotes a change in the object spec
+		return true
+	}
+
+	// annotation changes
+	if !reflect.DeepEqual(oldObj.GetAnnotations(), newObj.GetAnnotations()) {
+		return true
+	}
+
+	// changes in owner reference
+	return !reflect.DeepEqual(oldObj.GetOwnerReferences(), newObj.GetOwnerReferences())
+}
diff --git a/internal/controller/informers_test.go b/internal/controller/informers_test.go
new file mode 100644
index 0000000..86f24ce
--- /dev/null
+++ b/internal/controller/informers_test.go
@@ -0,0 +1,149 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"testing"
+	"time"
+
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/util/workqueue"
+)
+
+var expectedResult = false
+
+type dummyType struct {
+	workqueue.RateLimitingInterface
+}
+
+func (q *dummyType) Add(item interface{}) {
+	expectedResult = true
+}
+
+func (q *dummyType) AddAfter(item interface{}, duration time.Duration) {
+	expectedResult = true
+}
+
+func TestController_initializeInformers(t *testing.T) {
+	tests := []struct {
+		name            string
+		expectedResult  bool
+		invalidOwnerRef bool
+		res             int
+		itemName        string
+		itemNamespace   string
+	}{
+		{
+			name:           "Test enqueueModifiedResource (ResourceCAPApplication)",
+			res:            ResourceCAPApplication,
+			expectedResult: true,
+			itemName:       "test-ca",
+			itemNamespace:  corev1.NamespaceDefault,
+		},
+		{
+			name:           "Test enqueueModifiedResource (ResourceCAPApplicationVersion)",
+			res:            ResourceCAPApplicationVersion,
+			expectedResult: true,
+			itemName:       "test-cav",
+			itemNamespace:  corev1.NamespaceDefault,
+		},
+		{
+			name:           "Test enqueueModifiedResource (ResourceCertificate) valid owner",
+			res:            ResourceCertificate,
+			expectedResult: true,
+			itemName:       "test-cert",
+			itemNamespace:  corev1.NamespaceDefault,
+		},
+		{
+			name:            "Test enqueueModifiedResource (ResourceCertificate) invalid owner",
+			res:             ResourceCertificate,
+			expectedResult:  false,
+			invalidOwnerRef: true,
+			itemName:        "test-cert",
+			itemNamespace:   corev1.NamespaceDefault,
+		},
+		{
+			name:           "Test enqueueModifiedResource (unknown resource)",
+			res:            99,
+			expectedResult: false,
+			itemName:       "test-unknown-resource",
+			itemNamespace:  corev1.NamespaceDefault,
+		},
+		{
+			name:           "Test enqueueModifiedResource (invalid queue key)",
+			res:            999,
+			expectedResult: false,
+			itemName:       "test-unknown-key",
+			itemNamespace:  corev1.NamespaceDefault,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := getTestController(testResources{})
+			expectedResult = false
+
+			queues := map[int]workqueue.RateLimitingInterface{
+				ResourceCAPApplication:        &dummyType{},
+				ResourceCAPApplicationVersion: &dummyType{},
+				ResourceCAPTenant:             &dummyType{},
+				ResourceCAPTenantOperation:    &dummyType{},
+				ResourceOperatorDomains:       &dummyType{},
+			}
+
+			testC := &Controller{
+				kubeClient:                  c.kubeClient,
+				crdClient:                   c.crdClient,
+				istioClient:                 c.istioClient,
+				gardenerCertificateClient:   c.gardenerCertificateClient,
+				gardenerDNSClient:           c.gardenerDNSClient,
+				kubeInformerFactory:         c.kubeInformerFactory,
+				crdInformerFactory:          c.crdInformerFactory,
+				istioInformerFactory:        c.istioInformerFactory,
+				gardenerCertInformerFactory: c.gardenerCertInformerFactory,
+				gardenerDNSInformerFactory:  c.gardenerDNSInformerFactory,
+				queues:                      queues,
+			}
+
+			testC.initializeInformers()
+			var res interface{}
+			switch tt.res {
+			case ResourceCAPApplication:
+				res = createCaCRO(tt.itemName, false)
+			case ResourceCAPApplicationVersion:
+				ca := createCaCRO(tt.itemName, false)
+				cav := createCavCRO(tt.itemName, v1alpha1.CAPApplicationVersionStateReady, defaultVersion)
+				cav.ObjectMeta.OwnerReferences = []metav1.OwnerReference{*metav1.NewControllerRef(ca, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPApplicationKind))}
+				res = cav
+			case ResourceCertificate:
+				// set label on a pod to simulate certificate in a different namespace
+				cert := &corev1.Pod{ObjectMeta: metav1.ObjectMeta{Name: tt.itemName, Annotations: map[string]string{
+					AnnotationOwnerIdentifier: KindMap[ResourceCAPApplication] + "." + tt.itemNamespace + "." + tt.itemName,
+				}, Labels: map[string]string{
+					LabelOwnerIdentifierHash: sha1Sum(KindMap[ResourceCAPApplication], tt.itemNamespace, tt.itemName),
+				}}}
+				// Invalid label
+				if tt.invalidOwnerRef {
+					cert.Annotations[AnnotationOwnerIdentifier] = tt.itemNamespace + "." + tt.itemName
+					cert.Labels[LabelOwnerIdentifierHash] = sha1Sum(tt.itemNamespace, tt.itemName)
+				}
+				res = cert
+			case 999:
+				res = &corev1.Pod{ObjectMeta: metav1.ObjectMeta{Name: tt.itemName}}
+			}
+			// Add/delete
+			testC.enqueueModifiedResource(tt.res, res, nil)
+			if expectedResult != tt.expectedResult {
+				t.Error("Unexpected result", expectedResult)
+			}
+			// Update
+			testC.enqueueModifiedResource(tt.res, res, res)
+			if expectedResult != tt.expectedResult {
+				t.Error("Unexpected result", expectedResult)
+			}
+		})
+	}
+}
diff --git a/internal/controller/reconcile-capapplication.go b/internal/controller/reconcile-capapplication.go
new file mode 100644
index 0000000..1d809c7
--- /dev/null
+++ b/internal/controller/reconcile-capapplication.go
@@ -0,0 +1,408 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/klog/v2"
+)
+
+const (
+	CAPApplicationEventMissingSecrets               = "MissingSecrets"
+	CAPApplicationEventPrimaryGatewayModified       = "PrimaryGatewayModified"
+	CAPApplicationEventMissingIngressGatewayInfo    = "MissingIngressGatewayInfo"
+	CAPApplicationEventProviderTenantCreated        = "ProviderTenantCreated"
+	CAPApplicationEventNewCAVTriggeredTenantUpgrade = "NewCAVTriggeredTenantUpgrade"
+)
+
+const (
+	EventActionProcessingSecrets         = "ProcessingSecrets"
+	EventActionProcessingDomainResources = "ProcessingDomainResources"
+	EventActionProviderTenantProcessing  = "ProviderTenantProcessing"
+	EventActionCheckForVersion           = "CheckForVersion"
+)
+
+func (c *Controller) reconcileCAPApplication(ctx context.Context, item QueueItem, attempts int) (result *ReconcileResult, err error) {
+	lister := c.crdInformerFactory.Sme().V1alpha1().CAPApplications().Lister()
+	cached, err := lister.CAPApplications(item.ResourceKey.Namespace).Get(item.ResourceKey.Name)
+	if err != nil {
+		return nil, handleOperatorResourceErrors(err)
+	}
+	ca := cached.DeepCopy()
+
+	// prepare annotations, labels, finalizers
+	if c.prepareCAPApplication(ctx, ca) {
+		if err = c.updateCAPApplication(ctx, ca); err == nil {
+			result = NewReconcileResultWithResource(ResourceCAPApplication, ca.Name, ca.Namespace, 0)
+		}
+		return
+	}
+
+	defer func() {
+		if statusErr := c.updateCAPApplicationStatus(ctx, ca); statusErr != nil && err == nil {
+			err = statusErr
+		}
+	}()
+
+	// check for deletion
+	if ca.DeletionTimestamp != nil {
+		return c.handleCAPApplicationDeletion(ctx, ca)
+	}
+
+	if genChanged := (ca.Status.State == "Consistent" && ca.Status.ObservedGeneration != ca.Generation); ca.Status.State == "" || genChanged {
+		reason := "ApplicationProcessing"
+		message := ""
+		if genChanged {
+			reason = "ResourceDefinitionChanged"
+			message = "re-processing after spec update"
+		}
+		ca.SetStatusWithReadyCondition(v1alpha1.CAPApplicationStateProcessing, metav1.ConditionFalse, reason, message)
+		result = NewReconcileResultWithResource(ResourceCAPApplication, ca.Name, ca.Namespace, 0)
+	} else {
+		result, err = c.handleCAPApplicationDependentResources(ctx, ca, attempts)
+	}
+
+	return c.checkAdditonalConditions(ctx, ca, result, err)
+}
+
+func (c *Controller) handleCAPApplicationDependentResources(ctx context.Context, ca *v1alpha1.CAPApplication, attempts int) (requeue *ReconcileResult, err error) {
+	var processing bool
+	defer func() {
+		if processing {
+			if requeue == nil {
+				requeue = NewReconcileResult()
+			}
+			// requeue after 30s to check for consistency
+			requeue.AddResource(ResourceCAPApplication, ca.Name, ca.Namespace, 30*time.Second)
+		}
+	}()
+
+	// step 1 - validate BTPServices
+	if processing, err = c.validateSecrets(ctx, ca, attempts); err != nil || processing {
+		return
+	}
+
+	// step 2 - check for valid versions
+	cav, err := c.getLatestReadyCAPApplicationVersion(ctx, ca, true)
+	if err != nil {
+		// do not update the CAPApplication status - this is not an error reported by the version, but error while fetching the version
+		return
+	}
+	if cav == nil {
+		processing = true
+		ca.SetStatusWithReadyCondition(v1alpha1.CAPApplicationStateProcessing, metav1.ConditionFalse, "WaitingForReadyCAPApplicationVersion", "")
+		// Update additional condition `LatestVersionReady` to False
+		ca.SetStatusCondition(string(v1alpha1.ConditionTypeLatestVersionReady), metav1.ConditionFalse, "WaitingForReadyCAPApplicationVersion", "")
+		return
+	}
+	// We can already update LatestVersionReady to "true" at this point in time, but as this method is called several times, we do not do it here (during initial Provisioning as CA itself is may not be Consistent)
+
+	// step 3 - queue domain handling
+	if requeue, err = c.handleDomains(ctx, ca); requeue != nil || err != nil {
+		return
+	}
+
+	// step 4 - validate provider tenant, create if not available
+	if processing, err = c.reconcileCAPApplicationProviderTenant(ctx, ca, cav); err != nil || processing {
+		return
+	}
+
+	// step 5 - check state of dependant resources
+	if processing, err = c.checkPrimaryDomainResources(ctx, ca); err != nil || processing {
+		return
+	}
+
+	// step 6 - check and set consistent status
+	return c.verifyApplicationConsistent(ctx, ca)
+}
+
+func (c *Controller) verifyApplicationConsistent(ctx context.Context, ca *v1alpha1.CAPApplication) (requeue *ReconcileResult, err error) {
+	if ca.Status.State != v1alpha1.CAPApplicationStateConsistent {
+		ca.SetStatusWithReadyCondition(v1alpha1.CAPApplicationStateConsistent, metav1.ConditionTrue, "VersionExists", "")
+		// Update additional condition `LatestVersionReady` to True
+		ca.SetStatusCondition(string(v1alpha1.ConditionTypeLatestVersionReady), metav1.ConditionTrue, "VersionExists", "")
+		// Update additional condition `AllTenantsReady` to True
+		ca.SetStatusCondition(string(v1alpha1.ConditionTypeAllTenantsReady), metav1.ConditionTrue, "ProviderTenantReady", "")
+	}
+
+	// Check for newer CAPApplicationVersion
+	return nil, c.checkNewCAPApplicationVersion(ctx, ca)
+}
+
+func (c *Controller) checkNewCAPApplicationVersion(ctx context.Context, ca *v1alpha1.CAPApplication) error {
+	cav, err := c.getLatestReadyCAPApplicationVersion(ctx, ca, false)
+	if err != nil {
+		return err
+	}
+
+	// Get all relevant tenants
+	tenants, err := c.getRelevantTenantsForCA(ca)
+	if err != nil || len(tenants) == 0 {
+		return err
+	}
+	updated := false
+	for _, tenant := range tenants {
+		if tenant.Spec.VersionUpgradeStrategy == v1alpha1.VersionUpgradeStrategyTypeNever {
+			// Skip non relevant tenants
+			continue
+		}
+		// Assume we may have to update the tenant and prepare a copy
+		cat := tenant.DeepCopy()
+
+		// Check version of tenant
+		if cat.Spec.Version != cav.Spec.Version {
+			// update CAPTenant Spec to point to the latest version
+			cat.Spec.Version = cav.Spec.Version
+			// Trigger update on CAPTenant (modifies Generation) --> which would reconcile the tenant
+			if _, err = c.crdClient.SmeV1alpha1().CAPTenants(ca.Namespace).Update(ctx, cat, metav1.UpdateOptions{}); err != nil {
+				return fmt.Errorf("could not update %s %s.%s: %w", v1alpha1.CAPTenantKind, cat.Namespace, cat.Name, err)
+			}
+			c.Event(tenant, ca, corev1.EventTypeNormal, CAPTenantEventAutoVersionUpdate, EventActionUpgrade, fmt.Sprintf("version updated to %s for initiating tenant upgrade", cav.Spec.Version))
+			updated = true
+		}
+	}
+	if updated {
+		msg := fmt.Sprintf("new version %s.%s was used to trigger tenant upgrades", cav.Namespace, cav.Name)
+		ca.SetStatusWithReadyCondition(v1alpha1.CAPApplicationStateProcessing, metav1.ConditionFalse, CAPApplicationEventNewCAVTriggeredTenantUpgrade, msg)
+		ca.SetStatusCondition(string(v1alpha1.ConditionTypeLatestVersionReady), metav1.ConditionTrue, string(v1alpha1.ConditionTypeLatestVersionReady), "")
+		ca.SetStatusCondition(string(v1alpha1.ConditionTypeAllTenantsReady), metav1.ConditionFalse, "UpgradingTenants", "")
+		c.Event(ca, nil, corev1.EventTypeNormal, CAPApplicationEventNewCAVTriggeredTenantUpgrade, EventActionCheckForVersion, msg)
+	}
+	return nil
+}
+
+func (c *Controller) checkAdditonalConditions(ctx context.Context, ca *v1alpha1.CAPApplication, result *ReconcileResult, err error) (*ReconcileResult, error) {
+	// In case of explicit Reconcile or errors return back with the original result
+	if result != nil || err != nil {
+		return result, err
+	}
+
+	// Check and update additional status conditions
+	// Set ready Condition and Reason for Version check LatestVersionNotReady = True
+	readyCondition := metav1.ConditionTrue
+	readyReason := string(v1alpha1.ConditionTypeLatestVersionReady)
+
+	// Get latest CAV (incl. ones that may not be ready)
+	cav, err := c.getLatestCAPApplicationVersion(ctx, ca)
+	if err != nil {
+		return nil, err
+	}
+	// When the latest CAV is not Ready --> LatestVersionNotReady = False
+	if cav.Status.State != v1alpha1.CAPApplicationVersionStateReady {
+		readyCondition = metav1.ConditionFalse
+		readyReason = "LatestVersionNotReady"
+	}
+
+	// Update `LatestVersionReady` status condition
+	ca.SetStatusCondition(string(v1alpha1.ConditionTypeLatestVersionReady), readyCondition, readyReason, "")
+
+	// Reset ready Condition and Reason for Tenant check AllTenantsReady --> True
+	readyCondition = metav1.ConditionTrue
+	readyReason = string(v1alpha1.ConditionTypeAllTenantsReady)
+
+	// Get all relevant tenants
+	tenants, err := c.getRelevantTenantsForCA(ca)
+	if err != nil {
+		return nil, err
+	}
+	for _, tenant := range tenants {
+		// When a Tenant state is not Ready -or- when version of tenant (with VersionUpgradeStrategy = always) does not match the latest CAV version --> AllTenantsReady = False
+		if tenant.Status.State != v1alpha1.CAPTenantStateReady || (tenant.Spec.VersionUpgradeStrategy == v1alpha1.VersionUpgradeStrategyTypeAlways && cav.Spec.Version != tenant.Spec.Version) {
+			readyCondition = metav1.ConditionFalse
+			readyReason = "NotAllTenantsReady"
+			break
+		}
+	}
+	// Update `AllTenantsReady` status condition
+	ca.SetStatusCondition(string(v1alpha1.ConditionTypeAllTenantsReady), readyCondition, readyReason, "")
+
+	return nil, nil
+}
+
+func (c *Controller) updateCAPApplication(ctx context.Context, ca *v1alpha1.CAPApplication) error {
+	caUpdated, err := c.crdClient.SmeV1alpha1().CAPApplications(ca.Namespace).Update(ctx, ca, metav1.UpdateOptions{})
+	// Update reference to the resource
+	if caUpdated != nil {
+		*ca = *caUpdated
+	}
+	return err
+}
+
+func (c *Controller) updateCAPApplicationStatus(ctx context.Context, ca *v1alpha1.CAPApplication) error {
+	if isDeletionImminent(&ca.ObjectMeta) {
+		return nil
+	}
+	caUpdated, err := c.crdClient.SmeV1alpha1().CAPApplications(ca.Namespace).UpdateStatus(ctx, ca, metav1.UpdateOptions{})
+	// update reference to the resource
+	if caUpdated != nil {
+		*ca = *caUpdated
+	}
+	return err
+}
+
+// TODO: remove this entirely from CA soon
+func (c *Controller) validateSecrets(ctx context.Context, ca *v1alpha1.CAPApplication, attempts int) (bool, error) {
+	err := c.checkSecretsExist(ca.Spec.BTP.Services, ca.Namespace)
+
+	if err == nil {
+		return false, nil
+	} else if !k8sErrors.IsNotFound(err) {
+		// TODO -> clarify whether we need to set this in the status, as this is an error probably caused via api-server unavailability / connection issues
+		ca.SetStatusWithReadyCondition(v1alpha1.CAPApplicationStateError, metav1.ConditionFalse, "ProcessingSecretsError", err.Error())
+		return false, err
+	}
+
+	// waiting for secrets
+	message := fmt.Sprintf("waiting for secrets to get ready for %s %s.%s", v1alpha1.CAPApplicationKind, ca.Name, ca.Namespace)
+	klog.V(2).Info(message)
+	c.Event(ca, nil, corev1.EventTypeWarning, CAPApplicationEventMissingSecrets, EventActionProcessingSecrets, message)
+	ca.SetStatusWithReadyCondition(ca.Status.State, metav1.ConditionFalse, EventActionProcessingSecrets, message)
+	return true, nil
+}
+
+func (c *Controller) getRelevantTenantsForCA(ca *v1alpha1.CAPApplication) ([]*v1alpha1.CAPTenant, error) {
+	tenantLabels := map[string]string{
+		LabelBTPApplicationIdentifierHash: sha1Sum(ca.Spec.GlobalAccountId, ca.Spec.BTPAppName),
+	}
+	selector, err := labels.ValidatedSelectorFromSet(tenantLabels)
+	if err != nil {
+		return nil, err
+	}
+
+	return c.crdInformerFactory.Sme().V1alpha1().CAPTenants().Lister().List(selector)
+}
+
+func (c *Controller) reconcileCAPApplicationProviderTenant(ctx context.Context, ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion) (bool, error) {
+	providerTenantName := strings.Join([]string{ca.Name, ProviderTenantType}, "-")
+	tenant, err := c.crdInformerFactory.Sme().V1alpha1().CAPTenants().Lister().CAPTenants(ca.Namespace).Get(providerTenantName)
+	if err != nil {
+		if !k8sErrors.IsNotFound(err) {
+			ca.SetStatusWithReadyCondition(v1alpha1.CAPApplicationStateError, metav1.ConditionFalse, "ProviderTenantError", err.Error())
+			return false, err
+		}
+
+		// Create provider tenant
+		if tenant, err = c.crdClient.SmeV1alpha1().CAPTenants(ca.Namespace).Create(
+			ctx, &v1alpha1.CAPTenant{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      providerTenantName,
+					Namespace: ca.Namespace,
+					Annotations: map[string]string{
+						AnnotationBTPApplicationIdentifier: ca.Spec.GlobalAccountId + "." + ca.Spec.BTPAppName,
+					},
+					Labels: map[string]string{
+						LabelBTPApplicationIdentifierHash: sha1Sum(ca.Spec.GlobalAccountId, ca.Spec.BTPAppName),
+						LabelTenantType:                   ProviderTenantType,
+						LabelTenantId:                     ca.Spec.Provider.TenantId,
+					},
+				},
+				Spec: v1alpha1.CAPTenantSpec{
+					CAPApplicationInstance: ca.Name,
+					BTPTenantIdentification: v1alpha1.BTPTenantIdentification{
+						SubDomain: ca.Spec.Provider.SubDomain,
+						TenantId:  ca.Spec.Provider.TenantId,
+					},
+					Version: cav.Spec.Version,
+				},
+			}, metav1.CreateOptions{}); err != nil {
+			ca.SetStatusWithReadyCondition(v1alpha1.CAPApplicationStateError, metav1.ConditionFalse, "ProviderTenantError", err.Error())
+			return false, err
+		}
+		c.Event(ca, tenant, corev1.EventTypeNormal, CAPApplicationEventProviderTenantCreated, EventActionProviderTenantProcessing, fmt.Sprintf("created provider tenant %s.%s", tenant.Namespace, tenant.Name))
+	}
+	if !isCROConditionReady(tenant.Status.GenericStatus) {
+		// Upgrade errors also handled
+		if tenant.Status.State == v1alpha1.CAPTenantStateProvisioningError || tenant.Status.State == v1alpha1.CAPTenantStateUpgradeError {
+			err = fmt.Errorf("provider %s in state %s for %s %s.%s", v1alpha1.CAPTenantKind, tenant.Status.State, v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name)
+			ca.SetStatusWithReadyCondition(v1alpha1.CAPApplicationStateError, metav1.ConditionFalse, "ProviderTenantError", err.Error())
+			return false, err
+		}
+
+		msg := fmt.Sprintf("provider %v not ready for %v %v.%v; waiting for it to be ready", v1alpha1.CAPTenantKind, v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name)
+		klog.Info(msg)
+		ca.SetStatusWithReadyCondition(v1alpha1.CAPApplicationStateProcessing, metav1.ConditionFalse, EventActionProviderTenantProcessing, msg)
+		return true, nil
+	}
+
+	return false, nil
+}
+
+func (c *Controller) handleCAPApplicationDeletion(ctx context.Context, ca *v1alpha1.CAPApplication) (*ReconcileResult, error) {
+	var err error
+	if ca.Status.State != v1alpha1.CAPApplicationStateDeleting {
+		ca.SetStatusWithReadyCondition(v1alpha1.CAPApplicationStateDeleting, metav1.ConditionFalse, "DeleteTriggered", "")
+		return NewReconcileResultWithResource(ResourceCAPApplication, ca.Name, ca.Namespace, 0), nil
+	}
+
+	// TODO: cleanup domain resources via reconciliation
+	if err = c.deletePrimaryDomainCertificate(ctx, ca); err != nil && !k8sErrors.IsNotFound(err) {
+		return nil, err
+	}
+
+	// delete CAPTenants - return if found in this loop, to verify deletion
+	var tenantFound bool
+	if tenantFound, err = c.deleteTenants(ctx, ca); tenantFound || err != nil {
+		return nil, err
+	}
+
+	// delete CAPApplication
+	if removeFinalizer(&ca.Finalizers, FinalizerCAPApplication) {
+		return nil, c.updateCAPApplication(ctx, ca)
+	}
+
+	return nil, nil
+}
+
+func (c *Controller) deleteTenants(ctx context.Context, ca *v1alpha1.CAPApplication) (bool, error) {
+	tenants, err := c.getRelevantTenantsForCA(ca)
+	if err != nil {
+		return false, err
+	}
+
+	// delete tenants - if not triggered yet
+	for _, tenant := range tenants {
+		if tenant.DeletionTimestamp == nil {
+			if err = c.crdClient.SmeV1alpha1().CAPTenants(ca.Namespace).Delete(ctx, tenant.Name, metav1.DeleteOptions{}); err != nil {
+				return true, err
+			}
+		}
+	}
+
+	return len(tenants) > 0, nil
+}
+
+func (c *Controller) prepareCAPApplication(ctx context.Context, ca *v1alpha1.CAPApplication) (update bool) {
+	// Do nothing when object is deleted
+	if ca.DeletionTimestamp != nil {
+		return false
+	}
+	// add Finalizer to prevent direct deletion
+	if ca.Finalizers == nil {
+		ca.Finalizers = []string{}
+	}
+	if addFinalizer(&ca.Finalizers, FinalizerCAPApplication) {
+		update = true
+	}
+
+	// add Label/Annotation for BTP App
+	appMetadata := appMetadataIdentifiers{
+		globalAccountId: ca.Spec.GlobalAccountId,
+		appName:         ca.Spec.BTPAppName,
+	}
+	if updateLabelAnnotationMetadata(&ca.ObjectMeta, &appMetadata) {
+		update = true
+	}
+
+	return update
+}
diff --git a/internal/controller/reconcile-capapplication_test.go b/internal/controller/reconcile-capapplication_test.go
new file mode 100644
index 0000000..890a73b
--- /dev/null
+++ b/internal/controller/reconcile-capapplication_test.go
@@ -0,0 +1,1128 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"os"
+	"testing"
+)
+
+func TestCAPApplicationWithoutPreExistingLabelAndNilInitialState(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "Initial test without pre-existing label and nil initial state",
+			initialResources: []string{
+				"testdata/capapplication/ca-01.initial.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-01.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+		},
+	)
+}
+
+func TestCAPApplicationWithLabelsAndFinalizersEmptyState(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "application labels and finalizers set, empty state - expect processing state",
+			initialResources: []string{
+				"testdata/capapplication/ca-42.initial.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-42.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+		},
+	)
+}
+
+func TestCAPApplicationWithPreExistingLabelAndProcessingInitialState(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "Initial test with pre-existing label, processing initial state and invalid secret",
+			initialResources: []string{
+				"testdata/capapplication/ca-02.initial.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-02.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+		},
+	)
+}
+
+func TestCAPApplicationWithValidSecret(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "Test with pre-existing label, processing state and valid secret",
+			initialResources: []string{
+				"testdata/capapplication/ca-03.initial.yaml",
+				"testdata/common/credential-secrets.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-03.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2881",
+			},
+		},
+	)
+}
+
+func TestValidationOfBtpServicesWithoutSecrets(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "Invalid BTPServices with high attempts",
+			initialResources: []string{
+				"testdata/capapplication/ca-02.initial.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-02.expected.yaml",
+			attempts:          9999,
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+		},
+	)
+}
+
+func TestValidationOfBtpServicesWithSecrets(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "Valid BTPServices with high attempts",
+			initialResources: []string{
+				"testdata/capapplication/ca-03.initial.yaml",
+				"testdata/common/credential-secrets.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-03.expected.yaml",
+			attempts:          9999,
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2881",
+			},
+		},
+	)
+}
+
+func TestCavCatGateway_Case1(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - provisioning, gateway - available, certificate - ready, dnsEntry - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-04.initial.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-04.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+		},
+	)
+}
+
+func TestCavCatGateway_Case2(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - error, CAPTenant - provisioning, gateway - available, certificate - ready, dnsEntry - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-05.initial.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+				"testdata/capapplication/cav-error.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-05.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2881",
+			},
+		},
+	)
+}
+
+func TestCavCatGateway_Case3(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - ready, gateway - available, certificate - ready, dnsEntry - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-06.initial.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-06.expected.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2881",
+			},
+		},
+	)
+}
+
+func TestCavCatGateway_Case4(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - ready, gateway - available, certificate - NA, dnsEntry - NA",
+			initialResources: []string{
+				"testdata/capapplication/ca-07.initial.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/common/istio-ingress.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-07.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceOperatorDomains: {{Namespace: "", Name: ""}},
+				ResourceCAPApplication:  {{Namespace: "default", Name: "test-cap-01"}},
+				ResourceCAPTenant:       {{Namespace: "default", Name: "test-cap-01-provider"}},
+			},
+		},
+	)
+}
+
+func TestCavCatGateway_Case5(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - ready, gateway - available, certificate - ready, dnsEntry - NA",
+			initialResources: []string{
+				"testdata/capapplication/ca-08.initial.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/common/istio-ingress.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-08.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceOperatorDomains: {{Namespace: "", Name: ""}},
+				ResourceCAPApplication:  {{Namespace: "default", Name: "test-cap-01"}},
+				ResourceCAPTenant:       {{Namespace: "default", Name: "test-cap-01-provider"}},
+			},
+		},
+	)
+}
+
+func TestCavCatGateway_Case6(t *testing.T) {
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - error, gateway - available, certificate - ready, dnsEntry - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-09.initial.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/capapplication/cat-provider-error.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-09.expected.yaml",
+			expectError:       true,
+		},
+	)
+
+	if err.Error() != "provider CAPTenant in state ProvisioningError for CAPApplication default.test-cap-01" {
+		t.Error("Wrong error message")
+	}
+}
+
+func TestCavCatGateway_Case7(t *testing.T) {
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - ready, gateway - available, certificate - error, dnsEntry - NA",
+			initialResources: []string{
+				"testdata/capapplication/ca-10.initial.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert-error.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-10.expected.yaml",
+			expectError:       true,
+		},
+	)
+
+	if err.Error() != "Certificate in state Error for CAPApplication default.test-cap-01: cert message" {
+		t.Error("Wrong error message")
+	}
+}
+
+func TestCavCatGateway_Case8(t *testing.T) {
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - ready, gateway - available, certificate - ready, dnsEntry - error",
+			initialResources: []string{
+				"testdata/capapplication/ca-11.initial.yaml",
+				"testdata/capapplication/ca-dns-error.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-11.expected.yaml",
+			expectError:       true,
+		},
+	)
+
+	if err.Error() != "DNSEntry in state Error for CAPApplication default.test-cap-01: dns message" {
+		t.Error("Wrong error message")
+	}
+}
+
+func TestCavCatGateway_Case9(t *testing.T) {
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - upgrade error, gateway - available, certificate - ready, dnsEntry - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-12.initial.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/capapplication/cat-provider-upgrade-error.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-12.expected.yaml",
+			expectError:       true,
+		},
+	)
+
+	if err.Error() != "provider CAPTenant in state UpgradeError for CAPApplication default.test-cap-01" {
+		t.Error("Wrong error message")
+	}
+}
+
+func TestDeletion_Case1(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "Without deletionTimestamp and without finalizer set",
+			initialResources: []string{
+				"testdata/capapplication/ca-13.initial.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-13.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+		},
+	)
+}
+
+func TestDeletion_Case2(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "With deletionTimestamp and without finalizer set",
+			initialResources: []string{
+				"testdata/capapplication/ca-14.initial.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-14.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+		},
+	)
+}
+
+func TestDeletion_Case3(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "With deletionTimestamp and with finalizer set",
+			initialResources: []string{
+				"testdata/capapplication/ca-15.initial.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/capapplication/istio-ingress-with-cert-no-finalizers.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-15.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+		},
+	)
+}
+
+func TestDeletion_Case4(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "With deletion triggered, no finalizer on certificate & provider tenant doesn't exist",
+			initialResources: []string{
+				"testdata/capapplication/ca-16.initial.yaml",
+				"testdata/capapplication/istio-ingress-with-cert-no-finalizers.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-16.expected.yaml",
+		},
+	)
+}
+
+func TestDeletion_Case5(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "With deletion triggered, no finalizer on certificate & provider tenant exists",
+			initialResources: []string{
+				"testdata/capapplication/ca-17.initial.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/capapplication/istio-ingress-with-cert-no-finalizers.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-17.expected.yaml",
+		},
+	)
+}
+
+func TestDeletion_Case6(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "With deletion triggered, no certificate & provider tenant exists",
+			initialResources: []string{
+				"testdata/capapplication/ca-18.initial.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/common/istio-ingress.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-18.expected.yaml",
+		},
+	)
+}
+
+func TestDeletion_Case7(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "With deletion triggered, finalizer on certificate & provider tenant doesn't exist",
+			initialResources: []string{
+				"testdata/capapplication/ca-19.initial.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-19.expected.yaml",
+		},
+	)
+}
+
+func TestDeletion_Case8(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "With deletion triggered, finalizer on certificate & provider tenant exists",
+			initialResources: []string{
+				"testdata/capapplication/ca-20.initial.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-20.expected.yaml",
+		},
+	)
+}
+
+func TestCertManagerCavCatGateway_Case1(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - provisioning, gateway - available, certificate - ready, dnsEntry - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-21.initial.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-21.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+}
+
+func TestCertManagerCavCatGateway_Case2(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - error, CAPTenant - provisioning, gateway - available, certificate - ready, dnsEntry - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-22.initial.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+				"testdata/capapplication/cav-error.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-22.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2881",
+			},
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+}
+
+func TestCertManagerCavCatGateway_Case3(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - ready, gateway - available, certificate - ready, dnsEntry - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-23.initial.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-23.expected.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2881",
+			},
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+}
+
+func TestCertManagerCavCatGateway_Case4(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - ready, gateway - available, certificate - NA, dnsEntry - NA",
+			initialResources: []string{
+				"testdata/capapplication/ca-24.initial.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/common/istio-ingress.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-24.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceOperatorDomains: {{Namespace: "", Name: ""}},
+				ResourceCAPApplication:  {{Namespace: "default", Name: "test-cap-01"}},
+				ResourceCAPTenant:       {{Namespace: "default", Name: "test-cap-01-provider"}},
+			},
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+}
+
+func TestCertManagerCavCatGateway_Case5(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - ready, gateway - available, certificate - ready, dnsEntry - NA",
+			initialResources: []string{
+				"testdata/capapplication/ca-25.initial.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-25.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceOperatorDomains: {{Namespace: "", Name: ""}},
+				ResourceCAPApplication:  {{Namespace: "default", Name: "test-cap-01"}},
+				ResourceCAPTenant:       {{Namespace: "default", Name: "test-cap-01-provider"}},
+			},
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+}
+
+func TestCertManagerCavCatGateway_Case6(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - error, gateway - available, certificate - ready, dnsEntry - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-26.initial.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-error.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-26.expected.yaml",
+			expectError:       true,
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+
+	if err.Error() != "provider CAPTenant in state ProvisioningError for CAPApplication default.test-cap-01" {
+		t.Error("Wrong error message")
+	}
+}
+
+func TestCertManagerCavCatGateway_Case7(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - ready, gateway - available, certificate - error, dnsEntry - NA",
+			initialResources: []string{
+				"testdata/capapplication/ca-27.initial.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager-error.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-27.expected.yaml",
+			expectError:       true,
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+
+	if err.Error() != "Certificate in state not ready for CAPApplication default.test-cap-01: cert message" {
+		t.Error("Wrong error message")
+	}
+}
+
+func TestCertManagerCavCatGateway_Case8(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - ready, gateway - available, certificate - ready, dnsEntry - error",
+			initialResources: []string{
+				"testdata/capapplication/ca-28.initial.yaml",
+				"testdata/capapplication/ca-dns-error.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-28.expected.yaml",
+			expectError:       true,
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+
+	if err.Error() != "DNSEntry in state Error for CAPApplication default.test-cap-01: dns message" {
+		t.Error("Wrong error message")
+	}
+}
+
+func TestCertManagerDeletion_Case1(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When deletionTimestamp - false, finalizer set - false, certificate - ready, certificate finalizer - true, Provider & Consumer tenant with no finalizers - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-34.initial.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-34.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-3351",
+			},
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+
+}
+
+func TestCertManagerDeletion_Case2(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When deletionTimestamp - true, finalizer set - false, certificate - ready, certificate finalizer - true, Provider & Consumer tenant with no finalizers - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-35.initial.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-35.expected.yaml",
+			expectedRequeue:   nil, //When no finalizer is set --> do not expect requeue
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+
+}
+
+func TestCertManagerDeletion_Case3(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When deletionTimestamp - true, finalizer set - true, certificate - ready, certificate finalizer - false, Provider & Consumer tenant with no finalizers - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-36.initial.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager-no-finalizers.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-36.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+
+}
+
+func TestCertManagerDeletion_Case4(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When deletionTimestamp - true, finalizer set - true, certificate - ready, certificate finalizer - false, Provider & Consumer tenant with no finalizers - NA",
+			initialResources: []string{
+				"testdata/capapplication/ca-37.initial.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager-no-finalizers.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-37.expected.yaml",
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+
+}
+
+func TestCertManagerDeletion_Case5(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When deletionTimestamp - true, finalizer set - true, certificate - ready, certificate finalizer - false, Provider & Consumer tenant with no finalizers - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-38.initial.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager-no-finalizers.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-38.expected.yaml",
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+
+}
+
+func TestCertManagerDeletion_Case6(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When deletionTimestamp - true, finalizer set - true, certificate - NA, certificate finalizer - false, Provider & Consumer tenant with no finalizers - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-39.initial.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/common/istio-ingress.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-39.expected.yaml",
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+
+}
+
+func TestCertManagerDeletion_Case7(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When deletionTimestamp - true, finalizer set - true, certificate - ready, certificate finalizer - true, Provider & Consumer tenant with no finalizers - NA",
+			initialResources: []string{
+				"testdata/capapplication/ca-40.initial.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-40.expected.yaml",
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+
+}
+
+func TestCertManagerDeletion_Case8(t *testing.T) {
+
+	os.Setenv(certManagerEnv, certManagerCertManagerIO)
+
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When deletionTimestamp - true, finalizer set - true, certificate - ready, certificate finalizer - true, Provider & Consumer tenant with no finalizers - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-41.initial.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/capapplication/istio-ingress-with-certManager.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-41.expected.yaml",
+		},
+	)
+
+	os.Setenv(certManagerEnv, "")
+
+}
+
+func TestController_handleCAPApplicationConsistent_Case1(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "Consistent state",
+			initialResources: []string{
+				"testdata/capapplication/ca-29.initial.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-29.expected.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2881",
+			},
+		},
+	)
+}
+
+func TestController_handleCAPApplicationConsistent_Case2(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "Consistent state with Generation mismatch",
+			initialResources: []string{
+				"testdata/capapplication/ca-30.initial.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-30.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+		},
+	)
+}
+
+func TestController_handleCAPApplicationConsistent_Case3(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "Consistent state with a CAV name update; one tenant with fixed version and never upgrade",
+			initialResources: []string{
+				"testdata/capapplication/ca-31.initial.yaml",
+				"testdata/capapplication/cav-name-modified-ready.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-upg-never-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-31.expected.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2881",
+			},
+		},
+	)
+}
+
+func TestController_handleCAPApplicationConsistent_Case4(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "Consistent state with a CAV name update",
+			initialResources: []string{
+				"testdata/capapplication/ca-32.initial.yaml",
+				"testdata/capapplication/cav-name-modified-ready.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-32.expected.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2881",
+			},
+		},
+	)
+}
+
+func TestController_handleCAPApplicationConsistent_Case5(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "Consistent state with a CAV name update",
+			initialResources: []string{
+				"testdata/capapplication/ca-33.initial.yaml",
+				"testdata/capapplication/cav-33-version-updated-ready.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-33.expected.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2881",
+			},
+		},
+	)
+}
+
+func TestController_handleCAPApplicationConsistent_Case6(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "Consistent state with no certificate",
+			initialResources: []string{
+				"testdata/capapplication/ca-29.initial.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/capapplication/cat-consumer-no-finalizers-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-no-cert.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-29.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2976",
+				"ERP4SMEPREPWORKAPPPLAT-2881",
+			},
+		},
+	)
+}
+
+func TestProviderTenantCreationError(t *testing.T) {
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - n/a, gateway - available, certificate - ready, dnsEntry - ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-43.initial.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+			},
+			expectedResources:     "testdata/capapplication/ca-43.expected.yaml",
+			expectError:           true,
+			mockErrorForResources: []ResourceAction{{Verb: "create", Group: "sme.sap.com", Version: "v1alpha1", Resource: "captenants", Namespace: "*", Name: "*"}},
+		},
+	)
+
+	if err.Error() != "mocked api error (captenants.sme.sap.com/v1alpha1)" {
+		t.Error("Wrong error message")
+	}
+}
+
+func TestCAPApplicationPrimaryDomainDNSEntryNotReady(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "When CAPApplicationVersion - ready, CAPTenant - ready, gateway - available, certificate - ready, dnsEntry - not ready",
+			initialResources: []string{
+				"testdata/capapplication/ca-06.initial.yaml",
+				"testdata/capapplication/ca-dns-not-ready.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-44.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplication: {{Namespace: "default", Name: "test-cap-01"}}},
+		},
+	)
+}
+
+func TestCAPApplicationConsistentWithNewCAPApplicationVersionTenantUpdateError(t *testing.T) {
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "Consistent state with a new CAV (ready); tenant update failure",
+			initialResources: []string{
+				"testdata/capapplication/ca-31.initial.yaml",
+				"testdata/capapplication/cav-name-modified-ready.yaml",
+				"testdata/capapplication/cat-provider-no-finalizers-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+			},
+			expectError:           true,
+			mockErrorForResources: []ResourceAction{{Verb: "update", Group: "sme.sap.com", Version: "v1alpha1", Resource: "captenants", Namespace: "*", Name: "*"}},
+		},
+	)
+	if err.Error() != "could not update CAPTenant default.test-cap-01-provider: mocked api error (captenants.sme.sap.com/v1alpha1)" {
+		t.Error("error message is different from expected")
+	}
+}
+
+func TestAdditionalConditionsTenantReadyUpgradeStrategyNever(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "test additional conditions with tenant having upgrade strategy never - and not on latest version",
+			initialResources: []string{
+				"testdata/capapplication/ca-45.initial.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/common/captenant-provider-upgraded-ready.yaml",
+				"testdata/capapplication/cat-consumer-upg-never-ready.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-29.expected.yaml", // expect - AllTenantsReady is "True"
+			backlogItems:      []string{"ERP4SMEPREPWORKAPPPLAT-2881"},
+		},
+	)
+}
+
+func TestAdditionalConditionsWithTenantDeletingUpgradeStrategyNever(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplication, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01"}},
+		TestData{
+			description: "test additional conditions with tenant having upgrade strategy never, not on latest version and deleting",
+			initialResources: []string{
+				"testdata/capapplication/ca-45.initial.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/common/captenant-provider-upgraded-ready.yaml",
+				"testdata/capapplication/cat-consumer-upg-never-deleting.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplication/gateway.yaml",
+				"testdata/capapplication/istio-ingress-with-cert.yaml",
+				"testdata/capapplication/ca-dns.yaml",
+			},
+			expectedResources: "testdata/capapplication/ca-45.expected.yaml", // expect - AllTenantsReady is "False"
+			backlogItems:      []string{"ERP4SMEPREPWORKAPPPLAT-2881"},
+		},
+	)
+}
diff --git a/internal/controller/reconcile-capapplicationversion.go b/internal/controller/reconcile-capapplicationversion.go
new file mode 100644
index 0000000..15dc0f2
--- /dev/null
+++ b/internal/controller/reconcile-capapplicationversion.go
@@ -0,0 +1,838 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/sap/cap-operator/internal/util"
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"golang.org/x/exp/slices"
+	appsv1 "k8s.io/api/apps/v1"
+	batchv1 "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/klog/v2"
+)
+
+const (
+	App = "app"
+)
+
+const (
+	CategoryWorkload = "Workload"
+	CategoryService  = "Service"
+)
+
+const (
+	defaultServerPort = 4004
+	defaultRouterPort = 5000
+)
+
+var trueVal = true
+
+type DeploymentParameters struct {
+	CA              *v1alpha1.CAPApplication
+	CAV             *v1alpha1.CAPApplicationVersion
+	OwnerRef        *metav1.OwnerReference
+	WorkloadDetails v1alpha1.WorkloadDetails
+	VCAPSecretName  string
+}
+
+func (c *Controller) reconcileCAPApplicationVersion(ctx context.Context, item QueueItem, attempts int) (*ReconcileResult, error) {
+	lister := c.crdInformerFactory.Sme().V1alpha1().CAPApplicationVersions().Lister()
+	cached, err := lister.CAPApplicationVersions(item.ResourceKey.Namespace).Get(item.ResourceKey.Name)
+	if err != nil {
+		return nil, handleOperatorResourceErrors(err)
+	}
+	cav := cached.DeepCopy()
+
+	// prepare owner refs, labels, finalizers
+	if update, err := c.prepareCAPApplicationVersion(ctx, cav); err != nil {
+		return nil, err
+	} else if update {
+		err := c.updateCAPApplicationVersion(ctx, cav)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// Handle Deletion
+	if cav.DeletionTimestamp != nil {
+		return c.deleteCAPApplicationVersion(ctx, cav)
+	}
+
+	return c.handleCAPApplicationVersion(ctx, cav)
+}
+
+func (c *Controller) updateCAPApplicationVersionStatus(ctx context.Context, cav *v1alpha1.CAPApplicationVersion, state v1alpha1.CAPApplicationVersionState, condition metav1.Condition) error {
+	cav.SetStatusWithReadyCondition(state, condition.Status, condition.Reason, condition.Message)
+
+	cavUpdated, statusErr := c.crdClient.SmeV1alpha1().CAPApplicationVersions(cav.Namespace).UpdateStatus(ctx, cav, metav1.UpdateOptions{})
+	// Update reference to the resource
+	if cavUpdated != nil {
+		*cav = *cavUpdated
+	}
+	if statusErr != nil {
+		klog.Error("could not update status of %s %s.%s: ", v1alpha1.CAPApplicationVersionKind, cav.Namespace, cav.Name, statusErr.Error())
+	}
+
+	return statusErr
+}
+
+func (c *Controller) updateCAPApplicationVersion(ctx context.Context, cav *v1alpha1.CAPApplicationVersion) error {
+	cavUpdated, err := c.crdClient.SmeV1alpha1().CAPApplicationVersions(cav.Namespace).Update(ctx, cav, metav1.UpdateOptions{})
+	// Update reference to the resource
+	if cavUpdated != nil {
+		*cav = *cavUpdated
+	}
+	return err
+}
+
+func (c *Controller) handleCAPApplicationVersion(ctx context.Context, cav *v1alpha1.CAPApplicationVersion) (*ReconcileResult, error) {
+	ca, _ := c.getCachedCAPApplication(cav.Namespace, cav.Spec.CAPApplicationInstance)
+
+	// Check for valid secrets
+	err := c.checkSecretsExist(ca.Spec.BTP.Services, ca.Namespace)
+
+	if err != nil {
+		// Requeue after 10s to check if secrets exist
+		return NewReconcileResultWithResource(ResourceCAPApplicationVersion, cav.Name, cav.Namespace, 10*time.Second), c.updateCAPApplicationVersionStatus(ctx, cav, v1alpha1.CAPApplicationVersionStateProcessing, metav1.Condition{Type: string(v1alpha1.ConditionTypeReady), Status: "False", Reason: "WaitingForSecrets"})
+	}
+
+	// If Valid secrets exists proceed with processing deployment
+	var statusErr error
+	switch cav.Status.State {
+	case "":
+		statusErr = c.updateCAPApplicationVersionStatus(ctx, cav, v1alpha1.CAPApplicationVersionStateProcessing, metav1.Condition{Type: string(v1alpha1.ConditionTypeReady), Status: "False", Reason: "ReadyForProcessing"})
+	case v1alpha1.CAPApplicationVersionStateError:
+		var errorCondition metav1.Condition
+		if len(cav.Status.Conditions) > 0 {
+			errorCondition = *cav.Status.Conditions[0].DeepCopy() // keep the error condition while re-processing
+		} else {
+			errorCondition = metav1.Condition{Type: string(v1alpha1.ConditionTypeReady), Status: "False", Reason: "RetryProcessing"}
+		}
+		statusErr = c.updateCAPApplicationVersionStatus(ctx, cav, v1alpha1.CAPApplicationVersionStateProcessing, errorCondition)
+	}
+
+	if statusErr != nil {
+		return nil, statusErr
+	}
+
+	return nil, c.processDeployments(ctx, ca, cav)
+}
+
+func (c *Controller) processDeployments(ctx context.Context, ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion) error {
+	// TODO: handle create/update of individual deployments/jobs (so far these are just created and never updated, as we expect secrets don't change!)
+
+	// Handle Content job
+	err := c.handleContentDeployJob(ca, cav)
+	if err != nil {
+		c.updateCAPApplicationVersionStatus(ctx, cav, v1alpha1.CAPApplicationVersionStateError, metav1.Condition{Type: string(v1alpha1.ConditionTypeReady), Status: "False", Reason: "ErrorInContentDeploymentJob", Message: err.Error()})
+		return err
+	}
+
+	// Create AppRouter Deployment
+	err = c.updateApprouterDeployment(ca, cav)
+	if err != nil {
+		c.updateCAPApplicationVersionStatus(ctx, cav, v1alpha1.CAPApplicationVersionStateError, metav1.Condition{Type: string(v1alpha1.ConditionTypeReady), Status: "False", Reason: "ErrorInAppRouterDeployment", Message: err.Error()})
+		return err
+	}
+
+	// Create Server Deployment
+	err = c.updateServerDeployment(ca, cav)
+	if err != nil {
+		c.updateCAPApplicationVersionStatus(ctx, cav, v1alpha1.CAPApplicationVersionStateError, metav1.Condition{Type: string(v1alpha1.ConditionTypeReady), Status: "False", Reason: "ErrorInServerDeployment", Message: err.Error()})
+		return err
+	}
+
+	// Create All Services
+	err = c.updateServices(ca, cav)
+	if err != nil {
+		c.updateCAPApplicationVersionStatus(ctx, cav, v1alpha1.CAPApplicationVersionStateError, metav1.Condition{Type: string(v1alpha1.ConditionTypeReady), Status: "False", Reason: "ErrorInServerService", Message: err.Error()})
+		return err
+	}
+
+	// Create Additional Deployments
+	err = c.updateAdditionalDeployment(ca, cav)
+	if err != nil {
+		c.updateCAPApplicationVersionStatus(ctx, cav, v1alpha1.CAPApplicationVersionStateError, metav1.Condition{Type: string(v1alpha1.ConditionTypeReady), Status: "False", Reason: "ErrorInJobWorkerDeployment", Message: err.Error()})
+		return err
+	}
+
+	// Create NetworkPolicy
+	err = c.updateNetworkPolicies(ca, cav)
+	if err != nil {
+		c.updateCAPApplicationVersionStatus(ctx, cav, v1alpha1.CAPApplicationVersionStateError, metav1.Condition{Type: string(v1alpha1.ConditionTypeReady), Status: "False", Reason: "ErrorInNetworkPolicy", Message: err.Error()})
+		return err
+	}
+
+	// Check for status of the Workloads
+	processing, err := c.checkWorkloadStatus(ctx, cav)
+	if err != nil {
+		c.updateCAPApplicationVersionStatus(ctx, cav, v1alpha1.CAPApplicationVersionStateError, metav1.Condition{Type: string(v1alpha1.ConditionTypeReady), Status: "False", Reason: "ErrorInWorkloadStatus", Message: err.Error()})
+		return err
+	} else if processing {
+		return nil
+	}
+
+	// TODO: wait until the deployments are actually "Ready"!
+	return c.updateCAPApplicationVersionStatus(ctx, cav, v1alpha1.CAPApplicationVersionStateReady, metav1.Condition{Type: string(v1alpha1.ConditionTypeReady), Status: "True", Reason: "CreatedDeployments"})
+}
+
+// #region Content Deploy Job
+func (c *Controller) handleContentDeployJob(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion) error {
+	workload := getRelevantJob(v1alpha1.JobContent, cav)
+	if res := validateEnv(workload.JobDefinition.Env, restrictedEnvNames); res != "" {
+		return errorEnv(workload.Name, res)
+	}
+
+	var vcapSecretName string
+	jobName := cav.Name + "-" + strings.ToLower(string(workload.JobDefinition.Type))
+	// If Job has already executed --> exit
+	if cav.CheckFinishedJobs(jobName) {
+		return nil
+	}
+	// Get the contentDeploy job with the name expected for this CAV instance
+	contentDeployJob, err := c.kubeInformerFactory.Batch().V1().Jobs().Lister().Jobs(cav.Namespace).Get(jobName)
+	// If the resource doesn't exist, we'll create it
+	if k8sErrors.IsNotFound(err) {
+		// Get ServiceInfos for consumed BTP services
+		consumedServiceInfos := getConsumedServiceInfos(getConsumedServiceMap(workload.ConsumedBTPServices), ca.Spec.BTP.Services)
+
+		// Create ownerRef to CAV
+		ownerRef := *metav1.NewControllerRef(cav, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPApplicationVersionKind))
+
+		// Get VCAP secret name
+		vcapSecretName, err = createVCAPSecret(jobName, cav.Namespace, ownerRef, consumedServiceInfos, c.kubeClient)
+
+		if err == nil {
+			contentDeployJob, err = c.kubeClient.BatchV1().Jobs(cav.Namespace).Create(context.TODO(), newContentDeploymentJob(ca, cav, workload, ownerRef, vcapSecretName), metav1.CreateOptions{})
+		}
+	}
+
+	return doChecks(err, contentDeployJob, cav, workload.Name)
+}
+
+// newContentDeploymentJob creates a Content Deployment Job for the CAV resource. It also sets the appropriate OwnerReferences.
+func newContentDeploymentJob(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion, workload *v1alpha1.WorkloadDetails, ownerRef metav1.OwnerReference, vcapSecretName string) *batchv1.Job {
+	labels := copyMaps(workload.Labels, map[string]string{
+		LabelDisableKarydia: "true",
+	})
+
+	annotations := copyMaps(workload.Annotations, map[string]string{
+		AnnotationIstioSidecarInject: "false",
+	})
+
+	return &batchv1.Job{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        cav.Name + "-" + strings.ToLower(string(workload.JobDefinition.Type)),
+			Namespace:   cav.Namespace,
+			Annotations: workload.Annotations,
+			OwnerReferences: []metav1.OwnerReference{
+				ownerRef,
+			},
+		},
+		Spec: batchv1.JobSpec{
+			BackoffLimit:            workload.JobDefinition.BackoffLimit,
+			TTLSecondsAfterFinished: workload.JobDefinition.TTLSecondsAfterFinished,
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: annotations,
+					Labels:      labels,
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:            workload.Name,
+							Image:           workload.JobDefinition.Image,
+							ImagePullPolicy: workload.JobDefinition.ImagePullPolicy,
+							Command:         workload.JobDefinition.Command,
+							Env: append([]corev1.EnvVar{
+								{Name: EnvCAPOpAppVersion, Value: cav.Spec.Version},
+							}, workload.JobDefinition.Env...),
+							EnvFrom:         getEnvFrom(vcapSecretName),
+							Resources:       workload.JobDefinition.Resources,
+							SecurityContext: workload.JobDefinition.SecurityContext,
+						},
+					},
+					SecurityContext:  workload.JobDefinition.PodSecurityContext,
+					ImagePullSecrets: convertToLocalObjectReferences(cav.Spec.RegistrySecrets),
+					RestartPolicy:    corev1.RestartPolicyOnFailure,
+				},
+			},
+		},
+	}
+}
+
+//#endregion
+
+// #region Server
+func (c *Controller) updateServerDeployment(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion) error {
+	serverWorkloads := getDeployments(v1alpha1.DeploymentCAP, cav)
+	for _, serverWorkload := range serverWorkloads {
+		err := c.updateDeployment(ca, cav, &serverWorkload)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+//#endregion
+
+// #region AppRouter
+func (c *Controller) updateApprouterDeployment(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion) error {
+	routerWorkload := getRelevantDeployment(v1alpha1.DeploymentRouter, cav)
+	return c.updateDeployment(ca, cav, routerWorkload)
+}
+
+//#endregion
+
+// #region JobWorker
+func (c *Controller) updateAdditionalDeployment(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion) error {
+	additionalWorkloads := getDeployments(v1alpha1.DeploymentAdditional, cav)
+	for _, workload := range additionalWorkloads {
+		err := c.updateDeployment(ca, cav, &workload)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+//#endregion
+
+// #region Service
+func (c *Controller) updateServices(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion) error {
+	workloadServicePortInfos := getRelevantServicePortInfo(cav)
+	for _, workloadServicePortInfo := range workloadServicePortInfos {
+		// Get the Service with the name specified in CustomDeployment.spec
+		service, err := c.kubeClient.CoreV1().Services(cav.Namespace).Get(context.TODO(), workloadServicePortInfo.WorkloadName+ServiceSuffix, metav1.GetOptions{})
+		// If the resource doesn't exist, we'll create it
+		if k8sErrors.IsNotFound(err) {
+			service, err = c.kubeClient.CoreV1().Services(cav.Namespace).Create(context.TODO(), newService(ca, cav, workloadServicePortInfo), metav1.CreateOptions{})
+		}
+
+		err = doChecks(err, service, cav, workloadServicePortInfo.WorkloadName+ServiceSuffix)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// newService creates a new Service for a CAV resource. It also sets the appropriate OwnerReferences.
+func newService(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion, workloadServicePortInfo servicePortInfo) *corev1.Service {
+	var ports []corev1.ServicePort
+
+	for _, port := range workloadServicePortInfo.Ports {
+		ports = append(ports, corev1.ServicePort{Name: port.Name, Port: port.Port, AppProtocol: port.AppProtocol})
+	}
+
+	matchlabels := getLabels(ca, cav, CategoryWorkload, workloadServicePortInfo.DeploymentType, workloadServicePortInfo.WorkloadName, false)
+
+	workload := getWorkloadByName(workloadServicePortInfo.WorkloadName[len(cav.Name)+1:], cav)
+
+	annotations := copyMaps(workload.Annotations, getAnnotations(ca, cav, true))
+
+	labels := copyMaps(workload.Labels, getLabels(ca, cav, CategoryService, workloadServicePortInfo.DeploymentType, workloadServicePortInfo.WorkloadName+ServiceSuffix, true))
+
+	return &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        workloadServicePortInfo.WorkloadName + ServiceSuffix,
+			Namespace:   cav.Namespace,
+			Labels:      labels,
+			Annotations: annotations,
+			OwnerReferences: []metav1.OwnerReference{
+				*metav1.NewControllerRef(cav, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPApplicationVersionKind)),
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			Ports:    ports,
+			Selector: matchlabels,
+		},
+	}
+}
+
+// #endregion Service
+
+// #region NetworkPolicy
+func (c *Controller) updateNetworkPolicies(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion) error {
+	var (
+		spec networkingv1.NetworkPolicySpec
+		err  error
+	)
+
+	// The app pod specific NetworkPolicy
+	spec = getAppPodNetworkPolicySpec(ca, cav)
+	err = c.createNetworkPolicy(cav.Name, spec, cav)
+	if err != nil {
+		return err
+	}
+
+	// The app ingress (to router) NetworkPolicy
+	spec = getAppIngressNetworkPolicySpec(ca, cav)
+	err = c.createNetworkPolicy(cav.Name+"--in", spec, cav)
+	if err != nil {
+		return err
+	}
+
+	// (Tech)Port specific network policy (just clusterWide for now)
+	// Get all the relevant service info (that includes ports exposed clusterwide)
+	workloadServicePortInfos := getRelevantServicePortInfo(cav)
+	for _, workloadServicePortInfo := range workloadServicePortInfos {
+		if len(workloadServicePortInfo.ClusterPorts) > 0 {
+			// Create a network policy for the workload if at least 1 clusterwide exposed port exists.
+			spec = getPortSpecificNetworkPolicySpec(workloadServicePortInfo, ca, cav)
+			err = c.createNetworkPolicy(workloadServicePortInfo.WorkloadName, spec, cav)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// check and create a new NetworkPolicy for the given workload/CAV resource. It also sets the appropriate OwnerReferences.
+func (c *Controller) createNetworkPolicy(name string, spec networkingv1.NetworkPolicySpec, cav *v1alpha1.CAPApplicationVersion) error {
+	networkPolicy, err := c.kubeClient.NetworkingV1().NetworkPolicies(cav.Namespace).Get(context.TODO(), name, metav1.GetOptions{})
+	// If the resource doesn't exist, we'll create it
+	if k8sErrors.IsNotFound(err) {
+		networkPolicy, err = c.kubeClient.NetworkingV1().NetworkPolicies(cav.Namespace).Create(context.TODO(), &networkingv1.NetworkPolicy{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: cav.Namespace,
+				OwnerReferences: []metav1.OwnerReference{
+					*metav1.NewControllerRef(cav, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPApplicationVersionKind)),
+				},
+			},
+			Spec: spec,
+		}, metav1.CreateOptions{})
+	}
+	return doChecks(err, networkPolicy, cav, "NetworkPolicy")
+}
+
+func getAppPodNetworkPolicySpec(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion) networkingv1.NetworkPolicySpec {
+	return networkingv1.NetworkPolicySpec{
+		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
+		Ingress: []networkingv1.NetworkPolicyIngressRule{{
+			From: []networkingv1.NetworkPolicyPeer{
+				// Enable communication across all workload pods with the same version
+				{
+					PodSelector: &metav1.LabelSelector{MatchLabels: getLabels(ca, cav, CategoryWorkload, "", "", false)},
+				},
+			},
+		}},
+		// Target all workloads of the app
+		PodSelector: metav1.LabelSelector{MatchLabels: getLabels(ca, cav, CategoryWorkload, "", "", false)},
+	}
+}
+
+func getAppIngressNetworkPolicySpec(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion) networkingv1.NetworkPolicySpec {
+	return networkingv1.NetworkPolicySpec{
+		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
+		Ingress: []networkingv1.NetworkPolicyIngressRule{{
+			From: []networkingv1.NetworkPolicyPeer{
+				// Enable ingress traffic to the router via istio-ingress gateway
+				{
+					NamespaceSelector: &metav1.LabelSelector{},
+					PodSelector:       &metav1.LabelSelector{MatchLabels: getIngressGatewayLabels(ca)},
+				},
+			},
+		}},
+		// Target all workloads of the app
+		PodSelector: metav1.LabelSelector{MatchLabels: getLabels(ca, cav, CategoryWorkload, string(v1alpha1.DeploymentRouter), "", false)},
+	}
+}
+
+func getPortSpecificNetworkPolicySpec(workloadServicePortInfo servicePortInfo, ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion) networkingv1.NetworkPolicySpec {
+	ports := []networkingv1.NetworkPolicyPort{}
+	for _, port := range workloadServicePortInfo.ClusterPorts {
+		ports = append(ports, networkingv1.NetworkPolicyPort{Port: &intstr.IntOrString{IntVal: port}})
+	}
+	return networkingv1.NetworkPolicySpec{
+		PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
+		Ingress: []networkingv1.NetworkPolicyIngressRule{{
+			Ports: ports,
+			From: []networkingv1.NetworkPolicyPeer{
+				// Enable ingress traffic to these ports from any pod in the cluster
+				{
+					NamespaceSelector: &metav1.LabelSelector{},
+					PodSelector:       &metav1.LabelSelector{},
+				},
+			},
+		}},
+		// Target the relevant workload whose port(s) needs to be exposed cluster wide
+		PodSelector: metav1.LabelSelector{MatchLabels: getLabels(ca, cav, CategoryWorkload, workloadServicePortInfo.DeploymentType, workloadServicePortInfo.WorkloadName, false)},
+	}
+}
+
+// #endregion NetworkPolicy
+
+// #region Deployments
+
+func (c *Controller) updateDeployment(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion, workload *v1alpha1.WorkloadDetails) error {
+	if res := validateEnv(workload.DeploymentDefinition.Env, restrictedEnvNames); res != "" {
+		return errorEnv(workload.Name, res)
+	}
+
+	var vcapSecretName string
+	deploymentName := cav.Name + "-" + strings.ToLower(string(workload.Name))
+	// Get the workloadDeployment with the name specified in CustomDeployment.spec
+	workloadDeployment, err := c.kubeClient.AppsV1().Deployments(cav.Namespace).Get(context.TODO(), deploymentName, metav1.GetOptions{})
+	// If the resource doesn't exist, we'll create it
+	if k8sErrors.IsNotFound(err) {
+		// Get ServiceInfos for consumed BTP services
+		consumedServiceInfos := getConsumedServiceInfos(getConsumedServiceMap(workload.ConsumedBTPServices), ca.Spec.BTP.Services)
+
+		// Create ownerRef to CAV
+		ownerRef := *metav1.NewControllerRef(cav, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPApplicationVersionKind))
+
+		// Get VCAP secret name
+		vcapSecretName, err = createVCAPSecret(deploymentName, cav.Namespace, ownerRef, consumedServiceInfos, c.kubeClient)
+
+		if err == nil {
+			workloadDeployment, err = c.kubeClient.AppsV1().Deployments(cav.Namespace).Create(context.TODO(), newDeployment(ca, cav, workload, ownerRef, vcapSecretName), metav1.CreateOptions{})
+		}
+	}
+
+	return doChecks(err, workloadDeployment, cav, workload.Name)
+}
+
+// newDeployment creates a new generic Deployment for a CAV resource based on the type. It also sets the appropriate OwnerReferences.
+func newDeployment(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion, workload *v1alpha1.WorkloadDetails, ownerRef metav1.OwnerReference, vcapSecretName string) *appsv1.Deployment {
+	params := &DeploymentParameters{
+		CA:              ca,
+		CAV:             cav,
+		OwnerRef:        &ownerRef,
+		WorkloadDetails: *workload,
+		VCAPSecretName:  vcapSecretName,
+	}
+
+	return createDeployment(params)
+}
+
+func createDeployment(params *DeploymentParameters) *appsv1.Deployment {
+	workloadName := params.CAV.Name + "-" + strings.ToLower(params.WorkloadDetails.Name)
+	annotations := copyMaps(params.WorkloadDetails.Annotations, getAnnotations(params.CA, params.CAV, true))
+	labels := copyMaps(params.WorkloadDetails.Labels, getLabels(params.CA, params.CAV, CategoryWorkload, string(params.WorkloadDetails.DeploymentDefinition.Type), workloadName, true))
+
+	return &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      workloadName,
+			Namespace: params.CAV.Namespace,
+			OwnerReferences: []metav1.OwnerReference{
+				*params.OwnerRef,
+			},
+			Annotations: annotations,
+			Labels:      labels,
+		},
+		Spec: appsv1.DeploymentSpec{
+			Selector: &metav1.LabelSelector{
+				MatchLabels: labels,
+			},
+			Replicas: params.WorkloadDetails.DeploymentDefinition.Replicas, // will automatically default to 1 (if pointer is nil)
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: annotations,
+					Labels:      labels,
+				},
+				Spec: corev1.PodSpec{
+					ImagePullSecrets: convertToLocalObjectReferences(params.CAV.Spec.RegistrySecrets),
+					Containers:       getContainer(params),
+					SecurityContext:  params.WorkloadDetails.DeploymentDefinition.PodSecurityContext,
+				},
+			},
+		},
+	}
+}
+
+func getContainer(params *DeploymentParameters) []corev1.Container {
+	container := corev1.Container{
+		Name:            params.WorkloadDetails.Name,
+		Image:           params.WorkloadDetails.DeploymentDefinition.Image,
+		ImagePullPolicy: params.WorkloadDetails.DeploymentDefinition.ImagePullPolicy,
+		Command:         params.WorkloadDetails.DeploymentDefinition.Command,
+		Env:             getEnv(params),
+		EnvFrom:         getEnvFrom(params.VCAPSecretName),
+		LivenessProbe:   params.WorkloadDetails.DeploymentDefinition.LivenessProbe,
+		ReadinessProbe:  params.WorkloadDetails.DeploymentDefinition.ReadinessProbe,
+		Resources:       params.WorkloadDetails.DeploymentDefinition.Resources,
+		SecurityContext: params.WorkloadDetails.DeploymentDefinition.SecurityContext,
+	}
+	return []corev1.Container{container}
+}
+
+func getEnv(params *DeploymentParameters) []corev1.EnvVar {
+	env := []corev1.EnvVar{
+		{Name: EnvCAPOpAppVersion, Value: params.CAV.Spec.Version},
+	}
+	env = append(env, params.WorkloadDetails.DeploymentDefinition.Env...)
+
+	if params.WorkloadDetails.DeploymentDefinition.Type == v1alpha1.DeploymentRouter {
+		// Add destinations env for `Router`
+		appendDestinationsEnv(params.CAV, &env)
+	}
+
+	return env
+}
+
+func appendDestinationsEnv(cav *v1alpha1.CAPApplicationVersion, env *[]corev1.EnvVar) {
+	var (
+		destEnvIndex int                          = -1
+		destMap      map[string]RouterDestination = map[string]RouterDestination{}
+	)
+
+	destEnvIndex = slices.IndexFunc(*env, func(currentEnv corev1.EnvVar) bool { return currentEnv.Name == "destinations" })
+
+	if destEnvIndex > -1 {
+		if destinations, err := util.ParseJSON[[]RouterDestination]([]byte((*env)[destEnvIndex].Value)); err == nil {
+			for _, d := range *destinations {
+				destMap[d.Name] = d
+			}
+		} // else -> in case of parsing error continue with only the workload destinations
+	}
+
+	destinations := []RouterDestination{}
+	portInfos := getRelevantServicePortInfo(cav)
+	for _, portInfo := range portInfos {
+		for _, destinationInfo := range portInfo.Destinations {
+			dest := getDestination(destMap, destinationInfo, portInfo)
+			destinations = append(destinations, dest)
+			delete(destMap, destinationInfo.DestinationName)
+		}
+	}
+
+	for _, d := range destMap {
+		destinations = append(destinations, d)
+	}
+	serialized, _ := json.Marshal(destinations)
+	if destEnvIndex > -1 {
+		(*env)[destEnvIndex].Value = string(serialized)
+	} else {
+		*env = append(*env, corev1.EnvVar{Name: "destinations", Value: string(serialized)})
+	}
+}
+
+func getDestination(destMap map[string]RouterDestination, destinationInfo destinationInfo, portInfo servicePortInfo) RouterDestination {
+	dest, ok := destMap[destinationInfo.DestinationName]
+	if !ok {
+		dest = RouterDestination{
+			Name:             destinationInfo.DestinationName,
+			URL:              "http://" + portInfo.WorkloadName + ServiceSuffix + ":" + strconv.Itoa(int(destinationInfo.Port)),
+			ForwardAuthToken: true,
+		}
+	} else {
+		// Overwrite just the URL from existing destination configuration
+		dest.URL = "http://" + portInfo.WorkloadName + ServiceSuffix + ":" + strconv.Itoa(int(destinationInfo.Port))
+	}
+	return dest
+}
+
+// endregion Deployments
+
+func getEnvFrom(vcapServiceName string) []corev1.EnvFromSource {
+	return []corev1.EnvFromSource{
+		{
+			SecretRef: &corev1.SecretEnvSource{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: vcapServiceName,
+				},
+				Optional: &trueVal,
+			},
+		},
+	}
+}
+
+func (c *Controller) prepareCAPApplicationVersion(ctx context.Context, cav *v1alpha1.CAPApplicationVersion) (update bool, err error) {
+	// Do nothing when object is deleted
+	if cav.DeletionTimestamp != nil {
+		return false, nil
+	}
+	ca, err := c.getCachedCAPApplication(cav.Namespace, cav.Spec.CAPApplicationInstance)
+	if err != nil {
+		return false, err
+	}
+	if _, ok := getOwnerByKind(cav.OwnerReferences, v1alpha1.CAPApplicationKind); !ok {
+		// create owner reference - CAPApplication
+		cav.OwnerReferences = append(cav.OwnerReferences, *metav1.NewControllerRef(ca, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPApplicationKind)))
+		update = true
+	}
+
+	if addCAPApplicationVersionLabels(cav, ca) {
+		update = true
+	}
+
+	if cav.DeletionTimestamp == nil {
+		// Finalizer to prevent direct deletion of CAPApplicationVersion
+		if cav.Finalizers == nil {
+			cav.Finalizers = []string{}
+		}
+		if addFinalizer(&cav.Finalizers, FinalizerCAPApplicationVersion) {
+			update = true
+		}
+	}
+
+	return update, nil
+}
+
+// Annotations
+func getAnnotations(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion, ownerInfo bool) map[string]string {
+	annotations := map[string]string{
+		AnnotationBTPApplicationIdentifier: strings.Join([]string{ca.Spec.GlobalAccountId, ca.Spec.BTPAppName}, "."),
+	}
+
+	if ownerInfo {
+		annotations[AnnotationOwnerIdentifier] = cav.Namespace + "." + cav.Name
+
+	}
+
+	return annotations
+}
+
+// Labels
+func getLabels(ca *v1alpha1.CAPApplication, cav *v1alpha1.CAPApplicationVersion, category string, workloadType string, workloadName string, additionalDetails bool) map[string]string {
+	labels := map[string]string{
+		App:                               ca.Spec.BTPAppName,
+		LabelBTPApplicationIdentifierHash: sha1Sum(ca.Spec.GlobalAccountId, ca.Spec.BTPAppName),
+		LabelCAVVersion:                   cav.Spec.Version,
+		LabelResourceCategory:             category,
+	}
+
+	addIfNotEmpty := func(k, v string) {
+		if v != "" {
+			labels[k] = v
+		}
+	}
+	addIfNotEmpty(LabelWorkloadType, workloadType)
+	addIfNotEmpty(LabelWorkloadName, workloadName)
+
+	if additionalDetails {
+		labels[LabelOwnerIdentifierHash] = sha1Sum(cav.Namespace, cav.Name)
+		labels[LabelOwnerGeneration] = strconv.FormatInt(cav.Generation, 10)
+	}
+
+	return labels
+}
+
+func addCAPApplicationVersionLabels(cav *v1alpha1.CAPApplicationVersion, ca *v1alpha1.CAPApplication) (updated bool) {
+	appMetadata := appMetadataIdentifiers{
+		globalAccountId: ca.Spec.GlobalAccountId,
+		appName:         ca.Spec.BTPAppName,
+		ownerInfo: &ownerInfo{
+			ownerNamespace:  ca.Namespace,
+			ownerName:       ca.Name,
+			ownerGeneration: ca.Generation,
+		},
+	}
+	if updateLabelAnnotationMetadata(&cav.ObjectMeta, &appMetadata) {
+		updated = true
+	}
+	return updated
+}
+
+// Check if an error occured or if owner references are correct
+func doChecks(err error, obj metav1.Object, cav *v1alpha1.CAPApplicationVersion, res string) error {
+	// If an error occurs during Get/Create, we'll requeue the item so we can
+	// attempt processing again later. This could have been caused by a
+	// temporary network failure, or any other transient reason.
+	if err != nil {
+		return err
+	}
+
+	// Check if the Deployment is not controlled by this CustomDeployment resource
+	_, ok := getOwnerByKind(obj.GetOwnerReferences(), v1alpha1.CAPApplicationVersionKind)
+	if !ok {
+		return fmt.Errorf("%s could not be identified for the resource %s %s: %s.%s", v1alpha1.CAPApplicationVersionKind, res, obj.GetName(), cav.Namespace, cav.Name)
+	}
+
+	return nil
+}
+
+// checkWorkloadStatus --> This just checks the contentDeployJob status for now
+// TODO: Checks for issues with Deployment(s)!
+func (c *Controller) checkWorkloadStatus(ctx context.Context, cav *v1alpha1.CAPApplicationVersion) (bool, error) {
+	workload := getRelevantJob(v1alpha1.JobContent, cav)
+	job := cav.Name + "-" + strings.ToLower(string(workload.JobDefinition.Type))
+
+	// Get the contentDeploy job with the name expected for this CAV instance
+	contentDeployJob, err := c.kubeInformerFactory.Batch().V1().Jobs().Lister().Jobs(cav.Namespace).Get(job)
+	if err != nil {
+		return false, err
+	}
+
+	// check for completion or failure and accordingly set the cav state by returning error msg
+	for _, condition := range contentDeployJob.Status.Conditions {
+		if condition.Type == batchv1.JobComplete && condition.Status == corev1.ConditionTrue {
+			cav.SetStatusFinishedJobs(job)
+			return false, nil
+		} else if condition.Type == batchv1.JobFailed && condition.Status == corev1.ConditionTrue {
+			cav.SetStatusFinishedJobs(job)
+			return false, fmt.Errorf("%s", condition.Message)
+		}
+	}
+
+	// Assume Job is being processed!
+	return true, nil
+}
+
+func (c *Controller) getRelevantTenantsForCAV(cav *v1alpha1.CAPApplicationVersion) []*v1alpha1.CAPTenant {
+	var tenants []*v1alpha1.CAPTenant
+	// Get CAPApplication instance
+	ca, _ := c.getCachedCAPApplication(cav.Namespace, cav.Spec.CAPApplicationInstance)
+	if ca != nil {
+		// Get all tenants in the namespace for the CAPApplication
+		allTenants, _ := c.crdInformerFactory.Sme().V1alpha1().CAPTenants().Lister().CAPTenants(cav.Namespace).List(labels.SelectorFromSet(map[string]string{LabelBTPApplicationIdentifierHash: sha1Sum(ca.Spec.GlobalAccountId, ca.Spec.BTPAppName)}))
+		// Filter out relevant tenants for the CAPApplicationVersion
+		for _, tenant := range allTenants {
+			// If a tenant is already on a given version -or- is being provisioned/upgraded to a version, it is relevant for this CAPApplicationVersion
+			if tenant.Status.CurrentCAPApplicationVersionInstance == cav.Name || tenant.Spec.Version == cav.Spec.Version {
+				tenants = append(tenants, tenant)
+			}
+		}
+	}
+	return tenants
+}
+
+func (c *Controller) deleteCAPApplicationVersion(ctx context.Context, cav *v1alpha1.CAPApplicationVersion) (*ReconcileResult, error) {
+	// Update State if it is not set yet
+	if cav.Status.State != v1alpha1.CAPApplicationVersionStateDeleting {
+		var deleteCondition metav1.Condition
+		if len(cav.Status.Conditions) > 0 {
+			deleteCondition = *cav.Status.Conditions[0].DeepCopy() // Reuse the existing condition during deletion
+		} else {
+			deleteCondition = metav1.Condition{Type: string(v1alpha1.ConditionTypeReady), Status: "False"}
+		}
+		// Set the reason for Deletion
+		deleteCondition.Reason = "DeleteTriggered"
+		err := c.updateCAPApplicationVersionStatus(ctx, cav, v1alpha1.CAPApplicationVersionStateDeleting, deleteCondition)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	tenants := c.getRelevantTenantsForCAV(cav)
+
+	// Check if tenants exists
+	if len(tenants) > 0 {
+		// Requeue after 10s to check if all tenants are gone
+		return NewReconcileResultWithResource(ResourceCAPApplicationVersion, cav.Name, cav.Namespace, 10*time.Second), nil
+	} else if removeFinalizer(&cav.Finalizers, FinalizerCAPApplicationVersion) { // All tenants are gone --> remove finalizer and process deletion
+		return nil, c.updateCAPApplicationVersion(ctx, cav)
+	}
+
+	// No finalizer exists
+	return nil, nil
+}
diff --git a/internal/controller/reconcile-capapplicationversion_test.go b/internal/controller/reconcile-capapplicationversion_test.go
new file mode 100644
index 0000000..6e9aa4c
--- /dev/null
+++ b/internal/controller/reconcile-capapplicationversion_test.go
@@ -0,0 +1,540 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"testing"
+)
+
+func TestCAV_WithoutCAPApplicationAndVersion(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description:            "capapplication version with invalid capapplication and deleted capapplicationversion reference",
+			expectResourceNotFound: true,
+			expectError:            false, //No errors when no CAV to skip requeues
+		},
+	)
+}
+
+func TestCAV_WithoutCAPApplication(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description:      "capapplication version with invalid capapplication reference",
+			initialResources: []string{"testdata/capapplicationversion/cav-invalid-ca.yaml"},
+			expectError:      true,
+		},
+	)
+}
+
+func TestCAV_MissingSecrets(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with missing secrets",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/capapplicationversion/cav-empty-status.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-missing-secrets.yaml",
+			expectError:       false, // CAV is requeued
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplicationVersion: {{Namespace: "default", Name: "test-cap-01-cav-v1"}}},
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-3351",
+			},
+		},
+	)
+}
+
+func TestCAV_EmptyStatusProcessing(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with empty status",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/cav-empty-status.yaml",
+				"testdata/capapplicationversion/content-job-pending.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-processing.yaml",
+		},
+	)
+}
+
+func TestCAV_ErrorStatusProcessing(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with error (e.g. api-server error) status to processing",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/cav-error-status.yaml",
+				"testdata/capapplicationversion/content-job-pending.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-error-processing.yaml",
+		},
+	)
+}
+
+func TestCAV_ErrorWithConditionStatusProcessing(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with unknown error condition (e.g. api-server error) status to processing",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/cav-error-condition-status.yaml",
+				"testdata/capapplicationversion/content-job-pending.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-error-condition-processing.yaml",
+		},
+	)
+}
+
+func TestCAV_ContentJobMissing(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with content job missing",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/cav-processing.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-missing-content-job.yaml",
+			expectError:       true, // job.batch "test-cap-01-cav-v1-content-job" not found
+		},
+	)
+}
+
+func TestCAV_ContentJobPending(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with pending content job",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/cav-processing.yaml",
+				"testdata/capapplicationversion/content-job-pending.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-processing.yaml",
+		},
+	)
+}
+
+func TestCAV_ContentJobFailed(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with failed content job",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/cav-processing.yaml",
+				"testdata/capapplicationversion/content-job-failed.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-failed-content-job.yaml",
+			expectError:       true,
+		},
+	)
+}
+
+func TestCAV_ContentJobFailedReconcilation(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "Reconcile error capapplication version with failed content job",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/cav-failed-content-job.yaml",
+				"testdata/capapplicationversion/content-job-failed.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-failed-content-job.yaml",
+			expectError:       true,
+		},
+	)
+}
+
+func TestCAV_ContentJobCompletedFromProcessing(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with completed content job",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/cav-processing.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-ready-content-job.yaml",
+		},
+	)
+}
+
+func TestCAV_ContentJobCompletedExisting(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with completed content job",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/cav-processing-job-finished.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-ready-content-job.yaml",
+		},
+	)
+}
+
+func TestCAV_InvalidEnvConfigContent(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with invalid content env config",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/cav-invalid-env-content.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-failed-env-content.yaml",
+			expectError:       true,
+		},
+	)
+}
+
+func TestCAV_WithRouterDestinationsEnv(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with invalid router env config",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/capapplicationversion/cav-merged-destinations-router.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-ready-merged-destinations-router.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-3386", // merge existing `destinations` operator workload configuration by just overwriting the URL!
+			},
+		},
+	)
+}
+
+func TestCAV_InvalidEnvConfigCAPServer(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with invalid cap server env config",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/cav-invalid-env-cap.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-failed-env-cap.yaml",
+			expectError:       true,
+		},
+	)
+}
+
+func TestCAV_InvalidEnvConfigJobWorker(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with invalid job worker env config",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/cav-invalid-env-job-worker.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-failed-env-job-worker.yaml",
+			expectError:       true,
+		},
+	)
+}
+
+func TestCAV_ValidEnvConfigOverall(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with valid overall env config",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/capapplicationversion/cav-valid-env-config.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-ready-valid-env-config.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2048", // Overall the generic workloads should run fine with this change
+				"ERP4SMEPREPWORKAPPPLAT-3226", // imagePullPolicy
+			},
+		},
+	)
+}
+
+func TestCAV_CustomLabels(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with valid overall config with custom labels",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/capapplicationversion/cav-custom-labels.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-ready-custom-labels-config.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2187", // Custom labels also tested here
+			},
+		},
+	)
+}
+
+func TestCAV_CustomDestinationConfig(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with custom destination config",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/capapplicationversion/cav-custom-destination-config.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-ready-custom-destination-config.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-1843",
+			},
+		},
+	)
+}
+
+func TestCAV_DeletingWithReadyTenants(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication deleting with valid ready tenants",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/capapplicationversion/cav-ready-deleting.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-deleting.yaml",
+			expectError:       false, // cav is requeued until dependants are gone
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplicationVersion: {{Namespace: "default", Name: "test-cap-01-cav-v1"}}},
+		},
+	)
+}
+
+func TestCAV_DeletingWithUpgradingVersionTenants(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication deleting with valid upgrading (version dependant) tenants",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/capapplicationversion/cat-provider-version.yaml",
+				"testdata/capapplicationversion/cav-ready-deleting.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-deleting.yaml",
+			expectError:       false, // cav is requeued until dependants are gone
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPApplicationVersion: {{Namespace: "default", Name: "test-cap-01-cav-v1"}}},
+		},
+	)
+}
+
+func TestCAV_DeletedWithNoTenants(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication deleting with no relevant tenants",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/capapplicationversion/cav-ready-deleting.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-deleted.yaml", //finalizers removed
+		},
+	)
+}
+
+func TestCAV_DeletedWithUnknownStatusNoFinalizers(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication deleting with unknown status and no finalizers",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/capapplicationversion/cat-provider-version.yaml",
+				"testdata/capapplicationversion/cav-unknown-deleting.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-deleted-unknown.yaml", //finalizers not existing
+		},
+	)
+}
+
+func TestCAV_ProbesResources(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with probes and resources",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/capapplicationversion/cav-probes-and-resources.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-ready-probes-and-resources.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2237", // Probes and resources should be applied to deployments and jobs
+			},
+		},
+	)
+}
+
+func TestCAV_AppNetworkPolicy(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with default network policies",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/capapplicationversion/cav-probes-and-resources.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-ready-app-netpol.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2638", // Default network policy w/o cluster type ports
+				"ERP4SMEPREPWORKAPPPLAT-2707", //No N/w policies exist
+				"ERP4SMEPREPWORKAPPPLAT-2707", // Split n/w policies
+			},
+		},
+	)
+}
+
+func TestCAV_ClusterPortNetworkPolicy(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with cluster network policy ports",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/capapplicationversion/cav-cluster-netpol-port.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-ready-cluster-netpol-port.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2638", // Network policy for cluster-wide "tech" ports
+				"ERP4SMEPREPWORKAPPPLAT-2707", // No fallback cluster network policy
+				"ERP4SMEPREPWORKAPPPLAT-2707", // Split n/w policies
+			},
+		},
+	)
+}
+
+func TestCAV_SecurityContext(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with container security context",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/capapplicationversion/cav-security-context.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-ready-security-context.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2573", // Security Context for containers
+			},
+		},
+	)
+}
+
+func TestCAV_PodSecurityContext(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with pod security context",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/capapplicationversion/cav-pod-security-context.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-ready-pod-security-context.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2573", // Security Context for containers
+			},
+		},
+	)
+}
+
+func TestCAV_Annotations(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPApplicationVersion, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-cav-v1"}},
+		TestData{
+			description: "capapplication version with annotations",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/capapplicationversion/content-job-completed.yaml",
+				"testdata/capapplicationversion/cav-annotations.yaml",
+			},
+			expectedResources: "testdata/capapplicationversion/expected/cav-ready-annotations.yaml",
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2885", // Annotations supported
+			},
+		},
+	)
+}
diff --git a/internal/controller/reconcile-captenant.go b/internal/controller/reconcile-captenant.go
new file mode 100644
index 0000000..43c5681
--- /dev/null
+++ b/internal/controller/reconcile-captenant.go
@@ -0,0 +1,697 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"time"
+
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/klog/v2"
+)
+
+type IdentifiedCAPTenantOperations struct {
+	active    []v1alpha1.CAPTenantOperation
+	processed []v1alpha1.CAPTenantOperation
+}
+
+type CAPTenantOperationTypeSelector string
+
+type CAPTenantStateHandlerFunc func(ctx context.Context, c *Controller, cat *v1alpha1.CAPTenant, target StateCondition, ctop *v1alpha1.CAPTenantOperation) (*ReconcileResult, error)
+
+type StateCondition struct {
+	state           v1alpha1.CAPTenantState
+	conditionReason string
+	conditionStatus metav1.ConditionStatus
+}
+
+type TargetStateHandler struct {
+	target  StateCondition
+	handler CAPTenantStateHandlerFunc
+}
+
+type StatusInfo struct {
+	failed     TargetStateHandler
+	completed  TargetStateHandler
+	processing TargetStateHandler
+}
+
+const (
+	CAPTenantOperationTypeSelectorAll            CAPTenantOperationTypeSelector = "All"
+	CAPTenantOperationTypeSelectorUpgrade        CAPTenantOperationTypeSelector = CAPTenantOperationTypeSelector(v1alpha1.CAPTenantOperationTypeUpgrade)
+	CAPTenantOperationTypeSelectorProvisioning   CAPTenantOperationTypeSelector = CAPTenantOperationTypeSelector(v1alpha1.CAPTenantOperationTypeProvisioning)
+	CAPTenantOperationTypeSelectorDeprovisioning CAPTenantOperationTypeSelector = CAPTenantOperationTypeSelector(v1alpha1.CAPTenantOperationTypeDeprovisioning)
+)
+
+const (
+	CAPTenantEventProcessingStarted                 = "ProcessingStarted"
+	CAPTenantEventProvisioningFailed                = "ProvisioningFailed"
+	CAPTenantEventProvisioningCompleted             = "ProvisioningCompleted"
+	CAPTenantEventProvisioningOperationCreated      = "ProvisioningOperationCreated"
+	CAPTenantEventDeprovisioningFailed              = "DeprovisioningFailed"
+	CAPTenantEventDeprovisioningCompleted           = "DeprovisioningCompleted"
+	CAPTenantEventDeprovisioningOperationCreated    = "DeprovisioningOperationCreated"
+	CAPTenantEventUpgradeFailed                     = "UpgradeFailed"
+	CAPTenantEventUpgradeCompleted                  = "UpgradeCompleted"
+	CAPTenantEventUpgradeOperationCreated           = "UpgradeOperationCreated"
+	CAPTenantEventTenantNetworkingModified          = "TenantNetworkingModified"
+	CAPTenantEventVirtualServiceModificationFailed  = "VirtualServiceModificationFailed"
+	CAPTenantEventDestinationRuleModificationFailed = "DestinationRuleModificationFailed"
+	CAPTenantEventInvalidReference                  = "InvalidReference"
+	CAPTenantEventAutoVersionUpdate                 = "AutoVersionUpdate"
+)
+
+const (
+	EventActionReconcileTenantNetworking = "ReconcileTenantNetworking"
+	EventActionPrepare                   = "Prepare"
+	EventActionUpgrade                   = "Upgrade"
+)
+
+// maps tenant operation types (and their status) to CAPTenant status changes
+var TenantOperationStatusMap = map[v1alpha1.CAPTenantOperationType]StatusInfo{
+	v1alpha1.CAPTenantOperationTypeProvisioning: {
+		failed: TargetStateHandler{
+			target:  StateCondition{state: v1alpha1.CAPTenantStateProvisioningError, conditionReason: CAPTenantEventProvisioningFailed, conditionStatus: metav1.ConditionFalse},
+			handler: handleFailingTenantOperation,
+		},
+		completed: TargetStateHandler{
+			target:  StateCondition{state: v1alpha1.CAPTenantStateReady, conditionReason: CAPTenantEventProvisioningCompleted, conditionStatus: metav1.ConditionTrue},
+			handler: handleCompletedProvisioningUpgradeOperation,
+		},
+		processing: TargetStateHandler{
+			target:  StateCondition{state: v1alpha1.CAPTenantStateProvisioning, conditionReason: CAPTenantEventProvisioningOperationCreated, conditionStatus: metav1.ConditionFalse},
+			handler: handleWaitingForTenantOperation,
+		},
+	},
+	v1alpha1.CAPTenantOperationTypeUpgrade: { // NOTE: during upgrades the ready condition status remains "True" as the tenant is in use
+		failed: TargetStateHandler{
+			target:  StateCondition{state: v1alpha1.CAPTenantStateUpgradeError, conditionReason: CAPTenantEventUpgradeFailed, conditionStatus: metav1.ConditionTrue},
+			handler: handleFailingTenantOperation,
+		},
+		completed: TargetStateHandler{
+			target:  StateCondition{state: v1alpha1.CAPTenantStateReady, conditionReason: CAPTenantEventUpgradeCompleted, conditionStatus: metav1.ConditionTrue},
+			handler: handleCompletedProvisioningUpgradeOperation,
+		},
+		processing: TargetStateHandler{
+			target:  StateCondition{state: v1alpha1.CAPTenantStateUpgrading, conditionReason: CAPTenantEventUpgradeOperationCreated, conditionStatus: metav1.ConditionTrue},
+			handler: handleWaitingForTenantOperation,
+		},
+	},
+	v1alpha1.CAPTenantOperationTypeDeprovisioning: {
+		failed: TargetStateHandler{
+			target:  StateCondition{state: v1alpha1.CAPTenantStateDeleting, conditionReason: CAPTenantEventDeprovisioningFailed, conditionStatus: metav1.ConditionFalse},
+			handler: handleFailingTenantOperation,
+		},
+		completed: TargetStateHandler{
+			target:  StateCondition{state: v1alpha1.CAPTenantStateDeleting, conditionReason: CAPTenantEventDeprovisioningCompleted, conditionStatus: metav1.ConditionFalse},
+			handler: removeTenantFinalizers,
+		},
+		processing: TargetStateHandler{
+			target:  StateCondition{state: v1alpha1.CAPTenantStateDeleting, conditionReason: CAPTenantEventDeprovisioningOperationCreated, conditionStatus: metav1.ConditionFalse},
+			handler: handleWaitingForTenantOperation,
+		},
+	},
+}
+
+func getTenantReconcileResultConsideringDeletion(cat *v1alpha1.CAPTenant, fallback *ReconcileResult) *ReconcileResult {
+	if cat.DeletionTimestamp != nil && cat.Status.State != v1alpha1.CAPTenantStateDeleting {
+		return NewReconcileResultWithResource(ResourceCAPTenant, cat.Name, cat.Namespace, 15*time.Second)
+	}
+	return fallback
+}
+
+var handleWaitingForTenantOperation = func(ctx context.Context, c *Controller, cat *v1alpha1.CAPTenant, target StateCondition, ctop *v1alpha1.CAPTenantOperation) (*ReconcileResult, error) {
+	// NOTE: not returning a requeue item is ok, as changes in CAPTenantOperation status will queue the item via the informer
+	cat.SetStatusWithReadyCondition(target.state, target.conditionStatus, target.conditionReason, fmt.Sprintf("waiting for %s %s.%s of type %s to complete", v1alpha1.CAPTenantOperationKind, ctop.Namespace, ctop.Name, ctop.Spec.Operation))
+	return NewReconcileResultWithResource(ResourceCAPTenant, cat.Name, cat.Namespace, 15*time.Second), nil // requeue while the tenant operation is being processed
+}
+
+var handleCompletedProvisioningUpgradeOperation = func(ctx context.Context, c *Controller, cat *v1alpha1.CAPTenant, target StateCondition, ctop *v1alpha1.CAPTenantOperation) (*ReconcileResult, error) {
+	message := fmt.Sprintf("%s %s.%s successfully completed", v1alpha1.CAPTenantOperationKind, ctop.Namespace, ctop.Name)
+	c.Event(cat, ctop, corev1.EventTypeNormal, target.conditionReason, string(target.state), message)
+
+	ca, err := c.crdInformerFactory.Sme().V1alpha1().CAPApplications().Lister().CAPApplications(cat.Namespace).Get(cat.Spec.CAPApplicationInstance)
+	if err != nil {
+		return nil, err
+	}
+	// check for dns entries only when there are secondary domains
+	if len(ca.Spec.Domains.Secondary) > 0 {
+		// Check if all Tenant DNSEntries are Ready
+		processing, err := c.checkTenantDNSEntries(ctx, cat)
+		if err != nil {
+			klog.Error("error with DNS Entries for CAPTenant ", cat.Namespace, ".", cat.Name)
+			return nil, err
+		}
+		if processing {
+			// requeue to iterate this check after a delay
+			return NewReconcileResultWithResource(ResourceCAPTenant, cat.Name, cat.Namespace, 10*time.Second), nil
+		}
+	}
+
+	// check and reconcile tenant virtual service
+	// adjust virtual service only when tenant is finalizing (after provisioning or upgrade)
+	requeue, err := c.reconcileTenantNetworking(ctx, cat, ctop.Spec.CAPApplicationVersionInstance, ca)
+	if err != nil || requeue != nil {
+		return requeue, err
+	}
+
+	// the ObservedGeneration of the tenant should be updated here (when Ready)
+	cat.SetStatusWithReadyCondition(target.state, target.conditionStatus, target.conditionReason, message)
+	cat.SetStatusCAPApplicationVersion(ctop.Spec.CAPApplicationVersionInstance)
+	return getTenantReconcileResultConsideringDeletion(cat, nil), nil
+}
+
+var handleFailingTenantOperation = func(ctx context.Context, c *Controller, cat *v1alpha1.CAPTenant, target StateCondition, ctop *v1alpha1.CAPTenantOperation) (*ReconcileResult, error) {
+	var (
+		message string
+		related runtime.Object = nil
+	)
+	if ctop == nil {
+		message = fmt.Sprintf("could not identify %s for tenant state %s", v1alpha1.CAPTenantOperationKind, cat.Status.State)
+	} else {
+		message = fmt.Sprintf("%s %s.%s failed", v1alpha1.CAPTenantOperationKind, ctop.Namespace, ctop.Name)
+		related = ctop
+	}
+
+	c.Event(cat, related, corev1.EventTypeWarning, target.conditionReason, string(target.state), message)
+	cat.SetStatusWithReadyCondition(target.state, target.conditionStatus, target.conditionReason, message)
+	return getTenantReconcileResultConsideringDeletion(cat, nil), nil
+}
+
+var removeTenantFinalizers = func(ctx context.Context, c *Controller, cat *v1alpha1.CAPTenant, target StateCondition, ctop *v1alpha1.CAPTenantOperation) (*ReconcileResult, error) {
+	if ctop != nil {
+		c.Event(cat, ctop, corev1.EventTypeNormal, target.conditionReason, string(target.state), fmt.Sprintf("%s of %s %s.%s successfully completed; attempting to remove finalizers", ctop.Spec.Operation, v1alpha1.CAPTenantKind, cat.Namespace, cat.Name))
+	}
+
+	// remove known finalizer
+	if removeFinalizer(&cat.Finalizers, FinalizerCAPTenant) {
+		return c.updateCAPTenant(ctx, cat, false)
+	}
+	return nil, nil
+}
+
+func (c *Controller) reconcileCAPTenant(ctx context.Context, item QueueItem, attempts int) (requeue *ReconcileResult, err error) {
+	cached, err := c.crdInformerFactory.Sme().V1alpha1().CAPTenants().Lister().CAPTenants(item.ResourceKey.Namespace).Get(item.ResourceKey.Name)
+	if err != nil {
+		return nil, handleOperatorResourceErrors(err)
+	}
+	cat := cached.DeepCopy()
+
+	defer func() {
+		if statusErr := c.updateCAPTenantStatus(ctx, cat); statusErr != nil && err != nil {
+			err = statusErr
+		}
+	}()
+
+	// prepare owner refs, labels, finalizers
+	if update, err := c.prepareCAPTenant(ctx, cat); err != nil {
+		return nil, err
+	} else if update {
+		return c.updateCAPTenant(ctx, cat, true)
+	}
+
+	// Skip processing until the right version is set on the CAPTenant (via CAPApplication)
+	// This indirectly ensures that we do not create duplicate tenant operations for consumer tenant provisioning scenarios!
+	if cat.Spec.Version == "" {
+		klog.Info(v1alpha1.CAPTenantKind, " without version detected, skip processing until version is set on ", cat.Namespace, ".", cat.Name)
+		return requeue, nil
+	}
+
+	if cat.DeletionTimestamp == nil {
+		// Create relevant DNSEntries for this tenant. DNS entries are checked before setting the tenant as ready
+		if err = c.reconcileTenantDNSEntries(ctx, cat); err != nil {
+			return
+		}
+	}
+
+	// create and track CAPTenantOperations based on state, deletion timestamp, version change etc.
+	requeue, err = c.handleTenantOperationsForCAPTenant(ctx, cat)
+	if err != nil || requeue != nil {
+		return
+	}
+
+	if cat.DeletionTimestamp == nil && cat.Status.CurrentCAPApplicationVersionInstance != "" {
+		requeue, err = c.reconcileTenantNetworking(ctx, cat, cat.Status.CurrentCAPApplicationVersionInstance, nil)
+	}
+
+	return
+}
+
+func (c *Controller) updateCAPTenant(ctx context.Context, cat *v1alpha1.CAPTenant, requeue bool) (result *ReconcileResult, err error) {
+	var catUpdated *v1alpha1.CAPTenant
+	catUpdated, err = c.crdClient.SmeV1alpha1().CAPTenants(cat.Namespace).Update(ctx, cat, metav1.UpdateOptions{})
+	// Update reference to the resource
+	if catUpdated != nil {
+		*cat = *catUpdated
+	}
+	if requeue {
+		result = NewReconcileResultWithResource(ResourceCAPTenant, cat.Name, cat.Namespace, 0)
+	}
+	return
+}
+
+func findLatestCreatedTenantOperation(ops []v1alpha1.CAPTenantOperation, selector CAPTenantOperationTypeSelector) (latest *v1alpha1.CAPTenantOperation) {
+	for _, op := range ops {
+		// workaround to fix pointer resolution after loop -> https://stackoverflow.com/questions/45967305/copying-the-address-of-a-loop-variable-in-go
+		ctop := op
+		if selector != CAPTenantOperationTypeSelectorAll && CAPTenantOperationTypeSelector(ctop.Spec.Operation) != selector {
+			continue
+		}
+		if latest == nil || ctop.CreationTimestamp.After(latest.CreationTimestamp.Time) {
+			latest = &ctop
+		}
+	}
+
+	return latest
+}
+
+func findCAPTenantOperationTypeFromProcessingState(state v1alpha1.CAPTenantState) v1alpha1.CAPTenantOperationType {
+	var opType v1alpha1.CAPTenantOperationType
+	for k, v := range TenantOperationStatusMap {
+		if v.processing.target.state == state {
+			opType = k
+			break
+		}
+	}
+	return opType
+}
+
+func isTenantOperationConditionFailed(ctop *v1alpha1.CAPTenantOperation) bool {
+	ready := ctop.Status.GenericStatus.Conditions[0]
+	// NOTE: check reason != StepCompleted, instead of == StepFailed (operation could fail because of multiple reasons)
+	if ready.Status == metav1.ConditionTrue && ready.Reason != CAPTenantOperationConditionReasonStepCompleted {
+		return true
+	}
+	return false
+}
+
+func (c *Controller) handleTenantOperationsForCAPTenant(ctx context.Context, cat *v1alpha1.CAPTenant) (*ReconcileResult, error) {
+	ops, err := c.getCAPTenantOperationsByType(ctx, cat, CAPTenantOperationTypeSelectorAll)
+	if err != nil {
+		return nil, err
+	}
+
+	// [1] wait for active operations to complete
+	if len(ops.active) > 0 {
+		if len(ops.active) > 1 {
+			klog.Warningf("identified multiple active CAPTenantOperations for %s %s.%s", v1alpha1.CAPTenantKind, cat.Namespace, cat.Name)
+		}
+		ctop := findLatestCreatedTenantOperation(ops.active, CAPTenantOperationTypeSelectorAll)
+		targetInfo := TenantOperationStatusMap[ctop.Spec.Operation].processing
+		return targetInfo.handler(ctx, c, cat, targetInfo.target, ctop)
+	}
+
+	// [2] look for operations which have recently finished and set status accordingly
+	if cat.Status.State == v1alpha1.CAPTenantStateProvisioning || cat.Status.State == v1alpha1.CAPTenantStateUpgrading || cat.Status.State == v1alpha1.CAPTenantStateDeleting {
+		opType := findCAPTenantOperationTypeFromProcessingState(cat.Status.State)
+		ctop := findLatestCreatedTenantOperation(ops.processed, CAPTenantOperationTypeSelector(opType))
+		var targetInfo TargetStateHandler
+		if ctop != nil {
+			if isTenantOperationConditionFailed(ctop) { // operation state is failed or the operation does not exist
+				targetInfo = TenantOperationStatusMap[opType].failed
+			} else { // operation state is completed
+				targetInfo = TenantOperationStatusMap[opType].completed
+			}
+			return targetInfo.handler(ctx, c, cat, targetInfo.target, ctop)
+		} // else => fall through to create new operation - also for deprovisioning
+	}
+
+	// [3] create new tenant operations when necessary
+	return c.handleNewTenantOperations(ctx, cat, ops)
+}
+
+func (c *Controller) handleNewTenantOperations(ctx context.Context, cat *v1alpha1.CAPTenant, ops *IdentifiedCAPTenantOperations) (*ReconcileResult, error) {
+	// (1)) process deletion when Deletion timestamp is set
+	if cat.DeletionTimestamp != nil {
+		if cat.Status.CurrentCAPApplicationVersionInstance == "" {
+			// there is no valid version so far -> deprovisioning is not required
+			return removeTenantFinalizers(ctx, c, cat, TenantOperationStatusMap[v1alpha1.CAPTenantOperationTypeDeprovisioning].completed.target, nil)
+		} else {
+			return c.triggerTenantOperation(ctx, cat, v1alpha1.CAPTenantOperationTypeDeprovisioning)
+		}
+	}
+
+	// (2) Check whether a new tenant operation is required (in case of ProvisioningError / UpgradeError)
+	if isRequired, err := c.isNewTenantOperationRequired(ctx, cat, ops); err != nil || !isRequired {
+		return nil, err
+	}
+
+	// (3) start provisioning when there is no current version
+	if cat.Status.CurrentCAPApplicationVersionInstance == "" {
+		return c.triggerTenantOperation(ctx, cat, v1alpha1.CAPTenantOperationTypeProvisioning)
+	}
+
+	// (4) check for newer version to upgrade
+	return c.tryForTenantUpgrade(ctx, cat)
+}
+
+func (c *Controller) isNewTenantOperationRequired(ctx context.Context, cat *v1alpha1.CAPTenant, ops *IdentifiedCAPTenantOperations) (bool, error) {
+	if cat.Status.State != v1alpha1.CAPTenantStateProvisioningError && cat.Status.State != v1alpha1.CAPTenantStateUpgradeError {
+		return true, nil
+	}
+
+	// find existing operation (processed) - there can be no active operations at this point in the code (active operations have already been considered)
+	var opType v1alpha1.CAPTenantOperationType
+	if cat.Status.State == v1alpha1.CAPTenantStateProvisioningError {
+		opType = v1alpha1.CAPTenantOperationTypeProvisioning
+	} else {
+		opType = v1alpha1.CAPTenantOperationTypeUpgrade
+	}
+	ctop := findLatestCreatedTenantOperation(ops.processed, CAPTenantOperationTypeSelector(opType))
+	if ctop == nil {
+		// a new tenant operation is to be created when there are none existing (or older ones have been deleted manually)
+		return true, nil
+	}
+
+	cav, err := c.getCAPApplicationVersionForTenantOperationType(ctx, cat, opType)
+	if err != nil || cav == nil {
+		return false, err
+	}
+
+	// a new tenant operation needs to be created when there is a different CAPApplicationVersion available for the lifecycle operation
+	return ctop.Spec.CAPApplicationVersionInstance != cav.Name, nil
+}
+
+// create a CAPTenantOperation instance of a specific type (provisioning/deprovisioning/upgrade)
+func (c *Controller) createCAPTenantOperation(ctx context.Context, cat *v1alpha1.CAPTenant, opType v1alpha1.CAPTenantOperationType) (*v1alpha1.CAPTenantOperation, error) {
+	// delete all previous tenant operations of the current type
+	labelsMap := map[string]string{
+		LabelOwnerIdentifierHash: sha1Sum(cat.Namespace, cat.Name),
+		LabelTenantOperationType: string(opType),
+	}
+	selector, err := labels.ValidatedSelectorFromSet(labelsMap)
+	if err != nil {
+		return nil, err
+	}
+	err = c.crdClient.SmeV1alpha1().CAPTenantOperations(cat.Namespace).DeleteCollection(ctx, metav1.DeleteOptions{}, metav1.ListOptions{LabelSelector: selector.String()})
+	if err != nil {
+		return nil, fmt.Errorf("deletion of previous %ss of type %s failed: %s", v1alpha1.CAPTenantOperationKind, opType, err.Error())
+	}
+
+	// get CAPApplicationVersion to be used for the TenantOperation job
+	cav, err := c.getCAPApplicationVersionForTenantOperationType(ctx, cat, opType)
+	if err != nil {
+		return nil, err
+	}
+
+	// determine operation steps
+	steps, err := deriveStepsForTenantOperation(cav, opType)
+	if err != nil {
+		return nil, err
+	}
+
+	// create CAPTenantOperation
+	ctop := &v1alpha1.CAPTenantOperation{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace:       cat.Namespace,
+			GenerateName:    cat.Name + "-",
+			OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(cat, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPTenantKind))},
+			Finalizers:      []string{FinalizerCAPTenantOperation},
+		},
+		Spec: v1alpha1.CAPTenantOperationSpec{
+			Operation:                     opType,
+			BTPTenantIdentification:       v1alpha1.BTPTenantIdentification{SubDomain: cat.Spec.SubDomain, TenantId: cat.Spec.TenantId},
+			CAPApplicationVersionInstance: cav.Name,
+			Steps:                         steps,
+		},
+	}
+	addCAPTenantOperationLabels(ctop, cat) // NOTE: this is very important to do here as subsequent reconciliation of tenant will be inconsistent otherwise
+	return c.crdClient.SmeV1alpha1().CAPTenantOperations(cat.Namespace).Create(ctx, ctop, metav1.CreateOptions{})
+}
+
+func deriveStepsForTenantOperation(cav *v1alpha1.CAPApplicationVersion, opType v1alpha1.CAPTenantOperationType) (steps []v1alpha1.CAPTenantOperationStep, err error) {
+	defaultSteps := func() {
+		// if there are no specified steps, add only one step of type TenantOperation
+		workload := getRelevantJob(v1alpha1.JobTenantOperation, cav)
+		if workload == nil { // fallback to CAP workload
+			workload = getRelevantDeployment(v1alpha1.DeploymentCAP, cav)
+		}
+		if workload == nil {
+			// cannot proceed further without an identified workload
+			err = fmt.Errorf("could not find workload of type %s or %s in %s %s.%s", v1alpha1.JobTenantOperation, v1alpha1.DeploymentCAP, v1alpha1.CAPApplicationVersionKind, cav.Namespace, cav.Name)
+		} else {
+			steps = []v1alpha1.CAPTenantOperationStep{{Name: workload.Name, Type: v1alpha1.JobTenantOperation}}
+		}
+	}
+
+	if cav.Spec.TenantOperations == nil {
+		defaultSteps()
+		return
+	}
+
+	var ops []v1alpha1.TenantOperationWorkloadReference
+	switch opType {
+	case v1alpha1.CAPTenantOperationTypeProvisioning:
+		ops = cav.Spec.TenantOperations.Provisioning
+	case v1alpha1.CAPTenantOperationTypeDeprovisioning:
+		ops = cav.Spec.TenantOperations.Deprovisioning
+	case v1alpha1.CAPTenantOperationTypeUpgrade:
+		ops = cav.Spec.TenantOperations.Upgrade
+	}
+
+	if len(ops) == 0 {
+		defaultSteps()
+		return
+	}
+
+	steps = []v1alpha1.CAPTenantOperationStep{}
+	addedTenantOprJob := false
+	for _, entry := range ops {
+		workload := getWorkloadByName(entry.WorkloadName, cav)
+		switch workload.JobDefinition.Type {
+		case v1alpha1.JobTenantOperation:
+			addedTenantOprJob = true
+			fallthrough
+		case v1alpha1.JobCustomTenantOperation:
+			// continuing the tenant operation on failure is not possible for tenant operation jobs
+			continueOnFailure := (workload.JobDefinition.Type != v1alpha1.JobTenantOperation) && entry.ContinueOnFailure
+			steps = append(steps, v1alpha1.CAPTenantOperationStep{Name: entry.WorkloadName, Type: workload.JobDefinition.Type, ContinueOnFailure: continueOnFailure})
+		default:
+			continue // ignore all other types (even if specified)
+		}
+	}
+	if !addedTenantOprJob { // ensure step of type TenantOperation is added
+		return nil, fmt.Errorf("specified steps for operation %s does not contain a step of type %s", opType, v1alpha1.JobTenantOperation)
+	}
+	return
+}
+
+// trigger CAPTenantOperation creation and change status of tenant
+func (c *Controller) triggerTenantOperation(ctx context.Context, cat *v1alpha1.CAPTenant, opType v1alpha1.CAPTenantOperationType) (*ReconcileResult, error) {
+	// Create CAPTenantOperation
+	ctop, err := c.createCAPTenantOperation(ctx, cat, opType)
+	if err != nil {
+		return nil, err
+	}
+
+	// call status handler
+	targetInfo := TenantOperationStatusMap[opType].processing
+	c.Event(cat, ctop, corev1.EventTypeNormal, targetInfo.target.conditionReason, string(targetInfo.target.state), fmt.Sprintf("%s %s.%s of type %s created", v1alpha1.CAPTenantOperationKind, ctop.Namespace, ctop.Name, ctop.Spec.Operation))
+	return targetInfo.handler(ctx, c, cat, targetInfo.target, ctop)
+}
+
+func (c *Controller) getCAPTenantOperationsByType(ctx context.Context, cat *v1alpha1.CAPTenant, operationTypeSelector CAPTenantOperationTypeSelector) (*IdentifiedCAPTenantOperations, error) {
+	labelsMap := map[string]string{
+		LabelOwnerIdentifierHash: sha1Sum(cat.Namespace, cat.Name),
+	}
+	if operationTypeSelector != CAPTenantOperationTypeSelectorAll {
+		labelsMap[LabelTenantOperationType] = string(operationTypeSelector)
+	}
+	selector, err := labels.ValidatedSelectorFromSet(labelsMap)
+	if err != nil {
+		return nil, err
+	}
+
+	// NOTE: do not use cache for listing (this is not a very frequent operation)
+	ops, err := c.crdClient.SmeV1alpha1().CAPTenantOperations(cat.Namespace).List(ctx, metav1.ListOptions{LabelSelector: selector.String()})
+	if err != nil {
+		return nil, err
+	}
+
+	var results = IdentifiedCAPTenantOperations{active: []v1alpha1.CAPTenantOperation{}, processed: []v1alpha1.CAPTenantOperation{}}
+	for _, ctop := range ops.Items {
+		if isCROConditionReady(ctop.Status.GenericStatus) {
+			results.processed = append(results.processed, ctop)
+		} else {
+			results.active = append(results.active, ctop)
+		}
+	}
+
+	return &results, nil
+}
+
+func (c *Controller) getCAPApplicationVersionForTenantOperationType(ctx context.Context, cat *v1alpha1.CAPTenant, opType v1alpha1.CAPTenantOperationType) (*v1alpha1.CAPApplicationVersion, error) {
+	// get owning CAPApplication
+	ca, _ := c.getCachedCAPApplication(cat.Namespace, cat.Spec.CAPApplicationInstance)
+
+	// get CAPApplication version
+	switch opType {
+	case v1alpha1.CAPTenantOperationTypeProvisioning, v1alpha1.CAPTenantOperationTypeUpgrade: // for provisioning or upgrade - use the relevant CAPApplicationVersion
+		// get relevant CAPApplicationVersion
+		cav, err := c.getRelevantCAPApplicationVersion(ctx, ca, cat.Spec.Version)
+		if err != nil {
+			return nil, err
+		}
+		klog.V(2).Info("identified CAPApplicationVersion ", cav.Namespace, ".", cav.Name, " (", cav.Spec.Version, ") for ", opType, " of CAPTenant ", cat.Namespace, ".", cat.Name)
+		return cav, nil
+	case v1alpha1.CAPTenantOperationTypeDeprovisioning: // for deletion - use the current CAPApplicationVersion (from status)
+		if cat.Status.CurrentCAPApplicationVersionInstance == "" {
+			return nil, fmt.Errorf("cannot identify %s for %s %s.%s", v1alpha1.CAPApplicationVersionKind, v1alpha1.CAPTenantKind, cat.Namespace, cat.Name)
+		}
+		cav, err := c.crdClient.SmeV1alpha1().CAPApplicationVersions(cat.Namespace).Get(ctx, cat.Status.CurrentCAPApplicationVersionInstance, metav1.GetOptions{})
+		if err != nil {
+			return nil, err
+		}
+		// verify status of CAPApplicationVersion
+		if !isCROConditionReady(cav.Status.GenericStatus) {
+			return nil, fmt.Errorf("%s %s.%s is not %s to be used for %s", v1alpha1.CAPApplicationVersionKind, cav.Namespace, cav.Name, v1alpha1.CAPApplicationVersionStateReady, opType)
+		}
+		// verify owner reference
+		if cav.Spec.CAPApplicationInstance != ca.Name {
+			return nil, fmt.Errorf("found deviating owner references for %s %s.%s and %s %s.%s", v1alpha1.CAPApplicationVersionKind, cav.Namespace, cav.Name, v1alpha1.CAPTenantKind, cat.Namespace, cat.Name)
+		}
+		return cav, nil
+	}
+	return nil, fmt.Errorf("unknown error when resolving %s for %s %s.%s", v1alpha1.CAPApplicationVersionKind, v1alpha1.CAPTenantKind, cat.Namespace, cat.Name)
+}
+
+func addCAPTenantLabels(cat *v1alpha1.CAPTenant, ca *v1alpha1.CAPApplication) (updated bool) {
+	appMetadata := appMetadataIdentifiers{
+		globalAccountId: ca.Spec.GlobalAccountId,
+		appName:         ca.Spec.BTPAppName,
+		ownerInfo: &ownerInfo{
+			ownerNamespace:  ca.Namespace,
+			ownerName:       ca.Name,
+			ownerGeneration: ca.Generation,
+		},
+	}
+	if updateLabelAnnotationMetadata(&cat.ObjectMeta, &appMetadata) {
+		updated = true
+	}
+	if _, ok := cat.ObjectMeta.Labels[LabelTenantId]; !ok {
+		cat.ObjectMeta.Labels[LabelTenantId] = cat.Spec.TenantId
+		updated = true
+	}
+	if _, ok := cat.ObjectMeta.Labels[LabelTenantType]; !ok {
+		if ca.Spec.Provider.TenantId == cat.Spec.TenantId {
+			cat.ObjectMeta.Labels[LabelTenantType] = ProviderTenantType
+		} else {
+			cat.ObjectMeta.Labels[LabelTenantType] = ConsumerTenantType
+		}
+		updated = true
+	}
+	return updated
+}
+
+func (c *Controller) prepareCAPTenant(ctx context.Context, cat *v1alpha1.CAPTenant) (update bool, err error) {
+	// Do nothing when object is deleted
+	if cat.DeletionTimestamp != nil {
+		return false, nil
+	}
+	ca, err := c.getCachedCAPApplication(cat.Namespace, cat.Spec.CAPApplicationInstance)
+	if err != nil {
+		msg := fmt.Sprintf("invalid %s reference", v1alpha1.CAPApplicationKind)
+		c.Event(cat, nil, corev1.EventTypeWarning, CAPTenantEventInvalidReference, EventActionPrepare, msg)
+		return false, err
+	}
+
+	// create owner reference - CAPApplication
+	if _, ok := getOwnerByKind(cat.OwnerReferences, v1alpha1.CAPApplicationKind); !ok {
+		cat.OwnerReferences = append(cat.OwnerReferences, *metav1.NewControllerRef(ca, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPApplicationKind)))
+		update = true
+	}
+
+	if addCAPTenantLabels(cat, ca) {
+		update = true
+	}
+
+	if cat.DeletionTimestamp == nil {
+		// set finalizers if not added
+		if cat.Finalizers == nil {
+			cat.Finalizers = []string{}
+		}
+		if addFinalizer(&cat.Finalizers, FinalizerCAPTenant) {
+			update = true
+		}
+	}
+	return update, nil
+}
+
+func (c *Controller) tryForTenantUpgrade(ctx context.Context, cat *v1alpha1.CAPTenant) (*ReconcileResult, error) {
+	// try for upgrade only when upgrade strategy is not 'never'
+	if cat.Spec.VersionUpgradeStrategy == v1alpha1.VersionUpgradeStrategyTypeNever {
+		return nil, nil
+	}
+
+	ca, err := c.getCachedCAPApplication(cat.Namespace, cat.Spec.CAPApplicationInstance)
+	if err != nil {
+		return nil, err
+	}
+
+	// fetch CAPApplicationVersion as per current tenant spec
+	cav, err := c.getRelevantCAPApplicationVersion(ctx, ca, cat.Spec.Version)
+	if err != nil {
+		return nil, err
+	}
+
+	// compare with current version
+	if cat.Status.CurrentCAPApplicationVersionInstance != cav.Name {
+		// update status of the CAPTenant - ready for upgrade
+		return c.triggerTenantOperation(ctx, cat, v1alpha1.CAPTenantOperationTypeUpgrade)
+	}
+
+	return nil, nil
+}
+
+func (c *Controller) updateCAPTenantStatus(ctx context.Context, cat *v1alpha1.CAPTenant) error {
+	if isDeletionImminent(&cat.ObjectMeta) {
+		return nil
+	}
+
+	if len(cat.Status.Conditions) == 0 {
+		// initialize conditions - with processing status
+		cat.SetStatusWithReadyCondition(cat.Status.State, metav1.ConditionFalse, CAPTenantEventProcessingStarted, "")
+	}
+	catUpdated, err := c.crdClient.SmeV1alpha1().CAPTenants(cat.Namespace).UpdateStatus(ctx, cat, metav1.UpdateOptions{})
+	// update reference to the resource
+	if catUpdated != nil {
+		*cat = *catUpdated
+	}
+	return err
+}
+
+func (*Controller) enforceTenantResourceOwnership(objMeta *metav1.ObjectMeta, typeMeta *metav1.TypeMeta, cat *v1alpha1.CAPTenant) (bool, error) {
+	var update bool
+	// verify owner references
+	if owner, ok := getOwnerByKind(objMeta.OwnerReferences, v1alpha1.CAPTenantKind); !ok {
+		// set owner reference
+		if objMeta.OwnerReferences == nil {
+			objMeta.OwnerReferences = []metav1.OwnerReference{}
+		}
+		objMeta.OwnerReferences = append(objMeta.OwnerReferences, *metav1.NewControllerRef(cat, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPTenantKind)))
+		update = true
+	} else if owner.Name != cat.Name {
+		return false, fmt.Errorf("invalid owner reference found for %s %s.%s", typeMeta.Kind, objMeta.Namespace, objMeta.Name)
+	}
+
+	// set labels, but do not set update to true (set based on  owner reference or spec changes)
+	if objMeta.Labels == nil {
+		objMeta.Labels = map[string]string{}
+	}
+	objMeta.Labels[LabelOwnerIdentifierHash] = sha1Sum(cat.Namespace, cat.Name)
+	objMeta.Labels[LabelOwnerGeneration] = strconv.FormatInt(cat.Generation, 10)
+	if objMeta.Annotations == nil {
+		objMeta.Annotations = map[string]string{}
+	}
+	objMeta.Annotations[AnnotationOwnerIdentifier] = cat.Namespace + "." + cat.Name
+
+	return update, nil
+}
diff --git a/internal/controller/reconcile-captenant_test.go b/internal/controller/reconcile-captenant_test.go
new file mode 100644
index 0000000..dd72e21
--- /dev/null
+++ b/internal/controller/reconcile-captenant_test.go
@@ -0,0 +1,595 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+)
+
+func TestInvalidCAPApplication(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description:      "new captenant with invalid capapplication reference",
+			initialResources: []string{"testdata/captenant/cat-01.initial.yaml"},
+			expectError:      true,
+		},
+	)
+}
+
+func TestLabelsOwnerRefs(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-consumer"}},
+		TestData{
+			description:       "new captenant without labels, finalizers and owner references",
+			initialResources:  []string{"testdata/common/capapplication.yaml", "testdata/captenant/cat-02.initial.yaml"},
+			expectedResources: "testdata/captenant/cat-02.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPTenant: {{Name: "test-cap-01-consumer", Namespace: "default"}}},
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-3351",
+			},
+		},
+	)
+}
+
+func TestWithoutSpecVersion(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-consumer"}},
+		TestData{
+			description:       "new captenant with labels, finalizers and owner references and no version in spec",
+			initialResources:  []string{"testdata/common/capapplication.yaml", "testdata/captenant/cat-with-no-version.yaml"},
+			expectedResources: "testdata/captenant/cat-with-no-version.yaml",
+		},
+	)
+}
+
+func TestInvalidVersion(t *testing.T) {
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-consumer"}},
+		TestData{
+			description: "new captenant with invalid version",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/captenant/cat-14.initial.yaml",
+			},
+			expectError: true,
+		},
+	)
+
+	if err.Error() != "could not find a CAPApplicationVersion with status Ready for CAPApplication default.test-cap-01 and version 5.6.7" {
+		t.Error("error message did not match expected")
+	}
+}
+
+func TestCAPTenantStartProvisioning(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-consumer"}},
+		TestData{
+			description: "new captenant start provisioning (with secondary domains)",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/captenant/cat-03.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-03.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPTenant: {{Namespace: "default", Name: "test-cap-01-consumer"}}},
+		},
+	)
+}
+
+func TestCAPTenantProvisioningCompletedDNSEntriesNotReady(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant provisioning operation completed dns entries not ready",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/captenant/provider-tenant-dnsentry-not-ready.yaml",
+				"testdata/captenant/cat-04.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-04.initial.yaml", // expect the same resource state
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPTenant: {{Namespace: "default", Name: "test-cap-01-provider"}}},
+		},
+	)
+}
+
+func TestCAPTenantProvisioningCompleted(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant provisioning operation completed (creates virtual service and destination rule)",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/operator-gateway.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/captenant/provider-tenant-dnsentry.yaml",
+				"testdata/captenant/cat-04.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-04.expected.yaml",
+			backlogItems:      []string{"ERP4SMEPREPWORKAPPPLAT-2811"},
+		},
+	)
+}
+
+func TestCAPTenantProvisioningCompletedDestinationRuleModificationFailure(t *testing.T) {
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant provisioning operation completed (destination rule creation fails)",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/operator-gateway.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/captenant/provider-tenant-dnsentry.yaml",
+				"testdata/captenant/cat-04.initial.yaml",
+			},
+			expectError:           true,
+			mockErrorForResources: []ResourceAction{{Verb: "create", Group: "networking.istio.io", Version: "v1beta1", Resource: "destinationrules", Namespace: "default", Name: "test-cap-01-provider"}},
+			backlogItems:          []string{"ERP4SMEPREPWORKAPPPLAT-2811"},
+		},
+	)
+	if err.Error() != "mocked api error (destinationrules.networking.istio.io/v1beta1)" {
+		t.Error("error message is different from expected")
+	}
+}
+
+func TestCAPTenantProvisioningFailed(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant provisioning operation failed",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/captenant/cat-05.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-05.expected.yaml",
+		},
+	)
+}
+
+func TestCAPTenantProvisioningRequestFailedWithInvalidEnv(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant provisioning operation failed due to invalid env (status reason)",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-invalid-env.yaml",
+				"testdata/captenant/cat-26.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-05.expected.yaml",
+		},
+	)
+}
+
+func TestCAPTenantProvisioningRequestDeleted(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant provisioning operation deleted while tenant is provisioning",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/captenant/cat-20.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-20.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPTenant: {{Namespace: "default", Name: "test-cap-01-provider"}}},
+		},
+	)
+}
+
+func TestCAPTenantWaitingForProvisioning(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant waiting for provisioning operation",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/captenant/cat-06.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-06.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPTenant: {{Namespace: "default", Name: "test-cap-01-provider"}}},
+		},
+	)
+}
+
+func TestCAPTenantStartUpgradeWithStrategyAlways(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant start upgrade from ready state with strategy always",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/captenant/cat-07.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-07.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPTenant: {{Namespace: "default", Name: "test-cap-01-provider"}}},
+		},
+	)
+}
+
+func TestCAPTenantStartUpgradeWithStrategyNever(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant start upgrade from ready state with strategy never ",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/operator-gateway.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/captenant/cat-08.initial.yaml",
+				"testdata/captenant/provider-tenant-vs-v1.yaml",
+				"testdata/captenant/provider-tenant-dr-v1.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-08.expected.yaml",
+		},
+	)
+}
+
+func TestCAPTenantDeprovisioningFromReady(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant deprovisioning from ready",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/captenant/cat-09.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-09.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPTenant: {{Namespace: "default", Name: "test-cap-01-provider"}}},
+		},
+	)
+}
+
+func TestCAPTenantDeprovisioningCompleted(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant deprovisioning completed",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/captenant/cat-10.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-10.expected.yaml",
+		},
+	)
+}
+
+func TestCAPTenantDeprovisioningFromProvisioningError(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant deprovisioning from provisioning error",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/captenant/cat-11.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-11.expected.yaml",
+		},
+	)
+}
+
+func TestCAPTenantUpgradeOperationCompleted(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant upgrade operation completed expecting virtual service, destination rule adjustments",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/operator-gateway.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/captenant/provider-tenant-dnsentry.yaml",
+				"testdata/captenant/provider-tenant-vs-v1.yaml",
+				"testdata/captenant/provider-tenant-dr-v1.yaml",
+				"testdata/captenant/cat-13.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-13.expected.yaml",
+			backlogItems:      []string{"ERP4SMEPREPWORKAPPPLAT-2811", "ERP4SMEPREPWORKAPPPLAT-3206"},
+		},
+	)
+}
+
+func TestCAPTenantUpgradeOperationCompletedPreviousVersionsLimited(t *testing.T) {
+	os.Setenv(v1alpha1.EnvMaxTenantVersionHistory, "3")
+	defer os.Unsetenv(v1alpha1.EnvMaxTenantVersionHistory)
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant upgrade operation completed expecting limited previous versions in status to be adjusted",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/operator-gateway.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/captenant/provider-tenant-dnsentry.yaml",
+				"testdata/captenant/provider-tenant-vs-v1.yaml",
+				"testdata/captenant/provider-tenant-dr-v1.yaml",
+				"testdata/captenant/cat-29.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-29.expected.yaml",
+			backlogItems:      []string{"ERP4SMEPREPWORKAPPPLAT-3206"},
+		},
+	)
+}
+
+func TestCAPTenantUpgradeRequestCompletedIncorrectVirtualServiceOwner(t *testing.T) {
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant upgrade operation completed, existing virtual service owner wrong",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/captenant/provider-tenant-dnsentry.yaml",
+				"testdata/captenant/cat-22.initial.yaml",
+			},
+			expectError: true,
+		},
+	)
+	if err.Error() != "invalid owner reference found for VirtualService default.test-cap-01-provider" {
+		t.Error("wrong error message")
+	}
+}
+
+func TestCAPTenantUpgradeRequestCompletedWithDeletionTriggered(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "captenant upgrade operation completed and deletion timestamp set",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/operator-gateway.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/captenant/provider-tenant-dnsentry.yaml",
+				"testdata/captenant/cat-21.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-21.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPTenant: {{Namespace: "default", Name: "test-cap-01-provider"}}},
+		},
+	)
+}
+
+func TestCAPTenantSubdomainChange(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "update captenant subdomain (no existing destination rule)",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/operator-gateway.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/captenant/changed-provider-tenant-dnsentry.yaml",
+				"testdata/captenant/cat-15.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-15.expected.yaml",
+			backlogItems:      []string{"ERP4SMEPREPWORKAPPPLAT-2811"},
+		},
+	)
+}
+
+func TestAdjustVirtualServiceWithoutOperatorGateway(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "reconcile virtual service (subdomain change) when operator gateway is not ready",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/captenant/changed-provider-tenant-dnsentry.yaml",
+				"testdata/captenant/cat-15.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-16.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPTenant: {{Namespace: "default", Name: "test-cap-01-provider"}}},
+		},
+	)
+}
+
+func TestCAPTenantDNSEntryModified(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "reconcile DNS Entry (subdomain change) update from existing DNSEntry",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/operator-gateway.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/captenant/to-be-updated-provider-tenant-dnsentry.yaml",
+				"testdata/captenant/cat-17.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-17.expected.yaml",
+			// DeleteCollection does not work for fake test client - the common_test framework currently mocks it by matching (only) labels
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-1817", "ERP4SMEPREPWORKAPPPLAT-2707", "ERP4SMEPREPWORKAPPPLAT-2811"},
+		},
+	)
+}
+
+func TestCAPTenantDNSEntryDeletedInCluster(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "reconcile DNS Entry (subdomain change) when existing DNSEntry was deleted in cluster",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/operator-gateway.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/captenant/cat-15.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-17.expected.yaml",
+			backlogItems:      []string{"ERP4SMEPREPWORKAPPPLAT-1817", "ERP4SMEPREPWORKAPPPLAT-2707"},
+		},
+	)
+}
+
+func TestCAPTenantWithUpgradeErrorSameVersion(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "tenant in UpgradeError state, no spec update, failed mtxrequest exists - expect no new mtxrequest",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/operator-gateway.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/common/capapplicationversion-v3.yaml",
+				"testdata/captenant/cat-23.initial.yaml",
+				"testdata/captenant/provider-tenant-vs-v1.yaml",
+				"testdata/captenant/provider-tenant-dr-v1.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-23.expected.yaml",
+		},
+	)
+}
+
+func TestCAPTenantWithUpgradeErrorUpdatedVersion(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "tenant in UpgradeError state, spec version incremented, failed mtxrequest exists - expect new mtxrequest to be created",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/common/capapplicationversion-v3.yaml",
+				"testdata/captenant/cat-24.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-24.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPTenant: {{Namespace: "default", Name: "test-cap-01-provider"}}},
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2977", // `Ready` condition stays `True` through upgrades
+			},
+		},
+	)
+}
+
+func TestCAPTenantWithUpgradeErrorSameVersionMTXRequestRemoved(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			description: "tenant in UpgradeError state, no spec update, failed mtxrequest removed - expect new mtxrequest",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2.yaml",
+				"testdata/common/capapplicationversion-v3.yaml",
+				"testdata/captenant/cat-25.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-25.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPTenant: {{Namespace: "default", Name: "test-cap-01-provider"}}},
+		},
+	)
+}
+
+func TestCAPTenantUpgradeWithoutTenantOperationWorkloadInVersion(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "captenant start upgrade deriving TenantOperation workload from CAP workload",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/capapplicationversion-v2-no-mtx-workload.yaml",
+				"testdata/captenant/cat-07.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-27.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPTenant: {{Namespace: "default", Name: "test-cap-01-provider"}}},
+		},
+	)
+}
+
+func TestCAPTenantStartProvisioningWithMultipleOperationSteps(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenant, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-consumer"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "captenant start provisioning with version containing multiple operation steps",
+			initialResources: []string{
+				"testdata/common/istio-ingress.yaml",
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v2-multiple-tenant-ops.yaml",
+				"testdata/captenant/cat-28.initial.yaml",
+			},
+			expectedResources: "testdata/captenant/cat-28.expected.yaml",
+			expectedRequeue:   map[int][]NamespacedResourceKey{ResourceCAPTenant: {{Namespace: "default", Name: "test-cap-01-consumer"}}},
+		},
+	)
+}
diff --git a/internal/controller/reconcile-captenantoperation.go b/internal/controller/reconcile-captenantoperation.go
new file mode 100644
index 0000000..42dce67
--- /dev/null
+++ b/internal/controller/reconcile-captenantoperation.go
@@ -0,0 +1,682 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/sap/cap-operator/internal/util"
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"golang.org/x/exp/slices"
+	batchv1 "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/klog/v2"
+)
+
+type ProvisioningPayload struct {
+	SubscribedSubdomain string `json:"subscribedSubdomain"`
+	EventType           string `json:"eventType"`
+}
+
+type UpgradePayload struct {
+	Tenants      []string `json:"tenants"`
+	AutoUnDeploy bool     `json:"autoUndeploy"`
+}
+
+type tentantOperationWorkload struct {
+	image                   string
+	imagePullPolicy         corev1.PullPolicy
+	command                 []string
+	env                     []corev1.EnvVar
+	resources               corev1.ResourceRequirements
+	securityContext         *corev1.SecurityContext
+	podSecurityContext      *corev1.PodSecurityContext
+	backoffLimit            *int32
+	ttlSecondsAfterFinished *int32
+}
+
+const (
+	CAPTenantOperationEventInvalidReference = "InvalidReference"
+)
+
+const (
+	EnvMTXJobImage            = "MTX_JOB_IMAGE"
+	MTXJobImageAllowedPattern = "^ghcr.io/sap/"
+	MTXJobImageDefault        = "ghcr.io/sap/cap-operator/mtx-job"
+	EnvIsMTXSEnabled          = "IS_MTXS_ENABLED"
+)
+
+type cros struct {
+	CAPTenant             *v1alpha1.CAPTenant
+	CAPApplication        *v1alpha1.CAPApplication
+	CAPApplicationVersion *v1alpha1.CAPApplicationVersion
+}
+
+const (
+	CAPTenantOperationConditionReasonStepProcessing      string = "StepProcessing"
+	CAPTenantOperationConditionReasonStepCompleted       string = "StepCompleted"
+	CAPTenantOperationConditionReasonStepFailed          string = "StepFailed"
+	CAPTenantOperationConditionReasonStepInitiated       string = "StepInitiated"
+	CAPTenantOperationConditionReasonStepProcessingError string = "StepProcessingError"
+)
+
+const (
+	EventActionCreateJob = "CreateJob"
+	EventActionTrackJob  = "TrackJob"
+)
+
+func (c *Controller) reconcileCAPTenantOperation(ctx context.Context, item QueueItem, attempts int) (result *ReconcileResult, err error) {
+	// cached, err := c.crdInformerFactory.Sme().V1alpha1().CAPTenantOperations().Lister().CAPTenantOperations(item.ResourceKey.Namespace).Get(item.ResourceKey.Name)
+	cached, err := c.crdClient.SmeV1alpha1().CAPTenantOperations(item.ResourceKey.Namespace).Get(ctx, item.ResourceKey.Name, metav1.GetOptions{})
+
+	if err != nil {
+		return nil, handleOperatorResourceErrors(err)
+	}
+	ctop := cached.DeepCopy()
+
+	defer func() {
+		if statusErr := c.updateCAPTenantOperationStatus(ctx, ctop); err == nil {
+			err = statusErr
+		}
+	}()
+
+	// prepare owner refs, labels, finalizers
+	if update, err := c.prepareCAPTenantOperation(ctop); err != nil {
+		return nil, err
+	} else if update {
+		return c.updateCAPTenantOperation(ctx, ctop, true)
+	}
+
+	if !isCROConditionReady(ctop.Status.GenericStatus) {
+		return c.reconcileTenantOperationSteps(ctx, ctop)
+	} else if ctop.DeletionTimestamp != nil {
+		return c.handleCAPTenantOperationDeletion(ctx, ctop)
+	}
+
+	return result, err
+}
+
+func (c *Controller) updateCAPTenantOperationStatus(ctx context.Context, ctop *v1alpha1.CAPTenantOperation) error {
+	if isDeletionImminent(&ctop.ObjectMeta) {
+		return nil
+	}
+
+	if ctop.DeletionTimestamp != nil {
+		// set appropriate state for deletion
+		ctop.Status.State = v1alpha1.CAPTenantOperationStateDeleting
+	} else if ctop.Status.State == "" {
+		// start processing
+		ctop.Status.State = v1alpha1.CAPTenantOperationStateProcessing
+	}
+
+	ctopUpdated, err := c.crdClient.SmeV1alpha1().CAPTenantOperations(ctop.Namespace).UpdateStatus(ctx, ctop, metav1.UpdateOptions{})
+	// update reference to the resource
+	if ctopUpdated != nil {
+		*ctop = *ctopUpdated
+	}
+	return err
+}
+
+func (c *Controller) prepareCAPTenantOperation(ctop *v1alpha1.CAPTenantOperation) (update bool, err error) {
+	// Do nothing when object is deleted
+	if ctop.DeletionTimestamp != nil {
+		return false, nil
+	}
+	cat, err := c.getCachedCAPTenant(ctop.Namespace, ctop.Spec.TenantId, true)
+	if err != nil {
+		msg := fmt.Sprintf("invalid %s reference", v1alpha1.CAPTenantKind)
+		c.Event(ctop, nil, corev1.EventTypeWarning, CAPTenantOperationEventInvalidReference, EventActionPrepare, msg)
+		return false, err
+	}
+
+	// create owner reference - CAPTenant
+	if _, ok := getOwnerByKind(ctop.OwnerReferences, v1alpha1.CAPTenantKind); !ok {
+		ctop.OwnerReferences = append(ctop.OwnerReferences, *metav1.NewControllerRef(cat, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPTenantKind)))
+		update = true
+	}
+
+	if addCAPTenantOperationLabels(ctop, cat) {
+		update = true
+	}
+
+	if ctop.DeletionTimestamp == nil {
+		// set finalizers if not added
+		if ctop.Finalizers == nil {
+			ctop.Finalizers = []string{}
+		}
+		if addFinalizer(&ctop.Finalizers, FinalizerCAPTenantOperation) {
+			update = true
+		}
+	}
+
+	return
+}
+
+func (c *Controller) getCachedCAPTenantFromOwnerReferences(refs []metav1.OwnerReference, namespace string) (*v1alpha1.CAPTenant, error) {
+	// get owning CAPTenant
+	owner, ok := getOwnerByKind(refs, v1alpha1.CAPTenantKind)
+	if !ok {
+		return nil, fmt.Errorf("could not find %s as owner reference", v1alpha1.CAPTenantKind)
+	}
+	return c.getCachedCAPTenant(namespace, owner.Name, false)
+}
+
+func (c *Controller) updateCAPTenantOperation(ctx context.Context, ctop *v1alpha1.CAPTenantOperation, requeue bool) (result *ReconcileResult, err error) {
+	var ctopUpdated *v1alpha1.CAPTenantOperation
+	ctopUpdated, err = c.crdClient.SmeV1alpha1().CAPTenantOperations(ctop.Namespace).Update(ctx, ctop, metav1.UpdateOptions{})
+	// Update reference to the resource
+	if ctopUpdated != nil {
+		*ctop = *ctopUpdated
+	}
+	if requeue {
+		result = NewReconcileResultWithResource(ResourceCAPTenantOperation, ctop.Name, ctop.Namespace, 1*time.Second)
+	}
+	return
+}
+
+func (c *Controller) handleCAPTenantOperationDeletion(ctx context.Context, ctop *v1alpha1.CAPTenantOperation) (*ReconcileResult, error) {
+	// remove finalizer
+	update := removeFinalizer(&ctop.Finalizers, FinalizerCAPTenantOperation)
+	if update {
+		return c.updateCAPTenantOperation(ctx, ctop, false)
+	}
+	return nil, nil
+}
+
+func (c *Controller) reconcileTenantOperationSteps(ctx context.Context, ctop *v1alpha1.CAPTenantOperation) (result *ReconcileResult, err error) {
+	/* NOTE REGARDING STEPS:
+	 * - Initially the the first step (1) is identified and updated in the status
+	 * - the job for the current step is created only in the next pass, which ensures that the current step in the status is always consistent
+	 * - when the job for the current step gets completed the current step is incremented in the status (a job created in the subsequent pass)
+	 * - the steps are sequentially executed till the end
+	 */
+
+	defer func() {
+		if err != nil {
+			c.Event(ctop, nil, corev1.EventTypeWarning, CAPTenantOperationConditionReasonStepProcessingError, EventActionTrackJob, err.Error())
+		}
+	}()
+
+	if ctop.Status.CurrentStep == nil { // set initial step
+		if len(ctop.Spec.Steps) == 0 {
+			err = fmt.Errorf("operation steps missing in %s %s.%s", v1alpha1.CAPTenantOperationKind, ctop.Namespace, ctop.Name)
+			ctop.SetStatusWithReadyCondition(v1alpha1.CAPTenantOperationStateFailed, metav1.ConditionTrue, CAPTenantOperationConditionReasonStepProcessingError, err.Error())
+			return
+		}
+		var initStep uint32 = 1
+		ctop.SetStatusCurrentStep(&initStep, nil)
+		return NewReconcileResultWithResource(ResourceCAPTenantOperation, ctop.Name, ctop.Namespace, 0), nil
+	}
+
+	defer func() {
+		if err != nil { // set step processing error in status
+			ctop.SetStatusWithReadyCondition(ctop.Status.State, metav1.ConditionFalse, CAPTenantOperationConditionReasonStepProcessingError, err.Error())
+		}
+	}()
+
+	// try to fetch active job
+	job, err := c.getActiveCAPTenantOperationJob(ctx, ctop)
+	if err != nil {
+		return
+	}
+
+	if job == nil { // create job for step
+		result, err = c.initiateJobForCAPTenantOperationStep(ctx, ctop)
+	} else { // track the job
+		if ctop.Status.ActiveJob == nil || job.Name != *ctop.Status.ActiveJob { // check whether status is in sync.
+			ctop.SetStatusCurrentStep(ctop.Status.CurrentStep, &job.Name)
+		}
+		result = c.setCAPTenantOperationStatusFromJob(ctop, job)
+	}
+
+	return
+}
+
+func (c *Controller) getActiveCAPTenantOperationJob(ctx context.Context, ctop *v1alpha1.CAPTenantOperation) (*batchv1.Job, error) {
+	// NOTE: read using label selector from the api server (not the cache)
+	currentStep := ctop.Spec.Steps[*ctop.Status.CurrentStep-1]
+	labelsMap := map[string]string{
+		LabelOwnerIdentifierHash: sha1Sum(ctop.Namespace, ctop.Name),
+		LabelTenantOperationType: string(ctop.Spec.Operation),
+		LabelTenantOperationStep: strconv.FormatInt(int64(*ctop.Status.CurrentStep), 10), // NOTE: step is required to read the job
+		LabelWorkloadType:        string(currentStep.Type),                               // NOTE: use step type and not workload type as TenantOperation could be derived from CAP
+		LabelWorkloadName:        currentStep.Name,
+	}
+	selector := labels.SelectorFromSet(labelsMap)
+	jobs, err := c.kubeClient.BatchV1().Jobs(ctop.Namespace).List(ctx, metav1.ListOptions{LabelSelector: selector.String()})
+	if err != nil {
+		return nil, err
+	}
+
+	switch len(jobs.Items) {
+	case 0:
+		return nil, nil
+	case 1:
+		return &jobs.Items[0], nil
+	default:
+		return nil, fmt.Errorf("multiple jobs exist for step %v of %s %s.%s", *ctop.Status.CurrentStep, v1alpha1.CAPTenantOperationKind, ctop.Namespace, ctop.Name)
+	}
+}
+
+func (c *Controller) setCAPTenantOperationStatusFromJob(ctop *v1alpha1.CAPTenantOperation, job *batchv1.Job) (result *ReconcileResult) {
+	var requeueAfter time.Duration = 1 * time.Second
+	status := struct {
+		state            v1alpha1.CAPTenantOperationState
+		conditionReason  string
+		conditionStatus  metav1.ConditionStatus
+		conditionMessage string
+		eventType        string
+	}{}
+
+	isFinalStep := false
+	if *ctop.Status.CurrentStep == uint32(len(ctop.Spec.Steps)) {
+		isFinalStep = true
+	}
+
+	processStepCompletion := func() {
+		status.conditionReason = CAPTenantOperationConditionReasonStepCompleted
+		if isFinalStep {
+			status.state = v1alpha1.CAPTenantOperationStateCompleted
+			status.conditionStatus = metav1.ConditionTrue
+			ctop.SetStatusCurrentStep(nil, nil)
+		} else {
+			status.state = v1alpha1.CAPTenantOperationStateProcessing
+			status.conditionStatus = metav1.ConditionFalse
+			nxtStep := *ctop.Status.CurrentStep + 1
+			ctop.SetStatusCurrentStep(&nxtStep, nil)
+		}
+	}
+
+	jobState := getJobState(job)
+	switch jobState {
+	case JobStateComplete:
+		status.conditionMessage = fmt.Sprintf("step %v/%v : job %s.%s completed", *ctop.Status.CurrentStep, len(ctop.Spec.Steps), job.Namespace, job.Name)
+		status.eventType = corev1.EventTypeNormal
+		processStepCompletion()
+	case JobStateFailed:
+		status.conditionMessage = fmt.Sprintf("step %v/%v : job %s.%s failed", *ctop.Status.CurrentStep, len(ctop.Spec.Steps), job.Namespace, job.Name)
+		status.eventType = corev1.EventTypeWarning
+		if step := ctop.Spec.Steps[*ctop.Status.CurrentStep-1]; step.ContinueOnFailure {
+			status.conditionMessage = status.conditionMessage + "; continuing operation"
+			processStepCompletion() // NOTE: condition.reason needs to be set to StepCompleted in this case, as this is looked up by the CAPTenant
+		} else {
+			status.conditionReason = CAPTenantOperationConditionReasonStepFailed
+			status.state = v1alpha1.CAPTenantOperationStateFailed
+			status.conditionStatus = metav1.ConditionTrue
+			ctop.SetStatusCurrentStep(nil, nil)
+		}
+	case JobStateProcessing:
+		status.conditionReason = CAPTenantOperationConditionReasonStepProcessing
+		status.conditionMessage = fmt.Sprintf("step %v/%v : waiting for job %s.%s", *ctop.Status.CurrentStep, len(ctop.Spec.Steps), job.Namespace, job.Name)
+		status.state = v1alpha1.CAPTenantOperationStateProcessing
+		status.conditionStatus = metav1.ConditionFalse
+		requeueAfter = 15 * time.Second
+	}
+
+	ctop.SetStatusWithReadyCondition(status.state, status.conditionStatus, status.conditionReason, status.conditionMessage)
+	if status.eventType != "" {
+		c.Event(ctop, job, status.eventType, status.conditionReason, EventActionTrackJob, status.conditionMessage)
+	}
+
+	return NewReconcileResultWithResource(ResourceCAPTenantOperation, ctop.Name, ctop.Namespace, requeueAfter)
+}
+
+func (c *Controller) getCAPResourcesFromCAPTenantOperation(ctx context.Context, ctop *v1alpha1.CAPTenantOperation) (*cros, error) {
+	// get owning CAPTenant
+	cat, err := c.getCachedCAPTenantFromOwnerReferences(ctop.OwnerReferences, ctop.Namespace)
+	if err != nil {
+		return nil, err
+	}
+
+	// get owning CAPApplication
+	owner, ok := getOwnerByKind(cat.OwnerReferences, v1alpha1.CAPApplicationKind)
+	if !ok {
+		return nil, fmt.Errorf("%s could not be identified for %s %s.%s", v1alpha1.CAPApplicationKind, v1alpha1.CAPTenantOperationKind, ctop.Namespace, ctop.Name)
+	}
+	ca, err := c.getCachedCAPApplication(cat.Namespace, owner.Name)
+	if err != nil {
+		return nil, err
+	}
+
+	// get specified CAPApplicationVersion
+	cav, err := c.crdClient.SmeV1alpha1().CAPApplicationVersions(ca.Namespace).Get(ctx, ctop.Spec.CAPApplicationVersionInstance, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+	// verify status of CAPApplicationVersion
+	if !isCROConditionReady(cav.Status.GenericStatus) {
+		return nil, fmt.Errorf("%s %s is not %s to be used in %s %s.%s", v1alpha1.CAPApplicationVersionKind, cav.Name, v1alpha1.CAPApplicationVersionStateReady, v1alpha1.CAPTenantOperationKind, ctop.Namespace, ctop.Name)
+	}
+
+	return &cros{
+		CAPApplication:        ca,
+		CAPTenant:             cat,
+		CAPApplicationVersion: cav,
+	}, nil
+}
+
+func (c *Controller) initiateJobForCAPTenantOperationStep(ctx context.Context, ctop *v1alpha1.CAPTenantOperation) (result *ReconcileResult, err error) {
+	relatedResources, err := c.getCAPResourcesFromCAPTenantOperation(ctx, ctop)
+	if err != nil {
+		return nil, err
+	}
+
+	// get workload
+	step := ctop.Spec.Steps[*ctop.Status.CurrentStep-1]
+	workload := getWorkloadByName(step.Name, relatedResources.CAPApplicationVersion)
+	if workload == nil {
+		return nil, fmt.Errorf("could not find workload %s in %s %s.%s", step.Name, v1alpha1.CAPApplicationVersionKind, relatedResources.CAPApplicationVersion.Namespace, relatedResources.CAPApplicationVersion.Name)
+	}
+
+	// create VCAP secret from consumed BTP services
+	consumedServiceInfos := getConsumedServiceInfos(getConsumedServiceMap(workload.ConsumedBTPServices), relatedResources.CAPApplication.Spec.BTP.Services)
+	vcapSecretName, err := createVCAPSecret(ctop.Name+"-"+strings.ToLower(workload.Name), ctop.Namespace, *metav1.NewControllerRef(ctop, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPTenantOperationKind)), consumedServiceInfos, c.kubeClient)
+	if err != nil {
+		return nil, err
+	}
+
+	annotations := copyMaps(workload.Annotations, map[string]string{
+		AnnotationIstioSidecarInject:       "false",
+		AnnotationBTPApplicationIdentifier: relatedResources.CAPApplication.Spec.GlobalAccountId + "." + relatedResources.CAPApplication.Spec.BTPAppName,
+		AnnotationOwnerIdentifier:          ctop.Namespace + "." + ctop.Name,
+	})
+
+	labels := copyMaps(workload.Labels, map[string]string{
+		App:                               relatedResources.CAPApplication.Spec.BTPAppName,
+		LabelBTPApplicationIdentifierHash: sha1Sum(relatedResources.CAPApplication.Spec.GlobalAccountId, relatedResources.CAPApplication.Spec.BTPAppName),
+		LabelOwnerIdentifierHash:          sha1Sum(ctop.Namespace, ctop.Name),
+		LabelOwnerGeneration:              strconv.FormatInt(ctop.Generation, 10),
+		LabelTenantOperationType:          string(ctop.Spec.Operation),
+		LabelTenantOperationStep:          strconv.FormatInt(int64(*ctop.Status.CurrentStep), 10), // NOTE: step is required to read the job
+		LabelWorkloadName:                 step.Name,
+		LabelWorkloadType:                 string(step.Type), // NOTE: use step type and not workload type as TenantOperation could be derived from CAP
+		LabelResourceCategory:             CategoryWorkload,
+	})
+
+	params := &jobCreateParams{
+		namePrefix:        relatedResources.CAPTenant.Name + "-" + workload.Name + "-",
+		labels:            labels,
+		annotations:       annotations,
+		envFromVCAPSecret: getEnvFrom(vcapSecretName),
+		imagePullSecrets:  convertToLocalObjectReferences(relatedResources.CAPApplicationVersion.Spec.RegistrySecrets),
+		version:           relatedResources.CAPApplicationVersion.Spec.Version,
+	}
+
+	var job *batchv1.Job
+	if ctop.Spec.Steps[*ctop.Status.CurrentStep-1].Type == v1alpha1.JobTenantOperation {
+		if params.xsuaaInstanceName, err = getXSUAAInstanceName(consumedServiceInfos, relatedResources, c.kubeClient); err != nil {
+			return
+		}
+		job, err = c.createTenantOperationJob(ctx, ctop, workload, params)
+	} else { // custom tenant operation
+		job, err = c.createCustomTenantOperationJob(ctx, ctop, workload, params)
+	}
+	if err != nil {
+		return
+	}
+
+	msg := fmt.Sprintf("step %v/%v : job %s.%s created", *ctop.Status.CurrentStep, len(ctop.Spec.Steps), job.Namespace, job.Name)
+	ctop.SetStatusWithReadyCondition(v1alpha1.CAPTenantOperationStateProcessing, metav1.ConditionFalse, CAPTenantOperationConditionReasonStepInitiated, msg)
+	ctop.SetStatusCurrentStep(ctop.Status.CurrentStep, &job.Name)
+	c.Event(ctop, job, corev1.EventTypeNormal, CAPTenantOperationConditionReasonStepInitiated, EventActionCreateJob, msg)
+
+	return NewReconcileResultWithResource(ResourceCAPTenantOperation, ctop.Name, ctop.Namespace, 15*time.Second), nil
+}
+
+type jobCreateParams struct {
+	namePrefix        string
+	labels            map[string]string
+	annotations       map[string]string
+	envFromVCAPSecret []corev1.EnvFromSource
+	imagePullSecrets  []corev1.LocalObjectReference
+	version           string
+	xsuaaInstanceName string
+}
+
+func (c *Controller) createTenantOperationJob(ctx context.Context, ctop *v1alpha1.CAPTenantOperation, workload *v1alpha1.WorkloadDetails, params *jobCreateParams) (*batchv1.Job, error) {
+	// prepare payload request
+	var (
+		payload []byte
+		err     error
+	)
+	if ctop.Spec.Operation == v1alpha1.CAPTenantOperationTypeProvisioning {
+		payload, err = json.Marshal(ProvisioningPayload{SubscribedSubdomain: ctop.Spec.SubDomain, EventType: "CREATE"})
+	} else if ctop.Spec.Operation == v1alpha1.CAPTenantOperationTypeUpgrade {
+		payload, err = json.Marshal(UpgradePayload{Tenants: []string{ctop.Spec.TenantId}, AutoUnDeploy: true})
+	} else { // deprovisioning
+		payload, err = json.Marshal(struct{}{})
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	derivedWorkload := deriveWorkloadForTenantOperation(workload)
+
+	// create job for tenant operation (provisioning / upgrade / deprovisioning)
+	job := &batchv1.Job{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName:    params.namePrefix, // generate name for each step
+			Namespace:       ctop.Namespace,
+			Labels:          params.labels,
+			Annotations:     params.annotations,
+			OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(ctop, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPTenantOperationKind))},
+		},
+		Spec: batchv1.JobSpec{
+			BackoffLimit:            derivedWorkload.backoffLimit,
+			TTLSecondsAfterFinished: derivedWorkload.ttlSecondsAfterFinished,
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels:      params.labels,
+					Annotations: params.annotations,
+				},
+				Spec: corev1.PodSpec{
+					RestartPolicy:    corev1.RestartPolicyNever,
+					ImagePullSecrets: params.imagePullSecrets,
+					Containers:       getContainers(payload, ctop, derivedWorkload, workload, params),
+					SecurityContext:  derivedWorkload.podSecurityContext,
+				},
+			},
+		},
+	}
+
+	return c.kubeClient.BatchV1().Jobs(ctop.Namespace).Create(ctx, job, metav1.CreateOptions{})
+}
+
+func isMTXSDisabled(envVars []corev1.EnvVar) bool {
+	return slices.ContainsFunc(envVars, func(env corev1.EnvVar) bool { return env.Name == EnvIsMTXSEnabled && env.Value == "false" })
+}
+
+func getContainers(payload []byte, ctop *v1alpha1.CAPTenantOperation, derivedWorkload tentantOperationWorkload, workload *v1alpha1.WorkloadDetails, params *jobCreateParams) []corev1.Container {
+	if !isMTXSDisabled(derivedWorkload.env) {
+		var operation string
+		container := &corev1.Container{
+			Name:            workload.Name,
+			Image:           derivedWorkload.image,
+			ImagePullPolicy: derivedWorkload.imagePullPolicy,
+			Env: append([]corev1.EnvVar{
+				{Name: EnvCAPOpAppVersion, Value: params.version}, {Name: EnvCAPOpTenantID, Value: ctop.Spec.TenantId}, {Name: EnvCAPOpTenantOperation, Value: string(ctop.Spec.Operation)}, {Name: EnvCAPOpTenantSubDomain, Value: string(ctop.Spec.SubDomain)},
+			}, derivedWorkload.env...),
+			EnvFrom:         params.envFromVCAPSecret,
+			Resources:       derivedWorkload.resources,
+			SecurityContext: derivedWorkload.securityContext,
+		}
+
+		if ctop.Spec.Operation == v1alpha1.CAPTenantOperationTypeProvisioning {
+			operation = "subscribe"
+		} else if ctop.Spec.Operation == v1alpha1.CAPTenantOperationTypeUpgrade {
+			operation = "upgrade"
+		} else { // deprovisioning
+			operation = "unsubscribe"
+		}
+
+		if derivedWorkload.command != nil {
+			container.Command = derivedWorkload.command
+		} else {
+			container.Command = []string{"node", "./node_modules/@sap/cds-mtxs/bin/cds-mtx", operation, ctop.Spec.TenantId}
+		}
+
+		return append([]corev1.Container{}, *container)
+	}
+
+	return []corev1.Container{
+		{
+			Name:  "trigger", // TODO: get rid of this --> hopefully with mtxs cli where we start a single container image
+			Image: getMTXJobImage(),
+			Env: []corev1.EnvVar{
+				{Name: "WAIT_FOR_SIDECAR", Value: "false"},
+				{Name: "XSUAA_INSTANCE_NAME", Value: params.xsuaaInstanceName},
+				{Name: "MTX_SERVICE_URL", Value: "http://localhost:" + strconv.Itoa(defaultServerPort)},
+				{Name: "MTX_REQUEST_TYPE", Value: string(ctop.Spec.Operation)},
+				{Name: "MTX_TENANT_ID", Value: ctop.Spec.TenantId},
+				{Name: "MTX_REQUEST_PAYLOAD", Value: string(payload)},
+			},
+			EnvFrom: params.envFromVCAPSecret,
+		},
+		{
+			Name:            workload.Name,
+			Image:           derivedWorkload.image,
+			ImagePullPolicy: derivedWorkload.imagePullPolicy,
+			Env: append([]corev1.EnvVar{
+				{Name: EnvCAPOpAppVersion, Value: params.version}, {Name: EnvCAPOpTenantID, Value: ctop.Spec.TenantId}, {Name: EnvCAPOpTenantOperation, Value: string(ctop.Spec.Operation)}, {Name: EnvCAPOpTenantSubDomain, Value: string(ctop.Spec.SubDomain)},
+			}, derivedWorkload.env...),
+			EnvFrom:         params.envFromVCAPSecret,
+			Resources:       derivedWorkload.resources,
+			SecurityContext: derivedWorkload.securityContext,
+			Command:         []string{"/bin/sh", "-c"},
+			Args:            []string{"node ./node_modules/@sap/cds/bin/cds run & nc -lv -s localhost -p 8080"},
+		},
+	}
+}
+
+func deriveWorkloadForTenantOperation(workload *v1alpha1.WorkloadDetails) tentantOperationWorkload {
+	result := tentantOperationWorkload{}
+	if workload.JobDefinition == nil {
+		// this must be a reference to CAP workload
+		result.image = workload.DeploymentDefinition.Image
+		result.imagePullPolicy = workload.DeploymentDefinition.ImagePullPolicy
+		result.env = workload.DeploymentDefinition.Env
+		result.resources = workload.DeploymentDefinition.Resources
+		result.backoffLimit = &backoffLimitValue
+		result.ttlSecondsAfterFinished = &tTLSecondsAfterFinishedValue
+		result.securityContext = workload.DeploymentDefinition.SecurityContext
+		result.podSecurityContext = workload.DeploymentDefinition.PodSecurityContext
+	} else {
+		// use job definition
+		result.image = workload.JobDefinition.Image
+		result.imagePullPolicy = workload.JobDefinition.ImagePullPolicy
+		result.command = workload.JobDefinition.Command
+		result.env = workload.JobDefinition.Env
+		result.resources = workload.JobDefinition.Resources
+		result.securityContext = workload.JobDefinition.SecurityContext
+		result.podSecurityContext = workload.JobDefinition.PodSecurityContext
+		if workload.JobDefinition.BackoffLimit != nil {
+			result.backoffLimit = workload.JobDefinition.BackoffLimit
+		}
+		if workload.JobDefinition.TTLSecondsAfterFinished != nil {
+			result.ttlSecondsAfterFinished = workload.JobDefinition.TTLSecondsAfterFinished
+		}
+	}
+	return result
+}
+
+func (c *Controller) createCustomTenantOperationJob(ctx context.Context, ctop *v1alpha1.CAPTenantOperation, workload *v1alpha1.WorkloadDetails, params *jobCreateParams) (*batchv1.Job, error) {
+	// create job for custom tenant operation
+	job := &batchv1.Job{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName:    params.namePrefix, // generate name for each step
+			Namespace:       ctop.Namespace,
+			Labels:          params.labels,
+			Annotations:     params.annotations,
+			OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(ctop, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPTenantOperationKind))},
+		},
+		Spec: batchv1.JobSpec{
+			BackoffLimit:            workload.JobDefinition.BackoffLimit,
+			TTLSecondsAfterFinished: workload.JobDefinition.TTLSecondsAfterFinished,
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels:      params.labels,
+					Annotations: params.annotations,
+				},
+				Spec: corev1.PodSpec{
+					RestartPolicy:    corev1.RestartPolicyNever,
+					SecurityContext:  workload.JobDefinition.PodSecurityContext,
+					ImagePullSecrets: params.imagePullSecrets,
+					Containers: []corev1.Container{
+						{
+							Name:            workload.Name,
+							Image:           workload.JobDefinition.Image,
+							ImagePullPolicy: workload.JobDefinition.ImagePullPolicy,
+							Env: append([]corev1.EnvVar{
+								{Name: EnvCAPOpAppVersion, Value: params.version}, {Name: EnvCAPOpTenantID, Value: ctop.Spec.TenantId}, {Name: EnvCAPOpTenantOperation, Value: string(ctop.Spec.Operation)}, {Name: EnvCAPOpTenantSubDomain, Value: string(ctop.Spec.SubDomain)},
+							}, workload.JobDefinition.Env...),
+							EnvFrom:         params.envFromVCAPSecret,
+							Command:         workload.JobDefinition.Command,
+							Resources:       workload.JobDefinition.Resources,
+							SecurityContext: workload.JobDefinition.SecurityContext,
+						},
+					},
+				},
+			},
+		},
+	}
+
+	return c.kubeClient.BatchV1().Jobs(ctop.Namespace).Create(ctx, job, metav1.CreateOptions{})
+}
+
+func getMTXJobImage() string {
+	mtxJobImageUri := os.Getenv(EnvMTXJobImage)
+	allowedUri, _ := regexp.MatchString(MTXJobImageAllowedPattern, mtxJobImageUri)
+	if !allowedUri {
+		klog.Warning("MTX Job Image URI '", mtxJobImageUri, "' not given in environment, or not allowed. Falling back to default.")
+		mtxJobImageUri = MTXJobImageDefault
+	}
+
+	return mtxJobImageUri
+}
+
+func getXSUAAInstanceName(consumedServiceInfos []v1alpha1.ServiceInfo, relatedResources *cros, kubeClient kubernetes.Interface) (string, error) {
+	info := util.GetXSUAAInfo(consumedServiceInfos, relatedResources.CAPApplication)
+	if info.Secret == "" {
+		return "", errors.New("missing XSUAA service information")
+	}
+	entry, err := util.CreateVCAPEntryFromSecret(info, relatedResources.CAPApplication.Namespace, kubeClient)
+	if err != nil {
+		return "", err
+	}
+	return entry["name"].(string), nil
+}
+
+func addCAPTenantOperationLabels(ctop *v1alpha1.CAPTenantOperation, cat *v1alpha1.CAPTenant) (updated bool) {
+	appMetadata := appMetadataIdentifiers{
+		ownerInfo: &ownerInfo{
+			ownerNamespace:  cat.Namespace,
+			ownerName:       cat.Name,
+			ownerGeneration: cat.Generation,
+		},
+	}
+	if updateLabelAnnotationMetadata(&ctop.ObjectMeta, &appMetadata) {
+		updated = true
+	}
+
+	if _, ok := ctop.Labels[LabelTenantOperationType]; !ok {
+		ctop.Labels[LabelTenantOperationType] = string(ctop.Spec.Operation)
+		if ctop.Spec.Operation == v1alpha1.CAPTenantOperationTypeUpgrade {
+			ctop.Labels[LabelCAVVersion] = cat.Spec.Version
+		}
+		updated = true
+	}
+	return updated
+}
diff --git a/internal/controller/reconcile-captenantoperation_test.go b/internal/controller/reconcile-captenantoperation_test.go
new file mode 100644
index 0000000..165fffe
--- /dev/null
+++ b/internal/controller/reconcile-captenantoperation_test.go
@@ -0,0 +1,655 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"os"
+	"testing"
+)
+
+func TestPrepareCAPTenantOperationProvisioning(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136", "ERP4SMEPREPWORKAPPPLAT-3351"},
+			description:  "new captenantoperation type provisioning - prepare",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/captenantoperation/ctop-01.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-01.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestTenantOperationInitializeStep(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "prepared captenantoperation - initialize current step",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/captenantoperation/ctop-02.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-02.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestTenantOperationWithNoSteps(t *testing.T) {
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "prepared captenantoperation w/o valid capapplicationversion",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/captenantoperation/ctop-03.initial.yaml",
+			},
+			expectError:       true,
+			expectedResources: "testdata/captenantoperation/ctop-03.expected.yaml",
+		},
+	)
+	if err.Error() != "operation steps missing in CAPTenantOperation default.test-cap-01-provider-abcd" {
+		t.Error("unexpected error")
+	}
+}
+
+func TestTenantOperationStepProcessingWithoutVersion(t *testing.T) {
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "prepared captenantoperation - initialize current step",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/captenantoperation/ctop-04.initial.yaml",
+			},
+			expectError: true,
+		},
+	)
+	if err.Error() != "capapplicationversions.sme.sap.com \"test-cap-01-cav-v1\" not found" {
+		t.Error("unexpected error")
+	}
+}
+
+func TestProvisioningOperationTriggerStep(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "prepared captenantoperation - initialize current step",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-04.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-04.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestPrepareCAPTenantOperationUpgrade(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "new captenantoperation type upgrade - prepare",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/captenantoperation/ctop-05.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-05.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestUpgradeOperationDeriveFromCAPWorkload(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "prepared captenantoperation - tenant operation step deriving from cap workload",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v2-no-mtx-workload.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-06.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-06.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestUpgradeOperationMultipleStepsInitiateFirstStep(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136", "ERP4SMEPREPWORKAPPPLAT-3226"},
+			description:  "prepared captenantoperation - multiple steps - start custom operation",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v2-multiple-tenant-ops.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-07.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-07.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestUpgradeOperationMultipleStepsStepCompleted(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136", "ERP4SMEPREPWORKAPPPLAT-3226"},
+			description:  "prepared captenantoperation - multiple steps - custom step completed",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v2-multiple-tenant-ops.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-08.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-08.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestUpgradeOperationMultipleStepsInitiateSubsequentStep(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "prepared captenantoperation - multiple steps - initiate subsequent step",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v2-multiple-tenant-ops.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-09.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-09.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestUpgradeOperationMultipleStepsStepFailure(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "prepared captenantoperation - multiple steps - step failure",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v2-multiple-tenant-ops.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-10.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-10.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestUpgradeOperationMultipleStepsFinalStepCompleted(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "prepared captenantoperation - multiple steps - final step completed",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v2-multiple-tenant-ops.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-11.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-11.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestUpgradeOperationMultipleStepsStepCompletedWithDeletion(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "prepared captenantoperation - multiple steps - custom step completed with deletion timestamp set",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v2-multiple-tenant-ops.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-12.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-12.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestUpgradeOperationMultipleStepsStepFailureWithDeletion(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "prepared captenantoperation - multiple steps - step failure with deletion timestamp set",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v2-multiple-tenant-ops.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-13.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-13.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestUpgradeOperationFailedWithDeletion(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "prepared captenantoperation - failed condition - with deletion timestamp set",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v2-multiple-tenant-ops.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-14.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-14.expected.yaml",
+		},
+	)
+}
+
+func TestPrepareCAPTenantOperationDeprovisioningInvalidReference(t *testing.T) {
+	err := reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-invalid-tenant-op"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "new captenantoperation type deprovisioning - prepare with invalid reference",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/captenantoperation/ctop-15.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-15.expected.yaml",
+			expectError:       true,
+		},
+	)
+	if err.Error() != "could not find CAPTenant with tenant id tenant-id-invalid" {
+		t.Errorf("unexpected error: %s", err.Error())
+	}
+}
+
+func TestTenantOperationDeprovisioningInitiateStep(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "prepared captenantoperation type deprovisioning - initiate step processing",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/captenantoperation/ctop-16.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-16.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestTenantOperationDeprovisioningTrackStep(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2136"},
+			description:  "captenantoperation type deprovisioning - track step progress",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/captenantoperation/ctop-17.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-17.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestProvisioningWithMTXSEnabled(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2236", "ERP4SMEPREPWORKAPPPLAT-2379", "ERP4SMEPREPWORKAPPPLAT-3226", "ERP4SMEPREPWORKAPPPLAT-3807"},
+			description:  "Provisioning - With MTXS enabled",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v1-mtxs.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-18.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-18.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestUpgradeWithMTXSEnabled(t *testing.T) {
+	reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2379", "ERP4SMEPREPWORKAPPPLAT-3226", "ERP4SMEPREPWORKAPPPLAT-3807"},
+			description:  "Upgrade - With MTXS enabled",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v1-mtxs.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-20.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-20.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestDeprovisioningWithMTXSEnabled(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2236", "ERP4SMEPREPWORKAPPPLAT-2379", "ERP4SMEPREPWORKAPPPLAT-3226", "ERP4SMEPREPWORKAPPPLAT-3807"},
+			description:  "Deprovisioning - With MTXS enabled",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/capapplicationversion-v1-mtxs.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/captenantoperation/ctop-19.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-19.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestProvisioningWithMTXSEnabledAndCustomCommand(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{
+				"ERP4SMEPREPWORKAPPPLAT-2747", // Custom command for Tenant Operation
+				"ERP4SMEPREPWORKAPPPLAT-2885", // Annotations for Tenant Operation
+				"ERP4SMEPREPWORKAPPPLAT-3807", // MTXS is made default
+			},
+			description: "Provisioning - With MTXS enabled and custom command",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v1-mtxs-custom-cmd.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-24.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-24.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestGetMTXJobImage(t *testing.T) {
+	const (
+		jiraBLI = "(ERP4SMEPREPWORKAPPPLAT-1647)"
+	)
+
+	const (
+		imageAllowed     = "ghcr.io/sap/some-repo/another-mtx-job"
+		imageNotAllowed1 = "unwanted.external.repositories.cloud/cap-operator/mtx-job"
+		imageNotAllowed2 = "ghcr.io/sapfake/cap-operator/mtx-job"
+	)
+
+	tests := []struct {
+		id             string
+		setEnvironment string
+		expectedImage  string
+	}{
+		{
+			id:             "not given environment leads to default image", // which is a special case of 'not matching image pattern'
+			setEnvironment: "",
+			expectedImage:  MTXJobImageDefault,
+		},
+		{
+			id:             "not matching image pattern leads to default image, subdomain",
+			setEnvironment: imageNotAllowed1,
+			expectedImage:  MTXJobImageDefault,
+		},
+		{
+			id:             "not matching image pattern leads to default image, ensures .sap/",
+			setEnvironment: imageNotAllowed2,
+			expectedImage:  MTXJobImageDefault,
+		},
+		{
+			id:             "matching image pattern is passing",
+			setEnvironment: imageAllowed,
+			expectedImage:  imageAllowed,
+		},
+	}
+
+	activeEnvironment := os.Getenv(EnvMTXJobImage)
+	defer func() {
+		os.Setenv(EnvMTXJobImage, activeEnvironment)
+	}()
+
+	for _, tt := range tests {
+		t.Run(tt.id+" "+jiraBLI, func(t *testing.T) {
+			if tt.setEnvironment == "" {
+				os.Unsetenv(EnvMTXJobImage)
+			} else {
+				os.Setenv(EnvMTXJobImage, tt.setEnvironment)
+			}
+
+			actualImage := getMTXJobImage()
+			if actualImage != tt.expectedImage {
+				t.Errorf("expected image '%q', got '%q", tt.expectedImage, actualImage)
+			}
+		})
+	}
+}
+
+func TestProvisioningWithResources(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2237"},
+			description:  "Provisioning - With Resources",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v1-resources.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-21.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-21.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestProvisioningWithSecurityContext(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2573"},
+			description:  "Provisioning - With securityContext for Container",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v1-security-context.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-22.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-22.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestProvisioningWithPodSecurityContext(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2573"},
+			description:  "Provisioning - With securityContext for Pod",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v2-pod-security-context.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-23.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-23.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestProvisioningWithAnnotations(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2885"},
+			description:  "Provisioning - With annotations",
+			initialResources: []string{
+				"testdata/common/capapplication.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v2-annotations.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-25.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-25.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
+
+func TestMultiXSUAAWithAnnotation(t *testing.T) {
+	_ = reconcileTestItem(
+		context.TODO(), t,
+		QueueItem{Key: ResourceCAPTenantOperation, ResourceKey: NamespacedResourceKey{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+		TestData{
+			backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-3773"},
+			description:  "prepared captenantoperation - tenant operation with multiple xsuaa usage",
+			initialResources: []string{
+				"testdata/common/capapplication-multi-xsuaa.yaml",
+				"testdata/common/captenant-provider-ready.yaml",
+				"testdata/common/capapplicationversion-v2-multi-xsuaa.yaml",
+				"testdata/common/credential-secrets.yaml",
+				"testdata/captenantoperation/ctop-26.initial.yaml",
+			},
+			expectedResources: "testdata/captenantoperation/ctop-26.expected.yaml",
+			expectedRequeue: map[int][]NamespacedResourceKey{
+				ResourceCAPTenantOperation: {{Namespace: "default", Name: "test-cap-01-provider-abcd"}},
+			},
+		},
+	)
+}
diff --git a/internal/controller/reconcile-domains.go b/internal/controller/reconcile-domains.go
new file mode 100644
index 0000000..b90d847
--- /dev/null
+++ b/internal/controller/reconcile-domains.go
@@ -0,0 +1,1274 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	certManagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	certManagermetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+	certv1alpha1 "github.com/gardener/cert-management/pkg/apis/cert/v1alpha1"
+	dnsv1alpha1 "github.com/gardener/external-dns-management/pkg/apis/dns/v1alpha1"
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"google.golang.org/protobuf/types/known/durationpb"
+	networkingv1beta1 "istio.io/api/networking/v1beta1"
+	istionwv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/klog/v2"
+)
+
+// TODO: ignore duplicates reconciliation calls for same dnsTarget, Finalizers... and a whole lot more!
+
+const PrimaryDnsSuffix = "primary-dns"
+
+const (
+	CAPOperator              = "CAPOperator"
+	OperatorDomainLabel      = CAPOperator + "." + OperatorDomains
+	OperatorDomainNamePrefix = "cap-operator-domains-"
+)
+
+var (
+	cNameLookup = int64(30)
+	ttl         = int64(600)
+)
+
+const (
+	formatResourceState    = "%s in state %s for %s %s.%s"
+	formatResourceStateErr = formatResourceState + ": %s"
+)
+
+func (c *Controller) handleDomains(ctx context.Context, ca *v1alpha1.CAPApplication) (*ReconcileResult, error) {
+	domains, err := json.Marshal(ca.Spec.Domains)
+	if err != nil {
+		return nil, fmt.Errorf("error occurred while encoding domains to json: %w", err)
+	}
+	domainsHash := sha256Sum(string(domains))
+
+	requeue := NewReconcileResult()
+
+	commonName := strings.Join([]string{"*", ca.Spec.Domains.Primary}, ".")
+	secretName := strings.Join([]string{strings.Join([]string{ca.Namespace, ca.Name}, "--"), SecretSuffix}, "-")
+	c.handlePrimaryDomainGateway(ctx, ca, secretName, ca.Namespace)
+
+	istioIngressGatewayInfo, err := c.getIngressGatewayInfo(ctx, ca)
+	if err != nil {
+		return nil, err
+	}
+
+	c.handlePrimaryDomainCertificate(ctx, ca, commonName, secretName, istioIngressGatewayInfo.Namespace)
+	c.handlePrimaryDomainDNSEntry(ctx, ca, commonName, ca.Namespace, istioIngressGatewayInfo.DNSTarget)
+
+	if domainsHash != ca.Status.DomainSpecHash {
+
+		// Reconcile Secondary domains via a dummy resource (separate reconciliation)
+		requeue.AddResource(ResourceOperatorDomains, "", metav1.NamespaceAll, 0)
+		requeue.AddResource(ResourceCAPApplication, ca.Name, ca.Namespace, 3*time.Second) // requeue CAPApplication for further processing
+
+		// notify tenants of domain specification change (dns entries, virtual services)
+		cats, err := c.getRelevantTenantsForCA(ca)
+		if err != nil {
+			return nil, err
+		}
+		for _, cat := range cats {
+			requeue.AddResource(ResourceCAPTenant, cat.Name, cat.Namespace, 2*time.Second)
+		}
+
+		ca.SetStatusWithReadyCondition(v1alpha1.CAPApplicationStateProcessing, metav1.ConditionFalse, EventActionProcessingDomainResources, "")
+		ca.SetStatusDomainSpecHash(domainsHash)
+		return requeue, nil
+	}
+
+	return nil, nil
+}
+
+func (c *Controller) handlePrimaryDomainGateway(ctx context.Context, ca *v1alpha1.CAPApplication, secretName string, namespace string) error {
+	gwName := getResourceName(ca.Spec.BTPAppName, GatewaySuffix)
+	ingressGWLabels := getIngressGatewayLabels(ca)
+	gwSpec := networkingv1beta1.Gateway{
+		Selector: ingressGWLabels,
+		Servers: []*networkingv1beta1.Server{
+			getGatewayServerSpec(ca.Spec.Domains.Primary, secretName),
+		},
+	}
+	// Calculate sha256 sum for GW spec
+	hash := sha256Sum(ca.Spec.Domains.Primary, secretName, fmt.Sprintf("%v", ingressGWLabels))
+
+	// check for existing gateway
+	gw, err := c.istioInformerFactory.Networking().V1beta1().Gateways().Lister().Gateways(namespace).Get(gwName)
+
+	// create gateway
+	if errors.IsNotFound(err) {
+		_, err = c.istioClient.NetworkingV1beta1().Gateways(namespace).Create(
+			ctx, &istionwv1beta1.Gateway{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      gwName,
+					Namespace: namespace,
+					Annotations: map[string]string{
+						AnnotationResourceHash:             hash,
+						AnnotationBTPApplicationIdentifier: ca.Spec.GlobalAccountId + "." + ca.Spec.BTPAppName,
+					},
+					Labels: map[string]string{
+						LabelBTPApplicationIdentifierHash: sha1Sum(ca.Spec.GlobalAccountId, ca.Spec.BTPAppName),
+					},
+					OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(ca, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPApplicationKind))},
+				},
+				Spec: gwSpec,
+			}, metav1.CreateOptions{},
+		)
+	} else if err == nil && gw != nil && gw.Annotations[AnnotationResourceHash] != hash {
+		// Update the relevant gw parts, if there are changes (detected via sha256 sum)
+		gw.Spec = gwSpec
+
+		// Update hash value on annotation
+		updateResourceAnnotation(&gw.ObjectMeta, hash)
+
+		// Trigger the actual update on the resource
+		_, err = c.istioClient.NetworkingV1beta1().Gateways(namespace).Update(ctx, gw, metav1.UpdateOptions{})
+	}
+
+	if err == nil {
+		c.Event(ca, nil, corev1.EventTypeNormal, CAPApplicationEventPrimaryGatewayModified, EventActionProcessingDomainResources, fmt.Sprintf("primary gateway %s has been modified", gwName))
+	}
+	return err
+}
+
+func (c *Controller) handlePrimaryDomainCertificate(ctx context.Context, ca *v1alpha1.CAPApplication, commonName string, secretName string, istioNamespace string) error {
+	var err error
+	certName := getResourceName(ca.Spec.BTPAppName, CertificateSuffix)
+	// Calculate sha256 sum for Cert spec
+	hash := sha256Sum(commonName, secretName)
+	switch certificateManager() {
+	case certManagerGardener:
+		// check for existing certificate
+		gardenerCert, err := c.gardenerCertificateClient.CertV1alpha1().Certificates(istioNamespace).Get(context.TODO(), certName, metav1.GetOptions{})
+		gardenerCertSpec := getGardenerCertificateSpec(commonName, secretName)
+		if errors.IsNotFound(err) {
+			// create certificate
+			_, err = c.gardenerCertificateClient.CertV1alpha1().Certificates(istioNamespace).Create(
+				ctx, &certv1alpha1.Certificate{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      certName,
+						Namespace: istioNamespace,
+						Annotations: map[string]string{
+							AnnotationResourceHash:    hash,
+							AnnotationOwnerIdentifier: KindMap[ResourceCAPApplication] + "." + ca.Namespace + "." + ca.Name,
+						},
+						Labels: map[string]string{
+							LabelOwnerIdentifierHash: sha1Sum(KindMap[ResourceCAPApplication], ca.Namespace, ca.Name),
+							LabelOwnerGeneration:     strconv.FormatInt(ca.Generation, 10),
+						},
+						Finalizers: []string{FinalizerCAPApplication},
+					},
+					Spec: gardenerCertSpec,
+				}, metav1.CreateOptions{},
+			)
+		} else if err == nil && gardenerCert != nil && gardenerCert.Annotations[AnnotationResourceHash] != hash {
+			// Update the certificate spec
+			gardenerCert.Spec = gardenerCertSpec
+
+			// Update hash value on annotation
+			updateResourceAnnotation(&gardenerCert.ObjectMeta, hash)
+
+			// Trigger the actual update on the resource
+			_, err = c.gardenerCertificateClient.CertV1alpha1().Certificates(istioNamespace).Update(ctx, gardenerCert, metav1.UpdateOptions{})
+		}
+
+	case certManagerCertManagerIO:
+		// check for existing certificate
+		certManagerCert, err := c.certManagerCertificateClient.CertmanagerV1().Certificates(istioNamespace).Get(context.TODO(), certName, metav1.GetOptions{})
+		certManagerCertSpec := getCertManagerCertificateSpec(commonName, secretName)
+
+		if errors.IsNotFound(err) {
+			// create certificate
+			_, err = c.certManagerCertificateClient.CertmanagerV1().Certificates(istioNamespace).Create(
+				ctx, &certManagerv1.Certificate{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      certName,
+						Namespace: istioNamespace,
+						Annotations: map[string]string{
+							AnnotationResourceHash:    hash,
+							AnnotationOwnerIdentifier: KindMap[ResourceCAPApplication] + "." + ca.Namespace + "." + ca.Name,
+						},
+						Labels: map[string]string{
+							LabelOwnerIdentifierHash: sha1Sum(KindMap[ResourceCAPApplication], ca.Namespace, ca.Name),
+							LabelOwnerGeneration:     strconv.FormatInt(ca.Generation, 10),
+						},
+						Finalizers: []string{FinalizerCAPApplication},
+					},
+					Spec: certManagerCertSpec,
+				}, metav1.CreateOptions{},
+			)
+		} else if err == nil && certManagerCert != nil && certManagerCert.Annotations[AnnotationResourceHash] != hash {
+			// Update the certificate spec
+			certManagerCert.Spec = certManagerCertSpec
+
+			// Update hash value on annotation
+			updateResourceAnnotation(&certManagerCert.ObjectMeta, hash)
+
+			// Trigger the actual update on the resource
+			_, err = c.certManagerCertificateClient.CertmanagerV1().Certificates(istioNamespace).Update(ctx, certManagerCert, metav1.UpdateOptions{})
+		}
+	}
+	return err
+}
+
+func (c *Controller) handlePrimaryDomainDNSEntry(ctx context.Context, ca *v1alpha1.CAPApplication, commonName string, namespace string, dnsTarget string) error {
+	// nothing to do here for non-gardener scenario because external-dns handles istio gateways automatically
+	if dnsManager() == dnsManagerGardener {
+		dnsEntryName := getResourceName(ca.Spec.BTPAppName, PrimaryDnsSuffix)
+		dnsEntrySpec := dnsv1alpha1.DNSEntrySpec{
+			CNameLookupInterval: &cNameLookup,
+			DNSName:             commonName,
+			Targets: []string{
+				dnsTarget,
+			},
+			TTL: &ttl,
+		}
+		// Calculate sha256 sum for DNSEntry spec
+		hash := sha256Sum(commonName, dnsTarget)
+		// check for existing DNSEntry
+		dnsEntry, err := c.gardenerDNSClient.DnsV1alpha1().DNSEntries(namespace).Get(context.TODO(), dnsEntryName, metav1.GetOptions{})
+
+		if errors.IsNotFound(err) {
+			// create DNSEntry
+			_, err = c.gardenerDNSClient.DnsV1alpha1().DNSEntries(namespace).Create(
+				ctx, &dnsv1alpha1.DNSEntry{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      dnsEntryName,
+						Namespace: namespace,
+						Annotations: map[string]string{
+							AnnotationResourceHash:     hash,
+							GardenerDNSClassIdentifier: GardenerDNSClassValue,
+							AnnotationOwnerIdentifier:  KindMap[ResourceCAPApplication] + "." + ca.Namespace + "." + ca.Name,
+						},
+						Labels: map[string]string{
+							LabelOwnerIdentifierHash: sha1Sum(KindMap[ResourceCAPApplication], ca.Namespace, ca.Name),
+						},
+						OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(ca, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPApplicationKind))},
+					},
+					Spec: dnsEntrySpec,
+				}, metav1.CreateOptions{},
+			)
+		} else if err == nil && dnsEntry != nil && dnsEntry.Annotations[AnnotationResourceHash] != hash {
+			// Update the DnsEntry spec
+			dnsEntry.Spec = dnsEntrySpec
+
+			// Update hash value on annotation
+			updateResourceAnnotation(&dnsEntry.ObjectMeta, hash)
+
+			// Trigger the actual update on the resource
+			_, err = c.gardenerDNSClient.DnsV1alpha1().DNSEntries(namespace).Update(ctx, dnsEntry, metav1.UpdateOptions{})
+		}
+		return err
+	}
+	return nil
+}
+
+func (c *Controller) checkPrimaryDomainResources(ctx context.Context, ca *v1alpha1.CAPApplication) (processing bool, err error) {
+	defer func() {
+		if err != nil {
+			// set CAPApplication status - with error
+			ca.SetStatusWithReadyCondition(v1alpha1.CAPApplicationStateError, metav1.ConditionFalse, "DomainResourcesError", err.Error())
+		}
+	}()
+
+	// check for existing gateway
+	_, err = c.istioClient.NetworkingV1beta1().Gateways(ca.Namespace).Get(ctx, getResourceName(ca.Spec.BTPAppName, GatewaySuffix), metav1.GetOptions{})
+	if err != nil {
+		return false, err
+	}
+
+	var istioIngressGatewayInfo *ingressGatewayInfo
+	istioIngressGatewayInfo, err = c.getIngressGatewayInfo(ctx, ca)
+	if err != nil {
+		return false, err
+	}
+
+	certName := getResourceName(ca.Spec.BTPAppName, CertificateSuffix)
+	// check for certificate status
+	if processing, err := c.checkCertificateStatus(ctx, ca, istioIngressGatewayInfo.Namespace, certName); err != nil || processing {
+		return processing, err
+	}
+
+	dnsEntryName := strings.Join([]string{ca.Spec.BTPAppName, PrimaryDnsSuffix}, "-")
+	if dnsManager() == dnsManagerGardener {
+		// check for existing DNSEntry
+		dnsEntry, err := c.gardenerDNSClient.DnsV1alpha1().DNSEntries(ca.Namespace).Get(context.TODO(), dnsEntryName, metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+
+		// check for ready state
+		if dnsEntry.Status.State == dnsv1alpha1.STATE_ERROR {
+			return false, fmt.Errorf(formatResourceStateErr, dnsv1alpha1.DNSEntryKind, dnsv1alpha1.STATE_ERROR, v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name, *dnsEntry.Status.Message)
+		} else if dnsEntry.Status.State != dnsv1alpha1.STATE_READY {
+			klog.Infof(formatResourceState, dnsv1alpha1.DNSEntryKind, dnsEntry.Status.State, v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name)
+			ca.SetStatusWithReadyCondition(v1alpha1.CAPApplicationStateProcessing, metav1.ConditionFalse, "DomainResourcesProcessing", "")
+			return true, nil
+		}
+	}
+
+	return
+}
+
+func (c *Controller) deletePrimaryDomainCertificate(ctx context.Context, ca *v1alpha1.CAPApplication) error {
+	var err error
+	ingressGatewayInfo, err := c.getIngressGatewayInfo(ctx, ca)
+	if err != nil {
+		return err
+	}
+	certName := getResourceName(ca.Spec.BTPAppName, CertificateSuffix)
+	// delete Certificate
+	switch certificateManager() {
+	case certManagerGardener:
+		err = c.deleteGardenerCertificate(ingressGatewayInfo, certName, ctx)
+	case certManagerCertManagerIO:
+		err = c.deleteCertManagerCertificate(ingressGatewayInfo, certName, ctx)
+	}
+	return err
+}
+
+func (c *Controller) deleteGardenerCertificate(ingressGatewayInfo *ingressGatewayInfo, certName string, ctx context.Context) error {
+	certificate, err := c.gardenerCertInformerFactory.Cert().V1alpha1().Certificates().Lister().Certificates(ingressGatewayInfo.Namespace).Get(certName)
+	if err != nil {
+		return err
+	}
+	// remove Finalizer from Certificate
+	if removeFinalizer(&certificate.Finalizers, FinalizerCAPApplication) {
+		if _, err = c.gardenerCertificateClient.CertV1alpha1().Certificates(ingressGatewayInfo.Namespace).Update(ctx, certificate, metav1.UpdateOptions{}); err != nil {
+			return err
+		}
+	}
+	// delete Certificate
+	if err = c.gardenerCertificateClient.CertV1alpha1().Certificates(ingressGatewayInfo.Namespace).Delete(ctx, certName, metav1.DeleteOptions{}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (c *Controller) deleteCertManagerCertificate(ingressGatewayInfo *ingressGatewayInfo, certName string, ctx context.Context) error {
+	certificate, err := c.certManagerInformerFactory.Certmanager().V1().Certificates().Lister().Certificates(ingressGatewayInfo.Namespace).Get(certName)
+	if err != nil {
+		return err
+	}
+	// remove Finalizer from Certificate
+	if removeFinalizer(&certificate.Finalizers, FinalizerCAPApplication) {
+		if _, err = c.certManagerCertificateClient.CertmanagerV1().Certificates(ingressGatewayInfo.Namespace).Update(ctx, certificate, metav1.UpdateOptions{}); err != nil {
+			return err
+		}
+	}
+	// delete Certificate
+	if err = c.certManagerCertificateClient.CertmanagerV1().Certificates(ingressGatewayInfo.Namespace).Delete(ctx, certName, metav1.DeleteOptions{}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func getResourceName(btpAppName string, resourceSuffix string) string {
+	return strings.Join([]string{btpAppName, resourceSuffix}, "-")
+}
+
+func (c *Controller) checkCertificateStatus(ctx context.Context, ca *v1alpha1.CAPApplication, certNamespace string, certName string) (bool, error) {
+	switch certificateManager() {
+	case certManagerGardener:
+		// check for existing certificate
+		certificate, err := c.gardenerCertificateClient.CertV1alpha1().Certificates(certNamespace).Get(context.TODO(), certName, metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+
+		// check for ready state
+		if certificate.Status.State == certv1alpha1.StateError {
+			return false, fmt.Errorf(formatResourceStateErr, certv1alpha1.CertificateKind, certv1alpha1.StateError, v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name, *certificate.Status.Message)
+		} else if certificate.Status.State != certv1alpha1.StateReady {
+			klog.Infof(formatResourceState, certv1alpha1.CertificateKind, certificate.Status.State, v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name)
+			return true, nil
+		}
+	case certManagerCertManagerIO:
+		// check for existing certificate
+		certificate, err := c.certManagerCertificateClient.CertmanagerV1().Certificates(certNamespace).Get(context.TODO(), certName, metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+
+		// get ready condition
+		readyCond := getCertManagerReadyCondition(certificate)
+		// check for ready state
+		if readyCond == nil || readyCond.Status == certManagermetav1.ConditionUnknown {
+			klog.Infof(formatResourceState, certManagerv1.CertificateKind, "unknown", v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name)
+			return true, nil
+		} else if readyCond.Status == certManagermetav1.ConditionFalse {
+			return false, fmt.Errorf(formatResourceStateErr, certManagerv1.CertificateKind, "not ready", v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name, readyCond.Message)
+		}
+	}
+	// Cert is Ready
+	return false, nil
+}
+
+func getCertManagerReadyCondition(certificate *certManagerv1.Certificate) *certManagerv1.CertificateCondition {
+	var readyCond *certManagerv1.CertificateCondition
+	for _, cond := range certificate.Status.Conditions {
+		if cond.Type == certManagerv1.CertificateConditionReady {
+			readyCond = &cond
+			break
+		}
+	}
+	return readyCond
+}
+
+func getGatewayServerSpec(domain string, credentialName string) *networkingv1beta1.Server {
+	return &networkingv1beta1.Server{
+		Hosts: []string{"*." + domain},
+		Port: &networkingv1beta1.Port{
+			Number:   443,
+			Protocol: "HTTPS",
+			Name:     domain,
+		},
+		Tls: &networkingv1beta1.ServerTLSSettings{
+			CredentialName: credentialName,
+			Mode:           networkingv1beta1.ServerTLSSettings_SIMPLE,
+		},
+	}
+}
+
+func getGardenerCertificateSpec(commonName string, secretName string) certv1alpha1.CertificateSpec {
+	return certv1alpha1.CertificateSpec{
+		CommonName: &commonName,
+		SecretName: &secretName,
+	}
+}
+
+func getCertManagerCertificateSpec(commonName string, secretName string) certManagerv1.CertificateSpec {
+	return certManagerv1.CertificateSpec{
+		CommonName: commonName,
+		DNSNames:   []string{commonName},
+		SecretName: secretName,
+		IssuerRef: certManagermetav1.ObjectReference{
+			// TODO: make this configurable
+			Kind: certManagerv1.ClusterIssuerKind,
+			Name: "cluster-ca",
+		},
+	}
+}
+
+func (c *Controller) detectTenantDNSEntryChanges(ctx context.Context, cat *v1alpha1.CAPTenant, ca *v1alpha1.CAPApplication, hash string) (bool, error) {
+	labelOwner := map[string]string{
+		LabelOwnerIdentifierHash: sha1Sum(v1alpha1.CAPTenantKind, cat.Namespace, cat.Name),
+	}
+	dnsEntries, err := c.gardenerDNSClient.DnsV1alpha1().DNSEntries(ca.Namespace).List(ctx, metav1.ListOptions{LabelSelector: labels.SelectorFromSet(labelOwner).String()})
+	if err != nil {
+		return false, err
+	}
+	// When no DNSEntry exists --> assume we might have to create some
+	if len(dnsEntries.Items) == 0 {
+		return true, nil
+	}
+
+	// Detect changes on DNSEntry based on known mismatches (hash / length)
+	changeDetected := false
+	// length check
+	if len(dnsEntries.Items) != len(ca.Spec.Domains.Secondary) {
+		changeDetected = true
+	}
+	// hash check
+	if !changeDetected {
+		for _, dnsEntry := range dnsEntries.Items {
+			if dnsEntry.Annotations[AnnotationResourceHash] != hash {
+				changeDetected = true
+				break
+			}
+		}
+	}
+	// Delete all existing DNSEntries
+	if changeDetected {
+		// Delete all existing DNSEntries
+		err = c.gardenerDNSClient.DnsV1alpha1().DNSEntries(ca.Namespace).DeleteCollection(ctx, metav1.DeleteOptions{}, metav1.ListOptions{LabelSelector: labels.SelectorFromSet(labelOwner).String()})
+		if err != nil {
+			return false, err
+		}
+	}
+
+	return changeDetected, nil
+}
+
+func (c *Controller) reconcileTenantDNSEntries(ctx context.Context, cat *v1alpha1.CAPTenant) error {
+	if dnsManager() != dnsManagerGardener {
+		// Not a gardener managed cluster -> return
+		return nil
+	}
+	// get owning CAPApplication
+	ca, _ := c.getCachedCAPApplication(cat.Namespace, cat.Spec.CAPApplicationInstance)
+	ingressGatewayInfo, err := c.getIngressGatewayInfo(ctx, ca)
+	if err != nil {
+		return err
+	}
+	hash := sha256Sum(ingressGatewayInfo.DNSTarget, cat.Spec.SubDomain, strings.Join(ca.Spec.Domains.Secondary, ""))
+	changeDetected, err := c.detectTenantDNSEntryChanges(ctx, cat, ca, hash)
+	if err != nil || !changeDetected {
+		return err
+	}
+
+	// Create DNS Entries
+	for index, domain := range ca.Spec.Domains.Secondary {
+		dnsEntryName := cat.Name + strconv.Itoa(index)
+		_, err = c.gardenerDNSClient.DnsV1alpha1().DNSEntries(ca.Namespace).Create(
+			ctx, &dnsv1alpha1.DNSEntry{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: dnsEntryName,
+					Annotations: map[string]string{
+						GardenerDNSClassIdentifier: GardenerDNSClassValue,
+						AnnotationResourceHash:     hash,
+						AnnotationOwnerIdentifier:  v1alpha1.CAPTenantKind + "." + cat.Namespace + "." + cat.Name,
+					},
+					Labels: map[string]string{
+						LabelOwnerIdentifierHash: sha1Sum(v1alpha1.CAPTenantKind, cat.Namespace, cat.Name),
+					},
+					OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(cat, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPTenantKind))},
+				},
+				Spec: dnsv1alpha1.DNSEntrySpec{
+					DNSName: cat.Spec.SubDomain + "." + domain,
+					Targets: []string{
+						ingressGatewayInfo.DNSTarget,
+					},
+				},
+			}, metav1.CreateOptions{},
+		)
+		// Unknown error --> break loop
+		if err != nil {
+			break
+		}
+	}
+	return err
+}
+
+func (c *Controller) checkTenantDNSEntries(ctx context.Context, cat *v1alpha1.CAPTenant) (bool, error) {
+	// TODO: ensure that the CAPTenant is set to Ready only once all these DNSEntries are actually ready
+	if dnsManager() == dnsManagerGardener {
+		// get relevant DNSEntries
+		dnsEntries, err := c.gardenerDNSClient.DnsV1alpha1().DNSEntries(cat.Namespace).List(ctx, metav1.ListOptions{LabelSelector: labels.SelectorFromValidatedSet(map[string]string{LabelOwnerIdentifierHash: sha1Sum(KindMap[ResourceCAPTenant], cat.Namespace, cat.Name)}).String()})
+		if err != nil {
+			return false, err
+		}
+
+		if len(dnsEntries.Items) == 0 {
+			return false, fmt.Errorf("could not find dnsentries for %s %s.%s", v1alpha1.CAPTenantKind, cat.Namespace, cat.Name)
+		}
+
+		for _, dnsEntry := range dnsEntries.Items {
+			// check for ready state
+			if dnsEntry.Status.State == dnsv1alpha1.STATE_ERROR {
+				return false, fmt.Errorf(formatResourceStateErr, dnsv1alpha1.DNSEntryKind, dnsv1alpha1.STATE_ERROR, v1alpha1.CAPTenantKind, cat.Namespace, cat.Name, *dnsEntry.Status.Message)
+			} else if dnsEntry.Status.State != dnsv1alpha1.STATE_READY {
+				klog.Infof(formatResourceState, dnsv1alpha1.DNSEntryKind, dnsEntry.Status.State, v1alpha1.CAPTenantKind, cat.Namespace, cat.Name)
+				return true, nil
+			}
+		}
+	}
+	// Not a gardener managed cluster -or- DNSEntries Ready -> return
+	return false, nil
+}
+
+func (c *Controller) reconcileTenantNetworking(ctx context.Context, cat *v1alpha1.CAPTenant, cavName string, ca *v1alpha1.CAPApplication) (requeue *ReconcileResult, err error) {
+	var (
+		reason, message        string
+		drModified, vsModified bool
+		eventType              string = corev1.EventTypeNormal
+	)
+
+	defer func() {
+		if err != nil {
+			eventType = corev1.EventTypeWarning
+			message = err.Error()
+			if _, ok := err.(*OperatorGatewayMissingError); ok {
+				err = nil
+				requeue = NewReconcileResultWithResource(ResourceCAPTenant, cat.Name, cat.Namespace, 10*time.Second)
+			}
+		}
+		if reason != "" { // raise event only when there is a modification or problem
+			c.Event(cat, nil, eventType, reason, EventActionReconcileTenantNetworking, message)
+		}
+	}()
+
+	if drModified, err = c.reconcileTenantDestinationRule(ctx, cat, cavName, ca); err != nil {
+		reason = CAPTenantEventDestinationRuleModificationFailed
+		return
+	}
+
+	if vsModified, err = c.reconcileTenantVirtualService(ctx, cat, cavName, ca); err != nil {
+		reason = CAPTenantEventVirtualServiceModificationFailed
+		return
+	}
+
+	// update tenant status
+	if drModified || vsModified {
+		message = fmt.Sprintf("VirtualService (and DestinationRule) %s.%s was reconciled", cat.Namespace, cat.Name)
+		reason = CAPTenantEventTenantNetworkingModified
+		conditionStatus := metav1.ConditionFalse
+		if isCROConditionReady(cat.Status.GenericStatus) {
+			conditionStatus = metav1.ConditionTrue
+		}
+		cat.SetStatusWithReadyCondition(cat.Status.State, conditionStatus, CAPTenantEventTenantNetworkingModified, message)
+	}
+
+	return
+}
+
+func (c *Controller) reconcileTenantDestinationRule(ctx context.Context, cat *v1alpha1.CAPTenant, cavName string, ca *v1alpha1.CAPApplication) (modified bool, err error) {
+	var (
+		create, update bool
+		dr             *istionwv1beta1.DestinationRule
+	)
+	dr, err = c.istioClient.NetworkingV1beta1().DestinationRules(cat.Namespace).Get(ctx, cat.Name, metav1.GetOptions{})
+	if errors.IsNotFound(err) {
+		dr = &istionwv1beta1.DestinationRule{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:            cat.Name, // keep the same name as CAPTenant to avoid duplicates
+				Namespace:       cat.Namespace,
+				Labels:          map[string]string{},
+				OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(cat, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPTenantKind))},
+			},
+		}
+		create = true
+	} else if err != nil {
+		return
+	}
+
+	if update, err = c.getUpdatedTenantDestinationRuleObject(ctx, cat, dr, cavName); err != nil {
+		return
+	}
+
+	if create {
+		_, err = c.istioClient.NetworkingV1beta1().DestinationRules(cat.Namespace).Create(ctx, dr, metav1.CreateOptions{})
+	} else if update {
+		_, err = c.istioClient.NetworkingV1beta1().DestinationRules(cat.Namespace).Update(ctx, dr, metav1.UpdateOptions{})
+	}
+
+	return create || update, err
+}
+
+func (c *Controller) getUpdatedTenantDestinationRuleObject(ctx context.Context, cat *v1alpha1.CAPTenant, dr *istionwv1beta1.DestinationRule, cavName string) (modified bool, err error) {
+	// verify owner reference
+	modified, err = c.enforceTenantResourceOwnership(&dr.ObjectMeta, &dr.TypeMeta, cat)
+	if err != nil {
+		return modified, err
+	}
+
+	routerPortInfo, err := c.getRouterServicePortInfo(cavName, cat.Namespace)
+	if err != nil {
+		return modified, err
+	}
+
+	spec := &networkingv1beta1.DestinationRule{
+		Host: routerPortInfo.WorkloadName + ServiceSuffix + "." + cat.Namespace + ".svc.cluster.local",
+		TrafficPolicy: &networkingv1beta1.TrafficPolicy{
+			LoadBalancer: &networkingv1beta1.LoadBalancerSettings{
+				LbPolicy: &networkingv1beta1.LoadBalancerSettings_ConsistentHash{
+					ConsistentHash: &networkingv1beta1.LoadBalancerSettings_ConsistentHashLB{
+						HashKey: &networkingv1beta1.LoadBalancerSettings_ConsistentHashLB_HttpCookie{
+							HttpCookie: &networkingv1beta1.LoadBalancerSettings_ConsistentHashLB_HTTPCookie{
+								Name: HttpCookieName,
+								Ttl:  durationpb.New(0 * time.Second),
+								Path: "/",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	// check whether changes have to be applied using hash comparison
+	serializedSpec, err := json.Marshal(spec)
+	if err != nil {
+		return modified, fmt.Errorf("error serializing destination rule spec: %s", err.Error())
+	}
+	hash := sha256Sum(string(serializedSpec))
+	if dr.Annotations[AnnotationResourceHash] != hash {
+		dr.Spec = *spec
+		updateResourceAnnotation(&dr.ObjectMeta, hash)
+		modified = true
+	}
+
+	return modified, err
+}
+
+func (c *Controller) reconcileTenantVirtualService(ctx context.Context, cat *v1alpha1.CAPTenant, cavName string, ca *v1alpha1.CAPApplication) (modified bool, err error) {
+	var (
+		create, update bool
+		vs             *istionwv1beta1.VirtualService
+	)
+
+	vs, err = c.istioClient.NetworkingV1beta1().VirtualServices(cat.Namespace).Get(ctx, cat.Name, metav1.GetOptions{})
+	if errors.IsNotFound(err) {
+		vs = &istionwv1beta1.VirtualService{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:            cat.Name, // keep the same name as CAPTenant to avoid duplicates
+				Namespace:       cat.Namespace,
+				Labels:          map[string]string{},
+				OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(cat, v1alpha1.SchemeGroupVersion.WithKind(v1alpha1.CAPTenantKind))},
+			},
+		}
+		create = true
+	} else if err != nil {
+		return
+	}
+
+	if update, err = c.getUpdatedTenantVirtualServiceObject(ctx, cat, vs, cavName, ca); err != nil {
+		return
+	}
+
+	if create {
+		_, err = c.istioClient.NetworkingV1beta1().VirtualServices(cat.Namespace).Create(ctx, vs, metav1.CreateOptions{})
+	} else if update {
+		_, err = c.istioClient.NetworkingV1beta1().VirtualServices(cat.Namespace).Update(ctx, vs, metav1.UpdateOptions{})
+	}
+
+	return create || update, err
+}
+
+func (c *Controller) getUpdatedTenantVirtualServiceObject(ctx context.Context, cat *v1alpha1.CAPTenant, vs *istionwv1beta1.VirtualService, cavName string, ca *v1alpha1.CAPApplication) (modified bool, err error) {
+	if ca == nil {
+		ca, err = c.getCachedCAPApplication(cat.Namespace, cat.Spec.CAPApplicationInstance)
+		if err != nil {
+			return modified, err
+		}
+	}
+
+	// verify owner reference
+	modified, err = c.enforceTenantResourceOwnership(&vs.ObjectMeta, &vs.TypeMeta, cat)
+	if err != nil {
+		return modified, err
+	}
+
+	routerPortInfo, err := c.getRouterServicePortInfo(cavName, ca.Namespace)
+	if err != nil {
+		return modified, err
+	}
+
+	spec := &networkingv1beta1.VirtualService{
+		Gateways: []string{ca.Spec.BTPAppName + "-gw"},
+		Hosts:    []string{cat.Spec.SubDomain + "." + ca.Spec.Domains.Primary},
+		Http: []*networkingv1beta1.HTTPRoute{{
+			Match: []*networkingv1beta1.HTTPMatchRequest{
+				{Uri: &networkingv1beta1.StringMatch{MatchType: &networkingv1beta1.StringMatch_Prefix{Prefix: "/"}}},
+			},
+			Route: []*networkingv1beta1.HTTPRouteDestination{{
+				Destination: &networkingv1beta1.Destination{
+					Host: routerPortInfo.WorkloadName + ServiceSuffix + "." + cat.Namespace + ".svc.cluster.local",
+					Port: &networkingv1beta1.PortSelector{Number: uint32(routerPortInfo.Ports[0].Port)},
+				},
+				Weight: 100,
+			}},
+		}},
+	}
+	err = c.updateTenantVirtualServiceSpecWithSecondaryDomains(ctx, spec, cat, ca)
+	if err != nil {
+		return modified, err
+	}
+
+	// check whether changes have to be applied using hash comparison
+	serializedSpec, err := json.Marshal(spec)
+	if err != nil {
+		return modified, fmt.Errorf("error serializing virtual service spec: %s", err.Error())
+	}
+	hash := sha256Sum(string(serializedSpec))
+	if vs.Annotations[AnnotationResourceHash] != hash {
+		vs.Spec = *spec
+		updateResourceAnnotation(&vs.ObjectMeta, hash)
+		modified = true
+	}
+
+	return modified, err
+}
+
+type OperatorGatewayMissingError struct{}
+
+func (err *OperatorGatewayMissingError) Error() string {
+	return "operator gateway for secondary domains missing"
+}
+
+func (c *Controller) updateTenantVirtualServiceSpecWithSecondaryDomains(ctx context.Context, spec *networkingv1beta1.VirtualService, cat *v1alpha1.CAPTenant, ca *v1alpha1.CAPApplication) error {
+	secondaryDomainsExist := ca.Spec.Domains.Secondary != nil && len(ca.Spec.Domains.Secondary) > 0
+	if !secondaryDomainsExist {
+		return nil
+	}
+
+	// add customer specific domains
+	for _, domain := range ca.Spec.Domains.Secondary {
+		spec.Hosts = append(spec.Hosts, cat.Spec.SubDomain+"."+domain)
+	}
+
+	// Determine Ingress GW service for this app
+	gwInfo, err := c.getIngressGatewayInfo(ctx, ca)
+	if err != nil {
+		return err
+	}
+
+	// Get the relevant central operator GW for this ingress GW
+	operatorGW, _ := c.getOperatorGateway(ctx, gwInfo.Namespace, sha1Sum(gwInfo.DNSTarget))
+	if operatorGW == nil {
+		// requeue for later reconciliation
+		return &OperatorGatewayMissingError{}
+	}
+	spec.Gateways = append(spec.Gateways, operatorGW.Namespace+"/"+operatorGW.Name)
+
+	return nil
+}
+
+func getIngressGatewayLabels(ca *v1alpha1.CAPApplication) map[string]string {
+	ingressLabels := map[string]string{}
+	for _, label := range ca.Spec.Domains.IstioIngressGatewayLabels {
+		ingressLabels[label.Name] = label.Value
+	}
+	return ingressLabels
+}
+
+func (c *Controller) getIngressGatewayInfo(ctx context.Context, ca *v1alpha1.CAPApplication) (ingGwInfo *ingressGatewayInfo, err error) {
+	// create ingress gateway selector from labels
+	ingressLabelSelector, err := labels.ValidatedSelectorFromSet(getIngressGatewayLabels(ca))
+	if err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		if err != nil {
+			c.Event(ca, nil, corev1.EventTypeWarning, CAPApplicationEventMissingIngressGatewayInfo, EventActionProcessingDomainResources, err.Error())
+		}
+	}()
+
+	// Get relevant Ingress Gateway pods
+	ingressPods, err := c.kubeClient.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{LabelSelector: ingressLabelSelector.String()})
+	if err != nil {
+		return nil, err
+	}
+
+	// Determine relevant istio-ingressgateway namespace
+	namespace := ""
+	name := ""
+	// Create a dummy lookup map for determining relevant pods
+	relevantPodsNames := map[string]struct{}{}
+	for _, pod := range ingressPods.Items {
+		// We only support 1 ingress gateway pod namespace as of now! (Multiple pods e.g. replicas can exist in the same namespace)
+		if namespace == "" {
+			namespace = pod.Namespace
+			name = pod.Name
+		} else if namespace != pod.Namespace {
+			return nil, fmt.Errorf("more than one matching ingress gateway pod namespaces found for %s %s.%s", v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name)
+		}
+		relevantPodsNames[pod.Name] = struct{}{}
+	}
+	if namespace == "" {
+		return nil, fmt.Errorf("no matching ingress gateway pod found for %s %s.%s", v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name)
+	}
+
+	// Get dnsTarget
+	// First try to use dnsTarget --> if it is set
+	dnsTarget := ca.Spec.Domains.DnsTarget
+	// Attempt to get dnsTarget from Service via annotation(s)
+	if dnsTarget == "" {
+		ingressGWSvc, err := c.getIngressGatewayService(ctx, namespace, relevantPodsNames, ca)
+		if err != nil {
+			return nil, err
+		}
+		if ingressGWSvc != nil {
+			dnsTarget = getDNSTarget(ingressGWSvc)
+		}
+	}
+	// No DNS Target --> Error
+	if dnsTarget == "" {
+		return nil, fmt.Errorf("ingress gateway service not annotated with dns target name for %s %s.%s", v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name)
+	}
+
+	// Return ingress Gateway info (Namespace and DNS target)
+	return &ingressGatewayInfo{Namespace: namespace, Name: name, DNSTarget: dnsTarget}, nil
+}
+
+func getDNSTarget(ingressGWSvc *corev1.Service) string {
+	var dnsTarget string
+	switch dnsManager() {
+	case dnsManagerGardener:
+		dnsTarget = ingressGWSvc.Annotations[AnnotationGardenerDNSTarget]
+	case dnsManagerKubernetes:
+		dnsTarget = ingressGWSvc.Annotations[AnnotationKubernetesDNSTarget]
+	}
+
+	// Use the 1st value from Comma separated values (if any)
+	return strings.Split(dnsTarget, ",")[0]
+}
+
+func (c *Controller) getLoadBalancerSvcs(ctx context.Context, istioIngressGWNamespace string) ([]corev1.Service, error) {
+	// List all services in the same namespace as the istio-ingressgateway pod namespace
+	allServices, err := c.kubeClient.CoreV1().Services(istioIngressGWNamespace).List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	// Filter out LoadBalancer services
+	loadBalancerSvcs := []corev1.Service{}
+	for _, svc := range allServices.Items {
+		if svc.Spec.Type == corev1.ServiceTypeLoadBalancer {
+			loadBalancerSvcs = append(loadBalancerSvcs, svc)
+		}
+	}
+	return loadBalancerSvcs, nil
+}
+
+func (c *Controller) getIngressGatewayService(ctx context.Context, istioIngressGWNamespace string, relevantPodNames map[string]struct{}, ca *v1alpha1.CAPApplication) (*corev1.Service, error) {
+	loadBalancerSvcs, err := c.getLoadBalancerSvcs(ctx, istioIngressGWNamespace)
+	if err != nil {
+		return nil, err
+	}
+	// Get Relevant services that match the ingress gw pod via selectors
+	var ingressGwSvc corev1.Service
+	for _, svc := range loadBalancerSvcs {
+		// Get all matching ingress GW pods in the ingress gw namespace via ingress gw service selectors
+		matchedPods, err := c.kubeClient.CoreV1().Pods(istioIngressGWNamespace).List(ctx, metav1.ListOptions{LabelSelector: labels.SelectorFromValidatedSet(svc.Spec.Selector).String()})
+		if err != nil {
+			return nil, err
+		}
+		for _, pod := range matchedPods.Items {
+			if _, ok := relevantPodNames[pod.Name]; ok {
+				if ingressGwSvc.Name == "" {
+					// we only expect 1 ingress gateway service in the cluster
+					ingressGwSvc = svc
+					break
+				} else if ingressGwSvc.Name != svc.Name {
+					return nil, fmt.Errorf("more than one matching ingress gateway service found for %s %s.%s", v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name)
+				}
+			}
+		}
+	}
+
+	if ingressGwSvc.Name == "" {
+		return nil, fmt.Errorf("unable to find a matching ingress gateway service for %s %s.%s", v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name)
+	}
+	return &ingressGwSvc, nil
+}
+
+type operatorDomainInfo struct {
+	Namespace         string
+	Name              string
+	ingressGWSelector map[string]string
+	dnsTarget         string
+	Domains           []string
+}
+
+// Operator Domains is a dummy resource that is referenced by a DNSTarget (in QueuedItem) to handle "secondary" domains across all relevant CAPApplications
+// TODO: ignore duplicate reconciliation calls for same dnsTarget, Finalizers... and a whole lot more!
+func (c *Controller) reconcileOperatorDomains(ctx context.Context, item QueueItem, attempts int) error {
+	// Get Relevant Domain Infos
+	relevantDomainInfos, err := c.getRelevantOperatorDomainInfo(ctx)
+	if err != nil {
+		return err
+	}
+
+	for dnsTargetSum, relevantDomainInfo := range relevantDomainInfos {
+		// When no secondary domains exists --> Cleanup and return
+		if len(relevantDomainInfo.Domains) == 0 {
+			return c.cleanUpOperatorDomains(ctx, relevantDomainInfo, dnsTargetSum)
+		}
+
+		// Handle Operator Gateway
+		gw, err := c.handleOperatorGateway(ctx, relevantDomainInfo, dnsTargetSum)
+		if err != nil {
+			return err
+		}
+		// Handle Operator Certificate
+		return c.handleOperatorCertificate(ctx, gw.Name, relevantDomainInfo, dnsTargetSum)
+	}
+	return nil
+}
+
+func (c *Controller) getRelevantOperatorDomainInfo(ctx context.Context) (map[string]*operatorDomainInfo, error) {
+	relevantDomainInfos := map[string]*operatorDomainInfo{}
+	operatorDomainGWs, err := c.istioInformerFactory.Networking().V1beta1().Gateways().Lister().Gateways(metav1.NamespaceAll).List(labels.SelectorFromValidatedSet(map[string]string{LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains)}))
+	if err != nil {
+		return nil, err
+	}
+	// Collect existing operator gateways (without Domains)
+	for _, operatorDomainGW := range operatorDomainGWs {
+		dnsTargetSum := operatorDomainGW.Labels[LabelRelevantDNSTarget]
+		relevantDomainInfos[dnsTargetSum] = &operatorDomainInfo{
+			Namespace:         operatorDomainGW.Namespace,
+			Name:              operatorDomainGW.Name,
+			ingressGWSelector: operatorDomainGW.Spec.Selector,
+			Domains:           []string{},
+		}
+	}
+
+	allCAs, err := c.crdInformerFactory.Sme().V1alpha1().CAPApplications().Lister().CAPApplications(metav1.NamespaceAll).List(labels.Everything())
+	if err != nil {
+		return nil, err
+	}
+	// Create & Update relevant operator gateways with domains
+	for _, ca := range allCAs {
+		// If no secondary domain exists for a CAPApplication --> skip
+		if len(ca.Spec.Domains.Secondary) == 0 {
+			continue
+		}
+		// Create / Update relevant operator domain info
+		if gwInfo, err := c.getIngressGatewayInfo(ctx, ca); err == nil {
+			dnsTarget := trimDNSTarget(gwInfo.DNSTarget)
+
+			dnsTargetSum := sha1Sum(gwInfo.DNSTarget)
+
+			if relevantDomainInfo, ok := relevantDomainInfos[dnsTargetSum]; ok {
+				relevantDomainInfo.Domains = append(relevantDomainInfo.Domains, ca.Spec.Domains.Secondary...)
+				// Fill dnsTarget
+				relevantDomainInfo.dnsTarget = dnsTarget
+			} else {
+				relevantDomainInfos[dnsTargetSum] = &operatorDomainInfo{
+					Namespace:         gwInfo.Namespace,
+					Name:              OperatorDomainNamePrefix,
+					ingressGWSelector: getIngressGatewayLabels(ca),
+					dnsTarget:         dnsTarget,
+					Domains:           ca.Spec.Domains.Secondary,
+				}
+			}
+		} else {
+			return nil, err
+		}
+	}
+
+	return relevantDomainInfos, nil
+}
+
+func (c *Controller) getOperatorGateway(ctx context.Context, gwNamespace string, dnsTargetSum string) (*istionwv1beta1.Gateway, error) {
+	gwSelector, err := labels.ValidatedSelectorFromSet(map[string]string{
+		LabelRelevantDNSTarget:   dnsTargetSum,
+		LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains),
+	})
+	if err != nil {
+		return nil, err
+	}
+	gwList, err := c.istioInformerFactory.Networking().V1beta1().Gateways().Lister().Gateways(gwNamespace).List(gwSelector)
+	if err != nil {
+		return nil, err
+	}
+	if len(gwList) == 0 {
+		return nil, nil
+	}
+	return gwList[0], nil
+}
+
+func (c *Controller) handleOperatorGateway(ctx context.Context, relevantDomainInfo *operatorDomainInfo, dnsTargetSum string) (*istionwv1beta1.Gateway, error) {
+	gw, err := c.getOperatorGateway(ctx, relevantDomainInfo.Namespace, dnsTargetSum)
+	if err != nil {
+		return nil, err
+	}
+	hash := sha256Sum(fmt.Sprintf("%v", relevantDomainInfo))
+	// If no Gateway exists yet --> create one
+	if gw == nil {
+		gw = &istionwv1beta1.Gateway{
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: relevantDomainInfo.Name,
+				Annotations: map[string]string{
+					AnnotationResourceHash:    hash,
+					AnnotationOwnerIdentifier: OperatorDomainLabel,
+				},
+				Labels: map[string]string{
+					LabelRelevantDNSTarget:   dnsTargetSum,
+					LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains),
+				},
+			},
+			Spec: networkingv1beta1.Gateway{
+				Selector: relevantDomainInfo.ingressGWSelector,
+			},
+		}
+		c.updateServerInfo(gw, relevantDomainInfo, relevantDomainInfo.dnsTarget)
+		gw, err = c.istioClient.NetworkingV1beta1().Gateways(relevantDomainInfo.Namespace).Create(ctx, gw, metav1.CreateOptions{})
+	} else if gw.Annotations[AnnotationResourceHash] != hash { // Check if update is needed
+		// Update the relevant gw parts, if there are changes (detected via sha256 sum)
+		gw = gw.DeepCopy()
+		c.updateServerInfo(gw, relevantDomainInfo, relevantDomainInfo.dnsTarget)
+		// Update hash value on annotation
+		updateResourceAnnotation(&gw.ObjectMeta, hash)
+		// Trigger the actual update on the resource
+		gw, err = c.istioClient.NetworkingV1beta1().Gateways(relevantDomainInfo.Namespace).Update(ctx, gw, metav1.UpdateOptions{})
+	}
+	return gw, err
+}
+
+func (c *Controller) updateServerInfo(gw *istionwv1beta1.Gateway, relevantDomainInfo *operatorDomainInfo, dnsTarget string) {
+	gw.Spec.Servers = []*networkingv1beta1.Server{}
+	for _, domain := range relevantDomainInfo.Domains {
+		gw.Spec.Servers = append(gw.Spec.Servers, getGatewayServerSpec(domain, dnsTarget))
+	}
+}
+
+func (c *Controller) handleOperatorCertificate(ctx context.Context, certName string, relevantDomainInfo *operatorDomainInfo, dnsTargetSum string) error {
+	hash := sha256Sum(fmt.Sprintf("%v", relevantDomainInfo))
+	dnsTarget := trimDNSTarget(relevantDomainInfo.dnsTarget)
+	switch certificateManager() {
+	case certManagerGardener:
+		cert, err := c.getGardenerOperatorCertificate(ctx, relevantDomainInfo.Namespace, dnsTargetSum)
+		if err != nil {
+			return err
+		}
+		// If no certiicate exists yet --> create one
+		if cert == nil {
+			cert := &certv1alpha1.Certificate{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: certName,
+					Annotations: map[string]string{
+						AnnotationResourceHash:    hash,
+						AnnotationOwnerIdentifier: OperatorDomainLabel,
+					},
+					Labels: map[string]string{
+						LabelRelevantDNSTarget:   dnsTargetSum,
+						LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains),
+					},
+				},
+				Spec: getGardenerCertificateSpec(dnsTarget, dnsTarget),
+			}
+			cert.Spec.DNSNames = getCertificateDNSNames(relevantDomainInfo)
+			_, err = c.gardenerCertificateClient.CertV1alpha1().Certificates(relevantDomainInfo.Namespace).Create(ctx, cert, metav1.CreateOptions{})
+		} else if cert.Annotations[AnnotationResourceHash] != hash {
+			// Update the relevant certificate parts, if there are changes (detected via sha256 sum)
+			cert = cert.DeepCopy()
+			cert.Spec.DNSNames = getCertificateDNSNames(relevantDomainInfo)
+			// Update hash value on annotation
+			updateResourceAnnotation(&cert.ObjectMeta, hash)
+			// Trigger the actual update on the resource
+			_, err = c.gardenerCertificateClient.CertV1alpha1().Certificates(relevantDomainInfo.Namespace).Update(ctx, cert, metav1.UpdateOptions{})
+		}
+		return err
+	case certManagerCertManagerIO:
+		cert, err := c.getCertManagerOperatorCertificate(ctx, relevantDomainInfo.Namespace, dnsTargetSum)
+		if err != nil {
+			return err
+		}
+		// If no certiicate exists yet --> create one
+		if cert == nil {
+			cert := &certManagerv1.Certificate{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: certName,
+					Annotations: map[string]string{
+						AnnotationResourceHash:    hash,
+						AnnotationOwnerIdentifier: OperatorDomainLabel,
+					},
+					Labels: map[string]string{
+						LabelRelevantDNSTarget:   dnsTargetSum,
+						LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains),
+					},
+				},
+				Spec: getCertManagerCertificateSpec("*."+dnsTarget, dnsTarget),
+			}
+			cert.Spec.DNSNames = getCertificateDNSNames(relevantDomainInfo)
+			_, err = c.certManagerCertificateClient.CertmanagerV1().Certificates(relevantDomainInfo.Namespace).Create(ctx, cert, metav1.CreateOptions{})
+		} else if cert.Annotations[AnnotationResourceHash] != hash {
+			// Update the relevant certificate parts, if there are changes (detected via sha256 sum)
+			cert = cert.DeepCopy()
+			cert.Spec.DNSNames = getCertificateDNSNames(relevantDomainInfo)
+			// Update hash value on annotation
+			updateResourceAnnotation(&cert.ObjectMeta, hash)
+			// Trigger the actual update on the resource
+			_, err = c.certManagerCertificateClient.CertmanagerV1().Certificates(relevantDomainInfo.Namespace).Update(ctx, cert, metav1.UpdateOptions{})
+		}
+		return err
+	}
+	return nil
+}
+
+func (c *Controller) getGardenerOperatorCertificate(ctx context.Context, gwNamespace string, dnsTargetSum string) (*certv1alpha1.Certificate, error) {
+	certSelector, err := labels.ValidatedSelectorFromSet(map[string]string{
+		LabelRelevantDNSTarget:   dnsTargetSum,
+		LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	certList, err := c.gardenerCertInformerFactory.Cert().V1alpha1().Certificates().Lister().Certificates(gwNamespace).List(certSelector)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(certList) == 0 {
+		return nil, nil
+	}
+	return certList[0], nil
+}
+
+func (c *Controller) getCertManagerOperatorCertificate(ctx context.Context, gwNamespace string, dnsTargetSum string) (*certManagerv1.Certificate, error) {
+	certSelector, err := labels.ValidatedSelectorFromSet(map[string]string{
+		LabelRelevantDNSTarget:   dnsTargetSum,
+		LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	certList, err := c.certManagerInformerFactory.Certmanager().V1().Certificates().Lister().Certificates(gwNamespace).List(certSelector)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(certList) == 0 {
+		return nil, nil
+	}
+	return certList[0], nil
+}
+
+func (c *Controller) cleanUpOperatorDomains(ctx context.Context, relevantDomainInfo *operatorDomainInfo, dnsTargetSum string) error {
+	// Delete Operator Gateway (if any)
+	gw, err := c.getOperatorGateway(ctx, relevantDomainInfo.Namespace, dnsTargetSum)
+	if err != nil {
+		return err
+	}
+	if gw != nil {
+		err := c.istioClient.NetworkingV1beta1().Gateways(relevantDomainInfo.Namespace).Delete(ctx, gw.Name, metav1.DeleteOptions{})
+		if err != nil {
+			return err
+		}
+	}
+
+	// Delete Operator certificate (if any)
+	switch certificateManager() {
+	case certManagerGardener:
+		cert, err := c.getGardenerOperatorCertificate(ctx, relevantDomainInfo.Namespace, dnsTargetSum)
+		if err != nil {
+			return err
+		}
+		if cert != nil {
+			return c.gardenerCertificateClient.CertV1alpha1().Certificates(relevantDomainInfo.Namespace).Delete(ctx, cert.Name, metav1.DeleteOptions{})
+		}
+	case certManagerCertManagerIO:
+		cert, err := c.getCertManagerOperatorCertificate(ctx, relevantDomainInfo.Namespace, dnsTargetSum)
+		if err != nil {
+			return err
+		}
+		if cert != nil {
+			return c.certManagerCertificateClient.CertmanagerV1().Certificates(relevantDomainInfo.Namespace).Delete(ctx, cert.Name, metav1.DeleteOptions{})
+		}
+	}
+	return nil
+}
+
+func getCertificateDNSNames(relevantDomainInfo *operatorDomainInfo) []string {
+	dnsNames := []string{}
+	for _, domain := range relevantDomainInfo.Domains {
+		dnsNames = append(dnsNames, "*."+domain)
+	}
+	return dnsNames
+}
+
+func trimDNSTarget(dnsTarget string) string {
+	// Trim dnsTarget to under 64 chars --> TODO: Also handle this in webhook/crd spec
+	for len(dnsTarget) > 64 {
+		dnsTarget = dnsTarget[strings.Index(dnsTarget, ".")+1:]
+	}
+	// Fix for domain gw/creds secret name (Replace *.domain with x.domain for secret name)
+	return strings.ReplaceAll(dnsTarget, "*", "x")
+}
diff --git a/internal/controller/reconcile-domains_test.go b/internal/controller/reconcile-domains_test.go
new file mode 100644
index 0000000..aaa295c
--- /dev/null
+++ b/internal/controller/reconcile-domains_test.go
@@ -0,0 +1,284 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	certManagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	certv1alpha1 "github.com/gardener/cert-management/pkg/apis/cert/v1alpha1"
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	istionwv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+)
+
+func TestController_reconcileOperatorDomains(t *testing.T) {
+	tests := []struct {
+		name                  string
+		createCA              bool
+		createCA2             bool
+		updateCA              bool
+		createIngress         bool
+		cleanUpDomains        bool
+		wantErr               bool
+		expectDomainResources bool
+		enableCertManagerEnv  bool
+	}{
+		{
+			name:                  "Test without CAPApplication",
+			wantErr:               false,
+			expectDomainResources: false,
+		},
+		{
+			name:                  "Test with CAPApplication but without Ingress GW",
+			createCA:              true,
+			wantErr:               true,
+			expectDomainResources: false,
+		},
+		{
+			name:                  "Test with CAPApplication and Ingress GW",
+			createCA:              true,
+			createIngress:         true,
+			wantErr:               false,
+			expectDomainResources: true,
+		},
+		{
+			name:                  "Test cleanup after creation",
+			createCA:              true,
+			createIngress:         true,
+			wantErr:               false,
+			cleanUpDomains:        true,
+			expectDomainResources: false,
+		},
+		{
+			name:                  "Test with multiple CAPApplications and Ingress GW",
+			createCA:              true,
+			createCA2:             true,
+			createIngress:         true,
+			wantErr:               false,
+			expectDomainResources: true,
+		},
+		// {
+		// 	name:                  "Test cleanup with multiple CAPApplications and Ingress GW",
+		// 	createCA:              true,
+		// 	createCA2:             true,
+		// 	createIngress:         true,
+		// 	cleanUpDomains:        true,
+		// 	wantErr:               false,
+		// 	expectDomainResources: true,
+		// },
+		{
+			name:                  "Test update with CAPApplication and Ingress GW",
+			createCA:              true,
+			updateCA:              true,
+			createIngress:         true,
+			wantErr:               false,
+			expectDomainResources: true,
+		},
+		{
+			name:                  "Test with CAPApplication and Ingress GW (enableCertManagerEnv)",
+			createCA:              true,
+			createIngress:         true,
+			enableCertManagerEnv:  true,
+			wantErr:               false,
+			expectDomainResources: true,
+		},
+		{
+			name:                  "Test cleanup after creation (enableCertManagerEnv)",
+			createCA:              true,
+			createIngress:         true,
+			enableCertManagerEnv:  true,
+			wantErr:               false,
+			cleanUpDomains:        true,
+			expectDomainResources: false,
+		},
+		{
+			name:                  "Test with multiple CAPApplications and Ingress GW (enableCertManagerEnv)",
+			createCA:              true,
+			createCA2:             true,
+			createIngress:         true,
+			enableCertManagerEnv:  true,
+			wantErr:               false,
+			expectDomainResources: true,
+		},
+		// {
+		// 	name:                  "Test cleanup with multiple CAPApplications and Ingress GW (enableCertManagerEnv)",
+		// 	createCA:              true,
+		// 	createCA2:             true,
+		// 	createIngress:         true,
+		// 	cleanUpDomains:        true,
+		// 	enableCertManagerEnv:     true,
+		// 	wantErr:               false,
+		// 	expectDomainResources: true,
+		// },
+		{
+			name:                  "Test update with CAPApplication and Ingress GW (enableCertManagerEnv)",
+			createCA:              true,
+			updateCA:              true,
+			createIngress:         true,
+			enableCertManagerEnv:  true,
+			wantErr:               false,
+			expectDomainResources: true,
+		},
+	}
+	defer os.Setenv(certManagerEnv, "")
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.enableCertManagerEnv {
+				os.Setenv(certManagerEnv, certManagerCertManagerIO)
+			} else {
+				os.Setenv(certManagerEnv, certManagerGardener)
+			}
+			var c *Controller
+			var ca *v1alpha1.CAPApplication
+			var ca2 *v1alpha1.CAPApplication
+			var ingressRes *ingressResources
+			if tt.createCA {
+				ca = createCaCRO(caCroName, false)
+				if tt.createCA2 {
+					ca2 = ca.DeepCopy()
+					ca2.Name += "2"
+					ca2.Spec.Domains.Secondary = []string{"2" + secondaryDomain, "3" + secondaryDomain}
+				}
+			}
+
+			if tt.createIngress {
+				ingressRes = createIngressResource(ingressGWName, ca, dnsTarget)
+			}
+
+			c = getTestController(testResources{
+				cas:       []*v1alpha1.CAPApplication{ca, ca2},
+				ingressGW: []*ingressResources{ingressRes},
+			})
+
+			q := QueueItem{
+				Key: ResourceOperatorDomains,
+				ResourceKey: NamespacedResourceKey{
+					Namespace: metav1.NamespaceAll,
+					Name:      "",
+				},
+			}
+			err := c.reconcileOperatorDomains(context.TODO(), q, 0)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Controller.reconcileOperatorDomains() error = %v, wantErr %v", err, tt.wantErr)
+			}
+
+			if tt.updateCA {
+				var gw *istionwv1beta1.Gateway
+				listGWs, _ := c.istioClient.NetworkingV1beta1().Gateways(metav1.NamespaceAll).List(context.TODO(), metav1.ListOptions{LabelSelector: labels.SelectorFromValidatedSet(map[string]string{LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains)}).String()})
+				if len(listGWs.Items) > 0 {
+					gw = listGWs.Items[0]
+					generateMetaObjName(gw)
+				}
+				var gardenerCert *certv1alpha1.Certificate
+				var certManagerCert *certManagerv1.Certificate
+				if tt.enableCertManagerEnv {
+					certManagerCertList, _ := c.certManagerCertificateClient.CertmanagerV1().Certificates(metav1.NamespaceAll).List(context.TODO(), metav1.ListOptions{LabelSelector: labels.SelectorFromValidatedSet(map[string]string{LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains)}).String()})
+					if len(certManagerCertList.Items) > 0 {
+						certManagerCert = &certManagerCertList.Items[0]
+						certManagerCert.Name = gw.Name
+					}
+				} else {
+					gardenerCertList, _ := c.gardenerCertificateClient.CertV1alpha1().Certificates(metav1.NamespaceAll).List(context.TODO(), metav1.ListOptions{LabelSelector: labels.SelectorFromValidatedSet(map[string]string{LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains)}).String()})
+					if len(gardenerCertList.Items) > 0 {
+						gardenerCert = &gardenerCertList.Items[0]
+						gardenerCert.Name = gw.Name
+					}
+				}
+				ca.Spec.Domains.Secondary = []string{"2" + secondaryDomain, "3" + secondaryDomain}
+				c = getTestController(testResources{
+					cas:             []*v1alpha1.CAPApplication{ca, ca2},
+					gateway:         gw,
+					gardenerCert:    gardenerCert,
+					certManagerCert: certManagerCert,
+					ingressGW:       []*ingressResources{ingressRes},
+				})
+				err = c.reconcileOperatorDomains(context.TODO(), q, 0)
+				if (err != nil) != tt.wantErr {
+					t.Errorf("Controller.reconcileOperatorDomains() error = %v, wantErr %v", err, tt.wantErr)
+				}
+			}
+
+			if tt.cleanUpDomains {
+				var gw *istionwv1beta1.Gateway
+				var ingressGW2 *ingressResources
+				listGWs, _ := c.istioClient.NetworkingV1beta1().Gateways(metav1.NamespaceAll).List(context.TODO(), metav1.ListOptions{LabelSelector: labels.SelectorFromValidatedSet(map[string]string{LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains)}).String()})
+				if len(listGWs.Items) > 0 {
+					gw = listGWs.Items[0]
+					generateMetaObjName(gw)
+				}
+				var gardenerCert *certv1alpha1.Certificate
+				var certManagerCert *certManagerv1.Certificate
+				if tt.enableCertManagerEnv {
+					certManagerCertList, _ := c.certManagerCertificateClient.CertmanagerV1().Certificates(metav1.NamespaceAll).List(context.TODO(), metav1.ListOptions{LabelSelector: labels.SelectorFromValidatedSet(map[string]string{LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains)}).String()})
+					if len(certManagerCertList.Items) > 0 {
+						certManagerCert = &certManagerCertList.Items[0]
+						certManagerCert.Name = gw.Name
+					}
+				} else {
+					gardenerCertList, _ := c.gardenerCertificateClient.CertV1alpha1().Certificates(metav1.NamespaceAll).List(context.TODO(), metav1.ListOptions{LabelSelector: labels.SelectorFromValidatedSet(map[string]string{LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains)}).String()})
+					if len(gardenerCertList.Items) > 0 {
+						gardenerCert = &gardenerCertList.Items[0]
+						gardenerCert.Name = gw.Name
+					}
+				}
+				ca.Spec.Domains.Secondary = []string{}
+				if tt.createCA2 {
+					ca2.Spec.Domains.IstioIngressGatewayLabels[0].Value += "2"
+					ca2.Spec.Domains.IstioIngressGatewayLabels[1].Value += "2"
+					ingressGW2 = createIngressResource(ingressGWName+"2", ca2, "Something.that.surely.exceeds.the.64char.limit."+dnsTarget)
+				}
+				c = getTestController(testResources{
+					cas:             []*v1alpha1.CAPApplication{ca, ca2},
+					gateway:         gw,
+					gardenerCert:    gardenerCert,
+					certManagerCert: certManagerCert,
+					ingressGW:       []*ingressResources{ingressRes, ingressGW2},
+				})
+				err = c.reconcileOperatorDomains(context.TODO(), q, 0)
+				if (err != nil) != tt.wantErr {
+					t.Errorf("Controller.reconcileOperatorDomains() error = %v, wantErr %v", err, tt.wantErr)
+				}
+			}
+
+			var gw *istionwv1beta1.Gateway
+			listGWs, _ := c.istioClient.NetworkingV1beta1().Gateways(metav1.NamespaceAll).List(context.TODO(), metav1.ListOptions{LabelSelector: labels.SelectorFromValidatedSet(map[string]string{LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains)}).String()})
+			if len(listGWs.Items) > 0 {
+				gw = listGWs.Items[0]
+			}
+			var cert interface{}
+			if tt.enableCertManagerEnv {
+				certManagerCertList, _ := c.certManagerCertificateClient.CertmanagerV1().Certificates(metav1.NamespaceAll).List(context.TODO(), metav1.ListOptions{LabelSelector: labels.SelectorFromValidatedSet(map[string]string{LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains)}).String()})
+				if len(certManagerCertList.Items) > 0 {
+					cert = &certManagerCertList.Items[0]
+				}
+			} else {
+				gardenerCertList, _ := c.gardenerCertificateClient.CertV1alpha1().Certificates(metav1.NamespaceAll).List(context.TODO(), metav1.ListOptions{LabelSelector: labels.SelectorFromValidatedSet(map[string]string{LabelOwnerIdentifierHash: sha1Sum(CAPOperator, OperatorDomains)}).String()})
+				if len(gardenerCertList.Items) > 0 {
+					cert = &gardenerCertList.Items[0]
+				}
+			}
+
+			if tt.expectDomainResources {
+				if gw == nil {
+					t.Errorf("Controller.reconcileOperatorDomains() error = Expected OperatorDomain Gateway missing")
+				}
+				if cert == nil {
+					t.Errorf("Controller.reconcileOperatorDomains() error = Expected OperatorDomain Certificate missing")
+				}
+			} else {
+				if gw != nil {
+					t.Errorf("Controller.reconcileOperatorDomains() error = Unexpected OperatorDomain Gateway: %v", gw)
+				}
+				if cert != nil {
+					t.Errorf("Controller.reconcileOperatorDomains() error = Unexpected OperatorDomain Certificate: %v", cert)
+				}
+			}
+		})
+	}
+}
diff --git a/internal/controller/reconcile.go b/internal/controller/reconcile.go
new file mode 100644
index 0000000..d7999f6
--- /dev/null
+++ b/internal/controller/reconcile.go
@@ -0,0 +1,523 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/sap/cap-operator/internal/util"
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"golang.org/x/mod/semver"
+	batchv1 "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/klog/v2"
+)
+
+const (
+	LabelOwnerIdentifierHash           = "sme.sap.com/owner-identifier-hash"
+	LabelOwnerGeneration               = "sme.sap.com/owner-generation"
+	LabelWorkloadName                  = "sme.sap.com/workload-name"
+	LabelWorkloadType                  = "sme.sap.com/workload-type"
+	LabelResourceCategory              = "sme.sap.com/category"
+	LabelBTPApplicationIdentifierHash  = "sme.sap.com/btp-app-identifier-hash"
+	LabelTenantType                    = "sme.sap.com/tenant-type"
+	LabelTenantId                      = "sme.sap.com/btp-tenant-id"
+	LabelTenantOperationType           = "sme.sap.com/tenant-operation-type"
+	LabelTenantOperationStep           = "sme.sap.com/tenant-operation-step"
+	LabelCAVVersion                    = "sme.sap.com/cav-version"
+	LabelRelevantDNSTarget             = "sme.sap.com/relevant-dns-target-hash"
+	LabelDisableKarydia                = "x4.sap.com/disable-karydia"
+	AnnotationOwnerIdentifier          = "sme.sap.com/owner-identifier"
+	AnnotationBTPApplicationIdentifier = "sme.sap.com/btp-app-identifier"
+	AnnotationResourceHash             = "sme.sap.com/resource-hash"
+	AnnotationControllerClass          = "sme.sap.com/controller-class"
+	AnnotationIstioSidecarInject       = "sidecar.istio.io/inject"
+	AnnotationGardenerDNSTarget        = "dns.gardener.cloud/dnsnames"
+	AnnotationKubernetesDNSTarget      = "external-dns.alpha.kubernetes.io/hostname"
+	FinalizerCAPApplication            = "sme.sap.com/capapplication"
+	FinalizerCAPApplicationVersion     = "sme.sap.com/capapplicationversion"
+	FinalizerCAPTenant                 = "sme.sap.com/captenant"
+	FinalizerCAPTenantOperation        = "sme.sap.com/captenantoperation"
+	GardenerDNSClassIdentifier         = "dns.gardener.cloud/class"
+)
+
+const (
+	CertificateSuffix     = "certificate"
+	GardenerDNSClassValue = "garden"
+	GatewaySuffix         = "gw"
+	IstioSystemNamespace  = "istio-system"
+	SecretSuffix          = "secret"
+)
+
+var (
+	backoffLimitValue            int32 = 2
+	tTLSecondsAfterFinishedValue int32 = 300
+)
+
+const (
+	ProviderTenantType = "provider"
+	ConsumerTenantType = "consumer"
+)
+
+// Use same name as default cookie from approuter used for session stickiness
+const HttpCookieName = "JSESSIONID"
+
+const (
+	EnvCAPOpAppVersion      = "CAPOP_APP_VERSION"
+	EnvCAPOpTenantID        = "CAPOP_TENANT_ID"
+	EnvCAPOpTenantSubDomain = "CAPOP_TENANT_SUBDOMAIN"
+	EnvCAPOpTenantOperation = "CAPOP_TENANT_OPERATION"
+	EnvVCAPServices         = "VCAP_SERVICES"
+)
+
+type JobState string
+
+const (
+	JobStateComplete   JobState = "Complete"
+	JobStateFailed     JobState = "Failed"
+	JobStateProcessing JobState = "Processing"
+)
+
+type ingressGatewayInfo struct {
+	Namespace string
+	Name      string
+	DNSTarget string
+}
+
+type servicePortInfo struct {
+	WorkloadName   string
+	DeploymentType string
+	Ports          []corev1.ServicePort
+	ClusterPorts   []int32
+	Destinations   []destinationInfo
+}
+
+type destinationInfo struct {
+	DestinationName string
+	Port            int32
+}
+
+const (
+	ServiceSuffix = "-svc"
+)
+
+var restrictedEnvNames = map[string]struct{}{
+	EnvCAPOpAppVersion: {},
+	EnvVCAPServices:    {},
+}
+
+// See https://www.npmjs.com//*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package/@sap/approuter#destinations
+type RouterDestination struct {
+	Name                 string `json:"name"`
+	URL                  string `json:"url"`
+	ProxyHost            string `json:"proxyHost,omitempty"`
+	ProxyPort            string `json:"proxyPort,omitempty"`
+	ForwardAuthToken     bool   `json:"forwardAuthToken,omitempty"`
+	StrictSSL            bool   `json:"strictSSL,omitempty"`
+	Timeout              *int64 `json:"timeout,omitempty"`
+	SetXForwardedHeaders bool   `json:"setXForwardedHeaders,omitempty"`
+	ProxyType            string `json:"proxyType,omitempty"`
+}
+
+func (c *Controller) Event(main runtime.Object, related runtime.Object, eventType, reason, action, message string) {
+	defer func() {
+		// do not let the routine dump due to event recording errors
+		if r := recover(); r != nil {
+			klog.Errorf("error when recording event: ", r)
+		}
+	}()
+	c.eventRecorder.Eventf(main, related, eventType, reason, action, message)
+}
+
+func (c *Controller) getCachedCAPApplication(namespace string, name string) (*v1alpha1.CAPApplication, error) {
+	lister := c.crdInformerFactory.Sme().V1alpha1().CAPApplications().Lister()
+	return lister.CAPApplications(namespace).Get(name)
+}
+
+func (c *Controller) getCachedCAPTenant(namespace string, value string, valueIsTenantId bool) (*v1alpha1.CAPTenant, error) {
+	lister := c.crdInformerFactory.Sme().V1alpha1().CAPTenants().Lister()
+	if !valueIsTenantId {
+		// fetch with name
+		return lister.CAPTenants(namespace).Get(value)
+	}
+
+	// fetch with label selector
+	set := map[string]string{LabelTenantId: value}
+	selector, err := labels.ValidatedSelectorFromSet(set)
+	if err != nil {
+		return nil, err
+	}
+
+	cats, err := lister.CAPTenants(namespace).List(selector)
+	if err != nil {
+		return nil, err
+	}
+	if len(cats) == 0 {
+		return nil, fmt.Errorf("could not find CAPTenant with tenant id %s", value)
+	}
+	return cats[0], nil // expect only one matching tenant
+}
+
+/*
+fetch the latest CAPApplicationVersion in Ready state, for a specified CAPApplication
+*/
+func (c *Controller) getLatestReadyCAPApplicationVersion(ctx context.Context, ca *v1alpha1.CAPApplication, avoidNotFound bool) (*v1alpha1.CAPApplicationVersion, error) {
+	cavs, err := c.getCachedCAPApplicationVersions(ctx, ca)
+	if err != nil {
+		return nil, err
+	}
+
+	var latestCav *v1alpha1.CAPApplicationVersion
+	for _, cav := range cavs {
+		// determine the latest semantic version
+		if isCROConditionReady(cav.Status.GenericStatus) &&
+			(latestCav == nil || semver.Compare("v"+cav.Spec.Version, "v"+latestCav.Spec.Version) == 1) {
+			latestCav = cav
+		}
+	}
+
+	if latestCav == nil && !avoidNotFound {
+		err = fmt.Errorf("could not find a %s with status %s for %s %s.%s", v1alpha1.CAPApplicationVersionKind, v1alpha1.CAPApplicationVersionStateReady, v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name)
+	}
+
+	return latestCav, err
+}
+
+/*
+fetch the latest CAPApplicationVersion, for a specified CAPApplication
+*/
+func (c *Controller) getLatestCAPApplicationVersion(ctx context.Context, ca *v1alpha1.CAPApplication) (*v1alpha1.CAPApplicationVersion, error) {
+	cavs, err := c.getCachedCAPApplicationVersions(ctx, ca)
+	if err != nil {
+		return nil, err
+	}
+
+	var latestCav *v1alpha1.CAPApplicationVersion
+	for _, cav := range cavs {
+		// determine the latest semantic version
+		if latestCav == nil || semver.Compare("v"+cav.Spec.Version, "v"+latestCav.Spec.Version) == 1 {
+			latestCav = cav
+		}
+	}
+
+	if latestCav == nil {
+		err = fmt.Errorf("could not find a %s for %s %s.%s", v1alpha1.CAPApplicationVersionKind, v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name)
+	}
+
+	return latestCav, err
+}
+
+/*
+*
+
+	fetch the relevant CAPApplicationVersion in Ready state, for a specified CAPApplication and version string
+*/
+func (c *Controller) getRelevantCAPApplicationVersion(ctx context.Context, ca *v1alpha1.CAPApplication, version string) (*v1alpha1.CAPApplicationVersion, error) {
+	cavs, err := c.getCachedCAPApplicationVersions(ctx, ca)
+	if err != nil {
+		return nil, err
+	}
+
+	var latestCav *v1alpha1.CAPApplicationVersion
+	for _, cav := range cavs {
+		// determine the matching semantic version and return
+		if isCROConditionReady(cav.Status.GenericStatus) && cav.Spec.Version == version {
+			latestCav = cav
+			break
+		}
+	}
+
+	if latestCav == nil {
+		err = fmt.Errorf("could not find a %s with status %s for %s %s.%s and version %s", v1alpha1.CAPApplicationVersionKind, v1alpha1.CAPApplicationVersionStateReady, v1alpha1.CAPApplicationKind, ca.Namespace, ca.Name, version)
+	}
+
+	return latestCav, err
+}
+
+func (c *Controller) getCachedCAPApplicationVersions(ctx context.Context, ca *v1alpha1.CAPApplication) ([]*v1alpha1.CAPApplicationVersion, error) {
+	selector, err := labels.ValidatedSelectorFromSet(map[string]string{
+		LabelOwnerIdentifierHash: sha1Sum(ca.Namespace, ca.Name),
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return c.crdInformerFactory.Sme().V1alpha1().CAPApplicationVersions().Lister().List(selector)
+}
+
+func (c *Controller) checkSecretsExist(serviceInfos []v1alpha1.ServiceInfo, namespace string) error {
+	var err error
+	secretLister := c.kubeInformerFactory.Core().V1().Secrets().Lister()
+
+	for _, service := range serviceInfos {
+		secretName := service.Secret
+		if _, err = secretLister.Secrets(namespace).Get(secretName); err != nil {
+			break
+		}
+	}
+	return err
+}
+
+// This method is called to handle NotFound error at the beginning of reconciliation to skip requeue on errors due to deletion of resource
+func handleOperatorResourceErrors(err error) error {
+	// Handle NotFound errors (object was most likely deleted)
+	if errors.IsNotFound(err) {
+		return nil // No error, to skips requeue of the resource
+	}
+	return err
+}
+
+func getConsumedServiceMap(consumedServices []string) map[string]string {
+	// Create a Map of consumedServices
+	consumedServicesMap := make(map[string]string)
+	for _, consumedService := range consumedServices {
+		consumedServicesMap[consumedService] = consumedService
+	}
+	return consumedServicesMap
+}
+
+func getConsumedServiceInfos(consumedServicesMap map[string]string, serviceInfos []v1alpha1.ServiceInfo) []v1alpha1.ServiceInfo {
+	consumedServiceInfo := []v1alpha1.ServiceInfo{}
+
+	for _, serviceInfo := range serviceInfos {
+		if serviceInfo.Name == consumedServicesMap[serviceInfo.Name] {
+			consumedServiceInfo = append(consumedServiceInfo, serviceInfo)
+		}
+	}
+	return consumedServiceInfo
+}
+
+func generateVCAPEnv(ns string, serviceInfos []v1alpha1.ServiceInfo, kubeClient kubernetes.Interface) ([]byte, error) {
+	envVCAPServices := map[string][]map[string]any{}
+	for _, serviceInfo := range serviceInfos {
+		entry, err := util.CreateVCAPEntryFromSecret(&serviceInfo, ns, kubeClient)
+		if err != nil {
+			return nil, err
+		}
+
+		// Generate vcap_service info for the class
+		if envVCAPServices[serviceInfo.Class] == nil {
+			envVCAPServices[serviceInfo.Class] = []map[string]any{}
+		}
+		// Simulate attributes that describe a bound service (@TODO: consider adding tags, binding_name, plan etc..)
+		envVCAPServices[serviceInfo.Class] = append(envVCAPServices[serviceInfo.Class], entry)
+	}
+
+	// Return stringified vcap env
+	return json.Marshal(envVCAPServices)
+}
+
+func createVCAPSecret(namePrefix string, ns string, ownerRef metav1.OwnerReference, serviceInfos []v1alpha1.ServiceInfo, kubeClient kubernetes.Interface) (string, error) {
+	// Generate VCAP_SERVICES env. variable
+	vcapEnv, err := generateVCAPEnv(ns, serviceInfos, kubeClient)
+	if err != nil {
+		return "", err
+	}
+
+	// Create a secret for VCAP_SERVICES for the given workload
+	secret, err := kubeClient.CoreV1().Secrets(ns).Create(context.TODO(),
+		&corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName:    namePrefix + "-",
+				OwnerReferences: []metav1.OwnerReference{ownerRef},
+			},
+			StringData: map[string]string{
+				EnvVCAPServices: string(vcapEnv),
+			},
+		},
+		metav1.CreateOptions{},
+	)
+	if err != nil {
+		return "", err
+	}
+	// Successfully created deployment secret --> return name
+	// @TODO: Reconcile CAV once we expect secrets/credentials to be updated
+	return secret.Name, nil
+}
+
+func validateEnv(envConfig []corev1.EnvVar, restrictedNames map[string]struct{}) string {
+	for _, envConfigEntry := range envConfig {
+		if _, ok := restrictedNames[envConfigEntry.Name]; ok {
+			return envConfigEntry.Name
+		}
+	}
+	// No restricted entries found
+	return ""
+}
+
+func errorEnv(workloadType string, entry string) error {
+	return fmt.Errorf("invalid env configuration for workload: %s, remove entry: %s from configuration", workloadType, entry)
+}
+
+func getRelevantJob(workloadType v1alpha1.JobType, cav *v1alpha1.CAPApplicationVersion) *v1alpha1.WorkloadDetails {
+	for _, workload := range cav.Spec.Workloads {
+		if workload.JobDefinition != nil && workload.JobDefinition.Type == workloadType {
+			return &workload
+		}
+	}
+	return nil
+}
+
+func getRelevantDeployment(workloadType v1alpha1.DeploymentType, cav *v1alpha1.CAPApplicationVersion) *v1alpha1.WorkloadDetails {
+	workloads := getDeployments(workloadType, cav)
+	if len(workloads) == 0 {
+		return nil
+	}
+	return &workloads[0]
+}
+
+func getDeployments(workloadType v1alpha1.DeploymentType, cav *v1alpha1.CAPApplicationVersion) []v1alpha1.WorkloadDetails {
+	deployments := []v1alpha1.WorkloadDetails{}
+	for _, workload := range cav.Spec.Workloads {
+		if workload.DeploymentDefinition != nil && workload.DeploymentDefinition.Type == workloadType {
+			deployments = append(deployments, workload)
+		}
+	}
+	return deployments
+}
+
+func getWorkloadByName(name string, cav *v1alpha1.CAPApplicationVersion) *v1alpha1.WorkloadDetails {
+	for _, workload := range cav.Spec.Workloads {
+		if workload.Name == name {
+			return &workload
+		}
+	}
+	return nil
+}
+
+func getJobState(job *batchv1.Job) JobState {
+	// check for completion
+	for _, condition := range job.Status.Conditions {
+		if condition.Status == corev1.ConditionTrue {
+			var state JobState
+			switch condition.Type {
+			case batchv1.JobComplete:
+				state = JobStateComplete
+			case batchv1.JobFailed:
+				state = JobStateFailed
+			default:
+				continue
+			}
+			return state
+		}
+	}
+
+	// probably the job is still in process
+	return JobStateProcessing
+}
+
+func isDeletionImminent(m *metav1.ObjectMeta) bool {
+	if m.DeletionTimestamp == nil {
+		return false
+	}
+	return len(m.Finalizers) == 0
+}
+
+func getRelevantServicePortInfo(cav *v1alpha1.CAPApplicationVersion) []servicePortInfo {
+	overallPortInfos := []servicePortInfo{}
+	for _, workload := range cav.Spec.Workloads {
+		var workloadPortInfo *servicePortInfo
+		if workload.DeploymentDefinition != nil {
+			workloadPortInfo = getWorkloadPortInfo(workload, cav.Name)
+		}
+
+		if workloadPortInfo != nil {
+			overallPortInfos = append(overallPortInfos, *workloadPortInfo)
+		}
+	}
+	return overallPortInfos
+}
+
+func getWorkloadPortInfo(workload v1alpha1.WorkloadDetails, cavName string) *servicePortInfo {
+	var servicePorts []corev1.ServicePort
+	var destinationDetails []destinationInfo
+	var clusterPorts []int32
+	if len(workload.DeploymentDefinition.Ports) > 0 {
+		servicePorts = []corev1.ServicePort{}
+		destinationDetails = []destinationInfo{}
+		clusterPorts = []int32{}
+		for _, port := range workload.DeploymentDefinition.Ports {
+			servicePorts = append(servicePorts, corev1.ServicePort{Name: port.Name, Port: port.Port, AppProtocol: port.AppProtocol})
+			if port.RouterDestinationName != "" {
+				destinationDetails = append(destinationDetails, destinationInfo{
+					DestinationName: port.RouterDestinationName,
+					Port:            port.Port,
+				})
+			}
+			if port.NetworkPolicy == v1alpha1.PortNetworkPolicyTypeCluster {
+				clusterPorts = append(clusterPorts, port.Port)
+			}
+		}
+	}
+	workloadPortInfo := updateWorkloadPortInfo(cavName, workload.Name, workload.DeploymentDefinition.Type, servicePorts, destinationDetails, clusterPorts)
+	return workloadPortInfo
+}
+
+func updateWorkloadPortInfo(cavName string, workloadName string, deploymentType v1alpha1.DeploymentType, servicePorts []corev1.ServicePort, destinationDetails []destinationInfo, clusterPorts []int32) *servicePortInfo {
+	var workloadPortInfo *servicePortInfo
+	if len(servicePorts) == 0 {
+		// Use fallback defaults
+		if deploymentType == v1alpha1.DeploymentRouter {
+			servicePorts = []corev1.ServicePort{
+				{Name: "router-svc-port", Port: defaultRouterPort},
+			}
+		} else if deploymentType == v1alpha1.DeploymentCAP {
+			servicePorts = []corev1.ServicePort{
+				{Name: "server-svc-port", Port: defaultServerPort},
+			}
+			// When there are no ports there can be no destinations, just create a default one for CAP backend
+			destinationDetails = append([]destinationInfo{}, destinationInfo{
+				DestinationName: "srv-api",
+				Port:            defaultServerPort,
+			})
+		}
+	}
+
+	if len(servicePorts) > 0 {
+		workloadPortInfo = &servicePortInfo{
+			WorkloadName:   cavName + "-" + workloadName,
+			DeploymentType: string(deploymentType),
+			Ports:          servicePorts,
+			Destinations:   destinationDetails,
+			ClusterPorts:   clusterPorts,
+		}
+	}
+
+	return workloadPortInfo
+}
+
+func (c *Controller) getRouterServicePortInfo(cavName string, namespace string) (*servicePortInfo, error) {
+	cav, err := c.crdInformerFactory.Sme().V1alpha1().CAPApplicationVersions().Lister().CAPApplicationVersions(namespace).Get(cavName)
+	if err != nil {
+		return nil, err
+	}
+
+	routerWorkload := getRelevantDeployment(v1alpha1.DeploymentRouter, cav)
+
+	return getWorkloadPortInfo(*routerWorkload, cavName), nil
+}
+
+func copyMaps(originalMap map[string]string, additionalMap map[string]string) map[string]string {
+	newMap := map[string]string{}
+	for key, value := range originalMap {
+		newMap[key] = value
+	}
+	for key, value := range additionalMap {
+		newMap[key] = value
+	}
+	return newMap
+}
diff --git a/internal/controller/reconcile_test.go b/internal/controller/reconcile_test.go
new file mode 100644
index 0000000..63c362b
--- /dev/null
+++ b/internal/controller/reconcile_test.go
@@ -0,0 +1,585 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"context"
+	"os"
+	"reflect"
+	"strconv"
+	"strings"
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/rand"
+	k8sfake "k8s.io/client-go/kubernetes/fake"
+	k8stesting "k8s.io/client-go/testing"
+
+	certManagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	certManagerFake "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/fake"
+	certv1alpha1 "github.com/gardener/cert-management/pkg/apis/cert/v1alpha1"
+	certfake "github.com/gardener/cert-management/pkg/client/cert/clientset/versioned/fake"
+	dnsv1alpha1 "github.com/gardener/external-dns-management/pkg/apis/dns/v1alpha1"
+	dnsfake "github.com/gardener/external-dns-management/pkg/client/dns/clientset/versioned/fake"
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"github.com/sap/cap-operator/pkg/client/clientset/versioned/fake"
+	istionwv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+	istiofake "istio.io/client-go/pkg/clientset/versioned/fake"
+)
+
+const (
+	caCroName          = "ca-test-name"
+	providerSubDomain  = "provider-subdomain"
+	consumerSubDomain  = "consumer-subdomain"
+	providerTenantId   = "provider-tenant-id"
+	consumerTenantId   = "consumer-tenant-id"
+	cavCroName         = "cav-test-name"
+	btpApplicationName = "some-app-name"
+	globalAccountId    = "global-id-test"
+	primaryDomain      = "app.sme.sap.com"
+	secondaryDomain    = "sec.sme.sap.com"
+	dnsTarget          = "public-ingress.some.cluster.sap"
+	defaultVersion     = "0.0.1"
+)
+
+const (
+	ingressGWName        = "ingressGw"
+	istioSystemNamespace = "istio-system"
+	gatewayName          = btpApplicationName + "-" + GatewaySuffix
+	certificateName      = btpApplicationName + "-" + CertificateSuffix
+	dnsEntryName         = btpApplicationName + "-" + PrimaryDnsSuffix
+)
+
+type ingressResources struct {
+	service *corev1.Service
+	pod     *corev1.Pod
+}
+
+type testResources struct {
+	cas             []*v1alpha1.CAPApplication
+	cavs            []*v1alpha1.CAPApplicationVersion
+	cats            []*v1alpha1.CAPTenant
+	ingressGW       []*ingressResources
+	gateway         *istionwv1beta1.Gateway
+	gardenerCert    *certv1alpha1.Certificate
+	certManagerCert *certManagerv1.Certificate
+	dnsEntry        *dnsv1alpha1.DNSEntry
+	preventStart    bool
+}
+
+func createIngressResource(name string, ca *v1alpha1.CAPApplication, dnsTarget string) *ingressResources {
+	ingressLabelSelector := map[string]string{}
+	svcName := "istioingress-gateway"
+	namespace := istioSystemNamespace
+	if name != ingressGWName {
+		svcName = name
+		namespace = metav1.NamespaceDefault
+	}
+	for _, label := range ca.Spec.Domains.IstioIngressGatewayLabels {
+		ingressLabelSelector[label.Name] = label.Value
+	}
+
+	return &ingressResources{
+		pod: &corev1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+				Labels:    ingressLabelSelector,
+			},
+		},
+		service: &corev1.Service{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      svcName,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					AnnotationGardenerDNSTarget: dnsTarget,
+				},
+			},
+			Spec: corev1.ServiceSpec{
+				Type:     corev1.ServiceTypeLoadBalancer,
+				Selector: ingressLabelSelector,
+			},
+		},
+	}
+}
+
+func createCaCRO(name string, withFinalizer bool) *v1alpha1.CAPApplication {
+	ca := &v1alpha1.CAPApplication{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: metav1.NamespaceDefault,
+		},
+		Spec: v1alpha1.CAPApplicationSpec{
+			Domains: v1alpha1.ApplicationDomains{
+				Primary:   primaryDomain,
+				Secondary: []string{secondaryDomain},
+				IstioIngressGatewayLabels: []v1alpha1.NameValue{
+					{
+						Name:  "istio",
+						Value: "ingressgateway",
+					},
+					{
+						Name:  "app",
+						Value: "istio-ingressgateway",
+					},
+				},
+			},
+			GlobalAccountId: globalAccountId,
+			BTPAppName:      btpApplicationName,
+			Provider: v1alpha1.BTPTenantIdentification{
+				SubDomain: providerSubDomain,
+				TenantId:  providerTenantId,
+			},
+			BTP: v1alpha1.BTP{
+				Services: []v1alpha1.ServiceInfo{
+					{
+						Class:  "xsuaa",
+						Name:   "test-xsuaa",
+						Secret: "test-xsuaa-sec",
+					},
+					{
+						Class:  "saas-registry",
+						Name:   "test-saas",
+						Secret: "test-saas-sec",
+					},
+					{
+						Class:  "service-manager",
+						Name:   "test-sm",
+						Secret: "test-sm-sec",
+					},
+					{
+						Class:  "destination",
+						Name:   "test-dest",
+						Secret: "test-dest-sec",
+					},
+					{
+						Class:  "html5-apps-repo",
+						Name:   "test-html-host",
+						Secret: "test-html-host-sec",
+					},
+					{
+						Class:  "html5-apps-repo",
+						Name:   "test-html-rt",
+						Secret: "test-html-rt-sec",
+					},
+				},
+			},
+		},
+	}
+
+	if withFinalizer {
+		ca.Finalizers = []string{FinalizerCAPApplication}
+	}
+
+	return ca
+}
+
+func createCavCRO(name string, state v1alpha1.CAPApplicationVersionState, version string) *v1alpha1.CAPApplicationVersion {
+	status := metav1.ConditionFalse
+	if state == v1alpha1.CAPApplicationVersionStateReady || state == v1alpha1.CAPApplicationVersionStateDeleting {
+		status = metav1.ConditionTrue
+	}
+	return &v1alpha1.CAPApplicationVersion{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: metav1.NamespaceDefault,
+			Labels: map[string]string{
+				LabelOwnerIdentifierHash: sha1Sum(metav1.NamespaceDefault, caCroName),
+			},
+		},
+		Spec: v1alpha1.CAPApplicationVersionSpec{
+			CAPApplicationInstance: caCroName,
+			Version:                version,
+			Workloads: []v1alpha1.WorkloadDetails{
+				{
+					Name: "cap-backend-server",
+					ConsumedBTPServices: []string{
+						"test-xsuaa",
+						"test-saas",
+					},
+					DeploymentDefinition: &v1alpha1.DeploymentDetails{
+						Type: v1alpha1.DeploymentCAP,
+						ContainerDetails: v1alpha1.ContainerDetails{
+							Image: "test://image",
+						},
+					},
+				},
+				{
+					Name:                "app-router",
+					ConsumedBTPServices: []string{},
+					DeploymentDefinition: &v1alpha1.DeploymentDetails{
+						ContainerDetails: v1alpha1.ContainerDetails{
+							Image: "test://image",
+						},
+					},
+				},
+			},
+		},
+		Status: v1alpha1.CAPApplicationVersionStatus{
+			GenericStatus: v1alpha1.GenericStatus{
+				Conditions: []metav1.Condition{
+					{
+						Status: status,
+						Type:   string(v1alpha1.ConditionTypeReady),
+					},
+				},
+			},
+			State: state,
+		},
+	}
+}
+
+// Replace GenerateName logic from k8s as fake clients do not generate a name
+func generateName(namePrefix string) string {
+	return namePrefix + rand.String(5)
+}
+
+func generateMetaObjName(obj interface{}) {
+	metaObj, _ := meta.Accessor(obj)
+	if metaObj.GetName() == "" && metaObj.GetGenerateName() != "" {
+		metaObj.SetName(generateName(metaObj.GetGenerateName()))
+	}
+}
+
+func createCatCRO(caName string, tenantType string, withFinalizers bool) *v1alpha1.CAPTenant {
+	cat := &v1alpha1.CAPTenant{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      strings.Join([]string{caName, tenantType}, "-"),
+			Namespace: metav1.NamespaceDefault,
+		},
+		Spec: v1alpha1.CAPTenantSpec{
+			CAPApplicationInstance:  caCroName,
+			BTPTenantIdentification: v1alpha1.BTPTenantIdentification{},
+			Version:                 defaultVersion,
+		},
+		Status: v1alpha1.CAPTenantStatus{
+			CurrentCAPApplicationVersionInstance: cavCroName,
+		},
+	}
+
+	if tenantType == ProviderTenantType {
+		cat.Spec.BTPTenantIdentification.TenantId = providerTenantId
+		cat.Spec.BTPTenantIdentification.SubDomain = providerSubDomain
+	} else {
+		cat.Spec.BTPTenantIdentification.TenantId = consumerTenantId
+		cat.Spec.BTPTenantIdentification.SubDomain = consumerSubDomain
+	}
+
+	if withFinalizers {
+		cat.Finalizers = []string{FinalizerCAPTenant}
+	}
+	return cat
+}
+
+func addRuntimeObjects(objects *[]runtime.Object, object runtime.Object) {
+	if reflect.ValueOf(object).Elem().IsValid() {
+		*objects = append(*objects, object)
+	}
+}
+
+func getTestController(resources testResources) *Controller {
+	crdObjects := []runtime.Object{}
+	coreObjects := []runtime.Object{}
+	istioObjects := []runtime.Object{}
+	gardenerCertObjects := []runtime.Object{}
+	certManagerCertObjects := []runtime.Object{}
+	dnsObjects := []runtime.Object{}
+
+	for _, ca := range resources.cas {
+		addRuntimeObjects(&crdObjects, ca)
+	}
+
+	for _, cav := range resources.cavs {
+		addRuntimeObjects(&crdObjects, cav)
+	}
+
+	for _, cat := range resources.cats {
+		addRuntimeObjects(&crdObjects, cat)
+	}
+
+	for _, ingressGW := range resources.ingressGW {
+		if ingressGW != nil {
+			addRuntimeObjects(&coreObjects, ingressGW.service)
+			addRuntimeObjects(&coreObjects, ingressGW.pod)
+		}
+	}
+
+	addRuntimeObjects(&istioObjects, resources.gateway)
+	addRuntimeObjects(&gardenerCertObjects, resources.gardenerCert)
+	addRuntimeObjects(&certManagerCertObjects, resources.certManagerCert)
+	addRuntimeObjects(&dnsObjects, resources.dnsEntry)
+
+	coreClient := k8sfake.NewSimpleClientset(coreObjects...)
+	coreClient.PrependReactor("create", "*", func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) {
+		act := action.(k8stesting.CreateAction)
+		obj := act.GetObject()
+		generateMetaObjName(obj)
+		return false, obj, nil
+	})
+
+	crdClient := fake.NewSimpleClientset(crdObjects...)
+
+	istioClient := istiofake.NewSimpleClientset(istioObjects...)
+
+	certClient := certfake.NewSimpleClientset(gardenerCertObjects...)
+
+	certManagerCertClient := certManagerFake.NewSimpleClientset(certManagerCertObjects...)
+
+	dnsClient := dnsfake.NewSimpleClientset(dnsObjects...)
+
+	c := NewController(coreClient, crdClient, istioClient, certClient, certManagerCertClient, dnsClient)
+
+	for _, ca := range resources.cas {
+		if ca != nil {
+			c.crdInformerFactory.Sme().V1alpha1().CAPApplications().Informer().GetIndexer().Add(ca)
+		}
+	}
+
+	for _, cav := range resources.cavs {
+		if cav != nil {
+			c.crdInformerFactory.Sme().V1alpha1().CAPApplicationVersions().Informer().GetIndexer().Add(cav)
+		}
+	}
+
+	for _, cat := range resources.cats {
+		if cat != nil {
+			c.crdInformerFactory.Sme().V1alpha1().CAPTenants().Informer().GetIndexer().Add(cat)
+		}
+	}
+
+	if resources.gateway != nil {
+		c.istioClient.NetworkingV1beta1().Gateways(resources.gateway.Namespace).Create(context.TODO(), resources.gateway, metav1.CreateOptions{})
+		c.istioInformerFactory.Networking().V1beta1().Gateways().Informer().GetIndexer().Add(resources.gateway)
+	}
+
+	if resources.gardenerCert != nil {
+		c.gardenerCertInformerFactory.Cert().V1alpha1().Certificates().Informer().GetIndexer().Add(resources.gardenerCert)
+	}
+
+	if resources.certManagerCert != nil {
+		c.certManagerInformerFactory.Certmanager().V1().Certificates().Informer().GetIndexer().Add(resources.certManagerCert)
+	}
+
+	if resources.dnsEntry != nil {
+		c.gardenerDNSInformerFactory.Dns().V1alpha1().DNSEntries().Informer().GetIndexer().Add(resources.dnsEntry)
+	}
+
+	for _, ingressGW := range resources.ingressGW {
+		if ingressGW != nil {
+			c.kubeInformerFactory.Core().V1().Services().Informer().GetIndexer().Add(ingressGW.service)
+			c.kubeInformerFactory.Core().V1().Pods().Informer().GetIndexer().Add(ingressGW.pod)
+		}
+	}
+	if !resources.preventStart {
+		stopCh := make(chan struct{})
+		defer close(stopCh)
+
+		c.crdInformerFactory.Start(stopCh)
+		c.kubeInformerFactory.Start(stopCh)
+		c.istioInformerFactory.Start(stopCh)
+		switch certificateManager() {
+		case certManagerGardener:
+			c.gardenerCertInformerFactory.Start(stopCh)
+		case certManagerCertManagerIO:
+			c.certManagerInformerFactory.Start(stopCh)
+		}
+		c.gardenerDNSInformerFactory.Start(stopCh)
+	}
+
+	return c
+}
+
+func TestMain(m *testing.M) {
+	os.Setenv(certManagerEnv, "gardener")
+	os.Setenv(dnsManagerEnv, "gardener")
+	defer os.Setenv(certManagerEnv, "")
+	defer os.Setenv(dnsManagerEnv, "")
+	m.Run()
+}
+
+func TestGetLatestReadyCAPApplicationVersion(t *testing.T) {
+	tests := []struct {
+		testName        string
+		status          v1alpha1.CAPApplicationVersionState
+		number          int
+		expectedVersion string
+	}{
+		{
+			testName:        "when getLatestReadyCAPApplicationVersion() is called with no CAVs",
+			status:          "",
+			number:          0,
+			expectedVersion: "",
+		},
+		{
+			testName:        "when getLatestReadyCAPApplicationVersion() is called with one CAV in ready state",
+			status:          v1alpha1.CAPApplicationVersionStateReady,
+			number:          1,
+			expectedVersion: "0.0.1",
+		},
+		{
+			testName:        "when getLatestReadyCAPApplicationVersion() is called with one CAV in processing (not ready) state",
+			status:          v1alpha1.CAPApplicationVersionStateProcessing,
+			number:          9,
+			expectedVersion: "",
+		},
+		{
+			testName:        "when getLatestReadyCAPApplicationVersion() is called with multiple CAVs in ready states",
+			status:          v1alpha1.CAPApplicationVersionStateReady,
+			number:          18,
+			expectedVersion: "0.9.0",
+		},
+		{
+			testName:        "when getLatestReadyCAPApplicationVersion() is called with multiple CAVs in mixed states",
+			status:          "mixed",
+			number:          18,
+			expectedVersion: "0.0.9",
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.testName, func(t *testing.T) {
+			ca := createCaCRO(caCroName, true)
+			var cavs []*v1alpha1.CAPApplicationVersion
+
+			for i := 1; i <= test.number; i++ {
+				var state v1alpha1.CAPApplicationVersionState
+				// for mixed states - mark the latest versions in processing (not-ready) state
+				if test.status == "mixed" {
+					if i > 9 {
+						state = v1alpha1.CAPApplicationVersionStateProcessing
+					} else {
+						state = v1alpha1.CAPApplicationVersionStateReady
+					}
+				} else {
+					state = test.status
+				}
+
+				indexString := strconv.Itoa(i)
+				var version string
+				if i > 9 && i < 20 {
+					version = "0." + strconv.Itoa((i+1)-10) + ".0" // 0.1.0 - 0.9.0
+				} else {
+					version = "0.0." + indexString // 0.0.1 - 0.0.9
+				}
+				cav := createCavCRO(cavCroName+version, state, version)
+
+				cavs = append(cavs, cav)
+			}
+
+			c := getTestController(testResources{
+				cas:  []*v1alpha1.CAPApplication{ca},
+				cavs: cavs,
+			})
+
+			latestCav, err := c.getLatestReadyCAPApplicationVersion(context.TODO(), ca, false)
+
+			if test.status == v1alpha1.CAPApplicationVersionStateReady || test.status == "mixed" {
+				if err != nil {
+					t.Fatal("Error should not be thrown")
+				}
+
+				if latestCav.Spec.Version != test.expectedVersion {
+					t.Fatal("Expected version not returned")
+				}
+			} else if err == nil {
+				t.Fatal("Error should be thrown")
+			}
+		})
+	}
+}
+
+func TestGetLatestCAPApplicationVersion(t *testing.T) {
+	tests := []struct {
+		testName        string
+		expectError     bool
+		status          string
+		number          int
+		expectedVersion string
+	}{
+		{
+			testName:        "when getLatestCAPApplicationVersion() is called with no CAVs",
+			expectError:     true,
+			number:          0,
+			expectedVersion: "",
+		},
+		{
+			testName:        "when getLatestCAPApplicationVersion() is called with one CAV in ready state",
+			expectError:     false,
+			number:          1,
+			expectedVersion: "0.0.1",
+		},
+		{
+			testName:        "when getLatestCAPApplicationVersion() is called with one CAV in processing (not ready) state",
+			expectError:     false,
+			status:          "mixed",
+			number:          10,
+			expectedVersion: "0.1.0",
+		},
+		{
+			testName:        "when getLatestCAPApplicationVersion() is called with multiple CAVs in ready states",
+			expectError:     false,
+			number:          18,
+			expectedVersion: "0.9.0",
+		},
+		{
+			testName:        "when getLatestCAPApplicationVersion() is called with multiple CAVs in mixed states",
+			status:          "mixed",
+			number:          18,
+			expectedVersion: "0.9.0",
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.testName, func(t *testing.T) {
+			ca := createCaCRO(caCroName, true)
+			var cavs []*v1alpha1.CAPApplicationVersion
+
+			for i := 1; i <= test.number; i++ {
+				var state v1alpha1.CAPApplicationVersionState
+				// for mixed states - mark the latest versions in processing (not-ready) state
+				if test.status == "mixed" {
+					if i > 9 {
+						state = v1alpha1.CAPApplicationVersionStateProcessing
+					} else {
+						state = v1alpha1.CAPApplicationVersionStateReady
+					}
+				} else {
+					state = v1alpha1.CAPApplicationVersionStateReady
+				}
+
+				indexString := strconv.Itoa(i)
+				var version string
+				if i > 9 && i < 20 {
+					version = "0." + strconv.Itoa((i+1)-10) + ".0" // 0.1.0 - 0.9.0
+				} else {
+					version = "0.0." + indexString // 0.0.1 - 0.0.9
+				}
+				cav := createCavCRO(cavCroName+version, state, version)
+
+				cavs = append(cavs, cav)
+			}
+
+			c := getTestController(testResources{
+				cas:  []*v1alpha1.CAPApplication{ca},
+				cavs: cavs,
+			})
+
+			latestCav, err := c.getLatestCAPApplicationVersion(context.TODO(), ca)
+
+			if test.expectError == false {
+				if err != nil {
+					t.Fatal("Error should not be thrown")
+				}
+
+				if latestCav.Spec.Version != test.expectedVersion {
+					t.Fatal("Expected version not returned")
+				}
+			} else if err == nil {
+				t.Fatal("Error should be thrown")
+			}
+		})
+	}
+}
diff --git a/internal/controller/reconciliation-result.go b/internal/controller/reconciliation-result.go
new file mode 100644
index 0000000..8c2632b
--- /dev/null
+++ b/internal/controller/reconciliation-result.go
@@ -0,0 +1,46 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"time"
+)
+
+type ReconcileResult struct {
+	// the key in this map is a value which corresponds to a specific resource type
+	requeueResources map[int][]RequeueItem
+}
+
+type RequeueItem struct {
+	resourceKey NamespacedResourceKey
+	// requeueAfter tells the Controller to re-queue the item after the specified duration. Defaults to 0s (immediate re-queue)
+	requeueAfter time.Duration
+}
+
+func NewReconcileResult() *ReconcileResult {
+	return &ReconcileResult{}
+}
+
+func NewReconcileResultWithResource(rid int, resourceName string, resourceNamespace string, requeueAfter time.Duration) *ReconcileResult {
+	reconResult := NewReconcileResult()
+	reconResult.AddResource(rid, resourceName, resourceNamespace, requeueAfter)
+	return reconResult
+}
+
+func (r *ReconcileResult) AddResource(rid int, resourceName string, resourceNamespace string, after time.Duration) {
+	resource := NamespacedResourceKey{Namespace: resourceNamespace, Name: resourceName}
+	if r.requeueResources == nil {
+		r.requeueResources = map[int][]RequeueItem{
+			rid: {{resourceKey: resource, requeueAfter: after}},
+		}
+		return
+	}
+	items, ok := r.requeueResources[rid]
+	if !ok {
+		r.requeueResources[rid] = []RequeueItem{{resourceKey: resource, requeueAfter: after}}
+	} else {
+		r.requeueResources[rid] = append(items, RequeueItem{resourceKey: resource, requeueAfter: after})
+	}
+}
diff --git a/internal/controller/testdata/capapplication/ca-01.expected.yaml b/internal/controller/testdata/capapplication/ca-01.expected.yaml
new file mode 100644
index 0000000..4aeaab1
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-01.expected.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: ""
diff --git a/internal/controller/testdata/capapplication/ca-01.initial.yaml b/internal/controller/testdata/capapplication/ca-01.initial.yaml
new file mode 100644
index 0000000..e25a1f5
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-01.initial.yaml
@@ -0,0 +1,38 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: ""
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-02.expected.yaml b/internal/controller/testdata/capapplication/ca-02.expected.yaml
new file mode 100644
index 0000000..f025fd2
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-02.expected.yaml
@@ -0,0 +1,49 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: ProcessingSecrets
+      message: waiting for secrets to get ready for CAPApplication test-cap-01.default
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  state: Processing
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-02.initial.yaml b/internal/controller/testdata/capapplication/ca-02.initial.yaml
new file mode 100644
index 0000000..74de667
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-02.initial.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-03.expected.yaml b/internal/controller/testdata/capapplication/ca-03.expected.yaml
new file mode 100644
index 0000000..1bb1958
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-03.expected.yaml
@@ -0,0 +1,52 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: WaitingForReadyCAPApplicationVersion
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+    - type: LatestVersionReady
+      reason: WaitingForReadyCAPApplicationVersion
+      observedGeneration: 2
+      status: "False"
+  observedGeneration: 2
+  state: Processing
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-03.initial.yaml b/internal/controller/testdata/capapplication/ca-03.initial.yaml
new file mode 100644
index 0000000..74de667
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-03.initial.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-04.expected.yaml b/internal/controller/testdata/capapplication/ca-04.expected.yaml
new file mode 100644
index 0000000..0e739ce
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-04.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: ProviderTenantProcessing
+      message: "provider CAPTenant not ready for CAPApplication default.test-cap-01; waiting for it to be ready"
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Processing
diff --git a/internal/controller/testdata/capapplication/ca-04.initial.yaml b/internal/controller/testdata/capapplication/ca-04.initial.yaml
new file mode 100644
index 0000000..bb22196
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-04.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-05.expected.yaml b/internal/controller/testdata/capapplication/ca-05.expected.yaml
new file mode 100644
index 0000000..1bb1958
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-05.expected.yaml
@@ -0,0 +1,52 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: WaitingForReadyCAPApplicationVersion
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+    - type: LatestVersionReady
+      reason: WaitingForReadyCAPApplicationVersion
+      observedGeneration: 2
+      status: "False"
+  observedGeneration: 2
+  state: Processing
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-05.initial.yaml b/internal/controller/testdata/capapplication/ca-05.initial.yaml
new file mode 100644
index 0000000..74de667
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-05.initial.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-06.expected.yaml b/internal/controller/testdata/capapplication/ca-06.expected.yaml
new file mode 100644
index 0000000..7875d03
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-06.expected.yaml
@@ -0,0 +1,57 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: VersionExists
+      observedGeneration: 2
+      status: "True"
+      type: Ready
+    - reason: LatestVersionReady
+      observedGeneration: 2
+      status: "True"
+      type: LatestVersionReady
+    - reason: AllTenantsReady
+      observedGeneration: 2
+      status: "True"
+      type: AllTenantsReady
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Consistent
diff --git a/internal/controller/testdata/capapplication/ca-06.initial.yaml b/internal/controller/testdata/capapplication/ca-06.initial.yaml
new file mode 100644
index 0000000..bb22196
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-06.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-07.expected.yaml b/internal/controller/testdata/capapplication/ca-07.expected.yaml
new file mode 100644
index 0000000..ca1aba5
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-07.expected.yaml
@@ -0,0 +1,49 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: ProcessingDomainResources
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Processing
diff --git a/internal/controller/testdata/capapplication/ca-07.initial.yaml b/internal/controller/testdata/capapplication/ca-07.initial.yaml
new file mode 100644
index 0000000..74de667
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-07.initial.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-08.expected.yaml b/internal/controller/testdata/capapplication/ca-08.expected.yaml
new file mode 100644
index 0000000..ca1aba5
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-08.expected.yaml
@@ -0,0 +1,49 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: ProcessingDomainResources
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Processing
diff --git a/internal/controller/testdata/capapplication/ca-08.initial.yaml b/internal/controller/testdata/capapplication/ca-08.initial.yaml
new file mode 100644
index 0000000..74de667
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-08.initial.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-09.expected.yaml b/internal/controller/testdata/capapplication/ca-09.expected.yaml
new file mode 100644
index 0000000..6396dc8
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-09.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: ProviderTenantError
+      message: "provider CAPTenant in state ProvisioningError for CAPApplication default.test-cap-01"
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Error
diff --git a/internal/controller/testdata/capapplication/ca-09.initial.yaml b/internal/controller/testdata/capapplication/ca-09.initial.yaml
new file mode 100644
index 0000000..bb22196
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-09.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-10.expected.yaml b/internal/controller/testdata/capapplication/ca-10.expected.yaml
new file mode 100644
index 0000000..3fdd810
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-10.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: DomainResourcesError
+      message: "Certificate in state Error for CAPApplication default.test-cap-01: cert message"
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Error
diff --git a/internal/controller/testdata/capapplication/ca-10.initial.yaml b/internal/controller/testdata/capapplication/ca-10.initial.yaml
new file mode 100644
index 0000000..bb22196
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-10.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-11.expected.yaml b/internal/controller/testdata/capapplication/ca-11.expected.yaml
new file mode 100644
index 0000000..d52d485
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-11.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: DomainResourcesError
+      message: "DNSEntry in state Error for CAPApplication default.test-cap-01: dns message"
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Error
diff --git a/internal/controller/testdata/capapplication/ca-11.initial.yaml b/internal/controller/testdata/capapplication/ca-11.initial.yaml
new file mode 100644
index 0000000..bb22196
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-11.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-12.expected.yaml b/internal/controller/testdata/capapplication/ca-12.expected.yaml
new file mode 100644
index 0000000..25ed51a
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-12.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: ProviderTenantError
+      message: "provider CAPTenant in state UpgradeError for CAPApplication default.test-cap-01"
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Error
diff --git a/internal/controller/testdata/capapplication/ca-12.initial.yaml b/internal/controller/testdata/capapplication/ca-12.initial.yaml
new file mode 100644
index 0000000..bb22196
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-12.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-13.expected.yaml b/internal/controller/testdata/capapplication/ca-13.expected.yaml
new file mode 100644
index 0000000..04d2204
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-13.expected.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplication/ca-13.initial.yaml b/internal/controller/testdata/capapplication/ca-13.initial.yaml
new file mode 100644
index 0000000..bfe51cf
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-13.initial.yaml
@@ -0,0 +1,40 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-14.expected.yaml b/internal/controller/testdata/capapplication/ca-14.expected.yaml
new file mode 100644
index 0000000..2fbdbe2
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-14.expected.yaml
@@ -0,0 +1,41 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplication/ca-14.initial.yaml b/internal/controller/testdata/capapplication/ca-14.initial.yaml
new file mode 100644
index 0000000..4234d73
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-14.initial.yaml
@@ -0,0 +1,41 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-15.expected.yaml b/internal/controller/testdata/capapplication/ca-15.expected.yaml
new file mode 100644
index 0000000..b102df5
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-15.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: DeleteTriggered
+      message: ""
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  state: Deleting
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-15.initial.yaml b/internal/controller/testdata/capapplication/ca-15.initial.yaml
new file mode 100644
index 0000000..4fbc4b3
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-15.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-16.expected.yaml b/internal/controller/testdata/capapplication/ca-16.expected.yaml
new file mode 100644
index 0000000..d88e0d7
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-16.expected.yaml
@@ -0,0 +1,46 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers: []
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: Deleting
+  conditions:
+    - type: Ready
+      reason: DeleteTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-16.initial.yaml b/internal/controller/testdata/capapplication/ca-16.initial.yaml
new file mode 100644
index 0000000..a9d588e
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-16.initial.yaml
@@ -0,0 +1,47 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Deleting"
+  conditions:
+    - type: Ready
+      reason: DeleteTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-17.expected.yaml b/internal/controller/testdata/capapplication/ca-17.expected.yaml
new file mode 100644
index 0000000..ea6f53d
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-17.expected.yaml
@@ -0,0 +1,47 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: Deleting
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-17.initial.yaml b/internal/controller/testdata/capapplication/ca-17.initial.yaml
new file mode 100644
index 0000000..aae4a74
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-17.initial.yaml
@@ -0,0 +1,47 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Deleting"
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-18.expected.yaml b/internal/controller/testdata/capapplication/ca-18.expected.yaml
new file mode 100644
index 0000000..ea6f53d
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-18.expected.yaml
@@ -0,0 +1,47 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: Deleting
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-18.initial.yaml b/internal/controller/testdata/capapplication/ca-18.initial.yaml
new file mode 100644
index 0000000..aae4a74
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-18.initial.yaml
@@ -0,0 +1,47 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Deleting"
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-19.expected.yaml b/internal/controller/testdata/capapplication/ca-19.expected.yaml
new file mode 100644
index 0000000..5c263ac
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-19.expected.yaml
@@ -0,0 +1,46 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers: []
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: Deleting
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-19.initial.yaml b/internal/controller/testdata/capapplication/ca-19.initial.yaml
new file mode 100644
index 0000000..aae4a74
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-19.initial.yaml
@@ -0,0 +1,47 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Deleting"
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-20.expected.yaml b/internal/controller/testdata/capapplication/ca-20.expected.yaml
new file mode 100644
index 0000000..923c348
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-20.expected.yaml
@@ -0,0 +1,47 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: Deleting
+  conditions:
+    - type: Ready
+      reason: DeleteTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-20.initial.yaml b/internal/controller/testdata/capapplication/ca-20.initial.yaml
new file mode 100644
index 0000000..a9d588e
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-20.initial.yaml
@@ -0,0 +1,47 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Deleting"
+  conditions:
+    - type: Ready
+      reason: DeleteTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-21.expected.yaml b/internal/controller/testdata/capapplication/ca-21.expected.yaml
new file mode 100644
index 0000000..0e739ce
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-21.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: ProviderTenantProcessing
+      message: "provider CAPTenant not ready for CAPApplication default.test-cap-01; waiting for it to be ready"
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Processing
diff --git a/internal/controller/testdata/capapplication/ca-21.initial.yaml b/internal/controller/testdata/capapplication/ca-21.initial.yaml
new file mode 100644
index 0000000..bb22196
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-21.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-22.expected.yaml b/internal/controller/testdata/capapplication/ca-22.expected.yaml
new file mode 100644
index 0000000..76ed81b
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-22.expected.yaml
@@ -0,0 +1,53 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: WaitingForReadyCAPApplicationVersion
+      message: ""
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+    - type: LatestVersionReady
+      reason: WaitingForReadyCAPApplicationVersion
+      observedGeneration: 2
+      status: "False"
+  observedGeneration: 2
+  state: Processing
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-22.initial.yaml b/internal/controller/testdata/capapplication/ca-22.initial.yaml
new file mode 100644
index 0000000..74de667
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-22.initial.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-23.expected.yaml b/internal/controller/testdata/capapplication/ca-23.expected.yaml
new file mode 100644
index 0000000..deb8a7d
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-23.expected.yaml
@@ -0,0 +1,58 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: VersionExists
+      message: ""
+      observedGeneration: 2
+      status: "True"
+      type: Ready
+    - type: LatestVersionReady
+      reason: LatestVersionReady
+      observedGeneration: 2
+      status: "True"
+    - type: AllTenantsReady
+      reason: AllTenantsReady
+      observedGeneration: 2
+      status: "True"
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Consistent
diff --git a/internal/controller/testdata/capapplication/ca-23.initial.yaml b/internal/controller/testdata/capapplication/ca-23.initial.yaml
new file mode 100644
index 0000000..bb22196
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-23.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-24.expected.yaml b/internal/controller/testdata/capapplication/ca-24.expected.yaml
new file mode 100644
index 0000000..c859a3d
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-24.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: ProcessingDomainResources
+      message: ""
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Processing
diff --git a/internal/controller/testdata/capapplication/ca-24.initial.yaml b/internal/controller/testdata/capapplication/ca-24.initial.yaml
new file mode 100644
index 0000000..74de667
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-24.initial.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-25.expected.yaml b/internal/controller/testdata/capapplication/ca-25.expected.yaml
new file mode 100644
index 0000000..c859a3d
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-25.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: ProcessingDomainResources
+      message: ""
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Processing
diff --git a/internal/controller/testdata/capapplication/ca-25.initial.yaml b/internal/controller/testdata/capapplication/ca-25.initial.yaml
new file mode 100644
index 0000000..6a8e125
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-25.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
+  domainSpecHash: oudated-hash
diff --git a/internal/controller/testdata/capapplication/ca-26.expected.yaml b/internal/controller/testdata/capapplication/ca-26.expected.yaml
new file mode 100644
index 0000000..6396dc8
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-26.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: ProviderTenantError
+      message: "provider CAPTenant in state ProvisioningError for CAPApplication default.test-cap-01"
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Error
diff --git a/internal/controller/testdata/capapplication/ca-26.initial.yaml b/internal/controller/testdata/capapplication/ca-26.initial.yaml
new file mode 100644
index 0000000..bb22196
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-26.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-27.expected.yaml b/internal/controller/testdata/capapplication/ca-27.expected.yaml
new file mode 100644
index 0000000..b196f9a
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-27.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: DomainResourcesError
+      message: "Certificate in state not ready for CAPApplication default.test-cap-01: cert message"
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Error
diff --git a/internal/controller/testdata/capapplication/ca-27.initial.yaml b/internal/controller/testdata/capapplication/ca-27.initial.yaml
new file mode 100644
index 0000000..bb22196
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-27.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-28.expected.yaml b/internal/controller/testdata/capapplication/ca-28.expected.yaml
new file mode 100644
index 0000000..d52d485
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-28.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: DomainResourcesError
+      message: "DNSEntry in state Error for CAPApplication default.test-cap-01: dns message"
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Error
diff --git a/internal/controller/testdata/capapplication/ca-28.initial.yaml b/internal/controller/testdata/capapplication/ca-28.initial.yaml
new file mode 100644
index 0000000..bb22196
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-28.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-29.expected.yaml b/internal/controller/testdata/capapplication/ca-29.expected.yaml
new file mode 100644
index 0000000..de70616
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-29.expected.yaml
@@ -0,0 +1,55 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: Consistent
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  conditions:
+    - type: Ready
+      observedGeneration: 0
+      status: "True"
+    - type: LatestVersionReady
+      reason: LatestVersionReady
+      observedGeneration: 0
+      status: "True"
+    - type: AllTenantsReady
+      reason: AllTenantsReady
+      observedGeneration: 0
+      status: "True"
diff --git a/internal/controller/testdata/capapplication/ca-29.initial.yaml b/internal/controller/testdata/capapplication/ca-29.initial.yaml
new file mode 100644
index 0000000..7dc67e4
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-29.initial.yaml
@@ -0,0 +1,52 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Consistent"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  conditions:
+    - type: Ready
+      status: "True"
+    - type: LatestVersionReady
+      reason: LatestVersionReady
+      status: "True"
+    - type: AllTenantsReady
+      reason: AllTenantsReady
+      status: "True"
diff --git a/internal/controller/testdata/capapplication/ca-30.expected.yaml b/internal/controller/testdata/capapplication/ca-30.expected.yaml
new file mode 100644
index 0000000..b44507e
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-30.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: ResourceDefinitionChanged
+      message: "re-processing after spec update"
+      observedGeneration: 0
+      status: "False"
+      type: Ready
+  observedGeneration: 0
+  state: Processing
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-30.initial.yaml b/internal/controller/testdata/capapplication/ca-30.initial.yaml
new file mode 100644
index 0000000..dc0f678
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-30.initial.yaml
@@ -0,0 +1,45 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions: []
+  observedGeneration: 999
+  state: "Consistent"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-31.expected.yaml b/internal/controller/testdata/capapplication/ca-31.expected.yaml
new file mode 100644
index 0000000..2572052
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-31.expected.yaml
@@ -0,0 +1,58 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: NewCAVTriggeredTenantUpgrade
+      message: "new version default.test-cap-01-cav-v1-modified was used to trigger tenant upgrades"
+      observedGeneration: 0
+      status: "False"
+      type: Ready
+    - type: LatestVersionReady
+      reason: LatestVersionReady
+      observedGeneration: 0
+      status: "True"
+    - type: AllTenantsReady
+      reason: NotAllTenantsReady
+      observedGeneration: 0
+      status: "False"
+  observedGeneration: 0
+  state: Processing
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-31.initial.yaml b/internal/controller/testdata/capapplication/ca-31.initial.yaml
new file mode 100644
index 0000000..8ad6b34
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-31.initial.yaml
@@ -0,0 +1,44 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: "Consistent"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-32.expected.yaml b/internal/controller/testdata/capapplication/ca-32.expected.yaml
new file mode 100644
index 0000000..2572052
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-32.expected.yaml
@@ -0,0 +1,58 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: NewCAVTriggeredTenantUpgrade
+      message: "new version default.test-cap-01-cav-v1-modified was used to trigger tenant upgrades"
+      observedGeneration: 0
+      status: "False"
+      type: Ready
+    - type: LatestVersionReady
+      reason: LatestVersionReady
+      observedGeneration: 0
+      status: "True"
+    - type: AllTenantsReady
+      reason: NotAllTenantsReady
+      observedGeneration: 0
+      status: "False"
+  observedGeneration: 0
+  state: Processing
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-32.initial.yaml b/internal/controller/testdata/capapplication/ca-32.initial.yaml
new file mode 100644
index 0000000..8ad6b34
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-32.initial.yaml
@@ -0,0 +1,44 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: "Consistent"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-33.expected.yaml b/internal/controller/testdata/capapplication/ca-33.expected.yaml
new file mode 100644
index 0000000..5f386a2
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-33.expected.yaml
@@ -0,0 +1,58 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: NewCAVTriggeredTenantUpgrade
+      message: "new version default.test-cap-01-cav-v1 was used to trigger tenant upgrades"
+      observedGeneration: 0
+      status: "False"
+      type: Ready
+    - type: LatestVersionReady
+      reason: LatestVersionReady
+      observedGeneration: 0
+      status: "True"
+    - type: AllTenantsReady
+      reason: NotAllTenantsReady
+      observedGeneration: 0
+      status: "False"
+  observedGeneration: 0
+  state: Processing
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
diff --git a/internal/controller/testdata/capapplication/ca-33.initial.yaml b/internal/controller/testdata/capapplication/ca-33.initial.yaml
new file mode 100644
index 0000000..8ad6b34
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-33.initial.yaml
@@ -0,0 +1,44 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: "Consistent"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-34.expected.yaml b/internal/controller/testdata/capapplication/ca-34.expected.yaml
new file mode 100644
index 0000000..e2dc6b7
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-34.expected.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: Processing
diff --git a/internal/controller/testdata/capapplication/ca-34.initial.yaml b/internal/controller/testdata/capapplication/ca-34.initial.yaml
new file mode 100644
index 0000000..6fd0396
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-34.initial.yaml
@@ -0,0 +1,41 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: "Processing"
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-35.expected.yaml b/internal/controller/testdata/capapplication/ca-35.expected.yaml
new file mode 100644
index 0000000..d167f20
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-35.expected.yaml
@@ -0,0 +1,47 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: DeletionTriggered
+      observedGeneration: 0
+      status: "False"
+      type: Ready
+  observedGeneration: 0
+  state: Deleting
diff --git a/internal/controller/testdata/capapplication/ca-35.initial.yaml b/internal/controller/testdata/capapplication/ca-35.initial.yaml
new file mode 100644
index 0000000..61f5f77
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-35.initial.yaml
@@ -0,0 +1,46 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: DeletionTriggered
+      status: "False"
+      type: Ready
+  observedGeneration: 0
+  state: Deleting
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-36.expected.yaml b/internal/controller/testdata/capapplication/ca-36.expected.yaml
new file mode 100644
index 0000000..2e286cf
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-36.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: DeleteTriggered
+      message: ""
+      observedGeneration: 0
+      status: "False"
+      type: Ready
+  observedGeneration: 0
+  state: Deleting
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-36.initial.yaml b/internal/controller/testdata/capapplication/ca-36.initial.yaml
new file mode 100644
index 0000000..49dfdd0
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-36.initial.yaml
@@ -0,0 +1,44 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: "Processing"
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/ca-37.expected.yaml b/internal/controller/testdata/capapplication/ca-37.expected.yaml
new file mode 100644
index 0000000..aa89b85
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-37.expected.yaml
@@ -0,0 +1,48 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers: []
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: Deleting
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      observedGeneration: 0
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-37.initial.yaml b/internal/controller/testdata/capapplication/ca-37.initial.yaml
new file mode 100644
index 0000000..3630b65
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-37.initial.yaml
@@ -0,0 +1,48 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: "Deleting"
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-38.expected.yaml b/internal/controller/testdata/capapplication/ca-38.expected.yaml
new file mode 100644
index 0000000..1a4863d
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-38.expected.yaml
@@ -0,0 +1,49 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: Deleting
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      observedGeneration: 0
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-38.initial.yaml b/internal/controller/testdata/capapplication/ca-38.initial.yaml
new file mode 100644
index 0000000..3630b65
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-38.initial.yaml
@@ -0,0 +1,48 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: "Deleting"
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-39.expected.yaml b/internal/controller/testdata/capapplication/ca-39.expected.yaml
new file mode 100644
index 0000000..1a4863d
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-39.expected.yaml
@@ -0,0 +1,49 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: Deleting
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      observedGeneration: 0
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-39.initial.yaml b/internal/controller/testdata/capapplication/ca-39.initial.yaml
new file mode 100644
index 0000000..3630b65
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-39.initial.yaml
@@ -0,0 +1,48 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: "Deleting"
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-40.expected.yaml b/internal/controller/testdata/capapplication/ca-40.expected.yaml
new file mode 100644
index 0000000..aa89b85
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-40.expected.yaml
@@ -0,0 +1,48 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers: []
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: Deleting
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      observedGeneration: 0
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-40.initial.yaml b/internal/controller/testdata/capapplication/ca-40.initial.yaml
new file mode 100644
index 0000000..3630b65
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-40.initial.yaml
@@ -0,0 +1,48 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: "Deleting"
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-41.expected.yaml b/internal/controller/testdata/capapplication/ca-41.expected.yaml
new file mode 100644
index 0000000..1a4863d
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-41.expected.yaml
@@ -0,0 +1,49 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: Deleting
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      observedGeneration: 0
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-41.initial.yaml b/internal/controller/testdata/capapplication/ca-41.initial.yaml
new file mode 100644
index 0000000..3630b65
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-41.initial.yaml
@@ -0,0 +1,48 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  observedGeneration: 0
+  state: "Deleting"
+  conditions:
+    - type: Ready
+      reason: DeletionTriggered
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-42.expected.yaml b/internal/controller/testdata/capapplication/ca-42.expected.yaml
new file mode 100644
index 0000000..0577f23
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-42.expected.yaml
@@ -0,0 +1,48 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Processing"
+  observedGeneration: 2
+  conditions:
+    - type: Ready
+      reason: "ApplicationProcessing"
+      observedGeneration: 2
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-42.initial.yaml b/internal/controller/testdata/capapplication/ca-42.initial.yaml
new file mode 100644
index 0000000..4aeaab1
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-42.initial.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: ""
diff --git a/internal/controller/testdata/capapplication/ca-43.expected.yaml b/internal/controller/testdata/capapplication/ca-43.expected.yaml
new file mode 100644
index 0000000..7b329b2
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-43.expected.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: ProviderTenantError
+      message: "mocked api error (captenants.sme.sap.com/v1alpha1)"
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Error
diff --git a/internal/controller/testdata/capapplication/ca-43.initial.yaml b/internal/controller/testdata/capapplication/ca-43.initial.yaml
new file mode 100644
index 0000000..1330a9b
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-43.initial.yaml
@@ -0,0 +1,48 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: ProcessingDomainResources
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Processing
diff --git a/internal/controller/testdata/capapplication/ca-44.expected.yaml b/internal/controller/testdata/capapplication/ca-44.expected.yaml
new file mode 100644
index 0000000..75d67c8
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-44.expected.yaml
@@ -0,0 +1,49 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  conditions:
+    - reason: DomainResourcesProcessing
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  observedGeneration: 2
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  state: Processing
diff --git a/internal/controller/testdata/capapplication/ca-45.expected.yaml b/internal/controller/testdata/capapplication/ca-45.expected.yaml
new file mode 100644
index 0000000..414981d
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-45.expected.yaml
@@ -0,0 +1,55 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: Consistent
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  conditions:
+    - type: Ready
+      observedGeneration: 0
+      status: "True"
+    - type: LatestVersionReady
+      reason: LatestVersionReady
+      observedGeneration: 0
+      status: "True"
+    - type: AllTenantsReady
+      reason: NotAllTenantsReady
+      observedGeneration: 0
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-45.initial.yaml b/internal/controller/testdata/capapplication/ca-45.initial.yaml
new file mode 100644
index 0000000..2e07b2d
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-45.initial.yaml
@@ -0,0 +1,52 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 0
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
+status:
+  state: "Consistent"
+  domainSpecHash: 84fdeebf558412817f54b17a0158c6b6d53dda98e8bc7a887aaa7170296841f8
+  conditions:
+    - type: Ready
+      status: "True"
+    - type: LatestVersionReady
+      reason: LatestVersionReady
+      status: "True"
+    - type: AllTenantsReady
+      reason: NotAllTenantsReady
+      status: "False"
diff --git a/internal/controller/testdata/capapplication/ca-dns-error.yaml b/internal/controller/testdata/capapplication/ca-dns-error.yaml
new file mode 100644
index 0000000..8dbcfcc
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-dns-error.yaml
@@ -0,0 +1,27 @@
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    sme.sap.com/resource-hash: be44dd98e914aa033f04f18a03338da45b40090b55e0e1c935353f088bd7c583
+    sme.sap.com/owner-identifier: CAPTenant.default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-identifier-hash: ec24f9b09337c244cf5ac64b539f8c04f507cd99
+  name: test-cap-01-primary-dns
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+spec:
+  dnsName: "*.app-domain.test.local"
+  targets:
+    - public-ingress.operator.testing.local
+status:
+  state: Error
+  message: "dns message"
+  targets:
+    - public-ingress.operator.testing.local
+    
diff --git a/internal/controller/testdata/capapplication/ca-dns-not-ready.yaml b/internal/controller/testdata/capapplication/ca-dns-not-ready.yaml
new file mode 100644
index 0000000..bc82540
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-dns-not-ready.yaml
@@ -0,0 +1,23 @@
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    sme.sap.com/resource-hash: be44dd98e914aa033f04f18a03338da45b40090b55e0e1c935353f088bd7c583
+    sme.sap.com/owner-identifier: CAPTenant.default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-identifier-hash: ec24f9b09337c244cf5ac64b539f8c04f507cd99
+  name: test-cap-01-primary-dns
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+spec:
+  dnsName: "*.app-domain.test.local"
+  targets:
+    - public-ingress.operator.testing.local
+status:
+  state: Pending
diff --git a/internal/controller/testdata/capapplication/ca-dns.yaml b/internal/controller/testdata/capapplication/ca-dns.yaml
new file mode 100644
index 0000000..55b80c9
--- /dev/null
+++ b/internal/controller/testdata/capapplication/ca-dns.yaml
@@ -0,0 +1,26 @@
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    sme.sap.com/resource-hash: be44dd98e914aa033f04f18a03338da45b40090b55e0e1c935353f088bd7c583
+    sme.sap.com/owner-identifier: CAPTenant.default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-identifier-hash: ec24f9b09337c244cf5ac64b539f8c04f507cd99
+  name: test-cap-01-primary-dns
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+spec:
+  dnsName: "*.app-domain.test.local"
+  targets:
+    - public-ingress.operator.testing.local
+status:
+  state: Ready
+  targets:
+    - public-ingress.operator.testing.local
+    
diff --git a/internal/controller/testdata/capapplication/cat-consumer-no-finalizers-ready.yaml b/internal/controller/testdata/capapplication/cat-consumer-no-finalizers-ready.yaml
new file mode 100644
index 0000000..65fe433
--- /dev/null
+++ b/internal/controller/testdata/capapplication/cat-consumer-no-finalizers-ready.yaml
@@ -0,0 +1,35 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-consumer
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: consumer
+  name: test-cap-01-consumer
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-s6f4l successfully completed"
+      reason: ProvisioningCompleted
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
diff --git a/internal/controller/testdata/capapplication/cat-consumer-ready.yaml b/internal/controller/testdata/capapplication/cat-consumer-ready.yaml
new file mode 100644
index 0000000..1dbac75
--- /dev/null
+++ b/internal/controller/testdata/capapplication/cat-consumer-ready.yaml
@@ -0,0 +1,38 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-consumer
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: consumer
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+  name: test-cap-01-consumer
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-s6f4l successfully completed"
+      reason: ProvisioningCompleted
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
diff --git a/internal/controller/testdata/capapplication/cat-consumer-upg-never-deleting.yaml b/internal/controller/testdata/capapplication/cat-consumer-upg-never-deleting.yaml
new file mode 100644
index 0000000..3237674
--- /dev/null
+++ b/internal/controller/testdata/capapplication/cat-consumer-upg-never-deleting.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-consumer
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: consumer
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+    sme.sap.com/btp-tenant-id: "provider-tenant-id"
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+  name: test-cap-01-consumer
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  version: 5.6.7
+  versionUpgradeStrategy: never
+status:
+  state: Deleting
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-consumer-xyz1 of type deprovisioning to complete"
+      reason: DeprovisioningOperationCreated
+      status: "False"
+      type: Ready
diff --git a/internal/controller/testdata/capapplication/cat-consumer-upg-never-ready.yaml b/internal/controller/testdata/capapplication/cat-consumer-upg-never-ready.yaml
new file mode 100644
index 0000000..0a72efc
--- /dev/null
+++ b/internal/controller/testdata/capapplication/cat-consumer-upg-never-ready.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-consumer
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: consumer
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+    sme.sap.com/btp-tenant-id: "provider-tenant-id"
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+  name: test-cap-01-consumer
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  version: 5.6.7
+  versionUpgradeStrategy: never
+status:
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-consumer-prvn successfully completed"
+      reason: ProvisioningCompleted
+      status: "True"
+      type: Ready
diff --git a/internal/controller/testdata/capapplication/cat-provider-error.yaml b/internal/controller/testdata/capapplication/cat-provider-error.yaml
new file mode 100644
index 0000000..5bd4ed3
--- /dev/null
+++ b/internal/controller/testdata/capapplication/cat-provider-error.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "Error"
+      reason: ProvisioningError
+      status: "False"
+      type: Ready
+  state: ProvisioningError
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
diff --git a/internal/controller/testdata/capapplication/cat-provider-no-finalizers-error.yaml b/internal/controller/testdata/capapplication/cat-provider-no-finalizers-error.yaml
new file mode 100644
index 0000000..4881478
--- /dev/null
+++ b/internal/controller/testdata/capapplication/cat-provider-no-finalizers-error.yaml
@@ -0,0 +1,35 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "Error"
+      reason: ProvisioningError
+      status: "False"
+      type: Ready
+  state: ProvisioningError
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
diff --git a/internal/controller/testdata/capapplication/cat-provider-no-finalizers-ready.yaml b/internal/controller/testdata/capapplication/cat-provider-no-finalizers-ready.yaml
new file mode 100644
index 0000000..af95ca1
--- /dev/null
+++ b/internal/controller/testdata/capapplication/cat-provider-no-finalizers-ready.yaml
@@ -0,0 +1,35 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-s6f4l successfully completed"
+      reason: ProvisioningCompleted
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
diff --git a/internal/controller/testdata/capapplication/cat-provider-upgrade-error.yaml b/internal/controller/testdata/capapplication/cat-provider-upgrade-error.yaml
new file mode 100644
index 0000000..786e6cd
--- /dev/null
+++ b/internal/controller/testdata/capapplication/cat-provider-upgrade-error.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "UpgradeError"
+      reason: UpgradeError
+      status: "False"
+      type: Ready
+  state: UpgradeError
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
diff --git a/internal/controller/testdata/capapplication/cav-33-version-updated-ready.yaml b/internal/controller/testdata/capapplication/cav-33-version-updated-ready.yaml
new file mode 100644
index 0000000..2c6b77c
--- /dev/null
+++ b/internal/controller/testdata/capapplication/cav-33-version-updated-ready.yaml
@@ -0,0 +1,67 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-03-18T22:14:33Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 9.9.9
+  workloads:
+  - name: cap-backend-srv
+    consumedBTPServices:
+      - cap-uaa
+      - cap-service-manager
+      - cap-saas-registry
+    deploymentDefinition:
+      image: docker.image.repo/srv/server:latest 
+      type: CAP
+  - name: app-router
+    consumedBTPServices:
+      - cap-uaa
+      - cap-saas-registry
+    deploymentDefinition:
+      image: docker.image.repo/approuter/approuter:latest
+      type: Router
+  - name: content-job
+    consumedBTPServices:
+      - cap-uaa
+    jobDefinition:
+      image: docker.image.repo/content/cap-content:latest
+      type: Content    
+  - name: mtx-job
+    consumedBTPServices:
+      - cap-uaa
+      - cap-service-manager
+      - cap-saas-registry
+    jobDefinition:
+      image: docker.image.repo/srv/server:latest
+      type: TenantOperation    
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/capapplication/cav-error.yaml b/internal/controller/testdata/capapplication/cav-error.yaml
new file mode 100644
index 0000000..430f5ba
--- /dev/null
+++ b/internal/controller/testdata/capapplication/cav-error.yaml
@@ -0,0 +1,67 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-03-18T22:14:33Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 5.6.7
+  workloads:
+  - name: cap-backend-srv
+    consumedBTPServices:
+      - cap-uaa
+      - cap-service-manager
+      - cap-saas-registry
+    deploymentDefinition:
+      image: docker.image.repo/srv/server:latest 
+      type: CAP
+  - name: app-router
+    consumedBTPServices:
+      - cap-uaa
+      - cap-saas-registry
+    deploymentDefinition:
+      image: docker.image.repo/approuter/approuter:latest
+      type: Router
+  - name: content-job
+    consumedBTPServices:
+      - cap-uaa
+    jobDefinition:
+      image: docker.image.repo/content/cap-content:latest
+      type: Content    
+  - name: mtx-job
+    consumedBTPServices:
+      - cap-uaa
+      - cap-service-manager
+      - cap-saas-registry
+    jobDefinition:
+      image: docker.image.repo/srv/server:latest
+      type: TenantOperation  
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "False"
+      type: Ready
+  observedGeneration: 1
+  state: Error
diff --git a/internal/controller/testdata/capapplication/cav-name-modified-ready.yaml b/internal/controller/testdata/capapplication/cav-name-modified-ready.yaml
new file mode 100644
index 0000000..fa955f0
--- /dev/null
+++ b/internal/controller/testdata/capapplication/cav-name-modified-ready.yaml
@@ -0,0 +1,67 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-03-18T22:14:33Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1-modified
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 9.9.9
+  workloads:
+  - name: cap-backend-srv
+    consumedBTPServices:
+      - cap-uaa
+      - cap-service-manager
+      - cap-saas-registry
+    deploymentDefinition:
+      image: docker.image.repo/srv/server:latest 
+      type: CAP
+  - name: app-router
+    consumedBTPServices:
+      - cap-uaa
+      - cap-saas-registry
+    deploymentDefinition:
+      image: docker.image.repo/approuter/approuter:latest
+      type: Router
+  - name: content-job
+    consumedBTPServices:
+      - cap-uaa
+    jobDefinition:
+      image: docker.image.repo/content/cap-content:latest
+      type: Content    
+  - name: mtx-job
+    consumedBTPServices:
+      - cap-uaa
+      - cap-service-manager
+      - cap-saas-registry
+    jobDefinition:
+      image: docker.image.repo/srv/server:latest
+      type: TenantOperation  
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/capapplication/gateway.yaml b/internal/controller/testdata/capapplication/gateway.yaml
new file mode 100644
index 0000000..08b01d2
--- /dev/null
+++ b/internal/controller/testdata/capapplication/gateway.yaml
@@ -0,0 +1,30 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+  name: test-cap-01-gw
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+spec:
+  selector:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  servers:
+    - hosts:
+        - "*.app-domain.test.local"
+      port:
+        name: app-domain.test.local
+        number: 443
+        protocol: HTTPS
+      tls:
+        credentialName: default--test-cap-01-secret
+        mode: SIMPLE
diff --git a/internal/controller/testdata/capapplication/istio-ingress-with-cert-error.yaml b/internal/controller/testdata/capapplication/istio-ingress-with-cert-error.yaml
new file mode 100644
index 0000000..39f4d67
--- /dev/null
+++ b/internal/controller/testdata/capapplication/istio-ingress-with-cert-error.yaml
@@ -0,0 +1,65 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+status:
+  phase: Active
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  name: istio-ingressgateway-5dbdc4cdbb-pvgtp
+  namespace: istio-system
+spec:
+  containers:
+    - image: istio.ingress.image.local:1.12.2
+      imagePullPolicy: IfNotPresent
+      name: istio-proxy
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    dns.gardener.cloud/dnsnames: public-ingress.operator.testing.local
+    dns.gardener.cloud/ttl: "600"
+  creationTimestamp: "2022-03-01T15:14:59Z"
+  finalizers:
+    - garden.dns.gardener.cloud/service-dns
+  name: istio-ingressgateway
+  namespace: istio-system
+  resourceVersion: "4876"
+  uid: ee535038-2f0f-4d9a-adbd-1ae05ba1e864
+spec:
+  ports:
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  sessionAffinity: None
+  type: LoadBalancer
+---
+apiVersion: cert.gardener.cloud/v1alpha1
+kind: Certificate
+metadata:
+  name: test-cap-01-certificate
+  namespace: istio-system
+  annotations:
+    sme.sap.com/btp-app-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+  finalizers:
+    - sme.sap.com/capapplication
+spec:
+  commonname: "*.app-domain.test.local"
+  secretname: default--test-cap-01-secret
+status:
+  observedGeneration: 0
+  state: Error
+  message: "cert message"
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/istio-ingress-with-cert-no-finalizers.yaml b/internal/controller/testdata/capapplication/istio-ingress-with-cert-no-finalizers.yaml
new file mode 100644
index 0000000..cd8c9db
--- /dev/null
+++ b/internal/controller/testdata/capapplication/istio-ingress-with-cert-no-finalizers.yaml
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+status:
+  phase: Active
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  name: istio-ingressgateway-5dbdc4cdbb-pvgtp
+  namespace: istio-system
+spec:
+  containers:
+    - image: istio.ingress.image.local:1.12.2
+      imagePullPolicy: IfNotPresent
+      name: istio-proxy
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    dns.gardener.cloud/dnsnames: public-ingress.operator.testing.local
+    dns.gardener.cloud/ttl: "600"
+  creationTimestamp: "2022-03-01T15:14:59Z"
+  name: istio-ingressgateway
+  namespace: istio-system
+  resourceVersion: "4876"
+  uid: ee535038-2f0f-4d9a-adbd-1ae05ba1e864
+spec:
+  ports:
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  sessionAffinity: None
+  type: LoadBalancer
+---
+apiVersion: cert.gardener.cloud/v1alpha1
+kind: Certificate
+metadata:
+  name: test-cap-01-certificate
+  namespace: istio-system
+  annotations:
+    sme.sap.com/btp-app-identifier: default.test-cap-01
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+spec:
+  commonname: "*.app-domain.test.local"
+  secretname: default--test-cap-01-secret
+status:
+  observedGeneration: 0
+  state: Ready
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/istio-ingress-with-cert.yaml b/internal/controller/testdata/capapplication/istio-ingress-with-cert.yaml
new file mode 100644
index 0000000..60ef1a0
--- /dev/null
+++ b/internal/controller/testdata/capapplication/istio-ingress-with-cert.yaml
@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+status:
+  phase: Active
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  name: istio-ingressgateway-5dbdc4cdbb-pvgtp
+  namespace: istio-system
+spec:
+  containers:
+    - image: istio.ingress.image.local:1.12.2
+      imagePullPolicy: IfNotPresent
+      name: istio-proxy
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    dns.gardener.cloud/dnsnames: public-ingress.operator.testing.local
+    dns.gardener.cloud/ttl: "600"
+  creationTimestamp: "2022-03-01T15:14:59Z"
+  finalizers:
+    - garden.dns.gardener.cloud/service-dns
+  name: istio-ingressgateway
+  namespace: istio-system
+  resourceVersion: "4876"
+  uid: ee535038-2f0f-4d9a-adbd-1ae05ba1e864
+spec:
+  ports:
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  sessionAffinity: None
+  type: LoadBalancer
+---
+apiVersion: cert.gardener.cloud/v1alpha1
+kind: Certificate
+metadata:
+  name: test-cap-01-certificate
+  namespace: istio-system
+  annotations:
+    sme.sap.com/btp-app-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+  finalizers:
+    - sme.sap.com/capapplication
+spec:
+  commonname: "*.app-domain.test.local"
+  secretname: default--test-cap-01-secret
+status:
+  observedGeneration: 0
+  state: Ready
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/istio-ingress-with-certManager-error.yaml b/internal/controller/testdata/capapplication/istio-ingress-with-certManager-error.yaml
new file mode 100644
index 0000000..e96e951
--- /dev/null
+++ b/internal/controller/testdata/capapplication/istio-ingress-with-certManager-error.yaml
@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+status:
+  phase: Active
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  name: istio-ingressgateway-5dbdc4cdbb-pvgtp
+  namespace: istio-system
+spec:
+  containers:
+    - image: istio.ingress.image.local:1.12.2
+      imagePullPolicy: IfNotPresent
+      name: istio-proxy
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    dns.gardener.cloud/dnsnames: public-ingress.operator.testing.local
+    dns.gardener.cloud/ttl: "600"
+  creationTimestamp: "2022-03-01T15:14:59Z"
+  finalizers:
+    - garden.dns.gardener.cloud/service-dns
+  name: istio-ingressgateway
+  namespace: istio-system
+  resourceVersion: "4876"
+  uid: ee535038-2f0f-4d9a-adbd-1ae05ba1e864
+spec:
+  ports:
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  sessionAffinity: None
+  type: LoadBalancer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: test-cap-01-certificate
+  namespace: istio-system
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+        sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  finalizers:
+    - sme.sap.com/capapplication
+spec:
+  commonname: "*.app-domain.test.local"
+  secretname: default--test-cap-01-secret
+status:
+  conditions:
+  - message: "cert message"
+    reason: ""
+    status: "False"
+    type: Ready
+    observedGeneration: 0
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/istio-ingress-with-certManager-no-finalizers.yaml b/internal/controller/testdata/capapplication/istio-ingress-with-certManager-no-finalizers.yaml
new file mode 100644
index 0000000..9082b45
--- /dev/null
+++ b/internal/controller/testdata/capapplication/istio-ingress-with-certManager-no-finalizers.yaml
@@ -0,0 +1,66 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+status:
+  phase: Active
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  name: istio-ingressgateway-5dbdc4cdbb-pvgtp
+  namespace: istio-system
+spec:
+  containers:
+    - image: istio.ingress.image.local:1.12.2
+      imagePullPolicy: IfNotPresent
+      name: istio-proxy
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    dns.gardener.cloud/dnsnames: public-ingress.operator.testing.local
+    dns.gardener.cloud/ttl: "600"
+  creationTimestamp: "2022-03-01T15:14:59Z"
+  finalizers:
+    - garden.dns.gardener.cloud/service-dns
+  name: istio-ingressgateway
+  namespace: istio-system
+  resourceVersion: "4876"
+  uid: ee535038-2f0f-4d9a-adbd-1ae05ba1e864
+spec:
+  ports:
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  sessionAffinity: None
+  type: LoadBalancer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: test-cap-01-certificate
+  namespace: istio-system
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+        sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+spec:
+  commonname: "*.app-domain.test.local"
+  secretname: default--test-cap-01-secret
+status:
+  conditions:
+  - message: "cert message"
+    reason: ""
+    status: "True"
+    type: Ready
+    observedGeneration: 0
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/istio-ingress-with-certManager.yaml b/internal/controller/testdata/capapplication/istio-ingress-with-certManager.yaml
new file mode 100644
index 0000000..cd2a049
--- /dev/null
+++ b/internal/controller/testdata/capapplication/istio-ingress-with-certManager.yaml
@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+status:
+  phase: Active
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  name: istio-ingressgateway-5dbdc4cdbb-pvgtp
+  namespace: istio-system
+spec:
+  containers:
+    - image: istio.ingress.image.local:1.12.2
+      imagePullPolicy: IfNotPresent
+      name: istio-proxy
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    dns.gardener.cloud/dnsnames: public-ingress.operator.testing.local
+    dns.gardener.cloud/ttl: "600"
+  creationTimestamp: "2022-03-01T15:14:59Z"
+  finalizers:
+    - garden.dns.gardener.cloud/service-dns
+  name: istio-ingressgateway
+  namespace: istio-system
+  resourceVersion: "4876"
+  uid: ee535038-2f0f-4d9a-adbd-1ae05ba1e864
+spec:
+  ports:
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  sessionAffinity: None
+  type: LoadBalancer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: test-cap-01-certificate
+  namespace: istio-system
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+        sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  finalizers:
+    - sme.sap.com/capapplication
+spec:
+  commonname: "*.app-domain.test.local"
+  secretname: default--test-cap-01-secret
+status:
+  conditions:
+  - message: "cert message"
+    reason: ""
+    status: "True"
+    type: Ready
+    observedGeneration: 0
\ No newline at end of file
diff --git a/internal/controller/testdata/capapplication/istio-ingress-with-no-cert.yaml b/internal/controller/testdata/capapplication/istio-ingress-with-no-cert.yaml
new file mode 100644
index 0000000..f4bb51d
--- /dev/null
+++ b/internal/controller/testdata/capapplication/istio-ingress-with-no-cert.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+status:
+  phase: Active
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  name: istio-ingressgateway-5dbdc4cdbb-pvgtp
+  namespace: istio-system
+spec:
+  containers:
+    - image: istio.ingress.image.local:1.12.2
+      imagePullPolicy: IfNotPresent
+      name: istio-proxy
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    dns.gardener.cloud/dnsnames: public-ingress.operator.testing.local
+    dns.gardener.cloud/ttl: "600"
+  creationTimestamp: "2022-03-01T15:14:59Z"
+  finalizers:
+    - garden.dns.gardener.cloud/service-dns
+  name: istio-ingressgateway
+  namespace: istio-system
+  resourceVersion: "4876"
+  uid: ee535038-2f0f-4d9a-adbd-1ae05ba1e864
+spec:
+  ports:
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  sessionAffinity: None
+  type: LoadBalancer
diff --git a/internal/controller/testdata/capapplicationversion/cat-provider-version.yaml b/internal/controller/testdata/capapplicationversion/cat-provider-version.yaml
new file mode 100644
index 0000000..3dbffd3
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cat-provider-version.yaml
@@ -0,0 +1,31 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 1.2.3
+  versionUpgradeStrategy: always
+status:
+  state: Upgrading
diff --git a/internal/controller/testdata/capapplicationversion/cav-annotations.yaml b/internal/controller/testdata/capapplicationversion/cav-annotations.yaml
new file mode 100644
index 0000000..7a2e0c3
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-annotations.yaml
@@ -0,0 +1,170 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+        ports:
+          - name: "app-port"
+            port: 4004
+            routerDestinationName: "srv-api"
+            appProtocol: http
+          - name: "app-tech-port"
+            port: 4005
+            networkPolicy: "Cluster"
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: app-router
+      annotations:
+        foo: "bar"
+        sme.sap.com/some-custom-annotation: "some value for the annotation: 'sme.sap.com/some-custom-annotation'"
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+        ports:
+          - name: "router-port"
+            port: 4000
+            appProtocol: http
+          - name: "router-tech-port"
+            port: 4004
+            networkPolicy: "Cluster"
+          - name: "router-metrics-port"
+            port: 4007
+            networkPolicy: "Cluster"
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 2000
+        podSecurityContext:
+          runAsUser: 2000
+          fsGroup: 2000
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/cav-cluster-netpol-port.yaml b/internal/controller/testdata/capapplicationversion/cav-cluster-netpol-port.yaml
new file mode 100644
index 0000000..73bc898
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-cluster-netpol-port.yaml
@@ -0,0 +1,153 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+        ports:
+          - name: "router-port"
+            port: 4000
+            appProtocol: http
+          - name: "router-tech-port"
+            port: 4004
+            networkPolicy: "Cluster"
+          - name: "router-metrics-port"
+            port: 4007
+            networkPolicy: "Cluster"
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/cav-custom-destination-config.yaml b/internal/controller/testdata/capapplicationversion/cav-custom-destination-config.yaml
new file mode 100644
index 0000000..58bc299
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-custom-destination-config.yaml
@@ -0,0 +1,71 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        ports:
+          - name: server-app-port
+            port: 4000
+            routerDestinationName: custom-srv-api
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/cav-custom-labels.yaml b/internal/controller/testdata/capapplicationversion/cav-custom-labels.yaml
new file mode 100644
index 0000000..c977b3b
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-custom-labels.yaml
@@ -0,0 +1,101 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      labels:
+        foo: bar
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+    - name: app-router
+      labels:
+        foo: bar
+        sme.sap.com/app-type: my-cap-operator-app
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+    - name: content-job
+      labels:
+        foo: bar
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+    - name: mtx-job
+      labels:
+        foo: bar
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      labels:
+        foo: bar
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/cav-empty-status.yaml b/internal/controller/testdata/capapplicationversion/cav-empty-status.yaml
new file mode 100644
index 0000000..881987b
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-empty-status.yaml
@@ -0,0 +1,48 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier: default.test-cap-01
+  name: test-cap-01-cav-v1
+  namespace: default
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
diff --git a/internal/controller/testdata/capapplicationversion/cav-error-condition-status.yaml b/internal/controller/testdata/capapplicationversion/cav-error-condition-status.yaml
new file mode 100644
index 0000000..c408ac0
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-error-condition-status.yaml
@@ -0,0 +1,55 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier: default.test-cap-01
+  name: test-cap-01-cav-v1
+  namespace: default
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: Unknown
+      status: "False"
+      type: Ready
+  observedGeneration: 1
+  state: Error
diff --git a/internal/controller/testdata/capapplicationversion/cav-error-status.yaml b/internal/controller/testdata/capapplicationversion/cav-error-status.yaml
new file mode 100644
index 0000000..2d8a23f
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-error-status.yaml
@@ -0,0 +1,50 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier: default.test-cap-01
+  name: test-cap-01-cav-v1
+  namespace: default
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  state: Error
diff --git a/internal/controller/testdata/capapplicationversion/cav-failed-content-job.yaml b/internal/controller/testdata/capapplicationversion/cav-failed-content-job.yaml
new file mode 100644
index 0000000..b9be919
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-failed-content-job.yaml
@@ -0,0 +1,70 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: ErrorInWorkloadStatus
+      status: "False"
+      type: Ready
+      message: "content deployer error in job 'test-cap-01-cav-v1-content'"
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Error
diff --git a/internal/controller/testdata/capapplicationversion/cav-invalid-ca.yaml b/internal/controller/testdata/capapplicationversion/cav-invalid-ca.yaml
new file mode 100644
index 0000000..bcdf5bd
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-invalid-ca.yaml
@@ -0,0 +1,44 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  name: test-cap-01-cav-v1
+  namespace: default
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
diff --git a/internal/controller/testdata/capapplicationversion/cav-invalid-env-cap.yaml b/internal/controller/testdata/capapplicationversion/cav-invalid-env-cap.yaml
new file mode 100644
index 0000000..8272340
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-invalid-env-cap.yaml
@@ -0,0 +1,69 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: VCAP_SERVICES
+        value: "{'foo':'bar'}"
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            value: "true"
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/cav-invalid-env-content.yaml b/internal/controller/testdata/capapplicationversion/cav-invalid-env-content.yaml
new file mode 100644
index 0000000..15e97da
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-invalid-env-content.yaml
@@ -0,0 +1,63 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: CAPOP_APP_VERSION
+            value: 0.0.1
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/cav-invalid-env-job-worker.yaml b/internal/controller/testdata/capapplicationversion/cav-invalid-env-job-worker.yaml
new file mode 100644
index 0000000..0cf6be0
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-invalid-env-job-worker.yaml
@@ -0,0 +1,80 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: MISC_ENV
+        value: "{'foo':'bar'}"
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            value: "true"
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: CAPOP_APP_VERSION
+            value: "1.2.3"
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/cav-merged-destinations-router.yaml b/internal/controller/testdata/capapplicationversion/cav-merged-destinations-router.yaml
new file mode 100644
index 0000000..4676909
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-merged-destinations-router.yaml
@@ -0,0 +1,66 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: destinations
+            value: '[{"name": "foo", "url": "http://foo.svc:5000", "strictSSL": true},{"name": "srv-api", "url": "http://some.domain", "timeout": 60000}]'
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/cav-pod-security-context.yaml b/internal/controller/testdata/capapplicationversion/cav-pod-security-context.yaml
new file mode 100644
index 0000000..13da048
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-pod-security-context.yaml
@@ -0,0 +1,167 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+        ports:
+          - name: "app-port"
+            port: 4004
+            routerDestinationName: "srv-api"
+            appProtocol: http
+          - name: "app-tech-port"
+            port: 4005
+            networkPolicy: "Cluster"
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+        ports:
+          - name: "router-port"
+            port: 4000
+            appProtocol: http
+          - name: "router-tech-port"
+            port: 4004
+            networkPolicy: "Cluster"
+          - name: "router-metrics-port"
+            port: 4007
+            networkPolicy: "Cluster"
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 2000
+        podSecurityContext:
+          runAsUser: 2000
+          fsGroup: 2000
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/cav-probes-and-resources.yaml b/internal/controller/testdata/capapplicationversion/cav-probes-and-resources.yaml
new file mode 100644
index 0000000..3d9c2c0
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-probes-and-resources.yaml
@@ -0,0 +1,143 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/cav-processing-job-finished.yaml b/internal/controller/testdata/capapplicationversion/cav-processing-job-finished.yaml
new file mode 100644
index 0000000..9f6a18e
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-processing-job-finished.yaml
@@ -0,0 +1,67 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: ReadyForProcessing
+      status: "False"
+      type: Ready
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/cav-processing.yaml b/internal/controller/testdata/capapplicationversion/cav-processing.yaml
new file mode 100644
index 0000000..7d0ed17
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-processing.yaml
@@ -0,0 +1,66 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: ReadyForProcessing
+      status: "False"
+      observedGeneration: 1
+      type: Ready
+  observedGeneration: 1
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/cav-ready-deleting.yaml b/internal/controller/testdata/capapplicationversion/cav-ready-deleting.yaml
new file mode 100644
index 0000000..622efcc
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-ready-deleting.yaml
@@ -0,0 +1,68 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  deletionTimestamp: "2022-07-18T16:04:15Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/capapplicationversion/cav-security-context.yaml b/internal/controller/testdata/capapplicationversion/cav-security-context.yaml
new file mode 100644
index 0000000..7bc8dbc
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-security-context.yaml
@@ -0,0 +1,156 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+        ports:
+          - name: "router-port"
+            port: 4000
+            appProtocol: http
+          - name: "router-tech-port"
+            port: 4004
+            networkPolicy: "Cluster"
+          - name: "router-metrics-port"
+            port: 4007
+            networkPolicy: "Cluster"
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 2000
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/cav-unknown-deleting.yaml b/internal/controller/testdata/capapplicationversion/cav-unknown-deleting.yaml
new file mode 100644
index 0000000..e178d76
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-unknown-deleting.yaml
@@ -0,0 +1,59 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  deletionTimestamp: "2022-07-18T16:04:15Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 2.3.4
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
diff --git a/internal/controller/testdata/capapplicationversion/cav-valid-env-config.yaml b/internal/controller/testdata/capapplicationversion/cav-valid-env-config.yaml
new file mode 100644
index 0000000..932ca64
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/cav-valid-env-config.yaml
@@ -0,0 +1,91 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        imagePullPolicy: Always
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/content-job-completed.yaml b/internal/controller/testdata/capapplicationversion/content-job-completed.yaml
new file mode 100644
index 0000000..c48fade
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/content-job-completed.yaml
@@ -0,0 +1,71 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  creationTimestamp: "2022-07-18T12:16:21Z"
+  labels:
+    job-name: test-cap-01-cav-v1-content
+  name: test-cap-01-cav-v1-content
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1-content
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+  resourceVersion: "150625273"
+  uid: afb8bcad-72ce-4567-8337-12fc67ef55acb
+spec:
+  backoffLimit: 2
+  completions: 1
+  parallelism: 1
+  selector:
+    matchLabels:
+      controller-uid: afb8bcad-72ce-4567-8337-12fc67ef55acb
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+      creationTimestamp: null
+      labels:
+        controller-uid: afb8bcad-72ce-4567-8337-12fc67ef55acb
+        job-name: test-cap-01-cav-v1-content
+        x4.sap.com/disable-karydia: "true"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: "14"
+            - name: TEST
+              value: Dummy
+            - name: HOST_IP
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: status.podIP
+          envFrom:
+            - secretRef:
+                name: test-cap-01-cav-v1-content-gen
+                optional: true
+          image: bem.some.repo.example.com/content/bem-content
+          imagePullPolicy: Always
+          name: content-deploy
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: OnFailure
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+status:
+  completionTime: "2022-07-18T12:16:41Z"
+  conditions:
+    - lastProbeTime: "2022-07-18T12:16:41Z"
+      lastTransitionTime: "2022-07-18T12:16:41Z"
+      status: "True"
+      type: Complete
+  startTime: "2022-07-14T12:16:21Z"
+  succeeded: 1
diff --git a/internal/controller/testdata/capapplicationversion/content-job-failed.yaml b/internal/controller/testdata/capapplicationversion/content-job-failed.yaml
new file mode 100644
index 0000000..9432e0f
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/content-job-failed.yaml
@@ -0,0 +1,72 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  creationTimestamp: "2022-07-18T12:16:21Z"
+  labels:
+    job-name: test-cap-01-cav-v1-content
+  name: test-cap-01-cav-v1-content
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1-content
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+  resourceVersion: "150625273"
+  uid: afb8bcad-72ce-4567-8337-12fc67ef55acb
+spec:
+  backoffLimit: 2
+  completions: 1
+  parallelism: 1
+  selector:
+    matchLabels:
+      controller-uid: afb8bcad-72ce-4567-8337-12fc67ef55acb
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+      creationTimestamp: null
+      labels:
+        controller-uid: afb8bcad-72ce-4567-8337-12fc67ef55acb
+        job-name: test-cap-01-cav-v1-content
+        x4.sap.com/disable-karydia: "true"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: "14"
+            - name: TEST
+              value: Dummy
+            - name: HOST_IP
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: status.podIP
+          envFrom:
+            - secretRef:
+                name: test-cap-01-cav-v1-content-gen
+                optional: true
+          image: bem.some.repo.example.com/content/bem-content
+          imagePullPolicy: Always
+          name: content-deploy
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: OnFailure
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+status:
+  completionTime: "2022-07-18T12:16:41Z"
+  conditions:
+    - lastProbeTime: "2022-07-18T12:16:41Z"
+      lastTransitionTime: "2022-07-18T12:16:41Z"
+      status: "True"
+      type: Failed
+      message: "content deployer error in job 'test-cap-01-cav-v1-content'"
+  startTime: "2022-07-14T12:16:21Z"
+  succeeded: 0
diff --git a/internal/controller/testdata/capapplicationversion/content-job-pending.yaml b/internal/controller/testdata/capapplicationversion/content-job-pending.yaml
new file mode 100644
index 0000000..142fe3c
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/content-job-pending.yaml
@@ -0,0 +1,69 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  creationTimestamp: "2022-07-18T12:16:21Z"
+  labels:
+    job-name: test-cap-01-cav-v1-content
+  name: test-cap-01-cav-v1-content
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1-content
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+  resourceVersion: "150625273"
+  uid: afb8bcad-72ce-4567-8337-12fc67ef55acb
+spec:
+  backoffLimit: 2
+  completions: 1
+  parallelism: 1
+  selector:
+    matchLabels:
+      controller-uid: afb8bcad-72ce-4567-8337-12fc67ef55acb
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+      creationTimestamp: null
+      labels:
+        controller-uid: afb8bcad-72ce-4567-8337-12fc67ef55acb
+        job-name: test-cap-01-cav-v1-content
+        x4.sap.com/disable-karydia: "true"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: "14"
+            - name: TEST
+              value: Dummy
+            - name: HOST_IP
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: status.podIP
+          envFrom:
+            - secretRef:
+                name: test-cap-01-cav-v1-content-gen
+                optional: true
+          image: bem.some.repo.example.com/content/bem-content
+          imagePullPolicy: Always
+          name: content-deploy
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: OnFailure
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+status:
+  conditions:
+    - lastProbeTime: "2022-07-18T12:16:41Z"
+      lastTransitionTime: "2022-07-18T12:16:41Z"
+      status: "False"
+      type: ""
+  startTime: "2022-07-14T12:16:21Z"
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-deleted-unknown.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-deleted-unknown.yaml
new file mode 100644
index 0000000..62f3383
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-deleted-unknown.yaml
@@ -0,0 +1,67 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  deletionTimestamp: "2022-07-18T16:04:15Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 2.3.4
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: DeleteTriggered
+      observedGeneration: 1
+      status: "False"
+      type: Ready
+  observedGeneration: 1
+  state: Deleting
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-deleted.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-deleted.yaml
new file mode 100644
index 0000000..baee208
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-deleted.yaml
@@ -0,0 +1,68 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  deletionTimestamp: "2022-07-18T16:04:15Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers: []
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: DeleteTriggered
+      observedGeneration: 1
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Deleting
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-deleting.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-deleting.yaml
new file mode 100644
index 0000000..96254e8
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-deleting.yaml
@@ -0,0 +1,69 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  deletionTimestamp: "2022-07-18T16:04:15Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: DeleteTriggered
+      observedGeneration: 1
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Deleting
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-error-condition-processing.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-error-condition-processing.yaml
new file mode 100644
index 0000000..65cbc43
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-error-condition-processing.yaml
@@ -0,0 +1,68 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: Unknown
+      observedGeneration: 1
+      status: "False"
+      type: Ready
+  observedGeneration: 1
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-error-processing.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-error-processing.yaml
new file mode 100644
index 0000000..fdf602a
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-error-processing.yaml
@@ -0,0 +1,68 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: RetryProcessing
+      observedGeneration: 1
+      status: "False"
+      type: Ready
+  observedGeneration: 1
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-failed-content-job.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-failed-content-job.yaml
new file mode 100644
index 0000000..c59df00
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-failed-content-job.yaml
@@ -0,0 +1,71 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: ErrorInWorkloadStatus
+      observedGeneration: 1
+      status: "False"
+      type: Ready
+      message: "content deployer error in job 'test-cap-01-cav-v1-content'"
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Error
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-failed-env-cap.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-failed-env-cap.yaml
new file mode 100644
index 0000000..35442ac
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-failed-env-cap.yaml
@@ -0,0 +1,78 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: VCAP_SERVICES
+        value: "{'foo':'bar'}"
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            value: "true"
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: ErrorInServerDeployment
+      observedGeneration: 1
+      message: "invalid env configuration for workload: cap-backend-srv, remove entry: VCAP_SERVICES from configuration"
+      status: "False"
+      type: Ready
+  observedGeneration: 1
+  state: Error
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-failed-env-content.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-failed-env-content.yaml
new file mode 100644
index 0000000..b5e421d
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-failed-env-content.yaml
@@ -0,0 +1,72 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: CAPOP_APP_VERSION
+            value: 0.0.1
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: ErrorInContentDeploymentJob
+      message: "invalid env configuration for workload: content-job, remove entry: CAPOP_APP_VERSION from configuration"
+      observedGeneration: 1
+      status: "False"
+      type: Ready
+  observedGeneration: 1
+  state: Error
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-failed-env-job-worker.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-failed-env-job-worker.yaml
new file mode 100644
index 0000000..49941a1
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-failed-env-job-worker.yaml
@@ -0,0 +1,89 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: MISC_ENV
+        value: "{'foo':'bar'}"
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            value: "true"
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: CAPOP_APP_VERSION
+            value: "1.2.3"
+status:
+  conditions:
+    - reason: ErrorInJobWorkerDeployment
+      message: "invalid env configuration for workload: job-worker, remove entry: CAPOP_APP_VERSION from configuration"
+      observedGeneration: 1
+      status: "False"
+      type: Ready
+  observedGeneration: 1
+  state: Error
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-missing-content-job.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-missing-content-job.yaml
new file mode 100644
index 0000000..21dcd80
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-missing-content-job.yaml
@@ -0,0 +1,69 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: ErrorInWorkloadStatus
+      message: 'job.batch "test-cap-01-cav-v1-content" not found'
+      observedGeneration: 1
+      status: "False"
+      type: Ready
+  observedGeneration: 1
+  state: Error
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-missing-secrets.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-missing-secrets.yaml
new file mode 100644
index 0000000..158b840
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-missing-secrets.yaml
@@ -0,0 +1,68 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: WaitingForSecrets
+      observedGeneration: 1
+      status: "False"
+      type: Ready
+  observedGeneration: 1
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-processing.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-processing.yaml
new file mode 100644
index 0000000..122d9bd
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-processing.yaml
@@ -0,0 +1,68 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: ReadyForProcessing
+      observedGeneration: 1
+      status: "False"
+      type: Ready
+  observedGeneration: 1
+  state: Processing
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-ready-annotations.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-ready-annotations.yaml
new file mode 100644
index 0000000..7aefb67
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-ready-annotations.yaml
@@ -0,0 +1,449 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+        ports:
+          - name: "app-port"
+            port: 4004
+            routerDestinationName: "srv-api"
+            appProtocol: http
+          - name: "app-tech-port"
+            port: 4005
+            networkPolicy: "Cluster"
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: app-router
+      annotations:
+        foo: "bar"
+        sme.sap.com/some-custom-annotation: "some value for the annotation: 'sme.sap.com/some-custom-annotation'"
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+        ports:
+          - name: "router-port"
+            port: 4000
+            appProtocol: http
+          - name: "router-tech-port"
+            port: 4004
+            networkPolicy: "Cluster"
+          - name: "router-metrics-port"
+            port: 4007
+            networkPolicy: "Cluster"
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 2000
+        podSecurityContext:
+          runAsUser: 2000
+          fsGroup: 2000
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  conditions:
+    - reason: CreatedDeployments
+      observedGeneration: 1
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Ready
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    foo: "bar"
+    sme.sap.com/some-custom-annotation: "some value for the annotation: 'sme.sap.com/some-custom-annotation'"
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+  labels:
+    app: test-cap-01
+    sme.sap.com/category: Workload
+    sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+    sme.sap.com/workload-type: Router
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/cav-version: "1.2.3"
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  selector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/cav-version: "1.2.3"
+      sme.sap.com/owner-generation: "1"
+      sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  template:
+    metadata:
+      creationTimestamp: null
+      annotations:
+        foo: "bar"
+        sme.sap.com/some-custom-annotation: "some value for the annotation: 'sme.sap.com/some-custom-annotation'"
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+        sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+      labels:
+        app: test-cap-01
+        sme.sap.com/category: Workload
+        sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+        sme.sap.com/workload-type: Router
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/cav-version: "1.2.3"
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: "1.2.3"
+            - name: debug
+              valueFrom:
+                configMapKeyRef:
+                  key: someKey
+                  name: someCM
+                  optional: true
+            - name: destinations
+              value: '[{"name":"srv-api","url":"http://test-cap-01-cav-v1-cap-backend-srv-svc:4004","forwardAuthToken":true}]'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-cav-v1-app-router-gen
+                optional: true
+          image: docker.image.repo/approuter/approuter:latest
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 4000
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 2
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 4000
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 2
+          resources:
+            limits:
+              cpu: 200m
+              memory: 500Mi
+            requests:
+              cpu: 20m
+              memory: 50Mi
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 2000
+          name: app-router
+      imagePullSecrets:
+        - name: regcred
+      securityContext:
+        runAsUser: 2000
+        fsGroup: 2000
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: test-cap-01
+              sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+              sme.sap.com/category: Workload
+              sme.sap.com/cav-version: "1.2.3"
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1--in
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              app: istio-ingressgateway
+              istio: ingressgateway
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-type: Router
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - namespaceSelector: {}
+          podSelector: {}
+      ports:
+        - port: 4004
+        - port: 4007
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1-cap-backend-srv
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - namespaceSelector: {}
+          podSelector: {}
+      ports:
+        - port: 4005
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-cap-backend-srv
+      sme.sap.com/workload-type: CAP
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    foo: "bar"
+    sme.sap.com/some-custom-annotation: "some value for the annotation: 'sme.sap.com/some-custom-annotation'"
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+  labels:
+    app: test-cap-01
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/category: Service
+    sme.sap.com/workload-name: test-cap-01-cav-v1-app-router-svc
+    sme.sap.com/workload-type: Router
+    sme.sap.com/cav-version: "1.2.3"
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  name: test-cap-01-cav-v1-app-router-svc
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ports:
+    - name: router-port
+      port: 4000
+      appProtocol: "http"
+    - name: router-tech-port
+      port: 4004
+    - name: router-metrics-port
+      port: 4007
+  selector:
+    app: test-cap-01
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/category: Workload
+    sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+    sme.sap.com/workload-type: Router
+    sme.sap.com/cav-version: "1.2.3"
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-ready-app-netpol.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-ready-app-netpol.yaml
new file mode 100644
index 0000000..1f4041e
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-ready-app-netpol.yaml
@@ -0,0 +1,308 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  conditions:
+    - reason: CreatedDeployments
+      observedGeneration: 1
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Ready
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test-cap-01
+    sme.sap.com/category: Workload
+    sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+    sme.sap.com/workload-type: Router
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/cav-version: "1.2.3"
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  selector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/cav-version: "1.2.3"
+      sme.sap.com/owner-generation: "1"
+      sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: test-cap-01
+        sme.sap.com/category: Workload
+        sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+        sme.sap.com/workload-type: Router
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/cav-version: "1.2.3"
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+      annotations:
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+        sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: "1.2.3"
+            - name: debug
+              valueFrom:
+                configMapKeyRef:
+                  key: someKey
+                  name: someCM
+                  optional: true
+            - name: destinations
+              value: '[{"name":"srv-api","url":"http://test-cap-01-cav-v1-cap-backend-srv-svc:4004","forwardAuthToken":true}]'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-cav-v1-app-router-gen
+                optional: true
+          image: docker.image.repo/approuter/approuter:latest
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 4000
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 2
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 4000
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 2
+          resources:
+            limits:
+              cpu: 200m
+              memory: 500Mi
+            requests:
+              cpu: 20m
+              memory: 50Mi
+          name: app-router
+      imagePullSecrets:
+        - name: regcred
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: test-cap-01
+              sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+              sme.sap.com/category: Workload
+              sme.sap.com/cav-version: "1.2.3"
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1--in
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              app: istio-ingressgateway
+              istio: ingressgateway
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-type: Router
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-ready-cluster-netpol-port.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-ready-cluster-netpol-port.yaml
new file mode 100644
index 0000000..832feb7
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-ready-cluster-netpol-port.yaml
@@ -0,0 +1,349 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+        ports:
+          - name: "router-port"
+            port: 4000
+            appProtocol: http
+          - name: "router-tech-port"
+            port: 4004
+            networkPolicy: "Cluster"
+          - name: "router-metrics-port"
+            port: 4007
+            networkPolicy: "Cluster"
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  conditions:
+    - reason: CreatedDeployments
+      observedGeneration: 1
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Ready
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test-cap-01
+    sme.sap.com/category: Workload
+    sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+    sme.sap.com/workload-type: Router
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/cav-version: "1.2.3"
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  selector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/cav-version: "1.2.3"
+      sme.sap.com/owner-generation: "1"
+      sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: test-cap-01
+        sme.sap.com/category: Workload
+        sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+        sme.sap.com/workload-type: Router
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/cav-version: "1.2.3"
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+      annotations:
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+        sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: "1.2.3"
+            - name: debug
+              valueFrom:
+                configMapKeyRef:
+                  key: someKey
+                  name: someCM
+                  optional: true
+            - name: destinations
+              value: '[{"name":"srv-api","url":"http://test-cap-01-cav-v1-cap-backend-srv-svc:4004","forwardAuthToken":true}]'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-cav-v1-app-router-gen
+                optional: true
+          image: docker.image.repo/approuter/approuter:latest
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 4000
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 2
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 4000
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 2
+          resources:
+            limits:
+              cpu: 200m
+              memory: 500Mi
+            requests:
+              cpu: 20m
+              memory: 50Mi
+          name: app-router
+      imagePullSecrets:
+        - name: regcred
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: test-cap-01
+              sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+              sme.sap.com/category: Workload
+              sme.sap.com/cav-version: "1.2.3"
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1--in
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              app: istio-ingressgateway
+              istio: ingressgateway
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-type: Router
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - namespaceSelector: {}
+          podSelector: {}
+      ports:
+        - port: 4004
+        - port: 4007
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-ready-content-job.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-ready-content-job.yaml
new file mode 100644
index 0000000..efcee83
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-ready-content-job.yaml
@@ -0,0 +1,70 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: CreatedDeployments
+      observedGeneration: 1
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Ready
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-ready-custom-destination-config.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-ready-custom-destination-config.yaml
new file mode 100644
index 0000000..5a71c57
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-ready-custom-destination-config.yaml
@@ -0,0 +1,153 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        ports:
+          - name: server-app-port
+            port: 4000
+            routerDestinationName: custom-srv-api
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: CreatedDeployments
+      observedGeneration: 1
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Ready
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test-cap-01
+    sme.sap.com/category: Workload
+    sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+    sme.sap.com/workload-type: Router
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/cav-version: "1.2.3"
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  selector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/cav-version: "1.2.3"
+      sme.sap.com/owner-generation: "1"
+      sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: test-cap-01
+        sme.sap.com/category: Workload
+        sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+        sme.sap.com/workload-type: Router
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/cav-version: "1.2.3"
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+      annotations:
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+        sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: "1.2.3"
+            - name: debug
+              valueFrom:
+                configMapKeyRef:
+                  key: someKey
+                  name: someCM
+                  optional: true
+            - name: destinations
+              value: '[{"name":"custom-srv-api","url":"http://test-cap-01-cav-v1-cap-backend-srv-svc:4000","forwardAuthToken":true}]'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-cav-v1-app-router-gen
+                optional: true
+          image: docker.image.repo/approuter/approuter:latest
+          name: app-router
+      imagePullSecrets:
+        - name: regcred
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-ready-custom-labels-config.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-ready-custom-labels-config.yaml
new file mode 100644
index 0000000..1c6e9dc
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-ready-custom-labels-config.yaml
@@ -0,0 +1,189 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      labels:
+        foo: bar
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+    - name: app-router
+      labels:
+        foo: bar
+        sme.sap.com/app-type: my-cap-operator-app
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+    - name: content-job
+      labels:
+        foo: bar
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+    - name: mtx-job
+      labels:
+        foo: bar
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      labels:
+        foo: bar
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  conditions:
+    - reason: CreatedDeployments
+      observedGeneration: 1
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Ready
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test-cap-01
+    foo: bar
+    sme.sap.com/app-type: my-cap-operator-app
+    sme.sap.com/category: Workload
+    sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+    sme.sap.com/workload-type: Router
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/cav-version: "1.2.3"
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  selector:
+    matchLabels:
+      app: test-cap-01
+      foo: bar
+      sme.sap.com/app-type: my-cap-operator-app
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/cav-version: "1.2.3"
+      sme.sap.com/owner-generation: "1"
+      sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: test-cap-01
+        foo: bar
+        sme.sap.com/app-type: my-cap-operator-app
+        sme.sap.com/category: Workload
+        sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+        sme.sap.com/workload-type: Router
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/cav-version: "1.2.3"
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+      annotations:
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+        sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: "1.2.3"
+            - name: debug
+              valueFrom:
+                configMapKeyRef:
+                  key: someKey
+                  name: someCM
+                  optional: true
+            - name: destinations
+              value: '[{"name":"srv-api","url":"http://test-cap-01-cav-v1-cap-backend-srv-svc:4004","forwardAuthToken":true}]'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-cav-v1-app-router-gen
+                optional: true
+          image: docker.image.repo/approuter/approuter:latest
+          name: app-router
+      imagePullSecrets:
+        - name: regcred
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-ready-merged-destinations-router.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-ready-merged-destinations-router.yaml
new file mode 100644
index 0000000..311cd66
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-ready-merged-destinations-router.yaml
@@ -0,0 +1,142 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: destinations
+            value: '[{"name": "foo", "url": "http://foo.svc:5000", "strictSSL": true},{"name": "srv-api", "url": "http://some.domain", "timeout": 60000}]'
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: CreatedDeployments
+      observedGeneration: 1  
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Ready
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test-cap-01
+    sme.sap.com/category: Workload
+    sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+    sme.sap.com/workload-type: Router
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/cav-version: "1.2.3"
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  selector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/cav-version: "1.2.3"
+      sme.sap.com/owner-generation: "1"
+      sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: test-cap-01
+        sme.sap.com/category: Workload
+        sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+        sme.sap.com/workload-type: Router
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/cav-version: "1.2.3"
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+      annotations:
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+        sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: "1.2.3"
+            - name: destinations
+              value: '[{"name":"srv-api","url":"http://test-cap-01-cav-v1-cap-backend-srv-svc:4004","timeout":60000},{"name":"foo","url":"http://foo.svc:5000","strictSSL":true}]'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-cav-v1-app-router-gen
+                optional: true
+          image: docker.image.repo/approuter/approuter:latest
+          name: app-router
+      imagePullSecrets:
+        - name: regcred
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-ready-pod-security-context.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-ready-pod-security-context.yaml
new file mode 100644
index 0000000..735b417
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-ready-pod-security-context.yaml
@@ -0,0 +1,399 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+        ports:
+          - name: "app-port"
+            port: 4004
+            routerDestinationName: "srv-api"
+            appProtocol: http
+          - name: "app-tech-port"
+            port: 4005
+            networkPolicy: "Cluster"
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+        ports:
+          - name: "router-port"
+            port: 4000
+            appProtocol: http
+          - name: "router-tech-port"
+            port: 4004
+            networkPolicy: "Cluster"
+          - name: "router-metrics-port"
+            port: 4007
+            networkPolicy: "Cluster"
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 2000
+        podSecurityContext:
+          runAsUser: 2000
+          fsGroup: 2000
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  conditions:
+    - reason: CreatedDeployments
+      observedGeneration: 1
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Ready
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test-cap-01
+    sme.sap.com/category: Workload
+    sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+    sme.sap.com/workload-type: Router
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/cav-version: "1.2.3"
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  selector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/cav-version: "1.2.3"
+      sme.sap.com/owner-generation: "1"
+      sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: test-cap-01
+        sme.sap.com/category: Workload
+        sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+        sme.sap.com/workload-type: Router
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/cav-version: "1.2.3"
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+      annotations:
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+        sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: "1.2.3"
+            - name: debug
+              valueFrom:
+                configMapKeyRef:
+                  key: someKey
+                  name: someCM
+                  optional: true
+            - name: destinations
+              value: '[{"name":"srv-api","url":"http://test-cap-01-cav-v1-cap-backend-srv-svc:4004","forwardAuthToken":true}]'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-cav-v1-app-router-gen
+                optional: true
+          image: docker.image.repo/approuter/approuter:latest
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 4000
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 2
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 4000
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 2
+          resources:
+            limits:
+              cpu: 200m
+              memory: 500Mi
+            requests:
+              cpu: 20m
+              memory: 50Mi
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 2000
+          name: app-router
+      imagePullSecrets:
+        - name: regcred
+      securityContext:
+        runAsUser: 2000
+        fsGroup: 2000
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: test-cap-01
+              sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+              sme.sap.com/category: Workload
+              sme.sap.com/cav-version: "1.2.3"
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1--in
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              app: istio-ingressgateway
+              istio: ingressgateway
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-type: Router
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - namespaceSelector: {}
+          podSelector: {}
+      ports:
+        - port: 4004
+        - port: 4007
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1-cap-backend-srv
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - namespaceSelector: {}
+          podSelector: {}
+      ports:
+        - port: 4005
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-cap-backend-srv
+      sme.sap.com/workload-type: CAP
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-ready-probes-and-resources.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-ready-probes-and-resources.yaml
new file mode 100644
index 0000000..1e39244
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-ready-probes-and-resources.yaml
@@ -0,0 +1,248 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  conditions:
+    - reason: CreatedDeployments
+      observedGeneration: 1
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Ready
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test-cap-01
+    sme.sap.com/category: Workload
+    sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+    sme.sap.com/workload-type: Router
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/cav-version: "1.2.3"
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  selector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/cav-version: "1.2.3"
+      sme.sap.com/owner-generation: "1"
+      sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: test-cap-01
+        sme.sap.com/category: Workload
+        sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+        sme.sap.com/workload-type: Router
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/cav-version: "1.2.3"
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+      annotations:
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+        sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: "1.2.3"
+            - name: debug
+              valueFrom:
+                configMapKeyRef:
+                  key: someKey
+                  name: someCM
+                  optional: true
+            - name: destinations
+              value: '[{"name":"srv-api","url":"http://test-cap-01-cav-v1-cap-backend-srv-svc:4004","forwardAuthToken":true}]'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-cav-v1-app-router-gen
+                optional: true
+          image: docker.image.repo/approuter/approuter:latest
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 4000
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 2
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 4000
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 2
+          resources:
+            limits:
+              cpu: 200m
+              memory: 500Mi
+            requests:
+              cpu: 20m
+              memory: 50Mi
+          name: app-router
+      imagePullSecrets:
+        - name: regcred
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-ready-security-context.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-ready-security-context.yaml
new file mode 100644
index 0000000..92a2984
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-ready-security-context.yaml
@@ -0,0 +1,355 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4004
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+        ports:
+          - name: "router-port"
+            port: 4000
+            appProtocol: http
+          - name: "router-tech-port"
+            port: 4004
+            networkPolicy: "Cluster"
+          - name: "router-metrics-port"
+            port: 4007
+            networkPolicy: "Cluster"
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 2000
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+        resources:
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  conditions:
+    - reason: CreatedDeployments
+      observedGeneration: 1
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Ready
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test-cap-01
+    sme.sap.com/category: Workload
+    sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+    sme.sap.com/workload-type: Router
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/cav-version: "1.2.3"
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  selector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/cav-version: "1.2.3"
+      sme.sap.com/owner-generation: "1"
+      sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: test-cap-01
+        sme.sap.com/category: Workload
+        sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+        sme.sap.com/workload-type: Router
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/cav-version: "1.2.3"
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+      annotations:
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+        sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: "1.2.3"
+            - name: debug
+              valueFrom:
+                configMapKeyRef:
+                  key: someKey
+                  name: someCM
+                  optional: true
+            - name: destinations
+              value: '[{"name":"srv-api","url":"http://test-cap-01-cav-v1-cap-backend-srv-svc:4004","forwardAuthToken":true}]'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-cav-v1-app-router-gen
+                optional: true
+          image: docker.image.repo/approuter/approuter:latest
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 4000
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 2
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /
+              port: 4000
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 2
+          resources:
+            limits:
+              cpu: 200m
+              memory: 500Mi
+            requests:
+              cpu: 20m
+              memory: 50Mi
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 2000
+          name: app-router
+      imagePullSecrets:
+        - name: regcred
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: test-cap-01
+              sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+              sme.sap.com/category: Workload
+              sme.sap.com/cav-version: "1.2.3"
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1--in
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              app: istio-ingressgateway
+              istio: ingressgateway
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-type: Router
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  ingress:
+    - from:
+        - namespaceSelector: {}
+          podSelector: {}
+      ports:
+        - port: 4004
+        - port: 4007
+  podSelector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/cav-version: "1.2.3"
+  policyTypes:
+    - Ingress
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-ready-valid-env-config.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-ready-valid-env-config.yaml
new file mode 100644
index 0000000..152b178
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-ready-valid-env-config.yaml
@@ -0,0 +1,174 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+        env:
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.PodIp
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        imagePullPolicy: "Always"
+        type: Router
+        env:
+          - name: debug
+            valueFrom:
+              configMapKeyRef:
+                key: someKey
+                name: someCM
+                optional: true
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+        env:
+          - name: SOME_VERSION
+            value: 0.0.1
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+    - name: job-worker
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: Additional
+        env:
+          - name: TEST_SEC_REF
+            valueFrom:
+              secretKeyRef:
+                key: someKey
+                name: someSecret
+                optional: true
+status:
+  conditions:
+    - reason: CreatedDeployments
+      observedGeneration: 1
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  finishedJobs:
+    - "test-cap-01-cav-v1-content"
+  state: Ready
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test-cap-01
+    sme.sap.com/category: Workload
+    sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+    sme.sap.com/workload-type: Router
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/cav-version: "1.2.3"
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+  name: test-cap-01-cav-v1-app-router
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplicationVersion
+      name: test-cap-01-cav-v1
+      uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  selector:
+    matchLabels:
+      app: test-cap-01
+      sme.sap.com/category: Workload
+      sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+      sme.sap.com/workload-type: Router
+      sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+      sme.sap.com/cav-version: "1.2.3"
+      sme.sap.com/owner-generation: "1"
+      sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: test-cap-01
+        sme.sap.com/category: Workload
+        sme.sap.com/workload-name: test-cap-01-cav-v1-app-router
+        sme.sap.com/workload-type: Router
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/cav-version: "1.2.3"
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: e95e0682f33a657e75e1fc435972d19bd407ba3b
+      annotations:
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+        sme.sap.com/owner-identifier: default.test-cap-01-cav-v1
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: "1.2.3"
+            - name: debug
+              valueFrom:
+                configMapKeyRef:
+                  key: someKey
+                  name: someCM
+                  optional: true
+            - name: destinations
+              value: '[{"name":"srv-api","url":"http://test-cap-01-cav-v1-cap-backend-srv-svc:4004","forwardAuthToken":true}]'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-cav-v1-app-router-gen
+                optional: true
+          image: docker.image.repo/approuter/approuter:latest
+          imagePullPolicy: "Always"
+          name: app-router
+      imagePullSecrets:
+        - name: regcred
diff --git a/internal/controller/testdata/capapplicationversion/expected/cav-ready.yaml b/internal/controller/testdata/capapplicationversion/expected/cav-ready.yaml
new file mode 100644
index 0000000..6f9969b
--- /dev/null
+++ b/internal/controller/testdata/capapplicationversion/expected/cav-ready.yaml
@@ -0,0 +1,68 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-07-18T06:13:52Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  finalizers:
+    - "sme.sap.com/capapplicationversion"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 1.2.3
+  workloads:
+    - name: cap-backend-srv
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: CAP
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        image: docker.image.repo/approuter/approuter:latest
+        type: Router
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        image: docker.image.repo/content/cap-content:latest
+        type: Content
+    - name: mtx-job
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        image: docker.image.repo/srv/server:latest
+        type: TenantOperation
+status:
+  conditions:
+    - reason: CreatedDeployments
+      observedGeneration: 1
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/captenant/cat-01.initial.yaml b/internal/controller/testdata/captenant/cat-01.initial.yaml
new file mode 100644
index 0000000..5391ab6
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-01.initial.yaml
@@ -0,0 +1,11 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  name: test-cap-01-provider
+  namespace: default
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
diff --git a/internal/controller/testdata/captenant/cat-02.expected.yaml b/internal/controller/testdata/captenant/cat-02.expected.yaml
new file mode 100644
index 0000000..c6f1db7
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-02.expected.yaml
@@ -0,0 +1,36 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-consumer
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: consumer
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  name: test-cap-01-consumer
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  state: ""
+  conditions:
+    - type: Ready
+      status: "False"      
+      reason: "ProcessingStarted"
+      message: ""
diff --git a/internal/controller/testdata/captenant/cat-02.initial.yaml b/internal/controller/testdata/captenant/cat-02.initial.yaml
new file mode 100644
index 0000000..81e7b43
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-02.initial.yaml
@@ -0,0 +1,11 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  name: test-cap-01-consumer
+  namespace: default
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  version: 5.6.7
+  versionUpgradeStrategy: always
diff --git a/internal/controller/testdata/captenant/cat-03.expected.yaml b/internal/controller/testdata/captenant/cat-03.expected.yaml
new file mode 100644
index 0000000..459db89
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-03.expected.yaml
@@ -0,0 +1,89 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-consumer
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: consumer
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  name: test-cap-01-consumer
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  observedGeneration: 0
+  state: Provisioning
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 0
+      reason: ProvisioningOperationCreated
+      message: "waiting for CAPTenantOperation default.test-cap-01-consumer-gen of type provisioning to complete"
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-consumer-
+  name: test-cap-01-consumer-gen
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-consumer
+  labels:
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: a9df2080f99fd77b1b2c7e4cee1e1bff69498511
+    sme.sap.com/tenant-operation-type: provisioning
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-consumer
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  operation: provisioning
+  steps:
+    - name: mtx
+      type: TenantOperation
+---
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    sme.sap.com/resource-hash: c38b79c0bac0cf1b5b8e6757b31d892898fe18472338996f7103adbf0249c79e
+    sme.sap.com/owner-identifier: CAPTenant.default.test-cap-01-consumer
+  labels:
+    sme.sap.com/owner-identifier-hash: f57a7105fbe1d899a7757ddd04747b6b33dde594
+  name: test-cap-01-consumer0
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-consumer
+spec:
+  dnsName: my-consumer.foo.bar.local
+  targets:
+    - public-ingress.operator.testing.local
diff --git a/internal/controller/testdata/captenant/cat-03.initial.yaml b/internal/controller/testdata/captenant/cat-03.initial.yaml
new file mode 100644
index 0000000..61b257d
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-03.initial.yaml
@@ -0,0 +1,36 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-consumer
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: consumer
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  name: test-cap-01-consumer
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  state: ""
+  conditions:
+    - type: Ready
+      status: "False"
+      reason: "ProcessingStarted"
+      message: ""
diff --git a/internal/controller/testdata/captenant/cat-04.expected.yaml b/internal/controller/testdata/captenant/cat-04.expected.yaml
new file mode 100644
index 0000000..cfdbf5f
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-04.expected.yaml
@@ -0,0 +1,99 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-s6f4l successfully completed"
+      reason: ProvisioningCompleted
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: 2309c27d407c5e1d71529d3448da227ab25f63fb5f9d631d7c8a3e9fd0a1ff34
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  gateways:
+    - test-cap-01-gw
+    - istio-system/cap-operator-domains-gen
+  hosts:
+    - my-provider.app-domain.test.local
+    - my-provider.foo.bar.local
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: test-cap-01-cav-v1-app-router-svc.default.svc.cluster.local
+            port:
+              number: 5000
+          weight: 100
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: 5d065e2112f26ad9b5ace902461365ba9cbf539123dea326f060534bc30e22d1
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  host: test-cap-01-cav-v1-app-router-svc.default.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      consistentHash:
+        httpCookie:
+          name: JSESSIONID
+          path: /
+          ttl: 0s
diff --git a/internal/controller/testdata/captenant/cat-04.initial.yaml b/internal/controller/testdata/captenant/cat-04.initial.yaml
new file mode 100644
index 0000000..49339c7
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-04.initial.yaml
@@ -0,0 +1,72 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "created CAPTenantOperation default.test-cap-01-provider-s6f4l of type provisioning"
+      reason: ProvisioningRequestCreated
+      status: "False"
+      type: Ready
+  state: Provisioning
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider-s6f4l
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: provisioning
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  conditions:
+    - message: job default.test-cap-01-provider-s6f4l-abc completed
+      reason: StepCompleted
+      status: "True"
+      type: Ready
+  state: Completed
diff --git a/internal/controller/testdata/captenant/cat-05.expected.yaml b/internal/controller/testdata/captenant/cat-05.expected.yaml
new file mode 100644
index 0000000..bbcc316
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-05.expected.yaml
@@ -0,0 +1,36 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-s6f4l failed"
+      reason: ProvisioningFailed
+      status: "False"
+      type: Ready
+  state: ProvisioningError
diff --git a/internal/controller/testdata/captenant/cat-05.initial.yaml b/internal/controller/testdata/captenant/cat-05.initial.yaml
new file mode 100644
index 0000000..19fe291
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-05.initial.yaml
@@ -0,0 +1,72 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-provider-s6f4l of type provisioning to complete"
+      reason: ProvisioningRequestCreated
+      status: "False"
+      type: Ready
+  state: Provisioning
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider-s6f4l
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: provisioning
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  conditions:
+    - message: job default.test-cap-01-provider-s6f4l-abcs failed
+      reason: JobFailed
+      status: "True"
+      type: Ready
+  state: Failed
diff --git a/internal/controller/testdata/captenant/cat-06.expected.yaml b/internal/controller/testdata/captenant/cat-06.expected.yaml
new file mode 100644
index 0000000..a3a1370
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-06.expected.yaml
@@ -0,0 +1,36 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-provider-s6f4l of type provisioning to complete"
+      reason: ProvisioningOperationCreated
+      status: "False"
+      type: Ready
+  state: Provisioning
diff --git a/internal/controller/testdata/captenant/cat-06.initial.yaml b/internal/controller/testdata/captenant/cat-06.initial.yaml
new file mode 100644
index 0000000..d3194da
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-06.initial.yaml
@@ -0,0 +1,69 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "created CAPTenantOperation default.test-cap-01-provider-s6f4l of type provisioning"
+      reason: ProvisioningOperationCreated
+      status: "False"
+      type: Ready
+  state: Provisioning
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider-s6f4l
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: provisioning
+status:
+  conditions:
+    - message: waiting for job default.test-cap-01-provider-s6f4l-abcd
+      reason: JobRunning
+      status: "False"
+      type: Ready
+  state: Processing
diff --git a/internal/controller/testdata/captenant/cat-07.expected.yaml b/internal/controller/testdata/captenant/cat-07.expected.yaml
new file mode 100644
index 0000000..cd16b27
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-07.expected.yaml
@@ -0,0 +1,67 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-provider-gen of type upgrade to complete"
+      reason: UpgradeOperationCreated
+      status: "True"
+      type: Ready
+  state: Upgrading
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  name: test-cap-01-provider-gen
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/cav-version: "8.9.10"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: upgrade
+  steps:
+    - name: mtx
+      type: TenantOperation
diff --git a/internal/controller/testdata/captenant/cat-07.initial.yaml b/internal/controller/testdata/captenant/cat-07.initial.yaml
new file mode 100644
index 0000000..d465dde
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-07.initial.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-s6f4l successfully completed"
+      reason: ProvisioningCompleted
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
diff --git a/internal/controller/testdata/captenant/cat-08.expected.yaml b/internal/controller/testdata/captenant/cat-08.expected.yaml
new file mode 100644
index 0000000..0aba4c6
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-08.expected.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: never
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-s6f4l successfully completed"
+      reason: ProvisioningCompleted
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
diff --git a/internal/controller/testdata/captenant/cat-08.initial.yaml b/internal/controller/testdata/captenant/cat-08.initial.yaml
new file mode 100644
index 0000000..0aba4c6
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-08.initial.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: never
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-s6f4l successfully completed"
+      reason: ProvisioningCompleted
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
diff --git a/internal/controller/testdata/captenant/cat-09.expected.yaml b/internal/controller/testdata/captenant/cat-09.expected.yaml
new file mode 100644
index 0000000..a2a3d0c
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-09.expected.yaml
@@ -0,0 +1,67 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-provider-gen of type deprovisioning to complete"
+      reason: DeprovisioningOperationCreated
+      status: "False"
+      type: Ready
+  state: Deleting
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  name: test-cap-01-provider-gen
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/tenant-operation-type: deprovisioning
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: deprovisioning
+  steps:
+    - name: mtx
+      type: TenantOperation
diff --git a/internal/controller/testdata/captenant/cat-09.initial.yaml b/internal/controller/testdata/captenant/cat-09.initial.yaml
new file mode 100644
index 0000000..6eb2a21
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-09.initial.yaml
@@ -0,0 +1,38 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-s6f4l successfully completed"
+      reason: ProvisioningCompleted
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
diff --git a/internal/controller/testdata/captenant/cat-10.expected.yaml b/internal/controller/testdata/captenant/cat-10.expected.yaml
new file mode 100644
index 0000000..47eeb1c
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-10.expected.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  finalizers: []
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "created CAPTenantOperation default.test-cap-01-provider-gen of type deprovisioning"
+      reason: DeprovisioningOperationCreated
+      status: "False"
+      type: Ready
+  state: Deleting
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
diff --git a/internal/controller/testdata/captenant/cat-10.initial.yaml b/internal/controller/testdata/captenant/cat-10.initial.yaml
new file mode 100644
index 0000000..329004c
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-10.initial.yaml
@@ -0,0 +1,74 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "created CAPTenantOperation default.test-cap-01-provider-gen of type deprovisioning"
+      reason: DeprovisioningOperationCreated
+      status: "False"
+      type: Ready
+  state: Deleting
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: deprovisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider-gen
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: deprovisioning
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  conditions:
+    - message: job default.test-cap-01-provider-gen-abcd completed
+      reason: StepCompleted
+      status: "True"
+      type: Ready
+  state: Completed
diff --git a/internal/controller/testdata/captenant/cat-11.expected.yaml b/internal/controller/testdata/captenant/cat-11.expected.yaml
new file mode 100644
index 0000000..b3f1422
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-11.expected.yaml
@@ -0,0 +1,36 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  finalizers: []
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-s6f4l failed"
+      reason: ProvisioningFailed
+      status: "False"
+      type: Ready
+  state: ProvisioningError
diff --git a/internal/controller/testdata/captenant/cat-11.initial.yaml b/internal/controller/testdata/captenant/cat-11.initial.yaml
new file mode 100644
index 0000000..650fd05
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-11.initial.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-s6f4l failed"
+      reason: ProvisioningFailed
+      status: "False"
+      type: Ready
+  state: ProvisioningError
diff --git a/internal/controller/testdata/captenant/cat-13.expected.yaml b/internal/controller/testdata/captenant/cat-13.expected.yaml
new file mode 100644
index 0000000..3847064
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-13.expected.yaml
@@ -0,0 +1,105 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 2
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-upg successfully completed"
+      reason: UpgradeCompleted
+      observedGeneration: 2
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v2
+  previousCAPApplicationVersions:
+    - test-cap-01-cav-v1
+  observedGeneration: 2
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: "4973adfd25df6a6ef553c2d02ec88a8165e83bc25cc46d608904ffb7c6a77cbd"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  gateways:
+    - test-cap-01-gw
+    - istio-system/cap-operator-domains-gen
+  hosts:
+    - my-provider.app-domain.test.local
+    - my-provider.foo.bar.local
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: test-cap-01-cav-v2-app-router-svc.default.svc.cluster.local
+            port:
+              number: 5000
+          weight: 100
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: ca930fa3ab9c0c67bf3d2d948cdacefd93505d6089f56ebcd7cc7cf06e66ad7d
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  generation: 1
+  labels:
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  host: test-cap-01-cav-v2-app-router-svc.default.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      consistentHash:
+        httpCookie:
+          name: JSESSIONID
+          path: /
+          ttl: 0s
diff --git a/internal/controller/testdata/captenant/cat-13.initial.yaml b/internal/controller/testdata/captenant/cat-13.initial.yaml
new file mode 100644
index 0000000..c830e00
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-13.initial.yaml
@@ -0,0 +1,75 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 2
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-provider-upg of type upgrade to complete"
+      reason: UpgradeOperationCreated
+      status: "False"
+      type: Ready
+  state: Upgrading
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/cav-version: "8.9.10"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider-upg
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: upgrade
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  conditions:
+    - message: job default.test-cap-01-provider-upg-abcd completed
+      reason: StepCompleted
+      status: "True"
+      type: Ready
+  state: Completed
diff --git a/internal/controller/testdata/captenant/cat-14.initial.yaml b/internal/controller/testdata/captenant/cat-14.initial.yaml
new file mode 100644
index 0000000..5cfcdab
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-14.initial.yaml
@@ -0,0 +1,29 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-consumer
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: consumer
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  name: test-cap-01-consumer
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  version: 5.6.7
+  versionUpgradeStrategy: always
diff --git a/internal/controller/testdata/captenant/cat-15.expected.yaml b/internal/controller/testdata/captenant/cat-15.expected.yaml
new file mode 100644
index 0000000..ba4fe88
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-15.expected.yaml
@@ -0,0 +1,102 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 3
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-changed-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "VirtualService (and DestinationRule) default.test-cap-01-provider was reconciled"
+      reason: TenantNetworkingModified
+      observedGeneration: 3
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v2
+  observedGeneration: 3
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: 45f51780d8501067cf08285170eb13e1fbfbccbfcd3ba57bf7116d026ce98af8
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "3"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  gateways:
+    - test-cap-01-gw
+    - istio-system/cap-operator-domains-gen
+  hosts:
+    - my-changed-provider.app-domain.test.local
+    - my-changed-provider.foo.bar.local
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: test-cap-01-cav-v2-app-router-svc.default.svc.cluster.local
+            port:
+              number: 5000
+          weight: 100
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: ca930fa3ab9c0c67bf3d2d948cdacefd93505d6089f56ebcd7cc7cf06e66ad7d
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "3"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  host: test-cap-01-cav-v2-app-router-svc.default.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      consistentHash:
+        httpCookie:
+          name: JSESSIONID
+          path: /
+          ttl: 0s
diff --git a/internal/controller/testdata/captenant/cat-15.initial.yaml b/internal/controller/testdata/captenant/cat-15.initial.yaml
new file mode 100644
index 0000000..16180a6
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-15.initial.yaml
@@ -0,0 +1,74 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 3
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-changed-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-upg successfully completed"
+      reason: UpgradeCompleted
+      observedGeneration: 2
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v2
+  observedGeneration: 2
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: "6be23b7628815f7a8b5ea532763e4474f0c7b05f7209fcba047cabd0b29d879e"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  gateways:
+    - test-cap-01-gw
+  hosts:
+    - my-provider.app-domain.test.local
+    - my-provider.foo.bar.local
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: test-cap-01-cav-v2-app-router-svc.default.svc.cluster.local
+            port:
+              number: 4000
+          weight: 100
diff --git a/internal/controller/testdata/captenant/cat-16.expected.yaml b/internal/controller/testdata/captenant/cat-16.expected.yaml
new file mode 100644
index 0000000..16180a6
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-16.expected.yaml
@@ -0,0 +1,74 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 3
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-changed-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-upg successfully completed"
+      reason: UpgradeCompleted
+      observedGeneration: 2
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v2
+  observedGeneration: 2
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: "6be23b7628815f7a8b5ea532763e4474f0c7b05f7209fcba047cabd0b29d879e"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  gateways:
+    - test-cap-01-gw
+  hosts:
+    - my-provider.app-domain.test.local
+    - my-provider.foo.bar.local
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: test-cap-01-cav-v2-app-router-svc.default.svc.cluster.local
+            port:
+              number: 4000
+          weight: 100
diff --git a/internal/controller/testdata/captenant/cat-17.expected.yaml b/internal/controller/testdata/captenant/cat-17.expected.yaml
new file mode 100644
index 0000000..aa4c128
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-17.expected.yaml
@@ -0,0 +1,124 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 3
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-changed-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "VirtualService (and DestinationRule) default.test-cap-01-provider was reconciled"
+      reason: TenantNetworkingModified
+      observedGeneration: 3
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v2
+  observedGeneration: 3
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: 45f51780d8501067cf08285170eb13e1fbfbccbfcd3ba57bf7116d026ce98af8
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "3"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  gateways:
+    - test-cap-01-gw
+    - istio-system/cap-operator-domains-gen
+  hosts:
+    - my-changed-provider.app-domain.test.local
+    - my-changed-provider.foo.bar.local
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: test-cap-01-cav-v2-app-router-svc.default.svc.cluster.local
+            port:
+              number: 5000
+          weight: 100
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: ca930fa3ab9c0c67bf3d2d948cdacefd93505d6089f56ebcd7cc7cf06e66ad7d
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "3"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  host: test-cap-01-cav-v2-app-router-svc.default.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      consistentHash:
+        httpCookie:
+          name: JSESSIONID
+          path: /
+          ttl: 0s
+---
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    sme.sap.com/resource-hash: be44dd98e914aa033f04f18a03338da45b40090b55e0e1c935353f088bd7c583
+    sme.sap.com/owner-identifier: CAPTenant.default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-identifier-hash: ec24f9b09337c244cf5ac64b539f8c04f507cd99
+  name: test-cap-01-provider0
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  dnsName: my-changed-provider.foo.bar.local
+  targets:
+    - public-ingress.operator.testing.local
diff --git a/internal/controller/testdata/captenant/cat-17.initial.yaml b/internal/controller/testdata/captenant/cat-17.initial.yaml
new file mode 100644
index 0000000..d3dfea9
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-17.initial.yaml
@@ -0,0 +1,101 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 3
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-changed-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-upg successfully completed"
+      reason: UpgradeCompleted
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v2
+  observedGeneration: 2
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: "6be23b7628815f7a8b5ea532763e4474f0c7b05f7209fcba047cabd0b29d879e"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  gateways:
+    - test-cap-01-gw
+    - istio-system/cap-operator-domains-gen
+  hosts:
+    - my-changed-provider.app-domain.test.local
+    - my-changed-provider.foo.bar.local
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: test-cap-01-cav-v2-app-router-svc.default.svc.cluster.local
+            port:
+              number: 4000
+          weight: 100
+---
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: ca930fa3ab9c0c67bf3d2d948cdacefd93505d6089f56ebcd7cc7cf06e66ad7d
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "3"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  host: test-cap-01-cav-v2-app-router-svc.default.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      consistentHash:
+        httpCookie:
+          name: JSESSIONID
+          path: /
+          ttl: 0s
diff --git a/internal/controller/testdata/captenant/cat-20.expected.yaml b/internal/controller/testdata/captenant/cat-20.expected.yaml
new file mode 100644
index 0000000..b7d9d96
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-20.expected.yaml
@@ -0,0 +1,36 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-provider-gen of type provisioning to complete"
+      reason: ProvisioningOperationCreated
+      status: "False"
+      type: Ready
+  state: Provisioning
diff --git a/internal/controller/testdata/captenant/cat-20.initial.yaml b/internal/controller/testdata/captenant/cat-20.initial.yaml
new file mode 100644
index 0000000..a3a1370
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-20.initial.yaml
@@ -0,0 +1,36 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-provider-s6f4l of type provisioning to complete"
+      reason: ProvisioningOperationCreated
+      status: "False"
+      type: Ready
+  state: Provisioning
diff --git a/internal/controller/testdata/captenant/cat-21.expected.yaml b/internal/controller/testdata/captenant/cat-21.expected.yaml
new file mode 100644
index 0000000..8f2b9f8
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-21.expected.yaml
@@ -0,0 +1,78 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 2
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-upg successfully completed"
+      reason: UpgradeCompleted
+      observedGeneration: 2
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v2
+  previousCAPApplicationVersions:
+   - test-cap-01-cav-v1
+  observedGeneration: 2
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: "4973adfd25df6a6ef553c2d02ec88a8165e83bc25cc46d608904ffb7c6a77cbd"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  gateways:
+    - test-cap-01-gw
+    - istio-system/cap-operator-domains-gen
+  hosts:
+    - my-provider.app-domain.test.local
+    - my-provider.foo.bar.local
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: test-cap-01-cav-v2-app-router-svc.default.svc.cluster.local
+            port:
+              number: 5000
+          weight: 100
diff --git a/internal/controller/testdata/captenant/cat-21.initial.yaml b/internal/controller/testdata/captenant/cat-21.initial.yaml
new file mode 100644
index 0000000..13af6ea
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-21.initial.yaml
@@ -0,0 +1,109 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  deletionTimestamp: "2022-03-22T13:24:38Z"
+  generation: 2
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "created CAPTenantOperation default.test-cap-01-provider-upg of type upgrade"
+      reason: UpgradeOperationCreated
+      status: "False"
+      type: Ready
+  state: Upgrading
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/cav-version: "8.9.10"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider-upg
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: upgrade
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  conditions:
+    - message: job default.test-cap-01-provider-upg-abcd completed
+      reason: StepCompleted
+      status: "True"
+      type: Ready
+  state: Completed
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  gateways:
+    - test-cap-01-gw
+  hosts:
+    - my-provider.app-domain.test.local
+    - my-provider.foo.bar.local
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: test-cap-01-cav-v2-app-router-svc.default.svc.cluster.local
+            port:
+              number: 4000
+          weight: 100
diff --git a/internal/controller/testdata/captenant/cat-22.initial.yaml b/internal/controller/testdata/captenant/cat-22.initial.yaml
new file mode 100644
index 0000000..e587c4b
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-22.initial.yaml
@@ -0,0 +1,106 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 2
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-provider-upg of type upgrade to complete"
+      reason: UpgradeOperationCreated
+      status: "False"
+      type: Ready
+  state: Upgrading
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/cav-version: "8.9.10"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider-upg
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: upgrade
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  conditions:
+    - message: job default.test-cap-01-provider-upg-abcs completed
+      reason: StepCompleted
+      status: "True"
+      type: Ready
+  state: Completed
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  labels:
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier: default.test-cap-01-wrong-tenant
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-wrong-tenant
+spec:
+  gateways:
+    - test-cap-01-gw
+  hosts:
+    - my-provider.app-domain.test.local
+    - my-provider.foo.bar.local
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: test-cap-01-cav-v1-router-svc.default.svc.cluster.local
+            port:
+              number: 4000
+          weight: 100
diff --git a/internal/controller/testdata/captenant/cat-23.expected.yaml b/internal/controller/testdata/captenant/cat-23.expected.yaml
new file mode 100644
index 0000000..2d6737c
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-23.expected.yaml
@@ -0,0 +1,40 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 2
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-upg failed"
+      reason: UpgradeFailed
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  state: UpgradeError
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+  observedGeneration: 2
diff --git a/internal/controller/testdata/captenant/cat-23.initial.yaml b/internal/controller/testdata/captenant/cat-23.initial.yaml
new file mode 100644
index 0000000..9c008c7
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-23.initial.yaml
@@ -0,0 +1,75 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 2
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-upg failed"
+      reason: UpgradeFailed
+      observedGeneration: 2
+      status: "False"
+      type: Ready
+  state: UpgradeError
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+  observedGeneration: 2
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/cav-version: "8.9.10"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider-upg
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: upgrade
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  conditions:
+    - message: job default.test-cap-01-provider-upg-abcd failed
+      reason: StepFailed
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Failed
diff --git a/internal/controller/testdata/captenant/cat-24.expected.yaml b/internal/controller/testdata/captenant/cat-24.expected.yaml
new file mode 100644
index 0000000..0d2e497
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-24.expected.yaml
@@ -0,0 +1,70 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 3
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 11.12.13
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-provider-gen of type upgrade to complete"
+      reason: UpgradeOperationCreated
+      observedGeneration: 3
+      status: "True"
+      type: Ready
+  state: Upgrading
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+  observedGeneration: 3
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  name: test-cap-01-provider-gen
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "3"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/cav-version: "11.12.13"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v3
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: upgrade
+  steps:
+    - name: mtx
+      type: TenantOperation
diff --git a/internal/controller/testdata/captenant/cat-24.initial.yaml b/internal/controller/testdata/captenant/cat-24.initial.yaml
new file mode 100644
index 0000000..579c4c9
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-24.initial.yaml
@@ -0,0 +1,74 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 3
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 11.12.13
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-upg failed"
+      reason: UpgradeFailed
+      status: "True"
+      type: Ready
+  state: UpgradeError
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+  observedGeneration: 2
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/cav-version: "8.9.10"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider-upg
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: upgrade
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  conditions:
+    - message: job default.test-cap-01-provider-upg-xyz failed
+      reason: StepFailed
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Failed
diff --git a/internal/controller/testdata/captenant/cat-25.expected.yaml b/internal/controller/testdata/captenant/cat-25.expected.yaml
new file mode 100644
index 0000000..fc05413
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-25.expected.yaml
@@ -0,0 +1,70 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 2
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-provider-gen of type upgrade to complete"
+      reason: UpgradeOperationCreated
+      observedGeneration: 2
+      status: "True"
+      type: Ready
+  state: Upgrading
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+  observedGeneration: 2
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  name: test-cap-01-provider-gen
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: "default.test-cap-01-provider"
+  labels:
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/cav-version: "8.9.10"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: upgrade
+  steps:
+    - name: mtx
+      type: TenantOperation
diff --git a/internal/controller/testdata/captenant/cat-25.initial.yaml b/internal/controller/testdata/captenant/cat-25.initial.yaml
new file mode 100644
index 0000000..e9f95cd
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-25.initial.yaml
@@ -0,0 +1,39 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 2
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-upg failed"
+      reason: UpgradeFailed
+      status: "True"
+      type: Ready
+  state: UpgradeError
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+  observedGeneration: 2
diff --git a/internal/controller/testdata/captenant/cat-26.initial.yaml b/internal/controller/testdata/captenant/cat-26.initial.yaml
new file mode 100644
index 0000000..901e775
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-26.initial.yaml
@@ -0,0 +1,72 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-provider-s6f4l of type provisioning to complete"
+      reason: ProvisioningRequestCreated
+      status: "False"
+      type: Ready
+  state: Provisioning
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider-s6f4l
+  namespace: default
+  finalizers:
+    - sme.sap.com/mtxrequest
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: provisioning
+  steps:
+    - name: mtx
+      type: CAPTenantOperation
+status:
+  conditions:
+    - message: "invalid env configuration for workload: mtx job, remove entry: VCAP_SERVICES from configuration"
+      reason: InvalidEnv
+      status: "True"
+      type: Ready
+  state: Failed
diff --git a/internal/controller/testdata/captenant/cat-27.expected.yaml b/internal/controller/testdata/captenant/cat-27.expected.yaml
new file mode 100644
index 0000000..9d9acc4
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-27.expected.yaml
@@ -0,0 +1,67 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-provider-gen of type upgrade to complete"
+      reason: UpgradeOperationCreated
+      status: "True"
+      type: Ready
+  state: Upgrading
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  name: test-cap-01-provider-gen
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/cav-version: "8.9.10"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: upgrade
+  steps:
+    - name: cap-backend
+      type: TenantOperation
diff --git a/internal/controller/testdata/captenant/cat-28.expected.yaml b/internal/controller/testdata/captenant/cat-28.expected.yaml
new file mode 100644
index 0000000..2709cf5
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-28.expected.yaml
@@ -0,0 +1,91 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-consumer
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: consumer
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  name: test-cap-01-consumer
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  observedGeneration: 0
+  state: Provisioning
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 0
+      reason: ProvisioningOperationCreated
+      message: "waiting for CAPTenantOperation default.test-cap-01-consumer-gen of type provisioning to complete"
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-consumer-
+  name: test-cap-01-consumer-gen
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-consumer
+  labels:
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: a9df2080f99fd77b1b2c7e4cee1e1bff69498511
+    sme.sap.com/tenant-operation-type: provisioning
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-consumer
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  operation: provisioning
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+---
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    sme.sap.com/resource-hash: c38b79c0bac0cf1b5b8e6757b31d892898fe18472338996f7103adbf0249c79e
+    sme.sap.com/owner-identifier: CAPTenant.default.test-cap-01-consumer
+  labels:
+    sme.sap.com/owner-identifier-hash: f57a7105fbe1d899a7757ddd04747b6b33dde594
+  name: test-cap-01-consumer0
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-consumer
+spec:
+  dnsName: my-consumer.foo.bar.local
+  targets:
+    - public-ingress.operator.testing.local
diff --git a/internal/controller/testdata/captenant/cat-28.initial.yaml b/internal/controller/testdata/captenant/cat-28.initial.yaml
new file mode 100644
index 0000000..8b061af
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-28.initial.yaml
@@ -0,0 +1,36 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-consumer
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: consumer
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  name: test-cap-01-consumer
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  state: ""
+  conditions:
+    - type: Ready
+      status: "False"
+      reason: "ProcessingStarted"
+      message: ""
diff --git a/internal/controller/testdata/captenant/cat-29.expected.yaml b/internal/controller/testdata/captenant/cat-29.expected.yaml
new file mode 100644
index 0000000..5575931
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-29.expected.yaml
@@ -0,0 +1,44 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 2
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-upg successfully completed"
+      reason: UpgradeCompleted
+      observedGeneration: 2
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v2
+  previousCAPApplicationVersions:
+    - old-version-2
+    - old-version-3
+    - test-cap-01-cav-v1
+  observedGeneration: 2
diff --git a/internal/controller/testdata/captenant/cat-29.initial.yaml b/internal/controller/testdata/captenant/cat-29.initial.yaml
new file mode 100644
index 0000000..0c2b8af
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-29.initial.yaml
@@ -0,0 +1,79 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  generation: 2
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "waiting for CAPTenantOperation default.test-cap-01-provider-upg of type upgrade to complete"
+      reason: UpgradeOperationCreated
+      status: "False"
+      type: Ready
+  state: Upgrading
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
+  previousCAPApplicationVersions:
+    - old-version-1
+    - old-version-2
+    - old-version-3
+---
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  generateName: test-cap-01-provider-
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/cav-version: "8.9.10"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider-upg
+  namespace: default
+  finalizers:
+    - sme.sap.com/captenantoperation
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  operation: upgrade
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  conditions:
+    - message: job default.test-cap-01-provider-upg-abcd completed
+      reason: StepCompleted
+      status: "True"
+      type: Ready
+  state: Completed
diff --git a/internal/controller/testdata/captenant/cat-with-no-version.yaml b/internal/controller/testdata/captenant/cat-with-no-version.yaml
new file mode 100644
index 0000000..dc21039
--- /dev/null
+++ b/internal/controller/testdata/captenant/cat-with-no-version.yaml
@@ -0,0 +1,35 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-consumer
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: consumer
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  name: test-cap-01-consumer
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-consumer
+  tenantId: tenant-id-for-consumer
+  versionUpgradeStrategy: always
+status:
+  state: ""
+  conditions:
+    - type: Ready
+      status: "False"
+      reason: "ProcessingStarted"
+      message: ""
diff --git a/internal/controller/testdata/captenant/changed-provider-tenant-dnsentry.yaml b/internal/controller/testdata/captenant/changed-provider-tenant-dnsentry.yaml
new file mode 100644
index 0000000..f4922ae
--- /dev/null
+++ b/internal/controller/testdata/captenant/changed-provider-tenant-dnsentry.yaml
@@ -0,0 +1,27 @@
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    sme.sap.com/resource-hash: be44dd98e914aa033f04f18a03338da45b40090b55e0e1c935353f088bd7c583
+    sme.sap.com/owner-identifier: CAPTenant.default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-identifier-hash: ec24f9b09337c244cf5ac64b539f8c04f507cd99
+  name: test-cap-01-provider0
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  dnsName: my-provider.foo.bar.local
+  targets:
+    - public-ingress.operator.testing.local
+status:
+  message: dns entry active
+  state: Ready
+  targets:
+    - public-ingress.operator.testing.local
+  ttl: 300
diff --git a/internal/controller/testdata/captenant/provider-tenant-dnsentry-not-ready.yaml b/internal/controller/testdata/captenant/provider-tenant-dnsentry-not-ready.yaml
new file mode 100644
index 0000000..d9f7ce5
--- /dev/null
+++ b/internal/controller/testdata/captenant/provider-tenant-dnsentry-not-ready.yaml
@@ -0,0 +1,27 @@
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    sme.sap.com/resource-hash: 8a2ffda0d9efb285c9653316b443d8f6a40246532eb5aee009e65a8a8389e8fe
+    sme.sap.com/owner-identifier: CAPTenant.default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-identifier-hash: ec24f9b09337c244cf5ac64b539f8c04f507cd99
+  name: test-cap-01-provider0
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  dnsName: my-provider.foo.bar.local
+  targets:
+    - public-ingress.operator.testing.local
+status:
+  message: processing
+  state: Processing
+  targets:
+    - public-ingress.operator.testing.local
+  ttl: 300
diff --git a/internal/controller/testdata/captenant/provider-tenant-dnsentry.yaml b/internal/controller/testdata/captenant/provider-tenant-dnsentry.yaml
new file mode 100644
index 0000000..9a95c31
--- /dev/null
+++ b/internal/controller/testdata/captenant/provider-tenant-dnsentry.yaml
@@ -0,0 +1,27 @@
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    sme.sap.com/resource-hash: 8a2ffda0d9efb285c9653316b443d8f6a40246532eb5aee009e65a8a8389e8fe
+    sme.sap.com/owner-identifier: CAPTenant.default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-identifier-hash: ec24f9b09337c244cf5ac64b539f8c04f507cd99
+  name: test-cap-01-provider0
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  dnsName: my-provider.foo.bar.local
+  targets:
+    - public-ingress.operator.testing.local
+status:
+  message: dns entry active
+  state: Ready
+  targets:
+    - public-ingress.operator.testing.local
+  ttl: 300
diff --git a/internal/controller/testdata/captenant/provider-tenant-dr-v1.yaml b/internal/controller/testdata/captenant/provider-tenant-dr-v1.yaml
new file mode 100644
index 0000000..06d0700
--- /dev/null
+++ b/internal/controller/testdata/captenant/provider-tenant-dr-v1.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: 5d065e2112f26ad9b5ace902461365ba9cbf539123dea326f060534bc30e22d1
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  generation: 1
+  labels:
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  host: test-cap-01-cav-v1-app-router-svc.default.svc.cluster.local
+  trafficPolicy:
+    loadBalancer:
+      consistentHash:
+        httpCookie:
+          name: JSESSIONID
+          path: /
+          ttl: 0s
diff --git a/internal/controller/testdata/captenant/provider-tenant-vs-v1.yaml b/internal/controller/testdata/captenant/provider-tenant-vs-v1.yaml
new file mode 100644
index 0000000..a218117
--- /dev/null
+++ b/internal/controller/testdata/captenant/provider-tenant-vs-v1.yaml
@@ -0,0 +1,34 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  annotations:
+    sme.sap.com/resource-hash: "2309c27d407c5e1d71529d3448da227ab25f63fb5f9d631d7c8a3e9fd0a1ff34"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  gateways:
+    - test-cap-01-gw
+    - istio-system/cap-operator-domains-gen
+  hosts:
+    - my-provider.app-domain.test.local
+    - my-provider.foo.bar.local
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: test-cap-01-cav-v1-app-router-svc.default.svc.cluster.local
+            port:
+              number: 5000
+          weight: 100
diff --git a/internal/controller/testdata/captenant/to-be-updated-provider-tenant-dnsentry.yaml b/internal/controller/testdata/captenant/to-be-updated-provider-tenant-dnsentry.yaml
new file mode 100644
index 0000000..1598adf
--- /dev/null
+++ b/internal/controller/testdata/captenant/to-be-updated-provider-tenant-dnsentry.yaml
@@ -0,0 +1,27 @@
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    sme.sap.com/resource-hash: foobarsomehash
+    sme.sap.com/owner-identifier: CAPTenant.default.test-cap-01-provider
+  labels:
+    sme.sap.com/owner-identifier-hash: ec24f9b09337c244cf5ac64b539f8c04f507cd99
+  name: test-cap-01-provider0
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  dnsName: my-provider.foo.bar.local
+  targets:
+    - public-ingress.operator.testing.local
+status:
+  message: dns entry active
+  state: Ready
+  targets:
+    - public-ingress.operator.testing.local
+  ttl: 300
diff --git a/internal/controller/testdata/captenantoperation/ctop-01.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-01.expected.yaml
new file mode 100644
index 0000000..beae87e
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-01.expected.yaml
@@ -0,0 +1,30 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
diff --git a/internal/controller/testdata/captenantoperation/ctop-01.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-01.initial.yaml
new file mode 100644
index 0000000..99008d2
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-01.initial.yaml
@@ -0,0 +1,13 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+spec:
+  tenantId: tenant-id-for-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
diff --git a/internal/controller/testdata/captenantoperation/ctop-02.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-02.expected.yaml
new file mode 100644
index 0000000..c34b850
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-02.expected.yaml
@@ -0,0 +1,31 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-02.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-02.initial.yaml
new file mode 100644
index 0000000..beae87e
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-02.initial.yaml
@@ -0,0 +1,30 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
diff --git a/internal/controller/testdata/captenantoperation/ctop-03.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-03.expected.yaml
new file mode 100644
index 0000000..54459fb
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-03.expected.yaml
@@ -0,0 +1,34 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps: []
+status:
+  state: Failed
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "True"
+      observedGeneration: 1
+      reason: StepProcessingError
+      message: "operation steps missing in CAPTenantOperation default.test-cap-01-provider-abcd"
diff --git a/internal/controller/testdata/captenantoperation/ctop-03.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-03.initial.yaml
new file mode 100644
index 0000000..87a5507
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-03.initial.yaml
@@ -0,0 +1,28 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps: []
+status:
+  state: Processing
+  conditions: []
diff --git a/internal/controller/testdata/captenantoperation/ctop-04.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-04.expected.yaml
new file mode 100644
index 0000000..ba87a03
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-04.expected.yaml
@@ -0,0 +1,129 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 1/1 : job default.test-cap-01-provider-mtx-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-mtx-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "mtx"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-mtx-
+  name: test-cap-01-provider-mtx-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: provisioning
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "mtx"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: WAIT_FOR_SIDECAR
+              value: "false"
+            - name: XSUAA_INSTANCE_NAME
+              value: cap-uaa
+            - name: MTX_SERVICE_URL
+              value: http://localhost:4004
+            - name: MTX_REQUEST_TYPE
+              value: provisioning
+            - name: MTX_TENANT_ID
+              value: tenant-id-for-provider
+            - name: MTX_REQUEST_PAYLOAD
+              value: '{"subscribedSubdomain":"my-provider","eventType":"CREATE"}'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          image: ghcr.io/sap/cap-operator/mtx-job
+          name: trigger
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 5.6.7
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: provisioning
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: "IS_MTXS_ENABLED" 
+              value: "false"
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          command:
+            - "/bin/sh"
+            - "-c"
+          args:
+            - node ./node_modules/@sap/cds/bin/cds run & nc -lv -s localhost -p 8080
+          image: docker.image.repo/srv/server:latest
+          name: mtx
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
diff --git a/internal/controller/testdata/captenantoperation/ctop-04.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-04.initial.yaml
new file mode 100644
index 0000000..8086d46
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-04.initial.yaml
@@ -0,0 +1,32 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-05.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-05.expected.yaml
new file mode 100644
index 0000000..0934e02
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-05.expected.yaml
@@ -0,0 +1,31 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: "5.6.7"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
diff --git a/internal/controller/testdata/captenantoperation/ctop-05.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-05.initial.yaml
new file mode 100644
index 0000000..39895fc
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-05.initial.yaml
@@ -0,0 +1,13 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+spec:
+  tenantId: tenant-id-for-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
diff --git a/internal/controller/testdata/captenantoperation/ctop-06.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-06.expected.yaml
new file mode 100644
index 0000000..603b264
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-06.expected.yaml
@@ -0,0 +1,134 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: cap-backend
+      type: TenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 1/1 : job default.test-cap-01-provider-cap-backend-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-cap-backend-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "cap-backend"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-cap-backend-
+  name: test-cap-01-provider-cap-backend-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  backoffLimit: 2
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: upgrade
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "cap-backend"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: WAIT_FOR_SIDECAR
+              value: "false"
+            - name: XSUAA_INSTANCE_NAME
+              value: cap-uaa
+            - name: MTX_SERVICE_URL
+              value: http://localhost:4004
+            - name: MTX_REQUEST_TYPE
+              value: upgrade
+            - name: MTX_TENANT_ID
+              value: tenant-id-for-provider
+            - name: MTX_REQUEST_PAYLOAD
+              value: '{"tenants":["tenant-id-for-provider"],"autoUndeploy":true}'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-cap-backend-gen
+                optional: true
+          image: ghcr.io/sap/cap-operator/mtx-job
+          name: trigger
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 8.9.10
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: upgrade
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: foo
+              value: bar
+            - name: "IS_MTXS_ENABLED" 
+              value: "false"
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-cap-backend-gen
+                optional: true
+          command:
+            - "/bin/sh"
+            - "-c"
+          args:
+            - node ./node_modules/@sap/cds/bin/cds run & nc -lv -s localhost -p 8080
+          image: docker.image.repo/srv/server:v2
+          name: cap-backend
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
diff --git a/internal/controller/testdata/captenantoperation/ctop-06.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-06.initial.yaml
new file mode 100644
index 0000000..521e8f1
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-06.initial.yaml
@@ -0,0 +1,33 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: "default.test-cap-01-provider"
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: "8.9.10"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: cap-backend
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-07.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-07.expected.yaml
new file mode 100644
index 0000000..ecf49d7
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-07.expected.yaml
@@ -0,0 +1,114 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 1/3 : job default.test-cap-01-provider-custom-say-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-custom-say-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "custom-say"
+    sme.sap.com/workload-type: "CustomTenantOperation"
+  generateName: test-cap-01-provider-custom-say-
+  name: test-cap-01-provider-custom-say-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  backoffLimit: 1
+  ttlSecondsAfterFinished: 150
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: upgrade
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "custom-say"
+        sme.sap.com/workload-type: "CustomTenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 8.9.10
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: upgrade
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: close
+              value: encounter
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-custom-say-gen
+                optional: true
+          image: docker/whalesay
+          imagePullPolicy: IfNotPresent
+          command: ["cowsay", "$(CAPOP_TENANT_OPERATION)", "$(CAPOP_TENANT_ID)"]
+          name: custom-say
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
diff --git a/internal/controller/testdata/captenantoperation/ctop-07.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-07.initial.yaml
new file mode 100644
index 0000000..d95fb1e
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-07.initial.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: "default.test-cap-01-provider"
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: "8.9.10"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-08.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-08.expected.yaml
new file mode 100644
index 0000000..8f7bfad
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-08.expected.yaml
@@ -0,0 +1,119 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepCompleted
+      message: "step 1/3 : job default.test-cap-01-provider-custom-say-xyz completed"
+  currentStep: 2
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "custom-say"
+    sme.sap.com/workload-type: "CustomTenantOperation"
+  generateName: test-cap-01-provider-custom-say-
+  name: test-cap-01-provider-custom-say-xyz
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  backoffLimit: 1
+  ttlSecondsAfterFinished: 150
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: upgrade
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "custom-say"
+        sme.sap.com/workload-type: "CustomTenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 8.9.10
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: upgrade
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: close
+              value: encounter
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-custom-say-gen
+                optional: true
+          image: docker/whalesay
+          imagePullPolicy: IfNotPresent
+          command: ["cowsay", "$(CAPOP_TENANT_OPERATION)", "$(CAPOP_TENANT_ID)"]
+          name: custom-say
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
+status:
+  activeItems: 0
+  conditions:
+    - type: Complete
+      status: "True"
+      Reason: PodCompleted
diff --git a/internal/controller/testdata/captenantoperation/ctop-08.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-08.initial.yaml
new file mode 100644
index 0000000..d7cac20
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-08.initial.yaml
@@ -0,0 +1,119 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      reason: StepInitiated
+      message: "step 1/3 : job default.test-cap-01-provider-custom-say-xyz created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-custom-say-xyz"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "custom-say"
+    sme.sap.com/workload-type: "CustomTenantOperation"
+  generateName: test-cap-01-provider-custom-say-
+  name: test-cap-01-provider-custom-say-xyz
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  backoffLimit: 1
+  ttlSecondsAfterFinished: 150
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: upgrade
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "custom-say"
+        sme.sap.com/workload-type: "CustomTenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 8.9.10
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: upgrade
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: close
+              value: encounter
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-custom-say-gen
+                optional: true
+          image: docker/whalesay
+          imagePullPolicy: IfNotPresent
+          command: ["cowsay", "$(CAPOP_TENANT_OPERATION)", "$(CAPOP_TENANT_ID)"]
+          name: custom-say
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
+status:
+  activeItems: 0
+  conditions:
+    - type: Complete
+      status: "True"
+      Reason: PodCompleted
diff --git a/internal/controller/testdata/captenantoperation/ctop-09.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-09.expected.yaml
new file mode 100644
index 0000000..e979581
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-09.expected.yaml
@@ -0,0 +1,138 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 2/3 : job default.test-cap-01-provider-ten-op-gen created"
+  currentStep: 2
+  activeJob: "test-cap-01-provider-ten-op-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "2"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "ten-op"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-ten-op-
+  name: test-cap-01-provider-ten-op-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  backoffLimit: 1
+  ttlSecondsAfterFinished: 150
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "2"
+        sme.sap.com/tenant-operation-type: upgrade
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "ten-op"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: WAIT_FOR_SIDECAR
+              value: "false"
+            - name: XSUAA_INSTANCE_NAME
+              value: cap-uaa
+            - name: MTX_SERVICE_URL
+              value: http://localhost:4004
+            - name: MTX_REQUEST_TYPE
+              value: upgrade
+            - name: MTX_TENANT_ID
+              value: tenant-id-for-provider
+            - name: MTX_REQUEST_PAYLOAD
+              value: '{"tenants":["tenant-id-for-provider"],"autoUndeploy":true}'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-ten-op-gen
+                optional: true
+          image: ghcr.io/sap/cap-operator/mtx-job
+          name: trigger
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 8.9.10
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: upgrade
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: flow
+              value: glow
+            - name: "IS_MTXS_ENABLED" 
+              value: "false"
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-ten-op-gen
+                optional: true
+          command:
+            - "/bin/sh"
+            - "-c"
+          args:
+            - node ./node_modules/@sap/cds/bin/cds run & nc -lv -s localhost -p 8080
+          image: docker.image.repo/srv/server:latest
+          name: ten-op
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
diff --git a/internal/controller/testdata/captenantoperation/ctop-09.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-09.initial.yaml
new file mode 100644
index 0000000..7f28d6c
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-09.initial.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      reason: StepCompleted
+      message: "step 1/3 : job default.test-cap-01-provider-abcd-xyz completed"
+  currentStep: 2
diff --git a/internal/controller/testdata/captenantoperation/ctop-10.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-10.expected.yaml
new file mode 100644
index 0000000..90eafdc
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-10.expected.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Failed
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "True"
+      observedGeneration: 1
+      reason: StepFailed
+      message: "step 2/3 : job default.test-cap-01-provider-mtx-xyz failed"
diff --git a/internal/controller/testdata/captenantoperation/ctop-10.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-10.initial.yaml
new file mode 100644
index 0000000..1092b5e
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-10.initial.yaml
@@ -0,0 +1,141 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      reason: StepInitiated
+      message: "step 2/3 : job default.test-cap-01-provider-mtx-xyz created"
+  currentStep: 2
+  activeJob: "test-cap-01-provider-mtx-xyz"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "2"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "ten-op"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-mtx-
+  name: test-cap-01-provider-mtx-xyz
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  backoffLimit: 1
+  ttlSecondsAfterFinished: 150
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "2"
+        sme.sap.com/tenant-operation-type: upgrade
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "ten-op"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: WAIT_FOR_SIDECAR
+              value: "false"
+            - name: XSUAA_INSTANCE_NAME
+              value: cap-uaa
+            - name: MTX_SERVICE_URL
+              value: http://localhost:4004
+            - name: MTX_REQUEST_TYPE
+              value: upgrade
+            - name: MTX_TENANT_ID
+              value: tenant-id-for-provider
+            - name: MTX_REQUEST_PAYLOAD
+              value: '{"tenants":["tenant-id-for-provider"],"autoUndeploy":true}'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-ten-op-gen
+                optional: true
+          image: ghcr.io/sap/cap-operator/mtx-job
+          name: trigger
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 8.9.10
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: upgrade
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: flow
+              value: glow
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-ten-op-gen
+                optional: true
+          command:
+            - "/bin/sh"
+            - "-c"
+          args:
+            - node ./node_modules/@sap/cds/bin/cds run & nc -lv -s localhost -p 8080
+          image: docker.image.repo/srv/server:latest
+          name: mtx
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
+status:
+  activeItems: 0
+  conditions:
+    - type: Failed
+      status: "True"
+      Reason: PodError
diff --git a/internal/controller/testdata/captenantoperation/ctop-11.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-11.expected.yaml
new file mode 100644
index 0000000..f3b29d2
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-11.expected.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Completed
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "True"
+      observedGeneration: 1
+      reason: StepCompleted
+      message: "step 3/3 : job default.test-cap-01-provider-custom-say-xyz completed"
diff --git a/internal/controller/testdata/captenantoperation/ctop-11.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-11.initial.yaml
new file mode 100644
index 0000000..f55f9f2
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-11.initial.yaml
@@ -0,0 +1,118 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      reason: StepInitiated
+      message: "step 3/3 : job default.test-cap-01-provider-custom-say-xyz created"
+  currentStep: 3
+  activeJob: "test-cap-01-provider-custom-say-xyz"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "3"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "custom-say"
+    sme.sap.com/workload-type: "CustomTenantOperation"
+  generateName: test-cap-01-provider-custom-say-
+  name: test-cap-01-provider-custom-say-xyz
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  backoffLimit: 1
+  ttlSecondsAfterFinished: 150
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "3"
+        sme.sap.com/tenant-operation-type: upgrade
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "custom-say"
+        sme.sap.com/workload-type: "CustomTenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 8.9.10
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: upgrade
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: close
+              value: encounter
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-custom-say-gen
+                optional: true
+          image: docker/whalesay
+          command: ["cowsay", "$(CAPOP_TENANT_OPERATION)", "$(CAPOP_TENANT_ID)"]
+          name: custom-say
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
+status:
+  activeItems: 0
+  conditions:
+    - type: Complete
+      status: "True"
+      Reason: PodCompleted
diff --git a/internal/controller/testdata/captenantoperation/ctop-12.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-12.expected.yaml
new file mode 100644
index 0000000..716fa42
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-12.expected.yaml
@@ -0,0 +1,44 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  deletionTimestamp: "2022-08-22T13:24:38Z"
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Deleting
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepCompleted
+      message: "step 1/3 : job default.test-cap-01-provider-custom-say-xyz completed"
+  currentStep: 2
diff --git a/internal/controller/testdata/captenantoperation/ctop-12.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-12.initial.yaml
new file mode 100644
index 0000000..a5e9d30
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-12.initial.yaml
@@ -0,0 +1,119 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  deletionTimestamp: "2022-08-22T13:24:38Z"
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      reason: StepInitiated
+      message: "step 1/3 : job default.test-cap-01-provider-custom-say-xyz created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-custom-say-xyz"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "custom-say"
+    sme.sap.com/workload-type: "CustomTenantOperation"
+  generateName: test-cap-01-provider-custom-say-
+  name: test-cap-01-provider-custom-say-xyz
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  backoffLimit: 1
+  ttlSecondsAfterFinished: 150
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: upgrade
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "custom-say"
+        sme.sap.com/workload-type: "CustomTenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 8.9.10
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: upgrade
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: close
+              value: encounter
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-custom-say-gen
+                optional: true
+          image: docker/whalesay
+          command: ["cowsay", "$(CAPOP_TENANT_OPERATION)", "$(CAPOP_TENANT_ID)"]
+          name: custom-say
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
+status:
+  activeItems: 0
+  conditions:
+    - type: Complete
+      status: "True"
+      Reason: PodCompleted
diff --git a/internal/controller/testdata/captenantoperation/ctop-13.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-13.expected.yaml
new file mode 100644
index 0000000..f9e16e8
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-13.expected.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  deletionTimestamp: "2022-08-22T13:24:38Z"
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Deleting
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "True"
+      observedGeneration: 1
+      reason: StepFailed
+      message: "step 2/3 : job default.test-cap-01-provider-ten-op-xyz failed"
diff --git a/internal/controller/testdata/captenantoperation/ctop-13.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-13.initial.yaml
new file mode 100644
index 0000000..35a32a3
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-13.initial.yaml
@@ -0,0 +1,142 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  deletionTimestamp: "2022-08-22T13:24:38Z"
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      reason: StepInitiated
+      message: "step 2/3 : job default.test-cap-01-provider-ten-op-xyz created"
+  currentStep: 2
+  activeJob: "test-cap-01-provider-ten-op-xyz"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "2"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "ten-op"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-ten-op-
+  name: test-cap-01-provider-ten-op-xyz
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  backoffLimit: 1
+  ttlSecondsAfterFinished: 150
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "2"
+        sme.sap.com/tenant-operation-type: upgrade
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "ten-op"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: WAIT_FOR_SIDECAR
+              value: "false"
+            - name: XSUAA_INSTANCE_NAME
+              value: cap-uaa
+            - name: MTX_SERVICE_URL
+              value: http://localhost:4004
+            - name: MTX_REQUEST_TYPE
+              value: upgrade
+            - name: MTX_TENANT_ID
+              value: tenant-id-for-provider
+            - name: MTX_REQUEST_PAYLOAD
+              value: '{"tenants":["tenant-id-for-provider"],"autoUndeploy":true}'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-ten-op-gen
+                optional: true
+          image: ghcr.io/sap/cap-operator/mtx-job
+          name: trigger
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 8.9.10
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: upgrade
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: flow
+              value: glow
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-ten-op-gen
+                optional: true
+          command:
+            - "/bin/sh"
+            - "-c"
+          args:
+            - node ./node_modules/@sap/cds/bin/cds run & nc -lv -s localhost -p 8080
+          image: docker.image.repo/srv/server:latest
+          name: ten-op
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
+status:
+  activeItems: 0
+  conditions:
+    - type: Failed
+      status: "True"
+      Reason: PodError
diff --git a/internal/controller/testdata/captenantoperation/ctop-14.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-14.expected.yaml
new file mode 100644
index 0000000..2a1d054
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-14.expected.yaml
@@ -0,0 +1,42 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  deletionTimestamp: "2022-08-22T13:24:38Z"
+  generation: 1
+  finalizers: []
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Deleting
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "True"
+      observedGeneration: 1
+      reason: StepFailed
+      message: "step 2/3 : job default.test-cap-01-provider-abcd-xyz failed"
diff --git a/internal/controller/testdata/captenantoperation/ctop-14.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-14.initial.yaml
new file mode 100644
index 0000000..cf71c1a
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-14.initial.yaml
@@ -0,0 +1,43 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  deletionTimestamp: "2022-08-22T13:24:38Z"
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Deleting
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "True"
+      observedGeneration: 1
+      reason: StepFailed
+      message: "step 2/3 : job default.test-cap-01-provider-abcd-xyz failed"
diff --git a/internal/controller/testdata/captenantoperation/ctop-15.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-15.expected.yaml
new file mode 100644
index 0000000..3749af1
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-15.expected.yaml
@@ -0,0 +1,16 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-invalid-tenant-op
+  namespace: default
+  generation: 1
+spec:
+  tenantId: tenant-id-invalid
+  operation: deprovisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
diff --git a/internal/controller/testdata/captenantoperation/ctop-15.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-15.initial.yaml
new file mode 100644
index 0000000..8010244
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-15.initial.yaml
@@ -0,0 +1,13 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-invalid-tenant-op
+  namespace: default
+  generation: 1
+spec:
+  tenantId: tenant-id-invalid
+  operation: deprovisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
diff --git a/internal/controller/testdata/captenantoperation/ctop-16.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-16.expected.yaml
new file mode 100644
index 0000000..cbede7a
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-16.expected.yaml
@@ -0,0 +1,129 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: deprovisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: deprovisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 1/1 : job default.test-cap-01-provider-mtx-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-mtx-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: deprovisioning
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    app: test-cap-01
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "mtx"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-mtx-
+  name: test-cap-01-provider-mtx-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: deprovisioning
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        app: test-cap-01
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "mtx"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: WAIT_FOR_SIDECAR
+              value: "false"
+            - name: XSUAA_INSTANCE_NAME
+              value: cap-uaa
+            - name: MTX_SERVICE_URL
+              value: http://localhost:4004
+            - name: MTX_REQUEST_TYPE
+              value: deprovisioning
+            - name: MTX_TENANT_ID
+              value: tenant-id-for-provider
+            - name: MTX_REQUEST_PAYLOAD
+              value: "{}"
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          image: ghcr.io/sap/cap-operator/mtx-job
+          name: trigger
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 5.6.7
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: deprovisioning
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: "IS_MTXS_ENABLED" 
+              value: "false"
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          command:
+            - "/bin/sh"
+            - "-c"
+          args:
+            - node ./node_modules/@sap/cds/bin/cds run & nc -lv -s localhost -p 8080
+          image: docker.image.repo/srv/server:latest
+          name: mtx
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
diff --git a/internal/controller/testdata/captenantoperation/ctop-16.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-16.initial.yaml
new file mode 100644
index 0000000..afb672c
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-16.initial.yaml
@@ -0,0 +1,32 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: deprovisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: deprovisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-17.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-17.expected.yaml
new file mode 100644
index 0000000..8a5fe00
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-17.expected.yaml
@@ -0,0 +1,129 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: deprovisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: deprovisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepProcessing
+      message: "step 1/1 : waiting for job default.test-cap-01-provider-mtx-gen"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-mtx-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: deprovisioning
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    app: test-cap-01
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "mtx"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-mtx-
+  name: test-cap-01-provider-mtx-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: deprovisioning
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        app: test-cap-01
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "mtx"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: WAIT_FOR_SIDECAR
+              value: "false"
+            - name: XSUAA_INSTANCE_NAME
+              value: cap-uaa
+            - name: MTX_SERVICE_URL
+              value: http://localhost:4004
+            - name: MTX_REQUEST_TYPE
+              value: deprovisioning
+            - name: MTX_TENANT_ID
+              value: tenant-id-for-provider
+            - name: MTX_REQUEST_PAYLOAD
+              value: "{}"
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          image: ghcr.io/sap/cap-operator/mtx-job
+          name: trigger
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 5.6.7
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: deprovisioning
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          command:
+            - "/bin/sh"
+            - "-c"
+          args:
+            - node ./node_modules/@sap/cds/bin/cds run & nc -lv -s localhost -p 8080
+          image: docker.image.repo/srv/server:latest
+          name: mtx
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
+status:
+  activeItems: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-17.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-17.initial.yaml
new file mode 100644
index 0000000..f64b4d4
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-17.initial.yaml
@@ -0,0 +1,128 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: deprovisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: deprovisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      reason: StepInitiated
+      message: "step 1/1 : job default.test-cap-01-provider-mtx-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-mtx-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: deprovisioning
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    app: test-cap-01
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "mtx"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-mtx-
+  name: test-cap-01-provider-mtx-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: deprovisioning
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        app: test-cap-01
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "mtx"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: WAIT_FOR_SIDECAR
+              value: "false"
+            - name: XSUAA_INSTANCE_NAME
+              value: cap-uaa
+            - name: MTX_SERVICE_URL
+              value: http://localhost:4004
+            - name: MTX_REQUEST_TYPE
+              value: deprovisioning
+            - name: MTX_TENANT_ID
+              value: tenant-id-for-provider
+            - name: MTX_REQUEST_PAYLOAD
+              value: "{}"
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          image: ghcr.io/sap/cap-operator/mtx-job
+          name: trigger
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 5.6.7
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: deprovisioning
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          command:
+            - "/bin/sh"
+            - "-c"
+          args:
+            - node ./node_modules/@sap/cds/bin/cds run & nc -lv -s localhost -p 8080
+          image: docker.image.repo/srv/server:latest
+          name: mtx
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
+status:
+  activeItems: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-18.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-18.expected.yaml
new file mode 100644
index 0000000..b6637f7
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-18.expected.yaml
@@ -0,0 +1,110 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 1/1 : job default.test-cap-01-provider-mtx-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-mtx-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "mtx"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-mtx-
+  name: test-cap-01-provider-mtx-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: provisioning
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "mtx"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 5.6.7
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: provisioning
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          command:
+            - node
+            - ./node_modules/@sap/cds-mtxs/bin/cds-mtx
+            - subscribe
+            - tenant-id-for-provider
+          image: docker.image.repo/srv/server:latest
+          imagePullPolicy: Always
+          name: mtx
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
+
diff --git a/internal/controller/testdata/captenantoperation/ctop-18.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-18.initial.yaml
new file mode 100644
index 0000000..8086d46
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-18.initial.yaml
@@ -0,0 +1,32 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-19.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-19.expected.yaml
new file mode 100644
index 0000000..0253daa
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-19.expected.yaml
@@ -0,0 +1,109 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: deprovisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: deprovisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 1/1 : job default.test-cap-01-provider-mtx-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-mtx-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: deprovisioning
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    app: test-cap-01
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "mtx"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-mtx-
+  name: test-cap-01-provider-mtx-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: deprovisioning
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        app: test-cap-01
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "mtx"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 5.6.7
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: deprovisioning
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          command:
+            - node
+            - ./node_modules/@sap/cds-mtxs/bin/cds-mtx
+            - unsubscribe
+            - tenant-id-for-provider
+          image: docker.image.repo/srv/server:latest
+          imagePullPolicy: Always
+          name: mtx
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
diff --git a/internal/controller/testdata/captenantoperation/ctop-19.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-19.initial.yaml
new file mode 100644
index 0000000..afb672c
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-19.initial.yaml
@@ -0,0 +1,32 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: deprovisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: deprovisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-20.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-20.expected.yaml
new file mode 100644
index 0000000..3d21519
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-20.expected.yaml
@@ -0,0 +1,109 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 1/1 : job default.test-cap-01-provider-mtx-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-mtx-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    app: test-cap-01
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "mtx"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-mtx-
+  name: test-cap-01-provider-mtx-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: upgrade
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        app: test-cap-01
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "mtx"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 5.6.7
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: upgrade
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          command:
+            - node
+            - ./node_modules/@sap/cds-mtxs/bin/cds-mtx
+            - upgrade
+            - tenant-id-for-provider
+          image: docker.image.repo/srv/server:latest
+          imagePullPolicy: Always
+          name: mtx
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
diff --git a/internal/controller/testdata/captenantoperation/ctop-20.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-20.initial.yaml
new file mode 100644
index 0000000..5b23137
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-20.initial.yaml
@@ -0,0 +1,32 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-21.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-21.expected.yaml
new file mode 100644
index 0000000..5a2d547
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-21.expected.yaml
@@ -0,0 +1,115 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 1/1 : job default.test-cap-01-provider-mtx-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-mtx-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "mtx"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-mtx-
+  name: test-cap-01-provider-mtx-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: provisioning
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "mtx"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 5.6.7
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: provisioning
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          command:
+            - node
+            - ./node_modules/@sap/cds-mtxs/bin/cds-mtx
+            - subscribe
+            - tenant-id-for-provider
+          resources:
+            limits:
+              cpu: 200m
+              memory: 200Mi
+            requests:
+              cpu: 20m
+              memory: 20Mi
+          image: docker.image.repo/srv/server:latest
+          name: mtx
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
diff --git a/internal/controller/testdata/captenantoperation/ctop-21.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-21.initial.yaml
new file mode 100644
index 0000000..8086d46
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-21.initial.yaml
@@ -0,0 +1,32 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-22.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-22.expected.yaml
new file mode 100644
index 0000000..2889ca1
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-22.expected.yaml
@@ -0,0 +1,118 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 1/1 : job default.test-cap-01-provider-mtx-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-mtx-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "mtx"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-mtx-
+  name: test-cap-01-provider-mtx-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: provisioning
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "mtx"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 5.6.7
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: provisioning
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          command:
+            - node
+            - ./node_modules/@sap/cds-mtxs/bin/cds-mtx
+            - subscribe
+            - tenant-id-for-provider
+          resources:
+            limits:
+              cpu: 200m
+              memory: 200Mi
+            requests:
+              cpu: 20m
+              memory: 20Mi
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 2000
+          image: docker.image.repo/srv/server:latest
+          name: mtx
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
diff --git a/internal/controller/testdata/captenantoperation/ctop-22.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-22.initial.yaml
new file mode 100644
index 0000000..8086d46
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-22.initial.yaml
@@ -0,0 +1,32 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-23.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-23.expected.yaml
new file mode 100644
index 0000000..b7fd73f
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-23.expected.yaml
@@ -0,0 +1,119 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 1/3 : job default.test-cap-01-provider-custom-say-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-custom-say-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "custom-say"
+    sme.sap.com/workload-type: "CustomTenantOperation"
+  generateName: test-cap-01-provider-custom-say-
+  name: test-cap-01-provider-custom-say-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  backoffLimit: 1
+  ttlSecondsAfterFinished: 150
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: upgrade
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "custom-say"
+        sme.sap.com/workload-type: "CustomTenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 8.9.10
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: upgrade
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: close
+              value: encounter
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-custom-say-gen
+                optional: true
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 2000
+          image: docker/whalesay
+          command: ["cowsay", "$(CAPOP_TENANT_OPERATION)", "$(CAPOP_TENANT_ID)"]
+          name: custom-say
+      imagePullSecrets:
+        - name: regcred
+      securityContext:
+        runAsUser: 2000
+        runAsGroup: 2000
+      restartPolicy: Never
diff --git a/internal/controller/testdata/captenantoperation/ctop-23.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-23.initial.yaml
new file mode 100644
index 0000000..d95fb1e
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-23.initial.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: "default.test-cap-01-provider"
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: "8.9.10"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-24.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-24.expected.yaml
new file mode 100644
index 0000000..cbe9d63
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-24.expected.yaml
@@ -0,0 +1,110 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 1/1 : job default.test-cap-01-provider-mtx-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-mtx-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    foo: "bar"
+    sme.sap.com/my-custom-operation-identifier: "some value for the annotation: `sme.sap.com/my-custom-operation-identifier`"
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "mtx"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-mtx-
+  name: test-cap-01-provider-mtx-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  template:
+    metadata:
+      annotations:
+        foo: "bar"
+        sme.sap.com/my-custom-operation-identifier: "some value for the annotation: `sme.sap.com/my-custom-operation-identifier`"
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: provisioning
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "mtx"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 5.6.7
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: provisioning
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-mtx-gen
+                optional: true
+          command:
+            - node custom-command
+          image: docker.image.repo/srv/server:latest
+          name: mtx
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
+
diff --git a/internal/controller/testdata/captenantoperation/ctop-24.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-24.initial.yaml
new file mode 100644
index 0000000..8086d46
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-24.initial.yaml
@@ -0,0 +1,32 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: provisioning
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: provisioning
+  capApplicationVersionInstance: test-cap-01-cav-v1
+  steps:
+    - name: mtx
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-25.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-25.expected.yaml
new file mode 100644
index 0000000..0d3078b
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-25.expected.yaml
@@ -0,0 +1,123 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 1/3 : job default.test-cap-01-provider-custom-say-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-custom-say-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    foo: "bar"
+    sme.sap.com/my-custom-app-identifier: "some value for the annotation: `sme.sap.com/my-custom-app-identifier`"
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    app: test-cap-01
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "custom-say"
+    sme.sap.com/workload-type: "CustomTenantOperation"
+  generateName: test-cap-01-provider-custom-say-
+  name: test-cap-01-provider-custom-say-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  backoffLimit: 1
+  ttlSecondsAfterFinished: 150
+  template:
+    metadata:
+      annotations:
+        foo: "bar"
+        sme.sap.com/my-custom-app-identifier: "some value for the annotation: `sme.sap.com/my-custom-app-identifier`"
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: upgrade
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        app: test-cap-01
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "custom-say"
+        sme.sap.com/workload-type: "CustomTenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 8.9.10
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: upgrade
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: close
+              value: encounter
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-custom-say-gen
+                optional: true
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 2000
+          image: docker/whalesay
+          command: ["cowsay", "$(CAPOP_TENANT_OPERATION)", "$(CAPOP_TENANT_ID)"]
+          name: custom-say
+      imagePullSecrets:
+        - name: regcred
+      securityContext:
+        runAsUser: 2000
+        runAsGroup: 2000
+      restartPolicy: Never
diff --git a/internal/controller/testdata/captenantoperation/ctop-25.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-25.initial.yaml
new file mode 100644
index 0000000..d95fb1e
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-25.initial.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: "default.test-cap-01-provider"
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: "8.9.10"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: custom-say
+      type: CustomTenantOperation
+    - name: ten-op
+      type: TenantOperation
+    - name: custom-say
+      type: CustomTenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/captenantoperation/ctop-26.expected.yaml b/internal/controller/testdata/captenantoperation/ctop-26.expected.yaml
new file mode 100644
index 0000000..1ccc475
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-26.expected.yaml
@@ -0,0 +1,134 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: default.test-cap-01-provider
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: 8.9.10
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: ten-op
+      type: TenantOperation
+status:
+  state: Processing
+  observedGeneration: 1
+  conditions:
+    - type: Ready
+      status: "False"
+      observedGeneration: 1
+      reason: StepInitiated
+      message: "step 1/1 : job default.test-cap-01-provider-ten-op-gen created"
+  currentStep: 1
+  activeJob: "test-cap-01-provider-ten-op-gen"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    sidecar.istio.io/inject: "false"
+    sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+  labels:
+    sme.sap.com/tenant-operation-step: "1"
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "1"
+    sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+    app: test-cap-01
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/category: "Workload"
+    sme.sap.com/workload-name: "ten-op"
+    sme.sap.com/workload-type: "TenantOperation"
+  generateName: test-cap-01-provider-ten-op-
+  name: test-cap-01-provider-ten-op-gen
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenantOperation
+      name: test-cap-01-provider-abcd
+spec:
+  backoffLimit: 1
+  ttlSecondsAfterFinished: 150
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "false"
+        sme.sap.com/owner-identifier: default.test-cap-01-provider-abcd
+        sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+      labels:
+        sme.sap.com/tenant-operation-step: "1"
+        sme.sap.com/tenant-operation-type: upgrade
+        sme.sap.com/owner-generation: "1"
+        sme.sap.com/owner-identifier-hash: ce6bb3ae0b5ebbd0116259415ccac00bff0dc431
+        app: test-cap-01
+        sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+        sme.sap.com/category: "Workload"
+        sme.sap.com/workload-name: "ten-op"
+        sme.sap.com/workload-type: "TenantOperation"
+    spec:
+      containers:
+        - env:
+            - name: WAIT_FOR_SIDECAR
+              value: "false"
+            - name: XSUAA_INSTANCE_NAME
+              value: cap-uaa2
+            - name: MTX_SERVICE_URL
+              value: http://localhost:4004
+            - name: MTX_REQUEST_TYPE
+              value: upgrade
+            - name: MTX_TENANT_ID
+              value: tenant-id-for-provider
+            - name: MTX_REQUEST_PAYLOAD
+              value: '{"tenants":["tenant-id-for-provider"],"autoUndeploy":true}'
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-ten-op-gen
+                optional: true
+          image: ghcr.io/sap/cap-operator/mtx-job
+          name: trigger
+        - env:
+            - name: CAPOP_APP_VERSION
+              value: 8.9.10
+            - name: CAPOP_TENANT_ID
+              value: tenant-id-for-provider
+            - name: CAPOP_TENANT_OPERATION
+              value: upgrade
+            - name: CAPOP_TENANT_SUBDOMAIN
+              value: my-provider
+            - name: flow
+              value: glow
+            - name: "IS_MTXS_ENABLED" 
+              value: "false"
+          envFrom:
+            - secretRef:
+                name: test-cap-01-provider-abcd-ten-op-gen
+                optional: true
+          command:
+            - "/bin/sh"
+            - "-c"
+          args:
+            - node ./node_modules/@sap/cds/bin/cds run & nc -lv -s localhost -p 8080
+          image: docker.image.repo/srv/server:latest
+          name: ten-op
+      imagePullSecrets:
+        - name: regcred
+      restartPolicy: Never
diff --git a/internal/controller/testdata/captenantoperation/ctop-26.initial.yaml b/internal/controller/testdata/captenantoperation/ctop-26.initial.yaml
new file mode 100644
index 0000000..159fd11
--- /dev/null
+++ b/internal/controller/testdata/captenantoperation/ctop-26.initial.yaml
@@ -0,0 +1,33 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: test-cap-01-provider-abcd
+  namespace: default
+  generation: 1
+  finalizers:
+    - sme.sap.com/captenantoperation
+  annotations:
+    sme.sap.com/owner-identifier: "default.test-cap-01-provider"
+  labels:
+    sme.sap.com/tenant-operation-type: upgrade
+    sme.sap.com/owner-generation: "0"
+    sme.sap.com/owner-identifier-hash: db1f1fd7eaeb0e6407c741b7e4b2540044bcc4ec
+    sme.sap.com/cav-version: "8.9.10"
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPTenant
+      name: test-cap-01-provider
+spec:
+  tenantId: tenant-id-for-provider
+  subDomain: my-provider
+  operation: upgrade
+  capApplicationVersionInstance: test-cap-01-cav-v2
+  steps:
+    - name: ten-op
+      type: TenantOperation
+status:
+  state: Processing
+  conditions: []
+  currentStep: 1
diff --git a/internal/controller/testdata/common/capapplication-multi-xsuaa.yaml b/internal/controller/testdata/common/capapplication-multi-xsuaa.yaml
new file mode 100644
index 0000000..16d4b33
--- /dev/null
+++ b/internal/controller/testdata/common/capapplication-multi-xsuaa.yaml
@@ -0,0 +1,41 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  annotations:
+    "sme.sap.com/primary-xsuaa": "cap-uaa2"
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: xsuaa
+        name: cap-uaa2
+        secret: cap-cap-01-uaa2-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
diff --git a/internal/controller/testdata/common/capapplication.yaml b/internal/controller/testdata/common/capapplication.yaml
new file mode 100644
index 0000000..097045c
--- /dev/null
+++ b/internal/controller/testdata/common/capapplication.yaml
@@ -0,0 +1,39 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  finalizers:
+    - sme.sap.com/capapplication
+  generation: 2
+  name: test-cap-01
+  namespace: default
+  resourceVersion: "11373799"
+  uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-cap-01-uaa-bind-cf
+      - class: xsuaa
+        name: cap-uaa2
+        secret: cap-cap-01-uaa2-bind-cf
+      - class: saas-registry
+        name: cap-saas-registry
+        secret: cap-cap-01-saas-bind-cf
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-cap-01-svc-man-bind-cf
+  btpAppName: test-cap-01
+  domains:
+    istioIngressGatewayLabels:
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: app-domain.test.local
+    secondary:
+      - foo.bar.local
+  globalAccountId: btp-glo-acc-id
+  provider:
+    subDomain: my-provider
+    tenantId: tenant-id-for-provider
diff --git a/internal/controller/testdata/common/capapplicationversion-invalid-env.yaml b/internal/controller/testdata/common/capapplicationversion-invalid-env.yaml
new file mode 100644
index 0000000..f63156a
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-invalid-env.yaml
@@ -0,0 +1,78 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-03-18T22:14:33Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 5.6.7
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        env:
+          - name: foo
+            value: bar
+        image: docker.image.repo/srv/server:latest
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:latest
+    - name: mtx
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        type: TenantOperation
+        image: docker.image.repo/srv/server:latest
+        env:
+          - name: foo
+            value: bar
+          - name: VCAP_SERVICES
+            value: "{'foo': [{'test': 'bar'}]}"
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        env:
+          - name: foo
+            value: bar
+        image: docker.image.repo/approuter/approuter:latest
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/common/capapplicationversion-v1-mtxs-custom-cmd.yaml b/internal/controller/testdata/common/capapplicationversion-v1-mtxs-custom-cmd.yaml
new file mode 100644
index 0000000..cf634fd
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-v1-mtxs-custom-cmd.yaml
@@ -0,0 +1,72 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-03-18T22:14:33Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 5.6.7
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        image: docker.image.repo/srv/server:latest
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:latest
+    - name: mtx
+      annotations:
+        foo: "bar"
+        sme.sap.com/my-custom-operation-identifier: "some value for the annotation: `sme.sap.com/my-custom-operation-identifier`"
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        type: "TenantOperation"
+        image: docker.image.repo/srv/server:latest
+        command: 
+          - node custom-command
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        image: docker.image.repo/approuter/approuter:latest
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/common/capapplicationversion-v1-mtxs.yaml b/internal/controller/testdata/common/capapplicationversion-v1-mtxs.yaml
new file mode 100644
index 0000000..3ffa992
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-v1-mtxs.yaml
@@ -0,0 +1,68 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-03-18T22:14:33Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 5.6.7
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        image: docker.image.repo/srv/server:latest
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:latest
+    - name: mtx
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        type: "TenantOperation"
+        image: docker.image.repo/srv/server:latest
+        imagePullPolicy: Always
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        image: docker.image.repo/approuter/approuter:latest
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/common/capapplicationversion-v1-not-ready.yaml b/internal/controller/testdata/common/capapplicationversion-v1-not-ready.yaml
new file mode 100644
index 0000000..5f4c664
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-v1-not-ready.yaml
@@ -0,0 +1,65 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-03-18T22:14:33Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  version: 5.6.7
+  registrySecrets:
+    - regcred
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        image: docker.image.repo/srv/server:latest
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:latest
+    - name: mtx
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        type: TenantOperation
+        image: docker.image.repo/srv/server:latest
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        image: docker.image.repo/approuter/approuter:latest
+status:
+  conditions:
+    - reason: ReadyForProcessing
+      status: "False"
+      type: Ready
+  observedGeneration: 1
+  state: Processing
diff --git a/internal/controller/testdata/common/capapplicationversion-v1-resources.yaml b/internal/controller/testdata/common/capapplicationversion-v1-resources.yaml
new file mode 100644
index 0000000..dd7e669
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-v1-resources.yaml
@@ -0,0 +1,74 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-03-18T22:14:33Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 5.6.7
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        image: docker.image.repo/srv/server:latest
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:latest
+    - name: mtx
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        type: "TenantOperation"
+        resources:
+          limits:
+            cpu: 200m
+            memory: 200Mi
+          requests:
+            cpu: 20m
+            memory: 20Mi
+        image: docker.image.repo/srv/server:latest
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        image: docker.image.repo/approuter/approuter:latest
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/common/capapplicationversion-v1-security-context.yaml b/internal/controller/testdata/common/capapplicationversion-v1-security-context.yaml
new file mode 100644
index 0000000..7a1ff17
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-v1-security-context.yaml
@@ -0,0 +1,77 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-03-18T22:14:33Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 5.6.7
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        image: docker.image.repo/srv/server:latest
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:latest
+    - name: mtx
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        type: "TenantOperation"
+        resources:
+          limits:
+            cpu: 200m
+            memory: 200Mi
+          requests:
+            cpu: 20m
+            memory: 20Mi
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 2000
+        image: docker.image.repo/srv/server:latest
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        image: docker.image.repo/approuter/approuter:latest
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/common/capapplicationversion-v1.yaml b/internal/controller/testdata/common/capapplicationversion-v1.yaml
new file mode 100644
index 0000000..edb876e
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-v1.yaml
@@ -0,0 +1,70 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  creationTimestamp: "2022-03-18T22:14:33Z"
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v1
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  registrySecrets:
+    - regcred
+  version: 5.6.7
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        image: docker.image.repo/srv/server:latest
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:latest
+    - name: mtx
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        type: "TenantOperation"
+        image: docker.image.repo/srv/server:latest
+        env:
+        - name: IS_MTXS_ENABLED
+          value: "false"
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        image: docker.image.repo/approuter/approuter:latest
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/common/capapplicationversion-v2-annotations.yaml b/internal/controller/testdata/common/capapplicationversion-v2-annotations.yaml
new file mode 100644
index 0000000..5194bdf
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-v2-annotations.yaml
@@ -0,0 +1,104 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v2
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  version: 8.9.10
+  registrySecrets:
+    - regcred
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        image: docker.image.repo/srv/server:v2
+        env:
+          - name: foo
+            value: bar
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:v2
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        image: docker.image.repo/approuter/approuter:v2
+    - name: ten-op
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        type: "TenantOperation"
+        backoffLimit: 1
+        ttlSecondsAfterFinished: 150
+        image: docker.image.repo/srv/server:latest
+        env:
+          - name: flow
+            value: glow
+    - name: custom-say
+      annotations:
+        foo: "bar"
+        sme.sap.com/my-custom-app-identifier: "some value for the annotation: `sme.sap.com/my-custom-app-identifier`"
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: "CustomTenantOperation"
+        image: docker/whalesay
+        command: ["cowsay", "$(CAPOP_TENANT_OPERATION)", "$(CAPOP_TENANT_ID)"]
+        backoffLimit: 1
+        ttlSecondsAfterFinished: 150
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 2000
+        podSecurityContext:
+          runAsUser: 2000
+          runAsGroup: 2000
+        env:
+          - name: close
+            value: encounter
+  tenantOperations:
+    provisioning:
+      - workloadName: custom-say
+      - workloadName: content-job # this will be ignored
+      - workloadName: ten-op
+    upgrade:
+      - workloadName: custom-say
+      - workloadName: ten-op
+      - workloadName: custom-say
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/common/capapplicationversion-v2-multi-xsuaa.yaml b/internal/controller/testdata/common/capapplicationversion-v2-multi-xsuaa.yaml
new file mode 100644
index 0000000..7d4816c
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-v2-multi-xsuaa.yaml
@@ -0,0 +1,78 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v2
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  version: 8.9.10
+  registrySecrets:
+    - regcred
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-uaa2
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        image: docker.image.repo/srv/server:v2
+        env:
+          - name: foo
+            value: bar
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:v2
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        image: docker.image.repo/approuter/approuter:v2
+    - name: ten-op
+      consumedBTPServices:
+        - cap-uaa
+        - cap-uaa2
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        type: "TenantOperation"
+        backoffLimit: 1
+        ttlSecondsAfterFinished: 150
+        image: docker.image.repo/srv/server:latest
+        env:
+          - name: flow
+            value: glow
+          - name: "IS_MTXS_ENABLED" 
+            value: "false"
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/common/capapplicationversion-v2-multiple-tenant-ops.yaml b/internal/controller/testdata/common/capapplicationversion-v2-multiple-tenant-ops.yaml
new file mode 100644
index 0000000..dd5f061
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-v2-multiple-tenant-ops.yaml
@@ -0,0 +1,98 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v2
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  version: 8.9.10
+  registrySecrets:
+    - regcred
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        image: docker.image.repo/srv/server:v2
+        env:
+          - name: foo
+            value: bar
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:v2
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        image: docker.image.repo/approuter/approuter:v2
+    - name: ten-op
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        type: "TenantOperation"
+        backoffLimit: 1
+        ttlSecondsAfterFinished: 150
+        image: docker.image.repo/srv/server:latest
+        env:
+          - name: flow
+            value: glow
+          - name: "IS_MTXS_ENABLED" 
+            value: "false"
+    - name: custom-say
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: "CustomTenantOperation"
+        image: docker/whalesay
+        imagePullPolicy: IfNotPresent
+        command: ["cowsay", "$(CAPOP_TENANT_OPERATION)", "$(CAPOP_TENANT_ID)"]
+        backoffLimit: 1
+        ttlSecondsAfterFinished: 150
+        env:
+          - name: close
+            value: encounter
+  tenantOperations:
+    provisioning:
+      - workloadName: custom-say
+      - workloadName: content-job # this will be ignored
+      - workloadName: ten-op
+    upgrade:
+      - workloadName: custom-say
+      - workloadName: ten-op
+      - workloadName: custom-say
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/common/capapplicationversion-v2-no-mtx-workload.yaml b/internal/controller/testdata/common/capapplicationversion-v2-no-mtx-workload.yaml
new file mode 100644
index 0000000..24d5425
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-v2-no-mtx-workload.yaml
@@ -0,0 +1,63 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v2
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  version: 8.9.10
+  registrySecrets:
+    - regcred
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        image: docker.image.repo/srv/server:v2
+        env:
+          - name: foo
+            value: bar
+          - name: "IS_MTXS_ENABLED" 
+            value: "false"
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:v2
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        image: docker.image.repo/approuter/approuter:v2
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/common/capapplicationversion-v2-pod-security-context.yaml b/internal/controller/testdata/common/capapplicationversion-v2-pod-security-context.yaml
new file mode 100644
index 0000000..2212d68
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-v2-pod-security-context.yaml
@@ -0,0 +1,101 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v2
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  version: 8.9.10
+  registrySecrets:
+    - regcred
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        image: docker.image.repo/srv/server:v2
+        env:
+          - name: foo
+            value: bar
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:v2
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        image: docker.image.repo/approuter/approuter:v2
+    - name: ten-op
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        type: "TenantOperation"
+        backoffLimit: 1
+        ttlSecondsAfterFinished: 150
+        image: docker.image.repo/srv/server:latest
+        env:
+          - name: flow
+            value: glow
+    - name: custom-say
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: "CustomTenantOperation"
+        image: docker/whalesay
+        command: ["cowsay", "$(CAPOP_TENANT_OPERATION)", "$(CAPOP_TENANT_ID)"]
+        backoffLimit: 1
+        ttlSecondsAfterFinished: 150
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 2000
+        podSecurityContext:
+          runAsUser: 2000
+          runAsGroup: 2000
+        env:
+          - name: close
+            value: encounter
+  tenantOperations:
+    provisioning:
+      - workloadName: custom-say
+      - workloadName: content-job # this will be ignored
+      - workloadName: ten-op
+    upgrade:
+      - workloadName: custom-say
+      - workloadName: ten-op
+      - workloadName: custom-say
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/common/capapplicationversion-v2.yaml b/internal/controller/testdata/common/capapplicationversion-v2.yaml
new file mode 100644
index 0000000..c809b91
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-v2.yaml
@@ -0,0 +1,66 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v2
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "11371108"
+  uid: 5e64489b-7346-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  version: 8.9.10
+  registrySecrets:
+    - regcred
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        image: docker.image.repo/srv/server:v2
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:v2
+    - name: mtx
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        type: "TenantOperation"
+        image: docker.image.repo/srv/server:v2
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        image: docker.image.repo/approuter/approuter:v2
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/common/capapplicationversion-v3.yaml b/internal/controller/testdata/common/capapplicationversion-v3.yaml
new file mode 100644
index 0000000..62c0e67
--- /dev/null
+++ b/internal/controller/testdata/common/capapplicationversion-v3.yaml
@@ -0,0 +1,66 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  generation: 1
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+  name: test-cap-01-cav-v3
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+  resourceVersion: "113715468"
+  uid: 5e64489b-1234-4984-8617-e8c37338b3d8
+spec:
+  capApplicationInstance: test-cap-01
+  version: 11.12.13
+  registrySecrets:
+    - regcred
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      deploymentDefinition:
+        type: CAP
+        image: docker.image.repo/srv/server:v3
+    - name: content-job
+      consumedBTPServices:
+        - cap-uaa
+      jobDefinition:
+        type: Content
+        image: docker.image.repo/content/cap-content:v3
+    - name: mtx
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-registry
+      jobDefinition:
+        type: "TenantOperation"
+        image: docker.image.repo/srv/server:v3
+    - name: app-router
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-registry
+      deploymentDefinition:
+        type: Router
+        image: docker.image.repo/approuter/approuter:v3
+status:
+  conditions:
+    - lastTransitionTime: "2022-03-18T23:07:47Z"
+      lastUpdateTime: "2022-03-18T23:07:47Z"
+      reason: CreatedDeployments
+      status: "True"
+      type: Ready
+  observedGeneration: 1
+  state: Ready
diff --git a/internal/controller/testdata/common/captenant-provider-ready.yaml b/internal/controller/testdata/common/captenant-provider-ready.yaml
new file mode 100644
index 0000000..5969035
--- /dev/null
+++ b/internal/controller/testdata/common/captenant-provider-ready.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 5.6.7
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-s6f4l successfully completed"
+      reason: ProvisioningCompleted
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v1
diff --git a/internal/controller/testdata/common/captenant-provider-upgraded-ready.yaml b/internal/controller/testdata/common/captenant-provider-upgraded-ready.yaml
new file mode 100644
index 0000000..60ad219
--- /dev/null
+++ b/internal/controller/testdata/common/captenant-provider-upgraded-ready.yaml
@@ -0,0 +1,37 @@
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  finalizers:
+    - sme.sap.com/captenant
+  annotations:
+    sme.sap.com/btp-app-identifier: btp-glo-acc-id.test-cap-01
+    sme.sap.com/owner-identifier: default.test-cap-01
+  labels:
+    sme.sap.com/btp-app-identifier-hash: f20cc8aeb2003b3abc33f749a16bd53544b6bab2
+    sme.sap.com/btp-tenant-id: tenant-id-for-provider
+    sme.sap.com/owner-generation: "2"
+    sme.sap.com/owner-identifier-hash: 1f74ae2fbff71a708786a4df4bb2ca87ec603581
+    sme.sap.com/tenant-type: provider
+  name: test-cap-01-provider
+  namespace: default
+  ownerReferences:
+    - apiVersion: sme.sap.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: CAPApplication
+      name: test-cap-01
+      uid: 3c7ba7cb-dc04-4fd1-be86-3eb3a5c64a98
+spec:
+  capApplicationInstance: test-cap-01
+  subDomain: my-provider
+  tenantId: tenant-id-for-provider
+  version: 8.9.10
+  versionUpgradeStrategy: always
+status:
+  conditions:
+    - message: "CAPTenantOperation default.test-cap-01-provider-s6f4l successfully completed"
+      reason: UpgradeCompleted
+      status: "True"
+      type: Ready
+  state: Ready
+  currentCAPApplicationVersionInstance: test-cap-01-cav-v2
diff --git a/internal/controller/testdata/common/credential-secrets.yaml b/internal/controller/testdata/common/credential-secrets.yaml
new file mode 100644
index 0000000..f258f50
--- /dev/null
+++ b/internal/controller/testdata/common/credential-secrets.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cap-cap-01-uaa-bind-cf
+  namespace: default
+type: Opaque
+data:
+  credentials: ewogICJ1YWFkb21haW4iOiAiYXV0aC5zZXJ2aWNlLmxvY2FsIiwKICAieHNhcHBuYW1lIjogInRlc3QtY2FwLTAxIWIxNCIsCiAgInVybCI6ICJodHRwczovL2FwcC1kb21haW4uYXV0aC5zZXJ2aWNlLmxvY2FsIiwKICAiY3JlZGVudGlhbC10eXBlIjogImluc3RhbmNlLXNlY3JldCIKfQo=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cap-cap-01-uaa2-bind-cf
+  namespace: default
+type: Opaque
+data:
+  credentials: eyJ1YWFkb21haW4iOiJhdXRoMi5zZXJ2aWNlLmxvY2FsIiwieHNhcHBuYW1lIjoidGVzdC1jYXAtMDIhYjIxIiwidXJsIjoiaHR0cHM6Ly9hcHAtZG9tYWluMi5hdXRoLnNlcnZpY2UubG9jYWwiLCJjcmVkZW50aWFsLXR5cGUiOiJpbnN0YW5jZS1zZWNyZXQifQ==
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cap-cap-01-saas-bind-cf
+  namespace: default
+type: Opaque
+data:
+  credentials: ewogICJzYWFzX3JlZ2lzdHJ5X3VybCI6ICJodHRwczovL3NtLnNlcnZpY2UubG9jYWwiLAogICJjbGllbnRpZCI6ICJjbGllbnRpZCIsCiAgImNsaWVudHNlY3JldCI6ICJjbGllbnRzZWNyZXQiLAogICJ1YWFkb21haW4iOiAiYXV0aC5zZXJ2aWNlLmxvY2FsIgp9Cg==
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cap-cap-01-svc-man-bind-cf
+  namespace: default
+type: Opaque
+data:
+  credentials: ewogICJzbV91cmwiOiAiaHR0cHM6Ly9zbS5zZXJ2aWNlLmxvY2FsIiwKICAiY2xpZW50aWQiOiAiY2xpZW50aWQiLAogICJjbGllbnRzZWNyZXQiOiAiY2xpZW50c2VjcmV0IiwKICAidWFhZG9tYWluIjogImF1dGguc2VydmljZS5sb2NhbCIKfQo=
diff --git a/internal/controller/testdata/common/istio-ingress.yaml b/internal/controller/testdata/common/istio-ingress.yaml
new file mode 100644
index 0000000..f4bb51d
--- /dev/null
+++ b/internal/controller/testdata/common/istio-ingress.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+status:
+  phase: Active
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  name: istio-ingressgateway-5dbdc4cdbb-pvgtp
+  namespace: istio-system
+spec:
+  containers:
+    - image: istio.ingress.image.local:1.12.2
+      imagePullPolicy: IfNotPresent
+      name: istio-proxy
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    dns.gardener.cloud/class: garden
+    dns.gardener.cloud/dnsnames: public-ingress.operator.testing.local
+    dns.gardener.cloud/ttl: "600"
+  creationTimestamp: "2022-03-01T15:14:59Z"
+  finalizers:
+    - garden.dns.gardener.cloud/service-dns
+  name: istio-ingressgateway
+  namespace: istio-system
+  resourceVersion: "4876"
+  uid: ee535038-2f0f-4d9a-adbd-1ae05ba1e864
+spec:
+  ports:
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  sessionAffinity: None
+  type: LoadBalancer
diff --git a/internal/controller/testdata/common/operator-gateway.yaml b/internal/controller/testdata/common/operator-gateway.yaml
new file mode 100644
index 0000000..5b60fc3
--- /dev/null
+++ b/internal/controller/testdata/common/operator-gateway.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  generateName: cap-operator-domains-
+  generation: 1
+  annotations:
+    sme.sap.com/owner-identifier: CAPOperator.OperatorDomains
+  labels:
+    sme.sap.com/owner-identifier-hash: 933c63ba93a11feed88e28ae21e68591bf13256b
+    sme.sap.com/relevant-dns-target-hash: 2b2bdb40343ac1ec9a7d18bce136a564c026e7d2
+  name: cap-operator-domains-gen
+  namespace: istio-system
+spec:
+  selector:
+    app: istio-ingressgateway
+    istio: ingressgateway
+  servers:
+    - hosts:
+        - "*.foo.bar.local"
+      port:
+        name: foo.bar.local
+        number: 443
+        protocol: HTTPS
+      tls:
+        credentialName: test.local
+        mode: SIMPLE
diff --git a/internal/controller/utils.go b/internal/controller/utils.go
new file mode 100644
index 0000000..2ee04bd
--- /dev/null
+++ b/internal/controller/utils.go
@@ -0,0 +1,222 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package controller
+
+import (
+	"crypto/sha1"
+	"crypto/sha256"
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"golang.org/x/exp/slices"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog/v2"
+)
+
+const (
+	certManagerGardener      = "gardener"
+	certManagerCertManagerIO = "cert-manager.io"
+	dnsManagerGardener       = "gardener"
+	dnsManagerKubernetes     = "kubernetes"
+)
+
+const (
+	certManagerEnv = "CERT_MANAGER"
+	dnsManagerEnv  = "DNS_MANAGER"
+)
+
+type ownerInfo struct {
+	ownerNamespace  string
+	ownerName       string
+	ownerGeneration int64
+}
+type appMetadataIdentifiers struct {
+	globalAccountId string
+	appName         string
+	ownerInfo       *ownerInfo
+}
+
+func getOwnerByKind(owners []metav1.OwnerReference, kind string) (*metav1.OwnerReference, bool) {
+	for _, o := range owners {
+		if o.APIVersion == v1alpha1.SchemeGroupVersion.String() && o.Kind == kind && *o.Controller {
+			return &o, true
+		}
+	}
+	return nil, false
+}
+
+func getOwnerFromObjectMetadata(objectMeta metav1.Object, dependentKind string) (NamespacedResourceKey, bool) {
+	var ownerKey NamespacedResourceKey
+
+	annotations := objectMeta.GetAnnotations()
+
+	if annotations[AnnotationOwnerIdentifier] != "" {
+		identifier := strings.Split(annotations[AnnotationOwnerIdentifier], ".")
+		if len(identifier) == 3 && identifier[0] == dependentKind {
+			ownerKey.Namespace = identifier[1]
+			ownerKey.Name = identifier[2]
+			return ownerKey, true
+		}
+	}
+
+	return ownerKey, false
+}
+
+func convertToLocalObjectReferences(entries []string) []corev1.LocalObjectReference {
+	localObjects := make([]corev1.LocalObjectReference, 0)
+	for _, entry := range entries {
+		localObjects = append(localObjects, corev1.LocalObjectReference{Name: entry})
+	}
+	return localObjects
+}
+
+func getResourceKindFromKey(key int) string {
+	kind, ok := KindMap[key]
+	if !ok {
+		kind = "unknown"
+	}
+	return kind
+}
+
+/*
+check whether the status of a custom resource (sme.sap.com) is Ready (based on metav1.Condition)
+*/
+func isCROConditionReady(status v1alpha1.GenericStatus) bool {
+	if status.Conditions == nil {
+		return false
+	}
+
+	return slices.ContainsFunc(status.Conditions, func(condition metav1.Condition) bool {
+		return condition.Type == string(v1alpha1.ConditionTypeReady) && condition.Status == metav1.ConditionTrue
+	})
+}
+
+func addFinalizer(finalizers *[]string, finalizerType string) bool {
+	finalizerExists := slices.ContainsFunc(*finalizers, func(f string) bool {
+		return f == finalizerType
+	})
+
+	if !finalizerExists {
+		*finalizers = append(*finalizers, finalizerType)
+		return true
+	}
+	return false
+}
+
+func removeFinalizer(finalizers *[]string, finalizerType string) bool {
+	finalizerExists := false
+	adjusted := make([]string, 0)
+	for _, f := range *finalizers {
+		if f != finalizerType {
+			adjusted = append(adjusted, f)
+		} else {
+			finalizerExists = true
+		}
+	}
+
+	if finalizerExists {
+		*finalizers = adjusted
+		return true
+	}
+	return false
+}
+
+func certificateManager() string {
+	mgr := certManagerGardener
+	env := os.Getenv(certManagerEnv)
+	if env != "" {
+		if env == certManagerGardener || env == certManagerCertManagerIO {
+			mgr = env
+		} else {
+			klog.Error("Error parsing certificate manager environment variable: invalid value")
+		}
+	}
+	return mgr
+}
+
+func dnsManager() string {
+	mgr := dnsManagerGardener
+	env := os.Getenv(dnsManagerEnv)
+	if env != "" {
+		if env == dnsManagerGardener || env == dnsManagerKubernetes {
+			mgr = env
+		} else {
+			klog.Error("Error parsing DNS manager environment variable: invalid value")
+		}
+	}
+	return mgr
+}
+
+func updateResourceAnnotation(object *metav1.ObjectMeta, hash string) {
+	if object.Annotations == nil {
+		object.Annotations = map[string]string{}
+	}
+	// Update Annotation hash
+	object.Annotations[AnnotationResourceHash] = hash
+}
+
+// Returns an sha256 checksum for a given source string
+func sha256Sum(source ...string) string {
+	sum := sha256.Sum256([]byte(strings.Join(source, "")))
+	return fmt.Sprintf("%x", sum)
+}
+
+// Returns an sha1 checksum for a given source string
+func sha1Sum(source ...string) string {
+	sum := sha1.Sum([]byte(strings.Join(source, "")))
+	return fmt.Sprintf("%x", sum)
+}
+
+func amendObjectMetadata(object *metav1.ObjectMeta, annotatedOldLabel string, hashLabel string, oldValue string, hashedValue string) (updated bool) {
+	// Check if old label exists, if so remove it
+	if _, ok := object.Labels[annotatedOldLabel]; ok {
+		// Should never happen
+		klog.Infof("Unexpected label %s=%s found for resource %s.%s", annotatedOldLabel, oldValue, object.Namespace, object.Name)
+		delete(object.Labels, annotatedOldLabel)
+		updated = true
+	}
+	// Add hashed label as the new label with the hashed identifier value
+	if _, ok := object.Labels[hashLabel]; !ok {
+		object.Labels[hashLabel] = hashedValue
+		updated = true
+	}
+	// Add old label as an annotation with the old value
+	if _, ok := object.Annotations[annotatedOldLabel]; !ok {
+		object.Annotations[annotatedOldLabel] = oldValue
+		updated = true
+	}
+	// return if something was updated
+	return updated
+}
+
+func updateLabelAnnotationMetadata(object *metav1.ObjectMeta, appMetadata *appMetadataIdentifiers) (updated bool) {
+	if object.Labels == nil {
+		object.Labels = make(map[string]string)
+	}
+	if object.Annotations == nil {
+		object.Annotations = map[string]string{}
+	}
+
+	// Update BTP Application Identifier
+	if appMetadata.globalAccountId != "" && amendObjectMetadata(object, AnnotationBTPApplicationIdentifier, LabelBTPApplicationIdentifierHash, strings.Join([]string{appMetadata.globalAccountId, appMetadata.appName}, "."), sha1Sum(appMetadata.globalAccountId, appMetadata.appName)) {
+		updated = true
+	}
+
+	// Update OwnerInfo if owner details exists
+	if appMetadata.ownerInfo != nil {
+		if amendObjectMetadata(object, AnnotationOwnerIdentifier, LabelOwnerIdentifierHash, strings.Join([]string{appMetadata.ownerInfo.ownerNamespace, appMetadata.ownerInfo.ownerName}, "."), sha1Sum(appMetadata.ownerInfo.ownerNamespace, appMetadata.ownerInfo.ownerName)) {
+			updated = true
+		}
+		if _, ok := object.Labels[LabelOwnerGeneration]; !ok {
+			object.Labels[LabelOwnerGeneration] = strconv.FormatInt(appMetadata.ownerInfo.ownerGeneration, 10)
+		}
+	}
+
+	return updated
+}
diff --git a/internal/util/config.go b/internal/util/config.go
new file mode 100644
index 0000000..db7c70b
--- /dev/null
+++ b/internal/util/config.go
@@ -0,0 +1,59 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package util
+
+import (
+	"io/ioutil"
+	"os"
+	"path"
+	"strings"
+
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/klog/v2"
+)
+
+func GetConfig() *rest.Config {
+	// Try to load config from within cluster
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		klog.Warning("Could not load config from cluster; will attempt to load from file")
+
+		// Load config from local/home directory
+		loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
+		pwd, err := os.Getwd()
+		if err != nil {
+			klog.Fatal("Could not determine working directory")
+		}
+		loadingRules.Precedence = append(loadingRules.Precedence, path.Join(pwd, ".kubeconfig"))
+		clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{})
+		config, err = clientConfig.ClientConfig()
+		if err != nil {
+			klog.Fatal("Error: ", err)
+			return nil
+		} else {
+			klog.Info("Found config file in: ", clientConfig.ConfigAccess().GetDefaultFilename())
+		}
+	} else {
+		klog.Info("Found config in cluster")
+	}
+
+	return config
+}
+
+func GetNamespace() string {
+	if ns := os.Getenv("POD_NAMESPACE"); ns != "" {
+		return ns
+	}
+
+	// Fall back to the namespace associated with the service account token, if available
+	if data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil {
+		if ns := strings.TrimSpace(string(data)); len(ns) > 0 {
+			return ns
+		}
+	}
+
+	return "default"
+}
diff --git a/internal/util/types.go b/internal/util/types.go
new file mode 100644
index 0000000..f9e85b1
--- /dev/null
+++ b/internal/util/types.go
@@ -0,0 +1,42 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package util
+
+type VCAPServiceInstance struct {
+	Name         string      `json:"name"` // this attribute holds the binding name if it exists, otherwise, instance name
+	BindingGUID  string      `json:"binding_guid,omitempty"`
+	BindingName  string      `json:"binding_name,omitempty"`
+	InstanceGUID string      `json:"instance_guid,omitempty"`
+	InstanceName string      `json:"instance_name,omitempty"`
+	Label        string      `json:"label"`
+	Plan         string      `json:"plan,omitempty"`
+	Credentials  interface{} `json:"credentials"`
+	Tags         []string    `json:"tags,omitempty"`
+}
+
+type CredentialData struct {
+	CredentialType        string `json:"credential-type"`
+	ClientId              string `json:"clientid"`
+	ClientSecret          string `json:"clientsecret"`
+	AuthUrl               string `json:"url"`
+	UAADomain             string `json:"uaadomain"`
+	ServiceBrokerUrl      string `json:"sburl"`
+	CertificateUrl        string `json:"certurl"`
+	Certificate           string `json:"certificate"`
+	CertificateKey        string `json:"key"`
+	VerificationKey       string `json:"verificationkey"`
+	CallbackTimeoutMillis string `json:"callbackTimeoutMillis"`
+}
+
+type SaasRegistryCredentials struct {
+	CredentialData `json:",inline"`
+	SaasManagerUrl string `json:"saas_registry_url"`
+}
+
+type XSUAACredentials struct {
+	CredentialData        `json:",inline"`
+	XSAppName             string `json:"xsappname"`
+	TrusterClientIDSuffix string `json:"trustedclientidsuffix"`
+}
diff --git a/internal/util/uaa.go b/internal/util/uaa.go
new file mode 100644
index 0000000..ec341f5
--- /dev/null
+++ b/internal/util/uaa.go
@@ -0,0 +1,40 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package util
+
+import (
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"golang.org/x/exp/slices"
+)
+
+const (
+	AnnotationPrimaryXSUAA = "sme.sap.com/primary-xsuaa"
+)
+
+func GetXSUAAInfo(consumedServiceInfos []v1alpha1.ServiceInfo, ca *v1alpha1.CAPApplication) *v1alpha1.ServiceInfo {
+	// Get primary xsuaa service instance name
+	primaryXSUAA := ca.Annotations[AnnotationPrimaryXSUAA]
+
+	serviceIndex := -1
+
+	// Check if matching service with annotated xsuaa name exists
+	if primaryXSUAA != "" {
+		serviceIndex = slices.IndexFunc(consumedServiceInfos, func(consumedServiceInfo v1alpha1.ServiceInfo) bool {
+			return consumedServiceInfo.Name == primaryXSUAA
+		})
+	}
+
+	// Fallback to using 1st matching "xsuaa" class in the list of consumed services
+	if serviceIndex == -1 {
+		serviceIndex = slices.IndexFunc(consumedServiceInfos, func(consumedServiceInfo v1alpha1.ServiceInfo) bool { return consumedServiceInfo.Class == "xsuaa" })
+	}
+
+	// Return matching service info if any
+	if serviceIndex > -1 {
+		return &consumedServiceInfos[serviceIndex]
+	}
+
+	return nil
+}
diff --git a/internal/util/uaa_test.go b/internal/util/uaa_test.go
new file mode 100644
index 0000000..3e391e6
--- /dev/null
+++ b/internal/util/uaa_test.go
@@ -0,0 +1,97 @@
+// This file is needed just to show some coverage as go tests report coverage package wise. The usage in controller and server already cover most of the code.
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package util
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var serviceInfos = []v1alpha1.ServiceInfo{
+	{
+		Class:  "xsuaa",
+		Name:   "test-xsuaa",
+		Secret: "test-xsuaa-sec",
+	},
+	{
+		Class:  "xsuaa",
+		Name:   "test-xsuaa2",
+		Secret: "test-xsuaa-sec2",
+	},
+	{
+		Class:  "saas-registry",
+		Name:   "test-saas",
+		Secret: "test-saas-sec",
+	},
+	{
+		Class:  "service-manager",
+		Name:   "test-sm",
+		Secret: "test-sm-sec",
+	},
+	{
+		Class:  "destination",
+		Name:   "test-dest",
+		Secret: "test-dest-sec",
+	},
+	{
+		Class:  "html5-apps-repo",
+		Name:   "test-html-host",
+		Secret: "test-html-host-sec",
+	},
+	{
+		Class:  "html5-apps-repo",
+		Name:   "test-html-rt",
+		Secret: "test-html-rt-sec",
+	},
+}
+
+func execTestsWithBLI(t *testing.T, name string, backlogItems []string, test func(t *testing.T)) {
+	t.Run(name+", BLIs: "+strings.Join(backlogItems, ", "), test)
+}
+
+func TestGetXSUAAInfoMissingService(t *testing.T) {
+	execTestsWithBLI(t, "Check that no uaa info is returned when no uaa service is present", []string{"ERP4SMEPREPWORKAPPPLAT-3773"}, func(t *testing.T) {
+		res := GetXSUAAInfo([]v1alpha1.ServiceInfo{}, &v1alpha1.CAPApplication{})
+
+		if res != nil {
+			t.Error("unexpected uaa info")
+		}
+	})
+}
+func TestGetXSUAAInfoWithoutAnnotation(t *testing.T) {
+	execTestsWithBLI(t, "Check that the 1st uaa info is returned with CA with no annotation is present", []string{"ERP4SMEPREPWORKAPPPLAT-3773"}, func(t *testing.T) {
+		// CA without "sme.sap.com/primary-xsuaa" annotation
+		ca := v1alpha1.CAPApplication{}
+
+		res := GetXSUAAInfo(serviceInfos, &ca)
+
+		if res.Name != "test-xsuaa" {
+			t.Error("incorrect uaa info")
+		}
+	})
+}
+
+func TestGetXSUAAInfoWithAnnotation(t *testing.T) {
+	execTestsWithBLI(t, "Check that the right uaa info is returned for CA with annotation present", []string{"ERP4SMEPREPWORKAPPPLAT-3773"}, func(t *testing.T) {
+		// CA without "sme.sap.com/primary-xsuaa" annotation
+		ca := v1alpha1.CAPApplication{
+			ObjectMeta: v1.ObjectMeta{
+				Annotations: map[string]string{
+					AnnotationPrimaryXSUAA: "test-xsuaa2",
+				},
+			},
+		}
+
+		res := GetXSUAAInfo(serviceInfos, &ca)
+
+		if res.Name != "test-xsuaa2" {
+			t.Error("incorrect uaa info")
+		}
+	})
+}
diff --git a/internal/util/vcap-credentials.go b/internal/util/vcap-credentials.go
new file mode 100644
index 0000000..92b9b4a
--- /dev/null
+++ b/internal/util/vcap-credentials.go
@@ -0,0 +1,153 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package util
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+// See Kubernetes-Service-Bindings/doc
+type SecretMetadata struct {
+	MetadataProperties   []MetadataPropertyDescriptor `json:"metaDataProperties"`
+	CredentialProperties []MetadataPropertyDescriptor `json:"credentialProperties"`
+}
+
+type MetadataPropertyDescriptor struct {
+	Name       string         `json:"name"`
+	SourceName string         `json:"sourceName"`
+	Format     PropertyFormat `json:"format"`
+	Container  bool           `json:"container"`
+}
+
+func (d MetadataPropertyDescriptor) getKey() (key string) {
+	key = d.SourceName
+	if key == "" {
+		key = d.Name
+	}
+	return
+}
+
+func (d MetadataPropertyDescriptor) move(source map[string][]byte, target map[string]any) (map[string]any, error) {
+	key := d.getKey()
+	switch d.Format {
+	case PropertyFormatText:
+		target[d.Name] = string(source[key]) // when property is a container, it cannot have text format
+	case PropertyFormatJSON:
+		var (
+			v   *any
+			err error
+		)
+		if v, err = ParseJSON[any](source[key]); err != nil {
+			return nil, err
+		}
+		if d.Container {
+			return (*v).(map[string]any), nil
+		}
+		target[d.Name] = v
+	}
+	return target, nil
+}
+
+type PropertyFormat string
+
+const (
+	PropertyFormatText PropertyFormat = "text"
+	PropertyFormatJSON PropertyFormat = "json"
+)
+
+func ReadServiceCredentialsFromSecret[T any](serviceInfo *v1alpha1.ServiceInfo, ns string, kubeClient kubernetes.Interface) (*T, error) {
+	entry, err := CreateVCAPEntryFromSecret(serviceInfo, ns, kubeClient)
+	if err != nil {
+		return nil, err
+	}
+	b, err := json.Marshal(entry["credentials"])
+	if err != nil {
+		return nil, fmt.Errorf("could not serialize credentials for service %s: %s", serviceInfo.Name, err)
+	}
+	return ParseJSON[T](b)
+}
+
+func CreateVCAPEntryFromSecret(serviceInfo *v1alpha1.ServiceInfo, ns string, kubeClient kubernetes.Interface) (entry map[string]any, err error) {
+	// Get secret
+	secret, err := kubeClient.CoreV1().Secrets(ns).Get(context.TODO(), serviceInfo.Secret, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	return createVCAPEntry(secret.Data, serviceInfo)
+}
+
+func createVCAPEntry(data map[string][]byte, si *v1alpha1.ServiceInfo) (entry map[string]any, err error) {
+	if metaBytes, ok := data[".metadata"]; ok { // metadata available from new service binding specification
+		var meta SecretMetadata
+		if err = json.Unmarshal(metaBytes, &meta); err != nil {
+			return nil, errorCredentialParse("metadata", si.Secret, err)
+		}
+		return createVCAPEntryWithMetadata(data, &meta, si)
+	} else { // fallback to reading secret-key "credentials"
+		credBytes, ok := data["credentials"]
+		if !ok {
+			return nil, fmt.Errorf("could not find credentials for secret %s", si.Secret)
+		}
+		// Parse JSON value for the given service secret
+		cred, err := ParseJSON[map[string]any](credBytes)
+		if err != nil {
+			return nil, errorCredentialParse("credentials", si.Secret, err)
+		}
+		entry = map[string]any{
+			"credentials":   cred,
+			"label":         si.Class,
+			"name":          si.Name,
+			"instance_name": si.Name,
+			"tags":          []string{si.Class}, // app-router looks for xsuaa in tags alone! So add class as a tag!
+		}
+	}
+	return
+}
+
+func createVCAPEntryWithMetadata(data map[string][]byte, meta *SecretMetadata, si *v1alpha1.ServiceInfo) (entry map[string]any, err error) {
+	entry = map[string]any{"credentials": map[string]any{}}
+	for i := range meta.MetadataProperties {
+		if entry, err = meta.MetadataProperties[i].move(data, entry); err != nil {
+			return nil, errorCredentialParse("metadata", si.Secret, err)
+		}
+	}
+	for i := range meta.CredentialProperties {
+		if entry["credentials"], err = meta.CredentialProperties[i].move(data, entry["credentials"].(map[string]any)); err != nil {
+			return nil, errorCredentialParse("credentials", si.Secret, err)
+		}
+		if meta.CredentialProperties[i].Container {
+			break
+		}
+	}
+	if _, ok := entry["label"]; !ok {
+		entry["label"] = si.Class // ensure label is provided
+	}
+	// ensure name is set
+	if instanceName, ok := entry["instance_name"]; ok {
+		entry["name"] = instanceName // conform to VCAP_SERVICES specification (https://docs.cloudfoundry.org/devguide/deploy-apps/environment-variable.html#VCAP-SERVICES)
+	} else {
+		entry["name"] = si.Name // source from service info as a fallback
+	}
+	return
+}
+
+func errorCredentialParse(key string, secret string, err error) error {
+	return fmt.Errorf("could not parse %s from secret %s: %w", key, secret, err)
+}
+
+func ParseJSON[T any](b []byte) (*T, error) {
+	var v T
+	if err := json.Unmarshal(b, &v); err != nil {
+		return nil, err // ensure nil pointer is returned in case of error
+	}
+	return &v, nil
+}
diff --git a/internal/util/vcap-credentials_test.go b/internal/util/vcap-credentials_test.go
new file mode 100644
index 0000000..bdee273
--- /dev/null
+++ b/internal/util/vcap-credentials_test.go
@@ -0,0 +1,215 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package util
+
+import (
+	"reflect"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8sruntime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/kubernetes/fake"
+)
+
+func createTestClient() (*fake.Clientset, error) {
+	secs := []k8sruntime.Object{
+		&corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{Name: "no-meta-credential-key", Namespace: "default"},
+			Data: map[string][]byte{
+				"credentials": []byte(`{
+						"user": "a-user",
+						"password": "some-pass"
+					}`),
+			},
+		},
+		&corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{Name: "metadata-with-credential-key", Namespace: "default"},
+			Data: map[string][]byte{
+				".metadata": []byte(`{
+					"metadataProperties": [
+						{"name": "instance_name", "sourceName": "service_instance", "format": "text"},
+						{"name": "plan", "format": "text"},
+						{"name": "type", "format": "text"}
+					],
+					"credentialProperties": [
+						{"name": "credentials", "sourceName": "secret-data", "format": "json", "container": true}
+					]
+				}`),
+				"secret-data": []byte(`{
+					"user": "a-user",
+					"password": "some-pass"
+				}`),
+				"service_instance": []byte(`service-a`),
+				"plan":             []byte(`default`),
+				"type":             []byte(`xyz`),
+			},
+		},
+		&corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{Name: "malformed-metadata", Namespace: "default"},
+			Data: map[string][]byte{
+				".metadata": []byte(`{
+					"metadataProperties": [
+						{"name": "instance_name", "sourceName": "service_instance", "format": "text"},
+						{"name": "plan", "format": "text"},
+						{"name": "type", "format": "text"}
+					],
+					"MALFORMED": [[[ //
+						{"name": "credentials", "sourceName": "secret-data", "format": "json", "container": true}
+					]
+				}`),
+				"secret-data": []byte(`{
+					"user": "a-user",
+					"password": "some-pass"
+				}`),
+				"service_instance": []byte(`service-a`),
+				"plan":             []byte(`default`),
+				"type":             []byte(`xyz`),
+			},
+		},
+		&corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{Name: "metadata-with-credential-properties", Namespace: "default"},
+			Data: map[string][]byte{
+				".metadata": []byte(`{
+					"metadataProperties": [
+						{"name": "instance_name", "sourceName": "service_instance", "format": "text"},
+						{"name": "plan", "format": "text"},
+						{"name": "type", "format": "text"},
+						{"name": "tags", "format": "json"}
+					],
+					"credentialProperties": [
+						{"name": "api-keys", "sourceName": "keys", "format": "json"},
+						{"name": "host", "format": "text"}
+					]
+				}`),
+				"secret-data": []byte(`{
+					"user": "a-user",
+					"password": "some-pass"
+				}`),
+				"service_instance": []byte(`service-a`),
+				"plan":             []byte(`default`),
+				"type":             []byte(`xyz`),
+				"host":             []byte(`abc.url.local`),
+				"keys":             []byte(`["one", "two"]`),
+				"tags":             []byte(`["xyz", "lmnop"]`),
+			},
+		},
+	}
+	return fake.NewSimpleClientset(secs...), nil
+}
+
+func testCreateVCAPEntryFromSecret(t *testing.T) {
+	type testCase struct {
+		name                 string
+		serviceInfo          *v1alpha1.ServiceInfo
+		namespace            string
+		expectError          bool
+		errorMsg             string
+		expectedLabel        string
+		expectedInstanceName string
+		expectTags           bool
+	}
+	cases := []testCase{
+		{
+			name:                 "valid credential secret without metadata",
+			namespace:            "default",
+			serviceInfo:          &v1alpha1.ServiceInfo{Name: "service-a", Secret: "no-meta-credential-key", Class: "xzy"},
+			expectedInstanceName: "service-a",
+			expectedLabel:        "xyz",
+		},
+		{
+			name:        "secret not found",
+			namespace:   "another",
+			serviceInfo: &v1alpha1.ServiceInfo{Name: "service-a", Secret: "no-meta-credential-key", Class: "xzy"},
+			expectError: true,
+			errorMsg:    "secrets \"no-meta-credential-key\" not found",
+		},
+		{
+			name:                 "valid credentials (container) with metadata",
+			namespace:            "default",
+			serviceInfo:          &v1alpha1.ServiceInfo{Name: "service-a", Secret: "metadata-with-credential-key", Class: "xzy"},
+			expectedInstanceName: "service-a",
+			expectedLabel:        "xyz",
+		},
+		{
+			name:        "malformed metadata",
+			namespace:   "default",
+			serviceInfo: &v1alpha1.ServiceInfo{Name: "service-a", Secret: "malformed-metadata", Class: "xzy"},
+			expectError: true,
+			errorMsg:    "could not parse metadata from secret malformed-metadata: invalid character '/' looking for beginning of value",
+		},
+		{
+			name:                 "valid credentials (multiple properties) with metadata",
+			namespace:            "default",
+			serviceInfo:          &v1alpha1.ServiceInfo{Name: "service-a", Secret: "metadata-with-credential-properties", Class: "xzy"},
+			expectedInstanceName: "service-a",
+			expectedLabel:        "xyz",
+			expectTags:           true,
+		},
+	}
+	c, _ := createTestClient()
+	for i := range cases {
+		t.Run(cases[i].name, func(t *testing.T) {
+			config := &cases[i]
+			entry, err := CreateVCAPEntryFromSecret(config.serviceInfo, config.namespace, c)
+			if err != nil {
+				if !config.expectError {
+					t.Errorf("unexpected error in test case: %s", config.name)
+				}
+				if config.errorMsg != "" && err.Error() != config.errorMsg {
+					t.Errorf("error differs from expected for test case: %s", config.name)
+				}
+				return
+			} else {
+				if config.expectError {
+					t.Errorf("expected error in test case: %s", config.name)
+				}
+			}
+			if config.expectedInstanceName != "" && config.expectedInstanceName != entry["instance_name"].(string) {
+				t.Errorf("instance name differs from expected for test case: %s", config.name)
+			}
+			if tags, ok := entry["tags"]; config.expectTags && (!ok || tags == nil) {
+				t.Errorf("expected tags for test case: %s", config.name)
+			}
+		})
+	}
+}
+
+func testReadServiceCredentialsFromSecret(t *testing.T) {
+	c, _ := createTestClient()
+
+	// test successful read
+	secretName := "metadata-with-credential-key"
+	credentials, err := ReadServiceCredentialsFromSecret[map[string]string](&v1alpha1.ServiceInfo{Name: "service-a", Class: "xyz", Secret: secretName}, "default", c)
+	if err != nil {
+		t.Errorf("could not read credentials from secret %s", secretName)
+	}
+	if (*credentials)["user"] != "a-user" || (*credentials)["password"] != "some-pass" {
+		t.Errorf("credential attributes from secret %s not as expected", secretName)
+	}
+
+	// test with type mismatch
+	_, err = ReadServiceCredentialsFromSecret[[]string](&v1alpha1.ServiceInfo{Name: "service-a", Class: "xyz", Secret: secretName}, "default", c)
+	if err == nil {
+		t.Errorf("expected error when reading credentials as array from secret %s", secretName)
+	}
+}
+
+func TestVCAPCredentials(t *testing.T) {
+	catalog := &[]struct {
+		test         func(t *testing.T)
+		backlogItems []string
+	}{
+		{test: testCreateVCAPEntryFromSecret, backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2611"}},
+		{test: testReadServiceCredentialsFromSecret, backlogItems: []string{"ERP4SMEPREPWORKAPPPLAT-2611"}},
+	}
+	for _, tc := range *catalog {
+		nameParts := []string{runtime.FuncForPC(reflect.ValueOf(tc.test).Pointer()).Name()}
+		t.Run(strings.Join(append(nameParts, tc.backlogItems...), " "), tc.test)
+	}
+}
diff --git a/pkg/apis/sme.sap.com/v1alpha1/doc.go b/pkg/apis/sme.sap.com/v1alpha1/doc.go
new file mode 100644
index 0000000..3bd2a8b
--- /dev/null
+++ b/pkg/apis/sme.sap.com/v1alpha1/doc.go
@@ -0,0 +1,8 @@
+// +k8s:deepcopy-gen=package
+// +groupName=sme.sap.com
+
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package v1alpha1
diff --git a/pkg/apis/sme.sap.com/v1alpha1/register.go b/pkg/apis/sme.sap.com/v1alpha1/register.go
new file mode 100644
index 0000000..ac873b9
--- /dev/null
+++ b/pkg/apis/sme.sap.com/v1alpha1/register.go
@@ -0,0 +1,57 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package v1alpha1
+
+import (
+	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: Group, Version: Version}
+
+var (
+	// SchemeBuilder initializes a scheme builder
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	// AddToScheme is a global function that registers this API group & version to a scheme
+	AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+// Adds the list of known types to the given scheme
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(
+		SchemeGroupVersion,
+		&CAPApplication{},
+		&CAPApplicationList{},
+	)
+	scheme.AddKnownTypes(
+		SchemeGroupVersion,
+		&CAPApplicationVersion{},
+		&CAPApplicationVersionList{},
+	)
+	scheme.AddKnownTypes(
+		SchemeGroupVersion,
+		&CAPTenant{},
+		&CAPTenantList{},
+	)
+	scheme.AddKnownTypes(
+		SchemeGroupVersion,
+		&CAPTenantOperation{},
+		&CAPTenantOperationList{},
+	)
+	metaV1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/pkg/apis/sme.sap.com/v1alpha1/types.go b/pkg/apis/sme.sap.com/v1alpha1/types.go
new file mode 100644
index 0000000..ab6e3fd
--- /dev/null
+++ b/pkg/apis/sme.sap.com/v1alpha1/types.go
@@ -0,0 +1,475 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	Group                         = "sme.sap.com"
+	Version                       = "v1alpha1"
+	CAPApplicationKind            = "CAPApplication"
+	CAPApplicationResource        = "capapplications"
+	CAPApplicationVersionKind     = "CAPApplicationVersion"
+	CAPApplicationVersionResource = "capapplicationversions"
+	CAPTenantKind                 = "CAPTenant"
+	CAPTenantResource             = "captenants"
+	CAPTenantOperationKind        = "CAPTenantOperation"
+	CAPTenantOperationResource    = "captenantoperations"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CAPApplication is the schema for capapplications API
+type CAPApplication struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+	// CAPApplication spec
+	Spec CAPApplicationSpec `json:"spec"`
+	// CAPApplication status
+	Status CAPApplicationStatus `json:"status"`
+}
+
+type CAPApplicationStatus struct {
+	GenericStatus `json:",inline"`
+	// State of CAPApplication
+	State CAPApplicationState `json:"state"`
+	// Hash representing last known application domains
+	DomainSpecHash string `json:"domainSpecHash,omitempty"`
+	// The last time a full reconciliation was completed
+	LastFullReconciliationTime metav1.Time `json:"lastFullReconciliationTime,omitempty"`
+}
+
+type CAPApplicationState string
+
+const (
+	// CAPApplication is being reconciled
+	CAPApplicationStateProcessing CAPApplicationState = "Processing"
+	// An error occurred during reconciliation
+	CAPApplicationStateError CAPApplicationState = "Error"
+	// Deletion has been triggered
+	CAPApplicationStateDeleting CAPApplicationState = "Deleting"
+	// CAPApplication has been reconciled and is now consistent
+	CAPApplicationStateConsistent CAPApplicationState = "Consistent"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CAPApplicationList contains a list of CAPApplication
+type CAPApplicationList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []CAPApplication `json:"items"`
+}
+
+// CAPApplicationSpec defines the desired state of CAPApplication
+type CAPApplicationSpec struct {
+	// Domains used by the application
+	Domains ApplicationDomains `json:"domains"`
+	// SAP BTP Global Account Identifier where services are entitles for the current application
+	GlobalAccountId string `json:"globalAccountId"`
+	// Short name for the application (similar to BTP XSAPPNAME)
+	BTPAppName string `json:"btpAppName"`
+	// Provider subaccount where application services are created
+	Provider BTPTenantIdentification `json:"provider"`
+	// SAP BTP Services consumed by the application
+	BTP BTP `json:"btp"`
+}
+
+// Application domains
+type ApplicationDomains struct {
+	// Primary application domain will be used to generate a wildcard TLS certificate. In SAP Gardener managed clusters this is (usually) a subdomain of the cluster domain
+	Primary string `json:"primary"`
+	// Customer specific domains to serve application endpoints (optional)
+	Secondary []string `json:"secondary,omitempty"`
+	// Public ingress URL for the cluster Load Balancer
+	DnsTarget string `json:"dnsTarget,omitempty"`
+	// Labels used to identify the istio ingress-gateway component and its corresponding namespace. Usually {"app":"istio-ingressgateway","istio":"ingressgateway"}
+	IstioIngressGatewayLabels []NameValue `json:"istioIngressGatewayLabels"`
+}
+
+// Generic Name/Value configuration
+type NameValue struct {
+	Name  string `json:"name"`
+	Value string `json:"value"`
+}
+
+// Identifies an SAP BTP subaccount (tenant)
+type BTPTenantIdentification struct {
+	// BTP subaccount subdomain
+	SubDomain string `json:"subDomain"`
+	// BTP subaccount Tenant ID
+	TenantId string `json:"tenantId"`
+}
+
+type BTP struct {
+	// Details of BTP Services
+	Services []ServiceInfo `json:"services"`
+}
+
+// Service information
+type ServiceInfo struct {
+	// Name of service instance
+	Name string `json:"name"`
+	// Secret containing service access credentials
+	Secret string `json:"secret"`
+	// Type of service
+	Class string `json:"class"`
+	// TODO: enhance this with params and other options --> Needed if/when we want to create the services via BTP/CF Operator
+}
+
+// Custom resource status
+type GenericStatus struct {
+	// Observed generation of the resource where this status was identified
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+	// State expressed as conditions
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+}
+
+type CAPApplicationStatusConditionType string
+
+const (
+	ConditionTypeAllTenantsReady    CAPApplicationStatusConditionType = "AllTenantsReady"
+	ConditionTypeLatestVersionReady CAPApplicationStatusConditionType = "LatestVersionReady"
+)
+
+type StatusConditionType string
+
+const (
+	ConditionTypeReady StatusConditionType = "Ready"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CAPApplicationVersion defines the schema for capapplicationversions API
+type CAPApplicationVersion struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+	// CAPApplicationVersion spec
+	Spec CAPApplicationVersionSpec `json:"spec"`
+	// CAPApplicationVersion status
+	Status CAPApplicationVersionStatus `json:"status"`
+}
+
+type CAPApplicationVersionStatus struct {
+	GenericStatus `json:",inline"`
+	// State of CAPApplicationVersion
+	State CAPApplicationVersionState `json:"state"`
+	// List of finished Content Jobs
+	FinishedJobs []string `json:"finishedJobs,omitempty"`
+}
+
+type CAPApplicationVersionState string
+
+const (
+	// CAPApplicationVersion is being processed
+	CAPApplicationVersionStateProcessing CAPApplicationVersionState = "Processing"
+	// An error occurred during reconciliation
+	CAPApplicationVersionStateError CAPApplicationVersionState = "Error"
+	// Deletion has been triggered
+	CAPApplicationVersionStateDeleting CAPApplicationVersionState = "Deleting"
+	// CAPApplicationVersion is now ready for use (dependent resources have been created)
+	CAPApplicationVersionStateReady CAPApplicationVersionState = "Ready"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CAPApplicationVersionList contains a list of CAPApplicationVersion
+type CAPApplicationVersionList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []CAPApplicationVersion `json:"items"`
+}
+
+// CAPApplicationVersionSpec specifies the desired state of CAPApplicationVersion
+type CAPApplicationVersionSpec struct {
+	// Denotes to which CAPApplication the current version belongs
+	CAPApplicationInstance string `json:"capApplicationInstance"`
+	// Semantic version
+	Version string `json:"version"`
+	// Registry secrets used to pull images of the application components
+	RegistrySecrets []string `json:"registrySecrets"`
+	// Information about the Workloads
+	Workloads []WorkloadDetails `json:"workloads"`
+	// Tenant Operations may be used to specify how jobs are sequenced for the different tenant operations
+	TenantOperations *TenantOperations `json:"tenantOperations,omitempty"`
+}
+
+// WorkloadDetails specifies the details of the Workload
+type WorkloadDetails struct {
+	// Name of the workload
+	Name string `json:"name"`
+	// List of BTP services consumed by the current application component workload. These services must be defined in the corresponding CAPApplication.
+	ConsumedBTPServices []string `json:"consumedBTPServices"`
+	// Custom labels for the current workload
+	Labels map[string]string `json:"labels"`
+	// Annotations for the current workload, in case of `Deployments` this also get copied over to any `Service` that may be created
+	Annotations map[string]string `json:"annotations"`
+	// Definition of a deployment
+	DeploymentDefinition *DeploymentDetails `json:"deploymentDefinition,omitempty"`
+	// Definition of a job
+	JobDefinition *JobDetails `json:"jobDefinition,omitempty"`
+}
+
+// DeploymentDetails specifies the details of the Deployment
+type DeploymentDetails struct {
+	ContainerDetails `json:",inline"`
+	// Type of the Deployment
+	Type DeploymentType `json:"type"`
+	// Number of replicas
+	Replicas *int32 `json:"replicas,omitempty"`
+	// Port configuration
+	Ports []Ports `json:"ports,omitempty"`
+	// Liveness probe
+	LivenessProbe *corev1.Probe `json:"livenessProbe,omitempty"`
+	//  Readiness probe
+	ReadinessProbe *corev1.Probe `json:"readinessProbe,omitempty"`
+}
+
+// Type of deployment
+type DeploymentType string
+
+const (
+	// CAP backend server deployment type
+	DeploymentCAP DeploymentType = "CAP"
+	// Application router deployment type
+	DeploymentRouter DeploymentType = "Router"
+	// Additional deployment type
+	DeploymentAdditional DeploymentType = "Additional"
+)
+
+// JobDetails specifies the details of the Job
+type JobDetails struct {
+	ContainerDetails `json:",inline"`
+	// Type of Job
+	Type JobType `json:"type"`
+	// Specifies the number of retries before marking this job failed.
+	BackoffLimit *int32 `json:"backoffLimit,omitempty"`
+	// Specifies the time after which the job may be cleaned up.
+	TTLSecondsAfterFinished *int32 `json:"ttlSecondsAfterFinished,omitempty"`
+}
+
+// Type of Job
+type JobType string
+
+const (
+	// job for deploying content or configuration to (BTP) services
+	JobContent JobType = "Content"
+	// job for tenant operation e.g. deploying relevant data to a tenant
+	JobTenantOperation JobType = "TenantOperation"
+	// job for custom tenant operation e.g. pre/post hooks for a tenant operation
+	JobCustomTenantOperation JobType = "CustomTenantOperation"
+)
+
+// ContainerDetails specifies the details of the Container
+type ContainerDetails struct {
+	// Image info for the container
+	Image string `json:"image"`
+	// Pull policy for the container image
+	ImagePullPolicy corev1.PullPolicy `json:"imagePullPolicy,omitempty"`
+	// Entrypoint array for the container
+	Command []string `json:"command,omitempty"`
+	// Environment Config for the Container
+	Env []corev1.EnvVar `json:"env,omitempty"`
+	// Resources
+	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
+	// SecurityContext for the Container
+	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
+	// SecurityContext for the Pod
+	PodSecurityContext *corev1.PodSecurityContext `json:"podSecurityContext,omitempty"`
+}
+
+// Configuration of Service Ports for the deployment
+type Ports struct {
+	// App protocol used by the service port
+	AppProtocol *string `json:"appProtocol,omitempty"`
+	// Name of the service port
+	Name string `json:"name"`
+	// Network Policy of the service port
+	NetworkPolicy PortNetworkPolicyType `json:"networkPolicy,omitempty"`
+	// The port number used for container and the corresponding service (if any)
+	Port int32 `json:"port"`
+	// Destination name which may be used by the Router deployment to reach this backend service
+	RouterDestinationName string `json:"routerDestinationName,omitempty"`
+}
+
+// Type of NetworkPolicy for the port
+type PortNetworkPolicyType string
+
+const (
+	// Expose the port for the current application versions pod(s) scope
+	PortNetworkPolicyTypeApplication PortNetworkPolicyType = "Application"
+	// Expose the port for any pod(s) in the overall cluster scope
+	PortNetworkPolicyTypeCluster PortNetworkPolicyType = "Cluster"
+)
+
+// Configuration used to sequence tenant related jobs for a given tenant operation
+type TenantOperations struct {
+	// Tenant provisioning steps
+	Provisioning []TenantOperationWorkloadReference `json:"provisioning,omitempty"`
+	// Tenant upgrade steps
+	Upgrade []TenantOperationWorkloadReference `json:"upgrade,omitempty"`
+	// Tenant deprovisioning steps
+	Deprovisioning []TenantOperationWorkloadReference `json:"deprovisioning,omitempty"`
+}
+
+type TenantOperationWorkloadReference struct {
+	// Reference to a specified workload of type 'TenantOperation' or 'CustomTenantOperation'
+	WorkloadName string `json:"workloadName"`
+	// Indicates whether to proceed with remaining operation steps in case of failure. Relevant only for 'CustomTenantOperation'
+	ContinueOnFailure bool `json:"continueOnFailure,omitempty"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CAPTenant defines the schema for captenants API
+type CAPTenant struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+	// CAPTenant spec
+	Spec CAPTenantSpec `json:"spec"`
+	// CAPTenant status
+	Status CAPTenantStatus `json:"status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CAPTenantList contains a list of CAPTenant
+type CAPTenantList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []CAPTenant `json:"items"`
+}
+
+type CAPTenantStatus struct {
+	GenericStatus `json:",inline"`
+	// State of CAPTenant
+	State CAPTenantState `json:"state"`
+	// Specifies the current version of the tenant after provisioning or upgrade
+	CurrentCAPApplicationVersionInstance string `json:"currentCAPApplicationVersionInstance,omitempty"`
+	// Previous versions of the tenant (first to last)
+	PreviousCAPApplicationVersions []string `json:"previousCAPApplicationVersions,omitempty"`
+	// The last time a full reconciliation was completed
+	LastFullReconciliationTime metav1.Time `json:"lastFullReconciliationTime,omitempty"`
+}
+
+type CAPTenantState string
+
+const (
+	// Tenant is being provisioned
+	CAPTenantStateProvisioning CAPTenantState = "Provisioning"
+	// Tenant provisioning ended in error
+	CAPTenantStateProvisioningError CAPTenantState = "ProvisioningError"
+	// Tenant is being upgraded
+	CAPTenantStateUpgrading CAPTenantState = "Upgrading"
+	// Tenant upgrade failed
+	CAPTenantStateUpgradeError CAPTenantState = "UpgradeError"
+	// Deletion has been triggered
+	CAPTenantStateDeleting CAPTenantState = "Deleting"
+	// Tenant has been provisioned/upgraded and is now ready for use
+	CAPTenantStateReady CAPTenantState = "Ready"
+)
+
+// CAPTenantSpec defines the desired state of the CAPTenant
+type CAPTenantSpec struct {
+	// Denotes to which CAPApplication the current tenant belongs
+	CAPApplicationInstance string `json:"capApplicationInstance"`
+	// Details of consumer sub-account subscribing to the application
+	BTPTenantIdentification `json:",inline"`
+	// Semver that is used to determine the relevant CAPApplicationVersion that a CAPTenant can be upgraded to (i.e. if it is not already on that version)
+	Version string `json:"version,omitempty"`
+	// Denotes whether a CAPTenant can be upgraded. One of ('always', 'never')
+	VersionUpgradeStrategy VersionUpgradeStrategyType `json:"versionUpgradeStrategy,omitempty"`
+}
+
+type VersionUpgradeStrategyType string
+
+const (
+	// Always (default)
+	VersionUpgradeStrategyTypeAlways VersionUpgradeStrategyType = "always"
+	// Never
+	VersionUpgradeStrategyTypeNever VersionUpgradeStrategyType = "never"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CAPTenantOperation defines the schema for captenantoperations API
+type CAPTenantOperation struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+	// CAPTenantOperation spec
+	Spec CAPTenantOperationSpec `json:"spec"`
+	// CAPTenantOperation status
+	Status CAPTenantOperationStatus `json:"status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CAPTenantOperationList contains a list of CAPTenantOperation
+type CAPTenantOperationList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []CAPTenantOperation `json:"items"`
+}
+
+type CAPTenantOperationSpec struct {
+	// Scope of the tenant lifecycle operation. One of 'provisioning', 'deprovisioning' or 'upgrade'
+	Operation CAPTenantOperationType `json:"operation"`
+	// BTP sub-account (tenant) for which request is created
+	BTPTenantIdentification `json:",inline"`
+	// Reference to CAPApplicationVersion for executing the operation
+	CAPApplicationVersionInstance string `json:"capApplicationVersionInstance"`
+	// Steps (jobs) to be executed for the operation to complete
+	Steps []CAPTenantOperationStep `json:"steps"`
+}
+
+type CAPTenantOperationStep struct {
+	// Name of the workload from the referenced CAPApplicationVersion
+	Name string `json:"name"`
+	// Type of job. One of 'TenantOperation' or 'CustomTenantOperation'
+	Type JobType `json:"type"`
+	// Indicates whether the operation can continue in case of step failure. Relevant only for type 'CustomTenantOperation'
+	ContinueOnFailure bool `json:"continueOnFailure,omitempty"`
+}
+
+type CAPTenantOperationStatus struct {
+	GenericStatus `json:",inline"`
+	// State of CAPTenantOperation
+	State CAPTenantOperationState `json:"state"`
+	// Current step being processed from the sequence of specified steps
+	CurrentStep *uint32 `json:"currentStep,omitempty"`
+	// Name of the job being executed for the current step
+	ActiveJob *string `json:"activeJob,omitempty"`
+}
+
+type CAPTenantOperationState string
+
+const (
+	// CAPTenantOperation is being processed
+	CAPTenantOperationStateProcessing CAPTenantOperationState = "Processing"
+	// CAPTenantOperation steps have failed
+	CAPTenantOperationStateFailed CAPTenantOperationState = "Failed"
+	// CAPTenantOperation steps completed
+	CAPTenantOperationStateCompleted CAPTenantOperationState = "Completed"
+	// CAPTenantOperation deletion has been triggered
+	CAPTenantOperationStateDeleting CAPTenantOperationState = "Deleting"
+)
+
+type CAPTenantOperationType string
+
+const (
+	// Provision tenant
+	CAPTenantOperationTypeProvisioning CAPTenantOperationType = "provisioning"
+	// Deprovision tenant
+	CAPTenantOperationTypeDeprovisioning CAPTenantOperationType = "deprovisioning"
+	// Upgrade tenant
+	CAPTenantOperationTypeUpgrade CAPTenantOperationType = "upgrade"
+)
diff --git a/pkg/apis/sme.sap.com/v1alpha1/utils.go b/pkg/apis/sme.sap.com/v1alpha1/utils.go
new file mode 100644
index 0000000..b4ad331
--- /dev/null
+++ b/pkg/apis/sme.sap.com/v1alpha1/utils.go
@@ -0,0 +1,93 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+package v1alpha1
+
+import (
+	"os"
+	"strconv"
+
+	"golang.org/x/exp/slices"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	readyType                      = string(ConditionTypeReady)
+	EnvMaxTenantVersionHistory     = "MAX_TENANT_VERSION_HISTORY"
+	defaultMaxTenantVersionHistory = 10
+	minTenantVersionHistory        = 3
+)
+
+func (ca *CAPApplication) SetStatusWithReadyCondition(state CAPApplicationState, readyStatus metav1.ConditionStatus, reason string, message string) {
+	ca.Status.State = state
+	ca.SetStatusCondition(readyType, readyStatus, reason, message)
+}
+
+func (ca *CAPApplication) SetStatusDomainSpecHash(hash string) {
+	ca.Status.DomainSpecHash = hash
+}
+
+// SetStatusCondition updates/sets the conditions in the Status of the resource.
+func (ca *CAPApplication) SetStatusCondition(conditionType string, readyStatus metav1.ConditionStatus, reason string, message string) {
+	ca.Status.SetStatusCondition(metav1.Condition{Type: conditionType, Status: readyStatus, Reason: reason, Message: message, ObservedGeneration: ca.Generation})
+}
+
+func (cav *CAPApplicationVersion) SetStatusWithReadyCondition(state CAPApplicationVersionState, readyStatus metav1.ConditionStatus, reason string, message string) {
+	cav.Status.State = state
+	cav.Status.SetStatusCondition(metav1.Condition{Type: readyType, Status: readyStatus, Reason: reason, Message: message, ObservedGeneration: cav.Generation})
+}
+
+func (cav *CAPApplicationVersion) SetStatusFinishedJobs(finishedJob string) {
+	if !cav.CheckFinishedJobs(finishedJob) {
+		cav.Status.FinishedJobs = append(cav.Status.FinishedJobs, finishedJob)
+	}
+}
+
+func (cav *CAPApplicationVersion) CheckFinishedJobs(finishedJob string) bool {
+	return slices.ContainsFunc(cav.Status.FinishedJobs, func(job string) bool {
+		return job == finishedJob
+	})
+}
+
+func (cat *CAPTenant) SetStatusWithReadyCondition(state CAPTenantState, readyStatus metav1.ConditionStatus, reason string, message string) {
+	cat.Status.State = state
+	cat.Status.SetStatusCondition(metav1.Condition{Type: readyType, Status: readyStatus, Reason: reason, Message: message, ObservedGeneration: cat.Generation})
+}
+
+func (cat *CAPTenant) SetStatusCAPApplicationVersion(cavName string) {
+	if cat.Status.CurrentCAPApplicationVersionInstance != "" {
+		if cat.Status.PreviousCAPApplicationVersions == nil {
+			cat.Status.PreviousCAPApplicationVersions = []string{}
+		}
+		cat.Status.PreviousCAPApplicationVersions = append(cat.Status.PreviousCAPApplicationVersions, cat.Status.CurrentCAPApplicationVersionInstance)
+		if len(cat.Status.PreviousCAPApplicationVersions) > minTenantVersionHistory { // clean up history only if it exceeds minimum
+			max := defaultMaxTenantVersionHistory
+			if sval, ok := os.LookupEnv(EnvMaxTenantVersionHistory); ok {
+				if i, err := strconv.ParseInt(sval, 10, 0); err == nil {
+					max = int(i)
+				}
+			}
+			if len(cat.Status.PreviousCAPApplicationVersions) > max {
+				cat.Status.PreviousCAPApplicationVersions = cat.Status.PreviousCAPApplicationVersions[1:] // remove one entry
+			}
+		}
+	}
+	cat.Status.CurrentCAPApplicationVersionInstance = cavName
+}
+
+func (ctop *CAPTenantOperation) SetStatusWithReadyCondition(state CAPTenantOperationState, readyStatus metav1.ConditionStatus, reason string, message string) {
+	ctop.Status.State = state
+	ctop.Status.SetStatusCondition(metav1.Condition{Type: readyType, Status: readyStatus, Reason: reason, Message: message, ObservedGeneration: ctop.Generation})
+}
+
+func (ctop *CAPTenantOperation) SetStatusCurrentStep(step *uint32, job *string) {
+	ctop.Status.CurrentStep = step
+	ctop.Status.ActiveJob = job
+}
+
+func (status *GenericStatus) SetStatusCondition(condition metav1.Condition) {
+	status.ObservedGeneration = condition.ObservedGeneration
+	meta.SetStatusCondition(&status.Conditions, condition)
+}
diff --git a/pkg/apis/sme.sap.com/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/sme.sap.com/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 0000000..aee5d8b
--- /dev/null
+++ b/pkg/apis/sme.sap.com/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,793 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationDomains) DeepCopyInto(out *ApplicationDomains) {
+	*out = *in
+	if in.Secondary != nil {
+		in, out := &in.Secondary, &out.Secondary
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.IstioIngressGatewayLabels != nil {
+		in, out := &in.IstioIngressGatewayLabels, &out.IstioIngressGatewayLabels
+		*out = make([]NameValue, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationDomains.
+func (in *ApplicationDomains) DeepCopy() *ApplicationDomains {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationDomains)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BTP) DeepCopyInto(out *BTP) {
+	*out = *in
+	if in.Services != nil {
+		in, out := &in.Services, &out.Services
+		*out = make([]ServiceInfo, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BTP.
+func (in *BTP) DeepCopy() *BTP {
+	if in == nil {
+		return nil
+	}
+	out := new(BTP)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BTPTenantIdentification) DeepCopyInto(out *BTPTenantIdentification) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BTPTenantIdentification.
+func (in *BTPTenantIdentification) DeepCopy() *BTPTenantIdentification {
+	if in == nil {
+		return nil
+	}
+	out := new(BTPTenantIdentification)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPApplication) DeepCopyInto(out *CAPApplication) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPApplication.
+func (in *CAPApplication) DeepCopy() *CAPApplication {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPApplication)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CAPApplication) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPApplicationList) DeepCopyInto(out *CAPApplicationList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CAPApplication, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPApplicationList.
+func (in *CAPApplicationList) DeepCopy() *CAPApplicationList {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPApplicationList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CAPApplicationList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPApplicationSpec) DeepCopyInto(out *CAPApplicationSpec) {
+	*out = *in
+	in.Domains.DeepCopyInto(&out.Domains)
+	out.Provider = in.Provider
+	in.BTP.DeepCopyInto(&out.BTP)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPApplicationSpec.
+func (in *CAPApplicationSpec) DeepCopy() *CAPApplicationSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPApplicationSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPApplicationStatus) DeepCopyInto(out *CAPApplicationStatus) {
+	*out = *in
+	in.GenericStatus.DeepCopyInto(&out.GenericStatus)
+	in.LastFullReconciliationTime.DeepCopyInto(&out.LastFullReconciliationTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPApplicationStatus.
+func (in *CAPApplicationStatus) DeepCopy() *CAPApplicationStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPApplicationStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPApplicationVersion) DeepCopyInto(out *CAPApplicationVersion) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPApplicationVersion.
+func (in *CAPApplicationVersion) DeepCopy() *CAPApplicationVersion {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPApplicationVersion)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CAPApplicationVersion) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPApplicationVersionList) DeepCopyInto(out *CAPApplicationVersionList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CAPApplicationVersion, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPApplicationVersionList.
+func (in *CAPApplicationVersionList) DeepCopy() *CAPApplicationVersionList {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPApplicationVersionList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CAPApplicationVersionList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPApplicationVersionSpec) DeepCopyInto(out *CAPApplicationVersionSpec) {
+	*out = *in
+	if in.RegistrySecrets != nil {
+		in, out := &in.RegistrySecrets, &out.RegistrySecrets
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Workloads != nil {
+		in, out := &in.Workloads, &out.Workloads
+		*out = make([]WorkloadDetails, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TenantOperations != nil {
+		in, out := &in.TenantOperations, &out.TenantOperations
+		*out = new(TenantOperations)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPApplicationVersionSpec.
+func (in *CAPApplicationVersionSpec) DeepCopy() *CAPApplicationVersionSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPApplicationVersionSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPApplicationVersionStatus) DeepCopyInto(out *CAPApplicationVersionStatus) {
+	*out = *in
+	in.GenericStatus.DeepCopyInto(&out.GenericStatus)
+	if in.FinishedJobs != nil {
+		in, out := &in.FinishedJobs, &out.FinishedJobs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPApplicationVersionStatus.
+func (in *CAPApplicationVersionStatus) DeepCopy() *CAPApplicationVersionStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPApplicationVersionStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPTenant) DeepCopyInto(out *CAPTenant) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPTenant.
+func (in *CAPTenant) DeepCopy() *CAPTenant {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPTenant)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CAPTenant) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPTenantList) DeepCopyInto(out *CAPTenantList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CAPTenant, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPTenantList.
+func (in *CAPTenantList) DeepCopy() *CAPTenantList {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPTenantList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CAPTenantList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPTenantOperation) DeepCopyInto(out *CAPTenantOperation) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPTenantOperation.
+func (in *CAPTenantOperation) DeepCopy() *CAPTenantOperation {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPTenantOperation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CAPTenantOperation) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPTenantOperationList) DeepCopyInto(out *CAPTenantOperationList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CAPTenantOperation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPTenantOperationList.
+func (in *CAPTenantOperationList) DeepCopy() *CAPTenantOperationList {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPTenantOperationList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CAPTenantOperationList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPTenantOperationSpec) DeepCopyInto(out *CAPTenantOperationSpec) {
+	*out = *in
+	out.BTPTenantIdentification = in.BTPTenantIdentification
+	if in.Steps != nil {
+		in, out := &in.Steps, &out.Steps
+		*out = make([]CAPTenantOperationStep, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPTenantOperationSpec.
+func (in *CAPTenantOperationSpec) DeepCopy() *CAPTenantOperationSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPTenantOperationSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPTenantOperationStatus) DeepCopyInto(out *CAPTenantOperationStatus) {
+	*out = *in
+	in.GenericStatus.DeepCopyInto(&out.GenericStatus)
+	if in.CurrentStep != nil {
+		in, out := &in.CurrentStep, &out.CurrentStep
+		*out = new(uint32)
+		**out = **in
+	}
+	if in.ActiveJob != nil {
+		in, out := &in.ActiveJob, &out.ActiveJob
+		*out = new(string)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPTenantOperationStatus.
+func (in *CAPTenantOperationStatus) DeepCopy() *CAPTenantOperationStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPTenantOperationStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPTenantOperationStep) DeepCopyInto(out *CAPTenantOperationStep) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPTenantOperationStep.
+func (in *CAPTenantOperationStep) DeepCopy() *CAPTenantOperationStep {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPTenantOperationStep)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPTenantSpec) DeepCopyInto(out *CAPTenantSpec) {
+	*out = *in
+	out.BTPTenantIdentification = in.BTPTenantIdentification
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPTenantSpec.
+func (in *CAPTenantSpec) DeepCopy() *CAPTenantSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPTenantSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAPTenantStatus) DeepCopyInto(out *CAPTenantStatus) {
+	*out = *in
+	in.GenericStatus.DeepCopyInto(&out.GenericStatus)
+	if in.PreviousCAPApplicationVersions != nil {
+		in, out := &in.PreviousCAPApplicationVersions, &out.PreviousCAPApplicationVersions
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	in.LastFullReconciliationTime.DeepCopyInto(&out.LastFullReconciliationTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAPTenantStatus.
+func (in *CAPTenantStatus) DeepCopy() *CAPTenantStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CAPTenantStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ContainerDetails) DeepCopyInto(out *ContainerDetails) {
+	*out = *in
+	if in.Command != nil {
+		in, out := &in.Command, &out.Command
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Env != nil {
+		in, out := &in.Env, &out.Env
+		*out = make([]v1.EnvVar, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.Resources.DeepCopyInto(&out.Resources)
+	if in.SecurityContext != nil {
+		in, out := &in.SecurityContext, &out.SecurityContext
+		*out = new(v1.SecurityContext)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.PodSecurityContext != nil {
+		in, out := &in.PodSecurityContext, &out.PodSecurityContext
+		*out = new(v1.PodSecurityContext)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerDetails.
+func (in *ContainerDetails) DeepCopy() *ContainerDetails {
+	if in == nil {
+		return nil
+	}
+	out := new(ContainerDetails)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentDetails) DeepCopyInto(out *DeploymentDetails) {
+	*out = *in
+	in.ContainerDetails.DeepCopyInto(&out.ContainerDetails)
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		*out = new(int32)
+		**out = **in
+	}
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]Ports, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LivenessProbe != nil {
+		in, out := &in.LivenessProbe, &out.LivenessProbe
+		*out = new(v1.Probe)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ReadinessProbe != nil {
+		in, out := &in.ReadinessProbe, &out.ReadinessProbe
+		*out = new(v1.Probe)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentDetails.
+func (in *DeploymentDetails) DeepCopy() *DeploymentDetails {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentDetails)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GenericStatus) DeepCopyInto(out *GenericStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenericStatus.
+func (in *GenericStatus) DeepCopy() *GenericStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(GenericStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobDetails) DeepCopyInto(out *JobDetails) {
+	*out = *in
+	in.ContainerDetails.DeepCopyInto(&out.ContainerDetails)
+	if in.BackoffLimit != nil {
+		in, out := &in.BackoffLimit, &out.BackoffLimit
+		*out = new(int32)
+		**out = **in
+	}
+	if in.TTLSecondsAfterFinished != nil {
+		in, out := &in.TTLSecondsAfterFinished, &out.TTLSecondsAfterFinished
+		*out = new(int32)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobDetails.
+func (in *JobDetails) DeepCopy() *JobDetails {
+	if in == nil {
+		return nil
+	}
+	out := new(JobDetails)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NameValue) DeepCopyInto(out *NameValue) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NameValue.
+func (in *NameValue) DeepCopy() *NameValue {
+	if in == nil {
+		return nil
+	}
+	out := new(NameValue)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Ports) DeepCopyInto(out *Ports) {
+	*out = *in
+	if in.AppProtocol != nil {
+		in, out := &in.AppProtocol, &out.AppProtocol
+		*out = new(string)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Ports.
+func (in *Ports) DeepCopy() *Ports {
+	if in == nil {
+		return nil
+	}
+	out := new(Ports)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceInfo) DeepCopyInto(out *ServiceInfo) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceInfo.
+func (in *ServiceInfo) DeepCopy() *ServiceInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantOperationWorkloadReference) DeepCopyInto(out *TenantOperationWorkloadReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantOperationWorkloadReference.
+func (in *TenantOperationWorkloadReference) DeepCopy() *TenantOperationWorkloadReference {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantOperationWorkloadReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TenantOperations) DeepCopyInto(out *TenantOperations) {
+	*out = *in
+	if in.Provisioning != nil {
+		in, out := &in.Provisioning, &out.Provisioning
+		*out = make([]TenantOperationWorkloadReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.Upgrade != nil {
+		in, out := &in.Upgrade, &out.Upgrade
+		*out = make([]TenantOperationWorkloadReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.Deprovisioning != nil {
+		in, out := &in.Deprovisioning, &out.Deprovisioning
+		*out = make([]TenantOperationWorkloadReference, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TenantOperations.
+func (in *TenantOperations) DeepCopy() *TenantOperations {
+	if in == nil {
+		return nil
+	}
+	out := new(TenantOperations)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadDetails) DeepCopyInto(out *WorkloadDetails) {
+	*out = *in
+	if in.ConsumedBTPServices != nil {
+		in, out := &in.ConsumedBTPServices, &out.ConsumedBTPServices
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.DeploymentDefinition != nil {
+		in, out := &in.DeploymentDefinition, &out.DeploymentDefinition
+		*out = new(DeploymentDetails)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.JobDefinition != nil {
+		in, out := &in.JobDefinition, &out.JobDefinition
+		*out = new(JobDetails)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadDetails.
+func (in *WorkloadDetails) DeepCopy() *WorkloadDetails {
+	if in == nil {
+		return nil
+	}
+	out := new(WorkloadDetails)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/pkg/client/applyconfiguration/internal/internal.go b/pkg/client/applyconfiguration/internal/internal.go
new file mode 100644
index 0000000..b2ce045
--- /dev/null
+++ b/pkg/client/applyconfiguration/internal/internal.go
@@ -0,0 +1,50 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package internal
+
+import (
+	"fmt"
+	"sync"
+
+	typed "sigs.k8s.io/structured-merge-diff/v4/typed"
+)
+
+func Parser() *typed.Parser {
+	parserOnce.Do(func() {
+		var err error
+		parser, err = typed.NewParser(schemaYAML)
+		if err != nil {
+			panic(fmt.Sprintf("Failed to parse schema: %v", err))
+		}
+	})
+	return parser
+}
+
+var parserOnce sync.Once
+var parser *typed.Parser
+var schemaYAML = typed.YAMLObject(`types:
+- name: __untyped_atomic_
+  scalar: untyped
+  list:
+    elementType:
+      namedType: __untyped_atomic_
+    elementRelationship: atomic
+  map:
+    elementType:
+      namedType: __untyped_atomic_
+    elementRelationship: atomic
+- name: __untyped_deduced_
+  scalar: untyped
+  list:
+    elementType:
+      namedType: __untyped_atomic_
+    elementRelationship: atomic
+  map:
+    elementType:
+      namedType: __untyped_deduced_
+    elementRelationship: separable
+`)
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/applicationdomains.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/applicationdomains.go
new file mode 100644
index 0000000..25d83b1
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/applicationdomains.go
@@ -0,0 +1,61 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// ApplicationDomainsApplyConfiguration represents an declarative configuration of the ApplicationDomains type for use
+// with apply.
+type ApplicationDomainsApplyConfiguration struct {
+	Primary                   *string                       `json:"primary,omitempty"`
+	Secondary                 []string                      `json:"secondary,omitempty"`
+	DnsTarget                 *string                       `json:"dnsTarget,omitempty"`
+	IstioIngressGatewayLabels []NameValueApplyConfiguration `json:"istioIngressGatewayLabels,omitempty"`
+}
+
+// ApplicationDomainsApplyConfiguration constructs an declarative configuration of the ApplicationDomains type for use with
+// apply.
+func ApplicationDomains() *ApplicationDomainsApplyConfiguration {
+	return &ApplicationDomainsApplyConfiguration{}
+}
+
+// WithPrimary sets the Primary field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Primary field is set to the value of the last call.
+func (b *ApplicationDomainsApplyConfiguration) WithPrimary(value string) *ApplicationDomainsApplyConfiguration {
+	b.Primary = &value
+	return b
+}
+
+// WithSecondary adds the given value to the Secondary field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Secondary field.
+func (b *ApplicationDomainsApplyConfiguration) WithSecondary(values ...string) *ApplicationDomainsApplyConfiguration {
+	for i := range values {
+		b.Secondary = append(b.Secondary, values[i])
+	}
+	return b
+}
+
+// WithDnsTarget sets the DnsTarget field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DnsTarget field is set to the value of the last call.
+func (b *ApplicationDomainsApplyConfiguration) WithDnsTarget(value string) *ApplicationDomainsApplyConfiguration {
+	b.DnsTarget = &value
+	return b
+}
+
+// WithIstioIngressGatewayLabels adds the given value to the IstioIngressGatewayLabels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the IstioIngressGatewayLabels field.
+func (b *ApplicationDomainsApplyConfiguration) WithIstioIngressGatewayLabels(values ...*NameValueApplyConfiguration) *ApplicationDomainsApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithIstioIngressGatewayLabels")
+		}
+		b.IstioIngressGatewayLabels = append(b.IstioIngressGatewayLabels, *values[i])
+	}
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/btp.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/btp.go
new file mode 100644
index 0000000..e8ccad7
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/btp.go
@@ -0,0 +1,32 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// BTPApplyConfiguration represents an declarative configuration of the BTP type for use
+// with apply.
+type BTPApplyConfiguration struct {
+	Services []ServiceInfoApplyConfiguration `json:"services,omitempty"`
+}
+
+// BTPApplyConfiguration constructs an declarative configuration of the BTP type for use with
+// apply.
+func BTP() *BTPApplyConfiguration {
+	return &BTPApplyConfiguration{}
+}
+
+// WithServices adds the given value to the Services field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Services field.
+func (b *BTPApplyConfiguration) WithServices(values ...*ServiceInfoApplyConfiguration) *BTPApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithServices")
+		}
+		b.Services = append(b.Services, *values[i])
+	}
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/btptenantidentification.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/btptenantidentification.go
new file mode 100644
index 0000000..911a0a8
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/btptenantidentification.go
@@ -0,0 +1,36 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// BTPTenantIdentificationApplyConfiguration represents an declarative configuration of the BTPTenantIdentification type for use
+// with apply.
+type BTPTenantIdentificationApplyConfiguration struct {
+	SubDomain *string `json:"subDomain,omitempty"`
+	TenantId  *string `json:"tenantId,omitempty"`
+}
+
+// BTPTenantIdentificationApplyConfiguration constructs an declarative configuration of the BTPTenantIdentification type for use with
+// apply.
+func BTPTenantIdentification() *BTPTenantIdentificationApplyConfiguration {
+	return &BTPTenantIdentificationApplyConfiguration{}
+}
+
+// WithSubDomain sets the SubDomain field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the SubDomain field is set to the value of the last call.
+func (b *BTPTenantIdentificationApplyConfiguration) WithSubDomain(value string) *BTPTenantIdentificationApplyConfiguration {
+	b.SubDomain = &value
+	return b
+}
+
+// WithTenantId sets the TenantId field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the TenantId field is set to the value of the last call.
+func (b *BTPTenantIdentificationApplyConfiguration) WithTenantId(value string) *BTPTenantIdentificationApplyConfiguration {
+	b.TenantId = &value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplication.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplication.go
new file mode 100644
index 0000000..a4146c5
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplication.go
@@ -0,0 +1,207 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CAPApplicationApplyConfiguration represents an declarative configuration of the CAPApplication type for use
+// with apply.
+type CAPApplicationApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	Spec                             *CAPApplicationSpecApplyConfiguration   `json:"spec,omitempty"`
+	Status                           *CAPApplicationStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// CAPApplication constructs an declarative configuration of the CAPApplication type for use with
+// apply.
+func CAPApplication(name, namespace string) *CAPApplicationApplyConfiguration {
+	b := &CAPApplicationApplyConfiguration{}
+	b.WithName(name)
+	b.WithNamespace(namespace)
+	b.WithKind("CAPApplication")
+	b.WithAPIVersion("sme.sap.com/v1alpha1")
+	return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *CAPApplicationApplyConfiguration) WithKind(value string) *CAPApplicationApplyConfiguration {
+	b.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *CAPApplicationApplyConfiguration) WithAPIVersion(value string) *CAPApplicationApplyConfiguration {
+	b.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *CAPApplicationApplyConfiguration) WithName(value string) *CAPApplicationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *CAPApplicationApplyConfiguration) WithGenerateName(value string) *CAPApplicationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *CAPApplicationApplyConfiguration) WithNamespace(value string) *CAPApplicationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *CAPApplicationApplyConfiguration) WithUID(value types.UID) *CAPApplicationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *CAPApplicationApplyConfiguration) WithResourceVersion(value string) *CAPApplicationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *CAPApplicationApplyConfiguration) WithGeneration(value int64) *CAPApplicationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *CAPApplicationApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CAPApplicationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *CAPApplicationApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CAPApplicationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *CAPApplicationApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CAPApplicationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *CAPApplicationApplyConfiguration) WithLabels(entries map[string]string) *CAPApplicationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Labels == nil && len(entries) > 0 {
+		b.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *CAPApplicationApplyConfiguration) WithAnnotations(entries map[string]string) *CAPApplicationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Annotations == nil && len(entries) > 0 {
+		b.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *CAPApplicationApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CAPApplicationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.OwnerReferences = append(b.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *CAPApplicationApplyConfiguration) WithFinalizers(values ...string) *CAPApplicationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.Finalizers = append(b.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *CAPApplicationApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *CAPApplicationApplyConfiguration) WithSpec(value *CAPApplicationSpecApplyConfiguration) *CAPApplicationApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *CAPApplicationApplyConfiguration) WithStatus(value *CAPApplicationStatusApplyConfiguration) *CAPApplicationApplyConfiguration {
+	b.Status = value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationspec.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationspec.go
new file mode 100644
index 0000000..6c4fc60
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationspec.go
@@ -0,0 +1,63 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// CAPApplicationSpecApplyConfiguration represents an declarative configuration of the CAPApplicationSpec type for use
+// with apply.
+type CAPApplicationSpecApplyConfiguration struct {
+	Domains         *ApplicationDomainsApplyConfiguration      `json:"domains,omitempty"`
+	GlobalAccountId *string                                    `json:"globalAccountId,omitempty"`
+	BTPAppName      *string                                    `json:"btpAppName,omitempty"`
+	Provider        *BTPTenantIdentificationApplyConfiguration `json:"provider,omitempty"`
+	BTP             *BTPApplyConfiguration                     `json:"btp,omitempty"`
+}
+
+// CAPApplicationSpecApplyConfiguration constructs an declarative configuration of the CAPApplicationSpec type for use with
+// apply.
+func CAPApplicationSpec() *CAPApplicationSpecApplyConfiguration {
+	return &CAPApplicationSpecApplyConfiguration{}
+}
+
+// WithDomains sets the Domains field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Domains field is set to the value of the last call.
+func (b *CAPApplicationSpecApplyConfiguration) WithDomains(value *ApplicationDomainsApplyConfiguration) *CAPApplicationSpecApplyConfiguration {
+	b.Domains = value
+	return b
+}
+
+// WithGlobalAccountId sets the GlobalAccountId field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GlobalAccountId field is set to the value of the last call.
+func (b *CAPApplicationSpecApplyConfiguration) WithGlobalAccountId(value string) *CAPApplicationSpecApplyConfiguration {
+	b.GlobalAccountId = &value
+	return b
+}
+
+// WithBTPAppName sets the BTPAppName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the BTPAppName field is set to the value of the last call.
+func (b *CAPApplicationSpecApplyConfiguration) WithBTPAppName(value string) *CAPApplicationSpecApplyConfiguration {
+	b.BTPAppName = &value
+	return b
+}
+
+// WithProvider sets the Provider field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Provider field is set to the value of the last call.
+func (b *CAPApplicationSpecApplyConfiguration) WithProvider(value *BTPTenantIdentificationApplyConfiguration) *CAPApplicationSpecApplyConfiguration {
+	b.Provider = value
+	return b
+}
+
+// WithBTP sets the BTP field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the BTP field is set to the value of the last call.
+func (b *CAPApplicationSpecApplyConfiguration) WithBTP(value *BTPApplyConfiguration) *CAPApplicationSpecApplyConfiguration {
+	b.BTP = value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationstatus.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationstatus.go
new file mode 100644
index 0000000..1548543
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationstatus.go
@@ -0,0 +1,69 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// CAPApplicationStatusApplyConfiguration represents an declarative configuration of the CAPApplicationStatus type for use
+// with apply.
+type CAPApplicationStatusApplyConfiguration struct {
+	GenericStatusApplyConfiguration `json:",inline"`
+	State                           *smesapcomv1alpha1.CAPApplicationState `json:"state,omitempty"`
+	DomainSpecHash                  *string                                `json:"domainSpecHash,omitempty"`
+	LastFullReconciliationTime      *v1.Time                               `json:"lastFullReconciliationTime,omitempty"`
+}
+
+// CAPApplicationStatusApplyConfiguration constructs an declarative configuration of the CAPApplicationStatus type for use with
+// apply.
+func CAPApplicationStatus() *CAPApplicationStatusApplyConfiguration {
+	return &CAPApplicationStatusApplyConfiguration{}
+}
+
+// WithObservedGeneration sets the ObservedGeneration field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ObservedGeneration field is set to the value of the last call.
+func (b *CAPApplicationStatusApplyConfiguration) WithObservedGeneration(value int64) *CAPApplicationStatusApplyConfiguration {
+	b.ObservedGeneration = &value
+	return b
+}
+
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *CAPApplicationStatusApplyConfiguration) WithConditions(values ...v1.Condition) *CAPApplicationStatusApplyConfiguration {
+	for i := range values {
+		b.Conditions = append(b.Conditions, values[i])
+	}
+	return b
+}
+
+// WithState sets the State field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the State field is set to the value of the last call.
+func (b *CAPApplicationStatusApplyConfiguration) WithState(value smesapcomv1alpha1.CAPApplicationState) *CAPApplicationStatusApplyConfiguration {
+	b.State = &value
+	return b
+}
+
+// WithDomainSpecHash sets the DomainSpecHash field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DomainSpecHash field is set to the value of the last call.
+func (b *CAPApplicationStatusApplyConfiguration) WithDomainSpecHash(value string) *CAPApplicationStatusApplyConfiguration {
+	b.DomainSpecHash = &value
+	return b
+}
+
+// WithLastFullReconciliationTime sets the LastFullReconciliationTime field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the LastFullReconciliationTime field is set to the value of the last call.
+func (b *CAPApplicationStatusApplyConfiguration) WithLastFullReconciliationTime(value v1.Time) *CAPApplicationStatusApplyConfiguration {
+	b.LastFullReconciliationTime = &value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationversion.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationversion.go
new file mode 100644
index 0000000..b71be0f
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationversion.go
@@ -0,0 +1,207 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CAPApplicationVersionApplyConfiguration represents an declarative configuration of the CAPApplicationVersion type for use
+// with apply.
+type CAPApplicationVersionApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	Spec                             *CAPApplicationVersionSpecApplyConfiguration   `json:"spec,omitempty"`
+	Status                           *CAPApplicationVersionStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// CAPApplicationVersion constructs an declarative configuration of the CAPApplicationVersion type for use with
+// apply.
+func CAPApplicationVersion(name, namespace string) *CAPApplicationVersionApplyConfiguration {
+	b := &CAPApplicationVersionApplyConfiguration{}
+	b.WithName(name)
+	b.WithNamespace(namespace)
+	b.WithKind("CAPApplicationVersion")
+	b.WithAPIVersion("sme.sap.com/v1alpha1")
+	return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *CAPApplicationVersionApplyConfiguration) WithKind(value string) *CAPApplicationVersionApplyConfiguration {
+	b.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *CAPApplicationVersionApplyConfiguration) WithAPIVersion(value string) *CAPApplicationVersionApplyConfiguration {
+	b.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *CAPApplicationVersionApplyConfiguration) WithName(value string) *CAPApplicationVersionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *CAPApplicationVersionApplyConfiguration) WithGenerateName(value string) *CAPApplicationVersionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *CAPApplicationVersionApplyConfiguration) WithNamespace(value string) *CAPApplicationVersionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *CAPApplicationVersionApplyConfiguration) WithUID(value types.UID) *CAPApplicationVersionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *CAPApplicationVersionApplyConfiguration) WithResourceVersion(value string) *CAPApplicationVersionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *CAPApplicationVersionApplyConfiguration) WithGeneration(value int64) *CAPApplicationVersionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *CAPApplicationVersionApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CAPApplicationVersionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *CAPApplicationVersionApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CAPApplicationVersionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *CAPApplicationVersionApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CAPApplicationVersionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *CAPApplicationVersionApplyConfiguration) WithLabels(entries map[string]string) *CAPApplicationVersionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Labels == nil && len(entries) > 0 {
+		b.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *CAPApplicationVersionApplyConfiguration) WithAnnotations(entries map[string]string) *CAPApplicationVersionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Annotations == nil && len(entries) > 0 {
+		b.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *CAPApplicationVersionApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CAPApplicationVersionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.OwnerReferences = append(b.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *CAPApplicationVersionApplyConfiguration) WithFinalizers(values ...string) *CAPApplicationVersionApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.Finalizers = append(b.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *CAPApplicationVersionApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *CAPApplicationVersionApplyConfiguration) WithSpec(value *CAPApplicationVersionSpecApplyConfiguration) *CAPApplicationVersionApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *CAPApplicationVersionApplyConfiguration) WithStatus(value *CAPApplicationVersionStatusApplyConfiguration) *CAPApplicationVersionApplyConfiguration {
+	b.Status = value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationversionspec.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationversionspec.go
new file mode 100644
index 0000000..0a30c32
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationversionspec.go
@@ -0,0 +1,70 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// CAPApplicationVersionSpecApplyConfiguration represents an declarative configuration of the CAPApplicationVersionSpec type for use
+// with apply.
+type CAPApplicationVersionSpecApplyConfiguration struct {
+	CAPApplicationInstance *string                             `json:"capApplicationInstance,omitempty"`
+	Version                *string                             `json:"version,omitempty"`
+	RegistrySecrets        []string                            `json:"registrySecrets,omitempty"`
+	Workloads              []WorkloadDetailsApplyConfiguration `json:"workloads,omitempty"`
+	TenantOperations       *TenantOperationsApplyConfiguration `json:"tenantOperations,omitempty"`
+}
+
+// CAPApplicationVersionSpecApplyConfiguration constructs an declarative configuration of the CAPApplicationVersionSpec type for use with
+// apply.
+func CAPApplicationVersionSpec() *CAPApplicationVersionSpecApplyConfiguration {
+	return &CAPApplicationVersionSpecApplyConfiguration{}
+}
+
+// WithCAPApplicationInstance sets the CAPApplicationInstance field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CAPApplicationInstance field is set to the value of the last call.
+func (b *CAPApplicationVersionSpecApplyConfiguration) WithCAPApplicationInstance(value string) *CAPApplicationVersionSpecApplyConfiguration {
+	b.CAPApplicationInstance = &value
+	return b
+}
+
+// WithVersion sets the Version field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Version field is set to the value of the last call.
+func (b *CAPApplicationVersionSpecApplyConfiguration) WithVersion(value string) *CAPApplicationVersionSpecApplyConfiguration {
+	b.Version = &value
+	return b
+}
+
+// WithRegistrySecrets adds the given value to the RegistrySecrets field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the RegistrySecrets field.
+func (b *CAPApplicationVersionSpecApplyConfiguration) WithRegistrySecrets(values ...string) *CAPApplicationVersionSpecApplyConfiguration {
+	for i := range values {
+		b.RegistrySecrets = append(b.RegistrySecrets, values[i])
+	}
+	return b
+}
+
+// WithWorkloads adds the given value to the Workloads field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Workloads field.
+func (b *CAPApplicationVersionSpecApplyConfiguration) WithWorkloads(values ...*WorkloadDetailsApplyConfiguration) *CAPApplicationVersionSpecApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithWorkloads")
+		}
+		b.Workloads = append(b.Workloads, *values[i])
+	}
+	return b
+}
+
+// WithTenantOperations sets the TenantOperations field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the TenantOperations field is set to the value of the last call.
+func (b *CAPApplicationVersionSpecApplyConfiguration) WithTenantOperations(value *TenantOperationsApplyConfiguration) *CAPApplicationVersionSpecApplyConfiguration {
+	b.TenantOperations = value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationversionstatus.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationversionstatus.go
new file mode 100644
index 0000000..05f3fa5
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/capapplicationversionstatus.go
@@ -0,0 +1,62 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// CAPApplicationVersionStatusApplyConfiguration represents an declarative configuration of the CAPApplicationVersionStatus type for use
+// with apply.
+type CAPApplicationVersionStatusApplyConfiguration struct {
+	GenericStatusApplyConfiguration `json:",inline"`
+	State                           *smesapcomv1alpha1.CAPApplicationVersionState `json:"state,omitempty"`
+	FinishedJobs                    []string                                      `json:"finishedJobs,omitempty"`
+}
+
+// CAPApplicationVersionStatusApplyConfiguration constructs an declarative configuration of the CAPApplicationVersionStatus type for use with
+// apply.
+func CAPApplicationVersionStatus() *CAPApplicationVersionStatusApplyConfiguration {
+	return &CAPApplicationVersionStatusApplyConfiguration{}
+}
+
+// WithObservedGeneration sets the ObservedGeneration field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ObservedGeneration field is set to the value of the last call.
+func (b *CAPApplicationVersionStatusApplyConfiguration) WithObservedGeneration(value int64) *CAPApplicationVersionStatusApplyConfiguration {
+	b.ObservedGeneration = &value
+	return b
+}
+
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *CAPApplicationVersionStatusApplyConfiguration) WithConditions(values ...v1.Condition) *CAPApplicationVersionStatusApplyConfiguration {
+	for i := range values {
+		b.Conditions = append(b.Conditions, values[i])
+	}
+	return b
+}
+
+// WithState sets the State field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the State field is set to the value of the last call.
+func (b *CAPApplicationVersionStatusApplyConfiguration) WithState(value smesapcomv1alpha1.CAPApplicationVersionState) *CAPApplicationVersionStatusApplyConfiguration {
+	b.State = &value
+	return b
+}
+
+// WithFinishedJobs adds the given value to the FinishedJobs field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the FinishedJobs field.
+func (b *CAPApplicationVersionStatusApplyConfiguration) WithFinishedJobs(values ...string) *CAPApplicationVersionStatusApplyConfiguration {
+	for i := range values {
+		b.FinishedJobs = append(b.FinishedJobs, values[i])
+	}
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenant.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenant.go
new file mode 100644
index 0000000..010dca8
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenant.go
@@ -0,0 +1,207 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CAPTenantApplyConfiguration represents an declarative configuration of the CAPTenant type for use
+// with apply.
+type CAPTenantApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	Spec                             *CAPTenantSpecApplyConfiguration   `json:"spec,omitempty"`
+	Status                           *CAPTenantStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// CAPTenant constructs an declarative configuration of the CAPTenant type for use with
+// apply.
+func CAPTenant(name, namespace string) *CAPTenantApplyConfiguration {
+	b := &CAPTenantApplyConfiguration{}
+	b.WithName(name)
+	b.WithNamespace(namespace)
+	b.WithKind("CAPTenant")
+	b.WithAPIVersion("sme.sap.com/v1alpha1")
+	return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *CAPTenantApplyConfiguration) WithKind(value string) *CAPTenantApplyConfiguration {
+	b.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *CAPTenantApplyConfiguration) WithAPIVersion(value string) *CAPTenantApplyConfiguration {
+	b.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *CAPTenantApplyConfiguration) WithName(value string) *CAPTenantApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *CAPTenantApplyConfiguration) WithGenerateName(value string) *CAPTenantApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *CAPTenantApplyConfiguration) WithNamespace(value string) *CAPTenantApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *CAPTenantApplyConfiguration) WithUID(value types.UID) *CAPTenantApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *CAPTenantApplyConfiguration) WithResourceVersion(value string) *CAPTenantApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *CAPTenantApplyConfiguration) WithGeneration(value int64) *CAPTenantApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *CAPTenantApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CAPTenantApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *CAPTenantApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CAPTenantApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *CAPTenantApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CAPTenantApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *CAPTenantApplyConfiguration) WithLabels(entries map[string]string) *CAPTenantApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Labels == nil && len(entries) > 0 {
+		b.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *CAPTenantApplyConfiguration) WithAnnotations(entries map[string]string) *CAPTenantApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Annotations == nil && len(entries) > 0 {
+		b.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *CAPTenantApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CAPTenantApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.OwnerReferences = append(b.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *CAPTenantApplyConfiguration) WithFinalizers(values ...string) *CAPTenantApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.Finalizers = append(b.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *CAPTenantApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *CAPTenantApplyConfiguration) WithSpec(value *CAPTenantSpecApplyConfiguration) *CAPTenantApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *CAPTenantApplyConfiguration) WithStatus(value *CAPTenantStatusApplyConfiguration) *CAPTenantApplyConfiguration {
+	b.Status = value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperation.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperation.go
new file mode 100644
index 0000000..0516631
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperation.go
@@ -0,0 +1,207 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CAPTenantOperationApplyConfiguration represents an declarative configuration of the CAPTenantOperation type for use
+// with apply.
+type CAPTenantOperationApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	Spec                             *CAPTenantOperationSpecApplyConfiguration   `json:"spec,omitempty"`
+	Status                           *CAPTenantOperationStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// CAPTenantOperation constructs an declarative configuration of the CAPTenantOperation type for use with
+// apply.
+func CAPTenantOperation(name, namespace string) *CAPTenantOperationApplyConfiguration {
+	b := &CAPTenantOperationApplyConfiguration{}
+	b.WithName(name)
+	b.WithNamespace(namespace)
+	b.WithKind("CAPTenantOperation")
+	b.WithAPIVersion("sme.sap.com/v1alpha1")
+	return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *CAPTenantOperationApplyConfiguration) WithKind(value string) *CAPTenantOperationApplyConfiguration {
+	b.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *CAPTenantOperationApplyConfiguration) WithAPIVersion(value string) *CAPTenantOperationApplyConfiguration {
+	b.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *CAPTenantOperationApplyConfiguration) WithName(value string) *CAPTenantOperationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *CAPTenantOperationApplyConfiguration) WithGenerateName(value string) *CAPTenantOperationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *CAPTenantOperationApplyConfiguration) WithNamespace(value string) *CAPTenantOperationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *CAPTenantOperationApplyConfiguration) WithUID(value types.UID) *CAPTenantOperationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *CAPTenantOperationApplyConfiguration) WithResourceVersion(value string) *CAPTenantOperationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *CAPTenantOperationApplyConfiguration) WithGeneration(value int64) *CAPTenantOperationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *CAPTenantOperationApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CAPTenantOperationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *CAPTenantOperationApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CAPTenantOperationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *CAPTenantOperationApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CAPTenantOperationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *CAPTenantOperationApplyConfiguration) WithLabels(entries map[string]string) *CAPTenantOperationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Labels == nil && len(entries) > 0 {
+		b.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *CAPTenantOperationApplyConfiguration) WithAnnotations(entries map[string]string) *CAPTenantOperationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Annotations == nil && len(entries) > 0 {
+		b.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *CAPTenantOperationApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CAPTenantOperationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.OwnerReferences = append(b.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *CAPTenantOperationApplyConfiguration) WithFinalizers(values ...string) *CAPTenantOperationApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.Finalizers = append(b.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *CAPTenantOperationApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *CAPTenantOperationApplyConfiguration) WithSpec(value *CAPTenantOperationSpecApplyConfiguration) *CAPTenantOperationApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *CAPTenantOperationApplyConfiguration) WithStatus(value *CAPTenantOperationStatusApplyConfiguration) *CAPTenantOperationApplyConfiguration {
+	b.Status = value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperationspec.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperationspec.go
new file mode 100644
index 0000000..15d6720
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperationspec.go
@@ -0,0 +1,71 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+)
+
+// CAPTenantOperationSpecApplyConfiguration represents an declarative configuration of the CAPTenantOperationSpec type for use
+// with apply.
+type CAPTenantOperationSpecApplyConfiguration struct {
+	Operation                                 *v1alpha1.CAPTenantOperationType `json:"operation,omitempty"`
+	BTPTenantIdentificationApplyConfiguration `json:",inline"`
+	CAPApplicationVersionInstance             *string                                    `json:"capApplicationVersionInstance,omitempty"`
+	Steps                                     []CAPTenantOperationStepApplyConfiguration `json:"steps,omitempty"`
+}
+
+// CAPTenantOperationSpecApplyConfiguration constructs an declarative configuration of the CAPTenantOperationSpec type for use with
+// apply.
+func CAPTenantOperationSpec() *CAPTenantOperationSpecApplyConfiguration {
+	return &CAPTenantOperationSpecApplyConfiguration{}
+}
+
+// WithOperation sets the Operation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Operation field is set to the value of the last call.
+func (b *CAPTenantOperationSpecApplyConfiguration) WithOperation(value v1alpha1.CAPTenantOperationType) *CAPTenantOperationSpecApplyConfiguration {
+	b.Operation = &value
+	return b
+}
+
+// WithSubDomain sets the SubDomain field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the SubDomain field is set to the value of the last call.
+func (b *CAPTenantOperationSpecApplyConfiguration) WithSubDomain(value string) *CAPTenantOperationSpecApplyConfiguration {
+	b.SubDomain = &value
+	return b
+}
+
+// WithTenantId sets the TenantId field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the TenantId field is set to the value of the last call.
+func (b *CAPTenantOperationSpecApplyConfiguration) WithTenantId(value string) *CAPTenantOperationSpecApplyConfiguration {
+	b.TenantId = &value
+	return b
+}
+
+// WithCAPApplicationVersionInstance sets the CAPApplicationVersionInstance field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CAPApplicationVersionInstance field is set to the value of the last call.
+func (b *CAPTenantOperationSpecApplyConfiguration) WithCAPApplicationVersionInstance(value string) *CAPTenantOperationSpecApplyConfiguration {
+	b.CAPApplicationVersionInstance = &value
+	return b
+}
+
+// WithSteps adds the given value to the Steps field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Steps field.
+func (b *CAPTenantOperationSpecApplyConfiguration) WithSteps(values ...*CAPTenantOperationStepApplyConfiguration) *CAPTenantOperationSpecApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithSteps")
+		}
+		b.Steps = append(b.Steps, *values[i])
+	}
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperationstatus.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperationstatus.go
new file mode 100644
index 0000000..67ec764
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperationstatus.go
@@ -0,0 +1,69 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// CAPTenantOperationStatusApplyConfiguration represents an declarative configuration of the CAPTenantOperationStatus type for use
+// with apply.
+type CAPTenantOperationStatusApplyConfiguration struct {
+	GenericStatusApplyConfiguration `json:",inline"`
+	State                           *smesapcomv1alpha1.CAPTenantOperationState `json:"state,omitempty"`
+	CurrentStep                     *uint32                                    `json:"currentStep,omitempty"`
+	ActiveJob                       *string                                    `json:"activeJob,omitempty"`
+}
+
+// CAPTenantOperationStatusApplyConfiguration constructs an declarative configuration of the CAPTenantOperationStatus type for use with
+// apply.
+func CAPTenantOperationStatus() *CAPTenantOperationStatusApplyConfiguration {
+	return &CAPTenantOperationStatusApplyConfiguration{}
+}
+
+// WithObservedGeneration sets the ObservedGeneration field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ObservedGeneration field is set to the value of the last call.
+func (b *CAPTenantOperationStatusApplyConfiguration) WithObservedGeneration(value int64) *CAPTenantOperationStatusApplyConfiguration {
+	b.ObservedGeneration = &value
+	return b
+}
+
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *CAPTenantOperationStatusApplyConfiguration) WithConditions(values ...v1.Condition) *CAPTenantOperationStatusApplyConfiguration {
+	for i := range values {
+		b.Conditions = append(b.Conditions, values[i])
+	}
+	return b
+}
+
+// WithState sets the State field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the State field is set to the value of the last call.
+func (b *CAPTenantOperationStatusApplyConfiguration) WithState(value smesapcomv1alpha1.CAPTenantOperationState) *CAPTenantOperationStatusApplyConfiguration {
+	b.State = &value
+	return b
+}
+
+// WithCurrentStep sets the CurrentStep field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CurrentStep field is set to the value of the last call.
+func (b *CAPTenantOperationStatusApplyConfiguration) WithCurrentStep(value uint32) *CAPTenantOperationStatusApplyConfiguration {
+	b.CurrentStep = &value
+	return b
+}
+
+// WithActiveJob sets the ActiveJob field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ActiveJob field is set to the value of the last call.
+func (b *CAPTenantOperationStatusApplyConfiguration) WithActiveJob(value string) *CAPTenantOperationStatusApplyConfiguration {
+	b.ActiveJob = &value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperationstep.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperationstep.go
new file mode 100644
index 0000000..fb22f53
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantoperationstep.go
@@ -0,0 +1,49 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+)
+
+// CAPTenantOperationStepApplyConfiguration represents an declarative configuration of the CAPTenantOperationStep type for use
+// with apply.
+type CAPTenantOperationStepApplyConfiguration struct {
+	Name              *string           `json:"name,omitempty"`
+	Type              *v1alpha1.JobType `json:"type,omitempty"`
+	ContinueOnFailure *bool             `json:"continueOnFailure,omitempty"`
+}
+
+// CAPTenantOperationStepApplyConfiguration constructs an declarative configuration of the CAPTenantOperationStep type for use with
+// apply.
+func CAPTenantOperationStep() *CAPTenantOperationStepApplyConfiguration {
+	return &CAPTenantOperationStepApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *CAPTenantOperationStepApplyConfiguration) WithName(value string) *CAPTenantOperationStepApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithType sets the Type field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Type field is set to the value of the last call.
+func (b *CAPTenantOperationStepApplyConfiguration) WithType(value v1alpha1.JobType) *CAPTenantOperationStepApplyConfiguration {
+	b.Type = &value
+	return b
+}
+
+// WithContinueOnFailure sets the ContinueOnFailure field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ContinueOnFailure field is set to the value of the last call.
+func (b *CAPTenantOperationStepApplyConfiguration) WithContinueOnFailure(value bool) *CAPTenantOperationStepApplyConfiguration {
+	b.ContinueOnFailure = &value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantspec.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantspec.go
new file mode 100644
index 0000000..1966560
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantspec.go
@@ -0,0 +1,66 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+)
+
+// CAPTenantSpecApplyConfiguration represents an declarative configuration of the CAPTenantSpec type for use
+// with apply.
+type CAPTenantSpecApplyConfiguration struct {
+	CAPApplicationInstance                    *string `json:"capApplicationInstance,omitempty"`
+	BTPTenantIdentificationApplyConfiguration `json:",inline"`
+	Version                                   *string                                       `json:"version,omitempty"`
+	VersionUpgradeStrategy                    *smesapcomv1alpha1.VersionUpgradeStrategyType `json:"versionUpgradeStrategy,omitempty"`
+}
+
+// CAPTenantSpecApplyConfiguration constructs an declarative configuration of the CAPTenantSpec type for use with
+// apply.
+func CAPTenantSpec() *CAPTenantSpecApplyConfiguration {
+	return &CAPTenantSpecApplyConfiguration{}
+}
+
+// WithCAPApplicationInstance sets the CAPApplicationInstance field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CAPApplicationInstance field is set to the value of the last call.
+func (b *CAPTenantSpecApplyConfiguration) WithCAPApplicationInstance(value string) *CAPTenantSpecApplyConfiguration {
+	b.CAPApplicationInstance = &value
+	return b
+}
+
+// WithSubDomain sets the SubDomain field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the SubDomain field is set to the value of the last call.
+func (b *CAPTenantSpecApplyConfiguration) WithSubDomain(value string) *CAPTenantSpecApplyConfiguration {
+	b.SubDomain = &value
+	return b
+}
+
+// WithTenantId sets the TenantId field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the TenantId field is set to the value of the last call.
+func (b *CAPTenantSpecApplyConfiguration) WithTenantId(value string) *CAPTenantSpecApplyConfiguration {
+	b.TenantId = &value
+	return b
+}
+
+// WithVersion sets the Version field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Version field is set to the value of the last call.
+func (b *CAPTenantSpecApplyConfiguration) WithVersion(value string) *CAPTenantSpecApplyConfiguration {
+	b.Version = &value
+	return b
+}
+
+// WithVersionUpgradeStrategy sets the VersionUpgradeStrategy field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the VersionUpgradeStrategy field is set to the value of the last call.
+func (b *CAPTenantSpecApplyConfiguration) WithVersionUpgradeStrategy(value smesapcomv1alpha1.VersionUpgradeStrategyType) *CAPTenantSpecApplyConfiguration {
+	b.VersionUpgradeStrategy = &value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantstatus.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantstatus.go
new file mode 100644
index 0000000..68ed5db
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/captenantstatus.go
@@ -0,0 +1,80 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// CAPTenantStatusApplyConfiguration represents an declarative configuration of the CAPTenantStatus type for use
+// with apply.
+type CAPTenantStatusApplyConfiguration struct {
+	GenericStatusApplyConfiguration      `json:",inline"`
+	State                                *smesapcomv1alpha1.CAPTenantState `json:"state,omitempty"`
+	CurrentCAPApplicationVersionInstance *string                           `json:"currentCAPApplicationVersionInstance,omitempty"`
+	PreviousCAPApplicationVersions       []string                          `json:"previousCAPApplicationVersions,omitempty"`
+	LastFullReconciliationTime           *v1.Time                          `json:"lastFullReconciliationTime,omitempty"`
+}
+
+// CAPTenantStatusApplyConfiguration constructs an declarative configuration of the CAPTenantStatus type for use with
+// apply.
+func CAPTenantStatus() *CAPTenantStatusApplyConfiguration {
+	return &CAPTenantStatusApplyConfiguration{}
+}
+
+// WithObservedGeneration sets the ObservedGeneration field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ObservedGeneration field is set to the value of the last call.
+func (b *CAPTenantStatusApplyConfiguration) WithObservedGeneration(value int64) *CAPTenantStatusApplyConfiguration {
+	b.ObservedGeneration = &value
+	return b
+}
+
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *CAPTenantStatusApplyConfiguration) WithConditions(values ...v1.Condition) *CAPTenantStatusApplyConfiguration {
+	for i := range values {
+		b.Conditions = append(b.Conditions, values[i])
+	}
+	return b
+}
+
+// WithState sets the State field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the State field is set to the value of the last call.
+func (b *CAPTenantStatusApplyConfiguration) WithState(value smesapcomv1alpha1.CAPTenantState) *CAPTenantStatusApplyConfiguration {
+	b.State = &value
+	return b
+}
+
+// WithCurrentCAPApplicationVersionInstance sets the CurrentCAPApplicationVersionInstance field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CurrentCAPApplicationVersionInstance field is set to the value of the last call.
+func (b *CAPTenantStatusApplyConfiguration) WithCurrentCAPApplicationVersionInstance(value string) *CAPTenantStatusApplyConfiguration {
+	b.CurrentCAPApplicationVersionInstance = &value
+	return b
+}
+
+// WithPreviousCAPApplicationVersions adds the given value to the PreviousCAPApplicationVersions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the PreviousCAPApplicationVersions field.
+func (b *CAPTenantStatusApplyConfiguration) WithPreviousCAPApplicationVersions(values ...string) *CAPTenantStatusApplyConfiguration {
+	for i := range values {
+		b.PreviousCAPApplicationVersions = append(b.PreviousCAPApplicationVersions, values[i])
+	}
+	return b
+}
+
+// WithLastFullReconciliationTime sets the LastFullReconciliationTime field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the LastFullReconciliationTime field is set to the value of the last call.
+func (b *CAPTenantStatusApplyConfiguration) WithLastFullReconciliationTime(value v1.Time) *CAPTenantStatusApplyConfiguration {
+	b.LastFullReconciliationTime = &value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/containerdetails.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/containerdetails.go
new file mode 100644
index 0000000..3e9ad48
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/containerdetails.go
@@ -0,0 +1,89 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/api/core/v1"
+)
+
+// ContainerDetailsApplyConfiguration represents an declarative configuration of the ContainerDetails type for use
+// with apply.
+type ContainerDetailsApplyConfiguration struct {
+	Image              *string                  `json:"image,omitempty"`
+	ImagePullPolicy    *v1.PullPolicy           `json:"imagePullPolicy,omitempty"`
+	Command            []string                 `json:"command,omitempty"`
+	Env                []v1.EnvVar              `json:"env,omitempty"`
+	Resources          *v1.ResourceRequirements `json:"resources,omitempty"`
+	SecurityContext    *v1.SecurityContext      `json:"securityContext,omitempty"`
+	PodSecurityContext *v1.PodSecurityContext   `json:"podSecurityContext,omitempty"`
+}
+
+// ContainerDetailsApplyConfiguration constructs an declarative configuration of the ContainerDetails type for use with
+// apply.
+func ContainerDetails() *ContainerDetailsApplyConfiguration {
+	return &ContainerDetailsApplyConfiguration{}
+}
+
+// WithImage sets the Image field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Image field is set to the value of the last call.
+func (b *ContainerDetailsApplyConfiguration) WithImage(value string) *ContainerDetailsApplyConfiguration {
+	b.Image = &value
+	return b
+}
+
+// WithImagePullPolicy sets the ImagePullPolicy field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ImagePullPolicy field is set to the value of the last call.
+func (b *ContainerDetailsApplyConfiguration) WithImagePullPolicy(value v1.PullPolicy) *ContainerDetailsApplyConfiguration {
+	b.ImagePullPolicy = &value
+	return b
+}
+
+// WithCommand adds the given value to the Command field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Command field.
+func (b *ContainerDetailsApplyConfiguration) WithCommand(values ...string) *ContainerDetailsApplyConfiguration {
+	for i := range values {
+		b.Command = append(b.Command, values[i])
+	}
+	return b
+}
+
+// WithEnv adds the given value to the Env field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Env field.
+func (b *ContainerDetailsApplyConfiguration) WithEnv(values ...v1.EnvVar) *ContainerDetailsApplyConfiguration {
+	for i := range values {
+		b.Env = append(b.Env, values[i])
+	}
+	return b
+}
+
+// WithResources sets the Resources field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Resources field is set to the value of the last call.
+func (b *ContainerDetailsApplyConfiguration) WithResources(value v1.ResourceRequirements) *ContainerDetailsApplyConfiguration {
+	b.Resources = &value
+	return b
+}
+
+// WithSecurityContext sets the SecurityContext field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the SecurityContext field is set to the value of the last call.
+func (b *ContainerDetailsApplyConfiguration) WithSecurityContext(value v1.SecurityContext) *ContainerDetailsApplyConfiguration {
+	b.SecurityContext = &value
+	return b
+}
+
+// WithPodSecurityContext sets the PodSecurityContext field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PodSecurityContext field is set to the value of the last call.
+func (b *ContainerDetailsApplyConfiguration) WithPodSecurityContext(value v1.PodSecurityContext) *ContainerDetailsApplyConfiguration {
+	b.PodSecurityContext = &value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/deploymentdetails.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/deploymentdetails.go
new file mode 100644
index 0000000..6bdecf3
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/deploymentdetails.go
@@ -0,0 +1,134 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	v1 "k8s.io/api/core/v1"
+)
+
+// DeploymentDetailsApplyConfiguration represents an declarative configuration of the DeploymentDetails type for use
+// with apply.
+type DeploymentDetailsApplyConfiguration struct {
+	ContainerDetailsApplyConfiguration `json:",inline"`
+	Type                               *smesapcomv1alpha1.DeploymentType `json:"type,omitempty"`
+	Replicas                           *int32                            `json:"replicas,omitempty"`
+	Ports                              []PortsApplyConfiguration         `json:"ports,omitempty"`
+	LivenessProbe                      *v1.Probe                         `json:"livenessProbe,omitempty"`
+	ReadinessProbe                     *v1.Probe                         `json:"readinessProbe,omitempty"`
+}
+
+// DeploymentDetailsApplyConfiguration constructs an declarative configuration of the DeploymentDetails type for use with
+// apply.
+func DeploymentDetails() *DeploymentDetailsApplyConfiguration {
+	return &DeploymentDetailsApplyConfiguration{}
+}
+
+// WithImage sets the Image field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Image field is set to the value of the last call.
+func (b *DeploymentDetailsApplyConfiguration) WithImage(value string) *DeploymentDetailsApplyConfiguration {
+	b.Image = &value
+	return b
+}
+
+// WithImagePullPolicy sets the ImagePullPolicy field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ImagePullPolicy field is set to the value of the last call.
+func (b *DeploymentDetailsApplyConfiguration) WithImagePullPolicy(value v1.PullPolicy) *DeploymentDetailsApplyConfiguration {
+	b.ImagePullPolicy = &value
+	return b
+}
+
+// WithCommand adds the given value to the Command field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Command field.
+func (b *DeploymentDetailsApplyConfiguration) WithCommand(values ...string) *DeploymentDetailsApplyConfiguration {
+	for i := range values {
+		b.Command = append(b.Command, values[i])
+	}
+	return b
+}
+
+// WithEnv adds the given value to the Env field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Env field.
+func (b *DeploymentDetailsApplyConfiguration) WithEnv(values ...v1.EnvVar) *DeploymentDetailsApplyConfiguration {
+	for i := range values {
+		b.Env = append(b.Env, values[i])
+	}
+	return b
+}
+
+// WithResources sets the Resources field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Resources field is set to the value of the last call.
+func (b *DeploymentDetailsApplyConfiguration) WithResources(value v1.ResourceRequirements) *DeploymentDetailsApplyConfiguration {
+	b.Resources = &value
+	return b
+}
+
+// WithSecurityContext sets the SecurityContext field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the SecurityContext field is set to the value of the last call.
+func (b *DeploymentDetailsApplyConfiguration) WithSecurityContext(value v1.SecurityContext) *DeploymentDetailsApplyConfiguration {
+	b.SecurityContext = &value
+	return b
+}
+
+// WithPodSecurityContext sets the PodSecurityContext field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PodSecurityContext field is set to the value of the last call.
+func (b *DeploymentDetailsApplyConfiguration) WithPodSecurityContext(value v1.PodSecurityContext) *DeploymentDetailsApplyConfiguration {
+	b.PodSecurityContext = &value
+	return b
+}
+
+// WithType sets the Type field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Type field is set to the value of the last call.
+func (b *DeploymentDetailsApplyConfiguration) WithType(value smesapcomv1alpha1.DeploymentType) *DeploymentDetailsApplyConfiguration {
+	b.Type = &value
+	return b
+}
+
+// WithReplicas sets the Replicas field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Replicas field is set to the value of the last call.
+func (b *DeploymentDetailsApplyConfiguration) WithReplicas(value int32) *DeploymentDetailsApplyConfiguration {
+	b.Replicas = &value
+	return b
+}
+
+// WithPorts adds the given value to the Ports field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Ports field.
+func (b *DeploymentDetailsApplyConfiguration) WithPorts(values ...*PortsApplyConfiguration) *DeploymentDetailsApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithPorts")
+		}
+		b.Ports = append(b.Ports, *values[i])
+	}
+	return b
+}
+
+// WithLivenessProbe sets the LivenessProbe field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the LivenessProbe field is set to the value of the last call.
+func (b *DeploymentDetailsApplyConfiguration) WithLivenessProbe(value v1.Probe) *DeploymentDetailsApplyConfiguration {
+	b.LivenessProbe = &value
+	return b
+}
+
+// WithReadinessProbe sets the ReadinessProbe field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ReadinessProbe field is set to the value of the last call.
+func (b *DeploymentDetailsApplyConfiguration) WithReadinessProbe(value v1.Probe) *DeploymentDetailsApplyConfiguration {
+	b.ReadinessProbe = &value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/genericstatus.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/genericstatus.go
new file mode 100644
index 0000000..0b26b02
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/genericstatus.go
@@ -0,0 +1,42 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// GenericStatusApplyConfiguration represents an declarative configuration of the GenericStatus type for use
+// with apply.
+type GenericStatusApplyConfiguration struct {
+	ObservedGeneration *int64         `json:"observedGeneration,omitempty"`
+	Conditions         []v1.Condition `json:"conditions,omitempty"`
+}
+
+// GenericStatusApplyConfiguration constructs an declarative configuration of the GenericStatus type for use with
+// apply.
+func GenericStatus() *GenericStatusApplyConfiguration {
+	return &GenericStatusApplyConfiguration{}
+}
+
+// WithObservedGeneration sets the ObservedGeneration field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ObservedGeneration field is set to the value of the last call.
+func (b *GenericStatusApplyConfiguration) WithObservedGeneration(value int64) *GenericStatusApplyConfiguration {
+	b.ObservedGeneration = &value
+	return b
+}
+
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *GenericStatusApplyConfiguration) WithConditions(values ...v1.Condition) *GenericStatusApplyConfiguration {
+	for i := range values {
+		b.Conditions = append(b.Conditions, values[i])
+	}
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/jobdetails.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/jobdetails.go
new file mode 100644
index 0000000..3fd5674
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/jobdetails.go
@@ -0,0 +1,111 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	v1 "k8s.io/api/core/v1"
+)
+
+// JobDetailsApplyConfiguration represents an declarative configuration of the JobDetails type for use
+// with apply.
+type JobDetailsApplyConfiguration struct {
+	ContainerDetailsApplyConfiguration `json:",inline"`
+	Type                               *smesapcomv1alpha1.JobType `json:"type,omitempty"`
+	BackoffLimit                       *int32                     `json:"backoffLimit,omitempty"`
+	TTLSecondsAfterFinished            *int32                     `json:"ttlSecondsAfterFinished,omitempty"`
+}
+
+// JobDetailsApplyConfiguration constructs an declarative configuration of the JobDetails type for use with
+// apply.
+func JobDetails() *JobDetailsApplyConfiguration {
+	return &JobDetailsApplyConfiguration{}
+}
+
+// WithImage sets the Image field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Image field is set to the value of the last call.
+func (b *JobDetailsApplyConfiguration) WithImage(value string) *JobDetailsApplyConfiguration {
+	b.Image = &value
+	return b
+}
+
+// WithImagePullPolicy sets the ImagePullPolicy field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ImagePullPolicy field is set to the value of the last call.
+func (b *JobDetailsApplyConfiguration) WithImagePullPolicy(value v1.PullPolicy) *JobDetailsApplyConfiguration {
+	b.ImagePullPolicy = &value
+	return b
+}
+
+// WithCommand adds the given value to the Command field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Command field.
+func (b *JobDetailsApplyConfiguration) WithCommand(values ...string) *JobDetailsApplyConfiguration {
+	for i := range values {
+		b.Command = append(b.Command, values[i])
+	}
+	return b
+}
+
+// WithEnv adds the given value to the Env field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Env field.
+func (b *JobDetailsApplyConfiguration) WithEnv(values ...v1.EnvVar) *JobDetailsApplyConfiguration {
+	for i := range values {
+		b.Env = append(b.Env, values[i])
+	}
+	return b
+}
+
+// WithResources sets the Resources field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Resources field is set to the value of the last call.
+func (b *JobDetailsApplyConfiguration) WithResources(value v1.ResourceRequirements) *JobDetailsApplyConfiguration {
+	b.Resources = &value
+	return b
+}
+
+// WithSecurityContext sets the SecurityContext field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the SecurityContext field is set to the value of the last call.
+func (b *JobDetailsApplyConfiguration) WithSecurityContext(value v1.SecurityContext) *JobDetailsApplyConfiguration {
+	b.SecurityContext = &value
+	return b
+}
+
+// WithPodSecurityContext sets the PodSecurityContext field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PodSecurityContext field is set to the value of the last call.
+func (b *JobDetailsApplyConfiguration) WithPodSecurityContext(value v1.PodSecurityContext) *JobDetailsApplyConfiguration {
+	b.PodSecurityContext = &value
+	return b
+}
+
+// WithType sets the Type field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Type field is set to the value of the last call.
+func (b *JobDetailsApplyConfiguration) WithType(value smesapcomv1alpha1.JobType) *JobDetailsApplyConfiguration {
+	b.Type = &value
+	return b
+}
+
+// WithBackoffLimit sets the BackoffLimit field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the BackoffLimit field is set to the value of the last call.
+func (b *JobDetailsApplyConfiguration) WithBackoffLimit(value int32) *JobDetailsApplyConfiguration {
+	b.BackoffLimit = &value
+	return b
+}
+
+// WithTTLSecondsAfterFinished sets the TTLSecondsAfterFinished field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the TTLSecondsAfterFinished field is set to the value of the last call.
+func (b *JobDetailsApplyConfiguration) WithTTLSecondsAfterFinished(value int32) *JobDetailsApplyConfiguration {
+	b.TTLSecondsAfterFinished = &value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/namevalue.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/namevalue.go
new file mode 100644
index 0000000..014db3d
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/namevalue.go
@@ -0,0 +1,36 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// NameValueApplyConfiguration represents an declarative configuration of the NameValue type for use
+// with apply.
+type NameValueApplyConfiguration struct {
+	Name  *string `json:"name,omitempty"`
+	Value *string `json:"value,omitempty"`
+}
+
+// NameValueApplyConfiguration constructs an declarative configuration of the NameValue type for use with
+// apply.
+func NameValue() *NameValueApplyConfiguration {
+	return &NameValueApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *NameValueApplyConfiguration) WithName(value string) *NameValueApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithValue sets the Value field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Value field is set to the value of the last call.
+func (b *NameValueApplyConfiguration) WithValue(value string) *NameValueApplyConfiguration {
+	b.Value = &value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/ports.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/ports.go
new file mode 100644
index 0000000..e4f7771
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/ports.go
@@ -0,0 +1,67 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+)
+
+// PortsApplyConfiguration represents an declarative configuration of the Ports type for use
+// with apply.
+type PortsApplyConfiguration struct {
+	AppProtocol           *string                         `json:"appProtocol,omitempty"`
+	Name                  *string                         `json:"name,omitempty"`
+	NetworkPolicy         *v1alpha1.PortNetworkPolicyType `json:"networkPolicy,omitempty"`
+	Port                  *int32                          `json:"port,omitempty"`
+	RouterDestinationName *string                         `json:"routerDestinationName,omitempty"`
+}
+
+// PortsApplyConfiguration constructs an declarative configuration of the Ports type for use with
+// apply.
+func Ports() *PortsApplyConfiguration {
+	return &PortsApplyConfiguration{}
+}
+
+// WithAppProtocol sets the AppProtocol field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the AppProtocol field is set to the value of the last call.
+func (b *PortsApplyConfiguration) WithAppProtocol(value string) *PortsApplyConfiguration {
+	b.AppProtocol = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *PortsApplyConfiguration) WithName(value string) *PortsApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithNetworkPolicy sets the NetworkPolicy field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the NetworkPolicy field is set to the value of the last call.
+func (b *PortsApplyConfiguration) WithNetworkPolicy(value v1alpha1.PortNetworkPolicyType) *PortsApplyConfiguration {
+	b.NetworkPolicy = &value
+	return b
+}
+
+// WithPort sets the Port field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Port field is set to the value of the last call.
+func (b *PortsApplyConfiguration) WithPort(value int32) *PortsApplyConfiguration {
+	b.Port = &value
+	return b
+}
+
+// WithRouterDestinationName sets the RouterDestinationName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the RouterDestinationName field is set to the value of the last call.
+func (b *PortsApplyConfiguration) WithRouterDestinationName(value string) *PortsApplyConfiguration {
+	b.RouterDestinationName = &value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/serviceinfo.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/serviceinfo.go
new file mode 100644
index 0000000..98bc167
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/serviceinfo.go
@@ -0,0 +1,45 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// ServiceInfoApplyConfiguration represents an declarative configuration of the ServiceInfo type for use
+// with apply.
+type ServiceInfoApplyConfiguration struct {
+	Name   *string `json:"name,omitempty"`
+	Secret *string `json:"secret,omitempty"`
+	Class  *string `json:"class,omitempty"`
+}
+
+// ServiceInfoApplyConfiguration constructs an declarative configuration of the ServiceInfo type for use with
+// apply.
+func ServiceInfo() *ServiceInfoApplyConfiguration {
+	return &ServiceInfoApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *ServiceInfoApplyConfiguration) WithName(value string) *ServiceInfoApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithSecret sets the Secret field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Secret field is set to the value of the last call.
+func (b *ServiceInfoApplyConfiguration) WithSecret(value string) *ServiceInfoApplyConfiguration {
+	b.Secret = &value
+	return b
+}
+
+// WithClass sets the Class field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Class field is set to the value of the last call.
+func (b *ServiceInfoApplyConfiguration) WithClass(value string) *ServiceInfoApplyConfiguration {
+	b.Class = &value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/tenantoperations.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/tenantoperations.go
new file mode 100644
index 0000000..5b966e9
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/tenantoperations.go
@@ -0,0 +1,60 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// TenantOperationsApplyConfiguration represents an declarative configuration of the TenantOperations type for use
+// with apply.
+type TenantOperationsApplyConfiguration struct {
+	Provisioning   []TenantOperationWorkloadReferenceApplyConfiguration `json:"provisioning,omitempty"`
+	Upgrade        []TenantOperationWorkloadReferenceApplyConfiguration `json:"upgrade,omitempty"`
+	Deprovisioning []TenantOperationWorkloadReferenceApplyConfiguration `json:"deprovisioning,omitempty"`
+}
+
+// TenantOperationsApplyConfiguration constructs an declarative configuration of the TenantOperations type for use with
+// apply.
+func TenantOperations() *TenantOperationsApplyConfiguration {
+	return &TenantOperationsApplyConfiguration{}
+}
+
+// WithProvisioning adds the given value to the Provisioning field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Provisioning field.
+func (b *TenantOperationsApplyConfiguration) WithProvisioning(values ...*TenantOperationWorkloadReferenceApplyConfiguration) *TenantOperationsApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithProvisioning")
+		}
+		b.Provisioning = append(b.Provisioning, *values[i])
+	}
+	return b
+}
+
+// WithUpgrade adds the given value to the Upgrade field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Upgrade field.
+func (b *TenantOperationsApplyConfiguration) WithUpgrade(values ...*TenantOperationWorkloadReferenceApplyConfiguration) *TenantOperationsApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithUpgrade")
+		}
+		b.Upgrade = append(b.Upgrade, *values[i])
+	}
+	return b
+}
+
+// WithDeprovisioning adds the given value to the Deprovisioning field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Deprovisioning field.
+func (b *TenantOperationsApplyConfiguration) WithDeprovisioning(values ...*TenantOperationWorkloadReferenceApplyConfiguration) *TenantOperationsApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithDeprovisioning")
+		}
+		b.Deprovisioning = append(b.Deprovisioning, *values[i])
+	}
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/tenantoperationworkloadreference.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/tenantoperationworkloadreference.go
new file mode 100644
index 0000000..a919db6
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/tenantoperationworkloadreference.go
@@ -0,0 +1,36 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// TenantOperationWorkloadReferenceApplyConfiguration represents an declarative configuration of the TenantOperationWorkloadReference type for use
+// with apply.
+type TenantOperationWorkloadReferenceApplyConfiguration struct {
+	WorkloadName      *string `json:"workloadName,omitempty"`
+	ContinueOnFailure *bool   `json:"continueOnFailure,omitempty"`
+}
+
+// TenantOperationWorkloadReferenceApplyConfiguration constructs an declarative configuration of the TenantOperationWorkloadReference type for use with
+// apply.
+func TenantOperationWorkloadReference() *TenantOperationWorkloadReferenceApplyConfiguration {
+	return &TenantOperationWorkloadReferenceApplyConfiguration{}
+}
+
+// WithWorkloadName sets the WorkloadName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the WorkloadName field is set to the value of the last call.
+func (b *TenantOperationWorkloadReferenceApplyConfiguration) WithWorkloadName(value string) *TenantOperationWorkloadReferenceApplyConfiguration {
+	b.WorkloadName = &value
+	return b
+}
+
+// WithContinueOnFailure sets the ContinueOnFailure field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ContinueOnFailure field is set to the value of the last call.
+func (b *TenantOperationWorkloadReferenceApplyConfiguration) WithContinueOnFailure(value bool) *TenantOperationWorkloadReferenceApplyConfiguration {
+	b.ContinueOnFailure = &value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/workloaddetails.go b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/workloaddetails.go
new file mode 100644
index 0000000..86e0de7
--- /dev/null
+++ b/pkg/client/applyconfiguration/sme.sap.com/v1alpha1/workloaddetails.go
@@ -0,0 +1,86 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// WorkloadDetailsApplyConfiguration represents an declarative configuration of the WorkloadDetails type for use
+// with apply.
+type WorkloadDetailsApplyConfiguration struct {
+	Name                 *string                              `json:"name,omitempty"`
+	ConsumedBTPServices  []string                             `json:"consumedBTPServices,omitempty"`
+	Labels               map[string]string                    `json:"labels,omitempty"`
+	Annotations          map[string]string                    `json:"annotations,omitempty"`
+	DeploymentDefinition *DeploymentDetailsApplyConfiguration `json:"deploymentDefinition,omitempty"`
+	JobDefinition        *JobDetailsApplyConfiguration        `json:"jobDefinition,omitempty"`
+}
+
+// WorkloadDetailsApplyConfiguration constructs an declarative configuration of the WorkloadDetails type for use with
+// apply.
+func WorkloadDetails() *WorkloadDetailsApplyConfiguration {
+	return &WorkloadDetailsApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *WorkloadDetailsApplyConfiguration) WithName(value string) *WorkloadDetailsApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithConsumedBTPServices adds the given value to the ConsumedBTPServices field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the ConsumedBTPServices field.
+func (b *WorkloadDetailsApplyConfiguration) WithConsumedBTPServices(values ...string) *WorkloadDetailsApplyConfiguration {
+	for i := range values {
+		b.ConsumedBTPServices = append(b.ConsumedBTPServices, values[i])
+	}
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *WorkloadDetailsApplyConfiguration) WithLabels(entries map[string]string) *WorkloadDetailsApplyConfiguration {
+	if b.Labels == nil && len(entries) > 0 {
+		b.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *WorkloadDetailsApplyConfiguration) WithAnnotations(entries map[string]string) *WorkloadDetailsApplyConfiguration {
+	if b.Annotations == nil && len(entries) > 0 {
+		b.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Annotations[k] = v
+	}
+	return b
+}
+
+// WithDeploymentDefinition sets the DeploymentDefinition field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeploymentDefinition field is set to the value of the last call.
+func (b *WorkloadDetailsApplyConfiguration) WithDeploymentDefinition(value *DeploymentDetailsApplyConfiguration) *WorkloadDetailsApplyConfiguration {
+	b.DeploymentDefinition = value
+	return b
+}
+
+// WithJobDefinition sets the JobDefinition field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the JobDefinition field is set to the value of the last call.
+func (b *WorkloadDetailsApplyConfiguration) WithJobDefinition(value *JobDetailsApplyConfiguration) *WorkloadDetailsApplyConfiguration {
+	b.JobDefinition = value
+	return b
+}
diff --git a/pkg/client/applyconfiguration/utils.go b/pkg/client/applyconfiguration/utils.go
new file mode 100644
index 0000000..e90cf67
--- /dev/null
+++ b/pkg/client/applyconfiguration/utils.go
@@ -0,0 +1,75 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package applyconfiguration
+
+import (
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/client/applyconfiguration/sme.sap.com/v1alpha1"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// ForKind returns an apply configuration type for the given GroupVersionKind, or nil if no
+// apply configuration type exists for the given GroupVersionKind.
+func ForKind(kind schema.GroupVersionKind) interface{} {
+	switch kind {
+	// Group=sme.sap.com, Version=v1alpha1
+	case v1alpha1.SchemeGroupVersion.WithKind("ApplicationDomains"):
+		return &smesapcomv1alpha1.ApplicationDomainsApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("BTP"):
+		return &smesapcomv1alpha1.BTPApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("BTPTenantIdentification"):
+		return &smesapcomv1alpha1.BTPTenantIdentificationApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CAPApplication"):
+		return &smesapcomv1alpha1.CAPApplicationApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CAPApplicationSpec"):
+		return &smesapcomv1alpha1.CAPApplicationSpecApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CAPApplicationStatus"):
+		return &smesapcomv1alpha1.CAPApplicationStatusApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CAPApplicationVersion"):
+		return &smesapcomv1alpha1.CAPApplicationVersionApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CAPApplicationVersionSpec"):
+		return &smesapcomv1alpha1.CAPApplicationVersionSpecApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CAPApplicationVersionStatus"):
+		return &smesapcomv1alpha1.CAPApplicationVersionStatusApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CAPTenant"):
+		return &smesapcomv1alpha1.CAPTenantApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CAPTenantOperation"):
+		return &smesapcomv1alpha1.CAPTenantOperationApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CAPTenantOperationSpec"):
+		return &smesapcomv1alpha1.CAPTenantOperationSpecApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CAPTenantOperationStatus"):
+		return &smesapcomv1alpha1.CAPTenantOperationStatusApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CAPTenantOperationStep"):
+		return &smesapcomv1alpha1.CAPTenantOperationStepApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CAPTenantSpec"):
+		return &smesapcomv1alpha1.CAPTenantSpecApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("CAPTenantStatus"):
+		return &smesapcomv1alpha1.CAPTenantStatusApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ContainerDetails"):
+		return &smesapcomv1alpha1.ContainerDetailsApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("DeploymentDetails"):
+		return &smesapcomv1alpha1.DeploymentDetailsApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("GenericStatus"):
+		return &smesapcomv1alpha1.GenericStatusApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("JobDetails"):
+		return &smesapcomv1alpha1.JobDetailsApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("NameValue"):
+		return &smesapcomv1alpha1.NameValueApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("Ports"):
+		return &smesapcomv1alpha1.PortsApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ServiceInfo"):
+		return &smesapcomv1alpha1.ServiceInfoApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("TenantOperations"):
+		return &smesapcomv1alpha1.TenantOperationsApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("TenantOperationWorkloadReference"):
+		return &smesapcomv1alpha1.TenantOperationWorkloadReferenceApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("WorkloadDetails"):
+		return &smesapcomv1alpha1.WorkloadDetailsApplyConfiguration{}
+
+	}
+	return nil
+}
diff --git a/pkg/client/clientset/versioned/clientset.go b/pkg/client/clientset/versioned/clientset.go
new file mode 100644
index 0000000..1c4e34d
--- /dev/null
+++ b/pkg/client/clientset/versioned/clientset.go
@@ -0,0 +1,108 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package versioned
+
+import (
+	"fmt"
+	"net/http"
+
+	smev1alpha1 "github.com/sap/cap-operator/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1"
+	discovery "k8s.io/client-go/discovery"
+	rest "k8s.io/client-go/rest"
+	flowcontrol "k8s.io/client-go/util/flowcontrol"
+)
+
+type Interface interface {
+	Discovery() discovery.DiscoveryInterface
+	SmeV1alpha1() smev1alpha1.SmeV1alpha1Interface
+}
+
+// Clientset contains the clients for groups.
+type Clientset struct {
+	*discovery.DiscoveryClient
+	smeV1alpha1 *smev1alpha1.SmeV1alpha1Client
+}
+
+// SmeV1alpha1 retrieves the SmeV1alpha1Client
+func (c *Clientset) SmeV1alpha1() smev1alpha1.SmeV1alpha1Interface {
+	return c.smeV1alpha1
+}
+
+// Discovery retrieves the DiscoveryClient
+func (c *Clientset) Discovery() discovery.DiscoveryInterface {
+	if c == nil {
+		return nil
+	}
+	return c.DiscoveryClient
+}
+
+// NewForConfig creates a new Clientset for the given config.
+// If config's RateLimiter is not set and QPS and Burst are acceptable,
+// NewForConfig will generate a rate-limiter in configShallowCopy.
+// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
+// where httpClient was generated with rest.HTTPClientFor(c).
+func NewForConfig(c *rest.Config) (*Clientset, error) {
+	configShallowCopy := *c
+
+	if configShallowCopy.UserAgent == "" {
+		configShallowCopy.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	// share the transport between all clients
+	httpClient, err := rest.HTTPClientFor(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewForConfigAndClient(&configShallowCopy, httpClient)
+}
+
+// NewForConfigAndClient creates a new Clientset for the given config and http client.
+// Note the http client provided takes precedence over the configured transport values.
+// If config's RateLimiter is not set and QPS and Burst are acceptable,
+// NewForConfigAndClient will generate a rate-limiter in configShallowCopy.
+func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset, error) {
+	configShallowCopy := *c
+	if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {
+		if configShallowCopy.Burst <= 0 {
+			return nil, fmt.Errorf("burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0")
+		}
+		configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)
+	}
+
+	var cs Clientset
+	var err error
+	cs.smeV1alpha1, err = smev1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient)
+	if err != nil {
+		return nil, err
+	}
+
+	cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfigAndClient(&configShallowCopy, httpClient)
+	if err != nil {
+		return nil, err
+	}
+	return &cs, nil
+}
+
+// NewForConfigOrDie creates a new Clientset for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *Clientset {
+	cs, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return cs
+}
+
+// New creates a new Clientset for the given RESTClient.
+func New(c rest.Interface) *Clientset {
+	var cs Clientset
+	cs.smeV1alpha1 = smev1alpha1.New(c)
+
+	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
+	return &cs
+}
diff --git a/pkg/client/clientset/versioned/fake/clientset_generated.go b/pkg/client/clientset/versioned/fake/clientset_generated.go
new file mode 100644
index 0000000..cd0c824
--- /dev/null
+++ b/pkg/client/clientset/versioned/fake/clientset_generated.go
@@ -0,0 +1,73 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	clientset "github.com/sap/cap-operator/pkg/client/clientset/versioned"
+	smev1alpha1 "github.com/sap/cap-operator/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1"
+	fakesmev1alpha1 "github.com/sap/cap-operator/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/discovery"
+	fakediscovery "k8s.io/client-go/discovery/fake"
+	"k8s.io/client-go/testing"
+)
+
+// NewSimpleClientset returns a clientset that will respond with the provided objects.
+// It's backed by a very simple object tracker that processes creates, updates and deletions as-is,
+// without applying any validations and/or defaults. It shouldn't be considered a replacement
+// for a real clientset and is mostly useful in simple unit tests.
+func NewSimpleClientset(objects ...runtime.Object) *Clientset {
+	o := testing.NewObjectTracker(scheme, codecs.UniversalDecoder())
+	for _, obj := range objects {
+		if err := o.Add(obj); err != nil {
+			panic(err)
+		}
+	}
+
+	cs := &Clientset{tracker: o}
+	cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake}
+	cs.AddReactor("*", "*", testing.ObjectReaction(o))
+	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
+		gvr := action.GetResource()
+		ns := action.GetNamespace()
+		watch, err := o.Watch(gvr, ns)
+		if err != nil {
+			return false, nil, err
+		}
+		return true, watch, nil
+	})
+
+	return cs
+}
+
+// Clientset implements clientset.Interface. Meant to be embedded into a
+// struct to get a default implementation. This makes faking out just the method
+// you want to test easier.
+type Clientset struct {
+	testing.Fake
+	discovery *fakediscovery.FakeDiscovery
+	tracker   testing.ObjectTracker
+}
+
+func (c *Clientset) Discovery() discovery.DiscoveryInterface {
+	return c.discovery
+}
+
+func (c *Clientset) Tracker() testing.ObjectTracker {
+	return c.tracker
+}
+
+var (
+	_ clientset.Interface = &Clientset{}
+	_ testing.FakeClient  = &Clientset{}
+)
+
+// SmeV1alpha1 retrieves the SmeV1alpha1Client
+func (c *Clientset) SmeV1alpha1() smev1alpha1.SmeV1alpha1Interface {
+	return &fakesmev1alpha1.FakeSmeV1alpha1{Fake: &c.Fake}
+}
diff --git a/pkg/client/clientset/versioned/fake/doc.go b/pkg/client/clientset/versioned/fake/doc.go
new file mode 100644
index 0000000..29cce4b
--- /dev/null
+++ b/pkg/client/clientset/versioned/fake/doc.go
@@ -0,0 +1,8 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated fake clientset.
+package fake
diff --git a/pkg/client/clientset/versioned/fake/register.go b/pkg/client/clientset/versioned/fake/register.go
new file mode 100644
index 0000000..a7fbaab
--- /dev/null
+++ b/pkg/client/clientset/versioned/fake/register.go
@@ -0,0 +1,44 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	smev1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+var scheme = runtime.NewScheme()
+var codecs = serializer.NewCodecFactory(scheme)
+
+var localSchemeBuilder = runtime.SchemeBuilder{
+	smev1alpha1.AddToScheme,
+}
+
+// AddToScheme adds all types of this clientset into the given scheme. This allows composition
+// of clientsets, like in:
+//
+//	import (
+//	  "k8s.io/client-go/kubernetes"
+//	  clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+//	  aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
+//	)
+//
+//	kclientset, _ := kubernetes.NewForConfig(c)
+//	_ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
+//
+// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
+// correctly.
+var AddToScheme = localSchemeBuilder.AddToScheme
+
+func init() {
+	v1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"})
+	utilruntime.Must(AddToScheme(scheme))
+}
diff --git a/pkg/client/clientset/versioned/scheme/doc.go b/pkg/client/clientset/versioned/scheme/doc.go
new file mode 100644
index 0000000..42d6fb6
--- /dev/null
+++ b/pkg/client/clientset/versioned/scheme/doc.go
@@ -0,0 +1,8 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package contains the scheme of the automatically generated clientset.
+package scheme
diff --git a/pkg/client/clientset/versioned/scheme/register.go b/pkg/client/clientset/versioned/scheme/register.go
new file mode 100644
index 0000000..6558109
--- /dev/null
+++ b/pkg/client/clientset/versioned/scheme/register.go
@@ -0,0 +1,44 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package scheme
+
+import (
+	smev1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+var Scheme = runtime.NewScheme()
+var Codecs = serializer.NewCodecFactory(Scheme)
+var ParameterCodec = runtime.NewParameterCodec(Scheme)
+var localSchemeBuilder = runtime.SchemeBuilder{
+	smev1alpha1.AddToScheme,
+}
+
+// AddToScheme adds all types of this clientset into the given scheme. This allows composition
+// of clientsets, like in:
+//
+//	import (
+//	  "k8s.io/client-go/kubernetes"
+//	  clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+//	  aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
+//	)
+//
+//	kclientset, _ := kubernetes.NewForConfig(c)
+//	_ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
+//
+// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
+// correctly.
+var AddToScheme = localSchemeBuilder.AddToScheme
+
+func init() {
+	v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"})
+	utilruntime.Must(AddToScheme(Scheme))
+}
diff --git a/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/capapplication.go b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/capapplication.go
new file mode 100644
index 0000000..c54505f
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/capapplication.go
@@ -0,0 +1,244 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	json "encoding/json"
+	"fmt"
+	"time"
+
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/client/applyconfiguration/sme.sap.com/v1alpha1"
+	scheme "github.com/sap/cap-operator/pkg/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// CAPApplicationsGetter has a method to return a CAPApplicationInterface.
+// A group's client should implement this interface.
+type CAPApplicationsGetter interface {
+	CAPApplications(namespace string) CAPApplicationInterface
+}
+
+// CAPApplicationInterface has methods to work with CAPApplication resources.
+type CAPApplicationInterface interface {
+	Create(ctx context.Context, cAPApplication *v1alpha1.CAPApplication, opts v1.CreateOptions) (*v1alpha1.CAPApplication, error)
+	Update(ctx context.Context, cAPApplication *v1alpha1.CAPApplication, opts v1.UpdateOptions) (*v1alpha1.CAPApplication, error)
+	UpdateStatus(ctx context.Context, cAPApplication *v1alpha1.CAPApplication, opts v1.UpdateOptions) (*v1alpha1.CAPApplication, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CAPApplication, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CAPApplicationList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CAPApplication, err error)
+	Apply(ctx context.Context, cAPApplication *smesapcomv1alpha1.CAPApplicationApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPApplication, err error)
+	ApplyStatus(ctx context.Context, cAPApplication *smesapcomv1alpha1.CAPApplicationApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPApplication, err error)
+	CAPApplicationExpansion
+}
+
+// cAPApplications implements CAPApplicationInterface
+type cAPApplications struct {
+	client rest.Interface
+	ns     string
+}
+
+// newCAPApplications returns a CAPApplications
+func newCAPApplications(c *SmeV1alpha1Client, namespace string) *cAPApplications {
+	return &cAPApplications{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the cAPApplication, and returns the corresponding cAPApplication object, and an error if there is any.
+func (c *cAPApplications) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CAPApplication, err error) {
+	result = &v1alpha1.CAPApplication{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("capapplications").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of CAPApplications that match those selectors.
+func (c *cAPApplications) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CAPApplicationList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.CAPApplicationList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("capapplications").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested cAPApplications.
+func (c *cAPApplications) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("capapplications").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a cAPApplication and creates it.  Returns the server's representation of the cAPApplication, and an error, if there is any.
+func (c *cAPApplications) Create(ctx context.Context, cAPApplication *v1alpha1.CAPApplication, opts v1.CreateOptions) (result *v1alpha1.CAPApplication, err error) {
+	result = &v1alpha1.CAPApplication{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("capapplications").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cAPApplication).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a cAPApplication and updates it. Returns the server's representation of the cAPApplication, and an error, if there is any.
+func (c *cAPApplications) Update(ctx context.Context, cAPApplication *v1alpha1.CAPApplication, opts v1.UpdateOptions) (result *v1alpha1.CAPApplication, err error) {
+	result = &v1alpha1.CAPApplication{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("capapplications").
+		Name(cAPApplication.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cAPApplication).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *cAPApplications) UpdateStatus(ctx context.Context, cAPApplication *v1alpha1.CAPApplication, opts v1.UpdateOptions) (result *v1alpha1.CAPApplication, err error) {
+	result = &v1alpha1.CAPApplication{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("capapplications").
+		Name(cAPApplication.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cAPApplication).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the cAPApplication and deletes it. Returns an error if one occurs.
+func (c *cAPApplications) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("capapplications").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *cAPApplications) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("capapplications").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched cAPApplication.
+func (c *cAPApplications) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CAPApplication, err error) {
+	result = &v1alpha1.CAPApplication{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("capapplications").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Apply takes the given apply declarative configuration, applies it and returns the applied cAPApplication.
+func (c *cAPApplications) Apply(ctx context.Context, cAPApplication *smesapcomv1alpha1.CAPApplicationApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPApplication, err error) {
+	if cAPApplication == nil {
+		return nil, fmt.Errorf("cAPApplication provided to Apply must not be nil")
+	}
+	patchOpts := opts.ToPatchOptions()
+	data, err := json.Marshal(cAPApplication)
+	if err != nil {
+		return nil, err
+	}
+	name := cAPApplication.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPApplication.Name must be provided to Apply")
+	}
+	result = &v1alpha1.CAPApplication{}
+	err = c.client.Patch(types.ApplyPatchType).
+		Namespace(c.ns).
+		Resource("capapplications").
+		Name(*name).
+		VersionedParams(&patchOpts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// ApplyStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+func (c *cAPApplications) ApplyStatus(ctx context.Context, cAPApplication *smesapcomv1alpha1.CAPApplicationApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPApplication, err error) {
+	if cAPApplication == nil {
+		return nil, fmt.Errorf("cAPApplication provided to Apply must not be nil")
+	}
+	patchOpts := opts.ToPatchOptions()
+	data, err := json.Marshal(cAPApplication)
+	if err != nil {
+		return nil, err
+	}
+
+	name := cAPApplication.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPApplication.Name must be provided to Apply")
+	}
+
+	result = &v1alpha1.CAPApplication{}
+	err = c.client.Patch(types.ApplyPatchType).
+		Namespace(c.ns).
+		Resource("capapplications").
+		Name(*name).
+		SubResource("status").
+		VersionedParams(&patchOpts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
diff --git a/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/capapplicationversion.go b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/capapplicationversion.go
new file mode 100644
index 0000000..a53428f
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/capapplicationversion.go
@@ -0,0 +1,244 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	json "encoding/json"
+	"fmt"
+	"time"
+
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/client/applyconfiguration/sme.sap.com/v1alpha1"
+	scheme "github.com/sap/cap-operator/pkg/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// CAPApplicationVersionsGetter has a method to return a CAPApplicationVersionInterface.
+// A group's client should implement this interface.
+type CAPApplicationVersionsGetter interface {
+	CAPApplicationVersions(namespace string) CAPApplicationVersionInterface
+}
+
+// CAPApplicationVersionInterface has methods to work with CAPApplicationVersion resources.
+type CAPApplicationVersionInterface interface {
+	Create(ctx context.Context, cAPApplicationVersion *v1alpha1.CAPApplicationVersion, opts v1.CreateOptions) (*v1alpha1.CAPApplicationVersion, error)
+	Update(ctx context.Context, cAPApplicationVersion *v1alpha1.CAPApplicationVersion, opts v1.UpdateOptions) (*v1alpha1.CAPApplicationVersion, error)
+	UpdateStatus(ctx context.Context, cAPApplicationVersion *v1alpha1.CAPApplicationVersion, opts v1.UpdateOptions) (*v1alpha1.CAPApplicationVersion, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CAPApplicationVersion, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CAPApplicationVersionList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CAPApplicationVersion, err error)
+	Apply(ctx context.Context, cAPApplicationVersion *smesapcomv1alpha1.CAPApplicationVersionApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPApplicationVersion, err error)
+	ApplyStatus(ctx context.Context, cAPApplicationVersion *smesapcomv1alpha1.CAPApplicationVersionApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPApplicationVersion, err error)
+	CAPApplicationVersionExpansion
+}
+
+// cAPApplicationVersions implements CAPApplicationVersionInterface
+type cAPApplicationVersions struct {
+	client rest.Interface
+	ns     string
+}
+
+// newCAPApplicationVersions returns a CAPApplicationVersions
+func newCAPApplicationVersions(c *SmeV1alpha1Client, namespace string) *cAPApplicationVersions {
+	return &cAPApplicationVersions{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the cAPApplicationVersion, and returns the corresponding cAPApplicationVersion object, and an error if there is any.
+func (c *cAPApplicationVersions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CAPApplicationVersion, err error) {
+	result = &v1alpha1.CAPApplicationVersion{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("capapplicationversions").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of CAPApplicationVersions that match those selectors.
+func (c *cAPApplicationVersions) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CAPApplicationVersionList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.CAPApplicationVersionList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("capapplicationversions").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested cAPApplicationVersions.
+func (c *cAPApplicationVersions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("capapplicationversions").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a cAPApplicationVersion and creates it.  Returns the server's representation of the cAPApplicationVersion, and an error, if there is any.
+func (c *cAPApplicationVersions) Create(ctx context.Context, cAPApplicationVersion *v1alpha1.CAPApplicationVersion, opts v1.CreateOptions) (result *v1alpha1.CAPApplicationVersion, err error) {
+	result = &v1alpha1.CAPApplicationVersion{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("capapplicationversions").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cAPApplicationVersion).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a cAPApplicationVersion and updates it. Returns the server's representation of the cAPApplicationVersion, and an error, if there is any.
+func (c *cAPApplicationVersions) Update(ctx context.Context, cAPApplicationVersion *v1alpha1.CAPApplicationVersion, opts v1.UpdateOptions) (result *v1alpha1.CAPApplicationVersion, err error) {
+	result = &v1alpha1.CAPApplicationVersion{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("capapplicationversions").
+		Name(cAPApplicationVersion.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cAPApplicationVersion).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *cAPApplicationVersions) UpdateStatus(ctx context.Context, cAPApplicationVersion *v1alpha1.CAPApplicationVersion, opts v1.UpdateOptions) (result *v1alpha1.CAPApplicationVersion, err error) {
+	result = &v1alpha1.CAPApplicationVersion{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("capapplicationversions").
+		Name(cAPApplicationVersion.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cAPApplicationVersion).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the cAPApplicationVersion and deletes it. Returns an error if one occurs.
+func (c *cAPApplicationVersions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("capapplicationversions").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *cAPApplicationVersions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("capapplicationversions").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched cAPApplicationVersion.
+func (c *cAPApplicationVersions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CAPApplicationVersion, err error) {
+	result = &v1alpha1.CAPApplicationVersion{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("capapplicationversions").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Apply takes the given apply declarative configuration, applies it and returns the applied cAPApplicationVersion.
+func (c *cAPApplicationVersions) Apply(ctx context.Context, cAPApplicationVersion *smesapcomv1alpha1.CAPApplicationVersionApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPApplicationVersion, err error) {
+	if cAPApplicationVersion == nil {
+		return nil, fmt.Errorf("cAPApplicationVersion provided to Apply must not be nil")
+	}
+	patchOpts := opts.ToPatchOptions()
+	data, err := json.Marshal(cAPApplicationVersion)
+	if err != nil {
+		return nil, err
+	}
+	name := cAPApplicationVersion.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPApplicationVersion.Name must be provided to Apply")
+	}
+	result = &v1alpha1.CAPApplicationVersion{}
+	err = c.client.Patch(types.ApplyPatchType).
+		Namespace(c.ns).
+		Resource("capapplicationversions").
+		Name(*name).
+		VersionedParams(&patchOpts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// ApplyStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+func (c *cAPApplicationVersions) ApplyStatus(ctx context.Context, cAPApplicationVersion *smesapcomv1alpha1.CAPApplicationVersionApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPApplicationVersion, err error) {
+	if cAPApplicationVersion == nil {
+		return nil, fmt.Errorf("cAPApplicationVersion provided to Apply must not be nil")
+	}
+	patchOpts := opts.ToPatchOptions()
+	data, err := json.Marshal(cAPApplicationVersion)
+	if err != nil {
+		return nil, err
+	}
+
+	name := cAPApplicationVersion.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPApplicationVersion.Name must be provided to Apply")
+	}
+
+	result = &v1alpha1.CAPApplicationVersion{}
+	err = c.client.Patch(types.ApplyPatchType).
+		Namespace(c.ns).
+		Resource("capapplicationversions").
+		Name(*name).
+		SubResource("status").
+		VersionedParams(&patchOpts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
diff --git a/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/captenant.go b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/captenant.go
new file mode 100644
index 0000000..19cb768
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/captenant.go
@@ -0,0 +1,244 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	json "encoding/json"
+	"fmt"
+	"time"
+
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/client/applyconfiguration/sme.sap.com/v1alpha1"
+	scheme "github.com/sap/cap-operator/pkg/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// CAPTenantsGetter has a method to return a CAPTenantInterface.
+// A group's client should implement this interface.
+type CAPTenantsGetter interface {
+	CAPTenants(namespace string) CAPTenantInterface
+}
+
+// CAPTenantInterface has methods to work with CAPTenant resources.
+type CAPTenantInterface interface {
+	Create(ctx context.Context, cAPTenant *v1alpha1.CAPTenant, opts v1.CreateOptions) (*v1alpha1.CAPTenant, error)
+	Update(ctx context.Context, cAPTenant *v1alpha1.CAPTenant, opts v1.UpdateOptions) (*v1alpha1.CAPTenant, error)
+	UpdateStatus(ctx context.Context, cAPTenant *v1alpha1.CAPTenant, opts v1.UpdateOptions) (*v1alpha1.CAPTenant, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CAPTenant, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CAPTenantList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CAPTenant, err error)
+	Apply(ctx context.Context, cAPTenant *smesapcomv1alpha1.CAPTenantApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPTenant, err error)
+	ApplyStatus(ctx context.Context, cAPTenant *smesapcomv1alpha1.CAPTenantApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPTenant, err error)
+	CAPTenantExpansion
+}
+
+// cAPTenants implements CAPTenantInterface
+type cAPTenants struct {
+	client rest.Interface
+	ns     string
+}
+
+// newCAPTenants returns a CAPTenants
+func newCAPTenants(c *SmeV1alpha1Client, namespace string) *cAPTenants {
+	return &cAPTenants{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the cAPTenant, and returns the corresponding cAPTenant object, and an error if there is any.
+func (c *cAPTenants) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CAPTenant, err error) {
+	result = &v1alpha1.CAPTenant{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("captenants").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of CAPTenants that match those selectors.
+func (c *cAPTenants) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CAPTenantList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.CAPTenantList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("captenants").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested cAPTenants.
+func (c *cAPTenants) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("captenants").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a cAPTenant and creates it.  Returns the server's representation of the cAPTenant, and an error, if there is any.
+func (c *cAPTenants) Create(ctx context.Context, cAPTenant *v1alpha1.CAPTenant, opts v1.CreateOptions) (result *v1alpha1.CAPTenant, err error) {
+	result = &v1alpha1.CAPTenant{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("captenants").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cAPTenant).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a cAPTenant and updates it. Returns the server's representation of the cAPTenant, and an error, if there is any.
+func (c *cAPTenants) Update(ctx context.Context, cAPTenant *v1alpha1.CAPTenant, opts v1.UpdateOptions) (result *v1alpha1.CAPTenant, err error) {
+	result = &v1alpha1.CAPTenant{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("captenants").
+		Name(cAPTenant.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cAPTenant).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *cAPTenants) UpdateStatus(ctx context.Context, cAPTenant *v1alpha1.CAPTenant, opts v1.UpdateOptions) (result *v1alpha1.CAPTenant, err error) {
+	result = &v1alpha1.CAPTenant{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("captenants").
+		Name(cAPTenant.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cAPTenant).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the cAPTenant and deletes it. Returns an error if one occurs.
+func (c *cAPTenants) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("captenants").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *cAPTenants) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("captenants").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched cAPTenant.
+func (c *cAPTenants) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CAPTenant, err error) {
+	result = &v1alpha1.CAPTenant{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("captenants").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Apply takes the given apply declarative configuration, applies it and returns the applied cAPTenant.
+func (c *cAPTenants) Apply(ctx context.Context, cAPTenant *smesapcomv1alpha1.CAPTenantApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPTenant, err error) {
+	if cAPTenant == nil {
+		return nil, fmt.Errorf("cAPTenant provided to Apply must not be nil")
+	}
+	patchOpts := opts.ToPatchOptions()
+	data, err := json.Marshal(cAPTenant)
+	if err != nil {
+		return nil, err
+	}
+	name := cAPTenant.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPTenant.Name must be provided to Apply")
+	}
+	result = &v1alpha1.CAPTenant{}
+	err = c.client.Patch(types.ApplyPatchType).
+		Namespace(c.ns).
+		Resource("captenants").
+		Name(*name).
+		VersionedParams(&patchOpts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// ApplyStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+func (c *cAPTenants) ApplyStatus(ctx context.Context, cAPTenant *smesapcomv1alpha1.CAPTenantApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPTenant, err error) {
+	if cAPTenant == nil {
+		return nil, fmt.Errorf("cAPTenant provided to Apply must not be nil")
+	}
+	patchOpts := opts.ToPatchOptions()
+	data, err := json.Marshal(cAPTenant)
+	if err != nil {
+		return nil, err
+	}
+
+	name := cAPTenant.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPTenant.Name must be provided to Apply")
+	}
+
+	result = &v1alpha1.CAPTenant{}
+	err = c.client.Patch(types.ApplyPatchType).
+		Namespace(c.ns).
+		Resource("captenants").
+		Name(*name).
+		SubResource("status").
+		VersionedParams(&patchOpts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
diff --git a/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/captenantoperation.go b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/captenantoperation.go
new file mode 100644
index 0000000..7d4f6a9
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/captenantoperation.go
@@ -0,0 +1,244 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	json "encoding/json"
+	"fmt"
+	"time"
+
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/client/applyconfiguration/sme.sap.com/v1alpha1"
+	scheme "github.com/sap/cap-operator/pkg/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// CAPTenantOperationsGetter has a method to return a CAPTenantOperationInterface.
+// A group's client should implement this interface.
+type CAPTenantOperationsGetter interface {
+	CAPTenantOperations(namespace string) CAPTenantOperationInterface
+}
+
+// CAPTenantOperationInterface has methods to work with CAPTenantOperation resources.
+type CAPTenantOperationInterface interface {
+	Create(ctx context.Context, cAPTenantOperation *v1alpha1.CAPTenantOperation, opts v1.CreateOptions) (*v1alpha1.CAPTenantOperation, error)
+	Update(ctx context.Context, cAPTenantOperation *v1alpha1.CAPTenantOperation, opts v1.UpdateOptions) (*v1alpha1.CAPTenantOperation, error)
+	UpdateStatus(ctx context.Context, cAPTenantOperation *v1alpha1.CAPTenantOperation, opts v1.UpdateOptions) (*v1alpha1.CAPTenantOperation, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CAPTenantOperation, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CAPTenantOperationList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CAPTenantOperation, err error)
+	Apply(ctx context.Context, cAPTenantOperation *smesapcomv1alpha1.CAPTenantOperationApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPTenantOperation, err error)
+	ApplyStatus(ctx context.Context, cAPTenantOperation *smesapcomv1alpha1.CAPTenantOperationApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPTenantOperation, err error)
+	CAPTenantOperationExpansion
+}
+
+// cAPTenantOperations implements CAPTenantOperationInterface
+type cAPTenantOperations struct {
+	client rest.Interface
+	ns     string
+}
+
+// newCAPTenantOperations returns a CAPTenantOperations
+func newCAPTenantOperations(c *SmeV1alpha1Client, namespace string) *cAPTenantOperations {
+	return &cAPTenantOperations{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the cAPTenantOperation, and returns the corresponding cAPTenantOperation object, and an error if there is any.
+func (c *cAPTenantOperations) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CAPTenantOperation, err error) {
+	result = &v1alpha1.CAPTenantOperation{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("captenantoperations").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of CAPTenantOperations that match those selectors.
+func (c *cAPTenantOperations) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CAPTenantOperationList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.CAPTenantOperationList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("captenantoperations").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested cAPTenantOperations.
+func (c *cAPTenantOperations) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("captenantoperations").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a cAPTenantOperation and creates it.  Returns the server's representation of the cAPTenantOperation, and an error, if there is any.
+func (c *cAPTenantOperations) Create(ctx context.Context, cAPTenantOperation *v1alpha1.CAPTenantOperation, opts v1.CreateOptions) (result *v1alpha1.CAPTenantOperation, err error) {
+	result = &v1alpha1.CAPTenantOperation{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("captenantoperations").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cAPTenantOperation).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a cAPTenantOperation and updates it. Returns the server's representation of the cAPTenantOperation, and an error, if there is any.
+func (c *cAPTenantOperations) Update(ctx context.Context, cAPTenantOperation *v1alpha1.CAPTenantOperation, opts v1.UpdateOptions) (result *v1alpha1.CAPTenantOperation, err error) {
+	result = &v1alpha1.CAPTenantOperation{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("captenantoperations").
+		Name(cAPTenantOperation.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cAPTenantOperation).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *cAPTenantOperations) UpdateStatus(ctx context.Context, cAPTenantOperation *v1alpha1.CAPTenantOperation, opts v1.UpdateOptions) (result *v1alpha1.CAPTenantOperation, err error) {
+	result = &v1alpha1.CAPTenantOperation{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("captenantoperations").
+		Name(cAPTenantOperation.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cAPTenantOperation).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the cAPTenantOperation and deletes it. Returns an error if one occurs.
+func (c *cAPTenantOperations) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("captenantoperations").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *cAPTenantOperations) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("captenantoperations").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched cAPTenantOperation.
+func (c *cAPTenantOperations) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CAPTenantOperation, err error) {
+	result = &v1alpha1.CAPTenantOperation{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("captenantoperations").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Apply takes the given apply declarative configuration, applies it and returns the applied cAPTenantOperation.
+func (c *cAPTenantOperations) Apply(ctx context.Context, cAPTenantOperation *smesapcomv1alpha1.CAPTenantOperationApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPTenantOperation, err error) {
+	if cAPTenantOperation == nil {
+		return nil, fmt.Errorf("cAPTenantOperation provided to Apply must not be nil")
+	}
+	patchOpts := opts.ToPatchOptions()
+	data, err := json.Marshal(cAPTenantOperation)
+	if err != nil {
+		return nil, err
+	}
+	name := cAPTenantOperation.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPTenantOperation.Name must be provided to Apply")
+	}
+	result = &v1alpha1.CAPTenantOperation{}
+	err = c.client.Patch(types.ApplyPatchType).
+		Namespace(c.ns).
+		Resource("captenantoperations").
+		Name(*name).
+		VersionedParams(&patchOpts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// ApplyStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+func (c *cAPTenantOperations) ApplyStatus(ctx context.Context, cAPTenantOperation *smesapcomv1alpha1.CAPTenantOperationApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPTenantOperation, err error) {
+	if cAPTenantOperation == nil {
+		return nil, fmt.Errorf("cAPTenantOperation provided to Apply must not be nil")
+	}
+	patchOpts := opts.ToPatchOptions()
+	data, err := json.Marshal(cAPTenantOperation)
+	if err != nil {
+		return nil, err
+	}
+
+	name := cAPTenantOperation.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPTenantOperation.Name must be provided to Apply")
+	}
+
+	result = &v1alpha1.CAPTenantOperation{}
+	err = c.client.Patch(types.ApplyPatchType).
+		Namespace(c.ns).
+		Resource("captenantoperations").
+		Name(*name).
+		SubResource("status").
+		VersionedParams(&patchOpts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
diff --git a/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/doc.go b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/doc.go
new file mode 100644
index 0000000..6b9df16
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/doc.go
@@ -0,0 +1,8 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+// This package has the automatically generated typed clients.
+package v1alpha1
diff --git a/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/doc.go b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/doc.go
new file mode 100644
index 0000000..f8cf898
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/doc.go
@@ -0,0 +1,8 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+// Package fake has the automatically generated clients.
+package fake
diff --git a/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_capapplication.go b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_capapplication.go
new file mode 100644
index 0000000..408dc20
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_capapplication.go
@@ -0,0 +1,177 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+	json "encoding/json"
+	"fmt"
+
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/client/applyconfiguration/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeCAPApplications implements CAPApplicationInterface
+type FakeCAPApplications struct {
+	Fake *FakeSmeV1alpha1
+	ns   string
+}
+
+var capapplicationsResource = v1alpha1.SchemeGroupVersion.WithResource("capapplications")
+
+var capapplicationsKind = v1alpha1.SchemeGroupVersion.WithKind("CAPApplication")
+
+// Get takes name of the cAPApplication, and returns the corresponding cAPApplication object, and an error if there is any.
+func (c *FakeCAPApplications) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CAPApplication, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(capapplicationsResource, c.ns, name), &v1alpha1.CAPApplication{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplication), err
+}
+
+// List takes label and field selectors, and returns the list of CAPApplications that match those selectors.
+func (c *FakeCAPApplications) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CAPApplicationList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(capapplicationsResource, capapplicationsKind, c.ns, opts), &v1alpha1.CAPApplicationList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.CAPApplicationList{ListMeta: obj.(*v1alpha1.CAPApplicationList).ListMeta}
+	for _, item := range obj.(*v1alpha1.CAPApplicationList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested cAPApplications.
+func (c *FakeCAPApplications) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(capapplicationsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a cAPApplication and creates it.  Returns the server's representation of the cAPApplication, and an error, if there is any.
+func (c *FakeCAPApplications) Create(ctx context.Context, cAPApplication *v1alpha1.CAPApplication, opts v1.CreateOptions) (result *v1alpha1.CAPApplication, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(capapplicationsResource, c.ns, cAPApplication), &v1alpha1.CAPApplication{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplication), err
+}
+
+// Update takes the representation of a cAPApplication and updates it. Returns the server's representation of the cAPApplication, and an error, if there is any.
+func (c *FakeCAPApplications) Update(ctx context.Context, cAPApplication *v1alpha1.CAPApplication, opts v1.UpdateOptions) (result *v1alpha1.CAPApplication, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(capapplicationsResource, c.ns, cAPApplication), &v1alpha1.CAPApplication{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplication), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeCAPApplications) UpdateStatus(ctx context.Context, cAPApplication *v1alpha1.CAPApplication, opts v1.UpdateOptions) (*v1alpha1.CAPApplication, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(capapplicationsResource, "status", c.ns, cAPApplication), &v1alpha1.CAPApplication{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplication), err
+}
+
+// Delete takes name of the cAPApplication and deletes it. Returns an error if one occurs.
+func (c *FakeCAPApplications) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteActionWithOptions(capapplicationsResource, c.ns, name, opts), &v1alpha1.CAPApplication{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeCAPApplications) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(capapplicationsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.CAPApplicationList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched cAPApplication.
+func (c *FakeCAPApplications) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CAPApplication, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(capapplicationsResource, c.ns, name, pt, data, subresources...), &v1alpha1.CAPApplication{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplication), err
+}
+
+// Apply takes the given apply declarative configuration, applies it and returns the applied cAPApplication.
+func (c *FakeCAPApplications) Apply(ctx context.Context, cAPApplication *smesapcomv1alpha1.CAPApplicationApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPApplication, err error) {
+	if cAPApplication == nil {
+		return nil, fmt.Errorf("cAPApplication provided to Apply must not be nil")
+	}
+	data, err := json.Marshal(cAPApplication)
+	if err != nil {
+		return nil, err
+	}
+	name := cAPApplication.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPApplication.Name must be provided to Apply")
+	}
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(capapplicationsResource, c.ns, *name, types.ApplyPatchType, data), &v1alpha1.CAPApplication{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplication), err
+}
+
+// ApplyStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+func (c *FakeCAPApplications) ApplyStatus(ctx context.Context, cAPApplication *smesapcomv1alpha1.CAPApplicationApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPApplication, err error) {
+	if cAPApplication == nil {
+		return nil, fmt.Errorf("cAPApplication provided to Apply must not be nil")
+	}
+	data, err := json.Marshal(cAPApplication)
+	if err != nil {
+		return nil, err
+	}
+	name := cAPApplication.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPApplication.Name must be provided to Apply")
+	}
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(capapplicationsResource, c.ns, *name, types.ApplyPatchType, data, "status"), &v1alpha1.CAPApplication{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplication), err
+}
diff --git a/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_capapplicationversion.go b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_capapplicationversion.go
new file mode 100644
index 0000000..ce41d39
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_capapplicationversion.go
@@ -0,0 +1,177 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+	json "encoding/json"
+	"fmt"
+
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/client/applyconfiguration/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeCAPApplicationVersions implements CAPApplicationVersionInterface
+type FakeCAPApplicationVersions struct {
+	Fake *FakeSmeV1alpha1
+	ns   string
+}
+
+var capapplicationversionsResource = v1alpha1.SchemeGroupVersion.WithResource("capapplicationversions")
+
+var capapplicationversionsKind = v1alpha1.SchemeGroupVersion.WithKind("CAPApplicationVersion")
+
+// Get takes name of the cAPApplicationVersion, and returns the corresponding cAPApplicationVersion object, and an error if there is any.
+func (c *FakeCAPApplicationVersions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CAPApplicationVersion, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(capapplicationversionsResource, c.ns, name), &v1alpha1.CAPApplicationVersion{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplicationVersion), err
+}
+
+// List takes label and field selectors, and returns the list of CAPApplicationVersions that match those selectors.
+func (c *FakeCAPApplicationVersions) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CAPApplicationVersionList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(capapplicationversionsResource, capapplicationversionsKind, c.ns, opts), &v1alpha1.CAPApplicationVersionList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.CAPApplicationVersionList{ListMeta: obj.(*v1alpha1.CAPApplicationVersionList).ListMeta}
+	for _, item := range obj.(*v1alpha1.CAPApplicationVersionList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested cAPApplicationVersions.
+func (c *FakeCAPApplicationVersions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(capapplicationversionsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a cAPApplicationVersion and creates it.  Returns the server's representation of the cAPApplicationVersion, and an error, if there is any.
+func (c *FakeCAPApplicationVersions) Create(ctx context.Context, cAPApplicationVersion *v1alpha1.CAPApplicationVersion, opts v1.CreateOptions) (result *v1alpha1.CAPApplicationVersion, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(capapplicationversionsResource, c.ns, cAPApplicationVersion), &v1alpha1.CAPApplicationVersion{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplicationVersion), err
+}
+
+// Update takes the representation of a cAPApplicationVersion and updates it. Returns the server's representation of the cAPApplicationVersion, and an error, if there is any.
+func (c *FakeCAPApplicationVersions) Update(ctx context.Context, cAPApplicationVersion *v1alpha1.CAPApplicationVersion, opts v1.UpdateOptions) (result *v1alpha1.CAPApplicationVersion, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(capapplicationversionsResource, c.ns, cAPApplicationVersion), &v1alpha1.CAPApplicationVersion{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplicationVersion), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeCAPApplicationVersions) UpdateStatus(ctx context.Context, cAPApplicationVersion *v1alpha1.CAPApplicationVersion, opts v1.UpdateOptions) (*v1alpha1.CAPApplicationVersion, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(capapplicationversionsResource, "status", c.ns, cAPApplicationVersion), &v1alpha1.CAPApplicationVersion{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplicationVersion), err
+}
+
+// Delete takes name of the cAPApplicationVersion and deletes it. Returns an error if one occurs.
+func (c *FakeCAPApplicationVersions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteActionWithOptions(capapplicationversionsResource, c.ns, name, opts), &v1alpha1.CAPApplicationVersion{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeCAPApplicationVersions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(capapplicationversionsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.CAPApplicationVersionList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched cAPApplicationVersion.
+func (c *FakeCAPApplicationVersions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CAPApplicationVersion, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(capapplicationversionsResource, c.ns, name, pt, data, subresources...), &v1alpha1.CAPApplicationVersion{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplicationVersion), err
+}
+
+// Apply takes the given apply declarative configuration, applies it and returns the applied cAPApplicationVersion.
+func (c *FakeCAPApplicationVersions) Apply(ctx context.Context, cAPApplicationVersion *smesapcomv1alpha1.CAPApplicationVersionApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPApplicationVersion, err error) {
+	if cAPApplicationVersion == nil {
+		return nil, fmt.Errorf("cAPApplicationVersion provided to Apply must not be nil")
+	}
+	data, err := json.Marshal(cAPApplicationVersion)
+	if err != nil {
+		return nil, err
+	}
+	name := cAPApplicationVersion.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPApplicationVersion.Name must be provided to Apply")
+	}
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(capapplicationversionsResource, c.ns, *name, types.ApplyPatchType, data), &v1alpha1.CAPApplicationVersion{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplicationVersion), err
+}
+
+// ApplyStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+func (c *FakeCAPApplicationVersions) ApplyStatus(ctx context.Context, cAPApplicationVersion *smesapcomv1alpha1.CAPApplicationVersionApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPApplicationVersion, err error) {
+	if cAPApplicationVersion == nil {
+		return nil, fmt.Errorf("cAPApplicationVersion provided to Apply must not be nil")
+	}
+	data, err := json.Marshal(cAPApplicationVersion)
+	if err != nil {
+		return nil, err
+	}
+	name := cAPApplicationVersion.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPApplicationVersion.Name must be provided to Apply")
+	}
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(capapplicationversionsResource, c.ns, *name, types.ApplyPatchType, data, "status"), &v1alpha1.CAPApplicationVersion{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPApplicationVersion), err
+}
diff --git a/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_captenant.go b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_captenant.go
new file mode 100644
index 0000000..4f32862
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_captenant.go
@@ -0,0 +1,177 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+	json "encoding/json"
+	"fmt"
+
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/client/applyconfiguration/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeCAPTenants implements CAPTenantInterface
+type FakeCAPTenants struct {
+	Fake *FakeSmeV1alpha1
+	ns   string
+}
+
+var captenantsResource = v1alpha1.SchemeGroupVersion.WithResource("captenants")
+
+var captenantsKind = v1alpha1.SchemeGroupVersion.WithKind("CAPTenant")
+
+// Get takes name of the cAPTenant, and returns the corresponding cAPTenant object, and an error if there is any.
+func (c *FakeCAPTenants) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CAPTenant, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(captenantsResource, c.ns, name), &v1alpha1.CAPTenant{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenant), err
+}
+
+// List takes label and field selectors, and returns the list of CAPTenants that match those selectors.
+func (c *FakeCAPTenants) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CAPTenantList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(captenantsResource, captenantsKind, c.ns, opts), &v1alpha1.CAPTenantList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.CAPTenantList{ListMeta: obj.(*v1alpha1.CAPTenantList).ListMeta}
+	for _, item := range obj.(*v1alpha1.CAPTenantList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested cAPTenants.
+func (c *FakeCAPTenants) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(captenantsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a cAPTenant and creates it.  Returns the server's representation of the cAPTenant, and an error, if there is any.
+func (c *FakeCAPTenants) Create(ctx context.Context, cAPTenant *v1alpha1.CAPTenant, opts v1.CreateOptions) (result *v1alpha1.CAPTenant, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(captenantsResource, c.ns, cAPTenant), &v1alpha1.CAPTenant{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenant), err
+}
+
+// Update takes the representation of a cAPTenant and updates it. Returns the server's representation of the cAPTenant, and an error, if there is any.
+func (c *FakeCAPTenants) Update(ctx context.Context, cAPTenant *v1alpha1.CAPTenant, opts v1.UpdateOptions) (result *v1alpha1.CAPTenant, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(captenantsResource, c.ns, cAPTenant), &v1alpha1.CAPTenant{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenant), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeCAPTenants) UpdateStatus(ctx context.Context, cAPTenant *v1alpha1.CAPTenant, opts v1.UpdateOptions) (*v1alpha1.CAPTenant, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(captenantsResource, "status", c.ns, cAPTenant), &v1alpha1.CAPTenant{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenant), err
+}
+
+// Delete takes name of the cAPTenant and deletes it. Returns an error if one occurs.
+func (c *FakeCAPTenants) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteActionWithOptions(captenantsResource, c.ns, name, opts), &v1alpha1.CAPTenant{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeCAPTenants) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(captenantsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.CAPTenantList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched cAPTenant.
+func (c *FakeCAPTenants) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CAPTenant, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(captenantsResource, c.ns, name, pt, data, subresources...), &v1alpha1.CAPTenant{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenant), err
+}
+
+// Apply takes the given apply declarative configuration, applies it and returns the applied cAPTenant.
+func (c *FakeCAPTenants) Apply(ctx context.Context, cAPTenant *smesapcomv1alpha1.CAPTenantApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPTenant, err error) {
+	if cAPTenant == nil {
+		return nil, fmt.Errorf("cAPTenant provided to Apply must not be nil")
+	}
+	data, err := json.Marshal(cAPTenant)
+	if err != nil {
+		return nil, err
+	}
+	name := cAPTenant.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPTenant.Name must be provided to Apply")
+	}
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(captenantsResource, c.ns, *name, types.ApplyPatchType, data), &v1alpha1.CAPTenant{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenant), err
+}
+
+// ApplyStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+func (c *FakeCAPTenants) ApplyStatus(ctx context.Context, cAPTenant *smesapcomv1alpha1.CAPTenantApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPTenant, err error) {
+	if cAPTenant == nil {
+		return nil, fmt.Errorf("cAPTenant provided to Apply must not be nil")
+	}
+	data, err := json.Marshal(cAPTenant)
+	if err != nil {
+		return nil, err
+	}
+	name := cAPTenant.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPTenant.Name must be provided to Apply")
+	}
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(captenantsResource, c.ns, *name, types.ApplyPatchType, data, "status"), &v1alpha1.CAPTenant{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenant), err
+}
diff --git a/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_captenantoperation.go b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_captenantoperation.go
new file mode 100644
index 0000000..5f7ff24
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_captenantoperation.go
@@ -0,0 +1,177 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+	json "encoding/json"
+	"fmt"
+
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/client/applyconfiguration/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeCAPTenantOperations implements CAPTenantOperationInterface
+type FakeCAPTenantOperations struct {
+	Fake *FakeSmeV1alpha1
+	ns   string
+}
+
+var captenantoperationsResource = v1alpha1.SchemeGroupVersion.WithResource("captenantoperations")
+
+var captenantoperationsKind = v1alpha1.SchemeGroupVersion.WithKind("CAPTenantOperation")
+
+// Get takes name of the cAPTenantOperation, and returns the corresponding cAPTenantOperation object, and an error if there is any.
+func (c *FakeCAPTenantOperations) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CAPTenantOperation, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(captenantoperationsResource, c.ns, name), &v1alpha1.CAPTenantOperation{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenantOperation), err
+}
+
+// List takes label and field selectors, and returns the list of CAPTenantOperations that match those selectors.
+func (c *FakeCAPTenantOperations) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CAPTenantOperationList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(captenantoperationsResource, captenantoperationsKind, c.ns, opts), &v1alpha1.CAPTenantOperationList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.CAPTenantOperationList{ListMeta: obj.(*v1alpha1.CAPTenantOperationList).ListMeta}
+	for _, item := range obj.(*v1alpha1.CAPTenantOperationList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested cAPTenantOperations.
+func (c *FakeCAPTenantOperations) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(captenantoperationsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a cAPTenantOperation and creates it.  Returns the server's representation of the cAPTenantOperation, and an error, if there is any.
+func (c *FakeCAPTenantOperations) Create(ctx context.Context, cAPTenantOperation *v1alpha1.CAPTenantOperation, opts v1.CreateOptions) (result *v1alpha1.CAPTenantOperation, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(captenantoperationsResource, c.ns, cAPTenantOperation), &v1alpha1.CAPTenantOperation{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenantOperation), err
+}
+
+// Update takes the representation of a cAPTenantOperation and updates it. Returns the server's representation of the cAPTenantOperation, and an error, if there is any.
+func (c *FakeCAPTenantOperations) Update(ctx context.Context, cAPTenantOperation *v1alpha1.CAPTenantOperation, opts v1.UpdateOptions) (result *v1alpha1.CAPTenantOperation, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(captenantoperationsResource, c.ns, cAPTenantOperation), &v1alpha1.CAPTenantOperation{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenantOperation), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeCAPTenantOperations) UpdateStatus(ctx context.Context, cAPTenantOperation *v1alpha1.CAPTenantOperation, opts v1.UpdateOptions) (*v1alpha1.CAPTenantOperation, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(captenantoperationsResource, "status", c.ns, cAPTenantOperation), &v1alpha1.CAPTenantOperation{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenantOperation), err
+}
+
+// Delete takes name of the cAPTenantOperation and deletes it. Returns an error if one occurs.
+func (c *FakeCAPTenantOperations) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteActionWithOptions(captenantoperationsResource, c.ns, name, opts), &v1alpha1.CAPTenantOperation{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeCAPTenantOperations) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(captenantoperationsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.CAPTenantOperationList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched cAPTenantOperation.
+func (c *FakeCAPTenantOperations) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CAPTenantOperation, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(captenantoperationsResource, c.ns, name, pt, data, subresources...), &v1alpha1.CAPTenantOperation{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenantOperation), err
+}
+
+// Apply takes the given apply declarative configuration, applies it and returns the applied cAPTenantOperation.
+func (c *FakeCAPTenantOperations) Apply(ctx context.Context, cAPTenantOperation *smesapcomv1alpha1.CAPTenantOperationApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPTenantOperation, err error) {
+	if cAPTenantOperation == nil {
+		return nil, fmt.Errorf("cAPTenantOperation provided to Apply must not be nil")
+	}
+	data, err := json.Marshal(cAPTenantOperation)
+	if err != nil {
+		return nil, err
+	}
+	name := cAPTenantOperation.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPTenantOperation.Name must be provided to Apply")
+	}
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(captenantoperationsResource, c.ns, *name, types.ApplyPatchType, data), &v1alpha1.CAPTenantOperation{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenantOperation), err
+}
+
+// ApplyStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+func (c *FakeCAPTenantOperations) ApplyStatus(ctx context.Context, cAPTenantOperation *smesapcomv1alpha1.CAPTenantOperationApplyConfiguration, opts v1.ApplyOptions) (result *v1alpha1.CAPTenantOperation, err error) {
+	if cAPTenantOperation == nil {
+		return nil, fmt.Errorf("cAPTenantOperation provided to Apply must not be nil")
+	}
+	data, err := json.Marshal(cAPTenantOperation)
+	if err != nil {
+		return nil, err
+	}
+	name := cAPTenantOperation.Name
+	if name == nil {
+		return nil, fmt.Errorf("cAPTenantOperation.Name must be provided to Apply")
+	}
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(captenantoperationsResource, c.ns, *name, types.ApplyPatchType, data, "status"), &v1alpha1.CAPTenantOperation{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.CAPTenantOperation), err
+}
diff --git a/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_sme.sap.com_client.go b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_sme.sap.com_client.go
new file mode 100644
index 0000000..239fc90
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/fake/fake_sme.sap.com_client.go
@@ -0,0 +1,40 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "github.com/sap/cap-operator/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1"
+	rest "k8s.io/client-go/rest"
+	testing "k8s.io/client-go/testing"
+)
+
+type FakeSmeV1alpha1 struct {
+	*testing.Fake
+}
+
+func (c *FakeSmeV1alpha1) CAPApplications(namespace string) v1alpha1.CAPApplicationInterface {
+	return &FakeCAPApplications{c, namespace}
+}
+
+func (c *FakeSmeV1alpha1) CAPApplicationVersions(namespace string) v1alpha1.CAPApplicationVersionInterface {
+	return &FakeCAPApplicationVersions{c, namespace}
+}
+
+func (c *FakeSmeV1alpha1) CAPTenants(namespace string) v1alpha1.CAPTenantInterface {
+	return &FakeCAPTenants{c, namespace}
+}
+
+func (c *FakeSmeV1alpha1) CAPTenantOperations(namespace string) v1alpha1.CAPTenantOperationInterface {
+	return &FakeCAPTenantOperations{c, namespace}
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeSmeV1alpha1) RESTClient() rest.Interface {
+	var ret *rest.RESTClient
+	return ret
+}
diff --git a/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/generated_expansion.go b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/generated_expansion.go
new file mode 100644
index 0000000..bb475c0
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/generated_expansion.go
@@ -0,0 +1,15 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+type CAPApplicationExpansion interface{}
+
+type CAPApplicationVersionExpansion interface{}
+
+type CAPTenantExpansion interface{}
+
+type CAPTenantOperationExpansion interface{}
diff --git a/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/sme.sap.com_client.go b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/sme.sap.com_client.go
new file mode 100644
index 0000000..21feefc
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/sme.sap.com/v1alpha1/sme.sap.com_client.go
@@ -0,0 +1,110 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"net/http"
+
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"github.com/sap/cap-operator/pkg/client/clientset/versioned/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type SmeV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	CAPApplicationsGetter
+	CAPApplicationVersionsGetter
+	CAPTenantsGetter
+	CAPTenantOperationsGetter
+}
+
+// SmeV1alpha1Client is used to interact with features provided by the sme.sap.com group.
+type SmeV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *SmeV1alpha1Client) CAPApplications(namespace string) CAPApplicationInterface {
+	return newCAPApplications(c, namespace)
+}
+
+func (c *SmeV1alpha1Client) CAPApplicationVersions(namespace string) CAPApplicationVersionInterface {
+	return newCAPApplicationVersions(c, namespace)
+}
+
+func (c *SmeV1alpha1Client) CAPTenants(namespace string) CAPTenantInterface {
+	return newCAPTenants(c, namespace)
+}
+
+func (c *SmeV1alpha1Client) CAPTenantOperations(namespace string) CAPTenantOperationInterface {
+	return newCAPTenantOperations(c, namespace)
+}
+
+// NewForConfig creates a new SmeV1alpha1Client for the given config.
+// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
+// where httpClient was generated with rest.HTTPClientFor(c).
+func NewForConfig(c *rest.Config) (*SmeV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	httpClient, err := rest.HTTPClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return NewForConfigAndClient(&config, httpClient)
+}
+
+// NewForConfigAndClient creates a new SmeV1alpha1Client for the given config and http client.
+// Note the http client provided takes precedence over the configured transport values.
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*SmeV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientForConfigAndClient(&config, h)
+	if err != nil {
+		return nil, err
+	}
+	return &SmeV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new SmeV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *SmeV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new SmeV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *SmeV1alpha1Client {
+	return &SmeV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *SmeV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/pkg/client/informers/externalversions/factory.go b/pkg/client/informers/externalversions/factory.go
new file mode 100644
index 0000000..32e1513
--- /dev/null
+++ b/pkg/client/informers/externalversions/factory.go
@@ -0,0 +1,239 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by informer-gen. DO NOT EDIT.
+
+package externalversions
+
+import (
+	reflect "reflect"
+	sync "sync"
+	time "time"
+
+	versioned "github.com/sap/cap-operator/pkg/client/clientset/versioned"
+	internalinterfaces "github.com/sap/cap-operator/pkg/client/informers/externalversions/internalinterfaces"
+	smesapcom "github.com/sap/cap-operator/pkg/client/informers/externalversions/sme.sap.com"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// SharedInformerOption defines the functional option type for SharedInformerFactory.
+type SharedInformerOption func(*sharedInformerFactory) *sharedInformerFactory
+
+type sharedInformerFactory struct {
+	client           versioned.Interface
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	lock             sync.Mutex
+	defaultResync    time.Duration
+	customResync     map[reflect.Type]time.Duration
+
+	informers map[reflect.Type]cache.SharedIndexInformer
+	// startedInformers is used for tracking which informers have been started.
+	// This allows Start() to be called multiple times safely.
+	startedInformers map[reflect.Type]bool
+	// wg tracks how many goroutines were started.
+	wg sync.WaitGroup
+	// shuttingDown is true when Shutdown has been called. It may still be running
+	// because it needs to wait for goroutines.
+	shuttingDown bool
+}
+
+// WithCustomResyncConfig sets a custom resync period for the specified informer types.
+func WithCustomResyncConfig(resyncConfig map[v1.Object]time.Duration) SharedInformerOption {
+	return func(factory *sharedInformerFactory) *sharedInformerFactory {
+		for k, v := range resyncConfig {
+			factory.customResync[reflect.TypeOf(k)] = v
+		}
+		return factory
+	}
+}
+
+// WithTweakListOptions sets a custom filter on all listers of the configured SharedInformerFactory.
+func WithTweakListOptions(tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerOption {
+	return func(factory *sharedInformerFactory) *sharedInformerFactory {
+		factory.tweakListOptions = tweakListOptions
+		return factory
+	}
+}
+
+// WithNamespace limits the SharedInformerFactory to the specified namespace.
+func WithNamespace(namespace string) SharedInformerOption {
+	return func(factory *sharedInformerFactory) *sharedInformerFactory {
+		factory.namespace = namespace
+		return factory
+	}
+}
+
+// NewSharedInformerFactory constructs a new instance of sharedInformerFactory for all namespaces.
+func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Duration) SharedInformerFactory {
+	return NewSharedInformerFactoryWithOptions(client, defaultResync)
+}
+
+// NewFilteredSharedInformerFactory constructs a new instance of sharedInformerFactory.
+// Listers obtained via this SharedInformerFactory will be subject to the same filters
+// as specified here.
+// Deprecated: Please use NewSharedInformerFactoryWithOptions instead
+func NewFilteredSharedInformerFactory(client versioned.Interface, defaultResync time.Duration, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) SharedInformerFactory {
+	return NewSharedInformerFactoryWithOptions(client, defaultResync, WithNamespace(namespace), WithTweakListOptions(tweakListOptions))
+}
+
+// NewSharedInformerFactoryWithOptions constructs a new instance of a SharedInformerFactory with additional options.
+func NewSharedInformerFactoryWithOptions(client versioned.Interface, defaultResync time.Duration, options ...SharedInformerOption) SharedInformerFactory {
+	factory := &sharedInformerFactory{
+		client:           client,
+		namespace:        v1.NamespaceAll,
+		defaultResync:    defaultResync,
+		informers:        make(map[reflect.Type]cache.SharedIndexInformer),
+		startedInformers: make(map[reflect.Type]bool),
+		customResync:     make(map[reflect.Type]time.Duration),
+	}
+
+	// Apply all options
+	for _, opt := range options {
+		factory = opt(factory)
+	}
+
+	return factory
+}
+
+func (f *sharedInformerFactory) Start(stopCh <-chan struct{}) {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	if f.shuttingDown {
+		return
+	}
+
+	for informerType, informer := range f.informers {
+		if !f.startedInformers[informerType] {
+			f.wg.Add(1)
+			// We need a new variable in each loop iteration,
+			// otherwise the goroutine would use the loop variable
+			// and that keeps changing.
+			informer := informer
+			go func() {
+				defer f.wg.Done()
+				informer.Run(stopCh)
+			}()
+			f.startedInformers[informerType] = true
+		}
+	}
+}
+
+func (f *sharedInformerFactory) Shutdown() {
+	f.lock.Lock()
+	f.shuttingDown = true
+	f.lock.Unlock()
+
+	// Will return immediately if there is nothing to wait for.
+	f.wg.Wait()
+}
+
+func (f *sharedInformerFactory) WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool {
+	informers := func() map[reflect.Type]cache.SharedIndexInformer {
+		f.lock.Lock()
+		defer f.lock.Unlock()
+
+		informers := map[reflect.Type]cache.SharedIndexInformer{}
+		for informerType, informer := range f.informers {
+			if f.startedInformers[informerType] {
+				informers[informerType] = informer
+			}
+		}
+		return informers
+	}()
+
+	res := map[reflect.Type]bool{}
+	for informType, informer := range informers {
+		res[informType] = cache.WaitForCacheSync(stopCh, informer.HasSynced)
+	}
+	return res
+}
+
+// InformerFor returns the SharedIndexInformer for obj using an internal
+// client.
+func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	informerType := reflect.TypeOf(obj)
+	informer, exists := f.informers[informerType]
+	if exists {
+		return informer
+	}
+
+	resyncPeriod, exists := f.customResync[informerType]
+	if !exists {
+		resyncPeriod = f.defaultResync
+	}
+
+	informer = newFunc(f.client, resyncPeriod)
+	f.informers[informerType] = informer
+
+	return informer
+}
+
+// SharedInformerFactory provides shared informers for resources in all known
+// API group versions.
+//
+// It is typically used like this:
+//
+//	ctx, cancel := context.Background()
+//	defer cancel()
+//	factory := NewSharedInformerFactory(client, resyncPeriod)
+//	defer factory.WaitForStop()    // Returns immediately if nothing was started.
+//	genericInformer := factory.ForResource(resource)
+//	typedInformer := factory.SomeAPIGroup().V1().SomeType()
+//	factory.Start(ctx.Done())          // Start processing these informers.
+//	synced := factory.WaitForCacheSync(ctx.Done())
+//	for v, ok := range synced {
+//	    if !ok {
+//	        fmt.Fprintf(os.Stderr, "caches failed to sync: %v", v)
+//	        return
+//	    }
+//	}
+//
+//	// Creating informers can also be created after Start, but then
+//	// Start must be called again:
+//	anotherGenericInformer := factory.ForResource(resource)
+//	factory.Start(ctx.Done())
+type SharedInformerFactory interface {
+	internalinterfaces.SharedInformerFactory
+
+	// Start initializes all requested informers. They are handled in goroutines
+	// which run until the stop channel gets closed.
+	Start(stopCh <-chan struct{})
+
+	// Shutdown marks a factory as shutting down. At that point no new
+	// informers can be started anymore and Start will return without
+	// doing anything.
+	//
+	// In addition, Shutdown blocks until all goroutines have terminated. For that
+	// to happen, the close channel(s) that they were started with must be closed,
+	// either before Shutdown gets called or while it is waiting.
+	//
+	// Shutdown may be called multiple times, even concurrently. All such calls will
+	// block until all goroutines have terminated.
+	Shutdown()
+
+	// WaitForCacheSync blocks until all started informers' caches were synced
+	// or the stop channel gets closed.
+	WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
+
+	// ForResource gives generic access to a shared informer of the matching type.
+	ForResource(resource schema.GroupVersionResource) (GenericInformer, error)
+
+	// InformerFor returns the SharedIndexInformer for obj using an internal
+	// client.
+	InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer
+
+	Sme() smesapcom.Interface
+}
+
+func (f *sharedInformerFactory) Sme() smesapcom.Interface {
+	return smesapcom.New(f, f.namespace, f.tweakListOptions)
+}
diff --git a/pkg/client/informers/externalversions/generic.go b/pkg/client/informers/externalversions/generic.go
new file mode 100644
index 0000000..fbe7916
--- /dev/null
+++ b/pkg/client/informers/externalversions/generic.go
@@ -0,0 +1,56 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by informer-gen. DO NOT EDIT.
+
+package externalversions
+
+import (
+	"fmt"
+
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// GenericInformer is type of SharedIndexInformer which will locate and delegate to other
+// sharedInformers based on type
+type GenericInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() cache.GenericLister
+}
+
+type genericInformer struct {
+	informer cache.SharedIndexInformer
+	resource schema.GroupResource
+}
+
+// Informer returns the SharedIndexInformer.
+func (f *genericInformer) Informer() cache.SharedIndexInformer {
+	return f.informer
+}
+
+// Lister returns the GenericLister.
+func (f *genericInformer) Lister() cache.GenericLister {
+	return cache.NewGenericLister(f.Informer().GetIndexer(), f.resource)
+}
+
+// ForResource gives generic access to a shared informer of the matching type
+// TODO extend this to unknown resources with a client pool
+func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
+	switch resource {
+	// Group=sme.sap.com, Version=v1alpha1
+	case v1alpha1.SchemeGroupVersion.WithResource("capapplications"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Sme().V1alpha1().CAPApplications().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("capapplicationversions"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Sme().V1alpha1().CAPApplicationVersions().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("captenants"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Sme().V1alpha1().CAPTenants().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("captenantoperations"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Sme().V1alpha1().CAPTenantOperations().Informer()}, nil
+
+	}
+
+	return nil, fmt.Errorf("no informer found for %v", resource)
+}
diff --git a/pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go b/pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go
new file mode 100644
index 0000000..b2b93ad
--- /dev/null
+++ b/pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go
@@ -0,0 +1,28 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by informer-gen. DO NOT EDIT.
+
+package internalinterfaces
+
+import (
+	time "time"
+
+	versioned "github.com/sap/cap-operator/pkg/client/clientset/versioned"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// NewInformerFunc takes versioned.Interface and time.Duration to return a SharedIndexInformer.
+type NewInformerFunc func(versioned.Interface, time.Duration) cache.SharedIndexInformer
+
+// SharedInformerFactory a small interface to allow for adding an informer without an import cycle
+type SharedInformerFactory interface {
+	Start(stopCh <-chan struct{})
+	InformerFor(obj runtime.Object, newFunc NewInformerFunc) cache.SharedIndexInformer
+}
+
+// TweakListOptionsFunc is a function that transforms a v1.ListOptions.
+type TweakListOptionsFunc func(*v1.ListOptions)
diff --git a/pkg/client/informers/externalversions/sme.sap.com/interface.go b/pkg/client/informers/externalversions/sme.sap.com/interface.go
new file mode 100644
index 0000000..f52db38
--- /dev/null
+++ b/pkg/client/informers/externalversions/sme.sap.com/interface.go
@@ -0,0 +1,34 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by informer-gen. DO NOT EDIT.
+
+package sme
+
+import (
+	internalinterfaces "github.com/sap/cap-operator/pkg/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "github.com/sap/cap-operator/pkg/client/informers/externalversions/sme.sap.com/v1alpha1"
+)
+
+// Interface provides access to each of this group's versions.
+type Interface interface {
+	// V1alpha1 provides access to shared informers for resources in V1alpha1.
+	V1alpha1() v1alpha1.Interface
+}
+
+type group struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// V1alpha1 returns a new v1alpha1.Interface.
+func (g *group) V1alpha1() v1alpha1.Interface {
+	return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
+}
diff --git a/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/capapplication.go b/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/capapplication.go
new file mode 100644
index 0000000..33eab36
--- /dev/null
+++ b/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/capapplication.go
@@ -0,0 +1,78 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	versioned "github.com/sap/cap-operator/pkg/client/clientset/versioned"
+	internalinterfaces "github.com/sap/cap-operator/pkg/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "github.com/sap/cap-operator/pkg/client/listers/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// CAPApplicationInformer provides access to a shared informer and lister for
+// CAPApplications.
+type CAPApplicationInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.CAPApplicationLister
+}
+
+type cAPApplicationInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewCAPApplicationInformer constructs a new informer for CAPApplication type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewCAPApplicationInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredCAPApplicationInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredCAPApplicationInformer constructs a new informer for CAPApplication type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredCAPApplicationInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.SmeV1alpha1().CAPApplications(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.SmeV1alpha1().CAPApplications(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&smesapcomv1alpha1.CAPApplication{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *cAPApplicationInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredCAPApplicationInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *cAPApplicationInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&smesapcomv1alpha1.CAPApplication{}, f.defaultInformer)
+}
+
+func (f *cAPApplicationInformer) Lister() v1alpha1.CAPApplicationLister {
+	return v1alpha1.NewCAPApplicationLister(f.Informer().GetIndexer())
+}
diff --git a/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/capapplicationversion.go b/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/capapplicationversion.go
new file mode 100644
index 0000000..66f44f6
--- /dev/null
+++ b/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/capapplicationversion.go
@@ -0,0 +1,78 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	versioned "github.com/sap/cap-operator/pkg/client/clientset/versioned"
+	internalinterfaces "github.com/sap/cap-operator/pkg/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "github.com/sap/cap-operator/pkg/client/listers/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// CAPApplicationVersionInformer provides access to a shared informer and lister for
+// CAPApplicationVersions.
+type CAPApplicationVersionInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.CAPApplicationVersionLister
+}
+
+type cAPApplicationVersionInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewCAPApplicationVersionInformer constructs a new informer for CAPApplicationVersion type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewCAPApplicationVersionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredCAPApplicationVersionInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredCAPApplicationVersionInformer constructs a new informer for CAPApplicationVersion type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredCAPApplicationVersionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.SmeV1alpha1().CAPApplicationVersions(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.SmeV1alpha1().CAPApplicationVersions(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&smesapcomv1alpha1.CAPApplicationVersion{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *cAPApplicationVersionInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredCAPApplicationVersionInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *cAPApplicationVersionInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&smesapcomv1alpha1.CAPApplicationVersion{}, f.defaultInformer)
+}
+
+func (f *cAPApplicationVersionInformer) Lister() v1alpha1.CAPApplicationVersionLister {
+	return v1alpha1.NewCAPApplicationVersionLister(f.Informer().GetIndexer())
+}
diff --git a/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/captenant.go b/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/captenant.go
new file mode 100644
index 0000000..27dd930
--- /dev/null
+++ b/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/captenant.go
@@ -0,0 +1,78 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	versioned "github.com/sap/cap-operator/pkg/client/clientset/versioned"
+	internalinterfaces "github.com/sap/cap-operator/pkg/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "github.com/sap/cap-operator/pkg/client/listers/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// CAPTenantInformer provides access to a shared informer and lister for
+// CAPTenants.
+type CAPTenantInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.CAPTenantLister
+}
+
+type cAPTenantInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewCAPTenantInformer constructs a new informer for CAPTenant type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewCAPTenantInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredCAPTenantInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredCAPTenantInformer constructs a new informer for CAPTenant type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredCAPTenantInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.SmeV1alpha1().CAPTenants(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.SmeV1alpha1().CAPTenants(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&smesapcomv1alpha1.CAPTenant{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *cAPTenantInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredCAPTenantInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *cAPTenantInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&smesapcomv1alpha1.CAPTenant{}, f.defaultInformer)
+}
+
+func (f *cAPTenantInformer) Lister() v1alpha1.CAPTenantLister {
+	return v1alpha1.NewCAPTenantLister(f.Informer().GetIndexer())
+}
diff --git a/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/captenantoperation.go b/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/captenantoperation.go
new file mode 100644
index 0000000..5645022
--- /dev/null
+++ b/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/captenantoperation.go
@@ -0,0 +1,78 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	smesapcomv1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	versioned "github.com/sap/cap-operator/pkg/client/clientset/versioned"
+	internalinterfaces "github.com/sap/cap-operator/pkg/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "github.com/sap/cap-operator/pkg/client/listers/sme.sap.com/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// CAPTenantOperationInformer provides access to a shared informer and lister for
+// CAPTenantOperations.
+type CAPTenantOperationInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.CAPTenantOperationLister
+}
+
+type cAPTenantOperationInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewCAPTenantOperationInformer constructs a new informer for CAPTenantOperation type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewCAPTenantOperationInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredCAPTenantOperationInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredCAPTenantOperationInformer constructs a new informer for CAPTenantOperation type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredCAPTenantOperationInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.SmeV1alpha1().CAPTenantOperations(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.SmeV1alpha1().CAPTenantOperations(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&smesapcomv1alpha1.CAPTenantOperation{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *cAPTenantOperationInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredCAPTenantOperationInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *cAPTenantOperationInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&smesapcomv1alpha1.CAPTenantOperation{}, f.defaultInformer)
+}
+
+func (f *cAPTenantOperationInformer) Lister() v1alpha1.CAPTenantOperationLister {
+	return v1alpha1.NewCAPTenantOperationLister(f.Informer().GetIndexer())
+}
diff --git a/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/interface.go b/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/interface.go
new file mode 100644
index 0000000..7165764
--- /dev/null
+++ b/pkg/client/informers/externalversions/sme.sap.com/v1alpha1/interface.go
@@ -0,0 +1,54 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	internalinterfaces "github.com/sap/cap-operator/pkg/client/informers/externalversions/internalinterfaces"
+)
+
+// Interface provides access to all the informers in this group version.
+type Interface interface {
+	// CAPApplications returns a CAPApplicationInformer.
+	CAPApplications() CAPApplicationInformer
+	// CAPApplicationVersions returns a CAPApplicationVersionInformer.
+	CAPApplicationVersions() CAPApplicationVersionInformer
+	// CAPTenants returns a CAPTenantInformer.
+	CAPTenants() CAPTenantInformer
+	// CAPTenantOperations returns a CAPTenantOperationInformer.
+	CAPTenantOperations() CAPTenantOperationInformer
+}
+
+type version struct {
+	factory          internalinterfaces.SharedInformerFactory
+	namespace        string
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
+	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
+}
+
+// CAPApplications returns a CAPApplicationInformer.
+func (v *version) CAPApplications() CAPApplicationInformer {
+	return &cAPApplicationInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
+// CAPApplicationVersions returns a CAPApplicationVersionInformer.
+func (v *version) CAPApplicationVersions() CAPApplicationVersionInformer {
+	return &cAPApplicationVersionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
+// CAPTenants returns a CAPTenantInformer.
+func (v *version) CAPTenants() CAPTenantInformer {
+	return &cAPTenantInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
+// CAPTenantOperations returns a CAPTenantOperationInformer.
+func (v *version) CAPTenantOperations() CAPTenantOperationInformer {
+	return &cAPTenantOperationInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
diff --git a/pkg/client/listers/sme.sap.com/v1alpha1/capapplication.go b/pkg/client/listers/sme.sap.com/v1alpha1/capapplication.go
new file mode 100644
index 0000000..6be54bf
--- /dev/null
+++ b/pkg/client/listers/sme.sap.com/v1alpha1/capapplication.go
@@ -0,0 +1,87 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// CAPApplicationLister helps list CAPApplications.
+// All objects returned here must be treated as read-only.
+type CAPApplicationLister interface {
+	// List lists all CAPApplications in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.CAPApplication, err error)
+	// CAPApplications returns an object that can list and get CAPApplications.
+	CAPApplications(namespace string) CAPApplicationNamespaceLister
+	CAPApplicationListerExpansion
+}
+
+// cAPApplicationLister implements the CAPApplicationLister interface.
+type cAPApplicationLister struct {
+	indexer cache.Indexer
+}
+
+// NewCAPApplicationLister returns a new CAPApplicationLister.
+func NewCAPApplicationLister(indexer cache.Indexer) CAPApplicationLister {
+	return &cAPApplicationLister{indexer: indexer}
+}
+
+// List lists all CAPApplications in the indexer.
+func (s *cAPApplicationLister) List(selector labels.Selector) (ret []*v1alpha1.CAPApplication, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.CAPApplication))
+	})
+	return ret, err
+}
+
+// CAPApplications returns an object that can list and get CAPApplications.
+func (s *cAPApplicationLister) CAPApplications(namespace string) CAPApplicationNamespaceLister {
+	return cAPApplicationNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// CAPApplicationNamespaceLister helps list and get CAPApplications.
+// All objects returned here must be treated as read-only.
+type CAPApplicationNamespaceLister interface {
+	// List lists all CAPApplications in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.CAPApplication, err error)
+	// Get retrieves the CAPApplication from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1alpha1.CAPApplication, error)
+	CAPApplicationNamespaceListerExpansion
+}
+
+// cAPApplicationNamespaceLister implements the CAPApplicationNamespaceLister
+// interface.
+type cAPApplicationNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all CAPApplications in the indexer for a given namespace.
+func (s cAPApplicationNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CAPApplication, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.CAPApplication))
+	})
+	return ret, err
+}
+
+// Get retrieves the CAPApplication from the indexer for a given namespace and name.
+func (s cAPApplicationNamespaceLister) Get(name string) (*v1alpha1.CAPApplication, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("capapplication"), name)
+	}
+	return obj.(*v1alpha1.CAPApplication), nil
+}
diff --git a/pkg/client/listers/sme.sap.com/v1alpha1/capapplicationversion.go b/pkg/client/listers/sme.sap.com/v1alpha1/capapplicationversion.go
new file mode 100644
index 0000000..43fef60
--- /dev/null
+++ b/pkg/client/listers/sme.sap.com/v1alpha1/capapplicationversion.go
@@ -0,0 +1,87 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// CAPApplicationVersionLister helps list CAPApplicationVersions.
+// All objects returned here must be treated as read-only.
+type CAPApplicationVersionLister interface {
+	// List lists all CAPApplicationVersions in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.CAPApplicationVersion, err error)
+	// CAPApplicationVersions returns an object that can list and get CAPApplicationVersions.
+	CAPApplicationVersions(namespace string) CAPApplicationVersionNamespaceLister
+	CAPApplicationVersionListerExpansion
+}
+
+// cAPApplicationVersionLister implements the CAPApplicationVersionLister interface.
+type cAPApplicationVersionLister struct {
+	indexer cache.Indexer
+}
+
+// NewCAPApplicationVersionLister returns a new CAPApplicationVersionLister.
+func NewCAPApplicationVersionLister(indexer cache.Indexer) CAPApplicationVersionLister {
+	return &cAPApplicationVersionLister{indexer: indexer}
+}
+
+// List lists all CAPApplicationVersions in the indexer.
+func (s *cAPApplicationVersionLister) List(selector labels.Selector) (ret []*v1alpha1.CAPApplicationVersion, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.CAPApplicationVersion))
+	})
+	return ret, err
+}
+
+// CAPApplicationVersions returns an object that can list and get CAPApplicationVersions.
+func (s *cAPApplicationVersionLister) CAPApplicationVersions(namespace string) CAPApplicationVersionNamespaceLister {
+	return cAPApplicationVersionNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// CAPApplicationVersionNamespaceLister helps list and get CAPApplicationVersions.
+// All objects returned here must be treated as read-only.
+type CAPApplicationVersionNamespaceLister interface {
+	// List lists all CAPApplicationVersions in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.CAPApplicationVersion, err error)
+	// Get retrieves the CAPApplicationVersion from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1alpha1.CAPApplicationVersion, error)
+	CAPApplicationVersionNamespaceListerExpansion
+}
+
+// cAPApplicationVersionNamespaceLister implements the CAPApplicationVersionNamespaceLister
+// interface.
+type cAPApplicationVersionNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all CAPApplicationVersions in the indexer for a given namespace.
+func (s cAPApplicationVersionNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CAPApplicationVersion, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.CAPApplicationVersion))
+	})
+	return ret, err
+}
+
+// Get retrieves the CAPApplicationVersion from the indexer for a given namespace and name.
+func (s cAPApplicationVersionNamespaceLister) Get(name string) (*v1alpha1.CAPApplicationVersion, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("capapplicationversion"), name)
+	}
+	return obj.(*v1alpha1.CAPApplicationVersion), nil
+}
diff --git a/pkg/client/listers/sme.sap.com/v1alpha1/captenant.go b/pkg/client/listers/sme.sap.com/v1alpha1/captenant.go
new file mode 100644
index 0000000..18bb6a6
--- /dev/null
+++ b/pkg/client/listers/sme.sap.com/v1alpha1/captenant.go
@@ -0,0 +1,87 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// CAPTenantLister helps list CAPTenants.
+// All objects returned here must be treated as read-only.
+type CAPTenantLister interface {
+	// List lists all CAPTenants in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.CAPTenant, err error)
+	// CAPTenants returns an object that can list and get CAPTenants.
+	CAPTenants(namespace string) CAPTenantNamespaceLister
+	CAPTenantListerExpansion
+}
+
+// cAPTenantLister implements the CAPTenantLister interface.
+type cAPTenantLister struct {
+	indexer cache.Indexer
+}
+
+// NewCAPTenantLister returns a new CAPTenantLister.
+func NewCAPTenantLister(indexer cache.Indexer) CAPTenantLister {
+	return &cAPTenantLister{indexer: indexer}
+}
+
+// List lists all CAPTenants in the indexer.
+func (s *cAPTenantLister) List(selector labels.Selector) (ret []*v1alpha1.CAPTenant, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.CAPTenant))
+	})
+	return ret, err
+}
+
+// CAPTenants returns an object that can list and get CAPTenants.
+func (s *cAPTenantLister) CAPTenants(namespace string) CAPTenantNamespaceLister {
+	return cAPTenantNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// CAPTenantNamespaceLister helps list and get CAPTenants.
+// All objects returned here must be treated as read-only.
+type CAPTenantNamespaceLister interface {
+	// List lists all CAPTenants in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.CAPTenant, err error)
+	// Get retrieves the CAPTenant from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1alpha1.CAPTenant, error)
+	CAPTenantNamespaceListerExpansion
+}
+
+// cAPTenantNamespaceLister implements the CAPTenantNamespaceLister
+// interface.
+type cAPTenantNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all CAPTenants in the indexer for a given namespace.
+func (s cAPTenantNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CAPTenant, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.CAPTenant))
+	})
+	return ret, err
+}
+
+// Get retrieves the CAPTenant from the indexer for a given namespace and name.
+func (s cAPTenantNamespaceLister) Get(name string) (*v1alpha1.CAPTenant, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("captenant"), name)
+	}
+	return obj.(*v1alpha1.CAPTenant), nil
+}
diff --git a/pkg/client/listers/sme.sap.com/v1alpha1/captenantoperation.go b/pkg/client/listers/sme.sap.com/v1alpha1/captenantoperation.go
new file mode 100644
index 0000000..ee4d86a
--- /dev/null
+++ b/pkg/client/listers/sme.sap.com/v1alpha1/captenantoperation.go
@@ -0,0 +1,87 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/sap/cap-operator/pkg/apis/sme.sap.com/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// CAPTenantOperationLister helps list CAPTenantOperations.
+// All objects returned here must be treated as read-only.
+type CAPTenantOperationLister interface {
+	// List lists all CAPTenantOperations in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.CAPTenantOperation, err error)
+	// CAPTenantOperations returns an object that can list and get CAPTenantOperations.
+	CAPTenantOperations(namespace string) CAPTenantOperationNamespaceLister
+	CAPTenantOperationListerExpansion
+}
+
+// cAPTenantOperationLister implements the CAPTenantOperationLister interface.
+type cAPTenantOperationLister struct {
+	indexer cache.Indexer
+}
+
+// NewCAPTenantOperationLister returns a new CAPTenantOperationLister.
+func NewCAPTenantOperationLister(indexer cache.Indexer) CAPTenantOperationLister {
+	return &cAPTenantOperationLister{indexer: indexer}
+}
+
+// List lists all CAPTenantOperations in the indexer.
+func (s *cAPTenantOperationLister) List(selector labels.Selector) (ret []*v1alpha1.CAPTenantOperation, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.CAPTenantOperation))
+	})
+	return ret, err
+}
+
+// CAPTenantOperations returns an object that can list and get CAPTenantOperations.
+func (s *cAPTenantOperationLister) CAPTenantOperations(namespace string) CAPTenantOperationNamespaceLister {
+	return cAPTenantOperationNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// CAPTenantOperationNamespaceLister helps list and get CAPTenantOperations.
+// All objects returned here must be treated as read-only.
+type CAPTenantOperationNamespaceLister interface {
+	// List lists all CAPTenantOperations in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.CAPTenantOperation, err error)
+	// Get retrieves the CAPTenantOperation from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1alpha1.CAPTenantOperation, error)
+	CAPTenantOperationNamespaceListerExpansion
+}
+
+// cAPTenantOperationNamespaceLister implements the CAPTenantOperationNamespaceLister
+// interface.
+type cAPTenantOperationNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all CAPTenantOperations in the indexer for a given namespace.
+func (s cAPTenantOperationNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CAPTenantOperation, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.CAPTenantOperation))
+	})
+	return ret, err
+}
+
+// Get retrieves the CAPTenantOperation from the indexer for a given namespace and name.
+func (s cAPTenantOperationNamespaceLister) Get(name string) (*v1alpha1.CAPTenantOperation, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("captenantoperation"), name)
+	}
+	return obj.(*v1alpha1.CAPTenantOperation), nil
+}
diff --git a/pkg/client/listers/sme.sap.com/v1alpha1/expansion_generated.go b/pkg/client/listers/sme.sap.com/v1alpha1/expansion_generated.go
new file mode 100644
index 0000000..f0872b7
--- /dev/null
+++ b/pkg/client/listers/sme.sap.com/v1alpha1/expansion_generated.go
@@ -0,0 +1,39 @@
+/*
+SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and cap-operator contributors
+SPDX-License-Identifier: Apache-2.0
+*/
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// CAPApplicationListerExpansion allows custom methods to be added to
+// CAPApplicationLister.
+type CAPApplicationListerExpansion interface{}
+
+// CAPApplicationNamespaceListerExpansion allows custom methods to be added to
+// CAPApplicationNamespaceLister.
+type CAPApplicationNamespaceListerExpansion interface{}
+
+// CAPApplicationVersionListerExpansion allows custom methods to be added to
+// CAPApplicationVersionLister.
+type CAPApplicationVersionListerExpansion interface{}
+
+// CAPApplicationVersionNamespaceListerExpansion allows custom methods to be added to
+// CAPApplicationVersionNamespaceLister.
+type CAPApplicationVersionNamespaceListerExpansion interface{}
+
+// CAPTenantListerExpansion allows custom methods to be added to
+// CAPTenantLister.
+type CAPTenantListerExpansion interface{}
+
+// CAPTenantNamespaceListerExpansion allows custom methods to be added to
+// CAPTenantNamespaceLister.
+type CAPTenantNamespaceListerExpansion interface{}
+
+// CAPTenantOperationListerExpansion allows custom methods to be added to
+// CAPTenantOperationLister.
+type CAPTenantOperationListerExpansion interface{}
+
+// CAPTenantOperationNamespaceListerExpansion allows custom methods to be added to
+// CAPTenantOperationNamespaceLister.
+type CAPTenantOperationNamespaceListerExpansion interface{}
diff --git a/website/archetypes/default.md b/website/archetypes/default.md
new file mode 100644
index 0000000..00e77bd
--- /dev/null
+++ b/website/archetypes/default.md
@@ -0,0 +1,6 @@
+---
+title: "{{ replace .Name "-" " " | title }}"
+date: {{ .Date }}
+draft: true
+---
+
diff --git a/website/content/en/_index.md b/website/content/en/_index.md
new file mode 100644
index 0000000..adcd3a5
--- /dev/null
+++ b/website/content/en/_index.md
@@ -0,0 +1,17 @@
+---
+title: CAP Operator
+linkTitle: CAP Operator
+description: A Kubernetes Operator for managing the lifecycle of multi-tenant CAP applications
+---
+
+{{% blocks/cover title="Welcome to CAP Operator !" image_anchor="top" height="full" color="primary" %}}
+<div class="mx-auto">
+	<span class="font-weight-bold">A Kubernetes Operator for managing the lifecycle of multi-tenant CAP applications</span><br><br><br>
+	<a class="btn btn-lg btn-outline-info mr-3 mb-4" href="docs/">
+		Documentation <i class="fas fa-arrow-alt-circle-right ml-2"></i>
+	</a>
+	<a class="btn btn-lg btn-outline-info mr-3 mb-4" href="https://github.com/sap/cap-operator">
+		Source Repository <i class="fab fa-github ml-2 "></i>
+	</a>
+</div>
+{{% /blocks/cover %}}
\ No newline at end of file
diff --git a/website/content/en/docs/_index.md b/website/content/en/docs/_index.md
new file mode 100644
index 0000000..4e8c88d
--- /dev/null
+++ b/website/content/en/docs/_index.md
@@ -0,0 +1,25 @@
+---
+title: "Documentation"
+linkTitle: "Documentation"
+weight: 20
+menu:
+  main:
+    weight: 10
+    pre: "<i class='fas fa-book pr-2'></i>"
+---
+
+The [**CAP Operator**](https://github.com/sap/cap-operator) deploys and manages the lifecycle of multi-tenant BTP Golden Path based [CAP](https://cap.cloud.sap/docs) applications and related components, within a Kubernetes cluster.
+
+Main features of the CAP Operator:
+
+- Quick and easy deployment of CAP application backends, router and related networking components.
+- Integrates with BTP SaaS Provisioning to handle asynchronous tenant subscription requests, executing provisioning / deprovisioning tasks as Kubernetes jobs.
+- Automatically upgrades known tenants when newer application versions are available.
+- Supports deployment of service specific content / configuration as a Kubernetes job with with every application version (e.g. HTML5 application content to HTML5 Repository Service).
+- Manages TLS certificates and DNS entries related to the deployed application, with support for customer specific domains.
+
+The following picture provides an overview of the major automation steps handled by the Operator during application deployment.
+
+![workflow](/img/workflow.png)
+
+Explore the following chapters to learn more.
diff --git a/website/content/en/docs/concepts/_index.md b/website/content/en/docs/concepts/_index.md
new file mode 100644
index 0000000..1965a7f
--- /dev/null
+++ b/website/content/en/docs/concepts/_index.md
@@ -0,0 +1,16 @@
+---
+title: "Concepts"
+linkTitle: "Concepts"
+weight: 10
+type: "docs"
+description: >
+  Motivation and overview of components
+---
+
+Provisioning and operating a CAP Application on a Kubernetes cluster requires deployment of various components in addition to the CAP application server (see [a list of typical components]({{< ref "/cap-application-components.md" >}})). Some of these components can be created at the time of system provisioning, while others need to be created (or updated) at different points during the lifecycle of the application (DAY 2 operational tasks).
+
+Using helm charts to manage a CAP Application deployment can support the initial system provisioning, but further lifecycle operations like tenant provisioning, which are initiated from external components (SAP BTP), will require manual adjustment of the deployed resources. An example of such an instance would be the creation of `VirtualServices` (part of Istio service mesh) during tenant provisioning to route application (HTTP) requests submitted on the new tenant subdomain to the application server. Another limitation of using helm charts is the lack of control over the order in which resources are created.
+
+More control over the deployment and further automation of lifecycle operations can be achieved by extending the Kubernetes API with custom resources, which describe the components and configuration of CAP applications, and controllers to reconcile them. Similar to standard controllers of Kubernetes the custom controllers watch for changes in the custom resource objects and work towards moving the cluster state to the desired state.
+
+The [CAP Operator](https://github.com/sap/cap-operator) comprises of Custom Resource Definitions which describe the CAP application components, the controller to reconcile these resources, and other components which support the lifecycle management.
diff --git a/website/content/en/docs/concepts/cap-application-components.md b/website/content/en/docs/concepts/cap-application-components.md
new file mode 100644
index 0000000..91bbb2c
--- /dev/null
+++ b/website/content/en/docs/concepts/cap-application-components.md
@@ -0,0 +1,30 @@
+---
+title: "CAP Application Components"
+linkTitle: "CAP Application Components"
+weight: 20
+type: "docs"
+description: >
+  A typical multi-tenant CAP application
+---
+
+A full stack application built using the CAP programming model will have the following components
+
+### SAP BTP Service Instances
+
+Multi-tenant CAP based applications need to consume services from SAP BTP like XSUAA, SaaS Provisioning etc. These service instances need to be created within a BTP Provider Account. Service keys (bindings) need to be created for these instances which generate the credentials used by the application for accessing these services.
+
+### CAP application server
+
+The application provides data models which will be deployed to the connected database. An HTTP server exposes defined services and handles server side application logic. For more details check out [CAP documentation](https://cap.cloud.sap/docs). It is also possible that the application is split into multiple servers (services) which work together.
+
+### CAP components to support Multi-tenancy
+
+CAP provides the module `@sap/cds-mtxs` which can be operated as a sidecar (component running independently from the application server). This component is then responsible for handling requests related to tenant management like onboarding which then creates the required schema in the connected database. This module also supports triggering tenant management tasks as CLI commands.
+
+### AppRouter
+
+The [AppRouter](https://www.npmjs.com/package/@sap/approuter), or an extended version of it, takes care of authenticating requests (using the XSUAA service) and routes the requests to the application servers or related services (e.g. HTML5 Application Repository Service).
+
+### SAP Fiori applications
+
+Multiple SAP Fiori frontend applications may connect to the CAP application backend. These UI5 applications are deployed to the HTML5 Application Repository Service and served from there. Similarly, the application may have content specific to other services which need to be deployed, like the Portal Service.
diff --git a/website/content/en/docs/concepts/operator-components/_index.md b/website/content/en/docs/concepts/operator-components/_index.md
new file mode 100644
index 0000000..39b1747
--- /dev/null
+++ b/website/content/en/docs/concepts/operator-components/_index.md
@@ -0,0 +1,23 @@
+---
+title: "CAP Operator Overview"
+linkTitle: "CAP Operator Overview"
+weight: 10
+type: "docs"
+description: >
+  An overview of the architecture
+---
+
+The CAP Operator is comprised of the following components
+
+1. **CAP Controller**: a native Kubernetes controller that reconciles custom resources which are defined as part of the operator
+2. **Web-hooks**: validating web-hooks to ensure consistency of custom resource objects submitted to kubernetes API server
+3. **Subscription Server**: web server for handling HTTP requests submitted by the BTP `saas-registry` service instances during tenant subscription (and unsubscribe)
+4. **MTX Job** _[DEPRECATED]_: wrapper component which enables execution of tenant lifecycle operations using `cds/mtx` module provided by CAP, as kubernetes Jobs. _This module is no longer required for applications using the newer `@sap/cds-mtxs` module._
+
+> Note: [`@sap/cds-mtx` is no longer supported with CDS 7](https://cap.cloud.sap/docs/releases/jun23#migration-from-old-mtx). The MTX Job component will be removed once support for older CDS version ends.
+
+The following diagram depicts how the main components interact when deployed to a cluster.
+
+![cluster-components](/img/block-cluster.png)
+
+The following pages provide further details about the CAP Operator components.
diff --git a/website/content/en/docs/concepts/operator-components/controller.md b/website/content/en/docs/concepts/operator-components/controller.md
new file mode 100644
index 0000000..61faac0
--- /dev/null
+++ b/website/content/en/docs/concepts/operator-components/controller.md
@@ -0,0 +1,23 @@
+---
+title: "Controller"
+linkTitle: "Controller"
+weight: 10
+type: "docs"
+description: >
+  Reconciliation of Custom Resource Objects
+---
+
+The CAP Controller is implemented using the [client-go](https://github.com/kubernetes/client-go) from Kubernetes, which provides the required tools and utilities to interact with the Kubernetes API server. It manages custom resources which are included with the operator.
+
+The controller uses `Informers` to watch certain resources and invokes registered event handlers when these resources are modified. To streamline the processing of such notifications, rate limiting queues are implemented which store the changes and allow processing of these items in independent reconciliation threads (go routines). Such a design allows sequential processing of the changed items and avoids conflicts.
+
+The following _namespaced_ Custom Resources have been defined to be reconciled by the CAP controller:
+
+- `CAPApplication`: defines a high level application, its domains and consumed BTP services
+- `CAPApplicationVersion`: defines a child resource of the `CAPApplication` which contains container images which will be used to deploy application components (workloads) of a specific version
+- `CAPTenant`: represents a child resource of the `CAPApplication` which corresponds to a BTP sub-account which has subscribed to the application
+- `CAPTenantOperation`: represents a provisioning, deprovisioning or upgrade operation on a tenant which is scheduled as a child resource of a `CAPTenant` and executed as a sequence of specified steps.
+
+> Parent-child relationships between custom resources are established by defining owner references for the children.
+
+![controller](/img/block-controller.png)
diff --git a/website/content/en/docs/concepts/operator-components/mtx-job.md b/website/content/en/docs/concepts/operator-components/mtx-job.md
new file mode 100644
index 0000000..fca4fe5
--- /dev/null
+++ b/website/content/en/docs/concepts/operator-components/mtx-job.md
@@ -0,0 +1,16 @@
+---
+title: "MTX Job"
+linkTitle: "MTX Job"
+weight: 30
+type: "docs"
+description: >
+  Executing `cds-mtx` routes as Kubernetes Jobs
+---
+
+CAP provides the [`cds/mtx`](https://cap.cloud.sap/docs/guides/multitenancy/old-mtx-apis) module which provides APIs (HTTP endpoints) for triggering tenant lifecycle operations like provisioning or upgrade. Even though these routes can be served from a deployment of the CAP application server, they consume considerably higher memory compared to application routes. It would be ideal to execute such operations, independent from the application server, as dedicated Kubernetes jobs which can be monitored. As the current `cds-mtx` version operates only as a web-server serving specific lifecycle routes, a trigger or wrapper is required which starts the `cds-mtx` server, executes the required lifecycle route with the given payload, and finally shuts down the server.
+
+MTX Job component was developed as such a wrapper which runs as a sidecar container within the job pod, along with the `cds-mtx` server, and manages the lifecycle operation. During the reconciliation of custom resource `CAPTenantOperation` which represents a tenant lifecycle operation, the controller creates Jobs where MTX Job is added as a sidecar to the `cds-mtx` server. The MTX Job component waits for the `cds-mtx` server to start, triggers the required lifecycle route, and waits for it to be completed. Finally, it shuts down the `cds-mtx` server and completes the job with the appropriate exit code. This is achieved using a `netcat` listener in the job pod template to allow the trigger to manage the mtx container by sending a dummy connect to the mtx pod (listener) and hence exit gracefully.
+
+MTX Job will connect to [XSUAA service](https://help.sap.com/viewer/5088c3bb02144e7782959bb1529ca70e/SHIP/en-US/9cde62c2d3a8440caae18f7dbcf68d4c.html) for a valid authentication token to trigger the required lifecycle operation.
+
+> Note: [`@sap/cds-mtx` is no longer supported with CDS 7](https://cap.cloud.sap/docs/releases/jun23#migration-from-old-mtx). This MTX Job component will be removed once support for older CDS version ends.
diff --git a/website/content/en/docs/concepts/operator-components/subscription-server.md b/website/content/en/docs/concepts/operator-components/subscription-server.md
new file mode 100644
index 0000000..f5d42ef
--- /dev/null
+++ b/website/content/en/docs/concepts/operator-components/subscription-server.md
@@ -0,0 +1,26 @@
+---
+title: "Subscription Server"
+linkTitle: "Subscription Server"
+weight: 20
+type: "docs"
+description: >
+  Integration with SaaS Provisioning Service
+---
+
+The Subscription Server handles HTTP requests from the [SaaS Provisioning Service](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/2cd8913a50bc4d3e8172f84bb4bfba20.html) for tenant subscription operations on CAP applications which have been installed in the cluster. 
+
+During the creation of a `saas-registry` service instance (in the provider sub-account) [callback URLs are configured](../../../usage/prerequisites/#saas-provisioning-service) which should point to the subscription server routes.
+
+When a consumer tenant subscribes to an application managed by the operator a subscription callback is received by the subscription server which then generates the `CAPTenant` custom resource object. 
+
+The subscription server returns an `Accepted` (202) response code and starts a routine/thread which keeps polling for the tenant status until the changes to the `CAPTenant` are then independently reconciled by the controller. 
+
+Once the tenant provisioning process has completed (or has failed), the tracking routine will return the appropriate status to the SaaS Registry via an asynchronous callback (by obtaining the necessary authorization token).
+
+
+![subscription](/img/block-subscription.png)
+
+
+([More details about asynchronous tenant subscription](https://controlcenter.ondemand.com/index.html#/knowledge_center/articles/2316430f7d804820934910db736cefbf).)
+
+Such an asynchronous processing allows us to avoid timeouts during synchronous calls, as well as schedule dedicated jobs (via `CAPTenantOperation`) for completion of the subscription and perform any further tasks required in the cluster (e.g. create a `VirtualService` corresponding to the tenant subdomain).
diff --git a/website/content/en/docs/configuration/_index.md b/website/content/en/docs/configuration/_index.md
new file mode 100644
index 0000000..13d58ba
--- /dev/null
+++ b/website/content/en/docs/configuration/_index.md
@@ -0,0 +1,20 @@
+---
+title: "Configuration"
+linkTitle: "Configuration"
+weight: 30
+type: "docs"
+tags: ["setup"]
+description: >
+  Configuration options
+---
+
+This page provides a list of environment variables used by the CAP Operator.
+
+### Controller
+
+- `CERT_MANAGER`: Specifies the certificate manager to be used for TLS certificates. Possible values are:
+  - `gardener`: [SAP Gardener Certificate Management](https://github.com/gardener/cert-management)
+  - `cert-manager.io`: [cert-manager.io cert-manager](https://github.com/cert-manager/cert-manager)
+- `DNS_MANAGER`: Specifies the External DNS Manager to be used. Possible values are:
+  - `gardener`: [SAP Gardener External DNS Manager](https://github.com/gardener/external-dns-management)
+  - `kubernetes`: [External DNS Management from Kubernetes](https://github.com/kubernetes-sigs/external-dns)
diff --git a/website/content/en/docs/installation/_index.md b/website/content/en/docs/installation/_index.md
new file mode 100644
index 0000000..295eb86
--- /dev/null
+++ b/website/content/en/docs/installation/_index.md
@@ -0,0 +1,10 @@
+---
+title: "Installation"
+linkTitle: "Installation"
+weight: 20
+type: "docs"
+description: >
+  How to install CAP Operator in a Kubernetes cluster
+---
+
+This page provides an overview of available methods to install the CAP Operator on a Kubernetes cluster.
diff --git a/website/content/en/docs/installation/helm-install.md b/website/content/en/docs/installation/helm-install.md
new file mode 100644
index 0000000..521c1da
--- /dev/null
+++ b/website/content/en/docs/installation/helm-install.md
@@ -0,0 +1,56 @@
+---
+title: "Using Helm"
+linkTitle: "Using Helm"
+weight: 20
+type: "docs"
+tags: ["setup"]
+description: >
+  How to deploy using Helm chart
+---
+
+The recommended way to install the CAP operator components is using the [Helm chart](https://github.com/sap/cap-operator-lifecycle/tree/main/chart) which is published in as an OCI package here: oci://ghcr.io/sap/cap-operator-helm/cap-operator.
+
+To install create a namespace and helm install the chart into it. You need to supply your `domain` and the `dnsTarget` of your subscription server, either as command line parameter or with a values file:
+
+Command line parameters:
+
+```bash
+kubectl create namespace cap-operator-system
+helm upgrade -i -n cap-operator-system cap-operator oci://ghcr.io/sap/cap-operator-helm/cap-operator --set subscriptionServer.domain=cap-operator.<CLUSTER-DOMAIN> --set subscriptionServer.dnsTarget=public-ingress.<CLUSTER-DOMAIN>
+```
+
+Values file:
+
+```bash
+kubectl create namespace cap-operator-system
+helm upgrade -i -n cap-operator-system cap-operator oci://ghcr.io/sap/cap-operator-helm/cap-operator -f my-cap-operator-values.yaml
+```
+
+with a values file `my-cap-operator-values.yaml` like
+
+```yaml
+subscriptionServer:
+    dnsTarget: public-ingress.<CLUSTER-DOMAIN>
+    domain: cap-operator.<CLUSTER-DOMAIN>   
+```
+
+Note:
+This uses your existing docker credentials, if any. Alternatively, you can pass the desired credentials with options `username` and `password`:
+
+```bash
+ helm upgrade -i -n cap-operator-system cap-operator oci://ghcr.io/sap/cap-operator-helm/cap-operator --set subscriptionServer.domain=cap-operator.<CLUSTER-DOMAIN> --set subscriptionServer.dnsTarget=public-ingress.<CLUSTER-DOMAIN> --username <ARTIFACTORY-USER> --password <ARTIFACTORY-API-TOKEN>
+```
+
+To utilize the [local version](https://github.com/sap/cap-operator-lifecycle/tree/main/chart), use
+
+```bash
+helm upgrade -i -n cap-operator-system cap-operator PATH_TO_CAP_OPERATOR_LIFECYCLE_REPOSITORY/chart --set subscriptionServer.domain=cap-operator.<CLUSTER-DOMAIN> --set subscriptionServer.dnsTarget=public-ingress.<CLUSTER-DOMAIN>
+```
+
+or
+
+```bash
+helm upgrade -i -n cap-operator-system cap-operator PATH_TO_CAP_OPERATOR_LIFECYCLE_REPOSITORY/chart -f my-values.yaml
+```
+
+{{% include "includes/chart-values.md" %}}
diff --git a/website/content/en/docs/installation/prerequisites.md b/website/content/en/docs/installation/prerequisites.md
new file mode 100644
index 0000000..afed244
--- /dev/null
+++ b/website/content/en/docs/installation/prerequisites.md
@@ -0,0 +1,30 @@
+---
+title: "Prerequisites"
+linkTitle: "Prerequisites"
+weight: 10
+type: "docs"
+description: >
+  How to prepare the cluster before installing CAP Operator
+---
+
+It is recommended to use a [Gardener](https://gardener.cloud/) managed cluster for deploying CAP applications managed using the CAP Operator.
+
+The Kubernetes cluster must be setup with the following prerequisites before installing the CAP Operator.
+
+##### [Istio](https://istio.io/latest/docs/concepts/traffic-management/) (version >= 1.12)
+
+Istio Service Mesh is used for HTTP traffic management. The CAP Operator creates Istio resources for managing incoming HTTP requests to the application as well as for routing requests on specific (tenant) subdomains.
+
+> It is required to determine the public ingress gateway subdomain and the overall shoot domain for the system and specify them in the [Chart values](../../installation/helm-install/#values)
+
+##### [cf-service-operator](https://sap.github.io/cf-service-operator/docs/) or [sap-btp-service-operator](https://github.com/SAP/sap-btp-service-operator)
+
+These operators can be used for managing SAP BTP service instances and service bindings from within the Kubernetes cluster.
+
+> Due to unavailability of certain BTP services for Kubernetes platforms, it is recommended to use the [cf-service-operator](https://github.com/sap/cf-service-operator/) which creates the services for a Cloud Foundry space and injects the required access credentials as secrets into the Kubernetes cluster.
+
+> Please note that service credentials added as Kubernetes Secrets to a namespace, by these operators, supports additional metadata. If you do not use this feature of these operators, it is also required that you use `secretKey: credentials` in the spec of these operators to ensure the service credentials retain any JSON data as it is. **It is recommended to use `secretKey`, even when credential metadata is available to reduce the overhead of interpreting parsing multiple JSON attributes.**
+
+##### [SAP Gardener Certificate Management](https://github.com/gardener/cert-management)
+
+This component is available in clusters managed by SAP Gardener and will be used to manage TLS Certificates and issuers. SAP Gardener manages encryption, issuing and signing of certificates. Alternatively, [cert-manager.io cert-manager](https://github.com/cert-manager/cert-manager) can be used.
diff --git a/website/content/en/docs/reference/_index.md b/website/content/en/docs/reference/_index.md
new file mode 100644
index 0000000..ea2b46e
--- /dev/null
+++ b/website/content/en/docs/reference/_index.md
@@ -0,0 +1,10 @@
+---
+title: "Reference"
+linkTitle: "Reference"
+weight: 99
+type: "docs"
+description: >
+  API reference
+---
+
+{{% include "includes/api-reference.html" %}}
diff --git a/website/content/en/docs/support/_index.md b/website/content/en/docs/support/_index.md
new file mode 100644
index 0000000..91b4302
--- /dev/null
+++ b/website/content/en/docs/support/_index.md
@@ -0,0 +1,19 @@
+---
+title: Support
+linkTitle: "Support"
+weight: 95
+type: "docs"
+description: >
+  How to get Support
+---
+
+Reach out to the project team and the project community via the communication channels listed below.
+
+To report a bug, please create an [issue](https://github.com/sap/cap-operator/issues).
+
+See anything missing? Please let us know or [raise a PR](https://github.com/sap/cap-operator/pulls).
+
+## Communication Channels
+
+- Issues: [GitHub](https://github.com/sap/cap-operator/issues)
+- Email: [CAP Operator](mailto:cap-operator@sap.com)
\ No newline at end of file
diff --git a/website/content/en/docs/troubleshoot/_index.md b/website/content/en/docs/troubleshoot/_index.md
new file mode 100644
index 0000000..9340699
--- /dev/null
+++ b/website/content/en/docs/troubleshoot/_index.md
@@ -0,0 +1,80 @@
+---
+title: "Troubleshooting"
+linkTitle: "Troubleshooting"
+weight: 90
+type: "docs"
+description: >
+  Common issues and how to solve them
+---
+
+**Usage of @sap/cds-mtxs library for multitenancy**
+
+> By default, the CAP Operator utilizes the `@sap/cds-mtxs` library. However, you can disable this by setting the IS_MTXS_ENABLED environment variable to "false" in the TenantOperation workload, in which case the old `@sap/cds-mtx` library based wrapper job will be used instead. As mentioned in the CAP documentation, [`@sap/cds-mtx` is no longer supported with CDS 7](https://cap.cloud.sap/docs/releases/jun23#migration-from-old-mtx). The MTX Job component will be removed once support for older CDS version ends.
+
+The CAP Operator supports usage of `@sap/cds-mtxs` (which is the replacement for the former `@sap/cds-mtx` library) from CAP by default.
+
+This enables us to get rid of our [wrapper implementation](../concepts/operator-components/mtx-job/) and instead use built-in (into `@sap/cds-mtxs`) cli based handling for tenant operations during provisioning, deprovisioning and upgrading tenants.
+
+As of now for the usage of this new library you may (depending on your k8s cluster hardening setup) need to add additional `securityContext` for the `TenantOperation` and also `CAP` workloads as shown in the sample below. 
+
+``` yaml
+ - name: tenant-job
+    consumedBTPServices:
+    - "{{ include "xsuaaInstance" . }}"
+    - "{{ include "serviceManagerInstance" . }}"
+    - "{{ include "saasRegistryInstance" . }}"
+    jobDefinition:
+      type: TenantOperation
+      env:
+      - name: CDS_ENV
+        value: production
+      - name: CDS_MTX_PROVISIONING_CONTAINER
+        value: '{ "provisioning_parameters": { "database_id": "16e25c51-5455-4b17-a4d7-43545345345" } }'
+      image: "some.repo.example.com/cap-app/server"
+      securityContext: # needed until CAP resolves issue with folder creation in the root dir of the app container at runtime
+        runAsUser: 1000
+```
+
+**Secret/credential handling for different workloads of the CAP Operator**
+
+Libraries like `xsenv`/`cds`(CAP) handle credentials differently in different environments (CF, K8s) and on K8s when using credential data directly from secrets, any JSON data type information related to the data values may get lost and lead to inconsistencies.
+
+This issue is now addressed by the SAP Service Binding Specification, which mandates the addition of metadata to these secrets. Both `btp-service-operator` and `cf-service-operator` supports the addition of metadata. But, in case this feature is not used in your clusters, the CAP Operator avoids inconsistencies by creating `VCAP_SERVICES` environment variable across all workloads and expects all BTP services credentials to be available in Kubernetes secrets under a key `credentials`.
+
+This can be achieved using the `secretKey` property for a `ServiceBinding` created using `btp-service-operator` or `cf-service-operator`, e.g.:
+
+```
+apiVersion: cf.cs.sap.com/v1alpha1
+kind: ServiceBinding
+metadata:
+  name: uaa
+  namespace: demo
+spec:
+  serviceInstanceName: uaa
+  name: app-uaa
+  secretKey: credentials
+```
+
+>  It is recommended to use `secretKey`, even when credential metadata is available to reduce the overhead of interpreting parsing multiple JSON attributes.
+
+**HTTP requests reaching the AppRouter are not getting forwarded to the application server (pods)**
+
+The AppRouter component maps incoming requests to destinations (applications or services) which have been configured. If you are using an `xs-app.json` file with your AppRouter to specify route mapping to various destinations, ensure that the `destinationName` property for the CAP backend is specified in the corresponding CAPApplicationVersion configuration. The CAP operator will inject this destination to the AppRouter pods (via environment variables).
+
+
+**HTTP requests are timing out in the AppRouter for long running operations in backend workload**
+
+If your backend service is known to take a long time, configure the `destinations` environment variable on the AppRouter component to set the desired timeout configuration for that destination (`destinationName`). The CAP Operator will just overwrite the URL part of that destination to point to the right workload, remaining settings are taken over exactly as configured.
+
+**Recommended AppRouter version**
+
+Use `@sap/approuter` version `14.x.x` (or higher).
+
+**CAP Operator resources cannot be deleted in the k8s cluster/namespace**
+
+All custom resource objects (CROs) created by the CAP Operator are protected with `finalizers` to ensure proper cleanup takes place.
+For instance, when deleting a `CAPApplication` CRO any existing tenants would be deprovisioned automatically to avoid inconsistenties. Once the deprovisioning is successful the corresponding CROs would be removed automatically.
+The provider `CAPTenant` resource cannot be deleted while before deleting a consistent `CAPApplication`.
+_NOTE_: The CAP operator needs the `secrets` from service instances/bindings to exist for the entire lifecycle of the cap application. Removing the service instances/bindings i.e. the secrets from the cluster while the CAP application related CROs still exist would cause leftover resources in cluster (and perhaps the db). Recovering from such inconsistent states might not even be possible.
+Such a situation can easily arise when using `helm` delete/uninstall as the order of deletion of resouces is not configurable. We recommend you do this with care.
+It is important to ensure that the secrets from service instance/bindings are not deleted before any CAP application that consumes those secrets is completely removed.
diff --git a/website/content/en/docs/usage/_index.md b/website/content/en/docs/usage/_index.md
new file mode 100644
index 0000000..5b7ea62
--- /dev/null
+++ b/website/content/en/docs/usage/_index.md
@@ -0,0 +1,8 @@
+---
+title: "Usage"
+linkTitle: "Usage"
+weight: 40
+type: "docs"
+description: >
+  Managing application with the CAP Operator
+---
diff --git a/website/content/en/docs/usage/deploying-application.md b/website/content/en/docs/usage/deploying-application.md
new file mode 100644
index 0000000..056280c
--- /dev/null
+++ b/website/content/en/docs/usage/deploying-application.md
@@ -0,0 +1,127 @@
+---
+title: "Deploying a CAP Application"
+linkTitle: "Deploying a CAP Application"
+weight: 20
+type: "docs"
+description: >
+  How to deploy a new CAP based application
+---
+
+Just by defining two resources provided by the CAP Operator, namely `capapplications.sme.sap.com` and `capapplicationversions.sme.sap.com`, it possible to deploy a multi-tenant CAP application and start using it. These resources are _namespaced_ and so the CAP Operator will create all related resources (deployments, gateways, jobs etc.) within the same namespace.
+
+The object, `CAPApplication`, describes the high level attributes of an application like the BTP account where it is hosted, consumed BTP services, domains where the application routes will be made available etc. See [API Reference](../../reference/#sme.sap.com/v1alpha1.CAPApplication).
+
+```yaml
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  name: cap-app-01
+  namespace: cap-app-01
+spec:
+  btpAppName: cap-app-01 # <-- short name (similar to BTP XSAPPNAME)
+  btp:
+    services:
+      - class: xsuaa # <-- BTP service technical name
+        name: app-uaa # <-- name of the service instance
+        secret: cap-app-01-uaa-bind-cf # <-- secret containing the credentials to access the service existing in the same namespace
+      - class: saas-registry
+        name: app-saas-registry
+        secret: cap-app-01-saas-bind-cf
+      - class: service-manager
+        name: app-service-manager
+        secret: cap-app-01-svc-man-bind-cf
+      - class: destination
+        name: app-destination
+        secret: cap-app-01-dest-bind-cf
+      - class: html5-apps-repo
+        name: app-html5-repo-host
+        secret: cap-app-01-html5-repo-bind-cf
+      - class: html5-apps-repo
+        name: app-html5-repo-runtime
+        secret: cap-app-01-html5-rt-bind-cf
+      - class: portal
+        name: app-portal
+        secret: cap-app-01-portal-bind-cf
+  domains:
+    istioIngressGatewayLabels: # <-- labels used to identify the istio ingress gateway (the values provided here are the default values)
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: "cap-app-01.cluster.shoot.url.k8s.example.com" # <-- primary domain where the application is exposed. Each tenant will have access to a subdomain of this domain. Ensure that this is at most 62 chars long.
+    secondary:
+      - "alt.shoot.example.com"
+  globalAccountId: global-account-id
+  provider:
+    subDomain: cap-app-01-provider
+    tenantId: e55d7b5-279-48be-a7b0-aa2bae55d7b5
+```
+
+The object, `CAPApplicationVersion`, describes the different components of an application version including the container images to be used and the services consumed by each component. See [API Reference](../../reference/#sme.sap.com/v1alpha1.CAPApplicationVersion).
+
+The `CAPApplicationVersion` must be created in the same namespace as the `CAPApplication` and refers to it.
+
+```yaml
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  name: cav-cap-app-01-1
+  namespace: cap-app-01
+spec:
+  capApplicationInstance: cap-cap-app-01 # <-- reference to CAPApplication in the same namespace
+  version: "1" # <-- semantic version
+  registrySecrets:
+    - regcred
+  workloads:
+    - name: cap-backend
+      consumedBTPServices: # <-- these are services used by the application server (already defines as part of CAPApplication resource). Corresponding credential secrets will be mounted onto the component pods as volumes.
+        - app-uaa
+        - app-service-manager
+        - app-saas-registry
+      deploymentDefinition:
+        type: CAP # <-- indicates the CAP application server
+        image: app.some.repo.example.com/srv/server:0.0.1
+        env:
+          - name: CDS_ENV
+            value: production
+          - name: CDS_MTX_PROVISIONING_CONTAINER
+            value: '{"provisioning_parameters": { "database_id": "16e25c51-5455-4b17-a4d7-43545345345"}}'
+    - name: app-router
+      consumedBTPServices:
+        - app-uaa
+        - app-destination
+        - app-saas-registry
+        - app-html5-repo-runtime
+        - app-portal
+      deploymentDefinition:
+        type: Router
+        image: app.some.repo.example.com/approuter/approuter:0.0.1
+        env:
+          - name: PORT
+            value: 4000
+          - name: TENANT_HOST_PATTERN
+            value: "^(.*).(cap-app-01.cluster.shoot.canary.k8s-hana.ondemand.co|alt.shoot.example.com)"
+    - name: service-content
+      consumedBTPServices:
+        - app-uaa
+        - app-html5-repo-host
+        - app-portal
+      jobDefinition:
+        type: Content
+        image: app.some.repo.example.com/approuter/content:0.0.1
+        backoffLimit: 1
+```
+
+> NOTE: The above example is a minimal `CAPApplicationVersion` that may be deployed. For more supported configuration and their explanations, see [here](../resources/capapplicationversion).
+
+The controller component of the CAP Operator reacts to these objects and creates further resources which constitute a running application:
+
+- Deployment (and service) for the application server with credentials (from secrets) to access BTP services injected as `VCAP_SERVICES` environment variable
+- Deployment (and service) for the AppRouter with destination mapping to the application server and subscription server (for the tenant provisioning route)
+- Job for the version content deployer
+- TLS Certificates for provided domains using either [SAP Gardener cert-management](https://github.com/gardener/cert-management) or [cert-manager.io cert-manager](https://github.com/cert-manager/cert-manager)
+- Istio Gateway resource for the application domains
+
+> The content deployer is used to deploy content or configuration to BTP services, before using them.
+
+Once these resources are available, the `CAPApplicationVersion` status changes to `Ready`. **The controller then proceeds to automatically create an object of type `CAPTenant` which corresponds to the tenant of the provider sub-account.** Please see the page on [tenant subscription]({{< ref "/tenant-provisioning.md" >}}) for details on how the `CAPTenant` resource is reconciled.
diff --git a/website/content/en/docs/usage/prerequisites.md b/website/content/en/docs/usage/prerequisites.md
new file mode 100644
index 0000000..380f52a
--- /dev/null
+++ b/website/content/en/docs/usage/prerequisites.md
@@ -0,0 +1,105 @@
+---
+title: "Prerequisites"
+linkTitle: "Prerequisites"
+weight: 10
+type: "docs"
+description: >
+  What to do before deploying a new CAP Application
+---
+
+### Prepare BTP Global Account and Provider Subaccount
+
+CAP based applications make use of various BTP services which are created in a Provider Subaccount. So, before the application can be deployed, it is required to create a Global Account and assign the required services which will be used. You can do this using [SAP BTP Control Center](https://controlcenter.ondemand.com/index.html). Once this is done, a Provider Subaccount needs to be created, where the required service instances can be created.
+
+### Create Service Instances and Bindings
+
+A multi-tenant CAP based application will need to consume the following BTP services. While creating these service instances, some of the parameters supplied require special attention. Service Keys (Bindings) are then created to generate access credentials, which in turn should be provided as Kubernetes Secrets in the namespace where the application is being deployed.
+
+Other services (not listed here) may also be used depending on the requirement (e.g. HTML5 Repository Service, Business Logging etc.).
+
+> IMPORTANT: Due to limited availability of BTP services on Kubernetes, certain services will need to be created by enabling Cloud Foundry for the provider subaccount. We recommend to use the [cf-service-operator](https://sap.github.io/cf-service-operator/docs/) for managing the Service Instances and Service Bindings directly from within the Kubernetes cluster. Based on the Service Bindings, it automatically generates the secrets containing the service access credentials.
+
+##### XSUAA Service
+
+The parameter `oauth2-configuration.redirect-uris` must include the domain used by the application. As an example based on the cluster setup this url may have the form `https://*<application-specific-prefix>.<cluster-id>.<gardener-project-id>.shoot.url.k8s.example.com/**`.
+
+Scope required to make asynchronous tenant subscription operations need to be included. Additionally, check the [CAP Multi-tenancy](https://cap.cloud.sap/docs/java/multitenancy#xsuaa-mt-configuration) documentation for additional scopes which are required.
+
+```yaml
+parameters:
+  authorities:
+    - $XSAPPNAME.mtcallback
+    - $XSAPPNAME.mtdeployment
+  oauth2-configuration:
+    redirect-uris:
+      - https://*my-cap-app.cluster-x.my-project.shoot.url.k8s.example.com/**
+  role-collections:
+    ...
+  role-templates:
+    ...
+  scopes:
+    - description: UAA
+      name: uaa.user
+    - description: With this scope set, the callbacks for tenant onboarding, offboarding and getDependencies can be called
+      grant-as-authority-to-apps:
+        - $XSAPPNAME(application,sap-provisioning,tenant-onboarding)
+      name: $XSAPPNAME.Callback
+    - description: Async callback to update the saas-registry (provisioning succeeded/failed)
+      name: $XSAPPNAME.subscription.write
+    - description: Deploy applications
+      name: $XSAPPNAME.mtdeployment
+    - description: Subscribe to applications
+      grant-as-authority-to-apps:
+        - $XSAPPNAME(application,sap-provisioning,tenant-onboarding)
+      name: $XSAPPNAME.mtcallback
+    ...
+```
+When using mulitple xsuaa service instances in the app (e.g. one for the `application` and other `apiaccess`). The primary xsuaa instance can be set using the annotation: "sme.sap.com/primary-xsuaa" with the value being the `name` of the service instance, as shown below:
+
+```yaml
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  annotations:
+    "sme.sap.com/primary-xsuaa": "my-cap-app-uaa" # This let's the CAP Operator determine/use the right UAA instance for the application.
+  name: test-cap-01
+  ...
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: my-cap-app-uaa-api
+        secret: my-cap-app-uaa-api-bind-cf
+      - class: xsuaa
+        name: my-cap-app-uaa
+        secret: my-cap-app-uaa-bind-cf
+      - class: saas-registry
+        name: my-cap-app-saas-registry
+        secret: my-cap-app-saas-bind-cf
+      ...
+  btpAppName: my-cap-app
+  ...
+```
+
+##### SaaS Provisioning Service
+
+When creating an instance of the SaaS Provisioning Service, it should be configured to use asynchronous tenant subscription callbacks. See [here](https://controlcenter.ondemand.com/index.html#/knowledge_center/articles/f239e5501a534b64ab5f8dde9bd83c53) for more details.
+
+```yaml
+parameters:
+  appName: <short-application-name>
+  appUrls:
+    callbackTimeoutMillis: 300000 # <-- used to fail subscription process when no response is received
+    getDependencies: https://<provider-subaccount-subdomain>.<cap-app-name>.cluster-x.my-project.shoot.url.k8s.example.com/callback/v1.0/dependencies # <-- handled by the application
+    onSubscription: https://<cap-operator-subscription-server-domain>/provision/tenants/{tenantId} # <-- the /provision route is forwarded directly to the CAP Operator (Subscription Server) and should be specified as such
+    onSubscriptionAsync: true
+    onUnSubscriptionAsync: true
+```
+
+##### SAP HANA Cloud
+
+A SAP HANA Cloud instance (preferably shared and accessible from the provider subaccount) is required. The Instance ID of the database must be noted for usage in relevant workloads. SAP HANA Schemas & HDI Containers service should also be entitled for the provider subaccount.
+
+##### Service Manager
+
+The Service Manager Service allows CAP to retrieve schema (tenant) specific credentials to connect to the HANA database.
diff --git a/website/content/en/docs/usage/resources/_index.md b/website/content/en/docs/usage/resources/_index.md
new file mode 100644
index 0000000..acf49d7
--- /dev/null
+++ b/website/content/en/docs/usage/resources/_index.md
@@ -0,0 +1,8 @@
+---
+title: "Resources"
+linkTitle: "Resources"
+weight: 50
+type: "docs"
+description: >
+  Detailed configuration of resources managed by the the CAP Operator
+---
diff --git a/website/content/en/docs/usage/resources/capapplication.md b/website/content/en/docs/usage/resources/capapplication.md
new file mode 100644
index 0000000..4f83066
--- /dev/null
+++ b/website/content/en/docs/usage/resources/capapplication.md
@@ -0,0 +1,67 @@
+---
+title: "CAPApplication"
+linkTitle: "CAPApplication"
+weight: 10
+type: "docs"
+description: >
+  How to configure the `CAPApplication` resource
+---
+
+The below example shows a fully configured `CAPApplication`:
+
+```yaml
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplication
+metadata:
+  name: cap-app
+  namespace: cap-ns
+spec:
+  btp:
+    services:
+      - class: xsuaa
+        name: cap-uaa
+        secret: cap-uaa-bind
+      - class: saas-registry
+        name: cap-saas-reg
+        secret: cap-saas-reg-bind
+      - class: service-manager
+        name: cap-service-manager
+        secret: cap-svc-man-bind
+      - class: destination
+        name: cap-destination
+        secret: cap-bem-02-dest-bind
+      - class: html5-apps-repo
+        name: cap-html5-repo-host
+        secret: cap-html5-repo-bind
+      - class: html5-apps-repo
+        name: cap-html5-repo-runtime
+        secret: cap-html5-rt-bind
+      - class: portal
+        name: cap-portal
+        secret: cap-portal-bind
+      - class: business-logging
+        name: cap-business-logging
+        secret: cap-business-logging-bind
+  btpAppName: cap-app
+  domains:
+    istioIngressGatewayLabels: # <-- labels used to identify Load Balancer service used by Istio
+      - name: app
+        value: istio-ingressgateway
+      - name: istio
+        value: ingressgateway
+    primary: cap-app.cluster.project.shoot.url.k8s.example.com
+    secondary:
+      - alt-cap.cluster.project.shoot.url.k8s.example.com
+  globalAccountId: 2dddd48d-b45f-45a5-b861-a80872a0c8a8
+  provider: # <-- provider tenant details
+    subDomain: cap-app-provider
+    tenantId: 7a49218f-c750-4e1f-a248-7f1cefa13010
+```
+
+The overall list of BTP service instances and respective secrets (credentials) required by the application is specified as an array in `btp.services`. These service instances are assumed to exist in the provider sub-account. Operators like [cf-service-operator](https://sap.github.io/cf-service-operator/docs/) or [sap-btp-service-operator](https://github.com/SAP/sap-btp-service-operator) can be used to declaratively create these service instances and their credentials as Kubernetes resources.
+
+The `provider` section specifies details of the provider sub-account linked to this application, while `globalAccountId` denotes the global account in which the provider sub-account is created. Within a global account the `btpAppName` has to be unique as this is equivalent to `XSAPPNAME` which is used in various BTP service and application constructs.
+
+The `domains` section provides details of where the application routes are exposed. Within a SAP Gardener cluster the primary application domain is a subdomain of the cluster domain, and Gardener [cert-management](https://github.com/gardener/cert-management) will be used to request a wildcard TLS certificate for the primary domain. Additional secondary domains may also be specified (e.g. for customer specific domains) for the application.
+
+`istioIngressGatewayLabels` are key-value pairs (string) used to identify the ingress controller component of Istio and the related Load Balancer service. These values are configured during installation of Istio service mesh in the cluster.
diff --git a/website/content/en/docs/usage/resources/capapplicationversion.md b/website/content/en/docs/usage/resources/capapplicationversion.md
new file mode 100644
index 0000000..b1b5243
--- /dev/null
+++ b/website/content/en/docs/usage/resources/capapplicationversion.md
@@ -0,0 +1,318 @@
+---
+title: "CAPApplicationVersion"
+linkTitle: "CAPApplicationVersion"
+weight: 20
+type: "docs"
+description: >
+  How to configure the `CAPApplicationVersion` resource
+---
+
+The `CAPApplicationVersion` has the following high level structure:
+
+```yaml
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  name: cav-cap-app-v1
+  namespace: cap-ns
+spec:
+  version: 3.2.1 # <-- semantic version (should be unique within the versions of a CAP application)
+  capApplicationInstance: cap-app
+  registrySecrets: # <-- image pull secrets to be used in the workloads
+    - regcred
+  workloads: # <-- define deployments and jobs used for this application version
+    - name: "cap-backend"
+      deploymentDefinition: # ...
+      consumedBTPServices: # ...
+    - name: "app-router"
+      deploymentDefinition: # ...
+      consumedBTPServices: # ...
+    - name: "service-content"
+      jobDefinition: # ...
+      consumedBTPServices: # ...
+    - name: "mtx-runner"
+      jobDefinition: # ...
+      consumedBTPServices: # ...
+  tenantOperations: # ... <-- (optional)
+```
+
+- An instance of `CAPApplicationVersion` is always related to an instance of `CAPApplication` in the same namespace. This reference is established using the attribute `capApplicationInstance`.
+- An array of workloads (`workloads`) should be defined which include the various software components of the CAP application. A deployment representing the CAP application server or a job which is used for tenant operations are examples of such workloads. A workload should have either a `deploymentDefinition` or a `jobDefinition`. See the next section for more details.
+- An optional attribute `tenantOperations` can be used to define a sequence of steps (jobs) to be executed during tenant operations (provisioning / upgrade / deprovisioning).
+
+### Workloads with `deploymentDefinition`
+
+```yaml
+name: cap-backend
+consumedBTPServices: # <-- an array of service instance names referencing the BTP services defined in the CAPApplication resource
+  - cap-uaa
+  - cap-saas-reg
+deploymentDefinition:
+  type: CAP # <-- possible values are CAP / Router / Additional
+  image: some.repo.example.com/cap-app/server:3.22.11 # <-- container image
+  env: # <-- (optional) same as in core v1 pod.spec.containers.env
+    - name: SAY
+      value: "I'm GROOT"
+  replicas: 3 # <-- (optional) replicas for scaling
+  ports:
+    - name: app-port
+      port: 4004
+      routerDestinationName: cap-server-url
+    - name: tech-port
+      port: 4005
+```
+
+The `type` of the deployment is important to indicate how the operator should handle this workload (for example, injection of `destinations` to be used by the AppRouter). Valid values are:
+
+- `CAP` to indicate a CAP application server. Only one workload of this type can be used at present.
+- `Router` to indicate a version of [AppRouter](https://www.npmjs.com/package/@sap/approuter). Only one workload of this type can be used.
+- `Additional` to indicate supporting components which can be deployed along with the CAP application server.
+
+Optional attributes like `replicas`, `env`, `resources`, `probes`, `securityContext` and `ports` can be defined to configure the deployment.
+
+#### Port configuration
+
+It is possible to define which (and how many) ports exposed by a deployment container are exposed inside the cluster (via. services of type `ClusterIP`). The port definition includes a `name` in addition to the `port` number being exposed.
+
+For `deploymentDefinition`, other than type `Router` it would be possible to specify a `routerDestinationName` which would be used as a named `destination` injected into the AppRouter.
+
+The port configurations are not mandatory and can be omitted. This would mean that the operator will configure services using defaults. The following defaults are applied in case port configuration is omitted:
+
+- For workload of type `CAP`, the default port used by CAP, `4004`, will be added to the service and a destination with name `srv-api` will be added to the AppRouter referring to this service port (any existing `destinations` env configuration for this workload will be taken over by overwriting the `URL`).
+- For workload of type `Router`, the port `4000` will be exposed in the service. This service will be used as the target for HTTP traffic reaching the application domain (domains are specified within the `CAPApplication` resource).
+
+> NOTE: If multiple ports are configured for a workload of type `Router`, the first available port will be used to target external traffic to the application domain.
+
+### Workloads with `jobDefinition`
+
+```yaml
+workloads:
+  # ... deployment workloads have been omitted in this example
+  - name: "content-deployer"
+    consumedServices: # ...
+    jobDefinition:
+      type: Content
+      image: some.repo.example.com/cap-app/content:1.0.1
+  - name: "mtx-runner"
+    consumedServices: # ...
+    jobDefinition:
+      type: TenantOperation
+      image: some.repo.example.com/cap-app/server:3.22.11
+      backoffLimit: 2 # <-- determines retry attempts for the job on failure (default is 6)
+      ttlSecondsAfterFinished: 300 # <-- the job will be cleaned up after this duration
+      env:
+        - name: CDS_ENV
+          value: production
+        - name: CDS_MTX_PROVISIONING_CONTAINER
+          value: '{"provisioning_parameters": { "database_id": "16e25c51-5455-4b17-a4d7-43545345345"}}'
+  - name: "notify-upgrade"
+    consumedServices: # ...
+    jobDefinition:
+      type: CustomTenantOperation
+      image: # ...
+      command: ["npm", "run", "notify:upgrade"] # <-- custom entry point for the container allows reuse of a container image with multiple entry points
+      backoffLimit: 1
+  - name: "create-test-data"
+    consumedServices: # ...
+    jobDefinition:
+      type: CustomTenantOperation
+      image: # ...
+      command: ["npm", "run ", "deploy:testdata"]
+```
+
+Workloads with a `jobDefinition` represent a job execution at a particular point in the lifecycle of the application or tenant. The following values are allowed for `type` in such workloads:
+
+- `Content`: A content deployer job which can be used to deploy (BTP) service specific content from the application version. This job is executed as soon as a new `CAPApplicationVersion` resource is created in the cluster. A workload of this type is required in a `CAPApplicationVersion`.
+- `TenantOperation`: A job executed during provisioning, upgrade or deprovisioning of a tenant (`CAPTenant`). These jobs are controlled by the operator and uses the `cds/mtxs` APIs to perform HDI content deployment by default. In order to use `cds/mtx` APIs for HDI content deployment, set environment variable `IS_MTXS_ENABLED` to `"false"` on the `TenantOperation` job. In case a workload of type `TenantOperation` is not provided as part of the `CAPApplicationVersion`, the workload with `deploymentDefinition` of type `CAP` will be used to determine the `jobDefinition` (`image`, `env`, etc. will be used and in such cases to trigger deployment via `cds/mtx` APIs, the environment variable `IS_MTXS_ENABLED` should be set in the `CAP` workload). Also if `cds/mtxs` APIs are used, `command` can be used by applications to trigger tenant operations with custom command.
+- `CustomTenantOperation`: An optional job which runs before or after the `TenantOperation` where the application can perform tenant specific tasks (for example, create test data).
+
+> NOTE: `command` will be ignored for workloads of type `TenantOperation` (for non mtxs based scenarios) as this is controlled by the operator. Also, [`@sap/cds-mtx` is no longer supported with CDS 7](https://cap.cloud.sap/docs/releases/jun23#migration-from-old-mtx).
+
+### Sequencing tenant operations
+
+A tenant operation refers to `provisioning`, `upgrade` or `deprovisioning` which are executed in the context of a CAP application for individual tenants (i.e. using the `cds/mtx` or similar modules provided by CAP). Within the `workloads` we have already defined two types of jobs which are valid for such operations, namely `TenantOperation` and `CustomTenantOperation`.
+
+The `TenantOperation` is mandatory for all tenant operations.
+
+In addition, you can choose which `CustomTenantOperation` jobs shall be run for a specific operation and in which order. For example, a `CustomTenantOperation` deploying test data to the tenant database schema would need to run during `provisioning`, but should not during `deprovisioning`.
+
+The field `tenantOperations` specifies which jobs are executed during the different tenant operations and what order they are executed in.
+
+```yaml
+spec:
+  workloads: # ...
+  tenantOperations:
+    provisioning:
+      - workloadName: "mtx-runner"
+      - workloadName: "create-test-data"
+    upgrade:
+      - workloadName: "notify-upgrade"
+        continueOnFailure: true # <-- indicates the overall operation may proceed even if this step fails
+      - workloadName: "mtx-runner"
+      - workloadName: "create-test-data"
+    # <-- as the deprovisioning steps are not specified, only the `TenantOperation` workload (first available) will be executed
+```
+
+In the above example, for each tenant operation, not only are the valid jobs (steps) specified, but also the order in which they are to be executed. Each step in an operation is defined with:
+
+- `workloadName`refers to the job workload executed in this operation step
+- `continueOnFailure` is valid only for `CustomTenantOperation` steps and indicates whether the overall tenant operation can proceed when this operation step fails.
+
+> NOTE:
+>
+> - Specifying `tenantOperations` is required only in case `CustomTenantOperations` are to be used. If not specified, each operation will comprise of only the `TenantOperation` step (the first one available from `workloads`).
+> - The `tenantOperations`, and specified sequencing are valid only for tenants provisioned (or deprovisioned) on the corresponding `CAPApplicationVersion` and for tenants being upgraded to this `CAPApplicationVersion`.
+
+### Full Example
+
+```yaml
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  name: cav-cap-app-v1
+  namespace: cap-ns
+spec:
+  version: 3.2.1
+  capApplicationInstance: cap-app
+  registrySecrets:
+    - regcred
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - cap-uaa
+        - cap-service-manager
+        - cap-saas-reg
+      deploymentDefinition:
+        type: CAP
+        image: some.repo.example.com/cap-app/server:3.22.11
+        env:
+          - name: CDS_ENV
+            value: production
+          - name: CDS_MTX_PROVISIONING_CONTAINER
+            value: '{"provisioning_parameters": { "database_id": "16e25c51-5455-4b17-a4d7-43545345345"}}'
+        replicas: 3
+        ports:
+          - name: app-port
+            port: 4004
+            routerDestinationName: cap-server-url
+          - name: tech-port
+            port: 4005
+            appProtocol: grpc
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4005
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 4005
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 2000
+    - name: "app-router"
+      consumedBTPServices:
+        - cap-uaa
+        - cap-saas-reg
+        - cap-html5-repo-rt
+      deploymentDefinition:
+        type: Router
+        image: some.repo.example.com/cap-app/router:4.0.1
+        env:
+          - name: PORT
+            value: "3000"
+        ports:
+          - name: router-port
+            port: 3000
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 3000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /
+            port: 3000
+          initialDelaySeconds: 20
+          periodSeconds: 10
+          timeoutSeconds: 2
+        resources:
+          limits:
+            cpu: 200m
+            memory: 500Mi
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        podSecurityContext:
+          runAsUser: 2000
+          fsGroup: 2000
+    - name: "service-content"
+      consumedServices:
+        - cap-uaa
+        - cap-portal
+        - cap-html5-repo-host
+      jobDefinition:
+        type: Content
+        image: some.repo.example.com/cap-app/content:1.0.1
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 2000
+    - name: "mtx-runner"
+      consumedServices: # ...
+      jobDefinition:
+        type: TenantOperation
+        image: some.repo.example.com/cap-app/server:3.22.11
+        backoffLimit: 2
+        ttlSecondsAfterFinished: 300
+        env:
+          - name: CDS_ENV
+            value: production
+          - name: CDS_MTX_PROVISIONING_CONTAINER
+            value: '{"provisioning_parameters": { "database_id": "16e25c51-5455-4b17-a4d7-43545345345"}}'
+    - name: "notify-upgrade"
+      consumedServices: []
+      jobDefinition:
+        type: CustomTenantOperation
+        image: some.repo.example.com/cap-app/server:3.22.11
+        command: ["npm", "run", "notify:upgrade"]
+        backoffLimit: 1
+    - name: "create-test-data"
+      consumedServices:
+        - cap-service-manager
+      jobDefinition:
+        type: CustomTenantOperation
+        image: some.repo.example.com/cap-app/server:3.22.11
+        command: ["npm", "run ", "deploy:testdata"]
+  tenantOperations:
+    provisioning:
+      - workloadName: "mtx-runner"
+      - workloadName: "create-test-data"
+    upgrade:
+      - workloadName: "notify-upgrade"
+        continueOnFailure: true
+      - workloadName: "mtx-runner"
+      - workloadName: "create-test-data"
+```
+> NOTE:
+> The CAP Operator [workloads](../../../reference/#sme.sap.com/v1alpha1.WorkloadDetails) supports several configurations (present in the [kubernetes API](https://kubernetes.io/docs/reference/using-api/)) which can be configured by looking into our API reference:
+> - [Container API reference](../../../reference/#sme.sap.com/v1alpha1.ContainerDetails) for generic container specific configuration
+> - [Deployment API reference](../../../reference/#sme.sap.com/v1alpha1.DeploymentDetails) for deployment specific configuration
+> - [Job API reference](../../../reference/#sme.sap.com/v1alpha1.JobDetails) for job specific configuration
\ No newline at end of file
diff --git a/website/content/en/docs/usage/resources/captenant.md b/website/content/en/docs/usage/resources/captenant.md
new file mode 100644
index 0000000..4297b4a
--- /dev/null
+++ b/website/content/en/docs/usage/resources/captenant.md
@@ -0,0 +1,32 @@
+---
+title: "CAPTenant"
+linkTitle: "CAPTenant"
+weight: 30
+type: "docs"
+description: >
+  How to configure the `CAPTenant` resource
+---
+
+{{< alert color="warning" title="Warning" >}}
+The `CAPTenant` resource is completely managed by the operator and should not be created / modified manually. For details of how `CAPTenant` is created, see page on [tenant subscription](../../tenant-provisioning).
+{{< /alert >}}
+
+The `CAPTenant` resource indicates the existence of tenant in the related application (or one that is current being provisioned). The resource starts with a `Provisioning` state and moves to `Ready` when successfully provisioned. Managing tenants as Kubernetes resources allows not only to control the lifecycle of the entity, but also allows to control other requirements which should be fulfilled for the application to serve tenant specific requests (for example, creating of networking resources).
+
+```yaml
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  name: cap-app-consumer-ge455
+  namespace: cap-ns
+spec:
+  capApplicationInstance: cap-app
+  subDomain: consumer-x
+  tenantId: cb46733-1279-48be-fdf434-aa2bae55d7b5
+  version: "1"
+  versionUpgradeStrategy: always
+```
+
+The specification contains attributes relevant for BTP which identifies a tenant like `tenantId` and `subDomain`.
+
+The `version` field corresponds to the `CAPApplicationVersion` on which the tenant is provisioned or was upgraded. When a newer `CAPApplicationVersion` is available, the operator automatically increments the tenant version which triggers the upgrade process. The `versionUpgradeStrategy` is by default `always`, but could be set to `none` in exceptional cases to prevent automatic upgrade of the tenant.
diff --git a/website/content/en/docs/usage/resources/captenantoperation.md b/website/content/en/docs/usage/resources/captenantoperation.md
new file mode 100644
index 0000000..de41cc9
--- /dev/null
+++ b/website/content/en/docs/usage/resources/captenantoperation.md
@@ -0,0 +1,44 @@
+---
+title: "CAPTenantOperation"
+linkTitle: "CAPTenantOperation"
+weight: 40
+type: "docs"
+description: >
+  How to configure the `CAPTenantOperation` resource
+---
+
+{{< alert color="warning" title="Warning" >}}
+The `CAPTenantOperation` resource is managed by the operator and should not be created / modified manually. The creation of `CAPTenantOperation` is initiated by the `CAPTenant` for executing provisioning, deprovisioning or upgrade.
+{{< /alert >}}
+
+```yaml
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: cap-app-consumer-ge455-77kb9
+  namespace: cap-ns
+spec:
+  capApplicationVersionInstance: cav-cap-app-v2
+  operation: upgrade
+  steps:
+    - continueOnFailure: true
+      name: mtx-runner
+      type: CustomTenantOperation
+    - name: mtx-runner
+      type: TenantOperation
+    - name: create-test-data
+      type: CustomTenantOperation
+  subDomain: consumer-x
+  tenantId: cb46733-1279-48be-fdf434-aa2bae55d7b5
+```
+
+The above example shows a `CAPTenantOperation` created to execute upgrade operation on a tenant. In addition to tenant details, the `CAPApplicationVersion` to be used for the operation is specified. In case of upgrade or provisioning operation this would be the target `CAPApplicationVersion` whereas for deprovisioning it would be the current `CAPApplicationVersion` of the tenant.
+
+The operation is completed by executing a series of steps (jobs) which are specified in or derived from the `CAPApplicationVersion`. Each step refers to a workload of type `TenantOperation` or `CustomTenantOperation`. When `CAPTenantOperation` is created by the operator, there should be at least one step of type `TenantOperation` (which is the job used for the database schema update using CAP provided modules).
+
+`CustomTenantOperation` jobs are hooks provided to the application, which can be executed before or after the actual `TenantOperation`. For applications to be able to identify the context of an execution each job is injected with the following environment variables:
+
+- `CAPOP_APP_VERSION`: The (semantic) version from the relevant `CAPApplicationVersion`
+- `CAPOP_TENANT_ID`: Tenant identifier of the tenant for which the operation is executed
+- `CAPOP_TENANT_OPERATION`: The type of operation - `provisioning`, `deprovisioning` or `upgrade`
+- `CAPOP_TENANT_SUBDOMAIN`: Subdomain (from sub-account) belonging to the tenant for which the operation is executed
diff --git a/website/content/en/docs/usage/tenant-provisioning.md b/website/content/en/docs/usage/tenant-provisioning.md
new file mode 100644
index 0000000..7ad8299
--- /dev/null
+++ b/website/content/en/docs/usage/tenant-provisioning.md
@@ -0,0 +1,65 @@
+---
+title: "Tenant Subscription"
+linkTitle: "Tenant Subscription"
+weight: 30
+type: "docs"
+description: >
+  How tenant provisioning works
+---
+
+From the perspective of the CAP Operator, a valid tenant for an application is represented by the resource `CAPTenant`. It refers to the `CAPApplication` it belongs to and specifies details of the BTP sub-account representing the tenant.
+
+```yaml
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenant
+metadata:
+  name: cap-app-01-provider
+  namespace: cap-app-01
+spec:
+  capApplicationInstance: cap-app-01 # <-- reference to the CAPApplication
+  subDomain: app-provider
+  tenantId: aa2bae55d7b5-1279-456564-a7b0-aa2bae55d7b5
+  version: "1.0.0" # <-- expected version of the application
+  versionUpgradeStrategy: always # <-- always / never
+```
+
+## Tenant Provisioning
+
+The process of tenant provisioning starts when a consumer sub-account subscribes to the application, either via the BTP Cockpit or using the APIs provided by the SaaS Provisioning Service. This in turn initiates the asynchronous callback from the SaaS Provisioning Service instance into the cluster, and the request is handled by the [Subscription Server]({{< ref "docs/concepts/operator-components/subscription-server.md" >}}). The subscription server validates the request and creates an instance of `CAPTenant` for the identified `CAPApplication`.
+
+{{< alert color="warning" title="Warning" >}}
+An instance of `CAPTenant` must not be created or deleted manually within the cluster. A new instance has to be created by the Subscription Server after receiving a provisioning call from BTP SaaS Provisioning Service.
+{{< /alert >}}
+
+The controller, observing the new `CAPTenant` will initiate the provisioning process by creating the resource `CAPTenantOperation` which represents the provisioning operation.
+
+```yaml
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: cap-app-01-provider-sgz8b
+  namespace: cap-app-01
+spec:
+  capApplicationVersionInstance: cav-cap-app-01-1 # <-- latest CAPApplicationVersion in Ready state
+  subDomain: app-provider
+  tenantId: aa2bae55d7b5-1279-456564-a7b0-aa2bae55d7b5
+  operation: provisioning # <-- valid values are provisioning, deprovisioning and upgrade
+  steps:
+    - name: cap-backend # <-- derived from workload of type CAP (when workload of type TenantOperation is not specified)
+      type: TenantOperation
+```
+
+The `CAPTenantOperation` is further reconciled to create Kubernetes Jobs (steps) which are derived from the latest `CAPApplicationVersion` which is in `Ready` state. The steps comprise of a `TenantOperation` job and optional `CustomTenantOperation` steps. The `TenantOperation` step uses built in cli based tenant operations from `@sap/cds-mtxs` to execute tenant provisioning.
+
+The `CAPTenant` reaches a Ready state, only after
+
+- Successful completion of all `CAPTenantOperation` steps
+- Creation of Istio `VirtualService` which allows HTTP requests on the tenant subdomain to reach the application
+
+![tenant-provisioning](/img/activity-tenantprovisioning.png)
+
+## Tenant Deprovisioning
+
+Similar to the tenant provisioning process, when a tenant unsubscribes from the application, the request is received by the Subscription Server. It validates the existence and status of the `CAPTenant` and submits a request for deletion to the Kubernetes API server.
+
+The controller identifies that the `CAPTenant` has to be deleted, but withholds deletion till it can create and watch for successful completion of a `CAPTenantOperation` of type deprovisioning. The `CAPTenantOperation` creates the corresponding jobs (steps) which executes the tenant deprovisioning.
diff --git a/website/content/en/docs/usage/version-upgrade.md b/website/content/en/docs/usage/version-upgrade.md
new file mode 100644
index 0000000..5b65315
--- /dev/null
+++ b/website/content/en/docs/usage/version-upgrade.md
@@ -0,0 +1,120 @@
+---
+title: "Application Upgrade"
+linkTitle: "Application Upgrade"
+weight: 40
+type: "docs"
+description: >
+  How to upgrade to a new Application Version
+---
+
+An important lifecycle aspect of operating multi-tenant CAP Applications is the tenant upgrade process. With CAP Operator these tenant upgrades can be fully automated by providing a new instance of `capapplicationversions.sme.sap.com` custom resource.
+As you've already seen during [initial deployment]({{< ref "/deploying-application.md" >}}), the `CAPApplicationVersion` resource describes the different components (workloads) of an application version that includes the container image to be used and the services consumed by each component.
+To upgrade the application, one needs to provide a new `CAPApplicationVersion` with the relevant `image` for each component and use a newer (higher) semantic version in the `version` field. See [API Reference](../../reference/#sme.sap.com/v1alpha1.CAPApplicationVersion).
+
+```yaml
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPApplicationVersion
+metadata:
+  name: cav-cap-app-01-2
+  namespace: cap-app-01
+spec:
+  capApplicationInstance: cap-cap-app-01 # <-- reference to CAPApplication in the same namespace
+  version: "2.0.1" # <-- semantic version
+  registrySecrets:
+    - regcred
+  workloads:
+    - name: cap-backend
+      consumedBTPServices:
+        - app-uaa
+        - app-service-manager
+        - app-saas-registry
+      deploymentDefinition:
+        type: CAP # <-- indicates the CAP application server
+        image: app.some.repo.example.com/srv/server:0.0.2
+        env:
+          - name: CDS_ENV
+            value: production
+          - name: CDS_MTX_PROVISIONING_CONTAINER
+            value: '{"provisioning_parameters": { "database_id": "16e25c51-5455-4b17-a4d7-43545345345"}}'
+    - name: app-router
+      consumedBTPServices:
+        - app-uaa
+        - app-destination
+        - app-saas-registry
+        - app-html5-repo-runtime
+        - app-portal
+      deploymentDefinition:
+        type: Router
+        image: app.some.repo.example.com/approuter/approuter:0.0.2
+        env:
+          - name: PORT
+            value: 4000
+          - name: TENANT_HOST_PATTERN
+            value: "^(.*).(cap-app-01.cluster.shoot.canary.k8s-hana.ondemand.co|alt.shoot.example.com)"
+    - name: service-content
+      consumedBTPServices:
+        - app-uaa
+        - app-html5-repo-host
+        - app-portal
+      jobDefinition:
+        type: Content
+        image: app.some.repo.example.com/approuter/content:0.0.2
+        backoffLimit: 1
+    - name: mtx-runner
+      consumedBTPServices:
+        - app-uaa
+        - app-service-manager
+        - app-saas-registry
+      jobDefinition:
+        type: TenantOperation
+        image: app.some.repo.example.com/approuter/content:0.0.2
+        env:
+          - name: CDS_ENV
+            value: production
+          - name: CDS_MTX_PROVISIONING_CONTAINER
+            value: '{"provisioning_parameters": { "database_id": "16e25c51-5455-4b17-a4d7-43545345345"}}'
+    - name: notify-upgrade
+      consumedBTPServices: []
+      jobDefinition:
+        type: CustomTenantOperation
+        image: app.some.repo.example.com/approuter/content:0.0.2
+        command: ["npm", "run", "notify:upgrade"]
+        backoffLimit: 1
+        env:
+          - name: TARGET_DL
+            value: group_xyz@sap.com
+  tenantOperations:
+    upgrade:
+      - workloadName: mtx-runner
+      - workloadName: notify-upgrade
+        continueOnFailure: true
+```
+
+Note that in this version (compared to version "1" used for [initial deployment]({{< ref "/deploying-application.md" >}})), new workloads of type `TenantOperation` and `CustomTenantOperation` have been added.
+
+The controller component of the CAP Operator reacts to the new `CAPApplicationVersion` resource and triggers another deployment for application server, router and triggers the content deployment job. Once the new `CAPApplicationVersion` is `Ready`, **the controller then proceeds to automatically upgrade all relevant tenants** i.e. by updating the `version` attribute on the `CAPTenant` resources.
+
+The reconciliation of a `CAPTenant` changes its state to `Upgrading` and creates the `CAPTenantOperation` resource of type upgrade.
+
+```yaml
+apiVersion: sme.sap.com/v1alpha1
+kind: CAPTenantOperation
+metadata:
+  name: cap-app-01-provider-fgdfg
+  namespace: cap-app-01
+spec:
+  capApplicationVersionInstance: cav-cap-app-01-2
+  subDomain: cap-provider
+  tenantId: aa2bae55d7b5-1279-456564-a7b0-aa2bae55d7b5
+  operation: upgrade # possible values are provisioning / upgrade / deprovisioning
+  steps:
+    - name: "mtx-runner"
+      type: TenantOperation
+    - name: "notify-upgrade"
+      type: CustomTenantOperation
+      continueOnFailure: true # <-- can be set for workloads of type CustomTenantOperation to indicate that the success of this job is optional for the completion of the overall operation
+```
+
+The `CAPTenantOperation` creates jobs for each of the steps involved and executes them sequentially, till all the jobs are finished or one of them fails. The `CAPTenant` is notified about the result and updates its state accordingly.
+
+A successful completion of the `CAPTenantOperation` will cause the `VirtualService` managed by the `CAPTenant` to be modified to route HTTP traffic to the deployments of the newer `CAPApplicationVersion`. Once all tenants have been upgraded the older `CAPApplicationVersion` can be deleted.
diff --git a/website/go.mod b/website/go.mod
new file mode 100644
index 0000000..e7ed3ea
--- /dev/null
+++ b/website/go.mod
@@ -0,0 +1,5 @@
+module github.com/sap/cap-operator/website
+
+go 1.21
+
+require github.com/google/docsy v0.7.1 // indirect
diff --git a/website/go.sum b/website/go.sum
new file mode 100644
index 0000000..d9ed4c5
--- /dev/null
+++ b/website/go.sum
@@ -0,0 +1,5 @@
+github.com/FortAwesome/Font-Awesome v0.0.0-20230327165841-0698449d50f2/go.mod h1:IUgezN/MFpCDIlFezw3L8j83oeiIuYoj28Miwr/KUYo=
+github.com/google/docsy v0.7.1 h1:DUriA7Nr3lJjNi9Ulev1SfiG1sUYmvyDeU4nTp7uDxY=
+github.com/google/docsy v0.7.1/go.mod h1:JCmE+c+izhE0Rvzv3y+AzHhz1KdwlA9Oj5YBMklJcfc=
+github.com/google/docsy/dependencies v0.7.1/go.mod h1:gihhs5gmgeO+wuoay4FwOzob+jYJVyQbNaQOh788lD4=
+github.com/twbs/bootstrap v5.2.3+incompatible/go.mod h1:fZTSrkpSf0/HkL0IIJzvVspTt1r9zuf7XlZau8kpcY0=
diff --git a/website/hugo.yaml b/website/hugo.yaml
new file mode 100644
index 0000000..34d6e73
--- /dev/null
+++ b/website/hugo.yaml
@@ -0,0 +1,167 @@
+baseURL: "https://sap.github.io/cap-operator"
+title: "CAP Operator"
+
+enableRobotsTXT: true
+
+# Will give values to .Lastmod etc.
+enableGitInfo: true
+
+# Language settings
+contentDir: "content/en"
+defaultContentLanguage: "en"
+defaultContentLanguageInSubdir: false
+# Useful when translating.
+enableMissingTranslationPlaceholders: true
+
+# horizontal (top level) menu items
+menu:
+  main:
+    # NOTE: the "Documentation" menu item is sourced from the front matter of the _index.md file
+    - name: "GitHub"
+      weight: 90
+      url: "https://github.com/sap/cap-operator/"
+      pre: "<i class='fab fa-github'></i>"
+
+# You can add your own taxonomies
+taxonomies:
+  tag: "tags"
+  category: "categories"
+
+# If used, must have same lang as taxonomyCloud
+taxonomyCloudTitle: ["Tag Cloud", "Categories"] 
+
+# set taxonomyPageHeader = [] to hide taxonomies on the page headers
+taxonomyPageHeader: ["tags", "categories"] 
+
+# Configure how URLs look like per section.
+permalinks:
+  blog: "/:section/:year/:month/:day/:slug/"
+
+# Image processing configuration.
+imaging:
+  resampleFilter: "CatmullRom"
+  quality: 90
+  anchor: "smart"
+
+# Language configuration
+languages:
+  en:
+    languageName: "English"
+    contentDir: "content/en"
+    # Weight used for sorting.
+    weight: 1
+    params:
+      title: "CAP Operator"
+      description: "CAP Multi-tenant Application Operator for Kubernetes"
+
+markup:
+  goldmark:
+    renderer:
+      unsafe: true
+  highlight:
+    # See a complete list of available styles at https://xyproto.github.io/splash/docs/all.html
+    style: "nord"
+    # Uncomment if you want your chosen highlight style used for code blocks without a specified language
+    guessSyntax: "true"
+    codeFences: true
+
+# Everything below this are Site Params
+
+# Comment out if you don't want the "print entire section" link enabled.
+outputs:
+  section: ["HTML", "print", "RSS"]
+
+params:
+  taxonomy:
+    # set taxonomyCloud = [] to hide taxonomy clouds
+    taxonomyCloud: ["tags", "categories"]
+
+  copyright: "ERP for SME"
+  # privacy_policy = "https://policies.google.com/privacy"
+
+  # Menu title if your navbar has a versions selector to access old versions of your site.
+  # This menu appears only if you have at least one [params.versions] set.
+  version_menu: "Releases"
+
+  # Flag used in the "version-banner" partial to decide whether to display a 
+  # banner on every page indicating that this is an archived version of the docs.
+  # Set this flag to "true" if you want to display the banner.
+  archived_version: false
+
+  # The version number for the version of the docs represented in this doc set.
+  # Used in the "version-banner" partial to display a version number for the 
+  # current doc set.
+  version: "0.0"
+
+  # A link to latest version of the docs. Used in the "version-banner" partial to
+  # point people to the main doc site.
+  url_latest_version: "https://sap.github.io/cap-operator"
+
+  # Repository configuration (URLs for in-page links to opening issues and suggesting changes)
+  github_repo: "https://github.com/sap/cap-operator"
+  # An optional link to a related project repo. For example, the sibling repository where your product code lives.
+  github_project_repo: "https://github.com/sap/cap-operator"
+
+  # Specify a value here if your content directory is not in your repo's root directory
+  github_subdir: "website"
+
+  # Uncomment this if you have a newer GitHub repo with "main" as the default branch,
+  # or specify a new value if you want to reference another branch in your GitHub links
+  github_branch: "main"
+
+  # Enable Algolia DocSearch
+  algolia_docsearch: false
+
+  # Enable Lunr.js offline search
+  offlineSearch: true
+
+  # User interface configuration
+  ui:
+    #  Set to true to disable breadcrumb navigation.
+    breadcrumb_disable: false
+    # Set to true to disable the About link in the site footer
+    footer_about_disable: false
+    # Set to false if you don't want to display a logo (/assets/icons/logo.svg) in the top navbar
+    navbar_logo: false
+    # Set to true if you don't want the top navbar to be translucent when over a `block/cover`, like on the homepage.
+    navbar_translucent_over_cover_disable: false
+    # Enable to show the side bar menu in its compact state.
+    sidebar_menu_compact: true
+    # Set to true to hide the sidebar search box (the top nav search box will still be displayed if search is enabled)
+    sidebar_search_disable: true
+
+    # Adds a H2 section titled "Feedback" to the bottom of each doc. The responses are sent to Google Analytics as events.
+    # This feature depends on [services.googleAnalytics] and will be disabled if "services.googleAnalytics.id" is not set.
+    # If you want this feature, but occasionally need to remove the "Feedback" section from a single page,
+    # add "hide_feedback: true" to the page's front matter.
+    feedback:
+      enable: false
+      # The responses that the user sees after clicking "yes" (the page was helpful) or "no" (the page was not helpful).
+      # yes = 'Glad to hear it! Please <a href="https://github.com/USERNAME/REPOSITORY/issues/new">tell us how we can improve</a>.'
+      # no = 'Sorry to hear that. Please <a href="https://github.com/USERNAME/REPOSITORY/issues/new">tell us how we can improve</a>.'
+
+    # Adds a reading time to the top of each doc.
+    # If you want this feature, but occasionally need to remove the Reading time from a single page, 
+    # add "hide_readingtime: true" to the page's front matter
+    readingtime:
+      enable: true
+
+  links:
+    # End user relevant links. These will show up on left side of footer and in the community page if you have one.
+    user:
+      - name: "Ask for help"
+        url: "mailto:DL_64A676DD6A9245028D2A9DCC@global.corp.sap"
+        icon: "fa fa-envelope"
+        desc: "Help from development team"
+    # Developer relevant links. These will show up on right side of footer and in the community page if you have one.
+    developer:
+      - name: "GitHub"
+        urlL: "https://github.com/sap/cap-operator/"
+        icon: "fab fa-github"
+        desc: "Development takes place here!"
+
+# Add docsy as hugo module
+module:
+  imports:
+    - path: "github.com/google/docsy"
+    - path: "github.com/google/docsy/dependencies"
\ No newline at end of file
diff --git a/website/includes/api-reference.html b/website/includes/api-reference.html
new file mode 100644
index 0000000..e4117f6
--- /dev/null
+++ b/website/includes/api-reference.html
@@ -0,0 +1,2234 @@
+<p>Packages:</p>
+<ul>
+<li>
+<a href="#sme.sap.com%2fv1alpha1">sme.sap.com/v1alpha1</a>
+</li>
+</ul>
+<h2 id="sme.sap.com/v1alpha1">sme.sap.com/v1alpha1</h2>
+Resource Types:
+<ul><li>
+<a href="#sme.sap.com/v1alpha1.CAPApplication">CAPApplication</a>
+</li><li>
+<a href="#sme.sap.com/v1alpha1.CAPApplicationVersion">CAPApplicationVersion</a>
+</li><li>
+<a href="#sme.sap.com/v1alpha1.CAPTenant">CAPTenant</a>
+</li><li>
+<a href="#sme.sap.com/v1alpha1.CAPTenantOperation">CAPTenantOperation</a>
+</li></ul>
+<h3 id="sme.sap.com/v1alpha1.CAPApplication">CAPApplication
+</h3>
+<div>
+<p>CAPApplication is the schema for capapplications API</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>apiVersion</code><br/>
+string</td>
+<td>
+<code>
+sme.sap.com/v1alpha1
+</code>
+</td>
+</tr>
+<tr>
+<td>
+<code>kind</code><br/>
+string
+</td>
+<td><code>CAPApplication</code></td>
+</tr>
+<tr>
+<td>
+<code>metadata</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#ObjectMeta">
+Kubernetes meta/v1.ObjectMeta
+</a>
+</em>
+</td>
+<td>
+Refer to the Kubernetes API documentation for the fields of the
+<code>metadata</code> field.
+</td>
+</tr>
+<tr>
+<td>
+<code>spec</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPApplicationSpec">
+CAPApplicationSpec
+</a>
+</em>
+</td>
+<td>
+<p>CAPApplication spec</p>
+<br/>
+<br/>
+<table>
+<tr>
+<td>
+<code>domains</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.ApplicationDomains">
+ApplicationDomains
+</a>
+</em>
+</td>
+<td>
+<p>Domains used by the application</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>globalAccountId</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>SAP BTP Global Account Identifier where services are entitles for the current application</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>btpAppName</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Short name for the application (similar to BTP XSAPPNAME)</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>provider</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.BTPTenantIdentification">
+BTPTenantIdentification
+</a>
+</em>
+</td>
+<td>
+<p>Provider subaccount where application services are created</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>btp</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.BTP">
+BTP
+</a>
+</em>
+</td>
+<td>
+<p>SAP BTP Services consumed by the application</p>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+<tr>
+<td>
+<code>status</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPApplicationStatus">
+CAPApplicationStatus
+</a>
+</em>
+</td>
+<td>
+<p>CAPApplication status</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPApplicationVersion">CAPApplicationVersion
+</h3>
+<div>
+<p>CAPApplicationVersion defines the schema for capapplicationversions API</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>apiVersion</code><br/>
+string</td>
+<td>
+<code>
+sme.sap.com/v1alpha1
+</code>
+</td>
+</tr>
+<tr>
+<td>
+<code>kind</code><br/>
+string
+</td>
+<td><code>CAPApplicationVersion</code></td>
+</tr>
+<tr>
+<td>
+<code>metadata</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#ObjectMeta">
+Kubernetes meta/v1.ObjectMeta
+</a>
+</em>
+</td>
+<td>
+Refer to the Kubernetes API documentation for the fields of the
+<code>metadata</code> field.
+</td>
+</tr>
+<tr>
+<td>
+<code>spec</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPApplicationVersionSpec">
+CAPApplicationVersionSpec
+</a>
+</em>
+</td>
+<td>
+<p>CAPApplicationVersion spec</p>
+<br/>
+<br/>
+<table>
+<tr>
+<td>
+<code>capApplicationInstance</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Denotes to which CAPApplication the current version belongs</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>version</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Semantic version</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>registrySecrets</code><br/>
+<em>
+[]string
+</em>
+</td>
+<td>
+<p>Registry secrets used to pull images of the application components</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>workloads</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.WorkloadDetails">
+[]WorkloadDetails
+</a>
+</em>
+</td>
+<td>
+<p>Information about the Workloads</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>tenantOperations</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.TenantOperations">
+TenantOperations
+</a>
+</em>
+</td>
+<td>
+<p>Tenant Operations may be used to specify how jobs are sequenced for the different tenant operations</p>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+<tr>
+<td>
+<code>status</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPApplicationVersionStatus">
+CAPApplicationVersionStatus
+</a>
+</em>
+</td>
+<td>
+<p>CAPApplicationVersion status</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPTenant">CAPTenant
+</h3>
+<div>
+<p>CAPTenant defines the schema for captenants API</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>apiVersion</code><br/>
+string</td>
+<td>
+<code>
+sme.sap.com/v1alpha1
+</code>
+</td>
+</tr>
+<tr>
+<td>
+<code>kind</code><br/>
+string
+</td>
+<td><code>CAPTenant</code></td>
+</tr>
+<tr>
+<td>
+<code>metadata</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#ObjectMeta">
+Kubernetes meta/v1.ObjectMeta
+</a>
+</em>
+</td>
+<td>
+Refer to the Kubernetes API documentation for the fields of the
+<code>metadata</code> field.
+</td>
+</tr>
+<tr>
+<td>
+<code>spec</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPTenantSpec">
+CAPTenantSpec
+</a>
+</em>
+</td>
+<td>
+<p>CAPTenant spec</p>
+<br/>
+<br/>
+<table>
+<tr>
+<td>
+<code>capApplicationInstance</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Denotes to which CAPApplication the current tenant belongs</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>BTPTenantIdentification</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.BTPTenantIdentification">
+BTPTenantIdentification
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>BTPTenantIdentification</code> are embedded into this type.)
+</p>
+<p>Details of consumer sub-account subscribing to the application</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>version</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Semver that is used to determine the relevant CAPApplicationVersion that a CAPTenant can be upgraded to (i.e. if it is not already on that version)</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>versionUpgradeStrategy</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.VersionUpgradeStrategyType">
+VersionUpgradeStrategyType
+</a>
+</em>
+</td>
+<td>
+<p>Denotes whether a CAPTenant can be upgraded. One of (&lsquo;always&rsquo;, &lsquo;never&rsquo;)</p>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+<tr>
+<td>
+<code>status</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPTenantStatus">
+CAPTenantStatus
+</a>
+</em>
+</td>
+<td>
+<p>CAPTenant status</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPTenantOperation">CAPTenantOperation
+</h3>
+<div>
+<p>CAPTenantOperation defines the schema for captenantoperations API</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>apiVersion</code><br/>
+string</td>
+<td>
+<code>
+sme.sap.com/v1alpha1
+</code>
+</td>
+</tr>
+<tr>
+<td>
+<code>kind</code><br/>
+string
+</td>
+<td><code>CAPTenantOperation</code></td>
+</tr>
+<tr>
+<td>
+<code>metadata</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#ObjectMeta">
+Kubernetes meta/v1.ObjectMeta
+</a>
+</em>
+</td>
+<td>
+Refer to the Kubernetes API documentation for the fields of the
+<code>metadata</code> field.
+</td>
+</tr>
+<tr>
+<td>
+<code>spec</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPTenantOperationSpec">
+CAPTenantOperationSpec
+</a>
+</em>
+</td>
+<td>
+<p>CAPTenantOperation spec</p>
+<br/>
+<br/>
+<table>
+<tr>
+<td>
+<code>operation</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPTenantOperationType">
+CAPTenantOperationType
+</a>
+</em>
+</td>
+<td>
+<p>Scope of the tenant lifecycle operation. One of &lsquo;provisioning&rsquo;, &lsquo;deprovisioning&rsquo; or &lsquo;upgrade&rsquo;</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>BTPTenantIdentification</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.BTPTenantIdentification">
+BTPTenantIdentification
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>BTPTenantIdentification</code> are embedded into this type.)
+</p>
+<p>BTP sub-account (tenant) for which request is created</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>capApplicationVersionInstance</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Reference to CAPApplicationVersion for executing the operation</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>steps</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPTenantOperationStep">
+[]CAPTenantOperationStep
+</a>
+</em>
+</td>
+<td>
+<p>Steps (jobs) to be executed for the operation to complete</p>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+<tr>
+<td>
+<code>status</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPTenantOperationStatus">
+CAPTenantOperationStatus
+</a>
+</em>
+</td>
+<td>
+<p>CAPTenantOperation status</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.ApplicationDomains">ApplicationDomains
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPApplicationSpec">CAPApplicationSpec</a>)
+</p>
+<div>
+<p>Application domains</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>primary</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Primary application domain will be used to generate a wildcard TLS certificate. In SAP Gardener managed clusters this is (usually) a subdomain of the cluster domain</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>secondary</code><br/>
+<em>
+[]string
+</em>
+</td>
+<td>
+<p>Customer specific domains to serve application endpoints (optional)</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>dnsTarget</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Public ingress URL for the cluster Load Balancer</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>istioIngressGatewayLabels</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.NameValue">
+[]NameValue
+</a>
+</em>
+</td>
+<td>
+<p>Labels used to identify the istio ingress-gateway component and its corresponding namespace. Usually {&ldquo;app&rdquo;:&ldquo;istio-ingressgateway&rdquo;,&ldquo;istio&rdquo;:&ldquo;ingressgateway&rdquo;}</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.BTP">BTP
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPApplicationSpec">CAPApplicationSpec</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>services</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.ServiceInfo">
+[]ServiceInfo
+</a>
+</em>
+</td>
+<td>
+<p>Details of BTP Services</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.BTPTenantIdentification">BTPTenantIdentification
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPApplicationSpec">CAPApplicationSpec</a>, <a href="#sme.sap.com/v1alpha1.CAPTenantOperationSpec">CAPTenantOperationSpec</a>, <a href="#sme.sap.com/v1alpha1.CAPTenantSpec">CAPTenantSpec</a>)
+</p>
+<div>
+<p>Identifies an SAP BTP subaccount (tenant)</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>subDomain</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>BTP subaccount subdomain</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>tenantId</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>BTP subaccount Tenant ID</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPApplicationSpec">CAPApplicationSpec
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPApplication">CAPApplication</a>)
+</p>
+<div>
+<p>CAPApplicationSpec defines the desired state of CAPApplication</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>domains</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.ApplicationDomains">
+ApplicationDomains
+</a>
+</em>
+</td>
+<td>
+<p>Domains used by the application</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>globalAccountId</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>SAP BTP Global Account Identifier where services are entitles for the current application</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>btpAppName</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Short name for the application (similar to BTP XSAPPNAME)</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>provider</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.BTPTenantIdentification">
+BTPTenantIdentification
+</a>
+</em>
+</td>
+<td>
+<p>Provider subaccount where application services are created</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>btp</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.BTP">
+BTP
+</a>
+</em>
+</td>
+<td>
+<p>SAP BTP Services consumed by the application</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPApplicationState">CAPApplicationState
+(<code>string</code> alias)</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPApplicationStatus">CAPApplicationStatus</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;Consistent&#34;</p></td>
+<td><p>CAPApplication has been reconciled and is now consistent</p>
+</td>
+</tr><tr><td><p>&#34;Deleting&#34;</p></td>
+<td><p>Deletion has been triggered</p>
+</td>
+</tr><tr><td><p>&#34;Error&#34;</p></td>
+<td><p>An error occurred during reconciliation</p>
+</td>
+</tr><tr><td><p>&#34;Processing&#34;</p></td>
+<td><p>CAPApplication is being reconciled</p>
+</td>
+</tr></tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPApplicationStatus">CAPApplicationStatus
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPApplication">CAPApplication</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>GenericStatus</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.GenericStatus">
+GenericStatus
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>GenericStatus</code> are embedded into this type.)
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>state</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPApplicationState">
+CAPApplicationState
+</a>
+</em>
+</td>
+<td>
+<p>State of CAPApplication</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>domainSpecHash</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Hash representing last known application domains</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>lastFullReconciliationTime</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Time">
+Kubernetes meta/v1.Time
+</a>
+</em>
+</td>
+<td>
+<p>The last time a full reconciliation was completed</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPApplicationStatusConditionType">CAPApplicationStatusConditionType
+(<code>string</code> alias)</h3>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;AllTenantsReady&#34;</p></td>
+<td></td>
+</tr><tr><td><p>&#34;LatestVersionReady&#34;</p></td>
+<td></td>
+</tr></tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPApplicationVersionSpec">CAPApplicationVersionSpec
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPApplicationVersion">CAPApplicationVersion</a>)
+</p>
+<div>
+<p>CAPApplicationVersionSpec specifies the desired state of CAPApplicationVersion</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>capApplicationInstance</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Denotes to which CAPApplication the current version belongs</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>version</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Semantic version</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>registrySecrets</code><br/>
+<em>
+[]string
+</em>
+</td>
+<td>
+<p>Registry secrets used to pull images of the application components</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>workloads</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.WorkloadDetails">
+[]WorkloadDetails
+</a>
+</em>
+</td>
+<td>
+<p>Information about the Workloads</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>tenantOperations</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.TenantOperations">
+TenantOperations
+</a>
+</em>
+</td>
+<td>
+<p>Tenant Operations may be used to specify how jobs are sequenced for the different tenant operations</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPApplicationVersionState">CAPApplicationVersionState
+(<code>string</code> alias)</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPApplicationVersionStatus">CAPApplicationVersionStatus</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;Deleting&#34;</p></td>
+<td><p>Deletion has been triggered</p>
+</td>
+</tr><tr><td><p>&#34;Error&#34;</p></td>
+<td><p>An error occurred during reconciliation</p>
+</td>
+</tr><tr><td><p>&#34;Processing&#34;</p></td>
+<td><p>CAPApplicationVersion is being processed</p>
+</td>
+</tr><tr><td><p>&#34;Ready&#34;</p></td>
+<td><p>CAPApplicationVersion is now ready for use (dependent resources have been created)</p>
+</td>
+</tr></tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPApplicationVersionStatus">CAPApplicationVersionStatus
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPApplicationVersion">CAPApplicationVersion</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>GenericStatus</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.GenericStatus">
+GenericStatus
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>GenericStatus</code> are embedded into this type.)
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>state</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPApplicationVersionState">
+CAPApplicationVersionState
+</a>
+</em>
+</td>
+<td>
+<p>State of CAPApplicationVersion</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>finishedJobs</code><br/>
+<em>
+[]string
+</em>
+</td>
+<td>
+<p>List of finished Content Jobs</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPTenantOperationSpec">CAPTenantOperationSpec
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPTenantOperation">CAPTenantOperation</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>operation</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPTenantOperationType">
+CAPTenantOperationType
+</a>
+</em>
+</td>
+<td>
+<p>Scope of the tenant lifecycle operation. One of &lsquo;provisioning&rsquo;, &lsquo;deprovisioning&rsquo; or &lsquo;upgrade&rsquo;</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>BTPTenantIdentification</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.BTPTenantIdentification">
+BTPTenantIdentification
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>BTPTenantIdentification</code> are embedded into this type.)
+</p>
+<p>BTP sub-account (tenant) for which request is created</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>capApplicationVersionInstance</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Reference to CAPApplicationVersion for executing the operation</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>steps</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPTenantOperationStep">
+[]CAPTenantOperationStep
+</a>
+</em>
+</td>
+<td>
+<p>Steps (jobs) to be executed for the operation to complete</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPTenantOperationState">CAPTenantOperationState
+(<code>string</code> alias)</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPTenantOperationStatus">CAPTenantOperationStatus</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;Completed&#34;</p></td>
+<td><p>CAPTenantOperation steps completed</p>
+</td>
+</tr><tr><td><p>&#34;Deleting&#34;</p></td>
+<td><p>CAPTenantOperation deletion has been triggered</p>
+</td>
+</tr><tr><td><p>&#34;Failed&#34;</p></td>
+<td><p>CAPTenantOperation steps have failed</p>
+</td>
+</tr><tr><td><p>&#34;Processing&#34;</p></td>
+<td><p>CAPTenantOperation is being processed</p>
+</td>
+</tr></tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPTenantOperationStatus">CAPTenantOperationStatus
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPTenantOperation">CAPTenantOperation</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>GenericStatus</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.GenericStatus">
+GenericStatus
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>GenericStatus</code> are embedded into this type.)
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>state</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPTenantOperationState">
+CAPTenantOperationState
+</a>
+</em>
+</td>
+<td>
+<p>State of CAPTenantOperation</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>currentStep</code><br/>
+<em>
+uint32
+</em>
+</td>
+<td>
+<p>Current step being processed from the sequence of specified steps</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>activeJob</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Name of the job being executed for the current step</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPTenantOperationStep">CAPTenantOperationStep
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPTenantOperationSpec">CAPTenantOperationSpec</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>name</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Name of the workload from the referenced CAPApplicationVersion</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>type</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.JobType">
+JobType
+</a>
+</em>
+</td>
+<td>
+<p>Type of job. One of &lsquo;TenantOperation&rsquo; or &lsquo;CustomTenantOperation&rsquo;</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>continueOnFailure</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>Indicates whether the operation can continue in case of step failure. Relevant only for type &lsquo;CustomTenantOperation&rsquo;</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPTenantOperationType">CAPTenantOperationType
+(<code>string</code> alias)</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPTenantOperationSpec">CAPTenantOperationSpec</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;deprovisioning&#34;</p></td>
+<td><p>Deprovision tenant</p>
+</td>
+</tr><tr><td><p>&#34;provisioning&#34;</p></td>
+<td><p>Provision tenant</p>
+</td>
+</tr><tr><td><p>&#34;upgrade&#34;</p></td>
+<td><p>Upgrade tenant</p>
+</td>
+</tr></tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPTenantSpec">CAPTenantSpec
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPTenant">CAPTenant</a>)
+</p>
+<div>
+<p>CAPTenantSpec defines the desired state of the CAPTenant</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>capApplicationInstance</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Denotes to which CAPApplication the current tenant belongs</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>BTPTenantIdentification</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.BTPTenantIdentification">
+BTPTenantIdentification
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>BTPTenantIdentification</code> are embedded into this type.)
+</p>
+<p>Details of consumer sub-account subscribing to the application</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>version</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Semver that is used to determine the relevant CAPApplicationVersion that a CAPTenant can be upgraded to (i.e. if it is not already on that version)</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>versionUpgradeStrategy</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.VersionUpgradeStrategyType">
+VersionUpgradeStrategyType
+</a>
+</em>
+</td>
+<td>
+<p>Denotes whether a CAPTenant can be upgraded. One of (&lsquo;always&rsquo;, &lsquo;never&rsquo;)</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPTenantState">CAPTenantState
+(<code>string</code> alias)</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPTenantStatus">CAPTenantStatus</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;Deleting&#34;</p></td>
+<td><p>Deletion has been triggered</p>
+</td>
+</tr><tr><td><p>&#34;Provisioning&#34;</p></td>
+<td><p>Tenant is being provisioned</p>
+</td>
+</tr><tr><td><p>&#34;ProvisioningError&#34;</p></td>
+<td><p>Tenant provisioning ended in error</p>
+</td>
+</tr><tr><td><p>&#34;Ready&#34;</p></td>
+<td><p>Tenant has been provisioned/upgraded and is now ready for use</p>
+</td>
+</tr><tr><td><p>&#34;UpgradeError&#34;</p></td>
+<td><p>Tenant upgrade failed</p>
+</td>
+</tr><tr><td><p>&#34;Upgrading&#34;</p></td>
+<td><p>Tenant is being upgraded</p>
+</td>
+</tr></tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.CAPTenantStatus">CAPTenantStatus
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPTenant">CAPTenant</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>GenericStatus</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.GenericStatus">
+GenericStatus
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>GenericStatus</code> are embedded into this type.)
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>state</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.CAPTenantState">
+CAPTenantState
+</a>
+</em>
+</td>
+<td>
+<p>State of CAPTenant</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>currentCAPApplicationVersionInstance</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Specifies the current version of the tenant after provisioning or upgrade</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>previousCAPApplicationVersions</code><br/>
+<em>
+[]string
+</em>
+</td>
+<td>
+<p>Previous versions of the tenant (first to last)</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>lastFullReconciliationTime</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Time">
+Kubernetes meta/v1.Time
+</a>
+</em>
+</td>
+<td>
+<p>The last time a full reconciliation was completed</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.ContainerDetails">ContainerDetails
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.DeploymentDetails">DeploymentDetails</a>, <a href="#sme.sap.com/v1alpha1.JobDetails">JobDetails</a>)
+</p>
+<div>
+<p>ContainerDetails specifies the details of the Container</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>image</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Image info for the container</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>imagePullPolicy</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/api/core/v1#PullPolicy">
+Kubernetes core/v1.PullPolicy
+</a>
+</em>
+</td>
+<td>
+<p>Pull policy for the container image</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>command</code><br/>
+<em>
+[]string
+</em>
+</td>
+<td>
+<p>Entrypoint array for the container</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>env</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/api/core/v1#EnvVar">
+[]Kubernetes core/v1.EnvVar
+</a>
+</em>
+</td>
+<td>
+<p>Environment Config for the Container</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>resources</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/api/core/v1#ResourceRequirements">
+Kubernetes core/v1.ResourceRequirements
+</a>
+</em>
+</td>
+<td>
+<p>Resources</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>securityContext</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/api/core/v1#SecurityContext">
+Kubernetes core/v1.SecurityContext
+</a>
+</em>
+</td>
+<td>
+<p>SecurityContext for the Container</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>podSecurityContext</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/api/core/v1#PodSecurityContext">
+Kubernetes core/v1.PodSecurityContext
+</a>
+</em>
+</td>
+<td>
+<p>SecurityContext for the Pod</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.DeploymentDetails">DeploymentDetails
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.WorkloadDetails">WorkloadDetails</a>)
+</p>
+<div>
+<p>DeploymentDetails specifies the details of the Deployment</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>ContainerDetails</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.ContainerDetails">
+ContainerDetails
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>ContainerDetails</code> are embedded into this type.)
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>type</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.DeploymentType">
+DeploymentType
+</a>
+</em>
+</td>
+<td>
+<p>Type of the Deployment</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>replicas</code><br/>
+<em>
+int32
+</em>
+</td>
+<td>
+<p>Number of replicas</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>ports</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.Ports">
+[]Ports
+</a>
+</em>
+</td>
+<td>
+<p>Port configuration</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>livenessProbe</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/api/core/v1#Probe">
+Kubernetes core/v1.Probe
+</a>
+</em>
+</td>
+<td>
+<p>Liveness probe</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>readinessProbe</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/api/core/v1#Probe">
+Kubernetes core/v1.Probe
+</a>
+</em>
+</td>
+<td>
+<p>Readiness probe</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.DeploymentType">DeploymentType
+(<code>string</code> alias)</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.DeploymentDetails">DeploymentDetails</a>)
+</p>
+<div>
+<p>Type of deployment</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;Additional&#34;</p></td>
+<td><p>Additional deployment type</p>
+</td>
+</tr><tr><td><p>&#34;CAP&#34;</p></td>
+<td><p>CAP backend server deployment type</p>
+</td>
+</tr><tr><td><p>&#34;Router&#34;</p></td>
+<td><p>Application router deployment type</p>
+</td>
+</tr></tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.GenericStatus">GenericStatus
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPApplicationStatus">CAPApplicationStatus</a>, <a href="#sme.sap.com/v1alpha1.CAPApplicationVersionStatus">CAPApplicationVersionStatus</a>, <a href="#sme.sap.com/v1alpha1.CAPTenantOperationStatus">CAPTenantOperationStatus</a>, <a href="#sme.sap.com/v1alpha1.CAPTenantStatus">CAPTenantStatus</a>)
+</p>
+<div>
+<p>Custom resource status</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>observedGeneration</code><br/>
+<em>
+int64
+</em>
+</td>
+<td>
+<p>Observed generation of the resource where this status was identified</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>conditions</code><br/>
+<em>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Condition">
+[]Kubernetes meta/v1.Condition
+</a>
+</em>
+</td>
+<td>
+<p>State expressed as conditions</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.JobDetails">JobDetails
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.WorkloadDetails">WorkloadDetails</a>)
+</p>
+<div>
+<p>JobDetails specifies the details of the Job</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>ContainerDetails</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.ContainerDetails">
+ContainerDetails
+</a>
+</em>
+</td>
+<td>
+<p>
+(Members of <code>ContainerDetails</code> are embedded into this type.)
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>type</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.JobType">
+JobType
+</a>
+</em>
+</td>
+<td>
+<p>Type of Job</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>backoffLimit</code><br/>
+<em>
+int32
+</em>
+</td>
+<td>
+<p>Specifies the number of retries before marking this job failed.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>ttlSecondsAfterFinished</code><br/>
+<em>
+int32
+</em>
+</td>
+<td>
+<p>Specifies the time after which the job may be cleaned up.</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.JobType">JobType
+(<code>string</code> alias)</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPTenantOperationStep">CAPTenantOperationStep</a>, <a href="#sme.sap.com/v1alpha1.JobDetails">JobDetails</a>)
+</p>
+<div>
+<p>Type of Job</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;Content&#34;</p></td>
+<td><p>job for deploying content or configuration to (BTP) services</p>
+</td>
+</tr><tr><td><p>&#34;CustomTenantOperation&#34;</p></td>
+<td><p>job for custom tenant operation e.g. pre/post hooks for a tenant operation</p>
+</td>
+</tr><tr><td><p>&#34;TenantOperation&#34;</p></td>
+<td><p>job for tenant operation e.g. deploying relevant data to a tenant</p>
+</td>
+</tr></tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.NameValue">NameValue
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.ApplicationDomains">ApplicationDomains</a>)
+</p>
+<div>
+<p>Generic Name/Value configuration</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>name</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<code>value</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.PortNetworkPolicyType">PortNetworkPolicyType
+(<code>string</code> alias)</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.Ports">Ports</a>)
+</p>
+<div>
+<p>Type of NetworkPolicy for the port</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;Application&#34;</p></td>
+<td><p>Expose the port for the current application versions pod(s) scope</p>
+</td>
+</tr><tr><td><p>&#34;Cluster&#34;</p></td>
+<td><p>Expose the port for any pod(s) in the overall cluster scope</p>
+</td>
+</tr></tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.Ports">Ports
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.DeploymentDetails">DeploymentDetails</a>)
+</p>
+<div>
+<p>Configuration of Service Ports for the deployment</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>appProtocol</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>App protocol used by the service port</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>name</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Name of the service port</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>networkPolicy</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.PortNetworkPolicyType">
+PortNetworkPolicyType
+</a>
+</em>
+</td>
+<td>
+<p>Network Policy of the service port</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>port</code><br/>
+<em>
+int32
+</em>
+</td>
+<td>
+<p>The port number used for container and the corresponding service (if any)</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>routerDestinationName</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Destination name which may be used by the Router deployment to reach this backend service</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.ServiceInfo">ServiceInfo
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.BTP">BTP</a>)
+</p>
+<div>
+<p>Service information</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>name</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Name of service instance</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>secret</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Secret containing service access credentials</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>class</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Type of service</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.StatusConditionType">StatusConditionType
+(<code>string</code> alias)</h3>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;Ready&#34;</p></td>
+<td></td>
+</tr></tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.TenantOperationWorkloadReference">TenantOperationWorkloadReference
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.TenantOperations">TenantOperations</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>workloadName</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Reference to a specified workload of type &lsquo;TenantOperation&rsquo; or &lsquo;CustomTenantOperation&rsquo;</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>continueOnFailure</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>Indicates whether to proceed with remaining operation steps in case of failure. Relevant only for &lsquo;CustomTenantOperation&rsquo;</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.TenantOperations">TenantOperations
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPApplicationVersionSpec">CAPApplicationVersionSpec</a>)
+</p>
+<div>
+<p>Configuration used to sequence tenant related jobs for a given tenant operation</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>provisioning</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.TenantOperationWorkloadReference">
+[]TenantOperationWorkloadReference
+</a>
+</em>
+</td>
+<td>
+<p>Tenant provisioning steps</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>upgrade</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.TenantOperationWorkloadReference">
+[]TenantOperationWorkloadReference
+</a>
+</em>
+</td>
+<td>
+<p>Tenant upgrade steps</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>deprovisioning</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.TenantOperationWorkloadReference">
+[]TenantOperationWorkloadReference
+</a>
+</em>
+</td>
+<td>
+<p>Tenant deprovisioning steps</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.VersionUpgradeStrategyType">VersionUpgradeStrategyType
+(<code>string</code> alias)</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPTenantSpec">CAPTenantSpec</a>)
+</p>
+<div>
+</div>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;always&#34;</p></td>
+<td><p>Always (default)</p>
+</td>
+</tr><tr><td><p>&#34;never&#34;</p></td>
+<td><p>Never</p>
+</td>
+</tr></tbody>
+</table>
+<h3 id="sme.sap.com/v1alpha1.WorkloadDetails">WorkloadDetails
+</h3>
+<p>
+(<em>Appears on: </em><a href="#sme.sap.com/v1alpha1.CAPApplicationVersionSpec">CAPApplicationVersionSpec</a>)
+</p>
+<div>
+<p>WorkloadDetails specifies the details of the Workload</p>
+</div>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>name</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Name of the workload</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>consumedBTPServices</code><br/>
+<em>
+[]string
+</em>
+</td>
+<td>
+<p>List of BTP services consumed by the current application component workload. These services must be defined in the corresponding CAPApplication.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>labels</code><br/>
+<em>
+map[string]string
+</em>
+</td>
+<td>
+<p>Custom labels for the current workload</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>annotations</code><br/>
+<em>
+map[string]string
+</em>
+</td>
+<td>
+<p>Annotations for the current workload, in case of <code>Deployments</code> this also get copied over to any <code>Service</code> that may be created</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>deploymentDefinition</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.DeploymentDetails">
+DeploymentDetails
+</a>
+</em>
+</td>
+<td>
+<p>Definition of a deployment</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>jobDefinition</code><br/>
+<em>
+<a href="#sme.sap.com/v1alpha1.JobDetails">
+JobDetails
+</a>
+</em>
+</td>
+<td>
+<p>Definition of a job</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr/>
+<p><em>
+Generated with <code>gen-crd-api-reference-docs</code>
+on git commit <code>867824a</code>.
+</em></p>
diff --git a/website/includes/chart-values.md b/website/includes/chart-values.md
new file mode 100644
index 0000000..cf79b4b
--- /dev/null
+++ b/website/includes/chart-values.md
@@ -0,0 +1,67 @@
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| image.tag | string | `"latest"` | Default image tag (can be overwritten on component level) |
+| image.pullPolicy | string | `"IfNotPresent"` | Default image pull policy (can be overwritten on component level) |
+| imagePullSecrets | list | `[{"name":"regcred"}]` | Default image pull secrets (can be overwritten on component level) |
+| podSecurityContext | object | `{}` | Default pod security content (can be overwritten on component level) |
+| nodeSelector | object | `{}` | Default node selector (can be overwritten on component level) |
+| affinity | object | `{}` | Default affinity settings (can be overwritten on component level) |
+| tolerations | list | `[]` | Default tolerations (can be overwritten on component level) |
+| priorityClassName | string | `""` | Default priority class (can be overwritten on component level) |
+| controller.replicas | int | `1` | Replicas |
+| controller.image.repository | string | `"ghcr.io/sap/cap-operator/main/cap-controller"` | Image repository |
+| controller.image.tag | string | `""` | Image tag |
+| controller.image.pullPolicy | string | `""` | Image pull policy |
+| controller.imagePullSecrets | list | `[]` | Image pull secrets |
+| controller.podSecurityContext | object | `{}` | Pod security content |
+| controller.nodeSelector | object | `{}` | Node selector |
+| controller.affinity | object | `{}` | Affinity settings |
+| controller.tolerations | list | `[]` | Tolerations |
+| controller.priorityClassName | string | `""` | Priority class |
+| controller.securityContext | object | `{}` | Security context |
+| controller.resources.limits.memory | string | `"500Mi"` | Memory limit |
+| controller.resources.limits.cpu | float | `0.2` | CPU limit |
+| controller.resources.requests.memory | string | `"50Mi"` | Memory request |
+| controller.resources.requests.cpu | float | `0.02` | CPU request |
+| subscriptionServer.replicas | int | `1` | Replicas |
+| subscriptionServer.image.repository | string | `"ghcr.io/sap/cap-operator/main/server"` | Image repository |
+| subscriptionServer.image.tag | string | `""` | Image tag |
+| subscriptionServer.image.pullPolicy | string | `""` | Image pull policy |
+| subscriptionServer.imagePullSecrets | list | `[]` | Image pull secrets |
+| subscriptionServer.podSecurityContext | object | `{}` | Pod security content |
+| subscriptionServer.nodeSelector | object | `{}` | Node selector |
+| subscriptionServer.affinity | object | `{}` | Affinity settings |
+| subscriptionServer.tolerations | list | `[]` | Tolerations |
+| subscriptionServer.priorityClassName | string | `""` | Priority class |
+| subscriptionServer.securityContext | object | `{}` | Security context |
+| subscriptionServer.resources.limits.memory | string | `"200Mi"` | Memory limit |
+| subscriptionServer.resources.limits.cpu | float | `0.1` | CPU limit |
+| subscriptionServer.resources.requests.memory | string | `"20Mi"` | Memory request |
+| subscriptionServer.resources.requests.cpu | float | `0.01` | CPU request |
+| subscriptionServer.port | int | `4000` | Service port |
+| subscriptionServer.istioSystemNamespace | string | `"istio-system"` | The namespace in the cluster where istio system components are installed |
+| subscriptionServer.ingressGatewayLabels | object | `{"app":"istio-ingressgateway","istio":"ingressgateway"}` | Labels used to identify the istio ingress-gateway component |
+| subscriptionServer.dnsTarget | string | `"public-ingress.clusters.cs.services.sap"` | The dns target mentioned on the public ingress gateway service used in the cluster |
+| subscriptionServer.domain | string | `"cap-operator.clusters.cs.services.sap"` | The domain under which the cap operator subscription server would be available |
+| webhook.sidecar | bool | `false` | Side car to mount admission review |
+| webhook.replicas | int | `1` | Replicas |
+| webhook.image.repository | string | `"ghcr.io/sap/cap-operator/main/web-hooks"` | Image repository |
+| webhook.image.tag | string | `""` | Image tag |
+| webhook.image.pullPolicy | string | `""` | Image pull policy |
+| webhook.imagePullSecrets | list | `[]` | Image pull secrets |
+| webhook.podSecurityContext | object | `{}` | Pod security content |
+| webhook.nodeSelector | object | `{}` | Node selector |
+| webhook.affinity | object | `{}` | Affinity settings |
+| webhook.tolerations | list | `[]` | Tolerations |
+| webhook.priorityClassName | string | `""` | Priority class |
+| webhook.securityContext | object | `{}` | Security context |
+| webhook.resources.limits.memory | string | `"200Mi"` | Memory limit |
+| webhook.resources.limits.cpu | float | `0.1` | CPU limit |
+| webhook.resources.requests.memory | string | `"20Mi"` | Memory request |
+| webhook.resources.requests.cpu | float | `0.01` | CPU request |
+| webhook.service | object | `{"port":443,"targetPort":1443,"type":"ClusterIP"}` | Service port |
+| webhook.service.type | string | `"ClusterIP"` | Service type |
+| webhook.service.port | int | `443` | Service port |
+| webhook.service.targetPort | int | `1443` | Target port |
diff --git a/website/layouts/shortcodes/include.html b/website/layouts/shortcodes/include.html
new file mode 100644
index 0000000..1ed3ff9
--- /dev/null
+++ b/website/layouts/shortcodes/include.html
@@ -0,0 +1 @@
+{{ .Get 0 | readFile | safeHTML }}
\ No newline at end of file
diff --git a/website/package-lock.json b/website/package-lock.json
new file mode 100644
index 0000000..0322333
--- /dev/null
+++ b/website/package-lock.json
@@ -0,0 +1,1611 @@
+{
+  "name": "website",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {
+    "": {
+      "devDependencies": {
+        "autoprefixer": "^10.4.8",
+        "postcss": "^8.4.16",
+        "postcss-cli": "^10.0.0"
+      }
+    },
+    "node_modules/@nodelib/fs.scandir": {
+      "version": "2.1.5",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
+      "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
+      "dev": true,
+      "dependencies": {
+        "@nodelib/fs.stat": "2.0.5",
+        "run-parallel": "^1.1.9"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@nodelib/fs.stat": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
+      "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
+      "dev": true,
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@nodelib/fs.walk": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
+      "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
+      "dev": true,
+      "dependencies": {
+        "@nodelib/fs.scandir": "2.1.5",
+        "fastq": "^1.6.0"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/ansi-styles": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "dev": true,
+      "dependencies": {
+        "color-convert": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
+    "node_modules/anymatch": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz",
+      "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==",
+      "dev": true,
+      "dependencies": {
+        "normalize-path": "^3.0.0",
+        "picomatch": "^2.0.4"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/autoprefixer": {
+      "version": "10.4.15",
+      "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.15.tgz",
+      "integrity": "sha512-KCuPB8ZCIqFdA4HwKXsvz7j6gvSDNhDP7WnUjBleRkKjPdvCmHFuQ77ocavI8FT6NdvlBnE2UFr2H4Mycn8Vew==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/postcss/"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/autoprefixer"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "dependencies": {
+        "browserslist": "^4.21.10",
+        "caniuse-lite": "^1.0.30001520",
+        "fraction.js": "^4.2.0",
+        "normalize-range": "^0.1.2",
+        "picocolors": "^1.0.0",
+        "postcss-value-parser": "^4.2.0"
+      },
+      "bin": {
+        "autoprefixer": "bin/autoprefixer"
+      },
+      "engines": {
+        "node": "^10 || ^12 || >=14"
+      },
+      "peerDependencies": {
+        "postcss": "^8.1.0"
+      }
+    },
+    "node_modules/binary-extensions": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.2.0.tgz",
+      "integrity": "sha512-jDctJ/IVQbZoJykoeHbhXpOlNBqGNcwXJKJog42E5HDPUwQTSdjCHdihjj0DlnheQ7blbT6dHOafNAiS8ooQKA==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/braces": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
+      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "dev": true,
+      "dependencies": {
+        "fill-range": "^7.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/browserslist": {
+      "version": "4.21.10",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.21.10.tgz",
+      "integrity": "sha512-bipEBdZfVH5/pwrvqc+Ub0kUPVfGUhlKxbvfD+z1BDnPEO/X98ruXGA1WP5ASpAFKan7Qr6j736IacbZQuAlKQ==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/browserslist"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "dependencies": {
+        "caniuse-lite": "^1.0.30001517",
+        "electron-to-chromium": "^1.4.477",
+        "node-releases": "^2.0.13",
+        "update-browserslist-db": "^1.0.11"
+      },
+      "bin": {
+        "browserslist": "cli.js"
+      },
+      "engines": {
+        "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7"
+      }
+    },
+    "node_modules/caniuse-lite": {
+      "version": "1.0.30001521",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001521.tgz",
+      "integrity": "sha512-fnx1grfpEOvDGH+V17eccmNjucGUnCbP6KL+l5KqBIerp26WK/+RQ7CIDE37KGJjaPyqWXXlFUyKiWmvdNNKmQ==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/caniuse-lite"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ]
+    },
+    "node_modules/chokidar": {
+      "version": "3.5.3",
+      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.5.3.tgz",
+      "integrity": "sha512-Dr3sfKRP6oTcjf2JmUmFJfeVMvXBdegxB0iVQ5eb2V10uFJUCAS8OByZdVAyVb8xXNz3GjjTgj9kLWsZTqE6kw==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://paulmillr.com/funding/"
+        }
+      ],
+      "dependencies": {
+        "anymatch": "~3.1.2",
+        "braces": "~3.0.2",
+        "glob-parent": "~5.1.2",
+        "is-binary-path": "~2.1.0",
+        "is-glob": "~4.0.1",
+        "normalize-path": "~3.0.0",
+        "readdirp": "~3.6.0"
+      },
+      "engines": {
+        "node": ">= 8.10.0"
+      },
+      "optionalDependencies": {
+        "fsevents": "~2.3.2"
+      }
+    },
+    "node_modules/cliui": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz",
+      "integrity": "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==",
+      "dev": true,
+      "dependencies": {
+        "string-width": "^4.2.0",
+        "strip-ansi": "^6.0.1",
+        "wrap-ansi": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/color-convert": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "dev": true,
+      "dependencies": {
+        "color-name": "~1.1.4"
+      },
+      "engines": {
+        "node": ">=7.0.0"
+      }
+    },
+    "node_modules/color-name": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
+      "dev": true
+    },
+    "node_modules/dependency-graph": {
+      "version": "0.11.0",
+      "resolved": "https://registry.npmjs.org/dependency-graph/-/dependency-graph-0.11.0.tgz",
+      "integrity": "sha512-JeMq7fEshyepOWDfcfHK06N3MhyPhz++vtqWhMT5O9A3K42rdsEDpfdVqjaqaAhsw6a+ZqeDvQVtD0hFHQWrzg==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.6.0"
+      }
+    },
+    "node_modules/dir-glob": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/dir-glob/-/dir-glob-3.0.1.tgz",
+      "integrity": "sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==",
+      "dev": true,
+      "dependencies": {
+        "path-type": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/electron-to-chromium": {
+      "version": "1.4.494",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.494.tgz",
+      "integrity": "sha512-KF7wtsFFDu4ws1ZsSOt4pdmO1yWVNWCFtijVYZPUeW4SV7/hy/AESjLn/+qIWgq7mHscNOKAwN5AIM1+YAy+Ww==",
+      "dev": true
+    },
+    "node_modules/emoji-regex": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "dev": true
+    },
+    "node_modules/escalade": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.1.1.tgz",
+      "integrity": "sha512-k0er2gUkLf8O0zKJiAhmkTnJlTvINGv7ygDNPbeIsX/TJjGJZHuh9B2UxbsaEkmlEo9MfhrSzmhIlhRlI2GXnw==",
+      "dev": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/fast-glob": {
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.1.tgz",
+      "integrity": "sha512-kNFPyjhh5cKjrUltxs+wFx+ZkbRaxxmZ+X0ZU31SOsxCEtP9VPgtq2teZw1DebupL5GmDaNQ6yKMMVcM41iqDg==",
+      "dev": true,
+      "dependencies": {
+        "@nodelib/fs.stat": "^2.0.2",
+        "@nodelib/fs.walk": "^1.2.3",
+        "glob-parent": "^5.1.2",
+        "merge2": "^1.3.0",
+        "micromatch": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=8.6.0"
+      }
+    },
+    "node_modules/fastq": {
+      "version": "1.15.0",
+      "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.15.0.tgz",
+      "integrity": "sha512-wBrocU2LCXXa+lWBt8RoIRD89Fi8OdABODa/kEnyeyjS5aZO5/GNvI5sEINADqP/h8M29UHTHUb53sUu5Ihqdw==",
+      "dev": true,
+      "dependencies": {
+        "reusify": "^1.0.4"
+      }
+    },
+    "node_modules/fill-range": {
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
+      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+      "dev": true,
+      "dependencies": {
+        "to-regex-range": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/fraction.js": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-4.2.0.tgz",
+      "integrity": "sha512-MhLuK+2gUcnZe8ZHlaaINnQLl0xRIGRfcGk2yl8xoQAfHrSsL3rYu6FCmBdkdbhc9EPlwyGHewaRsvwRMJtAlA==",
+      "dev": true,
+      "engines": {
+        "node": "*"
+      },
+      "funding": {
+        "type": "patreon",
+        "url": "https://www.patreon.com/infusion"
+      }
+    },
+    "node_modules/fs-extra": {
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-11.1.1.tgz",
+      "integrity": "sha512-MGIE4HOvQCeUCzmlHs0vXpih4ysz4wg9qiSAu6cd42lVwPbTM1TjV7RusoyQqMmk/95gdQZX72u+YW+c3eEpFQ==",
+      "dev": true,
+      "dependencies": {
+        "graceful-fs": "^4.2.0",
+        "jsonfile": "^6.0.1",
+        "universalify": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=14.14"
+      }
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "dev": true,
+      "hasInstallScript": true,
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/get-caller-file": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
+      "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==",
+      "dev": true,
+      "engines": {
+        "node": "6.* || 8.* || >= 10.*"
+      }
+    },
+    "node_modules/get-stdin": {
+      "version": "9.0.0",
+      "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-9.0.0.tgz",
+      "integrity": "sha512-dVKBjfWisLAicarI2Sf+JuBE/DghV4UzNAVe9yhEJuzeREd3JhOTE9cUaJTeSa77fsbQUK3pcOpJfM59+VKZaA==",
+      "dev": true,
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/glob-parent": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
+      "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
+      "dev": true,
+      "dependencies": {
+        "is-glob": "^4.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/globby": {
+      "version": "13.2.2",
+      "resolved": "https://registry.npmjs.org/globby/-/globby-13.2.2.tgz",
+      "integrity": "sha512-Y1zNGV+pzQdh7H39l9zgB4PJqjRNqydvdYCDG4HFXM4XuvSaQQlEc91IU1yALL8gUTDomgBAfz3XJdmUS+oo0w==",
+      "dev": true,
+      "dependencies": {
+        "dir-glob": "^3.0.1",
+        "fast-glob": "^3.3.0",
+        "ignore": "^5.2.4",
+        "merge2": "^1.4.1",
+        "slash": "^4.0.0"
+      },
+      "engines": {
+        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/globby/node_modules/slash": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/slash/-/slash-4.0.0.tgz",
+      "integrity": "sha512-3dOsAHXXUkQTpOYcoAxLIorMTp4gIQr5IW3iVb7A7lFIp0VHhnynm9izx6TssdrIcVIESAlVjtnO2K8bg+Coew==",
+      "dev": true,
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/graceful-fs": {
+      "version": "4.2.11",
+      "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz",
+      "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==",
+      "dev": true
+    },
+    "node_modules/ignore": {
+      "version": "5.2.4",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.2.4.tgz",
+      "integrity": "sha512-MAb38BcSbH0eHNBxn7ql2NH/kX33OkB3lZ1BNdh7ENeRChHTYsTvWrMubiIAMNS2llXEEgZ1MUOBtXChP3kaFQ==",
+      "dev": true,
+      "engines": {
+        "node": ">= 4"
+      }
+    },
+    "node_modules/is-binary-path": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz",
+      "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==",
+      "dev": true,
+      "dependencies": {
+        "binary-extensions": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-extglob": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
+      "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-fullwidth-code-point": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
+      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-glob": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
+      "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
+      "dev": true,
+      "dependencies": {
+        "is-extglob": "^2.1.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-number": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
+      "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.12.0"
+      }
+    },
+    "node_modules/jsonfile": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-6.1.0.tgz",
+      "integrity": "sha512-5dgndWOriYSm5cnYaJNhalLNDKOqFwyDB/rr1E9ZsGciGvKPs8R2xYGCacuf3z6K1YKDz182fd+fY3cn3pMqXQ==",
+      "dev": true,
+      "dependencies": {
+        "universalify": "^2.0.0"
+      },
+      "optionalDependencies": {
+        "graceful-fs": "^4.1.6"
+      }
+    },
+    "node_modules/lilconfig": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-2.1.0.tgz",
+      "integrity": "sha512-utWOt/GHzuUxnLKxB6dk81RoOeoNeHgbrXiuGk4yyF5qlRz+iIVWu56E2fqGHFrXz0QNUhLB/8nKqvRH66JKGQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/merge2": {
+      "version": "1.4.1",
+      "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz",
+      "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==",
+      "dev": true,
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/micromatch": {
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz",
+      "integrity": "sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==",
+      "dev": true,
+      "dependencies": {
+        "braces": "^3.0.2",
+        "picomatch": "^2.3.1"
+      },
+      "engines": {
+        "node": ">=8.6"
+      }
+    },
+    "node_modules/nanoid": {
+      "version": "3.3.6",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.6.tgz",
+      "integrity": "sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "bin": {
+        "nanoid": "bin/nanoid.cjs"
+      },
+      "engines": {
+        "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1"
+      }
+    },
+    "node_modules/node-releases": {
+      "version": "2.0.13",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.13.tgz",
+      "integrity": "sha512-uYr7J37ae/ORWdZeQ1xxMJe3NtdmqMC/JZK+geofDrkLUApKRHPd18/TxtBOJ4A0/+uUIliorNrfYV6s1b02eQ==",
+      "dev": true
+    },
+    "node_modules/normalize-path": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
+      "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/normalize-range": {
+      "version": "0.1.2",
+      "resolved": "https://registry.npmjs.org/normalize-range/-/normalize-range-0.1.2.tgz",
+      "integrity": "sha512-bdok/XvKII3nUpklnV6P2hxtMNrCboOjAcyBuQnWEhO665FwrSNRxU+AqpsyvO6LgGYPspN+lu5CLtw4jPRKNA==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/path-type": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/path-type/-/path-type-4.0.0.tgz",
+      "integrity": "sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==",
+      "dev": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/picocolors": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz",
+      "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==",
+      "dev": true
+    },
+    "node_modules/picomatch": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
+      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "dev": true,
+      "engines": {
+        "node": ">=8.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
+    "node_modules/pify": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz",
+      "integrity": "sha512-udgsAY+fTnvv7kI7aaxbqwWNb0AHiB0qBO89PZKPkoTmGOgdbrHDKD+0B2X4uTfJ/FT1R09r9gTsjUjNJotuog==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postcss": {
+      "version": "8.4.28",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.28.tgz",
+      "integrity": "sha512-Z7V5j0cq8oEKyejIKfpD8b4eBy9cwW2JWPk0+fB1HOAMsfHbnAXLLS+PfVWlzMSLQaWttKDt607I0XHmpE67Vw==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/postcss/"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/postcss"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "dependencies": {
+        "nanoid": "^3.3.6",
+        "picocolors": "^1.0.0",
+        "source-map-js": "^1.0.2"
+      },
+      "engines": {
+        "node": "^10 || ^12 || >=14"
+      }
+    },
+    "node_modules/postcss-cli": {
+      "version": "10.1.0",
+      "resolved": "https://registry.npmjs.org/postcss-cli/-/postcss-cli-10.1.0.tgz",
+      "integrity": "sha512-Zu7PLORkE9YwNdvOeOVKPmWghprOtjFQU3srMUGbdz3pHJiFh7yZ4geiZFMkjMfB0mtTFR3h8RemR62rPkbOPA==",
+      "dev": true,
+      "dependencies": {
+        "chokidar": "^3.3.0",
+        "dependency-graph": "^0.11.0",
+        "fs-extra": "^11.0.0",
+        "get-stdin": "^9.0.0",
+        "globby": "^13.0.0",
+        "picocolors": "^1.0.0",
+        "postcss-load-config": "^4.0.0",
+        "postcss-reporter": "^7.0.0",
+        "pretty-hrtime": "^1.0.3",
+        "read-cache": "^1.0.0",
+        "slash": "^5.0.0",
+        "yargs": "^17.0.0"
+      },
+      "bin": {
+        "postcss": "index.js"
+      },
+      "engines": {
+        "node": ">=14"
+      },
+      "peerDependencies": {
+        "postcss": "^8.0.0"
+      }
+    },
+    "node_modules/postcss-load-config": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-4.0.1.tgz",
+      "integrity": "sha512-vEJIc8RdiBRu3oRAI0ymerOn+7rPuMvRXslTvZUKZonDHFIczxztIyJ1urxM1x9JXEikvpWWTUUqal5j/8QgvA==",
+      "dev": true,
+      "dependencies": {
+        "lilconfig": "^2.0.5",
+        "yaml": "^2.1.1"
+      },
+      "engines": {
+        "node": ">= 14"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/postcss/"
+      },
+      "peerDependencies": {
+        "postcss": ">=8.0.9",
+        "ts-node": ">=9.0.0"
+      },
+      "peerDependenciesMeta": {
+        "postcss": {
+          "optional": true
+        },
+        "ts-node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/postcss-reporter": {
+      "version": "7.0.5",
+      "resolved": "https://registry.npmjs.org/postcss-reporter/-/postcss-reporter-7.0.5.tgz",
+      "integrity": "sha512-glWg7VZBilooZGOFPhN9msJ3FQs19Hie7l5a/eE6WglzYqVeH3ong3ShFcp9kDWJT1g2Y/wd59cocf9XxBtkWA==",
+      "dev": true,
+      "dependencies": {
+        "picocolors": "^1.0.0",
+        "thenby": "^1.3.4"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/postcss/"
+      },
+      "peerDependencies": {
+        "postcss": "^8.1.0"
+      }
+    },
+    "node_modules/postcss-value-parser": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz",
+      "integrity": "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==",
+      "dev": true
+    },
+    "node_modules/pretty-hrtime": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/pretty-hrtime/-/pretty-hrtime-1.0.3.tgz",
+      "integrity": "sha512-66hKPCr+72mlfiSjlEB1+45IjXSqvVAIy6mocupoww4tBFE9R9IhwwUGoI4G++Tc9Aq+2rxOt0RFU6gPcrte0A==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/queue-microtask": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
+      "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ]
+    },
+    "node_modules/read-cache": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/read-cache/-/read-cache-1.0.0.tgz",
+      "integrity": "sha512-Owdv/Ft7IjOgm/i0xvNDZ1LrRANRfew4b2prF3OWMQLxLfu3bS8FVhCsrSCMK4lR56Y9ya+AThoTpDCTxCmpRA==",
+      "dev": true,
+      "dependencies": {
+        "pify": "^2.3.0"
+      }
+    },
+    "node_modules/readdirp": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz",
+      "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==",
+      "dev": true,
+      "dependencies": {
+        "picomatch": "^2.2.1"
+      },
+      "engines": {
+        "node": ">=8.10.0"
+      }
+    },
+    "node_modules/require-directory": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
+      "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/reusify": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.0.4.tgz",
+      "integrity": "sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==",
+      "dev": true,
+      "engines": {
+        "iojs": ">=1.0.0",
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/run-parallel": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
+      "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "dependencies": {
+        "queue-microtask": "^1.2.2"
+      }
+    },
+    "node_modules/slash": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/slash/-/slash-5.1.0.tgz",
+      "integrity": "sha512-ZA6oR3T/pEyuqwMgAKT0/hAv8oAXckzbkmR0UkUosQ+Mc4RxGoJkRmwHgHufaenlyAgE1Mxgpdcrf75y6XcnDg==",
+      "dev": true,
+      "engines": {
+        "node": ">=14.16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/source-map-js": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.0.2.tgz",
+      "integrity": "sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/string-width": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "dev": true,
+      "dependencies": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "dev": true,
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/thenby": {
+      "version": "1.3.4",
+      "resolved": "https://registry.npmjs.org/thenby/-/thenby-1.3.4.tgz",
+      "integrity": "sha512-89Gi5raiWA3QZ4b2ePcEwswC3me9JIg+ToSgtE0JWeCynLnLxNr/f9G+xfo9K+Oj4AFdom8YNJjibIARTJmapQ==",
+      "dev": true
+    },
+    "node_modules/to-regex-range": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
+      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+      "dev": true,
+      "dependencies": {
+        "is-number": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=8.0"
+      }
+    },
+    "node_modules/universalify": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/universalify/-/universalify-2.0.0.tgz",
+      "integrity": "sha512-hAZsKq7Yy11Zu1DE0OzWjw7nnLZmJZYTDZZyEFHZdUhV8FkH5MCfoU1XMaxXovpyW5nq5scPqq0ZDP9Zyl04oQ==",
+      "dev": true,
+      "engines": {
+        "node": ">= 10.0.0"
+      }
+    },
+    "node_modules/update-browserslist-db": {
+      "version": "1.0.11",
+      "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.0.11.tgz",
+      "integrity": "sha512-dCwEFf0/oT85M1fHBg4F0jtLwJrutGoHSQXCh7u4o2t1drG+c0a9Flnqww6XUKSfQMPpJBRjU8d4RXB09qtvaA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/browserslist"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "dependencies": {
+        "escalade": "^3.1.1",
+        "picocolors": "^1.0.0"
+      },
+      "bin": {
+        "update-browserslist-db": "cli.js"
+      },
+      "peerDependencies": {
+        "browserslist": ">= 4.21.0"
+      }
+    },
+    "node_modules/wrap-ansi": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz",
+      "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==",
+      "dev": true,
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
+      }
+    },
+    "node_modules/y18n": {
+      "version": "5.0.8",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
+      "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==",
+      "dev": true,
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/yaml": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.3.1.tgz",
+      "integrity": "sha512-2eHWfjaoXgTBC2jNM1LRef62VQa0umtvRiDSk6HSzW7RvS5YtkabJrwYLLEKWBc8a5U2PTSCs+dJjUTJdlHsWQ==",
+      "dev": true,
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/yargs": {
+      "version": "17.7.2",
+      "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz",
+      "integrity": "sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==",
+      "dev": true,
+      "dependencies": {
+        "cliui": "^8.0.1",
+        "escalade": "^3.1.1",
+        "get-caller-file": "^2.0.5",
+        "require-directory": "^2.1.1",
+        "string-width": "^4.2.3",
+        "y18n": "^5.0.5",
+        "yargs-parser": "^21.1.1"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/yargs-parser": {
+      "version": "21.1.1",
+      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-21.1.1.tgz",
+      "integrity": "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==",
+      "dev": true,
+      "engines": {
+        "node": ">=12"
+      }
+    }
+  },
+  "dependencies": {
+    "@nodelib/fs.scandir": {
+      "version": "2.1.5",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
+      "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
+      "dev": true,
+      "requires": {
+        "@nodelib/fs.stat": "2.0.5",
+        "run-parallel": "^1.1.9"
+      }
+    },
+    "@nodelib/fs.stat": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
+      "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
+      "dev": true
+    },
+    "@nodelib/fs.walk": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
+      "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
+      "dev": true,
+      "requires": {
+        "@nodelib/fs.scandir": "2.1.5",
+        "fastq": "^1.6.0"
+      }
+    },
+    "ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "dev": true
+    },
+    "ansi-styles": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "dev": true,
+      "requires": {
+        "color-convert": "^2.0.1"
+      }
+    },
+    "anymatch": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz",
+      "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==",
+      "dev": true,
+      "requires": {
+        "normalize-path": "^3.0.0",
+        "picomatch": "^2.0.4"
+      }
+    },
+    "autoprefixer": {
+      "version": "10.4.15",
+      "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.15.tgz",
+      "integrity": "sha512-KCuPB8ZCIqFdA4HwKXsvz7j6gvSDNhDP7WnUjBleRkKjPdvCmHFuQ77ocavI8FT6NdvlBnE2UFr2H4Mycn8Vew==",
+      "dev": true,
+      "requires": {
+        "browserslist": "^4.21.10",
+        "caniuse-lite": "^1.0.30001520",
+        "fraction.js": "^4.2.0",
+        "normalize-range": "^0.1.2",
+        "picocolors": "^1.0.0",
+        "postcss-value-parser": "^4.2.0"
+      }
+    },
+    "binary-extensions": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.2.0.tgz",
+      "integrity": "sha512-jDctJ/IVQbZoJykoeHbhXpOlNBqGNcwXJKJog42E5HDPUwQTSdjCHdihjj0DlnheQ7blbT6dHOafNAiS8ooQKA==",
+      "dev": true
+    },
+    "braces": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
+      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "dev": true,
+      "requires": {
+        "fill-range": "^7.0.1"
+      }
+    },
+    "browserslist": {
+      "version": "4.21.10",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.21.10.tgz",
+      "integrity": "sha512-bipEBdZfVH5/pwrvqc+Ub0kUPVfGUhlKxbvfD+z1BDnPEO/X98ruXGA1WP5ASpAFKan7Qr6j736IacbZQuAlKQ==",
+      "dev": true,
+      "requires": {
+        "caniuse-lite": "^1.0.30001517",
+        "electron-to-chromium": "^1.4.477",
+        "node-releases": "^2.0.13",
+        "update-browserslist-db": "^1.0.11"
+      }
+    },
+    "caniuse-lite": {
+      "version": "1.0.30001521",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001521.tgz",
+      "integrity": "sha512-fnx1grfpEOvDGH+V17eccmNjucGUnCbP6KL+l5KqBIerp26WK/+RQ7CIDE37KGJjaPyqWXXlFUyKiWmvdNNKmQ==",
+      "dev": true
+    },
+    "chokidar": {
+      "version": "3.5.3",
+      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.5.3.tgz",
+      "integrity": "sha512-Dr3sfKRP6oTcjf2JmUmFJfeVMvXBdegxB0iVQ5eb2V10uFJUCAS8OByZdVAyVb8xXNz3GjjTgj9kLWsZTqE6kw==",
+      "dev": true,
+      "requires": {
+        "anymatch": "~3.1.2",
+        "braces": "~3.0.2",
+        "fsevents": "~2.3.2",
+        "glob-parent": "~5.1.2",
+        "is-binary-path": "~2.1.0",
+        "is-glob": "~4.0.1",
+        "normalize-path": "~3.0.0",
+        "readdirp": "~3.6.0"
+      }
+    },
+    "cliui": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz",
+      "integrity": "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==",
+      "dev": true,
+      "requires": {
+        "string-width": "^4.2.0",
+        "strip-ansi": "^6.0.1",
+        "wrap-ansi": "^7.0.0"
+      }
+    },
+    "color-convert": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "dev": true,
+      "requires": {
+        "color-name": "~1.1.4"
+      }
+    },
+    "color-name": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
+      "dev": true
+    },
+    "dependency-graph": {
+      "version": "0.11.0",
+      "resolved": "https://registry.npmjs.org/dependency-graph/-/dependency-graph-0.11.0.tgz",
+      "integrity": "sha512-JeMq7fEshyepOWDfcfHK06N3MhyPhz++vtqWhMT5O9A3K42rdsEDpfdVqjaqaAhsw6a+ZqeDvQVtD0hFHQWrzg==",
+      "dev": true
+    },
+    "dir-glob": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/dir-glob/-/dir-glob-3.0.1.tgz",
+      "integrity": "sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==",
+      "dev": true,
+      "requires": {
+        "path-type": "^4.0.0"
+      }
+    },
+    "electron-to-chromium": {
+      "version": "1.4.494",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.494.tgz",
+      "integrity": "sha512-KF7wtsFFDu4ws1ZsSOt4pdmO1yWVNWCFtijVYZPUeW4SV7/hy/AESjLn/+qIWgq7mHscNOKAwN5AIM1+YAy+Ww==",
+      "dev": true
+    },
+    "emoji-regex": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "dev": true
+    },
+    "escalade": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.1.1.tgz",
+      "integrity": "sha512-k0er2gUkLf8O0zKJiAhmkTnJlTvINGv7ygDNPbeIsX/TJjGJZHuh9B2UxbsaEkmlEo9MfhrSzmhIlhRlI2GXnw==",
+      "dev": true
+    },
+    "fast-glob": {
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.1.tgz",
+      "integrity": "sha512-kNFPyjhh5cKjrUltxs+wFx+ZkbRaxxmZ+X0ZU31SOsxCEtP9VPgtq2teZw1DebupL5GmDaNQ6yKMMVcM41iqDg==",
+      "dev": true,
+      "requires": {
+        "@nodelib/fs.stat": "^2.0.2",
+        "@nodelib/fs.walk": "^1.2.3",
+        "glob-parent": "^5.1.2",
+        "merge2": "^1.3.0",
+        "micromatch": "^4.0.4"
+      }
+    },
+    "fastq": {
+      "version": "1.15.0",
+      "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.15.0.tgz",
+      "integrity": "sha512-wBrocU2LCXXa+lWBt8RoIRD89Fi8OdABODa/kEnyeyjS5aZO5/GNvI5sEINADqP/h8M29UHTHUb53sUu5Ihqdw==",
+      "dev": true,
+      "requires": {
+        "reusify": "^1.0.4"
+      }
+    },
+    "fill-range": {
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
+      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+      "dev": true,
+      "requires": {
+        "to-regex-range": "^5.0.1"
+      }
+    },
+    "fraction.js": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-4.2.0.tgz",
+      "integrity": "sha512-MhLuK+2gUcnZe8ZHlaaINnQLl0xRIGRfcGk2yl8xoQAfHrSsL3rYu6FCmBdkdbhc9EPlwyGHewaRsvwRMJtAlA==",
+      "dev": true
+    },
+    "fs-extra": {
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-11.1.1.tgz",
+      "integrity": "sha512-MGIE4HOvQCeUCzmlHs0vXpih4ysz4wg9qiSAu6cd42lVwPbTM1TjV7RusoyQqMmk/95gdQZX72u+YW+c3eEpFQ==",
+      "dev": true,
+      "requires": {
+        "graceful-fs": "^4.2.0",
+        "jsonfile": "^6.0.1",
+        "universalify": "^2.0.0"
+      }
+    },
+    "fsevents": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "dev": true,
+      "optional": true
+    },
+    "get-caller-file": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
+      "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==",
+      "dev": true
+    },
+    "get-stdin": {
+      "version": "9.0.0",
+      "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-9.0.0.tgz",
+      "integrity": "sha512-dVKBjfWisLAicarI2Sf+JuBE/DghV4UzNAVe9yhEJuzeREd3JhOTE9cUaJTeSa77fsbQUK3pcOpJfM59+VKZaA==",
+      "dev": true
+    },
+    "glob-parent": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
+      "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
+      "dev": true,
+      "requires": {
+        "is-glob": "^4.0.1"
+      }
+    },
+    "globby": {
+      "version": "13.2.2",
+      "resolved": "https://registry.npmjs.org/globby/-/globby-13.2.2.tgz",
+      "integrity": "sha512-Y1zNGV+pzQdh7H39l9zgB4PJqjRNqydvdYCDG4HFXM4XuvSaQQlEc91IU1yALL8gUTDomgBAfz3XJdmUS+oo0w==",
+      "dev": true,
+      "requires": {
+        "dir-glob": "^3.0.1",
+        "fast-glob": "^3.3.0",
+        "ignore": "^5.2.4",
+        "merge2": "^1.4.1",
+        "slash": "^4.0.0"
+      },
+      "dependencies": {
+        "slash": {
+          "version": "4.0.0",
+          "resolved": "https://registry.npmjs.org/slash/-/slash-4.0.0.tgz",
+          "integrity": "sha512-3dOsAHXXUkQTpOYcoAxLIorMTp4gIQr5IW3iVb7A7lFIp0VHhnynm9izx6TssdrIcVIESAlVjtnO2K8bg+Coew==",
+          "dev": true
+        }
+      }
+    },
+    "graceful-fs": {
+      "version": "4.2.11",
+      "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz",
+      "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==",
+      "dev": true
+    },
+    "ignore": {
+      "version": "5.2.4",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.2.4.tgz",
+      "integrity": "sha512-MAb38BcSbH0eHNBxn7ql2NH/kX33OkB3lZ1BNdh7ENeRChHTYsTvWrMubiIAMNS2llXEEgZ1MUOBtXChP3kaFQ==",
+      "dev": true
+    },
+    "is-binary-path": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz",
+      "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==",
+      "dev": true,
+      "requires": {
+        "binary-extensions": "^2.0.0"
+      }
+    },
+    "is-extglob": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
+      "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
+      "dev": true
+    },
+    "is-fullwidth-code-point": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
+      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
+      "dev": true
+    },
+    "is-glob": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
+      "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
+      "dev": true,
+      "requires": {
+        "is-extglob": "^2.1.1"
+      }
+    },
+    "is-number": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
+      "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
+      "dev": true
+    },
+    "jsonfile": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-6.1.0.tgz",
+      "integrity": "sha512-5dgndWOriYSm5cnYaJNhalLNDKOqFwyDB/rr1E9ZsGciGvKPs8R2xYGCacuf3z6K1YKDz182fd+fY3cn3pMqXQ==",
+      "dev": true,
+      "requires": {
+        "graceful-fs": "^4.1.6",
+        "universalify": "^2.0.0"
+      }
+    },
+    "lilconfig": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-2.1.0.tgz",
+      "integrity": "sha512-utWOt/GHzuUxnLKxB6dk81RoOeoNeHgbrXiuGk4yyF5qlRz+iIVWu56E2fqGHFrXz0QNUhLB/8nKqvRH66JKGQ==",
+      "dev": true
+    },
+    "merge2": {
+      "version": "1.4.1",
+      "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz",
+      "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==",
+      "dev": true
+    },
+    "micromatch": {
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz",
+      "integrity": "sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==",
+      "dev": true,
+      "requires": {
+        "braces": "^3.0.2",
+        "picomatch": "^2.3.1"
+      }
+    },
+    "nanoid": {
+      "version": "3.3.6",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.6.tgz",
+      "integrity": "sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==",
+      "dev": true
+    },
+    "node-releases": {
+      "version": "2.0.13",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.13.tgz",
+      "integrity": "sha512-uYr7J37ae/ORWdZeQ1xxMJe3NtdmqMC/JZK+geofDrkLUApKRHPd18/TxtBOJ4A0/+uUIliorNrfYV6s1b02eQ==",
+      "dev": true
+    },
+    "normalize-path": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
+      "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==",
+      "dev": true
+    },
+    "normalize-range": {
+      "version": "0.1.2",
+      "resolved": "https://registry.npmjs.org/normalize-range/-/normalize-range-0.1.2.tgz",
+      "integrity": "sha512-bdok/XvKII3nUpklnV6P2hxtMNrCboOjAcyBuQnWEhO665FwrSNRxU+AqpsyvO6LgGYPspN+lu5CLtw4jPRKNA==",
+      "dev": true
+    },
+    "path-type": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/path-type/-/path-type-4.0.0.tgz",
+      "integrity": "sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==",
+      "dev": true
+    },
+    "picocolors": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz",
+      "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==",
+      "dev": true
+    },
+    "picomatch": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
+      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "dev": true
+    },
+    "pify": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz",
+      "integrity": "sha512-udgsAY+fTnvv7kI7aaxbqwWNb0AHiB0qBO89PZKPkoTmGOgdbrHDKD+0B2X4uTfJ/FT1R09r9gTsjUjNJotuog==",
+      "dev": true
+    },
+    "postcss": {
+      "version": "8.4.28",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.28.tgz",
+      "integrity": "sha512-Z7V5j0cq8oEKyejIKfpD8b4eBy9cwW2JWPk0+fB1HOAMsfHbnAXLLS+PfVWlzMSLQaWttKDt607I0XHmpE67Vw==",
+      "dev": true,
+      "requires": {
+        "nanoid": "^3.3.6",
+        "picocolors": "^1.0.0",
+        "source-map-js": "^1.0.2"
+      }
+    },
+    "postcss-cli": {
+      "version": "10.1.0",
+      "resolved": "https://registry.npmjs.org/postcss-cli/-/postcss-cli-10.1.0.tgz",
+      "integrity": "sha512-Zu7PLORkE9YwNdvOeOVKPmWghprOtjFQU3srMUGbdz3pHJiFh7yZ4geiZFMkjMfB0mtTFR3h8RemR62rPkbOPA==",
+      "dev": true,
+      "requires": {
+        "chokidar": "^3.3.0",
+        "dependency-graph": "^0.11.0",
+        "fs-extra": "^11.0.0",
+        "get-stdin": "^9.0.0",
+        "globby": "^13.0.0",
+        "picocolors": "^1.0.0",
+        "postcss-load-config": "^4.0.0",
+        "postcss-reporter": "^7.0.0",
+        "pretty-hrtime": "^1.0.3",
+        "read-cache": "^1.0.0",
+        "slash": "^5.0.0",
+        "yargs": "^17.0.0"
+      }
+    },
+    "postcss-load-config": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-4.0.1.tgz",
+      "integrity": "sha512-vEJIc8RdiBRu3oRAI0ymerOn+7rPuMvRXslTvZUKZonDHFIczxztIyJ1urxM1x9JXEikvpWWTUUqal5j/8QgvA==",
+      "dev": true,
+      "requires": {
+        "lilconfig": "^2.0.5",
+        "yaml": "^2.1.1"
+      }
+    },
+    "postcss-reporter": {
+      "version": "7.0.5",
+      "resolved": "https://registry.npmjs.org/postcss-reporter/-/postcss-reporter-7.0.5.tgz",
+      "integrity": "sha512-glWg7VZBilooZGOFPhN9msJ3FQs19Hie7l5a/eE6WglzYqVeH3ong3ShFcp9kDWJT1g2Y/wd59cocf9XxBtkWA==",
+      "dev": true,
+      "requires": {
+        "picocolors": "^1.0.0",
+        "thenby": "^1.3.4"
+      }
+    },
+    "postcss-value-parser": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz",
+      "integrity": "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==",
+      "dev": true
+    },
+    "pretty-hrtime": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/pretty-hrtime/-/pretty-hrtime-1.0.3.tgz",
+      "integrity": "sha512-66hKPCr+72mlfiSjlEB1+45IjXSqvVAIy6mocupoww4tBFE9R9IhwwUGoI4G++Tc9Aq+2rxOt0RFU6gPcrte0A==",
+      "dev": true
+    },
+    "queue-microtask": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
+      "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==",
+      "dev": true
+    },
+    "read-cache": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/read-cache/-/read-cache-1.0.0.tgz",
+      "integrity": "sha512-Owdv/Ft7IjOgm/i0xvNDZ1LrRANRfew4b2prF3OWMQLxLfu3bS8FVhCsrSCMK4lR56Y9ya+AThoTpDCTxCmpRA==",
+      "dev": true,
+      "requires": {
+        "pify": "^2.3.0"
+      }
+    },
+    "readdirp": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz",
+      "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==",
+      "dev": true,
+      "requires": {
+        "picomatch": "^2.2.1"
+      }
+    },
+    "require-directory": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
+      "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==",
+      "dev": true
+    },
+    "reusify": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.0.4.tgz",
+      "integrity": "sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==",
+      "dev": true
+    },
+    "run-parallel": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
+      "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==",
+      "dev": true,
+      "requires": {
+        "queue-microtask": "^1.2.2"
+      }
+    },
+    "slash": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/slash/-/slash-5.1.0.tgz",
+      "integrity": "sha512-ZA6oR3T/pEyuqwMgAKT0/hAv8oAXckzbkmR0UkUosQ+Mc4RxGoJkRmwHgHufaenlyAgE1Mxgpdcrf75y6XcnDg==",
+      "dev": true
+    },
+    "source-map-js": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.0.2.tgz",
+      "integrity": "sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw==",
+      "dev": true
+    },
+    "string-width": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "dev": true,
+      "requires": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      }
+    },
+    "strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "dev": true,
+      "requires": {
+        "ansi-regex": "^5.0.1"
+      }
+    },
+    "thenby": {
+      "version": "1.3.4",
+      "resolved": "https://registry.npmjs.org/thenby/-/thenby-1.3.4.tgz",
+      "integrity": "sha512-89Gi5raiWA3QZ4b2ePcEwswC3me9JIg+ToSgtE0JWeCynLnLxNr/f9G+xfo9K+Oj4AFdom8YNJjibIARTJmapQ==",
+      "dev": true
+    },
+    "to-regex-range": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
+      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+      "dev": true,
+      "requires": {
+        "is-number": "^7.0.0"
+      }
+    },
+    "universalify": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/universalify/-/universalify-2.0.0.tgz",
+      "integrity": "sha512-hAZsKq7Yy11Zu1DE0OzWjw7nnLZmJZYTDZZyEFHZdUhV8FkH5MCfoU1XMaxXovpyW5nq5scPqq0ZDP9Zyl04oQ==",
+      "dev": true
+    },
+    "update-browserslist-db": {
+      "version": "1.0.11",
+      "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.0.11.tgz",
+      "integrity": "sha512-dCwEFf0/oT85M1fHBg4F0jtLwJrutGoHSQXCh7u4o2t1drG+c0a9Flnqww6XUKSfQMPpJBRjU8d4RXB09qtvaA==",
+      "dev": true,
+      "requires": {
+        "escalade": "^3.1.1",
+        "picocolors": "^1.0.0"
+      }
+    },
+    "wrap-ansi": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz",
+      "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==",
+      "dev": true,
+      "requires": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      }
+    },
+    "y18n": {
+      "version": "5.0.8",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
+      "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==",
+      "dev": true
+    },
+    "yaml": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.3.1.tgz",
+      "integrity": "sha512-2eHWfjaoXgTBC2jNM1LRef62VQa0umtvRiDSk6HSzW7RvS5YtkabJrwYLLEKWBc8a5U2PTSCs+dJjUTJdlHsWQ==",
+      "dev": true
+    },
+    "yargs": {
+      "version": "17.7.2",
+      "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz",
+      "integrity": "sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==",
+      "dev": true,
+      "requires": {
+        "cliui": "^8.0.1",
+        "escalade": "^3.1.1",
+        "get-caller-file": "^2.0.5",
+        "require-directory": "^2.1.1",
+        "string-width": "^4.2.3",
+        "y18n": "^5.0.5",
+        "yargs-parser": "^21.1.1"
+      }
+    },
+    "yargs-parser": {
+      "version": "21.1.1",
+      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-21.1.1.tgz",
+      "integrity": "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==",
+      "dev": true
+    }
+  }
+}
diff --git a/website/package.json b/website/package.json
new file mode 100644
index 0000000..ff8634f
--- /dev/null
+++ b/website/package.json
@@ -0,0 +1,7 @@
+{
+  "devDependencies": {
+    "autoprefixer": "^10.4.8",
+    "postcss": "^8.4.16",
+    "postcss-cli": "^10.0.0"
+  }
+}
diff --git a/website/static/img/activity-tenantprovisioning.png b/website/static/img/activity-tenantprovisioning.png
new file mode 100644
index 0000000000000000000000000000000000000000..99e49ccda5f2f78d6fd7418e266708f97bc929f8
GIT binary patch
literal 113312
zcmce-XIN9)^EM1t><CsYpnzC0g^)xAObF?fBqTu;(+KIkDj*gV6&oJ0qlk(ftf&V$
zg339fqKHZr5xW#C(s@?&`1}9f|MTVf^j;V0X79ab&6+i9=AL`DsZ2Uy#89uHE-o%3
zNJLzui^~86_``P_1n!LXdM5?{xEdn~SeLU8Cck%a@r*M?@J(u4oLnV!@rQ^1y7GrX
z;<ZMTKOE-|gGH#MVv|9u0hi#uS}T#q$)%EC&tMQ3d>#Zo4+`f%(Ee}?1PcCwLIa`b
zpy*%k3uRKxzk(2f5FlVCPp*+@twwN3=YYSU5O5og1y|rfaL}(yTX4`Ua0jE)siZuq
zh$1)n!|(_=G7ugNZqK9;IW($2EF4^`<Vq>{haeRzway_DgU}i%*Miq!kU&%*)cJmR
zyg{o5Z{eYk;6O+q0v3b@8lu6I|5+Oz1`Q1QsUTYzCp5_aYd+_)EmDI~4s7t#BL9)>
zd?GaoWxsBd2r_jnKa$AA5l||9B!_I{(ta7iWY<Z5y(5uY<YJ%-%pV>B%q@`%Wd@-d
zh>`zmQIU)QC#y|-HNs*sFa%brAr@H8Igv&P*6?$FCNSze=r1A2D7Zu%%m~KEp$#+x
z6HbamMyUK@Sd7gsMM@o(NV6KPhCt8=qCjqh@p(3}m8sG4p(wJF1Y<;#jV!r1o?(=s
z4Op7O4w0f!Y>1c-H^S{eNSs*CV*@*35jX~$FH$g&ObswP7H)_)%Vi{foHkAfSLt|a
z5|=K6J4iYh6nG34B1D?N_TZHwQKT@+2oDz6xmGPbN~4xUnd1c_9e4%|BoszL$O3L;
zT#%A!5wd{8U@35ej)qW18q7MSQtjOIAcH1~M>WOs@F*#gz=z0!`N+sPqDUQN7U6+;
zu{5TMYFF~@Y#VqxSP_YU+k;VRJC&&i4@Df5MNNn%*@86TNV*g(1rLYQAq+!!xIu43
zQR5UAxy{ZInVf2yiBSruRf96c321DU3L$3N;cU6dZc^ISNEC#lQ5gg#y*i3uu;I{Z
zGRF{a(lUcNjCejAV^RbQBthXc9mPTw3wb&s+F>E9f?0aLS*AcnK`bbpiO<u=N7xBw
zvj#4VKtpwMszR$oz@TIXn(q*aQAnW)!=!SFTpLEIgz4BKpc9-d)G?*X$ase#&H!gX
z)GD?vPDRnG%#k9fz!9mH3K=wsHVR@BX-Hy*g>5&GEMOcI8!a`&BZToJ1coh+#KPEA
zl_?laWkVrYDl;A};nN^mE|SNWMn#xV8sLFgwt;LhqeTWHiyO`1i<rPxWTGY*5p4!n
zc6=0CLS|D<8Wtmxpk?cjoM7kn7|~n}i*JEPo8y>JvlND~XcX~yyCoRn&{~XQaLVz{
z;S!hu9mNM1R2Vt}%2BIfRH5^cfM>x+u^kagm6l|S3<6qUlz2H?!5|vBk&<wc&d5>*
zJHTxvk1ymz!&Q+I@Cyrpjz&od;WTBCLe3QkZQ(|t5o?p;ZAvv?Czs2jrDOq56%k3}
z66512>_~wWAq_VMM~X!x9v&;#nat7A4s#GS8XpxI&I1yizQX2Hf|(+$N@Ib;m8J-1
z2to2JaI?Vat`dPnsDj#<axw;?jHZ~vQCPMbO@s(6LA(eel14EKxIl&oDklm#5ljSJ
z2?o(bDp(ZVCbtBGedRllW)Ygs5Q7K65?DT&7zaTpQFh>>!8(Uf0x?H`laA*^Gud%;
z8Y)VQ6+{zMVw3>Sb!biT7(GcC6s^}Qc@Cg0UPPej;B<nF#bW3cN{cy|BH-cZc07$k
zrGnsv4W|a%EoQlrZe>`^Fr+{sGfShQkPfXZ+H5sbm3j_aBY-H>(g>M6m>b8{kcl*N
z93CkYBS=9CoL&)Z*P}^zGz<lgLQ1$go`5F}M@FEvDh<iN*C4GD2vtXopmFsGh7BUs
zA?eyEGFb@?XF`ZPHqWG0C{5ysXobu~Lx_xAt{iSdSnO&h7h)vR1Q;GlOSMt)U?EB(
zTqNVEcm_@oT?T$<Ya_5M0}O!yi(ohqXp%yXrcneE9)cPvfJR6oWf9H|;V|LxXf-a9
zs<csQAmHKI8nhvbtY$&YFp`bM*TL2DD3zLvga=XOxS)8LS^)%71vY*J-%gHW*l^}>
zM4Umdif8F`EP+D-MPX6Y;9#AC29@#1YAM|);ztHqSQH8>++sm6iDV*GXNa)VK_bM;
zCGcP_+vbeR_;5H*CDGfhaCMM?N3e>`7!^1|Tm!|TbXeKOaEdIPiDwBgQSwMf5G_tE
zkKpRiB&k(GAyX|(jg=)cvZ8}!4hz*_!%Iwxcw4xPE9MEfMgoN&jkcJC(cuv~ff_^O
ziGqz7m>5CfX{Z#nSfMr1MRtuSf+vVn#bGfNw8jyQ*2?HSF&pS;z?$?RSZLThy#*Vr
zic(P2cqm23jgJPgR>x%W9MVXFS<1kZSu&zsZw=<Cu`~))41r7O5;PAIY?M1A2?#5k
zC?T1y7RoHxczPt2j7J)x@mjKt#-Jl%I!h!)fo4mne6<!s5K3$)8!m_|BdEym_(&05
z9fdR#Sju>$Nu;5nq%>(9jwL}egOpqp1qjzFqN5>Ni3v%yM%tKSyb6VnV`w5G=?a{k
z4Pr8I5G>gUvq?AvHUvXwN9m$4sQ4(OHXOLVB|;McXJM!g3^q<7Rx8P3wg!)Y5RGJ^
znxnO2%@%6}S|AC>n5{^&i5nawg<6>LGP4}VafTu;iY$pDNVG^J774tV$D%+ZBA80J
zf~LaL1acHh;7l)Et{qEoC{-*88RtCHdT}HQ+>Q?7n;_0(tR{=N0%bhkd900CyewQu
ziKnS`G7QgdB*<kjvhz%n*knv3LC3>c!mYe0GMrAtVX#aV7!H1v5=dM$HqsG}(SvQn
zn+f6CZ~@H(MYE~#!E9?dnH|B#2a}N+v%?Y}BnT%<;?YD2Luk}MX*9VeE&@$farIU-
zJs7Pf#M=p0la*iuAyz4rusIe35E;jXQ6iv9G~Ou0NWu-wC^<LC#FjgV8iJK3gs6xZ
zV!RwBb*PjigkDV%2`q6kwoJ~mbEHtboXizb`7#GVN``3B;C>X+ig2oqHL3{2AOeF<
z(^?ojB-X&kAo#>M7FB^_>g^bU3NH?lBO-Kq7zV{f2McX%rJjpGILz`WF%@_N%O=&t
z(;^}@5KLSYj2W%MNX>MU1!NU$xB+G|q1ke-6cR<ns#HoX4Ni-+Mn)L%3Yb*K3unNi
z=mL^SX)+5U<vf`Z!4koYN=di?3`S!N@^GGWKfsTKLgk?$aZD@&gBO{Y;4uS<KyheT
z9tkP6D(x7hGrNfObSaf3k}>p90aQ&VsUZA#n8v}4=Tq!#kgf4z;7D;s0}l>Fs*s|1
zymKO~Ku=Q{^$rM(h>hexjU*hwgb^sX;YJJvVpDL@(K0ed%#|8sQi<3R4>mkP%!rU<
z#c~=_0HZ{axEO~Dcs(tMEuuJK6$K3^KqBe3pa?LH+yTNIHb`m@66+N_xsn#ek$~y3
zW;>n0isD4+ac~XUDmN*xXq485F(B0(B_T+nv#I0MQLvymh7|-=nt|?2m_b}Q(}Bb|
z=tLHkh*V-_QUOCiMN*htn;7lDnQSts)+#iautY@^6Cb2@+JtC}#6-lKEH*g8A`cGI
z3NS`#1exv7#IrDL7F-+!-hqY3Yl0(#(MU{`MnY8T;^=~46xB%NV@O!EJs8h13g`+5
z1EJFJMLMe-<4~x=S!SwOYQWi8SR9pO1Pdi#q#6RjPJn6=90p5bSK7f%K0&C~s#s#I
z)F!ZDb#lJVYB0rfp*pHVLqOr6WFwrWlCao89B!1Ji#BnjQXCVnr|B><tp=gt2H6zh
zLaB~JV&bF<N)**dWl#jh2v&3?D;^^-%jH-cOls$uqLdB}N@9lD=q4^ipjXiF@iaYG
z6~#4S>`;w@jtvq82Q!gG1qbKgibX+0QoJ@!Zj_J}6cQQ2iLl~CEN5cTFg0Qbgn;Bk
zg`?35hLL0sH}m5S@Nh9(NMJ@`sWPj`$PR`}EOHA~z|#S_8VAh4L83H{cmkX%V3{B$
zI*KlglHv$(hTh6EK=~wK2`t2*Fw>;Mh$tq&gLoZ|qeDB-v|7q#Mv+VelU{DOfwQE-
zKqELBxt0&JnJFB+or<@JF}OJ3U-%%n0&ACQSp<g>B0=b6Q7|FW!ZNa%K~N2b$qo;;
z8Wfl)hzJD*)2ZxKVZ6~8Y2lI$HkH9(Ghr=J@%%_CQcGh>X`~<~10|R7ppbYX%qq5N
zs4PTKJY5<oj1;ToM1?_PjgY8#T&GP4@gk*I1mPGkB$(Bz23ZXk35%qOco?i$sps*c
z>`uTJ?Er8b6OZEQqBs$hC^1JEEi|HO5-fyi7DlqoY(8IVpki2@pE#69Fkqr#bU9uQ
z6B7usC=l%Eb|sD$E-~{gP!>X>MTzA?6+Rj#$70D8qmc`d%1NpqJR*px0e9^x42KH>
zu7+oYqKR-a7D56#(6J7DgvJ(5P{gSTFdB`+riir!1D-~Mko1vI6%igs5$U0(U}TW<
z;PcFp(P$%{qB1h<6rrBN3f8kB8XZkyQaPasU8yEZ$S{=MAb_g$Oa&&Grr|hqNi;V|
z1;^+jEik4bUSXjqttbY#4HskCT82Z8HY>Hx=m&oEDw9}fL6DF{8wW^)sVPAyDoV~K
zqxGOdKvQIBX*7+B5FzZwU<VG%x9HJ)1cL_y)c}>DH>!{XGd{}3#L9wDS|XciFfoJG
za2-u8VVi@wW(PHz6lGu<l@21@fy03Cfk(*YN?5cGXBVIxadtZvYU4+0kW4)hV5(r6
z)MlikgR~kIQX6a#ICstFR6G)>7Ov-qa|~)N&KWcG5(&bJVv>a_p<XHA>y>sSOTc7d
zxf1Xymgvw#;-z>!DToTuL~yZEiWG!qxCR$bi^Mt)Jr4n6Bl$9JJXaq~2Q@Pl$H0;>
z=x~CRqvjZGP$ohw3D?MYtT==@G8kdB!RS=Dj3*_>i|j!*B9Tos2N_kM-oQG;KUN3|
zH8@*B<~nx;tBK|?<zQljQKy4(Xj~41fC8yD!Wt}BMhFOGMK}=xj{{o3MR9yG0?o4k
zn&96o0uRR#kqGcC7z%MR12#4@7=;rcQF;O!7H5ywQlK&hB#IksMROSnhtV0QVQd&e
zViZ`UQX9rbf#A5XIB`5)$t04ZWOA)tBSr=>aD0m<$i(F%@j|JcYd{+{LbTe9#L@9+
zi7gJsz-g37ve^`D2qxO%N#=+M1Sy;u1R@RA5D(Nq1E|f5U|6wQMl_Bu;L5Z?5Q9mi
zwA<iPB%6g*LC9P@l?ap(V~I$dfyU6<z%T*9p)erHScef46zP-$v+GGTHQ$JEn3Oyy
zkuJ0l$atPJz{?PFm^~bUB7t&Drj4htbrvy`q_jgFJU9)@&?-Ucs?{nb4go<CX|d2?
zQW-KjT#a{DAZDXDUc$Ff?9>Pbi$%3DIKkj<l-<N~(js^k4uU0`jW!MzSW<2UkC@>O
zYg{DRK<9B$uxPj>3WhQ0&1eBT+F4quWj2UFL?%FtYz-C@6%}EnGcl2<;Akj<7!PC6
z8F2_KFaiqc5K?3?2+d^UX(dc(G}CMm$zVW0M7$yz6m?i72Ny@NDzGw$78{MBM=2wt
z6yeb<bTpa8K?R$|@+g}~5ll63bXXae3e|};7#UU_2|znt$Iwa%{CEL^7X*WFp=3Nb
zX(&5E8o`Wnf(=0EfWLopIzI^>@cX}%8a!f8&FoVyE<P?K9EM|C)>JU++tS88KYBt6
zKl#j0{r=AH`Q2?N!zLaSuHNFd>xBGL!z0noXN8sx7|O(=><<i&q?6>63ocGLtnNOC
zQ4Y!CUci33{PNN9AR_G~Y0kui3>@#%Hsf=1b4Oj_)ue?hGB5n-Xij+0`xOlcGPJC<
z>qbl2rLu&xJ$26#>PCEC?J~f}#no-GOF#Ej|GD({dpPs({oTWpFAnI%m%HxhrImZi
z8E<UP*ZgPv)y)&V6)yNa?!XWqg(>dV=+^-dN_o@GFyq~@$#|zoAE@h_!dp2g_kTqv
z!#oyO%slce7d_8)b?3!fsHy$jbB2O<PTF?pe=Fcla$&6*c4XuLw+|m*Nbk70y5UAI
z?`^#HTe(B!1Kbg_o0knj5?38MNO1)s<^U1b90&E`zt*6@y0DJS*mAZ5GUS6Y(G{}N
ztzx&!*VwcJWe=zQTB+G*RSs+Ld^rAOpK%13*z6CM#4Ceqewkr0&CN$qaqH1=&;Pc`
zPxCMl{Wf@Uzs_t-{*SGGo2_E4OBS9s`99>|Nq*l4^0~fXKEzho)c<8>_f`KdQ>9K{
z{5|RHFt^2r&JNh!_u+&6&WK<8l{3T@m$nym?M?B1e|g)BOf*7v^V2k!WCt+Vsf@yj
z^M38nAq%jW;_a8{k-HDw*rky@bYHc~?@d@>|KHloruk4<VmRp;alsQ`OI|hw?zj8$
z)||!zXe4>TlJbQUE3Nypdps{*`6K(|Ao!qV4-UodCE`~d3Y{3xmvg|sZl2uQdcVgn
z<d57F+4ZSw@86ypSAU{r@Y_A~%U3&=_r5@>HrMYm9m`&HV`~@LQGTI&Ac^p{;u#Tb
zNHh<D^l_hE**v@-$qjeAsAN>HC8f+-xP+CtKIw7o)ve_7_1$5Yp?5+H?{_UKov^68
z=HOaV`-HGK^mHM$o))&hzpL9ToX;FqF>U6iKS|{UvSYGoQ%#QvwYay>WB25}EB}YK
z!RvtA>#t}`!h*9bWEcHa{_Gj<it#>@X_Jpl!hCxq7!XQo&VA9E#XR)3Us2FYW_d4a
zWIsJHb$+l9GqxYAu&zb8D#Y!R_oB|cyq;z2)(u_Jx^~0v=UXoPII=b^e}!vT!sZW0
zCNZR+YqsP(8exBsyg1oS;;*<B@_BfncVg$HL_<}}*X)FLTMf<Buy0H5jww;w6V_FS
zE}8Sb`KI^UPi*<V)AJ_=-I`U|7P}&=`^3#3&3EFmvh{0PtGZ%$n)vV5ALcRs9A*;4
zX@-JTWb2>p@9VuhS}@X5S5vy$Z(&=~$lkub&u8r!w9&n1*JlomNLb%AYg<7fxjbV~
z&Bc3=Q|Y3Fz$y3EUQ>PwDTV3l#S3f8{4Vq+j`j+-jr;_^e{b2T(l34F&Ns{Jn-2zc
z%w5^p@MEd&{hNV>3~{AAQD->-ZQpq>$?Hwoxu<2X*9fM^CGBGTQ@(WR<T_=)dr1W|
z=t=G~2PNmMPkwMdfBpEjg)(D`6k6SSGShWpfa2nc<>SXQa8++gsv5fbcQtpXkDp(I
zn!9D0$LE?};=R_osmt0V`8}2_JSzNl5@dAmfj5UEpl1_K=S)jJjY~s4c}Do45z)Q(
z`xSpUQ|BkRwxag!k--tkx#w#is7VoN<~8YAnevzQE7z*6p8K!6%8?U0Gpi<azYb`t
zvM(b$P=ACD`+hYg<NKiSW1UIYPWh1V7|!A`;}CP7RHTmWwf=o;aMC}-_G_aCV|x3_
zMugOTE;Bb*$JcrKUXbs*89<>|Zir6&()nWYi}P2Cs$w4WCQTXsEvE44t~CGdp-ESc
zEOP&mVExKG-f=U{*fl}_WW1)Ce*u2Kdr!;BhId&W%X{aXl;sZV*Wp3DeycpuSlde4
z3CWDAhz~fqmY`9`w%#so=-U^P^fsYIwmyHt^PbCux^$BwEN}~Q+O4u{!{M|qOES-8
z$fxvkcXPTGf60OKkgRRiyI8lRgO|5vmol<uC}Qo;OZUA~Pi~lWFk7w^A{HvTh0xm^
z<Bu`BO2_ppnEp`Sqx4|;#>nn0t*Mu@2OnXlZO*3-&Nwmp?74=T_iH!JWHpA5E{*6m
zrme{D#m5AveBGX@7PYQZ4)1WyURYB0XS?avwPl5jq(q}&c5rO_cT7|JGry|zQ`wgY
z4s+V0Q9onND}s+=q9jJ!Q2#uqz8%FXPO`n2k8J+7qD7VJ8P;8Y{Zp&@dVL#x)bQ^5
z_^vCZfoABYQzt%iNwMj#M1!mc`)camht3FVEr$*8foxv9D=Vd5XFHJ+%l6%`nL=OF
z^6l!!<4e68Qp@Kr`w%+pxV>xO=2~cANOR83N&Wj$RqZD(?i;=opL#TX{o|S)8@zhA
zrp&rExGleBaO`NewL{vGZxi1{T;JE7GpQ}N{p}57gLG>1MytgGQMAt1^Wx6Y6ZllG
z88Iml6Z*QU({e^5M_v6^k^8P;i<R;;3pXN+h?sUK^<Z18PRM(9uwyuDO)CPd8iZS-
zuVU@MP4v?6l{@t7u<0AU^d*-{CzE^?e)6yn4cVzvzWym~?A?6?c4<>&*y&|F^pSOc
z`6T~|8!;F)8&Ruit4m|q<SD1nqrcm0C66@ao9|X^Admf+eev4y10>uC+3~{A`g5m7
zFH0<M!QZ{LvxMD*y18yd@}ePYwK;_8iu~5p`E>k~s~bG{O(DG6xr<81uqr;4xGy6&
zZuMXEG{^pr_qivp^e2iAly6QSlwn^McJWsRDe!&x-a3tL+v+*@B@FQrzthw~@^~cl
z+v7#5)&?lnDmUHgIp(YQ)>3^ez)iIngjrwum`?#0UytUd_k5i@XIcyw{m=O=mh`yV
zFX_4`ujvX)`w8Rq*8vTrGj%lHWF*i1pTuo}?{aD5G7tmK`)#|JyZd_;sba&DM2}1N
zFLVXw2l(nSxZ~8c>2t&60Y2?U8fON6$MSzBsHVv`XN;>MU3~Y=zU!I08skjui~ELL
z><amj<oSGa)$>Is55`oq1T^ETTMi%Y3MpKWb@sp|!OqtKi3J6Iqr5v??Q>Tx9x((Q
z7~I&`(EW)nVY4pA)rA~3mokcO+ln$v#tu~n5O1Y=Jy_-$t&(ppP{{@)ZF&ZRap4B}
zUhLrpQNjTjV)B&$-={C0ee#h0o#5lnn^`dmQnU_Mye?=dZRC}TqWR@g*PZi2*Y-cB
zbAOezzV>W@evjAFvt7&f{WXENrf6s!{^+^ObH?mFb_~zK^KJWCxAEz2S09A2p49ZH
zzh}W-SBL076d%QB`~(Zze3LCpu3f7q^TLZ_XSYzlB!xeYQ}8D>Up9RomSmaz3cZ6m
zVm$B499;ETW=_(w<2HW+uRLgg&%-T?qq0)M^c~;l6n%$vBVM)bY4+3o!MmUT_-(_y
z@n`BSOFS>vg!pNY{jXdS+0vHhr>s}MS0Kk)JYO?X=sx<%S(lHVZ(cU<$@66m$E(_=
zGPoCdo=5hCg_P-7%aqgpY*w@{6e8x_SrKtXMd6mt(A5u2ItA~GQ7(+ZJ<c4~-O2=-
zdCslfb+@78X6n4B^&zvam}tI=_Ltd=us`dT?7pDY)_R`Jo%vC=e%(h?e(!E}dD7sM
zhCyFrxr_cm`8=GGtUI%y@5dr?%#RhHZx1?Ew=<YsJf2Y7YKUoSDH+JhyKvy`)OcJo
zR%E``bS32M1pD>2nh>Vjc=`|VVS4Ga>t83xfRCIQBAKPgZu#?70PacE-wI-zuMtgQ
zoG+T#bX7BOY;)QEd(lS^XN`Vwryzdn&4bh3L2O<<J{MrfpXf5V7T`X=@JUgk^l`D|
zr=2N;J$vt+4X7)x`Lt+tXA^(iRexOC^c90^IwMwfoQr++e*Eu&2i+G}5L3{9Hu>)#
zmvQ=!2ZXDMDqerj$ll71F<Xd>0aS9$9y)n-4$CzFw)P&tJkl*Y2mQv0Gd%!|n{MyF
z<jeHM%*^qE>UAyyHqyZi@1_=o{>Er{oC`~gYe!x61HhQ_a^}6YE(2fze|2Y|BfY@o
zPY8dA2!P(kS0hyaY;t+h_jNkuIyf_rz-(jd!Yc>=i}C;302aB~%{$;<wEW-T|KWUq
zZhNLP3jYhc{=VG2!6oa?hEIABng6eHp=bK4oJaG&d>i(^>j?K%|4-8u_$~h4x2*iw
ze1LI@0C+jq@Ec(J7=ccEe2?Dj=dt@2${l!dRJv1#S6~<B&p&_h_pFPjft8IZ8Zluz
z9F!OPT^}zR;KSqte6r3wBIRcQ0e0Fp5Ey&z%yRsrA?_99f7#{#7eOcc-VWdW2B7mI
zCn7klgbe@fJad8C63q7C|J$za@6bTogTBYZf4jkdy>lKEG1~`5RR1oF{;PmH^cFaR
zW6S=Lzg_IV-uZhqC{xCbk@x?1`v2Op<b$4zE8d|E3!3`7p6vVKx?m~RrQbRqP#d`+
zmk;>8@AlD)EB@Xzw|QLZUvo(p2KU{YwL@6h4~X%R0b8T{AG7~fwv%!wFze2Z9b3}B
zkw{5_a!*n#DSDdxaCVJ<$dg#!!xdYAFB{iV9s@T$>~z!WkadtP6Hd5m{&M>%<K3>s
zPa@Ll{FesEktA{T;^;Z=Gj=@K_6>Ulf<BiE1`qq_HGGZB00SsVGvF^gkc`co|5T>k
z<CAA^^2*Hk))TnDXCNu;-OEMvS%JVaUUm*D1!;RFnDKS#mD6WDegAl3to)S`C%NaG
z%n^n?t^XtF+OW)X>E9yOrUm{z_Q#n2J#4dc*dt}-@Spa}8*p-_g1_K(-`&67Cf$zQ
zIeg~0BSTL1jV~U>cXf69b`X@Gt$W5_C5W<};p68f9-7mSI|eb1RDEuaS24p8S>8MG
zVz}q;)3*4K+kg$*H@+CC`W2a|LpZdG+@a5hEf_P9HuT}f^;7Siok`N`C;#4+fio6w
z<}81^-0SBJ6XTE~>yCBMN1=%!Y2Oo-(MS;>@C*M(Is-`W9B@$c(?NV<`*A%HyGWh!
zDSw|Xm;zUAJ@y|zTO8)*?)!bsf&}0SV4GS7oSdQfbB;WH_=$o5`Qza=M`r!rZJ&pu
z`rRV-9HM9boMzj?<ddmhXC`mprm;qD7+UZ5q;FX3^x+^@8K#5X@~rd-rflZ;96!U)
zdnt>1aFToKpe`=WJM8(5bAJx*e|F8}8^b(jP}^<E$6ToY>|XptQ)wT%{qw-c?Qh~p
zdqdh~^oTpRAWk*?rU7wlBSW@K!_VH9nYp6ns^CmismOB~Q1`)r%g-Gj1KbgYl-jp%
zP65?t%hwOz(>tTF4HlGkEYjU4hvB*@9GptBvu578kPtLMls&qkv`vCbQ`yVC22_uZ
z5AwS3qt?ins)}ldo!Fa$k+u$vJ?%Te3)AEFLO&bC7zObAqn6lXcRYQi8;z2*+o@j4
zr>7sS8^0{)cxIx5KbSCCzc%jP?!&a;f6kj?09)R$Zv3~0;iCq&-OCJ%tx;V_8@cGy
z;`;{{^43o_Y_QZP{HRRvPHY#RiMbjXkh$`Fx8=*^XDeC@##cI@y}$UFKCH7Xw)bsY
zZ)jK3k<!5HRB_3cDVF_JD_;M>`>=7&*@u=IHS$~4ePsRVNt%3NW!~Ae*QFWC&TsFx
zFM4x--?Lp@>+`Blr|Wy$u3Y<kXA;8r=H7@q6(>fO-08mdde@SXmoB_Nwr|FlE0?sj
zn{Uz=HeYnTPVbR@M`z)q{5I9lpWsHcEuY_V=_#Ys?L!wS^9C?rA_!|A1A0W?X<%2A
z__Q?SbDM9@fft4QbA-s}^vOEpuJi!L(~I)QLxYC?qj^WGASyEEE50dw?tJU~c<$Nz
z<C!;Z(h9^2HMRNE@`^P@>X;k3!je6Z<>#hYYxR}3X8wu}5vc-oWXs2aYqoFjx{;8$
zP>vfR7M{y~Mx07@M|?RHeL5KI@r1gF9c`s9U(<KAl^vS0_gxq`^Sxaz!@!yE1sVV2
zs2^Ev<joxSvh2}_d#^sx&adcHXRf<|YO356cx~o{_eV39Eil2~%f{sYs7w3sW}kMd
z1XfvE=961i7S^}2;LF`P;XQMgUb`qhmZDv=0^9d=iFSl^9{<j*lF+ui!<M;h-@Bo)
zCS8>~t7=@F71daD2daO0>+rpd9BT4R*W&7-n-F&z2w|PuLwnvcKCY<mdY*fF{mi`S
zvxoVwjM-T*LsE6sTAyHjv1#3~@gqxhZkdfMwI$KP8&lz-$IB90jNy%=WQW>=uYEnB
zdvkVEQg=zxaQ<Z7U#{0ap1r<$_;h8-+4(Dy%Ckw=emq~X=3{Z;)7oeE3P<j*&+2a4
z@*@o1C+JEXv~37y*F58g6UPTt!FoUIpRKz@qou8;u0-!;MX-tu&wF`;?)Bb<9fQTM
zpV7%!^`WolhwC`NWc7f<_RPB_qWO;rCwvaRzu29<^jJ!rZkhQBcR}l)Uz_68@8W|0
z%x<i+)=#<Sx)Rv(;_{oTeY*a-HPCam3cY&XtlXqbUD1%_b|EtL6z|-~UAx-fUY|rP
zz1#k2eOPT&g)VDVsp*sUP2;Z2MZN8f+uN@0i&j2X!7%=cAsaqEu4?g?iN9&r_E3D}
zZEG{t%ir$yX@tqMs)=6?CT%Xfcsn($msU{f_qpuz1xL01{Ac{Uu+MOQ(}dDE=;(Kq
z;;kdr{*l?&{r0B00k<yabpWaRWmj$Q6!R1>N?(3%&dXhhj;s{Dq4ZGggs`rvvXM)?
zUad^aVQovDPk@6EKjCZ{rSoj|qouh^0^V=hk@)cT)&0)Y_bc~qq^_E9!sYpUKTtU-
z+8KwN-?VnT&GbH*H=5fxeg6mV2a9yblFaT`0qX~Ncm{S~?%q7S@J&SZUay9I)j4~;
z&IYf)P*e3*b8_h*OgpK-cr>=_re<4@|3db0x_XYn6dl^Q>tOz*IBRk1u6?*C6&p?_
zdjt^M+p6!c;E&n3<b31Ss#Gu5{+GBkUBTwqzRqXSd7^c5uQ#p_>lXUdw(s#^W#Iz~
z`Smw?^v@2@KiG~C6eXs4A{IQ62s=owGYa<8K<;Z;o7QT***eV4YbmpF%<q-m#s0N+
zgeW`IaVkBh0fy*4J)F0{oblco{wZU?TBR2E<dqJ&cLrGV=Y*R@=L1%LzV-bHsX~V=
z(x5jTc#GSULrsG}K!rbBYCW*>dY!&uUmc3&dvaXr_2d>m#qNZLmxp_gHq5{I8Bpk1
z7q4e$;nH$#QVOb@I^nutlnj#pdhywF^wOZ0xDf%Ue9P(j@v$peE1EB5Otrrny=Oxs
zEP27$p=n<?%?D-p>^}Gv>YXy?`Ldc+ueO8@OB7?<`e)(21FlasFO{;2-J|!uHt(>c
z2OS&n_|lHVS?`DM+W+m{-6NBJueFl|c5&;s#}yTy*llXU7R&A6#-Y~Br4<`I5!dcl
zwD+_og;9t9Go9_L=twT?Pr9<lOOHSlmC}le)|bKGd+f^18GXfXM$A^<xt~y<17@>*
zH?kM9iU;gFe$X+yeMZyu)*I)gWN=vM+wz3wIZaPA9i)K5_M&w|#`)f_*x=ETb!!wZ
zEtIZF_;Bq*R!XsAY~j{))3)p(J5*t(fB5y#%f&l18Q(JN<3Wb|jr>EM`TWJlAi$wL
zp1xB2_Swx(7v`Lvk)j@@M5fOOx&^$&6Y<>Em?osKYiU<wU%(X<UTlRfxN=9o3rA}9
zdXY2-6GoDhid)TzFF#l+cML0e7(1?EzAJ2y@R9F_9YZ&H_x3Ff-tYvSmvL%rgG{j&
zJ|!lva=S#4f6XhY^Ks^CuQ^f2U$)g~z3=WNT|24-_2ApS{JmbnsZq!`r!PDhx~nLE
z@ANx$wwlY=X8e_Zl-l5r74}wCyesy5))@G4x?*kKWxprprjQ%A-i`c?j6FvC;6Ef^
z*bx|}Ki0m^Z)x+U_m7Vc_Fiwjw4r9{^bb9sESU{+lXI3vEdW}#qC}Uc*k5hO1h1O&
zO>Q|}*W;H8c48m#`Xo)`_|UR?fB(Sr;_=f?ABsa};qzm!tRTi5OPMp^W4C5_vlM{=
zDfq9-rP%!taY<)Q#Wm%rrGrxED^P{icFm7;zr-Q3akrOd>U+Ot^zAo3KzBYlmpE3k
zJ^v_Fvxi;LGDov{gICDziq6`IrP`*Bn=N10J!@<^(OWNmVFH!cm=u5jg)uCz@D1A?
zFHWLZM+Pr_JaB-5uxhW@6Dvro-xKb+9Tn_|8`Zm~zq`{D5db9dd}XpA4lZr;;>*fG
zV92)j{rar|$o^!~EFT4@zGSmIYmE|wo}BrhO6csoQM27wVWI@ywgZ2R47zz303a+V
zo`zulXouj^JQj|6?CA*r&*qK&LB8JT1U$RLS3oA?(xxuPSG;qTTwC>*kE=q#>5E)k
zk#l3~#A$oHV)_Fi382AK@$5(4mdUImOANCfh&xC_`ICnxj|T0W3Df@a*uN!*)h|H!
zasw!-woaJl?5OxVJ1UVS-yf-f^uGxIk-jVQKhh85Kv$#Rf4UkSEhT9=k3z2Bl1*3m
z;s5AdoK(uR8f-N+6={xuwO3-&6s4-%Gf~HB`<`-nz9EID=yO(jWZ~Bx__+4ehfz?&
z+V17gDn1XN^xJnXgA?J<B{SK+VSmqXtNi#XoiX*ptA_R7Pw)OQXMI6N=D>?FLBKi@
zUx{sP+fHl`VMqV2qh0z*{Xs$7zigV~R(KnHUSPqua-W)pf*;R8OTviI)S~Ki#UpP1
zbNqlMI-5A!Uy<Lm@ppLZ{dPP|-cYn|FH(DO25s+{iwOX+4Q%dgonrWVT6MyYx-~zR
zw%u}u<Pd-W_d>-f;8cz{kks4Z0N4#6yM^z6<2Tc3?e+Q_m*l~9U>K$*j#AMvc&crA
zjeZ~B_$Xrhz_;{0u!tjst@!-Z{EIm!9<3prDO>8J_*Ug=8ug!?G!*a#M+QGw-a!hI
zTqnimE>8};-UKW7{&Y$5atMHZ(;99*fI)@t%a2|Iz-B#eK;fmCtl|P|(U5@QsRO`)
z30+d)_&%ul#<y}xc-0huYln0${9eKCf1O&P>zC>oO3iNXC`+2UVQBA{?fGqI4uBIn
z%9BOC__@rQg|EnOE;x1e8u{%3>%q&l2Fg-^e3M-oWjWtoL<UBT-{5sr_jto*T*ZXZ
zq4bphbkzQE(h2>o(-pYzk<WIxZ5j=L<472C<@TE}-=eIP(l@$RZ~d*&$??MZrFV7B
z`NQ1<sQG<0Z+C4M_U!xX{K}3mhnt3ba-3OYL=?L?)#E_5_d?6*ZhzR8H4DQOwKv|0
z5-!}D(YvYiOZrr*BB7-p>qyziLo0q~03W6gaEuV$psYJ7+Y&H0$5xt<9|DVuQu`mk
zjZlWn7EhZi;xF9Qu)HKCV-NMf0`ts;jd>+gC(Z7DKYl3KE9;uCnTeh9j@!foGll9~
zms;nGt0d{P>WyBk#^8P3`soU=OUpmZRsjPzxd|x|04&hk1*Oy>4xm5Cug_v9Yyu`g
z0`K)Q0DAOvM4Dxf*NoG<L;89O`>dd5!e;g~$<{a~>aS<Ex0Ypwg}GxENEP|jlj}Bk
zNfds4SvyW_-_I3n#Z}Ba^)`3mh~!_vCH)O<3!s;Lm<CX@_*<8I-*cW#6D}?O?*j^j
zWS(O8SUqC?{#8Qr{Ms*LJ-zqagjG}OJD*-zy<k#H<wXPnKV7lAxuSyDCOvu#52H&%
zhq8{`dtTg@4XW|<9WPN}2@0@;lW!h%m#oRz9wyG~_M2+BUdQ<2j)=L8w^=<dJe<cs
zx4&4kCVFby7dY(njg-`>Z5yK#%jG}P0j!^qonOZ|t?jy?sar5~9X=-d-?%z33!gb<
z@sE&ci<$MF_e=nFjoAi*s_TJBT{<8;Uidh}*jd(i)_0;JsC!Gew1Y&z9SsBC|1D7B
zGQ`cjB4E|6X&{>UgSwwve&*`Pp)6nCpM6!REc_@R-k-xtC+G#!gDb!ZOq-iFA=6jE
z=`Qsd!aC9!8n@O16T))^R^tJynZK|6(Fo$@!KE+ZCr)giFm^C@`7IEY@tbo$jQ|AH
z^N0z%T>*b0bJ;!vlpK*xy60$3rvl{WQJ?nZ<SCw<42a=1mTbM!deSzEhrxyX{uW?R
z%;1id<7ZHJfBHOi<)!yo3?TJCMf%V3+Z9COF%M_$9`N&ge+JL<7yPGGcNs9*6*uDS
zz@KhBb1cXSkynR_|3d*SJ_}wq+@>`CD$fz%`RUa1slN#X_nFQt@}+ZRsdGfd4!{!4
zt9x+he}?-3;eo^dzrwFOiMzm?dcZm`9nLD)Dl8ie4zKZ*2{i6O9`K#EDhKM}*uP|4
zzYBi%r*^}S&&7)az?{j$-2e;fk{3q<x#eENa3__zxC$(9XWg30%(X6<1P}6L(A?#0
z2b(;$U~lVgP~g3$eEg+66sWp6xjbf?lf)~ZH(?+kSyq7;!A71QhD+Os-r3;9<T(q#
zdnZ@y{yfojwc{-4cmLZ#|2NkxeDE{kCx-&|_FaF|wI(#E6o0X8hkSq&4}H18V^4Ap
zYr0H0`=^<R=Fy16x$l{zACv{y9bGqXFv=TtOx^iyV&I0m9)~)Uq)SWx0!teS#^&P|
zIKc~UL)lLY9(p+7!*oS={f@-2cS8c=+ZoeC=e{4cu5HYn-^8R#a?=oZUuoISalZzv
zcMh0P?!Tj#JSpz@qG|6NLnL(G{~$i1lOOuclO}TpeDDMCd-_VEM4o+3f|~F<4Q>Ql
zoZKBgair7c3r6Rp=Li!=gr)jWj?j4v#m-RRWOIGCxIjIg4f^@Z&K-;EaA}{?-OdM*
z?NuVsUU0tQ(r==t5B~0infHISVzh1*v<h97SGxc9qmT9}PrDT`dkWo_{WS;}*&D3C
z6I1YKLiFW9&`5jF`qxgi6(pZgEb;#A1AaYMv%}IauFFmvihI_CW|g1W@jP(bQt#o_
zU%huE2D~3jIyFoZyN9;t7u_qJ>UP=5RTD{o?)A?N95vt3ly2fjq;20(&6xYg&M_rU
zjdI+R=i)|q&ObJy#RtYMzdZKk<JQA}2FmlYGf55`v+3OxnzSkN(2dQ@isQg~hXH35
zFl%#1h%#5^zj-t}k294ccYf{xTK6Cywf~vz>6cLCT~?VVM##(kX!}vD#ye?`cSFS&
z0bepc{_opCuX}#fKdZi^yyW<<m=}8^hLREZWG_Nlbf*_rzLFF+^Uchm%CVRP;nFoi
zAoc;U$@ziQru2Db)Fr;V?v4pabE-XaM6w2#c46?KL2*I*?yFThXYeOG-W^`>?$DZx
zeZ5`EjHQ-Y_g`$%yrax7$d1@F&Iv6#KW|N{?R>FjRKFyISK8P!Q6Km1I6JFz!cdVn
zCIK@!c_Nsu3<Nppn(ik25k39XlfBFDt1mvnpDA1U1`bxNdhw=eqc<f41YuZ1@v{E?
z`_I{T|4oeO#G?0)gPnfz+#Pf@Cs)M>1!^xvN6ilh)YFw?jLfr*TNcs*;Aly^glLi0
zT{B<nX{$kKpDzmOYP#T>ia+w1eCo-y#pMMEe7fY_fbXQ4`r#ljL;zd+ex03H_ILZ(
z4=T|K?A88ar%y@nKB+l*so5X>X;+pVr|!wx1DAcsEgo5V&&`WWc#%AK>cc;H%TCA+
z+V31dG0NZXcusj1sony5`0AMZivfgn2jBg)1P&2pw&efuX0GT&dHzs9<+-|<{2r1j
zD%H7(#VwQ67q_3i(Wy9KekzzU>Gi7T?)h!iN`&~%=BJ(CKTb-+H)a5`P_e)JJhI^N
zuwSlzXvYAHGRW)ek~2>=NAPJ1z{_31G_grxgV&trf2cK<JsIp>d1sabv*QVE+OCsl
zOD9eQtHktc#-$ZboG`(5s7kd3fP#~nYwu??15#!zj@dG;p#9~h1+RCqFWNqfmUv$~
zR;7v_df)T))Ui+h?Zb3pS5+RLU)fbNE02@Z@pz$gAGUjds;x~O<hAuu^qKox&~GNx
z=}V^gHn0C`oS|#VEBWwXVe7>OlUgrEpJ9+4v)=~F!53A|nvm(=?^Y=HOWb(zv|S(i
zc^!8K!<jD0pvmtGR^)K>bbfDSEc%SAGnCFtKz==7eg3FQmU+gLj>2@cT-P3J`?LE?
z>E4hPm(N~rxwd@Lla8-%KkikYeH6D({gfM)vCMJea(!agp;d}=u>l86J2VB~qe?4n
zN2*lxKfbjVTu$!&H)i<zecGO!oP7I!obltuyfW{;_L3LKzDES_DZx!_Mu-{r88<mR
zOjD&eb;hx!`p$|w6J-PP9$&7}ESwv9VZytYo92%k`cF+M-{N_tL%j0qedPL=7nf~*
zb~_TRBKlHdPiMl0qmIPXN7J0vsu%zeUna40$(#WWz*imDK(=~*8G~54BGd8VMC2x~
z;9bR|!eXMj$>j|Hgz2M_9?tl8zeNMCZAsXlqX(dRMBQK4^KW0i)>;z2Wl=)oCa;B{
zP-pUj-v}<m4P2elmx#RlZAm^b>K&!?)1$?Qk_HrI-C4IIu;(2ita@c{$J@b|D@B`P
z<{HD=00Am~*sH!$H?I5L`iOxwMc*zxTQ+PcN^tDX)D=yKTUWka=m11;%7eVGb?L5M
zKm0RdrVpFj^g1l0qvCkzSXHWGW8WUx!HFxM#|H(;9!yU7xTM}|*9mCcy$MSJ-)4AQ
znVy_`pAp*eY7oQwbWh{fu*5ac<}3AyH&@t0E`2`m4OHWkjz2vwExmVT(982N`}t?_
zCweoBV&_DiZr?NI1^^<5tLFkBf=v072Osp4ZQn>)AHE3$+H)6TS69l`PqD<$6P(Z9
z9^97dfjCVWU!1@D)>dvzZ6oz-nDKK&Ol^av{fzDUfw!`}&Z?|&Z1cu2K(%o$0ivhw
zDBu8>I*CjlGVZ%pzx%d$TwzsSeP8d7?{%$-Ji-+7&X%ih557oP(F1Cx5xuRdO&d$*
zUjCxK_*K=EK7;0UcV!;x-qy!OZ}ao-K0sW*Tot#^hwV3cl;y^N6mMZ(#jAhP_Z4>B
z*ACinw7k6W=eLOk0WZLo5gkvcd{F5eqwU+Z579fSpy%OI-OYj5fKMa&y`#q=cFm6s
zrS5KTyHYr1!x+s!8zwd#^jOQDzH~`j@rrMc2p<6-Jqnll>5JzumzZ4P&E$f)KA-#4
zVMTz=?|e9_aMayVGf%6ZWegk8H2B#-l-)J4y<xri)6K!x-&l8EoO|vDxxD4y)>!KO
z1o&65%6(51mo|?-=jB=H_;@B0l-IWg0wVQ!n(vl`9TEk9`1$xpS<BIPKb|WLojdZg
zczW23y!EKSL7y8(t|*(gFX7d8!s_*5<9O{8$5=Lp{FR6L=XN;j^Lo#*RH|FatZ`+h
zW3Iw-?f>lX57(Ei5B+xd@7Dn>D?MQ^d)4|3@2%)bG~5ulLHsQvv$F8W%h^9ZmEM_h
z`AW^{(V`RNdr8Clf%G}VHMSz3R34VSlu|w7_@~Fip5c#EM}(z4P95wSK;Ik#^T@as
z-`W+HC1e#>Bf6U8tGe!;54+L*dj4R{njW7kOGbJol3zZ1m;1S+*;*X<9<8C}WG8Jm
zk;}i%c1*@33@w?i$X>;52%nU8rzzw|t>@_6?$EeiWoz;1l2E``#Jq{Gh#WJ1&SX&7
zZATOrVN<=WyK`PV>u1!jiyhx|qpM|-2kSJRU;Cw67vqt*`xR_nH*_T+p6LFH_O{EX
zQX6XGix@j|MxRZ1)0BzSE_08)ih^oVsnzG;d7Nm`WM@fyC~Uy~oV>K`v2m+=mYYr~
zj!(pLPD%q<zJa%4nkvH1Rqo>!R*xMzVv|?H^yLlTSd$9p15h<(ZqB>cUaXI$k*LA3
zo_=SjjhP##P?(uThvm4mecBrWWUa24`EeXSnryh9G0%I&yTj{)#CL|P&;K)H*4&RP
zbE?D)-x}%O9^h{yBC}-=_Mf03>o~@@51ve0Ke_x-%Y%aBVJ`u@FzG}614|5bcyrK}
z>;iM?B$n^2h9d8h?(wZzR8eNG%jiU#$Fe&O_n?m&DY2cAxfMm{N`#puL;S~Cn?Ps@
zM|N9I&#9J|hQu5;gasOUIw*>|6?#2y=hDC%q&bTG%D+P(U+Nl4R=3?)LiY$z@Z&a?
z+CDd){1mzWG;W0GL{XV`f)lp;_`JZSef3Ky-W69FeRtW7Zttl{vr>EbSN**M&pe#<
zNk1_E<v~e1W6*+BuN&?!54v=J4eK-J;vXOMGI^}rxZ{K{^x_!WFoR!DdiE*D`)8}a
zM*wS0i()r|rjVN={^E)~t8yLRKTOjX-CF&%4Aic}s)tOfdoHn_4|xCfMh?`{RGEGJ
zwPA7=K9Darp+K5%pEEtZGC<LhTKCsJlsswc)Q|<1!B_I{m06Il8&G#%Zu#6;qO3YE
z4UbsR2on|0+!0E>>kGab^WPD1EG4$MI5p(J%gc1nL3x}2?8=c&SLg$-@OfwUiCt&o
z$7X&_>_GN5017^8-O)MKkB2R38NF<deCUlO*e{!6yG8LKCt~e22U-s%=ATZTpZIxG
zXXmrRsblVZ$=IDgZ|NDpB9@Qkv5U|BG5Yz*({2dF{yx<YFN*q)i~PvTD;nM;Y?su8
zf+KJce9L8phuXiq5(-AoFjbcJqlEPr-QSCFQZH+c>$D(^Zrh&Q@n+x0!C~#mZB;Vw
zrIsowEcxaT-*bO{*=VVj2Q1a!9$T%s-n=?kop2#mS9TtHI&2B!hOVJ#@qkO;>vuKi
z0B{=Av*dC)aHu)Tvd~O`L<0Z(gbnHW_83$6^x!4H-&1w^C8MjYCDQat=*OpL9>dEP
zd0u>-G!8#Wdc09;JY7)R(WWi=r?*+As7%{dB~Jn^z@P&wzx;Fa>Yehmo4u_`Z@wB6
z_-zN2&%Pr;zwU6`%fJx|MRt4nm@ej<LR+82qbvK&3869dHZqt|U7vWmL1rHwy3_5=
ztgsfh`EPY*Xt(H9gKBhPXiA|Jq}~Qas+7ep9@{&-MBL`nJgL6@4y2(Z=JkgyCN|r5
z6l)FtWTofir%uES={G}BdF1YuL4yXZJ{0oN^l9e3hKuB+fYBKn<K;Wr-ZGLp*{@mx
z^iOW~_)iOT%bhef>4)c!@QMD4%Ji{Ux>CJ;ZZ%hWOwFWpe6yO~a}pMvqdd}NH{Hnr
zh;00l>K^8@gt31vJ=u3$$1Dd?^i5si2}@o3M7Ld+K;odHa$B!?&d6Hp-u1k<`)$}L
z&5fR>EzTrI^sxg#mLlDh|2lwP(O&G`>+UvVMt0>E{M!SvQE_9hc1ud<U7370D9@+%
z)*$OwZS&p{XV2ts-f6K!7Y2_DAXgSH4V!UtZA4m$chVwv^SwY%Xm{g*-ID1klQO2f
zUF++)dh(`GN$thSIl|R>V~O-@6@ys5w=<4au7~wSbOl_f3;;B>j-^jJv96H4q&6@>
zuP30`#ot?T9>|y^+4h{H0hXABtRv}5XMDL<$5=3SaN5R_m_eIrNVhHMyea%z&0Ni#
z+Mw&1ucj&7DPvcxE?(fQ`sfv?#pRytW7HuB-M*Y0=eoj6oxI*}n5yqg^bv88-JLjF
z!LQc~oXptuhPDgvxj8*0pd~33c=lGlR7mshxo6yVABX6sdi<yY%%jIFMSIrj)ax^t
zsD)rL-h<xo!y5AZ^B#xY2`fC1)6jXLkhb`Iz%kAKvjsWBck9l01YG3D-P^LTWw%W>
zN1=H2xjE~8ztKKzv$nxEYKG=<9)+w;0QFAY5dN_{CK58KVOZ?LA2)s!T>F|++uqmP
z+81iuA^IWS@rJ8eHGHPA9|+kw`^=smF~`=H4vn{dZGM)Y+t&Sh+KiR?qJs@b11&0k
zliMb*#3*b4tMNx+U%^2@%?c6N7!1o35!3Jh^sO|cEmiO557XZ}oudGao%v%vZ1U>$
zn5ZnB_t*{^o+(wWo%)ib@26s)Y#cjhwf|xg3~*ntKE<Qud2a4qV@kc(T~6VjeAsdm
zkYz6YZhlEWN4!?Fu}g4f$g(HXKmBoTr9Y9BVY=ZrIcDCEH?X~a2n01d_vrA;**E83
zey_Pvj6iftJuZ*ARaWr{J{@!sk51NKPd0fV_Pf6vHnJ{G0WPy}<5tX{YcZvtXn;kA
z{<vB;VqQdQ^i$7Er>GuVSmOb29vC~{Yu-p#QRd6`tWUeZh6CCP#Quu?t5Ur%qoJqZ
zQ01<kblx9smC>B9XFB-h`)8-6<-H0AC0m2$MRTjpwRFv>P}@v)@sn&wUh&!?r$!62
zQl3=kY6?4%O^GzO!ec21TF=iseJte^RER)!Z%)x2OR18TLY-Zx(a$P~fZna@0Mzla
zsIKB6a|4Z8Z18G>P^@b_fYQH&u!`R*O0IT#ojsOP@FQ<)f+~lZqt{gh9IzxFK86pi
zpC3JMI8eVRKdU_js9#UuJJsLkvd3%ek1)pg*)1<7r)0!+q^7z#)AP2mXWNe#G|az>
zdb{8F?Nn^fY{L&v5HynH>k8*=^kl`vCT@RZ$x2C`-7+~K3y^A0<M!4uz$e6dOK0Qx
zqLXc3tn$>^V?MMdzBGQf^78!sFJC8JuUpbx$52&~ViLA|I=VJzdvV658Jlpcz~`*?
zBQGukt!gp5LHDQPpbG*qJ8?+v$RHi$Ngq4rE%3rI_uIZbwA@~_LP1Pj2s$dM2avU<
zH-+)MNcIs}hOM{%v|V>Ip&`!7ZNd;&PsD7lYpog+r|c|VarO8>DT4rje%EsEj!&0m
z@|q9NK69Ez{ykWJXYNgsWi05RG;+Ql0sl{?QRo!8WoBDm`(Hz+w}Rf|P;ElBri*hb
z+ysbfB_QUfp1)iF;Yq>!>RjraEAv*`CTNshf1cyiz}hy$AGqy0-)TAi{@K?1n+5Zi
z-KeY4TvzAbs@@f9fe#X$SZ3QC>a6rkjK6Sc_u3S#&o?(cxc6oK<MD{|7jmuh@~(8c
zD_3`p$yi#x*K5|^R}Vd${{iUm<1AWS@1{59<|gqd^wgy8&&xaZZbGZjdwS}ZwOzeE
z3asq<<!Z&L7a<EDJehZ4dSP4ct%4^0imP9n>n$zHa|OXo1v!ll{U1@73dpp^*BP-R
z6=*@i=KH}lbD;}FC;t5}M~my-cIS-l9z@yeaDFxOsd!ZDRcPB9dDy3|p`Gy$o%NPS
z_qLi*+d?L`e=O`(R_$FmY(TB&$P6?nv34Iq9b9oz`0-&`XqPHNs^G66cqjZH#@;)g
z>+b&_f005qAtTu%TV}FHL`uWnd+(7=A-jx_ot3gTAu=nXWRGmJ$(HeZJat{~&*$?U
zx8L`_tIO;4Jm-1N<DBz2kNbF4*!a}hT0j0OFo+>xLw1uIx-K<Q^j!aFnp|dm95^>+
z=ss${zIB%->=>TkTbWCX7xpSd>F<}P$-H!dD{1Evse%^ATcPLjhrHjqeTe(q&G=m~
zGUYF7kc!78QNDEK+S0FQf6yVWlHzdpC<_C3nd|6Y>-fE^UMr;^qfC%n)r(0YCN){p
zXTi^L%tII><uZ+EI!#Jy+FM_RbANcuN+t?arDxMuBrZ5Bd{qe_Rx8xXVSA8^!P^_d
zq!e7Hq*E|A%^d!f<3Y>wj?8JHgs)T1UCnk9EzFBTDH_+<*rI?<NBd0z+4k@D3Ps&m
z%9G^(HP?B}y54wt5>R3&;R5BD+z-dA_LydgSex#Cd+q_B3?(eW$v7!@vn-!HO<nL^
z87FYi=qsr@+E(0?u`~)gm2D%SoQ_Y|@!9Fus&$%safK_jZ`kXn#{%B)Y?RX0Lt6He
z_O&#xwbJ>M&w}!w-i;Gi$w0zr`AEYz#;AsxQU;3nd<no6J{y~<H^++QEF8Y23E}Ev
zy`(JuLleG0udbWgJ339SdBI4=`;qS2yklwX@Khl7U>fIKq_*$$-f|h84(<XDldp}S
zWpB3s)5yVAobryg+q({5P4o6C=<Poom@&Kk(G*l{oNB$VsCdS#3pgQi$ZQvkQA?z#
z@-0u^3D(5>cuG_*IQ~3qxNi-!+f*@e(m>(`T#4G}_&7(faecp-$K`ES7W>?(n(_A<
znGELxmck&9*B{MiEsr%OdG?cNElt(LuNjJB?69Q-=S8Ed1rY#JVVcqjS^k&4(!2Y)
z!k_v2^H%Vyy@5u?CEEOI$vpP`o;Oj8Y0V8oTAjOH&r?U*=(*+{GoN}j&30(R!K=@>
zc~xAqVD50&m_^8}`esL)eSCvaX_9rZ?$|)#xMe~Hq0%EW8WUPLDBG|>l@aU_o9!pO
z*-GLHImx!m&~DZOd9xE+lvyCBgrj8=ybn1W<o3^R{{D0?{u!_;eh3xbtv+J9-B*HY
z?p4vHo$^g7%*cc6zv1|jfXa<U#&NjTn*D54xRLV)pHt8L;pyF}SiUgIDxU(*gCr5>
zT$=;+81<i`*)@g6NWr2h<rxiVj?KETS|9mQjWAa2&Rmv_^u5=Ub9cURSK~pO_>>m8
zA`ne-$ht2zCR)S@>J%9IX&({kRV|NHuJpT=hFn?TPIu*fo~~#(Oae4839_w(kbUDy
zEwZ(M*oLcIzDv{M`jVx}57Z09xYR&ltp!QswFHq+d89&UqS8bz;Pzts-A;+YNAx?%
zf}C63nUuH^wiXF*r?~H6zoCEcT6jY6rtyzr%Jfy=cRanYr-x7yNF0^mi|-pe^SY(j
z={c=@<1I!2-#{O0Y+mVS=H$5P8&Z9&LCHK$vl#c`4U{8+|1dSjtP<fce@JlWJ*mKS
zeBk~o0=2w8zb2zj(J?+f^#@(?UfHCWW5Ue@_L&z`MoN8|LysGE=L<G3OZe8ub7~7#
zXe;Uz#1E|TXI?1n`_!mY0o|9(P{;6AZ8@y}wxqoZ71Kf{rFed%?liUvxyx>gX^@1j
zErE9DFK{b>BRQz_Mt>g<QS03fmyXc~sJ(NIcH{32Qs0Q>l(5i^0|%ozZxd=o);(f-
zefh-~4&z=LHFCJK^h)JmZEN+_z<uPYKpze{7w!jV=DZOvI8SAo`Wwi*3rdu+*lWy#
z_BfPgfW8-RTjxG(nqc|kj!-|~<fdr#4azGOECDB-mFArlYYlsPXWTiTVMnrW?*-O?
zRTx`TGkp;XWNrbrg6cQ7x~_i|QHvPl<54bfu+?hZJ-K?af!StiHI(F8?l@NCC}S+P
zTJa+|%Kcb-Le0M?jJB@I)A6I~gDmp6#VlG3C|Gq|aqn~P5qslywvg=hNE&H^^d*`j
z2cMhU4BKdIhfMcEKGAuh_T+F`XsBCUrEkMHtzuddZXgogWu`4fdcloHj5-fmG!j2e
z#b?#5j5|o}<!NvhjsrDDgQK#8#;XD*#mtef^r6&;Jiz%7>_ifFyBS~lMSB9#l@f!!
z2)+6v7r8o-QfW2cJGj-!A?Zby63SH^ZF=tGu7ls~n0HSB;yg0tTI=XN&KvD!A2=az
z+;5vSYrkkZ92vSA7UQ-@QmvDFwezmcUJ^k5O*}^rds#fEBo6b)0`#~gc%uz=milFy
z{e4b3w7XhEtABbbEu{PTmK3z28<L>mi_E@|%y7sI_DNWs<CZ8DTs5WlUv)E?en!HS
zQk{Y_JQY%HE~_1L94M|d6dXF5sWv~Y5^ULhb>~E*Kur6c*^{t_=FYn*c|`q<4d&BD
z*zdLNYIEQY*=*1iLfL;<#G52dq;Tm^;Ii=$R<jaAvuNdk0Lxg24^i`y^-w4GB}zGF
z4y(XFu0cOWO|4qnZccd``VJJZ?^{Y2jRtfNlans&m#U3*GoQqyY!qEvGfZd;uv^yl
ztBt&xpHn${`A|-4rbrTS0v{pX3kW203tcs{{T5vK$b^!=7XDGyZ>bhOYFY6cAo!TU
z@KyZk<bW?eE^hsI8^JfX5BJ2AW%oe8OrY9=O}JZ)ea`nQHVdnUf3j>}iJ&qD4_ecc
zxtbA*wd2pRESSS|9~6uzC{8*9$@07HZ4c3(O}J^eY)V+OSjq03_9}7X?U*kd9`7y1
z7#%1UEBv@Cg~bRJJMmTSPc=NoFC=?&SX%Gv@F6w#FSlr6dsJN+wcw|*uGC7t;@rji
z9srX=K0evV*&)vJr%<eanDzbfn|>>w`@Ii7_slC`0Y}|8gi@sy3kUB6&qqtOB|dAP
zyE>w+fxJ4UjZXq0FB^8MuTWR>x034~3EFu566VcG%_Dm0@f)~|=gr=C;mYEDcun{V
zJD|1nZZFG;SZR{V4dRe5C80M$HQq7Y#y>*?6wn<rgDL(90n$SNFjFZI3j3i1l@0ks
z<%_3z<*M8t_A^yP<}PvS)oZ|qtdqXZ8^)yNU5^bZeQ+$%cK-Ww*vYygKp3V*-N*U8
zWU3a#mG;{5M$@vuZ|(S|(pRD!iiF@$%w>rO3>?jgJl}0|<>T_Ca^=Ht;$=jEY_u$E
zvA@tNzWDgjv<1{1Yoetfw-sQ9@A7ce0g!c2sAgTQnk8R3-<>)tyj)Oj6_KwY(+F_Q
zYHmJK>u+yrYC5$OOzu!RG%YRQ2oxx{ai0Xa`9(w3fJoTGzQ4^4CLO52y&&2h)~Q*D
ztKWw;*u=Bh(m%Hm9>h#4@Dr#Rh60?RbStne{~St(u-*Ex;4%@=$T-IrdBEM!=tgz<
za!ui|%?VTKUC+m+qAkyJC?ngs0SUrxy>GfjzY8pQR~A5*c*LttCwF3UNBs&eHj=KE
zOJ~*}$~0XJ7>TuD9}(CuyB+vO$+K93jP!##<iA`?3%^Os%|NcU`-+6sW-uBEWVafD
zLiQvAS6%r>ROrYtWBqpP)0u&zf4Klr5P~(kV^P;`(Ri4YaAuNT5};$c1~sOMDL08>
zfI?iG&@eGt!q_iSf+RFJbo98@&81XAZSuMFYc?(ud{@95-`A0a_`IJ{ODYe^xjl0Y
z7eRZ!MN1N^wg@=Q!e9=<G)L{W|MXhF@^H8MOJ7w#ZLv4@5MJaev9T!IO#t<z%mE>L
zsg~~=knOd#+OS<n()Y%}uvjkgQf~k6Z+SNu8c<TNzv<muQ@jcoUyHX%*7utFeydg4
zmFs*j<b*}9#Zv+xRyl0r`%>c_7ELpt!zlD|L@!xG({0C3xd6x&_HKJSm3@H>f!IUL
zD=sf~C;a?Y%R0HnHJdf52uoads<{6&2jT1h-nj&btGiKqm|FhM9mPR^P9lKoWfM=f
zfckN%#OX#~RfNFzp$47k-jw&@He{+<2^G$(;RoDQ^{wK=4l5q)t@p)lsXRj#tEWl^
zm1+ycfrnz%+6Kvo{;IU`i}S-OsH$C`u0-B|jgR?aXe1m1MY{R@`RdjOzvm8jiv7m5
z>fCIHBqXBw^?L~>Uxfij;i67M(c9=|e*9HBU>eXgcUQB|H`*M?w~GV9XnEYGe<b&G
zh(&wIQX8k^zS`)gs%88JKr5ciouL)yS$JSB@K$@6?!<08Dn4Mc)!yJu_*_58#2LSR
zU6DZPQ1?{?_lrU#o5Cd#fLvan;%WE(=1gSz<6>W2Ac`1l-6(b<F*xb$@M{%6aQK?_
z2teGtUIf?*KqvYn-G@bBp2Dc@WhJri$83qCNJVPVWfnGyouy#rL%V3Jc*@JFS5I&0
z8jagZhD;4IHuTtWbi0a6@9EnW6m41JZ{H4^LGE}DLnLW3<ta8Q3cAfGaNFen{W$G6
z8IXO51>X6~P2h1tcWo$L!1S6O#OM6yiM02`;3NH8Yz&Cm#63$OSG{!Oeu`W*kYomA
zd!T^IZf^T{hFyNMhrb{1qK^L~Pz#s_f(C08cL~N>2Z<4}9V%4jHo{BKai=>6oqo><
za0*imWqNR)s`0{g7v!m?jNrN;Uu@{Cg<f8N#eP0p?9~jC{KX+|5TU7qEI)|;i(Zo<
z3aySi&J;Ki(dKa{G?tK|6Ml+<54v$I_d>ly_vTk&<jW5cmj^lO&pac<w0R5Ypi*19
z4RBde+Pd!;JfM6=`D|c*oeOv$MoBhXiu;;?TqpfKW8ON+<M*%t4-sMCIu~my8j#<d
zDJ~!{nJ0vNc>Ojd=UYwty+N~WjGanHfphR_X@p6_*bBF21*M3y&P!$#V=P^>I#TKV
z8RI*le(3U(9sS|yI;rI$bR|q49&SOy_CYL!vTcuu>`b%ce=DOXvmGE$-CkoIyt5(x
zJL)nBedzMp6aeiE9;$QAGA_F~{)_hIe<gJ&jNib7jONzYdWK9^Km>N*qrUyb>^dgf
zbl$s3|22cA%rMqw>u|4uPf-%*<>wg|okVA|FzP;#X}oUopI{-B19y*Q0GwdXZp&qK
zXSNr`_;M{e$Ix7RImiQJ4*wtN(Jb8g7_JsoTs(^p5u&{EJVOP7=xrHA@)xDiKS<Rg
z%-){p<4PEuhb_$u2nG%2db>140$<joR*<gVyN>QkF3>d|U%Dxv=*PCmr6>`*otZ7f
zC}8a-_RzKFA2QOrrzSc`lk`AFa@5R5-ZlPm$64S>>H`_+h}@T*=8yuG<|^Z252G&c
zV}>zxmhU3as6fCTQ{l^s`@Q!Sdv0s-?5`J5&B<cLfl5+7H02TD10sQo(^y?+uM=Pb
zBOT*7o#zDfTkh&pd8_03n5vf*$&5;E68C}5%@x1Bq(HUcjddvnBJSgrhmu=_0vCT>
zQa&?h33v>lsdL4ZR`Q-cCifev8Fi*q_QjBox-WWDzkVlVB>;Tn_x?N9czUZ#Z6rfT
zPKrVgg(bz<+$zPy0^f4NoHzNf>b-qOu};BL^o_U$8Tv6u<_7Hv;)?x%^mTw6j>L9f
z5_G<BTtE5agX2cQA{DW3>$eY|W-HxK|BOw@iV4j)?Y~t}gJwQcohklM=vQEnTx46(
zAWI9v)-as3R~pH0Ha4+92DKMir!wJx8E6^nFb0Qf=(zBQLj?m8#nbfc)BNXx-_9iT
z^q?tZjS(t2e-;2YAl`q4gq(v=3M1K9SM*cg<mJ1Gyp<v}$H>&?coru2uwYz*9L~wZ
zAAA@kQ4_cJT|mWmDGKFmG^O)I>g+?`qEML^1~DNb+|e;MTpQ6ZOJLAWk{GDWdj6f8
z`$*F->v*b^kaa|?b4P{2zc@6@`iAm+W6}*@j21H$YP6dw$k_?R7(^f`=Ips5_79)(
z$Dg&u(n$=gNt`v>E-E4zBBH7MxzAmpl`f)B5k~7hJ?P}z&Xsr;n27Y0M^~a!=oXz6
zuQTbge?Grqu6P)nU3@!98<Q}ilnfTT)zmx@UW|w%D19l;#^Ue}6h9_tGEVhCtG0fA
z?)P?SQ1<DIzPN2a#>kfy^1Xhs{I`3bF*fL?O&PFZi~!qk27OW1U!;_TPW<npm4;5U
zR(SDnF`#4YPy`g*yFRFp#P#`!$Ej&&oJQtDx?9&T@t!&ofsigGF_5?eh7+cf4u<*?
zQ0rdu!YLaOpq3#*a$QYvq>HLkG^RZ^M-^?I4<jA5b#+jN7`-d>FVzQP=n_I4q#J*t
zN<jjIxOPeQUY-5VjGC0BjvOtQVS9RxL(hgb-<q8b9xKQMU4#uG>)u+^Ww_Kn!#HAz
zHL=_#yr~OFPY`2MiiSe9!KJee!3E(2hZ3g4+I+-paF_Y+)iJyvEy_o`{Kl{g#Sj{(
zC`*T)(TXH9?m?(soWqX@ketJch^>gtmPpt(e;OnrbnP3fP_#=)_W78f><Hm(V7Ek9
z>tDv%)m(V-7VJwtMM_J>ncbm^tLAIU|2h2Nt%6cM-=n>ULTA=f{`a^>CBHLjUXCGC
zI((J=46`ljT|}g#WQGk!;_{an-udp|`xljvh2?_0B)d%t&^80Hy!CpqW5lN#CEQjt
z?j-Rm0=(W=<2b_)v<}<)&Gx2c$;tl<v&{VXj9G?ah3)4$dY7x1OzH=Q`R?s5VMNR;
zNeWB;;m7cZ*CfC`b*Jw;UN9%X#qF{XOdi!B`QLeEiyut8spTg@?be$q7hd5oC4Ic#
zAz|kOJcf@);}-mCkek`xF00(ArzJ%6wO<7s-Lk$5!}aA($-Ll*Mb?11_|~fn&bopQ
zTQ+U!qF22)q+V?p76aesCGdT?oXyj=EfG4tq&;+OJNSCTb^<7dt8`hk-OLuAF#r)@
z4!BoKrWWfBdjs2xKU~KgJ1n<<eIMSDR*J?LDAay4YTu~4HUITTd5<_1^$!bvJ<Cch
za)tNgHiR3nVMnew85B`bG)kv_9n)lWHvp~~DxeG6G6{|ezNieMd(j0AqFRJr#{A#u
zWkr};x8?pPy-dj7;Z_1YsrVfMX8i6r*n{1LUoD?y&WWN*|H+&o25!kx-$R3CG%V~`
z{qYd5&K_uW?+=&qfnH{A`h%}9BC!dO_<V}%W)%a)`V*iXZL|Rj-OOwPgI(f<FL3yC
zH(<K|uk5mqItesJn%yO}TmO??X1K-?ey$XuCHk9k$e^JMz!4zf#B%x-lJ|2k#w&eq
zAGkuf#S$vRS3L47Ua$oq%BVLfPGMx+dN#{#gZ#;NlwNz#|4^|gfT%p}^@ynDx>9_b
z8b%CTh!0fO8SSuGtX7UF@lrE<O}c+pf48_fU{xt7I-h9l0_Bv50)g)C)Fz;}=K~e$
z$C6F`535RXw#Bz&qB&19VYg9QqnLj`TX4;T(b=47{7VLM{=>$f7Z6L4nRhaAEVmI2
zmpZWqxWH|)q&?2GtDTEq)Bdv2m7wpdS#I7l;5w-LrVz^g8l7sAKisfu=aZ}}fa;U8
z)^Gm@1gz9c9Tzjwe0GNsp{na=ri5Ra;as=J-MH@xFJ{NOEEiU5!TkXS<6XAjy6Nfm
zqsx#DeAe0g5ATfrtLtawg**=Inp)?+Jk@-dmqr3-^LQ6a93(i!;r)M4-OdLmvVi|0
zk0lr>YlcyNF!<deaiU7D;}F2rc=Q`DFfQ|n$k9fNY1;<lF_dJ&tXSNnG9Z%?8YK1C
zG`(Z6R#0F~aT#`fRrI&Ak)-TuM_s}NT9sB7k-Lz#ud)%YlcszO#3m8f`)-|RICpDO
zS~0<QJL{^g`03HsIc=L#IbX3H8<CW^n|%-NS~ec<{#dJ9FM5i9L&18m2#-%-Wv+~U
zWdbUw*}LQJ`n6l2`lT|_tLZ_MCN@fceq}vhdXRn?H{bOt%O2=rQfBQ5jYo5nKFc%y
z=kUMjpYG^mc8qieUh=9veM7Bc_Y7JX9Wj0`rqvnGSzi0|z7khw;dRPjNe^rc=W%?|
zm2X;QCW=`K&bl7a@uN=3qAYjQ#*V()`(AGv)3nn!5`#A-K;CpA&C5;=c&54p{QVSj
zAc#E%RKxXXI4gREcJa}&^~WdYlLT$Gp1;2{aOZL8Cm;Y80@dlK-Q+o<7Cpf8@i}+P
za_E`8Q+y8>-va~j>E24pR<|fOAw6hs?t=`PPk3QxQ2(ly(=-&coV$f*A||hU`JEgc
z$TWX0&@AWoIdoaA-|GH+;af`<4JfCtcyD|x>bSzhxoo)Say}rFgmqg--R1G4s^_)k
zUw)d}z{K|>+vV3Rq8ZD-0`DFXfy>uqx}uuy#GJg&v+nd!H3n6T4EodlZ#<jL7?>n{
z$`&P!oT4+pmc+(*j&LQf9)5e~GXKhaX>{VmjaIhCIVOzK?Spoh5qd|x$JUdAC_Agi
zCJSZz@ne*Zil_98aeCW|R|#3M1EhOgnG7{FufGyyU)H*C0j?Dhu(`BRQwo3@i&9u*
zl+KR9GDyJki4;*efw$^R^eq|+wafe*RzopFr>>*6)t1E#yOe4c{Dpaj${_J<I!Dm=
zd#>~8e0bG%>(%njvK)b@#n>@wW?rAaQDWRy%-C?&WqYgk$zs0yqDbs(IOtw7zkqU8
z5~Y3pru;pbr|KRs8YO=ezvS=SRGbiA%F7Clx5~aLvDXr7W|ab(`hdqoWM-LGPBn9k
zit*_+D^XX0@%T|A{QY*Tdmv{uP~5y$3jJbS9<8ZlKFuUF*o%F9_mXcB`xm)~=AwzB
z%PT(ZK)Z<xk_1NxU`e|G@o@=i#`wYr;R}&L34%nX%)!!n0m#O0YMmFBfbumuS)&)#
zKj5Wx#Xt70cx_=rU*9(lMKzrElM>uFTh$wEiVs!~t1fQHc^_m34x4KdS9N9U-oX>?
z=>J(V$8Zu~GHzluWXC$N-Wp0$_fxzo!NzuvGC7@*Grq!}`%iB12iU*DJM{N!xw>71
zPHW~|r)I_$xE`#+;)_gqbL1&)cc8PcGgvkHWu&_n2)sf(U&Gk7zt3(6j(X@EuU74J
zzn7Tr{zpXt{QYcVftX7dU7rM#<~p~XU!DI0^55dPk|~`{2oN=OUDrqV931Lat2%$m
z*lNl4DMTb^i1S{He7QZ))Z`Bbp1KAd9~7;ra#zjDY=+A++JhPpfO#<#n`o6!z-G*j
z4eC6zKq<x<aSD>woqu+I4~|Hm*9mFDgUOdgJ-00clJ9s~D=AvX=#x=v8o^HZy_>yF
zXD~8vN)|i+>g@Wr3LqL9HV1!wdcvh@rx#AFe3T@smi0+5HSp!l#_J821QJEJwi#`a
zE6}H4$@xtAIR7a=Dx{=rASz3O-u;gPe#AW8#|4W0pR3gB5qy9Op=mSkclCH8-Ud%D
z*?ZMG3y!<|pfzr;w0`mhc-(AW^iy_rCmpBzR}bff8sDb6jVN9>@5VhW!HogUjV)`-
z>r^p_>LfBQoy!I3&qvVcZ})B3?sU9x@iwa?rQuf_h#xKdxKiS%0~9ELo2r8!?;D4{
z=g{z#h9cwQG)nQV@+&@5)*si}YAbK_p&yofQguNIx{n-PJFirBQuu4vNS_%t`%K<l
zo1$_m2X<wfV)-m0lj|A*hMm;q6Z;OqPknrkHajpow5bhv{ju>?G<c>4rm6E6NM61*
zTzGaqf>pKIR?hZVqrlj<l7zjP-YyQ*(9_K`Wj4Yr_!DrDwX~CV<2q8%DOUenlXJsz
zHfMGwibV41Pmz+jnZYF7%y-kM>&}}9$F|sQs~78CF>xG9a{EKaAKhX%a%Z21uDQ1^
zRl{(YkU3?jGi<w(L}10+>%O5;;Lg_m%yY~q{tY^AZSmT66dW&0nW)Kb2Ch0*wQ;6m
z0|Dg}P=Mv84~{eK=U25yRcEeK9oZ1*UoMl5WS&p_WEgaEv>Rgv!ZWC}BuXiZ)F0sJ
z?>_;e%zBP+q29CiP2;xM+VS5{k0(wWKAaw}C)ZY)+3IPow09H11u3L`u)MZg|Ikbm
z-;lRSAHB@vbIc@NSe<IM-)JYsvkk{TtJUdgKoB!<XW4U_Zaew2J|XzDE6Q10^-rD1
zaBno&8+`UkZJ%3l?Zl`aHlxxUXXwmz-o1hL$t|}`J*KeQt8^@=)>+n>@XVL!Q>x@O
z)vO1vzd6Xu$L+ZNu)j;8Tu`!ttB>&*SXNISD5Ew;FNRYVjXU@O%vN%5a_R1V$E(Li
zMo&A*Hdp^l5%>w4+)ZI=208SDHrWUO8!Z$nLMhWj*-knoI%M%C#PvVH<@D$nk;C5B
zk9G<2k!U>GDQ1xfXHb%wWY<5qO-rbBL!TI*D`-&OhH*=uzd7xz>q+E$cD@xH^40kJ
zi8Y3rm)7PdX!-)H^P-3a#(-z}d}q;KZq?2Cw_HMAYSxi%S~GpHsc~y$rxC>|{A5wW
zmFbo3>ys-DjN0~l(tQSN)SEYDL0=1wC`>Ov?#K0@#ct?0*+t&~$S-kTodp)vCT*OH
zJbbC~=>XP}qna~=wFjmZ>X>LghyjCS<9UTPmodHK*nY%kJfSh3zDTO9^XMv<N^PR;
zWbrNrmHkl+(`2kcE2B@^z4TnY5=$eJaEnvUIe%^tKg)10)<RM&d3mHC<&;}%$_&Jg
z)sh>MyS1Dh`@IPt_#YCAgywx`d(fgkJ#FLADIPQMC4^XjgQ~@^)^XU0s=6hPlyOH6
zk3{BZYfR*$tbmtWiA`Hzc+HdU213|FtOd;ZG$6YS#JC?ysdzD{o%DQV^6qn=72~oT
zGT6(e?GAma*4lrj$?j(crwbT%{5h^55%B)rwBBLkwhP7_({7BLqg!%R)}!Q}&95j!
zD4CATUJlNti8XL=Xa3ge{?U#|)vmLAE3YlmH8iT838B)hp^+a^#<OO52b7`pGF}_D
z{88R7+=q)+7{g9+8w;x2S+aQgH5)yf=dl4B2p53R$qb?FN`2*bYJqsvO6FqlkweQ8
znk5EOC9N%bYAwyHQN%@tAn^?hdf{*fPrbbPXZ6*G>Ou@4EiZa&Xe+FJ+!dCcDgRjH
zcFZPNN3i=^t!t)6bMOh|y^UUU&s~b#u}Sslmm+iYF2Lc=R4;jZ7sFF<Fi0-4<gx*M
zU>n!&9>epSd=F=TthSmoKQ;9~Gz#kf8S?I}A;*lHgriSj!jmBpU(P6CHU7{IrCe<{
z^^rHV3Y5d6%Hq7@cD^^9-ipV4cTxLxH4;a}#GiEfN_<mG4C^9>Iwz)DPbTcDqievL
zjcTk6-|rStW8uHZL+~mHE)POUX?8{(l<uw^+rjzbttwhsGp?K2zHrh1Cy*LHt}(0i
zj}4S1t*VXRgy`I9S!2O2cEeYarcJnl*8H}6YTC_Aqb4!!y5O}tBNId!<F$$xsKwhG
z(GI%ZKm6E<FFYZ+m2m&3WvZ9ZZm!6)izk*Ajy7%BvwVYcyy5R&O|278_n4ok&{na3
zK@d=b;kS)D??#VJpay@qVlE+Ca4&CJqCP96u_a93yRUjMl>PLm=d^&^@1QeUG=IOt
zedM_Hsye9nNvy~0xCI4CY;1}uBBFueFyWaze)rl57?z)n3!ws&mCLnDNf{FOi|5ez
z1P)OR^}11K=dNT)gVR`%gk|u8L{LP2f&FT&<mk!jU{2`m9DK}AjtjY^Kdy`xS?DM2
zhE>hwb9zvTc~&HS&BZfT`jP%4;+ZksJzn%zJ+7oPEe;p3dEA}YknNsT9N>WIKNhWI
z_gP(9v6cs#9>nBo&3^;=xp-!22WbjUII-K<d2$`v&Z;u>oL!f0H|!F1I8AT}+?2;^
zncZwY9L!72#~wQdZRotKwB@uIz8t^f0*T*wwn11v1r5OV5iaR8O%6;C(Yk8)2Hk7P
z;x4-_RsXv0UfstZx0IOn(tCqJ?*<9JR*i$9L9D6mFv-Zq`#*LmP6!jJYz(rXZGA6E
zw;z`mBr_;6_>!031w2&+v*oqfGqdG;-biN87$hAoF?*;PlJ{|qg{}AyXyG$?Sy7Z)
zgDJm{UbnPpAGK8)cZh*ii_CKSs&KWd0dVm3v}xRnLJ3a~i%%&dTDX19joLw8bcJKR
ztg3*oarDNwLpQdbliwtbT8$*)AkSK&ZE0QQpR^yhIIeB>f<LHd_h8^tWu@A;1>LDH
z*^LM)Uxd5O0CEL*rI$9qGB5xV0^>Ibzq~iCXETSXX^myGsMDs1eYHPe>I%$*+gVW(
zskcMvWu5EO1S&qAb?E(bTMiO^>rn+Q!&};pLJ7Rl`!?%MaLDLT6<urWG)e^3z739;
zI@3g9wcEn8aw^0W;x#VT>Db1|=7tLTN!2sA6`)E$o-$&6PPK)PS{Y;UAxVqA6VT}c
z2Sfizf6Dkp7$VA*oc$nO@yN(0F_G_#^AocroJ$NB@agfyVIB2Q_8=)6N&ni|aHJA0
zDFV57T+3aCGGf(ps#)PUznB$I9i~HBmf)mcoZddY$)uPo|M(y{b%8uFd^GJ_)Urzv
z$+e?`=Yx7)wiX^C+?QeR99g|!U|gY#HP$&y!(uh$IFP_@w}3;(Y?WAIv}?v@mEzK?
z_#R~ch0A`R${56-YvqG7tHpYy^89-~y~{&muTakB=JM1?`54T{VB5ZQk@HDs@2G!X
zKwk98yYKihdX-x?;WL&$a$Uc-`i0`hdl+b5UNgPhs3RZLzor41WyuK9$^GYG<U7`T
ziG-`52N<7!8uL96$Cy>zA0}Xn6KoRwHo7v;P?TkeY~*P%azXp@D&?UX6iHXb5<csw
z4}_nqn?cr*>)ARY2<XdfKl27_p#nloVL$0QY5LzAbXq5$vl8}Fos8#eCeoGv&Vnh@
zLg3IcMr6;U2yvY@e+)z>2C5Jmw+L?88s&(MS~ZfE{=AZ&6=4!lojZ75Jyx3azzDel
zu080X+I&WGQiUaNNo;KjAZ72rhxgnLr15N48sEP|)IBKvK>6zdx#If*b{41muRv$%
zx~s=CxLPw4<q3MGzEz#UTB;~k9JFN7J;3M@`4xwX85DA6N}!OF#~JW2Q{I-1ccToj
zfc2kGC8D>hL1vX$fbLz*T{pb9Y_u;LS%aSHyNaKHX4w3!q4^c{Zkm2L{hCha(1tsS
z<M9nClVsbfVFRI9V3CZ8RAq%WjIFVp46T#{3kai9D8=D-*Y%!kfRvR~Til90pwiVf
zmVWzCw)$kI{yu<(O7kCJ&P{Y3AA&ceJJ~<pkOsntcs%3=A(U<R^iDoOiD}xbymm)n
z+1kZkde1!A+NvhLtU&#HgX=-s;=mIqE&j{6@b=2yd4iOJ<`eJtxPA`)q^gL;<IeoL
zl^5B3!;s>q#z_+;)}`pC4}d3^s^wP>^L9{YiLTXTg$T-zJXBYmfuZV$i}hO&k%D0L
zFuU*<TjUR(OX$Z8_eN@q{64+wzwT^adGy%=>Pv@6ed&2I1sjIE^rSuTLTI4IY5Ybd
z^<A>vdqq$zE-Q@8j8S9N|2NGg9xiTyrC{<iMap+i<75)}u>;-_85HFw-6Dy2R(l<d
z5g*_)+It2Nhv(h!bEPs2{&x+iBh>gvyIK#EoL4Ict=c0f3U`(Vg`oKp_wwPJdcEAs
zN`cWb8P@1^(Ae03jo@iaZIN|wj>z|PQ7Co-iy)rV*=UU;5|j55Qql{|`}hco!`XBt
ze>JeNxqmgVUoM9JUdoOw-u;&gK!65{MsNrDaxn(~!@S}R-CnQb(hxnmd)QC}e(7L*
zM4KqezGe`NP>sW&j!-!E)qw5=MF0clg$o~`AMO=oU<GD>CtX}@h|d)&tgl?9WxgX7
zR+dp$)1UPoo**@O`V^QB>>wsaSKMpHgBwdkQ#4H0Z<s6+XI(SpKLhvr#zc5{Hmu5r
zkFGhJPmD=-Ak!<a4929bSe6+W7<nh@>9PNT^#|JiPq6;Mj!t>JzUN|&f%Pc(n=O6B
zyxR9?y>Y!Y;vXUNTMFXf<OnFi@~Nao85J$d=4GT`cPH!PO$3p@B&`h05LjirZT{B{
zG^ny{EZ9dcrcmZ2P$Ht#xWfvp&ys{4GutDn-tZc?V>DwH?_wyIXw<nCsuk-Mf)C#E
zVB?9a_3B9F)WIQ3%)HVe+D*D|h(k|R!mU{yAt3(_=pVJ|^CvEs1*KM1Zj9BsEZ#5F
zEN33WbvD;3`70%xL_h`reL4}Z0_Mvk0>2kxaupA2vfsv3-EkqqWTM-6pWPPY%e-i)
z*r?=0+yN}`Eq(C>l(Vk5&X&c?+Uo@GDzK5wRuXyAEUxnBNO+Q+g{a_7m6$@gYAXM~
zBKaF>{iEk}$nM&E*-ngN#{7)mzWQ{!jXg$<{IjGD8y-MTKWpCMI_usimP;Xt9qAr>
z^&d$*Bq2z-rxk&!r!8(}n7Rr|VFZN1Qq9jZcBUqCHi~kvq=Z;RVU)2*(x!t44hIdu
zJ<|u-3S>l0<N))<2tWe`p=ym{^Q}vN5{VE<IqwoY_;zjV$5z-ZBogFB0a??z`UpS*
zb<_3v>w@#G-Zj0~&S0Bau%BUIDd7h|IW8E5=547H^cqe)0xTYuT@;@#vd8;NBEL^i
zW~``$9EI3~O$k5jH2}w(mGKwh{cjL3xQ=3Te1-ON=p<44l<I~E3~~;zCoz9za^w|g
zUtEEHt!VTT!%9|xKFw`YsX-y*0KlQHXY7S%Xt<;bH0Fe^R1S?<VnJi=k1hkq4DJ!m
zMg+9r$%LTKCbyv1qVW|EbpR9OF0v0Zpg{8`s`tn903K6kxQ*+msY*eSJ)-*t=SVn4
z^Rl%m9)|qmhYJ1=(trroGQLv=IR4AeujV#gp$85*kIqo=Poc0vRSYbv?jioAb5YF{
zGAMoF1cQ6QkRI>_YR2X!l2}h$1fPY*HR$ZSX~p*MQ79>~!CU_i1Fg*p=tPjyt*Hn)
zf9@0|9#$DB0#P&<C_d;46>#KlK^!mck-{Q+w8=O_`{1c{hBl1Uc+5;aAMC2EPZPpS
z8Jvwuj{*eFhV)wiz^4fcSFpg{0bg&;Hv&FeKGQV~#|Zm}=V4}a&PLyFJ`wx-*?9OY
zITk$s{|9PCs1*Sa4EXmfi6K|!1U#_!J$}m>1RV>bBX-=K2lD<?dP!7IKTL<DzeqIV
za|LsJ`!*aV*-<SvuoYZ~w|MnBn+}!`Iz}Q1`=l&H82kg7;iXyIc9>RKB3l22vusu}
z_rf5&I(#554w_KB@@)7myp#lK(a4pEJXO(zL93=Nze*=}=BK7AT^I~!RU3cFVo1%l
z!}yQ4WB-}l#W!@@x(YC4K`uD*rm}$NFuV}33Kl7q?>5UrdiYKfdU#RK1UD5dXWZ!@
zuJ>S1F0Y=xd!BYsyhPLO>)jPPd_70*Z!APZS6~Ug=Rsm&CQO=A8l?}A=R<iU7SJ`b
z%pewKZGsUNM8-uV7AED|zlFj!!6LnLl7jm1^Q8Fj*Q?WaYf~#79Vv<bdRPTe19&@&
zm5_@g<Dc<?r-(J1?*FO7Fv%pZJ^fTr`u3;lKHFV>kM<mPXN*<4(%3lvuAV4l_55}0
zWkXg^^BoYUU~PxM>Ul2t1MlzZLAV=KQ59g(6PEzf?BRnLfJpAb9F?2j4nK>P7Ywje
zsizS0@_QFyG;<tC<e>#I`lgg2hHoy2v>t^%3=#P$n4u8<bB>NjrgtvJ?Dl)L7@WzT
zm~A{o{g?dJH(Ng5M?T2_-xH?yPWkJ`dkkch@Ad@W0O|i`jjpY5NT7H}@$^=&hN3m&
zv5;aGqmM%GXoFzbnM=WTDD*wO=?CZk==*&eWaU@+9U6`c#N;ZK8T|D78qfdc>V@wt
z|N7U433R4t@IK?CMmpdM@U$w6{h)h6IpgrxYeEG(4Hudjgm{f#W`C_G_!-Tg#(~Eb
z^N;76GbO&W5o`f}=`O!nfOR5a?D>yRX+{WHV7fBBC+T;kA^!WYco~>9(zjlbEYDcW
zpT)s_n1X9_Di=s#Zqt+)!u(H7VmR=MqTeCg`aARTtK`l`yULbCXY0iiiAFGv%Up*D
z`?L0>nexA|^B`A};7D-InZTOt-*`CRN_iud4ypUHio)EKc@h4JMeK2<+0u>M6-N|%
z)0Ga(KQ^aO&HZ?!UT8<ZXrPG0*f97A=OAVKqk%2KXwIB_j9zrbjr1am%4vvS&zZ^0
z9#=)SORg%)RuazU_wQ399^@I)NdIS*gNc=ZzSU4CtX!YSyf_n+dwZnHU040Xn}6AF
z1YuWRUgbYWjr@oZ5krKHe=XP5B9DqMW3MnDjht;`h)dUbrwh4~8Lb%N+>02B=^Gt9
z|7TR4iN?%c*$*zhm2RtAg?bHIoeA87y*WyiW?z#W7XDKDJdH^kU@Bu0moIu#Kw>;3
zk_gC*B<(F|Mx;5%606U@X&BhC*MT-ED5yrlfiJdw?~2PesS$W^CAjeRp``4C_klHR
z`8`t(Zr!hak7lk`i-XOI!3mHZ*|iD>gqVi49wW}g;u!yxC>_aD+4dcFnT!80DC)#?
zi!VHMUI1|&D~b4u01r<|*|1Hw=~`Eepe>?*{Y3z?bK>wu9V;&N-we%khpz%MJjCDk
z##+q`zvuR^vgd^xyT#hoDu|d0EPvlX!CtTg(B1l8t4gjHF7{KH{sCv)q4&TY%F5|V
zy+Y)OY>;4B1?ND{C=VsN4}*c+Y*7OLI7cF%X_y)4)?4sJ3+ylSH_QMlT~b}oBPY#c
zp5mF&&&en*xoh59?n1mLzagz=Pw%;}*){g+B01(+K=DJDrRy+fXz#H?ay(!^<dYRC
z*xRqJUs&FKBmdrof#F0@b*X_K#G+8Y@xylue&1oM%7XUK+{;~or7{^x=>Ho**q~@R
z#spiX{J%ryh9!0voz1bmpM@fO%$XTh5OSY6{nT*uf8sv7&KCAc=VIu2Z_1@QePPq8
ze_UEfuK&YEkTYmLR9W<OX&D^%N(;R6?_KJzIr0O(J@$zf!MA}>lUKTB&A<KERP8~Q
zqq#tz59Ij9z+o;ojuMdv$KqRRtGy~J7*S%o8si=dscPmksX$y+RJ=RaNBWfvs5AOb
zS9u4S%pZMb02pvl?E>Vteg1GD;H7jC%H8|FA?MRwX~h2r<ohj}i`pgFEk57;5Atmd
zm%OHTo^i>dw<0Mkt-$l;50ATA|Bnd3z4MUY9JuBYTiObA$Mutu{m|^jO6iO}Am8p4
zI+*EWQG=&NnbG4I-)oB`KD<v<{@j71?iFU@a*X4<Hr1}wN{8!DVG&+K>;<K}O;}4|
zf2pez=8AJ!1Z(5(^N6g!q>W75W$>c;PGl3nRE1)@Ls^wJ!%%4Aj&aePh<H8Yi_pTA
z#S@p^h76w#fI^M3%QZFN(J|KlM4Dagufy*k{I3TfmG6hA+3KsS=W)m^Mk*{9wI?H_
z2_OIC#38Ef7FSU~7;Gq83`~(qmajU4`Rt`8$2{)wU51H}jsAD8n?ysteatpN0q0$U
zq7d^Mf$5kNxn4H83Zi5u24Kn2a60SSCFmVc!7aX#fCBM>BY-VoXXAQSpd=+aQcPk2
zKj??Rk8n<M7OC>b(DOYo1!~V{O+l&NFX&03iiE!)jef63!ma7omCEFNc^=NXN?;qR
zY7bs_z-lG_M{LK6I6WG?!wSfHF0KVazUPti>5RIMq78X*u_6Ld&f^Nd`e$|KyOV^I
z4B-hm2<g&l&+sOO6Ws<_8GxWO9qI@~dVa9)AZ(gNpi1-tj#?L>xV8oQMgIL2fHwOD
z26eJPD`_)Sia7bG73qkqlyB6o1uAjXGXCoMi*)|lLWl%*jmK`bmHle93}tVE{vm4&
zy82aleI>d@ZCJ$>UqRP8c1sGAkd->1`KzmAV4CL=+gETSbkb8&a?Rcf{Thk@lsqie
zUQA+Kg~tuzX|?5pt&0Rm+V2U2xcJKP0>(RKgMw^C&|d+be~4>F&}C~7R{OXiCY0xg
znFTqtDlCTZ{LlXe(}d-f@*Wy3HIn{a7;h44W7``<Ik6=%EP2sC0~2k5N|Yx5oTkvM
z-12n%es9uE+gw{<RZ7w=+<=0tu0U66+ZHw%vX5fHBA!fweZm_ZQ^C{dOB|c$;o_S*
zdSjtUfHKV-?6SUNl~Mfk-nyfCaUF-dKI6aO!F3qYk1^!=GgE;<RQC0}pXxO}czc+D
z-oc-U>GqK0+Rlh|@p;=}c9jAw3Dbxh-R+bDTwd?2G)Z?6kM7_|_7sX~KIs$(FuKqf
zPF&pqZ_*2uJS(AjrmrLTMNQIucE5uqgYg~h%};*IUp}T_1XvMX-qcATzu>3msA;Yg
z&w<S+00oFF@Yb{%(wXdeY4;N=y!7PAaH}-^fb``@v(=%Sh(pu)78mCp1YqFTp8$F4
z$FWNS&rYYw8!x+!0VMv+G-*i0jwWj94LOB_<x$7j!D;y(mxKDFxeurIoIFp<(Uhd!
z<EG9t9oQd-S4wfc;d>CkVUjR={tg=l-7rS5JFT1?lOW?u#w4os%9mLg9*boJPim^C
zz6*u{ZfwqCxhai_udTW4owi76Ka<*3IZz)VvT)h?WPYLLmiL6CNBf?~fI-&;<qU<Y
zMJWgN3lz4=UH?q^-L7F{$QF+!Zf+@}>_kAZy^(eGnAMxJFk9;dw`N)E=-edvx$W~6
z9DQ@A{k-@GbvKuWp53@cKWE~|$$fCRNm7}3Rlw?DXW_T|cDpOXiTswthr6rca75z*
zoop-02_uvgBuREUUw+cb1V645Kipe?4(?-~e(Jl|&@48m+kV!_(bfXfsJ`@9N|nuU
z%>I68#pxWk9|dxp9__HB;@g~f*lXqexAaRoh<jWuF`jg>gREvpe4T#nn&TtcfD942
zuP?2BUJ5XP&`J~b{w9U#I_#Jmi19fgTQ+jtXWc8{mg12ctE$G=J4^ea+k;m4gPn^V
z=5d@rH<C)&TsqGFC}fwMB03XeEJjR=M*JxlB^PNUT%O>K-F1QI&8E5Chg^+`KW(U@
zQ~_%;#HdT7eTjRijCGIOQ~OHJJsjPg-^EdW7_0S!GfBr|_BGqJu=#eSiVk*`(}iz<
zUDSv0Uzxuh^WHCME9{*55@q$*%nn@kd0p(s{&qCCQTS7j>9cSw>ab)_Y#t^n9q-My
zL<zqSF0R=AkMW~ONeki_(7OFTZjiv+?^kH9;huVDg`<0Zpz~3=geJsF{yga^;=e!x
zV2%C__d<c><Rc-2$}cZp_qckBfHia|r6rHRcjg5Zl1sxEkh#yk1#|BSyazFinmmGa
zoaZk&0!__jQaZS`erbn4@>)s^J!DqBQvG70(-HSzw`f>etXl=o$E%`D>dGIiWOfFH
zzI)o`$1^dj<5Cm1zf`~Tr3nkFc-`p#iyJLh7LUj^o8Y3iBmL;`jg-?Tx(Sbqlo;rr
zMEy{dD3nEWy?LklmaOLR`0Mcer9CU5)Rj-MjrqFPCz}{oo~mY+j0AxCE_2?Y@@e+C
z3Le{FK|23_yKStqxsFr8Ep$dnxT|F3MdO+8#&Dx?EwyajJz6z=k@ua$y3r5qs_UCz
z-27oB|B=YoPWOKaz4;}|I6K;<CX~<WB9$p$?pW!CrdqY{Zk5exwK3YhaWxSA<?Ipp
zN>{71E+ucT)f@T58LIbpzPhz7N+eKIct*W8Gq$Qamo-fNQ>E|QbIK(j!O{Ns3(Ksw
zPHPd;;iiiI7z(sr=$8b_%)4pIS(@a09?ysNy!u1l>&q)iR#+ySaQfwm*7$w;>cWs3
zT2WpTsRHi!<hi~Vh5~iRvO7}}7wKKMb*SNoC!9D`At<tY%(!Xa`_mi8W&1gu=%!W3
z;icgaoJz6YQ-t~NR=zoyL&R`0<Fz!WAJr)^dYpp;`WlADjQsh&V!z|%pPSMzyEJ;H
zUboMtcR(}W7A#Mx*Cc#1oqSm7H0M3V8lTMy8>vL{XNK9vps-&^Zeri-WBu@4MA|?6
za6|RQKK#<8J?748+aVsy;T_r-U461qP$nxR<g53uvc&A1Zl#}kC&<3G(m0`#+t!xW
z@?l`*#-2D{bKi`#_h#5IBfX+sH+py5QDF4#>sCtF(eQ{n7*wCHOiP>=Rln9FYo&Sl
zP@rDvR4az!Xy%^t2mFOb19IlH<=!yd<B+7&U6R^(ttkIrqLfFsB)7dKrG)qo>?JI#
zL}ewa-mKj7>7-^phDAJHl-V-{=~JWoxv;WZ^V96b^}Th9awmD-G+z%D!|hYtMBLk7
zx8HzJVT3wW80B!O+1&#ogWc1Ol|QH<wL&#I?q0-uZ$F8{QXpWw&OOV#CoQkv%4oqC
zb)!HqvHcZ&(*buP<HC&xL~0vu!tP{aAE{|zxahE8xB{s}u!wnX8{qj*{pK8f`zFn*
z!cZ{&DtIV9MuEc{`MCk~%hBmfE3YsL=$dM~Db<Ipu@+Rkd}KNmAX+4eGV(rZz#g+f
zQiIjB<20Z-=SfSyhpn8*gN7s(xU<?QI|n~mYBX#{=B8RM-sWkcrrPp-@p&u=wlNk-
zIIOQaVK5pbN&2B06Xcnu=8*j0y-!sFFPextx8gafo@c1~v{LMqC=44$=zx5&h6%}n
zN_dLY1Ed2P=V3%}35aO}Xwj9>ymx>G+g4cp^R{#pi7*)OIRNnanbjA|plqh)^#P+n
z3~J#<EI-Zw*+Tadk+>E*G-6f`ctDUVC#F0oAE+-F#8zy8--9vKx<e_A=Z>&G+46xR
zOZ5US#>Q>mff94#k|=n_vX0R+sT9%GjdO+Y^0Waw7_3%-uUq+wNMK$b)6`QpJpyb-
z!v|95mwFAJZPr1RP7Ec+9r)B>$S_p#`Nx|gl!L2Xd&x{amcxnl-Ji+J7x1Y=^pBU+
zCv^sCG`=f+8WS=3^x_brfqvPfJ5|nIxC6F}$(zvI?z$J}u%rwG{Y4@roMqz7qZ^4I
zqc^?jh@`^&jOyv&M0fJ~3I;N*ztYi!KXNWx7Sf@ooHhr{>X1i0V7u+O#u1b(q5z#n
zhsjf=HFsjYgYBStRYDlQNG;#mx^g6-tC;Aj5sg5<=7v?};WMp5LFy*^-z86d=2hU-
z5+-*j!s&RskpqGBvyGY-0tpRScNq^vvKz1*RMR<F<sV*q*|EIi`TWOSi7OyoRxcaS
z5Oqa2PjS4k_Ti5m{8e|y^Y}VyAp0kqXvs^|LgPl-ln!~?BRVCgHI8g;5mx9OG3<+A
z4(}W?nJMl;=v}5&SOh`s6HIV5Dn}{7Xk+r@XKhm)d2E}Z5;U;+ZU;kE)j~B<tI82!
zR3kswf;mURgDq%gbjTys>25o(ah!!ZJeUL?Y_yPI@k^&K*>P9(<!w`s20e*)+SPVD
za3y#M=6`0nrd2VCO~7vFfyqBi6Z5*(Z?!X6skO?1>S3`<#H&F@!i9k5QK8y8^vbWJ
zmg~mNL91WR<~jF0KIj$SogG_DBDds*!5Kyd#|tCQ_^9i|zPslSx(2#I48MrY5KmW<
z08WfT++A@DMxtLw2V13(#F{qop&p=Cx;yB1ttjA>+@x-<<)RTXw{l!_X@A5YhXFx9
zLY$HJos0+vPCg96ed$WAhFrCLytoOxD>p8I{b4g$KZZh=i8a1pxUG$aBH1pmbX#CD
zR(I6iKGZ83TuwmSSNt+w?m^5-62J}f;Q{mE(CxZbCuXr$pq8HuqnMK-I=;t!3w9k)
zqFfUAvg{R=f}u>9sQ32a2hHL^3C74(VAl(SGbw^N8v#LD7_ibi+aCo{Ao#}7Xz&yO
zvr68ZU{?PaNM0`!H~)AxoLoWSV28meBY>W=d|xKnt|dkE$6V(Ca`H4?fM#qq&~0ha
z_OMg%B)jR-GYE3-ri)+Zw;;TLd)Xg|;IG}+f2M7Gd?SEH#8G8G5ml&NZ3Kzg<IOhm
z<<V;Uy`I6lC=L9{^v|)-#&z@nXWjLm4a*4Qls#pcZ%fAD)=8~1`0@Vw^=l(xZtPWY
z@{lN!L0m?5BH{aj3UD>rFhpgcd0%XDKw-X23LgGwk5)p~#ErU%KIv|jY;FzvFcFqR
zQ8<cyAu~nP*$q|4g6selFwF|dJfkcDP9(oDCA%{_ahfnu+vwlM`52v1pROjSxuaH4
z8y&%qH~IVv1t}D?VJ6=bIv5t=Eb~z<w3bvkui+|%&7Ey(lCYgz`t*wW_5<{;lb%Tn
zxeP83!O#$li?<={q^=}Smk6`uVkO*(g;NiOoygJ@RPT{%^IaUhoNA)Av-+;{>h<Sj
zbISfW`zcqN)*djy{{N^x$R@?vh;ICgR5Wr{IwE0NWG_<INIaRD_WfHJihLvDIX%hb
zk-Eux?sdWL&_xH+eB{uPL}!DIBAQr3(3%udltQOxuI&zJ_Nhu1FQi~&!ENSHe2_w-
zG;M(ogYJ(JCJo7$>dnuN74%JVVlz)g1uma6g&q_aq&=6g3!~f|E@eh~{X!BS-f|X|
zs%xeK=XF=KXg?kKhDvRCyF4TGm!5|Vb3yh3+Sy0_AHYY2=eQ`TVo~L%9T@5{Rys`y
zt>2lhFfTO5+z|g*BErJ#-|_BmcZXqtM~gY{DxfnOkfU);uKva>gq{9V0&1bv`=Hz%
z$%$zLLg10I812*Wogjv$^WIZBU(jG=7-^eCc+qaEF~MixJ86(Que>V11^=kSg11hP
zu)u?^f4~rCneR+*_&WizjFPGh&|wG!R%&PvXW>462m~M+T6ZY+Wa+iPue%Ekn)IZI
zL8>w&=a2Ka?nufS#_Kl|G^l^Fl8OwT0xdmk@I(QnHL-AwnNX}YHRC7Wc=g)smI&eG
zQNlTwj=I^DUp40}#gS*mMMCe&JnB<sQt=E_W_re)=qK~E2`AChrc_N}YQk2=UE144
zc&`-My!`ugCRk$k(L2owVQv~8t(A0N=9(;Y#>V4Q@ZU<8f}cqYb2d_>{%UxZPN^dK
zK^Tijlp3Vf=H4)$=WotreZmkvB^|C?jEHnLx}h`t&&%D0m&?Y8|EeYDAMTkyW|+#W
z)1<vXOlk50wIJ~ne%}4kLTik0QVSz8^qI)ke(A0g_1N2wmqU~wOlxK}dd@@NbT(pi
z1)WqXI<Hm)pY=Ec4>{kX`3T`$<$El0a=F(3c~6wUDofKrkMGrCGr9%Y(VNm<$k6#?
zXu-z#5rrJ;qA&}cG-%Wk*f0E5{GI7%0?wY+#0G7oIFU!f?D9w&T=4fmnW1T5NODfT
zL93x@%0ZD`{`Kq*5}f`xFvIUBnMNRpU=4hWL&@P?z(lrltZnp-TPOk4>G=!-e|*$B
z+BZB&eU#{z3qdpRRKTRVLvvikFjbK6wb4qdW?lB3WrfaV5@}!=5Ti7^mV2mC&RGI&
zy~u;%K<^Gk4)n8_{0%RlsyE?03z<q27K#K-8M7o`vBex+7^CSCvuM<Cd<ca->euUj
z@;ZW&#|gnh*SKl&(Z(p8$1K(A(3`A-ZE$|5CGuHDCD_LL6P8$331c+;%LUL=nkFJ&
zXl0xc&=o2c{*<r(<7f!7K!|vHh+ZObHMc-mTccB~qh$Ig_RO{uIjYR649czd`><rN
zCyyX^7`tEf)!MOxZbv7XBsQYoWxRfxw%GU1ma!M|CNDxD7-jc0hKbP2(LUkiuW}a(
zPCexQwjdNiiEZFx{JoC4i4yhaT+Q2$kAC0FOQpm_t08atj!HYn^E&#?^k;c(b@ZCj
z@9|cr95NFdw+!?Au3K(#;dywR3i^9dKGhyJAf08{48K|CEWi0db5zP%*56+5w^Z!=
z2UHS&V&-KYsSGp7#Z8zP`rOJ=dBOd3C0aPTCwqHGt;LK~=6a>>RnPHTR1*>DW4Vp2
zj`z09Qci!4M>BD+9C|aSlUBCai28@46udvHlrcpfD787=6A3+#8d*?Y+Bugoe=C&z
zpx~&USN}bsc~MuWW!b~h-=4-lUw)XK;HYfjvEZW0Yzxp+8~(hn^uyRD8HqL2y*`7>
zaRDguo$n1C;f@|AbS&Y*nzP};n`SffFFH}5!sq7OpXhQP&dtBDt^m6J(Z0Osq0sHa
z2|4QMQHAU~9<^V8N0X<rMV{Dp<<O<f%ITl5H%Eua3GvI~ZK|FI8_<PY%`r?>Uv3IQ
zRq^Z1n*<aEGVb)|{E;^=B3pg`f@z0|?8yp|@9!r=HVc7RY*M><Loxe=qq3j&^%yQZ
z)RyQEyiW8e+s|WmAI}|3SF#;WyoA)A%wIoH4&8s#ap*6f5^6xV<FY9oO6}<-*lj&U
z&rlP$>TDEK8uT_F1B;ElgYDQkzw0C40$a3xI#u$OVw0mFx*oo>VDN`vz}V2}r$E=~
zyXE{c1ow9@D|hPevUg-2hn*$fR7`a|frTqh7R*+^#DuhuZk2c2SRR<&cT4_chel<8
zbF;A~|Fm(U+FD*Bi9S%?vhI5Geml2SUV;eGE0@Oe!&!P{$)ULSB|g!-^pjh{yRh-1
zO8d>Lyw{_OstjZ1uUEG8^AD7<mP(5{;zAs)SfaTcKAB6OriRolnf`y2y>(obYqvH!
zCm<mqDc!Bo9THAbB&HZ3ASI2Yf=EqJx<N`BR6s>KlvFxIP?S_Ul#mh;5YBj9YrXs3
z-+uQw=ljneYd!P1pZgy7$ZK5VN`Np)c*x5JveT+EnT0C?Hv5@r(!57v&9(~EADewo
z1#HU>+`Mt{cvY-MAGyPbj)KOU3XyLGuZ)G>=xtuUG<k7PokH*l|MAt)J95c;-|BEj
z^G1yqy2_9H%w=4>eT(a9qjpamtE}4;5JcTfbp67n_uk<6?Ry^fOCtNP)*szDpReaL
zgr&4e*}QkqJhZj1Av2k?eK~^3u`n#Vs496XZ)_;;$?ob#Gsn{``NLG5+nL(R=P@va
zeIVKY&`Bz%TTkNbYxmPwjL7hXq4;;tS9Y%vPDysgW*6CC^vox2eD)^9DDV8QBmWQT
zF>${L#%$el@huPNPASSVfFUy>aVrch$<8z5BYEJDWlw(G6uz}+5??dNd$~WhH&~CA
z(ZOp!;&5w2*G1W3*!<FdYYIE5#r(=>rI`2HggoxuH38?g&&5;=De0n0Nv_<wD?|3S
zad%1l9=mTv%h!H!91e4gf<akYBKrr!jsY8igm2b{;_tp~$~*Cpz18Q`(Z#(?flpnT
zM$(oA$whgKv5^&qnECAEJ?6AmE`9K(rIR|`JR%stgQePmm*V#6wxl8++V&_8^$dGS
z8UJ~rPLB&=cQI8}<F!VXE}de(0+I0=8}#s*!qCIbcuhTW*NrBR`Sa1N3MZdkDS2b3
zyl>1LLhir8#9tV?t1|z^exCX4xreJmq6vnWTFuy;@B!Yqo`k%_Q%`sAbfjK*ASaa{
zm?C#{`)zUFJG*ldD>{#R8uK<gwak8`52!1AJZv`d@V`A0&d7}y>Z*69pltB`5G9+o
zr=#fM8x5Y`Ki(Aq*cq-CD=f7D6*{oSOYZKB{+NL5P;X&VjLAEKQg&r5i2yHq7|;Dn
zog9y{&cx;1qLO@|FLYA+emTnrs+3JTr?zqZU_Xx5Pl0S#h76Rhc7|?e=naV_dDZ3=
z1@P(z9iA%=ED$#NIWG{?79QZIt{m|GX*0F|CAlF=0=UBwB?1ak+sr}RvO|kfRC2+w
ziy@+7!(3(r<dgqw`~AJ#jK>G=xe5<9Ql0KpdV*aRN9;18h-Wm2eWXfm?li7U^#r&A
zbDFuM*b<JYZADV!$pzXlgWO!Khb1>fr{prN+~NDVjvDaa&#Qso7m@ikFHxnNq>5Hj
z!1;lqysRI!y&ebbU;wKJTSQ#JUfJVZRZH$u{X;$UQim7uJ3`^f9wdGD%dej*NrjQ*
zJ~i^Bn53*NwE%CBK`>!R%*75uB3<Mv_Jbcfo!M(I3U*ixkIP=M%45DKlIIxtzEP$%
z_X?#^ETVaXiNkX_BNAu(BMKj^U!m2Y{>z1I2M@()h2^1bG?+PN%vV!PIqXJllJu9z
znM`hbHy7}0=0m^q#9EUup*^`m$WMRPDS)5T%FTo)AAI<3!~A2VqdMN>?b1XAc~jf0
zZq=Q_GVDy3;HLq(Bf8!kZH-nrF_N>N{_-5lQov(yGQ+fzfq(slrSFJhsuC57$3UDb
zf*VI&03?5U$`|09y;%>z($5SD&8p`&;;PE;Y|PvYJlx9psq^WggVT3Ha5Y5mjYy|d
zQAgLWF^y7W0@kcyc4x;Om4h$J(lU)wLQRc@a<JFF75*X1&-9w1hN|DkQoEc5`Dg}k
zKUz_0(w1kzZ%?XUl0|Kyw(;HAaYrOm>L^zpSNZCbT)ad#ZPmGJLl3UCWnL~eHdzUM
zhN2)4WoRix`H{4gqD_xmV9LX?_m^OM)`C+AyX<C|P=Q2KY^Y{?KfXg$uI<RJ{)o_^
z8v9t!>t4@CX^=PL@(J(dl7ZW(zc3$xg8a)VoJpcovd^ko)Scr@#e2&cs27Cm>XGWj
z9t#Jlr@pAg^d4+mqf*gEX+@9MlN;r*3pHZabCTz)!aS`cuQ$E_z-&(8)(<erWF%Cy
zaE1HDKxe}NDM~*Poy6D4C_Pk}aDc?iPtm;2ZX4MV?}l`;oEsNoV{XNJ9_oZSy}ts?
zmn^S)W{=6Fl)aV{EADOF%iM~#xWSE>tAS)VEDbeAV$uCTKar?-cN(0+jEtrFTdg;Q
z^xxC>E;Kbhc(=4Dv0AN|<$hTCVfYBYMMPpEZ@Q3Ddt@rpUNT&Ek+HqI0}&ULV!#^?
z@aF8#tGrmLf0R)7f;jCQ3A1U#;>@>U)CG&p0n?Gn4=W^H{f~UnEQ$WZW_QV8&3YHw
zbuzauzV6XLZp3+<f>h5ppV$n7F`D=T#&_slm;L<y2lj%<$7QhdVrSS;SLbZe3VcB;
z#HPn`O}McxUX6r5hc3c$(jNNCE<O%TA&2PXK>`?J@w-{pd_ism*X=WZ3SWDHZ``Jg
z+?<|~^37pycHu9r$JEb1R>GgMLgnZc`%CNKNmK1I;+9d0E)m!-nRPJkAu?OBN{s&#
zy6eT+F9$b18E0<wZQejaVO|KF3+B)*(@82cc#w`fmg}oZa+^w8z<zFR{si6~rj{_z
z+WUm@DtiP0L>2<LqpX0ddA>_r&ISX-Z-rb``+eNI%m28c1fYCgm%+vnbFJ5+0?2b+
zgEsC&?aFyBT!OA-?$(1d%`ts%$1kH4&<!#&q$6S^H#Db?@Rmq&Q_NEH?!I4CTN@w_
zIpf9I?^8Zl&V@+fiY~}uK|UE$5qgz+#MVNCx~p0G?NUrR^mQ%imO}r)rQ=L5_jRx5
z@46=X$haL!ypz<9`i?FepD|j@Olzwj{N~Xg)e-d=5xQJKv@i!Fiw%b;GtQ4rByb_c
zvW2iiz{L89RV5JrW;qEpF$PC^Ao?Ibb^3rl%XmzRVcCJktH8e_h&doX88(XoK5-hC
zWN&4Kctx68SZ;ZVPg)xA(2awKAK@ZU4D*zTe@YrSt!LJu>h9N_03R`T0kmU3g~iWw
zO2~xC+eR`Crk87o<C#wJ&uU`1SpyuZdW`h%J@vgQPBF2?D8z@RE<>Uf9ac<bG{h5B
zto-UROMOP%jA-HYq>X~21d3+KYc|gdRX;XLGZL-+iarT)VssvtANn{p&sYO2Zg^}`
zzQ!%v=Lyj$`rYnb?2uNNITI}GL+-ch8PWJZ{WM_G2f-O$&@LA{2hJ2A`zx>a?+Y7#
zF1^@%tB%hhxjg&+b@y-L6p^z!vG*aqwS$}M@h54b18*uD5<4axMS6gzkcwG8hb!;L
zQQ}48cl?R^86YlcrPPwf;2q-zA+w;kZ6Rwqr7*?w(EdKk`ZKY{BC{on?DumNa5gO`
z;b)yU2v(6W9e%c#-KH#*^g#Shy7ipQb~IWY=gDUMCk7+~8)8Y!lffAj4FAH4hRKVv
z2(PocQR_;=`&|eMwqisnGQBy8KrL91LhxC0C)g_<X9hN4WIj&ZsP$L?V?&>qM<Jm#
z+))O6M15GK!G5=@jAkbPku(!XEZB80b;ClmI!cXi_6L4-(|v!+`YcJ~%#aNWZD%SA
z30Sax_{q5ylvfT(&?ss_^04piBh8-*c}3GrC(M}9^t)g0L~ohPn<gR0d#+UWHX~8{
z2CwEhh_obNS#k=v&vr<mV=3+EWQzo9PqVa#iH9-@POQAFx}@z_sZf3&spuyOO&6Q6
zX#CTk&mqRl6fza9>ZOAVMWCDG&Xa+7WHCDNK>i~@Jm9V4A61!ng>hMXiLOw1HdnT3
zP79v$;DZR!j;L(^0_1nuStb7O<;hSj#vC0#!Q`g}1GG%13Nh*b-=8*mRABw&|7v}{
z|46=}MP*%!NSUWxl`sLrG8r*vi>w6;+@*LNC&&p|&<zP515x<b@dX2-(AHy3_<H#f
z8pNWXVk~YoQFR1u3D2S6vz<9%vrg&{P*9ge!2#DFU<sYzXYZxTX#`;2F&GfYE{dH*
zRDKI397w221tYZp1N`flXHiINI@*E_XN)@OU{d~1Zo$Z2Mwct72v&rRNG?!RkMY<|
zFMxzd7ZNOyaa590yT!wMh_V*ax*JgkR4U{xf#@atT>KVa)Gho0`WA}L4mD40j&PK9
zmOB-=TZFU0h{N-bNS8kZ&qmYx#9zlF9~6S(L&v8o{Z7ZXaM@lk;>JNLM&V6xxl0(k
zb474|sP30sArN0ZNS94l?c4ilA%VLNwfTc{c=&MOil<Ye^;O!UWl-A#4@Ztoq1N7q
zpZIt+X)8zUK?IZ4bN)A1yLw;`zh0q0GP);VKR0vxl`8qbDBqf)mCBc}j=4i{Flk}v
z7u{KIEYu%p>%->|gD8ZJZx@FIvi0S-!0F6{YtlucSpW6`5-YnK4u$teOU+OXG{0UD
zj=4i-@^R+CF56+^B;&GsH(e#0dW_Xxase0YS`h3SOKxRvA5y(wmHX?fmC(Nkeb3KI
z(=NOZe<xPNx2RmHm{ikYq<_9l_J^S3|GazP8T}<@>2Ia>(6THoVQ9bHgtW?fb;9qY
z7G$_E^h!<F3vZ^EXXjE<Cee2oTdqW{kXoO|E+~&%%SMYliY_T<`*g_V$M*)(QXaHY
z@A>+6Ks%ntfZBF2HTxDMz8`q&C-PZ+Pnfu_M-#3KqFT``H<H|A$19GtTthXZ*0nGz
zWj<Oj`U9gaGYXzQyZOSO&zTdNaQ+A%2YL~Sg1&^XK&2Z=uAVY7blrA_>`-Rz&!Iwn
zb}}YOVthg}mF9ro1NGjn0CQ0)W}dxE<l6jO`rne|BX#cF^78Trt#|QSJWxj~dv}D&
zbHtn@xP$wq?A{c4!jSU6T$moj;-ojeD^F7KghQQ(jQ#r2@wNtZc!=0WS-AHI7EZO%
z=(iPN3*2D5&?_mXs1kqZ-G{*}j*2@Y)^~shXc=m6u|L1tKfd_Ozw!DJ1*$u}g<n4C
zYx4Q|3@9~VE>`>gT>F8{q^Ij}yA^LdJfKW-;_No1+HQQ|wUVam&pw`9mlz!4hEg=e
zl^rO285kkgb@>`aGyyf}?F3?T+vH}0;!6u3mv48c2IXPGte|^C7MOqs0d3S5E#Rc7
z;JwxcjX@DMy(!Z`7_lP?b&k~KAA2^afQwgzsXE^>#1i){%p6=$+oVvB(W)~_LoU-p
zxDBtD{<tA<``7B?Z`{*CU7(f-BWDhUQC^n7ChTQmX0d$bxls@dH?xLec8(8vnPgs#
zJlGxLJ0Ti+b5rAZ4J`iTDfO6|a3fF;ID$8@WU5#iodif9f^{06)s)(lVfozX>pcN8
z4br4<K5YDy(pLdv`YZvQ^W&`V4y?6j>&IO)k4!~#akAA=-%F1#8ecCRj{649H~zqi
z0{f<LW9{&|5)E)6v?+Y=Y8Sjift%Bvw!?$#>|*r61H$KC<ZXSNlKgadFKmzWk7;yi
z2s+*;NOmvR2htTfm<{)CeY&+AnpDWx6lJYxM$8oOn5CUtU_e$mz+Jmf4`82tyg~X_
zWc;Jf*Pk_S1EZ%Ou-x>lOab{+RsSFIsX`1Iq|f0XojG4I3Pmfm5*17ZC%$pF@yqP?
z2mMZ9jkU=MsVX83f}zLw&?j6wH#%||YDxGOx)kBg504mH<p^-PX4f{;%Z`z#lba~2
zD!}e#BE=aWdJhyQ@kmwC3CkCB>JZ9Jhw5=ttbHmOH}u_Ek(>Iv@avd*yXuKx5KzFJ
z0Cwn%m62Uc$rWabDH+Du3Y$ZPI;bL+d~_r_DHu9=cUkB{mOP#3Lf>nsIaBpii!^R0
zUOjx0;qnGyA*j+D@yL^}E{fl~aBKO~Y786-OKPj#o0ClccpB7hP#qv&H0wg&=dkF_
zSGr&Pi8imuGUl`*CL6WxpiQs`>?$KRj3o{_Q-Gce;n5{nmq77Xl~~l^gtp8%t<&-~
z8Z6%alAwBLzf~>Zm}b{=644ysib0!!d4=V8MUgj&f;zcx!)-a-GXM<_jKSSDS^fAd
z^=!&uq5%PnI|>3E(vZ2&Jl!vupT|*G!=Bndi6`I6p>O@C{!Eu)eFr85G01s5(mZ^W
zq__EECHXULz1Qj+V9s)f$#}lazMI|r?S)y&3VTZh?f``I8ZDVF^#l&5DZrQQyf6*e
z9@JDApR9AYw##|Cs(O#`wxEpnn(4s@<==*jYZT?4z;kK@sAao2myB(0|B(ZT5!0+=
ziyML8>LZI1O-(LrOBBC7<j-+i;PoI*8wUZJ`Q#7IzN)9h>f{O&?hH6xs~#A$7d=>@
zIc`Z;5`JL{xNBa++{{ajL8$8y6Iu<&eclE3x0MABhY&MuhO4-JynNLsuz4o(G)M58
z2ZDx*R0Xb+O}cS8TEC&a_3bn6o8~YB2^w?R0E_pwf0lpqC!p~tqv%C;2&jrHL0joR
zAE~g>N%h!Epfek)gQ=PL`wq9Oc&`hjmn6^Hy;)J2snx)8D=B>XQ?(F=m5XxpsI=6q
z90`jS7FmX+rr_;5CU{Ve1WB=<z9fuBDHDjwai8AIKFW-kw$;?0TjX*Mmld;W3-32$
z2DY~QD@FDxh8TLOTjsR@XNsb8hhel<Jw`He{(RA+Ic1!YOeE+Ec_efZ0CmSe3f5T_
z@e<kTf1?ks_r<S%wM?R1aFrIa*HF1`JI`CU;YZxEe5`QZlq@O^SY2^Irb7X2%1yP_
zR*U^vS(>W10*hyPN~lA6DB=)c$umC9D{8bGQA~Fk1q=7cPdft6p><q)=6h$z$f;?&
zbKa!t<n+N0q#@}es|pbTjZ1z4PrMvBHR;@w&sw8Urh#J)g+AjGzi98_8bl}I4vVL`
zqU-V)3LNE+7g`&wR@F@flRjMQAkGlDB*I@cgr%lBqaJVYQUP*+198RSMS0m}J0rB-
zy!#hGHwo_AlY%R333^H(`m`J+AW`70*vxV!6MT!h%+%BjyiLDEQ=wx1>kq^Tc*QP}
z(Cz>H{{800)wsiwmr4N+)(5*AW{KS2ny*gYS{Ctj*hr#(kD-v`xn-sCvQfjC2uio%
zRVx*b%$%%b$xZ}j%JdfJ&3M4PJE6ForSd^Y845dYuZ(_(a_|ZEaO~=B-Y%wo@YDmD
zz-UMI?e|EwA?DYk8#yGAOqNQ~XD~<>iVBI4h@;!Jb9s=nSzb~?)m(md*>!mz(4862
zq}<iX&*tT`<X~so!9>0aM|~T2V0^@L@sf!3`_gPRYykVV?k$6t&vEK>QeNM`K!pP|
zlGO}=bt)>PW&@r_PM2BJbIv}m?B9%Bo-rEG<x8}~{PqJw<NFz~Pwrj1{F_Cy{J;!d
z38u|QL2B*_-Ah$<7deDVslh~V4qKZRZl?VEtNz*XN0}>Z#?1l#QyUB)^+&`O&0eVG
zkSIH{DR(REjzDqjf9`w&^F9I2oPt@JO#keUOG`b6o<F`Zf4(_h<0E2v=p^uiUg%eS
z;MI@^Kh1>%MXq{S-|JDxHTNxM9=p&&Os&<n2IxRG<)dHk>R0X(Q=h(6pZEy7Nz+Ah
zNsm41u3U1(rf%H|G4>Y`G6=+bje>-!d7D%Ds!00go8lMW{eTfm-W*q8THpg1WYz1z
zXf5h@f#j<ewZ}UmEo(!yoOG!Ky6wPqEyh_YAd%M;M27b`v4nU&c1PX`V(Kw|jnX77
zLIC`vK-kejD%6@CR7r>`gv<!=e;a95J`;SLBzjfnyxea-Vu$a*3h=W@>{FcY{m*Bo
zCsRZwO?zuUzQ1C?Y#Hz*RSqWU%7;V)xYKL&i^$}yXV2tJV$6GDSmY|A1RkYnd@knv
z?FR_O4j7y%9QZrZ&zQaE^#<v@)RB7Z^e*Ox?l8%X1F&QC-i{+PBx9=o9lTRBXXErQ
zJGmJX9ECPjaQbw{6wop^g-FI4Ig$_Rd9Ru27JHp7>VL?4W}9Ey*-MglC4ug%rkA~z
zFnPK6U-;BS?{S^VOs2!t9|3u-IcnILc^J3)8n_vc-#&PJ`J%f20hi-aH_L6bU~G{)
zz$C1J`Yd>l8nwzgA&qzKWS7%n6m2VXUXQ(?>DraBBo+QU;spf&h}uvj6go%Q<%DH_
zBk2?cp8BxV^}Zf*lFh`)wT&pcrw!&S>p2@&=Z6L(U|%DPIO|VtYqE9@lxC6F8@5gs
zRy|uG8P|v}%G=};P?%4P?lI4eeX*+^V>?TawFa}1RgVSgvkDq@zl?-|hr<W-f}!K>
zvVrE#c#MI3&OzG$$;a>!`i4ofy-5|x^y?Mh``U?BFGoq=h~Y2+1)4XeLW23BhryF%
zhRCMO@*S$>?opiR{ycr;ZxE=O-vQkspXT}Kis^Ya!T5iqVR%$(J1ZmPc;let*7Ys(
zM-2TxXFI-Z@x^c0aebeDdMNlG4v(W$-Jkfwb0H57+z*tJeMv~W^cfE&yt7wB?{+r>
z8^Ffz?}6-hFX{%$-PV0HbxGt$$%~W+9(VP~N2@uw!VZQ5LvB=#>t9kjek4ZaU^038
zeXZ-HQGTfToPm$>&_)tRf+oGx!JkECDsz<n67e9T-{*ciSj`2CdUMha)Mh(P)jbG1
zeZWW{sS3(qmFrP^luwLJ?&oVXy@>GhynocA{rd@x*^s@rlug<*-XBm+h|OMFI*^Gh
z8rOKZI%hBw$;18|h7rcP0^OexG_a&v7mR*b+o8FQiK0FotVW(}AZdSa_*oD@(YKEk
zwb$m%fn-O5Su5Cfx~%KR^IIV?c+5GaSG`$~KU(PRSOoRyl0AnSj7}+ybgk~QcPT43
z62}7%@@*IhEqm8@lFA<am7dpv_*I>}L!FU$F8TMQO$|hiKd!T*#-DyXg`kz7k3q)V
zX{25ZuipE6X!z;sYr10-Cse}9JMJ;}{1H}FAIobb=I-esbW(3vd>!pD@gtv3$=$5q
ziQL=&<7~|7{SVKPC;m8^N-Dd(zBYHgI}Ga3tuU4-AQQ&>{xWL09z$~nxDG@E4(>R3
z3*o3b6w02x9uS*2Gg{JgS|jwy_k%%i_g(M1OZBI=S!p&s9a?iFuZ*QwpGOAnjj{T^
zA2+PW-Jri$b$YcKs3sYtosFjSxc$9Dwu@6!of1C&c)h70rF68xf0X>zaWNr#=}OFG
zvmtkQ&bAb=4}Sl)h*;*R+}u5AW%hFJf-xjNRVE)l-lDHpke6>Tl`8QvDmD-rg#zaN
zi$i5jP5Dxw`Y4d7y===~p5&1h_=}Nl7-@eh+_FB*TbuwQJkDojX{!W0VcoEw{I&t4
zE#!i0-&+5{0@RFW3^WahvDg-dHf^c0(kIeyARu;;`EO6JH)aAAFTTe0gZbvo84-~k
zu9O3qvKw+<U|cw;WF~iIXgsOl;`w-_vFoSL<*U?0yl*ZmCs~^wZl3CV8_$W64+$j|
zu0x&5E2(;RpH0f8T%9es<?7*!7aA$e&t|#5jf_CMPHt`KSVG02`_hk(Z#DM@rIXn;
z-+koX`Rvw8p2afOZqThnLn}3Qj3Dq&304f;gK%`rWi6lz0E_#5?hq9qV%ycLmgcIs
zC6j)#ii<;J{2n3sMRg^DsUN{Kq^zxPJsg)5gbyNY)H8`+MQAF|<TXF&bvb^tDqmrZ
zc|nu>nG!Kljm)0G9+pLBG$u99Uuj7$`M%Q1o6P+HUO_k>w?_1OTe7Xp8n{RWTR$DI
zMubaO^lB2YP>DYfou-$1^y2RJ#-3+u(czCB^<9S!{cp=Vr`+2`Ua84h8NPW(pdJ&f
zfA<g0RtZ^jYgS_-ZWaDDGM)Dr)r2s9%mCeGbt~63s*DzB^9lnZE!}TNlr3{3<S#Fa
zT_W4}b|jcDFwi#sG5u_o-H|?MFH4?jy7}qV!0yxuK1a=aE7=JJ{9MumKT5`akW%fD
zHf%qRI#V*1uyc?fZC*8a^K$+98;dDpKGXVs&$h7LTEA~Tzuq`D9>e)Yv(oxZi5j`T
zA5<<gwpj(SYB9h!a7lJ!H^Rh|u>>kuWk^ahDhu;L3%VE~V|%~!wm-P&n@2FoNEG^H
zZiZd1;t~&n850BuJoX16-W^^KZkH>>bginL`Uk_u_P3k_SPoxVdOLRMkve$7u+T50
zhrn&wz^rsFg6fck?(XO#MCT10qjfN8ix%<!s&fa1U^lYzzI9O^3>5BkeL(!)rBGv_
zMCDDL@$W|pQs)oSLF5-qHJ%~KXGlr5S}hJpS`%#c9J)HA<RsOw+(b*duNq7}7}%gK
z><4gcT!mS&HgPspJhVZq3SLt{71I7hH(TlUG2AoEWl6)X&|mMOri1W_X0A5x(FI${
zI_i<j#qw%$^5ldxOzA@()_&<q)qtmb(FF6U$x!eGNf;78OtT+Ovp4K*R#8ih%@1io
z?V9!K#$v<3F|wB)My%$8?NM(tWV{!M5^_4BNPTsPazB3oiu7%8H@+dmSf67m4=<$s
zy20xjq9BzhaRc%4d8Qyk@LELxKWKE*#t@KP;$$N&41$gfIQy~)ew5!`NIS%5;O*9_
ztGJXJms^D}0DPAJhI1ptk-ZEqP_AFOGLYo(t=4-<CT>YnWUk%Z<3>^Ht+Tc5-c4Is
z!u8_8UJ6wT((k|RB=O{jwy9T+o6UJ2W}SYuda5}z+AKR49Lms?1a8f{HkYy~f7SPV
z;LJA|n&k)QK@NL=qxtuEb9KXSp2c@+9qg~4e8&C<8-x==Y|u5s`}v_#FV@NA{)x54
zn?ucF9qeLy7!69U92q?O7>d8ETQ46P=-PW=XG69hm&9Oe-m`Gvqj^AiX7|F#4E=v{
zLCS2v1-axD3D&QJE-N&;=+ddU;pHD}Fj-q3cw2<`&pc8$BhGa1V659;tH%~!^7^>^
z<6Rg1h8#zQ!(rvA(2p;OZ)b87P15G;R9ma9Qe(BR-E(oSm;;~3`#-+W0bXc&8hPOx
za$m-cZpZ3Z`Ot^SsN^S`B5W4<`X14^gF{5gSeYe0kTXVCI}PVwEAbj~tae8Qq|;E3
zFDQ4o=>^5x)k3ypQ!VeO?tk)SY7k#0(-(Z1m-V^DXwA!~lII~oRs?glKGL5tGD!bV
zxuK^Yzm)<`+ZdJoj_O{_)+83d$+6c;cD$pfS-80iUi^5c_BRZ<@0UcvVAr@823sJ+
zb@C6!%nfwV{n@sQE;MDF`^`=S;Nh&6`=igGMYa1_q@5X{ulblZPY*vkULx@=a2Abf
zU9!Y27;%CquSILDU1<$uDW@~>xmVYO4lg`9yIr<wI7IvpaP<#bj|#H79H2BN!lOhk
zJ^SbcU}6<9@1=pfFCSA7vd_CaD_=W^S!z5WMEw#&`wuob=F!FC2Gi1E5&U(Uu&|WJ
zU(Ml+x4!+@n~t77Q(pMt>VO?=u*=hrj;Wgx<@BDBOkeMFnjn}vPKZx=Z^?&Uz~cl<
zL5%Ls=lXCuxkm<)ePL}+fB~8ah^>$7DQ>7mGf5o>o%Kll$*Y?^kPX1Wl$KebsBVQJ
zGWVfF%Orxaxpa7W5?wa1O0{5n)>>9(yIX$2j!RlOlIfqa;w>nA-J=4Bo)U8Kp&9P(
z(kQvofMAz^93_8I`vDFz22m6M|1khPK0AF+-wBV)$a%7f74YTl&`-TF6D9HqJifIf
z?=2EkFZw{jhl!Jtp|#QX=ZipySxQ7hV?<*=haX9lyU%Lex^-)JeAbSO#WIp<TDF`P
z$qiJ&`~Ms#bX<c*tQl7(vyjB;qZufsIBLVJlYf|?o*!E$Ma7|Zvo3$4>tyICQ)rsA
z<H{}-aBQ3HxQ6JPGJ4oEvg3cBR3sh!Z<JO)o)7i_g}aV=Wg^+;f|~35efi`l&yxmx
z3nHAdbX!y^+PS)~qaw}PmrQe`l?Aog*&dcd;(5KG$TF7K1XA(>NTPuE1TK+m^3%$Z
z^ep5^D!n7^GA8bG`i@MRG~~@IarFnjthW%s-xYVt(cdf!caJB!y`v5JT`dq8q?FL3
zY2h_%BKFJHS@`RH1er+7cT!v}mk3vjTJJfDQK`0-JxaHGSf$?7$H!|Fy%&AYYB!+(
zB)bf%DCDG>Dl`|7#-&?re-$8h2@VNc0;OZy+gwAW?m@3brHJtV%e#?!8mH=?x@@?9
zt~a-xdd{wHnJo=~X;(<eoBGBUlN8TbvCOGv`9q2XMi!{YoO_jgFTW^3mQcWvN2807
zi}DUT?kc)L`5fy>as=2St7n`t)9aj4wYnPRZc*xL&j?vCYq*563!)F1p<ef6upIkW
z(Sv4$y+sGL*Wns0l>u;HJ9GPWn@>tPbCy)I94Ef50K7Uk9v-B9U&8Vr4ypB=fV>1!
z4fezHc)LP~^0>**UI{Rk^m&JTsiwY%xk~}eP_Fgwq5`Qgg3>`KZ)`3j4{*{%GNs5p
znpzP3a(vB#qLdWf)F;kyA2o|}2hmW$3x!)GN|5+AUgb6MI&Y-~MYW$SJHh&Q)Sih8
z|66V}4FPOnaQ^;HQHqJ5oJfm+1qt$#vcb0TI2%}@(L#K1#+D_@3B_`0-QD93PmAjk
zBYq^}_v0ZF{69*&$P3Wxr6@w9|BDxRisJZDEZ6?LfCHA)3q?LrLP!{EwQ#_42rVlF
zok#%DacdadN2I7kBTLr8jUxQF{RQRzj^D?qO}6Wv{61v)1bE=VkXxsT=D9_gTQWOx
zUOu9MWyct#8Ff(xwW1XXrid}C<>>&LhvSj_Uyp}YJ*G_zgjejGG-XhWCi;LB$IU%t
zIrx|IePAQl)Mu+b{-ue5XlD=1E(F^ea5~l$1ux70lvtVnu4V<jMy(xNKWhK~ClMe@
znBYH^d#aokEGh+GRz85{ImFQE3{$<&C0?BWXwaeh^v<X(B!1G7lv`45ufi1&A%Fe9
zMSkjt$c-6iJtOn_A%vC@AQ$qpPcM<%usn)PjX~ff5wIEJKJ^XOHaka4P0Fa2BfRz6
z!DkhOBx-!31T81fEX*(YPFHaQ-k&vZCGcJ9=t}zd2={D@M(F?_R3!M3Qr7#Mk`D<k
zLRO#qcH4>y_qsbu2X%0^I9`Q>c-^LkK#xL9twWVq>kQPoRq&A9ATcJwMl08kKy3(W
z94we=44wlG!*L5LoTY<z+m3b%9-d!%bqk4HnkasYBC3*UD=YGz1L_5ln;`C(+(^4H
zIE?=lEvw)a0}dnM_!a4~`_SYegJMuU$76s8`se)A9FBA6Kf}8tLJI&{!2uI_;GWNR
zj`0{=f+r%s87p*3QMXj1G)5iRO1RJk@Shplzh1H?MPI<<zzaL<LyHa<Ckz<Dw^NrP
zk?)_*wH7XT_>6}J$%S9vQ7`b;BdDX3F^KHV$DpYszMuv$m@-n_K}N3`{Dl-6Z?rfN
zBL~^xS2TYx1{r^03^quhQH2f_8#hVdB+Ut!_@)7XH{|G7RCP6*+^d(Yc=WCbF2r$d
zP((=U$1mbOLXIdxVU{;xgz7Qt&yB?8g7oq02wF(GGptB6kDkZDTRznbT*m+LnQ7v2
z!YM~-0J0k(=!%}1uO4v-F68L%5-p7^6>fse?cxESQ6&kqD(!?2s*~^gC046fm{|W+
zg6(>!w9gH<iUqk<o`OWQDu{x${71n~-9UMiOfP|k<x?lOvw|A{GWynFv;^>1#eI(x
zn5?BQz}u0%IzP8UeIgm&zWC4E89wZO@^FTiC&6QI*IF5`KDJ#N0dM|GmBR-<Dyb`v
zKan#3IkQAKZ!EQDs$Uuy1tO4O1P-GVWQg*kYgzo4tV3g6-6=YZdV`sq?~Zd{)^e8O
zuQMSrmt-rkaPCOe5zA$ldZ(!Gkp1(of2@nri78XmEb<$=e~gPH1bB-{&(9>9IXnY?
zgb1LOv-<e-^6rYA`iI=Igk=1Y6L9&&;1&oxF_$|<t%VeOE(Skm4{5oBvcuaA6G%2n
zAz(qEHP}vG$@-|=ys`YUg!og>;P%C%P++w2|2EnT^v2Y?csLSNQ<_cTN))gQ!G+>q
zm-Av4us0a#8suJi2nNFdF&I5rEMz1MkSlFvI4?~b+~R<`QQMJv?tu*zwOba*<nURB
zw}&YR*3w?o7@k5vlz?A11yxOe1SWM|i7j7IJjP3m#$G*5S{(dvA|7}-nA$u7^5e{M
zcS6k&YltYyb1#$baiS6P#(?P#Jx3Yu$5epMq{}}O6^~nnzt*k2cH4={EeH5nGM)Bu
zrX7d5k$48Gywu^w&|{q*aNi$8WLGe>Ch~SF9Z*}(1pi=ZHlQJF>I14j;{TBI3nsKW
z0|pufBciJmHAtEG7OX6C%`#RW1RYx4JL_q)^-bV!V_a6~djw5nQ#3J7X5`YnPh^jb
z8S!bQp5KZRE1(9%=bO-pUwdU@%OjMCfuaQ<Mhu>OGG+{rA2Ca+5bu8>ojTHR4VBX3
zpbgSS#p16g8$31^I1Yl3wYM=$$=8t1{IF&tj=P77MsX<QH!MP<{$vgKm~PE-o^$mN
z{tt8~wNq+ziwi1{U|k$njba1q%4^*+oe~YNOO$JP)H<K9lsQ|9FM6y+hWQAkL^Q>X
zvPHoF>_xN@+Y7-It{^RfrsGqys5#!CIAd^6`Zgs8nSfTCcIzgFU?d$SOj!2DE|O;;
z-jpdkQKwZovxAEESNY12g-eXz@6~JHFQbU?7|5m!V=~$U$fqu%m`$0<R(b!ekrlvZ
znM5ZD%Sc+rQSzuR8H_J#n_%4z_5H*!85FW_;4R|I61EI;4c`dy0-vLr`@!$;g3#bJ
zaU*Wib%qo*cj{Z9)B7@h=WtOm+vrS<h#iB0aDdWbsM06^8Y6O%hqOH^gar{wv9Q4j
zBLF0wh+FkSC01brz3_HV;&`VsEVZfab*7rpyUH;a=_Q-6iCO11S&mPAtPv_xVStZ*
zW6)C*y_(-ahiY2Ia4G!cL*417eEJ(bK{9m;<@B)1hX4l{%hmng$uW0BFGNg4yTxZQ
z<v18hq?D<ua#tuDaVnxCy4hvCG(0*r?zo)!iULJNAsfNR$JerQG)=|!-l)oJ_-WV6
zzJTcr3vFs*^(i0JXOtg)O9E={*us8HDxF*;S8ZNbKc`YR+<%=8k(e>za3*mVDwZMc
zVc|GDj>(-haTM?KqH^fdAZ(|_e=_@|W1>nx%{t*e`Ee%B@CvPqc$<tVf%Hl_Rh*yr
z(HU^@%DS1WLI_qka=(9?5++yhyQp@0Zv2W|lCa2~Ks=6f*UV9g4|c-(O0jCGo)^gR
zAZ5=be}19281==Gr_--OEIUK0ynqN7f|}DxS9}}5ugs2`+UpRb=pKFq`9-~i9Q->p
zDyM<#dbmr2IkC=gfnNJgV}CAX0p6Y4+{2eD3-}LJPVfRmbLt?TGiaDep)^fV60@{&
z$_#GOd!${nMICR?g?#P3+u*&mkuxGfn=z|38Wi;94TLII>$PiS_fis7c#wtd>5;$O
zz(kOnFmZJ($7Hc`X?1beD<0H~&3XT3=4z!xaYcqxa?XVMEnH@m`x$7AnRDiK+#OHi
zPV|seYs3EVHte*yMReqf!mpn7w9K5mIFg%7MabF9z~iRNZTE1mfyw!yZUT^E{a1<&
zRNL2>c79KXku@Rj)p{n}gkL_p>z>}MiGjDKdarh_6q;U*JWwx26CGa0Suc5@iM?Uh
z)`nxHa^w$Ld1Ew5sXP=*_S>7wrKh?-@kqTbc9t1W(?E~BdJ99`8%r7JTM=a?f$}jn
z+<6$SshuknQ91iOM}6duJt%s*vp)8if%r7p5E2&MSCKcXIXHe<%q_6VEp&$w99QM&
ze`FdS<Vgv7PKczd*0!QWF)UMyLmkg!HIwD+*AGh=F9#^;20j_#&)^GcAgSYUB<3EK
z%WET|BIPMBROC82F@3K{?ZhbWwEmi4y_obK^}W4gCtgbX8P5ttvYbsQ5a4o@951GN
zkc7EUHhM)QUn9QD>dp5G9reT~O(M3|W{A{@307RYhzB0MB<=+N&F~-E{|27~<KjVG
z_kuH<mDnO+cD%qNajK~ITnjH2<CpJsp=(u*OB!mpu~AD(TcjM2-7Au|=}g(?)zrVC
zsRa!wt|s4>{R;&hyULRSk8y~ExU=hzq)FK6+4N`1P2^FfaxL?6a+nKf^-FeJwj(=&
zI3^Qas#TnD;mD|{%Tj^qcXc9BVB3{hL}KUKa<&bGUR&u-`Jt4~P&@ayQZ#Wg6)(PW
z&+%#)iw@RD;(=S9i@~6$W04tSMeD42mC4m>fKD@fmdWI>I<!lGBdY#v<6hvjk_VXI
z56?=QPDNb3+J5u?52QVFd@+vzWBpMaX}i-XO?B<_h(1?Q)5|_O!!)1p$`9<|dtOnB
z76sImC*!)D*Wx6?+Ov+1qx;^djvR{T@$X;S9dbX>ZOPeb@W6tzd3fvQl5#4u)?5NN
z=S9ut5;YHNXQFjwrh4TA1(8SB6@U_BmER$P$wP5X&}F=K-B3L#pSsMSEmEE>MdV+h
zvvP3}rw9S^ZY>U1JogZoCgtP%!s*B_ePo>d@U->n=7@Po0t<l?ByPU3jnM_67W0V9
zjD`Z>Zm#^K61t!VTj~+&3}{!5K=|9{&ma=gUGc%>{G+r;k`9Mz&iqi8)P(zaep)Ry
zc$s0QJ8U;65qu*dlw`myLEw$lKtmtN)V?le&NuOcTb<n7U$eKKdP=b^T!0pF<vjR_
zKHP^#LV<oog$j8pm>%79p>A1oG>@}e|D|E88T<Q9ZxS~)E1rM31rFypw08n|!zqOk
z3p=OF5nGgS<FMDaL47qxgl6sTl{T`MpXa&PD1uUw;I}(eHjp1iP=b|kyVK^oKf#{N
z(1de4wtbJ0`ha*lLKR<Yb+Fw29V?v7@F^A3eb>d2zjF_)bQr_8XWnKd=MO^AS6H&t
zv2}6I+L#H_DSP(!l}y8>4>^Rcwmw}py*Ebsszd60v-Yy)SDoZ!R;Hul7Al!N&oOu>
zsmd(bDu{`6-T!iuwDvzBNZ6ZioO57v5#k6-?NPJ-&{PsCsgwA1lr1{srqJL>f@@3P
zOaIJMSsVKoC6PRVb6VJYMn)4MUU=s5Ed?T01iT2R2L1dTmtmn7+cS)3r5i2~L@@33
z69u{R;_y+=@kLo%;x!U4{QCShCa2q-ECSK+c)6t9g$@c*L)9f0e`3L993ipb#LdSz
zUHl>b^tT!6MyI9-ieK6*rD#&y<Z07^nREQ2&Yvbr&i*3ztP@k&8jMt~bB>>i04G}1
zX7uF>o^&6krXtUb0!b$2ez5m=0^5BfG9wGZ(yBiVtkagQy=qXyg#ijU-iM;OvCl4`
z%bGa(8YreZP?lC!nDw+#N~wTv<7lqnP{p54w<n!h!ZvCHFJp!%Ut_*Sn0YvBi16o!
zD|(#n*2?j}X#Oo`lSJa8aBLB0r(OVhYRc+9mnPN<SqN{(ySxk}w=apUvEvTn89f3q
zU&4;5;mz|<Y7S|MA0;Pw>=o2Z+vFSTk^iU=;R;@fr&Lw(vgkTGU4G6>f2p}SH|PQh
z<*B&Po?>v@Xf2QW<3(4OZ$GHZS0n#?y?j3&HOTA0Mgi%=K&26kG;%f-jDo&`2$RTT
zH_xv`#rGp*MF=j|I>$M0WszB^juQ57TvJt1D%=dy7Y%wz^_nOBh|8;ehLdDuU7V`Q
z5F;}wVzpGysx}nA_idy*H+0Hf3ddZP$#OT}z)X!qUWv;pXiRt7)m)8+_W@K5Zei6T
zm?oWgl;~cod)Y#C%lPQbl{?7ShlKT^ZIPrA^wAgwAQ0`2!+WShR+S_Bk46s(qA91&
z^%8gVYy6$!VYX6yS~Tcb7%G~;LYG*2u1CAC*pxxFHiuv}KVJIU>QMM;$KANjG&q|t
zBgd?`PL2?g%&E78`UsSkS5D#~T2H0WL(7*6e7$Q1kR$>3>@79C<BUE6)_rLIHk2Xm
zl%r&CF{c8@T!I<nBw?;O$uloU#aSIb=%&*!#kStkBkz8^ArZ;Mr$p$?ZHIh?9Jj?!
zb-0EFT3_aj9{%}p=l}J`yXrDN>*WU&@}InXE{vL6t*fp8EwZ#5!9wnEdtaLxi)sF?
z7TdWElv@$s^dp(D5#<df$dNhQVCq>AG`niy;9M87RiV-O8j{z~+)P2yU$gb`IF#u9
zpym|qPD49eJ*d~`F#I%}NgpL!Wu|(VO>l<4#iz@IXt2Q^WL<5x{k;n{G??256cka#
z(CcLIwuGb@XaDU~TTc+Quiq>x5PPaIv26OdX`*OT7Gmdh<M-D<=RChnP9B9|eOVkq
zW3(f|%gAB1|1DGd(KXJo)CVYQMZwnx-wcPk;?DX?>)^KHjkBGF{;Lau6hgtW0YP5z
z2+|U2x%x*Ko9O!GJ5*9^_-<+SnA~}&41wNN`Ip|s;Awzb6b(*@Y2#@LxpKkn`2rcb
zqfX+*H_1zhF+Eb%i8`}b-JvDYDczr;80gc;C$!Erg0H0Q&0!%YNkdw~2-It+Qc>o+
zGe8h_l~}aHY-6b2>kHnL4ocW@<vk^KRu<)n_B+-xidu7b(yB^<r$q@P)!`${54s2A
zaU`IzE*RWkb|+a65fPUA<Qampo}kljbXwFzD-unyLW|CU3~C>>L}(#_dPx;>f}{@k
z&f=Ze3L1srb1iVt7Y*6VEphc2`v#-2Gic$ezRkG<yOhF+PYkns0=DC!D{X00%O1?Q
zV$@pSC)yni_-Z#caro*HB#kMQoy+P#oraJe#5vQ?e|QM?LPIN?pl(21Cub|iIGgX9
zHH=70yUAQ(G8>4#6ZdJA4;5zTMCi*6v8n6{Mu<(Fk)0qE83?UH@Z&L}|Jzz7Lz_&%
zE4zSpySigrrb#V&4nBn{+PUqYmJ_WcB!{~MK!%!|<5vQIe7tJ2sI%y~lo!@N{jN_;
zb_$2DH2Umnsrk;=4~5YRQFQ~6J3cqBKHM@_I5&EfEtY-OljbZN$<%0vOH3-7#WEjT
zqlza7r~ZKEj#mZ+XeES+!wb1b50$S)GQCsWiax+}@vGx~4?Nm02iW4fyrKlIxlPHp
zzuqaCZ`r(2%DG>?bR9Yb-PmyTtyiq%sLOzcfs-`rT+$4{2B>lrPrR4-2MfUJ^a=x6
z8T+Puko~Kt9xLyZ$0gqmSUA_~tmgjLB~p*r2#Cp~W+z-nqZ(1SWYAqR(l`3J(G#xa
zF>fy<jhlF(cDZqr==jfkCaf$(y3&|jfvtE(Cg*k^JR37fh3~Qy9Mnhy?|sq^^_a=S
zo!UAW{U!!@CxD<97E4+7hOqVv)lLK-{@zEJmn@%23f21lbU9;GhO+LAZHK9kpN(IP
zzDx3gmMKBiPp*HG;{tVi;+!)f7oOzcK_{f@PTpg6DiY_v$y(l1DsV}^o{6P)yUpf7
zEAv(_0}O5zNu@uvTbzm^wxFQEddI}IQECz9BN;xzhR~gUlR`S~b24AU$Rs}n)Ic&r
zZxT*|z|=Qgmbpa@#lLi4J(umj6VZ$SGj68)xluBI;I}FF-}iF<{E99^#<c?m2n-Gm
zPIs;o;O0?>FP;6)%U&N|$fJH0j)?{F)u6q0Mh9=6gVJQkp#J1q^U>$5moP7c4xu*c
z6=`Mx;2mwO!kVn9|BsJfz7M^d`)<BJHoV?05>T%5^7M;3Jg)OaSyUCf50wLzkg<9!
zfL{6Xf~1lC$R!#n$iEM*m<4ECCt#gIJK22uDwkmd-1qk#Fh~@}8j!8je{Z_Z`gNa3
zc{k|iPXt03<?UbC0kD(BQ3(Xr3&VVORvs*V@tyCIY6zfEK5#SjU9H~j(p19BdK<x?
zy_B3TYI!czjQvzYnj!u{Z83|duCeCVp5C@?$7=ZksFBiZM*Qg$P+2I25w6o++`O)Q
z?5QMw^8!`>{QePGij4vnv%DK#)?O?=0LG+1qLy>1oton&)NVFx`OMlJv}j=#jHMMP
zwE$hvNT<G<7Uc#qUM=z``2YY&L~VL#oyTiRwsyOHC-<-Gv&h2O*#>LQ3WeEFW|tOq
zdb2szE1j1vz2v}RPFkt{-i@nS0;J^kP4Z-F;kl!EY)xbrS72%Z@1E??T0-DKXW$C0
z@uM#=Fs7kq4r>*5;1BHtW@?nb2o1-QrGZz|xHQ%e^Q7mirm=wI9Z)o<KHf6yc|FE9
z`>!hHOcrz@+}-;4H~mt|drKRJ?fxtUclgY^M*(MlZ-4j_4`s<-sPBrSlm+qcCB_Wy
z_!Qk(n{rD6Tb%HKV>t<&UIr?uTW3mQla~}kXTq6E*7w!Pd98Mrmwdzy6vQtXU)BgX
zf-x<(7KjFy&l`U=^ePB%$!|-DpyBr#ou}eEK@^um`~6-!Rf5VrT!{!xh3?G=`%0_D
zGRxKm9~XcT+%oMZer{C$W;~(}_@<;bZBS28BWB{X>TEAcwhR)|J)H%S#c-KQ>*B>y
zhYJDe!rk8^p(|?ZQA{4UFipP<<K&-ET^Wj>WjUPXR8?R*$PdkyyyX09E>UNFvo{fS
z_*t_lFL7&n?*(~t5$Dm7OyHKxZX3VS^y)YG2}hzZ7He#NsQk48uV8~A`(NGQZwyA<
zvkl|3u#RT`*j3<m>*v~M_t_X3D<J31BWeq7=P9!v<Qg?Inyj?be|)i6(Y$n+x3*`i
zo#p0N4VziTOY;0~EenWM>`W8_wnS(g`^D#_N8XrWt04L)TA1nn=i)qeLn<uh>|Oug
zi{~w{=R$?u1hA^CK@ou7h;3bg%5PBTjYsb|us~PDb&P}lT7p}(P~TrYbR#EcbAS`;
zv}5%(_U@pnzndjI1y%<1{=HcOD&0_n=QHsRa44*<I)#TGU&teVQYr9XU8uJBX&-ha
zYRT~RWIIOkLxowuu>ueEhD<9=U~RnraC6ra&=!K1UIMPHVe9FY#vCs>sRu3azYO(L
zjTUp(i){NbpTCgcDs=gr!DWpxLlVu)`2(<KIVmo6p8vjP+F5SsAesGfx3Lp?Ut)pd
z^Ry?!$^iMlNZ7h7%b&rmBWz)kIa8RdOFSZZVo;kW9$-H)ZN#HEe8i(#c!XR$ivd?D
zELYIp%QVhkd~?j~w<Wp(Uiyu<pBAga`rBZh=XH@h*Cx#Nr8(MQKbrm=z@@+&yti?}
z@H399HcQJ2`+GMcfI!2=JfTzMZqfMVU>9Yqf?7XJL=vvek))B@9@p<z+IKzxlGLva
zqwTITuFBJ^{DVprLOPy@62u=23~L%LuuK5eS0O-NJ#l^3FtGAj-ZWivI<OFvApIM<
zGN13m==0`Xe3$5TnC9Dhv-UHeg7o3vU=s&I^M;@?@e_1$XEYxmJ)JKt><Sraz@Rd%
zkK}7qx%8O48pSeY5z~aE$S9G;Wp3qI<`O=voVS@FLFJ^V<(^Pn#|2p?7e-V>GR;gI
z>Yt@c)S_*9hsrcyE2VdNR0EznelL0+aRZemMxAQ@c<vd9JDPWXIYRew@L2o%=iu!a
z7#SCxg^ckkqm9{{(A0=twCQc|6FwnRsvS$OH&)ojYX?^7eD673y1jQ7x-!IWbWvW&
zQTkkOd+^2g`|75I++I;n41?I4{e75)E9x=VrDyV({3TlFMXf(HX}G`F=Jy%Sg%NNW
zX`+^RH;8igjIrKsD<kC?*-uE5h)-DEIcW>qnG0T44{_vM@n6Nt8~>dTPt((DC6j6J
zmF3qfh|{M;Mg?_F;zzG-Hv`h4c*@84?(Y^2W|oI%bt6XBfv?y{ll5c&@s}Uf?^DP*
z7R9Rc9QAS^iEwowEg7#d*?;$3bU=^IbOb&4K^<>GNXx<OKu5+!JvEAA5vy?dHGz4c
zp0_+fc`v1Fupg{c(Mck_JM9)*&Zn61eBNP3qZ1op42*ir`?^;{_)vSaUsEP*@kaUe
zn3w!FQ(kq_Se_caFl3<@qlNzPN)#cVB9}`3+1qvzWiI5w7GqZL<)a`zw;))(e9o^h
zK*@1PKtKEr4269~O#Swowi%Tok8!p6P<*BV*NyNc&U%R+4@vd;VbnSXl|=3@J#xW|
zU^6?cf?3e_)L#Lk1d%pg0x`>k>}g*ugA%~EXdH6RB_T9k5Z054NM|VrDVp=`;qNwb
z#HYHC1{t(<id-oY+fygKtQVWO^p4egVmg9#Z-eevBhOO`YN>7RQy2AIx)MLLsn4Ib
zrrpqposrBwfxgoiUVdpxY+mjJ9mDCc6a>EElVI1(V<8e0hgZjrJMb<IgBnEa>_!q$
z{nA5wq)N634L!Q<u<C=}vZ7T&>#pJV3ZS5^zK2nZDK;#;3napL_gDG`ye+E6iu1hO
zXn)jcON42&B>;X(Kj60zO6Jj;k(WiHO7>QKw|kio^*X3n3l7NL?2>eC(7YViKQtl6
zV)~DIl3$qr>bcsW=CW7)tmait{vUD~&?U$UoKR$`%TMP|MsX?MeL*&Qnd6t(i{`_-
zen<P0-#yN>o9kU4N<CvdlZVaMcn32&XU}X_LAcpzpf+dFiH+<ta(T-L<J-vGg>c@L
z&o<pdkky=ywlBnhe9F$9d3YX=k&1zDSsK;(Yu{4}Y3I1nCh9IjD@DzH1E0s@bWp=}
zzP&#*spX!FdWi2+vnghkI#!Z5>6i~lL(iMLy~PFmd++9DyC+_Hx&!!j3R=K6SCVE0
zH+Nl?1zQJc=5v8n6+@5%>RovZu*g)4<q2nq=cG>9h)M5Y&p|YFe(4rPI>8uad|R+5
zsw=Qw(Kw2!!s1$)1^RF^wRs8<Mq4jblO-B9C4N1@vfY+?8b}mMEv|I95oZm4#`V!s
z|5c~>qpRSdj7u6%!1M(Qk>-PnpD`bz86_Ipn_x`1{>j1COr{C-H1*8#xC!F9AL1J%
zsAdGP1<dKi6NK+#qtvHhl-$-K`OW8yht);}r?>4lABG(#Prlb12RG+nq;hcuA-ItI
z#E-wLiQ1fO%s%7kC}5dq-W>2{kjls9<@`zTU_a8Z^9+6lI!bpKR%SI`a}&m0F4aps
zWK{+O+7=HP)UjuQ-Mpz5pPn0EPn7wp$#(mO`j4%II6oeyw+xR39U;`Gl79OX$P^IW
z?bCQ6{FQGnaB<&5Xc$97-`Mu(P4$`|iX#;9-*a?+W#_FZvM>c+--^eC+dtKTbFG^b
z8e>Xrff2&^qyC~YF5J9NfBK*n@fhr)iro9eIxQeZ$g1b>h-F<SIdOhFell?V9(y#e
zqrmjJYTlbC0DhHf9`KUie(85nKxOzb=ynPA5ZnVzmXon{H@%LbrJ8HvI&@m>VDr@V
zsOw<ZTcZd)$`lV5G#^X9^)PILQ%xre5*V$5-h(4)h%zU1!9#T)@E(0$?zS!rrKW*C
z+E?M^R+%eBOOwrk&RER1y<;>`xTv+)c`qxN(GFZqq&<(9?rr7xyYw&HyooyY@~icZ
z^RLtF)LMEf9x+-Mq?#0G=ry|&Y(Jj6zGZM_)>@etN?`>zC`7)xy#&*{TZ#5#YLPp1
z^qC)8|K3MjX^2r)djD-#TLOz|@{vC}*h*-3PvZCqyM40i%;yKt+r1ymU7AX=HdH2Z
zGP5>Z0kWT#u&I?T_I00OQ%6?Wui1qnp{lGNq1zeU)=e6zw(Ki%QkT9&!K}}B<Aa=<
znsdb3m$0olhO@QJzi+1cF%P<Fh`h~Y>MN!?>j)*?8!2AMfr=JtjAaX1?)Mc>KmP#x
zm3d5~brnh4xf~71OTfF-X76y~THzx6yt}Cwz|~RpDp`#nj{RVYDBgKxQ`1En8=*8$
z_#hX$61*Ijd?bff`Hk7m<`n@jU`(^d#-Tru(2~jV6nxEWZB7Hsp8WFhNu1JNQJ98T
zt&nLQ<ykNm!RHs=4Vwox_I^LOeL2K6aDTiGX$8FfqG7YAF+K-|R(_Fs3IpPrIlU!a
z7r<lLjJ?t&_2Q}WuhIJ?Gz~l-HU)eQWu6QMxxt8XjN+Qpr{_UD4HQ<{$!7uRdis6G
zezy~wxDq9Bf<nwjI16+(Ky&dhRRj;B;K?47p>SKT^7C7}+T{o7v-UuaL)@%A44bo!
zE-SfKayPit)GTWbo8Ja>`Hl3>K5EXuh<ZCU)tL%C_t+#G;@;VC?%4Ii7vG|A&>=|t
z-40qZH+!@)zS*hHCyuZ_eqlaDNo5HX@O3btMWK_5XGHBQx1+JyQ24dsTRy)M^ZsIa
ze!mTkV;6qD-nqyfKdks*3^(HT5^^j8wMTMyfl9^g7|tKH@|%tkcgEZC!RT4Qajf{q
zHck<2`lTB|i`|Nf!jB<C8cPal(O@+a!NP2$b#gpp5NO46_RYuc0Z6>|ev>CgjcD{T
zC+NnBSyt6cc=rSC!pAK0?nf#4?@cXaxbA#Y`ZbpXJgo+c!n9wlM=NZyZ@!wEp|=Vp
zW1NW)-<(8P>%X`_P+M1Exb0w5JF*2M{wzkyEVGGul;oG6S1S4r$-+pO^!^;}`otkf
zUB-L7uT>(X3Vj%(AEBWg4E-5wExQ|uS6Q6U4bLuY{AWXuMr6T{`sJF+zpR$W7&F}C
z0#LNCCz;go_=xBJAG+Q;E~<8o8lD*t2kDTm8ITerq+1%KML@c{L_ld!M7leqQ#u4B
z1tq0)kd$sgq(kDn=XuWazUO<-IsftdF|%jyd*5+g>sr@ZXS@i}y-LZQ`fsf%mrXIm
zT=G#=<7ZuTsN}?i44suzllgYPr@)xr4A>gZX+|^DAis=USRG~&|D34m?Tcd+*ObP_
zb^GKB#AxPlI%;)|54l=@OLG{vPTn_&PB3&Ilbh2!JO+~gU%f6?h6Lwlf3k*C)uG}P
zj_SM)tX(F;QJR;1r-gnE_dmNdwqwYCqC9I8vCf~??R9$@osI4T&r<LWeq~=ZetOXx
zoY(Wp6`WOn3evZ?TM_nt$s<YN<kP6cuvz~MP|y5S|J4#j2J9ee=mksQ4ba#WO)DyK
z1_t#)>+;vA3_;ex*1Ib2ljc2}H41ckW0jTNJgU6EX=OwXU!hz^x05nB%{J8>z~!`U
zABgh4oF?3p@)YW8$lix>a;>8?kmvOU0AlyEc~!qj&U3+aaZW@;nQ#v)lr?7;UsFIi
z1DF;(){XPLMc~FKKLVu1Q5u)0pGh{=cf{h1Zhvs9*gmd9^%5mMTK-o<+H`Y-EP0j$
zfS34bO#raFo$`YtYF!3m97CnRk$pEvY(3ZT=J0TYQciiqnz?rZ5P7(dX}S9=0+O6+
z7hMqx3d)AIa$TRh@QM3Gds1MhTcF`F0uADjwO50a)5?%GSA(|Hg5K<z6{w@sQp*IO
z_Hd^tb6JK_pCLqd553Ex>+@MK_!0IS3fk_PjO9PVt3;HM0$bSHm!kZZH{WcBj2$GD
z_{*Ve1=^YNdj4t3Q2B#^H1kKr7@#A+**rOi3UoudH~E+pabIR9C**toPHEc77knki
zf^>u?prCm5HqAOWC^1N0{O+a@_jc!)dmzkTfM}qWSuGefsXwA6zFMXjii8vMr~f!z
z?7#!%fWNF8^69U#sLW*XltMSv&DjNhw&<YZ$UVNukp~=Jko)r>`kciV?Z0MG70KZ>
zGy4Ir>j5haXe;sEP(3zvbd>BBo#jXVZ_E{dvEqcULRS3SMe`n8*rB0I98N|GQR>CN
zu~x^>y+OGEAz*>K1txjb;nw)w{ibw~z`cCc8vG~b<pwOU^)TCazuzc0q#E6<5!-$!
z@ygTwR1UB7SvQ`b``T@6MteoNSfEPRM**}O6yp5`_L8iH`KPBqdr5PtJm^-9%W4wl
zR|%&Q_1x|RaZrS6hM18`EkK}zU+8_rLe~ofTyyYl0IijLhUgV;ed1KkmWR{<Yw?c_
zV3Jr2lq>#U-!tLF26}<FpJp|1Ho~D!QZYrmtPVLnY<jxP(5Uyx>%xoYFhlWhCE0ss
z%j&9S{_<WsknndG<|VR}K`Z!Es{y$`LLMo}Ta3LTOld_lByqHiL&oPxISihq1zG2K
z%=^zgIAqD4n1nZzblZJ`Qkgg(3r1~t7)(_>yIo{*eLjI`VLUX@%$xH^Hg>U^6-}w7
zaPu%Ut^p)PI{XT^6WeU7Ix-2<G3`xxuuT3en$;qnJ+`#*S0=cPfVi#cUk$#&tYt=5
z7MA|5ETnVt_`5df8yUPC$5)9r>BfxBt0xi&Dtov5*ozNv{OJL4-WAgE)PtiwLqVJp
z<1@OZqIb1o`w}45^Afxv5WRWU<0iwin^J#Y+jJ1e<omMPJIUbyySS+NN>v_-JOGyf
z*$AIZ|MSfzU?H;<6VBhVGNI9OKm6rt<o)5!AJ6BblnZPB#sbpwA}b1(tL^C6OL2r8
z6TnHHTG0RA@eUwVJB;)-a@Iy^A14^!TJQu)Z5vZf-yiQge5oF9t{?P*5gQypzQC&C
z0ji`T6^KeDm0uoh)d%^*&XCOOS_|6uEHlQ;5>G00bU}lJME4tlUf`j|^WyhHwS`&p
zOA>Gr{6`aoNR<cI>F)?JF#x0>>((ZD0btLF(YK9!4%D+6pMSi@1W^nf;3l;~7cd}z
zp2Y`wH!b*)7>FPRTC!d+22urH!$ymVUi~A{Yu@lh8G!fMeosx82R~{4r|vt6QJi`j
zHt-CB14FTr-Kn}_tqPq0qj%%Ou;0FEX{5H>0>d&lx(0JCfv}kT_fJzMbRZ_^5I?Gc
z{K8sL59$ET=EvhtUIK{{p!KUIb)odqg!x1@m@M-;e(z!adjQ7)`S-7<9OmG8Q-Svi
zQygoy8&Rxm&cXUf?*|XJmX;F^H0A4;TO8}5ty30=-m_jkL`Uz3K&gP(HL4Q_B2h-!
zRu?yQ!8U;<?UTjGV4l8>4|q{qQ-3M+xDKcAHHkxKOqkn2w@p>)xIKmytIQkx&jm^e
ztqyWN$BB=^e8Ux`oW0|yjgvVILO}n_G_^Ts7il)G8holf7osCpJR<?15+Q{|c93M2
zE?F%zEszF<MP*{`I_UXH1_rp=WAc5sf?c5*qKmbHc0PAum8~i&Rod+H<r6>Y<3FMm
zX#QVe_)V+cfAHV`t_#o0b->09)m_Uq|GHih3Ca{^G;GvN&|>Th{6G%VdFb!w5CIW!
zDym&#s9z)2bGxP$;c2R*KnE@o8w|p+KbU?we&>fDa~{0nHtmEQ{+u8H4Hd`11QMRa
zgdffS9Pdni@VG1BG8aj1;#<=W!1`++AP1L>acU!~@ZcRTv8xjuuaLXIV_A^Rg>O8L
z4g*w!*ozzYp&U23#r^M>E5T~ueT^^OoDH01%<e_$!JqU)VU_JFz7(CdkZc%3qc!ac
zpqx#ncalNkMSqe*=%5THj=$M%LUq@3-Cn%Ok3_5LSX!1#0iOvV!YBlJLNl;~+~09O
zk>yOUFud_w4ssWIL0_lJVz25M-G@iv_ArFwgE3Y$zh=bhJ4c`GFa;*fMG6RkL1Jul
zjc)sh@-*YUfx%#$XUfDT14Ke+j}qTJd!i|3XH6rQ_U6l|>D^&4h>NW_!hwXC`#?tC
z<-N2Jt2L2-H;RhJg3H?Ub;+96_NwspYpEv#NZ&Nq?w!K~v{2n1oV$JbsRidlbY&97
z!#BtpG!^AyP^%)=cfSwIXhRaG^<RxCJ_}D4o`-QCQ}~DkiLFV#qGPpuguYP4|GW?f
z`O&v`<6Duy(9lG_({WG!a<Y&|+~LpvDF>XDYn3MQJNTqz-1_i**Z6vNT|#$J^~Rb-
z^;8rTv^gE=SG@16rN#jA&0o6jSx2CMuIhjP9NE#o;Q0?LgPo(fGCX!)nKD6`xdGPp
z*vIOcHtg-$W|HS~UM&Btg}Xph=pToKk7+!|Ztm3>H7TDjQu1$RZl`mRI5$Q4yLGGA
z^U^_ko{Kq`Td{#fk}MKpO?fAFEzg*k`W|Sc;-LGxk?Qr+<sM2}2sMtn>F4m<zywJG
zsP`1Jb2`kH)QI}tRZFzoezL~=(1Ht8?sy4=Ebsx}#`X5)N=UY?l^85?_r<K<pca^r
z93Hqsyvhs}a+jJ>EweGd=GsJ^TleHuG6aT779BYxg8oxE$PXE~zT9a0cqkv>!28~9
z{@RVsKelklI7+yWxA$T`&3#F`zc(!EHU)X>up-=l_xNl2^)~d^+dJqHwfUbT%2#_G
z@L#Mr<fE)D`v234Bi%9g%xXXRnNv_r%H1p1ECW&>yDtHY4At8A0b}2lQDB2b@Iv<P
zGLfloFKA3k289Q+QVZMUam@eMLL_Cp=c~}dzYZ);FM+?h`yhJDtmHj!Eu!ygYzxcJ
z**`nuHEZw@iOSEO{Y_F4sSvnF8$<2z1T86omNxuOEYt*=u+(>^>ed56xr-d&$PTtL
z&v&L@gLKSd=~Ea5kGbrI_t34%Cv{lB=d%|el|YUrCV59`3baOgCO0ofi?%Wqo#$`=
zobQmV1PSM`N!#JqhiI_%t&f`L*!5AIKu-+)Zqz2oiss&3qs<Hxox&bKnzqW`x%MI6
zZ1Xd>?fj=Y5%c*~z;+wX>Ep)@0$0DHlue~>XwgQ#VhTT3KX8LR*tZQ?y5mBt__<Xh
zRr*xn4(XD8NoWcq@>WQS)Qxr${UUghHG}j`o~=hpaABrmSrw?9=F}gb9`ljxgGN1v
zU5~V%SC#7z%yxx)X%1*DhQ-%gdT8#;Q{GG*T(trUO*sC3T=KL=8N~FYqDs;e$2&8B
zw3JRfgx3lkcWiJKUwyp-Wxvq;XpyqC`Dwq$15rR)S%Ky$CTM4S1D5XOS6#n*0g@mE
z%s5ASi-AJdP)}6CZiDUE5*lx%&3G_>V8un|910O6!9ys^L8sYnTjvlHA*8OO;d<e!
zSkQQ?{)J(kx`<8}h_4KBkOUASYWI#KEk#gQ0(~Psr{P38u)EvI!%Fb-+|fSms?_QT
z{t%$a1&~Yur(bhG%n29Rp8&@qm-8>BnOuR=q{q_sp{L*^qK^MU)ae4vB+ct*D#JQ%
zV@hmjqzplgT5Y~Rma*UX^osEAKD@?;o?!n6C@gYFI|CZ0sw^;PaY!d3&wC>l4$%${
zqc%%>I{)w$&Z^Q)XXaWn)oC_r&%ET1ggF5>yQ3Pk!XZjgiBuu>g~UPhgM-stz`866
zebCGTGno&{TP_|c_l%|wJ@w{@fuG5baNkiz=EG3<C1*8XUO@32`(VgJIeSIQu+(aW
zCrv~YNOgFa-M1qCICA?(%r2QnB{x}WyTWpwvKK3avbK2`tvWS{0XZSZX`1PLWlYg2
z)`9iBDzRtl!%p52Xyt2M8llniSvHuQ;8*Y}KjV*k{QTZO%d*HSsZ?0JQ<}Ky1KgcV
zJ-~C`Y1w5fo<04C3&7?BiYKCEUWI=$!t*qR!fk&D-aZ~+X+LhLS}c24InAhy2<7zX
zNb-~op(`~zVHDlVg-6~q`k>c-PxsElPf@iE=dD002518)*KJ_aO553hg5!7oLG~@_
zYhxDPLq$TwZtyALQkR;}q(@TwKvEY8vx;kECh@!|@Q%3)Jikl^DG%BrapP1<`-fx&
zzQ~DMb*rIxDPV`YrcE_E%0vvMaa!FP6)1!&LtsPRc!Ih_7_fyIf2<*(1X7qr0U7%`
z){Hwxp1N%}bcjf4Mci%Qd&Ro}753UWvfas={3qJMe)%k#x529R6#Kr!?=3Chf|Rjz
znyM|FTKl3Dk}`70n<e_(8ELel14o#y)GRY(Z)zfr8`s=|<>#yK68Ab3g!Gv-xgykn
zJdRa|Gvs^W@J#w$)aXfOH2!8Brgwexq%KQ0%GxA7(Lx?5@>H%iiX2l5I@h<ifcQJT
zPxxc|Th1i)!KZf-ShDn@r3j}jO_DOzJ%T;T!i>r~P%O((-yjq~(va$uNp6LvQnQsD
z>JZVoUA!ZD8m~G3@NBfN+<R8VvfI7>k-)Yr=PR&^@I$B_3Q55#V&lgh=M4`G+rGXJ
z^__os52Mk7`4}(WKUhY<$-5mY9xvTBm*r+tGV0^?kkjURN0=A$L2)Q9i{;U%@1M0V
zoIpW+&7@&fUa_x8ebWb|c&5PDN2AvyGrE?Q_GtOWxhAB)KZiuYUlA{^V&4G*92`vZ
z=d6wOWagjkbBcFKohWIJ^k;9&CjF2+5@A<<fF!~6VKGn^_2!Gs;Mx*MR?GlE#S%z5
zKJ)a_e3Px*)Kv1+lA#y;puS;Ul5!v&(-bSB)-)Ak-yHWkDmsU0#fN!K^1#^0F%134
zSO4>oJB6l9#;;W149z5g6NPUHan%-oeo$$Q^$?vho9EjK6O((Zti{@U_fW9wJj7(H
zZ|@~o6T%^FK2boGijnnfi}j5z<*{4sN9|teL=|D3e1Wblr=~1a_0J{uS$V~H?t+kw
zX`t6v`27kZaN~D`P}z%pahCb`p)+6-mA+ZxST-ZySf?hv;aT%1NBq36KlvzBL|n5Z
zoH(A5%gucaeR2V3P7GnJ{CF2{RnjeadlaK+=Kc^W0;R!}En6`eQ}6=8Py8DsO(rz{
z#`OYCX?-D|?TQ^I!}PIa0<UOs1-~n^!I=29>?z8uNQ0^)&WRw-zveqS8aC|@`NC1I
zGmsBIESHjT$DHzuf3A~BxJWvit7DdRJWd%Zz4T$h%~Ztm!0c6G;i5M4DF}(yq|lN%
zj9VrJsYgo36}&T1-cxnMN4;G)hWnjD*XGemQ>e4ekGG(Zd)tGN`qUdUX<_w_mdrpu
z4^#g#@@oIbuK&b<FrzT*u-L(uB474_<0EIuJ(5y{m0Z!K0Gaq!ubRem!mnw+E}YW1
zz}?qb*Tim@hJu6WW&QBKFKf<xc(4&l@@CG&%Nsc5GxuA?yd^Ligj+#5^C@tX6I^W{
zoe!P?MRMwUqNO>OgX4+z`7FW&+hLMPZ=HcKzAvfwFH8^q^7gbk7tbH(E-d`p*E(L(
zKvPG)KprSiob<Js#iL?p99ER|A%l?M4vUEhi&L)U{*%m5z7~SAObQ@=XghF{N6)X7
zu|vctucyF$v4V1~EgZ<ti*{}TPKTa_6#yHX4gVVZ{`CsswPxe*;3!n}I;!M3NyN+!
zOH`jY7pU2vSsa7+m>p1M6$N-}_s8J5?!M}xh28ilBo*ey{MdqWDK<h%ixIIf<ya06
zeu8Sm0M18-?}<Ip_+i45eM0HH7^3m5B22c?g53MpEssOlHmm0!yrf6&n@UET>3;Rk
z5B;#0XN;7UlQ#4}TRk0%@kebd>#`710gW(ccTG#Vwy5d_W{N&lVz+N$v)<+-oOvBd
zy1i`Z|Nm?QrLfR@Ny>5(SGa){_?Pi_otf5qD&FF{ypOe+e}?4WmME!y`o~aiz20GB
zSmdi^M^N$H4vVqx`TH4X2YKxc4gT=`F(o_%`Kn&Rp#ngRm=xQ1Oj&3$qYX+e)Q}2(
zRWUM+%i8Q;^EG+DLfUNxGP=G56uIYQu7Tl*!;8tusx@P=r^JPxKj)s+yITm4MJbk=
zl_YCoc5!UQ-2B}F{L7Zk*0Tl6NMGNH`3pB%9ZZQp#;fc-QDsEjuY|c8?bNB?$#E)g
zU*|7%gb7jD)f(4okl?)#_s*LxTlQf_jadb!U90?*_G%$outrk9mHOY4uK!9B-l@*@
zVFM}lyAwk`DX)5k2wfK1TX;nfj-1Ef#tB5;mxrBFbQ<%UFGpk6M~$ECtJ#NMUJw%)
zJJAJmKm9FUHFU;FZhdtyLpJCm6PSVRB6P<n+*5fP<|wHQ-nnMp!>JlZ@XkH^rc8SX
zo5(t&7!{&F0p>y?&v>abBW7jWvA)V%u_xjEJ3{-cyfS@wUMq^>G^$EVxx06Qyj7g+
z+gZk>G7ZhU#P1A&K_r&p(|F}M5Rz45#SO0i(bb|N5ecqe7?P`B`k?dHk7TCI<(__%
zvlVP;{}kf=jcO_>K?v~Dc7X;yg0#XGQrv=W2JX=P^yZYGKM2>x8nkO?!KYX$+r&Li
zXP+PhW0qCv${(o2?`Dv9keF4ONIeRPRA%ka5*f?Wd7=<_pz)nk@iGI<<5&0(Ft->x
z8&`#o2?^q;T%a2ZuprAQajMSO5Vfky>*rXDdApRD_nq=6O5+3~K9vy&lGJqVH1mXw
z`j7-###|8wGC3sMw)sKoOD@S$nXAO__P&(u<OcLwTny!>{piPfaxvw7P87;t_27K5
zFC~QTnY{{hlvQP267mHyiqWYr!#Z|?3r&;f;aNi|TAV~wk_eJ)9znuBBsA-Sl0`ai
z9($WWzV%1K1u@cp-%69HFwNV7kORgYpv*)e;$Gr0D{XZ9C+h8lo8}f(iX%Z|wqn!X
zy_jCDf^A($rj6qD?5Xi6Q-Pb&7Fx%s(y?Kg>hY4gkLdATGu27Ko*8wOl82PmV9IrI
zyk#!LPTRu@)JY#bf%;0kWDH?GD&jyckVA)M{D~~iw9)fnd@a{4gb<!^Y0{-W&z3Sc
zSz~ci|9v9K%_-m3_}j*VRwS?0>*t!EvFJBCM=8r8qbe+Oh^-w1EQ3TRdxf_+K`UZ)
z4@9DQuZ>kPia{_sxF+n-4Af?04Jj)0H~-LHYl)w~1#YYS|Gom9W2zM#xRn`y9Orrd
z$B<Z&Lhmk`@2JNH`;I_28caXJG66qD{&s|NYU@WjQP1)_{vcOsT1$7}_C0k4Ff_(L
zxd1+`2vC2#hc-?$9PIZf2J(=C_du28@YfG&&#vydVIb$3w-x`i85HwahlST^;#zQ}
zTx9TOF%}*}8Y$y#zML>^nJsh%CF>8|)czFh+zYH8_1`D=Zaxds*Jx+5()N-w^xbhV
z>3*zhw7OvfoMw4tV>k`on|205(T;;Co1K})#%a>pB~S{l+dA2qAqN%g8Ah#cI$^U3
zJJ5ub>?EhY+EOOT^7cjE_%P@cF25cD&c@_)S|*Dms2-xTw;3X4>m4~iEXAK=Hl-;7
zMV&FK$ghfx6(vTlfI57mH=6%ZC<ymSsa~^FDlly4`3GA{?1FPx4y)iYPIVF3<WxlE
zh`Bio0xXJyScX<|bGEszVe#j;;utx{z7Tgb_9x;|W+BX?B_mLzwu2I#j%VJsd?X%l
z<*T`=0AX?o30oJ11fNlvN>e}>+gT(Kn6C+MNz?VsuM!a}OBi(cw;eqf&szd!t!@{-
z=ZBlB9&*2cx=?!0Yg4qYltBMu1qA`;SzB5kE!mf+ne{9yfg81;CwkDNFtZPh0=uF#
z6`n}2$ADl{++KS36`>1=hkF1-m~-;r+83zBl08KRN7@&I5|76o;jD_>8`%{fCVpJJ
z4-}tV?-OD4Au?j=M-dG(8ZTRMv8Tk|kp%St!ZNAwCr1V~Ohx-oVFEMCw}Pq*<XIq9
z5&N~2%72QCSojaQ&%Aq;4|g;BV!(ks>3Y#bD<kk3a4U3&ei4`^AZYP#{0_yGp@=6B
z+hrq`lKZ_ehMU(I?pqyj&p(fZ*jspyS}wAmV$4t3l3h!tCswU`LpI#EIFxsfP0-|h
z0***&?s8=UJ=*jKm|Z#%k$c7$6VWLbg)y=cozp4d$-KIU#p5-l;*RM`7{~>ktV%X~
zRz>kUA|G4W!J9ph1-c!X|B+()v?-Zf*7?Pm0cV-(Gu)lpFn45ZiWh6vhSs}Dkbn@0
zt~hc-F}vca^7d6A^BsWq=sNFra%c2Lfa;b49uujFKpu!`U!UFWKd&M6k$p3>M^fy0
zVVAD5`H-uP6m9j(=kLO46T&7ZfoCd{<zV`%o@DxDyZ62<ws5lh=i9n`jBJT+p8H)_
z%_6l066ExvfZLiLiW6pEqF}F>7<|P#Z_w;!Rre{!xgdljY|&F&UXEQ!J6c4<JmuX=
z^CF0GLPt*&?J+5h`ceH`*3x|u{t&fT#x#fs3kJObe`sgVG|?9u2uFDwE!O8p+Tlcf
zTVjdkilzGT=yRCZ?>#L!j9D=XWBhTJy2KgN`B8$0(K-F4>IYe7)>`S+ZyE}aR(bo4
zUhTus+l_*M>||{hyIu<&X?sC!#D74_@0YK?fgJO&-ml-Cav`!KP1E4g>fXVkZE@MS
zCgV6%#1p5I>Frk&cmZN>tI2-R&7S~AsL1DcW0Ip~9P_XZe#554h&BJrO_T(f5<V|t
zg*=&2@g+weCSNNiDvd<%E>%2CxwkP{!#MrkDWdIUE(1%A4My*G7?+f<xYmtFEua@y
zY|!{Cj{c7z#2VxDiE_(>hA)WN2CqKD5jM6I@RWUpPo~(YVMVpq*LrR&bbvuU{`j3v
z(sX@|iA6U4>`~*Sx3t`)URV|?R^(BUik&ipeGF>!0I$StU&m<GJalPbkacvn-A^=H
z;@q~}s72?~L!EEgvZHFGI5!4QK6v~LAvb;j_4iX};a?%651WniC6l(_JmYsq<|Vrn
zuuTB|tNFFzYA0cKd`Ar6^Tk&+KH(}3NhEps;EF3oWNry~RUPI!OjN28DX|xa5K??)
z5ubQdzerZ9NkD+u>smn(&Wmo9<d=c4HevopiSI~%mg-Od5pGgfc%*rBDD2DPs@vI?
zav`#Jfum~)q#xD9r^*sVG6YHAJbh~;I|0$$QLdNMxRs&<FfZTH2VB%NaIq#SSLwcc
z47!0ug~_wUkg-W#tTB^y>O>6Spn_?z@lL?|3?f}JJ-$DQrN;ewD)a*rK`nO#bUX(+
z_oWrFJ*Y!w!;!)_S5m{KRm$AHDtJ8l45*kPk{62v-wmE8IcjeW<VQCb5Rnun%o-m6
zJ+^+y0Ed8|wi>%7WVeF+)M;7bEEwHp`c_j+@WZGy`Yp4Z?>}u>{WR2}?TqW?b5{b*
z+L|Vh+-c07bTJ=`kqgTNdECy^sIn~CZ+}>vHUyi5<g!qV{IlnrZm-3#z5ghwwA+kE
zv9U{I=A|>LlwRy;mGYJ9S17mR0uoWTvH)iXqZ^(;wl9()xbe$~o5vAwPA*qVRxZ>9
zIJGV0I%&k1{DZDt_M2NyG@f&kAOX9u=%M;7zYyrw+zP;IU&P%r{&1&Cb?+)SN&u$?
zXtUoICb-g<os@0RP;A)U#FiXCDkoZW2s@(UH&d?SR+6?jY-2?fJ3fQU@+$<7Ys6d3
z-7t-XZ%x&)$Vby)BlgZnaiEB67WKEdUd@_5*5l5v`X7EpnNy;g8||{**is`2;ULuy
zGPNjt$vE1g&3^d-fZ`%RaUbnmO->Vi_#Ci<MtT`z#E>pob5%O;<`c!A2J0&{YbaLi
zrXdL~CJQxJg2T^883ix;bgjB+s=}vEUb@G4EGaMy2qSG>@T*oeh0Lqkj=RuJ89<$q
zw}j*SAU5pz?9-c-z%*y8(x^qbP-|0t-2SoKy9+j!A9uY4zX}oD{=vK*00;YjFeK(N
zPE=<{%HV1*dy;Ysu)sD0ya{xr`4*lcmFV@?hg@dB!CCLUBjv#A{&z4<t7rnqYbrIl
zNH=_ls7HfOLF^H{l}IEG(;Ol4_vsY=%w>LqeWaPAu}5u2EYToms^$eD*oz5<9q(kr
zX^h#EticQGHmJANYy*MZL*Ke2I+>p?so?6_fOFrOI>-IFMnkC8@ZLzNHoHmgZej0w
zBC~HxnnXr{O1{t<yvj(;=`dvizuHg?&b`G!muca6NA*A>@`v>!FS)=1d1KB&|4q1T
z+GVy)?4vaYHX$6E3F)AAh53V*Qi%uIDaTK&)iIaS8L7+yq$0>T-_8R)xb=g0M&%Cd
zQqA>MpFg)pojqEU555*9?!7D4ZPrY&@JE{hJoeXL%heMd>e-I~LB+*%viKj&pr??Y
zi7S;*c&ZB+L2599f^j2`dqlb0NCB%SGt0)Tzl&bJ_)+o1L9Jc)Udn_Hdy*zwGY>=b
z8P@|G%i7JRb+}+GY`!E>2Xz^L!?^!e)oSa~lCFA{+cIl!M&^=~aI(NxUV_hGp9sVU
zfY-G$4;p9**Yo^elxlw{)35l&)d^JK=Y*Cc?~gXRn1Cjoo1l4`b;k@I1c-H%50g1Q
zE`5&J16?J{`7si;OexBR6JWJCL7W9qi6%TsoZuz;bKb7@4fh)<Rd_la043ryY$#ZR
z({9i|?CeYdJI+7^SG%6`w<6W8$OTWode$<NOJ6{~c{1^cORqX-Gu^HDZqI8)3J`3L
zkAT*OCBPvG`Y^0-#Q7sv=H|~W{pPFbidg_XhXRt!%m-K-@P+n~^_iTZyl<^?-*I(X
z+av44*Kehg75WXzS*o(RAS@gl-~9^+rIQvpNzi6jE~G-lhIp04MPIyyzmN|s2(c;A
z<L-tt)s$S{gY*;o$446gO4cX<ecU&{-T?ZMvLKY?TzaMMhZ$Tw`QC{dT}=dM%|eo{
zajEmn`yq*deuLhr2HYzp>GVVCk7Fm`bTSYJ<TB+$@qkLRlQw>b@1|hC_C(n2iN{l2
zeaX<?ELac4fR-l>qrvlyi7FE<A(WG@z%{@!-^9X**?7DUZB^3wuz^15N6^8+?Xjip
z{%dv$$t>crWtsFWB9QQ_DImp@ogqd57XmFl2M^<M-_VGpmuy!`ZVe<fmvMI2+7U_u
zIlZi4u_wO7>4LT2_)(%K+E5#G1w8C~X?>|wXa?Z`w7TNA-ep?qNbQNj$GTgq;Zk1@
z2vub;BSHGr&6-J?tc4lRz)wnQ0%N$_LxQ%p7A~Z)(yWMrBtu`wf7gRtCC953SmjF1
zM+_srZh?3)udZ3CUulF0V3CqLUVQFaGB-^mQdq?itW4<-SU6VLr@=;|Ul4q?VRZ-(
z{VOzl8B2A9<aF2SuFSYFXixD6{v~q-^OQ-2|A38MY#jKQ@o(QOZ7|NT5`yjcmgP3=
zIlq!tH@=So<R&y0Z`~ilwD!CzaY}xbUMWGJ{vqmaprFIb=XVf+Vx<SFDfRbAYZrWA
z7Sk7858D+$!kq9@wSs9qR1IQG?#Hy%NB1CB;Pfz`280+5(LNi!f{E=Q&!{~*1M7fR
z36E{veY;x?L_bmm(f%Bt>Bbg4FFuvhidKr0nz7h1xyc|E0O+4=574#5zHifv3eJLs
zLjfh~Mws!LZ)~ZMrZiyl?m-lGk|KfR!Bu1zy-2`|sfQ$zOXT>_x(4Cvw9nsy>%sl}
z4ev>U*vKZ2tEO+X|4q_eT>;vMr3z$CY(;J!a5hASo19LGFO^&5=eKwBjSE8jRpeO0
z4n1YxUacUsWX>6Tt=C4fxdJYU0@-SWFsON6OT{0=mP%;g6WK}!7GPxs!3m+x14HK!
z@>`3)nfw=jTkIS%#umg#vM3<#lorjJ$E_*MpSG-`2#FsII8E30i$pJZUdT!gAT3`#
zQo{q_wMUUknt7b0T0zLba&F2uZ1T3O)>V{-|G`Fn%u?pF;kbYS&C#_ls_9t~AFyFc
z!!q>{BJOC265evG76VbA80;b!$3}Wd;i3!CIqjvuP%4~98~A)+m3M`G36x}usB93t
zfZBuFBhl2CWX_9zt9XU&aoFwuCu~NQed_>#LIx|ZV~Mw{<H5=|1r?3&oGk1?#q2C1
ziiurY<L{o%I5jR31f0s$S>|i$(iI!%tvqXa`{cu=?DKSh^XGx+0jNyw@7X}M<K%?L
z)pQ(J<I~@SM~V2*Q-aBbe3kq%ObTT41V%#Ni2iy---ktEN<&1w7^g;nu)YUQ+I3os
zV=iXQXz^n`_!Ndz^apY3M|F<OV&G#ki~Ply$b~@gz#nc9F~B@APi4r5SwiXeaNa;1
z)@g$Z)<PdZ{JqEI$QJ>_5%Ai!O;q59zI&h1E;@w`yU^6z|Nm<Nv_(P+Gc@ofxY9bb
zKt%5UcP$6#tdQG^;;j2ORj=OE%Lwcs&;&@9z@nb~y%IyJHyryp#t;)f0i{M3GPLt8
zoLlRau_h+qu*_#Coyn{daQWE%^(su?3jpJ!7wNIdC>k>(mwOYhmGe|2WIHiopk7nG
zABL)2erqbtZ1w4-l-7X;N0tTSXBlut?l~HNqBFn|zFP1W@XM$F@Cw>z6sR!Cgr5j3
zoD51$TyX=BJXRWDuA+fc@%QgZWtjb(aHu8nhoU%DZl9@6-^ejcrBj&K91a+>*lv6c
z4h(tw(+1K(LD|4KDo{9d0K=7Azx1Gu7tEljNb1-vAK-xIt<KGV+x}37rJzR}(ha#N
z)OjZ!Xve>#=(koiev#-LY~t??urnt9FBX73CRSv2hnZgiP?+@wYp&?v;1BC8WT_Wx
zU7+TkI~tJrah&UE4ZQZ|=%b_jHvnobzW+d<8fW1E!gS}{6`}yu(|;uM>qEkb$b@2S
zE?SX+gz>ULF=|f#haBV{q`I4|G&e<afBq%|5xo=SutF}mWLNg~?M*}gIqk|Be&D#9
zfk{-g=H&<6&RKm*gv*xP8@{fQZ2s`a=>;KPKA`6*#!fE`OtG{Nmn-K#t9pS=<D>ol
ze3N;q?{H99G%2?r0SD(R!<#=3`yRgoc1LInf@qzJmG#bflK1T$-{aYaX4K<9{*ZbH
zW+0Y!F&tUV0w(juZ8@O7<{hBpd?>RnYrm200dY-{$1PcAmw}X*#bIYaW|yQ?4D}er
zDof+2)TfYA!K1M@K|0SL?g&L1T^;dj$-oIpS-kseDBCh=OyU&aDa(%MN`9piz4Bia
zg~5sDJK$g!Ph}jpZybG){k(jMeabdEN;$?8GWUOgEl0}7qVg-ZN)aQeJYA~0{=kS4
zQEt-FK4l|Ml^-hwNAod2tCxJCR@`|uw3<JbK}Q*ee(y}@0|Gc;Aw|I`(u^?4kFGLv
z#t5<uKtszEIq?IXTxqx>X2^v>+-+j<+<*W%Rem|C5-}=}J7u9X#A_5nUc^;RXs(1K
z`Q82Gb}R7<A|}LWqJAIPM42ZsmzvGZ0YZrdm5zD*vtYv7HZl&qKu|gsb(BO_?8@4g
z^u3{WZi42^M|Fwrw!ZQ@STo!FS||kaufGv61k|fq;^&VRL0L7BpFaI~qeb|sT;w4@
zh1dYbv*!H+xLE3~9x39K{$w(d^97)~bIkjlbI&bQDciXv0Mk@gA`?N!?-}-ul>^`z
zeIpt_48<z2_zz5W=Kf@-QG9r9N=FENigeixPs?^f!8zg{fn-3RBIUCiZ-&8dxqMVJ
z-x$M}wpa91nq^mz_%H#F$%drnt*(rcyxw98|F#!*PoM9#QF|<NIBThb{YF73lD}wz
zIO*0Rk{Vp^>Vj1fyuk+=?@ZntWP7P}D?9S_h9sF(UBMxOgCWL!fqdw_{(Kw6V>NIr
z1hzKQ8{gu-K#)6|^~EA|=o>-(!aZ1)hy<j+2od*<QCWL2KrmM&VsL3YA_KzVQA!ES
zW&mMQ^>6|GCJJZBX8^hbyo+GD;K`%d<-6g*akXxVaue!@vEE+^<i3=+J&11oWcO(E
z1hk|S_S291cP~4>b$Tts(C@{XxmK<U;@8oep%9|qfl~SOA{_<tZHjoB3U1np?YG!i
zT#_E&!!4ds&&*?$1^<Z3DG0fIfvbc^FicVlSBi>-)Os@$+Vb_vPlbWwKLyLO+yD1R
z-mKz-rvs&EGWe5%KqL!5*er-(z%Za)&JF$qF-EyHzkdnJm#@saL(I0c`(2!V*g33@
z5!T9F0+7p{Z##}GY6a)5xBHt|asWvk-d?f<;>S9FL^hF3@;dvjiowb!zxIv0ypL}(
z^eUfO-V9<|&)v?ERlWZT!pP5S!OpIXX)c4F-6mSyoW(uAFut|Kl&N5%wKtIbI@9rC
zX!q+xbdTGlVPz>Io@&oxm~2@gXN-orK^_EK*YOYUeFVb)<Q@h=tD<tC$H$XcMiF*<
zhoK-uY-=)%CPpK;7mz2?k-Xbs(jLTev__hkuVgiGo2}e?|KS2q@%4olRS%MXl~otg
zk3ne^gsRz>8#WVz=-*DnIsUfRGDzY+gRV<1jd>hXS5uifb1gWNIKiE9m-iWu&{+kl
zdYg<09`yHX2`O3f6b(C9Q|BlP#g~(Z$MF<@r!QV+apNlhl_fJpyvt(}VY+W*fh&uq
zd835*I>qctQMRsyD0jpt*hKVa&|$LtTi<;p!0qGOI)?S1$k>D8DHwGy^m1r%=ZI9-
zmdj6U;nKA9Pa}Y4sJ$hRmc?Jl6zWluQ43U$ysxi3kqM?WBBOMi<+M%+CcH2ody6cl
zG_sRk#0EkgCtOChhx03tiT|ZVZ~D{&2E1pVV(z3a0w1sPO8tg1R8iEdZ&qb5K`9~~
zL`AWT2x(Krt2bP}i#TK-5xPxV1w9~0%=r5Sg`oQM)uKS+u?%9Np6LcME@sW7c#;V9
zV?xDlu|#oH$y0kYpF#hd1`m>u8m5bpifPIeC<-Z||8VzCE=`~&#5qbe!=1k%x`(xb
z%4nT^wMhf+EE7-lvBqL(n;|w?cu5e_{`C73n+MJ{iZjb8D2*|y;~Dh=lPyv4ni4fM
zqhv#`-Zt*WD**Jq?d`rdPq(*tavC<!jcClKdHRV6-7!-xoA=e4isbb`g>a1cacbwG
z0feP+$fYF41{36nUOK5a!lcB}i%c>+5U6%cG}gA}fvSxm-!&r8v!P|}1Ud?nx(S(y
zSYQn~?|Uun%AjPA**jbTtQQYbLy}U#UH%`aWao^(3--3~{HQOp;7{(p?caDwk}<^i
zp+3uddWxX>FET-*o#C=l3Lrea%!R}IqNv<nmt3T21moY_$S+8s$LyqgrSj$CRsZXk
z0bjK7(1Y>pUH{+bdXZi9h7o&`zfpyb0dW5FdU3k=ru#VR$Pbwl-GlZ%C@Xb-p=6NQ
z11gI#Xr%;zVO-iboDX3&7y9OPE@3mo7J0D-{i^G4MOSBC$gBb~K_JjxV*&?d9Eeh6
zDP6Pv(Lv-_Timx5nB=$G5e{YGb3&fz*n&LiQ~eOpweh_a`ghvwJHUD1HSp9}s_w>*
zDBDfU;K4NZ-n;{B_9%efxlFU+oPMb`pcS`7dc4~D6(%*khL{e82ZN|wp7m5um=Qpf
zzpYt)>ap_qS{JRkKEIaco-H6#idvYALvhC#X%l}FQut5QL)VziF6oq%G6*!<VCb6o
zd3b>1sL-wXVjUnXx>eVueW@!YyLOpx+%UOXhy_7Ruq2-eR3AZj>QeF(UFY~6lJ<!0
z9_dR9kQn{n=NcyBg!UaxyO9zB7ralP83qw1i$<xGFh#ufEjdiu4Ly9x0uc~TGMq5O
z69J$jQ2D@SJr5ldx=(7kc>|<o@dp`k1p<e>8SnL(LhEu-%8E3C!ddGb?n1u)%jpFz
zy+@#;XmWmm*m?G;ac~vrG$<ElNKND`5CD72z7MnoAX49yNuZ*9VA>l^``x3l&U&Z|
zV09d6;3bX&-3hAB07|=H>94_3)9bl>W^zWn=wJbtB8)vm9!LVTfdV1bHwdoPJ-pqV
zDP^}@LJAQud2*js^q+CTG-SfR4AAhjYO@<XuFyG2x%%~=_=l|`g`T(_rm_E-6~~iW
zOyDEe1I(_XV<d>xrjYlI0nXM4jU}h`-4Bz}S<Cg!8!@H?vpD3bB3mrnk}BvM0EGpd
zcBUJo?Zx6Y-!c`qwo=+8KIFcjEF}U3$pJFh|3$gYoF^)20sl1`aI12F0*WnAx{&kz
zt;7P8)&r^+cxaIkuz&vsed5}UPBYf?H!rX{9U+nrZMaI39$?lA5KwN5$gL8A4bH2c
z{f{i>ON1*`ph*<9AU+ARp3nX_CC5`NErC^0&_MlMRfiD0ya~bsrE~;IOkkq~o!Ag>
z=!PMt#cFE|HIxJ6H!jeUyh=W}s`bfch#mI|6<~rzgBhA*K?p@M!1aQAs{D`cW_nKB
zy;urkaXsJcvWuPky-9Zslfq{lT*{6?gG{Hrk^Hr9q>KefXrVOP8N0_A487zh%0a@i
zRW6X&>uVDTHN+9?_dUqR_L7m_28%+M?|l)v4o#%DWAaW!xeheOcKWU+z)X6e%K($j
zq0G%)V5lML<7vlUn4W$q5*zqZ7g?(5dXrW0q&Y2gcy!<AH~^yP_HgZ0D87yIumoBk
z&PC=}3QS6@A3<<ZYN&$rt55Q##ZA!8dk_oQLsn0@c&g9u12nxyhGhAYC2%_fFir{R
zvLdlem4|MFue({Pd4?2V`Q^Yt8*N8j(obS4CIJ{;)DZ*=MfN=ileCps3GV<Os4%0G
z47dA4WDnNQJ0QPB<!xm#?iH@#gR*b)eY+Y_S*`rZV=m?0Re|um2FcbW^Tu&;B5*BV
zytqY(C5Bf~l|Dx~NJY9^B|#T0Ivbc(36^smIlsmN%BhuWa*vQieRt4zWcPi^GrU0l
zsgp^;+h>~dv(xQxJYwp%A>ksuoH##I#Kuh#EMV+YPjH3<)_Cyl#$|+6!+$-w_J(jm
zB6+#eiNmDsp_PUn){!+nV&V^X_=7ykj5t>>rwtutsL_1hq!`@8^mbW*w=fpP4YRn9
z_&Z8Q3X+%+&DLGHKxZ)*CjRIBbj(cWqVI<cR=arxgD5FJhXw9JPM_`UFff9Yhn<PP
z%fdG0-^S~s_|I!RDFVo~gE8M7;vhq0rx$CAHK%j2qCM%vvD}t0`4I#xqvL6?fzMlA
zyinpI{zXIys+4}~AO*To5mHKf*GAHr0WrQ&joZnUMv5xIQ?jRc{f)Ti|GpIPBLR>c
z{=jgru|!2ow=kfeXqev61d>2a!x{3@^)FZ8z9Uia^`k$KQ|?UocV~3^esHhr-!8Fs
zWaUiOmFA#d*QBN2jvhgmKV+59FQBZM{ZorC841HD|Fsl~af0`=S#Cw&X>p+g%W;jT
z@Y5lpb12v=gYeNos+KwUa%z90AI^kmJk{&_!lEjeFXbF#M|0Lcp|>vzDQl82M)b!?
z{@2GjFn#~}!o;WGK*N4kvlXAuD7p*;Oo;*gHB?xsmkJxtJlyrm%1ry~pR`I*U1^!L
z%rI5>3#5Re?Wl#hEZC(ZP3uZO0m?_0*x@IXSW#lC3#O3uzSDfyQFMX)qRKEnNsu)h
zbqD<g19O0t%6|#0YnJ`%3)}zg3&wr;_x}X=)rk^QGx6OL)`|bc2ZoRgv|!VHt0rzv
zgGVg9J^F9A)*4Gochl5&XCzn}IokAXC=`#FDhg^5rU(|k8J*6*&Ej})4l>*!!vl*-
zuI|O~pNCqE>sZz&9H8UsWDQPM!{a<Fq>^g-RI>H`IJGl}6+U|OtF_~Sc3v-ExvVpD
z7gABHTkK_`9v>*{-yT{L-sMt?%A`*H!C1QZ?WWq#>4u+~z(a@t^LOyb2M#sNE;J2=
z<E77c7H}v3dI|>cRB$cxF~BO(=8ITw?O@_}b2jyiDUgTI1I!3As`nWVPT9!LNfkKw
zD2RvpgatTWf_Q;ZF-%SdaA?Lj-X2`VqxzbIrT``k^$nDChe}!8Mh5`gFh=klZYuDd
z@2r{0+~)RlkCeX%!f5WFy?0skR?y0KW#+PclLpY6slU*hWPvweraseSSNhj7U7tj+
z_UzR3-bCVqC`hkL`;I}=TpS8LOU;m@gwU%|{@~CXNOagC+o|PPMz}!ZFh}#>-Y9ws
zgus8lsYJ+f5E6lBLc)^GAH9aG>m95y6rrcJFJmW9!e7e(fU-7jo~dv?S@1M?2=ky&
zbg71@nlytQQ>ZsxP$7;-oB{~-D@>Xu8GNDR#XO>b{QTMHa04`!)j`F`bB3yqF!-LF
zvU}0r=e^g10i^yF6t54LIlNn3#!ELEGPB>~7$q0T=MIewlRy<P_pf9W>Waz13*KzN
z<G=p~+!T5c<a)FP6dplwF@C2|G3-E9-Z^cdY}Pc3KXEX|p76+MF%HgAN<9aI4#pc9
z`wX+|YP6p^D@-6#2ZJJqv#Cp(6-U4e!=r7aQMwJ9srRnfeZipehoaDws)XR#`>MDf
zO7?uxq4Vp|pz3FiblluO-XJZu0Im{8@bX9xl6|w92G|Rr;iCIpk<&I=4T3ZKAx~K3
z&mH2Z_C?FK?!jDxx-(qcBIB?9cb*sF1-3Wz5g%oh<RQg@PL-$8+g-@$1VNce3N+Q=
zF5`-7>;~aCiBx_sFUtEL)I;$A?WgFyyclKR=|)caZUxL$Zs_E&K~+3Jy!^d?L)Gi;
zoq-eesp+H|L`=D^963K(amz+AGV8FWu|`1P)B3V;g4IB=lD*}Cp|$`6?90_IK~uG)
zd#!M?0{rGt->13a_pb4;RVP_kOA#N$oeUs*oD<FtLQ|aOSr=dhERxssfZieg9@byP
zX6utpM?=y+ay_U`L6z%rjKG$9a-8r!dYF`emo&2@%r$~j)<nRY{JVc+6+o5%6@^g>
zRpj&!veaIVz4BasMOl38Vf4_(s^ue=m{{go;qjw{^K*S^qWfCW1tHg(=_x#n65~pY
zKNG8PkjKEyHw}4o=*Iq4i3rY1m)OBRb=>go)O<o;_(_5qjQhjd#Ia`zN)gx3P-GK;
zT{O#I)!Onoui6kd`9W&h8M-YkgV{6AERbf&%*QbVGYi<r6zDy!d*xi-ly&xf{`baw
z|GE)m7FTMHVRQXORwzzQ8H)VRNUdDtZ_bHdH_XJfWX!J9rn^q5`De#Fjy@NAXXKEj
zn>+k5kQOw5s2D{6*&Z^p#RXzNJvn^LtlKmWDseQ}?7T(JV<G1>90x6qU6zam3AcI4
z2Ri_nkj#LtA@`9NpEep*&o%6$qs;4z_1-@c32)UX2&t@^7MoTgUt5F=1|D!*Z%gD{
zaWZu&-_(+c!|`Scj>S5EC@7j%-1CaoDGN2)@h;`AjEf+=lxTQKxJvck_QiELcup$N
zY7pumu48x^IGNA0?bzy_z_=1ZV&H63v-(C}n(#C5r{$k_^J3vg&EPb+YFv|LG`Dfq
zblfRlkMbFJl+o&*Ppts*h1tR!s!F#+d(*!%s=I|pmVR?dbv6(UGmFVY37Y+I7^9Sg
za?1_&=d#=yS0XK5X57yxcOmvTlTK&NE1)aQO+eZolt>?s*F1`+T9kLC>xq1Xs@#9f
z0w51!^JqL}k8<S`U6%SIi<WTN@)Kfp%aUbnV<o))uw|5*(9iX10i`G!swAUn4CuYB
zOJTW5dXeH;+^w6^p;&)j4zw?5O@H8g!Bi%7tp@0PPY{bG$C;GMZ~fno4VQ^pMRQFX
zRC+gSXe$<Z59W5@#nt5<%_TdI&cOt3r7)E)x|DmfftD;B<-KHV(cYeSP6GOOd5ip&
zqP*j%%$<adk!S1$ncmn7z<2Et>Fd4{^1tAif{>}2)HgiKf?D}wd-$SVQO=i|t3Qz3
zD?Z}a854?ljXXn`ogO`4i>@QVEG#5J-}uy>ZGtS&OEG^D&Rh$3v-mttX>e&TBEFgM
zjhYJE;Bl|=3TwEyO~_W;ObuxVPFHLD>b~2BEGK*$C(PUBVK8cxyy>Vlt{|kNW~-2I
zU6PCSvjOuq4RzJ~Dcg#^)bmTcXTb4z-<0j8fqLY|;juwm0U^O&!Xrl3(vO)`i#<!@
z4Xp$~$q_0Qm3G%b!Ak+!#BWFvhB{7o)E$N*EIgWd<?h9v68UYsPh@d1`4Omm^_@SJ
z-Jz)RwHay4%`-W2^Nu%e%aZ2`Bj%BhkBa|?KV*pdBO|iCG}<owom_+1YS9zFW^N|n
zvb6#%oc?XN)O5V8>T!Sj96`|h4Kw3;x7P@MFfl>aD~P3<ymnzjta`t;Yq-X`zAq&a
zY^x`NDjd7X6Uu%-C^l*25HIt}yle9`?1FisMHPu#n!ElzewoL~Nw{Hub==yAv2nN+
zI|sHP1KEK%-l!&k^xNFwN_wB+#7kzU)|eeiP?o}(7yRM!Qy7r3qg4|;?-Qv7<+J!I
zXMWAGHt!Z*9knsz6{TUGFjg{g6dq?@_FExc<1M2b3l98WW%A;VW*((dOnj~YOgG-S
zNyRR7J|Kw^Y(#V3Uz$67OWD)T>!B+K#N*S0%f1rqR^#u_<T5X2J%5I8HGg|txh4Ad
zi@YUcUm{oa2+QpWYutZ(Zc_7fE+6kr)%<y9F5Yk*dFKytc<qEV=iRdBatFaQ$0-H!
z_)!D*h=O7PZJtKNDf;#^&h2{cVX%c=HP5CZVlFG9xqs|?+ENFapeo%Q61l%{W{32-
z)N{KHoW=Dv8mbBNW75~WN~!ze?DBBdtw^YuEhamdrnUSnHYOPRv<=HI%EaGNq3R{V
ze|Aad_5a)tj-_-#?VFaS#|vE^P)2?IJ>io)%nzagHz#AyXgH=cLqtTkx329CSS}=q
zDo$8Q3dBs<s444NxaHI6C~C%z9im4ap*6mmM1K)b^Gn{w*7+x(`qCau(IQPDLFJtI
zJH6VtQn3a^b^(KOT8xdAz0r1XOQ-0emwTahWaYB7-vR^aDn7DC@#zJNP&@z`HW39|
zFnr|}^d9~*t6>$7kOKLlFLG8G$WCDa23L<VqQBy7f1+61C^Tbn<yc5Umf--+0c*vc
zf}-oO_wb`+l!NF17`I5oN;b#`%d{BEi1|BeiU^c-P{H6%Z06f{SjjtzERY}LF#dAI
z3to83v!@#bT>o#-m1kI&anzV!4Dbr4>FEXst4D{jdQ!Nk5sV@%(;PT*0XwKZ%0ykc
zj*zGX9j=`#5D~_Hj%JcJ=VfyF&Rn{P$CAt&1O9Q43N(z-$saw$7B7cbM??BZ9pm>q
z&{AsFg&C0{EPmrtj~axNr0dlXaS#V0wr4Nn&P9pCKRr^QnZi|bmp~1G`oGQXo}uH(
zH-+(^{!U`9{>rkbbu?f{6?kL+k-al1JN9`bzJs_cLkI+vFl&RQsCr$Jf9F@Sp=1B>
zD4Fp{M5kPvB&(ABX*bY}254C~O)?q<vr}IBJ1H!}>|rXN3Q=rGgPF@j>nZj1?eQ#j
zT8B!J5h?yW9YQ9fgkOVuQq0vXiGK=GRMeZpEq$!*ILI$Zj$+hZ=q#=&X`n%r!E0C;
zC{%)*-@W~JP`h*l(MPR)udZDx+igN9W7i;bA2;6MM&9F|#3$;bfZ5S?P`--aD!L8A
zLAwUrBi=Bed2}?E$T8{iefW6*Jcl;00&-l+*(%B{`d;aILAeMVURsmC=7Twai}q1j
zu+<vqfTrHed8d?1G*H%pP=?m*At8wM>}W!aaAw#OIfk8O!FNqsyNPI!&<ZP8Bo1AJ
zi84zP9lQx8d?^!<YS_Tz$zg^c)CO%;03(wF5xS;){VlcH1ae9XN%L9u4~C>}#+4t}
zBW^u#>~k4jARG%Mhcv;YcAFkp`p7b1z-2+tIRyHc;}%$3;pTS732>Bx6j`zh#J2FZ
z4}Bn$>5SU%P$?BKFrnDC0trH}H_%fT$aP%j5W?+Gc=>e^28Dr5^hpC^UkUvKk0F)s
z#{XzTBH$q-Fbas&e&TNgOm=|;Gmoa@QyRPgog9_k$G(k(g&|C1zMCe>n-{S<c7s6P
z;au9&P=NOOX6HsKqX3i1*C>bt7K1{&wNNZ|kbo>*D4v|PB0kG_J0W%aNdL$IC*%Zj
z3i7DEM=4feQgcM1_7`ikg2!Cl;8y#p_ew;FxFi2szj)mXTA65Y;>F9b*KWaqvedJX
zg}ab7*b6LRf_J4k_>A<i?tJO0I`J8CRB-~e$wZYCURmIdPU8Fo@;+%=ZnTK<Rnf=`
z+kE~&u8HWhOq>N1dri8ILyZ)<P^maVxSZ_^2Ih$1JAcv<;8!gB^t6-Up8~;h#x4C3
zg4A8vL%^P*Q#!T!DV=n}*p*yjzfqjd2aw};a*q^085)i#K<GBVSIkU|NM2vuTkd`1
zqHie%6kVvlR~p?d=xKz)g%?lasGEadoY6zLATMgk7MFDK2U#MdsC>nqV4B-r)@5IA
zi*|?L{fR8y6ZP0aJ)iUc<HYsJ0=I3@k3`fV?2ie6DFS2PyQ##*+(eHABn;g8CwQNH
zC3Rpx#cK7bq0=IZ?$zhZdQ4Y)r!m$9huM+J=^gUx^3~H=xov$&?c`d*KMXE25yDYM
zep$w_;SAgb0mxH%`_>y$&XZ*)eX53T_sO#zk+Ir*S^{IYs`wcJ@RFJs%p1rBiRF3r
zFHq*(C2V2&(M>QD++&aovG2F9jUbtNIQdC}<iws|iX~vYr8owchC9>kc$ge$4lTFK
z_xhoLH6O(=e<BTGekPuJHR}zfTp6cGM+Nn_qonQwr93wR4aL8(1i(vLc_b@|tj~U$
ziTIF?pQ_rp98@GRX(!J<P-03NCaq=S=e4@WPE81X!l6Xt6d%Ub@}0Ln8)JdOM-ok@
z#lRPWm|QH8?=_G3;RAg_uH)&4(L&@u&j1H)4=7_UW?x^hTwR@XEH_LTcTYDEm(=vu
z5qH8M2as|uGUeu9oM1m)Q|-R6Y1d7pz=DQ#B{0&)b7&*)&pJ2Vs^=+_vE2~4>t;a;
z2^+<6<G6#1RZcAqQ=0ot;<x*CUOI7E@Um?rB_y0CkvunY(zS;3|D)`!!>a6>w(-pt
zbyKow>24*IkVd*&kQ4<)Kt)ixk#08K-69|&9V*f&AT0`#QlgZA#5ddfdEWOuzUTdp
z-|_qRzVX`Yy4I|jSu^K(j%t*bn3U&yq%0=lFdoP3-0XwGsbZPq6+2LoQpe5(2Zb_!
zKwy&oS!W%p^~yl+12z*o`tuG50l4i=+Ely!np*|%TKPxwn6a0?VU9s6wp#2?#sLVR
zO(OO**;zZpRVj<{4STDFxWTG;+GjY^c6n9_aXh#_x=l_-p;x7Qn9#fXnngzMA2?q_
zgf&anq<nFhw#U#!3El}?XN~R1Yvo7uZ1HtzJhuT(1t`_Yd;m<}I&0cvVg}zM$Np>?
zMo>>35_WHN;qY>NyIOrP3)_l{&NLlh1J-3rP6r#w&sT!@viI30IbYLXMs6t?vv9Mk
zC2GG!JwD=yXzLkczv7OF4-uDF(|cD?u4`yQ5(;I=1{bNBvq&YV)0czw^P0O%-h~FJ
zF5jzHZ<8%rfZ`SaV4Yb|11rH&`!JTOSs`|+i6TWtPwbWgu#xWt$?}nng{PVZ0n%Ai
ziA`wuPSMDBM=6A=3tv~nK3fc;%VA4IAlKjQ^m5m3X9_w=l$uR=>z?jj7oLAT<?b`J
z!eNk^neqVL=F({Dt3^-0IFIKlMzHY-awoB_Pt_8LesyC78Op=e5JsPyfUlGQxg7yS
zO?Z&PlBYV<UGe7APW$b(!ffT+9jz4PSRdX~3zBXtRn$5Wr<l^gyY4qH`p4&|CSn}9
zue8^6r}aEG_Nj%f$TLL)^%l|HV3`5^r}~wm^udN2+=oBI$o!%BJ_l;4@4+bY(h{G{
zV?G6Hi(so-U$q?jeV1yBI$p61KEVE1#XU8%$~K(uIJ3TF<AM0!;alH>(JyD)@e#Lr
zT}1PSvI>-h>h<g#(G$e&W<8lhK(|>1X*T`CufJQ3GQJkS!djxX<H2IG{3HERa~xh*
z@3vGu=h87w*xnpbwEqsP<-<r&DG$LT;|P6Sd}grnp{6f!$?Xx8mrm1A5vj9$!X_<F
z^sSlL!lD4Wny)ys`lUl$is2Bi;{;38meBj-dZjykcC{XEpw(OsM#N1I`m?EP3KkST
z--4*v#O$4+$N%rn6Sc`HXXWvLY8%|VJ7U+Bevn+-!1~4v5GM0v!i$>zJmqkHQCze^
zB*l}kt^2*v$t#$DtcitR>O{}%%ZiR*%(@1u7ZDuS1s86U>tDka2Y~hrC@xoGv8mWe
z?$t9sq_5s^YND_fb?x``lWOZ8(gd|a89)WcBOYkQM~@UzBjxOx33AvSA@nirq8>YD
zdXTXfF?q8JexH2&fn;{VNl*YHm#1_S6*bby`#YZ8eJm;x+>L`Zk?!MbxZr4{p!@uh
zMFb(4f2)R8>x#XypI`I0&su<vx8}y6Qk4B7?6*^v6j{7k`ID?=hJz7Z(6oDXz_!~X
zfc&kp)gymFtl;p^%xP;!xydI7)rP}e@L*j4#=q37rZ>)5aBB^)8+!S%_iT!<h9juP
zsfEo5?LLX#L8NMulj1~Qh9dD(FBcC{BuCBZE!<h0h9YNhD3%wZ*6ULiCSX$i`GrFx
z1l1Wg0f{LpCAeBIX+DHBvXY+t9yJc%i<$>5_nnI!6e9Qwsi^)w?)|RM9^E`5vhuiE
zulBr`IJ9Jq05EN{DYx~c`QKQ8hGhmb7vrjQxopoLVrIU_yKbObJlN{(X>_AN;~&He
z)xO?ukUb#4;!0ttvgxkE$IlLJ^nkzJV()UeJ>&`^!~<pY&~#1_bzlG-s%6{U^DO{X
zNMmL1u_D2s*W;4#Ys}Q)HaLrmGCp4KT<-O!_+wQgxsv-FjCc~CAs*lrT;x>@!up8r
zH0%*o3NwapzV_TyK>T=xcIdWx&wC|5tB3-nYGv6so(^`pzMOu!*rC%5p6k^xO-I#^
zOK$!}(+@iqoWKVYuWa=fI)Y!Z0v5?Ct%_t$$;ntjwQQeRSfRS+gE&Fk{(Js~%1?+R
zfhuNWL41hNDaxZG;F+$f^@}6T%xt~{46SI-gkCUJ;}b#BnL?^2g~b2rNfvSV17Sfz
z*LJ+&FmEICCzaxWDSZ!W$yh18Y8L!x@l`IYs&hC7I~q$rA&5ar&~Z)yRh`Qsyl{Hv
zd~b!DU-*NY!14KHqZU0P_M?9OxznQ|Dy_h<S5glq1T-?mN5icj+i6QvImzb9QC>E&
zu4VS%36P6<J18@L+zYqb*X#jU`E)~r@aT6voY~WtOcYnxFYW*z4q%+NZ*M5tP3-E_
ztK$ZbcmmK6%dVb>j(IhU!osHS(L7_i3We<{$l$&`LoAtNAcNbU77!C7<eUuw%049p
zzPn<WJ7CGyByS3)Ne_zVy-Cyy!<sr#bO4go@{X>9qOI4O>C9Uy_=H88FEdAg^!BV)
zH@PDrTqRZkmfYQGcEV5lMA7cKaZS;rE_vp~!I<pt9SSfK{4%l-IywV+EFG=kDKLxR
z<eM7+Zaqr&$i<lI8bYHzJcpAfYivxtld$R%AUZk7pezNo12C|6n9B-bbnHW{DnNg$
zKX0L@w8B2oGhYxgTOOS~QC+R<82WI*9ip!z;M;p|QCGyh2=m8+?*2dD3GJeLS_(eT
zrPky)q4}Hd$-%O@Dv=^SYAiefJ9=O*)NnAL>S+@fMnU8RkiasX%nN~2vl5HFk0Uy(
z{`h^(I?2>J_Z`ql&2(_>-nmaGk(;ONh{Z-3c0_~|R>vy>XKY-4{6-v&i$n%Aj||D9
zSgZlAea36I{FY*=!C{U`g%4%>`Lhg+wyWZB0LD-fr>Wziq}u`DC)}$G4txehu|Y^d
z7Ck$`Qu-!N#}fDLz0+g?|Ln}iZ}BLHa^mr{(j5{9_2Nj)8=u-zM&&vzfga97Mf2`o
zc)KO@^soYYUERg?F45`r@_4-6sZTL=p_in3inTD`yX<yEc2$THXZ1O$*0**=09fo0
zR;Fx+dZFcUEsn<Hj;`%*P?}ddJvkPH!5$hZ0&m2{*%Z1!^ni81$0$G+Us8H_#2Fk?
z1&IqdBog+ev*3`n@2GAc=QyN5gCY$2UE<O@dA`t89z^>$AkIyL0^>Ch21$>jdDJDk
zqv;LMt}vZJGTX6;kwI4KX(2-pbfDGW(QI2-eQdWG&imrNi%`eqgL^HXRo1(-*HzWm
z6q6@dl~&^vhh5EMetc=#bUaev6fWQgy5sBUzNcU^+#kah4)(thS4ie=BfN@psj6h@
zAWDXwx%>J$Za-6dR5>->Hdjz<oO1a~ZChDCtG@U6Y{J8{StHD&C<rhEqjt`10JZo#
z_yb6o&%G#kjDoZNTo-3);M}1j*<&T~&>{j1q8O(_7M5>0S^PPQW6vos28~N<&T{H%
z{}F&Xlid16H;>6#6i9gFI8u5`bJrFVo^@pD%WoxKTltot|IX*^^V!|)?9*oBtT<qn
z%;h}0fMMlwFodB4r7myhxS$zy?e#tFni#N!$-3N91~Vc{Qa`v&56Uf6;y%8L1rrI6
zUR*@`BbnQ)7l$U;ge8&h?*u8%_94bp^*(@-?ib|s#pu|1#;s+L=Xj`gpL-ERMeP$!
z!BjrgmK|0w)_rkFPYiuB%yw|B{3(i+Wo@hPuSC-2JJxRk&W;grL1}G7!XvMaeQWpS
zAra@J4OM!v3pIA5JiHC13weVv-ELw&dCiKo#h8NC#+5Ep@&lG*=eM<43_NyLz#-EF
zQkN=G9akKH%4QmWP`3LcPE2m{YioC@+7)zBjs&8Fu#GC#!0>HvT7(0#1hJ2nl|Y!{
zbZ3112ZD6wyr&v2lqRYdNz^bj4E}ej-?CtV4?Pt5t7ZC}Y^(HrT$h}1Bz`2su;!E$
z*?IVonkS*T0LqaRqjmnL!i39B86miF%gL+YC@_hD!|yof%t3?U9X^K>tC?~Vd0v2-
zOezPXz?6x4{J_160FZ=C)hf9p`#640=ZP7nFQpdKlR!P&t0POnfL)!4b2omPmPI-5
z)_Pr?8Kl7}Vo!>^yv6)H-@fiT%*B#PY2@&kkk!~qf=J2Lp;)M|!4=>3kF?*%t7@!d
zd-<3ZMX<SN5C6FxUWt)SSwD5U@O0RD+#HKZW!{#pIx|3WQP_?gs|a@RSO`IL&HX$x
zq?PAxLk>Tsb0-Uu%s5W_w3UeCs4MwG{j+M^3Vv4Q{=~5(vrODb<UFFA*glrgsQd>E
zh^fF$_1X&ZGuz~OP4u1i0Le<<LZW9y>!)2PpJ{fV<laf&S;V@6HTHxMPW9uD&2Ygo
zYwi`yVV?<M7yk=}=Y5oHilP*&@Z4*|$PGa~R;8*I;n9~#X3)kFZEjA$zk2E(_wmYm
zEUOBD3zf@TO71EfBIHZMIWcIQC-7lM-(ccsmgu4|!x8YLmf{SWl?`#>@({!myMhlg
z5QRlmQw}~hizK9A>j$`XMP{r%|4rzfozuIazw}EVM-tD{rc8+7MSoXqGn3Q1z8OR_
zzU7n0j?byDBHgJSj2TViqFFICf-yWI$tdJ)%H1pwFqtX`s#7<Q$D6ZMZWWkDCl9?5
zV71@u5(QF6FqXgrbem{Av11px7d|(fKG!+S7??|EgO=mMM5xqC@r+1;q=O7zfJuQf
ztTRNkAF>5nwSF=%s%BIDzeHTbAc3sS<_+U3g{TL(08_Y%pd9OtPAD_ER(tL1ODiX<
z`OpF-mq;zmXRPRZx~F#$Ye4o1gaay7e-5GH&@InRmgj^i2rhYuxj5x}dR&d2cJ0aJ
z*B0y-bYlRRn(qjs8xsTozWb0%P#bpY{)2%{Bupn%^%!#5n9BA1{p0&^A%VEddMHri
z??5DcbSa9R^!hAtx!%HmsRFs;2NP9qJi=<6*9@EZ+HeGD+dq=(VxsVobPn8m&q}&T
zfc{RKT}Ca>^kC1oA@BJ-sKSRs%6`^x6$@C$iiLe`@ie`%KAr*yrjbLfxO1SWS=Bp`
zdiDHr#*+*GO8KfvTQQt>+4SVH8lEiAfgE;wv-|dA$VW`GRU2S(wu!IN!wCuIz&<~m
zGgThDcHMD=&c~%_)S2@aUWM~EV0D^?-vjEI(grBH)p<+>tqLYswQ$3yy>KPEWPF%d
zap+q10eB>7(DPyp^g_3|tWWrZq#IUsKWRPZBh+Ud2d|SJ+Xuz=CO+}P{JnzH24+Hr
zqY&nfEiN~)hXB2;9PWoFde%UREc1c9hG!QNDXiRNZU{pf6(iRJng0tFc44xrN1rcQ
z^af9&=_1F$+W<1(F0rq3UDGNN9PsssSUGZIGgt+v+Wi1eP6qm%L?bsQ>(^)<nMwX7
zYG$(V?7_)mm#)YLX!f-q?yd>m>%SO5sIv=l|J+?47o*-dcG26AP%6_qCn#Q1u?`!d
zYEVo19CyK1{*b*(N`Z<Q-RQDm*K!@x#(PKZgzuy9xY@j#T_}UxTa^E8etrV61GCL0
ztyolU{>}zy*prnCdLKSjXFTqX&Sb*BL(UxFv;U4!ZPXpnN~Umb?c#qy*%X2yPD|w;
zyObKF8B`cv?rc_$VSp?wcK6RHlxn&OufOSGVd6KnK4$5%GJ1aVHn%=cqD6&axs&;k
zFMGN93)5w{zBu=H*rO-rbk2qS3NG8z9UIP!$H*)Ysg;cq68B)yrR8A^0+LnK$`!*3
zle;S{9YG_bJ?9k(zb`xszu>56;m~A}h0ocrr$S^-%+D77eLhJ-Uix%uyfqj!C&pKc
zPg1T0u;^lw59Qkxj}`H#7vm-23}WhVgqe^Q;CO%G>0NRC0>oRd5tu3zNhd~Xlj)pf
zbjg^H6D7GfVU;53ekF<j)(a1zau-?+3rtbb8$CJ)+bX$0aa?L;fIkSK6qnEWYXeNN
z4!DoSCy=R{bO{_uYjybhTvAwA>5|Tfj_j^ZfO@^LgEyp0GfxxV^O?pG8<{x<?YgL-
z{5=YS8QAmUY4)rH^783uOQ}l#_DYE;H1i(oD;ooeS}U+*bJQ^<g0HbVe7%ZM7*E}<
zTQD8U_2pX}i_ZYLYK&mqujTGjhN?-Fie;e=3mOmJ(&e28Fgeoz221P!#Q``G4wuc{
z7Zc+UTDg<gv4xkaF?B}YOH|U9&KqZYvtNFCHe%QNE6L<jic$Z^Yb=0o@m1^RM7km`
z9v*M{GG4X$u=7P8M5Ck{-(EI(>m#HfvW+QGoB7@pM{}E1c-=Z=MulipS?o1ymn3;Z
z-fvaE=TxQ4$_hJHqWJq&1)Z~Ro?#R2@N23{cQUVki^txi3f>YL1fbj?pr8A>2~_oJ
zsM)+Qs<aq8oCV12HZB9fBBMWczR%0Az!FYfn3@2<EZfs%*Mm)WYpDgd2*Rly{5|n#
zc+z<A$R%^s)AK*W73(T3qTUh9OeeeSWzdM1GA}=1Ck~dx=+7saKC<m){+19SPwJ87
z`J+Ko`O35k5i^N_1;Ig+R7}XK-|>?h%3C)}BpIDPXy!??&E@NA5hX?%^i(THqL=~i
z%AQ(EcWWqLl|0S~3M=z)IkHppD_cH7x4c^z+5eP%QlR{q4rv+1Z}swV0yaL9n)h-b
z?~!ncmk#~kB<*y?<YA|0?f-%yE9A+~{AFpI{c2b-^P>Oe7D2pb@OtDvUEGLD;bcj|
zZCs7Jr*(P4ptPmYZOq>m(@HWP<I=4g3FVucqRAzu8awH7JGAOMYX-Zf20K=a9!@%c
zNJ#5I`8xgPh~Py<>+UFaC*CkL5djrn2a)KsA53L47Ofruxcmks1&r=-3Mff8+etT?
zhKVR)=~W=-O}&h*x89LfvfX!{``#B1XshZ{2)g$YQk-$aHSFkg_>z;sz44nl^|052
zQoY`7^*S@d>j_Ux9QNbpZ%|b(9=+NyFuX;)B3c!cxK?`tBN)PA9s}cLlUHt5P&DX5
zx((QyC&}}4(Qc5+Aa^?<s_bvP0V0ECMut<#aVk3R-~w32s9NFHBy3q%um87Y+k{Ia
z5zp&=j#|EB3{nM@wF7ky-VpmR-Ohmm0Y#5i8+)lwmANwZs_sgt4>53nOK=TEo;tEm
z<mZ4=Jpm|wQD-#AILaODHm*|j;s%Hn8}h&RA($;-d)j?Jy_C*@`u&w{yQV1cPpP7p
zC1!DO;v)_t5R!v=iUey@FCa=z$!}+q<JB-54Us<@qHHDax&KX|V-RW>mgbdp_Tzjj
z$L|pg{al3ZhUsv*TuXzllD%@6u~JS+L1)Y&`2sNgZkpHH-6#dBPuPTx$O=!{Cx%5X
z(GYXz(HmpB>SC+h<F$SB<cX!EfuG3|%6aE*7!;1sU$IuX>dx|sfrMwgG25w^+w=Q9
z?TdW&sc^3m<>k~ZKRw7kwN<RZQf7yZ6!X+foeYdDw7T<O#MC|8BtPc9OK#|*F(>pD
zG$9=q;*<?f4#(S)aJp+B$%NG$N4`!B|COY>?o|5vGkAbF^(Qs@BDfm-tDA9sY8PNc
z#wvE&B!=$IZ2TkKg`~tv5NjMYvT#>ik~AhcX8J-yWe5nyB~1qpxZE+b-=pwn!O)yX
z-sC;!33IH5DsQzZJg|w$)9KRs^LvxHr%4!QUf7fID?oW5{kfMp2qbp=Pl7WFOK@IX
z9*(IfyHDJ+$-Wyj600n;ROV_@S*|SKz4<~7mk+W7f;V}bEL1H!P99s2>(+jJ$>Sp*
zVio`VhhN!f<DdZ}kVQ8y1y}4FpFoyGT`nf_RVutB$#eX|qEGOWx?EIT4{Y*pj>r(r
z2Er(do9-NYaQAr|kiHk)22(f2-s)qru>Gho+wq3>LqOg;9C1NXZK8LFl7x$;lzBYc
zTV_QPE~gsnVQm`)erhL|fgL0vrJdw++{B{Ac4r=j0osOVRY{aVFq;{bz|UW!2poA#
zdudO^S#sg50gVdLkon?S1k-pG(TBO&7}aHi$hwrn-g{mwmW&W(ypY{<sR~Ttir!s-
z;{OaM;S{g>7u*BsVC3X2jyF9u!w#(nMb7$>mli<k;IslXxDi!iAH6@g%><6PotG_-
z{LKogG=isvrM@HVVz}W-c2AK%8{01{bC1MDv(47sBB*>?<*>R@(An;PCcTum%W!@C
zML9BjB-R&@<&+pUb55zJ*Z1;y^*+3auuxhpvz`MK4)dLisiEDf`Mg`q*&KTERdM;E
zwKl$pbj;8Egu2wUUrA0G_~lvN;J~<^^OBd%>)t&*{ddWDpE-o?PSCx>fofeY-i~SG
zo?OAlv+b*(xB4$liCt5~3FkfGi3}NB>9eyBp@A)HuOnV|@Ua9#o}`L>g-FEX8oFPx
zk`$`ayDY-ZbTfm_uIi{V-xo7aIU4w;88Q`Ouc%Qm`v=CxmR#_B5ebnNsL_ij=mrl7
z@rHy%6{3}AbYw6;v-N0K8BxTxqRstKLU{gi;l9pgto2_{W<q{L$Nr3La4LYl0p%#T
zpW>aCO>h1Tg|Q1!?b<Ljv|+KJ5zcz*{6fi~E25d&MBuDK6olatk|Nl=3;ua=H2+f1
zQrSCZV@#Bg+q$h{5IA+zH@YVJ<!QWCo~9HCyWn`V67^&=$8_t1WK-+Gy=mZWX^vN_
zA7H8R4Lm!_r_-RysbvQh@u}Wr=9u2y+~twjffI8`UJ^?T63OUq{4xGenp+ib`UI<}
zb+CK|(GtH?obWm`?H46EW2SYy;A~QIXQfx>i2i}2f!wXOmq!V%tYjNkK#k(lYg1$F
zE(!Q^-9`I<>EWz+5(ncdvuaCX!-BP&QQdhP|L$4PByFdh{P-GWboccbmcqV+Vu_{4
z4Og&x6`$|8=tPZq{PM247<cme{L{XWtPF5dK=7dh$&jSE)lPD5o3=NAxrH+Q+-uz-
zhub6#tHC0>4PGKpD~eEvOIKgmBWYN){xRJ^dB76Gq86CpzFJz$);rAO3W7*jVmD|U
z)R)t0?6|BOK7OlscyU>&FTw`P7M1%6k}KRN)Ckj-5nh$lk*K;V7)1YOrzD@rN!89P
zAWa&Q1l(U7W6a18C_-rV=$DV$t%0Ihu{hM1u@~v{4JV1(uTb5>70?&Tzm!(S=(C?o
zCpxKHVHnb5!ZVe`{Y3!MDy$Zr0+Sr}o#}{YU9nUc(068JE+98&`^)~u5@8xIb>U`T
z)|;W-5gv5Y*HvPH*l$dtA-AKt^AY&y=_KxYN}TNm(Nq!##nQ=JtDQO6i_WTc#<ijF
zN0{QT6n%1ESK?^Yk{YvalK8u5tj0x!GkL+Cs3MeynYmay`_Zm`+mDH;1u~4{jxS8f
zWZF(chlo$+Emy`ljhj8u{FK<cYGN&xR74h~wV2?;gXz%XoBFKlc1TTN2Rr@q8BHIl
ze<w=Ct&?bL?s_;}h^ocmx`)vSZ$7LQbn{W~j!D#5hYD=Pqp!`z12)7s7tdPe-*Uf{
zeGR?=sVEKw6Ecg0i?meme@G@~;oP~-qC@NtsvZ|#uAE_7PC6i6BCA41iPrij&#OCK
z>hsZ1mvOq=HfKbiFAnw6OQZ@iNOmK}a?O?!E?hqaG!gZcj^0Wu8D!qA>gUUex?S2k
z^A>V^Tw;3*?;2Y@JUxa@M_<QVgg@2k8kt_0{5+bkrtsrmniuwr`H#?g8@+e&<Q~+2
z5wh-5;uN+fsuURd{3|`s7#qkl9KvLUP&;P@^xC8i-g2|QnV`1GAkmCCi#de;iz(jg
zz^E~Xo=idN_BrJBxVjer$WB+B%$8);Vbhy8L5N1vi4BWe^oF2PWM!lKw6ZSsQJS6i
zi{8a6@$XFkl-TJJV8SoPx89{N5+%NhN}TFwVt+qMwjy53iTezV8-D*Mro;$Eb3<!N
zW-&qEtmmwRtxo0Xp=+Z|6MbT-Yhd3-5p!jMQVOdWc8dfAd3BYhNK~%;Iqj*<xS(nL
zUK-kYMli#`RQzOr9<Hy%bnXjr*zv=|(YNm$dIQbP?bmy%>O1f8CI76~+-!Dp+=Vzc
zy8J@9TB5iouOq?wT@kj`h~J~V!1hmnxd_jnC5~onw0mpp##fUqW+VqXcA8~Qf6f%a
zkrJCqM*Yu=@q|RaRiw{^UIcp*u%5cA3I0S$s1+#~q3~v(M#`~V$Up^n6m;e(4kSN6
zj3XHuWw^_dU3#AsV4Rx#bth}Oq*{RivpFyP3>zmQY{)!4_@A0+hgCEX<c?Unwu}|p
z)9A=fhQ9NN663@gjCW03UmvTWy>M+7;q@!xR>!jRZ!zrfz6sDXcp2)<l__(wZ`BMj
zdVg8wG_39Pc+(BW)m6D{m~f`@;#@*7{a&pg9_8XK#sgQiR1p_^@X@Q1OOOaf9yWs7
zS-M7~ly?CtYjHF$UgHUU1(JUqt@3mp3A7QeJ^XOl(C%oz$TY;D67C3My)27s^fgt=
zkFg@VtinfoGml9A7L!F4LnmThgNj*|@~4u$X%@rgNDC!9x9eedw*q9RD0j{6y7U(C
zD}B%WOl(Hb-<CNcoNdGDrnu$QZ!I7AQ1_`5+!6$0yr&?ekSgdXK*O0L`5x)37ks;E
zQr1sQ*ldIRelvWv;_{fg@s*^Z7idK^oL(9)1SnkZX6@=&TO4`JLcC7vRm_{TtB||L
zn{dO^sb9et6l;H$C9nFn@ZP(jg%)FB{j1ecEUle-<$bT<T!N?k7A90OuA*1<RX@}f
zDn9PIr0BEKZd282ob!Lhzxw;!AW?f8a$nN#BhGyyrXG8J18enZ%Fkyl&-?iz-OjY1
zB4Tx-V&)73H`xDn>#K^rPp-~bsYMcCP0Ig~Rf!Gi&yAA94T49sv=khVD$9GzKVRIT
zJ^R%7Q22$eM40z8?u`{u!S1%*&#ZZ4$_wQ`y;UFF-wGedY24l;Gg?4K)hS6AM=O_T
z*7$h6UEAP%)Wt<(UTwCyNA_okEGYcb2B(J)QG;0V&<0DRg~#dIL0gM?VfLZf6vbZ^
zG6hA<p86I2H_GPc;Vpefh=ibYO?&b)MCN8356?_+<JnH45T*GD7(a`}@8e;CxTZBK
z5jRf1S1B3%-IYsN_Nw08Bi!&EiJ=Sa5)j~=?B%f3%>zFccIz`tv=7|ZZ4M~#m_#pk
zvyQ8l4WxW>_bmSTu-GY={I~Ap3YXt;()nY}rzr~l7Nf(eM3v5YJar(u3vrwVgm=^S
zL3mfUHt~9cQkUtuKiY{>EIBc(OCvu~G!b`cunS7B{9hJy=NF_d)pWk=|EO}h=>OQ1
zZJkxHycS2QrzORsVS2KmWH=$Zp|zOtm8&m`Xluy@+XZ|A+VDXqhU0)LXSqb~I0PDc
zYaY(-Nqpw`VxIigQEc)F-_g!b0zLXF4hw!8w|q%F1)X|&7}omw(KY=7ZK)Q;YzU2K
zAmqIwl?jg;p|zG0EXdlg0*#!37xCo7Dx1%mNnF>mk5gpPoNm}jv>(JU_lWusLNcys
z1<RAwi?j|0&w{1&P~V}tdG0vxFNMyRH-6-247GhA6ql6T2scQv+?)i`2-Uv{UPeRm
z;95>h)=%w+6PebNA792WNYTV|Xa=CsTGm0yAJ^}$+w3iJoMC1sf5Wsq%U+uMV1M*R
zl1HA*km=iA<;aV-<A@uZ0d^t6uAPuhnL)~}=AGClTU!IPeJLk~iI1C2i!`w+l+I_1
z(Q*Na82;tGFVWd5(a+#kW*itAI9MKv@i-=+HD;;r8Qnqn;99Eb`1U$VvCd!a+OM*&
zJy6C*mZx|uvbY)GT(7sOAi>wD=6nzdlNG=X-;)@^YhObqX2kqX@7KD%F5K4^d!F<g
z(>O)%ITMiu&>v-CQ)|Cmtdwuhyg}>pXM^ytHo@bi>=&sW(+dkvq$cxxv}SlqbEm4~
zIm3T`pQ`0$E0Y_q$olGHH1_A4g5C7vcSKP3H~4fTQ+(wqOvS9<<0mX-K2#S{-<V`<
zFS3*u7_W_ttTSUZ`1xTHTe1z1z-`jTHABbBXJJYVC@Z`|WzDdK3If~L^0;qVb%gZf
z(dl@zf0E6d@P2@=l|^|(L8@6V&S!r6Ao1T=fLt2AF6ri_-m2tJWUM@?t8T#x`rpT8
zR;~S7vdUPm?4StAAlp_@j6(yGfjsP_e&wOI6PNQ2ZkZhBdzc)1fYo5m^)VvC)tg~<
zM&Nf(0Qt?=vZFT*rR=<^7R0&pP6c-i@TI<n<LC=|+G1}(;Vb9Yg-PxQLUyf$`t^qk
zjn<QY)Ef8McOP1Xv2aFJ?C5Sb#S#1?R=GyiEe9=Dh1l>;9Wm~msMie4w`HQg6$O%&
z=8{o)Nd0+;3Ln8T-!GBMuH1<k`3dWk(-3<*$6g#PzLXa)<8eYDkvd!O8}xmj=d<aF
zJSYgZ{VyQ_iXErzFO9NV29at?ou-00Jcj(4*viG71B9nKZZiN1-|^~QvLW?1#GHvK
z2v$|$jzB2{%R<c;XS?gI%+s|oBA6S9gi|?BYY7#az{jzg^>hwHF{UbK4mnN}^tEi2
zgxuJL*V#f|71phggQ%2n!3UV7oVFDX0`Uec!yceW%oqs6)=+q2t$ER}CsZ?(Jb2-Y
zl#$3Ou?Pe#jR>gPJ(y`V-%2zXuQ28OQz?k>nfvS>Zp6If#>-%R@T2<g4d0=u##Mod
z3zE73mM)LmV8SHlq{i5hzgTn(^yGC;pkVS>=yCnebp}rh!UpyZ?uJ4>(}zo-G^lk1
z&h&wc^;^{trMm3zq8asyb|~r`#-KP_Ihe1eV2+xceZ68781TLDuyDqbCA-{;S=^Sj
zM-?z(_Rh+fq%u}!k1rk`YxVd=ASoxdQ1QZtH++HN*ONbC)A;$J)O9LU{L(OA4O@!U
z+o?lnZRv&Fy@V?lBRZGDh&zq_;ztuHQjW?%?LPKAuS#^9Qmy0$WuL&VK|X)1bP2bk
zC{mF__yS-@`d|bO)!T*f99HiDzj53$<M$ewr~Ju%ry%{*f@n?}ZDq?5?J`B?6j%3n
zV7o6gmz6R#SOv74jA5pLz-7tet-o>>+?#-K*giK0EJl4bwo+!)4rr*iy)Z1V_#m+<
ziN%KQM4(X%sUz1wfbmy1YfKJ2|5k-z8{TXKT8E;Rr^{6L@~t)3d`Dma&tA}r{qaP1
zb7t@#Ny%^6ZXknv6E2qHSg3%Z={<kaV#X(9SZXk}yE;k$Mc9tpA@oY8Oh`&3f6ET(
zIbw!L7^9tQ#^(UnejA*9`fqrVh%Qsh?=MY<*041kb6Wi;n^+V$J?{-@82R>tv=40e
zTPrN_F*xCSq--33E<))*vtZePC$aL?{h>S$7=@h#GgQ?MHQtbbh_b}v-BBYWn2`gu
zJ~iJm!*VL*zW$rrf<xZXqGVk66oRwiWms923e$4Ig1#|I!*yNID(WXV7E}x~e6EXn
zEO2b42T9w_5$9CjfUx_Wh3+^2fp~=n`LQ80|5axfmnLXOBP1e%6bf1v-6F`pE(D#&
z*4Z(2w8EiS=In_e$YfTUuv|N>HGYP|#cB%(Os|gqvl-J-pq#R|6X*cF8dVq*#dJ{i
zudal1#eI<6TM-pg{AcFby@9kK3SPsTEtit}>;dS+1rnd19u?=BVvG9$%=B-ueTiVg
z>w=|N)qvx4WtFHF9F>l9j4Ws>_;&rQzzYI`EMT<ahza=<)r@YGj~*A!0yHe@>W6D*
zy#MSeW=nfN27HuA*~d-&Xspm`B)fW&<*&K-Zb!emehn!z8q@r@VxqP?)m8yRm#I>P
ztrO(_-6do?4_VNH@KY@3Qs(HvD6V%gAt$dxsv7lh*BpUS|Hjq=dH@g0L+G4TO8;92
z*PevYYdFjgO$q<+9f-zN-+p%vz%}Op;Ze)`hZcyHN0%~NxB?BKhbQu61Z(EuQQD)S
zvH`GFD(EAmsHR?id#BAf@F!J?HaY%~`hjZj|I(~P?whLZUdl6}bC|4dtj6xXgi>*l
z!hZ=r>%sGK_|g9BSkc(}3UOp?GwsU*n46t$!caa-`sv0KNyI^X^0F1;GfuNHD?f0x
z#rQLMWo5R6zP^-v%|Z{mjxT_jRAfOTVBdkAnK+2GCL-puX#WYUo1z^_wGVBL6N}gV
z7Rdz7{ySV48tPw`WvaOU<|c~~z`uNoi>*-9*MEqvm>WxIB@vx_P{{@DWhhF8SJq@-
zz_NCH>##<9bqocJi>RL$r`WNCdv5k0N&w{Z2%tso5FMT)2|f20DmUatS$GfW?^s)t
z>2%?t9EXsWg(?g#`kWI=0}O(*?X8OIUJBkzM^wOcRR@{2*>HrY#nTHcXrjN^u)JTF
z)CO>2cHtjUvj2y_GBf)`HjU147!(bK>ne7op`A5c!erPpJfnfhbz?+OoZi5izfz9#
z<t9m1VWfP$vLbklssd0;d+ewg1NOqm1U|go9q2*L3|(V-LBM}F8DK6@Qb&+hzX?Hg
z{Dse{V0Fg+{h~;qp&&>?L6^P>Btdqsy-wo6(x@FS{LjOjYmWSz6tln|%X;J1|H=zN
z```bIH6n?!(Y511Tkf59-a9<SiUOD*PVr>pXyg$ZI6vp7PHENe;IW|Ta3o4~mq<!x
zEywJfP6%K_>zUf$3!A?q!Z|$W{S2k>>@QsMzGQ@6n5-5$mhPO>TA)S}Bl13hrRn8L
zB?2JT{?yVs?0r-K3c3ACXX<I%&(vnnWWPA}B=rN%NIYL+DG>=1Qqo6`vE&){>l6Ra
zug{JYlbba}fGl0Go-YS77VQE|AbebL<i3PoX06Oa#5$tN=(5`U)!Ob{uBjpo$m{}G
z+uu7sUf;5aZ;f*$sPR<=a0#%IxM!@I6qv4}R9<!7Lpb5eO1&IP;EJk9T{%lJz=Cu=
zv+u9@%N56rcy{TMOQ<-RKN8;487GpiDq<(fuf3Xv<i6iuxZDL&_zg*>zm$vM^Mg0p
zgpi~azuFKBCGj2$`}&?rwt<~V$WU1W*jsvvmy^lrGu^F3lh2;A{9Q(7mTE<)Y%h8+
zU-)8S+?DwSGkPhLXSy_Eq9RSn1X$A#qGnye^=2i#$(?}u$@5T@k!wgSR2B!e%GXyZ
z>3$R=vOcas=m@84IQO5Ykl^>;ON0`^I}9d`wLOYg>h1s7oFsx5pz7&(O-+*uiCJ*M
z()6E}CaFDSGqDo)yWL+Hr}k&Tm^*CjqCt~fN`p}UO<;*q({bO`hNTo4fm<L(`@50M
zHUn4RBF4(T6x90;4N{-=qH&CH;TdXC6Z<LGsIS9}PT+KP-~c{sg%Wh@&L}Wh;9lDV
zS@ZGv36nB3>Sf6?MN#P$=0s*>kP?$dpmFR$<)CHFb{5I(+|*TrAYPT3zd{Tt|5#^y
zd3CA~3))(jKOX!zs3*$Opixf@gu0KCgQfLDcCdSV_%I<McqghL)~3l_`7e~^t9Qn6
z`7_yAMJW((BnPXq1w4R~$))R3PqD8fQ_n0rljHDz9RU>PIJ-cJLqnZCOqLl98dSKc
zr}#KL64Y>~dm%5MVv4g9HJz43uYU2bOTlYmO8-a$&i>^+!ButKtq9qRdaP|FRW_>F
zH4Rg$IQ-d(+L;PYy9;n^0RK+zS=up5z~A2q$si)dVQHVSJCqGZ&(4X<cZM6^IQ*;2
z@D_aH`yjpB8JYCL&%l>oy{3l`%l}4ViM?fUzmY^LTA0;gRT%s1s(^)#<5$=Jt~sPb
z5HWVftwhW8{F#fymL=Mm1;pM6!t+0ULR+neL~+N%UQ1V=6F{`zGON<@5op>w4wA06
zzg088i^wAI7cHke?|&(};^y;rL3)=2YT^j7)S72X`MnBE#i*Zk;>E!OZgt^}^@g;Q
znh5KwJlYP3m)z0MCcvE!w3C=E>Wb`s4&R5>wv|*j-@*+S-xTQxBPa|;SIb_9AgHVJ
zuI94>QxNu1K}xx5T&r_aQSF00=RDcE9BV~?+08c*wWAQE-<Z?CHzDY7EG;(%TJ*&f
zQ-thnG&MVWgb(x_LN32lSjk7F79!YqZVURomd+>22$rMt&IkT&-Et(2(y(jTgkv~B
z3uO|_3!C}W7oL_LKwfdJ)Z;o+gjJt<n_TiYIc}jq@>m?)0P9oE(m0%VdWtMMXxz6)
zhUa0Uk-SaRr2ct)FIt+1lCNai(az-C6$H^)eMiWmaG5C#M@2ebmQu{+Hc@Uc`zAZt
zU433x8c%b$EEk9pW7+7=XOt;5dc@$zoF=VTSJI_ju&EVCBklurwY%~XrH;`qk;PXL
zLDgs~ml>TC_`C~&2C=J(nXa^HqWyBExsNHCklfcT%{ID@PiudR=(r>;w*2<h4wik%
zg!iG_T6k1XB|%M)<dUl3eiqYQK*vZ`2mV`IW>O<|FNGbZ$8WQk&*M;#qzo#eOU@Ip
z6z2%W)%Au{h6&{csB%+k{?vKci0oG(HN#Wo@cioRu&3qfve$p&k+pnsxKZ25p1Ryn
zxps0~*|7BWwBh%0%B`Q?L`#9CLrh$J&k(qJoP!@WR}Bwut&*|GqH*t-n~ne3S6&n&
zSc<YcXd74YXjrx4Nwm6=^-S0Hamo{Mp0?kU!>Kf<4x{dbiH_%aG>G&cEFDE{H4x=z
zo*C*@=CY%xiK*3H(}?P&zr5&fxK)1F&Wv?M9TWL=@rib?xQt$PP5w)fNbZ1A5(QHY
zZ&K-#2Za~j<KDN)O;8QM^_NBBni!8**|8zAn3)j%3aD4xO^t~s$tuHyq>}zOsm6C*
z>_)_os*j4sQfLyF`6BPx8CZy>mEM-Vr+09rNy5kQ-AIXZW<%wc<=})S(YyRHEuwcb
z>#qeENqE|LTt6H97~x8%S(LZ#8^6W5@<Er7LnCU|^d1XYWbNiy(D(<r(jT*C2pnb9
ztCuCBzkdeE*5LL(V%mOBfK(;D|1`w7BBf%djqQoe^T&7{jr9yG8bsS9q}wzrmA@7<
zX`<3-63@pNc0Qjj9lCXxsek-5T8*q@L1@@{l;d1c=bIv>MJ?Kz?YyB(np&4zk*^{`
zGHJf;^%U4p+Rs$<k?801vGAe%5D|w6g&k}BqnE!FN<xPVP8Hc)I`yM!XQFm?;<wx>
zJ1sA6XhbP#M)lTE(unEjH>bB}#ONOUBHR9z*!zdKl9!Rk&V@5UM(uWQ$>dex7YR?F
z6_m4m;n<K-*mF|7m1OP0KaFwp7NLDqK!0ttC|J;^?4u$zJn~oJ7wRP%t8fEpk@1YW
zx2ZG(JQTlotM|S%mRZ@2D0ZBM@TAM=7n-Hve@i3_MWLIv(-zwC!L3a2chhR|?G(<C
zlr!Re5*({i#{~~)BKLm9zh{?{;VwOT6=lx;Y;L?zw0qRC_k2W>4ALsNWOpaNx7aaZ
zrXbyZK$)XR?TYui4!a%az=Cl$3bu_nA>CmYRV(%=Zu;0mrTk~cjgMZ%P~5n3g^^W|
zKmYpT3%YHG(csbDLi+)!#h6+Hnd1&gyk*af(%Y)er*Au_U6pST=)Y^b!!f^v_xR9v
zyT3kP7<u&4Hj37@P}%P!nc?$<a?wno5ss=iAzKR}F~g+f)YDuxtH%bdX<`LZeO_T_
zaTxIiU6pl+^xt(kaoC__+i$=F9B)u>1t4%S9I|cdY2SULmh($*_eUD3*=Qx$+;Q>T
zQE~E4R`O80as?N|E<5vnMCEnfMIt2HPnHP&aqcBB>6@s*%{#h{zuXNs$1IbT=GW^<
zkx}TJ%{z8NdYoowa8R;2m$54)U=)={AQ?z<X585fl}ZhNVE<Za5RZ%k=a8>R$>8iq
zYi0zF1n&M_s}KoYW`zGb-r(j-n;-HDHKy+*{ohLx6=rtn{t+;83X~ng{oa&9V?0jx
z3l@OF``O1KH<Wq>mxW!nEy7@5{F6wN@F9C@aoyvjbHXqo3f@~#7*oNev>lEpKJ{cz
z9`D)e>$E=z(8xNWDtNA?5$>}bNce$W&=txh$1ue4N>QiX@=I1`)V`))YeeZc*R%27
zrnvpvV*|Hu(A^xRRC)wjO>GZo{5sfENpnu`hD(%L?lhGwJi7n#342BF^7iT)ug{h>
zL#LAbbUg|gMf&%1nDClWG2u||;)Jh$PuRaZUm`$Ktauu6^C+QMt4*D{%H|yvQ4}bg
z+Cq2Iq{X9lY2a$sxz1o4am<U)e_!~K5!Ym)nxCR~nHzO;04#v({5Wdx)J&f(!|S{2
zxBHVnG%g4T^*+1(;8jH8ALhqs?3X<!LrFpgc3!<tt(|#Gg!&ApnK^Q&tueGdM-jQx
zMET~di>apk87o$S#MEfszrXWhgvI?PQ+wW5<c^B`Rv(AnH~K7*<Bzu;CAFh`mK*%=
z3S`Q1{j1{;w}buK{r~=xBMk)&zfY&Elrr<B+kG5Xvw`L6ekVp$Bvh|d{Cvh)>SZ6<
zcMrBtpcEb!eZ$ADE10)dg#iqy9d?|os$K)E>Y5+onD1-A{a*OP&^nzI_qo5%4x^$t
zBZokuOE}v3Y3-0mbZ8L#9c3YLhK+jgxlW~w_ivw*asIW==8}tOuueqLIbj42szc51
zy|Y(u-QD|^4?2tl`mZ@6cg!`SfCqsCriQY#(>VhRc#eD1tf}%STQ!Y;g<N$Lv*V&F
zs<!%&eHR#XPM_~4n~Rjz)fIjwM%i}OAMbsxYdJYwi#O>B^3-FkG99+Z_^_|os`9cQ
zKd~FSSa1CI7w*{yuVH^dNYn3@h$id&IXG?l$Q=pSAPI}%WVTGEmCu+g%uYZ-1qT0N
z!GKnj$gI1QeMmtMMuTV|Zbw!1qk3bJfqa$*>x9q>So#}EQL=Jv_`Yjb=fbT~VDHq?
zkr+Ch!&^?5s8?j+$)db(FA@{0HyRFCa2HG@RaXOybs$~zW5L}M8)y6jLF+BtB$dYN
z!(#W7B&Ru)3$Vx2_=*_=slS(PdEq4gB-L<7O2iY`i}?(;Ax?$Uh*n&^GvE}69`>C{
zZ+np*gI{pGRKsp{Mn3<pxp{r{gQV0Lp;U93=Jmg4eWFw{PyD){Vhh<7g*e={2YIoR
z<*LJ{&6vJ&>lN1@J-bq>GFrAFO1lrzuZRc;P4gyEUb!M6(*L8a?fy55N2<XHZz_G(
zRJA+g{CHI*zx71;F|99Ov2XLJ)~WKGzHBfXPFByp-ts;oHP*TW_q%T{kG-$Or579a
zI;s8#1c&mN=pKQJ;7B6EC_)NVnUPBNWA>1cB4Up~6zn*W{d;B0Ke#tXK94hv5Jq!l
zl0Ld%@tM^&uV4eysYb(EYC24ttCi*Me%<e6IY`5Tqi1gF@?=t?&t}RQ`Wmk&y9bu{
zt+^FBs{3(X{b9R2z(#Yu?5|JRFAYtB@D}?1qvh%n)9WBi<Qv_CIl^SZS+YDn*d22P
zvq2Ud%JItq>MO4~*}kx?D04^2OjQX-5fKs*s1-17y~DI}t;ny0u*eZ%Er-ZQfQ6%d
z<&-2M`^`vH>aXwuM~Z3})z#a{O6PX)bYl?5l?=?SGd%Fj3XJ-4>x^0&_lnFX>ee46
z=P%M;q;YmX@OZ<hV#2>d->TKV-HbJ!tYm=|@VtCvC0{Gv@DU}CvWTK&nedR8Uc~35
zOkZ?Rqv7xIq8lD7zyDxi+kJPJf>ET)%Jd<3oW=A7RS9<bBny-hLlAa<o-v|PvIt};
zNy#)kDQZOEssJw2EE*Q`BlPwM$EnNQ%d%=uiZ#>6+F-2kdyJt(EHO8mwqN$~LaK;3
z%etU2O$EgZ$kLbwNpWgS=P|>dbi#e}=FUQpV6ub-eIccinjU6dcu*qjx%!qt|DDAy
z2{oMe0KdtKA^x5t=Wxy}1!l4MK-m%Op=Foxs4rCRp47458wrvs3T|0ty@JbxX7i`U
zd|3bSL;48_=XY&PH#`|092{iM%*^!cieYSf2uK9}3xtG{96eqSQ5Zx##J@Wn?Xcy$
zL+>t2$$bbmsVU}z#jf9AjH@7<-SJ%`#Z7E)FgG_JcX4q!84?3%dADtGrptFc&Ws#j
z)Z7Pt7$CfpfpMI-ob77?{egua!1#6Bgx_r=zHkAwo!;cA2v9SExAxNM`ABDM)>KIQ
zAB%tKjC5CBvL%;{d)r8E!6}g6)bxiIAm?Ht*&nq{sw}U+i+6{f*MREJ&+t=Q!|m<u
z#gh#~0^)oRvcWREgClj)5fS!vJZJvnD^7|-;2C58DeX_d{^j$`Or<)XppF0QJ(E_i
z21<Sr<wxIHRDais;JaSW;fCl?^w`mn3_h_a4(~JdA=We9fn20HW9t;i|N1PJx(?>Z
zO0t{7pFTY~?oH$+#!eRboYf6b==_82<<k?GR??t_aleDlk19}w429!Meb+t5jii(B
z-;x-ZZR9H^^{Mt!X!goty2s$i*YWw+;h9aq)BeDxB+eFhw!0HQ(d=Gx?_<`($S4?B
z7<bX|T$!fdiSpe7Meyq;)~2*nQYQ1A<^yCoV`(-?BlJ~WBPwM{7rW$<msX|72mBKT
zK56>2`W$<(SIg&nNZ;$~gkkgpGHo$eMd)-SrpdqiezUXpym#rvL*B=hUOSJ~V`6J^
z$JR>;JT-_sN0qJDaIYQDG~%AH4}SS_T=Vto*Z3(h`TVcX2dHUVT3SAW4K=rYt@UC=
zUWO!~78U(@mDJMFoJzNdDo44fKL3JJ#bi9=zupn;=jV$1ArsJlnK1k{Wkh93TWU7}
z=z}Go+-wih>}k^8jWE0DQ+Gw0pjGE<=qLIlb+w2DMno_na9mMU^)AW;@p%7XGhpzu
zRQ@ksyzp%S0&z^`?};%iWYPq%%=ke8U%j>m=Ek9%Z+Nu&{rli>p}I4`oFc{Dx9i6N
zL$e?B=FJ<K-3Zc2h_7*EmW~^SI5{Dv9)TG|wfD5mC#>uy%B5Mrd03F741M}ka}P?~
zAu$QNt=@m09<CJI1M41U&wLJzPZzSqOoruxAc2`xXC(En#-4c2ba{F0#Ro){tAW<c
zXbEr<k8U9T*X2|Ams9auWVAsO-~v6j{q_(BG;Jtc?~Qn-n$v>(F6JP#SEUkW+C6pk
z_4Umzpk0gV`i%{**W~=(*Rskb49gPN?V!YH?FO<M!3L^~yn#G`d&G?0ws<JQXNV6g
zYxgT_9UdMkeaY38GOe*<&Hfm(uS>p7k^r!~3hIj&_j6<ly2-)UWMEGaKH`5nL0YF^
zr80QHIs7&XpqRZ4EP5&RsgY5#&+n!gVX54@mW_urbac<%XP_|dJgmyu@)}fi^V1ko
zXqg1WaSj<NFqH5iY~vn2G~2lkxx28opNV~zv7T!?gFb7i$sIakyao2%q}F~)Ukmib
zI9VH;<t&&8M0W*frq5moGBS$+?k0VzP?w=&easEOwRX}JcLC#^CUE=h*WBFPYLzqo
zfp~+br004c|G@*BDZe=QzxcF&4ln6N1_qI~s~3DyW3tS=cSngb3w6Eg#7yTqX&vZ(
zv2rz-eVEoeVzfZ3#3GLQucr_?Be1(jf%_l32#)L0YK8i&HZp%>M8L*&XD>}trlO_4
zW$8iGDwTw=$$XDF5lPOea9~)32~+!A<JtS%UjrDp-`>4XsHtq{m;FS8NLejT=mA{F
z9G*263o1+KvsPr%WR!lht=^A=+><!ds~_{e*0e15Kg`pV6EamerECIIpR|X?^`8}I
z@9Q%%+*3Q<))CUy!}=VZ|IOz-K5TQwYgU_GeIG%!ya_ERdHcJWou9O!Nj&`J`1p7U
z{h79fMe(IHI_LBt2a_%Kvff2q^gq1><aWHss~#R6V-LPG?*23}PLIh+sS$>AG4`{d
zKVG}vm<FgAiUXb;+F3_`0Lr{*ph`=_kU)Sn;R$vKJbb5cIRC>dg2%Xp+t}E6vI|Xe
zX&<0I3X^4DwTT|9FdZM%*Xh^Sh8`39_E4e;|MpP)|DV(RmE@W$3>$EL1Z-)&ihh`0
zS`2e6&A~5SbnXhC%mx2LC<O>G8W?h=i2_E|#A{%ed{pxolu%<MguGe<&YkIM{(o!*
zc#0E}?>~N=7&|y@szQIiC$uL$ChwBzYmFee+<N<WUa6VXOXd0b^3YGB|HaCAZxANy
zq$_twO9%-3^f?8!eu&><f31xFQ-|BXu>k+O-(ZJ0|JS`|dcoKdt#+?h*7KcFQ?1@j
z99kJAE1!z{ycF)f8plQ?P)JWx|Jr3tV=;DKRi4QOn`@LI{&O$?<?+9AJie{1{c!{4
zB1(C|@Qg6cJKIYGX;PlA#prgfsQzXb5jb;w))KiRQ^s-`p7n|4^He>|Zx#JvmxZVu
zldLKD;U`t3q*vQ<je)dVef6?;YS%pgYhA@n+S%DLYjaxceYdtTao<{}M&9b==%913
z9!5?^O}`UH-+u;?oXBlj9Gl}kqCovW&zd)qO0BW3t?gERX0@(E(h^}5*l~Iv-<=R8
zDHAUlW{Bc}vRC@AV-uwt<o{`2{{-FZXuN*xhIK;cKYCz!J6_3S+P)$+t?TvP?(W0S
zFYorLpE+|T8=lUz`X*Tw(ih#{Hc4#yLjC_*8QK83?BeWf{&{lpKp9e{56qA%P2~dd
zDgcH!<$)#Hg2$SAc{d`<_rzTa(uO9$!G3FzmzO`4zIM&+ObqBRUGPdJJpM>kc+?mF
zzSex;MS`_Yr5XE*i0WM_zT};|s^cn+?;nLL5C<Y^m!e~_nX_wIoW>P!1=3Fzba92W
zmBnfxd+G-y5govxKB&UeL!P?0{GgZdIeHCH*w$-caVc!uwaoY|8pCiCmZ7?V$I3}L
z?&2&d2e&$W%$`abmu*u)HKtQ#HEAdK3wam=3de4Mo*A1||1e-pwbp_g*;QpNS?~ZP
z@BrmNlmHPW=tm2OX!0jme|>7$+W+l4UF4%%*|Ar0#-?@Rv9$yxcFb8^2<g~N8jY=v
zffhE+)p-ilc^<t<_R<h@n!WdUm(JJ?5M9Uq&?5sDW9(o0LDr1$M_}^+`Ht1LoEr6a
zMCNk+0VXw-Jdm2d^P#}t{P$x6;jyBD&yNVin}ntZ*+wpv2><CFhAPOq5i|9FKTh^<
zTA{K{wWF@4E&uHjk?T`DK{C667iHKl+C-u9^zSOMzl}!wr%;Y7t9m3CxT<(~u2_E1
z3V9`IFl>zRVY020cPC2xuqU8xdr(nuOVwjE_sC2m$i!YV@uuD7qSns_><ej)X%Wn`
zoH$yizx735LU^9yls&c2W@a7XKyS@WrBK<ZrLkh~-vuaA)}OSh+Ug!<JKayLTsn^O
z#)kD}I!p)}HecVsOQCuAZT_A%YJolVS<N-cKC(9|WJt71Bt$5|1VRHvrjGZ!zR6Gh
z3qJ8Ki-Xt&Js`uy55MO-!zg0gw}E)#Fei^IR2+8?^kg8iejhcuH43fs=Tx`6bb)1C
z*}CSa`dj^QCJv`?jFen5&xD|QlS2=FHq6o*-35uNs~OWUw$RKfdkUB1oiib?>MbyR
zi_)S1%m`5${qW(#H^_gNK>>*{(_^*N<D=(SvX%)|9MJgi$pvEX_Yj$*+*SaR_BB%r
zS4KxiUk;M{Mya~g9~^s2U0huJ#U*ll{eHG6vAv-fAA=E-EsW9F6eQRoA;H1no1RY^
zrhN&CiG2q?nGlq2a`1>3Ddk<G?$?C?OivN~3T$Kq;=i6U-9u>6k28K;bP|O>Pv5>G
z^khlnvRS=O_Tfmekk8Tn{h$H6ISJPvBQvMRGi$(A8v>AK#BF$fWpGGHW#W$S%U;&}
zYa=E~Irc$#C1Y~mn@SCkMM^w3sYe8{zeX1L6n?EAt~6KV>CKt4sm7Nq2Np4uG@}rg
z3d>(KsxkhV=*lA-O2qSp^k{TIbmloEc8U6p#XAaA$rq#_o~5cC!>=XZ{M9_>^`nWq
zjOVspL3r{TdS(ddB+M#jkm&9V*w-fuL%2K6j>lik_*_qa{`~3L6-j;7tM78%0$<zF
z)_sL1-g#Kb0BMltvA^Ff*)K=So?63s@_x5jxqGvvutu)P)x~AC{MK<<iLh&eP_4^i
zqS1xT&vk&zSv<Mx<~EU0JnvC)Fy*RG1zDJL2kv7(C=*IRlLJnQA-vyn%NUlDn25F0
zv7w<~U*vKHegS-H2!=vD1)zm8bCPzv7l;u7s)a@Bc<0m7^Qes=xi=4T5304F#41#{
zGo^&oE?LbC6p#uCUwNbP_YVE{Jfq2RW?+xH7oB8i7#J8_VW##faJEotk!a2*U)`5i
z-kfI?T7Iw&|MR4(Alu`Lw%q_(Zm+F}fqm=lmwp}`eb%cZxNv>_mpgfb{%PxY+(l1M
zuT6y?)B~fDa$&xN1*Za**%&Rhlrs0GAgcM?`SZ1IzwYer?X7;<^!XiHC*)zyDmWlK
zur&F-KFZ7$X2h+u{`v6<v}!CSfp?y*e%KZ@ZSyNlh5=Fm8Mv-ghM3q}oTaj>$j`U3
z&(*p1e#m6IbW`LO;^DM^>CidJM?wF!q&QOSlKxL~Umj28_V#T`R5CW$6tRs_WGrHr
z!Zr_4iOh2uLdp;#3EQyEQ<QD0aL5!w31J&TM2g5RDw)d6d)>S7{LcA(p7VZw&-1+R
z`Kwd+zVEfJwbnI$zt^fDFeU|J;NoOm+qVv18H_V+j%W5sZMxkr&#|lg*$21<i`%Ut
zlOTXjd;Q)wz96%AfI>U}`L%cYL-}$^=>2s)s(60OBR{pEEZstJ#ag<}{YO1{`q!aX
z(1Sr{70&3;L(s^n3($1#eI}mUn$~;EYfAk#HX<aNwws5m7Cxsh5^dc9cQg^Lvilj3
zBK<l`$KDcCs^F&bf`xQozWYv35oZ><bF}-E7!MOBCnqh!{Z^X%IHxO}ugs<_y{uh5
zW8(5?!&2Qwg$#%K%tP%EP%#c$!fh>Sw)u<U95Va171(qFf>r6W_t5etKu_siN5>4W
ztBIcSrrzQB2`(ZQU0Hdj_&K9@>)`3P>iKEVfTbR8*^vGmZE{b_bjitE5i2@~%X>y8
z=@jrwh^$lQu7?e}_%pj1uS`*=T_z>vVQpTotRuua@eSdwE`Uj&2<C9=tgG|iSM~A0
zD}Z@=y^|X{Ey)iiSFhTMP^-q#J-oL3d4Dn&DX!yPsmq(kw{PgKEnqL-)7L&+YIkmB
zCZTqaE2r0^RD&VrOup=MuJd`s?k9__wJYkPz&8OL=?LX4mZ5;qwA)()ILw9zpGaa;
zy2JY(zvwZ_tH~?fekW)8jL-WjTnGQ7z2Z_VLCretERa31&DtXl`5kL;NMb2f<f|FO
zK5WD9YaclmsHUG;%ulQ>gw{NEI*G5g#06iw{KPh2LQ1$WZ;(=aph-=*wl6eKd_XG<
z9z7&8J49Nxxe0lgyfxX_j=m`Oa>DUETE{Cc4*5s)1C1PODugGeZhbD3dSvL_*kc#R
zIlp*}dw*W}-1B$(Bha`NN)ehc3Tes<%ONzzrpDUQb6ot(p!r>U0;OWQDlT}hLhd1q
zYd&{nLHS_2io#6vNbL|bhvD7LX7s_5>p2v>nlQu{aa`(oub+u`HEBCE<dJmk9ZsZ3
z+Pn)sSW!}2tLUL$|Kt#KQfe7ry+shk+V_z_hdO^=OH=JJN_j51^r>L})d>N`f#F0{
zZzroPlB<vi(i8+A0unEZIdAEN+52|%nMTcxY5R<@Hp~hX`xqoMDlYeTeDxEtmb`C9
zSZT5KNR$aBG5Gf16HL!BS7_ApHEgt#lM+_U)>{;hX_2+5Zb{fHC#9i9%G^J+*zQSO
zU**Er;Ij%cpWN<sNJRA*2|pkA8q&1x!fgr7dq&4sFr7vb<~6hp?FTY402vuJyP6)R
zD%fA(Cp^yP#+`H7OL?HMMP`jREzewo#_bjKItb-bVILnAh~u&rw^4#cyQ9hA)^W0C
zCT?|Oh~eiR!Sqqx%O+WG^w^skB&1rFl5+Y|feb}bOpkZZSjLwDY*9Pk02#}jYwuw!
z9y6H?5qahehXW+g;KeDu2m-~H%7a;VQ;W#JyIyuZtlL!<5wR8WdHT>g!){_27p=R9
z#?LfqYYewU-iTH7vS?2i^qb3^!3vR<qHhxP*5;8!Lfd9bwb*nGi<^}*gKiz$(l6*K
z)ZO<<WAFax@}j~uv*v4Q;W*GIg|1i;d|ue)3zVIpy4x=CAt(I=sn~no3CE>)7S#F5
zEE@Y#e~0HBMb7}9?{@EjyGIk2ootvKHazb6BQ$-Oo!Lw`o!Ra&n2dIabPoz(#poYY
zSFHJ=S1<M6JH3?Sx0GY%FA-f%w*vIp%hQ@AXg8*rb=#!Pr8cMiCF|u39c}LHn|~#l
zl`AKmtqhrCK&5G|Gh&WqgRfX}%zv$qMcT>1-@i5N!!>-(^hv)jCzq;fm#b*AAM+_N
zFMOz7bM&1}8Ilz8GwM1V@0QamvN_7;Qj-INz9n0cxK!5)*6iFbZ;qcbK@+!Mt#bO#
z-GVMnnOAK5t0A^uz(vuO8S=Tm$E6hgl1kr^vhTKKX>eXZ9`lqohdz?H{pPp!v%2*6
z2wwTvlFDJewg2t5?Ey74H6uyf%9dE@mZg$^dOLU9RK#;sHf^?Y@>u(eZ{91C<vm2T
zF9o&oMSl2#`^Um}J*d)nK1z^dJm=QXh9>QMBLcENzQHtwhq*eoADk*CpwtJ7+_vVH
zHd@Wj2sb(4(oi3Jre@xS5Red>?9Te%r7@P4s`lb(faY+mtC7a}Y|GFhqz@D{Yxj_R
zGSVin5*idpK_cZzW1AOu(@oW97xE1hX)B20*jH_%p3ow0jah2HBL55dO$*dq3z%-b
zGVfaYigW!3fCK5Vv7z8fk85``pG)93kwjw*B!W7S4596pr@N?_?5;!Lw##c!4uy#J
z2ENS0-Q5n_j2)WmR7x}KN<<}?TugGRUA_2l`PJurB%>?!jv6?_*XMeZUFfnKfm<zg
zW#!VgO&cT{u=uhw+sns{?q<2N@CR7$*1Rs09ekP3epo8)7><MUo|FcI1`e&3A}-Ib
zBmbm1nmS7!LKH|BT!+HQ?obl81!PS7Mw>4UdRj%=LE=D*H{aSJF{mx&p=HEDWyAwK
zapk@@VkO@dL#vimo9l~?D<Avs&vz8{&Sz_<7XZXmN$%puP635!dS5Uk{p)?+tn1(;
zMjvE*_GK3*To{?#uCRPgqA!O}s<xCnP0cQ^SNT9eOC>^)+MjGfifbLS(#Q)42w1K1
z0zDeZw%(Q~4|n?MjyZ+R>{J0?U@Z;R0o^3m4zZ8FZZT0BbA()nmBYQ-+S<g{^4it&
zNnT!nZk=oQta0;$Z2sg3WdW;z)`|Q>QV$?-Tx{^x6x|JN{*LonO6q4C&jTEFZ=*Nd
z3l&;=X3bgu0~jm|@#_<bW9fI*uGs9u)o|uZ^({MPUSh3{kdR_gY4P96Vy62!Ly$m2
zNoREwGSu`W!N7`|inXhR{V6h2q_(KmLgkANCu*i8oW=G(c#B`1y)!tb`+#Fqrgl+t
znqg{YtaZM2T7r|v(cIy;HrpVRVPhNeps70i^2kyvv8g&QZcY*H+Ys$@=1!>*n2uWZ
zn2dYr{rUQ9H^ujd8)oxE5?@a;C;amK2h;V+-24YlfZaXri=($txN-nbYUCE?;Az_B
zY3w>^G@8H=t;TBJ5-ZejNO;J!eSWj)!s8>0Nk$@lc@Ns3h`TxT^oSJ^ORZxvSB8|=
z)wc3?w4~$IuC(=rW|oq?hR$zyv*-g9N-#cvlOMcmb5~WUx2nd0cWqFu%Q(3-;uT6*
z7u)o3VI*u>vG>hw3sCgB3i=sKZJ+J9baUmE9#ucOE3bWP#@lpt;-trbea^PFt+Ov)
zUfaCmP}|e@HnK@Fue18N)CNXEZi+r1P_=c4^(d6CBKmP;KK_^}Cbw0%)|t3@mh^h(
ziR{;{l?jd+13iLnckgA*XoY!=ro7;f5ZAq<iBk*AFMchoxr4RJ$FIL9S3y71OW<i9
z+!tOKku|Zt@3WpzN0U!&b$8Z`r3tP#te!kKHdjb-JD?+CDR+V8czr}yl^!C8Aeb8~
zQI~ew-1Xtnu7)4Zu<h|XS7sevZ;2nuNS2BE@_NOPt7IXm!^dXb^z&Xu+I(qwxcjkr
zL`BzU@qP309VP_Gs&~A<1fE6&{eXM^b2*u;fhV~JJH~dgH%1Ar``wSpS}Dp>YipJB
zM3VUza65y?(zcV<PxhI7iHMxpbDuW}6_>4Edc&r1e|n1Ud505M3ibLNs0){B9mVgh
zENEFPwDlkpQ5rf=>tWGn@$VO@e#GkzK~p&k=~Q`WmMD?NcCWWdTe!R@rCzJmd0*?s
z8}R~qtIFj7$FU&-f3d7WZZtPD;=)>{0CMAE`=Jl_W=e9f10NF;HT#V2XCp2{cto}h
zq%KR~s@YXJXJxM?EN}L)FIrJ8CW^ShA)*$}P!kue5jg{Y&|qkCY`b3LIHtm?U%%<%
zRU4$>FF~s%3$6=0xGuH?x_!*1+xynLS17#zNZ|$j55umrR(^H(s)3tnG9aF2CmF1L
z@LH@>opmPdpJ=QQv)z$c8<D`MFXGq1N#`)ReBE#1`ba<LbDJCL;jb@^GQ_OIF-&P&
z-aZ@ta(zti%C-k=j&Qk7UOgxd<ASsKQjQMc7qf$(-S;s&cX@~M;t-S`Wc+4jDxo3n
zS3mbGp9nPxTZa-$hZ65><u6U@cNmY00%_VeTls!=a9(MQ)*)<)^tOjOI~>~*YEl*>
z1+$e&PwDBt+Y}0#YJuVIktJ6w*V2n71^(G%)O}}p53fF{o|be*?@f2nz4BOTaqwD8
z&h11uIwGqEv0JF+9nT2`_J%>nwNTS5EzPQa4W78j%U*4swaX?ky{vdGPtn>tKB$6H
z8%+jQTS87u;%9@D-K3#Ap6ZD?k%=esBhwQD<y5?vuyTN8I@O}BD6VZFZi;Btc`i01
z-|XP#X|QXG!^EvIrunm0%3cR_zO=_HPc#OSW3a38MUG-pEK1FoUp5y-r65|cUXhtO
zIu5aG|Cd>*;(Iq+R2psA%acxx-DiNLL)rFC*Ywe=LpGD;E~2G|8@<NNZ|*zn+7yGl
z)Mjb)dS0}U)74)Q7&qNQS;ZP=U&8V;2*@kkIu4&?l%K*d@su36F_WU^=DaxEWY~yZ
zzB$`2r_HFaka6L`V8NR=Zx~Z>8||Ak?0g*ZH(8BE?3oq4zd6&#&h9AjC8{ygXg2?I
zS(dtljHQF5QkdgU<4!@dg_3JW-#WybqgB_AnvV$Oq~3<Q&U@fgt7taSRZl(MYy|g@
zLSH9)u)62=vu)yvnX_!_x|guE)G#uNdT9QSUZ0OuNrJe%XnLEgzY<^>bPJUgSDaN;
zn#wm_drXhiu4=~O&s+em&}E&+3-U=XovJjEl>HQxye>R2o-~Er$o{Cg{WsgkAHx5x
z!JOvx94CcNopyw<yJN?u4Q|6BA4*A%Lz)jM#H938G$=OGL8XD3CyI)O+YEp!9h<%i
zUR|oLP&k3V?Eds<W)F}j+@BkqZ01C_v~HzzV|xE1QNmiG(#40r__A5BD7VMRLNJE?
z>8#Q0gU|fD!*rQu-%}+~2|Z_)Cfv{hT}YNLY6GASw#SZ!Gd~_#8ifG{!vH<m>22Fn
z^FUQ^=L&S#9oe$igo+e>pLAm<^e>L=Ei^UV0*Q^HJRLzmHm(ym4$nSQd<~h7EZ8kL
zqt;a4>FLJjrSYv}SES_See!Kfw;vtS%tB`Os3ju;{NB%r+ynr6St)}NWuJIYb?r|n
zu?FZxe2i=Ly^2R8yY2fPeeLJouV-(*f1>I57-@W4V$+6N1(sLOeC@jLr&m?wJB1Tk
zSDRp4^%48C>>Dmx89Rvb?xD&rjaqWL9p|4HEvQB777O8u%C$YB;8J=(xYEO{!tpKh
zXVvZ^`%v#WbS&Dk-kiRIorF$2y}By9vfyvnaExa&S;c}IB6i8mP24S<7)vnig~AC^
zf;~AjS3y|jTmAeL-1X8MtO65I5n?UvHI_QjH&DC!vX<fVi=xaWUnjcK?G{7lwLUTz
zH1?>{@CM3i0qSLxDtb3a9|h8Pu*>9<ecSLw4xJ`sA3@MZKa}t)jiLUQ(p2lR#9v7n
z>^vKBEI&)&Oi1bW3q$AcLSAU#aZ}q(sD6FEp+lgjq(f_gC}s6%MVLeEU43KGZj-^6
zsh2KdRa7V3@3FMlUVjkV8%2;oKQuhBAMi&82`uhnkdKklwa6<?TyoL}F+F43x9@8#
zf_D?<w1>jXc~+=V<Dw{)q5d|I|EH2ER{#Q@xQ&Kd@^^oFDh{cF#wz_?UG@7j0nAV?
zj?egOVd0nJ5ktx>ENp)%r2?dboX(~MehE@Zx_bNXDoNj-38+JI)ap9_wpN3NA)kUU
z@ji{h)jyE$vH#_J{f7do2{W@Vm+#pskw0Aw$=lWlk8{yb8_AOWcZCcLJnPQ~mQ8(_
zm#!7?A<=(_4<Xl5SztaQ5cZv>;yQ8)>NYpRcRP(UUy$xeKI~y0nP*<O6mkxUus^Uw
z!6`Mn0cwC{f$lL<QMCHInVsr6li-i6hB~<P@pURp@gOFizZTq}_Bp=Z%f}5CtB!?o
zDV=YMImjB8<>~*sW%(6j?nEkB^r3%|1XK{eYhWr~1a@=e@5D-m-TX6Q&EUP%O?`Xs
z?;*dpAC|$o=}?&}>;*l}zu609Ak06J*tZH9B|Qu_9<sn90g>Dya4L=||K(JaAv(Z=
zUKKKwe?X*eOYcKt4mC2q1OM69`o}W(Ay00m|3KzH%`L`^46YLV%iw?M2fA=XKhPZi
zizJ}1^Iz$QUH~vd<^7)t>oWFXR-wX&eq<*ABp8;V*mBnyG;A!Ph`(&C|EVK}zzhD7
zn)$!jTK`lA|2;DQp>HwV|6l23=pUE<<s7mT{4p0n)Abich_b-OVpI9^#tP&r8vTI<
z0C3O$&~f`8(d1+V*+1Ak|2;PGe@PJl-Y0bp@PGfv>|xI8Igj7%@RCNPfZ>({ckSb;
zrtLStqJ{pgMf;yPZV15eKhfmHi>D*U2LE`_ovry{sKmb80(<ureoyE*i#t+%G+BVA
zt}u*w8?y&8wjE5;w?GBvfT~Kx^X6J1IMsJ4_(pZ%ia5iOeqvmSaC*nx!ov4&i1ja2
zQ>X2yFRBg*jsKyM$#PEvVH-Tsrv9Nr;aD66T`WLz;FkH7z4qCJbqzcD9oL0WsJn*w
zT>xw?CBwXJ<r%_pTN;+Au^;#z^42E?E$#mXCf@yB7bC}?g{N-h(4HuIhS?xO3VK!W
z*0eDPi9#tem9tTqbinsi*A6~k!P%!YlHc(B=$}Cnc%#PvZ+VoP6=jn|5XTo_?c@`J
z^Xvgse=7RDI{qux$bs(=8LY6v_IJM`b)XNU#}k7Z-K-OJ8DOYHYcFh<03hZ`(e!q7
z2svW```sZ#ey<ur5%wVn!!JvmN3Wjh%BPP=n$tO{X0&G<M@#GUw9~Hsh3wHT9&EW}
z)aC?Lb#zjF&N|i3Uh<3XZQ}~~gkW};Q9z#KHiM*W$JY6sx53lW9vfBnJEGY1M&N2<
zPRU#JE1~g9T_S^}osS>1eLLtTXqQ<?+wnrortuxx!~~TfaJgsWxnq}3;rp5Aj;^*o
z-~m?<*aNX@VdlQvW;b(QommPUW1m!be>4KtX$jQVxI}~$6#y^d_SY^}_deUjk)U3w
z+Z9F7!g@XzlQB9V*>WM=;#_Q7_+8-<4$Dz#nJjnyz4w(yX|elKtlR6<4l*N5m=?aq
zseQoM_*{JGEiL7rz_SHwHci0?JEv)|L-BJb#tT23;oHWk>YYNkktI)T(h+XMF_skr
z)K$x%u~A!1PNKyoSX_qaSVh2YopKSnwiO%0mxM~zKcqOi*hN|LvGb2Yw(r=H04W5)
zcS`^O-DXK3vtkO$>$a|+YAQ&XRI_|(JmV(#*JlU#%r6#JejV65{>TzCN`X6!T^>DK
zthP7#^w7)O`%4`)V|6t&3Ac3cG45LUsvJHt`3iqFW^ONlIgFZbWoV6S0fWfp4mXzn
z41DeWn5HDSt-HX%_AH?jW!>I)ODOr3kFcjhVr~`smB_dwzIZTCTrf|r%3hAk{vP3Q
zyDhutRb&k+{HS=+4~H#1-RuunAz6S%32D&2JRwq`Ps{m!YD_|^(IAOEPFtyYMgv!<
z>fm=qHN!$&^c{JJr0!K?X^DWi$hIk26&(CCuyEk3>q(0gDCtR5JxGj{NgNQrel0nT
zo%irSDW7F#b56Q3uRRx+db5@fPbrxZ^z0(D_)kxV$-nLloKk)Ie5MM$u25ZKc#Al$
zsK^0!mBZVj0tOT+ZZw5jX$Q74EAEC1BaH}|F>y*z?kK`)A#eNuF#v0B)j!#1^E|5P
z+0|Qb2IQMJ{tJ!j`?H-02$KObf<HzVjt~>jj}woqa3k!OsZ70QmhUg5q`QQH&}t*k
zhFA+tAZ_q+UrSQsB_C~E4}ITn$5axY^PrBZK<iSGDFio)t;H0{l3K|<QLJ$dB$abD
z?g)5?jG)rwnVP%VP8)j*r@ph_fy4PI6xP%zNW@*n8+t1UbX~_}e)~l4roIiTb@G1I
z<#Prr3{N*B1|AK9j;1?ro-9%ziV?7it{Vh`&CHoXxE^b9C+fs8EAmgH<K(;ZA&q;}
z3j|}qhglCZSe$#;Hgd?f@z~BJiZ3c2PgMOYn|eZuCX?K5KuD!V37}mhk!?8Eoh}ph
zVUC@ZQa=#okKy~qeq#R4e$v<l2<MFT<7X*^w9*?qLS5J^_fbw1A{50a3XjM<X0y{0
zS;_$LagJr{gG|>gh$F6L=gQ5RyMBt;E^c#lwITPATlOR<D<NQg<gBZR0H+)C7Max!
zOlY^QYZ{MnaDlr2(%rC-%~WX2D@zBOQ@t9Hi~g?LUhIKrXRGJ!n&bXUnJgCMC!U;|
zC;l@11OPO90Klf?2vv`1U`B<AAXN|G2z55JS^d=H{+bX~pYIZo{-VP0OB516O@`_<
z(4Hs$IA9k@lUqxB#PzfeO|G{FE@M-2^RHD;f&KcDpnYy45)~3np1tKOiFYhuzH->W
z&prhZA`1hB)ywxQw9>_ymH9ENy1T?#GGOu+_q<8QJm0cTftwJgJOs7{4~yJrUU5bH
zPT4nGx#3}^Uk``p9bteEN3+)Tgj7@Lr7DDdV0&}G-2`Tc6gjymCjfL)S8St(gL2G}
zpb)|jISTRlW=&mBQvJxlE>R0&&{CML2T21YI;GDf4qi5MSVzwu0E#Y|zTFTtGI!cI
zhc4mP2bPSr37(Ow6!bdti73i=DSZb>6D=uYU3UR~4av>eg;q*%0b9k6*^<A<H2jW)
zEqpvM{b~rpseCdb;X!u{5-&S0Qxar-xAy@&`F$k_5vX$981h2+TerpjT8Le+5T9HG
zCeG00DhlsWCO;AG(UJNqkP-$lBZr3rjaikV3vIp1L*5kzof@>ib_Lq3-EsVWl7Cat
zJFOJyd_Qn8!uayPUfM0KpR;zZOQ1}YDiM{4Dszae__32P+_F>%Zzqpwkl2;hX^g!)
zvsk^f6ne8$J{*@F;7N8UvOmA21p*_5KDB=R=S}?HKYhbtrhsp}p<OM_UrvMuH{LP0
zE9p6DoPYMA(JYBwo7yrH`(_Q(<%RuhH>0rcy8mYyF)1-ApF;B)=Rnx_<&=?UV2*{b
zNvh*J#^0t#xyKN=4yI+vHSaRBi|u~=!Va6ksJ?WYz*y=oBXgwAlstho!~IF+nsq*t
z#pQDi@BCgiHdBE5Re|%f`^MPmJFRG3v^&oB@=Mk7Y#<jtD`qprmuPo&#j6Y}(=A}h
z)97g7`*4izk6dlYyTP8?4YZ5Pg2@6x>q&&`=v|}OnzAm==Rh8`!^S6|ef7E&%m4Cy
zU{AiJV+UP26$@rg|BXC$*&BaFWZY1DMw6#)FJFGtoHBKwl$BkH`8m!#_R)khsHc3f
z>hY=vxb7~8>F__1=kBDTL@KcSE!WhQcmb*)c|3^`C{2Q}!7>RI1>2~a64s2aXdTm@
z64Ul=##ZWgd1NMXXtJX;Q5=oLg;c^__4$SwHm3SHbF585=jMDik$Fs=8(ByQS*u(L
z1}QgJu>%H)*kao+D^DM;D9;Y4UOZ>KZ(JFxgg?ah%AkJGuDR2$?uB3q`$>Z*GL4Pr
zuf(dIIi0)<C8HYJjB(t&Q)VMsY`jk&+vwq#hv(KCWnH(yQP>S5y_8%j%X{Clp7Zsk
zs|05RY?&|zY{Y&1gEm?((V8MSbA@0%dncbiW{UFj8}qz`TmI}&<Ttu3)Q}yD%I^-v
zEpRAYPRZ)2rvd#kTY2KRGR4m=$0R{HTjalp*NUFohjrfn$w5q;d-H1P$*w@y?aRXe
zvGH_wc3#$(wv?Z$qu%d4P|}=;;!2QIa1Y5^{1iWzjG#)5y41FAz#Y4seL9l-g@>p&
z%Rf&9tZ1%!#)X{V2bU5EDSW<~dhv2nw0s_YZM}t?8`TCzPqtWX2DGA?gPDVs;kn;X
zb4+wGm_-eotAUO3Shr5Gy#DB3JhA^^HK?{JdgSpS(=j5MRr*cGavM;QGMP!ZYX?Po
zJ`#71KPwPr=P<Cfzqi|*e~enGFuG*_?Z_;Gut=a%9W{ATcgG3|{WSHIbQK!IYS_KX
z;u6Ac&MhzOIy-YYhY~r$(62@gh+P2f$HMCmkc;S3;^I+$2);nE4XztzQVj+h2eePB
z07H67t8*o0b|uM-^I)jfSn7J}dZx;~nyb%Kk?v=cc3zl$-uKmR3leVCae;f~SHjcn
zLQnP<g7(Tw1Y#bO4>Zd@q2O7>gr@iKoP@{>3w{*Z{=jw`BLSW67j>O>y97Otavvp6
zfjR!LKH`*Wi^91pf^*k!M}GEVbRA_QZE$cHOEfD@DnBynH|_y=<4T}f=Cmd}10~@J
zN@DPNFmVK}BPsn&Nu`IR3D^^IQlDT$PD5Urml+xUa1O5p_=LRM)AN+LFTg+$*G>*=
zHVII@#e9I~t@><%TaNY!(N(CCRl)NCbm11LtoYGJ(Nh8y2q<Rn2qNeWl+&aj9x%Ac
zKv%Epu`9Ew*!@%0!qD@WhTE`UVcDpTux2=$InbC4Yi#}X0Enyl;Izu#1K0e43eAy-
zLa5O2vme_G%!7<T^bU&d>zK{te;18qDF5x>G2EBo1=yQHyhpj+p{bJwuG2Af@n_u(
zyt1S4f}3>5lbKvXD11RP-@1T~yN8&c-X}LU!rlNN!n;tGx0C_Y^i!mu&_B&YfgAXN
zkPoZzCpDZv>`)Kb$-62cpOxyiQoc@o@kZ+e-2%jruncaicyBQBJ>~RKFJT#+5nUY@
z@q}8SE+wXJgN+xHY5?+i-fP7cs-~b(=Z_1`1d;mytg9yrjvnD=N9GaCn~CA(C(k2s
zBJF`8)OxhBzi)sv3TG|jlOZeI!=O`WvxB`2u*yjY5{lh{3T7PvKGZ>ex^Ya#F_?BN
zRKPk#kmr=|OVxj&L^P8B6Dwix4fVkaXucV-Kx#-b0!g>{nP{#;+nc%`y6nUxx}Uy{
zzyA=;CAX3CD^`q@9Ax=RPedgCSR7;>WJ6#?f|~%v225-a{|_eik2Q+g1cD+U{w$Lu
zc_f`1+TZ>(=?H18E`=4&i$1avh#=KO@f&}AAKbl5ZY-B6#eC^XFv!0@JKFD}E(oVo
zk&Q129z^D6djAP*x_)G*NvGbR3W%cXlo69UddHU3g@!@|B)v>y<}VyX-kJ{U;$s*&
zsKjq}Mf!A1&^?#0ZYgqbb>bQ{2NjJkIkY@=jOb5ZslWrgL3d$AtL|*M45GCMUp7lK
zae7ZDDnN!0mvF-F)5XcFb(AzDH6s9cKJPm@*FrKsM{{z|F8oEcLn0MPd}6nZsVv24
zXp9lUl*hHFjG$D)K&glpLr2}ObSs8k8rb#z*J6VVl-vHM5rMK<>GVc?uez6t*{qt?
zp?`yj7o}E$eh=EJmDsMx0o1h=O92=ETe`skMa)*GeZD0bp7xg>6w<%}46|wnOvrl=
zD;Bh)5YVi$DB||)iJ}Ow2F^t#e?ZYr9xW;<Bx7I}_J*8jKz-cuGI3|NGRIWKa}LNs
zea4+Y1FjRT0p&6=o!~%7m#k@Y0UI206u~#b>T;3(08tH7c!IXt(mQV3J`w?HZ8T3m
z{k~`H0_wgc8bk+MMa`KZhTDX7mIONa7MyfAju$P8cUPx=;DVI~3jF~;!a~@&$BR2Q
z=+}SK%io=QOr0NM_b0rzYTubMB}&_x-3+#To$xKmfXm*36SlNG)up16CuM2lqt*31
zYxz=(a>{Lf_o`<r;0Ad1ZKlVu4~hZTAKMc2+lG|iqjRPHf~cIdysk)^<o*QrOu`;)
z8h-MQxl@Uiout{XbV8YXc1x}%lbD>OQ&iCO>5ZstWmbcRtlwv<n&{tOWWJSB{zz9j
z-(iELu#bk=YeAOcsZ}&(*yK}c9X?yKx&{}_#w^dANjo~8Cpfl?Ls94x5nPPML9xP5
zc>YpU;Ia{a=N|iFbT=a@w!Pz0jXS`5B*mnR_K7%w2KhO3j3Ev2>&#D+zxt&{<}OXh
zC}+S!{BES%rs5^I`iwKJBW0se>HNf}PtV~B(5V@?r2{T8cg2pr<cO|f<@v3_!a=qY
z*W!;ocB$J=E~x|ZWc7Ij5xRtYh3I2owCNQx&0-#%2Y|jE<Quoan#NdNbnx+mj+PJL
ziq*SgK5BAO#MN0eu0-EbN6)kMNJY^$Doegk_G8MEm&3rHh-0Frv~*0Vy^vT~vy-35
ziFom`@N&Toh!-=-Dwv)pUeH3!^+AO~lNxKw%$CkmCIN)rB$R1%&srJN{DT;CZm_FV
z%y|27Xwq?b0~NUg#oCU$Geiz><!<;dz7II~;W6iShl@7hb9Q~V$vJ|-!3U&u>942;
za04>VIep7C*oTXrd~k$9zn)>&QyvpAjNN0c@4;KH0zEnDpk#y0wuPo3w#0%>A`^c?
zzfn0bSh@5;k!qLdQ))_6@NyPzvt2IxizA5u75y>isTkNfM0cX5g8dU<#MQAl$OzWm
zuEClaZ-tty5`;kEu^Ke+DCiSqDd^Xb8=na8d_uTb?KU>IeyP-!#1xVSs^jY>vo(0(
zQyK>p2cJ@X>a%HGY~1y$!NjW%j%!fp^IA+N9s0E;V0R2l1yDnm28O~?^x}5#u1bJ4
z{d3EF+dZ<F45SmmqOqwdmz*RgQxID*A5{HCop1kUM-hFln*4hT!RIa7z9jtJA@I%n
zw(%(bbUhI-h=S@1eWD4fy7q3zjlER7m}eXL1-pOY>k(<*M*HV6XMNN_LGB<V0HU0x
zj00}4pB=!2>Fz+D7}*0)MD`L(uEK5^W1{}9%D1rEK>m+{Mh%t*v2YXtmk?29N=Y>I
zWYF>;0m6YtN&9HH{{W7Dqy;?5&BRElfxA><lMU!+j1{Or6@J-n;7o`~<&p=>3?5yG
zj(aw7yrKug34cA(nRFUd<VMi>y4!vqOKjSo-|*sFu+0<_MUkx>bX&suBJ?<MWdcJh
z>uwVd>-h*qc>>{|{T!ur4!Kv#4+Dva3!3#NqK-5-TcP;scuhF?8a$A1{<chmupn;=
zq^;t4U?LFBOaA_k@a}MsfE7)$m=pMRF6xZMe-<@&=O*}>VXkZBJhJ-|qL2#f?_Xfb
zrajKY2hRvvM>=(-u5qQk)c_Az5Lt>%zfb>vZz)8kr&;fC(}G;Ya}nJTU<88f`HLW#
z*daL)P2cVg+5-_iGFTpDXWe?Qk%X)jC*mq>O-tgV;dT)NLbw6=t{Cp!@ZM>=HjV!8
z%lDhKr;_X9@J><gafFxXI89tDpYQ1|DZJCPS1_6}fR@fBTN!e9$Wi@mf&49LfD@Ta
zxJo#T=T{rp2f0&md?nw*H>cVO)B#W6*dbs^M8W+gcq?dGiQUY{9+)}vd~e?Vm@RZv
zl&!EnBAYRnet!;rBFX|u^1b**gTY#LJ;o|YBXrC8*Ra%6S_fEu6@bY@`Xe3l#fjmf
zy$+`?JP@KbX(!M+zWz+D<H;VT!{92-@limO$W28RS0(i#i#cFeV;Td(IB{$X%?v)=
z66d%paDd1Ru^k$-o=GleJULSLvA2RSC&|{{6{6&3bDGCL?}*S748+V^ge6qK^V<$`
z^&rc2E0s;TaxI}DHH-QBFma|9wxte(IMVeiumyQ*9h^{PTR%}U3noZZRaJEi-nZ>=
z1y)?Dq@<*~D$ws=PmeY^a{v}P40y1S*aM~<Baa?ySR!khIWgVFuFtE`mISQjDdekh
z<kKVapYdM<2^;HyK8CzegF$!?EogsBouq?s{!76e<!(k6!<;Gc88kP*LGuyLl#X`-
zqNo1IcyszN@Ej*Te0W&~?V1y4X=xSO+Ht|pTyF`$GRiZDO1|U)v<O0<gt*WW;=;%V
zUJvALd_Snf3C0%fROdgH`Yc`$J$o)<u=6;6((ydo<W+xfc*S6MQ21|30QuuiDs@1Q
z7MMP`F!n|u-RHu~V>d68*xS+-*XIkXXIeb)L{|MvN9w#`Nnfi!{TD4k@vr?px?lcl
zzmH;7uz@^2M<Gu9eTU~Bsgr;8_T7iR!jmj=l6RV9<fLudQ|;FleN&5$tS)N7k32Ut
zbN%TzbfFke&-o50RA@WA-GT#5u^L<k)&rN6NdZk%GhM;NjYQ0Atxqj__VVTON9e7x
z{NXHd1CvW4MRsugNEGT%qi5O`;0BlETzLoAX!7HvXaDP-8=IT~T=)_&!V9N&&!bFm
z8>Gx3EBn^!057O#KQ$mbe$Qej$$*&@{ngTgYrH5Q?qunPTdxZkIHZxD%)ISxaIq-#
z2?^fqx8jOpm&hi0kX#Fa$uzw=Ffh<>LR5?;@+O#oIX<Qh{@+3lHVGR%BE#2!mC9s6
z7H{FWnKH24lk?A%?^e(oAZ7AFdyl=7#N7D<Rnp|%0?cvIXJZ7krLPCyZ0SdRv77Nd
z3Cg1aA`m_-oHx8AJ7o5!5HyoO>C<f>Zh!YLBMo7*z`1R@Rce+PnL7973$9Wrb4lSx
z%Z=FYeLQLx>xXc36ws6oe3e}2B&!ZDBnM7RbbylF|1F$i+7JN9|MYvOibi^(6}-Bh
zKhG*F#K}`o&}v|h9XT<yI_ar-|I*8sud|_%N%DMBWQGU;LEB*QHl`p=H-;(T3~hvd
zo;{G**WM*g3G-Hgn2VE4m4yJB2O4JtorGQ<{pH$ehrVPur$j~}G$qYXU4o1j7aiq+
zLLrqNS`2s9rnz@v3qQRm8WlVd;2#O+!RG`nHH8oSrqdS2jFfai5W4RO#S@X0y!z+P
z9VABuuM5!MT*f_K`AZu##o%zRE+VPu0QUmHC4St6LZLV|Sn;!Sg3%jBTOXBz%!Z;h
z=rCwu_S1oks{>G^OWR=EY1G4qq>szJXGv$>%9Qg@?mOvo=BammZ|8*sYbv$^Yf3s8
z&Tpz6Q^#bML+e2iKmuV)c7)3ztN+`-qqY3MF(Q~jBZgqCvVS3<ktZv({d3YQ3Ypm}
zRp4M9)_h9$r-Ky|Q}-Nhwr(GSi(;?$Cf7h(EH%IA{L8Z7@kD|2#QTy3a0x>4ys_7K
zR@E~6hko^9D#MtL@;Yc^Su}0lZv%lp>azaUY37)Dd+I@>awiid?IYsahm)in<B6kY
zDqfm5<rm2cCJ!%tO!H>5w>k{$%(!YbJ;a1VG$Q-JnSxyV`erpPegLLE!DQUM`@s}0
zkDMIcA#zH`t@5|?6kcgr|FILuuD{OGDTLm#uV!In2XJNAC27lu;u@gA%qLpzZAF{i
zG_k(vXI(?=J#-d1PZoQiMs?ht1gOoRW5a{cc4FuO-28#f)NJu#v+ggp7G~SjV8TIa
z{YVru1&pv!rTcgY*Fm93IY1kq2Nkq(kFZgR>Z$Pv7&7LB*G28|$9?a$NI27Bpw|&n
zI$@fM`l-4q-{RFLY@8L0id{#Q&%@;lK#A#@8}GJOxUKgY(c3`lB{$Pp^Xi-Ng;XO5
z#@gels1R6@7@lTXIHJzrxzq?L*L+h3VoF^deTAllG1>|TUHLoYXTuRq+UUz=Ymbgd
zpp<~DUbMK&<I@Ny8$kbHg|<SVe()PPn#nG@?%LtQhsz61s=iL;>F1QmK6zAr9`5r3
zGb(*O@GSp$%@bN1ZUAWd=b6*Xn@hlPQP3Zxfh;E{LhV!CqKEi~om2sQ@S46t;|DWS
z=!@qPccEtAb;txadf=VT@8NO^@OOjrmKqZjq{j^=ObBDG3MOnbn6Uj;JXmBaXR=i2
zbUlQwEe>zPanZ^LZ0$tOR=@CB=DBF61D72`A_=QWf`AMW=XX~rNYzXkEP@O$WG|dk
zNKcpS8a?Z%IVfLNT3G1(5(tiGQP37h($+5M)Na=fdVOA})uh9JG6KVl0d7^5l?9(Z
zeq6~!ZpDl0){^_w$*LuL1iE%TgImK&;O4&b{l&*S6xXW}Udby)#g!?fQI8)NCuem)
zQ`r*lfh1`-R+$IS8Z-Q9c$hkA%31f=f9jQ-6Hxa7tN_GZnw8=I@+M@?7zdD`o>FVw
zkLmv=i61}vv<V7;p2z8DKtjd*0Fh0Wg$A47M)fon%t>|yz0Hm9cpkm2K?u#;4EmLH
z0C5F22KmiV?4ZJkI;>Bj@7<T}Z&*<Pi3A;HyG`-Y4~J7V1zt4}#6GkEHl>M904IC{
zvUz^exvbF2fxJ58M7>pTGG;sI?Q**GPT03VOI5tPKo1crdFYq{m{1o#abX_<o4&f~
zEe!MpH{gJer2WhYS}B7(fFfV43JC+z#{v+im_ezyL-@+oA09=Nbig_n?F4gY++kS?
P<Uj0jtz!j8&943*z0FcC

literal 0
HcmV?d00001

diff --git a/website/static/img/block-cluster.png b/website/static/img/block-cluster.png
new file mode 100644
index 0000000000000000000000000000000000000000..066632493548aa599b672d8a0d2491187e189b3d
GIT binary patch
literal 73905
zcmbrlXH-*7+Xfn}SV2VW(nJAUDoGT<^n~;Zi2{a@o{%00f)zVO6cw-n7Az<h6vcww
z2f;2N7F1MJ#6nR-(KEs4{l4>lYn@+bt&n8z%$~X1T=zBi3~M<o%CN!X216i_VKgd{
z2Z8iWgFyOxa2){d=x^lj1s^UJ9t96Ma(lvi2*hKJl@w*wCn?lAIV1o<`1>sY4pkW}
z)&K-C01hYV<T9(-kO01d`+7sXTA`N5|NRXPg(GG_5i?*20Tdg6z`;@A4ThYFf*~b;
z+e?-5gnv6i&4hvu0wdK4@rFbT_{tK1Hy9M$M&Q9W@Iwgl@7JUdWDvN6Ga7aBNO>Gx
zZ4H2vQ3&)*L<qPYNT&*zi~u+ReAlV9a_~Ws%d`gPBk^Ww;!L#xG>1cHVrIge?FlNg
zK@VDyVbGA7(3vPW5<3%y#e!e{S2r>oHWS$^AYZDGn$`cW@tkVg<z|Z-*r3-U|I@Sc
z7r9lc{Cis|VYAuE0yRR$G|KU8vdGM0{xyQtVU+)E6EC-`Wk3{o0D=U}9j}%u%~Cz+
zM*XivX{tz}g@=vhQ1DvA3=)GZ6!8Cck{|^-^p4K~Mx6os+X-3(Gm1i(AruZ0mZ0Gv
zxXB2M10#n=8evKCbR&$SfJV|NPzhZ~QR>k^s{lAYLW?tK=}IJ2A8ATR;MfzHHYo}V
zm)l7R24%b>o<TwpNVH^*mdnQCpt?k|QsID#Nm{kkphrf54rr1H9bG^sGw@OlH$ILo
z5E<yegZRWGfkA?dFoqzB25bb1DU6V#aT1+D48u^d#w0#BjzD4}7{)|6PlP}ja3m?0
z#7(jw8B{(SE00J*>4Y$5vPdc77&MkRi6IdYf>g0^f+Pu_E8tRyMne>j!$?xbC$dOl
zv%oCVs|m?)0#z*3*`;ViqLqqC5;6=)2%$~Lj)JOH35iBsg2tkfGjwP^uoxZ>C0Y#H
zI9?=L%9XKHcs7ek=ZYhFR0@rnz|_j{mJp&rL(vkG2+7pA5E>1o3L(h&d_Ez8NJel%
z95jwfrX!-rA$EAOh{d49$7zWo6W+oUGn6K^nIudgkzh(H0i8sT(_!gytxg{$G|Kdn
zcnm7i5l>*EC9q_!7S7X~xpIk8oa~T?U=ow?7Kw&{#nEk0jge;Ls&w3>5G~!Lz$XFk
z<L$&KS_GVf;3?TSJps%bvOvpbqctidLZg<5l`tiZq<2ILnI?uMiWz}pD#dI(+<=!j
z<Wee=ua*e$EQ(mfXL5BcF_+|E;gD(rE0I96+1WS;QNSc85_l#7Nr;Ol#WC@CBQ_C6
zBI(U)G1tIC(y0~>9%<5}<VYD!MZiHRLV?gmH1VP&2A-Y7u+umZoJ5;Ntx>8hAu5>I
zs8mPTMLbrBDS|GtS+Vg9t(C?FdPI@&3^fmkpDZI-_>@R7Q6OQf6KM$oy@eHthneG9
zFt|MtXEU0(Vj6%5GFpNmi3CwPGm;UZ#YQHX#9Smvj7^NAk<1)%BpP9dbMOWt$sDI7
zAUPZjPfSpo%p5s`X0XZNO1uNFmPJbScmmQ0v-9M91&JgvP^^XsEeorRBig|b%s4e!
z$~K_of+P$LAtgYWNG?pwgK<R$m61nFK!^?eq$H^buOjF;@nV9J4OQAm41tZB5QR08
zIC?0VY1BbgdIO21ma~DHbc>9p;fj?2?#KyvnM{EZMexjA3f~rip+}hMEVzuHm|&Jr
zNVFssQcBX}=mu#>T(UwTQZR%xCc&mo!YHw1k{E}?!VoBE5?3iviIGei3cwj2&DAIg
zG>VBVWAiAEI9Q~E!jN&r5g0B{DdLlv8VXT{Gm*q-m9w=J9bw`#)iN_9gl5E%gvvw#
zSB`Z4fMQvdIyjXVk8ng-;y5x9UVtMp`2bk)XfZQF6Ty&08iaJK18$R$%^a$P<j~UK
zyhJ7$k5++}ES{X5Y)O>y;M6D*%3<eNm}WLFl1IScWp*f1D&|PpA_B+3fa{rJBOlHb
z%CI)EMoCc#p(=cwfEPg)C<$DOMMWSPZAgA3Fc;MtNjBpWk}S$dDo>`=S}}Twn8>BE
z@FpuwOam>zoORHd0%j5yFGEO~NfwD(Mlspw28te!PSi-^HFS#vL9`GO=qNiWSqVn~
z8Pz(dLPRv{Y)Fv=7O#X##B81rE;T2LfwD*nR!!IGNX!V(y+y&HM8(r-B)e2#VAw4N
zd=%V3P!Qwd;235kQA!{aNpUtcgGA-ZY;+t38DUBy#PM_pJ{sd-MNx@ZIu4{hJX~cV
z+YKDhV;mabJ04h^Y|=={3UyqZ5Y50?Ehq%biipxnG;wmO3MoS?wTUnT1qo#nloq>8
zhNU^MngqK=L1mkm4mqDF7ecA{5VHYi*F;%yb{HM>NX5u>3^dumGoZ8*v6=`)6L=bw
zAyS)2Fp!88FfM3Bjx(v~4l7S$Bg13@BV0$~VU=nu9*Z;c1v(rm5xAQihqtoSA~PJy
z6+&%t10exVhb7@{k#Tf9!VpKmszHi{$<RPGvPEb@iL@l5l&%y@oG!s7f;W<!VskJP
zbsQnaluXz2C9FtY1X7}gLX`vy-C{>EX$HA84o+r4C0au=HxkN;)C)!Q2!RkhO~7Kn
zI|mM?4BjjPZ>mJD1^^@8jJ27~Lb}oF93N^lQq74-jRB=HOT|eTB9lP3Bb-k<v4X=g
z@HJ5+R<cNECRqh`5;ciTRr84edC0T`qFzd3L?+OMCK#8@(r_hQlZgyhi*!&ZL4c>@
zS&<^9l@o_HgPe`$NkuZAl}i=?)`MsA(ORjHu3=KJdSLz}tPu*+bEGI~l*B9+k^n~{
zQ^i^$+ayG3)rldh__$=Yi6ta!X)+uuQNjSzT?N&^RYVj|hM`DcRE8Lej-rcbI;e=q
zMoSG*W__~UL<ez<<Z39%R4BlFvYc-<+vG$$O~;7fVPzp=WC)d*z~$@VD2))qO^PJ&
zY<eo0CWmsBDs{42grr3v)j~!b(?Dg>1U8$~ltzGf4w6u079~1Jay<ryr1SJf2l&ON
zr@=|o2nkQ6B7is{>)|0uRH+2cmMgUyk=iO0Q6&s29z})Wu?DT#7NUu_aOv?p5-Kr~
zqEC#cuwgVjActl;j)ue2_)?wSq{opIT#J~9b+F<hiE^cmm%x_jz+h69j%DSWMf?Pv
z5ouNn6lflsiXx%lM(`t_%(57b7Muo`46e{2crM%IFd23D2n10Z&yo`OAu6>#jzQFl
zoeUJ8h(RJFqL|dAL;#Uyn-j_yM6;M|hdMJ0*1{6X3?c**XcBLw5uKDrDFQ%9COHr?
zC`KL;0tO|sSah4tBBC&q5;50GqQD8sP)4#C8>Q4D)rmL-g-+!wm{CL=AB_W<GfAaZ
zCm|RdC4*yCB|9XR1daud)FjF*AyiRfGConq#K^@sk|;r&sFz?hbeI~Wx02y#j6Nw5
zEn)z60|qs6?Nm6_K|nF$jS^@QMj<w;<PjFFmW)N}a5RpQg_qhGS~P+Wi-L-6Iu#kk
ziR6eZ5&<&KD3fB0{CK%hX5y=Lng}g`dxS;lv<D&qD#GE=5s?6gVDLz++{R2m8}U&B
zg_sI{XKLi8D5ETdMd2i(;T)#I$<z!WI>?+P4pB~1Ga|7pktK;>rIW>47J?h;;FAz?
zzKU!BlN%qOptcwoBqa}NLF?kJ&SxVNg~`$cFiXkFSePIr(m~c?xNxDu%7}<$%OasH
zlSV_)TclE)DMGAOBC&A_30f8@B1_;LjUhzqB-dzul*SPcxIK&)!K0Efbc0!-k4MtY
z@fK;4A~^vMMYAwu9+IOJ3+O0{S*0cEpi~e)2n^I7fo3IR?3`p36$|H3IaZlMsG>w@
z%mR*5Y6H9;&jNo6P82W?S)fAOHI{e|RcN=!c_AToiPB7RpaJOM?cfim4$(Sb7K2qG
zLL=BjHcA);j7F9^<3?k40vmuAJk<h^vm*p%u0SjxMxwwSdNMYdixXf_1Q16Ugh9<n
z<O-zDP7{T2jyV~@gClJgYLwi}kq`xFO>&}>e#Wb@ID<ka;F03A2r*vc#BdOscnU|L
zizHgGHl864s*szVB2YyZ0mvL=R(upWiJgG4B`_5UN%2^VgAH&+jtP+^>M=H*17$Q|
z9k37?2Mb3i5GIveV1rThNW4}lWs~$25*tHFM#NE=z2opBNn|P;4V8otvFr$DBq!Mr
zVoOL&Vj80iM0uRXkc>em3F8tq0C+iUvw{NzP;yaxECMF6Np&(lMUkM>a_msF(1xKB
zk(3B6+w9~#PzAys7YABvz=aCHiC!Z&+AL6&*lbrviX3_*&z9tX$%#oaJVn4^$LZo=
zXc{cUDC4RUVFI|&X*;1wk2J<%3|1`9Y{n>1N#LHDq9z%nk%UCGNJ=5u49<2UezJf~
zQt_=E7B<pM1N~5h5o)zK9;8PDlz|1L2*)=HS>#9#OoT8qQFsH%ic=>tByfJb8K#g%
zC550!N;nFsiZW6qb{Hu>MC^z_^GPr$63H@K?N+A1rcX{*qfi*AgcEOY$Y6GA1SdqO
zXK7$&48S2WPb-D-2<C(&DL2Hy*0T6Il2sUol3G+&C?-lzl<0NhI2hC*l$x+n2$ebn
zBg7@g$<anG5@``dAp|NRmQ5xboj$fDBPbY#M1xkxYnW^!2>~FQOo8Hf8ZD7;rO3oe
zeo~al!cCw+85$K#s0366k7B@u4h334Nl=IhG91tfYeqX$2OI9}Q>EwFr155j39c2=
z^cWcpWu<WA6aohi59KRG&H*e@ktSLMoe@Hcce;*bS0~z}Q5=0D4h2V8?Fh9}Z;Fh7
znQ3~N-fE3gDHU|Okz|p;jZl*?0%?LJfyIEu8CWQi4g)nH^irWhVv91MBqnf|%r__6
zL~5EsM&ghX=@yVN!HSZjm+RDt2)GiFU=aZ>3BwpHG&@$7lwg(cI3g!$;nVr(I5tfO
zLs`vy2SK4q#xl`3nsX+?$Z-;zMZ{CtDI&avoq(pI6Ui8@SjFM<>F`Lp+JKY@;}{~o
zn1bLi*!n270%fqF@Jt&Y#k5*r46-ztX$=vWcq|?lNjF$REGAUER1`&(8znG0M}Uy=
z)nt<}gl%HLEnEkfwPb=?q|lq`Xh*V{NwG#b?2#l%h&m*RNP%hSCKNB;4pmc}q)#fL
z^B6jFJei3_!5xSwK9NC{S>g5wJ<^6{34yH{GHL=t<Mf_LfW$*V@F|!m2LsC%g|IMO
zr|w#jh^YXd2qwd6LW6;jq>w3SQHcapq7{dM%T*dMDe*>_mM&o;;9NW(#Zrk9jHF~O
z#w>G46&4~Ap_Z7$IEzpwQ<Iqz4U6OiatsxzCbL0&IPsrlN)#%g6s*{UXUV{Il*tU<
zEf`@4AA^a2G0+4HHc4Wpo3Ruc9Iga3o}VO;vEU%#CKIeg62?Tani&+G6dsX)5kz7c
zm}FKIJRU5=ql_T?ijpyaxH|&_yzC+;Kqyo|8&L89@BgWK^p-%t^}j_Y1gVbQvj76|
zfzXIx%^&me{IGJbN4D=h;q@sm26mIb`k$myha$&0;?}}GI0{dW+Eg2Nasne~@+#5J
zr7IVne7lx3oTo1#_8H|-z2XN1Ibq$su7^jFRP)1k^J5mhr1a6a9)ppyYl~ODCEQ+A
z@-=4aPo3h^B1Pkg=I4m^i$~WF!6+4<%a&;GJZ;}q_N^iM#p-_4rT_ify`|q-4OTNe
z|G#g8RuIp$?foXt>+@eP4!@6Q8p;;Bn)%=N=YiYX`~Fu`@Z|r`)&rJhK{kY+M*emm
zK4=4E(1v+TSB`t_)q4}B^j<;+A$?0B^9)UQ@EiSHJbYX{irriWU+(V8_YZJh20*<l
zgCMsDmJX>jLg<j{e#YRX1M_#^m%Z8GfPAyM9;y!?P}wlyXZXo`&tH?b&4)1hmewrH
zxlz9I$&L)W1$nV#AKoMFl(%)^_c4}QTj{r_iTeFJ+T%Yx-*vaLf2O6Ot~{k|+g0`_
zn)YyP{^C1vS&khUeM^T|_Jd5Dlk!=k{Pbmk#~1w4<#&gOLL!{@!i|J_AGD8;gVtP8
zxi05;e>!4GNy@Zjo;u@FS$N&0+ZgQkBYVJpd;fxyjyzu^AurH(Fx~+xxWLI){hsb=
zKVpAZHhES^$D4HRd~q6YOIS+T6NY<!-RjinePuT;+^*K1c|7FkbY0T)L4s9~{!;mZ
zf0p$cPSfWt;n8$Rqzm-gZZZ@pQH3p-`@o$%5S={7ZQg>(%)*Sed-l$kk#~NkLhAaI
zpBa(oIp=ljdG+dvK^}`vNx0{xjW4{EK0S8?q#|STy(b@V54<jK9mf@odbBSp=UdvL
zl!rS<9=^FD2>Ia4eU)58QDUHbP-&)Dv!*SvgiR*p4%ZShE)1Agc)5+zylMCPZA*fu
zY;0i9Y24E@8K)w<w-y)wnA3jt!H<d})7-p^4=nMSd(QxEu3nf~P2HA$sX7pv=Ss=@
z)3)dbl_<#4Px;golUx6N8lvLTx!XC9l3Hf}^jtb?T;1}_S^uoAqTleD6)@be{g1h6
zW#*U7TLU-7%=kXT@;tu$V^ZLtG~CkV(4paX2Rj2MaO2Xjh5z(@*a>q(sQbO7Wdzo(
zAGU0YTj9n+`QU(5C}L&S&Z+9$w=1@WTCb623gdUkh_$bk8-MQ|fqxJ)Dt#Oc{v;IP
zJA3Pt?i|vF;xC&_L%bh|elDv!d34lKzh>&xpX=HwC#cyoZc@fqe@>{rQ~qQ3@-GF~
zpQ4&`FLbF;fAY(AAsch_+kKElji)7C^~Ac5xogT6BnDT0)b4(4n{tZUP}X+rXsTs#
z@T~Kns?Qv*+e5Aw7U#_}ZS00NOT2J_b+<ZJea^}F))<T*^L-;dwWRLoy3o!|&nv8l
z!wp3HwL2T%HUvMru&K`T=agmp`USdTaZU`_y|`cX=@0N^M83}-w!drVOIoe_hbx<j
zKCd&*gmt}N(W8NUyHc`!e^0LABPzPuE46#~bhj&~ZXPch)AonEYTo97Zxk(eQU>A2
zuISmI3R`n9mv!sVOa!WC+-1cqH^GGZ5z3dNry2#s-1g@?Wv2F72YN*9C3!ySBjJ9@
zubcfsI~tFFtNV4c{I>qwo@3Vz58hth!XWM(dtUqP)fKPux3&|{JV-TZdx=3cfw2f&
z?iBgMbG!1!_EmgPAL=kXh&i@@?53XiYu=q*uz!MbCBOyI&AbVNow%@P@@_Xy+n0xR
zYxb#fu6k-}c;u#jFO@F8QvFv}AxYih2`2^|&HM6jpl}hjjZ^V>4dlSxhdK1QG5vRw
zQLkS{hnX%z4Y<G_RraK^shNA%#gs9#n6Eb9KfgEpu(+z2tWJjS`8e2p6rsj1##HE&
z@S8@gS$v?d^-0j?ni%3$l54Ad?~+uhEECIeKX~)F|31Z4NlaL7p`~yX$}q)M@2ebw
z=P!L+ck0&?EW}aZFJnlCjEfXpXSkg9|Lu{tsYSjr;C?>n#`Pd{pU?Cj{ffS-)nGEu
z=}4OC)Gue#yamLX1(e*#w7YvoMyBr*hX-$YHTXt7NiHe*v*}cI#6eR_s-!GCK>qOX
zxr1)y!9%M9*H84-T|2b>#EgnZv_8*LZW;ny%OZEkOodgfWjZfk#<-QwF6_bY&ojJ*
zDY$tG((3%4BjT$k^L(ZU<BP*mJuAl!la7gex>tBFU}AIns#4F)jRzAbt@(p4m-pd%
zraeB&-^uj_Ibf7|%4)n5>VgK<zoK~8zP36xz`b)&efDRMWl|o@2=34?YCxrRL$;zk
z-XC9eH!~t%d+TFs@Nv=Dj1yB^B*+nNCAIGP=XhsNcdSOOcR!c}Us-k`l=J%(BqBKC
zKEu7C@KVR=8HF2(5hs3Zne6)Du<ygIlW9#=9=<1IBVHd{#W^}>(fIKhi$m7u?;Dk7
z-ahu&LtBcPM{W&N^VXG+J6pHn7-MJj%vja8bP&hg%<6^59@nd+E69y|-2~lVretqk
zG~Up;w@SWXGq>I4PWshB;)*Jj1Q!?=bfBu}@#=k>{^?usDYo`-mFmRYo3Cn*lqCn|
zROK|P7zMFoes0S<u;lGHCSotAzCP$^P129;2ll&kL6&~*Q~&xzk*9uYi7yhHf8*-c
z(|or_S!zC+gxpgC4<;O+ruq=GrRMFntl%Q}r|HW}!Q^i`{(02fUuAWZrV7VCqVA4<
zIwc`EengsLc6ohU=u+?bB!zXy{to%*#jsXXPyG70!IwQp&u|MugCuDFnN_<9q)cbl
zoYW8Buo{~6wKOAcP`&!8>GEwa$u-H%=KuygoHj5!TlK!c#qg7Kp96O@$Ex2fPHpAA
z{W1B)GD!b|fyKIw{}O}<^3vs{@xzPGIFtQ`(O|4|)Z-JKVCuxvS>U>@J9CS3?0NG6
z+B~^@V-xK!=h*E5uBW{u4`1%=>iEdrKGnC=mH!St?~!YoKz>rA!%lK`<eCp6{_dv&
z)BmLuFS39*;iq(Y|Cg^UpE3_O=Hw#PgnxDUAEmnd=i%OE&6q!>SHiz?I^UP=2Fed;
zoivW}f2quG04LqDTU-7k_w;^I@{`kd7VhX(839z>zU(;mKPvmWd?G~Q_uq?m-nh8}
z$UVvP@qmA&$k_(2&-74QoPAa10of6=cT)cyaI^0`T-4Y|vrlio8K7lIOz3}z*g-0=
z^SYQfxlXk9=?@0=+>qq@Z?}T&pz*bd)i1N1cJ^=?jK7^x-ESXjM{;9#XUkr{iQwzm
z14oY<HvOvDzrPvzd;0{8cT)71uovIM?ml`{25rx%=p1wy-jF{ctJfA09=m-G@0s5-
zT(fZDyvE5tTi2BQ4WIgc$#VzcH~uwVaS#wAfA)nPQoj2sLRRxeF#6It%XaSE$!w`R
z8vg8j|DCjdbt5<<iyS}2C#WbjHI-Wx82;Cj*G9biu<pXCAJ3vEn7<L7jW<uNoVB^C
zqW%_S;D7-G&LOMGf9<}}*@OMB8(%X)(l!)!s<M`sPFnmn5VYvyUzu~SasuAco6Y(-
zL+i!W!qwnr;o1}7PG5|f{NhmY&_n6wjlEW4g8phBer+APjU;a<xM6XQvU^6K3;le*
z`|57Z2<?riDmt+GxeG11Z#>f`67FPzMjBS7tSYd-w5Hi>H5+i+SO9aKo#)$c=D|Ot
zXHIq607QDI*X9Br-7Um_ceCfs^xy}y?vLBRP^W;1+Lq+u+ntenZp3b%j#a1b58Fz1
zpD8)%D!Y++?ML&jSoLb75!j^D2k4R9l~**`8K{0haxYqiU+U%{dCu}uzfGA}fO?!h
z7uHpkRs}YXaR$Z191s!AiH)~Qqt{iffmXCtO)E;MJ1iba`uOeR;}wqfw=dI1vMSe&
znpP^mwdGRdKPI=(FA&z;&WG=|=OL7F|7;8x6PAM6Q!;gDQlFOElJ%M4&D$-7cF~aq
z*w^**4d+LVUSPbmA#B^@ulMP*Nc!hX{`6qp<nRZK_y>FRT-)GJ=f6L{Nq(>;y24J9
zooU{=sIcki*$=_hyTZedr*?jLGzJ#e??}a`*^Hf`*zO-6AD`f7S)QEI=Z5Gd)?aCZ
zM*2Ouo-uxO#-GZ*Zt2}Q;SKvccExA?x~;o2f#A_>f9rY&Q2H<A%B?;f3h4O1(dg=&
zTlK#O-9LMHxv{mOEE}`&Vr<ISYt+}%V=shyEcbhD|5y*}s=!*_E_{4key_Z<v51nD
znK>S%5llWvbf5e4;|W5)!U?l3@^O>@cyX0v*ZGeNTA$qAJ8T4#_AL?Ag$p_Twl+*}
z@`O!$b$?QGZOMH9ij(KdO)<&u_uk9h&)zjDgV5brZfbhbh1S)(54w6~_?+n<=3hV5
zbM>+Rjc6dtyVll;o|`vD%rU*XO1zC@g^eTiK}~%Dlb?JWk4<q#X|WSByStw|UW@tU
z)|1R17gGcs#Y?kyy+79W`S<VNxO@9Ypx1iLj5&vy9ZTHMbFa8)aL|d*)9tyf2hZQ%
z_3VOU`x@@3Xg^nB$He4!1%$K%u9Oi9^iyNsPZxfEsyD@0YEWHIo5Rq7uA4q)?^<8_
z^g`;-uu$D1VvaUP_+*o16NZl5;tj&A)HP{(@W|SE>S4VoGfxTvb_gN*KqhbWX0D5T
zUDzn7-Lu*&E&tPj*OOa$w>Nk2PH@um1|PVgY1qGR9&;K~yLv|D$?*B^`R})wGxyoo
z`5^n}29fo+TqH})e!#VTJXL<OzjWi=ZD_+Jzh4Yo?!${6*WAGTi2_4iX&YGL>kRi`
zcYsC9N3ZuLXmF}^p(P!8p1#OyMcYS@?mYhFM1SR+5%`SY1`HFXJQcq9SJx#glh&g1
z%GOSC-E>{uaBn*PV5qVte{;hmzWcuS7rTP4PXe>}l`B-9)83nTs6GZTg&iYHaEpM+
z=a)Pi8Nacrs~T}<=n>_nUGE!a&)8GgG61lr%zE`}wtu`mjdN8sZBE0ewEGu4H)NNk
zs{PZ<3!Y*E<_i6a&%V7ALnzjcTe<0o@5%lL)$9rEA7XH9!cVy`z4k@iTlZVk%1G{5
z(bySHy4^LsK;IWQe1cDH$=bstc^dn~hn>7?(zFfvqrz%BZYY8_y*2Sn{IK9LBu`qz
z9#M#1K@s5sxj21ncTVvBtk5><$xrMsz-R(yAk^Dyt{X&iA04CZqJ2|I^UDvG(0U%~
zV=U(;b36dDz3c-ypAkNUetEgV2~&_kujc_A9k|A(y-aey4%3Ks?@eHwNZ-0>nxf#E
zjJ8|SFLYlz&t0TFXhimk>de9#K`3WXJaa75kAiy_vOm!ES^3xL9>slJvPkkk*F#Vo
zW`Hw}jXogFLNfOI@VR5#{w~LFI%#XzgvY(Kd_$$d3Fsl^z`NFh>wjUJ*@rP!KhlRi
zwKq4{gZ92tNs2y>z3GZixl{jQe^+qumEfZ7^PK|yTTn=ubLIA-V#b^hu)uasp&*yo
z<)!;DSe^6A$C(Y6RfC8^_%{veRbz-tR#4HI`Ws|tu2|ZyiUL4BC9I|V8e?p0`4E*8
z!I^_V@bmeF6GHx`*#5rFONY34Z8rU{sGe#1KCj<9JDk_&C(z>c9wSKL@9-JTPC@5w
z>z4~}m@;oC>u(0c-NfDvbJ>@E>duB4&fk~%yTp>@QSyiPd_yyOrC==`aryY7(!SqL
z6f*|yK0$X1pR{A?EL{1#hJ;^YYW?4#I-M-RJGMFGK7hHG_^|n}2ZT4T@|wOuSy}7d
zU5YAVP0X%c9p~LsA2h4%6S~BEuG5F7>?8kAW)Id@6^EvM`&PAHxft)~6Gr>#9^t*}
z^_j+ojn`HOyE<m9YQ8mnaYvM3)pF>$1Gx3QdDR`vl$8sQESQ?NuBte<y!iX!s%3#K
zOA|hx_xE@&?(dsACiBLL?z^689WqA`6*ngHvucpjfP$64^}<l`N6hyAFG)jwpNyhE
zeiGI%VL{iDY#}4JaA(-ZUwh173ud^!zhUmq4l3I5ef$ik^OhY1nelKwWyqK;ATKeX
z%U!Z`g~a;OZ%Ux+oX_Y7eMWop+*iFJ9J_umt2h6tlK5#}y$RmeiC32vl&}`8tD+|R
z^_PxmuYBX116KQu2S&{d+v79z)@m^IzCiBz^~T9EJm7g=%g;!5aNM^%*)=n6`Euy=
zT@_s$z=!wQ!FUieFI@^rf4#60IDC3POWAB`mFi5-d#5;8+Rm(Z3j!YnhkSt9ri9Kr
zxu%zu?*1REfsl&ZdUnmA!Iw)Xe0oIyA1S~{JHu5YoJM-M85k*gZsYUvAlD~Nb@xt0
zU+vdlN{K$jZvI!?Bg;1cA%0~4Rq!#GKwF-zm{__isA%HSowBXHB2xywzMJC|!~)r6
z8JW2_e)GNUJ(X{J-S-KYq$RBHgzI+-;luCtnSHI-9zFxl8X_Ux$2=By1h|fdywm>@
zkMRnU5PAdm#U?;f*=I-Tw=FMynz`3!`sqJclSg~Q@nd#2M*n&T0}KRuE(rf$;USs|
z)>Nm%qbK3ViU;5NAK@=Qmu=<(gYR>l;RJ;L*xS6Lw3x9r`a`b`&E<b>=-XeK^m})&
zu{n_-=xm)Si<<WN=(1udckClZ0ybuQ9Jb?sowF}}RWn7>OCaS_!343p*((?COSeOk
zGoyPAK4Ibp0^e!IYL}GTOicH^NN(N(ND8Df(M4C~DAr~6y2@uE7|UhORKWw_K*60o
zCvNpxXyTK?O!HSD6Zbi-F{{Wsb<pLGRqfQjVH4qu(40Bz#}4f;g>6smeAVV2fqQpr
zd_wD45Ic7>%I=(4;55|3X3pckXfm%7_@S?zRlE--NB)0}vfg{HXe`r!$#QZ&0BW8f
zRwK@wD7_>&Qd}La^}haVNW!>&<sW`uyq?B?9@g*OmVt}Yw93Zxi}MplWKK%F`r`BN
zJB3TGZ$0v>c7v=j{72NU)`qc|uDg8)TOt}V7fiwvMyFkT+OADm9OL~vzMJ;5tLAOn
zCjA|m{PV=}U#qfSzuI-~3B8Fj+WYMc*CoeVE`C8bAHDqjv%?RLZQZ`L<=w8x@U%PA
z-(T9c>Y{Irkw0;heR%Hg<oDMiEjxxB7>XKh{_5XfDyj<I`F9qK0t$%Ix_)B%Z1za=
z8}NBS&zIdx9}IkUG562Z6|eA<LLz4-MR!a@yiELhsl5?Rbgx?SI;n@c?M}iH)6F~h
zyoi}@1)gdDJU>+A^HBSm@SqW$G^4(b>j8^h4sGpxG-ye{<G1D+a5=JMzvJ(!Z=M8r
zQ%(C?j_V_g7@IM237qq@Ksd?I5Niv+{p;P@t`BA3hpwGTOS|ipwqx--eMmG2+0-HU
zIcNQUr5z%R-!v9opX9aH?Z>lp{vY3Quds+eN>BC1ETZd;UC?oVPR5Pg`LvBcUDE!K
z@8#&cVjs+>tFZFl8#|Ml(;6pwbY^H{{luE4l4%!5qxN#+=Pz7SGAr~a@6!nAgZ(qZ
za@yP5iqe0a#Wq&TZ`~fBzGYk8ec#m+F_YUAF>dp{9aGl1Pr|&a>FTz9AHH^a{>Roe
zMPt{F{`N}y^~a%Et=G@Dgfy*hJkzi7(~}9LwPj15+-S38Xd-?hM(<p??c$dmms-v|
zemXnlq3?=3$e)&j;kVw%oq;=Qvvf0e@txlF`2VbcDk4a7-OKE&q(bku5ja1$eV=zA
z7ekZBOm%HqTsyoy^p4HpT0^HI$FKe;>UWQ!hu!qcu_Vo(axq}tZC0L1V?8@~#E&zs
zeH@%!i{FpEcX8K~W79mcHx5<}@#4Gx{;WpFb<34QyZQZ}-r4oT?dIp1vA^%(F8Q|7
zJL)`>{WQqbsD?+L4?CxY3>#b*nyNVc=GB$Z{slpqP4^G!vvou8BRYcXJ0*FuTaXJD
zeVvi}c#&u_y!FTK5sCVr57z$)ZCl%YBjte4W%e)3`==xQ8sDdE+&b`;taED~Jory$
z`}x~5UQTV^b^*=55&f(69VK?T(PioL>$_IYY<h|Pi{@`81IS=qv_1TAaL{E@OCB;>
z&~I%hr0PoR#e}D`$M~+9Pbkhl6k11p^TxV$^<BSy1wrFJEogUtZtimZxVZD;*CT6X
zh3`IAuUxV!<8+wEAX4;_ea#C}YF3-BG+$Wz-Fi_54OWpyG3|Eiw3*5BQ?pvDV>^#g
zQ{Igujq<*~tA1)9LLs*zwnsiQyGV4w{#CkjIj0rjuW386r}#ikefsZ%l|LT}m#mr<
z^P>cZD^8tUG7OpOGfShxsV=y0c(->QlV7=Qx$#ErE;sR$;#un-exH51`qXS+*T1>{
z?3b=Zy%-V*rr^5SwaujmbKv<?@PTfJJ+K>)#Gc&uI$uiPrnk%1=LX{4t5$q#o0f2;
z|JGmJoIYLQcV<u8_W8*w89U|4Zpi8Ne{ObN9erxyrd@}8a&B()>d6*d4F8mun|oU|
zgvCGn>q=~@zsDkpj{0OYF0j3c9sYaq$NF!fir7^9%xjwb=qoeBI(%I>rJV{oyQh?g
zxThcOxTj^t9{lzFQ!GinbIKxhqu07qKFA>h_l`(&d*0KvVe2saWM1q5tHeEddN2X^
zu6_L`eQ*5!i=vhLg!_sa_s8L*5rNzTkJf+ASRnPvfEBSl(|*)E+_v@C5OT)EwaU|<
zukK3u*t5a2`q|N6=rHJ;B}Dx615s?=$(!k84sI^FKelGgv55g1FW;Pld;Nmf1x|UW
z#;GX(=$9#u`Xc!u0dMZ7yH7cv!;RHe?Tf~p+U$e$Pg4l$QFtmYx6yWc%U?2i*$>p6
zwuD#3G3EUVAnb$i;8C9Ju=eu$cWFPCj-NV)VBZ6b?1wMD@a|$0*SgD=lG7d3=U)2R
z$M1KZJ;LUb_YRAmTB{pYFm^7yD6;j4Z_e);oACm0joY;?=YEa(?sx6!7E<@|x~2mL
z0FmSH%vp~{2isrQ#+*JhOKu%r-Lu+q?DzV{XHzpG*H`7X5Zj{&W7he^R}~*Uw63+c
zI+5zEeAIov?SGV4Rg5p?k0^UV;&tF3Q1^DNIXv~@YN4{Y|IT-QQ`$T{N>-_dTqs|&
za6v#7`tzUbsRz@qkD8PHdmG7BUZboKlGhhQTY4w!N%?1jDpLDM8?pFz^9k1ab;nd(
zuM<_pXP(!d8(y>PhA`<-aFP9C?O}NGi%VC0h0+>NL)rZ68}?SI0+(~vU9j40KLWci
z2N#tjaDL70rHsxB25Dl8B}y0^+_Z^btgl$Jwy>YHxEg=r*0t4+A(!vw=6*{%S+@|u
z%5*Xpf;~v@-<vDHfLhsI|EC8-n7F8fJ7+`FoD|XWKTPpj)+9dpN?&3xXIa{Bu#-@`
zzSY=x*K+P@9K}CWAU6UYm+w0>?C>VQ66gO@TkOrA(~8tJoIEgH@$-25R*1b%l1JqV
z$c6qdVpDC`?at!S(te9UwP?eMODpH?T~}2O32evy<&atbp($k7xe0UbspnmROc?Yc
z3bMa1#;sBY2^;ugEo=OZ-@OH>D!>d5eT-frEAr{MQM>4tvxmDC^WnA^PP)igGXz_I
zEek~-yJO%B4TSIV%i_zDPIZD9hX8UN%9>n3I6|)~)=CGLzz@v#t^c{d?AFC+?SJ#y
z<K!3TH(hs2=-z2huL<!-KY^Z}xFMp@<ZZd~)rsZ@B_BS_Ii`KH+#sz==bJjp{qGN-
z+G&~@HdN^D#odfT)h~Cmb`%{ggcpd$_KbwIxSZRXeR=uRzzSgZ;$Z+>8p>y1Tvofc
zcxeBZhURoOZp`U_91V{(2G&k%j0l&zdd;REmY)ZI!YnU$`O?z%P28Wly=cQty*ECx
zqUm;#&$+(m&!3MfU5Jw$zR<5=%-ttlO|tpxPd2Te!}43{7q$Q7gWkdqphIf_$-9}C
zoj32@a!w&L_AKwih=s=Xmh#l<Dcjq=U7GvedJ#TXS>5GdH0=GwC3i;No1{1%n|CTm
zoAle>I`mw}t3&tRK4B;Pc)ua__C~+7vx(BDUt=$P`12}!=aR8Eb|6C<4$UyQNM}DL
zF}gg`6q9Gn44!&n0_t0-YE!Z$YxcAD+o8=Ht_)8*|MHw}>C78Dt=B8Qe7N;z;<293
z&n}MZC^7zsjqDk_FE*L%IU;9n%j>R{u@y$+1B<?Hr$2njYuTsMA4L-{{^u;f)Siz^
z?r!@!x;>!SrJNi#KRO5SgOJp&drzm`e_s0Bb5Zz`x8eCQvj%1+AucR_cAjt~U>o7-
zq@01?$&mc$#=4px<cH}CPB%SoUzGIIWXO2Csr%F8)>-7=AFg)3e?<W+7vCXxQ=J|1
zAWF6G(X(Y2oeS(`A3?00Kpg5B>$^Wa-)+Al&Cs)sne_7U)&c127wq3^x+-j=Nf$i1
z=$_+<!qr5_(z>SCE~5Uc)`dS_6O*<ytZT8V`{y?-JLJWdjMFta+)=r0FM^u4_1yfb
zVNc3FAR77bjqk(N8{Fr#2IkM0dE|VTSM|ra(>xk4Gt$akAwN#12yW(W%Z^=qg)-pU
z*)BR7y0z)i)X(o1Q(mLr$M(AdSkVgC@YXwC`899XI4+zcy8k)oqnq0OxH=2ukN{Vv
zH@U7FglZdwb#>rA#+s|gQ&<3KscBPdmW=qczBa}DMY7S7Q(%Vjli$p~cdGO3BTL$u
z)YKN6cCY{&^I-WLTk6@adopg`-Tp68keI&Ei;w1J_L>G1?!mSObo{JIJ+qhjtgo89
z*R3JE?$7$bq`IrH70c&Mg14?&73A7^DK_)O0~%B6`|6rkTAvzE<l7%}PW?`~`8kCR
z-@2L;yZo*fqixBX$qUkC3$6-Q$~O9(yu*y3BS~ZgPSyQfr)?_9n&;1Wh34PAKIr+m
zl$KWn@JxK5CH8k{=Q}pcR;%u6C`+WY1nO~(y5CdxYMv~=>$z@U{mHt`4Rs~IV{g~B
zJh?Dn{n@bSUr{n#*9}P6kQZ+4XEW>no{*?)0WQXlT;SR-$hFm4wr3!Dlyc*`z~y&Y
z2*HRrifd~VW0^AC^Tr_j+U2?4%tZp1_j81TpLU09XMn5TMQ;9OZ+v^n%AFIyxgNJK
zxnacRfu9#o_*46*V|Ol+w4E5wj4k#Cn|^z+$CJOFA0f(6JmR{4=$uSiwzF%=lJvFv
zv#xyql;o*oY+Hk>`!fWPfDoc_?~Xsg*RSrk{CVx|e_`V({eJZ>MEjEK`yef$Ti1Zy
zfo*YLm2+Yyc(yBo5AKWw0c@U8i;;JfKqkNbwP<FnB=qm86(6vB;;W=6`V{O-KTCFv
z?pHuhg9bGSt=wU~riael%S-z<KXc5oU12?!7j9-%1g2}#IB8D`$Hsayq8a0T8TtO{
z?iUvSbPxaiZtX5o%fbM7*PYluVb4=4w-x>w(yp*PO&?63UE1?!&-k3%F7Mg=)YhDq
za#hjJsjV9M6VbPT=!!hU&e}mU>k2(n-+%bf#_b4r7+e&={1)_d*o&H0bMueC{PI7$
zAMR%E*y#EDNPft<j6x<&3#67-XkFhFbliUAM&V{D4rJ%;*z~I3Uj>eM>?doHeJ1y}
zGjPQuX?#fx$kz++BJq}Cpir{+*`vB=<4dO6*1AV{p82G8U1^(q&MRfe@o&6?2O~V~
z&%zU~p1hckjISvHrO4)sM7PLif9h7WX!kM~f#*MMtaaCz#(;mK7(I?RU(S42K$#R;
zKIPHvnSmd=t!KREf(@p`tW0lsW%a(ypGyZgi#QuVM()4k!y>Bhkjr~CD@qQgNBDYV
zuvEx-D_4KX2`)k}c{%59Q}sal*5IQ2OvTap9pY#~^U7O<;#nXQ#O|7L>RLiio+!1a
zot+ACd)nEx;qqLXko@M?osx4t>oDu0vWuUCRqZ<C%{!!X)a1g!H*R=0Oqwr8CS(>z
zZT>d7<ZI8S#+A>G{yr`el2;a;nHjmhGk2EcV@p87Z!OrJB`r;zg_u^8f8%l8X|Lk7
z>)k&bTb(sKe$6}Np>!`W*%zz_i9dCT?e)E||J{{y)|$bQ+L5l{-+$WYX_A-siW@ld
zi*W4;)%WXb{lIqK$<bAhcHJs_cdVE(_665{%O(2BY_Nr61&`93kNXTAe!Q6B9v`tV
z4Lr-n1>Q_)t!sWV(GK$nvicv$G-clj)tkN+bbNl2<;XlXTz{r3d-;ZIUp^T1#&i%M
z*T81m^ey1bagopTV^cw@4w`)VKXs6TsHRtxed)6YT_(6}@B89b?esBIwQ%`*9;D*(
zHs8MmrgcsNGqgFP^K#BTbH#(+ip75wu1IqHQF!pp1$^@AzEOQ%h#~7C@BXm+K!;VH
z`l1;4w;1!vS^T<j7Cv|70>M7`hPlJ9k{BHKWa}Ej183F53Tge}NeS<6u*c#2B~wNq
zyq`#3;~ogzBN~JIC_{#xfmAkxrpJx%r6P7fMdaTX4*a;^=Od(JLWR}gy4R=ro(mTF
z#>rwPR5m|N1Lci<>7r=&gWuowt!Ke<+v61$@bF%+Z5yTeZo8fYiZ`nk#hmYDZ*NKA
zyX*@<tt{8=XXt#>*P<JRaG__~aXY7Q>85R6t&<?lmSNJJh;4dM`O9(coIVcqT6G?5
zU##-pe%R<7-imK+o$RE5$(GfYD>D}Zl>n{$=>K>3)ds57Q3Gc+hm!|i{*~udTX>5A
zw)mu<Xpgd;^(cP9j1HgC;c)pwv3msRo*eQPx$Y)aV4PjFVkOIAC-<4`?p#{Un>g~g
zm@#(P<2faIi*rz2P1#L<r`%C{R^RV@1J<4-`3H{Nids5w=;t+o9|u6)DgiTU;`W+t
zE->4p_5<HX94k&wyc#p7SMH7v8>=&V2_!=Cc`B$|fi17F=M!cd!6^alprZqfE6YUC
z_s!VcswurCzEBX8x0((uoW9p*==D*oRpn0hJG<bUeWO#6^JlJ{k&X^eW{kB>qAZ&V
zs+urv;j*n`e-77N8oPE()$_Dp&f@euy>p3B+xe-lvZ{Dah5PMZ4-UO#xmb4T+G@`<
z=?~7~zg~Fh(ok1u?^kegN{efqOYU7&{-P0EF10wPN97z)dH=j-+GCgXRXOz~z115j
z_UYf}L1FA4@7BTi{Vaz^FWcV%oc3t$M`em<+TwDr`v=$Of=O`|bzqLkS$ET%TRHJv
z??i|kJEQvO$KJwfmGkI<Zqks-n0@I3UZjOEdJU%QTfUkf4Q&4I(g=OX`(B$LTp$;O
z254RDu9l~de{dR`<(LhW{Nb#hHm+WowUi_uOxdYj-7Dgmv%6cbJAGCk^6lw(V@DAv
z!1taiy!>?FHuj1mK}EcIZ&zKfPlo7px^S3xr5&Pehh>%Y+70XM@_}Ju+1ZJ>dhV6S
zKYW&rU-WsN!7%IJ0zKF$56h=`;(QLd>2XnM8Li*G{?R9U+-a>}8QydC=M#N!efx>-
zd$KCkqy7a6b4*i~9?PgId}{ZrpSEHZ2yRar(3#pW>isR0{G{KNqt(y_{iN~%vDwSw
zzZL|!PJ{od8tUI$IxIQvGhz6`K}#1ywz*923msTVgghAkeosX(q5$LWtOnc!t0bsD
zbkd{|H^Gz-e){?n^S9v5rT~1@H&|p%;)kr0VFFxKNVw>c;gt9N?(F4v&lIPR9hMVV
zaAay|S$3G@6n(|F-UVd>h&c;Ed}tMX(B<Il?A6DXxrnb{W<Peln<#IuZ~1oLK<K%i
z!&Ty<ZVy>1>Rr3LfJcTbT~IdjI6wjQuN2ITqv-b)=I+eJPi`1MAzyI5N`;*Tk@TJ`
z?e8qML(GrP-joRTMKm>EQ9I7l8aF>k?3gcIUOIH-)v~JMbY|U%+sFZDJt{*Xi>jbW
z4ZWu-E;x^F_|1Q54|2_eORm3XO1b2tpcMNp|3=O|IKw>>R~+}{G1<nQct|$~wyv;r
z=#l*yU^0dQKX&h#fA3TtJOUSW{Qy`<l8<uT8)Dj{1pB~%LiZ{9S(o%vt6tcg1HAyz
zTab8l^G6U#!S8D|ZtIqpZvVZvaaDJQ(`wZ}YQ0AK4UiMMA3e>zu>Jc0r&=4l0b=}$
zsyz@e`0{K=g`aG1Y2beU_ooXM1Lse{6&D)Jn;tK5`|dlv`TR1c(O!dXDroqYGWFV^
zB2Zs%ir-%vSX7q_AJ>Ee+lkGBeUF?d;yxX8yD)m>5vj9SGUn4q#;Nq>rRgysw{YBN
zLco&h1oZCXjkaOF{%Ol*Z&ZMoN+W@er!UF5JZ?nV+_`i2m&9I-`BrlI;Q>Cnv$Ipb
zaY=jgYxfT+?>>C^FzN}$;MlRHXK~r$p6&;8Q^W$UdvfK~DZOjgWZ=_7&HT)pvz8q;
z6!%E3)ShtP{rULa!Oc<KC1YYiez}r&zIU1!LCY1ELBj@bhj_F4CUQo$zw7n=wCe@{
z>p(fhr_#}2g|ZPG3YvbVuX^#zeqBZhrtRtMJ)g}4v5L?!A69-S&~?4<jhJ54dks3I
zf0~yci*X6t?v)vOdieW_ryQ>a_a4#E1o6n<E|A9l?j?iVzFaxuzMHQCkn^9}KLK~F
zU)Ma|^v|J-iaxjP5igkEG2e8U@cF=wGd|-V99=us=ezIFXDuhQ{s+(=<F2`$Y@f%2
zdF~xQJT-FmR?>h6hBqDC+zv%IFFzb`uHe{SvfI)O$Rr3ja16j9b<C}hUi(Z3Lf(3H
zKxhB3^=S!Y3nc1USKF=Hh@X^O;~yV`c$GB@pfk$DHuOU*9XB4|II8IvAM(^-E9+m0
zgglwRaJ^?}8u#i|9Hb&YU5$Y}eqh+#R6o%u?DniX<FovW1`-LuJm`vnFL_>_wRu(5
zCFdR(z|^wlrJ?B@_qQ#wx`7*0N)~Eo_WRWLh3rqr==ldzGF|bGpnzFv9lrB_&+^{7
zmEap=G0D=~54heK3)!>q*3RHL=XW1FbGv`f%#Q<0$5z5276_vs^jZF){=-&2>vbgt
zDAoRTW$4EVPm=mB#`*UU7u$tJj-I@4ir=3ek~>%zOBEr*@9(;`V)eO|Tkbd@AJMIE
z&$^y4&{iDtPkX!V=Vr*;fY3cR3DvV9BO&ihQ;`=iof8n<%1KARO;ivE9npolPU)N#
z8q*(o<|`$0^iTPD%AD+#Dd*;#991{a!~0ZejjrFj3f;K{S(zj0Z3xE~*4gH(odK_+
zKjGSV^xK;jEnCxl*t`8g(RaTyOKg3|Jh-{Lyu#GDWzh!59oT36{i9E1HL|kvdw!np
zn34Js`l%^g_0+BD_K1r3YJbSh#AS|I$hx!FGX7yKdD!YjTxwvBnJ>!pozQq2rK1e8
z%`I45w+b58(7Ovf5fHIlH~SC2N%GK-@2;#0y_%k|=FsC|FO@?MJior;^7Nu%BVuoj
z@55iYIYmA9eiA0R);+3wL)pbL@@22IS>p_(UB?<=LAlx)lh4z=;jfonPucyzH2qZJ
zhPK`C1Jc;-D$n8HFnipv?98oS*Nu6$Fci5qb!K*d?9t)xwLhv~eK>vp_Lca~_pi~H
z?fz*Nmj(CB6B|VToNq~n(E0h=!T#qzQwN`4gUlG(nt5jR`}3@R1y2VCoK>!qoS|qv
zAF^-{%QVS<aym6__ZFS~_4FJ%|NDZqQPH*K-)~{fv(DXiFED$jS8S!fzIBdr>w6|~
z%AZM<sO!g<DK2jplKHIQNq`8=>mvjQ>~gaxHP%1`iZuG*X~_fSetW+D=GJq0i{)X|
z$urhuwXi2GeVtK$p@5wXrT%OOhrT^f`m!e|?{TD|hu)p&udZluf0BwRQ@WB!VRh;B
zY2(!YBqzjV?>pR6+u2pV6{-%#eyU3vfh1L)|M~1QIWZAU&YZAz$DG8%ix<7K=6=hC
zpPyKH1`?xn!KzDk{kYGH+4s+RN#Tla+B%Q?u_KdXxBT3ySn=-1INC!SScLy9A3G6w
zCwoatYD3CD`)7S6R##2^^ycYc?T+melw?HHb;YYg-C=3)(MX|ygndA2N#6RZ9L(ue
zATd=d@wu0)Sv?OYP41*zD1CE@@VqTzB?26jKGxZ+_P4Yt>W^#yM^jrjJ~6qe->%qr
z=Iu2v>$mX<sk`A%kXgro)(>AVi<owPl&|ZYybD|Iq#uf%)>azq9dtMQ+a~3nApNe;
zPo32KA0E?MyDvR~Ft8tri%PBUd5j&iZQfhJLAx7I&se@bwcPpVGtqPBvpz`@aE89K
zdP>d5{v&L`SF2qM9Dm?<P$vRj<z5w@KDqK>!)CI3)%SJvKi!vxCwLyuR>j?~*I9*L
zX|$I2n=X7#n%JA6OF-&;+w=*88x#2$@t%G_m<Ii%FJ1iO#$3VVL6?!E!XJ=bH%)4*
zZodONc&2QfyH}9wgRtFIA9okuY#ygRJ!)-r#K{GPscnfTva+cBif?uAQ|AA=DreS*
zzMlPa`I<`^<I!=ylJ3QP-BmLGblm+twBW(v&-_x6Gv$Jq!hb0KrZ$6kziQvBZTG^@
zqx0x}Kjv^VkhJ;T_t}08-AlHub<N&mk&s+B@yL5)-&113BGUM=g_ARCjvN%rak&C!
zj*#49RlbS>ZgL)LeT%?;d{|R%ojhVq+e-bq5r~zfZ{+*7HQ&Zvo{Sq)m*q+lU#SCS
z_ak~(-Q3_ob4tjqn{Cju1IUx8@zXtOa*Fr=7|>uFR=~!owpM-?bW6fclq@cJx8h*>
zg4(C2)_HWVK|abl`*Tgx{gY*w^@mrlf70GM^|+$+=+RjraMd=y?8`eRosr}Hl$6s@
z)Dh~IbBE#lcS1}9NnYI%8Pw)CYx16(kxwPc6KirkJK(3cQ6r*H56RlQ*1akfeWW;j
z;hK?+G}(z`La}>Q)XI`0cXB?@d*c@xT~}NY8xXq5S$*yUb{=xG5U*<6^0dU09y@-l
z)JKlgi{wa}d&DBs<_{Zdr{}wks3B%Mwu>_aKQ~(5+*t;DL}&_rx%UA41K)ksMi6{D
z5PTjJAF>Yx796GWdx}S+<3@<b%WGZ~WrgLRt!v5(kE!#l8Uo$=q3FQRga0fOj!t`Z
zz5L*@r#Tm<jNE<&>{V023hw4(uC0&n-lM`DWm#YI?&0(o#W{DCd;Yo6RX@c?y^F4>
z$zS>AR=^<NXG(AyG3prJ!?O@Cj-@7gWohtBg=Fm9-mLEY_XO>Su5rWWoa`tYS8zvO
zY`1czWn3=_h~E=5`t?e*$J*chhj{Hi9eHx`*{lf_MrqF6?Nc%^(M6%b);@>ZCY)WZ
z@&>6s$jQp@>yZuqF6#zo84)2R_bwd`sg<oA^9uu68~^T3^^~#dD%bi4FJGNLdd>3>
z_s?VPy!U8!X7R!k;0(Jpcr`d!aMuBrXFI;T%y3-~NXwP4HzLR3?;Z(0ctC%ubm5+$
zp^cC6F^4zqO7-*2zp)i6?J5~60;B#{r2szeV;+RGQdv1^+y30|u4vhV@BzD@%zSsi
z?_=YZyTj`iEBY;Xa3u)noHQI95v>GA0r3}89w#>sf~J<VhXq#kA?L62dv<o$;cH8y
zCZ0m^C%Kdl##>r4Fqy{<O-RV`iT!(z)pF+iKXkoiSXEKiHGC*JlpGqQOG-MG?(P;4
zl<rcbLk`^~NJ>g5A|)jy(kVzvmy~qZw+`O-b3NDhzOO(0q37(g_F8+-HRqUPj0J{T
z<6eIl_{s=-N?r5Bkw;uHW9q}sBd3|z>h;<uu^aZEpdpt&?w15LmA`_?=~WlcMx*fs
zqVAXe$eI@aId{<Y8z`K41q<g#&vL(o1YH??oqbHunog?UQIqwx%Xs&LE<hA6VX-wQ
z6k|C(VvTDjYF?M{9YoS0F$|V1*h5{Tlb-;-^I-D=l2mJ2^tq6cXxvpX!z(I9kzA4Y
zCt)n^0Q2*7rT3RelMu5=Y{?VG?Z1CJyA$ZYxUZ`not|zr2On(BAZ21L)Ch!?CD40~
z6kd+J%lIC3mSkRjZ;uB&CWMNpiy$S5&guEqpP3`Jo8c-QH<KpDp2xZ?T`bmw+{%Fx
zeskpwNrhAd<h-SfLv)9Nv=Bt|A-@9}7YF*Cl{cN=Wq%j#|1|%3Z=WM$wCk7+m+!*k
zsbhkF()JgY4$2R;qR3{%ff$f#M`5W+kVm}!ATUn$uGZ;ZMfr$-nT^KNU2Z>i_L7R&
zC<3@`-bhv?Ux+Lxw*87_v~S}0{Z2!cyk}H{@?BR4WRQcsX1))LKL(iUClu#@rb4A2
zTj4_@=z8Wac<9t%(>p(adg3xa^R=tF$~qDkeZ<=SgP>$-XUN_zgahUMX>UY~PfOpo
zs@^vm*Di?(4@&Xo!X9wat)K;O+m_%hWEPQT-0>y%5YcX(UbwK^x9<@y37wl2%H;GJ
zU8>+(<ul3Hq`0Omff*sB!0n%pwjSKC`f1odM$%|{7-SKU&*`P{$H{l`-O1!e&d=I{
z!S4B=pQqWSTok2SH+GM9>TKs9t6p&LyyY~1PJ=5+$MqGZu4W{xsBkmbK#Pw#>a-U`
z5K9$Z@o`2eW|b#+wxtc6#$8Nw(qbO6lYBcp=^9@945yS{8YBtsrs)K{6z1|rOKK_2
zyQq6F=(UP98B)Pkg`4~*Is8dIZm+1$?&;4sU+Qi@^=8hMIwqvFB`trBE*lH&t}k_M
zW%J>lML#qxC5y4Q`CfXl*ak3tSpBhl7dChhDXDwmxfxz+ZN6>7Yoj+B>=pA28IIi-
z<nDgK06N7XQgz)(9oQb>W2yNr)-n|wN>z5^cfXY%(jSH=+DYv5@SLx!daHz|;B$>|
zXK5Do*H8_52CHfPpLJ2ue7Z4y3d^qS42f3Qu3NqRhceMUSZsJt@gFDpq{v{d%08{)
zhd&YDxojZY8TDrvmHL}|ApFJp>+uVf*eYH&9T3q?9Y$O=U`6{+;t(qasOdlz$kl@J
z9Fs-(Slg$*lJ<8$I)*AvqD^))(RgtddmUdEXfWWL0Cw(pTy<p^abeN>Dr&y|JRZe2
zE=3`_o!{uJd|m0rKHf`RT@;UDl2$iW<_&#9X)X^Pm2qD>BLr)aWEx3TrY@P5%)_dw
zSU=G-PUhiCdMM`fnYMbW14HVYX+~GN`z#?GpFR0e%+^P2Ow9J}Dz3k1N!5v`rz#$O
zo_89CmuaA;@V_5U0Cy#NyhD|Qs$T`oJvXBu8L6Tcsw5OpAg7J4Qm2QzE<0IC8|!Eb
z6&iBB{Sln|;j<-~GG%NH&@G|y!c*0sYoZ6dw2KzI9{*UZ^8319<&cod5H0szBIo*+
zvc&moW4H!tZqaxK%as`F^OUma(j5N0>5}?>e?%okqX6RDdHoM!{<Q~EF*gw!iFqs+
zXq>jPwiB@FEoFvCW>Y8Ii<IRR)vx8Wd^=wdtX^8e7x*Q~ufl<xX!<%$YTP(rbksoF
z=ELY(eJB^F`lYYXKwoERH33-Z{4IR$FY8WauA{F(lsxyD_pdrF9{q?@-}Ua)t}y@9
zxIWdI2+n#{ZpUXuycS6SZ}2dx<mliidC6+evii){DtXe7UW=wM@^Z6&Fr<Jr|M{Tj
zQ&~i6jE0CkxSqzzea5G`wsJr74bjFvK1|iI9P<s2KO#PNH+w^);=NE2;52Qn&9yU*
z{<e-azmmojZd=8gZzZm{tWDMMcI_rqlD6moREjHtqmzkjNEd@C#@0jm^H2K33+86t
zVSO5p3guIqzSCWWAh2b^*OtP4!Zo}W8apEKaFOySlX3t(={qude7*MFZlc~yK1g*&
z%6I=yFy+jh!axShZzjbK{;*A+9M+5@=h2}FwSpA2KIL})ZtsTW#ivaF!{_|#Z*WT;
zK<e@S1hG$xqd{rtk;LLHP>F{Zk4z*6yUj4K-y-R?hWY0`pV6PGNN~@^@f1lxq$-IZ
zw{&xgmk>bqrRnKpE6CqyjBiSqBfel4E%S&yGO--9oT2s+F<gH`oK)Ye39)g*rUBGh
zUVDV(O@a}8TdzHaLM8~cQY@a(=0T&KWMDJfI$`d7<bH-jAHA;b>QH-TWAdK`{RfWE
zpsoB$-SzQR=971<Feri#jDl$J;WA8lhP>qSBS{qeIV06lX#Hz2K@2Td2HkRt{(Kv<
zCx9-kj$ZMF)*xVH(tlYj%)|2^b2$*;CGpyCP%H5kzS{~sqoq`x4_S#hsvUOTFsyMe
z-~{P6`mg3kn(g%v4%=-%`?y^)NaFnlz8|fH4{DukEvN>QM+o;2;vI<^5UcfOS}06z
z0KkzhKAQKmU^kL3%US%$s97ZG=^-O@;LrP$tcOZ<)PXpVqHe`q|I@~i+1Z!`difXY
zgIRxece~8vM2mK2?=KibJ~Lvgea$i$n-u;^nztQ-m}w;tSt=M}^WL?=z+kz`yB(l@
zsbq#QreWtFb!}llXBte0yqaH<|0xgtHG)*+f7ce6|3_^h1AB(EfC*`gZ0q@lyZjH@
zEV`Cv?te9=tuAZ2sr^B1c5GtetK!Y<=&1WNLV=`ZVi~|;PEJZ1pNCaL>YQ>l^XnJU
z`KR8)Dy5s!@7Eo_OifHoyh!{K`r74FG(SCJm9^-wI-ffeg3P|5vt`dMi13%}SOAg`
zZou&G*lqb=B?E)skuSs?Ng+8Nh!zmh6iBXUKLle11qC5_*_yVf>+7dN+b?jMkm-xS
z!z**)NZoSmjSu%yhY_W@F6o9WzDAPaB>Xg_ZZTkHYHI3WF)U_47XpB=19L-d&zCAb
z={&uTOa~`CGYFOgDuCCN>b^`$g7WLQ8T?_!H~5N6t=6~YdQqO)oDVR+Pai&5k0S1R
z$x2sTlV8)2_v}x8ToKjsei!v;drT%Iv*VGm6;B!j?(H&zF^Gh|N@_p%UoHSL3JOZY
zc*o+lTTXk}=)px?GuwyVKL8dapdy;*QTi#C+Mmvk)tAbtE^2E%lpRCFrq{iH$S}*d
z*0K1LBk*14uAV^bd{P5F)g1y##Lx=;*R(?bYsaEpzSZi_7lTW01vb8FVYQz_$}6pU
zh#{j82jw);5v;DeeEPM^lyhIi!!8bEQp*p$iXQ2uk!{wW_~9?+nIqfZdU_$UydQ{1
z_jj9EXjif(rWEyI@9PXg;%1CX+Z=!L-Wm&*e7d?7b7HrIC5~BDnY1`)?nm0_GM@A!
zck!fmpYCAe_aJPbyi!@P0&TU0`*~iM`0p#2*FV0WKiSU!91}4>Ho|CkjbWbqfng+Z
z_Eeg=w)<JggDgVfasHDh7ONv}b5u6`U?ghbI_}7ZRaPJht?jX5r?%&1J}a2VB!G*Z
z(7pr}RN!GbPbrM?Nqr}cH&S5DY7-CQd;c#)6>{NNJP(8q7x-{c9Qr`Qx$J8to8tVS
zeO^ezc8F(;IS_1uNbzOkXi>c&$9GlJHb@?^Cxq8di0F}l&bcKtF|j1X<U(6+)d_`5
zR^Wqa!%N$3e|Y8X0w~pAX<vY})@0C7t?UjKtOCOq?rTZ@rVY~q7h3{<AudLQ59c8?
z`6@`>io$NS;vaMDr@bOHm0Ho*NKP*w+cB6WJTgE3`SO16XIbpti`I#c0yQ@M$B?&3
z3!O)+O*nTW9RimYMJa!As6qyq+sjQrKb$|o40ZgR!eyyL4}X#j`lvg!$`^kaA#z>)
z3)YbENu#HOQ>u3ZqrnEd!1J?Q2R*>go)VGssVDvfcQ;$>e^<Bq)@bjbk27`H+xcPY
zH^9r^DTwdeOfJdC<S7-KF4nlff>h=#`pq#{Jx9z}F&=nn9y}KA%GH9cL6cO8q=D4o
zh0yv`UyR@!DgWycS(4Q$hpCwZMrdEF>`z|f9Haj36%5E<=WwOj&^+wrJ4~KoAtZ1s
z=2sNALp25JfeM*Poy+sb_hu_9zkVe-2+KLZd%xSeUR7$)WEM1L-?P39xYg7s*R@Nm
z&;gu3KibJ3B*>kA{XLv?B6B4Cp!QCd5d`oX><&Cj9(q8Cr-QOo^se|#18au(kig&b
z2ZV5{vS=$Zy$`XD@~~2<2zKjB$l-%6d={wis_Ka{z}m49Si7+%m9#Iky)wLA_-`GG
zb=E6AuS{8Gu(VI)B=Ua}!t3i>bzzZ69}H~s=&%_bkH!dz)ZNJ;<aZo+7<h|9|D?1!
z_6l2$bxCV4Ky9h+UM`yx={Y<p(E0sL`|&J#8Bp3lL5OHG2sb{-d1s_aW{Ru&%Hw_)
zxDQa7Qtdi|rb*_#1r$g#mYMcCM(5LEH8|HW?Z_j<0{js{qJFdI0s)z}4@3@G2->>)
z(!aRPXpbE788V5nFpngHu@EBhsfY%9jGHeCWLVh9jD&ElbGh-+o*a!bKT9I`?=-RK
zz92pD+Mud|?4P-PHyC0O_dbb0AP$E@x?-)Ts1aA-<Y_}0EupZ}BW*e1zsL^|{Rkl-
z#u)}J4I;GX3svy7y9$vMbs7&&ZLhO=LGR9tPVLLp8Alz*ZQi-C_Z_z@9FKl4RIrIQ
zdgPwNkIw<uTQ-NQB+opNggv%ff#hyK%Cvi~QCjTw=VbrsRu)Ah2o+w$&;Bq_pWHQz
z0CB8~H6P?JwTN~IPzZ6naha=l{#~r<_3oTzyGlp4j)}-}H19CjMPGm0GU1nfcUuv#
z7fk&gK!>MuKAg?RpPX^7)&yH3u73Ucbvz0-k}af1JuMUC>_A6j)j<!IViO2Zhof$*
zilR&L5}z~>x5jpQ5co71blr(n-xr`(Lfgf6H#Zx+fqr%zeaUavhuW$?E$DDaoceON
zB|tIElnODPm>T<u7r#n%J<k@y=)X5MG-OkdlGY)&iW5D?FN!8s%<u#Am7D-XK;6lj
z>#X_T$vHKx9~^EdL85wvT5NdlqL?C042>^A;3~vQp^GW&B|b;Xm0PCY$&}Z0TP+W)
zZl`v}Wv6ChDL0JjXO$jO8qPv0S-S1I262jQ7!^WCSu6sU=zlnvT444n1s8oG>nM}D
z=ZZZ@cd;5dNbk*_C#3S3WBcya;I7&J(vLLZ*BsC9Nttc@EIjMC7USKUw*UMJ{1JV^
z#l=P0nva$yFKGa=@Q?(n@C@-dSqAQ;^RSvnMZtQ9>bd>MMAXT_ThfGY^AM^|F5ocf
z=yUp4^lT+by%U6maFEuFmvK9Y2nQh~s3ayY@u+<FB(cc_wn@O}QieZGh!z-Y$*m9N
z#3AIUFFv2|pA9EdJ{&?M0YRD2vxcu;Dr5t;E6*}qiQo;PdkTn6?$C~r{EqyVh^K%L
z{{U#Gem-VqW@qwZ2YA1I4+j{@^{)G`|Hz9+8adU=juZVQBPBgEhv0hVx$M1VH(H~1
z>!!^~IGI1|6kI}RQ*Zb#yQjONIGahei&WYKoA+bdr2RzsydDT=AWUb1bWnX~XTYwY
z%3pq;dW9AGW4jKzs6_m3qe6ZP&|D>8s7t7eGbc07ExRoz)AsVlo{J%M8$}s!xRT|n
zAMW+2`{SFQ_v$lfogIGjIql7k7kBa-7n7%W#L^BaF#bpg^Y$@!?#YKlqwblaQ@+%g
zpbewIXK6LP-qiOz{-wX4F@JSWp2~|MR_wy2X_<1j)wPQ<j6h8YX*b~Zl70keRpl~$
z{??D|ADm9K+*}NjHB+TibPi}E!VQfea`RtDLb#f&r4F{3JyAl!aj+J*9~DH8YQXWN
ziWb~nB_5~*D<@{Dl}6H>{SPxN$<=puuJ^*kv00v=EC@qFxAERV)=!aMqQH>6=mPVR
z9FX=r=|8Q>L;R7!cH@CONuJ7c(Pw&tKO}l;TphNQq%IcGMIAr^B%!gG^D60l7`x!z
z`Qk9eqfj%p_&sd7>2NUWnZTL1P3g4^l%loPafZu!Fw;gYnp}{hQqNz&ak~0XNKgSO
zlOHkrQ}`G2E;*vusGFCSyLnx`H`DYBTXUcj%_PaplCO^vU;5i>Kdm6=>$-3DUF=|_
zH^XXgN%(5*9B?^vdNb2<JyQ{U|4FgM_uP7*YL1jyyO-^MVY~lHMECZS>?#C8jml*R
z4_JOZZ(oqs>rZSO`Llq7waR*k%6DCOzHMFn*2`h467BXp=a%f%IS46a0mu3QAt?8S
zAb{vPLhYntnsaWCB}Ehr^0_XS4+@JdE9y+LhD?{`L)*oj3Vs+;dStIaB2cn&xo2#S
zliL*W6x|HvYj$xbf0rf*#dQQ+Xp6!S5k}Qnul2061$0^7J#9JU*R!uk#Ex=tOE$Xr
z=zP{8X~+wYAg7Qz^470NSHsVvOMs)$bs?u8M$XOA2U<;;L;8{eXP=pwylxm;ZZL_G
zZzKy8S9rUEd74R6k|-D<4cGhpEQV3}tqh*!RIvNy$<7EjU9ZK!rs(N!g6sOt(z1K>
zkq5{x=9;_=>b2h9Lpq%g2pB7>X6h2Xy*eBje+<&;vxC$Y3QBtWr%Wnofv>j4apc$v
z<JdkYv-bw_+mFkfMBv;>%5#2DGNCI3e8^_~ffdw~#3a8?<z0+Qe^!DOgpb*dMkhcX
z;Ok(Y5VkdAD9wDW{Iu=CcUb*<%kSR)h-dcwII4=ICw*YcN<*7nKe~xJR3h8^wsN0X
z$1Ttqea}ufzhBGp$ejApKxbR7V?JZ<sL1A1?#IWzeMWO{zJk!NS+Hk%du$36c&-W<
zL%Nd8dCD@sjy6Wa3Ic2K;UG+fqh_){EMz|qcS#no8p@`mJY9<7ynkb)rK4LBVU}D|
zPDdvn^MELeY3Wl-i#UG%kjSA*a%X9RGOtwH%im}F%lXJk2Z_=biOYFRBlipH-n!W7
zbXxq|BPjuwV~qs;u5$On*N|k6Dh*)8ah`2>wa4z2P5I^13yf}*uOevzVl7w_#G~s6
zAUX}BhrQjoUKYPGum0815kbHW_L)C%GH9nDru;DmSpqxGG7=@@dzQRJxkuD7?IoI@
zP;(>2&W-ZJs;mYc;M<Pb<c6!Bho_AyWK}!gn9kH4{ZyuRot&K&WnNIhE4~#2!hifY
z;lqC3Flc-18>@9n#9OomlJ*od+6hdLZ6&iVu+>`904pON$SsYn&VfKyjvXw%Th7!p
z2Yc-^l5y%pG1w6G{4Tt0?0#_u%o`%JLOC0^EB{yqk%bWSJ;ji!DvoA{GRBNug-<4v
z;8|hXX<f2H`B!yjMyhp;U=Jy+G3S6S!Tq9UkGD^JI1>Xu`;enOH?oI*<&~}OE(^Td
zCPM--rKYO>T1*KUm+BmhW(JCE_cVJSgm7+UEQvLG?DSGF#=E~{Pbp}x+00MLDNy<-
z!vhh4zV|AO)r%o(8A{}tE;R%b_UU4ES6I1~gVkJq+o8>>=uP_VTg^YWj8Zm5cIouh
zGxm&7#!}#Z(+N6eUGMxdwy1@bv%ZliwoZJDVaZo}qaj$7`oiu+evYPRTB_>8CP6y{
zF}`?-E{t%RWWV)i4+I<xsu=@69xgGx3oOW0<nJfrwc=C#<fsqp{ch7}A6F3GcXPQL
zhlu!r_mTFZGJP{jidCw_z|OMDrzWr*A@RGGfUY(hZ1T+MC*AaM*yZP=uim(++GvvD
zy<9uaMYC1;Vxz~A^1L7dHVp`-+02}_FJsJsNaj!|!n60Hjohh@mX%@j@2l+|G>36s
zq`1@Cx$<%jYFSe?lsyDnqN0bFYGQ4MoppJdbLb8@S0aE(GMhp&3J&H@TW+sw@0Hnm
zAe;}FkH;QOn(1FB#r9+RSrtm~&h~yBp4j}<JoQ;bBz?!ermcV#KCsQ58;(=i)9^Qm
zcp{s)B%V9t7nac!eTijdT#nf9$l|7@NH!O+V+rdsC&w&Wa!NoBEICb&ynF$c``%z#
zU<ox>uAA|jw#?$vkEnd595>u}ajj_Pav(9e8E&RJehpOk-X=`58Pz|FYiBlvT)DO7
zwjPft1Ion$GiE!FXM_MqWRhb8q3vXlo1rf88&}`sGE+x;$OTu?uL~WEo_SZ@+oPCo
zSI_dD9^i1zcV}n@*J&L!{O#JFP#OK{h_e!N4eT=VxQlA!1qbxF4j|0rpX{F)YUxUo
zg_+oD^sUXDq%9|D9kV`5$(b_ML-$)E$Z4HuKH-17!wLD=>+S!0ALJv!bTf#Gi0409
zG1>1$I_RsGHjEggUVpAimC%16M$kPZJa`V;-s@CT|Hn5sySL5kT&&O<shs+UYN*L3
z$3uj#r@yegWti=aW>DBTvwEX($$!Z`fmA<fj{Id*HlxP+Z8o*2_e-6G;b+bkGi27U
z8#k<SuD7jSK_=MCbt4#fLh(DWEsw|1<RQYM<o!KV;N1lj{Jje)AKz#YpK~Te?}tJO
zU73B@pY`(xTe=830%VXm5=>w5*h?z%;F&jaXxhfVS_)#acb4$io;K;d(LhUOA0sS^
z5-p<Neibw@&8s}r<=Di&BS4VMYB56uztBirxB5;9mo>@W1|079A3=5c&6A^yruu6J
z49Lhi8I7zmNU)}u5m{|=d?08Cu=FRE-b^J3#=MX4<iX<Mi-OrT6ct6=wG7a~4R^Td
zqh0aZ3r<w_4QimY+H%UCg`>cBCrAndXg0uH>sa!s!P4=*ORb{{-#x+_7@mgGHbrs|
zb+40_SQ?5337-NycraU3nAN~skE$9ix3%^%3&a_a>J?oc$l5~(SmBB%z!cx678p1v
zkt?1!%r%i+Utb5O5cO4r!ay1h_m&;y06$6t1wWd&)5e-#Vgjrz9uVPz2`lDB;?$K>
z1^wt_&W-h@XaEMY9&PsqyT0KnNiU8PT|>3iwbUuYwG-D`)JFX%hp}T<RwSww<I)k1
zm&RkMq*EOV+StCf<M!KYeT2NMpLIo5A6Tu<>G@o})0HU1sWQ|426eBNC1B2_iGCZm
zQs2~y;+~p3QUh5!q1HL9!_7sP|Dp&+=Z3c+1}D2t@t|&x9_XZ+`+Fg2dI<w!S=`-9
zoTNax;Z^H~<KQc!a-^8|xYQhd0T6er2#{C5;u>vzX!qBidHrF8n)e%2U)UZaLRF}z
z3A=D%|A!X$;=v?IMa_|f45`Y+t`>3io#MT46{sHRe|m~`-aZjF2D>~%lvD15kL6W-
zV67~nF_%c5<bm8V;soSAgmZ~j6pvVwLh<7il_lsGQ;ppetFNO!(vIuw2ua%L(E;0%
zMsu`WlYIk6Ztbs0l~5U%-sa*V@mmp#B(HNs!Yo~zPA2T(Q2qQH1)J^M0rx3+vVXSc
zQUtSb>u)A*b^<DWf8c)cuPj{6@t{CLJYYh28j_x5fdPLuHX^9Z&PwhD*^U-%r1!Mk
z+jD~4qO=+zHKDbZLHtn`Zf&pFU+e*^(d;mqWYtdRmTM1Vgo{cWu0JdSf`@W778m#~
z)KUJ&GHUL5l@*?psvwc8wH)PgNABeNt)#;AFE>W;l6P<Ih@%ocUOHA5!MC1)PIjgL
zv(<1w$?XsN$ddmo+AROBUgZZ{qdd}C3APh(-3fMHFB6!25+k3-tTkD*e{KRXMcea-
zpc_#5V=Rn9nv>rGSA;*f0cX;_moxLBGOsMy5~~KEux)C=0crN>#V=vCj?n_eq&#RQ
zrC*$pw2;@qib6q;SRtYdV)VUO$f1U*WU|07&1kXvTJuzjh}*8HD!t@m6bWZ61rd`>
z*}7ybbL?I9IidpE@{bXKRUoPs45TJubI=7&M*hvB3@0U5R$PpCtxV$QioUCCrg#J`
z*b8}~pV*L89A(f}<!>>}umXor&h7__vUDYv_5v_eEHaGRUr4F!a_+R5g#S7$;4Ca2
z{Q}p2FIZ?H5GAkL2rrlr&eEg5T~YT<WG9dN<bf1{B%7oSm3>h{uUKy40ohmi%`|TF
zd$KtN@C?ni=4LUQ1{>Zl4KIE~wk@-+@!V%(1bdnQD7-dM{?U>c;$s6@pz}xzERS~v
zg?FQ=CeK-zf*SueU{PNThmC<EPsA}=X6(ibQXtjk1nGk`k+d>EaFHgl7hECg$dgD5
zk0JQ7eBuc-zZ+k3di?zzfrzJPph9~?4GKn0_&R`hyFlP@IU12)?jTU_=wZr<{`=SI
z3WV<)F$qyIzLZff{;DS|j5=QnA};+NfT)nGkGAsBuqwVfte9+Ll)oLHTVyGme(z{h
z-MllJOp{oamz%Y#%;n=d<;TD8A#Mm5n_xEsG=;2522ngK$+r^1UtG<16Z`Lab_w63
z@>)qKM^r2?QA!)z5JpTl3%EBBbx|VQ%X7$$KxoedqNA=K(;|rMX-;2wgbL|GiYGyp
zM-i(0(y1{{(Yx=tOg`_~fk=!6Zzck+Nf5-U{MaX~(|XH0&H=)6=Yy}8Om@9V7<%3J
z+R(qg4C@Ljdh2%>IEb&ndiA2nM#=k&J$(2P4L$uYn*xU@`jNH*QLR-2RV;qC45fY2
zDwpV{t6_e4!^EGeAu;kD7FHGj)?{UwX8oO=_%;A;?L$K0#=I;n7KP>qo<R2@4&?e4
z74qAS4(AmWu%yuNLawDrM!Jo%ILQL(PdsbNRdQ6IPQ*6=b9C4!B3<V{91lQgC4`Wm
z82oyXjE)>HPWOQELU0{CbvG&x+9o2iKZh0RT_2ogF_~ep)^rm(9q{T)GOtfx!qSPv
zlTH|7qF~c6v>f@%qSNik$!NE)t~RUDKp_mkK#vE8={G=W)I>VV(KyM+WB#^VI7jZ)
z@gY*QBlHK~^&#mU+{q9mBzac*{ClWq9l&_#>$5A2#U@?_e-FjEJfHjKqkeC1nV8-a
zx%E?w!i&weHBCz$;ltzMWN$8!c*N@^0^57#oKMrQqqC*~(MPG1N<@7y(l*x_rE%VJ
z?Sso3q<RO*oB`+{*T7FnUw`5&uu2OJSfQtG8xWkQxKXfkS_E1R&EIZ)?0~g9&CA8L
z*A??M=UH(b@KxmPoRCgR4XV;aj8)-3S*s(EfI&S_(k7Vm<RsJF#16T@reQ|_FcO~4
z(NG+6j~Os<+_!l&f^(kqv7#rFcB9OTe=H8SqBt6$xMF8C;4>#tAYskMF-uy{Ehyzl
z@4N?cY1@l6ZbV#LhzjiTL7@8o+z*NOD3>C?WhIX^lH2Ada<FdXA0)igI`5vA`d7u(
zqNZa=1-bcxd)ox~+cKh<2^tExIW%!!AN<7rarj;{V8HpV@#c_uf{dmC@#~Xdgq)B)
z8zc`c7%}9X2_lI|mB2s)u1AS#ECIy#l;&iCR7wMN!2+T$(2;YqjTG4?A*xyhrW})T
zSP2%%?TlPO(TaUOq{x&7@8fKt(0Un~GYE^%<DPit!%pR`;1LlnrbTGw(SHJah7Bau
zBp)4;K_Vk{mprlL>k`3<(slpYj-JuR%fal10>m69E9_7H&az!jF9IaPw3<3K*?B(T
z_WIhOOAj4md+wX?^r-`Y07tBL4}gZu+YKOw#C^Bg3B`bFt}wj~(Af9U|H;luIiQx;
z3+ZX~9iNzbJ%dK9z#<uA01wFN{igEra%Etc=dbUNKu?hX4oy5Lv>a`7=sFb~o8t?;
zT0j>MSNc2ev-_=XIaYXY%k=hX$bvd}a>~(ZR;#dX0Y5u7lM<06M+2CdB&@z5I+8Y#
z&Rd$EvKBpX`y1Ov-r8HjXV_N%HmZ97Sk>q{=7x;!eEVzR+_1mgW!|60Ep)Z_o%=;c
zxB?%d0t^2J5?C_Mrafffy%t1$vloWK*>Y96Lp?>WMcmQXc|du|Wm#?hXNnt?M~a9H
z>Mm{5v5qoSJyJ2>l?2T8o?{ta5bCb*Z2$^y*@C_h3{gX;@tKb~v3L9QG~gbPVgE&O
zAqfn?wKxKbpKy8`z*LY(LrhtO8^9xhu3QU<&v_(61$pc)kR0w+V7F302*^2W8MAaw
z7+3D(gm#Jm)3yl~rU0sya19{Orh&9*D>qEtyS{_Sr(pi-$ey%D1R<0_3P5V-0SI9l
za(AF+>ox+^tjdQsWbf(ZT%No|Vnw9NGyrjr*I`o&WXUIb%@qbrC5Hw6lk?A*bG#4o
zKz)w1_5};^4l*-=HiFy5r+hu&{3O3$<qlRA|1Qr0caNm||7Vd^4w7#x!#w;gs_!=A
z1Nz~a8Laavv!Lxi@k3#6hD(a0Ti0s|&Q&C90g#{}3A#8$FH3i6&lSjy9eHQ&&`&j3
zw-Lzx#uQ<0GZAVk{wKhvQR4ylWTC6BM(Em8orlE<BWb<(lhw8aYQn0REC<p+rq<0X
z)y<ke_>XM9P)qPbE#L%Del?K67a3i&0w1nDgrZQ8tClh&Db|pa#xp8h#Y>c6oK1U3
z9X$2<hufgPoZyE8JqzxILoj%<D?tsww)HdsrH|KgEGGr{c!mPT!b&v4PYk?J#PB6=
zCt=MHtUz-xQUA=d$L$2utu^1-B`y7tLYOTi3fe@mA>7Bn+hLM$C~_BqMZlEyHVWM$
zfsWHqGW!LPi~q^t_SsVhxV<e-Za`NB`rXuXgU{g$f7UMIwXD`&nQ|5e<Cy_&kkYik
zak2l63q{~7hycU@RpM40sZ}&)huI@!$#fb(+7ifFKr=RpvAMdN1j?q}@6$0fsFG&@
z6E*|(h6a@u7@@eSPe?wAM-j8PPku3Xy*aOpd1@^VOb(+?el;$JlDquLtz?MGxewdZ
z)sa&IX&u6fXtTBMCx~o1R$_rWka6VUC7v=QkzrV{Ik^<K>a9p9Vt-&oXn+!(j>VV}
z`l>0(ImDQmlq4s`zEeB}>A5@CfDZv6(-<nq<pttXCM%Vapv2$Kw491TJU}RxK&Ay#
zj6K2@G}8erGbv>bUtqu=LVt7vQ^@CI#hPh+wm;*$7pH6NzxZ8x0LMmZd|HvcRuoqN
z(aHprH*A*vSwEPnvQ{7K>`h_IzeNNyg!SVIS&QHAbbfo6!N=<|>uNb-etQ%f$_|f#
z(PU^fTUU<P+B?l;Er&D_FP@Ih>(hDh+JG2%EGakggvo1@mrau*J|_+cwDe~-<-QJi
zNLPyfGqRXAin62EZD=Gi;yGN;kwN<>%yqf*$3a4PDTO^1(|XTYwd3f$FQ<Tb5Hnrd
z_3)A2M}seMvx+AQ<ZHYA{)rbuZaqNkHt<3YH1YIdN@?GWI7I6KrXaj3ch|vt0M>t4
zL<`vm1Y1<KyogH}R1x;f@Ay|8z$5PcNXt^P!)nJN7mz{zQ}O+N6g)Yc4bPvBYlZ$c
z6-b#&G<cBGc7WF;+oq929jH^#L#)$tTF#cDq_yOdE>f3e%pxRoUF(6JrvkI%Yy*F#
z(T!tKRw)f(BV*x7f;<%&MO?LYw)qL$?b|QPK5oCOZATqrX3PJ}1#tOWzkWZ`c9p(m
zcXu~#+JEhxb>8w@PSaQrY?lG-7~9E+tPLoAm{v7L)7k&(R^sC%i@1%x*~Ztnwco&!
zPTnk|`d0N#0G&I}Z~jWm_U`ML|L(gN4N0cAS-#I&;?M4=gX!SG_*k+$Lnd(NFYWXJ
z3TJ>ax;-3Wi%G1(hqKzPI1{}_poVn!bv54MiCa2iN+q=v1eQOo!Nelrh(?_R6b*XX
zU)!E0(#$()OJm#O-t7W1IraB>Sax)VcK`m3ohAyh!{i@zGU8&RzN8TS3*19v=-y4&
zPBSIQMEG_do6neMo68G2`fT&(7*5;0^3#A>aj??c=F&l!P~wNH!o{!OeWWiSb>QDX
znA!yO0!r1#rl><|8g02l>t5n(0w~z!S5&k_a{Mng6v7o<-{}F(JSj*T3DpkWM^yzE
z7sIHjROo*t%kr9NYAeeYKQgF*@LKgt0P;sNM=4%e-Lfk8hd0B2O)tp7KgSbJJ_69j
zCzii*aa5uV{JIz8FSV+60NkN%pORWjyPO!FTTnHa`ItA7u9u0UP|r7aM7m1UmQBr5
zN!X*ed^X_i)DR+;aA7^80!?EH<QjzAkn-2BqBfufM@~!5oGt-8P|Bi#r>AFycQHG3
zCt2Zn;nuz5*Z8z5k?;A<$(hohc`l-bGbi$CHF_6&HC5XK?)^m^d0gbQ9$q`Bl8cNY
z1JxqC!5X=aXlLkZ>5N1l^gK@YpYEq}Y&1L?Uwi_BOi`(>93||K@Gd|ioSMDQg+Gsg
z04bZeLnueXC&|1usbk#J@WkZy!xk!|)(2V3mob^GN>8PWH8~7PtUoJP<=ZrbYINje
zf7tq45Ld9A0o<!EQw92W_@`rF>2EZ~S20kM;vxqaB#Uh;SeL4CKzoQujiQp{=QC+$
z^O09!4WSk9MAx3m?#N%H)`YuW3p+3^DZ@BybQY3XGqJE5xvE~RREBaH;r{bIwnLa6
zhpIWh?gqY)sWd~os6oT1&y6h<S<RGEl+O=0%RYDNk@1)5b?V~A5RlR(S4$OF2$m&u
z%6?9aoybupch!~qRog@lXHBeW-}oSQ%<}uygh_%1Fa4(h)LhJ2JtCEzWX-D05;xxS
z@Xsnf9iJ6{$qeLV5b0DI;{vTX3$#k;P1jwv{U1+xS)34A%SgHb{{sft8=8K15wDsb
z-_Vv7*D}}Mr8X{n0nR7Sou0jrM&!I29AIBuJ<x}ZYr*a<-g}Uc06|-9Zhd+Ct>7Aq
zm#%zlkq|D~ki?QN*$^U!=<^~puv4OwNSE(;rjh<^S2}|4JJMUAAi>OfnaiT@apBk^
zgVg2+g8$Z^i-r>hbgRe%P6r6V4YhLZnC3qVU>o__-a$mA{@xwz48mQ_{i52iw^Kg+
zHCezGGxqab1@N!qiGT6Gsz@-+FFCfF+JFIO6RwRULcl%sZa;bt>Ivk`&J~wWWh4#m
zagNA=7w#vpyL*(?_r#eis`up_`m1V*6Ibw_sI2AAzn=G-thB^h8^|DW)aH8Lj+zNx
z!FMx@7z{A5o$Ja;lRjf3XNDT#E$t$P*NU(bN2zYek&-kxCDXV%BjND%%h^W5D&X;N
z82VYL?0S7XAuSO2RUG*Ab~2_Kzo~a$FS3u8PmrJiH)g2wFup{A7qKDAfbmNWKC)v5
z(!of+OHJeh*rO52h?AN~{ASQq6*~Rx?s~cNRsKWE|5YtyaMZ}6U1SF8vq=E%Kr>L4
zBthB+lA*L>KHziyUI+Y|@@hF(^#8EjV%|M@wOIt%U#c&3)zyb=0aGrO_0_^qPg|ES
z*ScQ%N!*i7W`$&z&9Rb8V<GUrae2XD`~1DIE9Csxd9=R_wx$Sbn=RTyU-6GT>744d
zchadsgp&V({)h&CF*}l>U_lNg!~*I473FCH#V}_$>F+vMdcc&(fjR<g2yD}dk?raz
z22YLJDTFW}iE*>QE=SsBtu4(SK<3>7U}6+nL4wrH0@4*250ak(zhiRPcmeu&4uo`e
zVuFO6tQwsa=u)z&&c8h36M13*tByex0rB(*J8j@j15^xdT>2P$2T)aD$UuA18~sog
zgVC){a~xaj;!l3b24%q2enXK9e&D56PB#j|F&0QbSJh+h@)QKqUL__H9lSq;DiYKh
zEz{x9NQC6VaH~L^S2eMEh!N~1?FXxU+8Iy4<`1@Rsn{H*jiM6ul^_NUcJL7XI$)B&
z^PwyOJeeZ7A1L6t!F;%v5(=xHz_Q!N5_aVCexLG*#oLFmjBi#x*3rR!<Pj0SiMdE5
z>VLeu^MSb=NWO_dysO>YN5I2@P%bIbcwQT&4QNHL&4#gDFyd*Xp$5Nq?qb0PKAy$Y
z%73Tzph3z3X76K6CbghHtYHK`QS(X^T@AU7KnSh%`fbYHAu;T2-g;y>bD#L)Q8U3X
zpX4t`Abv7l1>pt-l3W@cWIE_NiV$^cd1%5x!1*I3uJlV-=%(tlEb<PRBZnMXBaq$F
z1o<Iov09*Rg)7mh0g^<KAnTjIid<I$5N!+hi$dkp&cE`^m$-oXr7u|6LfJZ%EA`$4
z{8TWQ^~Yp)>kZ6=rEoQ-7(kfdKsBa=|J?V72!t~y-*z{{XJ=<gAG<LipsSl3|Jm0X
z{s7hltkKmM+~i>U-vepo@c-pbf%%<hT#D4R11wR@8zXRp8(kD-0VoQCKS+QTCq@3q
z^Ay|q<gRDg24VyDAR`};=f9V1jfK@d6;DG|D~(f&SKT5nDbh+?6Vn1_-GJ_X33HPI
zH;ORYy|ZBlKD)_*f$Y#QK^YVAz?%CfytDmC57bNknM$Rj+>t4A5%-Cp-$*gSzJ}iA
z=H>3N5JGsace+Oi!pj(ybNC)&d;0?c%Y9$MIu*<gLX|m*x4m7>0KTrg#GHQTN$&+F
zzCVK*!Rdq|d{>LJb4_Rwbg(w8>L5gx{RCXE0%drL5e!luEQ|-LurNCY5-7<c@@?);
z99sG3Lhk^i!C;9IqX_j#ka&XJ6guj<bZ6-h9|5lX&{!l5%tr_68JFRU^^uqOkXHM&
zQSihekRI@|K~fNS4ys}xZqnUGAYlitpq;-IboUTtgDZIJi6FwzZ^RXxZb!WF7x?=h
z-(~VtU|`;Xy$JpF8-~`f9-3LHd<7bQq-WntH1{PCGob(~9xhQfDnx<jgzTFJ{9A3l
znSw>zOyxAXs|C%#3f$Xz@Bl=h`2QScP_Kk&7o@l`q2IlH8;F<B`UgGum0obq6~Axt
zkNv^FU99$v-@Q5p;O^TRLJ<Z9E8wZ;vVQMSt_5bBZB_05T`2g82n9ot@(6U{zegZk
zgJkolFZJ$V0f`Fm>EKs5IAA%tfw9l?L5V5jLc~7Tn?-?*fa?oD1(%jh6z2dF`Y+Wu
zCgD~MXdtysP3Iq;zy5C+R(f^y_%W&=bwfjg_c7gC)9S0IYnQqp*h=A=DuCNYV$DF5
z=RrJR?jHrGwpY0Vz~v1)s8qe6fDRONSSxaqR~Ugf=b)X3#yYtL`&k~s5}*+5vIb95
zU(GF)Xn&ZS0P#~6`J6VW5^<TR4>s1k$bjRJG5*;!z+06?6LGWv!aF(;aXf(kxnAWl
zpd*{uYxV5AY5<+Sq=9P7xT6kF9MafvBXHJrBFJ6_k2o`2!lXq9Gsx(d8i=EtQ+9Dt
zZz`s5KK1<p)K<38EuJ5b)xgm2gWm+kDwVH$l1G4JboPlhY<zTAmz*Dwv6KmXK%AKo
zGzg}Ay9u|~24TN3V$c8e-J6Ovg7;6ppX%y>rcxO=kPjd6fOLb+lZ$|Z>NhB7yGt~l
zfbkZ(li|cNEhxj>sHFyl?$X8oIq3n^$&}tAU$wz{3Cm_*uPOdJ4Iw-Bg%RR;)u034
zXLQqJE?P6xv09X(zGMrNiu8cXn2i>x3hnUyeT$!{zWJi>4O(8!!8!2QmIj)|sL4BG
zeR3>V_zmN6ui!&sIN--*Q4`*IKqKLzuG|1rlH9;aIDuRV)MDV5S{M;B!}xa+*(~|^
zw8`iXBis9(7BIm71Q87T7-b`zk_*du(oKtn_UhFS72b!UDrFtWNg8}7%lIDe&c<qv
z*)Bqz?nX+Vfr!0G*8ky90)#XRcYzgaObK!b+2-~ye^HzjR#Yhu<!7JpdbTeEW|js+
zq0~tDv^ExD^RUdpT!;jw>?L^&h-}P}0C3D@14ar5hGS=!8W4N(+kjS^m)L>SD4>H-
z7K^K%0)zL5yJp#m#G$s+57%V_r$Kid_5;;c{a$8zc(Z8N33#O<>A>tGTv}w!v7~I}
z{cFF`Vh?z<ATJQaP}f1f_d=!o=j+u3v*nQ&VZ)aq5X^R$-%`rpTlvK*b0H*=FWT;K
zR2oF@=FgYj;xc-m)-Cjl!B6+I#0w>amp@zb0#j9w2!fO><c|nIxa9GQss-=o%Qq4r
zH~tp7r$iqz)}by5Ey;cBygH@U?~DM6AYg|g9!rO4%h~Vv-v`dV;3yK{zq^+_Qg9rs
z6phH5SjwrWq>xt;jym_nN0b6k4RkuGjcQfE!-0fo!+q4fv&tGM&tlDA;$~;%y?^H`
z;J|C#lgA^WW0{QCj%mC=fsCPG`LT1{)>yiG<3ASAB3%gIjJqjziiocfk}}qOcZg(s
z&n%r5vwjD7WtZBAp(jWfg1GVahj#TS7Vum5ZtF#GGFfF1XGNs(Y_dY5jvhqy68@uB
z@*$og3@v+P;LL4*>b?i&gav^@0<2#PR<viI5eDE%)j*Lf)c-<F%8TI1$C4ks4=##0
z`(`-mJ1Onao0J$Zb^rCUXO#x&V~Q&yg2=NF@sGUu(#y>dZvY%bh-!HviHwFwqM>|^
z7;h!mqk12K6F>Byc`;fIW<~&xmD$<e;v8kQ<BR}{Vi+K5Acaw}63zBq;`#qO7DV|Q
z#%UavVU3-x&TJW!I=pbeVaVS2uS{t6`G4T2kb#k=?b;cZ%ipJrP!tgK>@hoP`k>Df
zs;5Z6c7`~#FO%jKlZLQl9pI|{r~YlNbJfz#%K3<TfUjmhQ6AIaq;FvLrA6fpS6`i!
z*xNT;Bf`zKSx~Ph#efrNxtGX9eq8ub0DwQI%gNemJ%wLIObbe~YW;q8m3+vKEGuuo
zJY2VToipyYrl$mH=p^mlwg5J=t~%LljlDjD0Dv~A5T}1c%Jty*ulA-Spe!}RR~BDQ
zSKA_rh=>0niDAkgDmx6M^J~tyU1dJ5R3)L2rJFm<K3xDHHaX#AI`3NN`B-q`3@x5i
z6*aF`i7DUDXJt^UL{a<*k^K$=*B-{yZQjs=lS0HvCUg%zNAG0154JUV9o{o6VgEYk
z&Bjr;@W!U8muB!j-kjTwGUqqK8nUjZgBbt?6T?L=idhnT&aA0Bn)9>8pKJ@I6|j?C
zW?xOnHjle+v#DMnfU*3?v;oyPkLM^-&mR4)t78-Fd1h%gB>4E*h2PEjIyX4#qqql)
zv&khsIC312oUs8VN1!x5cA47Rn%9Q`|6K>?r+}_FYH`nRB>_Mg&A;*>nR~nC_C|W`
z?I2E4A81Aps#uJH<Gnz0jMS8C;M3j4B{Io;nq-~h=dpJ&zT3Xqm%9EC^N`1=g#_3i
zOwzUkx`EempGPFZ3|++igcKIUN|G`XHor0YLEe;ywV&hL(a%56bpo6kzKh9IX$U&~
zCiTPXJ_po>k<>}vArXQIxpQPd0sMaNmK}H*FcmuPD94T_Yo4F~ATg!5HqA?Bg~(8Z
z*BRG3kO5$XGE3NQtawr|{zaTfN8dbW^VyQv34&Sr#e=EFIY6=Rc9q^-pZ4MHTkdqt
zS_WY?p+$JniE@U%u`616^Tj4DOZ9<!Qj8p)?t72duW|8~+Lbyvo$XbFN^83??f^JC
zU0=F9RwrYg&VuEBfu!ve57kf}P6Pw*nC)b<<;U$4!IYX<Q!vI6KzOy-n{Rx*OJz}w
zK)}4nPHSh6zEoRJCv|Yz&duEXvS%6;Z|_q{b+QWUVN5nEyo-`H%zx6SBoT$~szbhC
z&hXlRkEH_V&m*+FaJ}pDpSv9OuUjrQ%SKMa9IKioepy4#sZuRjFY;9KBiEG04$-Qo
z<^TzkB#UVt%gt2%J5vFP-D7oH=K)}mBi$F;C-J`b4Ht{*0I?s4uQwcjl^>~f^pL>i
zuw{$WaN7@DKI8r{`sx&8LT)AI+n3&8Rl@19neU&g#GoacGii=VtSvIR!wDcF4al_n
zgq77vmPHt*GZEAyqiE9UVMSs&y}NO{-u5s;vo3qsCOs|iBTbY;TPMA%@XG}8$V2JJ
z^VRwWe{KirpGQjU$9;3Enrf;Zb#bIlUsqz_iOo4;5f}6;j&=xgy6icM^P;qQsbSj9
zS4E%f!;H50o=FXz3#qjY;*SJ+`Ii*eGLnCw<=Y=hph`+#u{UJXC*3;m<R$+8@E$_U
z6SeZgi15Y&lH!Xc72k)PNjoI2Ykm_B-+hVW-B&`gth5SNwNJdXs;>bVh`>5P60g{;
zxA;8Xk=T`+I-0-1x+u(UOkq@IS?l*$#6gJFhd1dvy8uJq!}?Ch0zigSGo7wSMK7A!
z$HW+}HJx-0IyHB$rYD+1IsNyeq^ZV|w6q-o0+nEO>Gl^;wnCxzc?)&p_*>#v`u1+E
zcOBoKFqiYTy>RmotRVG$v!~8iW@Ff8!{kaByd)$U`K8l5!IeT7#(>`uD?0t2hQ%yA
zoRaGT)j)*;kBg@r&+y?s=0gQkN0&s&rAZz#$t9synUi>WiqCT65!<j1iYZT;Dxb=^
zL%w-GzZR|6EweyH@U=1Ll;VEQ+}E<rad+p}$J(bK4iqGb)IY+wuf#b6DwKrSr+Z^d
zPYRIK+b*O5A%WueLe>mur)GM+1$>g$l_&7J7p|T1QrbVHv97xZxtcuj%Rf4MdvafE
zXndk)&vAhM_Ly<}8%pk!mhXJDu}f&*c(i)8!X&=ozpC$Vxr9Tc75Vt$0O~IVWn9rc
z%~`jd$gO%Ro(_u~{K01QFf1j^(g<E5Pn$m>v|jE$$lg8Dqq+W@a<IP9ZZisA@z6}V
zp^5owep)WwArQ$&^=8la*H+_rj6XU|iaEp1UnasyzuIH-hT)NEc8(=^jC5rxp*t<D
zN)S(1MRcnfU`csG{bbKMSG=AVc`bJbQ(h~^W;U1iOEX6e^5vIo(vDFndqSfwCa%x3
zKRl#r&l~<-8sdkl+#{P5Qqd0#7|Cc>P;OJ>DZkA;U86k`jgq|>IoKT5_w&nM*Z0V4
zx%l;24U=kPt5*c>MS6MgYafQ`pXhGH*fbrGfOQOe`muDHn08w-Wn|ZNP;@)fhkAR1
z-PudImc{jC%DNG#OK4}tE&xCIQPD}b`(OO^-{NXM9s@UOQU-X%xu!)E8KBKwJQ~B-
zA`u;n+I|Qd5u7j$@FU*IpBT-<(V>MOVE-DDRm2)0cbc>~nP?D^3dga(?wPTnXqfHD
zrp9>gATwn;4<mg<dt|D?h$`L0?!{Su^VdZ4ey(T0F#5sG)iQ&HtLJy}xp?wUXk6m`
ztw)%rWA%DBU$95rpkHj-q*vDi&zF_lS{_n}(Gm{D?E+iyLpQSP5RG|K%P!S3R3kU&
zs;nfGwpkvDtfz+!vt-{{!7TDzp~dnsTz2BzeFRLc9exQG)BA7gzNqFct?|ZTFT@hR
zv!0+os!-kuz-{b5Y_jv|?W66-Qv7+6zw@l=`-QB$dC76`x!wRR18sCA+`@Wg;O4b^
zFx4&0VlT$oH@|VKyzzHo>N9UGeO%F__{Oz#``<tUfpc|F>+B|SIRU1JYNwD&v>IzP
zt1wD?FxlZdnlYCg;zxHyFl6CSaj}8tMb$1M_2+|&&M|C!%7!9wr&^Q*zr7aE>b3}v
z)UBI2aH7!ze{Ox9>l~A{lr&<iLg*}F(ThsT5cX1%^tK_-F2{0tJ%KzyUSIS_-|0K+
z?034*V>Tz^<6R$$<5!b49r9AljMX(tDI+3FCduN=hoiYw=`<U=+=4w@62h6g;X}c=
zVg^sMhz`eoNn75xDO(Q-xdC_N1~yRx;?lCuhsPQWpQ(Sc_^o(BEm5SC9^XE340xI?
z(%A2_mrO*@{GIdjZIkhDx@(2BBr{_@%a<zfiXZVKq;S~tyc`Ib%yafX6@P-m(PgCi
z6Weihv8fqp`K~>Nvt9hFLvFXLsuR}aW6Zv#SbtVuV0fhC{Qj*Ml%F<vK!7l2KWZ{%
z6{a?0<Dee(ed`_E#q-H(v>grCN*)it8R=M|pZFoW44LJR*HRY*2fHM$7(0F5jRJdB
zV(U*1YKVBIU!;Ih?Adpd$*9?9TMu{PW=pMT3$Mp(pP>-#G17j7{M6ta$xunlpIfM`
zPAJ02EhpU35964Y7>Fu>;pUirUMMXqcZ&nMku|>#`B*=x>LCO_UQsjS$r<)9|LHUm
zjOXOVl|yqh5>k`oy1K;4@V&8KgA|iLJ}UVy?Wzgz+ueRd$HVf{|M;(9`)??lmO9jk
zAJB`_Jr3z((*YClG5QfF1ut^LeMmU7_zvPS_sh3yn4s9A7S&94@6%)gp`>yW-<V0?
z@-*8pI|WtgmHE4bGL#a1uMct=W!X`HmLd0T$%O^(N~T=>9YIQPX=i|Aw5@48#3Oak
zBulc<W~P%s^$wFTqLTWqD_0e-O*kSU=JpG>98J&s!fdcLf*Sn)MGOSvdCRf<Mg~0?
z0fqF51ZsF|Al@HZT8B~`!qEC8s&*|>-k&N`lVf9(+0aReK=^Pd6|<~7l*?kQK96UT
zvZO%pduP9}ed1@qqfAA=?O-wQ0_<Cu$njJR^wK{6{r#0h_s2fwe+Dg|aW<WG`JX#~
z>9x`Jd?zhLDT&{{LAsAgH%yMI0QJdd#hkteN|D1&O?*FJMaS<{7n4jFi&=x>`8+al
z>9Fiq<A$^*DvqNQ1F5yp=TW+HA2##a(EtE<UuzfRd1MWzg*z+mNt3w~>*StdYDc2{
zlW}>YnuK+I*||LWPsE(hGP6cA@?bbe!NVIsbHPByDRVkH9S>8J4sXGI5cGvW>NfD@
zZS<4O7IgKV&0l3%{&g3YIjbL=003|G4D~SztTUek!%xjfGa%K(!_dl|Sv7_?B62X6
zja77q++n0X*wXsv^EtrHY%;2}P#m8{7e8xLA@;QhdRphQnECzJ@$bmNZnh_V>eM$;
zS~Ef|BjUT<&dqKH*WeJkhwJQ8auo5gyL)ZMF69I+!`3_JQI;m>Wtk*~7EJMFHrZ#Y
z7opJz1$<TFGP7*<IxRxS_Zu{Y*E0nT(bS{!O|1e6I??Vg(IzKucwG#;VGef1QueKM
z_*K~bD&4;76v>p8_w%ZYO@<v%v?CF;+gi6hZ4~?jB91FIE!;Eo^?vm6{D+TI!+c%}
z&=0g7^XM_HlhSh6=uA}22U@;YXZzcQCyB}&J<t%bNBXzyVVg@2GTGn)LW0l&)QKKt
zp8KgkTDTvIa5dmk5*v6xKZ&7ZgiSB)y^J<m@oGDDTT95yV89BYGChs*%76NP`%&*=
zBTwv6*wzZnwfj-Pa-d1Q9CZ^L1ClOQh;i@0Dgmi4?u#IQ*|&M;QupIs;zb|t8Q+JF
zuQs^Og7ygS8;&rv;6G5qkM!dAH#pjL#knH4Wjcp4n3{uekeF_t<iK8tNmcq?cF2Xo
z8k$^Jus^bu*S&aACJV3lD7rW5Huv9@A@kj83)k^}VJ^FrjgW;-{~2zU`|kI}BcLPF
z|LX-83fN1xFHex(pmrVn*0Pk>!<tVN6zTVFcYtNac#Pb%azA1nmMu6WcIi;7W+uJ4
z@gZk0yUk$cs3F+>(W|ri@@$rjLfMQY?>RS|Z2rlLcB>?jOPYL#7tPl@&N&|`J;j!m
z``8cuNY8$GXggKlOm+%%EK|nE_nfH&D*e}E*gVh4^YL#?YwN>KF}x;*GqSo5Q*efX
z^1UwSvOdSX<*KhGbHGSIx~zZ8J?AnrxZKxwKQ?H<@Q8hv!!je6rD^cXF8W3syn@|g
z%Gne~`bv}Rc5$_(^^)^is`Y@FwaH+a@e(u>JpenSul-@~K@;4@@pm2fA#v`v6X?=B
z4VCBQa^cMF4zMR8kTS4v5Ti}r;)^)G{K21Ix2e%C9d>^;u@!LCt_w1G4HZH%6<fUO
zZNY~Gp8BgokA3^3<X-u}q(nJYUmkiq?^_A8)|!z^$uQY<!3yfl`0#MrbDy=6R=h)d
zdBNxGpfjjns$d^q|Er&Rq-5xSxc~{7VzftJHq0k&jNrpADVmxyr$Xyg_gFeegi>L(
zFaMLrv{4GVNDNYT4ABIq3a#IK>Ahaaq^JG(|55jqVNteSyMic#5<^JW&>$r#DGV(F
z(hVXYEhSwdL$`o}G>DWSQi`M?-O?=x4Begk8hm`-cYnus?Em{8$8g{GRjb#z)&<d6
z>pW8;^BdS~p|F3UUuo<3wbfiqzvRhxh5|_edGj*Don`(<56bq&Gg`OP1(&1*kb6Pz
zyA0FPbq@QY-*nIX7?kdvIg7Ip%QD{ERk80_=~k?-{d8Mwq}0{Zc@%G(<dvqmGnakY
zfZrRNlx;x)(B;LiOjSVUhVdR_^5@c77K(7v3FFf<rTt2=51%)0OaY@Pd8u?$oR(V;
zo=Ea4D^xPgO$m~TTS3TZii9E_bMbh7j*)Q&{7YEffSb0qwGb-~LzL39;OsZTG81Hu
zZ|iA|u?CW;1Z%GNo<Hu(nlegChF()T>r1a+y=&T5oKq*{4QH7j9g&>ga8kWM>~X=u
z#r?OjJPeO_9rj61=tN@QM$~v%e_G*#vluBEXv;3`v}|KJO&yp!S)cwC>FmS8noTh`
z*=5a5`Pm|bqw71d=6CNz?r6!Sr|O1K`1oJ@nA4pB!H*X1Qg!*W7z;t&#AUfaC<b#p
z@-srbl5StJyx~FIe&0MfPWbhE+W=gfH}#?U>5;zQKMtronDPPD%w5CQwv%u6i`t=!
z>aq}*_YtDiGR0%NLcBkdM}prx*wkH%E*fd!fiKy+hNYR&>kW(1T=z3f@cm#HbZ`${
zdQTEgx{B50>lum?RlA~yx$kUr2pK%JZ74B*qnOu$naIlP+gd|XI?aTd^H_V4YAqO8
z94mso^fywBE>A|PKl$z##=YOpGJHZ-rraZ^3C}a8llHA8owHw8-4{cgFlH76_xbs^
zSNHE4<(=IS=#|ou9z1(Xc5Y8La|k`*67%3PG3UZ}!7`yz`S2zku~khx__WQ^7S00C
zK3RH-oJ{JevKL0;3M0j7z8=LwZ=#Qs>rU^o*_SCHH9HeazyH>zd$a#5o95i|4G+vr
zkr3<L_5jPI|AWPtC!G&+p=`Bc*soGjtLwMRCojWFqj)=`6MRu~M4$2RLa4|d@>7+}
z`infK@%CpH_^`bhO$Wn-LtN-K9UM~AAt0pyNuEx198V|6r8wYW!e}wlVB!ic;e^Ep
z@A2Vf8nOQfc!kO3ie0z}U3r{%etM|V$QN!@dLH~O?bCGs(0Sv94?3OmU=^t+erGbp
zV&E3FZlZb5>#`4<Wo(GY$gHK~6-qdevvqCuk{fcd!F{d9^XzdCxF+RW4ve3eVQNh%
zBn3ZqItAS{YqEG=6S5w2k?J>AeZYrfp%ETu1Y}V*iq7dVFt@aZhtxoMf=k?Gtblc(
zkKkV1k%yBKc9Z)g1nz5M4YWS4Ln@4CvXGwyf01#*$@PE~+IkY(mCPP55W>@+EZDuV
zQh6(SdspD{gPrZl=MNr`@Ti^q(kkW~gAA`(-UM@VX_}M620tv?bH+f2zvAoH#3M>%
z9D>L9N3k+5w+hI43fxwp=%IMj2jZ%I;ej-=ZbO>dRdO^we7mG`0hHK?xTkJ+G#Sq^
zD-iD<e$7jNVnhU9@!-$A%f=9cgvEd6OWOU^sc7()1hf8Wp5Fsa7y>R~#;m(|x3ql&
z39z|k1tmw<c-eo(OfY}DfNN=A&=~-8U`@I)CJb)sBGQGHrt9(j^~DW8R_Pe+`zGV}
zJ#!DEL^j%7ePc!Dk+jNjgd#&*!q;t5{m^yKV^sYJKj8HaS2{ryAcpBP`kr2EKgwOW
zxPqaX3Bq`sT=oWOnZ5~DF!%-2`+4T4Whw$?XK=2In-muu2@yH9^<&zM!O%3$2P2&J
zyFdMcPI~Xw;wpE-*y#}i0*Bu4JV6myTsj`>G6!(LRtXxdk~7VdafZ|PvB@fmVI3oE
z=%#pNcN(8AQ^MJwedAUtyxGtbD#3uU*J-5s)(4xU*<hRwA%;yBX~v-|xCd>KE|WF(
zP3SM}mZ=rW5p>(R<v6QXPa9EJ+>ZayLsQmVo!g#Jz0(kMf;zldR+4OY`ScqWU-R8+
zNNHC-N1PyE-l!HUUr;1x_~kUw(2cDf0g-c$<4exlWE>ON`vVTviRQ?+uc5BR=(qar
zp=Wcj(SOx<R~W*xZ5wJq`$9EA7ED8m?)#ncoIss#sIHE^Tn6Ix7(})U8DX}BQ>;FR
zV{rp8+al~#IZJ)AyanY`O3nho3p(Q8)@0jr8>f_>{bZJuqmgOQpEpCU;nSj<L-t~z
z2a=f#2r8TWPZWGqO~gJ&FerRxm6GZ`2Gvig#A{}_CM0M<5#vKRjP&Tz4L8y4@EeJx
zWbLkLbKbx*p(&Rp3vG~x(!wZ1vxK_6QH&YnDv1HUo){znLJ`ebJOdxhX59$jxAiix
zfh%AJiGluv$^vVBHgBl6oe+)gF&Y{{<1N~udIX|G{FyCySway!REfb}y^e{FO|~AK
z#=;0DI|b__hMBdoM5iwG6bSKvU&zr2;NwlB_)k=mKI>mYs(?3H!Tdn6H6v`kNDd?9
zB@VF1?Uwx2UIYX0z-`po4CP6@l)%F>akc!my|WCy?!T@sO~*|P9&F9B>fuE#_9yq%
z?kqsS{_10ckJ--T@kR*RPp>_Dw#EDatYVK0%vszfx>QgW^a>}JYQqI@klw%AoWh9L
z&`SF_2E@8)7k-EY5BPGNWVb&%odn!c^=^D91d4XGzAT)eh)VRkB6hE?ZMb-PC)1A3
zR5BpWho~5%UrOl1vhk%&Nx)E0G+qcTAGfPJt(0uAszyshtXfP9q|ImgE4^!<B1VSa
z@2Zgm2eF)=nl&MiE*V-+RWkHPr~@FSL;s8gD~vcuhvN442r<)fJ7F~3vftpn$$;<~
zHgYSKV?<0T1<->dkiZz1qjkDJwy3TwlrzFbjRU2Dw^;@(m*uNsychnYy3L|Rhv9i{
zzyy0_#wbP3^sH?u#$ndrYM1Qj`+%C5$ZB1x-$ZcVyt&pyjb5(kC7dbEk53Exh(*ff
z#`#Q@Y)%0+CtCC&d`lo0U0~m;Uvo`Qne@hn<7XKD6!we;2ehe~=!?#PSiXl0xmq~N
zmt3WUlW%i_FHwFllH<Qi(5RX((ql%(LyjqT07rc?FZ`O6tO8_p9Q%_!6*!e)*y1%i
zln*G-*tGUQPc_M;u}K#nwMIRujG`<a5@F=@Y|5!Ra`JbP!puk0I(NaQ=%NY9m#$;L
zZ{>%931EGv?t9FDxUR;O3x<&R1hou@_H?D?m{)lV8`pT57i8nVaTOxh#B<AHKr{{6
z+3=dSS=#iKnu0-4B*+m2NZ{u|hy*G4n90}A2{1qdIIP)RS)c`vF`tYOC^sV|N9Q0;
zfWau=eRdGf2MqKmkgwGW2ep6<s^_h!?{Zkk0ur_Z@9Ju_R0c+=34_%a_~^tj!6@H|
z$8`n4vK5{z(xSG?KMwk&jRgy4f7=<b&O3Fi8wKHDLk)kp*Pec-Is1NjCg`^-c$*7k
z3tB-fOR8qJewEWgAPDzB3kHRJRVXd-YPgOlEjNW6I#_cjCmYp%uw`?+?BJC12aL)x
zD7vQb8j7o5pF#zW@M^$J+6I!%OiL%7-3&uq#q{hH9Pr#wkHQr-fn!;sLigU@NbQh?
zaj!cOSyLY{C_sXXjC-O0L8G>*;W6}A_~Bzdp^qMYoWVK0sy#snhj?q`d$2cGL+s(A
z)wv%kn`c8uOAU>FrBpWxxfMBYBoNq5&Zmfg;9ti4JM~m&H({i!FfxrVV~mZ50$N5x
z2LzgwO8o1;!;IpWoXv^3PDOZJNR=qQF1)8-;><oH>U8dWf?5Y^E-$YYM*PG@ofeQC
z+ihaMQ-CL`zm}rEo+8pJ<QDGyJl%Q22{{?wQ&sk?7Tl_xThcD%R_Ltk1rZcR8vRc3
zI<z$wc_tQ2B7)pVw+p^F?D9k(>G5SAnN6Pq-Y3N~zxpmAw?3gS9YTjGn3-LYC-BR;
zK!mM|yJ<r>meYw;*}36niin>pdlGW0r>dL9Vbg=ZANT98vKPbQ%h6mj!B(CPMN2Ts
z5+@;k)aIeK=nj5jl23bMxE4jLo(56&UTLLKjcHqpcuTm1zALNQ%{IFE-5Oo=9EAxq
znO|FiZNpVPRdzj9g{jWF8f`2Pm^`UGL*2|miv9z|l=5Jx-|y>iR%t@NfJAFJga`8#
z;|xu*T{Z`rsei*mWBn9o!Ja5C9_rL}?Qzqy<1*)A1|pLJ@$U)T+G4ni(MVFr-H`IG
z8+Knvpd;IQn`>PP5IK8vjDI#b<Rv}qJwDW*8)KXa@oovL-~Y=;mM%gD<r+&626dW8
zUMJqq`Lv4#8xILqBP^wZFZtC!S`avqR+;~C$uGGddKZ%E&UZd3tMp8gsc1nWNLOF6
zNFJh({$`5cikJYo;R99^QzMq)50scdJPwIE@IFR74mL)o#G2j1%5)#>fWTV(523Jv
zo&Ge5wt#3(Ep=%~VBc|O%2%UC4RdTP|3GaOlCSusNB5AE!@8R^aP>gSjnw^!#@qSf
zQ%5G{JW;s%{O0n8x1`{sj3<=I{}9-}DrOJQzZff1B?QE-2f%bEe%#evgnfJnk;&F8
zW@L*W9QnFg6z_`H6BIG0%UBgO04#jgeP@bO3v&)d5S8L-SWElolM;A99IW}jX30{(
z_=pd8pLrZ{L&j*u6XFABNo#$Km&xQt>*^tdm|Kslk(?Jkk$WQlopgQbZim;PP&|uh
z0A5Y-+;M!3LR`yW0uW<{uwKW%Of@PA`t7bSy?R|9{*uNhv_GuC?2W=s&sfPrB0b4|
zlD+NYkgQXaRC8FiFb3frG1ZqXc<Y1GotygO0S;8ELl0Doh-hXAgEtG@A?GDZh70Pe
zlG=~DJ1x5ILb5;IEnw2qTHwnnIGMSFWpe4#M)rr*fv~%dZs+l|<s}vJ$Phz<^MxeQ
zS=Q~hkD6A<k&{<$7)jRCMO2pJgG=K~=u1W*@;IylO8>r2i!Ot*8U&uw#>hcj5)|ii
z7kuhkg$_%cH++t^K?WckxWY*yr)y<XAVK>Jm-7Cvy0Zl?#cH_}XO#PVFQ{QH08);M
z5KchK{Qh!~H0@15H1{5x(PUCLKENRJ1|^eA8{bwr-IjCSrXl8~@Wkees}{)*L6H1<
zy+2W1x&xuVI7%sDa;VDw`<0i77y;;Y{~AhoYSSCRn~l;B(0IQ3UHX2p?9YM=;Zh0D
z1E@de`z<MKn#fF^gMI-ps2zRR#osf5`jdjywMfMJ98ov29S0ao_59kHs&*C&5P!c#
zRBVuR=c}~xEFRQ}?g`Lu@Ky3G@4u33Tn-%PL~A1bs6+!ZLM>FSXL>hBn!o?NjqL2_
z+d2)8n|~v<^x8B<?AN&%&^1v?IgIENJ^G)IfQx6`ac3P|I+MC(Xt{zP_vB5iq<A%4
z$2LiKE7t$gV>eS*%Y$l9?*`Dfc*U);MCo~x+!uit_=GNU4Y5SXuCxX1FC3pXu}}=C
zO4Q8o&xiZyzz-a+I*Yv`C0y;hy1Kr0Cktw)L5gdS7n2>u$j$xs_5drXHxJ<_BT8`f
zYTo=6+5c#Jp~6K7cDodWPoN9#l;pgT;ru+oc|!=9;;ukaxQX-#9-LW8iIZCEk9;0&
z&;=4+)9WcxG$PMxvz;O^ee2C#ZG|$@Fgpal^s<P>KxO@7Q~%P_5<i$)trkt7J-&Y(
z61ozj+OUUk#zm}=AsU5|Q9{V)>E~X#&Kn9y%0}zhQx=TJaM{jVJ1@6p-Jr72cEg^k
z{jzf_F8UB=(2DQF>a+bI$3EhFRkV4E8i^~qJyje%RTQbtT$Oo9RW~L0ed~SaoxdlB
zvIeanrjpkxFRYN0`1XyrQ=P$mh&5%snzBA{$lT3WH=P)zyO|N>?@D7-&y$OX3tEZh
zSk2T=ZuU#nF}2ak=RLn}$ZdabmP!Gh2(`tP`J)Y_8(07s&|2dj(OqHm(&KHfu(R1}
zy!iRk{bQ74Ym^BW;?E>}RoN(%+iN~Jas*3z-19+K4HNF}{$_sp9-haKUS<TTil0`m
zQ98*}@+s2M*+LZ05nSmS)a(J}H#kF1Gje>}j?z<|x8TcoqCuC=p+|m8AQ6X~TMx2G
zPQCO$jsr#voFge8UV;qV`ORN>4<QwKkQt&m_s=`S{*;_|Y2!iMvP;VSkR3}7*R&r~
zx}wA7X2!-R$RFF6`7d2Eft_l7zwU};GlGkClv`)a07Xms9vbPuIa_MpIXPyLzK$xV
zaQoGOCgcWv5P)qomvY+bnyZ?B$cBI-O)Y<F#!Ka4&03YEi6Xq{*2+Slb8b}1VU&%3
z)ZkqUi<bv#gEu{b+l-0q>75~W^Q*>W7!ciCrZ)dFH!Thz6)OkoPL^@S``sdW_ay%b
z97#~Q^i0jBRChu{G$ENpE|TBLykE4jw1L!}B})kX&IQBAJ@uZd^t64_=j;%&p<{m=
zi&HLekML}ku=gFMc~7YlTty;+Mw8{ZGT7fWYk)Ne7mPh$%&A2T)C71CWSy`?X-niN
zQ;J8^lZwxDYusnUw+sSujQ4Ex-9P+t4PQP0{6e16%6F><aTLFRtK1aeDue^Ocuo!E
z#V%Xc%fHm8hmsfi!HL&NrLP&my`Mj)rNA<|zBM|C5`+SK60Cnu`$g!rUf3FePt=qJ
zn9}J-v5qvD1YBN<_Me$bpvd^TG%Yr;SGgxgJD}kGpm<5uf8R%d8Ob#`k4~d3aj!d0
z;Q!@l|L!VEWJ+K(0yT%-6j_7~K5Z#aMils0|H%Q$bHxx1UKaze)oR0-!O#@{8Cu6Y
z{{QjzHGCH7mt50)xZ#jKP7dopo+0>4L<zA$P2#`%wFCjCr5hN4L*}Kc!u92Uhxvz>
zo)AH{n!SjuH>Mb@-qxy<-8cY3^S#nv@j;93BLPP6>HB$P_TDf`1sRZh4{P?9MhDiF
zn*sKKlmQsO)bI7Y9<Yv^Z)&z-0Z#hkabKN;7FiAs${Lb~G&z{wl>)0JSChq14I_Tx
zd&&0ohyQ)i;tk&M>+Ajpzb4a#kuL*Mq>j9Ls^~YWXF54dXMK-roRz2b+1sQ}KU*>9
z@1s|HBiDS)mVFf>n?xeS1w*6)Pva5X=(o#$Huu)Ap7maSw@9zsLe98c{KoS+>uASu
zSPtH-jhPXVqcp0}n3JG9^8V%g(+~IK*;XxRI5w8cb@u(nCy^aNxl7;7W*3arQMa_|
z&q=-aiZ_YZ<9ap4wNKA{W#E>9-7+!1zu130bE|heOQ!j{b>=)3h^+Vc`TMtuU$fZ7
zo^#X;AtvdK_1Pi)fcsEPapwAJ&Pnf0n(FSui`df!FTbDX4HWgg^Pby174-{syMwsX
z^#(IaW6WziyCS{`n}*)KYnxuptj~F|Ofcx4y$`?5<uh{3yUJO+1wVgnDlHIp6>6YG
z55kASzaDoSeoMOR*Yf^-F1xM>48e5c{o`!um##t&EAXEE9Hp#BX13BW!zd#jQZ-sW
zD~U0cL<avQIZbdFg>=oUAq@s7(#H3Zy%q~|zleh#=!QF+%WeGX^7MoRXRG!gP;bOQ
z(AEepmj{d;H}79|JHuxPaEz@;>)f?pg_1DJzI06@b-*RLgC=_VWk8Db&OndIY0rSj
zvq?7|6&Nada79Qr1Fsp^VCM9Ee-z{@M5-C(M%M-0x((nZ<*4)o{duM?96V!%LkwJG
zy}?`N1%ZI8IKFlnKZ08t$q>c-c?cc<SGXIv24R>Dy}VOv)*Q)-@+SSAO7H2I^N|fw
zhWvR<jUG5`gCWi}Y=AEcGk(~7q-$Wy*5W7RBq@vtGHreHXJSt%0dG)f_sKVB8%Akt
zUr!P!jKGzSwI=__BP^QgB#U~=p8-{IL69ia1{@I>Wrms@AEOpoMd2DyW}At3HdRuc
zqiuc)p6YKL*84Oq+#WGHQ>Tep4JUR7^bH5}ZQy>9%>0D}5IFZUucKex>8|yMa(;{A
zThr+;>P2=xJ(?zQ-@Z7DGVT_m4mjl6oGIRzaVtLOI84oT-Ku@Hx~$N8@M7PfK*=#t
zN{6D92&c491$%FIQ}}W_Slo930W~_A_2N1U=oQCNc>*R;x{@kaY3Mfw$5)$dxG>p2
zyU;|0Tz4GxUhrZ*<oh#?21O1dqb)U@pXQEKXs{oiK~nKm#kHP^e2z=hm`ebYF@j%A
zPdpquZWf3r5inyVH$!YuA#2C%j83P8FfmL&`<^W$Cj*h`otvRj2RpJ}?n48Llpz68
z5gB5GUxIn?GVh2sOIgZLhw^2L?yuX)_u9=!$$OE05j#p-;atlU(1pQ1;^>Cm?7D%%
z+x!uC{#fW+P7T%mQ+DpD?7oSG=BNOYs{%#IO9@Nr`-KsDeMbJ+qAGnQPAug3;FTvY
zfiS^+oS&jb0LVD5p-b`u?PH>1QJnh#4;}P4xIPZ*3K0)xLW%JRsDIzoLj2?HW)a45
z%0d+N6v%IX6ToM=)s!Z{R2ZQwmDe<*01?4Rm-^$?zf{0DnzK{m$R-JM74jrpdT^}^
z#+TppUrd>rXsxDp>#t2hix0%0G6r98e&DtBQXqmyQ8poQ#at;{wlAwy+-o&dX8%fO
zgo0>*8(oIbBMuD9w-vv@Ma+P*%Jc4kE~ZRF@XV`cq%#!3_*207s)nGAGukzwqi1^j
z0#=Wt*9{)-;D0yaCFI2`z&9fPsR7C$tfN5q8Rg;Y^})@^<RSFeJ2w9L8qwAIOLqR}
z`ky593-qt&*%LHIy+oE=5qvBiuzlnT+?A{EffYo;%rFh<8z>u#`C~-HL4y&E+kteb
zEyX4Q`fzsT4X+LA57%w;O)L~IUUNE!>6n-Q32vf%cO3Am?KSG;C=kJHR4w!)jbjEI
zDF<pG^NIiL9w{dn2NePuM*Xoq*EwAXgTBM;Vap!cTAycIgu0@OU@~4EBQf|!e?c0d
zeF%^aQrE^rZvjh?{D!Q4stz+k@bY5d`L6v`vVY~V_NN!TBZf)mKD$(hJ6>}VUcY?$
zmz{q#ri;$__)Zk|GWZtIL%&rU_#hUwcbcn(g4ST-fGCa<OIuG+4DZv`^`%4^GDXqr
zwsG1k7)^fz*!oYrA(J(ZMajoE#M6WFJnG!>R14433D-+6g(=Um6QwMFVytO{5GtS5
zeWEZRiI9^c>8=|TDuiKZbU+}XvAJAR&oac72sKSd$I4W=&24N>1k2|AvdN7_joQ>F
z^C*fQzIHSxrZaTl`Lw*#s4%+mIxuYFT%Xi+SRQPh_P9NIC5IvrQb7<drYgQTo)a^e
zI`DYL(#8jFN80na74LHmf>`t~>&P=%&<BRiD`?$L$K4H7r(1wrmHAKwt{nR&vRN~b
z>ba6%!SAtJ^yM39bJc3-d%U20X;@7!0C=l`5<NG?DeSaIJ>m&>ZXyI+a*H61Mqy7v
zB=jLa3<|*!b8xtfesY12%CzM%AwVBYN&58|41rhCk)bcGQ0jh=@LM&dfSyhvCj^#l
z()glT3s6lwJ=CiR;C#^ZQe5CV6&*{U4{f5y?7{lPTdU<a`p+E&r(VQ)?X)xV;?0m*
zq|8=6pIQM0^0U<LztG%<buG-Pt3eV{%qHOSy;4#z)K2@8QEH?k0CZcJcI=C|)~vAV
zRJ+<Os!oEArYSafG~%M$#3y#3vlbTS4wlCzXw3C79dvK*<1nfj1x4_ksQ~Zm{PEM;
zH#(0#G|_Zqs#{t$GR<r9djMvckVLUkvOxFu5Ax!dUf(mYk#rtEe%}&%;_ZzQoVAVV
ze%tAxnCwfiwvOLI2<G3zGJKB`4@SYk``5vs$xwlJ51b(s-$%55OKOna*(m{y0)Th~
zp5?|rX?tgYpmtMy%b6M@7=!06LA-s~g!do?zZl?u&F!|uAnHbKO90l)i$&veyzq7k
zG>n-9b*fXqUuO2Xbx-C2t-A~?`{)9oOvxOj>w(+aI}i1cjF65x-bGqCE#pB*7Zco4
z)3V>lok%_4DSqO--ArQPOpNV9L#jCMwUVF9gO26VcL+KcFIC!(%>nOSBdqMn#_#K|
zIL;;Q8we4k2+i@OZJ(!;!;#;8LnRnNS;Pl|M;E|vU_eL)HKFt)2C!#IF(&fJaY{Q_
z<bz}Qq3kgf+qZ~gaV-to>eO@c|6&2!L7BZX*6jM18S(9{JG!AX&)>;G0=;2!`0rH-
z#{+MZ^u%ftGNnUTJnk6gF5tuSLd&4s+lh2D+gah9?_x|jXy(P7=Gzbr3GLaAvNJpF
zadHkZHr_u;c@b_JZi37c;y`vtlEy(_LvNDdQUL1|in7b0w%OKviKwa#!gYl_Mo1>-
zt>1)j)+3%s=)X`B_rCIkj9$$`Epu4nPHbN*fcFt{mdCD2Kq_j?5hY82Hp-EN(!I=f
zbOCM5vtM|avGBTYZ^y@|vespv2I1~(>6TmeQ_d|DHfC+hxdc0ve!zdyW|`<I4-$P%
z?7>BVT_KXR0-zq|x<x`ibe+-KR4lmUp;6$bD%&pf)z=UUrC`QetWB4zAk^eAL`vPr
zgm`R5!u2Fct~df37F@wDU3RPIaLUa%$nA~?AM7KKZ<aoy3F;5Wc*<33>i-TAgK%K4
z?C~H#yAAna1ekO1l@@*HlT@fyKF_<iZ-dZze3jGY_t4<&Fbqiq32wTT5Q2rk`B#HK
z`z5Xr;_JnT@A^n7B^)Ly{Dq4zn41aK)yW?Z?WTjX$eBTu=Nu>Ne5xnv{Vo}71wh=y
zOP0Tivq>(RzA9aqOFep~e8pydB6up2(tk93P3IT(l%aAcUSY%s>10!I4t-4MpGVlV
z$n4bhsrK!_oQik~3jMOinQv9J3BCGeovQ&Z7*ljF28}rx4@XU-mDrxI6l8jUScQXv
zp$TEL?v`YZnl}TH=KO2xv>hMagnqC)Y=w*Mzmc48@EfzNvwZnSvR3lQEvR}{f2)6a
zXC?OqE0__z3ZUIyd<~L>-#3_YdM5qE7V?7$5xHfW&@a1HG2{-_l<jQTcAnU)5T)l%
z(@mJAv?n@{#)yD5Wbw2R5vZipK^tpQ95ZMs-rR$->fJqGN+C7XTsDQ+xT(%ou<auG
zr87|a$_1ZdW<TH~Pr;BpJh3HD0W$EbOEm)J<~@RK|5zr3#Xt6HKOR1wvZEf7f|EYC
zXF$x3em3_3B68JKpprNspGR1r*|82V(~D@3-l-mu)F;?Wg04J$+JKpPf&!*_flhhi
zNNl|`rrC43XzJ9I>*3k2`0}Nd-Hg6nAD?5P6LQne#XMRjL&2HejBI*whW{iyQ<61w
zq@Zp@VKy=e_%E8y&dNNSInVeoeToi>tv$l)xRTSO@zj*}bQ_Ze>^h_yk3flbr!`dK
z0HBl}MKxP@z8T}f4^e_h?KbF|50-G~^};@?nGbT;5JdtRhXy2hEETs#ZL(fE77P;U
zj^nu23$761<+*8}$@wz}E4;Wka?bEw%rdXLWJ?s4h(NFo-CJ+aZaMBA3A;{A>Vk;h
z#hC({pjE(`&w0OeFPDZ^yb2x}weQiatum?ht;S=S)-$$W<Rs+-Lm&4)D|*au>6S8x
zh+{Pm@jX||0G#o(jzu<j{ASi|@7!LrjVT<szgM8dT1A+qtXIy3b)z0LLbD)3E1C7v
zmBI2uhW3DtLR+}HHgJP8H$^oalIhoT*Wu@l`uRLY_Y3b{{eIO)9u`X{f$inY1ZnX6
zMx38W!iR0~$mZKZHYBCX7hxw`>&*|?6bO~8Dp}4=$e)`d9v9fIZYx04r@JZd9_Tf*
zWnV96T}6~w0}WRYqz=YyxDWI+jykj#CQA0D&ysX~zoV0+>vrwn4<%$NmGFx;e{dU2
zHjN7koW1xRo<8pNq1I6xW>D+7pAxEYpP}dMPGh{qy>Fghm`cs5;Zx~QRN;(BehG)E
zsqzk03#hJeT-5aj(tHuB6MNgo$~&xX<m>WrLh899ob;gP35YDB=$-*6-7C7^0#Q`-
zsPn620%dpy1{oU27K13&z>Rz;r^lH2TXX8VWc#|Yc6=q;Cm?bkj7QV6kFHg8OK<V}
zfRW^k)Y7GX-+uV?`z`3oJ;rj4o(o18wx>afDh8lv`j_{&IBy!8zxZ|Xdk=`cB?4fu
z(e5cgs_79jLI{E$)@fnGGZ{kRbxA2@${KrLfF{4gX#W^Vd%`>7b1H;*ZO`oSstrFr
zMGUId_DThy%~c?d=KwFsiw6_`CR`W;`uAuP`x?KIN_?xW04LpZf09j%vM|vG{apaa
z@47lmt`sm*gfU2Y$b<M%OM}vrXm-ZWyuc^-&Q(Y*z6CCwut;$X@|roFMuHF<O=)ON
zGw@i9Z)m_}%?&h=(nrh}rw3o^#bAhU9hPHB;h?ou$2U;N_OT?~eJ#u(@3c1UI^3=v
z+__+G8jlZ$RV6Z;VJM$L{VSn=xuu)~M{a4v6W0Xzt{9f1H&Fgc2GJk!$OMa!gS0;7
zO<@MV&i;|td<G=X^Z~sB1Aq7h3n@OS82V=taKkeBx9Svv^g0bPrBJL^KusCxf1WQ-
zcYVxO;ezUIb)8RGITV780do1kcNH1{PHORUAznIe0gR`Fjj~4|15JN4Zr#O}Z3pZ0
zMP*~f0bZ9^hbj(=t5uN##-ajJEL+`U9jmOv(yndv%4g>WDb?90O8y9kl7fXFAq`7l
zk110-Y*Z38Wo@KdZUSiq_16Y!ZpncIJoNS3LRUz`=)db9ELqU)g_$L&Hnm9ghcvX|
zht#%3Q7Wqs0NXzY_ZI4eu46p?r1_C&T!Kt1`OnISoLES}mY^0+d$n*Hg2s4DX8<O^
z7?-BK;x0Su!tA;tLV$W$Z{xnt4xUy=%|Ro?iR%}z!I~N^6S?)D-UV-bpa&+HGR^1t
zTR`(*80$ys0*loQ2sB#sCOLp(c=h5D9H5oV?%PU($)I9-k|mL#lTJj`!>JV1hgE@7
zhW#oIs8;Sahfxq%@TUa?9`J-hlU|FAD&d=uE*Rx0T|-PiH=n})OVP)8+zG|@Z-N5!
z2L+%2TRSw*aS#+ll;nO;{2VF)L~N}VI3%v_3<JwmM2w~^rsazi0(?>kYA5^~cwERc
zt2@<2qTJC6BV;k+3{fhT^^Zzj*GOH*ex3?-H8kH_OtycH>3;AI!#^o0spI$Kk%UYh
zM-!^4N=9xe*$H^%sqd*Y<aljm+9-^nWGjVW%#!(cMcgQ&1phTS1xQ^bd0EF2k=gdO
zsT#5hx1(hW^gjL6=EQFs(Lt*#l@&>#dAd!X>y+aRhz{fzb1cqpcZ=pelle_<(JM=<
zdP@WbE6?{*R0AuKfwwgezaCS5d*h_wG$x_>^|!Pr`?uPNrAmGe1&Dq?<!aQaJZdWA
z)^#Fv`N()Vh!ykiGC~5li0~IStip(4T7*lDlGYvZn^k<D3$x4mTumDWJ1C2mLtxoj
z?DTb%K8y&LG>>gn(`bo?ap#BSPc@4_>nT0-0fO$2mpnRNghcHM-vW-!=p#=?y}Tay
z#Qv?6wA(gHa$sB23N0Sb0S0)Os=#czE+hj_)HqMTRJ3BgvQ&ybE?yW|UTrJ*zywX<
zXAUdW2gYPgb$;p&sIJMl>Ws6cDJ^X{J@l4`sAq|N{QOZY7r<}EwI7OvqK-39DcPDK
z!3A!a*^$?5@KW|6jr;GuU|Y*-|0XMI&*2w80NL!KNcQ(I19{815B{?|O;+ZbG+GPf
zQH!hH3_0R}c|Cdei=X`w+kowIX_I$?>=fHgR|PdJGS^#z?BDM4=h71=VDVrQz=4=;
zT2`QU?#<Vo{Ma!>SRqTon<Fj{$u6{apaQlz2--#n@4+a>pF3P5Pm2+v0;opa+gLCx
zlbG4P_pwz-BH)pBDp)ZyAefXI;vawHc?h@cpf!aMp2XnTkw`r|P{l#B5eD!V{@P>h
zSYT!c=_)_a)AdruvesHy3D)|pn50JY8O!7<R@3q&+foeJ3%0Md@vpy+7qrFp7?X2v
zw_h2r+t)#D;Bei|IeB>$2e!VpJ$Q;b0{Q=Y=YVL792Dtj$qaY2tX6$B+5f(1ndN|P
z0{>%sFb=RVSwVZD57J&breF%O(DCw5@va0Y*HSfEU`U?rijgSt-QpvqXi78JWwD&(
z;wnGT2SvD=L9l`tL7ZYoBDmxrg$`D3Wy!kEAON#PfDa11`c%{cqJKBWz?}6TQtQ`e
z3g5O96!5N2`6NUISm5nq-^wThqNtIgXcyE!Hye7bS8RmcEp|XTz|ZSJ5oy*$iAg{c
zz8df%pO=3Q7v?!kd3R^9z@X^vkELs@`;u_WK?rszuoOTRq3d20OD5h}pR42hXIz?4
z?p%6;MmFo!1%8kU&;aR*(D5#@2f?OKC3zL{@xTe+xsp%-oznB`YFRfiGiI@L2k@n2
zaVQj}`defn%>$J{Q(;$u8+&F@9{t!1xC!H>eyyj=!6E2EKUHj4&7(pgYX9}wOr6h|
z{g+9n@M>^(OKH7*?Y`C*&`vt8Zp7LH6gp21X&a~d1d?b)IG-Ikez6{6bKCkQ`2{p9
zUaJQEnr)&eV`ir|eZP2h+Zg>8cs_Z*Rca~vZoR3I<>9i5-?-0;db$&{a!T8xfBogk
zr;85MWgi=$=bcN;GH}A3-G_h8z-VlGS(5@ZtKi(!@Z|WDzseIR4?sFs%EMHn9K|&v
z+1%J_>^8z-wQaa+R${4xqYzlg2)J8?7mk_b_B&GW8;5@7R{&`@pH~hcyJ(RM83t)H
z9yONv=Kvm0mOoMDY$02^1q7p`&G1JdRs%vii3?DLofhbI>pKGbNU%lNbxmiuw?A8s
zcPHcm*`540GSr3-_Cv?x_napdnPJHjNm*KOZ_k6ILR{u%(QSMl%BOY1Y3d9Jn4WFD
z(mzaZd3q4*jd4YKammt~nAkpTL6xgwPsHB6<fm#jGV^*LCYu$s!6`^y{_OWX!bYAv
zKF7h4Wl=FDNN0`hJL$&XsH=o}VChFx9)6%`^veV&2u74VHHgg)fvz}K*uo)!ZCPB<
zUSI)M@Aim%im4gChuTDfM&WTqH@m;n5EfAocztCYv_CT8z8)xUCN+U`^DFhEAMc`o
zS@eugG<eHw@||?kk8fNrzAg}|h{k&SI(w`p&zYG?>wt<#JdzELTj5s6da&Olq+M(v
z1oMX6-anOU{fPw8hcZV72L5O$e7eSQ7dX`L0LR14nN3=i0SDDKQbigQH*Lqeg-*?B
z7RD!v`Ozp116b-m8b*D(#E#X&_B?2Xy?knPYu%}C@x_lU9?3=EGQ~l|G~P*w?GLJN
zH27bSqZENXML8vnY>YK!d9N*W?>t^dBZ9NQ((5ex4<8ZZ!;=E2-TJd+m;)oM!Ox{z
zYIPefpKORY9|F@*p42=$ew7ShwUj;%zt=Sf=;1ft_h#p=<goY?9wM^t<q)9V%jF^K
z0D7_snn0#RU;}t8!ul4>8-!e#tGvX4!#wfL#YQXd27}rTzGPR26NHh02+`LIlTN1%
zQL}xfhdT>ywsdOk?u6|{=Qo_u0RKhddkSq+nw{B(khwuIlg?okI2ssitt{t#Y^o*z
z@D1qbHLAi<f{8%cZcplpgPR_e;vt|sJqE|TCWP3QLoRK3#`l0px__8=;_)9`^9E>R
zspdnZDT-=Nxh5(xKbPsCXw<BR6S)cdVXtO+Q&ZLj!sZ+2@VL$Y5>>3y%gUzCSL}Yf
zek+jcQ9;BBDD%sfnQs5KQhty^0PeHYB$>%HNdJ%MCa*MF6+$Qxx09CS)|i;Kb&5Cc
z3g+3I4x6Ghr|v0v2)zjnWcKi4-t%yW(5>2UM@2c5cbT=8Pj~g>6p7t+CJYslAS>Yy
z2QdQcodx3T?K#^AO<}uH>`BB%lumpP)x`wuP~%<21PXit*01b2eoMX<nOi7^;l*vu
z_)+#D8^jVa;x&1aP=WiSGnLC7`VB7ebNs_|i+X|f5(dNq_vsCby`*3zA_g-IpEg~D
z(utHlV1{sNIMu_5f^x{A%-7O`LHKhl!Il}}8XaTI-WOBZsxe&S`^-71S7DNJn^h|l
z?<<DYe|*wVeZ{a8_ftN6uuzi2CgV4!Rt-ExYELbT@A!vL)*o$O@>|!-q{c#-{Ds<S
z0sj+Y!OUKb;34qLZpekl-ywdt2pbG5a^ky%W%61d<_86KD)ekFQ`h`OnBGV6Q6;@N
z{7kqD@pw;Lxg0DArBS+`tZ#f!5u3Z%zC4YpwmUzK>xxBiV|6LqyayCVYK2VI4%}ro
z3YV20k(kz_+gx8r8TtAL>BE}}fVHR_Wk+M7|0u18@X<GRF2nYq5~kd+O`7qM)y3Iy
zoO1>IBvwEe39s9|&4bvZ;r+y9<_#nkmFDZWh!TQFJ~c~RmnR|m`>`{Q!4Jw9Lys5`
z3Qv@ILaLDQs_>AKUer}wanC`Ihn~an<w>|k*bpq6Hd5`JxH<A2YAP&FH?OP)L#wI>
zze_vv@Zn2Hxi-l<J<<HSN}tn%wT36hOH<`+W)j+tP5Y=W9dATTzVBV>FZd$+F`i|$
zdFLB;jSuaZKX7P-%E|mzZwx#bC|uD2M=XEOth|76fA`y=p<8sdLwoX6Mg39nFf%s>
zJfuPf*R}rqV1l_-ryMtpyrGfz?t-2groN)na<)>86pQP1r?+lqSc_FacLg8P<THhD
zz8|*(6hO+O*XpEPC%}i7qA8m^J8f<A55YI&xW9Zw`O&!E*Xcr4^#;Gk@~53SV-2`S
zv_{qpP^&mWL@1$U7?O&%ixR=0_M+Fril8>tv4w0b$%v&0_bFy$h(K<-@3)CB_QnV4
zoCN^HwF|d>!)f>~v``Q&te_Uw?gyIfj_sF9W{Sn`q>iqJ5;F5pym8uxeSKsTrzSUG
z_I>k%t6?Fe%f=eCADR7BO;bH5aM;&6^6ik_N3p2Vh3k3gu<lo`v)!B3bk7VU3-|3L
zX*>=rWH{>!Sj-Y?>LV!xiK%tzl4nAEzY8U@FkOeUAWfede)QxEo7VW`^{M5XIIu2J
zz887tE$n^MR48t3hb8{;uJNL|;QF`K;?CD4_`)y|1CO+fn%&eVuC$cj$Vuv&Dx7|C
zoeWMtOusJ*&}U<c5866Vp?C$1U~h28RAO6#9HkkhM=Ws`;i)SG#mI$s{rY=YYTRGd
zGCe6p%fM5XJ;G)y{Z1beX!kC7YpFk*dA<1I*Ol^}87G~J%Cgdnl{r=9iH2|ioBEne
z<;qu|dd?SaRpB0&?S#gzZ++c^CrU5Qi#%_gDnqu{8gG)MDR>Ay@mRgJ7dpu$8V;^e
zi_h1#e{mekTRMi=R7GH*0{sq7MziWFVlF?Kv`7SirO!yJlTdh@N|zKE$5(q`{rwdk
zDpCseAWx+wY;cvU@+&Sv!gct?nRmb2kr6K0MRomYb*P+LbpC=as6I3M+(P$BEVMMH
zbGB}rKL7VIzvH#g*qCSmH{_K>UzvWb_x7Uro60Ev=XziSmS%z~X>GO6PT1hI%#7*B
zR>^w!$xcr|qdkeSx8t+hCzD*T*B<pl&F@$C^IvG_rbXIJb#bK_?>iX@hD*@&zy>>B
z<!%L4U-tPN7q(8C-}UXPb#AZP2=4L7_WE7J%gf~$p)!M&DJ|AkW@yiMr|9k+4!ZBw
zUc+ztex4&`dyN$wR)b(mOsF&#P1nS)u*|nH;#ba!RQafHGBBD!rUDMya)NsXv`j(f
z^p)*|plvL3FNq>orLf9%qZ|PCQ@XkHLFYwC;ilc7G`bM%U5w=?4KksanK$gZJQn`;
zoq19~rWJ39?zAPlWBAN162f86Ne7q_S;?ZG%07)``R3v`Qi-^BC2_j$F61Z+VE#R6
zcEa!uji86dqk?dj((Jx2i;KOC(=sk9SL5UH-Hkv(t}5fp1{D#6ip#!aIYj*E!G#ot
z!b)`g=fG`#7`vYK^Xhd0w<a9HM*{E8<O#*1OP!Ht7MZ@vA6n3VCwVD%zj~rs%=yC1
zq$~aeq*yZ?CwNLa^3dRUZj!q{@IO({{a(nvD=)x7omDFXZfHzJOt$I3IV+g4>f6!J
z`=fma4gJpd$2vpY@9c&&fyfh51IuQ0_z!XOMvF$5Fj)lSQoSSmx$3op*lWN2_G|)=
zY~NX?&=b-O;y48d(8bug8t)k4#K9_oz^IkB-|`Tf?~Eje3DBELl~1$9y&$_GDJl>~
z8r@HKSr}fe&V!riJYTxLZoGy!3wkCpdu%cwh9bHqcgx<52Gp{l96C%J*?y)Lwrnbp
zZ2&M#i<__CkPxsXd|iRU4Z@=l$#eF#5PD3hll{!?xc!_d^S6d?Vx>eUw<Il1s2%fG
zaO|w7u3Qe6`R;)PCX*#ac;?xp#4o&*3S83#=tET)RT$%MB>0Qq!5%v-+jI|F+F?nx
zdbv@-fbv!?;5yAxiC>D3k`+8T;0p?=n;Tvr`ms9W#X9`;L@n}*%zwM#)4&ZE&}A@f
zNSh1dDBuZ8fnc=`ROu(a-5lD*GVPz-71f|6)iK!iV{aTc&ELJb+YzF8lr7FA6-TW^
z3FRs1#ShC&uMtP7%;FW%u(k)|w|lm-E_yc4l!qC^7>{Ip{$>rT0x<EE+58@Qof*@J
zz@!PKaVW0IG`}jxBu|^R_gU2^gmYy!gR-TZqozbL1PB2XR1O}l0tlK6WPuFP(GF^+
zRKGq-b0gq+hlC9xw#o;TI|azMV-2JT8c$UGzuBauljvDUD{U}3u`GVboX+4ZC@_+l
zPIOwdi->Q3tWBf2sQyCfD)^ji*<`7|if~xclx=1|v$ozTHPm<^TfdeaU4Vd&oFJhm
z$3c3;m!sDo2sSa7@zA6)=OTHY!F3k!A6J&>vg8_><JuX;IiVHtM1ycq!o6Sz5NX(f
zE*c#*R+<%o6mT6OpUmyUK+ZRT3g8$#R>PpRqVT){ycjxvp{H@!Lo)b!#?p{;$AD{g
zqiwImcRoCp<1|ipfrToR@3cf!P`_Cy8cr>%F>X%^8|b+#%8rKWzDORmxdZ&)p^)zf
z!&tL@g%RX@q0`|+SI$2nH)xE&$FU@@*cQ{DIQ(Fv4)_i_U%6I1<$^xi-9E8|Lv~*z
zX@~S2o?%s;w8@FjiSOsD2n`ZkOS;_4eUN%iamPe8ydm15KY7sCWsR*hoZaB7L(fhB
z>6ka!56|?lztO(q%C&twn4lPiUbv#G1mZAQCfTQNHDyux(?3$FgQAjyF}i5xacW>C
z1x1}<&qzuX$VVzVlMashFe6-Q=>yc#1j$eVkmG`m1#O<gXsOq9&wK-|*6o_^sXGaL
zhRTJ^(r~?Y`|#XI*=uZ@?&7od>rZShw_`TYlNk49<%|~EvEW|;l9_!7uEzP|<k8q?
z=0sD?O>0e`A78cQA*LDk*TexJ58>cIOpV$Y!TZ;6RN7LaK*5W?V!bp4I&6((Ze77<
zLr60Ys!Y$PHdMh0BZ6ybiROJ=aaHBlg&};Etz(07@wLG<sxql_Sqkrsx8yrDEle45
zQb8G*TRmQm1*)QpGK@oI5&u79p!_!LQ5{bvax9ZxA}zY&3S@kUo+fAdFZo$+pA?O0
zvU1H3;xOD}1T>*yUoL70eY-$SR2~8gD=5+}W4c?+)ExQVxL!FRLUkS{En>JZ{I*KI
z_%jqVl6L?|jI)%oG^tUu*a$SQAxz7N&!cjb7$~0Oj2c|axrILb!pwT4;?~QW7It){
zVPTuYK;0NZtY?}unhPCwq3>^x+ySMXh^LF7?N4!e*jdU6!0r3hJ-;(2+%0wA6&0io
zrDkFc{;UjXRWs+y=?NCs8j|U4g_TeBZI|;suo0$%VV6Y#JHMp=q`v^vyem{)@)T)^
zb;t&jG$s$e535KQ9Qk1lv=*u`fPE+GHTvhc7*)#H8=okPfp=Co0ot<>J1rxji<)u!
z&X9e81{*R9k4lxOqZJ1h7+XyeFE1})ugM*u+y&?x{6;I-7nlA1AH+F!R}5=v*{nk|
zjH(|a=S`#zA^b)fT)B$I5P;wR$6waF@|QurZsIi)0(D#VIc^Ox?X9DXMESVr3Z#Z1
z`kXe|&>dmb8+(5nkZ92^0t4qcxFkh)p$}ZL-E>tp9a2T~`nZv#jvJ(9<shm_>e{>U
zkCnZRf!EL)zQmTDc(><c{1!;s78Jgp6C?`q7ghVnq|yT*MCPc#aPFiSaHQwAf9mN2
zMU7rGgz05NeD7rxO8Y*)7PJ5C)*ny0QVQisYY9Ejs(=4Ghn%Yg<U3>+$#$Z#V<x#T
zKk8rVT=QUk;5a9}Xm~P-6i2#(DyiBM#ii+q=>q}KKw-qZl{5tN)(?P(_Zj=@F5nHW
z1#IhK#Sj`4G6e>FcUySO4fk@C!F8_R)80HoD-N#M$(|@RR~(jGYMpepcBONfFIZW)
z)ohu!zT*CFbt#)wkQ_Gu7YktYSqu?554x57iOU1OoMU3;<II&`-oqr^=>Nwrzomfk
z%a!(Mso-mmGp^H6g)I}pW9mR?>%ne8yCVjO3?w6NHx6Wr*$d-!Js_5V<GG-!eMBFF
z3)$Kk*j0DNex(wO0i^PUZ1VcV7Zp*7C4D&MJ?6`!fNvIU31oFuNR4YS>9~Tl;*8*i
zYZOCb;k+n5#O?b<rxJ>C)ajEo4yUf-CoT_uZ_7VHd4)J-Vg&FB&^bn3B^9z1Y<_}x
zto=0JX4WMD6W2^Bgjkrp11ElSK?fZ`(ZQ_@s0fs<@i*EKrowm7lPU|RsA-?WDM6&D
z@YLHjGJ4xV5WtSN(kw2?mA}-_8I-eylU`w;g4TyY{wS^{>|a0JfLItof`1llxKWVa
z=c;*%bm_(~LHWtH&WMx#>sXm$a7gHjv;_BaP^+D)xIp3&JIRAJhKgkHs$}`Gzf>Xe
zf#-?EYeHs0ZF6dI*s>R0xYHQM^|N{f>dXpM1h^ad^nV1f{|&>U!j#z<RoM#qsQ7Iq
zy-pk+1;|br^dYVbjGaaJ7{}xD7&;ONA;zUx((W5%J8y+Wu|nN*@!{*RK{*P9C(25&
zd&5+NBg?O`c3O#DbER=``!ufnf2xfB3elV^5_pr_v~dRrogXo(?=09czA+($zo;PL
zCceJn)OB%`qVv#)jB@QT15nkMQX@qb#5%HMisrj3=r@3hI(CG${kk7eL)p0csa||{
z+zL+qPD)1>VmjXq0>%AOq^q2f6DnYlN)QSdxJ@$hmrdb4fd7*e0FnMTuUm)hQIY;g
zoEc7}jj|j&+dz&Gw)GmQc8cL<9pQpyU(<yvsLm4JF#SbF1kWpscxcJu1a&#eznG@M
zG*c^x05K^<L>h?AjH#l3dzw!fe2r||Hc!vIJOtQLOBv5ucjFYQ(qf_S1cQ5SfEXu1
zV^1V^<+Ur5?DK+!Uo#|e03Qq1%};=CNZ2Sp5HhW_R(7)!BSQ7DY@3xlwbzTS8r*KN
z2NP)}+ZXC90f@e@_ei0jQ@sKNC(*<J|H=oMd)PbO0WCqryMG#)0xUvev>6**2YL3@
zO85&1`*;*}@Z<DmUZnkZ*yq{*2>a-mzi1P9vhEuJg08x5Df&WxWPkIhi``Y8qOkV;
zpxl-G#I&rqlAgGIOL}Q)SMi6=0h7a9AYT9?wox);Ab};-5{z)TKVET=k`>(d!7isf
z?&|o*%kyQ`bWw@VarxS8Tgoey_b^7}T{%D1Ju|*8C@9!z{~8Mo8hhQWbro<WE@BXU
z$7&`3EQAp3ID!9;EEb86PVj`l_9zNK%1El=BbPIXsH5^DRR4eEM-1wQ`5i&ETF!1Q
z!1cJQM&BhvC1?!7ONWw&4sRAZjr}wdwo+T6zsiL!uQ80tU+p^+Z{T-qV5%j!2B1A{
zAVgzLNlIGw4gyAQ4|BZyOQ2Y#=UjLm#dY`gSr{=BQhm?R+BeZG#!r;qAX5M5YuC&5
zRuO$_DBOZyiTbT=y4l$-6+dW+1cZ!doW|=jrxiQg(kIO{mdgysnu0?1dwHb8`GxwJ
zf-PLf??b_j|H_@{dPa`()E=Bx%*j~$eW1+bMd8MHmx2Wxu;KUl9-WBO*w{d4ENt~O
z{yS@U18%8c5}!kjPFy3u&#*XDiz;Q%UMXd_Rfk)8JU4yQ{geC$3u*P6(Mlkq$A@a~
zv;&+|7!wO7NY>U$0UTbfdXlbxG8A4Gm-PhXrxPXqLatN^7h|{(`;>6b*FllNS@{03
zSJ)Myl<YL|k#DMn>2b{HMRb3FiCRNLO2}a>lMzkX>i%1D0Ct*z2XgLar`$+V9uT{4
zC7rOQVL)i{OI3wPT>g{0y|kNqPX-XEhT3FQ86855ATvw{LuH0(J^qp}fj-FFa#Q(_
zA{<Ua7_|Y!^nc096TUb7L#Zb8;1jPv&K>)eokk?!M2(e2GmyIv2}5DpQvNpp-sg^`
zyut2vfa`z~0xUpKCO}8Lh3?$<=N5U?U$Fig1HLHXg(b<Mlw7&S_!o=D=SsvE1~z6<
z6C*z%5&$;jUrMaW2>7=#1<}GH0QBN3|AR`XyyGwTwg?XiABgoj$PpR+N!-_oG0=P$
z26>wPd8Y4ZU~+jO;N8l(lG=K95Vtub<Vuo=>sImj&dgeF3hR?e<~mY(_R!1fm63?u
zMCIEn_OCR>Og*qpMY)){i{HP4kFZFBljMumf&8FD*afCEzeAFq^dma6#6NZl-lXVv
zew2yID8xnq04lz>9Y08qR>qjugX6}gK_dn#J&Ld!WbE<#u!0n}U(J}24=>p8d=aly
z$^`i{aXneRBwcepj%i91f(Zr$<9!A@S7Fe<PkA<4*gcHoj0s);?Wgw1lTm>{;A@{+
zl3AI9A<EsI`M`nPL;!pi=KHRwTsVC6Gddk^`rM8B(69dv0cOU16;#C0&)cVLWD0+8
zGRlg=s$Z7?&?Av+^7jKJFy4K1VKrj8p3C3yY<S<qu<kRN(k-8>X!MJhT31`KbS*Lp
zK!>hNqF#dPd{Cx;;pSo8Dpm&=qP1gJS_Lc&gJX4vKS`fv;zQpb8GLGKrEXTK3<06$
zm$I#_`2PO1C<2rLUBluW>4AOC7+$1S^Gh)4i_7u5uA*o=^(A^#(v$aJ#vLavU3&|*
zWtJWw;3S2aKnF!^o|H7chp6Fh{W}~c=!C&RU(|)llG;z^o$ZnM3tLF2j-3B=24DjL
zUXZ4=MByO<uydIsQ6u^{e)CpZ9B!>-1$}=;<vQi>f-$vd5y^r9g1ZBP7#UxL-%C<=
z_#`7q7m5leD!D<9nY0u|;wEnfqP19!wvuVVJ~273nobb?SCTOBZ+_X;C%a`S+ULFG
zHAE(-71YqU>bTYlG0!3inXEpJwq6ym%(xW^1nQk2${&oN@{Sn+?lm!Rr9s(Y8z0Mh
z$PtDu@1#+OU#j=-;s2p=ImKkUGJtV*N$4jMT)Ea=Fu)qP@`$kUu7&T10U?JiZ;XxF
z<7g^S0bB$Qsp^uKD^2oB%udH_uQ@%xI$%zhk>*j>J^W-8m6N>rxs&)uyr@s+aTL10
zm<nErK=jq+>(C=WqZWH!pV$%(I4TeL4cwmbj2qlA(kKQxHYdq#g4@L$!L5!(6Q51x
z4kkd>ZWc6xM#t=(xk}XrzimS`JKR8BOgpvk);P^4_yAzHT<>ZZr~HOVR|9-2Dn|0H
z!e-=O__uQOr}`03d|hz4tf(8<6f>Vm&>Va0KEMOMqd!DJv)fDUXX-wN>p!n*o_aB$
zlr*`egEDTIyA|e*KvH@5+4fxX^O0i1jY;QTmv0Z+4!iArc~>#(mxZj>xS1nP&vtvO
zzto?v$5nNtz(+DPDy<FcH16w=F$bam4zi>FK_{ulC^=?V=1hJ*peW!afS(eZMnZ*&
z6F%GXiN%)Sz#*k&;C521?`TO)n242Oef#c<n@Q;3b?be7WM6NgeV(ZE@sfpZPk^Wy
z@6P}{`T0BA2D1PzEeJy#8AS)w^$H;=znHbZjxYcQc{hhn39StZe`wnU8lP@*_W+!A
zT&zw^BUtl&n=b&W{eLR^&akMKW?e*-K@^4{K@es@1OWj7QSvY(QAtXUB3Ytjlps2S
zl9ikVB<CPGC`is(KyuDGr`rqN?tQ*}&OP_?gNI?(THUL=y1KgRt+#kxbqUZ~9hLRY
zprViLwEg0b94S|Ssru~b(qpPh3s4xX`piZ(h5zNdqkKa#qvytFU7`0&{QLdx!7_{n
zGpSF36n%VW8StHp05%yrI-3$t2c6BU@CXzoMu+)3)L<6hdC0tr_P@LKv7xd<YyCVR
z))v}3Xpa>o>4ar{azbT;EN_lFb*9Nj+Kdx#Ht{;T_THm8Y96G_AjL>WjEir7=+PbH
zTeAW=%;p3idT_36bX|Ki^YCfK{vG0~&xMVn=kc8lQ_kW5x~u$J$D0so3qk9;C~f97
z%(nEmD}ZPw**Rj)3u6XHHw&@{Za~sQVt0e$8$E7T^mW~ERvJ))1%IL&8P3F<2Pido
zzsr)K@wx(6;4kpTx1)E;7!NL-Q~+>2=j(H5W*tD*C+G1gt{mg~EZ5Wjhd^5*rfysf
z<3zWp7;rBJem^;*o=w+{b(%=Mn9b(Wef_lFsRwW01U-KQX{1w(v^<Ma2))Ot3e~&#
z11ywVlX|ox;s^yp(Bq8yD@b6I4)kF$nBu!#H__}d)cRofu<b_Hi{$)j+olk9;rIDL
zj<C0=;ITw0LrP@XY@F9L=J_*hWeM2MVn3Hhw$c`y>_Y|T3jJhqs$YSrv07#CRK)d@
zb{AQ&yFh+0f|d(W*8j9=tAjAv`ZZ#+(ID6G-T4yOkR}h}g$Z502+Y|^IZ%{IOKkGe
z{7)3G4BEvNaN=?_RChU7>m~}CeGHj-Ich_r1+e^pyh|2l+p4XIW*U}<%R2A@2Ct{A
zaIwS6cUWG}F_|J6lp%d<+<T3_q<FmM-!0BI%d_4ST77sh_BADYwXP$A1QccrCwcTU
z_+i&3k?zkQkWb)0eHZ(d49NT}4HJw%NKD|VwuZ^pW?VwQlSe(dX8KrpZ!^ui@qyzo
zex*hle${T@Wkr&ksaB~($@54Y<Ms^^7}JIJU2*e6fBCC)Uhp2kh~Fp(swSzL#~&{N
zVk=AS!*O!!H1GMw&!Ri<0x6g*|5Cn`4xPVM6Ky5aWA$A3ioEU*j6BG6u5GD4pzeO#
zIRD++2H%FZ_`?(FF*;YS7_z|2bD!Q)l*iM2le#^!Sz^47hjbbo9G=bu<*uco6BV>-
zKF}h1XJ<%ab}?Oj-<mF7eD33V4Yn@5)^XX`Ynm<s2SS^qR*b8VQa^ZPqj14W#@R6e
z+cc`>0y2Hod<7J(<*yRsIs5sMdA<D2P{R-8HsM0y^HfVx|KZnz#?RsckTY8aaWrI&
zG23-+->wKzczGtm`)bMg+kkRz(0E<yo#ikQ4TQ#iY)mE@IJ*GhmK)X>#CwdV%I?<-
zEScV43W~N<Xaq&TKE6EzAawr9zVbxq_d-V(@`z<_)<u3@SoH8FyDIqFG4N^+Cl}X5
zZ@Owglv&tLSfU?a$<2~rz%b-lz5E6`+Tj|G#S->$qIbW{MB7(Z%xmogy>Wd>tW`LC
zk~Ji&eLNv$c_?gtL~`dO((&!YRj2h6JCoq!X|dqITphWaBiyQ@Sa}k_lD`rsKJzOp
zA&E8v(pPyA*JFf6h^|R^)B``pjPLy%8voq5*TVbt1Z%ZHQPMXgKXmgl*JP2Ud7XVv
zz8es8s25xZYm2-748VEEuLcSzJ1ck!S&%sE98y`7b(r<%)*vg%6m8s!T@T;Sz6=+7
z`a}FLkH)S1{ztUE*06|4#qY0JYkaPV%51M`0!JfY`rDm7>pFHk;g(gRU2dIlKr3^!
z@)4~qk&Ec79N8mZ)+J1TZWz5KTynDAc(UNKFfg=iyP>^syc3~yb8UD#=@N0WegQb-
zv*(&E)ZIUUj0YvtoJ+jm6?ya;7Ocaa9QR_;semNS4>tu3OOX3e&wyh#Ab$-FBl1iY
zc9cvoLhk~HPD={M0=X!$MS=r!$DOK2&V;d;rpErLBAM2@O}}R!M&v$_OMV%Bti)}2
z`ey&F_i*3R3=I>(xV-E#<h1$Dl7ts_xZPBExQK~#`#O}rKVo1uT(%oi;+nT`f9LE>
zh0sQB`C+GU5xc;4Uzp_j_!r@z4{b*;qr)^-ULIHMjl0^?j;tP-FHP?lIM++Mp17YI
z2_gC}K6BI3)v|3ub)<xLNi*=4hy${1%&>BqW^hZv?r7bst!ckMZ$enFnzX@wadqwe
zoyXb!JUfDGCgyABPQ0o^OP7zGdfRjfkEf`q*B|;|vT^S`IY%UFAHrfYH25Ig)WuzB
z;{|^3^KTgoy5UYKcsj#tG%m5Rx!CL#l8;XYg}HK>WEJWce<k$*#df`xL)Lqvp59L{
zSdEO$b0lew-o3c)Iyl!~5oM{}2dQ)*g&_3XCMvSs!-NTNr&m|<?`!9_cM@8h)Ob6%
z-5ooNwx11)U!GVv(Udrpp+2#b$p0SUQMu;ENa*^8Y3z;$<B=Qcvg4@bQOx3Dm6X;4
z<WmdH?L@o}2elu_8J#W4_eJcF3Yv0rrYw-Y<Er07U0oNyf3~>E0-KR!uVfDx3~3{z
z4H9yqhL2x(&Eyc|$elricK6;Mb!#UfdQ5^Y<CewO_c}9_?-^-Z3-^0CPk&+Fm#XA^
z&$qaSFI|%+0dN3)>TBo^<Xi0QOOb`$(vA|Hr45R+rc9fJ#~FFA3^nuI1=d3doQ^b~
z)uWveGu{EB96CxZ1xy<GS(xniN4$Ta$Tk;pyJ#ZKZnz)0)5BBq;Aq$lk$qIrH9xs`
z{tlg!g>>vR`&cO$NkA{^FN(BTDIQ;9Bx3WCBSL<^ExtZGvRX*+rsrs>>?j9Mb?eKc
z>oLNa%_0HaE82H02yXS>om72w8*;mk?c7jr6-O{2zc+2?qsems3CUd&{6?drhwAiA
zuvqFYq!_>p$qSOkeo_>b*y07WD%~*}G{{Jxw@#VK&xxN?sHYoC5m%Jh@YQppCgx-o
zH>v<gBE7d(jS!ef4z>tTQ(Rl#HOBkzVs{}#3g^EODb-)_KpM=wFmAMH){os~Z`KP$
zjrb$oOV=V5UiJ<kFm!$(2I{0Zy-LF3!nAQs$fj+=`a=KYWdLqz2ON~bjva(;YjpF^
zMPOeH12EZngYIYTy;1kk@5m<s2E*_&<wD?2NQefnf<|StSKajJw>Q>W^>5+#DP7ls
zjXIGv;)hnpY7F~Rnyn9;Uv`9$zaV992zXrh?aSR(teLT~m%L<S-*9Oosc*lc=H{)-
znLjfhYa+)?lFz2CN!{2goj$0XzOWFf6N&~W{~T`qpDw?mK)qK_*ZS=SVw5vy65g1$
zu&ti2Wa|#_Pj;kYvSmPW1M8P00!}ZF&O7e}UeE7*nE94Ik6h#e7T4@34Q-S(69W?C
zasC`T3bRfS#m>BvwUL7r=s=k;dj7(5#AX{|hNv$^J>z=b=hXP^>z93ILgxBnBlu(=
z3fw`seLQ=94<+>6@(3i|$nsq{<Gj$0)+n@@>*SpolG<v@dFyRwM}k9O>I2`evwIk!
zG|S(V@3OV>7eu$WLv7sTcX$@1IwR4;ANpeEmVz$@A#eHYzSV5@rM(O$r}%m5^(ukX
z0v}t=t5I{eL_tI;bC$Zw)nV_Xp-ksw-IF$Ea&hXE0iLJ+TY!H@2?o9qs-&*~Lu87}
z(63+Ju!1FI`%E4p^}0hO0eMK=jSV<mpwbL-pBLkN9SX#%>|h<t(E{gU316Fluts;=
z1T)JDp~A+6SGy*PTJnB_=A|t|merRC>R`K$YKRYy%5zLFb$ovqz&mO9p7D|28<!@5
z+kBCiF><u`S4eu9V_l!x+HQ8dO#p{E{D&pfT;Qm2nrV<wlh0iM4s#*Q@hSq@a`%6h
zR3^J8v!6p^G*sTLH4NU!WZ9v>LvnN~N-%8ZHH+>JI3^i>Uu)YDT!4q~Z77#l3+~Oj
zHojA%IYaX3Mv#<OD>*B_2S?U?3Y@oDq%g=*o?3g1Jh!7yCvz93)4i^k0Wj1mJ8TOl
zTfhN&6yvyd@evU^1~H{*jq{<AWyNpB3w`Hy7&9NPd0VugstA#0``LGaK1oCyc(E9(
z#@qE*MPsQo7-wqsHn#4dr;5(N(b9H+Gr_5_KU|#_3Rex}#xivRzmsz^r<&ODq27yf
zxD?y#>pFZRIzuJ40pgE{KYOjSdRo!Khu^>{oYn<g`5sDo-&jGZ&54r9EY`*?0p9EA
za_&*#xe?dm`lhw^84Bc_I_<cpYsi?*`1kj$o0987>*lY4(pDtY38cz;BjfaXzzyc(
zk*}lxIQev#ryvY_uqT`hu(!e#KDck?(IDeXk|pH(T^+Zz?fUhXA87ACDxg$l>}v$H
zO&O1xRO~d)^omJqI1>Wj=8vOhr4~3098b8OnG)(m<;a!<{}YQ6MD=A>gKFr@HsYx~
z`u!w`;_#<DeQUC@esz;hJ-AOk@POl{9_fT9Aay(N5+LvzDli-TToT-x;;=jB!DW?5
zXd1LPI)y!Qu+hy+vyL5yPpxo+JYxzl`5zkrawuQLDVECPeCrX1lJ%*wRfrh_WGYec
zf+WZ2y7kiZOC@E(1pU2|=erw_-}l`KneWCqcn^28@X28D`tCmloI8Fv{{9^TuhZ~i
zO|$2}07%`5Y;vfg+2dIGDZ#uH)@vAPB5IeHN|Zigu#I(QPcqK((fil}>&%BvxEhQY
zxGVXT>OEKD%v7l-B<OcFClKnD%VzV<_V%DfTO#8m>x!K6VdnFW@05l_4Uv;mV)dV&
zAUDv<?vs(TBc2N6`<7QrJS<^;TqZPV8h#=J#cP-$;;J&{_;5H`&<^`PO<ovSjHzDx
zbC-?Od$T0&S1E1)z5RjP5iA#~Y=^b+MU<riskm(iKu=$G_uik7$=h$gZKPJ2<5I|`
zo$k1u5JL*EGmBogZ5SCr0ty|5?_$jg=gMl20QTD<xvN3}0O7XIXSr(J(Q2THPOjD#
zfo)iEx6gn~=LwsS&cjYl=oD+ZoX1`ogboPd?Hs>ifYrV$d`-zx>~1RD@Te2`(uUr|
zr+qlxj@?zU@pK9?96+pe$U0Ykd4KdoD&q2BO*~|)Y^#t%0Tdk5>pB_56%JKw?1`v5
zKJcfJEbBZzFQ$6oK1pO6aQ6N2#HFc;<Mx46q|-!%R^~g;<Oz^8rU=2=voyD*KV1{6
zW#rSxSb{RT0Uw86n7h0aBO#1!J^H%$z>)XL`fAMyz`ER_J=B^+;_QhQbwmtrCN7@I
zYO8LfceeHHQRq;OHftB9nD8|&Bs9Trfb0ae7j`cgk&D6br#9t6NcPAW2N*cmtzBbU
zNio^m<j23ZCF++jp6=@Oo|=|U(!KtmA)iiSR@UO4uBiI3Ho|N9P7uN7UEnP`&5~zh
zO_;isK~hzrOc`VymN*5Uep`sz0+u&lRyCtmET%n+bDli3gU}GJA#m>&nGkWS8iR+N
zM_AR_6#E$)g0Uv{%E&EzQ=2d=;jHhK;%M4Tz>=D3ef(oxoS;rBe=Fr9`McClB_9nn
zRl^JF9Q>{8nhk#*^s?IC?WF^@0)=N}h8<8{1qMXQ;nyQ#V%y4!xSm+Ner4-yb5mPB
zI!4=1B;YP)bN`&%<OttS<<y$};?Hprxw?vp<?8wRV}Cil)O*`?DuL6BHr3m6|Iix7
z&?e%-o)#S@2}@AHABeXQ{`_c0p7gEv{h+ou=J-eb3VNGaU5aQ1Nl|9Eip|ak%Q<y4
z*0_W;HZDC1njF`&?%$|o;Zve#5BzLFgZ59Z{OQWXuk24dQ?dPXWBJ2Dw55r~v8qQN
zm8ftp3@Iuhdb`06$_}s2c~1&_(CxVh?T$5u^$Ns>XeOg)AF@TPa>ghN;-O<CQbF_N
ztd)V1W(|A6LP%CVr3Adp*k8WVi%}-MzW+p|cv5}2IaSb~mAOsEC!^}3YZPNdo|>mZ
zgC3!}PE*j;wyU+{YVOR+Z@&s1U#x0JejDh40eR=P!ra%RRuayB8_3!7`{`kRvbPwC
zihNu&TXt@_Fmq^WdvTYL(n;KGW510*Uas|Vx9)`Z_Ym!U+?}^|#{<q&qa!6=ea8xR
zc69fK?`R)p1>{{`J1VT)^HeY0D-V<8AQJ({AyojXjcP1_h&RT5h|XRKym02h`do`v
zb7eA0J6f4&1)1e~v@oO$Y7u!KA_EmNSvKHg2_v7YMreV54yeLTbJtpZC`O4eF}n}z
z&_c_MJ@?+jb1tf-!&KaPNMO~6A>4So1D{-6@rw%eXQo~}Ua>zGm!OcPJ}EfZQrsy4
z=Dm2KWe3&Ix;ux*m?vX=)Q2uLGmoWVe_;V??G3NNF{=xbzJ?>Q+WvV<caCG#E2oZ@
z>tib;Fy6}}8xPG-(ASaVu;Exk-x9y96Z_?n#S+c{QM8N*>=v!I5T@oS8z*~xA@C2Y
zzJyn)jO78M!xhqPeLOcLz{nZ-7p$!?%W~R)uodB4C0K<9*=&}d{j$-!i85c-(!M@r
zBmVZe?H*gId*<UOqw?P+t?;KDSlzv^=b~P~NX}?lP(X;Bbi-SMMSM0nUg9uk3yR}Q
z=xbUcYk-n*S=*9uXk!;6Hb$rcoxYco*iY6LUm{h}hr=a{(&l?LGt&1y!Fglg&u;J0
zR2U!Wn!@iRKLIY#&ZG@;=c?4fO1t4X5~~YYMge}nX!q~9KA@)#(KqsMf7<vtNI5pC
zCEE8Xr(St$ml%({Ct8@d0!Kwk=u`JI_(vu!i9_|)^6w+SK0n%wR(Nqws$KWxuY_&x
zFSb1tZ4iV&Joo&?w;^h-*>#~4?fbAERaW4D;%}e@1)D%F1&%a~40z?xLm`Jp>`H76
zRpK4TFJ%u_7$@b*Y%0s=xWewQyd3Y#ea*vp>^|tyI^<k^GPS<n7cG$wFzFR#h<Jpv
zdX`JOX5~_DGkx-)XfVazo7uWkA05Gx)}&J^eY;);zVozV$nqqMm+vM25SvLOsbSvr
zN;$-mnZ?Tp;Ne+_bm<5QaS-m)(3+M{zNm;~P`(<(@ZliSdSENmD9L(kZ4l5@gkCix
z<-d{ut7O}hmkjBhO5+MaYDA!ar4n3yJ>_T(&Y1^~Km;VQWAMgXAq`ys^`Sv8-NJaZ
z@BEl@Tt%_f<Q0wQ(ptN2BviJbMZG|JIMPNgd&Lc>7$1qzr>UxRnZIZ70BsdPL58P8
zvbmTKQq2mu-t2zdd=DqPN`=6!d?0@d?-IZsB#5dEZ}n-%DEjtZPV=J?43Cm51@$i(
zm!LEu-j`(es#!4e9}qsP)AxGj0K&axkIMO=C#QpE;-+?mla+y{(^AXQEg+TZY;z+e
zPAQhzoH8H~1Ra^5)x4l<)QN&`Cp0Dxzx`QipT%!EiYj>5uqRVOM^;5^Ll9kAI=2!n
zp<q9extW=5lW6}ejX>^p()Tvp<lJPB(-#Ne(6t|P8vMdy`Ai=0Ytr?!p0)S1!{KqM
zDgF)Z)Kzk5l|WI4jU?e&j-<po>35o{Pyiz1McqsG=AGl5YJ!bvmXQU6%)_v3ne)A=
zSs1w(9hFUu9jS1a%oUJ?()wbK{M?y2lDHY#>d$T4m#tU()SP1YOt~SKZs$K;x~7<`
zzlczN0r`5U6jxC5d7G*5s?^EkoAk+DS=1<YL%hbP>Nc;O<wq1}(zU5A*>r;1V^aAx
z^udAy7Rz$U!A8HOpWtqYHM2FyVd<MxJabv~wvL!kbWGh&N7IV6YsE_cqLr|oLaJM^
zA|-IafSAp~a#8nD5<AWF%H3GkWuc8y*Wk;A#^J*6c)`np8bmX5YeOcE97hdBTkqkG
z*0eMA<MDo|PQ#i8)}xtnSy%#XF-?RwM7&Y(oOxKHlCV4_)lU*ldz{FOH>U9tUz5Ii
z*{&em9d*GOR3z%cb_MhvFt97@DTM%O>74hPW_<cU|E7k=cVpo`?9$ZEo!^``e2gn-
zf<j4i3B@cu8suiR$NI;j=a<&`qFs+2cjATj<Cg)e%W_`K(V`el^O^O=e$>aa<GPRa
zbqG&&Z>SdmmCy6+mm@TaF32dA^#FJ+I(N_o1T1A?`seq5U@5%s)+$TIa9D_T2)`_N
z2iLOc5bqywlfJL;{<DYWe)-iB37M5JWema}I?^J;DV3>!iHd?be|!`Im*H>M66@A`
zSoJUm_8RsYa~1Ob`-osyPU?+XG?e=PytG;Pe4;kpM+oI|a(vVur?%ZdkJ;ysqIw<a
zx3$nGOAr)PNyM2(zSAYce=|Vb<Gk_SR<W33<2y()iP2A(ByWyd@D{{2#4ZNYN`s@D
zRfXf4a1=E!(PQ&pj_Uyi<l-G<y0s}*Cu3&GJo64!<r>xUa_LIzh0<9cp(s(NIno~-
zn{6M`?!%B&Ji^aIdH1V5crn&XH*I__mJaqmyMldceYitRNVD7~v#a(Hyrs(M=~uNW
zi7oPo5{w)P^V$GJ`O1ApYbE*u0BSPeBi32S*fc_Ky8Gkd=dh+0j<_5|T1KX-OijV}
zqwgcb=;$YzKZ<I>H+NrnkYkics+ccNq|UNhRDe^p;zLJGTR>u51pryL*Y=$mK#eXu
zogUq@hs^Pg7`X9ezRAY}^%6Qk{_^E1r+flfKKW_62Hz_pfSdA%73r4Y-?1_1!1|XO
zPy<$;#~0LXTfEq;RsnYE%noF9=lPj=7&7o2a5GhSNTXj^Mq!MVZeDzRjcUJB>jCem
z;<^9|<~8YmRrdzJZ^boC5QbyCMd(!~z>j|to6!JxVh)2CVJ~3RfnfB3r*jbZn;+JB
znS=}LHN75N$ETqffKFOax{QbcM`jP^_zF;ugRwm;H<4r<Wc_IiO1~ULjROK`{b=6$
z;E+x2+kQFT@cqdjA-Y#?wKSbUA}<!D;Qss$MVDq@`P^LVz6YB)tHn@*I8JU&aQJ3H
z_df=rLG~^4oz%*+VdUE>)(dbtdJHgtI(2S+6lUBbgm*Avh@Zv_Vu}bPHD@C)f^(Ve
z>HuCW2z^C?%v(_<EUbx7mF?8%OFF6qI-oL)HOdLCqVJX!mnZPWPY|dF%(#;%HNE`i
zhoAMiCIc^?oT`F>;KaH<cDyl58=8{y3FxnX6tX{Dt)oDb7tjl0Bb(`OxHu$D_BY%j
z)t`Z1aNH2@awJQxdQT|u9?kqbbR|(bB6lT$FkfW&ybz(#?x!xR$tg30(_`|BtNKhE
z@Mq(m0tDIw!sPI187B^!R`bBl2|iq$$^|>cDpz2eU&EaAjQ#L52AcLc#RSuPK0is2
z*lDyjAOwI4KN!t|ny&oMeG?;3Neea3*;uET+DVQ5R3bcyJ)S+Py`P}Xsb8$<brvI}
zQA&r|XGJ?_j>c_}6^)eG6;_{|j7HZDDH9xLlx`inF1hTl)3$BC=EAd3JF>|0jJ9yy
z5w=b$pMJ^3>2XXTd|<otBQq&?Aw=6rtCx@<zitLNtEVO(qBXCQj<`<Ldw~;dJbf?g
zQA@x;{g2(s`j3rrfYaOEJF)X{wGPn#`}zV)MggW0!hV@RsaERmQ(A_KrY|)V8DRZ*
z>q*v&cqImwTYBpUAR$<UZtX)Ahgm&!r=en}rlMiRMI}7sy@5I!l?mV@E*N~V^=5hB
zEJQ!9X(TJk{>5~^C@cwHRVi%u6upmvuYI#{QDJfkFd-DQ<_6p(?KIB!Pb^ecohf6T
zh7S7-oJTjHfQsMG9gO<Rjkc0NNn;R(2R<qPgV$#6Zm57SY@1<sE>14CRFwb#ilJ=$
z(*3~S_J&#Cb-uYFK4iX@em+UU^Y%wLU<#G+#?(W~jmO`USkPhJwcFjreEO!&bkd8{
zj?3J3b}yP`IQoOs(O{n+wf)K3S7pY}#KUOk;HSzuARD~8Xb<?`J#HNwssaeAWGUo=
z#7S=oxq!<u@wpw~LV-h9DV;Hn`qxQHLIJnb^A&2gx`!D_T6NwC1Al$^zK`%^2XE}q
zdRqG4wK7K#C>my+R1jLlX4BYo=jDAPgal{q<HPTsw2cBm^;Fl8PM0YGRA?ysH^8~t
zwBc!5`)#HkjeoZL1IGVP$Mp^K?t(!6UKdeY12@1YEz^J`C5(mh98$#q78PJep5Jq^
z6~L6Zjs)L>84~U7ceOfC%;gL}`?hfkDdCBx;l8N(=8<&Ezt>nGraja4{C%>0%cYO-
z>8Uk5B+f-9><xR#lLu4ORe+7^?bA`DSSXW#7x5LfK+)aP@X5pZGO=lh_G>s=6#xf_
ztFCYBmYado&NHn)RtSJedKN4-euJ{^?J~IJa)Coj86#Kr8dwdgJC&Lz<~vIkM{h(!
zli_Gm>%ArEn1*&ZokwLtBNLj}^=XZ;HM{FUrL<?`tiQbG&CL*tz5aCC7>+pX8>!yW
zF10%)_GK%QT)D}EbC&XyR42d;_+may-b$F?y~ab2H1&h~_NAJ(P#YeOSB8aAs=w9|
zot}>1>R+W5=7AdxY5^$3DG>jQjz#e!mEYcqZ8<9<UDItMcT{p~2`G=1*F6@c@A36O
zCsrp}(V|DOi0PW1eAxVpTqm&8@MGF@TkDu2Y|(cmqEw=-Bep?a7s$rce{dnN<rJia
zs_`xAr+~$74~z7y9yWY{o2Ai=#S0fW$xn+vJOYJpeH{2F05eh{y^oJpgsIDTSe>6V
zPWlU&S)6#vKyJusv>DeZ?eC~~ryNYDiDN7GCD^k8<&v?)^|$6|n6%70G=RE2IS-(2
z*&W~i#%bNCcmL>BKw9gP1VSEMCdl|ML%s?YpdbM6<pft%umPwHK%Bh@QKL(u@6m_4
z10u_haGAUh!$&gcAN)azWTBXBPKB~;L%@=_{ZNNA1hxqSM_Za3Y4q}^+1>PACKf8h
zRomH1C5ESVgr@p;%UZyK>&wPVLigkn=+Q5HR)(tk$2xE{>hscLD&|OE|K>%O$^{Dl
z+_`k>#WB%78<>3)r$lREAe{UFf&jk6`Q<_`mx+G>k_AER+9rsw0;C3wrG{cGDN4X8
zfu?qG!w`^-=`C5Ai+xfD<U0^cjZ#d8Hy~&MH?TaTwMhc2TrunPl*gfdN*XAErZ9M5
z3P?o1+CX$YbM(O)KuG@vB?oHcCva@@Uv-m<x}|5sSD>k_;{!b{RNViRf`b5p6~bSG
z<09<Y#ItJV_}j3tqKEM#c|&E6dDX7A1dctJ?2$a$g3TTC<M@FRvr9z4O^9<7pi0s8
zZ|2@Kb4bPWnaB~lMOx>FDBSC#O}hCKaI<E4<$M9upq>~@Q}<h#J$K?NWV7?Ebuxfw
ztpaL02%ZHN=Q5s)De}n_?^HZpL`*?@9JkrPgTI2k?n^(R0d~CnQ;N&9?6O!|-k^l0
zGFEpxgRRYA@DHG43nue>*&)gG|J?4I;31as`J+~n;^!*?6M^*Y1?9gXab$oo4iLH6
zykZ6!F8~0Ef$)hRRi;bv00cug=R7t5pI>Z=Fh{UO1S6hk()LbKMLbXV4T{4xN&w0d
zKsj-ftz<wkBDZ^h6ONnMf3fxh9E1}fbec%hA9NZ(Xz^5q{qgXa;j3;x028wc)m$1|
zxZ8123b+HJo`gb9q{P1wX}~!eum3p++}JhV(gFHNK@6NtqMZgwpq%s~>2dO#B*@&!
z{)4-FgUR*_{-9)_L@DicN0J`!exe|%I#lDL12d>j#ex`Lg+OobO#Ua(TkgFp?on|N
zo)ilr06hB&^B5-fsX;Ad{4J-YTD+;juVLr_yT)&PHW&sFE&%xKy9{(3@Y9>z^g$It
z`;a8NpA-0?kZZbt?B*};7@KxL@m7x6Z%|^sUoelj!NPyxC4vaeu0e!m0A9qQp8JEj
z2Hz#X@o(THgzUNt$fW*n2-i8Oc&NEg*?*b?i@Jlevk?$g8Lv$nL5NN~h&;^fBc$6Y
zWn`~FRwMS?|794tABO!uLkD#z>^wo)p|4nQKu<-0_3{2=1OPpz>oEzIGl5qkF-mXh
z(=&HA{maF$6rUjdq5o8yp1E>0Net)wYaoqwi0p?^62PMF_I>FDq5nwP0|niAif2#J
zf0Gv$9KHhB;wi^dokUmd>giMz#M*9yDp9D55Kq}z@$EAp^5CJ13(fl{{eR9o)fgC%
z-}<27Ei0srp6tT1lbcs<BaPgzVcx%z;dlsP7rXwqkwhBjbrl1$`3tVy-yQ?WC;IV6
z^8dzVCe}p6LxP0>{o+ID+X-9-%)po7&v&88`u^q5Wc|&wg#Hynyi_f7D*IRvYt<Q4
z)eRgv;P!d2hJJ4>xHlQF3=n&^5ETvoLVDh_Hc~SPk7o}uQw*J#einEA#SW7()Mwo$
zIKu<Vk1bamnA?N$wGAUks~#Gs`)?HXVL^i>PO%&FCZ&H3sCGt%nE8JdPSE_{q*=>r
z=XB{Y(uxUqvFC`BX956T7tiG%cwGqVwcXK~SZ@mH=s&<)h}6|{5{hgY1i@cBWT<^<
zyei<(K4jH&Gt5v{0JHmYt}~%uuQyYZe{FkiMLAvNgJz}uidNx^t@*_Ph<oRzMiIxx
zABs`SjhQxkh-A^F?k*s>eY{<`jDO-X{+{t?oVXV!`vfQ@Oub)+zr`rD_P$viW);dv
zKA;7dh2BnJRIOanps}C)FJtdx`8O}rAUYUg^W$&=F#GHG>HxqMfdM>3PbJDSi^e?{
zPhfkb=yx0~X;~Em0Cx>RAD^HL0HfXvkLeHpx0ca>0hf~UyX3$DG9C?keyK_lFpE$Y
zx*WYI1i4=6QQk;rP@ol2x(xE!ijndD_&9b4+e^!38?6!bUw|86ai#2eyM41PB!laJ
z<7fW`o_2@mSp9jVU<V?gp3cJ~3x`8YBobH73VW>o>>e>X*)TjrlnG<mpQ}%4jDy#M
zc~scv=pl|-1vp4+D-wp4HNYFx1TzbI{@PpZHUvr*llX5y$>C%czR;R}1&V|jg>wFC
zj*b%)wuQ@u`CvReLkM&d`2zF3;Z^vK-_DUoiorT0&{DU2H<iU;&T-6~;K;v3iDbRP
z*!*!r{q&%k^+)CW!6#OeJp&A`Qd)2S1K`aJ81u4eF_wVeV0ElIK%<hbhF(u0GwlIP
zgw<BDi-HCq%0i|zs@`~=7#J8Z59O653*vyo_Gv=LQopF7p!#VpOqj9d6970*L_i#y
z_@k%!Gf558hU)BrS!L_@gY6l0f<YLl{#&&LC^u`ZtZ5r`;4`x8Bjpy7%8PLnlP0MG
zz85nYf+t1<NRUGUvb*l7?_@<Ap6&-3s`5CF>5zTm^GOe?V2EM?8&Ljb70Lb-aWqUE
zWFp%Cd@i}Y0wQ&h3N4ST#O0?*uE|wN0ZtmH7-fBKzhtSLaFEbnRO3Z%7@Yxl7C7i5
zb`dl17(NKCCI!n7e6oKJMx_H~kNrxp`nT><!qbVHBYbwconqzvty#9AT^NuC{U^E~
z7+e28n=l;W$M)ysj|N;Ubr;^<b%F$R{BHsM%jUjq8vE<y>8_J>y6a#;G>uq@F;Z+I
zqukyEhuDjey-X3ReIB-ZwFcaOh33wvrP%(Hei6C}^(2hX2V~o%T;18l28Jn18;Kya
zkL3UF`v^!Z08lLmt?7f|7zy6&f0Gpb;#uf72J;}Gvl;^b@dP{_`bZGj`PcY>M5oSM
ze-XOLLvJgm5|U+P{ud|NAg~An^4Njmja=L%qV{;b^86Z}uh3lAX{_f!k7%gAkvV>7
zv{fFYVNhU0jEHL2kkmBD@832d-F4lr>1JV3gn7x01N9i)<Thr^3}K(($>D~1!$*ex
zFSLiFxI^d2HT;i!j#qOlEyvJ>)-y8pfKi*z0k(BlR$xuc?uaF;?Bi86zl{rPA6DLY
zbD>XdfbRfj^V{V3w+#S;a#?N!U@TPtsMz+Y0Z8P9$Y{&~k8Ie^`APWqOL~y6l(P8c
zbeQ2!0EIcFII|!m$PjkgwY1CF#<?o&;)Fg0{uWET!~klu=!<gsZ&^!5IPlGSA=8Bf
zFXQih{x^Z$l>#})U%1YE@xShCkBk8{w3-3K*G4#b@fuu@P{%3!JD_o$J+W9>)=lSY
zyz47_(%ySNU!G3dggM8Z*aW@!Y#zTc(b&mkkye_BrL<P1`pRuF^`Lj-Y`st5sdzUo
zJrE;_9l&N_PC1XBePl8)@OqAx_?l66j;DM0e&!lsi*;~ul;F#e)-W#Xn6QJP&qVAq
zQ(<k9<v&MSdD~j|`0dsA_)D3YzR4e#8FyXJ1DcylNN8A1oKzgo&wMsN?d{akehCNF
z08=flQ_Q0;eKTAIq&q&hXr)io#X~wsv+`+fn-F4bC|g$Jbnn6R=-M}hbHlPXsU?PD
z*meXgtEhGlSGj6&8@2L@_iJlwJzKUH`yXSt@f-ovIwo%cFs*qiir7!dqCb~17Xf(q
zxSjmVi+Gsaea19jyDuFy-RGfd<1M^?8L`Sk$YZT)CmX7e?R|9f`)S?UP`|{JjJT%c
zX_iz2vw^cZ9s1oAd23YsE!{)>Uc$0N#kCKIbKLu$kG>c^csjarHlVPjLUQfxD?ik{
zTf6U&W^6#;&zTdA7`q`+{oBt071(rh7?=2NfV$L@-H;M&NP=F-y1l#NmeA-ycWSv%
zOin_Ph4-EjAN&PxmwvYwdw1)8ski$T-a2utGdOS*>OHE_t=;)p7F#FD5T?(M_inv%
z*(`RO=W%J=-CMUhp3zO5ugg#`B+Fw+!&n{64SX?a0gw~#bf%K5EMO*>f|TjjjD%ZB
zywG5;8D+H@n%-EZ(iMVXZfH?HH&GhV=Vrq-6g_PWQ2`pu{yEiEuGzK3`OJdcR{7X;
zM~<kl(6w>H)v7evDTt~!f8qMT(&3t6XD9{js&j3^pLamO6CL!wXQ(=dbQDoXUV?g$
z<+h7`1Gj2dt)z`&;%tTAtL=TK+TihuThsA#D3u*v%Mx$q3UrUKXz~x=PH;K6#|Zrj
z^#c><tNVTT)e6_6rL8^hn>Eh5&5~Vi{%r9#w2TFxU56XoO##L@4qT2^ZYQb9(_>Qe
zid%bxT+5lKPG5H@)BoAZJxHRsv31<@YW<-O*__)I#B9v?qC%IqG%^LisL<a0XCv)R
zVQleQPO)~0O-4+rzFt_^Fhsl3E7Uzi^PW0Abh+@K%W>T}YFOyaTWlzO7FznDr^k{b
z;KVTN<LmF%&WzN_zH}DSeeisQVnYP+aINv3I+v!z#0zU4FfvbO&%rP_Rgsl=P?y)b
zv|`$RJo<U3)`|NnY(WTDCPcnQnMqooRF)tC`3ei0@&X)&hoRK!%|O<GahXW^GwMKc
zI`z40STZDAaH=jcf~uzAa?f+~$2O{K{$&s1Q@roQhMzqhOqD+!|1+527DJ!YTVRvd
zP>5zj9$nC#j?RB}r#y0wbH0ZBnPG{y`^Tvw7y>i^+q{87ERrz0wLsn1Y5#LQ9QL@3
zbG-K<kb&X9WWW&{r^<=V6B3vF{6DK5r;0SoyXbb8K6mDw-}3hg6}omC4g`fT=ATpe
zM^KEJ;~lJ+P9^IJ6OIb9*)aUy-JRnM9}nt{Hvm%}&<IWWnHp?c*OGLHd&3DtuyVW}
zY6P?tzCHW16v7FBvXNf9PY>kEB%UI%7z^u?y_A@U!l{hiQ+_ofde?OshMCi9n`-=b
zga6(5nEjsJ+y61U{~8{O7iX|_icohq$wP==rKH@TKarM^VNRKS%lQ*4F0%-ElWB7c
zjiBztPpitF<5WB2B~1h^lSA-)9qibXW=l|MDId4$dR=4A;W@MxyEJZ9Nt+wcBqw}$
zb~xdUIPp_oPiM>w2Zm|EMYC~7VXG;_Y@f+1CNCt+p}_LEn5FpNjny7^(3%i0E)eSU
zbEhNJvTB9=v+_`g8=&Kly2Nu}*BIJu5Sv#7G$qP+(Mw?F<#MUXf31EY&`oD_4kb2B
zfeZmxx=vMcb(WLQ=5gz*)3?aSgTubGz_t+nepqfCF~t{e6aQPrJX_$XPr0Zrx9nx>
zQ5(t(0oygZQOYWZ-bhFTfbQ90<DfI~ao{khAD^3ylEbcyKF7nH{XWwT-ux^4Lif>}
zRjUG6Y=$8@NDdXZ#Is0E30(ddkyaVR#i~Y;)4uS*R$szqs^PFbI}t25Ic#ZMbQa&g
z1^;wn(G|DhC`2^qbF^)$VO*0@DwpICXbTkwx`M3}7s94b@BbNm-C*pc#;qw4Z)MF1
zb@dE3(#?Mb8wdW55p*^Efch@b2Q7|MTx%C~^f~QL_1`KS(jbCtw07cHZk|v#O1zaK
zUy<_c;9)BFmuOp3*%!G7`<&~`ocnvUs*n1+DtSt2U;K31XeA8IC?$;O(<*LHcUjpA
z^1E?cTAG%7C%v>q<3)p4i{bLHNv*{TFMH<#f7hd#%9>kAgaVJsHkS*vOqLJkm!^Z*
zU5%&IZm(GO71E>%;)d6Wo52tq4sIpFnlw&RW6YmY9^O^=_5PZT50n&GW@DG9NMH=y
zKe8^-mNq=7yM$pc-WC7iH+8-$Q8fJ08|8|5PTe{dTQ5=bSbvnt0kNJW7=%x`SZ>*z
zl>A_{V!+!~3CRw+aFuw!SbIBAY!}iobG%NtQL`k>VedU;blsks`!UJNoxU;ydHE#F
z`*R^$rUZg^ozyQDL#A11D~n-rJaU?ao6OcL$CMkJb0cAb_Rje#c#8#Srn-Z5U)sxc
zE;fBLUOhs*C-dw}%)ac}R=%?7)Mn+^S?o)BoQjfbGU1K9!6V08PY>R!538n2+}{l}
zJKk<{ji~mEVSQ$G()xCV^!Vqhf|f}B*1%f1={E+0CVN717O$u44J{)k3!~;U?$Ui#
z1H~dee5%$dmGeb})Pg#-fS{M6ByvJJOIsry$EzimA&ZC5$xPZLQ&cnbba7BzKZ8BS
z(ZZuEj>rUpl4<X0m^P%ZfUfOel)W4~T@fQ7?>#g;ej|43TRfxZX!dIEIq`b|OV?nH
zOTmUGs~S0RcE@{_5nt4o?+gm<d>e0DGN%mEJ(=#`s5!RVvRFv6xQYJBKfGHq9=Tp3
z=-b_~94wzwJv{tuA)Ce7ij~qYBc;nM+fF=x@L96y#$rq~d)4&&$8Dr;vebG`#1agM
z;HxrGf_-ZGfx=C8Jd1#i*=tDH<*8QGwgcz(y5rPs6YHL-ET+Q)%EC*<g+DEaA_vWf
z96=^<k^z`xR6JNh6X|j!*p4tbY$LSJKRy|}9d`943oW(uUMa-jR<&eH?fVFI7V}5>
zmt=Ulo$U@a#f!2<WD0V=>8@SIpE*}$MKOniOnVzMaCr1IDEBcUu+MBX5Eyn}R)(Fq
zYFw6?4N7MSUJgkZE6*=hY@aka=sPWEBrNCr9Ml-HWGXBxab>hEX;T`=R<W}cjOKIf
z1*yS?YH6`kK|f?BmPuivTHe%DK!s2!fvL!D6_}7fl>JdNmxTMiw8_m-R;@3ETUqTW
zRasdw<D&1F+TvqY90#e?(!8b;Z!eqqFYoc6tIDes7G|Wdy`VNFH&eB(hRkOpW;H8c
zsx`ED{ADbY8a6aKV63PxKR>BPfZ5)b<tH12)m;jmdR}Th+iIUFZS&0aYz{qSXS{la
zgRX#dnjH4Y%V#AyqFws=x9$t#rh;|$t|(2${O$)11p=8UrQAjqqbYR>{tS5V8)Xs}
z3{NEJSX4AJzpy!YVTrp!%dK5giZx5mP92#qQc4Y5x>-1tmN}H?w@neHBpUJTIDUrz
z)qSAE3Q)kPuFDMAfXoJ1Gx?_`BX?!-9@MNm^-do;@Qs)Ab=msHHh81Sdio&O%<<0+
zO7tC#0mE|%I*pT?-^R&gRo@4o3iNlz##IIPQa3K@2)kuJ4v{~I{KVZew|z0TbiHpW
zSpFbA);pt-3$uhB>+r)6*0fbzIUL`0AvV2pVDP!VYc#TXRr(bY30DPsEd^y{7t|Xy
zoLSCP{p-`+^2JTbgI{axE(g&MD3-46Xlir2JukJhTX0uhu2MY~#6*?Y-G}8DqGhsZ
zS*{e_L#UPPuG770R1RW`Kf*!t8Wcxc^|feeN({9oMwwHV&$xMb?XL(QPL}y54V8Eo
z;A42c_b;a|-;4nUdPY`rl)%XkbJrkcZgJ$RS73jR-M<ls0#c3e1}oJ&ZARY2o^r`<
zSf-H5uJme`HFf`D>&>wKhYV-I#z6pf0Jclu;wSgO-p9;XVHYBgtrNO;4etJYDjA0O
zB>4)JY{-_30|YObS?<&XRtoYha_%vN(FfP2K)VDECn@5ujn-Y_>k=m)pOp`<-C@4!
zt=#Y4zO2TS`S?C|m0s==%&~67Fp_ZA`_N&56P|p~HFeRw6%I+z<he<~!>=7AhFRtN
zo?-OD!e1OtK1^8EjWt)am>9U`6y7qJDv64p>Pw<^(#tWGMJPCc-T1Q11%^{eI5qMR
zpA=Ei=cvPe7<p5cuf|}$DIpfuOOWvSi0(#BiLFa+o~PaY{R<KP72hp;{RSQ;sNwYr
z9PGrask~=^SVNL^`s<>^E7V<z9h4y`^v5liK}~kLf&cz>p6N;H+hu+$4RcCc3zDTY
zW+m9cQ_oVOHhAsUwCO*d@|hW2ct!Ubym81qr~-xwDjGL^i140hRz2;A!MRz^#vrK8
z&n$?QvB8~|=0(G|979s9$}+&fWuwFcz43pIRq4U;Ry9rn+LFAm+TaGZj_vx~X>)oU
zps80bVAhX$<IvEzX<*jV@G)%hs?v;aM8H6A;=^HEZA6#pKqEL+W5wrzO(S64au2d2
zE`#~M+=U_n4?*2LQ{vtGw5yz?4L%=Dn+lz=tVj^>X`Xm*+%q`tQm@$JDO-8mII5-e
z??H_|1=ll2Q{RU!d;tT!seYhWx8F0uYk!<Y``6t2WOoVwC=+^sIZNPF8Oc*-5y?~M
zJMr}Zx#CeqyDs$g;H!T*VY|ZhECq)JA9}(SVJnSjhRFUx#}@CaLyflll8!?Z)CO5F
zYRl0hw;icrTnE}w=T|#tpg*!#&XW5)tY=TmI;;V|9+K&M$m@C^GU{YshOw8`F68mt
z9eq+sSxjTVVENU}m3`Mf;Ma|#&Y!GQkifvx#RVe<y8o9*5CS8SW}}|zpZ~;iYXrmA
zsJHk_E>L#ZR%v4wbenTJ<1h4I3Ow^m6J18Yt;Bze&ezYk4Cbp`zl0N`-a)eDp9rR;
z#WDWbuXe)0a^Xp7$N`PGVSt&7Cry?B%?%6z2lOEnu;6Ow(*RhH1BUPRe{}`MjzV0t
zXr_cd1%WvW>O#x^k})yRvc%N19yB8~Kn$XbKN0_G=R5-{q(h{^S_^!9@)f+p8Ck3(
z$-mzg`~@ySPzMUk{5rh<_0@S+@ZVJ&%NKu*%jp+S<iI0-Kklz9{~sTW^1}k_ulZaM
zG(hs;#pH{5fsqY;VusGQ%t>$KpwU<bEv(i?p7}K)OW-}1xWt^nbtnXw7=#MJ>GAdz
z3JtEqT=#keB-rgbc%1YzE7o6q?F3_+$ZMhC1BTN9$bC5;FEp^Ap$70NAO?LN{0Zv@
zV%=-4%l_*gD`K#V$mBJsKwY>19(_T@)bsaUr?>t(YZ~)V;{STouYV%sL`F|~P={vC
Tf@a)U;73YaMl2Kk<n{jnkV%|T

literal 0
HcmV?d00001

diff --git a/website/static/img/block-controller.png b/website/static/img/block-controller.png
new file mode 100644
index 0000000000000000000000000000000000000000..72cccdda358cc6f897f7581c8e193e513a0db83a
GIT binary patch
literal 40858
zcmZs?3pmqn_&+YG=!ASwL^?<*wG$(Un3?0|yx9uPY_rWaHrs4cDW#HhPR`MR6gnWs
zN<|5&oR1Za94n_H`90I;`~80Y*Y&?H7u);&yr1{;+|PY@-LLz0$_;0~YPr^OIXSsi
zjt*!KIXQW$oZO;H#iig%rpwAv@MjU<!yYA<TfhFRoZRX&VRk-Y>~I<*m@20axBdG`
z9|j5H^27AuXnh#WE|^LQ<8e9QBe>4y1~O<2YT(~{FbE881c4ht;a(6keYg$6RQ3zD
z3js4F{T)xHQ#t=mWV{OkCfG(`a00m^KKO|90>7XTa2bvQpTG?h#NUtMCW!6eicLsJ
zFqJ?JaAt(*!!X8h<Sw`gxV+8T!3*o653>cIgBdI;_+w9{u(+~E0(oT7E(RA2he39k
z?t;q3+XnHtY%mG~g_!Ju>@tQS%yvP|%)p)h+ZzT3-Gx|KpeLC|<}v>BKH0W~R34uJ
zWUwHS|D9QOhZ;tv|Gg|kJL8>=Y$-m0CN>bBkx!_bH|DPp!o(rezheTaLIwpa1*Q+T
z1L6*3km)=!8%)FaSE6oq<N#6-Cj=3Sr3cv|nK(Z0U&(XGU=IuLcLPE-g8rQZi4P|Q
z8uLxSn=lZlPpA;?i05EMCa&RjFsdt292m|r4iwswP+<g?jh(3*lgER3**T+}kvKD^
z8G=W2b0Im|a2?<<*FdfbD~#{yYGxwFAe`t_ZW!Ohg=i-UHi3oP8@t#!1d;4$HsC!W
z_GCQNm0`*X_Q1OHscf7+4CRe?hf#23PrL&eycbP&^JIEqYy$)$J7aGyI4hKw2?P=B
z7-(zf3US7n!aUeWW1hP`(cPKEAlumc@H`;KflP65Sb&&eEQ0tzoPx0?WIoj08$xz-
zLQ}o$D4t$KdmM)A9coGz1qZU6?GOSlX9Ao|_cTShP`uexS2%bN2S)=hb>oG*(7`uH
zq7W?Hg)VVrGEImyyHE!zlwrd65ZT+<x&)(WL@opF!N!uQ3<%#;$QRp-T<w5bq2Ndp
zPaiBXoP#2TI=j#y2scMM+#Vs~(cJM|ysbNu6$F$S<;XxmL-AxB3_^EsfH^p$?KuQ@
zGh=Ya%>fhcX-j3&Ss{29A^?TLalN4d_I#8*)Y;q970q>FhSGUBDoTVV+Ay)WAc_Pc
zB7z5*XnP?eNQ9&zf`O<xd`EYQh=O8zVm(<l0zSdjUE~qQb#pYPd!eBLjz~1dkrqm#
zl3Ya?aj27+YfNDUh1oESDI@_p#0%l-X5+{KXNF>gz`}_L2co+dLLlVB=>axwL9%o6
z^fKn!*oYmx?cqMAL<c)8#1veGVZHGJuC1N3i(_cG2wXro5fOYo(G)7eIgz}{OlNO4
z7DFU4?J<0qClqDlfkcUzR3;IP!v=&>LxluKoR2+?fdG&4MRbCVo0$`lg(RXO(BL2w
znK28)935;VJ_1v`gy+B%1i@Kc4%$mVV3L4az#_56whR-7qkv6^+ejEfTY`@r$%7Qm
z2{l9c*o%OTL0k}gQxVe<;Z3!}_=JgYG!HPVH=Aw;UI`@xaS-4;ijH=3LNHMnfoF&_
zluia$oT+@*09rU0%cV*XVGj1t5EjLqY7aGqF_~nvE06B%>K)2=#E{{(4p3X3Et-qA
zbMXof4RIuRdjz>b+`WuNXt)a*0in3lot$ZWQ=B{94uhmqv50U22F(v=;2nv0dN@HK
z40Ge)5Z*rCOa>kTbAl5H5<V|DBml~>^I&tm31AUECMX`$gJEZ9Os573@IrzI-@%N_
z3bIAAp)O)mt`OlZa+Q#gfiCvI4FE5R!kSQpbQ;Q4#Gs+k628ET=tE+A6Gf&zXsS&h
zQ0qY8m4G)uIilHUW*91zf{-|YD}1a;c!<Cw9P7!ZOXw^gGooE^fVY?h6B6k7U^?&!
z#tbilSY#Ut2BX3qy~R!_TN2ieOA(5kY{ErUJX8`+wGDN2A&P9#3}=SBH`&bw0S^eF
z!>B|vffL3Q?MQIPNg&~ba01tc;$~)obw`uPln@#uh{&Qjc?Zzh-pnu-go*cdvJsd_
z%uuXAI^Bm%18)qnA&D?h7Rg2kfisvAc9@+|g!8e3;28ldF$)W0hVc=BVeZhNAWk6D
z41*;yLuuY#*bpSfgDl%EA%K7)JK3>aS!g$iH<-`{Y0LE>8@q(Cj9KCU3fYWg!m%ZJ
zI74wlA5Rk73yxs&eb_uZ8y5x!%5bM*DNbQfFDIZr7-xrYCqAAfcEBRcJd7D)FA5If
z66EY`?-PiS*^;NRBb3R61khMcT*p8&v5%w7!J*(z91O&P#&8P?q4ETDX8{-E#dZ+!
zf_$J}L=Pmx8!is!xPZul@{+i?dKt5Y?lg3OnLU+m53%utKm_hkw#1FkBQRKS7tatD
z4kF^a6U?x-jF7NkCnTC-?_(qLaE^9FelVTt;eigq1wdK0czdp`rwf_Gb#|2463HZl
zJx)Y6A&dAVQILlKL#2peEC;+mAcjNS0@(~VJR`)3MKU#ZF$?r$(*#VKOc6ccC{Lo;
z#vaViVmp%fc5FHVh4V((hO=>EhP@L3ZHvH&nJDj2rkAm)kmKg$?nDaX<J`al1T(g~
zJp~1aGr<>6suKo<hdPlcSZ{kQoeV`dlf#it5K}b82g~OANL*a-c(@x3=kCFPi#_bn
z?i@!S1ePEQ#*=BTFcWGp&%uigV>k#L$uJ678QzH#$YXg)I2b$#lqi@dgUk+a63Jfd
zMsNzYftrQcnE`}i!)M7{GRBnd;e{hOdwM!MyBYfgn1(vjAP`S?K9*?42*%onQcwb%
zqX0yI6c_5{DiXSgL-FB3c$^bc5^9R&K+N2kviD#qA;B)ja0ye)k+^u0g1wL-5K}}L
zmE(W~cWI#@H1WbvUf#y;NEd7%kxIh{8;in8JWfc6gd`4kGR4!-CP+lMsVT`e06anF
zNZdlv2sblRu7?MeY!U(^JB!WGVmk+j%pZau40y_f7cRlu;sT6=LW96V?gX|e9Ko`e
zxZ?ut83GK<IFw?8^A2}6A;ZGMgmxxE<8V=c7!raE<`YEWp(3IW0c8snp$QUGw!KdX
z!O4W+<}4z6dj-HrXfGJvH3ZB`@G*1oLAZvQ;+%+hJU7tRflG7?cfy;wi!tG5o;VY-
zLm-X}Bp>Dm7Yle8p|NwQ8;wW}ATWa%&S0fbnvW;Wi6VdpW5_<n0=j^Y<hXfZ;9fx}
z4-5l}q@ipvwq6brEX|e0u@yQ6oB2TT9>JIZcVlN!cpw4e6etjdh9ccDUOYx15lgfS
z;=>(7cr-o>4bBkbOcVgviKK=D-y6U;4Mf{}2sojE6mAg11DG0yEi(fenj+$wg*k<Z
zg%mS9jbJK(lc6Y6GoKI%g+g+L5rc#%u04!s%!8P5LL|mq6B`gM5oQ4r6vRbnPe(fh
z1u=t&Zge)n6z&xcR1Fmf^I;I+fnwkSQ2{RQW=trbX2ZdQZ)RRLR3S3V2TJ9*htpj7
zrU)mV1KS7dN`!F;Y!XWt2)7AwLx-ceWZ-^L2phWqG@NQrF#$mw#WWMqWPlQ5iVQG8
zxRHGv&}3RDU3Lo@0C5wMWIh1{p}BDEkfs!B7|Ih9PP6e2qcZJ0=%xq)EfCzNiJZW$
zF%C?bHerx%cD6xO5tiZN;|%VwNIqf{2bvd#;KB(-hkB3#(V<9&h$K^FDlQ;6gg^-}
z6T5MY;XD#l1QVdbC1zq$5E8-1hav?`P6&@+O7jT|fg>3}?J!J{#K+haWd}Bcam56)
z!|nMl6gO`NK7}WuJD~+WbaH4g#mt@N%mnxvg=DhB0~qLVhBE>NgoUAT!vZKoJ2#<_
ziZw?12pxR{!L9;h3e5~H2zLzQ0fd18J_qF_g9r9JQ&%K|fRx!Yl*f@pIRI@@vIrgI
z!D2f>AY^B-e+(b&3;Y4;gmHiq#giOPHFf5(;T)SlE*CDc_Xds`<L2cp@d)7XLc-W?
zXm_D7)Wls(b>}g8#_(_m66wtFmI;JFq!3Jk5P>{`OqYDvFanQ;qlJ1nd*EHXC>$q<
zCm2M-!%ad6P&XJC<1JH3V;?$j85k2+d^k~P3zf(YfgeH+;keomLZM+k5}*a)va|uk
z5X-U;yHJ8`8aE&CnSpomK(hma90I(!KE}Z5fg5~pq(I;tjDng{LrobTo-AWCiXFj0
z9Ey}Z#l(3)Tw(UW8)IB-0uW**jw2L`jKguRo@gGH<Ks$2nz_=vT!6%QG`6R)%!9a5
z&8SQv#l|a$EE0-*Jn<3)B!md%^XxHU&JuU9S5#;qnIA}Vw+9KIvCI)LTp>tiSOA=7
z%5fG`C=#p}UnUZX>{gfzMi7O8#Bf(*Sct@g4nspcKt6~Hz}pDi@L*pkv<zXBDG)Zr
z(+Awagm73sEH_|+;aHmNjOiZE0mdM>qa-X26Xqh4WiPTH0I)Itlld&9LE!tpi6`8y
zs4m$;PEJqG5pClY?l+vGG@<_T@_gResv}D&ZVy#dPc46U>P(iZ`lemWLgF%xE+55U
z^wzFvP<()Xv8vHQWtqWah5fxIP|WuiZ0pPu2SPCR88$~RpqGfgj15H37mwtnPVOk3
zZHmbAf8u8qxq4Z6Uddqd?HTXGvs3r>X}>b4o+*6tYlXbZ5jh1txkZZBa`Gxci=tMY
zf%resWp~T}K`8yb`1gL>fn%!_$o0qn9l3BZN<+;$p(tD~NcX?9ILVRg1^=I6D^;u$
z=m%6Fi~c)Ik)QkD`4t0?$W>Y_K6XUuzYDTX;IEP`?0?p%w^%_%x^At4%l}+hxL29X
z`p+0S`E`0nAa9@Q9gzRuje+4R(*2A7cOEeOmE59e@zSM>)c$AlvMG;1`nCQ$we?a(
zy;?X#G2#FAQ-eCt{)hn+|LAiPY3}sVdwyaS>+$SR^Sz7L;PjeT=QrQv_tzUY-R?iD
zV{T&Fe|kr*;-Gl=esy1!Hur9EZlacO`Q}>f>(#~oS&W~;nV-JJJgVKdUH%pOPpsB4
zwAT?_a!EwI&PmNe8U7qn|DZU2qJa<lzYSTZDrN<Zb`<69^egk3YNMw)d}wmEJoxk5
z$JwaG%kbzjv%{mE#V~sPdSYSlwYA*RNL-#@dEW_b&bget3R3r>*^%_r`Cn=C=l5~T
zjeizdDGn4%*6zEb#4r7$x*4P3H@RA8&q?vxf#!QjS-wp(cy`&h1j6PQ)BjoaDz$Il
zgL33jp%jc>MyYV5eOFoF*Y`K0^7qdF9$!3GvM+6J9!Oznzt#5_YBs)>k_naGlnr|i
z9aPz))^bIs=Ev{xw*=j7lBwZ!$vMgzRZCaBVR)U>ehl`y8*ccYbI8J^CqhK!&4cF)
z%ZEu%mh(HDIq0(GV-Rv~|Jt!aqZb9g+Y4AbHbrzk4m}T*4yF{@20lt@${`^2HFU^+
zBZi+N7W8{z%BT}cUTV@pH<RyDa%E@uZQtv@*o4xNS;cYjxOB-;|L0!A&!bx(XOz1;
zD2`*4cvk-ry0?5&Ky9R@baMIl4GXEzKF2cH>-gt?tP@(C&iwd~WQ^6my{`GJM)Avo
zaPeov<<|~W%5AD;RopfGj}4^z$#Zo14--B#YF=LSa`JJhZpe6f^Z3VO$~EkwE)6e6
zK<#7?CYgoTsOt{UIAM}_SwH(=zv8$g&#?a3{~7HO>!U!ql`3x-{@)%KDK<LGk^Od?
z$p*^HODEHa_c;Oc6PG^^w>>-tE9&Gq5A3kDv_~=r8nZpW&3$}!>{yt$L2?M{+-5wX
zHeT0~bPJcF)t6r2?^&X45jNIs=@3C3h6>Pa)!%IX8ruVm967Z>^_i|>-<cy-%LlJ#
z-}5q!*D^Ld*|zT?4NJ8>(On*~>}aX;)m=7baWD5h3UXJOE@C#_IiP9M^=%_Afu&8U
zI&+@*kmhZY0-4NS<z8t~W2HW`{;wRPcB%re!9e6MkvH3XfcNxHD_*&1<X&@b);5zB
z0TW~DJMbslUR?KoawsaM<B}&?$DsD=PNIkEIPJr!U*r7*lW;{fDJ`ZDGW)skSbZDh
zz^;XJ{3lwjvP^HWBT}znxjZIe_x{KEzT+i3_7!ouUMSMl-{(S**S8iZj(>U{Q^cz7
z{s`6?(?-`_PI?w+vhlAMAj^D-rpgiPE``puA*GvEu}-N;t#tWV7PXSlNXgX|J=9L_
z0{R^g@x6({sm^NYa>qsgJ+K?rKxp!TiASu@E44y9x9%PGCitp{nYkn+t>w?*$_KP!
zN2?M#?hn9ewTc1FlaNimz0V7}fGQJE#M&oUclnY|v0FkeZ<|%5ZvWx!*dy~^eHVf2
zOzS<-r1EOzBIMAi6ZeA>94=LNhL_bXRnt0~LEc?;jKlpC^6SghH=eGR>WP<MM&Az`
z?KFGUoxx_lI=yRCWPggt@S1PN@SBy^E2I7{^%0Oie>?ELMg|9BG9GoVUHPv?J~|0R
zX!nt!A+PfDl3ZnS&c8aXcNEh9U#mUx|KmNua-+>!{-eBd3NV>SqHLZjC|ZB?l;0YA
zn#Q;<k{{_REjpuPj+fS_X!pSmj}){RULzd***5v0_?$AdW+5n8w<{!Wsy+PUV%m)^
z<#wRyOg#v-=8~4v?R^L*YnIcCQ)&h^6JI~rd2VTz=+(0HG2#UiaY(ZM5d8}%{)f>O
zBS4#V6()+V-GCr})tCzgx0I|qC)FgxPi47h2DUw*2K-3OVUP;BJrz-xH)GBynk*Y^
zxNiIH@Wqzjt(5pxe+~~^kHK3=V>TRmT$^aT<CSN34q<okrxV(JgE@J*;kB%L$nEjP
zdp6eYr}MvzyXyY_D7Wm8W?Ilj)2BB5wrLSu&*NsFJ8kvd738<CY3K=rM;D(Sc^Ru2
ztAr$ikdU9#KmK;_21QOpjBA&A<E4k9pJzIhCZg4F=Ta>rY6jkAE}jLhS1Y<;pno5y
zm`b&G8y6QyF8(96Qe&UCb@5!VrgJv(hL2nF{Qa9A+*-lski4sp$g4OUKl0tr#5O_u
z`@M}@g*aZ<OV5rZ%Lt*~d+&qVyNe~obz;7>_WWp9>9SIh)>!eMp0m*SHPRWC{GfLk
z!pTG-tv-1jiR)3>Dayc7k1!M#;xx?p>GYu}$lGC+fVB!2^cz6FzG8G6`Oy5_bdg#E
z=21>~Ge7J;y}S~{s!t;a7^Zb);_*#Gb_oU%Y<KMi8-1bn%4ORMUH&d_#lU0MImg9t
zOX&{$UB%DsUC+DR5npvMkp}I-`xp5vT0js)gCo@zLz|-`RUA%&(Z3RnS%Cu$*VkxJ
zI57nYyx!{g>E+b>l-h`i0oCx=ggif;=)#@8B@=MyC|JGjc=U-A%zr_^BA}g`@(NC<
z^rp)Fy>BBQ+zwiM`cIo==w5mBFRR(%54nDp1kI$xOQ*MX#QN^8EZd@K*(EdWbE@(c
zTpv~Gx^<A+Bi0X<5Y7q6j?tYhW9IK@#mcQq7ZzG)@bvRrDg4$F#lF+PVt;-5krH%~
zdrfP>ujsid930aWMAY^Qrw{g>w@1%UjP>mO`5f%=hU-(`@HmL;p_K;>+WYqX369Gv
zpGy4w)%Ea&tNw?Geuw7-;^{8Ym)`ijxJ*X7%uE~B$ZNA7oj>?#h5xyGh3!s-Z8Yt+
z&}yAykXJi(!AiB)NQ3n*y}Vw%Rq;^|wf>uRg27?xPu!!|MLVP9o{Uw@_I--kaHV>~
z;r;k~q^2{pEH!Yr*13uU7=FZ9dC_oD&mmre&9Ws&EnV%OSFR6Dz5S`G8K!cwy-SVk
zcjn#v%iV`mgBvG0dj1sp#+dXR96umx<aCuR(aprA?0F5K(Ec;H4=ZHWxKY7sW?-`z
zI3RS-+CdsW@yhf_Q4fdk<LP4MmBLdp=)ivlQ6=MYf9yYFjJa~eI{7Cip?_AsVIqFU
z-tvniYrtwa|9RlkBa5C%UCc)wc~+R8oRn$(8oh6w{I^Sz+AP04UCeuHIeqf9$g+`d
zB^+-3=(=Nd5Av?!IR4CPHY(i_cyz41w)?#?bjL|=u(#4=QMWk5{N~{O{?v#X#_bf1
zzJRgT`;^Vzd|4QYLaF@(VfyGqaf#Z*MOUkJ6W-IMk3Sw=(KnD8k1H6fU|mp=X0Kim
zXOmtGrmp)k)I4hbu9?yVyu`LlOx$wLHVN=c_Vs4{>&-r&+&q|lmM_!5ONmdrL_J1V
z_w!C!fPF7oCI}fgAxa8<;AprXD2L*>*NI~oy>qLh9v%NxA{aW_a+F&>d8HGm=Y#O?
z0bjdHMc>*wi}}ZJL-Z1*bK6-~{`m)NsLSfJ;$p)1=`ut9Qu|A5M^JlyN0Uh{4HY_~
z6>(v$YR{>{=E795^qQV74|u!`;xb^_+vzC+{Jkc(zu11gJi$+V^Ncof*DDeTM!Vk$
z%u9zKIDatvRYA5(Kt^s0l9T_c8gv;l_Woup0Iu5yvQAShC*}<wHx1=vM83YD{~+My
z>5t<Dtd<(!mZ>unUmwuwwASqj3;I|LIoi=kz$SEz3=TPYJ~<INu&K4}A^lCV86P$B
zuH{;sZiO1#Xe8)P+p}ZK-Xw7=)&*)jmL{?SfzIUKTwa5c;SmtF=xLGodeh!BdYMfc
z`+_%u6QtALM{KSw4%_IaCx35^wB)B-dAs4`Nv?WN;nn@+oh1R?igfMb)1o?9#tLoo
zumP2mV)Z`5N8Vo5;#zEJA=0<Q*gn}(SbTTCe7nfEHaqluwT>vcGwcJF2wi0^JF$Px
zKK)+3VK=hpAV1&FUNe^Vsp1G^cPAASQ{$5EUAg~w5iSU$C_@=tkc9lp`EF|JA4`sQ
zEAm@90AT47)-8_OQJXpZ`hCHV_s+W=dnzKo<Q<;NN#@mT=Yg0<du<Uc3&(B_^0!kZ
zclL|A1V0M$B8?QwJ2|BziSJz(l=#-i+a8LKPFQP1{{r#g805lZH&yj-w~|jh_!(Zy
z9xGB3Ln|%nDWeqE^2{&h?`9hFiiH~vetUKxwBJ|M^@Z=`OKsiwXjgEu0>Bap)&)AK
zc#9tn?_OSCwm#%3ed?scosI>Kc2vEs3-UDJV~aQCQ)-)L*`KR7NCvJu`8XLtr8$JW
z)n#7++FNB&GbQi2x%PRx4xDxd1Vv}C*1`jUjY*u2i!XLK19fY^c|E(du|h}KYV+q?
z%wC0kE(U^p+aQlE*~{crwyjwd5#zQh_V=jh$&TG+-%ugSAO0zD+)y#SB3k^uFI!pO
zXv?`JWZlb=FIVyJKg>i^srTQm18GJ6^Q4r^FEyl`QmeKDS~`Y3r%ZBFH2n`kRr(~q
zrN}2rh39ae55zQV+2*kf$W%ez$~=0sWGMH?#0S@9UEWa@b5k7#?SciFqVIdIQy@9(
zvB}---GvnbFju`t-O6uc^MA%py}bO;HfShs#ZKU59=Pf;W8BoMO3rtT9hxq^5++aX
zUNekX9wh}?FEWPpkl6%D0cSd7Gx>J!{K4S;hm5s>w6!)?#DIfU!RZCZG;k00YV*Fo
z)GP{&X;{@>yZ_0dIms9_R!y$^vYQGB)Bt5!xF=)tf~(G~<AG%F&AE-XNB56St{+w*
zDI3?zG(-iLPBf36sUW|k)L&MLk_X`Jws`_DoJ-y%a^A?t4RuC{9oF}jnMXJOo2vX)
z+){3vHI}#~y13`3+j9A0ko~%f67FChUG)_b^Go;pT)7Nf;l7HWFL&2~ym4*twnwkG
zCN&0HfH|ULD`hU0x%FJ%>g!FTnpLLJ;=1QAlvG~r0%>&##gm;e_q%`ZZmmtGygmmr
zkPiaTV!t60(JEi!nr3CZ8x|1L5LSJy88}m(nnOU0+k(`2{;Y|L1Hff|T^&?#3h#eB
zHDa_lBWd5k-`}fY0WVITwoXHGQ<D$PeC54&G<ZGP;y=bVHIJ5LX6VV>@(aZq1-9EN
zE$(kzk@u?GuMA}3Bg?Z}oYmTfuJnzHtY~ee2F#4#_bJs&%~FjyO~H}5sHee#QBQgS
z%-wt^-aPO8*vO%(k*#eG+ID7|<ka%>jUno*_Pw*UC7rQuc`Jx%<ky=S`1~4+058hQ
zv%DnB!`w9F86zrA_$yoe+!;#zeff97Q(@H8$-;KVs+;~Ro*#v9Kfk<S-DFj15k<?&
zu#wm1mfatI^a1xExb1;;^3YgQe~@(bb*mB2r7}l$O{r{lwDds-r?jcSHmCr3_rwm}
z@vZ)3keTc|I<$&N!8Nfs7E*HQhCAXxr3HVRYGIa-f2)n;?Em%)`2U*#<M5uZLcVGu
z`0L#8{b2NJl5aWjaPOb*@#=ZSg?V`mlk#5yh`l-8Uf4VfVCqt6-jv1w=~Z}loMjc9
zJ5B%iG|I+*4+xa?5qbSt%br9`kHUgm^V4g;eR_VZut|tjqg(uGn#rbqPqg=cWK~(F
zv9Yx;&3-gz`dSb>zF6pUSTv~LlBp3dekfF|o6~Dpz(3p9JeDB~5II+q?owkKn6far
zeN~20ZGofuEkh=7%sH5ZJmNzP(DTg?X?08kk2tv&ew>f4G1E(rCQDn_SxUk}_(irv
z$@HkNYL#Wg)ZI(&HaQust>n#a<}T$V+{oF7_Os~%*50kyL@%YZcdI-baoG7nS@<zG
z|Hp2Y5i>UMWb)gHL59VjO1p&H6VExUTkU8T$hNT;Rr~h-{-k{D+!Yd~_G0%&gs;aV
z8FouIRd6Z$HC-`nSquVC*&h4|fVk6@t>GK@CFE@LRt3u#*1OgDXY|kP*j2k&4R4DM
z!%O{d({^k6g<p3`fY{7T4r!h|u&-}Mk*~(BnEx{yyL>83MHAWWyX0W9rD5%4zFlG0
zhOU<l2XD_eS46)oVVN6#jDzGgyGEN;mVNi9@{GNbf{d4BTzR)79dj<Jnf1En0x-ST
zlc|Xd$l>CVK^*~Z@O#aUJO%evO{>$8cS*~x?`(1~`5Af1XO)_CYuR%|_VtZ}-kwn`
zl>MNp)UZV6yY*`Icb>89fGf*mEIK}Ib)OpOkDQ%i+rNsw)vCNoi$tmPaXC|>RPgTN
zNJBDn4xIqVtKW`WC6a<uCfOEJ$6=Mkpz7?EGR1wZv{GjeLQ$t;;=MEV_s{RA-T_p3
z0#=qmvXE|_c%J*(H<%a?Y2k0hC9i!!1IVR0s=v#!GFogL@#yR}*T;u$EC1vF=f_n$
z3Z)L^)uJ{gsa2K6`JRh@fT-F%@-R~LXTs=e;oLpu+sLQLp?!^?-kn}DSoirrUfuov
zft$`(m*P|f(F2ktk+UAIQ}-U%`qd43;)mi$hcA0a_?CV?q_(GC(&PU)gk1Vz_%3@&
z0`+`l+J45?CC@%`Hg{Y#<`oEr`p1?jUn!sNHV@%!73kGo+_cU;-l(=N!$B=qRh^Q%
zSAGuX@1Nv$g?ZH2u&VR-kw+EgqmMVA#43;PDXr`T`O$;wI4I%#Jye%(Epz@So19y!
zGZ=W?BoRC^_kyB(_}Qk~q~FJIk0l#i!!ymJw+8dx<iO?8{yIZi8kWOuW%)1rjgTd{
z#ld6_LA3y%)l74+n^n3`qrq|nE`!_sN08SA?L*I8(u|{`-)$bX?D?HLTtKgSjf|X`
zDDkjp`B1boZ5&|trLT7Zb3gnFuzUIdGKudNH+APHUR0H0btfO+-3jsru?n5Di)X&W
z+3Unbh;p@>tA+dPnvBY3zu%1L;vHpOoS4WlO8nfV5i8%M+hGq|y*nPIbr!_aQ^mIi
zmiIqirZV1eeQwK+6_sVL_qHY8nNA7HG@Lx8lc%pyzO|Q6GG)#$+Z@nz?B-G1{%2-<
zslxW{fG%|tdj`E_oj&mW^UKRGhZ2{ML@m=*tiP|be5&kb+R*b0xtg#QUnVaXrcxqC
z*=16zbR<Wuir#K4|0;S(qEN7?T#4&7TPhgRFtwWM<h#B*PL~9&O_xAMkXLESD@wV!
z)regW3Hz&zA~#?E9hP!QSLQSHAL0`}yog2*mfMJ)c)K3%+`pk3K6)>A$f&Tb-QrP?
zlw7a7L2Z;#5ql>uHT2QLv}^a9zYjKMUmQ4A98uRgl{nOVl4j{|msC3KSkUt#-R79p
z=GuZ?<5i?tovpP6XB-<2v~HPnOZf1$A5I%9Xz|Nv2ML_+`N-)mWZ}N1<}Dj*V|m`;
zQ=4nXKa2Og<e}u^#U+aY600J58+AC{Yuoo;|J)%~u3Lx^B*SU12u}P;-`a8MwFgzB
z_-(S;L*FYq)jJ5j0&lxVL&b(TuY|00*tPo^FweH5wWbin>ZZUx*t)wQQPaO=)awQ1
zF3vy^hwl;!4;1W0Zt|GDIT<a+WUf(6D7r3O3Z>*JWx9VKY9F#X^Y~i%#4M8=l^M<~
zomza-$Z&*JSr56Tq*-g$F7*1b7>Ryfc7Jv0p|HCdRnVOmug&Tm&|MifP{=Oo+1Al=
z{OrX@%aWFZ1wGMX2z*`R#KCd%Q{xF8%4@cI8IEn->-g5kAnhRU<J!4jZx8E64_D~`
z00%rqyhqg_pX)LDA)>1GW%5!by;^MrpWd$ks_ZXl`f+h6H$AcGX0r~8HSEMWP2j^G
zAKkob|8tE3!vk?Y3ws;8E<FtW>Yr(HiC=!6Q})=%ls$G^^1H6`*S1BYv~Muov8+Xt
z#M?Je4Rv}n^zEb{%^I(SNmgK|ak;x)k)>A|1k3M*2}RYokyHDYQ5EhOwRRaVpPGCG
zVs24HKEHYk*r@jGn4~CEH@(q>f3I}pgc6^h5*-)eb*6Z3>Bbt$XhpVO@=eQ68|Hsj
z^Iq#;ePyTVyJcqV@$>0bJ1Q-ZMVnV1w-(4Njt`!>u=A7oJ3I@{v48s*dJoT4eUc~D
zIkOMKZGMwb*M2EpNynW$N{jb6pR=iH>Om<AW(dEm)Bb7sl&KB<>OH%J9Hf_}u#nJr
z=81NN+7-(;ezybB*Ojh?%&z}ZEIeMEVy!p0sPgLVkvaUbi#uw&j>lDPX4BU`v`sv7
zZ}ix{1W}vDtEt7Y=4Z**nkp-C!H04oMer-xafYeJnTcJT1PD_3a%g4eer@t53#Wuq
zWgo@yspur=-p#eK;r$t|H}ydoWvpRC_{XRpGE!RAe!c45DdaNU@hOUyx+^QdAA3gJ
zisH3&3`uIA12-NIe(sVsfV@T}?uMl_x51^7GP<KSXXN;GUH(3mlFuEw;ubzjx1o{3
zF=>x=UafNZUbXK}VjV@-p!PZJS~2`W#9ZQhY4-V%@r>>lt;&8=shgzy@g&7qsOX~c
z&nggnI^u(jboo7{YL%T=|M{YKZZQz_`jsBhr*@Z5c$||T`)~HNRR0u|tGv^2@$uKX
z<cLGPD1DbHjeEY&S7lg8X%|g;&z}MFzC3&10+(R04v<B?Yp>tbC9G<KbbGY?$?wX{
zd6_T^;x!>JbY`oDuQ*{XU(J5(ji)Vf*f$T0**$V~PU9s<^rhzVWu2^ESYG2AimraG
zVEqVkhcLNB2gU66YmGfS!g^y-n{bypb0quv&QRTP<`bpJp^Ip|#`w8)1sj|W(R*f$
z^7N}Zr&qDEj~8o;sCkun^n^Q>P0gOS&8iKQ8Jj2RpY~4+a^~8hXW0d3;GvN_NF@*e
zvI!5y&_k@tes2~pU8z#OeS@eol=lIPTw-=-c6w|#hzI9;=0-&o-s&aENyg9X71cFs
z0??%=Rt%W!Ih065KRg2<6Iqa8(U6E8%D$btysqXm?bZ(f4BCf_-(q*?d{PzSH6l-*
zB>m1FVPLe7<FPvR*L$+BcGrLWLYso64(A8ML)+XtW9vt+TIoGr;b(jiYh;0~T2mL8
zakv}ML?5G`m+RJ+Zyp?nm<!abdhYI|O>?du@9N1~X-TT8XZ8-B&EE;LYTq=9RMkk$
zTseIF!OUTJ_X*e5Nf-Q;DS|SQxTdTr`sNQlC7a2v@2~b`rQ|~5_j&tryNIT5ClSTE
zM`-u$66oZKahC0x*u7odtahVS)#2lH$YXIkydGz5>j`<jYVorQkhk<{`YhTRzx?KQ
z>z2g!<Cyi^u*N&TSV)Odw>UU?=ZI2MVs+>AA$L-|I6<+fe9P#au-WQ9iT=db&KDtH
z<^LJKarZkfRCk$qeD-oqB(`7L8K)+lNh#fARWrV3a*Mx_KP!Q5U2Zfu7e3iUSo|zq
zcm4RD=DK-pYJ8;F{uE`FZ<Lq!qhfA^`$qZj&*#Eoes5J(J$*>(hJ;2|Mc|{?e+{qA
z=^|a2>lS6)D`)~?7J~yM&;hH~pv<_yBzB?dDuKJ}R}fc-EWsr%pur3tL@}L3%;qHw
z5<~7`{l?MC!2Y*WVa%>yAAmA#KVF=K+cAu~TX?#A=a2j}J@1oArjUD{{*g1%s3sp%
z^)@Yg&BBwJ%@#MLm+w`5FOH=Q6Wl|8kun3mdL@*WMzzIqD?KdQrlP+HR_(L?ax43N
zOmgPgJ$EiRx4!t?7JGYmt@EsLinfTEH!w{!y>zt{Bwk(T0i`)~->DorWBy^813yT(
zH1bHFjF6OzYF^`p<#n)&Uf;axr`1>JI=HO>68~m;a7XP(RQ}uhb|s@%q`4MFFN;#H
zA`Jtd1I_p9_EE1a`BL7NUEjKYY>=;BSvcpedt_Tg<&P2!)#PMNuhx}{H&{)L>7_3Y
zsYO9tnR~9M(o`OUH2&D{$A|xnryU!d{A9Un77Y(h$1PC*KQA3&8vAa!SG^;zY}23u
zR<;PFx!>_;XVj!6J_f-Zl-czy<2qND6>5-muf{a`eWc9%qk*SrBqezF2s=w$E1L6l
zT8AI`+!`^Bm>|DgADTCnF%0TI<X^!8^Pw!Hs^a*KTWW)ht&1MMdR5>0zIG~08-Qau
zg-WGl$zV3GOVINAfAa_kV9$(hLI_8}eg^)h7r=dmC3fXyZHlh9)y~zV-Um72TDEei
zWo74t%@9<3Eqdgs)DL<qS@KS><cXO7@x<BI>pO+>&wq@b5SK-ce2;?`dAc9}QV}PC
zr_aSl0I^IbdT#p%^%Riw@_vBZxfpb8k1S=d)=PZ~5Q@RF4F^Nq299g`oddjU_lj#{
zi8tOaAJ4kG6El!_Jc+X!kL+QWL#2+2d?dcROYiB6_%uKjW+YuoIG$Vqm1^x(Z$3;&
zh$+Y+WLG_(=@YDqc%}HJCSxjS{ne^bd&_N)#Rst)T>SjZujWa9^}Z-;*=<BQeiG^`
zvIcDSjk~8iHX^c3vH<V1Af*4veU}{FZ`=%6;r_T9nN^Z=w{$&bBge9oUN-DcEji+`
zBzrkuO+Em%)kUi8nWmc9^x#2)&yd7Y+J3hDse3Oj^FdxKSzp-Q2sUy{InlOd<jIcO
zI2{^`S$Zg~ELVDG>NSP);6W?J+lX>@x!AI{N-gngWir=f-8+klK<f8Y|81=pnatMs
zG_JnxSZL!bTc6%HqI{zI&}iw{mBp(~tq;w1^fX7mT5#QBEP8t~QC^JOdl}&cV2)Z`
z-dpha`#V`c<iW>E7DS$Ixk!!h2QYZp#*L+2!Vcpls+DEieX<co@-)@llst=jg%4X-
zS6akoUMRzoL3+@$+<1ZBJhI00&(Gd3(j=}%<eNW$8b3LDw&U(%a`(;$jVq!w0M%3^
zCy7lA6Dc;;%9)Rq@ni2^C(1Pb<>qh058u|TqbF~S-}~or@cow>&$e>sW~cLVG8ZZq
zf=^$zC<e+Zh+U!IQ-YGHmrHH4b{(=By8AG(Y5k<^?b}vG0ds-1E|!7{!|LYtxzCzU
z&iM-4Zh~|-*AbP_5|^O1@th@y#9`GhL>cT`-lMCp%i<3pOYF~@em+Svaqg0dZ@Htj
zrpOOqrVPi86Q(1NJ{(;skg?mgbCc!%00&mqzE*jqAtR7_0dTrSzC5aOC%Y6edrlY7
zK=csXcX!cRny>#>eLg85I#OwQNq`Ts_|<pOW@BC0?d{BXP)tDQFObp(N0XfN&aGNl
z)iZDs9}Kb2?;Q3!^y^D{TO6|6XSMk-WF6$dkpWJ%tZI-bZP1XpDVH_jqs9H`Y52RB
z$<v+u_=6Mg?4wdTf*)e@e`Wk(yo`cymk8RUtuHFBCFjO^R%&DoaB^qpHJ7$y9~@ym
zL|ON46l{hgTSmcI?JD_%2ZiOpp?gJFK;2`>=aj{=MA=;_Yv2$dulqo%aPjgELJg?!
z?dCq26PAt+>Z+Eg&73kwZS`2GIDX~x?NG%n&QBG`ACpw2uVHT`>_M{@qZ=Cz{rsf&
z@aY}zoCh4(l&l^fv?nUpx3mUCU8C8NqO|p44K`7?%dW+YY2%~CaQmo|jptxdOkF-@
zweEP}(kdX1TLpnk_xN{de<p70HGTn1nr2r3>EY@SS!H#bVN{$+yF<md<GWws_p#L#
zzv+lNq2ZJS>8H}IO5{{&7LZk<i{7rPve($F4<vxmy%aKl0ODJu=%x6xdp9VMBUHAj
z$WHRuS8$Rn^?NpY$xlI(hO9g0BOokE)=y<{xopWX+lwkevNM19>O{-X|BgMvNq7+U
z)k9WDU1J;e<F&!E6<=NI`(GH|+N5|1@S$Zl7P}V3I)WyL+R&Q>6^Eloq=jiFY|^<s
z@a*0OTjf=-c|cw-;*FJ0Z}m2sv`&8nSjC$<l0ANCpb?wS8b%(q?p0{?v<iHsA_ml}
zc3$nB>!Pvl1ul5SkPs9Pel_JCQs0^13lz6q?OWvY(~$m}DC;QD5%fXF1@OVXIYF!B
z)AU1tx}5I*28ilP^!I~vL;hD~)%wBV_cxvM$t$#p`lqkeEVq6t!mg<-lRJjh)H@)X
zp<Dxazp#55#)=289O3Lf1c2LXK$BnDrrVY8gyh^;?t0{8*$<KuZU)<Zox%?nP*pvD
z67m+lEjY&donn3|U9x!)NQ<s&Wb^T%Lh8XEj%JgMo?k#G5O)1rK-X>?YRS8bHEG-O
zDkkq&#-s?40l#hWcYQVv+Vq1Rp%3=to9wKOTD3?qFkY@S;ud@>$iVhAH!KH{3KVc0
z!<>J_?yfL(N0-=m106oPM=<?jy65oTZ<mJp<1MFr^2^O+B)WFgiD)q!>%K=>VOMeA
znstEj4;yIMs4NYjtXw3V?)w4Wb?GT^n7au3Lyu1kwd{7+1EskADq4JCSZ{v+8m9t<
zy(;5<9t`D{Zf#$E*(TjZVNgR#J?eF<Vo<79!aN*nRJhHv=<5!deWKR*6fnK@Qk!B^
zCccAmTg|WjwB5>9KM%M~{`}rc1#(o6q*MbR@yOug><M*p{pAm5pI)t)(El}_Hh%`v
zUvlKgvPC_onllYgTc>YV$SoZ$(Q~e;L-urDni+B0AnsE&n;m}m1ps2EWFJB<s!a8p
z@5N}y+m2TzZGP&~k^}v*{=Wk*?#qxU_N5&eLnqCrzCTvB#`Nori-Bp8Q|ICJrkgMC
z8Ys6F$<NggDlRxhAmpRURKCd^+&C;_d)q09s}iE_pQGT}eJAVRpSq*KDf^Bg%GzVz
zvhzN?JAO{<*uAtK5c{IWZ8ZaLg@W!I-$Ua`Jq~YEEk6X|fJ0R@1Hs@}-I<z@ouFS#
zT9>35*cnn?26`0U%bE`+oA=p$@HQE07}{0Gx<j1XCMjQV^-D_E;B)sAiTeJoEr`P3
z0Ebml{FE)~x9b3b6owseYX7v2%;|OTM9+QMefWI&RJ-$^nU*KFOg3HhlVtxM;T~S0
zi>e732p@z3GFaFZH&eFG<$c+$MDkuip#i9SHK>QqO}51Ds(P1DDN$CJ8jcD+D6W=;
zAv=8tyZw<~UXcV2SRfU}9dp4y`d-^yt)tJ3ftujb9#A5K{KRQmXvG&vp2yL{WaV6%
zxw|fZa?=K2$0LJ~{-GGqf031(Qy2`Y*)~Zt_8neh(}0jJFV6>ciin2z(y<Ej0`kG1
zpJEoDn31Np-{*AgS!XW1TLuL3%v9DW2S{U`gC?TU&W~YpF1Dc)Zi|>RdqIJMSQ5r~
z%97SzTcoYC+4J@-X5)D6eAmoy(b~bU!k6sEf{#;<Z$_TX|54Xwn~$*c?^fjh8A@8k
zzxQ?W+f)a4SuCTeS66s%+v4&+okI__A}Zd>${@n(TeLTYfXM&2K4mSI(?;51^KYY=
zwXRZ@+xvTcaVHDQyAof^+7)<B-URRHj9Xe>&u&~_k?0|8zDu+z>f+5@<8F)fCA8%F
zF1ER&{Ud9DFza<P+n3dRSE=1>Fe}rrhhg4SNv;Pr^%Yd8n|O|Adt^1z&cj}Ac=Iz5
z<H+V8?c5K@k$KS2BL6No<`c(fU2|xq#T_duvodx+Syy0`uuS2@?#Kg4rlA=wX;!|7
z%xjUYDF69;>^2I+f1mqY%MZ|wbaMEKnR2|iV26=*&#bKKOQ)1+6{5<&+)m~>xxIaD
zkhcF}%YMSUy+AjA^lq5<!I_UB+Q>0Ffxrh};U1ptSk-}90%D6y*|O%|@}C4hqbX#l
z_F(k1cHixCRi|Xy$FD9+$bHN&&zF{Et>q&pUhcXb@Ile56g!zbv;4m8YO^ihDrLbh
zdv%jZN3fcOSJsiU=KDvbb<tKKt=*i-LqkdX%@6fZ)um8mcYpp&V=jbj#p!(fanb93
zlAE?JAiNuvZHPECL3)^{&mSpf7xxCw9|qOw^K-5dU8p;no>5xkGIQVkDm|xYzrilc
z#(kfLj9UoFG9v%?pXn#c`uD4KBVI)-sU2Nn30l>xBjhX8j5;6KKh<#NJU({6Ir?tv
zMunLaVuPl^m4h0G6B|}0)jy3|y!ewPy*~MLLJlEesNDK^=IKg=a@P{Cm-#2ce*%s{
z`1!=jYkcGN_R0}a6r;+{XuY<{?MbF&4$8li^=#C2|N3H8DH+u>S3l8n=vapGfm}!n
zBsHJ)1r!|U-|2~(;VJB2vbZaduYb=dEb46i(rdi8Kbeo#92~f=d-mAsJy{QU`wdQl
zh~g^4Kp!LOusNkidB8T))_h9|B44qT2knrGTRKQBu}P1rEew-Ru>CD7f6q<#Ts11{
zgq^&Pn{D_f&ai&c$}0zg<ZkZVxwWZ#*V_0;mVSfK_&aYSOFv2OKhIrKy1T|(L}*6V
zlGhQK-vJ-EwXhsy?IrkwJ?S?hbsGGD#AK~9OCIxrxy4`4N){tZof@y-j{%k1&~F8&
z`Ca#oh8upGsDF_JCA<OLnwMNa*dqDYDqxit8F8cwTRxu9Y^@wSrfjA7`L#D>l@?;#
z&myIm{N6*}KNH7lGwcfPr>^Czi-et}I!NDm$YJR<`q4+n=jVFnQ?{7ol}!A3pY3Vz
z?g>j(N@`vW^;mZP)F(o-`}f~9HFq^3u^a0$-et`^GE#fOsd9f#4@=I>U1C1&<dum2
z&_fES9f^_a=myF;P1<<r<<Ns#?8ay@=Y(OWoBC3%p{&CbUwxkwIgdY`_&D$G$FF1L
z+>en2ZF?hnGTY^|eE$1}d3Pmh@pN~@7r?01n;F-FB5)1vsk#*NPvYI3LaDlWAKG@k
z*Y9;uYE1EfXm`cWfFK-8&4e6H@kuzNM0s~SI!;mxs>%Lup3HSTIrS%HDzuGyb;)+E
z$uSb3kMM!?>ifhUdpB3r9lLbmZq`Ldc(1HJJ_Nt!ajEo=7?`5r_s>EN^;r^R?o{mV
z7MK;$uX80#lB!eB2mOJ|O0!OY;d$!M^=s=NRi{pA0l&^oCOflE{%Fm%ZW%fM+)p1w
z^NJs7pm~`0Y>B4Aj+)5TzJf#D;{Mm7it!XZ{mlRu03aB6^@#XL2<7I7{Ga`M=Zj?x
zEg6TALnlc=9e1Zl?s-%08&tgdN{Rj?vNGEQ^A`?6>x<22i~CbArii-Dex7GxqDZSF
zyKcLVC(ep)rwH$S@v1?kpHl$X2_;O$Q4^0WF9DE$+pEK=Q=x$MS(Yk!X!>B?h^Bi&
zDR;&DR^vzOD7Gn|6b`lk4&GU~<g3(H)<>~EV)%Z>MY>Tn=!h}^6@u9P5hDec8_yIZ
zyAl=uiIYX<M~6P74XZU=It<+Rz26^~?RDt#>1uW0$It(``oyK2trcyJS6V>2L>(K~
z(qU6m{^|0F<b845^T^w2=TFf+ZH7}$JW;8ZI-lX$8GJN<r;)OF?v3uEI*p9jbxo=l
zrvP7(WIFOC>c|2{*TulAFcC|NH29to#kUiELVb<$e!XFtA<~Lz)NFl|@+&jjSIEFf
zO3--o?%}$<i|StSTFEh|D!#hRHWb~Lr7E(<6b2F-q4LTSM4$SY26btBN`CO-TS;3>
zk8sw8wfKsf8fQ1hTfkm@4#;EXWy>$OUFe-LR5)uUP0%a<_|ASqic^Gev({)9^y9d+
z&Us;@-GHO#TOBQs)EXBRb6(^FHtiKFuUw-qancMi*Vw#|YXqD!IsbWr6eq)$0Hp=5
z3AzcH2OVmLhkw2CKYDN!xXPyn3IKF&s^uSg8T~SW5WA?Q?8}pxraZLfGDfObT5rtW
z-(<*ZUEtm`#C2vsh2~Fb;8j4g<_=pTLi4w*Y3#L9s<4NlEKl6>aUl_T`7Y<#)((oF
zQAH;x3-!$5ra%Vt@rkT$5&qT!Uiebh>yA0Qe%&Q8=pdkiwz)gcP^VGpk7XM4c}+T<
zs2?)(^|o`GRU~>I_%{WG616*j>HvB?i2B>c_)ER_#Df8oXaBY;pW<|A3kGs9lL<pm
z$;7~c%<Fjvzw8(}JwG>gSkrgs9#9AV$e&Co+BAu;k5L?7;Q}ZGBZz#-6?gf)Gw<U2
zSpKt#13iolF}jkh-$PIS<P7xul?-U-eSKM_@TaF{czptN^Q+C;2KC-$X@X{=y2moz
z@O04Pw))w;fB2^*zW@%~_iGdsdRHp!1*Z0GI|!&6G$5!Ww1)QuHZ!93>b>*hdzY;v
z3V~~Qlyu8du`g9lcf3=XOwsxIe8V3-8Jz1BcCfFjuUZE~*IUg7w}FmxE!N40e_Iia
z<y-s@ms|Y)_FUFRaHIJaBg-~s^|Si-Nt_bKAp3)!!Ves1+MQN)dG!a3^i2)_tR%xC
z^4wAy=iSd2pySZ+x<;0)ok33F{ibgqA6t^m_fEbo4r<N?0mUD{&}+1ZkCsH${!Ogj
z{&u^?I#7L9=L^Wp&%FiI-B%MAmddM*U~48ZzR&xT)nuqYf4u+A?kCAiS43|M=yUi2
z4jWtGt98t}S?Q;Yh@eMq@ho)px2gCgO;Q}cRQzGTl@e%b{57nD?@xIO5^~+}+@jWi
z*v66!zZsA-r0d@w$rfBVq2~rtg4rdNWvd_CSuG*^^}V~vbySnZ8_v}ky^pr(pvydC
zmL%(Xw0fzwJ+stFd4pA%zWLd$?-v<H0V?3<LKhrE?g#1K^6{c>$&S`_mq4n2QfBv+
zs`B^r(zl1oRDJ1+pC9%h>@r6$-ybRLxYe{}#5&y#B&Nr;>Z{B%?|%U#fJtRp=%q#(
zKbL+JP#jlo8ObOy&-=X~&$$X>o=@1KZL-8`12FN(&gBtTmh<Z(XN%uP=H^G<pvVMX
zV{MH*H3T~7zG)!hdJ|c>=K*55tG`|A!@vf%b^5=Zs&Q_+J{D_L{s7K=Q|$`V!m#aP
zfMnP|j663h{8l^&n61@QcLsW%Jn2zdb!pG&<6c>ZC1^{#jc{9W8<n2$*Qdss{Sizr
zC;K7y;C9Lmt1voffQM0ZN!jDweRzKEz~SYV3p@*wlRONf#;JW-vwj1&1iqz0Y#GNe
z+PeF%4;63t8a+ZF{{aUoYYt5gsq<PE^;zcZVq5r<OPcbod*>dl=hs4ie2(2+132*Q
zPkz;L(R({UYv!7f$_%?$v}V#S;)5;kB%l|;ZsS7c=XXifHEV;`zT9s0Xfet<`&Pq3
z+^|jOU)usX{O9+9V;d&}WN0!2IV+>voA2$@>@#td5c*}6y=RfO;|Y8Kk0!xCIkmja
zJx2#(GP@hL9MB`GQ6R;4o*wO@0`s^uIn?q7bjt2rXt)K*N0jw^_1-_{P2)feBj%P*
zk=pogE!FapmTz?13b+SYT%o<ccfwFEd(SD^`~X8*DOt=6Wb$5Zj8Vwu_JsGwIT-+W
z`|v>2;R`WUmp2^#{r$ngUq80w+}x%3&*{JM;`)j5@AU&Y4v|f#Kz!CW{zsOJ?mM_<
z0urkrYnsw?K7GO<@zN>ZlCbljbyMG+Z{U)k5-#0cGLV5Dx(QSK=hP8d@0a*I#xklx
zuU74dgZj;lKwYmaRn)0l9|g?XQl($Up)Yp*1(IY#(AbA<tOpdaUl=?S{AY&&X*bB!
z9b`?*fKQ2&$VWm$PtH%c&R?=-do79zkeN>`HmVy0xDy2ypk0>tF=|<jtP$>o%OUVF
z@cj+PAAJ{Hx8e=dZPHKv4GpoTGpi<)$lY=lIHP})(t(hzO0r(rsaA^eueP^`t|UYn
zq=b2V+`bnulxuP>p4M}t$)p;8$e~A7x?e?R0eT;ut?gcbKJXiWZK}BKwi=k?M)1E~
zKZ5M7ZG8Ymn5kE%@fW51J%HZ7uh*vgW@*W+5x3_<pv)RJ(}J{te+Dz2W6OKqayez(
zAmec?I(m~!1d8L0=RX`cEAudMVeZFe|4^WveU!i8Leozvgq_7CAXP)I<ut2YnV)?!
zzd{%zqmn)=-Pm5M+P^<eHthp@>wek>@+crG;>A-{k8f&htlf7yt%@(Bp4m6{RZ&La
z-;wWE_y6s2Wh*2?_uk%Gd+Op{cK$x^J*%$2yHoKl*DJDVY38tMP}PgHa=!poS^WJC
zzWq+V1L^k;{<CY(&Rwe)S>*m&|AyxB``4DJriEAArC<5g*7E&Y3B*2`K9o_J$W!?i
z7qw$qT%QC`b|&uwjMNTq9trvTZ!?V;*=P~g!#P@9a5<-dd>ycTD)#ADPA$GrAhT0e
zPC+E2Do<6Cyh7%>#0t!7X^}G3kj7~m+v=%-@1`(v$k{VstoGM6y)BBC^~Zr+8!Y4t
zYTqs-1a;cGnJ28bDmKDG11mqSUk51QnXv85sNVpwY?`@!c>d3`4GUy~N|4SX^TEt@
z(}Za8P}P+y8_z9|qPeWkUhDS&)9R2FxELqeC>PbK8gg+PqW8~f$lESz)H9W=IBWRU
zv+X<6A1N=2NIqDz&}|38(`J<`=<8QzbH=or(b2`OXL)|rw?y9?Jj|5PMt5?lpSKwl
z&qR!XwLE%i`pYe2rA)jNO6a<`1+}ua*fna>8#XTUsOxr$Yvn`DYFO7y^+?*l6*k|-
zSG|r|LzQ9S8?JgqvM%{QFHx~7SywXGKWiytDUiD@3L96-Dlt10Kqnj!g4$%l!-og(
zyEYDQTd`=vyAjV@JIgMN-UfBv54(E%Y)`>tC->gqTr_05K#M%;e43~7N^j8yXus#y
zW4=359M5=uJ(0W`fI2gv?r&dPlea4TKjz*tEUPYD7ga<hRCuLZUZfkOTT&%OK)R&6
zr3FEd6zT5n=B1@OM7mU3N?Q7i3E#JtYoEQ=KG(JXoFDw)Vlw8aImQ$BeLre4&60h`
z5he~o#@aqMKd%TnpJb3gItL&w-}aR|-`BxGu1ERf&y&oi6|Atz4h~5*GW(!#49Y8(
zja0JmL%{HWcK!KIrZ~!DiL3UW^`(4PS_HGAqnqGHqi}^>Jb{3l?AhWdi=W?x#_Z9C
z_YN2}8~-QE@<}Yz6bSnQJR=6xsAx(ovYS}7T&&^L>&04k@YXy3%Uj1yeGtsFJtB|Z
zBfGUF$i?1sEVQR$mCYow<ptBW2&i2A)VF+NF^xH{<{)eIJjK1N%=(Hl+C}FDkgdSB
z207jav=Vf{@_}AP5Sm5v5K4v}cy<1@oWMPBhkS$)GHo><VZH0uwcVpr6>r2U1k}X;
zTu5N|2-<;Xm{6~#46)&MCrIKy=&i!xs8Cb$B|llMc6D9~Ajdsxmb5>OFv$uQFPa8#
z)%|-DL5~(n#GHOkBSvPEx|-K+o$=>J4;Nn5l4rMqn?V-DitX6sV^F=6v3|qs1P#;x
z(}|iM{fa{6Rq#;iX$*+PwCg90=HIA$^j+lYWjn?JaPq5VeEYvl=>K6EkE0=`>YIzR
zW7{9Tcs(G<u?P{3+z%%^n~-3`yeEg7>O4kYyl+Eb(70bE=yLI#GPNLTE>EHm%=`~^
zwKs~<Ol1*JJENb4Q;k~KDa&e9TPFU?<%)S?{aqNb(?J9!0=``Kzty&B$N8En>K8D%
zT<_AMO|MX-m@OL#tQVE3ve?xl;DlhEpHFQX`l@sA{j32=4$c~7JSL5aqBuZP_5VTa
zID7DG^o3=^f%4jLx}<fI*3s#9lV^WZlWA4<u|NyI%oH#)iLWQmHYg=Civpam^Z7e2
zzOiTx3h5F`$RBdEfqmzIzHW%V$Ex4aRiIi<=iP-ukF#7U81eRtOzx*OzW}p6oy8Ej
z2o|evZQQy=<82YNii-fko6llZ(ePxDYup}C^XM?FdK8Kk-B*W2ou|h`Px<5pw;WbN
zf<xy2p**BwaG4w;=Blng_MMn<zUK*dz3yTDhRq5Zunk3O#DNR=#GYw;A%klV&>1)}
z%R0&nl4StCceQcdqN+)~{;ka;V$JQu;~D>S5VNlT$;vTrGFvr1@OCeXNt5swYjtm}
zmI}M90(=J71j3ukH|-GTeNrve6Mv*<E>~x=03lQ%a-+U(G`pkO&4YWuj8O-XPpr4i
zk%?o44C&?%u%y(Y&si|r$0OMF4O}PF-y)t)?0W)kt=Bm~Z7N$c#@OT;)X&Zb_K#f*
z7!)lGgK$bLAOZU-0t^0@YfvY@<=O1IROd_aYL}qa8v6H;w*xm_Z}4a>x;1`k`L^zy
z-RfS8huLzRydmA;2G_llSjH9^fkO^<<Dry66ua}eWm2bE6V<({4%`#LJ>9V$=u0^T
zryiv^56YWQ*Qd*uqR4@a`p|H+_rMyf#>xxCWkkDZ0tC}XeLwT^i_nm3T=lt9k?6!^
zNazZJJJp!)2zUZms+WAp^a+T*yxCtJ7OC-S<mGx=0qCE}uw{VaHK%@}5#KM4N6EPn
z$o4!YgqWu+QK0HksdyR8t4B<{CP4B)gHSi$f|hS7<;N4cfx8%_#1ZIwQ+|^hE`62m
z6jA2I%fRlS!yq_m*g>*FEJfX9UdXL-j=f8E^rdaW%2juvgRhSi3n_KJy<w-sH&c*?
zKz5mMcrRFB%CBZ8v^K=C&kI%OUo619`%#xXF2La}E!ds^vTA*s0Jwf?hzB#jDJbSP
z{j^$Tk3XD`*`IC9C-UV^jf+nB5FK{3cj{Y;HJyKtJNiWC<Gg0sZI6$10J}Opewihf
ze}4Sw$fnF{SC`a?;(2h5y}pO$O~dijpIsiBmVtUIkK$NS16jwn`^;PpFeQ9xUj@=X
zz#^4!t8JNSlrY!bLUW~H<Iqy=CD_@VdWiD?3rFA5CxO1qe9knTF>T{6Hecfu?qyYs
z%68E@E7zeU>N>aUMhS>yZZ&>EA({pp`8)gvE`dazNB5<$Z|xz7I$mxcxPoM;vRI{U
z5L&lQ!*temmgiw>971AdUM2>>efBVM0On4?MpU)MgUlJj2snDzXWn9BWbLC*Y}fan
zK{@(J0(4RSs1H@t=<-=>nj2E8skO;JagT8tz{Rf;u4oUWHwOfFSJvz(2fVyBqu{rF
zqay^kYUydchHqSX4)|1zCsXkp=NEhsr@!^kM`^+geCnpKa7`D+bmwFNX}seihx^F%
zZ~|%Kfq1Fs3!7ANUH*faoE`15H_!OIG-P7(&ky6{B#N|KXDbMBI2T+}4r*CiW*7o0
zJ<UWv-213mqn6*vzu^QsP`4?z@;RpdAqKK^#V&lpF)HF>S0S^jdvli5aGDLWAn=^Y
zvRQOVqfjY&ZmIPz;8XUQ9mM!Kf0*6*7{FTH?z^rV{E){HUy_k@Pr?_m^B{ic5!Wk<
zUvU+kBBJDO0?S#Kj;sC+mdy>g8oESBL=ZTH3_in!*`ZI$aiNg(E2o+oM0FNO8TzMu
zxbGBo@)vk+A<dgwd8Fy}$^21z9fa`6z9&;(YZb)PLae)GN0xC9*;elQq7v}Ob-1B>
zLHl+*+|0G_6?ScDk4x4L6Or6D#9k)=SUB?yd`&F<A_p@UPA<(fBK?hkd#7vxJw1AQ
z*_+!k3{_|p<1bXLf}DYA!PGGmVxtZCt_DBy7`XxPE*{^s?h;TQFi;d0EIdhZFgD{O
z#T$Mc>M0iTfrm*w-EZkM*|1;`+GwqSsH_>nW3!TQIqnJTvgPGI7xsaAU|{IDOL|#Z
z&BBziGOk4+{+=9X*vJ9VXvmCnUu*rtlSz=%9%i!2n%*(Ye3^IWbyKLz)Dcg0j)7Ze
ztF(k}alHDMjzs^~B6inEk8+EB=!lN9Fj80tKxg-p<Rcq2^wOch7B+V=gW{a1(U!%}
z4*~}{$<Zp`802ymPfW7e-<wVNp5;mCl5!1((`|i#UTP;8KPdA@N<%pc7$=BJe2naF
zdA%0WAQC1gzW1^kxZx!ieyDcyJ0ZPTWYJdYr)!3cHsv!u1_m~rLgxH^qM5oTM$EY!
z^nrs1M3D}X(_i-vYL=qZ+Zv1dT0>9O^OwP{Kp?2hsT6dj4n=dvek>1SoN9(ewy!Y#
zeil1}ZkLGPlEegCzQ7ZSdSSTMxgp!4Fq8N3=&|!DWB@*!64N|@=_LGG=upM<r;xWI
zbtTI)S!O+QFg%_}bd0U{E2SxZjO%$~J6Or$gojrnB+U1rpW#(5<=vdz!9{)d-(T*E
zYghit?_*(>pBSln=3wBe-qI7>F0|au-V>g_k~h8#NGXwm?k5#5vNJ8jHoI`Du%hF&
zYY2s^HN%l)_BN(AB@PA~X*Qop;1xrW4~Pef%;PGfS)0?#5Wt#5H+^fx#dXGJxBC|H
zQnwAy`j!`zI5432XiAz@;pn{wSxIix_j))&Z!CNR2DXMQQpdE_R%HJ~EPEklFhBa<
zlSHNd+OOeP7PlRJA4hv=!wr$U>2W3ZdToAn7)>5KZqAgc4SXxMh&?NFO!}Imk)hE2
zXEPylYrTnPyMXA(7$o}(2ZQqg7Bj2q(A35Cc4Gs2Qk^w5gMeaXLV+PH1kG+UdMXn`
zUg0<-f6_uvsI`NZ4x@yG(4bt2Z{wmiyjUQsi0hFIa{%<cj}&wltR9@mRtOT~Q<FW9
zfcRXW1h353xC{+6yM;9e{n9+ty&B?dT^`}te&U(PlPYcpMaD_F>R-nk`9+${O|;ph
zlc-o!uN<iZYd2<;z8!p9>F|~)%yOFNuA!f6Rj!tt)aOiPIky#9K0%!S)+c?C#ztuD
zJZ{NlWm(DJycJ-_Ra`u+&F5G@RqIv3k1VJ+kS%>OqQR=R5B9rD?_aj^qdxtZ{O_!D
zO0Ln|?&3-^G2?N!D%7T^RbnKU;G=~x7P_QLvUP>A=xJ4#quaCNs)ulj_x=1OKBGps
zmlGK9tqx3(*L6BIDIbYBcVQVIbs7%ZWaWw{uF+qeTGp>tm;82zL?VXX>U0Q`pxjJn
z!f`sQfJ9l}3d53=@Cm(7d?Vf3S{vllJew*i`{u{O+$%LA2b|8nf4nHWHCCsFd<DKB
zL|uduSki!;ocdbb7A1jY1%#Bvwke04S&ZZ)ZX?KdaoshI!F;gCKb=1=^ERX|R_s;1
zy1@AeU~9B!G^{lyU8wmW8bo{q)_e@y{d=k&Mup;qI`d>%gTvYH4u-s71kEkTe{+ZY
zDeZhaz+?({WK!m$(h&a{M8NL-B!G^g)i$AH>4rmfNXTASKBMJ>SK*8u4-9O=cj61!
zO#NI|ImUCBe+C02vcRS8X2<9XQU2y`{#X&)P(rZ+aT+O$o3ArRUH>iLVwUl0EXN>(
zJEMvA%*7Ns@1`Fz5F^PZ>S>3R8r-2sMi&)`3ij3bEU|L^z#^1QAtH(CqXJwH1V6xr
zcuhEzm;G71QP{3;*;dh=Y1Y{k&p=64?w?rsxFEq%h$%XkXj)UwU3XGu<1R^m$it4o
z5S-AS#)k%S5t36XF+|%QmF8?f8zX0fuBdZHb7;+y+QP3aqw=}7^OY|&nSj=7fV1$b
zXeX;0_%0qO*RIg=fPPZ4Zrj&1*rQPAVTp>J3lK38WCRx7fB21%K@5?>)<T&XmjMHH
z!bW>12^;Ckv88qGQ4R$cd#kU_ZmJjogeF)6A-U|q1YGh@FOaS_DidGw&2+%N|3?{U
z=nc}c;8c^R=djRW>W{Bi=&Vv@5TtF_pIiKr;ezrc{9WkkA?=7XQJ_XO)b_i-+Gg3a
zd(|u0GV_1(K7|uHXY5k}Y`8ifEdI-g_riCseL{i_wKZwIgy&p~!1BWELiKvQY;;9$
zOwhmvo*WC3V7RXw!RnYK<c8)Z{`G1pJ&!{u{VeC{W&%U{2>Tt&;MVilP`;ZE;A-7V
zSY-d&a3E>|5n@jkUIb!F1-%=5^Fxt}_5E|@Ffg9?f6o=vD1=`6|Inz(z#z)rerGh8
zS^S&H-7VSDdUq5QW|8r;Ylm&%P~;=)p_H8m2y8jf<PszGQ+{Vx{S#qQ6!~pSw3(DT
zdH3q<0`U=)KbDWN4Z^NcTQ2&~UtmflT+MiRjV@*G5E%9s-Hz^ThO6KR^!WsvKVH1b
z=v>r%g(E+t_)byl{@1`)xoxfkbycX}>cT#4pCjoeZSHjPqO?7{@|~JB$e`eJ;}p-e
zpj80K-azOw8VXsV=hq%MEoD72F9_pM4Ph%?w}lFP>lZ9t_N6t*L91IJ(!H9TlRhj?
z-%cqt2muGV=H8~?195)6KJVM;Zzf7~Cs~*llnd0WWjjJh=z&;{H$YYj5>(^vJ;Ia&
zqE|Rbz|YJv_@YA*sB9aAGD7~z8EGU-CLBcHrC%ig(243;ktUJ9ElzAWl}u0lIX((N
z%Uy$%v=S*PAAM3qY9zHA@p8c{e1j_-cz-X^Slyhe-zcVecd6H)FNT%PY>WYNa@${?
z?g2-*Y7ZsfnoPi@Vzsp@DLt(bz<<6V07T{!eNoL*Ui;NYbbsocwn_cn#`DcDgdosM
zJ<t{L?3gz1*}wMrD1fhywa`7z33-an0JokAxVa+n5Qn=`biH~WWy0##w~p>`>bsm1
z$<ywH+}1ivsgxUgK-5Y3kFh|x(cpt$b-?_{fC#4m<aj4xLy!#QRz(Pw{G$b0g+3w0
zE<>xTl_HW&zeFK?_SUQuh=o`bMph&lAkjSm3`uR+NQW{7{PbX*8c^>-u$R^5P+Td#
z*V(T<d^-gUagS`jC`BTPU_vEWNzr|Jm7;q-JCK8AvDUO{w=bgi4|3)sn)7`|R>ukV
zGvL|LVc@)oVh95~%-inTAZ@gC2BcD|Tz?N$9pFDPmS0`rBxB6Rpgl?XF_n4{bJ!;;
zHgW4&R56};FY{Fzh`&icXbBV3$JvY-3GAv$<*zPLs1te$4Ks(jJ`M>i)$N5zR)ODv
zFZ02rPw7t{o~Ag$B`{sDV$<&y*0!bjFOW%ibSCpB`1D=sCD(j@_3YcNR#N_%TFsl5
z12*&6H4Y|02+}G|)A;}#`ZvI@-Xyj3e=)dQoEB4c1zp9nJ6ltF2DYa<-w=pGn-yjp
zFkl%2X`z-GttWZz9I0egkE(ogV9V%uOy+(an%0C=S{AyNt|zm1?;WI=<pc{7uk!pl
zuEr~`O?}dVc|Uac?wtj%@!te|{L~wE0^<x9-#qIab6LoEY%|7NrJ{;)%<1ofn}eq#
zRtpybSEk&0QT<%BIhb|)GT&HfyP7CXuPkI@C5J`j2SJt8w+9BS=+7$?i0B^Po<4|~
zzElZCFuq$qh&g@pl2yy9I#hS=H;rycXZ;hQ+!-fq-K10Uj9Ug&03f!vI&zeTSyEn>
z^M?c?>{}1NEeU?a$vRCZWz-h~Yx7yxWhNc1RR$U@Z5H{}Q)kn`xmEgon}4ib$umq;
zrde#hXE6dN#@AUR2(c+M4j4HS>80yb%hPT}PXU<S38Q|q)?cywTMYhQ&fqNm9!n@9
zz(ubwa5u2qNC;$~shIlqKBDK7f6_);q_LWvIF_v_EdLa>_q2IHEiG2;$^KJO?v|%~
zOigFD&cAZApO%+R5J(3_Yltep+GyGv;EU9lx1@RYdd~jTtND#AYanIoQ|q*{)>V8l
z1MN~FF89%0P7J;X$_+b4ZN><3U&O3Yw4_!M)<z%LSsc$kqV1jiY_UaIjK9Itqt5OD
zt!+WN63P>alrHqg>0e)QN(7aYW6D5S&lnaXmNGfv28Qfpk6Qa*-)K)e^mO}?yA-t8
z%Rb0KQFKdxv`0foNa8@u%t_1UGhOLzJf)BE`|hoA{w&O_D;f^&fNgRA=kb$qMv&_m
z;)YJhov55^wI&eT)z$i-V7a~k^1##>LT4qbrY_gfbr50(2faBkDvZqd<4pSjz>T>U
zWtC|DkA&iMsx5Q@U!_EDc*&t&B|f89^T4s>2gFtc$`(TSqH@OVagh2cKrD-M5Xtnz
zRdf89*D%UfW2!d`02%feu$BDW0IE?sM<UNl7y)Hbma@dQud*jssdwh#%H2XMclwD6
zJrEvXQYc=dLym*4OpB!3S5fmDNY0P05`9U2!_r+6vlT#MeA*yd^I=|?=_7edD1U>X
z9lln6`wh5kN0dtMY#UsUqJYj@H%Muzy_*}l{U4)|X8>6wy<j7AD=5>1IQf-t0QM8}
z)oY;;J~V1$#+z67_*jTyUf~f)N)^@bK8Lb<iWbowkK|uLuT(gdYwD4FXV&PZFB=+8
zevMPOx2^H544{5`LHDQt)<lJAqg@K+O=2^U;iCp(8~#wjG)p@6VN8CD_+|0k<knQ<
z@%LIIAUd$ZyK*#ero6yke1tZ;SUTm!QY?`pJb$!4F2_{63SXP9w(@cjSGnrqBSxe~
zt)_~NR1$z<0iUrk1>s2Y#rf%7tq|~WREsra<zKDbCv5PsUx{t}03mzITDAw=-*3bM
z^xp=6I8y%N(1bEGH@q^y2^0>0CIHw4(HDgH04tvWLcvfTFDmIaP_6`%lHv$vZ7SC0
z4zelvyUu!CH6CU@<Do|o>hc~jH_M8^7q{z~yA9q*pEF_@3thTTru>L){euWOo<9)$
z^ZnsLT+wxY>m}&Tv#<<O6dz#VMX&a70|dg7>-=dFu_GXJ{5SpL-tD4T$_SVJOcBDJ
zw$E_mdaWv<tnEM$`y+YuoBYd_Lp{!u>7jyZAwm~#3HaYy54d_CUrhy2fdeW)^4a}t
zV82HjSNPo{fOitxN&ohPp!#4M<mo}r3)^Tgyrw|c%@!ipzd|A~Zbx<Vk@}$moa5)s
zZ?A`VA3SJQGh*rtp6g{FV{`js&9j>F9<m(%H+@He0JFo9spvuucBxph+^PSY)j`?&
zs(lN<D+8e1xh(*}NB<A=?h1e`y;`oDlmI8C_TP?AG6<g>sIkN+*mMy5_q}2TnAqd7
z>PAYC7dQOqBBOGR3!w#bl_B*K11wW!)15{DdU*jb$p+tY6f%u&-ng2DoJ6qi91Rn0
zda0p&XD#+s9_UR1AeP-=D>qS~>JYw{q;oB(Sm6yG#QA1YE{!~ey2s{_(0H{6pp6H4
zRA$JWU2!54BTtan#TJ!dv6B_JIl!0(D-s~B)8L;%6u{rIU$}()$E(r}<t6)fJ(#no
z7?Vt)IHC8|-i3qZ#4~xa_JRt4m)Ln2WLQmW{p+dWcpRCIbl2NE4QvrScb_%wUhs&z
zAaX7Ni;S2cb{P6gv#<}>yITs3RGd)e<nuEya_I*z6ocaE;JmpP8MKv(v{yaFhQ_-}
zA$_R^5HWMR<Wl|bp25pX{iS99r>=PW+hd3A#l7T<yx#c3pa+41E&Ihw;DwB2-rw&1
zDfKsJg0Eza!S7$`EeeN$T^0BwZl5w7JQ7PBm4(ltC06w?tUUgIY9-a*9u`KH`QNtE
z7JO3XuR#N!#|*0zdlTu;KUali{4-dA{CaSo!Qei%KF=-_18J|!VU%hEGMMUyTcxzv
zhk&kKx@Avwu>n}v7ueDkHf$EQe>B<o&iDGOx$7mdMV^J&6n|p{Lx_kyX^pnos(<Y#
zkbra(r41Y?Mwh!o&y=WJbm3)H{Tk;@q_rmU-%?ZQqhp!x-Y0wvR2B4p&kLQe$=L$o
zxak#>x4lb~l3xEbPT}RUO+F=kS><!{7JSMr#e!>1(zN2^PvCSSgOBi#Ik@DRk`SMW
zSVurt?I)%ntT2L;V+@bqw|D?d&HxyymMR+%_a>03R?6dKBsp&IAR*w>pdc>8wM-)h
z(!q>qg_=wu5w|B~NJFO;$QDo-TORK&L6nl7T8GH#P~N}^r73+D8YC}MuqLA@l^3UK
z4J0SEJFFb8Kz!A<gTScm@H+&+0ja7OwyCI&B(A-oSWPE#5{rhL*3;{c;41!IZX?l#
zgc0v+BPUJZY?MDm7>dvZ>+{Kn;<wOXh*GsLRoe%fvPX1Q_7yo+JQkPaMYrWnu-^mR
zapj!o)W=;&;}9h3GV~>9?<|Zg0EEydbmn^bEV*P$LFpF>@u#h6bapQv+G#5kXXdy*
zU*XI;5yoBhCk$2F#?c*JcTd$0S{N4SbV{hSDxcn$)WEl<IGQH3@x_yjq4qA#jr3{1
z%Vhsl-Tc-TEKIaBn24I)5LtFFuM;9$fV7d?);Qeu^(Yo0{r5eJr!k&AuT{^)#Fm{4
zXi<m=$mT{RD#p6URIE><Mo^WuFR=7Um-7z1w#ns{q3%C%ThjGC0DOw4vfLut0}^C=
zD}&KMh+-IfLQX7>WDF?hY&;LC%YH)FM^wHMUarpA7kvMux|p5rqld~bpe_<nP8*4s
z3#s|DYYE@|3Xnq#gn7F_dv3Tl1wvt=I2;3pNX3~Wyo_yGj4wzcFxP1MEt5ISnCX|7
zg@X)k7>@;Bt%sqIhH>(M75%u1SX9+$zGo<Qm=>Ike^FA8%6Kz}=|klpNAb;lcK2N_
zgZ>pq_rqYbqJs=e^p~f)UnY#I^DS!5QOw3WNr{@Ks+yMEIkB?)M+-RQFRH6{zIv>#
z(5>FLI;hPLUY7A$7a2me5m8?_L|Onui)y1DD-%ZLF;*3#mS6Yj@i-nZCet){NMU;m
zbE1B;#TX`Co#7W2Si;lzj+bZ)@U;Ykh>nDK1Z~iVb^FqlM~PVbwBJc!!|q%fcOzo8
ztxWP?lRTqKXjyJ6aqYirafEX;r!%eE;Tqs>_3iY-FO&t=(75o{WsifW@vgp9QSuhw
z?W~k9vPc?2S2@1X0&x;YjPZ6`m-`cOaB0_^6@|^=Qm!L9&1Q4K5xc$y)yvtJMwl)9
z@mRU^eH-n`HgiZg@q3U^7-CQMT=NeZq?}T>^;J6HOPg_<>g(HwxAW)osTDmxxp)!5
zOgxaQbdo9I`crfjqN?V_xv)dRZA((&Cn1g1{u(%+KX#P7wm?-m{UW}}y0U5Mt1{s}
z6z>%<sW5iSE4Mg~rF#1Qy5EQO)%U)nyu-&6`nZ1x4;}IS_zrt|tu+_wv)HScOP~7n
z1=C8$(BD1fE$0EE4M%s(goGy;eu{bZ_U*Sz$8gR^HEHc%awt4RiiLl_xU;ZD9_PMv
zJD64*NDUdasHC}M>M{Zi&CHKH^CDttWtAY~6X(^(EwjNRwSv~bwKi`!Fs9NXapPph
zEN$z)<7?5$En41;9`Pe?)+05NTR6Eca;Wj){pYhYk{gJ5oMpiy!^$rWch`-!2zgIE
ze$2H7XR#dBl&q6)kP<jragK}jKBa*z$HobX2BQXIJdw-iWt}Wm+gG~0O^9LKe(roA
z-#|ggJW=&M`{5IO+cJUDU%rj%>K^t7@;NB?18-L~z|}HODQxw-XNe?VnZJI`v!t7J
zXrVrej){A;!IV+yZ00F#?hw;CbM`0wsnyK5x8UJKSH5qlk8}J?cb`Wf3@A0k@VP$R
zhb>pl+K|&7I&C#=);x96Q2X`e_X$h^1!?lJe6N6*{!2@4fSFo~ZaOoNX#hxJ{YBst
zjN8e6rHSzm&quYJ=Fu6{Jk&66doxiRo#PsugympWqMzIAC}-2z+92uM-;FhOD2}Rr
zYZ=YXE;OhP@7KgcH$&QIb+K8MpDi4l>tAq}Pqt0R-&YwG#m9M|2jhYW({mQ}mAm<?
z2bDi7Ol)GYh0OLdo`v_By-2>zzwA94@MJ@LFVjr==Z-Q%1<|;%7TILWOd><Du1&a8
zj8p63jregjM`{a<AQHB8tTLiOTnBcb2W(ll<xOyelV3_ZKsvoua`!V$(TT((^DjZg
zEKb_%xg=EBlynj8Tgm5BlS#s}<Drg#x!^SaZNdTGSI#l6Bg2Y{eDq1J<@LQg^a+$(
zq%VPJAyU8ldsF7aij@qtEe^|=U?Mnyp?26d?P!9ef?XNH$<H_Q*R62p@E>+oW3@jM
z*bbQ)88p7(EGvwQg5+i$Dduu}!oth#(QdfyEYRcv(G+R?q~!Y$WOK$PzftD1qS)dI
zozWV`kMC7%O)waaZ+w7%<DJny@>;if55mH6eNr5B&HQ&xbyzDVA-gftSTP?#;<eqm
z&t2K8vjJ9u=TRGOoK9-Thuwj5ILg1wq&VH1N~9KBjkWb&E}@g3DIC3JW;<J&7UjuP
zAa`duC}PR2`AwtXoV{hH4WB4m3WPb0m<}D#aF&u@_UmtjYxX9ca@^y19wWJf;c7+_
z{XlK<w2=Tvzo<Z?3GRD*TS&#XXsc?Osq5R&J$HkgmVRR1Zh`q+#q39d@_1e+#I>u6
z3%BN-CC6u^<U%*dBpzGLMIFjhzq+65?_!aOSHrYCd^^r%f_2$(COI}^5I2lnAD31F
z)s9_veV$h#{u5a++4${<<xwLbJE&XgRK$W|Hr}>;--LZ^JgElXP9>&JLna<%VL08@
zrB*+EJS`ur_C+|CeC0wjbpoG*dyGHGp86uxt$?IU>3qrfo9?!l)3X@bTV5R~88|%;
zIq$~a{$U79BEqt4(b#|*9JeiIwdvOdO#7G*uAyuzI6sooR00Jg*IkNA@a<e>$6UQT
zV%Oa@ghB&ZkAD2AU+Q8%Qm*X1-&?UQs=&JJlC+6kQS1l$rcNKT?uEbCvHbaIa$$>x
z=Z#<OoNx^x#qAmoOLV*2sjPFSiJlk7X+LNM{XR65SS~O9iv^HQDo{Wd;SP}H6!a5N
z^>udJlqRlysOI_mgn~opDLc7OVT6;fRVBXNX(w5gEuZ;PV*?VO=@Nn@FLmdv_NB%&
z8npjM%Zh7snW_XhJ-O&#V5=lbx18v<mHe=<G>u!6aPk{vdE5{p-IwUh;aurY{Ed@`
zkl8<;x5sku0Uv9!pTW=4bq=nZSZr8I$)&T>wSwc+AcE^9hw|;`jLG3oxysIgRoy`m
zUamE7XMvE>LT+Lk!xnt|qG6%p%8w;3+Z;BrjXm~qHX#1vw<QGdJxcKl4h1v!%ydcZ
z81Wpe#<n*cUopp2Zy(+XP&ks_Lm=etl|6htG1WR#eOkeTI{RDZ)Wvv>2qb*>SRI<a
zMYVKQDGRK|O$`aWdYy|${<=Or@a@kBng!{Bj#CdBQVt|L!bp%tao-tseqC1m`t@0v
z^K6<SO2*R^<rP`>5y}n+Zqs3Hx=+u)p&Uj0dOusng3EDVSIhlfnS6_MK^3F!ob6r%
zRr2UPMiEEc{;v-mjd5``7e^e8sc?gt7rRKk%KU69HX`*7nQk+93u_{q+H6&rz9;u_
z))ZAAe`e5>-6mqjLj-;uw|^m9Mm<Jjg|LW0+Y}D7svK2@;J#9!q%I8~Arj|S!;zLV
zAWzCT_lLh$SY=!z3BGm>%2B@knnA_&%47XiudpK98A6D2w3dqK9YyG8E+2HSjuu=f
zFe3vZhi+1GY6bNew-sVGT~vIr(_%+mS75YeF;HxA?o6lo<+XeEUbt`|F@SsgzF$iM
z-};!+(|52XhkGd5!jFOgnofJ%SGK^#r#-6kU{QMtH;|MT9w(`QCy+yPsoz)|T6t~T
zQ+v52@DYyL7Wv=vH&(2cQ&}0HaF}W{!F=})>PGR4r_{;<Gtvx#4MWHmgmb$j$u0ln
z1zKP^<A`)swnNJov-xv24qN<8aAw>POcHP5K*$N>zd_4c9G;hTHgcQu8h0x%h!o82
z6fx%VSt4RPEwyv)AxQo7)<qU>(!zys!Wz^}kS(rBES8`FJ3f2-Bs}1&)d#&=aNHt?
zt5jOhjJ&nD!qeYCGN1rH_q6}W{5SBdqU2oJ9f#<4PrR^MHN%_tuUkn1f7#=AnMgth
zt!Ug+giHLw-Qe=~H#Gin6&C}_`k=st7Cmc^Xo>`QgwSiL=8sTdS3i8Wkof54$Tj-c
z0r&%j`f|OL0EWrjEgaazCBEngn?&$yW@TT^;ipHyPw{5SMMHwr<d+akF8*Df{!)Xx
z_OVIV>;502{vep(et-22?C4|HgQX7P>j+tjEO<BX7aKxkH`MQ}N0gD5w$mTG-ow8N
zTxzD?y?O-*4WjJf3TJoQLXi!l`nrHFIBc@&zwbgL6TAs4%%W$+zy<9p-h~S0ni?fM
z4+w)YA94Ivf*rs2cPpI1Ulq9W4!=R{dundk_wSfNh@~-OSKHDIcFYVrw!Nr(igE2g
z-v*;&d?y>e1P5&lzIDP4TY{GvIM+(cT}Ko|Kp&BHU*aIQKtU5bO*aKGt%qTZ|6L!3
zo{4GUhV}Obd(B-hS0ZTN!F%Be%AbeL`dcsPE|)lQ!c@fHl%F~Il3u5I&_T=UHxj9O
z#X)zIb}s7u>uKR6|C={pN(lQNV-H1mHw%62LWadE2h4qacJ<Xr#WlZz4GV!Cc_sTW
zfKmADT`rKn|7S;l_Xr}>wYdFyRe``@xkAnU`<F*1NO|qksC%@E{-)0e*$%FJ`F~>^
zA<c3gyI3MIcESG<QiVcl?a-W&-iU+rVgCs{zIz9j!j9zc$Nqm%3I+7;e-QKkH%fdH
z%s=AJe~bhS>eEfI>i6y;QT;t0kU-=3ceGa#od4^pF}{=~04ztqX&wXV89+5sQj(X;
zfeLvyj*13339miM<|T;WQ30njlyQW?8p_o{8rfCU4#tT<&De6BtX1zvi|=L}q+ff>
z@Z=n*D;oe^z^{O)JQxEg8MZ*bI)_2Mis6rCn?H>4M<h1IF9^IbWC{kT9C~9DY*HDD
z?`U>=mr#T+Z<X;gi^|PH400C$hpmE_wUTN;q>~5*2>?9|!d{k$&~_MAiu6lj*_p5S
zlBox6zT1z%m-9X4D<vq8fQ3}`djqI^KjH@YG8Nbo9n&ZgKL9PR%^=Dr^xUA@E1mTK
zKFg-xagTu8I%Nh>Nkn)kv{pb7g^KdGJ3oaJOx*#K4OMU&l=Bgzo`BRp$^cm^P+hs#
z*cAwW-tQr@+5@~5+Ezad3_*1uAFcx`C?4!jCr=+D7K$C?_1gn*ytrnT^yg?+S32~C
z0AN!}x5&bbr&Vl_{XCh&O!?78>jo#r-G7zIZ9!VG7b4UIWY3a@L*-!fm4nMIZjD1>
zKrem}gIjUlFChU84N4uK<4})%3Ixa@WPltbj)JMrn*<h>Ve_`q0C|B|-=;2=cX&*{
z<p{s|m6}S@5oliD1H}C?kgGNov>;80pGs|@2n`2jN{1j{L_2PsBO;7KvI?tT!maKH
z^9d%aK@T<$5S@9`%UB)pPictvcY|u=$u^CEjhk?K)O0DZT1WKjp}|p&&BD~d=>6zn
zj~KtZ+5>0zp#6*O3&LSE6wib}#|JU3^>bu4DrjH#>sz||$fy=BoX%f*P+HDDIG6un
z)>ef!%7Rh$QC(&54`3(JCFxD83jtc<^B@G;Xo)Rdg3_WyyXUlf0+*H6_XZW_x<eBX
z=fdDW1IFUAZiZSAqAK-}0K*g1?4g4T^lU*P9V+P<d1pJ_KWp(pKnT4WJ-u}NZkx^W
zSLmFO#|AqtE$Hz%IC$W`hyeKmmi(deg<jyCx$a~GZNS^%bcRj<PU@J-YI876PTygT
z6#}XQB{%}kw|4amlu`|3PRG@nYMD&1V&1aH>zu-L_d#gRJ+MLmxmtSf*(!Cihx<Q-
zJHPl0;xiuu1!}sped5Y~KlbRWl}rOcJv@WQYarExN!ur*j642*6U}J4H=lL6s&mGF
zAo+a52&$SSFITCq&7o`A={nsp4eV)S$r(()$UrnD)>!3lt=h#b80d+mzGt5)U(k`$
zR?SweOrzMfu7Oe;k&yDJsRVvB{r~HQ@=7sgH*q3<p^i5NcdF{Q^#7D+Oec_j6=N2J
zP@NzE5LF{;g;cZ7f=*OBz7CC6t&Kl+V28NJuq+Mm?@1&6{0yW=S84UJoj{V|vlqj2
z8l&&itZSK=(iP~i!~%6(`Zn7uK2(nxv4<}7Wnw^wGz~bU#R;CB0IKL)R67bJl_CuS
ze>*JO)SY3%tu*f$6gxipKoYv2h6b#xla+7#7RvHseutL;j`txBpEM-{*q>FL#Cz6h
zbDn%!bGKhJMzjOp%J2hfFQGnL;Y7;}4uFm-VQ3F%oIux1z*BH}MTBLL{dMOcKt^@&
z;I}USe_j*93Q&}o?eqRW$&0H{`Z(w+f>bc*uls}s4VWJa5}!T(I)NACfB`t(>bLXP
zE5srDrAO*3#?>`=b*Xu2K%cD3AC|w0e*HZg|F-za4D3h^46=@^iyAu7|H}t-Wne&W
zvXucQ<NA-*>m<tcEB@L`|6U2gMUZ(X;D!&){y$gC-<$s5`=yHmjI78HW8uoaxPI{e
zZt|Y`Iv2V6{5>m}U9?`nneDj)XA>98TCTu|0V+EGb_yueV6wE-V<x6z{WX!8UGz6`
zmak3P{}|FgChrqyNX_q?QDCv_3PoXXzQC^X;8)Gp1;U2#!Fcq~xFHcaP*>zE(Em(C
z%n>gvJO0}QE_^r0pPw8)GIcSVk(G08kfcG^EhjV`Z{nLN;I?)CeU@dh#erQ>@ZC$X
z#YRrAxq`c1R8GFXpc(ql(n0Tpc~BBS39W!G7_I%0ka$M&=m0OwSy+q-GmMh9Lhfob
z&jHRw>*U3a8=x~1sBYzq%dU4}$98C(roU!N;bn-CF-iDtjQ>Wo_x&f3OjpV`u=g@a
zJ$S(o-^4UC!po$^n4WicP>8?rf>I!r@Umy>=5-y3W-+}6w38z2(3CxgN>@##W-ox3
zd_X0pf!m3_>BP3!n5$Z~Q-mFp!H!cbzL*36AP;nd*n;gC?RvHbY*IjLs{OMY4Y#%E
zS#F?)6V}?kR(~D%p+qC8?EaIxP<Q?nfqDSC6VdD>wm2`IA&I`>DlT?G1$V7*?%l=>
zE3R&S5C`P}<e!5b{PF=`BFJE~Nq;}7`t(`(ZQg<I_g;7!f!cnJikKyKSUg)F`pDJZ
z{s1lq7SU&tpiiJMlDB{TFjdIGwlW!YVAmHoTgK>zp{sL}4a%nKMyyeQ{^B9EiZ9Z@
zhVRj;a@SUDa@IQF27S2$Z6$FiJ9vUJA_P)la>$m(y#yXIAA-he_8P<%m+npa&_WZ1
z1{vU8x|xb#qGVB5C7u%Umhp=o3NgVK#KbO_ufHWKU^#NZn3SN;FvqJI>=``R+N)L`
z6Ku_iD#Xw&lP3~HP-8vPpt0rQ>}}9k6v_r2eEefq)0=J@n6tcCR$!MXK{@(WjS}n-
zFivaH=YC+E2@fZ<#i#<hZW5GVhQe*1Ps4|TVn6Ue%>_W#cEL^t7ii7{^&Vyz*~hNt
zAcr3$ut{aHxxN_97zj9-Vh#3(FVRb0sPaTa^BkN_QEY#^fVlR@kd@dXkt!?7b(M`+
z@XoIE7ogge7e8!5Ld=62u08l^*vP+25N`YOgLw-!G-<vd$<Mqo^pzD%njf+j7EBYl
zmY1Sxo)Yfl-{l=N@t)vn*1&<IwfZB|4)kmQWo8VQ*Vg^c#>Hp<dOG;YQ5`|aU97A1
zOakxxEh>E%Pzi})+*)EEK6a5?aC&CT5LfH9rjiA8F~MzZL;mQ}LA&s;Ly_i@mx|aT
z3QQFaZ^8>JuA<q}AiL8@4Zl<s?yyINKI4B<lK8hl#g~|OE_n`LmT=&<q5kF!@c7KW
zg;y{h39$#y5t?yV)de71@+F2)A~?R;o(nfDk%%wG!*@N@rMd&KEzZOJgRsNqvnHry
zAlHHh5`I`?zIg-81_60WJh}xX{Pbg&EPNLv0&&ACEyyY3$SH#tG+=9#@XoAZe2c4N
zt2rAigT{SmcFIJ)qr%o^sk&x|B9jBUCb0Xy1^Z}Wh9!zGdcHIcrMfz2n}IjCVhioB
zPb5fnfnDtub)FYOu*tOk3ST%I&24t@8BvQbreRN|p<W$~*3hB!`07v!eP_vL|IvRR
zE9}zZG+mdepI;)dYZ(5uDK=Q1>*|&e17EbA1Jp54OroDcP*v>ET>Zw0VYu|@-J6=$
zwekLErOzzn8Lu9G1@U?xULmI4kqGzB&BObN$>DbKGj~R>J;Zy!M~VK6>-%2{j$Pjm
zP`@&Oa_>qliP#%;*m0S^Tdu`kkf$EX)oA~D=o2f_B{iJPzl#XIo9BO)$(Xny*<Vqv
z+EO3yzcF7`xK9c~0EUj<wSV0_k3J!JT|Nw(5A4#1?|$+xkS^<g?Cb0VBcOx77Z<bJ
zsp12`hP#tM_-!#?`#jHW?S=Md8Lrt^oKwc>k58XoYfk=iUl_+ULoD;{rpv~9z@OW#
zZaSCIa#^Ev{&9QObCccAu%cE`%n~OICzvzAhlPv=UK@8QrQc@=q+>k*b)N{r5R^gX
zj3735^6AV9VP)jr-+cu&qadC#J;b$#Bo%idb+ua<{3RDa5Wl=~U(;f;&|a~oHblbb
z_y&w8oAC{$F;v8h4M^zm0DX#IY#+k^%Y@+}U8#})fKl1^%W9|P9i>;@q?Zozq!M3r
zpJ7Lc$@{SM<gw*+Jzk)eeuW(Lfze-373t}>P<BFjY;kfXeoEwff$35cKgEQH?h*Lh
zyaS7z_41c`Oe598_OPFurg}b`aPS~w<S46dd+JE}GJPf?^OyQ)c7A@o93E~DT=65i
z`{SZ-d8Cd=d&oBwZ{Ex7{<*L)y0Kwy0Ft?&hMDi^F+u=K2TA%JD$7l(X5^R~Sk_Ox
zfJ>o2kigT`+p9=VPcQD)fYK~>1IIA3oG?Zxh30uuUS8>aBF<OTGI1H8vct{$guj>R
z48835t{b>+&8zFN_2Gu9bUf#Mz#3NoBJSxl0WZ_@OgZ0;_Zyp2vSc&21gD7r_E^x&
zjK<@~^1BHbfB!$!8)UD50JO!$MI9hd^)nmMR3E;E^EtMe|3UN1JW8vf6fZS-`II1h
zR_|{1e>(r~NWS|v16{qa$jD59dyLYv%o89(PU%sMK0(?O6IYm1QmRyZ`SKwylZHQV
zcgt^rVgLJ|S98E3qBC7(Q6UnbrmQTH$yleP)UX$gfjhdk$;c8K`tjp&^OCLR2oRdX
z#>1mv3i-U^CPw5H(CTNiDu0`fK3`r_^ZwLyIEEdvaq&e*FcF2I;De7JQKgJ$r!+cm
zRO+eUK{3DKcb|*wVV*=BvoF2TWF<V<`G#D)KgkrT2Vv=N_g4jZd1z~EYZDbFSbBPT
zf_4ZHCzsD98&lVjT|0b(*7M@|^9l^49T*9+si|p+<+;%B!G84;i_-@Qg6_P$*cjeX
zGI38tjx058_GARYKA*X^b#&aZSFSP;-udw6x6bJ&dA2Dx+E)n%*#Vr(<UFawf+pO5
za$8|{l-y2q6x7t>a1(C5X13yCLf*lS!ISrLdHM2lt<8djZ?(w1yxFImlc@n{4D@sz
z0g>C@b9A_pdw*V6n9t(NED(}c*@z~1YDss!v7c%aI^TFIb3l-gcLI~dPysqj!RoiC
z`g1&+_*hveNIrUagvD8`J(1gCu*z|hlEP+e#5Nr$yDNsi*TwVVefBf%W0T(%AqBC<
z>g^yaDLz|mMb`ekqV#!GL8^j|AaQd%_LHIL;F>J{GU65~qUc`V$=i0NCDx^<gU>V<
zhANHd?Kf~kmv`{Q1brTvyiMB`ny71d$X7-DrIDnm@syRp4yD5|IIUA%@L5aMK58-r
z@7*asWFO<BOdXr3M5d`&zMshV*vUnIWb1xt4*MzJ?+nU<iap#Hyn)Vd(5K$k*0$k<
z(2zk#LlY*u|C6E&bz`QI2*KRwv%4!Am&TPz1<$lnuXt`wJQ?8U<tX_;Nq;u){e*@~
zh<iNe$1dlM!PT#baK^QXsHzg4+VCcKsb(GRyiHuMpA3U7eI)L5AAEm*`8`r1|KzDp
zN+`_0z(C>YRz&YoEn&0GOPOTWWK<ofPErY|>w=<?IQm;GWzouv<#=+XQb>EUlxM59
zm}1J&xTo1$`n%2~ZT;S|mK);8hjVW+J4two?DX|#ZwnJtl{St;KMYiwjTcF?t;q>X
zsxi)OiJ!@pXyiQzUuMGXcL8`#9|*i>XbQgDIccuH_0D~N0YI;Za>E-6G=0hfxhs{M
zw7qEuWk&X&Z%yM8P!xaUCP~baAFdxP@fa16*?1-=+e}iO8T-=9!URq6)swPyQKSc_
zpLw`;BFp*F*||Cs)K#g!%L!Eq@*S~=>HsqCDhTEn$04Uk55$;F?t%!0-j>D*H;gRo
zxz2iL@}tuqk{kyohK|h^1pCOoq1KOndklLN&@qgNb-Oz7y3ANNsFY4b{m`lW{rO8C
z2I|^mbiw2>laVv7p=B^nb(L&0nTM&n@|Lb|GtdKMv6|!mm1fW{t}`d45TTft$2o<t
z%O-A6Cy1ZseRsp6iR0~rwVUfc{>zc#mUll$NFF)Zf2?u)q7{Kl)||=6{N=MRI=^LZ
zS5**GQ%PE(D%nH*GG^7(Q#18^XfhE3%QL;aH?_~cotV$G(%sB^2|`rp*y6_uN~2kD
z7P33v3l|sP6sSv1NAJOMk+YiEZi!pry?4~?_Q*2I$Xk2cu$wfOwmJ3LMvj-%eUV($
zeIhD^%T5@FWkK}mjYG=QtdbVhB;VL+qXB_JtdjNYF{7WPjwl%!89L`KQ)9$O0nKi-
z@4VQJ2HHSCXCtWFomlwYVMjlHMD8<Q8wsllOS{rr86mPTjA&24Tnvk$2xc|4*G9>9
zRR;DazBq;Jd*rORr=M~19H!%z7>?d7H?pqGjiFBLD6W@VW7Hw<?(MO9)E{oGu)$);
zZeccgUV2oRjSp<q%rN(%E-nprq_w}OWQ4JIBD6VK7#+H`s~5UiU(9S??#{hmb!)|`
zJR#$i_f3HLb~)P!7dEY(zRb?|oJK?Jv4_1?O5psE-I#Sdg7E8WJ1vIx1;nl2heTvQ
z%i0X3>gwW`QXBbH-{aXv>F?|3*6i=j>zssd|2z!Za@eopFZuYu_qeX25ZmtofzO7G
zzS%*E-V5qUi}6nF9}Q_1Z}$;=rPgB~N=k^1zXoEdd@s#CpKYW&8(nq6$|@XPY!bS_
zW@*}87JZ6B-}v}s$azO>OwU~P5^<<_@_XKd^E6pvrOpA%rM<cypMtbu^t_IH@aS?~
zit)i<11CPMlSY0ijn;1kk{}7Y*9I0<0*UPN#Js96EUn!8t)ot-buE=0={eJ?_Ogq`
zmxi}ZC*`cPS(jrH1PQTz?Wt|W@xl+JEkjq(KYagb=yje}%6-{J$h<sq8ue+Mj<0U>
zV_?l#mszZv)&$8k*?GZ9uF$f54?ehNMZm4aYQHK!0%umMkUI5V0ixC3=uE#iU75Ar
zc5W9ns=3Y=e@5D)ze!xPQP%q#XdcJo`V;Yn3OC(!TA0?4{IeI>z+e?9g_m~}P*sPg
zS!x}6Hd0vW{YovSja)k@_cA23$Bgmf#J5*bn=fOjc_up0hd3sX2!(HVVog+Ct6_hF
zO2eg_@-^aYQ%!WA$Qq+jz_CC}owwieqBiDu#1h`TaZ<-wX}J~THWiY1YjQ<}ETFSz
z$&(|Y=U45cf%9qhT7>gkz9y5ecd4@w?>W+e8mX&uEjij_X4b0F=9zm&s+Q#|#hRM^
zQ~vnObQ3u;>`&HlkAky@Pb}?kt*!Cus94gU@0;-#k|07Eiz7E!Yu8HH{6?#6bu25b
zSf<nuMs&Kcne2RcS*RZXS{M%y$|ABL+nc^wAS)x&9>?LZ{jT*kVebzjFJ_D=eW_*Z
zCxM~udwZV!TCoJ9BR}&o(sE`Caw+k7mvQ@?Q(yJ61?r5gwlFdmJod|OteDWW))h5Z
zt=8@x`pDp4BX7TIPcV1Uiz|O8q|7pc;3$eUx?BLhUOb37Ox#Mku{kiO;CMNy`o3bL
zt}CW@l7L51Y~k|vx#!OC$$6Y~<C~Kt{8C(Mdb5%m>zhU9(-Q2_s_MMMmUC>&sTJ{a
zo(ErQ8RCD73}>CxU8dN#Gkq!^-f5~H{CYv}mZh+9T*<b4aY#==_Hd;^Rr~WeYP#Jd
zjWGq)_)#rdvN^B(dbgiKv&Fah9Fk+d@6^dEa|1l-cJZI@JQ*uHj^`L1W0+s_@IKlO
z7phq)`D}C0p}K73hlq8U3JLCt`uQmt^X-fJE;+K`Dd$~nx%xH2AKemqBuzQbD2^1d
zc|(h8=;qGbJ`AL1Yc<^6yR@=M%#JP79(M3f>cH1z_V?mKtTdiEB@~>Ij%!7yP)3gx
z&MkPjFeIIA%{ot<6BXVpd>DsFz8L<q8~(^<b|)kG;#mdhr<xle@DlV)Oyrf)sjHdQ
znA|y!5qEH<^Pb_1+g^X1)ILn6#}Q&FboKG8EUUkMonz1sO0nAkB)0stphiV{LCvb1
zI`PXHx08L7rZ;^iTY!g~Qc>{=y|4U6y~K3okc$5we`zGM=i@(fy9d*zg9};MR(M}L
z|LV=Vy;ON1n3mya56cQndi`7c*nhZP<D$^~h>P^}tN77-CD#h+E~_}r9LBDQTs-v6
zumHt4b9)h-%-b0$3bcU<s91qNTf?`9a2>*6k++cI26H0BHSop8<OllXQ9A|-wGjqv
zbepVZ@0=0IdZ&Jpzc&`Mho}!`?nhp&`5V#nmr?T5GGvc?xID;;=<S5=pB%1x*1bUZ
zcm}+D;I8~Sfg;WAz2zUIA1V@pkIx1Rm_HsSC6TV4tIlL7W+j-{>J4{xx$rB|JFueF
z^q)~x1B=3&G0{_EC85M?7{Q2SjrMuJsw|F``n<s=>iD&RrDI`<DMgvV7xc_kq5V4+
znwf3>Z_9MCt>cen<|VZ7OoFrH=>)98Zm^cY*2LCV8Wvp4Q1P7kdB@ub<*L3#SE7*q
zd{z+Cx#~i$twKXH*2`%0^I$y>UpwLteq`AYhe!lE>@I5(*Ey2Xh2EH4;YlLalwwI@
zVq$Q8J^$m!kG}(zvztm#Emc(8jx!)2GIbgiPAw;Kdbm032}G;cD|Fm}MDXfZVf<L~
z1J8&uf1=w{MF~iIA8#Zjv*;p$`t84vs~FPnBcY??QFuDuv?Q^n{JMQvm<j8P!t=jJ
zz-Vp{i)8MQ;8;FkU^f^KI_W_tLuF!$JGq^BK}AaGxbd}CR)^`X@EqGi+Z#)?EZOr*
z=w8H6&fJ%nf|(h=HI8B6HSI7LXkJiu1oyX;^pQ{17+S1})pe^<DFAx0<H+=I5C$4T
zy!l6Ny#y&Aria0zsNPMM^%o~8#f?V{i}Ch6H!?PIvI*_Z`RGq{G(GK#J!|!r6T&To
zza%7Be|m4j=Y`-J*!4DxL}a!TvNSBOjvG6lAHLFOO1gs@yYE#aXdG#!)5I&k7FJ!5
zZccHc=@BYgg_vxf=|enU57|JUTO6AfJ;X^T+_RC(BELjDbmG)*L}ac<P@f~=#Ka#c
z=6kI89G=8k_jmyLX?gSlZI5FEr(nccod#dg<*XuK9RsLU=WjBSW#V-_vX5h3%l`Jn
z<V0H#9@cy|KHppqen{R=FC2c^WXv_D+B2>A)XVJTlHXZaT-<0W*EG~4;$7W*))Dbw
z%e+pIC7LV@i<rDFyE$R13mxIcn%b=KM#k-a-@N)Rk23QyF$Gx-83k#Lc6t2OmY48y
zu9=YeGb?a3|9T}i_`*OOf&KhYj)w*(6aS6k&P$s|XFXkhZAdy}(feMA#yPE~6#NEa
zn&{YAXOl4+mS}CkY@YW1hBNQ#i-bLU%U(Gn8kAiQmLqVI=|eNBhSs-U9;Q$x7O@pm
zNWz8IC!QPjNxdL*?yYMXESQ{H_zV_9q{(bN%SvDUoB22)T03CWsE<};Z$s3|OwPI8
zp>vg2eEVsvOxEiIR78WS(1AgS_2vsN1dS?;?d37bxgf|)I_Ye!Wy)H4H54;@e&!$K
z-wTS$TnTcnaru<Iv`hJ7!6Yn-o#~ZbwkJZ-Gj-%rGiNooPy8GIFZSgV$?%^@8G~Z0
zFI4#rv<^;=DfG9B!Ic|?z}hsV)F(Bs`$&{nx4r!lLx^U?RAwnf&9hu(UM6<<zM(sT
z9iPY2U=YvR`Wlt`8;xgo-M=#$JzDzAZpHkH==O4w<MS}9IfJdVCsN4bCqW3B_+3dI
zOHQn{UN!T>GWq1-eGOxc^IGcXch+5NX{z^dU;nx^v`>Fwx5mC~h-7!}N_ax_46Wn9
zKxX&gsg~1ztSJRz$t<>*z)tSOremg{I^Igs>j32FD!<~KlSh~Nh;}5H_4QAWmNL2*
znq{<i8mr*um5vFO;eA>RD%9{ZtH_KKtfM%}G>^$4%Pc+MSl%bP{cPX3yphn3rwb47
zf;IGL*p#uoJ>K4(-t&E3)~swWBJoB~7s4%<6;C80d}BGcgP(YVN@y~SY^_&hD3n9U
z<bpOCZ@0H)S9}6IOwzP#6pTRm?h~@h_qb&+Xu#o^s)xp!Yu7!!)`RE!c+<FUn*`ar
zo|UR5Fhnyacg?_l4IgBy^8ua~iIcL2go+PdH3(#WUg4_ciMr)*Tq|NnIE&IPmjd>g
z#T!n2rn3GyM*|qwu*5jJd$6;+ZD6xT!nUT1#*aCPucpDyCAaL#Jxn_W6UHQpSn(<s
zD$oNOBieIF)<BKX*PHF~XdAaQ^#|(8xclqOyVgS!Z|sK(uDd>A)FzgClOBW^exZF5
zC}hyRs42T&r!|DGqbH|%KD~9~-ggj6F7B#YO`VnfUTY|<oWWJFu%v=M5SpBV#*H3$
zhu!B{{>`3;Opf8&Vo~J{wrd|e#vdIIBh1m$U*hhB+-~?S!FRGc-&(SuaxoVvE-2J4
zxO_rl7}P@}_DIHSB7d-;sGPZe?s9!PvYmlQZiTadg;t;GIekJceIOT+0%pD^8f`HS
zcD+#2G#T?^L5`A#ZiV1zHGQDQz$$o<6CKmw`R+-+r}yJfa&NuQFE$d3JUvCKlIx2b
zFI+_QyWAVP8Rt{NF?!^N+AJBBoeWafUzI#peXA0s?PLHmVCawM8t+lf=@Z}R(W`I`
ztfvoj9N{*4@PL>*B{JntdW85~r0)@HHEfl)^hL`5Q`NcnGrj+DeCGB@RvfoZ(sYV6
z_gmqV`&8x@hO(GT%QdnTF>NF!w-B4d87pB;jdIJSl&EcV(Xxu-5Oz*jbC>k{IKTS+
z^cQ?CkMHC0{k)#9_xtr;=!GdN5VD#nmF?~%>!%9L(_d?I;#t9_#k-G9Dm#MYhqk5M
zkbhpqc7&Fkh^NL2Yg7dN8;$LIn9{he;k~3C>eE4+kVg<`bk>Oe1u3bsO_^IWZ}&*r
z_J_cPD{~*8S@S!&low(9j3bhHUEHG8l6!g*m&>W~+~~sYfH7RvawAN7jEJ_HyDb@K
z5+%`DWTk|xrWaWWd}OdgT&i(>o9YsHV5A`sxrP%1n#&3&XC408t8(xLUA~MrESff$
zD~A<pB2gQ!P;%W++6^ZpwwOOayc)L)JU_4TK{lXpO*1cKnJ)kxn@u}LOHJTw<kDz4
zpGUeq7EY{Fl#Od5?3vgPNx8E+d|Mq&Ab^msd33f`Hex?yBZ3F=vk$`KpU6Sq8Ceh>
zF<;{n4`n`X4=xNFJnLn~X`?n1#s>N<#9Dw})|?7Rvvzcpd41d8_4u?BDSjvNh)Xr&
zZ3w8WD09sc$y3)zltC~*dfS2Xveg3bfCs|tE7esg^~c(=`i_@3m!06CSaHKp0HU^r
zJ!&|^x+1P~56I;}mi`;#babyshdZzxKXsy%s1KIgI~8#C!5U_$K&c?Kzx`J&SDwZ}
zx9kIrS<iRdETv<hzE-OeZ#G*o_VD-J5kJLgvWU4FOTkU6Om;IK8ae;n>RoxQ8`ht|
zBSs1g#HDR8H!XMB2m06Hwzd2#%}vJ!-dc!VSgf8q+MK2Y1ykuCw#Ls?p#bQJ!M+!J
zV7a^zIbCWITW6%#7`uhUn=Zn#@qH%M`Cl54T~ETd-LM%Y`<hG}GyP-TJR)A^D@1ok
zhTbR$_AP#>sFd|-IhXjTJ-F97@#7lK=`kGl0vWx1t~Jkk4{+u9Z3&H-iafwLHgQ8`
zb;IA^_P1jC)IQ`=2D&;V99J8p@@WLWz9DvY&*^@G+KUD|59#nxrx&3cZ=QQUa9Mxh
z&*zGil~)Rfz68NhY?iL>a7I(ts&I!`D&gs!gvI=|uOz3*!|1w<B-_=F;d#;JJqUwf
zVw&^r_SJoywE`pu>Ey&sD&p|&mX$$3IZw8mBC}APh3`K#+P?S;o3lC8YOtU<y`Vkv
z1)|o_PR4+=GmTMuif0p{cc8o7`48>f89wcK#htcF^mxRQ5u0-#a83T%VWZajg!F#N
zAdXbVo&Bn``@=C_=HA)Z#cI6ZB5ib*L}xN}068m(X~uYZBo1hSSJfr)xH~o}Qv7?d
z+8|1Ad(vB$eUipdOtV1?R!>=3?`#gLrQyuv8yU5h$JgRlB$G<@i=}@*vIPG$=toxb
z%?@d~l^*0XCYRZ>6}h|0HI83sIgGa-xBik#l$&f<)akA3L;j9GSV9cY4AxpP;mVo0
zmqfm6C_k99-7H~V=jjDFQPNhP(1ls?gJ92m2b~q5cRt&*B(=eTIRE;%muIGu_6Mb2
zI_&v=OJ!Z(eGYw14(X8ta^tjdUtx$d;$-8h;G{|z<JpiWFURbB)7IUH@Bx_@JyGA1
z&IMu}&X*F{1Rh|W+8sgx90C7Dg8sP3w&&=4Q%Jye%ac_6t_{1bVmAR|H4D0mCI(yf
z%}))Yl6%B*HBb}a;koy2d3+40gmH6sPX>iB2CXJRp-=~6!{=j-tMJ9~F<pKGLE438
zsm5xiM-G9p&t(aXx0;r2{CVi`YFl@W+}Fpckplg^VPh8-;ZVr-$aY0UZ(Su)bw+5;
zDcN}#pkI7Qs^3cx1uPaC8oEZEH`u8bRZdihlqucX8FgN0Uicm}eLXz~3<fh%AGjge
zrR*<Zz%~m{5}S?i^!6SZr(M`|Pu8VW*gDf|H`0|Q4~M69c1rBJdrHk6%`e>XI4WEe
zJ+q_S{`!)8Q%qs0=1a;uiyidVe1#Pgw)5zbuM7s_dSzv}O*369!4uu4WL<F;JQFn$
z8KPSZMk(k)D^pfhMqu#0dfjU_#s7IdSH7%R#N|5GGnr0gGWpF&O!G3-tZ^n~N?2&9
z;=ISXz2M~}7?I!xIBmgN8(RKFU&EjL0+N;nNJCBpaWxK}s&3Rpb;$jxRqRd!mE%>`
z1jVmG!l8~QJv~TUTib#_Ts?LD;uNCcI+KFlfqCmwVd;l68WU~Vtd)^h$q0*hbP2`-
zIgoo4G@T%mdL7d1whqpbj)UHn1pOU-2B0=;4*Vc8=vt->22MO~P*&w8$vo?DsHhrp
z>7~_o<0jS8q4OQ0*rqq~r%U*a42euR1cwzH23@+zU^sr#{%+dD)+<mh*LsNU*Nd9V
zqf*J4nX<E!DAUQrAAZjdyGDZ*#zQD7DV4KWZeDp|PyHcoVQ9QR6mRHF^AE#GrNh^n
ztxZi$(dDpL0*(U+uttKT)v&uJf4&iGA2~Dpm@F8bPO9+*M)4(>maZ-uv{fgV7y7Mo
z4yL^3EAio^W=e}Lkp!87Mwj}Pfugl?=Rfv_ys6UwbyznDtn~Sj(UkvrQvdGpqJr2m
zZX-c%V)SXg+4)&5HirYIR{3usFYY0pgXoAyKlfH!`IW+{!+b`OInIz<($O`ylVdLY
z>?+9xLK7f~P^>Woade4I6G<Qp`Z;ly#Iv&<zd?#1AyVqfkf`y$T*E~^>r62$bX7fC
t*&0U7hh%>h*{C~Gzm4W}9LW0ot*X`$_33B?9e@eQVWf-wEn95ze*h>vPrLvC

literal 0
HcmV?d00001

diff --git a/website/static/img/block-subscription.png b/website/static/img/block-subscription.png
new file mode 100644
index 0000000000000000000000000000000000000000..b6bda3aadbfc8f9b5c5130f1ac37885f5545e80a
GIT binary patch
literal 88912
zcmeEu2{@Ep|9>Q*$dHmHjBQfMzGfR^8{1e)Ny#!8`!e>u$RInV>>^7^M1?3N?L<g~
zk|-rf+HC)GkC_^&=Xu|!p7-~@|Lf^`uIq81`<!#1^IbmQ<$TXXV+^zy88{f0EnCK@
zqm43Nwrn|i*)r;3I$F>Y<Yjvo{Ey1ZSPQxAObge`Wy>te@EW`DE`D}6XY4XTN%e)l
z1SK`V-?lg_drvDDK?yOOt)L`IP(nf->u!#>_mKC|wa078I$Bz3>S%yw(8JZr1-sA(
zV`Y!sDh{<0Cvox9^0aby(08-NI)i?;eha;1#la|OpsoKxgSf1O{6dSpC;4;4StP`u
z1`}KWX?}4rQa5j$E!K-Pc%cdJ=H`sYxi4<CadUOW+Ta&;wDR<H^IhD{&dr&$Nzzx{
z!9ErZf*MS0tels&n&E8m4hwzdBxD!X0`=C$;_MyBUlx}k?a#%E+?li!F9$1IH{XTv
z#3mx)Jl)*DPz@qa)UnPG@yK*p7^nG@w_n%qiFGA?{Er8aIN@XE>`mI+!WO*n{^ZSi
zx_P_WVj%*F2}&Y;9dLN8iMy2z)ZG`b7qmIxU7W#_IQY{G@9E}*B@+e60n*mW%Yir=
zdc82Y57rZpB?-e1R!nRn3lP@L1&jCe2NWO;kRl5KS$Jefr1YiWgcPaGfr1NClB7l}
z68G)D&JCzQqA2*o#g9nxACq5_w1eM8uirorX?fDVNCc4}6NrK!QnEiFh$NYEzd{hH
zB?K|?w)V2|#JS^fZmxiBURY1S?}c8!PpZD^4J4BQz?{|HoZUQ$dL(IMV`nEX|9hlO
zRz_}N>15(cku-*axZ)B&Anxy=t@M8%ZPnE^HGdmzrAeqrrmZxIj{gbT$}FL+uD3PT
z(-n&chDAcm#@X8o{{yiFxCL-^DdLgE&(+Np0OKNwBsEz%<Lq65fZ70L1`|snAr!;`
zo1#W~;exZZg)sMr5W5(JNo)TV7?mfZA({B%BqXLJz9dQbDPfd6?pHvAWG5-C&LZNg
zVRQfsOnwX;K=a)p+XHMYWa5x+c6MG^Jjq9p0}V?}&~G4@jND?7m6TbE0}^B)rX&|x
zrhkQ8BrZ^p3yZh06_k*%a)HdRtF;&OKR~j7sR=Ax?1w-M8R$PT?^d2RBuWE(`w^+h
zQtr9n{rnDtFC$Jex+F=Jk|F6Xg`|G9?Z2D!B!r?My}BC46zggQWRK{>{%w@}-l*AP
zt>vu0(wvMpf)bLFGLrI=z&-mNw3d@2i8YzlvP)?#E=J-9C9Qu4Dv<q_#l%)~cXtLb
zx!_Iwt+M-nLU9=~<^G7`KXPZu<9-EL$e2$-aTBbKCl(J(;D3zNB>T7k+kcZ>%gQcx
z<D`Bd*FQq<-$G=PN>LDb33a`k0HQ--B!sFI;ndgQ32G-|v)AI#>pPj1kdu|xfTFG?
z)U+f118>~jaIS#AAf}f_g8#%s#l(Q0sV*ie1JqhwOi&sG`|89Oz##z5VD*by0V4jO
zl{m%sJ>`Egu`F>;QQ$`|o*L>-{3yjDBmm>U_rCQ7>-*+A=~-E0oiT1+I3heqqO9HU
zcsCc&foz9<>TTiOAe%{cCS3eLw!_^))ak1aD2fBg1BhInI>bLvR_-`xz>@g(H#isa
zWaJ}ZfTRp5s-m=TKZr4;NJ9Nf5I_R+f20%08By&2C#BPi2-|;`fXYb$)r1Vf9~h}0
z1;LQ=Lc@MZK$m71{(;ZMkVq2T|7!TO@q}E|zXd*JrAYB4SvtwF8U=j*P&!GF`b*MD
zQjCA#^M4vX|3>MQm-!Am<(4K|{x<1cn&n!8o%SHL1i3<<Zg?xal{GQz4|$uEo+Zge
zUl{v?>^<q6g)|y;BWaeq)wgp9;;w(1)t3_^4I%3=`HYA{hkq0W{f_jCI0-%|LV2t$
zIPW1Hfsi(D;|=oI&?yL%CZTZAz3^6^cs1xy3B0p$w(|1A*$|NqG;4yyG-(9Z)t20e
zG$Cjqy@$x{h{famNx2m(Z@e35a`VJHxY@h8S~=^vLEb9y%Rfp4LaPO@0o_TWwTSLS
z8CXhqPpmTts(ls@{1FtAhGL+&0oZcVF$_5}BJt~cJ^-TFWAUUhzy<hvVD*z}$RGA{
z^Y*mCE*S?%XXQ`fNVqQqF~GU_@#@H;LRy`~f(m{+<5`%GIF@+gqeVUn`quOZhd|;a
zx8^qp%-7)eo3udEKp`#PMCzNsKqC0RCNST{IDb`O$kY5Tf%%&xgp@b@iG+O9Y>jU~
z0}z<<p!HiH3hn;^(<z_`>xaYd0ze=pDh<gHc-l=yAMiH{(p;i&K@ZTrp@#)b|6>G!
z`jGVOtD;DV{UU(KeW#<+(j;T`C!BTh`wl|>bfTYN(O*z}vR(TlZ;#S+V4bbqd?{H>
zYygyZaP!0kxVhr3fO!B;F@**BW*ojV7nFQnWI2|kI-H@T2-3>N2{P@jw&au=Y39XJ
zw&)ynQ5FiEu6X)WNE7r3iPHi+froGM1iktyP=BWof`bd9eE`b<GD-5Q7TCMcM6~3;
zT~uY|Nq|oR3rVsZ{QIK%-9+SLdGbU*5!EF!|2+yW9D)&b`J0gg<v0J9StEN7e<<C~
z&Y;NVXQz}DGHT`JzEF8%hx3EnrXPfU-+P>ky+}yTK;00Q(kERct@e<wMH0vb6#Ic^
zO6dtLaBZn{P`H?6x>6o(klTI{@3t-u1GbX#Ze-5?9u5Le3(B|r5eLaBPjI~LYJ+n|
z`0O+=w)WDuN1-GPF#a}v9=g`@rY_==_6B11YBIJ+cVjiAwY8zGoxO&unLEnF-Q2~+
z*aW8owu8iKTbubBNysC2=oz71QM>JJZS<whA#YCt>5T!-s3v;1gR!|YS~tK<+r&fN
z2(*}b<212&DQ|Ue>)i%eKMA9qSP3=R-RfY7kpU8?BfHDX+0oa|C%}2PvzCmOn2Cd|
zuXup7hl!Pkt)GOMpVJO;KNA<MjjXS>m5pqGnVFUG4lvf)$7cuV;kW~QThram(^=2T
zOU}!Ahn0pkUdPV_BZ-&M)-raG^U^U!<Bc`seRs-B`?=U64b5;)0e%>Hq?nc!PJRc{
z$3;@x-v=kJX>H@D@3C7=&)HLcr?<8FPAfMF6I&@SVAzrF0X9f$Ia51-s4fX9qrJmK
z7Of>A<?5x2GWC%21Pd^cwDZIG=!3W5LEL?p7IJ5RtBaehzbww#N8U)zKvG-R+T2h}
z+RVh<#K2zO)(0b}z6nVDpPavf9!s^v%Gue?muM}>>OiSkkgrI5hRShB@NJ8u)GDl>
zyOk>x*+43{RBy=@YS7!iL+8j~N~v??wqMjal1D*;?XBNsBY%&|EzO^k6rIBNTWoXx
zgvX0>WDxs)3VW0>x-Hhu%G(*Li1?Sl@Q=fBneW1J@<Aa5RQ|A}Oq?7Rl40$y)YwTZ
z&G>>dNh>@S=n~N)0P~{;P>$jxUWT}FYoK~E_7Dj`cOcNDPK!>E0nUKRk{_RO{(5nb
zGu96J{QqrfkDN3q4M386DKbGRxF=5bJSes9w=j<+{eNVF{<G=;PWEhZz?=Qf5B?2W
zvZV5ol*6K+^WUf?OLKc(R#skHJ+byU03pCKL7u?x0U_dv^3Uu5B?y6X6l*DKacc;*
zeglDJ$yHV)NtPuEHU)wIw&F{2F*k)EBTX?7NkLs2&W2bexD`BNJl%XiH9CMEF)wfH
ztyVTRAm{>#vhS$>{|&Y*&eKBMgmy~75eYKf{B~#|*>4JtEFts%H_`WBNag(1h<$;G
zf1Uzb9DPgtJ$Yq0aXC>bN%^n;76;7Y67r(psNm~AaweASZu}&Dyd-{>BRiNRV3GJ;
z>B!&XQ<AcWe<<kx%YitNssAm3_}>u~kUgnC;^04l_&<U8ZwbVg28;`c{%7g1Ki5Js
zN>W;Ka@#M4=8H=<wvubS$w2;Fa8#1yF8+}g{z5GBf8`a+i<1K6Kk$mlNlQx3{f;Y1
zk|ckRf}~bn{;oC-o^Gyg-d?~H1UFiot-;~L64&h4J>Z`fbN*+q&U_zVi~lGrAy<7+
zGJtFq$U^>Ck|UB!^G!=A{iBi&C?dlyh8xPjjeHLMvmo!^z?j7eO0YOm#6X#f|KseF
z{C5cqIg-3n1Q}#f{&w;%%{?t4FSwBV7tcT_DGoyA1veHjW-)b%Cv1yZwV0+*2g(#L
z@fqs{u1RZ?@4J3$G9z7!g<5`^NL<+CpBRh<(Oc@akt#wKgAy6gDR@TeK*=&v(=RE+
zzmRbHhhyM!|JTF7uQfbm9+B(_`SI^(+0xY2KS~Dj#?YbmpC}nQ-|`=48OdLxu=`6`
z_KU96_lWj=68-0QJAMt;{@51DLYG*e3>S&wTgAz#0tz)DdsdXtMsE8hY$L^{e?)b%
zv0rRMAm8+Rg8qW}Um(E`?89Qi1iJme*h~JTDuaT6<YANqB-aQ1VxU2unyfLT1(MnF
zdjgGrD`B&gQ-5+I_<b3Ki<=Kcq3*9q|H2jTKQrnStRffYQnHHNMkeZCacs%#rZ};n
zOy-gu)Ft<?C~8iAR7gc^(_E;-g<K$t%F1u0Ruu1lP+|AOO1$rRvKagp@nlh1)q*Dd
zVY2mSEcp?2NsRlhB#s>Ykz{@$Rr~E4&c9n_L{=SA>_=Y5Pm-<Rl$OHTATE&D^almC
zQlvorf0Xx&_3^(-623>j?^yU(CE>fA>2H(-(gOdH1PL+9fcY0N;V0Vr-^Y4VX5$~$
z|8CZkO)D9=|03(ZHzU7M>q&Wle^~$9SWimIe24%4{gUvnWOKgVnLzzdSJ?jt&-lOo
zki@sjoImtI$qpGsx&1;ICn2_g9t+uuzpDt~yYj=YKWRrsu%AHB(sO=tu>RE({x1Cc
zccGBHfZq}}O8u>Qu%%(<_X&Z;!8;TkeIL~<ievum;@^c|4OkjmQbv;`ek_V6No~Iv
z_-|dDkly+|_Wd3f{tJ0AKt$p%mi<$4|4+p|sQ~}4RopMu=x<2=gS;GN?C>wBA=yo!
zR6}yxFRCFaR3riLR;llfe14A>F3pqfPy^N9P~Mipr(7JF|4GtqF|q%z&icRq@w*=#
zHIuVFl+61b*=MPxSxxdU--)?HRj*#)N(s)@9uOH1e(%p7>j_=-0%ZTb8sEjr)f-d=
zfRbb}gb&UN{BNO>*2c}o$sLE^v~&cy1xGIE2fytKt~EhpzyHz0g^z&@)7QQx7^ukq
zm!{a^inGIk-H^(Azi#w9f%^55hX0NW1JF-@L0cm$sVqrJDGarQ7)cr^rHp)ufb13h
z3wd9_sBgb+y^t#W_8Z~kWFh(2$H~uMf0^9T*2#L=GTvo6C^b{ReXp}treZawd=qGl
zbl|+&Oa~Z57!HKl>d^=yHqfBx)l&t~>3sIL<k2m;Ec5vX5V_jMRIppSb<oLj13eD|
zM*<&QdN^A<-RJw@OtoDjeqhfI`<wu!saIa39n)8ZsOYs-sr7}#&NMd5KKejgxA%b{
zFBLsr>q&5*(y$3jVi=78#)O&>Ss`8RB6jXWJYA&ma_;h5(2H8ZT+HZ^)K(o;YL;T*
za1<hr^C8#0#GX=2=}17A2sE)0Kj^Xnt(Xi=qeIOa(cWD#wPwp${m1@1OzDt<cRMuE
z7X#J24&Nar1XxV2Da~4Rp=VS|5*Wf8UdfC>q+MriQKx1}R22uWuDko1LNl`<<f$T!
zZ*dR37Xa%W(o@Y#mE2!<lsL$d1%ue}z^%m`8dOe)NDa_v4}rRA=k5ekRC^XRLo=|;
zP(`+%P5OKQe29u(Dm)BXLcgy|6Pi7X9+7InP24?ixC|I0x(aH(Cv@L85C5v{LbJ<-
zzIClC^Fewlv+pZj<i|D-#%}9hzirpXOWV@9QP6j{g6}#$)r^BEC}vF^%!)R%4EFYn
zg28e7)wfL4r<v{ZZ#smZ%tw}RqLulHd;puRVInRjL)9{(UHk?YYp=_Ny~uzMkL(lD
zcA9UpJBB^tH(F9Oc--ks^bMZS?VtPGw0O9CUF%$2HyR<HAL@#S*w+yc_TnSj$qOy|
z8a%NM15d8HEpkdA1@0*2^Sb+^-dT++O*_o?rtPuS$&)%={q!2NR}Ou^2ZxVNmmtdD
z+>6+HzS~--cCT<!>Stb7@q(wb6A7VruS+u&TAb}Ef%=#OLU*>8aR@@Bb)v3e5M+?u
zQqjbsQ`={gpd>R?Fr01^FTgl{WRL5u!Yc=nIPLYHAP!N{7eF*!u|U(rQ<&Q=LM{!T
zhdtVLgc)@LVz-_rq!=p8UpR+mDCFDwWI2%$xfoAIh;50>ZXAMJzsBG^_ysjCACtrR
z%HZ~2E^B?~TAqO{d59V_gvcLE&u&y&?pCb_J;>5{vY|CoYdykSi8H8f0Q|lEf^9?q
zT6ie*Hrr@4ho4&q^bVs5&;@kZll=iwj$B9R?Ul2mdpnOrOr{Z64>)VF66$zdpVv2U
zNC|y!-+uFLQ0G#xtsPUDlSe?m`<&D@bcInoA#%gnfp6#~@3x3ctUyPWSGA+X?`%2O
zWMZhq_Rzvh-<T!S=Y5;jjq|;(icjmqXAgJT#>yW)k~^*oHtWCyq}(g0tPuKK59~z^
z26^~(-FQRAK*;oU*SawoD?PZbY2~wbkHX`0?LPP4-dw)@>7JF`c+BgH8yhP|vI8|`
z*(Pf}%6}qdhLP>PZkM?;oGW!Q1K-rpcSf!=N5J$>ov9tAxxLn}+dd~aS(_!Pu>M1j
zQ~n)n`K5QaQM`S@ANy`8ayp+?%k&>UCjQ7aC9cPWq0orGYB|KwIKEtr<Ka`%rV#1(
zP%E*aAJL69F&)62sToFZyhWq?YF0mC`#WuTA}#Cg6H|FeTop~QCDhpqQ1<vUr>zi~
z@5if(A~$g&baMhnvV5(9WMn1A%VH4T0cReHnjof*7ta!bXB!|;aPTQCM4(zeAWPQN
zV{naCq8ImP`u6)*%zb%vL+RsVNu%R?orX#{mmiuujKs-R1?_~scMgcb@v+b{2sVI{
z+-6>*cf(0z;LR43jc0&1sdXw7wJ8N?Q+7xv5z+csUSwcy3!#qpy{Q}DINmVrswZ(v
zpkjV*+R&7{yf->wNItS%yZCcFq#t%bKcpXwn{NfO!OIV@qv?vur^YpdH~A9|bNh7j
z#mfy68vNDsI%GSTh@$uo$WNMY9xWuL>}=u42;;g^-xHPjcaE~5_a1mB4w0AT?MA_e
zkQ{~|Vg=I&Q8_daRjNvOKk8N*A0&p4z%=(hT<(G-C{cAKHG|;ML&Wt!1A6C)vZ@MN
ziPKQgR{@53?j~vm5He=5{Gm!fOo98()RA<BJaccOJZ|zuHJzz@!?BVl$bDe@e(|V=
zJRc&sqzUI@N-wRFhCXzqm~JgR^~k<}mwtoM!q(>>*~MnK*5XWQSC3#L+ua>LpZ<Og
zx#P%}XRk5E?)7;jSmS&|*M5!C`}^JgBU#gf^pVDvVu}Q4ggJo4&Z}`8(AM@h(R>j}
zb*-Q3+GQOrn0(9g(Uzkv?XES?kL(JXxUS`ly0A?owN~)C7bFe>WXN!k32$I1)L6G$
z;LXKn@!dYXF3(<^NQfUh-zyp~Kb*eH?`h<-54~=!eXI<Hk70^L;`TsaZBFBWLtjPF
zd=W}L4|ER2#kf}Em>*J#+q=VvUn0Nv=vs7N@;iAVV*q;7enW4K^?TR8I(^On`DHl6
zEjuyf#(+-U9?x5XDdT&=_bPxwjSRygja?nac0pVkgY3nKF(YIu#kNq_tSS`F36fC$
zSkrplt5xY?g}eIBCsv0x*b(a9)NZ!R^6s+Q&^C6Bq0m+5b0(4h0F;P8Nd%>;W)7z&
zHZu#@sq%&Zi;&OHxpBVJj~yNtVmKI;28jB#g_@zz?(-feNW@nQ0L9@jC@9Xj`M{yC
z2*a^eZ2(e=`&^*Y@F#O!s8bbxVg|->>x%xdM<=?@>G`LwHbZ>ogXqi~?g})CO!iS7
zUfDdUc1NGA(q~iDmyspw*NzeGw<M(APwmT6p_!wBdgH1-@-tp?D=~Wm6gsA0781c?
z6`;_w!KWi34$|`9_sZ*teP5GQFy{TtF49;wHAoXsD~yI0@Rl3u4|to+P`GcMExQ39
z!F6x(SC=F)40%f$EE`gX0FhMHX!fU~1&!!%-`LFLr;i&UJLqb;;k|sMv7uN`G_(m#
zz;fxU_c%5|gZRU<R|#r<d3bq_O|nJqS#ib3(i~?vK)Jf61rvP;pn~|BE)2wa7y2Q1
z>h0U+d8RvC<+edB&w=M7l4F>e1Wg<Qa9}FsybT0ciK<vY29akX!Xn@^yz2phN#>M_
z-ZTr$Il2))2klT(OEphQA*2BU4^?Vu;B1wa*huR_GaLo_{S^)z)&YW@n<=X%5)6E)
zMhFr@XjR}t7VDtq<B(-{o_DGTs{!5}L_8em01=NKS+a?}Iqup}w<0`wzJj<!$kc#&
zL`lL7Pvszh@v22mmC$aU0x~g19ce{F+~Nt(&le#`HldTs5WTTgk18NZ(azNc+Y(j#
zoKF1S`_yG{jl6b~0-ptUvmPkssG$BdB<c$*h1Te(rkZEEO4c!gvQgkZG}FHJDk4!?
zUK|N4@%^fAhzLL~=GRORA#*2anzbV4X{AFp&=INZPyZ>w)Ia#yUFZ`X$3V}P{!SSp
zDZ%zj!&#-(AX2WNPY*CtE0V`TZ}j27awT7=-a!;G^4ea+fWe#flp%zMre0XJR5WPS
z>F?SJH9qItKf2dH=&2rYOfDl;Wbz#(v1<%3KudVB;z{DJ@DLxQMR*_$;0@mhi3Rh?
zy$fP74pb<hwPPcZfcqV&Pxdq3yD7XdApq+_>ZgiTi%5ep0Ii;1uJ0!CjI`brU{*G|
zfjnp)sdPXuMxTb0kR>Rl27<zNX^0DY(~%H%oojT&WGm4%-wb9luQ9QKrZ9yBTjGpo
zK2dOVz=HKIJ5@vL&4*}JwUP_6)j&6aM0$o(Pz3suT~#%2D49ee@;fpNC#urZff=ZU
z<%pgi%L~0Lgyd5YG=$Oo57S8=mc9kvuRlK|710ND;smg!WRT?zPhu%Xj`kgdi5sq5
zew0Aiqvbdw)}J8>Ul&V=jhZmnw(+`(mqwEix56|Ab%_HusnMjODfeU?KG;E!^NJY1
z&>+KJv`wq21}1K@ruijy{d&zNH~ztk`+OWNf%J|84G*}{p1mL?`)Im%86H3W-WC<4
z0zYFgKWBlu^k}8mWf)9Lv*}VW`zdci4Zn2^;nSWd58-G+A$-sfHqk>j^5HYVPY9m9
z@#%C~Ib$=fmhcIc6EWtlXSAT^xyvBw%T+8ON}p-`vXTQ%s3x|Tccb5N9dW%<9!uas
zHBG`QG*EXrV03ZinoVP{3J=uGX85{z0*_WxJIrGbii-;-TL?Rm1s}{dJv=K3KOax9
z=O6qcRqBmH1=U6NXz>pw6E1FnpGRLd;4#yrp|<@<_@s_<W{0iPXp-e0yh2D<f`@R!
zdJD$i&YgVO9rRKdHsObw5r*5v6J|~7F2oWvjHmrS#t}YYQKxxehWHmb<!hP`YBOAA
zl^J_2Y#oJ(+~D*0sAr%soXOFO>eWtzyEUD2_u7@axbjtKI*nixg@jK#P?y+YvZyBM
zl7ybmoIZyWS_cfq1Q~7wq>I2?q6xtd#)IYH@zDf9{=s2F`qn8vt`9MEO&=%Hrfub{
z=sVJZ<}|l-N<okyD1?dZsM{G-hK$x`O=6a*C#3D=w?0nTB?SLqAX{(4KiDr-78CbY
z8RijMJE1HH?}{U&!3Q6}Dy&5mL=9zcpMCoJ_CtQ_X+k$&@Q3&#^cA->@AF>t(b0Hx
z9wr`)+LC<|KdS_1(wBWs5QCenM>S=`8c%XJet3wNOduSWfbWYYJb$1<7shSEcg{zI
ziz$JSquCUV8||BciTjIG^-LvfC4~8G*REIGTD`nY`hJKX%O<!BQ^n-1)Mx&%3bj?M
z+L!H-w_3T$<=AXORY5;v7Y~vk4wG@xXwockpS{jIr<pjm9!9`MjIT7Fh&qev&Vs={
zan9#3!!{SpZadl&@xnHkiv>n!JG?(7j0TMa@Xn$o#|ROJksniS%~Xb@e~P5BjVC;L
zRp6bJ|Di&v_Tc^f*Yp*6;c_b1nm2l&Xd-=g#uCo)4<5uZa3ZZnO^bOGMbX#Iic%}}
z5Lo-dPaiYSAyINKc=8gnc&wT3M%&})m}DmI#uAwG!yMX1VIIb)yU8(}5$zjc6Amce
zt8%*UlkhDBsTKrZD*HK;dAdx4?X(PqJ|Fl+H)`|my_-dNba^G6U_<|Hda7>6&{rD@
z8^1i$<4{Hh!RNHg1p1P1VuV9&c=G86_+3M@8M4O<PhaMQspuW!Kl3ud9x?P5iJG}7
ziDsO>RaBD(tVwBVT_(}(?O|q*!#K`fhz<GDW**6sRItUn%=>j~LH=^8NWa_)ojGe%
z;s<G=xYLO;A2G*`kJ1-*SuZcJn^lIN^+M!HsULrLV;4cp_%k!FSs^mE+-uz-$(^Vu
zhr_pO^0$FW_>kz02S!T>-CN@h^QAVV#6)aqSG!!0)@CV`N+`yU=A>RW*lr$aEIh5F
zf^rrUjiYO!-b+`wb9zstanT&1k}s9{K*8fS?aPWP`g>mwxzV`23L<d8H}2`Z1FLX|
zP1h8|&RJ)#^LlYZxLaI6j2a*UOm&itXb{<@!`lk_XNBUzE@iuZ`MhleFXxtG=ER0B
zunXP_*Urg@1@lJ6YtwN0x16$tMd~4vHfl9RO`=h;-FgFkEJh$&t3YzbV~}?f&6_We
zpv<+G3*0-i1HsJp#p2EeVVb_22U6lK9JAtauH0GKCu+}WAoybB>eOkX{gcdZ&a-Z~
z716G6@O|s&e4p*i@ny)8lv%?1_SwpFiUiXpJ*QFbyR@3A3iO2rvyE|*J2FQOFfz8O
zkHV8K7|b=7mmyysAzT#KuRgJ++oLO1O0^{zR&&P~@$}~I&5_3Ya?GdGt{{MA)}+7x
zaKW`1r(s5;#6QKUbUy6TH96OvILv0{$cA2vd!l!{a;tp=q9KfzSE9{;{Vd<fi_`-r
zUM%MfX`&s$G4p0cTor+N1n5?Tt@b$*aN`lYWm%GhrU=ggM!q(YwFtPH(SbA*kE@ES
zPOe~ok>Ef-X(egM!N;f;LHF!2Y#d%iI56QYGo88nb_B~NudFX4pWEmJTg3QYGuw1W
zj>}6*VGz}x@atz&FrytjNs=_ek(|sIP%&@ml>?laLnob2VUVb6v|XrVgLt}#?M|tw
zitS^}Ij6Z>Y_ayKh_zQI*A|`yu7n`4Un0@`nZ$^Z7PkM{9eEbx`*K$dYP&5DS%sd$
z3`!f{>}I!5yK$&($HN4s(*atk{JPj{v@%ysQ=EiXYu62OF>?mVyqBV(8#&m`evWTk
zAXRP~Dq^H?9qiilF$`QGoY^`h&aVKm3|psj?Zg$DxX@Rd!ot!A<z?QW_7eo!*bjEd
z8^1wlt6pP*Z!&e~r*599NbyhH>1TFF35~)jObtY@WSglBOeGBAD|61N&^2y-FrmXb
zWO$?}UH)tu>&PMVF*p5s&eJMguq1;Z8nYH5Ben6<Ql*_O1E{;oY3oAvi>|$ui{#Vb
zbU<yWV5>;`yuylJH$r&F1OegkA;w<2wQ30^nD?ik1I(O`y}IjMdcy<JkfG?!jLr<?
zlaO>V*UTujo}F`<Is8)aWI@O51>O0ieOjjB4y)PPKOOwUe%j-0j+X`@^E4J29VfpU
zQ4zO{<20X8cLBdM0;`mH$RQw9#8{zT_V}FQlun83rz`1FY7A&hN%>yyi$0mO9~5_m
zqP*oeH5s1mDJdiDhKE<V&fe>1*!NgnBlV2*ZJkKvE>Y$Et2027)f#9fi{gzE$R{j@
zQK491M-2_cudl7>4|sLm!s{LzlzGVvo%=k|%=tPz<+jI+Pza(T0t5F%VkJu}U}L<F
ziQHGqVdvvd+9K(bnjRgkmC4_q$qJ{ALKLi)EAh^}#-RfUD>4WhD>zHj#sk-TtRvmN
z%3Di9WdP)C(I^1(aC<o-G)N1%izgMZ?cBxJqVVc;y7$h?p}B|ILGNyTYVmDgy*wwa
zAX0Ob?y2N1&h!ASo^?^fo80<RHEjt}W&G_DUEb9hk`9?4^W15X>0Zj$bRKZs#GajF
z&N6+;za#m*a_Nd>xIHi|9BAO8Vs1E{hg?);7VXm0Fr9$6jVpy&bjqx8{r)5O;JP{7
z){@&X2)<;3rpIO2^Gp}W<pkZ0Ktd#rBaawJCSGBtAp~(<xFwX)w85Tv1~(wnhkqb9
zsTZG1!!}gudH?FzR;szaoK5h`x}bpGK*>P<GJG+<%`Umkk=`^DnEpW~{1<3q5!EoX
zwatw<&h<7o;>YCrK(<@aPpItTk(q=sC7MbRC)3~)>{o;zOo!BJXl!scz9ZM$dB(^&
z49PlKxMFSX%cG@kADR3TFH1hmDU4h-{PI3*Bo1*`H7WA6(TX+K^>n<4lePHo#lvA`
z>+dp2GdX#lsbYCD2ouMd&rnSnmbkT3gZ-(-0pHMZNKYS1q+^V!>klI;jIalL&lqz>
z&3?WXEa&ZF;c%y3$-*KQgDgn&>DK4hm}q;?eLMVuQ|8mW#KxRMMonR#F&0!FQx@jC
z6GS3X*NtQ&T1@yv91h><L#2+NoY)@q0C88Xk@kb&<L6C<Wfnbm>b3l<^bq<vJNaJQ
zt$vf1pUiy;=4%QU_#*FydYn1;G0j!s-3Ab?aexT6^KHsGC=kM6sq43&h+rOM;t7cj
zH5Ey(baX)NzR2!f?AhB_X|V<Vfk5beps(mVc=nhIFWZV#g^_G-j`gW;QeEH8Z>vwC
zGdimgaG5p3S+ulp8;U8dL(WNqDyFDiF_3xn<EQE+;|8<Utmwx(@GiF_YIrd_oojl9
z&mGlQvb2<}&!BUC)Te5py2|8@S^isEY(?~I{Bf<#*Ypq`+tzs%iPL_h=W8*a6@RNN
zlKos+@J-_&{PAg{j)O91Q@7719ibPVX{<MV+q`au%5Yd!YBaTKO&1T_nA~);oCU*O
z$-ArannFuX--x_kcXH&hXe^<u{o};uk6a!qtgXyjr*U7DW?H!}&ZJLz6#3L$3^D+x
z8c_D*bMVk=VvH89y6sfIU`fzR+K(}Kue+KX8t>mpRYJ$lOZ2@pp&ILcpKKAMd7oMT
zaV!d3b%Xx^g2DF<Zvo-#3~v_e`jZltGTj!Uw{!G{l9E5T*R~avaz0-cU5Otp&%*TZ
z!jBm8tKE%#v6|D@uS!N{f*?D5HA{^^1y?4>G+i@;55B_H_Riqmmps^RK7B8O<%8!+
z*hfY_=401}mk;09K{RftKn_K(!q;T34^NKHI?Xu~_F^b-vqqBwtkI%o?GexZx&j#w
zsy7df*P+^&6$&ONf@iKz(-mxhQ=c?7w~(lxq|1O=ZI8Vus1H+%bg+BPbFx9Ww#w^x
zK0#&oDmoMdW~>0rj>{QKLg7tnrs}qFqucGTv~zBAaK7KNwcHFLk(U}x-+o1V6~A=c
z+G=08^`rOHrnk-bw=>hz@xK{(D&NEaw>yS6CLl!l1-X;r0u=L_o>ymmaS~3|rmEwQ
z^WjBh#}OinrR0`1@jP%?eSl9f7WHz>$=K>+ij>IJ8s4Ur>%aIM*HX+wp$@OAIEm&D
zB*g7lX%W$@gQ(6n%6EgScJ~Cxc1e{mKRdHE-@`(z&Qc`ojcz2YO_0NvFNroPQRv>b
zNj~Jt3C$+@Ibls2Bx|S#y|a%Bn|+b1z6n*$>mv?=ZF2o1nP$LGc?K)vSJ2|f)(6l{
z59C0ft7O9ho-C_C1$11&i<~ql?ew`;yzz)en#8$4ZvA}A2o_G)(xx^LlU#V94GSH~
zH#4pe$<gGzxH@f8uHZE6`pt-Tu9un_z68x6@!7yr7<i?c0y|8QhM_IiXVzQcM3YeH
z0Krd|jh(JGoG}TRD#*%O(8G6|Sv%D5gwTu<D>{KuBB86Hx3J%8jgd55mymYan+1&;
ztVBnlg7&#ehPE%C2hqk}ai>QQH?aChbuAx^GF7CxtGe;ghQiZp7%bdHH?yM4g88ak
zV+d<j!&9}5wkyJ!y+A4^R|uehv`2v*lqe`>rfNC7CF^8G#U?veg~z(6JtxrqsFW+w
z7^GgJv4%RrNR?0VVG6yVOdl#mdv<VU?O>Rs@-Yl@29q8pgF#?BpLch#vJLKzFfE!>
zpcia^`C@q<N(E(3D>JM+bdXUgPD-(*hifCu)Pvt;ORN;k=*xTFNr$nzEX?3^=8dcI
zuesJ+zWQ+3xbC@L0RvUFwj;lh65NZB7e$L|6Gh(;j?pY|dS^P+!U7vWn@lm6ep(%B
ztduB;BlsJS6S$1lMg+6Gian<rRBnQLS%*tvfEz8@B0Civc|yrBRU_>kK`8v(o;(y4
zJ=2$zH<~p#<4666>16KREz81KpKGDbG~G_aZg278p#4Mcg3AWTO`Fn_&QL|HDsfoO
znN+Z+T@oF%W<r(b5Q5!EIc8fGICxXUSDwnkz=PxGnB&);R&BD)7YYoKLPjei8uf=5
zJ+8@b&UYZJhbL!_4ZenbaNl@1Rf|T>QY+UkKhabp-+Q<CN@q<jqf6oE^k!5d1-0{<
z*3;>tp7m@+Mt3MRKR>)S&L4A^I>{LrTt_I9W7TpbI*2i_{nxhlgdVJ9@T)(Ke;8B2
znTNXFIg2wrJgFlUBmKI|c)~Ro1HZS*>Z<1U%@?oO1)VTOw5>Ec?=zdkqN(%N=OaRV
zP1E|MBp=2kjprAfy;>y+RW9Z&Z>#!Gppv2tCgp0dVFn)&MvU?BRb?(!$Y=-7NS?~I
zS`1FSZ<%p)rVR$qwr|Lf^s-ImZyml<v#FHYxFdgRqu|W-dP9^#Gy_Z8iDDYqmVB?M
zf`-AM4dW)>Ym79)*Tg6>Hy&Wy4jD>)y2BrMN{;WpznU1%ypRmvM<;kvk19&yaYobS
zBCa8O(M%h7Dbn=i6yHU=6`Ppl%3K6ylSZ4Hv+#{Rar(-zb#T5%yR-8iD<}J}?i_Kr
zYzSLv{DLrZHomfX13c)h9_KW3*x8T(LgP6}G{HSvIH2=ZRHjzG--=)_p}6<;UFS?r
zR6qDA$QynDL>de}Vb_R9e~9pX1^o_8J0r=p0Mcvw0`CgFYutcn|IDn0I-nqJJX=hA
zBh+PFFp*vm#bRGui&H^w%jb3x!O7ZuJ`A$#S^z<nulgW}J4;k$qR}ooA-3FirICl*
zS<UwctHj?_SJoe0RuY(5rT~wl^SMUw(#y=^(989CkN};P3PNe@W9pgEan`r=CuTc9
zrwL_uS_qwvYhUT86AIXy0hugQ0`P;7EuN*&8%I>G*>x_*2wQEFi>=XtMF?K8WX+eJ
zqOFB=)FY|K?{|-^zGUGe=VKywV2}$^mT-UvjQCn1X!{7NaG_O#Xnn(+exr`K%@+lZ
zcu77^Kuzy951DZTNfMNWN^Xi}fxUA`N=Vj6go;61)M;*Rm}1fT7e10vZOZBz%5P#g
zc8Olvd-<_ZQ_ZQgl|d=e=K>r<i#{`#6tKVrFKrTRso5%;^_;1M(PUp=&(%I1Q+lq8
zW`i3~hL0p66hqKoihAc(2A=7RH)x#|g&V{XB(>z8I1KPSJ=-7@J_@qnJ8qb@5KlR?
z=%nPQTpI~~)psg~bqhaE@)ANgVHR65_PX8<)_FYDRFC9|CHOv=P6WQpjt7dz5MHww
zk<^RA1P}l59)g@i{hbn?S22O{Z*;~*IUKh~u=v^-<>psc*B!*|w=|v2fWw)S+;>S}
z)db>JS&eUWe0yZvmj(T3ugSn+f=a>qkDfW}KH7T}t+h!wU)|GIQr=orct1+SKl|bI
ziR!kGf|vjx2kmt?>7kr`qG}^ew;0b6*IFKfZ4&j;@a|$yt1au}jI%QW@s)wWhz<85
zD-=(9X>m>ThKdF%3Bwyw7z(A~)~5)&5Ks=T?qrF_v0Et3i|eDSYSus4CehLZt1yhk
z9G7B4Z%0bes;TBUKaou!_|u{iJ}D%fT&{Rl(DR%<N8}*<;k|Z6LPJJ_EEdJQ+bU#t
z-4^(#gTYd8IYPAhgN9F`a2#E|TfvU!%o-?b^Ii-xx-P~C9l8GKt>k#^4#pg@)?*J=
z*+f@~X^C{hb|6jXc;Wpym3ua`x!xT=fTy;gIXr%`cwOksS$)(dRy3h|plDn_`NQ=(
zSuL8Q)A0QLVLWHKy9x~3w;i2ne{%hKBSE{z(0JbDIG5rF!vU?KGiza};q!Xi<Tcax
za>LBLU*s?lENbsW-k>WlKRND}*}o>OzICrrmS5!=c231Nv2<|zvyECZ^c~qi>OY8f
zsV?M0R#1tuVXxiN{PLdAtz6%cTD+Qi<P+f{->jR{Ef<;YS49~Xhb{~BWo937m8s!M
zQw;1j<v+RcFkQn9IlAc6_twKg4d*j6G}Byh@<pi{sR$>16un1t_v4bL!qWxWNkYwb
zmwGkV9wM-2SjkMO#1V8KFivW~!mseACB(^C^EzFc95H>(C&Zlg7T%)~5nJ5N2AlBw
zBFgDY!*n2bYOp&mf@S0sA%AbSr?5iw*qwr_Y({5w6++=UZ?B(>gIj-o|EhbL@Njf+
zP}XNpD=}O&9ShA`qvG(uLOn#V;1o}&*4ymNn424nRi4UzxpIS!5AOGAJr%mZ?Iq!p
zlgJjB5y8;eMs%i;iAH*^LA=^Gig4xOTLJHQ>4R$&rq*QC!>yfBk25@PxDj5z4sJQ^
zJs6#f?c-C0y|{Gacu#Kc^&u~oVhI2+Y4szIiI{R!bq6r9Z+T+~Quo*CpI}9a#K+OW
zHJq>Rk^Qng3d6?|ao=13KGy+fC%nBcoWvvZ$QMO(fbfDE7MVhOF-@E>#H@j|;FBU~
zyY~wNU!<IOXZK;R3v2AX2sFIAYF+3yw#ZlHodg}k_)vfs$pnej&UC9I=#3<0-qT&b
z{$PYhcO*j9Y9F0O6K95B%+|vw1Rp!|x`G#cPxk9aY-44AuVi0)D~bn6U!jSLm~Vw!
zx(987ztJ1fry<Zjv!R8d%RaDn!aXBzsxM0tiZ%q<fj6;lcf*6J8p93KIS=o@$`LN!
zp!G!J<6S0{)NCVH+jKOZ(GD5qp)i$j<!Ruj_-2i3hhy(=K&19eZ0Cb-)P5*9Zn*(A
zzZ2m-ZS=0D6oj!m`VO`bizuY&P4m*1TfcZDRTf<gi@VtvUBdh1!Y5Q{WmVZu!?TYX
zHpj6r>%%o-r9@=1O^teG>OZ9w({ehsz>+pbopp$7*Gp5LAE@#|v1T}+So3KrG^E1r
zN$9<tZaWe!wh<}XJ7YfpA9Jmdf<I6g-&O$I*0k!Sr4-FFBNiIg1N-BtUWPxKMn!42
z!HwVBI`ZJ6o!|S$5-bZj-$*|wraO>u@5_~ZM$|!VMuF<BPNq45o3W8M;kUzQrCuN0
z7I++pCUtlXqcdHZtVv^po5R|Jyjj4Z!qum;wZdtR@i2xaGex<d*qa`ItkBBtI`96t
z7pjEB<R}7P8S~CEAKo{FLFPXARNQ!5s1Tkxrn}=zsPWuevvo$c^;YYZ9oW!7cjsWo
z4r}ojCRW>^O76km=}rL~SDIs3tqnmV8=a{dVj?4uY51JlbFP(f4s;ow`8p^`1@8Wl
z3zKw=AtwyY+28~uLjit5w8WH-4$fJS$d_2WFG_5%<}|F{YPq4x?h~b)IBVysBHc)1
zkU`!#&%cj7;k}GZ{cipqjmw!<I2Y#_`SJt2C$QE@_vG5P<?lPTjQwJZ-ytcP(q3^{
znP+#$BMIp$eK+mf#El<ozk0T&?RuA{`36|otvzV3YsWe&^tdEKn^w5UA)^~6IH{?h
zYM$W9*K?ke_tmtGY95GI03LdoeX9A03I<_hdSGzvZqwugT&P**pwxhonYAH8a4jqn
zzULTbaP_*Y5t8<qY1eY@CftPYVAQF9wi+aaqmdKAE%)1?r0MqEC!#LUIl`SYkD4GD
zEoSHHj{qxOjX$LcrI-*(;UWe7eCCx>vT(`G1<3G$`zgxTAHm?<&Xv8=5%lobYm)`O
z*d!X6YnHkiEHFNqdgmiKPB6soP&$DaRpuSMrICL7&)w1FXhh<}2*$#BO*QMAHgdYa
z1yK=Q`qKh^u~nD5j-+u4>mR<ku5B~iu)q!WQjLaJqNh5cs125$l<yac+LF<d@j0o#
zxkeQ3{{9XR9G|(z(dDh6NV7jXx`h9{-26fJELnY7t`f{urWs8dx+Lx6z1}!m=5=(k
z`MXnB2*+HLFKA;BoQWGJWWuhi$?>yG#_x{du|Iw`sY@i4`6a5HFq-HXy-VX$^3G_?
z)eBi)igG~i^@~<_l0md8GLz4m4P7`7dqoon&agXH#e9HDRaB|H1yy@CjJR~qJg8*c
zoZ(Efl5-q55i2%1Ij6!*P@B6Cv+D3thh51_3ehNtsY_<Ic{HmPv?g4wAbcDfr!1G*
z>Yt?7jb}k$QpZPih~z8m<~I&s#@S8asCcRQV!ve4=Jpw8rGiAGpxo+i)T?QNT)yer
zt+};aj2@aa5&jYzuO@`RbO{Is?A!WqMwpsZ)J?9q4pao~r0SN{LaA~G)uojq*z;o@
z&_0^<p?n4~ZaPyAm{P<tW%!DONvzbHQ%EWATCEZjRCKvXoM`N&3FZ9QsRLu>MLXu1
zZ%8$9lz0_9=FSXZ3{QE~_{D}B?g{J7%;2AutXmn4*jF^yOD`Cti{Bi`!-F5x;bW3B
z#w9>W+E(|NgH;~omdUEpAVXF9RM;M>w@{_N4tpZ|4s}#peQ-6VoZ~?B&1E<TDUq(E
zlU<@n4b#X}#q4{xBi7h&oC!?ecCLb{9DEf10=^@WQHk?Yc%;Z7$v0Q*VWO=?FC)8K
zdEokE99}{PP$Glc;|!xxX7F&-742*4h$<O5FQM1R+Sq%B_tL<wx(U1@I51s}e}B!O
zfm44zOYiyI<{5P(hIX1wHSxPnS~TcWS3?C(^|8_z2pl%ioAOPaNqv%;O7lfK48bng
z63t@Vo;ey_fVKOmJmn$6Bp5yiuy`t`hM(wZU762cJI6VMPE@U-cTW=Cl#pq{pR5yu
z7`fog;y^<+pX3;kA#Dsz{SwduJ;EZqP-IXBRP4-3qBns!0FLlAFur=krx(Y8r{QF(
z43)}4t{jxb1jqc5pmkGrmjPuXRFTP0c*f{+F0s%1L@<w11kQ{&=zbu0*DqPEMI6C?
z925f_vKwM0zQgbW;~V~#n^-=35JV&#uY>fVY9P!CFi6A?lp2Fi7xPe=jQ_BJ;OoM|
z_W>Vy>Og+**B0WctD$qTG(~BskOvgQfQo<(X7WbRLhgaW5XX}P)x<Bi(QFyU{HWSM
z6$YsD6N)GafI^HlRy}D8dxre7k9uQ9UnvExq*xB@?>hI3_mFe(b!p-K5aY5-lol9w
zpGL2q^LUaW@x3Y(n5?+!>i~6U6ap0;w2GF*LTOW|YM5c4XFNo?QBbjCs*>YKtobnq
z6*Qf<vpAs2-dqVV+o{8+GK;~o7F7j)<Kb!$RS&%*F_gS2u`p1?B)EVk8q8u-XXr-b
z7qn$BSgm*5?Ulqm<VFEn-B(ZdfeLX|sq2Bvjw+c1E>xN10S^9*x9I^7_m4Q$LaP#i
z;+aO>mc_Jsu^G_H(nE2fkcYgiuYxeF5hlq3BDaNY1ZZ8U$BysnF=?c+xVu8}%F|VX
zVj(kr)y8=n-QPB|_zg_=uMe5ycoo7}zKKftA?#^?<;gjh{N19%Q1~bb6(k;@VF1!0
zLU-vJniq;)xt{iT^8w;V?)SZ)3|5%d1T#3{PxGNaaGYJy$9Zz~Lu>M}yGt>Sq41Ex
zzH=aJD7b#1s9QT%3k+7G#>o~!r&@8FGqtH8R;v1H6Bk`947R5<+hcobEn5FW!}-ln
z4IP32G-XA&?=JcwZBSOuZ&4>oDl{@@0ZU4jyNZ*7s%MUmcx^qiP_6b@Y84w=fAZpo
z^HBZOMga^nm{;uy_fBeg(D0n@;h9y?_i5@54(naHljKS3{Bc1Iw@~*z4m^o*>^kmn
zpqimj$gjp<hGUasc55|M6c|S13BT_`vnww(W%=v#V&LOf?<=~;gB{3Ut#%^r;A{2Q
zd=3zmP7Fjeg@7Fyjv7}=eW6PC4(McJn5pX$G)y#J0j#I9?NpEHX6ioIOODv8X6@X3
zn%db*#{<laRw}wgCOhRCfu3=m7n*k_sb1hL7wH+!6vW6<_l4|ZLwiqN`oM1F$=Hzu
zW{uz1dD0vPq;lt*j`ZU|AUhv79=Au`lD>}stI(|3V?&fqUPJJ-{bi5uF;J5&a?Uri
zR~tG|MYnt;<rJ0!?6Y9e2lYgbr6aFgE+9+#=Q?XSAbF=X=!j?re3x$S<WP8fl!hfq
zl@Sbfd||3zx<1@hcHdN`xsw1!A6nhkVT}H~!mAdV!-yJ%QNTJ=t#U_`GCF+SL}^+Z
zholI#+vQmws9g6}PDnK<4i?_v2+E4b9wruY74^2BLYAby@iIOEs>3)|Y`5IH6|fMu
z_gRy`TNUbAgL+VOJ#8JnVqH3&N~p?{u;td(ojYSesjBS8fERh^-+&6#J=UO5IeuV%
z?jvi1O0V;|>p~gMEOle&_vpz#PYw2X<y2mO<nYv$<!hR5sLV|?9F})aEIeW^V#f5W
zIWAUfqrX7Q_Q|^+yDxyVvL=Z;TUhtF)q4*(4>+DGvmQQXA75c}<AclH?X<Ns@9sQ1
zmow{J*`n3H7R{eGtmq9@v>jYuZ3U1!*$EV$r4z1zLnltC3K}k9mu_{)@ALDcHs$pn
z&@w~i4PPAJecTct28vUgHx*^FY%ag#*}k&1{OnbRTSCE6+&+YfXE$!lejMPrBU<O2
z88BK>@yIS?D)Iv$0q5oEzVX3TmY<M8FVuNP@1&1K7-w^B4Eglb?^&GeU`ozR0kR}&
z<35MHNb3Zp4}|J2b0<{2NUCPUy`zqxHq3Onu;bN0h~H}g`0vSk-x@k6X_x8IJQR3z
zug~tFS9=Cx)>{UNE6+S#W9XNy&v!Z8GI**}I4DjV++R4&qVlCJK`3afcVN!v-TYAt
z&s!)Ps2W|TU=+F$0af@KY@cZQ)FiA7b8Gl)2X7H=_%vvH2`Vt|+Uwhg%H0aCC#bz2
zgsP6Wg?_%HQ~J;_<XuX^04RPJhR*vwUEdax<cx1s9KR%Rn^<K}FPxc3C*R*^m*J8;
z0t?mR@<4$q_{|kh4{<hw!u|~@`ZBxm#~->MxxJrD^wQg_(XTHK#%w--uMxLtZW_BV
zkWJtjmLAFUY6dIZV4vxs3EziPd~?y}uJZJ2@q1Danj~AdvjWlvUV7iITLEg4oA1dE
zaOsNH*n*v~QhCAA+t1B@=)J)x`<R&!c5scdobvqVR^edydFUjyX*k6|0SBLa`wCnH
z$-298eq-S43i?;ik6J3Hk8e45H`!gC-O{^rNA%@vaOi7$3924$n22)|7}t~S!;d#M
zdjVNYNC^Qo$_)a8pX$ehxB0&Tl+hhLp#na0OQFYiAULIXe^EIr75B|CUCS@VT)vMz
zZUtz(zn{JeIUl7mV<oX}^{#{&>-}TZ599e0wo4G&D|QkNT#cHNetZ(cAu66zz6$8l
z-t8saB)<ln<y<xyuOzT=PT`8OWag&ILj^NlfO2JV1Le;{(GDPdvHX17jK$;N*_vnZ
ziplzuPosD?LYgHUz|*E)g^QE!(v~SjojL<JA)vn|sp(|4RBfDWzg);<#sJNr&AVH|
z2_;3@3OW<~N(|xGXwz@PGDa=u-W~M-YZNN+4V|AJcm_&)y(NxLwyLN+l5?wS)6^M#
zGBEeyf&j}Q_D>x}%4u|4hHo6Y{NU1|bEfG|!c2!d9dCe(EXU}sw+0PMMu%N|Q~PSL
z_(Xh6=*%;oXt74k2w@)s=}uGnRdc*}=)4=XYrimZjT*iOS0s3K8Px=kEOA%{V1U!i
zsM+P1gG>sDr(ubzsGu<?OWmgB&uqtPMzVEL??B;rDqU8VPtT?aDwx`r0|Sq}T0w%b
zA))(#64Ey(_=8Tv4MoCsn$aug`+Rx@Umd7PR3;d{c*f83SsTt|w%5B8wVfM)(nMQA
zh*U*k-@^(jSZ6%v;08s4ZTl{h)7$!QwZmJ1^bH;3nR&93zBM8Ewau;LS9W&uosQ~V
zi@qi}Jn0S0RcWknwR+wVN1|#ZgrTEpI-qvLSnT>*69J>;aGF@rS_inbGPuuRz+Rey
zaa20dbj^9_<3Q;AN7Q<7;8z3^bT1N5YSnTjt&*vrqv`Q&n9Q<0*fP96ywPp?k+!{k
z(wT-Yqq}g0Y01T_U`MCA_P8Cu^z1*#m>efdO=z~umNY{ZbVt~8zI<S)q6D+Mo7Z<~
z-5%$PXl7RL1B`KT3b5=hnYV|HH?NG?cZ!=%ad<vwenuD;F7-t{SNY3}6VVO=mFhHh
z&~2ik>;Ms%09|3u-1{P(j>Btjx&cAav1MrVcoM!6y1SMAcBrOi`1od>$e~Bi5>%97
zF@&a~oRBX{8a$9fq0+g$?uyfotl#Iyw=Z;dYN)R<g5_0&m!nj(YUbNF&>e{(r_<}<
z`v|q*J^_F9;fnrs`~04wnv&22%&mxRlbV_5G<$-%llr1L=Qe;e+SDn_tg}LI$DpeL
zsN;I|uR0A`rg0oVO&)CTUmX~SkiOPxzT1jg1Jr?aD9U6Km}TCS;e4_pSd3PO@EfWh
zw#}Ficir!G3EXd4X~WlqpixDywa=lIX+O~duDhW2pREyMK=CU~hOY_Yg=qsJ4^5uC
zK5&k}lEeYuvb;4jaZszNq*~mt30>!(MBCN#;%G5l+$5$TkZ~<KOODshd@O8peq=}E
zX}&7$9QC23><^!wB?z|(8TS*Kt}yVajdGU+&~1!Z&1lpZWVPl(cpPF)<`cRHK5=xs
zMv5H4Fsp*gJM&UCvVoGr*x|ZTO%gJ1^_*-EA)dK~PWK9MC%#u`f2_?GAwM$6e2viA
zMVn(_Io=ev_R7w@rZ1`lEKCpugC~9f$e<J*kX%}fDSf*}w`d;%P$=&c_jY06Qe<A~
zDWeI{$SnqCmU$6d>6ROpbf?>w^-7}0cAdpxPqZ|@FAtq{stgyjzAAJKe+Ed$h)yjJ
zW0GoWbTJ+EL9b1_VaxNy3(!fU-r!E3&`3$8HY<{V7jH4E5HFet&fk#vk`JDwaa>!=
z#%uPaVQB5xrS7|uK3#Lu1M{>R{0?;I!V53<W*Ob?zZYR_xAH2LS`*jVl$&dC3Ei4B
zhX^ZQ;&$KWu$Ev&yYqiRHAUZC9jDFM#znKP#Jf8!dPh3zR=Dv49Ry!~`l?y?H_;WJ
zLi15{g{O}{$@1+#cK8^*U~`M{nB2TZDpT)UtuBJ`pcaj+k@%NuJA+yS;K`qXx(JS(
zBxLRlcv%>2*b|&p{UDn2)yO0J9R2(Rsb=*sdt@~J#un=m%xI_K=4l+1QcbD1wCrU=
zPfe8_(E*oQDmxV6)Ihm{XTXjO+UvRnF1R+o3<8I2USgTtaBGj*sfWVI!}?0p^y2CQ
z;rApmf?EcHKGqEcCt$2i?roP3z4|l=WdshD_rA^aYSEE-T!06;3005tQIc{6V|;M!
zdU#nPV@Q!dW6^<rcR-}&_MXf>ndkDGWN}V(v@I`qUlY=?ZAbJFpw85{pcgh(1L~4e
zBrPwg^K>IG6SjQO*u|>{69RIdR0%vRQJtDh`)q%fyom8l$>GI(mDhuqb5O4&@=*8~
zUs&qy+x!R0s`<pC^(HnpSkIwW9OK;NgUZnkzuUBJQz)U<$5ObDdEmmcW<}KXU1kL3
z2xX%dka29SSf}m5rSnRL`n3}9r(P*yg@CiZ$WaA%V6)yB4PH^Pk2LRfh+vt;TnRt;
z-Z}FTGmqy@zDBn%=VI(p9uCekC2Mc^IbW5xR3EkI>aMciagSND>>~o^@|0^8rymV0
zBe4A%0(C_*Yf?hWc%IpuuF7DNBmPbu$PoLS4KL#0@j|`l6JS0h)dX*2Hh%MVIpf6D
z&w>%$C7}hq6C1aH+GJgA!GoM^%g;6Yi!rFbwG6tq`>an~s#1$4_N5QXj^GMgar+G#
ze)~Eov_t9v`{1JE`&a{%FHqAj=Nu_w-qVfFK|MPgUZvHv1}Qj6|H0$r=?4!LJ)UK<
zy-YmK*FKF9YusH4h%#v%LU@ssN@s>(95ER@=M4qzDYDhjfuQGB?c5=nFIfQ(-MCQt
z-FGWD2n8fdw?8QUqM0TuQ+vYYaO27O+40c%h%?$A>duL@+EqfcTSMQ?g1wGyrw!zp
zXx<J}xE8&yO?Z&mLzOS4Ypq&?mO$L39-++Vd9C6-dYM#5;mGo87`6bmm!q4&4r3Fj
zFHak}GV(-Mz~$sIJG3#Q&eYJn<Q{gL+?!XMeIV%Q&~9<{IOBA-rYeK;d=jnv&wURN
z)Ffv-eJ^mI4hkFe>z$fB9a58^h^0=vStOO?nImJF2ozlGsBZPw%{73+Bazh6A#WED
z?cegIh_Q0tlz<@XNV61_XqeE=tyl&kC-2}gMl(cbPd$e)F&v+TuDb}k+z?>}8hGr|
zQ;Pr%kR{xl{9)nJZybo$9cNe^wk(S@w%Kdxbd3#N?Ni>|84jXQ@3;9f<m65Zl!Q1F
z{nG%>{BB-8lTQyf2#+kdyumk1PncDg?4+sf^Xt6r5SOH?L64vI-+|cC(P*#-n01G>
zU^yoqmsRY5awcr`!<iXSC7o%j(*>B|Lse*=(HA>hh?jK2k-%kVXnd0^2qF!UaMny@
zD|j6c-@&wye<%S<)1SKJ1I5o2p9V<}kmor$4Bkrno*jnXczRHTjxT(k?bv(*B!buk
z?~jdiS~IbEpM9_s+@j-vD1`8Ja%Q84qPKjPmfh6e{GiW{JX6_Lrv%Ccma>6Fl;d-Q
zxDx0__&x5^{+eJFaX?-jQ|qLmd!Au5@4%ODr<@5sdMpf9C=qz0CN4D$i7OZig6;}~
z%+^AlrOgyrm6HJt{a_!XW0qy7sGymjp!6M9gPCnC%JP<n>hQwoJHXYll0yca1pzQ<
z2is0nYf^U#EbO53efhaJ#Ct6#pn%)^eW^@m3=~G2ZzvOIDMp05s+2Pn#wc{-e7~p0
zcY$;fxbG|lT|F{-)3u8j>tn9HeoC$dxCt($ZZfR>u-A@SGxhds?hzSdu=u3pNu`Bs
z%oT8HL+~id1hDD&=;wgmGEC`((CRa^P$CN4eaeIG(#LsJA7Yvj3`YrI)WKj5g&irQ
z8o9l3X7#7LIOt7NR4?S1#mbvLxZF}JNyU#o^Yi3^NUF%_{-QpR6u5QWh$02iQ3u^B
zas>DLO}$n+WrGWOf1VluH|ahxUM%aOX^!XKBeLAWq|j6AOv)zfv6==?Z=9vVHtW7B
zNxi&|^}dSQ^k94F7i){89I0#Q3q3#}9pLGMSxpsWc0^xGGc4}3Q)&9t{Z^w`^T0FZ
zAptcXZP=<^*P`n`7AoyL3P@Yq;5D2@KO~acW$C8$$n5YH|B;*=y5vfbi88&uu0!nP
zo}r#Q5y`Kd*qJupI-zlfGtyXRUHAjU3Lp=g9zPKX&;u91tLAE7eek>ObM*hQ_ts%S
zcH7&agaQVsqI8!C3eqXvAQIAwAR-OYjUe4EB?zLVv^0uzNlPQ$h;+|-@Vw`|@0oAr
znrmjh|9*dYArJf6vG&?)-TPkmL+H85@|mKwbn(WG2l~{@Z(2>xUmdjQHpy3ID6a|7
z!l)-LU$A|rM3mR$QqzeT$Bwy;*+T}7!QJ(Os-OgHA7%FI&$~?&Q&l=_)wU`gFsRy$
zaWA{T*8BbQMScSyH`m%~Ro=x~^`<H@_2ajgv5DskKm}=DN6B>BV6X_I`tGn}13b<&
zcPDe?8uU>;?#+hMO)gRxkFF5>;^00^LDYs(jOx16x{-6v1$c(zXolGrsWs%+Epe+j
z>qc(uDEf4OuJgr=7kNd{G9LU(Y?OopPYY_V0yK3oLw`T^#TJ`6FNig0QkBcUUnt2`
zYV9Z~x6?*CKD(sLmwy8uZy=d_SqWQl>Ec6nGN$SGkWUORW56$j7<S!)*iPEnw)1w~
zN}FCF=wrQNr?msjOZ~L!a%S7-MF5nXTIBEKA#G>P@!oP8gPQ)i3af#AczU+JUpEjS
zBc>Slj}oj%%PLv45hDg?-5%9WFliFchvmv!E7=SHC|0%oi9#7t=9YJdV><P$<9XF?
z(9ZTN>-8pv=`QAn|1%{r|1%~3+pWZJuXnYq>9gyO|1I~OBLAv_E>Ln{CO>@SVo}sV
z=W<-k-s#tt|CuU;`{-BP`ZT$F=<e$Sw}Le?mp|KWEI*EG+=05LWM|l_)t|nxNpPp2
zl(h!3XRG>Pu0}RlR?>%Zcg1&;=8p^zUlLXH%4Vqs@jI<81$J7}umxl)I;3&nrt&IY
z8KgA@yETW{j8Wrm^GS~^UR}XYzvX_sT(C%&Am?rWVLjHBBL?v|OK$x^<U)dL<-6lz
zb@ur8S!;jG6u$1_oetV-mK5x9o#zqK*c#4`P^y?R5(>lsOzB%!c7Ca*R@c^2eBzkk
z(psP{7g9a_9s31RB0z2Qq7@zb@&uEXN>P%`R>c$$7%R{@X;SRsrlw1J*@Jb*_rPsv
zPzT(XIA#W@rO<ZrogVG2%5yc`>y-n#ca;@$=|WnI3QNsQ#9qf0u5W<Z5d^yZytFYU
z&lN097f(ax^6Sgzg$UUx!0G(==Mq?Jj&m&<ye=_^RoS#;#5S_#*9!XWxg0O+h1w2i
z-r{chK1}AakotLHD)8ya{=DLW(9VZ<Q|mbVxS2_APW<~bkp;iLUTWIq8ex8)?6l;t
zJ7yng<Y*4PR&0EVo$bDvP|&37+`z)OPQorH<T_&IUe!dl5etP5a{&JRupj;W!|3$*
zX>_z&KpRUff6eC~`WwT``AuqCrr~m{;gV$j??MDPcSej-;(m*gx7zMsuinX`iozAn
zOm;g!*K=7%GOtHV{p{tuRgy`B)o_#vSf`KmdBIV3-Mr5ax!b76mGLEYbCBB&5B)X_
zFlkQN&({T~HHVENDaR}5>7uT+E7|!$2_aP8_-Q}$D%V5SO^Y9lx;2qn?eNThn~l}R
zR}|b<Spn&gf{p>LCY6Ws*Dy$3EKLQT$uSq~O%*h#X*C!LZpQBotJl84%mMWffe^mA
zII)$L$_clErnSl@1UKZK`#c?C%YN#zDPK(DhkpD^QYb*fD4uozN>KKuKriPtu?5M*
zBisJHo(S2-j98uP08VR?xJ-I(G>w=CisA_ImrmG?AVLyTiJP5)voRWUr2xUwY_H7_
zC}2`at~R=EN2}|1SxxKjk{>f%KRKF@oJYhp0A|g>v+3Y5T5+HBwAwgNNTbJh`t{Ou
zC*OLIC_rwz8Cqbc0ZP1EpX#R?6U^UCh8o6d(Af<cXZj!24}ab$t35vLVy=Ekm8_-3
zbv(1SMRr*UIn%c5{OukPgUJqmRu<KS!?fb641%TS6rCIpbkbS9H$GU*3^gko=l#Od
zx10TGsrB<Bg9t;CWsmem+2ML9Y1xDzqKEStxk!MrlwkLhWxe~wiv*ip<Xr;0+9VFm
zl+r53$F_s=-?|9_$@afGcHk@Y?WZIOUaXFb71axD-kC5l5?7}$=chNC$U}|aCvlED
zZFV@E_z>c63c^<0SP?pn$IMu9>F#nn*_>e>y_uO5v$g*%Qn4`xz~~{P<ePg~_oFj(
z!Z~HWWvVg=Z2hV?Yf1tbnLd47o^Q3dVEBzmBld_Hp`NZ)L$k7^{pb^4v7=ys{~sC7
zMn?)cmZc5qs(LHur-_ekMV56rce{5lO9178by!jdretYKdi6OR$^lZG4SeerCWQsA
zfV2vEcC9(D#ft?E=$hnyJ^}2LI#iJNS+e8Y%wZS*rrd9>U7If6TaHE_*43X3MO*bg
z@K$nK+n=8f6U7O3Uaw@`;9@k(&MTCm3hCsXPu$zKaEshaE^S=OrWaYv%FYkjWc^H`
zd$3y@Y5#~kCld;Im_vBy;`aLU-IJ;|qpzt41=nsS(P)awkeN*fa|WEh{)mE+LFAsV
z-Bb&GQ?$CycCw+(XtyNBvi0F=sjL{$>eoQlkS20xQ>xT&B*Vdnb8r<S2`f2jb@$M;
zh}M<Veae3Wpu0w1lYG*N3H`vDBts^rRaJ3@pYLXly3ufG7-L_7qR<z1!_#tA#CW1z
zeYk7?l7ZL`gxH<RA3vw^%Y}`|dh7%S+84RDgTX6h%hH;CIYk#fvJ~4-IMPc$8J>oH
z(?F<q<Zk@%l}oK2Hfaa9;poe&lu=}^TitQS@8hQc=~qY-rBAY!p`gpFUaR;FQZ!Eo
z;UX&3ZR?%%x7U8XzuRud`du7oRR-*yf4lEtLC4MrOk75+?!`3jBg&-pZ;=WC!JMOa
z)U>S{9OhTc2sUva`faPFzU(ZYZ(Ow>zlpJ0>;C(4H`$zc>v)Wo1*u6+>9DsHPTEp*
ztX{GdL$^_-6>=A|i<v<X%E$6d)~9F8{lsR)z7EBIkDAEtG4ILq0adPb#GBDXRs0-^
zG73NrgZDZ2R#y<U0T94?$N@X6?`h)Q)b!ujBNpV5ikuq1wY1!p-It{4X+J6^nAJF1
z*CmVo(s(M`^7>_OFc;a@VdZLt3GIOR*$F{=6p%8gW0d3om=(bjt3EtQ^r`bGC9`u0
z^bN#zBd)uTRud-VE()xC-t3g#^3lJ98M}P4emd0?$Rcwh8;<j>KkA{v&C27wCjYpp
zl?Nu%LCR3-Xo@Rx^cD?U>RWe4tR5L)>#EAaGe4$7LnX;v@7awQ#?CPJgxXCA@bvb*
zacYWNZPa<PKO1?qXF8OJ4sR!YyyPNnfXXjfv=zGCD0cPZ=Vt-CP}S(+-Ln}OKkOsR
z2DK>_oe7>zBqd->0Mwax=!5m+6p1%|IHePUG1~h6SpD@1yg$ADr6RnxBSAap%77MY
zdBXeNT~=N=5tTYs>zxXkAz%h~bG*;$j+Iq!xM(ZOTB2fF*1;+L<P{pWAa^|eyfb&C
zm=oAJ37%1kv$^uK<kt=r0JlxsT)G`K`lX~kgzv(l%NEzJwoOB_^9tTWMUH+kmdf36
z=clH!OQaL&6*s+-c77UX%45$&UOa$3LTBtYsO@a_dt2jKJng<{NyQ2oZR66twY<vJ
znDlGbC&s-UoPh)Yr$0-u9l+Y8^x6r$l^?X(#Y2zh_J2DUHa^OOCX-<JL2&0&+rks+
zNt;-?mY#+Ku?RQ^eL1G~2N@x@zX08S>?K+LY1@ZTS4w&P5jpZW!QK0g=ACyQTnU}$
znXfMr3*TF3?-C?_D9>Yv+<Db&l5Qy;kac&i9Fb7@*6a~2+Dekxs<iVokx0*03~>JV
zoSwioXt&y4)G1?16a7gq7s)@CVl$oj6waKTmiw?)2_&9bt3pN-$sTyL>W%2A$gZS~
zYOP}a@X7w*rV&l}t*qN8D}=Rv^}U<Q@8Y>!b*zUBTXY_z6Ls=+@xNO%e}rrYIIgYL
zjmcP?#vqR^x|%431x{3E5<T;~4Qz*G>RfYQXqX{tyfV2llsqMU-^z;l0VPYoEOvS~
zXWDc1qoes2NBY*(-J)wqW5-)|>y1oEV@~t3&RK$xXKlNFIB&MAJ?-4tATQY!zLQaZ
zmixF`x&C~0wR-0$UUd)uMmPGIHR6@SB`sh;Di51DN13T*uIQc1ojc1mUo@iLc3NeO
z$|~<Xd-8u<I+#X8H;?K2!dO*xH%8R+_hB^Uq<$U{XBO_j#JonyUJE^oMzapH4pUsu
zHWSC7M)z`~pEAc_a8ai(I9Bq!9ZhB!dBKq^hZB<fW+>kdAEkS^HT;lac5Yak?`*cM
zZS#}VgTVLbW7|~dK!RxN^YJDQoIR;Z)~nmE;1}dk&O#D5-Jiuf4LS>rJpGHT#={RQ
z^K&C>yZ3BmUR2M}-B3r`R<%jGR&5^izcFe5XkWcsB%p?Lj>yeArXHYJBC>o<A)Q8f
zUy+XkvgTe^|1%~3GbR6RC7^6aH2%`1;yLPklDk_FF&7JhtZk{#5!KpKYi0TK#3$o1
zSOdJ~G}l;TuQF3{H?7a!p6{_g0<Nu)WOC|*vSS8bS1aKqTBT>HDhxL;x{`z+n6MJa
zloKzUE5~Jc0UpQNDl<t9P}PrVAvVLW@SEisTB?W9TLH1*?Ecx298B*1=10IIXG~h~
zomUGWbLrP*@2n|<Gp~Bq*kYC<EKrHb*SJ#zwI8rx9^WO+g?3scMF8mS99gJFwFYc%
z-s@o^w4ol;b$$m3xqZO}gr1a;`-h%nggglJB;E5J#qx+^(cst%ALTKD9M@<7W}jt8
zH1Ze&Q4A1G9UtXj!uz7~fV=f=aByjzA(OfsfHMzey|)F;&~13Xk$S4i1jl!kHU!po
zsa{oM=pU)oRDS@RsZypF$-ObcW&oxSsWSB2Vci?J^AF%&H5%zw*6@54t&;k`x}}5C
zQ6ih#r#&$^WbLDzRGn=W4R3jtU3h`l3ac;bPq*X=g<o|jGjROa=it;yRe3u9LeuuF
zTX{a6+Nj$w4y0R(r(8o!|G3Fhg<&P+UQAf%qg9ec{djI^fO9tnM6$|z2rTc$j*BZ;
zqQfjxd(7R!Z%zOQY4LT3)zby@24kylc6AKU#y%biTEDJ`YX~Ai_K7gzHF&z5+U^|I
z3{VoIE~)Y5o&$G!K5^!%FUVKjGc~B8@H_(B_-(X;iQf#~h!H1iN8>MUC^q1##-G2r
z=%Tv9UBMEXfiF^a28=b~k~SFx<@+kHU>yhlQI9@1jlb{*3*>u^?xYBizw`T@M_0hV
zzSwKgzz&6m9I9M2QC)$IuypAeM!4`_w+^?E5=1;no{lHrxvyM`#gTn01Wg|QTw%ap
z;DFxd`w#1>!jX|R#W>G{h}ix7{#yfU3(@RSd`l{UDgZZpOLvtjvk_$9P<vL)_x|If
zJIUK;G*skD;5FT3vek15!3XT9EC+9RRBX;_kmJtPe)~0%gwNM}Ca@4zcS=7g^eFGb
z8Rot~2yN9$@%^cl3j(IDaUbUDA8KR;fc;DOQK1NDK1_H6`r2?<cN5`FKEDWm^^iX|
z33=;Z6e)zg=ox^_*0%==56|u>_*IsPkgEy`&l4E)c4!IpSz91Za^nFJt*{<K(53Lq
zgLSEpn0<A2tD$rcn(ijEbV0h;0h9P5B){aWUTqf3K*YG*?@?(m2baXRD`quoo2Rd+
zQckTb1wNB$y32hg)5b{}sQ>IY87d@nDnu#7nup=;R%8Ee@uc-wbvcXSg}~AJR4uT(
zmR|?5*6az080VG@RBWULvN(k*X*#c##BT0;C%903-TqbERk-}qokSZa&v(Fm4F16w
ze06y1)OBm3X&?nn^$`x}9RAiG)N?;h^jG3tOpokz0fk#mGKPg%E%Wlpt~$H=D_rRA
zF1ms_D1)L0Cgeh_SeS#amQ%MUUJq=4g7CEIN5Rubi^KJ{Q-*!Vjm@6L&7K2WAyzkC
zZJgtNYPb}*bkZThaJvk+Xu+iH&)Th5#k!sQ!t~Cj69p^Cqwa8gx8{aW@>7|Aaan~O
zv7n~*cSF-}Ey0@SQ1gnc{tQ57Q5dR+e`vM32wnJJBBWt;Z(&7QaL>%(pE7GmJ)}fu
z-&N#S9AI==1vVT|-yQZ330h%PG%Tg(^T4pE4cEs`eqjBFG5w#Nh#1NOsb_Ujmi=^N
z(9NP8!0#mo{>Xkk2FVXv^*^e4Dt^LLQ4E7`#G;w*S!E)+c*3aHkn)ze`ouiMKAu6Z
z|55-2;ak`;PgkY>T!FoSUGkTNEB-$<?`Dx(KVR}hAEb!`gy=cZq<N;+jE&xtWzXdx
z@ezBx?`#)bL#T)zk%?(%Qzo`7Akzkxq4~54dY!1cu6<U}P7{V~6<vc>^)u6UlCHaC
z<SgA=bH)dKECn5*#M}Qf=~2Ld{)nz%c@gR48$b^GXe>;!k$x<}eTeFyJ-9}gO<J&f
zrbSMAL@e>G6^tv`ru@QL8EH(Nluysz#x%WLqM+&7NGUw|vC>u7&1duyt?=%G3}k_{
z4+h8$AZ&0798~ISGHtB2E~9RTs~cZ%-0qz5eQN0wEk$yGA>=66dnO7C6N@Xg_8@I(
z>@)EEm`(cm)REZ%D-nNuPsAAEJ|cX!aUdshpB`;KZ6dV~0_FnU8<HnZKsM0_$fc`I
zCu4mV$R5&j++g-GZg~n&W$=Lpg*7oZeIyYP`}4erzu=?vbwvolX@LL<NRHqc;qbh4
zkXtJPnIYWLjqjp34L}kTIKY-2N279t3^)`a!{PY?)n?*MZ8qL0IX)`xLDvb8=<Hqg
z>d8Y8D${$=XMM111X{-bkgEm}8K6e$O~J1Naskf@0lMNNV3|y_r|ioOveRv^fwpkq
zVrGiqkMEs;#TE<#=owpkG@Ez$VdRzkRT&tdu4!Qloxf5AfL#blZmC?!2@usYj@npE
z;0{b5H4?tw<eK<%!JLZ8f4tRO0EC4G+F0%1$&$6ls}@a&xHb9VkEYj4bht7Ia}F4d
zY*y`eo4!GANCG~?mC<bza6XJip7}%qgx-rk%e(bmG*aagFe>@5xhFk71N5pNE`Hsg
zK#~70fVLlhz(k#K|EhqafTKMBDOk|$pf{y)9&k(VeuOp)L|r@lyQ!?+b81><*W6Dw
zQzGx~jM-1b8OCTt_~9D`vQ{jl?E$|bVJkR{dpd}H3h0T+xK?~8d()A36~Ko%Y<6%x
zeRYM?4_LH9Jj>fatIVJN>=zEELNi}4xZk4KhzDu7-a$_+e!(H|&n_&66(f?_x<Gc_
z`-$WJV_;3uWr~1c|AyM(YMGvOrzuFkN|}xzBvd2b4Vtt*1qMn}sV`N_d6iSd6MGVD
zgj6Cf$3QH$0ublg-3gaXTJ2BK10nN4?45C9Q4XP}YlUqr(zRfN&))SC`yN>yK*0i>
z=PDMbFOm>b)5oNUP<!;mherHG0ONZp&T^X$4t4(D&D1S7-yt^+LoU=rukmI5{8xhT
z2TUs#-?vC4$y<g8U*UR?i>P%ECFa9M_ovW&8q5LOyfJ=;u{xal?&w{xn-VdZl0|0<
zHcmSLy1R1#q+fztxy8yykgbOnbqVqTK3@*lty`Fj`$hv{C@dzs8t@nmib8P@7bJz=
z_{n+q9Bp=`_+3gCr=f_$=3DvXJvdmiQzBLc<jYe(ge>V8B1H!EaJbsCw@Xw;tm01*
zmi3GydXw#-POO;a!ZN+kzBF4C$Zm6dsRhM!+8xTb!$YpK(dr5_bm+t)-nJg(T*J@b
z(fIrVZT7|HqDUpLU0_K@rjzSapBKb^jJXB-fEt^3;jKZ(-3uSzhy_A1=FzWu0#9!p
zKdEnf2yGVz;~XyA4l1agUYLlJky^?LfqRpWF6!U4N&b)#UPzql7Ji9NX*r-_)R0ru
z$@@iwGiPGI(;h!u%)noM@v+%kC4HOVW)TmHx_}pA+Hq}!wR;T+6po)N_RW`_eY2C#
zf>60n<S#A&J_>c#Rw|Aw!&>d>$s^N(hKOK(V%s$KtLc*hR3ex$`EJ|U(lV66MqFSP
z-Xow9o+xIz;46jqHE01(WD$0*Ar(s@J7@c1k1VUa_f>t{2x&U$1Ce`_LC-N05%nT6
z_oI!F=}yiOQ-251Z}I}$eJ#$ta_sW>(NvlP(hRnRmHm?K7(Zi&0)A*b_B`+PL4iIQ
z;cTVD2~NA1+<Y@Fn5U=|LBGWoa8tEF|9D!x_CS^D`^d(OfOikjYHxy6x%nvY>HTpK
zO$K%>ME{|`vfycBkVa>geTVktGZpQ(vFLuqE;~gj@>J3|f_sx<RE)$J1>Yp1f^RVz
z*7FqgwUvjwXZ3CbaqeU>Pqw@FRnStuy-%D%1MZ*D({6D>`I^^$6>y0Y`5eR8LF@;v
zoS(Qi{>LX`PS5pD4+bMu*aB2>zubRbQo0h<gNDN&Cg%3xTvHJy22`k{aUR9jJqgLq
zE!F&OKll3clv~!9Msd?I@FxVXXEo+zWHdoy?blC9Dw(7e^CUj6<>FoiS#LuV;vggX
zRIw#px^w=`cO{h%xe3aE&`oc0soR&r(EQhnCU$~1LoT4^Ub^>{u;$L2*`Jj#1wL2~
zKTUm-=KBzeO;r53+M!HKQ9IrDz1q^L)0Z)cO*_A;<c5>kBcCHUPpBOx=FhEOJn40b
z?!guBR*_4$ufjE+9>Jj$fk9EHfKsmlpBer&Dt)nvo8gq4dt&UIqn7plute9>tP_ny
zFeyLz-7o{mZUWV6VmSu9aM8(00-}$`LWe_LQ^O|ttK2MKqd(x_k#$N_X2o%>1Mnmi
z3gYmbJeS0^z-JNM4LY}IU~h8MhRST>V4w`2QnYfVuq|Q%=W8CRqS!O~)Tp6)cMVxU
zH=QD0`(YaDrqALr>aXp2v<9v^;QyTAVPew9V0?#gsc#GDmf&P;Mhk~R0Plp}WBw;B
z&_^8-x^razsiz~|-LUIr#jnIoTGPk-?4PQEH~)p4vqAixH@eYN;IBE}C}gwy@x+&=
zRgCDSk)<D%6`g++AJyITF3Jy5Tr^Wr;;vBH3jX_0`pYYXP|p}F|LtOd&keKNID&Bi
z`r=JfEcoT&%IgcZm-K%2<IcKlO?UBuM8E{Fx+9~yBxbDMV^rcQU(FU?pt^IRh;I|`
z!M#os$~`H@qpeIKQiNR|X``{~KxGF)G%LW`4k}XLL$Bm+67RcsUt)<qjf5E2c-7%6
z!>u{t;*cl-blRzYkVb~8B9V`df>6=~$D=Fd_clL#kp-KSL+!$DTGTJkV)6?LXw&Xz
zY4G9o<A|QFpPsP#_kG93Omt0si)up!#+Y)2@9SKcD0cj(MG1;u<NfM-Nr`A_w)o6q
zo(d2r&>V<S2ZuIeO??8*n<Lzh_KB)gV<E4Fr-Sf~pKFlw*N<Kxj+MI6zaVuh{Sn&N
z>B@;?bLFh0C3~@ETwOn6Dkc7|@&W}rBSA{gfWYJ43f7ZOAr7KnbX|o&h>G0U`d*KK
zzrzC(@2}UcroKIebDWJQdmCC|;i>Hlp~ov2aE@X?{j$%dEV+>jLGZt8myodRK;rG7
zQB<M(rytD`3gQ>9>H9xd&6HB94VpDoup9R)&O^*u+K{8C->-&(PAbKu`o?ZncAgA+
zlO;<#ZR;1FH>phMc7+Lk1U?iDvI@oC<#xT3L02~0*%k4xv<*WzkZ?8dt=xWH4eyYE
zCI5kV&fUzMD~(0HE+4miZ_peU*s`?0iV|NNqq4>IY&`9iXe%PNL%z$Q5-Y5^y(ZzN
zOm}U)^%stUtrf4$S)l)%_Iq2Fy@nI12&G9PPfO45EV1ORdrVDuABTW;nSIZ8{!EzK
z7(K!{>Vp%Pd3)U5HqGrk<C8&M<nQ-!7iI-y+V2E185ZR(vF_r^XxGUwX`4hblC%Cm
zB3#H!ygUdyLr|0R|I{Q>pySF$eVr4`@C;_>jY?VLjLzZ6Qt5vl5h#8ZM>7FyPKD8)
zN8>E)r>TplT`NhwgMx7q3!40RV+o);ltm<;^>#V&OvjrJ$pwZEhgp!AIR%~jc~|N|
zcxeu*Zg}*X1h4(XS=!^-ijZeI4HeEr>cz2w)EJ&{o+k;Y;QE;MBMH&m1NHbwWQJa+
z3obyM9ocGMzf#|H#tRfi)ggfRb;;?@AH{1JQJ65K1S-|Ue9zkBW^<glMBdc=5d{~8
zaQ=#aGsf9we~XS@Wm)?FDeQ->^ynl68JjTb7=rIMwPgNj`>&F~vt%IbmS^$OSg=a9
zEYrB7r(Ryw>RCQ94fzC7Ejl`kPU@}9f32WQjZGf%$63gH-*)HGLf&zOe$uB15c4-@
z9|Ey}6vS0@Rru^3cM$cJZua6o1-%RZy7BtM{``m9<}i|4jW-aTrB({igzfM5rO-A$
z13TnP@zv9#XCt7X4pXbH^wh_`>vpu4{yWLx?0<z(9buTW;sb7fIGM5Nn(Ih@@&n0F
zjQT5esY>(HFhAWaI>QYhyZX+DI^7hyu4A-A;~7El>+4ViU-M#cqDO5B84uq?lyEZo
zk?EZDU=3{;If_u_enH8+HLOu|FKcHO2KtfbIGUdwr6&pI-cUPAmX6F@9Q31=9h5@R
zD1@`9vS!IvO*4tJbtc`u72=W7F<wwikF^!)kuv7iW0%7Q;70V9OP!R2s3*c*=d+V!
z9{0ifLJ%>=x45Woc9(!{dLCaYdwi_<<8J!Y807e9+Xj)s{aAZw)rdyEE$yUHQC@O?
zUIoFgA}xCy6Fm&nmNVPp0^2gob($CXh=$_+cJNE!Fi>{gIG2IV`T`Y(BLAz9vy>8+
zizV;??-z#Cu}hZtHU+ds=GGT5hxe;!gg?c^3aQ5xfhuQcp(|5U1qW&2r)2JPGH9V=
zv-~>3b>*OiA->^ND`HZt>v}e;^8w`w^r|d1WY84&lAizFI`h|nv$8`wC_B8Zzt<SL
zXjBHQVXJdU60OuuiQMt1)R>T*zmi9byca&LqlyOaHJSYOAnw=XE1X6orgeba@o9|4
zGij%T{VsPhBpz9TAPvdFY*$?2#{eYT!>@i9_oZ34`mbuic3{U)FTV{eJ4=d?v}~oQ
zYi(-LpWG3t+=KKn7y@N3K?o$T93GqN!Yo{&P5DUR2~HclmmT80G`8~;Sj_Wop9ovz
zt(R1d!h*$&2sw6v!q>r2m)mvZV-qC6xha6G1e@0-T*Nrl=X!v^&JSvUUUElqS0O&N
zTCd)v^D_Fp3RiZ1kVCprq416hzIGb#T2t~qavQ^hsAr5nOMn1#4{fZ0!qXc6SCNK7
z?UsoeNcD!gA3e<}Xe6>4wQ6dJyZbbPanxnA!|MBe4B7{D!^nvaUsM4laak5D?;a?6
zAxG#1qcAS0cypl+fu6*fS1d;4o7Eog+|Rn4cH!qXOrhXf)n=!#hs#EwUXV>E4?S{L
z0{g1|>6i0_awn(n$d8}1oj{V79ApoLm~_+Ce=Gls7ps6Tht$SF>@)?bmLF17XqE!s
z(`oT)?nTnqvI#e5s&nxZkSDX_jl)lTi|gJ53Vt`A#ZeZRB$$;-&jIWO)S{<Qq8WNC
z?=zKu#obs$GZntUlND#xc#~j60lqTj0F`U{NG%g2q5}JZr3Bj*Q2X=hUW2*AD1Zz)
zmE&FJgCATz{iUf_73(4NUFRA;13ijR!t9o8?XzgC45T^_iHv?&x7{ZA5>{f8S5C(X
zNrA)BMpGm!B{qD6sB%&Oy}_S8`NrW&kzza45*0w`*nre7!uO_JsJxNNO!@~O^^TX+
z{eL(?wl<Aa3nF>>UBEe-SSnZWk;Ktu_LiPBI?+^6@OPR>Iea9We^me^u351Km!*d(
z0rFg9_i7*kZ$d&U7gsPrh4FGIejFBT+Qnrf)Oq=UYCMj7eFeVPLhw@n;E{-OM76es
z1WC~x7E*nuV9jJfmh$l>z4}f#;20M}Uy6Trf%?D8R91+{?bnM>zOm~a4i8R2;ww8>
z3Q?kc!?g3nq3&SbZqW#Qg(2rJkwu`#f;Shb>rhkWkM81UPZe7~t8U{xV_7^6;fX-;
z1<k_<<U2Dn8tBM}m#)|DcUYVi!Xhc4KQ57wn~Qaf|2n~45e9)@b!aU^3}WX+7J;1+
z^6~u}rabt7(j$OHrvYS8q!M;G>3gUse?b32bZhS9a9uG?MPo@PbKVV5mqsY0x!FWw
zBZmMe_jyN`^J~dcprDn`tNe$4U;~6ayg&J`Pgy`IvLEt!9jR0?@8Er^3k8>+_;4ra
z2Qbp5j|%{lqO*A;B=&d(8$Q%AfQS@e>-N1a1-HHSHB6WXYj21-Q}2KyTaJN}&hJMU
z6Ji9ksQx8)l^F1ND5)aFqoh<vkjl?RDxw(87au=EVi7@g0mKKHlvmU=45P&`yK!ZZ
zPeAd5owQ6yZy)x=)<pT;Lhk^CY1h9Z9*~wudo7=y$6etAWstGbyWU|jcKI<lEY$!+
zquz0waYor{;u{Z~*2?Gc?}~{5m*rVN2j>Vg0>)ghdG*s1gX{)UMM966Atz^B|CHNp
zw}_8KQ&0;7)wsWs_@h&-O4YlF%S$bEo>>Io#rp*oj+SM>4eJPuB<Y|9@_fSk$&bDG
zJUyH;%CFHt<idUNH@b9DH)v)1r}^<7kW&eyCs`?AZ3t8Mh`gLfs?waj@u#R{S3$X4
zmbpNT84?%*c&MR!o+^-;EnI17i=>-*Jl=I@hybNAIpCE1QKF~R_p+Mp+?mUG!7q8J
zUJN27#&{Xb7aMu9!M$<g$yiixtKkbw;iQEY$tT*U)#k+2BY9??<IDMyQ-N6{d-xPp
zsl<Q97ZQ19pBTZ%e%j=yMh?Z8VS#eRJRQeh2pA_FIW33HXeDN0UbWFkLwe<>NHGma
zogo+<H60-7G;CrQiRVrIK9fKRXp1AA^5h<`m*-ZQCtikvi2v6siL4a|OW6cpd@K(q
zF@)k0X+@Yf>;vduI)&IsuB1xg{Hd=Jd*F+dg;V8;#WOHl0avIId^-_RJ{c)>{VDaY
zy>ZBGiILLbr|^ZkV|U~ug;&K1eI^vKBiI?F!)OA$^eHY;UBqPY^AbBxg2m*8ADf6r
z`-(y%0$-Kp75e%6N@90##r&ywFc}V0w9NC1+S*sV*OIZzIyWdx?fbLWZPmBO)VF1@
zn8e;vL|tdm{_u^)^ee}6ocO&@U08>4-;KnQyk_wN>i5@Piv$kx`kli`v<+h)isnWo
z`M%E(=D~sWYpnRaUVC9{tkTyWPUi4>GAch38tS?f+*{3aue~q7QS$m#S3`G|d8D4~
z9lzu6=A->h0_NKKc(Jhx+sKXtuIz)V*ztV=87V)H=JpEPWtHO}qCTe1emla&kNt_i
zUEbl|uf#s|rFiyf5DV*O80|U`IHf&y`#wHY&Q`lkyZ2oZlaiT!OHdLE>sIk*8iki-
zDZV#8_DF+U4iw4ij9t3Wj2p*cqE>PluWikebcfH8RdTC|`fBaw*cG4a`L?(y7ilqg
zB6U)grr3p1W9aHaZ_8FTu{AzvAr?G&m?2{uDDQXY=lmm0-+Ad<ew`GlqBSo2Dlcgh
zy{cuTSUl0R!x_6O-NZ6+8$2Ijy(C?$bvr(|?Hq|ef>wZbe>OYx^A3!7>3Z>^&ST;<
ziv{WkH3vfG<KBZj44m}}nAT0P4KfT|DB1BK81fNA=YG2xPJv>AKUrxkU;CX2Un=0-
z#8^7!#ymDHL`q6c6%|?}-*r~q?8d*M@0n}<;JFu!j*2^3+16BVhCWp|Zl+|l{Nu-?
z=>1MJ+#h;I_>&%Ma<zr(JM?w-y(fYOIHS@Y>v?>~Yje8JDet^<?C+9=W?n2BFW(Qh
zRG8p-%hwdU;$MXMYwTr=&=B!1G`vivSCn~*Kj~TIf=?prfmZQUr!8bC@!W)b0$<o%
zWz4w=oxzIn5>hCn$z4vGu)<#G+`a4kToKiUYju%JQy$gDe*g04;B!6^Bm8S=C)UFD
z;YCBLT6i$PTlU?L@cp1?u{f_rFhSCzW13}&72_o#Pl8U#HI$l!QftCsT38=Jv^-ke
z*lly_!tswm_T1-*mi&FtR}?(RpW5wGtlBfdqYB&1hqEu?Wl3vKcDis-Y(wx1$G0~e
z_@m>uLvR8JFfE1cy$FXuuY9r+l%@(5%_-{a2e0TpBX`9`#>Si|31i!ISt=#lUL6?>
z*J;c;pQkOgpqVrGm=YzMV6y6kEl#)KE9mA;^q78$@N*bj3}20UD{wuO(%ybQpOJCP
zGn6rkd6kNYP|{<QiTr#lJ}m0TY0@z>?1d1!{9C-4SQ(tIOWawtk%!ELncIxo7@p^S
zls|7dqzs{R=f9CpT-ES~X%Z*7&;F984n;>YE{BN;y~;;9A#V6V!52S?w&VQV6~80{
zvHsF58|w*0Z;=)?7MtpVM0K50%+J`u+5?qWq~<6J3JRDula?7i)rUYcW8vnus+kN?
ziL2%pX^jpC{i~;|mXHbX#B}((1#F~Rp`u_fDEvyRJOoQKJ$=Z)Gg7MnHBYMaPSLIx
z)fhHNXa#SDP(hOq)?OMKAx+x-v&pM6E*G?=VIFUdt$k2{23nKKUcMG-89K4mU+2!}
z?ap2y@WD?(QAf;DrflSW@0Y}IZ~64SeA8%s<<eH2(nT%h*A=&ylWN6CuF6OYFdmin
zV_NE#ypen!+Kpbd%V4#b)LpDm`w{j@LO?>WkCcZIjSpt~`&jBLygm`~Ns>htly#2L
zI6fno-wdlq{BrEC%9wA~)E~B?jQzweb=*yKl8ERSOUvHZoCy+<R?o>{4uHv*z!OXe
zq5Fr?u)L{xJmQ2m>5)e$J@6DAC38)P%`2L8xi6;wZkmDQdiOJT_`}~rmW(K5+{?;M
zd=(=k-$_?>N9;pHT6S12{{Xv%>CQ!_Tdk|IW&+9z-O))fVRq1xmfo^FVBl$v7pxFL
zrn;iUK2d#a$#HNuL8N6n)B_C#to7|f(mvWV-vkrbX|O(pWvM$`KdFogcc8Xa?<zY`
z#=6%^T<000OxHzNs%=Uy4e^m9T`I67_WYb<PaM{MU;pV-)j7Vh`;Xm|kY!;%UW(F%
z7dJ%K9Dd2L@7&4Pa&B_$&rP<ssIBgLATm&SBedzEkH-4wp)mKyd6Mr*GxGD>J|ZoS
zg4=6&J`qL7%LC(9y0+Q#V<Q$YYTXIG8hDCyU0=&SOr&LCO}5A3Vg?P~1}ZT=Y#7nZ
z?ioMWFyh{!Tw3wxFhHfuw-jD~coTL;sr%S4UuU-Yc9rv?eCo{qUrmwz+fCfPdlz;4
zn+U2MJy`4-*~`-7t1_KCtbZSc&V<F^{Y2+BjyLr=n0jww(h;nSv`rOiwn1msYXa6=
z(Z89u&IRY+G4-VIIT-bV3Wlw}NXz}st?q0857rvqZb#=#sE9a+3;*RDR{11T4V(!t
ztem5UKK^@ETx%Jlv`;a)abfN-c>C|`q$yd4vEO`PUCKVhClR%G`E$%aH@%7Rr|A$X
z*uD(*ym{<bWkPI>y|C}5{msO7cSa6LXbq|Z!8NMJZFg4Vct<*QqKrw8ztq)(Ej|Bm
z9X@djJKua2c7B=Dc=hp|XVKbrHE<hI#x__=Z7~?5Ojm1Yf-{w5@bOqbQKEEabG{^!
z5AlP_TCqKcqG&8j;j%(|5Ri^2O8Ms|D1%M#|E4J|Zjr?q3nN<D&dU)@wgGR?ow!bu
zONX;LDh>Xoa>Y_&SZs?d(Rg)kUe#pJQ!P%Cf@OJ3!l3%$&2@c!ee{1F7HAb?0t=>x
zqIfcw8qLB&8!f_K36ZEPF$uZmzr4{SeDQkMDq+vZiLTa2`>NYo`61CN#>z_<Z4TeK
z_7t_KXxLhd)j18aj?;>-m+P3<vir)d6={c%o;*B|vq;Upt(FUxl9imQ6OKDsMT8|V
zZt@g$37P2S=?w=a_T{8t9qHa_n40<e$A+k1E@q4+xQE9wVaH;b=*1r18l$aU;b9_h
zx*g4)$<o@sI+jKi#gbS}ReRzfA|s^2O))jUzRH^GEXdeT925Q2SD|g&#2w?Rz1oiY
z2iQ_RGC_kQo-lqs2Y*f?VGoQ>qI1!z60qmC82CIoFlcadlr#lhv$xE6L<f>?(%vje
ze`rfK?k=Ln`h${nH}AF|rw+ffI2L}?`KN<z{cVF8YLOVKVpxMN{8sNqV|bE^$+h*e
zI6f=ta6Mg+(Kz^WeSf*t*73a=t#SXmn8_rK!)`9Nye9nemumri4ta?$iFSfWhV4b(
zV;{+_vFJ&uwU5(PzvqlJex=s@OMKN}r@7yHc1rK}^xA|$S1iVCxTd{qY<IBX+^=Xh
z+d89&%^l_*BTXBgljWQHo8KIb`=_OOiq}71-f&?!v?F`)_2cFT3G4ND_O0WqzN)T1
zva{h0>lQINJnYR{)5*Jx%|}C_yyLE$)U-2XSsF6^NsL-f8k}a?_$HYl$&ti^=FRy+
zNy>KDSfbT89Oi?4A`U~Ce}7%>Ki@7yQlgfpeIT1`dJtCCx6HUdaVn<C&##i~no-zJ
zRv;t6ydiax#&diSC*qIhK>#k<HcfpflLEZlc@+QHA3?BF6L{JU=Pule3ORC-AsX$M
z{XG#a>rXBgEhD7O?UvFLS4P-U-W!`f81*cG;>2xsio<wl6^k}XMo>vfbJszclX)l?
zy{=I7)l7TKrQZ@`R&3TEB}2$h9$qMpzfCYu#bVr(5iu{bt12=dlEz~wmbouOGs76B
zs+)IDWaxWN+jK<P<I=qh`&WAL)Z~gsA{8O7x)-mv(V~rX#x#;<w@@pN-X={Uxm}VV
z#C%0S)!-y<+j{G}@#6kTpmM&HBBL^IO7W7eY>jrg`dm$!Ld+4Hu-pEc{YIaIde%U#
zB9RkQTe@Hytwy22?-N1`ItSjG3A^UZ<4>C#qdGI?*s8MyMs2O_Pj1cr_NnbVCck_n
z*SM?AgfqxY+cA;FSU=nqttsCo+h$%evovd>yipp$X6$NIZns_W(#1MRU+IIG`C_m2
z>pu5#ui~YX^eDysfb_O730;?>*ZdQUcgt@-)P$1j>N4|n7Vu9(D0!<wpvI-MJ{e*o
zZ2!rI^n1x;AN&d@%k{h0jy0+uXFguX6C9WzI;`UFU!kN0frgBYY`sW~?AWjbuBRC?
zbAu}0w62Z!e%rlk*=XCxKCzT5oN1=ml*o^?C?oMBr27&0a;o_z?HfpsPDl0D7$P1*
z7;>M1ly56DXus;+@763wy|$*v8l|*)=f$z~xLFwnfsL=PdI|=f?@xVo&LU@sX0wYR
zi+m#!LsG_=y4BFo9kEv0SGc`d-KwCytTVtoy4ZW7x@rHxuP;;bLiWOse4%70-PnzZ
zZt`vG`Iw-3DkvnV9YK4TB1ita{B80OpEIBbA68BGkAB>7EIL7tz9UMI+$Q*gs@FF!
z%E$STA@wSIZh4>ahE#+i1+|Pc)zo=TnmWh+*9z}ioFLQac}2DS={m%E1HUnHrKKny
zrM{f);gAle(r^*E;P-y_&^0S&oHG7vqP-eDuFNA5yXoPH4ZIBbSP9wTt&ghH`GO~T
zQTe(eZ|w3Yk2SlZ6rZ_#{3bIN6Z*l>@zE4U_;*{mY4pam;jN;VPA^QW9!oPv;rctd
z8i?9<CFf(ywE6nB?$pvtMIK@_u0QDUR*sikSMf6ZGJYCyp(O8)oVZ88XcE``2*34G
zvM{w!>`2mrNc<l*n<)u`tK`Q6R3%$?tm13wB{*5eawDExj_cJt-Ye5nkUmbUo++Am
z-TY%smPT@1j_JO{EB)%(W<`1e6%>i(t{`O*<DWRL=}P|m(t@23T>gDp@bLWFoXSvI
zNN6}Y)eLI_KS+$rp<btiz=0~{?M*=}^jlF*M6Bm%|KbAF?s=w5MT<Bo9@`s}UMy_t
zzul+vY;_?ojmk(tS0x-fs&l(hw$nvp$_L;3+zwVMfAX^YP5#>8ncGqF${7lbj1M!F
zx+$4Ooek@Htq=AbhfX{2ZkB(0mv{Pex!(HsZczl!p&5z~eovSQUL5U1&bB==*(krw
zYY(z^mCrlo?mQZ@w2PvVO}@MtqSCqbCg`~8-7u?9hWV$P4Jk^zC(9{<tCCyGZP7x_
zGgp%Ok3TKf?KY*)pq)1u_@#>Fjqf(T^5x6#zCfIoUm=?Yom>JLKV0n@!tLE>(_UB*
zUc^^_Y|*c?JD%#@BYAjmAv(-U#Gke1-_A}Lz3T6=;@)>|Pw;y54&CLhm}(5SlPbgy
zYVSR~9eGPDBko`?<?fcveeVmhJ%UNw(VFJ31tj)9SZLb49VSR$eehzS<bCn7y1L-0
zW#yI$hiJy7rk>Baw{}|V%2_|Ug2xV0iC_G*`%$OF-k?1oMCLLDs?V{Y)H*3cTCsko
zU3_h38E+Am?CkGros`GVN>xhlJ%9Lss5m!$rJ;upv*yLnc-Y`;A!^04Jc<#uQwj^A
z-I{<OE2F=jDv21cIh(i+>%D!%Vyw3*5MQ++&$umoKUzuu=jSVhQww(*+WFGF=`VF>
zJ|Ug^SgjuDwvtK4X>j!$ep7dftx|WXr`a><rQ(n2r#Wg6*}0Mq6;Z%xa0UM=tIcI3
zBe<bnNbQfD_v}xQ^PZNOop{`;hMA<6vWBl=y^GcCa3DOOWc`7&-zWYn&at>Wt?CSw
zGEr}_G744KB9e&Rly|9qio8?L{$PMD-*zQnVqIk`*@f-JP&O00?&$!#Y7a(~jO|)D
z<)z_f96mQyEbQWH5&zh6*Xp&Vz1bI^%=&(-(@KuFv*jJ)$8$RPWTAzVig{Uv;InO0
z2Arq#3Ub6%wAB*GO4Irx7Iid~a@WM^X1`-<yQ5KXA-TpT#Rc*YYTAM~ibb&3`B;vh
zl?2T1H5J$>-<r^R(L##P|5lsdUc5q(UAjiMOz)Vq<<4u@KDBKOyo}J@T>{L)^o!tl
z@TR&}r93vXNUJ3hs41Zm8VQSx0Xe$8N;XJLn4{DqOsVO8+1Bymvp_|HyyMIMM4wEt
z4^4lK(zDRJ^WC~xnEnt8zu1dCIE3s-l<k=`>yWjPoMqd-5UXtA%xUE1_)~dFvJVvT
zXnFO@B}MMqQKS1sbf1sD#<wxO@G-O-Kkqfuw?0p!_j845ME3)2*zqT{HoSF)2<n`A
zy8;s2#rA^1Tc<iau59wHx)(DLl*JBllp(tBI>NzG26&ULm)rwK8Dkf^9DGTYLE~B+
zT~yd*uUR2T!d!?Fk--sEw+fzzko((weF0>pd;=vR3vmy<dj_seWPgw^&uSp~Nm$K$
zKQ$dmBWY0+)pKXA4C`Mw%g_qcL=CF~{r&Mi&|k;@#0PJ(+kIQKY99dUQS8@sQXl2L
z6^Be)u&a_hi|6sF=zTmg%}#?&(;F(!2KYpu6j?_CuEB+MF99nMqVGpPOl=5!BFwbK
zMMWv<968V*RrN`uJ51(8R<+a|0d~Wif_{tOtx{p3JyjV9Sy;c$`Qii_qh=R<ar0Fe
z()-8HsNX|wZq8)Rd7TR7Vg|0~(2Dg%+611UxeMYRn=h2&9Ktst*5T>OT*1S5DTt;<
zC!A_vxGrW6A`ml|HC}Ba*?O|#^KeFVhA6o&?Gkdd;6znMO_{}@eM;1#q1mf4oHjQ)
zt^}N$?|*w|g9_u!_1;fXx<O2w%{IaF!F?ql5cZ9I!KT@F+l#cs+>EFMj8Rk`O<K2Q
zVZIG@MC&h8O}ZlZPJ;t~GE=*g5w4k<2@}lT`>AJ7DFJr5h!@wvlBrY}U;o@(2?lt<
z$Dfer-`J%$0<!skVuRe|mNUKe2tyQ=Q8Q5vpf*|CE+T<J0JIq}>kW{JgQdR1Op&LT
z2J*eMSZNLDt_-Zb+i-(1&c6G}2?H|U{2X`y(1Lhp=@WIxix!G;<=!h@M7hpdas~3D
zQmboM`uzdZQJ~NWhN%%QgQ@9uhp9<ChVMxJBg+bb0|-xJU8S)yF7Ae>lRhO%B>}92
zJr3`P8<Jhd{xcCR<CVnHSU-RXXl-|zKfw5kcMgp2YjDUax=+MYoorr-{{j{;Ix9}_
zEGf=mFJQmSdQ~BoIzwS}un<5O)vCrwXP7-YTUG?PlzKMzr#G*B&~p@EHu?p`4ljdg
z8{j@tBmO_lhA@H5mzQ25j5lPe8ZRPN^yN}9<wY1<+PNfoA~}E?zIbT3iot(SeKp!o
z;7Ik(Soy+i1j@C)Su#ASzB)#SddfoXR^GP}vc`$=QnGSzC+VG1Vf7_6J7_!TI?qU#
z`7)A(Iwl?m|NVHTzK(DCFRaQ2!K$<;(u|PY{@;1?-_Z=(I78Gm@y6s4A2_5c9a@v@
zlwso6|Lb|j$sA|b^}S?>A*%w-#_nIF)v9Ebo@R`S5c_t?6xrujk|ZLjVKT1b367f@
zf@$QgkPgEnuNZ+@0KoMxh+u7%%O~O=O<ANGEQfq|s6}^>z$eGf#G9;Ix))j~B#rl0
zNhSc--CPUWGF#?VzmbPUtNwDJA<1BXkC1P|Q)j+vNjS4m76t2HNEXvHX{U8v9Te~U
z2hzZmF=vT08f6>&6-2`&wAi`CH?L~6A6bp{#^dh>LU@l`_xTgV^RAG*nR7yQ5dy>z
z*W(J-uj-Q2-sgp6h?gL{s^MFL7-@{q^D9^m1e1p?^PcD{k{;{1$1W0qw&20jFG;BB
zGa~KGViSp?VqyL|o<X~hx<g&JJK!exuAu@6FV9ooD!7VxO>2x`O4wwAXf%&)!10-_
z3BMs{0k2}&vLU#PxEY;^?`-(+8Y7SYyoQ<@L3+_5c%)2Cb6Q;pHKMB$&~xsCIdL2b
z-;$~$M5#$}VUenHL*E-8?lLOoW<wpHXP{ix32K`D_%+8q{Qm6N00lT5BDc5KXuvN+
z<B9iS0ojk5b<q_eHNMalpg#O3Q45-@0DN6hy*wew789kW4BLvP67L>#@$G{RkxBsn
z%(+6lb-C~+4;Seyit-gGVVsP~20~uoBd#(t>KgGOi#N|kv_gf<>5Qpe|6S-8Z)5a|
zR2W#k7kWb*OdwhXGJ#{F9_yLTE*;6dzUL;i=Jz55utE^{Cb-!tlWn}=+c(TUf=gIG
zk`Oy}4%^|2hn~?p$GX}8zFmgk+tKL%Kqy0Sg8mI_XTmfts&p0VDbPU|TgDA1;8Fl!
zZT^43+O1?f@KQzOrB*o5+}Z|*^Ba$IKKSIA^DxXc{**$=P8eM;PmO`%D0DOz>8LWp
z#!X9ZSW0aBJC#NzFhsLeL85hKR2K`KB?r3%JXqUKYM5(BLBr5QQHsP}c1})CvU6)j
zlqmRjVuiWabIY$6a^QcDJ%g!UH2MbztH!TynR%6j3%>+Y3&plCl|lW2i#dOsqgj%*
zGFtwy=e_(b^?Y4bcZIk+_lfR3$CZn$dW|kcA%gm|stk{_Wki}H>z@H=+7bb09s%@{
z*VBN5=J7dC%W*}_jAQ}lR^WQmaaoK<mD|j>5?fSJ(kmq5O2l2Z#LuSj6hr^&Xn_@u
zz9I)EF+Aj4EI<KGxCl$tRlskAs(tXCN}o1iJ3^Jr%tH6O2rBW5%XTp_;U1!x-kamR
z>B}px|K+{R7r=XQImEjb6MG6c?=-)cPnZExU^ED2NjC&s%XqoibKe$CWU)D%I^wn#
zCy)C{)l6%&tkdq=?fz_aoFzA1F;p7dn{Zx)Z%mKvP=mu2O6i`0a8eit!bxfr0!$Ji
zH*H?K6$Wz9Be<O_0GGjRPFv4gBIy-{WhtU6>{gkgnN%Zyg4F!g=aON^8;%HC+3N&O
zb#zi52qJvbk{I@3nd7MV@vO%hl~GZ44BfeKm0V4Zp<4IabcG~MkS%s(eDvupiJ;4)
zRd#6b%~e)i?SWh^LM3KeU8li9Ls=f@og8M3!f!ptnN~EDS7AdZO-b)iKSH(ASm&f#
zPHJ@^Bp{$xQe>uiY!AC)b?yG}`c>2`#GESOG=3TJ>_#$haW+-?`dA$L_mB!JoL0>L
zDEgZS78MriGSDqlrviP@rRp9*!@;v{!?$IHlaLE4SAH@@!)Mh+Iq#l7!i1CC_gr9X
zgvWjKPxOnxXMYf$j)s9vgDb5Wi7N}NpUePeplR6OU)Nx3Hc*pArJ3{vR7{YFg|-gO
z2y9l;J^`)b-B?@akar!>=v1d(U%#!{Tx{HXq#11ZvNuyv9gB>gEL7e}l3lt^2j;G#
zZDPfYAMs+B|840jlENdHfkFkvBYKM?W%-&rs}}oQJM4y?i5kbTpA-4)6@HQL2o!{!
z!@7Y46;`GiMHz6=X$%Y8V_}A=ssGxTASJAh>LeaT;oTa=NbSdOyVNI*MRzpfyk4D2
zrCMpfzQdUIa`o~pYLr;GdRqF8QCB?%H*ERqNh3CJ!?u0f`58H?)7pccw1>FT+e`fq
zht?=!;=G#$yU=czaDgf9?2zZ;B>e*&)>-KPg^mA-49t9B6YI7$JxX=qxN+OE<&PXS
zHpABRo}fd`h<SzK6^{S(n*-|~mqZ%98pTZaU<jhq4cXFl45&^?@6Zp6rDcnvyJ_B4
zH9AR8s=@m0tH6aHAms^7I(>TB3oO>0l`kAoab-#Q>{R9%X<4|1jJFoLQE(Fa*ET|!
z?!GZ_EbA5aMNY;$zJ+|!5W$^6%eSDXcH1PYc5Ems8pFlLkuo<!R3@+8QoFoAN@F&q
zf3KxQ@#5h#ad>0y!nI)o8dxUk#lp1@aJG=C9+@VhqvHF`9QUzJ-t8qNXG1&^4S1v&
z#3T7aR3=EG5qKVUS=rl%&+)Oo;rVSHi=kp9Cwy!2M{lRaU350dD=`g5r=tJQ-J^CZ
zE|1E<<0~))xj!*9@1xcrN1)9=jzFce<A@w?QsOn%UwXF6q(Ly`6h&G$Crxn<IlcJ*
zb9y}@MCG?sBMi#<rVO^N)k=ErH99^n9EliS|2Y!>7bh=r(<W6n2L?Jk>UmE{8)DI)
z5!0>%NVHv1lWIs)w;S1Y4(mrKoHU2~LD!c>JVd1b`I;LKkPB~4dPsQYu+#S`3H||r
zTq?glE{u8|xj^(%NR_6+g)o4g{5<|AayUJ9HgDbz3G&!QvJpbSx3lgn>li3GmT@4_
z!)x;A=dt#vkPe*xPX|CJ5TjF~G1Oiw4$ikre7^6?li@%b6hcLREDGm|*}}ayBzSQ0
z`u*B?b_<Do4cEVOmO&7*xI^!8Tt*GAwc8>x3xO+AWtuIA{0wB_ik+V)wqgA`ez}iU
zw>A<1gVm}CmXH*NfF0GLs(%=n(-EQK&N1{ow~CR|m1+Sb;>nzNZo7AOSuQrf7rntk
zM<?+%`H@uJ8azHS_NsWI1s>-es$5BU2#?!l84cyrV1BTP3fs;Lg&?Cn$KK^}qA;B5
z1Xay~+|e+MOsAM*Yc}Yj!Vb&fbq}!p+3BDBU?jo2#uGKJ!4}@Pxg*Z0u~=?<QR@)*
zD?CxX9B2iLN7NL<q4fq#F=I@0`YT+m3NV{ej-jW13mpp!+tA0SKzW7vm^n>}4bxn^
z<S)Mn@n&IO>XRohNo1TAZ!P+~@f(!CH#<;bg?XT$7h}@;M4(t!XU$Z-fGoyb156{v
z_R5t@32+(ksr$U^yE3II44Lmg&YllJ=f+;dWcSa43+Sddw>4h<!($|I$i2IU98K5@
z;TxCc%-!Cii~0{DeofkAIxPGp!9a&&KmUMf3(-GM<eZ-*nt1=0f5jNp{;n-1M+yu=
zv-?)DG$Hh`;_>B2SVBrcM(x+($U-HU<Te;5`1)7l3{g3-*`Az(eq0ciSE2p)gYb*r
zmm%W}pnvYG0r6HlRfnA%a^L4Lb5*91{n;fNVQ5^<@dBhL4FtvY%<$8*@MnDQ5d-6g
z%y#-_(RqCMN^GFIMe9^jtl?<^@$bo`j~Ti{Tiy4Xj7CU&+ikGsRW~0M(VE~Q8{{lS
z<4fP0jb|9J#Lo4DIC86b@4O9{kdjyGHxp!MQ-nP;uc2Y*)Vq3AtHzctPuFqFAne&S
zbAqGVYZsd+H>+UBA(N*3&vagv$G6cNZfTw3CPh96lQU4(O=ZwLMngS8SJv;%rHSLl
zj^BN3rOOe@p;dSl5GE5w`|me&V8;!fe_AKA=c&*Cv{V@N87{Zej>XNg1FxJRXO8>m
zj2}xW<CbD&^Qq+a3)7{RtVP{At(tLj1aHk&y&y9wHDE;S10wZqBtO!*qs(wKH2ij$
za3AJ#RO5}1HbFBFTrW(gPnJYOZogPdNV=RElXvBD<?;ubpI1Bv%Us|1`G41t$0B-I
z;*+_#z=$Z}uWmH!)l#_9KgtYfzlfz8j8E79H4_X`%#cyMy96s-@i<+Hjf`500;Lzz
zRLD}kF_(vRuUEaBO3MGd@{|e3mtupaYxm&;)c0em)U%D0hkge!UzL&Qk$=SX_l5d5
zm|OJPxY!Gw3c^$YHn%UM9XL^s88(RUKV3i(3$0+~CI}b)ZOgvYa6;$qWo){+^83-p
z;@9`V{%#CwG0puM+LeE%82{^qCqgF+;#snB#}jLxl+gG;2z%?Os=BprnC{qwAX1x@
zMggU}H;r_Igdm;LEn7rNLQoo{JETh_m6BE(q`Ui@`#$GB&$++%8SguW{^M}1z4u&m
z&3RqFny8<zZZ8*}oE$BAYxY-G2NvHA#WI`wIKv;ADqX~`n5%pd`PZiaHsffxis>yv
zVMFGD_apKXSm0Lh-WLVavLFyN#r6lF)+xMgdg%9nx7t|MJJWe#)ny!$HW@c?R*PcS
z+Od&k=cT3Q8_MQ^nHJr=o2Z{+zk<|x*w|^nTuXmESp28bT4@3bs!DwEVH{L2Vfc~k
zve_>FJz;zxLG={P*Pn)pPVt)<`k0|XH3cL|(^-sUu&FO$1&QT61sXa`RZ%Qd5mA|&
zO{)Lv{n*0e57ehou<uJ`{<`L^vRo@=ZI63lF8AvbvSFA4TO7Z3^P^6lW{QtoIHxpB
zTyO(ApTznx_KzkQ;>qJd>2H9jCS=?u@00G2=RcA_vnSPu=-x0O;4MYc0&i)S+;FG(
z-F42cYPyIwT5bLE#C*V&itC^6tcA}gKgRuF<EwNZ)U84{Ra!r#ZOb~Pw?(JNU3zh_
z)iBn|DDxSTWpM4Yi#ECFvt#q-%2>n+rhjeVDD8~+*hHy5krMm9&i{2kU`dENgNmyk
z+xRWCBeQDe!l^`kv=0CLD1M+<XP<)b(r)svwfF*3eH{q-=s};+Em78Ht~gfz>c9e=
zGvT`e0`bO5cR*REOF%8e2n>Gm&6y28Cq=nR$y}0@gd+Pv%|JW8DV_k7h0>LF<3;0~
zbs#)M6^PWi#jp26FDdE?D0pNd$+^ou&gv9np<qk(>5lM>(#^OpZmRTsc$y+{pK0z(
zn3YEiz91LHPsaDw_nh8?Nq3=qMg1aU^tAN?g*gf<nX)I#xi36`c5Qq(<$ypQ@{b~g
zYEf&_D+IOiAO;EXV?XJ!a2hviZH^Z|l#U=sEHiGxuz!>)g`NG`W+;8M!d%)o(+?Ec
zAwn8S+@@T$FDG^G0$2O*DQ1YZ5XY<zBqvkyJ7V2$0RqS>r+G1^SI~rg+&0ilJgl%f
z`tw7x(n40h$+J|eNK5f_dzzue=Oq4FzG~m;&M%M3Uy+Guq}(@$g)Bro6Q$F>+Ns+0
zD$(f|@?5tb&r)^2XU2;_JICyoSZjN*La<YI{AAw`pP9*|%te8HOl2(4|6fyxLl&{Q
zfNDyP9BjfK9rr7U12Wf#rVLpYms@~9FN6i&v#jyXVYX3QRsu?@US~f|pCk7!K1S?P
z0h(}oeWWJnvJ|#G*J8LiR><(YCpr;yJ_UhWV}<X{D3H;x!X`nN@vzBrCq5VzlWpX&
z@2S1_-OZWRN^hKIkrwO8onHFuQ(B*Oy79T=ji1`S$y~<qpe<y}3SKj74?+e3cwYuU
z(~;|QvME-s6h|KpJ>&xo-E@OnK5<Y5_w(+s>7T=cK=IDmc6(VI$!Of<sq$wq?V|*X
z<go}ibYpYgajuya^i)Y5p_uF)D{3qqr%9ZK{or3nNfK_Z&IUrzahDi8S}!9iSAcC=
z$4@@$e%58g>bt$>qv)dNdvh&CbK1o^eIO6w9_bpebnDzj^r*cHO-_5C@{xP)@Y!C?
zECi-NQkLeGn|CQ^iH$DR*K|$-tM8uY5oZi+*A#ET?V)RVb6Fm9RODSU9iInKVg3JO
z!1YLAzynd%d^+=Tw9HsI<&n9RpESEpN$gXH8LZQ(Og|9jI9mB!zQg}KHbcNA`*>?o
z4d)&kW16s65(fT*f;?-86odp0qsvCA^f=wtzo#wfzFO9_8_#9jsL&CDo+tP20W4GU
z6CKZc4t<^r;2uD85C<xM*m?qs24Ltpyny9-ZLAG|07kP%CzGaE%>?2DaSRc}%n-H;
z!ZRT5rNoxF1^)4PZd0)o9;-+@%8}fowIO!NJlO=DauZIVafe?DcaeWE6Qtfge3%e$
zdto!Kc0HM^NHXq(1$D@X2j|=D%^7QcR%WH(v5W=g-)EfMVG7ND7gYurQ*D8P!J^=G
zz)L++;%>>k`?{Pj2dCP83^Rg8RvZ)1!``r#^DR!jtht-=NF1fqpqEL5y7J`SWPJba
zt_aENPkz!stn-7-QbE18?I;0~HX4?kp0*~C`|wA*$A4-8944iP(C&39P?2)oXHAIe
z`H+dO!m>zPd4`dV8kY$4r^Q?G#4tFcKQKRR8elQXSWlFja<BF$KD+XVh5?b-xC!$$
z6%hj#1{`bqok6wrJ7O3)w@Cu<DX56uUAx(i6~r0UJ4<d(loppo1W8^1lZ=+-Ca@}K
zX|OqLq_u59nQ=&2puk2P2m0xPUV>99(57)9qfQ|ON3<xy$t0toGw3ck*i3trW<P=0
zzU(q`NsVRE27cS_2(Lv5b%8>nHucHNKVJgtF{Q9ac&19H_rWO}ilqj%TF3Yn<;p2M
zl5S6rD%nO(Of}N#U%a7;%_A7tsH44BYMlI$9X66_wKk?Hd@X#+#3c5p?jrYD)!r0-
z%JkEGs79#QNLX_D(@;fO8a7ItJoPu>fud{U`_l)ih6p;O_Uc8m8lqSad~_b1E&g1E
zMN%1R5sHQ_`<6@_1$)TdA}j1h@LXY%9yVQVqf10U$}v!^o)z-_Bfr`Men-Ezm2j;^
zhC6T+lBN_EIz3>WR{Gv=?&)ntFgZeWA$-7B@+`y$%I94EMIFbTI_ZRtEi}ZlGK%o#
zhzr75ZT%x2pf<&UVz2fyi5VfxsR|vMB3O!~a0M)iQt-~{aluyuZAWu8lBJO7E-^;J
zZY}QO%WoxzvjR9R!hIJh$52n<>gIh6z*Cv{<}LT&rMO`0%ijSDsS;!7Y!E4dc?I^=
z^A0hl+VVm<W}sxqZ7%<MayzKmIdpB+`gJHal8UwOgo7&LIG3WH>+k*j-zcmZy;jOz
ziTQ(4XmBqAu!}N%<aLC~bRU*w{9Ygh6=S1FySP7B@%`8#4;GWm6Fxdr$#5&5RCTGB
zGn%5?UnGyw;?lumE%Jv!p0b>;%e!Oxx)b9v!I2znGrp*I^3?VxviIz*b&QIR>4Q}m
zO{#C+18%)YgGDj+cH8g#PSEX7m$VckuG02!IRLe~f6Zh`N4&a<``+OjqiNB38#W4(
zaaam9^WqDi<#*4!p6{F2D!cSVQ;)X#`)1sPVuh)X#>*~P%gj{RLk2M0E;rfrYhJ|7
z<dAZ#4W~!$m(w&|`ZX6EXyXn(?WB-rfynDw<YT8ix4BEwwfUqYuJmcfkVJcS%R0J^
zc9PDQrs~fH`|RdmJo~G^wE&h$*7r!b#&O%c?&kVjSTsXA=7+qWywYhNrTAx8^l8!P
z%Nb&qRr_m~-DVdRASN|Sp`vGp5T85u1l-5M#v*5g42KcR^nhg~M{JvjqVtw!JECJQ
zbMb3L@r|+`N<<(C9^D&1`~pNS#Qf09kX`~b@-RaHj%a72!<nvI9DdcYb%d60Rbb*A
z;U;0y8=z%{<q`nLf})55N99)&W|<c?EF&jdljw0g97mx7*t#r|&|q|W@d{LmBlU;d
z5?c0C73N|)a_;Pv>YXjqRaVb#CFtLQKnpq53^8gxo0|-(`6o*idRWjvCg~YVyZP9&
z2F00Li0E_O8%o=-SDQNg)t7<W8V1#8kuaiYf0#iChGkE&_@+#IneA2f@wRvmov1BF
z+1r2Z8&9zI+w~Euz59rU8d;r0yN{6chT@7Cb`I|$7Tl%_>6KhUyT-261ZZVqtRx8x
zLNhfP7GmWK_XBU4{GXwW46}>bOv%t(!!M3(JfVNt3Er}R9Yhs7#A9os@Urq4pB`Ch
zK6W2Te+?R2(F10fUTU55qEzi9b{|v49;PBi&0!abT0!0`IEy!V?q#<L%Q2;IQs*0%
zMG0^kIb5~$ci`O(8$I&kdU>G05Dr+L`1fwK;I8I@?~}%mJun9J?;iGey(8?V(q?Tz
zy~k)jOz{51gL+q9bWT<{Q1OaCmn6`B|A6sV$fK{`FdwpLX`fNh<is!=R-ppS3L)Bi
zEekLUMDyQ8m=No{;qy4D8Q{3uoJ>ka5cAHV${K>bV4Z!*m@tA~mi)XPf^n8@Z7Emm
z-0ki;s=Z61Gyo&Mhow=k3;m8^(O7Cx%$gzIJ<+?3VDi$#`S3v++7#-bMmX3}cW+&2
zo3rT7aRDpFQ=DFIN}N=I#WpVgaxYygV$jE?Nm}>?_lNAWj%uoikgT$yC!cgr7JCi0
zr9nw9)|#D1hk(}TD;{yJVZ!bYzrw}-AOjs<EN@kApQGERJJePur&nu@Y;#|@Z7lTq
zBOEQwEUHewNzQO?g@TJ+9}bWXLy?`%09OhAxs7Xy$LWs^p}`7RjJ5KtF0*re)FHO~
zg)8`Pwj@YlzqUw~Z#s;=y0F}bT^fD$)~1av`6l*PmEJXjmv}(%(ID$@(1vnPG9dH*
z&<D`BGNM(qVPOu^k4QaYQg@B$I>UV5+;K(27}b6#T9ak7`2X8F{~`a?9L#!bj`)Gh
z^$^EpOc++hD^_foH%O-hk{oov0faLe&0rqZw(1)<_05Ha*e7dt!21cGN%PEO1bz10
zs4uz;fh$~pZ6_rC3s@Kq4HA-gx~rV4uoXHbY2Zv{O=<slDO11HAzHe_hwg9-D9;CD
zpG?Jrap9bm%RxnuV%Mmhe_#GqLNj8B*%7mk`p`;|>#dhj60!HQ!WYBgZI1mjd*!bg
z6QTqxCw}RG`6NoGIQiB4iLG37XB+@Rs5W$xy&}O{LkQNIzfctkHIxo!uXeF)a0{HI
z?~;sk{^!NKs!B&V6fy%rn2U*8g}P5$pps#6;s1bkG{N2et2h52nC4$MWJ%}G)8bB4
zo!D;4zU`W)tD2eYC9MJNr?<2P4cJorq);Zm{f*=N<xhD?+}+(>^xbRX(L0@32}^*v
z$#-*qXu1d{#$z&(Mwy_8D7#|HB!K%A5X61E)8$Uo*-@0@vz@QpV(SlM^1h9X>!SoL
z^O=Z?$vYa~Ix6aacIP857>47?0L<|BzASnt)%U8~J{T<u3bAv=%sr9&(`@$kuj@lj
zLT)ErOvW=<U)DTDz$p%Q!;M&oEe^>f_KPM9I(B4oTo5`oD8w`{xW)6EtmGa#0d{lN
zN>aDi`^gKf=3zR-KrbnHF6;bNJg|Xo5rJQ|E1=B&$%tbTzTwWot##my=T~P5-@JEI
zw$@xkt2ALr2oRUkeUehVP=Fmh$_#&n8?Fg&e<g^m7bQ^v-hs!zN>;%6a2>C{es~EW
z!mo+72FYN8c=$^X&;vYHR4PdFw`vwC8l#C63fV)X%CIiHUxX&_adn+u+dFjE^sRJs
z7Ul&s9J3vSPJ?IZ-6i;6*xvs_HZF_y{(HhfgWCZfm~s~8{5Q<>|9(GWgXq9D|JA<#
zuf5k_FDDZAqioAW8$gL@i%1G9Bcvld&QEO+RDQSgXLTOLYJd#D|Ehjo0Fkk!XHqkR
z@{ET<;3F?WVYW=?i_5fZ_#6T1F)n;WI@MVg->$ZP91R$r<*6!bB}6R;5Md)dFsCBI
zIdebqWs#1mG=D$?kRl!e06`j)(RMX?0zRjL?4K5imnjM_6`%;j_UkfPzcB>H!MG1N
zygqP7YaZwq8#~T{k6SCP)bPthsjAM3A4(Jp#n$t|;_gGMoe742s!>GcN3w?z<XsxY
z9yHh)D}mb-#HR0Y$B5s)68Lh}oNrKTSLJ`@>AeysZ#iD1-8eoF3BF+`K;obHc{cw{
zN315IH*&?HfW{WZQfLlCqi5U)xkn11MO{fY4R}-WIqVClnQy9IPI4)x3DqWW85=;%
z`$1m=JdHfW(BNSpQNe#lUS1~-wwJ4`SkZlHp#Gu7Cw`PJ@x^f#ZEpr_nC=cG&WoL{
z>%(-~HmQ8Jj5dRxsw}?Yu<BRkmhJp?n+1fTE&X1(I|jIo&3RnQKH%YnXmJs@skHdE
z@|93Lp~`Atb7son%Pey;x2dYS4G7M&0#$=%gR7PCFAFR1tU3U(^MLB1$to3?_=5*b
zzVUGIG{uM+%{YQVxuRICQ)&qs(nkIS(8Dp_k56EI)(^lQ27tFfu73fG;Oat0D55``
z{bd;r?iUQc)hfx-)BhnJBcdMvgLicDKtZ4ipzrF9rIU7lasq}v7IegHE+Dmxun$x}
z+Kd~(K?uG(ne9YLO4&{&V$>E8qZUn4?n?C!o_)}Tz|$&1AhT(7XS?PN8YoyFBCvwU
zd+eJtn}p)mP^<m~jg9WLp$u->NYc1)T=IT^4&=WSE{OuXH6LK75NsK>G=L=j5(bEX
z`R;dLp<Mt)KAKA7Djsq((q#X;UPHDpwi!7O;6m|Y{yt@%!<2km48ah@BOtoZ?S%s#
zLH?`woAVgN;NdfxQ3c!n{9JhS4&VYWjTl^>Jb(9UvdnnA0Zd&9lo19nnS8dVU9|x5
zD0@$wl0OVwCS6gbNvw{R%J0Mlkd6X?Ky;JRBTxi@7%1)jZcwp}c?Zz_-!R}&$-w!i
zM}=FM+zLei#74K1ahv=mRYIUc+|BzTLcfy$Z3`6wY=&Hfu;DwJf4^ABg?ie5n$}ak
zCMimYgZJtL9Db_M{;|Eh?UoG;S_PG`=XbtGUti<D2k{uiD@1>NYvA2_BJ_LO?)abH
zG}$3Kd;R~q2@=onj}%_{Bo2Lx2Oq%GR07k->gQ*b&$SdkUOStR-bzQhvnR6amSKgt
zMpFqg`krp<@Vu-0AOV&h?AYnBJVep?SI>-aMWyrUlVe}YXM*|>;0oYe37B;vug#!B
zmQ?r(=$);fP<RTzCFf28P=Y)n!+>$?e6zUxFNz;jnauT`OI>f+^t-cV-(F8tdLLPP
zgZKhO2Z;O&`x{N*y);o@otfH~4{^yj;BC3qKT;1nFliO$n!T6r@NJAi6Rrd>rkugn
z(SGp1@&F=)UDWdgj8Y>aQ2~JzUG1O}&^*m)Cl~mA-*->X4-mrr4}sg0CE@oU7xI&2
z)W)};ew3xc7C-|UU+3@(2As7j4rjot41tHDpyPa)aV&T@3n0kRY8y3MP~FFWk+S~`
zNPpu!;}9YkysU$qoXZGnN|ojGya-Dw&vmt*t@DZ7ALWkQ8rr~X4TCR^rD5N|x<e88
z3vlME;I!o=FdjvyAw=F%`T#5#E6|YU%ur6^NHJ>l)5pNO4+Z_k8|e6TM&NB>*%e4`
zSnYe5p%rLH#O_3w1P%n`LL~RCf*Hi)_`4p<&gHZehzWK~Pj_{|3gO50ADgLciUa_8
ztibQt44wY2S!<_#?^}^hsX^C|fa4MQ(Hwa~L9g9UB4@wdLPXWCPIuk|G!AxgxM~G(
z#m(o`tbGT__~t=aIHw9$14$~i;;;72JZ8bdS&BBWzxZ`rUk!o;kA;Q{WwRid|1;x8
zcg57F4n>!loP_|S`he)~q1K3{n>OG)i#P<_`Pm4sOoHks0lG9H4`O?^ZVv#EYDerb
zlfhbNfEK`M_%t&{pc=>XrN4~0OWD1o6^1S7_IUqXi?7vau3{wWV1rc0v;lX^ar{!y
z?F)UPCs}Cb=viThK>tv98^lZR%mOc2gg$qQTaBTeLB>2Mjv!?i=>f4y>_F_13>Jre
zpdv|}2T5@*9$e%fI_GlaWBNfytkp$uI{4wSG`6#)t4xR60XVi)_Bu+i5@oPh^_cC7
z6qvJ!GYES?eYvYQS@m3lF-QR^;AhNy^GD--I^4=JFnQsrx1hB|s8tZ!5>|tn0%AG{
zH-rT!OEi@_p!X~I@HTpd-PfVuP~#HfXYe^c5KB>IGepA_!mO4K@KH;R5eAuHSQ1Ae
zJ$=Ra@<A_1jx4>6u7f48&~X~pC4d>Ezw_ntVl5+2DjWxf^&>;v^bHQy$F0fo;sWKH
z%ac`bCa_K?{>F$)5@}M!Vh*j+qFE@JM(1L4>r5~f-UJOCe<~=?$AA$lbEN#khYyU&
z=aMh7?;wH<a#6A16IhT#vay+DfK|g;{V^KtWkfC%!rvMe-xd%|JC*egOx3=PpZViF
zV%t`}VDCj6kvBs1oNe+-*35&kRz?OO&_|corFy6EyM^~4=S2k|-=FQdHFFhYhCV!V
z`qR9LP*~mm?JNa)JdFQV?m~CI&?Czr$9|@?__`g^qCvrHO?pkC*l}~-{(50VY^m}Z
zHyc|D8wG>5AFc{z3(hbXk#tAd7_RiglS02+l)eV1I_m<I9o?<qOp~8O?RyGuK0v)>
zYr{oFAy@^tCpo)7;UW*vl+Rt*Gt#!hnII*01YbrEf-K2MIIsYntLVZ%v6Es|7w(u@
zj$x&jgKxI~kwEXXJlmbMb0R*yg7Rite_>8&-jgTA)_Azb^yv))Ecg=4zZXO^vfle0
zn2E!v!hXLO)UbH4ascMcI)ZU0p={e40he;cVSKna+LSxbHdw64yL2y_F>?@M7!?El
zah~cq!O_05EmBPP$%aqVPlJ(86QG?z;y<_`L~yYe7WBVQiL8Qq@AFzKhp-WITS+t8
zf;iYOe4z@epOsS*;F5d{(y#G0QwP(8=jjtFw01yV4NM)gOx_YF8?Ws{7eLh{;4Cs_
z>X7lNMvr0<kbojK6rK9WJR~yy1>)z<NwE%l+`h7~g>Hier$oQH+w`><G<%{*oBbQA
z?;D71*n+ec9t!aQ5uF5I78+4xC4~~9|IQO7js%ox+^n!wFN3fHkjA2}A#qKaB;E?r
zj_t}xlO(e_0TlSj!kZ39W(zE=W5n`6B|gvc_Xq$<5%s_OtN~gi&v^*S)batS(+XN>
ztjT4pAce!(yo+@)Sg4nodHg+x0)Au96|=lt(Kvbx8(i}uRWpCryGYB9(!5$gu8lyi
zlaN_ppt^bvH6oTzfM`q7qj7EqvydjunA_gZ*3sihV$)`;jl$Dl<v^8@v_un^{w%ot
zu2VD>`juF)=8dRyYRm0R2Mv`|7U{ZBph#sz0hl{5Wi!D{o!BX4r736tB&(xJVSn`0
z)V%E;v8WmM`*KmRYW-^rtQSK4O<6!#gPAm+EkMuu9Yu;OWJzFCIk}?Jq_C_O+5c2A
zQhkrhEaib48CV%5P%cT@HCX{}j9-l_=1J7onGr|oC&3UIdc&;;i&!;;)6k`T0XUy^
zAe@wuH%LIr9gSjSKg+n>L^QFCN`n>7RnpZ?L+%_b5IihtEdl4u9lHgUcEWH+TfWLi
zogGT48@NK2*&QCSv{^avX<xfoZlPQk2GN6>SwI`;xA@eKl^GjiKh0I1+&-Bc{N3Od
zT7@}ju1Gf{FY^cF>?j4@mx9n^Oq%ymburC!A0fF!_{QExeRHn{h082>HC4epy2NX)
zj|%LA!I!IQEWz`jEYyz2dIVt2B;p*11ElH}#NULQ7lH-woEccl)&7?K{adu0oc5L&
z+5Uq(A8K~{c1Vn~U)NImF9n=YBZk^1r?Z)64P;$-XryRSUX2bM`5+yGlw&efJqRA$
zJCf8V*}EXd@$)MU^%UG+w18v@$%dLv35tV8ei>|K0*BhNcF}3ZQlX5{lfq;9Y)1=T
zYM6qY?d2ws7sJq6HC!U%A0}{8)18%}3{xgvg?<{N2)w|VbaqQPz?Fp*URC&A9G(Zh
zc9yol-u@^xA$%_TJml^EUIBRt*xd>)$&1u+#<&Beur;`AB5o8}6ef^_Yoom0gcHlq
z3IqaX1{PN5G=H09l@cf7q}rH#RD|#mgdxN=2xkE^LM_v!!S_=KZGYsg0_JJn2jgR6
zSnBMQTd4iZUKa9#g-}W<WTjQ8Nli#E`l&KqA4)f+QG}>S0ZAO*_OFgR=|@m=q%wIq
zQKPM5=#O)-d5@XUI;5m|Qdi;A&mbd*a`?8wGCeyhdvqzyURwphKQ9iO^TH~wn;kkt
z&9LXqSfQGw3`JotOfpg8qTEXNX$ML{8G2awZv*^T0rg*=f(Cq)t1V?vgQjihp0YKf
z#U2n4-M8Q6Z-S<V!sT+6_P*DB+=&Z%2Fibr$cNK0X8#nup}&op)c@PQKAnh^6bX_D
z&xqNpfyTmFVe8$^LqzTR2b5)YVs3T!je(-;Y2)>DV=x#XN~~n<rX&fzaN<GgPU5GG
zVjxU{_)!MvSdUVwzpaC2H<Bx`&Jl`GwscyJmoWw9c}?v{gQZiUGL6RymZ%tw5Jmcd
zCgO+9AX$zQ82o?U8);NR9CS5o)HT!S8+ChacL9l>zar85?$_{!g;Ww^lf^Qk*sw9F
z_E3MnX=b)X0hwGM`*nI(@D!_Y{@@H2cc?EtQ3bm86-K8j5cv+?Y9Q#oB#~&ex3v12
z0oJi9=XRFc8jHRUk8|v2Y80vW9~3~*&jIRQFlai8qv;TH|FM+p_nHvWB?kFuEgLdW
zcXQp&$B|L`*47}(SEaXPoM>xEbSnHf@g`%XhPruA<zZ*w4T;<P^+hf1BCL)se#E2z
zeSkSGgld4l+^8Yj{+oGiFLQxchqo?h4r0{4+#df_D<)kO;2&780?fL{1nJ<atHI*m
zO8Wm1=1_HG{FmoH_eO^?=;&3f6h&aF@owvtBY+KQvvfE*u<}5`r?l7^o~Ryz6s#BY
z>aQd42uoz=oeP`*4WY$PM-YKenIyrY4OnX97``d-+w&Z)G9!JkVPy|;NOd4rg5tIT
zw)`$smw^>XP_;sy4}KCvG~|70!e2o3|8RwkZqAH%)N`4G{SzuWa)DQ>%h+4Dgo!d^
z_JtZyHq{y(fwd;Gb_89j0r2VvHkK5#=_w~}CQsf!{Z$3|XA3G-mc{xn!I#jS0!je(
zLhJ<Sdj_H?c$M?Rc%7kqH3f?G7z@v7Y3~G#08=^*Q&>QKKtu(PMvyOIM5*e*EL|QT
z#3s}%f{?asQ2r88>jB#R@M^EE7}fmhWGkQG)3*qoTXE1VEgiff{s5%Gfhi*1Ra7Fc
z9!Va**ci=&MJ+(}69BPSP=LR^J(3f#5Ub^&Pn#`NA>Bka`BERt1w0oasb6sWh5d1$
zih%XSGikS|r1EK;g6d3J*3C?Ovx7ptAV)G3gU7rR&4V*rA3o=e%S1I7DeX8ShSrM^
zQOx_FrCkbNzFvpWTS0>1Ws5<xU*>$2ASa!{)$9BO-Qnw<=FN~+h_P7|s(HC-TbaGg
z$9?{6U7$$F5Q32TL6PFdP_J+9iR6F})w0pIwNc%fZ!@Jvit=}4smBm&b>E2RbC}V>
zX59yB?UF+Zf{bx{Ak63)&#HyXaq3sefd07b`dy=QFW2DW=4jsAOa3ulvv#EMdC+iU
z6EI-lo>$vXSMj(k$*}5_=+(zKj_oZsKky(Q4q8Wu?nf2}b>1O_lM0O`ze>@7@F8Ce
zPM7qZ<Gj60r!*BvtOb^=50GONPzeIRVR8+IOC{ujHUh>0^$9JQCO7rV>OvCRr*qr~
zhWO{_Q{hM*qeY-TFJc)4JzRd$S6ivVmy>07PIz6(UXpemGV1$8)CCe85)u+!630-X
zklP#}6R>PQ1wn4|*d)iuoqtx7O_M-zX$nrHDMo{e4OXHN7R#!e@yZYl<_duhiWpni
zYgenzqMWn~Icx!JeU>1H5au2nL8c+~Yn^*=giSp&h*%TiUXSSkEkdUYGOh1S@;>^*
z8izzD1eygV*L^QI0oGhbz@=hE4Z4ybT@oyrt2B&wv&-!>CvR7kINXwhp{tsFogC!l
z>~r2q8}FY0@QA8S4SPp=yCa>L3C5y<Zb;|1Kufian^f<3dwtO_2WJwwa+s;n5R;Ac
zf#-rQr^qS{qE>+`COvyDj7EMP@`5&<{P<?++gp&;m?3kGCtnQuoe}yW&m3j2PWBU+
z9sOHEq_g3J09)eZY5lb-6z9H&U}4b{oT~)pf)Z!u_P$^H(%1X`U+aSlh{aZ7XvNFu
z@y-cH9?C>R6Ck3J6XJewX?KZUC@frtBvt*;hC!_Uz=gnkwOpcIBEi=8{r=)REcC8a
zP*|U_EY3rwB}p;PBuSx%C>qGfsFIl{_)^$?kDx0xSBI+u`C%Y45p+U@@g8Q1wAs=S
z_k~0~7D>I%vVml7_C-t=<SVErG<u)6LM9h)0I%Gng{@e(JlfPJe@7z(EBJ#XDPboT
zx<#?meCsAfs5%NSC-E_0<Jl_XwRnhRMx1xavK96XU*l0Eys`(#7IAcHfwXTuK?r6u
zFOYbnX#l)Y8;wY59h&K43I_QeAqS<54DJ%X6bZVxyd`!?OY&SWf7pX;*g}{Mu7AZ#
zAnwy08rj7{z(`oJUkqabjD#x`&MX*$B*uJT{s|;&{k#l~dEsZYRmqP-dkYbUKge2;
zzE3;y1~*%Aojs{_G3P$*FBW)!L_KsggwT{!#<Rkmoiz(hvKp{+hNt+FaA;Ks3z}HB
zVXa->DNhzO^>tkw9pS(Tlm_~{#>)SEebWACHtRXR<!ETEH0d&kNYgx9_)4ub2qja8
z=0eS&WZ*H?jwDe@ZJU)7hDidpp2<~#6r5c0kvg75V%<y)a*1?>3Od7<c5-ZTbqJ_v
z2`xBX4zadZr4lfd7O(Gd<cD&D{yc{(_(i9t0-X7gOa^qg8TVY0(SnvLNs!+BjhFX!
zWzX2CkW6|swJ<Xz`3-ItE4})h6t;hG0S2zj7G(Nswap|@td^zc%n~8?bqLhy3u0d<
zbH`C}MML&`vGkRs&4a&qtXNk~mIgBNrUoIg)2(t{g)wQV$0{IS#ngzhK`7wyW`z`D
zuay$n^2F*64x(NjXhcUjqT`Y&YqHQ$8UmPOwd)N@JV3Y3%gioxi?j;0#*_`o3evR0
zdok#_rrgj7T2EPQ?{#p)mn4vE(Up!Xu5mjtfX_niZCDWNro0T8k0|$Vf)s)k!tQq+
zHUSI9q#0}GL?Ao@;G}x8@sKy2G*2r+5ZE<i0)(zJUS8$eEQa(l$dYuOJzoFCDF#CV
zqyt5XBjzVgl0ALpH!vimf&0VRTJZaww0b;P9btKJIDr&Y>bT>nbEm7cOcg{n6iYUN
zWC#f-+Z4`|wFf$l`{?}F)I%hGF`}w)XKx$+sAKP^M*)My)}z*jI?%u62WANQf!Tcr
zKof$FBPId5_Yip=ts)oK_i@dtp|x|T)A<2qAUsh)2_e!DfY1ZbH)=j7G{!)N463{z
z{O(3*3OB6faqsWfO!|7R5lq_fTZv4wizG6Qkb(|*etL#EblPdXiHI1Ru{XVhGWW&W
z4}zof+~A#NfpK1*;#0vffikk!*i3#?p@gGhzVb#D-w7=sefUre2!8M*nGjSv{O3b|
zYXPt@a+xC9gVj6JS&q@4N;)r~($b!Rf;tTKGDhsVI6<~OL>lf&=ZfwLSEe(F5Pi1J
zf4U!ZFW@yip-z4S9Bc5bk9zoX(lN3kQ@dcSdZ(x!0p`f2F*LTFWQ6J**Mh*4J~fnu
zzKd2M+xQ$y3O`P0`&UT4Bnk!`b`JRsr8)3>A%*Q=?#(dsx*}YmYsiIjQz{HE&_a-5
zQ>q0{U#ed%$21Vc@>BSyY3`m(#hIH4eiCW98xHawLfy{Q4UEO+6T<oRle0GfDRR84
zKI<lGmuId@TtuCT3L*6I>wS)$OoP6WqmfZ}OyIF3O-tLu0^vTdm+eBMhYheq#F+e!
zu=0V(D4Yfz#i&;};ZD!1^P>^OQ!Pk8AbQh<u7Qt*zqe`%Avv$_!4ysEU@{qfoo73R
z=?2!K^Afi?{k>s~q~nh0E~TD!{5VFxf@M^i5y(_z$f_lPWTV8-$>K<{q_D8yl5q3D
zHI@$Rv51g$N}fLRyL(C9w!VE(&;1gKNA&&Sc%D-Op`yk!g0KoqDd}o#54uI<Yls4i
zWGu80eNg_8OAiCP?NzmW8$>bGv;q?^<*b5Sv6@={WT6~z5`{vQMnu{8SCh`1^z!h1
z+l|Ru<v=(=7E~WKX_iiNti{)>R)%yB+b`IZBa<5v53z;EPS*k<dhyx|uX@1W*w?ST
z%2-8M6q?_@$W*~z;9r7AE`<J!3SmT6Ffnt7xo)p@(2#Kef##RYK!Dpn(?I3m|5_ii
zRUwY6R9cabxrD9(z2=w-$#Xb|clYqp>lkeAne7pt31Kl~i87J~;lpvV7D8!>n9fOW
zf>~q|m<mJupVx~WG{E#CG2|f9fj1|~mxL(T1J}bg4r+-y;$8Uk{P5I{Xfr+fCDhv~
z{*_`gMe3yA9Zm+R&O1WK)B{Y5hK#HGj)YG;=M|@ew*oF!$(cmxikfk=z4RL4HfVQ*
ztqLQKNg3}C4eQ0%njdfp&e`Y!z!qWAQH=*&CL;KY80#aFSk1vN7hWBxSsw{chB+;v
zk|i2nmKLCS(C*m+d<zqEZ6*sU71pa^L1c;fYsZdZO}oh_+A{*t+!(nw4;_NW$#71V
zZ@3%nk+<3Wn<PFY+PNvpP*H9lavA=LKuo0^J$i;9(I<LxuM1MVIy8AXw7>E^mhk`{
z4szgq^5gm~2lNUKG+r8kf|*Ud)7wQGXcawZ6zdhoSd?Rx57F;lugdz6F`BgZ2%nx*
z0Lnuq8Q9U+4{f&o{AGh7!Y$VB7PbukZy)w(06TGecOWBP`yY2pEa_up%7r+6yemmS
z-&BLr0RM2tJlAL9M<bx}q!8@Ozk~t*<Jf=t{71v{;Yx-ighvNq;CRXuw1TQ&5DQo@
zk8ZrD3(I$O@%ycd^T%8Q)mZuqv975IVx<v5tR#yY#ykKdHRY3I`>98ulf{=Fh%{D4
zvcac|Ur95d6o~!CanL3kiG39x8!zZmw5_nUdIOr$MFjOm!#`)`3!YP*7oD&(LSgU6
zqR@UHMZk}=k1`fUxsj+5yJS%A7R^`eLW4glu&n%m43J^#pr3u<Pdgk^fJj2X@qB8>
z0xo^MWVOomFsM4r`J9blt~ubQQAmLlGjUTtHU%FX^jx9-f4`J56KlaQ2e7C`sLGR|
zE~ZQbB2-0C<Y;AMfh&<;g77RmgiQVDFOW4enk42g$LRN$>6~#vz%i3a2^=%;gZPmx
zJEX^KK$Y4UY&+N7P*e?Cna1%x1dj@o{@zb`0-ApX{8N6ly{2H`hp?3Su_?5-qV3<N
zi}@P>2GDw5b=Z~I`97F91a2%%?-{{3e`KULG1CR(yt64dqk;lPlF{t{VlxAus?cr@
z9+c4ctZmhJz|0_Q<J++IK~y1v{cC`DuL3MQk>sIjFAxv{%7=Y3NDc9O!5?1|g>;by
zAO}~ivg|`B$ddqNqcD;!%LHh}q}>l`YuZYoc`iwaR093U;R*%pDO(9~_x0Ek(>4=?
zZW%~;YqzJXACB%G1^nxlABk9u8*4;BK5_^eD;QwywfFjkQ?@3x#QZZBrvF2m{+C}<
zhj!RSU=6TcR^XGXfZ*BCdHKuR4~$1EeGC9MPXsDv+yLA@secWH6N(<S^TnYR5a&f9
ztf~70JSFrBMhIpU{{det(7mhTkaJO;s2cj4yc2>xSkU@s7TU9$?Xm!U4+&EMgDR);
zDFQ~3YA+U#f=A)qgD1Iwf6{FA^Y(aU18SS!tB+2T5Cp!FG7={L-b}4h8g-q^vK#{X
zGirYII9&k{2YF!0)&x4r0*$K8<_Axp_EVe)4jo91J_i^$Nc145g8oXynZ*Whgn1e{
za+>+7)cg&v{h1ICfEX*J9TetPfNA0Zz3+K(v34;tNEA*I+MeFFsP!J-zO5FW1Qi{~
zH>LjVQjE8b=p=S$n+84!x{>Y}HMlB95KxafVN}};?V1r*yhO|v2^1eldy0kLn;_{l
zwRDlfBKy(YH+T>D6b{#h%H>HU$ITPHpRhdlCc<8q2hKe4q>?^1w30`eYH32+LLQsB
z6WRHIpz}H1W(DNevI#@62xCnsVi@dYkbFO45Ylj<V&KJsHn6az7(~6N*Er73B$()#
zn>@+Ou@6Hd248oH1US$}XoiU%r-CjX<qDkaGyvFe<(nTFM<V?+aY)!;-3vm}VQU7*
z<nVay8lmT^e0<8bWa<9qwAs%6PEQ=05fr-r<;9m*W?Vo+8F?^#cfL$$`@6n!=4}G7
zMFUlLNHfU&R+Z=%1GfZ!^x*A)#9sjiJjH=5dcz7Y@Q!-NGsqKs<%pVSw$qEydyLH}
z+5X=_gwaFqNU&s{gJ)H#CVo@n2Y@5ZY#Hp7Cohu{I1MMT1*S3oHMwz#r+`Yn`F!au
z!d%b*pn59+O>80=GQjx$Xfs@P2q{AK5D=W6X7ivY+IN~^Fs6B$et`fVKv)kh!1;gp
z7eD6W7~1;E<)eEGp9L0-Ri3NRzpcfFR>4X4!K98wxj0g~z4p@UHscpn(>V=o!|YVK
z#a_#+$Wi;cVWW9w#`KkUNQB|zQ-^p2E1X9*1Xy&<FX7j2)obIi_$&B~nY@6nPYbRR
z+JZdtmFTI80B{X^Tn*4y)b{DbfGK`YzsWJwe)=+R`}z-MgY#mW+mqvh437_LKt+wG
zd3t-bIwDV#)KjD#2N<~&YqX5~J9YV=gtt_xcQU7JdL#L9CoJbpaeM`U4~21P19fDF
z25HA6@j0w|O}k~=T9gs;ch<rH$s;!jr^&Lk83n^COT~_EanT7lgI$f;Vo%kpJ|4->
z45gMo;&cvIhM?!X{;##-MPzvft~z%xZja7X8vG6#KV2*rQHi^1+!Q7PWJ~GB$0JYU
ztBqDoU%}FzcYm62GAWy$`o7KQC<-Ro{sg%c$cfKgtBdrYX+0EJ?h~XV2#dvkoQ8^H
z`OSaz6)D+w47X``>_t}<wnKvOxCn(<01CbFspX&MqT)rMn&<?%4W!HhbJqSS*7)n-
zEXi1esyty{Ktps?R1qRe!mOI4?{@pcI!tq^mCAMgt9S0ojUbbu>QOe~#95Un=k?Lp
zy^F<<&#JZtmaCj5X%Es~RrVbn!kV5oevUai5lIZ(M=mtTix<&qZ3e&SS31O_;`01}
z<Z!&sp(@}jd6mP}<m=0hj0V4X59eInd)BRnmj-2~4pY@yU}ZYNtphxw67aHk6#p*q
z*5(h@C&HFd_}@||+oO=FBap!QW`r=6B+e4V<tg;<&d&G8nlr2nFPdsUi4jXTEgEO#
z@W!=_$~BmKX^zqp&;s2`qD|l|j%H!Uy~oDl<h8+J)&HBaa(vVKftV&R5|wQFG^#py
z?>5-14t9n!l>M^3M<wt|{m;;yLK4@VjF<TN^KWOfQ~B#jUd3j}-c4H{8=DQg4QRY~
z;EZ&Xh;762?)IjU+R?GQ`GNPIJ}UOQ>ObuEKdB$FN1-6|VjP1{>jkHRXn$^EQc98;
z8@QKIo*;IEQ6#j>k)r*ehJ`8ot<9SP)j4|=l)`wM_^rE7YG%JXZfvYZj$2$8B6v6F
zua0-=YSRlSJTaRy@_qMMIjLuSbB|~9I?IMQ`FAe@%A+WRO<HdpW4HqLd*1Ced8;MN
z?In39$xmnk6^|B1GjIkCfMY1=i#c{3dH-k|<5@8=W^#jVx|myS!Wtb#j&S{)lUg$<
z2TCo#gCA}vcHtg=Oe>%_Yf|cHZhJmDyQuT+ibEM{nA)`3Tgh`cTfVW9j-tyLm~MQy
zR@;KjVIr{VtN&#?^YV*{XrtmzzFqilhP|~ymmHhblS!f1MiD=qrhuH@&woEvL|vd(
z<dw~)VWaTo><Eujhdj|m2d#AL-X9U;H-U6nJxx~8tCuw)cqIzt(II1tdN&Z;$37<S
z#>D2-P%uE|3lA1Y@jH6t987o4)Z@be?g23WzV5P~%DMZMRyVde{#?>59x*nb{6<--
zh=j7Set>B?+8BsNyKc~d>GR93kI8g*2OI5YB)WKC)%4Z4Rn9y$>(nz+`-6b=nObi}
zgSr=F+ofgo1lK*Kf`M;oO-j=@$U68OE|pURykU9)`<U<dnhs+0Gffp_4jn0+8g4m(
z3`lM+@XmiW8zwhYd`V*VjxiG#tX{^Cs)&_{9=S@~0mBC4%ZU=#lTGbu(E40E?MR_J
zU-aMe&a!n&^xrzbkj)Kv8=s}qvBe34UfgLa)$!%6478l}K5TMiK7XWU&x7_8H-<5J
z3H{4J!&Y0bc;%$!!7;7nc(y5{+O83g%_*KDtqhKfh?+`jUF<R_lisSB#-674o_^OS
zb<nfsoO97n+HU@oOPi|Q3yn#HQO<Wy9gtW}Y!fo6?fwSWA7@@K3`w-^nKy8)e+;<^
z4?A_F`?(w;*=i_BX<mt2Ig<t0(D<hg28fac*cF)Rao>H?W#Eb8e;-r{>a{44IFTdS
z-iz!%QKCNz7-aZR(fx}-->QY27;T-VXn)#h4CXppq+mSOy;$kC@pyCa<VLFRsIiQI
zoA884%<YJ&;nm3>PR_M~c&Ww-MegujJvwryYv!Eity=mA4@9q`+yio+#V6Sfk<hEd
zWh&t%v%cCG+``H2go-Y~w2k9GsJK5s4rCcw^u*7LGxmHnSETQ}>)T@Q&v=z>|Mn5E
z$aw8odExcK=K9Ac!Dl8weF4XN<ZAM+_Yue{#Q0}`A#VXE2*3DD3?7~n*r&e(rG-Q6
zH@RtNoIw@avHHTs+8*D;)l;dI&O+vGUqsMs;H`_I>*@gG#^`*bJi~URcTR8OT5jKz
zp``s@vKmjW;%BkBUqb>r$zxO^nj3!x_96xc+EppXJ#hd0Ab2$xe|E(8vK!MC*mPg}
zEP?Y^-h<)@wmCN8?|DkwM0YYTN_R4lm+WKpvlvcHuf+RnHDOBc?p4heSzD4J)G_e#
zg50~(yBIvha-E!cuTKx%k9#Q;)0p#Cdeb!GnV$V@%u!-&i(S_gPUA=!Gi<%E){WoO
z;e&#@;@Q4wBq=MsBMo*$h1NANUA_m%w5(P}+>xEk>jP`zNAQ0H6{Jbl=$96vMNtjA
zt@bm4Dk~m=T1S#`KG12Ci=pOr6Z`ZqW}=r{MK}SwINI4!=zLjmV>N~Ss!jMopzm@r
zd+(P2OQpz!zU8}}w;*6~OC`UL@@7lny=UUmo&RWsHjnrD=6PFw6KCyMiK$$wR{^~j
zX@A-6?0n1ORFm&7x{Xnb&n0u@45jH09-f$TaC<yR#%(Ctn!HQ8N4uk0mo1Xo*2FP=
ztJD00PWS%8>%Ftu#EyZXLiYVEe3!5gLU&TXc0vPBotwML>bu{>JL@_RtA86?#9v-)
zKW+kAOoq{w@b1ydmL8|#nIo+)sty|?rN!y9it3Z~F3XnJ=Lee-N~D&4R6Le&F3NAH
z6#hFiPeAb!y^u`05u*3H;FVKj!F5pHJ3=y5hF^rYc}a7%<#DWY+~jwSh1ZM5HCqc2
z*7tY|Xz{5;l#@8`7!}3Ow?Z}cgwaN8K=4o)9sBafL0#y_<BVawUH?q8>$WsOe?_~5
zb@oKNqy&v>!|uDQQ|^Ey-E_tJ9^%P`w4p#7&q9wOq&COtiyr5%>AZW9XWQr6j&o6o
zzO>in;+tzkw^A1FIqaj=%LC?Dd{cwmCe3<GR}J8_lh77fYSJdVaW-J-(HK5EZ`xnW
z2uuPe*ecyvEU)z45$F@-TQIDRJ8v(FGMe!rRNj2%6SPlI<nY%q38-S}Wg`_pD9sAs
zMhKe%J+}C@-s>cr-&0XS4cPr|Rrt)aLS($4q-IY;Y4o!a)BK(g{SKu{9Qlk+g6`Zc
zH}#2OsZHO6hd8YDTHk7}n}6v_&}E&iqh}mWaYtkEYIkTL<mKD>_iC3hfhIQ}+kC$U
z*KQR{j~-kUR&5L;UAPQs^d<3zS`OX2Y|w;fYPYb<iOv618b?OfsrpVG&+O3e{Qc0E
zFks+jF1|-=3@a{5@?8~139ZupW}7chuwLh3v+Bu2(W;k%gGlohb6*;JGKX>Vu#>Uc
zq!Y_S)pXzp=~3Efde@g)4^)YTdX?EF#!WhG+C>OGWSmKhPoe1p`}tO5-RL*$UvF_f
zVY?l#YxI5OcT#ttv%?f;<kHi@oR@$~_Lg1T7P*`5gVfGF6!9pB+w$}IqnoosO-i-+
zfPI?};Nb_@R_=$E^4J^jvOa6g1m$A9GIgy^($FtDrM3XWD(g0tl(3g_XLrhFMvcrb
zPtW2wrbmkd=j#q^4n&0Yb#`_*@03o(8+=w9m8l!#o|eu$%-GqbTN^adn7pYu``~Ub
zqWum%rTW&Fn_kyCLE~{oZ*7}n?=R`Chc8rPOckPhw^%#4Ta(aVeWBlB;2ApEo__Y=
zsr`L-Z66#aJ|ECa6nm`!(gj<wg6Zj00Z{KhYK}$wj{uzpIS1nybRAlDlVzL$0<SMI
zx|nxzk=~#n_~Mski`$pVn}+vEQ#8Slq0zIy_es@@Ke|=+@?X$Ka_~V`X%?*-Y+$me
z@Ny`lfqp#lTW>GLk36>{iYn)$kDB#*TqnF(d3&DMY|G@WR89jSg@#t&gN9b#hTg1p
zP8SF4?TqY7Hxz4`OrKwvT<k2^dbc{D+fEmze!4lTa(57XRy5AVNvm?DIez8SCZu_A
zK)l46@VdEHk4=l4>z-Xgtm!FrvZNDNd`6%E*S(hsvAT`pS|fBa{bKiPb!K%BTZMCF
zdx~7=rNeVoTHaK-4Ir}`@We!=PZ~6SNnt>J_$1EAo0rwMn?R55AqdCDWG9O&lin;2
z+`F5RV$~7KDAB)7TY8o=*K+tLs4<@7qK$~&lu4~oer1CW9W4$=hRdWh?zqSDNHL$7
zk)oX@ML&(8?||J<n?%&afWb!9IF8Up?aW)R<Wz)iu{~ZEm)=JXWmd%h(%p8tDsP4~
zooS%W#*a?r7Ra-6z4qod_v)>Ip44??l*x9crjS@uPYg{X9Q9FL)j2}mdV6!FgwW+8
zJk57v7F}2#Wcq;Y$_4OGh{xi2JC%@o!EbP)lASp87QZdU6sS`rYTnU^8hGyhW)<MZ
z7<kKLt=xOrF(;o$+l(7VMDP298MrpFL$Eu+aX0OvIu_b9&NAuyXHRAiyXH;GB^eS~
zzGl!~SMqN9M-&vQXGU~IIWl@=+;Q_Rnd&<Ao=avZrL7GVu2JXpJ>P@fd|pK-GH+(b
zPZiC*H70?XW>Ar}84>PjE%)!SXynee?fsh1vpqQ@hI7Cx1xZ?C*^|o$-sA5jCkyK)
zudv3W`#D{=WY7+s!&IroxqG5N#g$LoF*5D87+*%e<Y;OWVr=<!*JM<3vK3Q!Mj=~n
zs*ro<{lQ-EOuJX?Wc8)#Pyk4qu>uZrSb_4#rz#Z|n1MaWs|eHTkXVw_^Azg2H$Z!>
z4!pXV0YqN6*WSkTu!>rsNoJEe0TgP%8TW6CvE~P5qRlaAQ3!v=f0oOcH){$_LbjuA
z136Nh?7F2%bN-hDH!*(_ljm{#DfA0=Y$w}pM(yuOZt(tT2-4<AuT}Y@Hk~b&upg{_
z@kSG@pZFexVWa$}GzlYahQ)1np6fMuyHyH@zvE;vRQ)7TW(~jmh6rA*F;R##yfG39
z)b?rR(fw26uTo{%rjp+56_n7pN3b!LUw5gV%5PO&a#vWsJ?+gXmK~Pob&@K^qQ+OR
zmd?hjj$J4;Bo5{6aa3;;+&giUw%s3o#Co-!X7^^U|67yQ*33<n*)yBzx<woB+L0?B
z3m-RD-7L5k>!=c$ldsZk>p=`($s;M*u?mj8o4A(=4$s676t-rTSAT(|`CPn_`Z&?#
zz7?h&t(#j|W8kLJO<dtv%-4IcdM}r?Emx)s3+<sRX|G;>!)V1ev6kFF%XgO@O)rL?
z)fQ=6?zaaliqR;}<#R4}@T4=Vq!ttqheg+^*@Bd~!<F}HY{;R!-O!>~u{HqgY%UYF
znY|dv4#%SvGvY+;Y)SxfAg1U!zay26smh#7beTWjQ^rN%M&|nS-~nrQ;n4c(MgG;E
z(qRW<bWAk3*&v`%U~vzOQ)3({5IcVrA|`n*QE#pMQTdd*sVv~LY!a7I3+vrgM(+sk
zT^IMr*CDzDXIj`7nii|sOZ<SF1;R{?y{lmVhq)Sgaf)1YqQ^g3y-!CLVJqJse3A5Y
z66T=wyDZ|-C4qe;AdI!_i|?EMnQVFa;iSs(f=2(szx>=32aueG6T7-ZpSeP}6tl7g
z^PGAvHq(4Bemt;yQ_^<UJ%1%=J7wn`*kxyXHnFT(pvOfq<59_HcLOhSlZml%UA~+@
zG?<?`P_jC?4DZ@nty5_GFhY05S6O}|dNoBJ=7lnp-?JQtU@jZoH|X8g2DOKt#Ipm{
ziaL;NGJkjmEh#f?;{p)}bz|kGru<oBbq<CeQRrv}O`eN3U-|4zR9yEL(HS9303z2w
z8M1!&&}=M73@Ge2fWpOnYeHrJZjm&XQf_AP!O2^N(4;?kXlHzWcXvB!n6I?7XL{!I
za5$h)CO_iHZ20;pk)DcHSWF@f78J@du1`d!o3|l@j&h#Ghi*%Z#d(~~QGwe>&lW-|
zX(YSJhMfhMq#ySix>MeL6sFw&{Wp)>-I})_ysstydd_XAVNZ1JhW14BsK5SHP^U?4
zYvWMsDnk1c%BR@8YVpLFvv<Ug!gIpN9}I<kz_4F!S__87|7>wi$o3J>UP_5wFiRw4
zXL4wIq8UAU{f@g|8oyXdPi}@k75eyRwsy+QgzyiI&I!Th+#LZyRlxu(iyqkY!bqUT
zAdya*Gp$ZPB<AEIrqWgLrpR~8xNr2ERunN+o`;fW->zCrK~-Edt!iR{^<Hm}uY6x`
z@Y~#t<+H+M@mw22)kM{yr*Q<LA78C{ZR-V6w21t;@oKhgo2p76CfQG_s0t>(BEnvq
zwR`ovF(H0)+@{!2$KPF{uH;s-&tLjf_~q#3vmu+tfdz8Y{XC^V7wJx|7jl1oe9Zqu
zYA+i8K6IR_K%(yDq^h8V+n@SDnobWrA_T(equ&gaJ(1iXC-H-i?N@Sl0oeH{0VYnd
zG$MmAupCHlHZc)m_Qx7}8l!b{#%%${f+mn>9sYWYAzC24V}8#OQ--q2F<-hw^S6ZV
zCp}Nrt$v!ajtND9X9_<*55=B;Q)-^+Fl_Y^-E)@PSGE^Cex1O%7n#@3MHjGf6`HSQ
zPrT&6A5}KbtI4Lzy6l-CviFsZSSM{iSVl>onyHK1j`pGRkC|^xjE<X6^-sPP7pcyr
zQ#uW;HTM}>o#l)7emW@=Xx@0v4?7GD)S)%4`sG7jKuFBnbjMMCd-Bci7azNglm8uX
z13Y8TnVD$nen(kMh%tl1Ax4H!!HV)CvR4$}8`&iScY@{}2E82iMHH2wCJ1=20)p#J
z8`JkDM@8i)i~fw6{K3lOO^m(EEZ>Clf3ohUe^7u<VXr^QTz*TNP867)DCj00KMnro
zH_dZ9G|u}q{QM|LMbd2K-A$FHj3r`bXpp@2v9B-3Chz%s>`kTuy*Jr*=vXfJE_e4i
zJRXFx%Wu5x+OztOrz=9-MO7mJ|GgWYbA0%rZkPO#fVn9nHQ8Fii&Ykfn_U%F<GT8O
z@@Poi_i_K+ONZ#u+G75(B--W#D;4-RiQgC@lSE^;Ki{|s3c;qbwdhJ}h)X4;IAp5X
z7?^G|q*v17UOExQNN|vUlJeUa<hsYMB}ry)moqjlLQ>}|DarZe_%?|zrFE6ugJST=
z_G;a=!DpF#x?)B6;#Hs5XxpCKX!+g`2|rHpQt?Hndb#qj9rr1@{IqW<`5UEQ<}_7F
zmUbX*Xu%{yX!1Dh3Wzk51#rr6$6{~}nmJa91gB}MQFcy_Q?XcU$nx1Uq+dV_Kz*Yq
zBdL}C81^cwi;a}Hj@Y~@Bfp{_ZnfrA9h#pL#_3&eZP_H8=lUm-=o7m@3F1v8m`aTZ
zvmq;KneL$UYDqu)nIE7r^kYSKsCZm^C@j%fr2Oo+sfNM0w;`8lEA#)?-c?6M*{ypi
z2_+T50BMH)2nhixVVI#qLPAock?vLy6p&PD>Fy2zL1_?%ZlxQBkiL7E?|9Bx>z@Da
zKX<Leti_te4D;@H@8{Y3nZ18u+Igl@_^ghz+V+L~-Ie_jyeiO|8*e`Xl!$WPS8X*7
zC_bAMb67&n0?%6@3((D4`}1hh)#K3|B;)jVnMZ}kIl|iBt`Am$nUI)v6U3OU^KqK|
zo#96_{5_qxitf%{VjLVBx1jhFQcJyw9y;}8-r>a80NY7J+n8+?IMUzx3ko}7E$q>2
z3?p^#$!i=AI(!dAIl*bCazp4#!F#0Y4ZL{5p+91L^|9RlDuU3)zG&GVs`By+yIn6&
zK*7S0#w49HM3>(>D-D;6GUk^Jczy^mqpPE2+^9u`N?^f*U^8*aZZh>clJG!^M;mMc
z8f4UYJGIweKH@k;<T}Qusn@`@Z;!sr^!z9y(e^k228;5s7EIBI92dC5WvjTw#36hN
zYiOq(rpqGF=&?NLIK)-VF>qyQedOe|u6J~rrF9#zBegP_l~dPPBLo-R-rfIwyed7x
zD<MQkU?Id<Uv2r4x4KZ}-RE8BK2iJ4U5T!Ih+(|)dpc=EXi{t#K#3W>bKaURFyf%2
zqnmuzRZ;<AWR%`64KC9~@kZ_yfSNRiLpHe2H*F74rdWqWT9pkvs5bq8yf!mI9u$m~
zqcD7QHK;yMJ?FDN)6Ne}F)4B-IfIWwL`h+hPn&g|^^NLcooovN0^*(4sMb?*$e&tE
z<HPMp59>Lp-1%bTzLz^xoqhkcgm5S}?2{!&2K=r+ym6dohO=^??J!qRsul1M(xUam
zdR8HZPjV&7?raVXmtR}4=iL7s!r`A5J>@XC-f`0KDA_K$m*L`bWgp$bJOt-BptZLe
zgKVfosxq&_Eit_q=K-)U1B6kXdyH0^??OUUU%JX_aT5>|#{o<p>k{llv~mux-1rT`
z$TXvOEnxak%rTUl**aw^RGbUS^1(Qo<dka2@iW4+xU~LZW584V77fbaTQnNWjSpio
z6dFnfmNJ-av>#~mSk`%x)WOJzzhoG>mWBwW9L{ENRCx$L;!$A@jEOvqJJi&fJg$gO
zHR*`2aupYXlSH}BRcPcYj`GA6pKbY56zA(~J%tWw`jbjcyFMLvw1jLml<0eLhkF-(
z6q&HdRjvHmiD;d(RPVl7xlH?wc6VApJ?TQNBHv?;N~7zzDw%dL_8_KKA(u@hB<(_|
zppwPSV-8vQIq(XS99Ce`oJBE&^@>9$_{|R^-Fi{eG3%q25Y?q%1^7`fD>vLO;uzp)
zje@o%2*ZdghnrRWc=-TIw4!zo6xR?aE|&+W^rEV(1<9+!EJ^eHKG0dke08Q*g5q<%
z9`z0+hqSU;kCjSWt33o#Fd;BW5i;-B>Vlm!Rkq0}j$KT+wFjR12wCfGKH(Q%kfx}Z
zD1c~l$l!1I|AwvS<(afh>JQXQa|n4nRM2-}kFj64fJEKeQ|aS3+AJr=sK)gt2o}{n
z*fInWpqb&m#IhJc0X3IdXBsPY{z4|x3?CRZWJBCm{Plc)`*@P(>W>K|{`dCyG`@`u
zrTMHIOQxsyMrs`V&S_MTle*@U*@l%nK5mJ(X`e>w%|O}75*S6U1>b1tH1qVVKUVfF
z$OfvmDr_ptb-zV>m!vMf1-$~RIBvI!(OXr0j*c~1-!QThUj@A71qe>rDwVv?i<xj9
z_x_(cl|A+6`ex)VWj-S>-OjnT*q~q4jwvQaitq3lFI>rBs`42r$OSbv*J0T0O4X1!
z$mi(Q2%4nr;gcyubCq2*4R=_aV7=@9-C@Z#9*J)rb^>uC)l0F|g5t)n3zUy$ajs*M
z4{hbqNO^cNB-<QmoKa&E{&t@h{G1u$)bHO-8~>JTbJWJsrNW-aV%BIOA$3xC6Ov!a
zBdYZU-blq5?dI}^*<`l6b2oY3vg(b{tb8(8xNhupcx*l6bC$d`b+-Is&%d^_7u2@^
zy)pG3W$ShG96%yxy+TFQ1K7cckzEu5LQKE{Aq()ssf{1{l0<bH*e$*UNm4$horOpU
zDTQ*igwplG2go$+NQr~@mc%Z!o!3WGO~Q6?sCD*9Zs6?TwhBG4bY6>X58KLs2scTz
zbdvPu4`5T3-o098(-1(Vaj~%&3(L!yP9@ZO@8vTo^Cmua*+w<0{RH7WJYX7<M~r!6
zaX<2w^?m0HDz-`zDf5}MlJV&fhv?lkNb`~VLJdx-<q7eoncdHNvy6c$7k4k4T9FyV
z8WO*)Ge2w~wc+9k5p~iMZC`g(;n}CIyb`MDpL#T6vI&#x(O-z~MizWF(a-8iIBu-`
zgaswYQv~-M3jo*E<kX~jaR~|R98b&bl9gU>q>ug#Sz;!6lk4J_(k@~p@5=_~=l5>s
z*8?+$-4etpb}&ngP!tN|<=2l^jT%%JA?k$<RL(C?-JZ2-;7<)e<WLlve5gQbm1~8j
z)7y3xna5>x>oFomRwl_zB7781HYy!r6fYbl;4v(Py>Dv4CX)p-_PvM!&Qqq0O~<qK
zkHucZd2)6MrwgPS<$2{kS-y@|>MacmL|p5xFQJ{R!c#BpLr(hDTDw}$_9N5v_0kH5
zdR20@O8oP6HqJ6Sf*qpy^hXa~bGVS`_M5bbo(#Xa!Hm#+DJbbmR1uw&RLBtiwZ#T*
zV`gUTX&#gkP#H4sM%X#r`B+F959z$j+nepq!>|1m!IG(QIEyzYX3dsZb^glInYxC~
z^0h{EWSj29(5V;{HnT+4hpC~r?MGjCo;Xo9-!;P>#&F>(QK(l_NR+i-?xc9Mu;=Ms
zw>8k#rCR-hmPNHSL!1&U?n-gvkTrhKgkNPbn*6hK1zS>f>EKY=;u;HCpz`dzF<V|N
zNm<Yl&QhScjuP^zv(3oPy^Kk`oh^n4dW?tgb(+g*96#MooR(;;H5T8N%e;m(@!=Vk
zcDZW~pAW09J5gc$!~*S(OOJ}hxk-V}cp6wxgK{2s2>Uk{;9MxH6PymK9rr3~axG_U
zLQ)=MZetcQ$_CN9oj1-?;h1P#NbUyx#J8vaO1^Yc%sP2})LzwHWKcoh{YM5~tRDC}
zP*-Vff(V|F=Jcn|4JTAKV^nY!%63yI#!6rbwtHc2wf<PU%3G??xxMF+v->o%b7Exe
z^o)jkbH&8Xyk9xldeySwU87Reevt9iALKrfNyuEW{htjCDHNzG`0;)R7d^cc%go9X
zN+cr&J^r##im@e0C7whQCB}MV`VD3!xTC;G(us;1-TdZiA;priqM&-|j`3k_pX876
zkeGx(w`3Nf-4<!xXSxBRw6mxEa|czjua<_HWc^19Yc#y;l5#oEc1F2)oMj`Ag$&K>
z)d`6YKfN;Zc}gjuw3+8-YtuHixHSfQwS;h0g4yXFp3U7)*W6k{n&8?VjqkXP)CC+N
zC4L4x!ZG=s(rCXk^31`ja?d7c`betLXM48UpEog<(}`+&&2qp&f4@Qz?B47#%({h<
zsc$6^1<^<5y13JsP0Nt>JBUB4wo82|aMi5t#SUd-x#d8e8iQdQ+$}}l&26P8v(cp4
zgI#{Mm+r80{ayGJlUkx)4DFr%2RtgAx=wALGzw1MoHLuE^gj~Q<`)b(WAYOshm$|?
z*)XUv*Yz43+LN{`a!$rm@$FpQ*y1Ae(suT)Ve50={+7_^G3$|5bf4ki0%<)~elGXL
z`p)lLIFF!sQdSd{3b)v`Qi!VenOB60j@7uP<uHNos$ZG=d(+0u8=%c!fR-KrfoQO}
zNVr|YB{+`c%*g8E74?vVcbc1zt>~|eey{#&=9R;>)gk6b&~~SNSd@@)V|Pp6_S<kh
z^XgVCVy4mlS(*De?O6RPZVsrn*u%o3$lCOl<QAg)lil~$={s0h;H#9l2%ag1VuO=5
z-Hj_OE`5OksV@zzv@+nO5O43K_1Skq$u3^*#@=GG>Sv<*ney`OBV`#%J^Ou5;4oda
z%0@5a(HlXQjq7~R<c9w_4&qRlQf>EyI;K1E@@S_o2O$t!hy$3aqe%_VoNpAC>CU2-
zu(jnA&)!ghr%~eX{WCIN_^Il%xhx#=ITh!}@-umIt^K@6JEvfi(xUCO++9}+xVjg$
zbX?sVWYj6<7rw|9@v&_2H;9#t9k;$ORJ-<2eKFZU@=-|Ivyaru@rxPW&-Jh}U=T&4
zP{GQOllZ+P&9j30Tg-mqH&W7WzWChT$Ai5`-A`+N+Jr@%eeg4H>MQX~^h^&|AmM%6
z=&JAEawn2rXiC-Y<web~yLttaXgyj=vC?x<uUOnyp-=A_EI>~2^qnI(YRgWom*tLn
zzitZD3%KR7E7;{+KeoWNy?#``HdtqWLQ~?t!>L`fEvILds}y?LwGR%KowuC(iJT6&
zpemiOl@E>SFzQHB(o87iCW;eft}l=0ssg~fY0sUwgt8*@Ut;{QZXM&HjY9+{TjH?@
z<bg%Z&I93T3KMJ^tVWA-0sHxWw<pLC0y40*3+n|3Hj$ITWNL5Ot6!EQf>uSA9lV`u
zcAA=PO~&_#O)f@oF^zC-Cx6%99ZADHv%0P6Z~<TKPYnR4B>V<>u<UoF$XuU-#VH07
zEzFO(E->W=wGbD<xqH($Zs21JW6)pS1Bfp;&?lS+v{N2{+PTfw{^di2*U3TG?>9gY
zEG$|1cYM|LIOg%;h|VVswi5)-!eb5RS&Hc$!~0Ov?~73c()$)qOn>M3#ML@^g?b?8
zbB+gvqvl6TeyxsdOjN!Hl9?w?#m}?H*V=!im0FDvXxDiMbP)~Zb!=<u69rS%bN@mX
z+S(2v#|Ekv&zBwn%?7u*R}|?0leQ|p1kS;_F637rIDxdh_;3^gFMGO8@Lm{R?levY
zsrCvx_FKDXWfNW91c2^?QZZCJEGeQ$<<Ba?N#X164?=RcIG_IP#m#ly|MVKRaZH}B
z`)V@a_$>E|?QmjK4Z=~VocYOtcT&FkMmZu6>f&bDf8{VW+Amwy`3#?1DIEHUDV)!o
z&d@LhQ$=2R@qI!9-Lv&cmI<<p0`-l(@&EyG&uOd)r?;M!m^#R&g#)0s0}kdDu)Qn+
z7<>SDAo!ZvfX(P)0$zGDJd~%}UCOZTHaP0&wj^>7oB+T##w&2T%E7M3;a!|wJ(yOb
zsz#A^7Ly1^497G1mKHgJa}E^%>0(!J+A96v*NAPSd!fgvSI@fCcgobk%$4g?fsI>d
z9OO(k#mM^IA@Z~!wdx%ENyF+;E(=aE;Jd+6TLg%;_p9XdrhLxE9~?1qDCEdf3w!IH
zS(by&pF?iy*p{@EE$H;@*Q^1$zJK@>fC8d4VF@&1F+aXd(8SWVU6jW3CQC`1XBMBf
zkw9Tp#<j^&>MJP87a)y5O2WFbva(xL@TT-vS>HmQs0RbbhLQNLDbpe;U>~OQWj}lN
zNx+g-=@BVQ8<OUXDto+CY>L4=ld66!>R_iROXo-Cc?D$4<rz?~08$+sK!xJ)<gJ)(
z#vRe3#fJU*NNh(&Fb8SYcTe6#T|Or#XBVNSgdhESmc2l?hKGhtPJ1p<<mg%R$Pxm<
zYrpeTx(48SSv<90Oyl2VRhI>d4lLxX(VBTOb8}C2y~}zv$8*HA$B3r8t(Z@K4-5tT
z$ZRa<t@0?2yh%=;k-z{cwgF#aSk<#5CajOn>wX|D8rj<K%8K8|bd27c>(uRGF!<){
z{j(L{50iSng_f!jNb!9!j_o#SFNFahtuJ=I!WC{9fc}ul`u^H>fJ^~!+mkqWJa^IR
z0LgPWrW-><j(Z#)H|~pHYzuWF(_LM%O#|57clvisi-3kpsneQ9^N3>h96;Rl4diPH
zUE&7)X6gSj>%Es@6O@QEdfwo;qN?Z2^TMS2lV(64PyWknl5G(vey)pR&{tB}P@OV&
zQNx7cfp3`jIGCwf=pBK=D@u`hZf@>?pFl_H5(Yaf;0Fv?I)RdiX$M){!&P4ltmu@8
z>5g@`CtC;HK4k51p!id&6v&Rjc6}M_OUKYky~gvm0(4kbpxO~jN-u-0elBD}*!~)g
z#hjG9LXZv2+j*XMQ`Xoogpd(_0)n)Az>S_nRpWyup*iFlt)D#T#8Gm|Sl=gC9X*fk
z3fZT#KP{InDFmmx*QrIcU{zOFNtz-a(A|}}Y$J`}<UKYS0DFxZ%+f185Ov>+0Jb!@
zYt@=rk*syt_>|JVVUa57+F^6p`TQxi)Aia+@*h%+;>r;~E9OmDSS;8>ztbCp6N$!k
z#y5d4xQw*45<h?anj)8GAFwQHU;;EtzWQB_cuhjwCQNH6_`nT$o8+rHPU17bv*Vbj
z+I`=mikpUt(0nI27|-dmI~dw@+4pn@+_!Y#s8;eb+o6y}buL9H1E9#r$mmvqFyDSv
zphGaE7zpr<A7wgok-6sLT6XO>+SME6{8tlI>m42@Vs5>8gYBQ_JA}K3(m?@WZj_!@
zsmI~wgxyHKwpy-c5vQS{p=za-b_GR)L9>6e&8^|&OBk)vl@gg?JyGDr!@$hkRbu>o
z9*kqvOCXPv>Il48P?kCmED(Ps#t$t$8N?{TOoan{9QIHhB?u4+5Fiz04ddkUSPz*x
z0QR^85THx|iNhYKgnQf$EkNUnBZ8>iW$!$&U;q+UaX>3q*NeSOl_1k?2tKJ5m%<Fx
zBLb!at(vT{{oTaB0LPu<+F&dzHC5Gl6o_GO&#_rkmg(=<W%8ZEXbYu?12!$P8Soec
zM#-qOa<!eIoB;a=6h7Q^0T{N0MGkSa9xo&VCdMi6FDf()nPK)FAe$c$#)B!yMD1&k
zW0_D&P`TTfAR0{@0OX|}Pzr{Y5r9HpqXc`6R1l!vvA#zNp<^-v_0Je}q^MpG{19Mb
zVggwZu9GnEkctAA=`Ux~k-m&G10n#QU$isJStR|}L=r|`Z;8YL23YR1T0G3?O9E&3
z&PN6U0HQl=bE`_lLnvjUebkB-g&U6W1r{7dt6?8-wBBB!Vhp_<ID~%>Aol%?JAl_B
zYTSSm8|#Vh6kfkdX?&YCLZ4`vpNBvGGKv^dgh3l>>7QfVq8EpD7+p1V!u;Q_{AV#&
z%u<^b<$f<-jIz>Lzh!dv_x$r1=tRZjH`h|i{_CI%WBn+DOaX@c2q6bA(<O8q?S9Vp
zF#bBYo!B#)J@6{AXnd(Oy7LzS{lbFUBi4!)^ls))v$<NJXkU0u159G5HyEe^TEDf0
zD}OxL2oYZfK3vr9{HCGkJM9KEh9Qvy_Azyk@$zkbEl$9WR*xdTJNmL8nleF8jU%@C
zZJaY#_2^pfF<gFy8T)`6Pb~>}5<wB%V>i(qK8PCQDeQdTW^9o@6_7iFb9Rqa_j?W4
ziUraB5p2BZh%IITJ;?u{{#|?zmYKEHsj}@u+&$&0zb2sQ_A-E%Wd@#WYtVoWCeSdT
za{Lc%;-_M~dshq*--{uN;OIU;#}Y6NLFT?M*N!De4WB=`7Vdw#dLo$Lv4?~+T$dal
z;{0815iK{{NT8Efwh0by{%OaZ{7}Dt-*P4q4IOv~7^+kKJjUpozYD_6LMpASg9hZ=
z7_lT!PuuG+W6=SYTc{DBMulyOSw|)+Jy^YO6{7etwFah{=mF$s1cQ+I+N^8^QbHVv
za!yJ$Q>zR{kAMhDl)<<!QUNTl9qOm-x@fKWPI+_`SpgNbTm?egU(d~Qrx_)?C3tvv
zqIVPDxfQR_J_Z?qcRNY}h(Q1X!e5CX%LWyi2q@*7kf<t6h>8fx@MP<HC1&X0r7cG>
zj~e=R;!(Gw_I09q45ZJuZ^ZkV4&ua4*UG%m?Ug~j%wQdBiUWcs-vDP=;y<-%P^GkF
zN2*~3SUF9#Slvfw-+R!lcVO|R+I}GW*tGnd`v23_|C>VpO`-osDRk8ly^?}-^J^k)
zZ*Rxbect^Bn_Ur9Xiq1_^QkZ6|FXupT!wbAmm#<N5*X2C51Q11;<Y58R;9baL-dz<
zd&%FrOyDH&_g^2&9;1`=&+pL7YDE%J_s?qOAIlheF~hb(!S4T*6~gf@xcry($v@wA
z1u&V|PcZ(yfmiTNXvLv#^!)$+m_Kh{2J_UP=KlReycfIrb1OBPyLHJ;LQfWVE;qk|
zg=A%9UaL0JQ~zo9-%pBpG5Q>$Q{0yv1@FCAZzyw!Gnhb6ZGSF@YTBP(`^S_2gQjWY
znSeP{VqcMES}0M`@30jeYyZ-CerBLQ=D(`<_Ul}5%4%Xy9acQLD*yAIE0|;V1w$7y
z)6>%@NTeS>mUZsES>%#Rcb@|H06hAd1J3+V4<ySHv^PBI7mx@zk&4(00;gOqiD_wR
z^gz#)`u&g^Pymrrm6Vh;8lFMAQ;_byd}-ig;In;?e)K--A((9MJ%73^L{uzREQT%T
a^V^5bQl@Y->oxNg@B@=pd|W7L;Qv3RUW$_d

literal 0
HcmV?d00001

diff --git a/website/static/img/logo.png b/website/static/img/logo.png
new file mode 100644
index 0000000000000000000000000000000000000000..966973fdd63b6cd8d89101687a18b578401a2ab4
GIT binary patch
literal 7522
zcmbtZ)msz}(<PUdrBh;om6k54rEBT#kj|Cvh9w0SW$8vjx?56EQo8w(0s^v>Ao2PA
z4e!OwdCtu|&(yh?Nzm3*Cc>x1M?*s+QdLpV{f9IEtOXbF&+iYEi2Va}Z(U_Mw7Mz!
zqkja;5dwvvp*6lIc(B3#$ML*WOuW(1cv=46&;!b4{Ls+oZ&ei_`T>@w`FI_9_P$?V
z#Wdlfmvi!P8rIe>no^Xv>JqSGai|r?E+^XHp>xLaesqE0i;|4|05$<L*16wyuAIfh
z$bK*!a7i*)kKo3_BTC{n5aH*Rs|}Ir$2)u{knMT!*W+L+#QX3$xZoKx`;Fjjx8V8R
z=4FBR=H<s2pd2pq|LSJJVdFkUNA4B3xvBj5PWK&08gmMB;}tT(FWv8@<~(yOU3XgL
zd|rC;hfes!9+}RyLy5D)Jk)4^hC^k9He8NHEj;c8=jfo_*)i09J%d*sbFmfA0#Yu6
zKo^=Z>#L}vaE*4PwDbMTxlJ&$M2;1IzTLgi+_Xk3KxWlp_3eGNbEosigzWvMtgGpY
z8fcA%<RLFvebu$)Pw_b-u(_<c6thGeNkz0qp|Csu;~+VXs0VHH2(%(x=%xL=``ih%
zUg*?AExPa`FB;ktCp^nK*Pn}Ac$(IK?B)}3kgijO%MCG&urr8^L?)jJ^YEpJ_O8ym
zAx|~=d4x9{tDhc;bEZU{l}KZwN8Ugp*EC==eNOjvN8EFsNK^D?a-A-3=n3>92uajA
zDkH+N&4fQtpKFNZqhze?(CjdXDZLeFB?uE`{_TmhoryXzdwVa80J=xN5kH}4M8d7V
zV9iNal>Fu-Yu+~0>sfrGVF#6KAwT;?m0KWuXU)p#SALWQRg9G#(a`HT`veVl)YUa?
ziFwrMkda24RU#wd2YKbA)$J2&ggt&vsmQ(&#p8bq9O#-NPl<Pl&@@-~nzRxyc;@K{
zmJ`ai65en_4Jb|RUsgy#^YJN2JAC-R$U4uuYRCx@0p|OWA!+GH&%t`1I^3?8hkVjG
zz&89PI$&l$8iD880QPb5HKFyQI9>o%9Y4Q39>0^<wC$IO>_boJ5D95bp}^ginx$)#
zv)Dva2~pZ?p)CqsvFx}WI`lHpNQxub%)d(&zP?>C@+e*?=!?l3QT6GvKX-8HHali)
z!lvSthBW*jXVoNQ&P4^#>^c4%_AMhZkBJgH>U3dC;BMRI87g|9^g>w57BwCDjewaJ
zr3GdbaznTFcWg%)fw!iw%8sPK%(}%k@$v6gz)&40QTfnyDrlHINB<QP_=f*S%j#aV
zeM;5l*^I}3{?KXU9}V2yIbjuezS!a(=03+<w}$N-L5(oG;xNtTv}JVC3Zcv2kiiI&
z*WU2)_A0W~=Ll6F4jiPHx(ZNNMHPO-fH(|+OLCky3dW!w0rI|aKSAuu15QrFiebBf
z2;w-GSqZgY6T#3h#GU7y8PpajUw%OXPK1QpR*O)o8N$1y90nCTx2{MK%QWlj9r@7(
z-nP{8TS98OxXQ|<%=NHt=e~qNZNj*^;>|2**(Dw#JXJ_nhtGyuPAunvs99Br9_0Gx
z%&oT~K4(>8Kfd+9_ZlGu6U%M_<U_dk6cZwWH|s?4U&S6}f6>lk{?J*FS(^p(YZO_b
zqoX~)BN2AL&&VankAJu<C#azYH0<X9&Yng{c|Z!2$*eg9%2j`EJimn~#1FOYc7(@P
z(oW8|BHlR#bdPh1u=718t1_Ryz-F;2&7~vWu&-pIl*jqcZSd(SyYwqG3EJ<e`)G{=
zakbD&%$PgkPbiKrHFL>FgEVry()PKeOiPXQC4LEc{C*;Mq~EqETOH9ubJ(V9ey^t|
z#5%=!k2BW?*3sq_zM~pt)~y#zxRK2!7jJWsFL?*a{f&=%xFu<gdYwpCs~BADb{q{(
z^e!cVfrc-@I!r%}4y=H_9*PobWh7YA#_-)upu^WwdQAe)jM{L!`^NEpmJ+{>8Pd-z
z*4uaDqFBJu>_q%Ym7l*aslc2ASx6_%XHW3iyp?GBisMU&oqro)THc-~$b7=0SFaeJ
zbs4`7ADe_FC;lLCKVU^<Erf6BmqC<HKFJ7KSl{O)j0mMy1q4}8UfjYwh!3lI1z|TF
zBaQi#tjsgOU{3AjB$5OXIplnQntDJHT7z~)>7gj}qAXfy#I*M_=vJ-};LxloAr(oK
zOy7APj$=7gn5#gy?Q^o+oZ^mq8nt4b?3|yF++&6K?g#|wba?8+o5v0sY*H(34{L>a
zgkXafAyUnh=jwug|A^TObu>_OA2$0%sSi(t^o~CRI6JpIN#zNXe);F53XqH!yA9)<
z<X04n@k$fqaV7pY%mM*Mzl<J`?Ko(8R19}UEd_kH-n^92xOg;XnY9i0n4lf{Kx12+
z%IrIcZsisV7nSh?obc6y<+0*D#PWKh&nF^#iL;k8BA)3j7&+_BdY^2HZgOn<qO+r<
z@%1_8+*s7nPXfW=Qt>|G>s1_4*TM{4tHYaY0Hy)#M2B5|R(Qb+GN{6BB4OyQli|_Q
zBR0YbgHXd|`DrfGH&hnXYG7TtmlNicxb#K5RACb3!L2UH#PnT@TI{SW-zBkI28LbL
z^96c!$Ru}<MVC0?41P{saR~2FB_uVcUvDx!!}Ir}%wyGn**gV|6>G&r(XiJZTYLc_
zi2`9fgUJD%N0Su;+S3vAB?i)DBuKHZ<jnrVwA?owvh$Up6Z-l{=#kg)lDe@KPT+pb
z8wpoh^OisREXfI{crhMZwziE^8%yoh%}xi;W{m-0s!Jk-6&+>{x_V)Y1#=Sm#ckt9
z6i`gbtcH=UkgXTL#C6zLK%T0VGR0Oe6?$<ZHN`40nDs6Fc;O6(*_v{~laB(Ow8%gA
z;T{?3wUh%R4<Q7V(EuC3tOLi>wf+;hB;)nSht3YwiDgA$5C{=gyPl~4@CqCo{EHKB
ztPI@Y(alJMBmH+2IuyHi1e)sZc*xENYzuJ<`u(LaqoSd+Bem@*v_?Ob5HeIG;IBkH
zv;kCMA@~pyPAY|$>}Zd5<Ne0wWTxsA_M<RkBZb}KRc6mZH}k2VwgRr7Mel-@gaw$a
z>00XtR4P#>ix@-i>(Z01?MUQDy*0v86zCN3CnUE-?&1}xk-oCCrs|Dt2?m>cJSv6`
z=+WY1K7B`TDmpBgt@Z)K_pAWcCTie$?~lFuV%kz#wY;8va@)nkH_8dC6t(Z^Y~0_E
zHMZA~p-gz<-!S^xJSplj8V;lUk|il+n!w*_?d>S-2N<bPd#;jNBaX6y$_$?ZgbMu9
zMj|3&nhpz><)G|z#)$tG6-)P4R~SboD7=*(>OdPU@Ig|W>k~b`Vt~fv6FTgS-Tzw&
z1S7+%+Uk|RC&(*>DN~~*tr|DHHc4{I1T2zEg1Qkj!W%+dq7LnanV80p>seYfiKAZU
z+A3m2#))RrI|RMo(^;0-)MwpUB-g|tNAKg-!WA%Rj^G95Js(+tTyg(JwT5YxxAebo
z=i?u%D%jrYa9v2SG2Qv0yZoI0HNrS4P#}xu71-=fw9dl!4k-8n@N0T#l1q0Q1A}XG
zA1BM?G|CEt3UtHGehf-K#ko*8<NhkKqiMtaL~G7P>u#;jH?k+={huGd?38e0=LF-l
zi>v~Nj7y2EaNp}eYw<d^Q&!lz<PH7ZB?p324TVYpZ*3{oaq(zu`3?^SCG=4=z8CO6
zG5(^OZ${}v_N%u&+eVX5@sF8_7KzyQ*)t9}ENiLSUbPGrBDWQ83o=z?@9hfs5RNz*
zCmk>IHzQ2b=G7<f8Ouye;%<I!z+qf(zd{w0`#vk@;h~fwrR`Bmnun2`d`&G6>Ow_<
zV8YmD<tj3}_hf5yxIOdus>&oxW6i%0R7m|fVAx5d*NJt%t0ZSmhhv#_J{e|i?8R<m
zNGCNII_t~Csnc#SfLzTqdI}<Y^oY;)K1N%$29BWHeV5v;t{E*wZ)|W(0-Wne4RzpR
zXa}hJq+~~%d=DSZ;o|Cu<WDfmEakR~XY2arCrtlRj$v2^n8Qe!{-->>x88AY0yv?)
zXWIiMvsdO<NY>Fu^6w(0&QBP9N8f)7UcZ>nNuPGJyrWIkPf);ABNM!JAX^g|<7q@s
zNd#=Sh`o*l&3<<*_z-X`Vkt-RLN8TkoGYLxcYxxefy2s!q@5A5bs-@NaOo8wb$D6b
z|42}w7C9kJVEHsjD7Wup|FP5YI`TZAEWDnsz`S=YNyf}bt)RazQ?ke9^&(%olPv2S
zRRM(Ppf3w(td9{O(rkJC3;XkX+rO1P-EXSUE|zq&mOZ@I9)g@c|5z9XK|p$nteY3?
zwe`X(`C7RToeP5j@Gyhru8?`y`z&SYhaQ@#Hdpm=y&CoL=6_hazj40RgIaLg_bWl)
z$Fo!3Ih+XMCe}CqGi904Z&Je(hks*ww<V`t=E@v*PV%9LVBHXcx)dQ>QaOvcX>kVD
z-E@h`jdbXe_upqp&5VVeR6j~T83*p^Q4_|IU9WeMjAQPH!tU}MsDaIyhmj}-K{*e0
z-gUg%cCw7wFdh?@;vrI(zID+<R!7QX#psbf(X!_P4)+_IG??hs>yJ{RvIQ72`9Jd2
z<cDi(Ze%WA)hJ8<)gao1bi9+{J%^cfN&+>U;?UD&629^rxbv!tf5>`naBz1_AO`#@
z#4+3Lrc_fm*82?s@^gY>@*cl;!EtoO=J%4^Z)%1KWuj}Fine-Op5+-%w;l%^>(^Gi
zymt8tz8bv`*%^2W<vl-@T5J9_$;b5jUP9s?NI!<DY7|BO6of%`3Q}@E34JxhAUD7u
z%VcXHgp{)VarUx8sOOoU`7Gz!?qo64dOrHGzT*g6FvE28a!!~f>|*R&Z=Kmzxc2o;
zv;z&$5%rs4&u?lwGH;l)Fz9b`9PKgYqr_OOFAof6Ib4NIL_=|yZ}C*LypZTnw%i=r
zX2m~Tn8xI`2)bHnzv>qZtnBe@;-Q|NbDaoSJi8fueEe(fx0`I|;``0{BRa|B<?R49
zN{$B6U+|#a9pp2&ljyo#(KdIu4juj#LPFeKBC%RuZ@K@v*!8}3gjW1`gZkHp{ARtw
zLLb?!j9IgLqh!@Z-Z$JP{iy44vi<b&Igv{@GeJ;bQTTjWK|w)_uVOPHJTtO?+S(yx
zaL+Pc$+-XJtk~lC=d4bE`MBnB*Q$@0{&@ckh!!Xg=<h=W7NK9!z+Va<iEHCwaa)F5
z1wMX%uW_ICGX3+fHv%R$UCwvi8On=iS(3V&-in^*!6yb3qTeIDAdjKOpHc+&BUfhM
z>}g}e%BmJZmiJttC>slll$WmG$MneYC?`AI&FO?4OsF>W9sh3W<K1eSNQ4#Ie;*BT
zc7Oi))?kYSlXK0j#bL$fc60sKgOlobmK(F=<0K0#<^YH6n$_rV=|}1*7{;Z#WW?-c
zbjySh7zcu=%5>XwinM{=`ciz%4ItvBcP-Vm+KPW+(&uy4hC*ef;M7{e-ZlkX@S8Yn
zI?&8Sg0}?ZTKzskBNozdZ(N<P(GK1ubbsg$Q|2uH$uL?`Xqvw50aZwGwF9f|%7ZEA
zJ4EJ-?<C+&W#4ifRJWGr7H{6K3<P-XPo%7gIL=;}aOUOO%f>7o9en$%O)7-c7V-`1
zGsq(?H#~^mbVQxUFhs&$xf{uW7PM&CO+g>PjM8r`zhiO?&v?wsvb<+gADyynMvc8B
z{ArpSdjB!Cv(cR45WDc&=_7i&<n^ULI~V91l4>z<(=yS?m}`j%)-7W;-_0QXU<M6g
z(r2Z2<;2&I{hMWAv3{hTKKaqLV5lU=qHKMolOyDZzKzKivVOZx5!1BW#iz+>T*qXZ
z%jMtT&HVO|GC#Ktsu^LYPFOG$u5@g>5U9#ogLF{<Vu(`>MIt;ExQ#UkYy^V?{IzIf
z8x(VEF<NS>e__))3QnNd?9R;XP70s;hHzTyBqdCm-V$1PH35m>oNgEtSAA0~YDocw
z9lkNW5G)KAss4{*pOeO_Jj2QwS`3JI#j^+M|JFz{wMA>4(hdE2m(=uCijrIRt094d
zwpv=ii?td5l23=fH|kA89v%tqQ`ITCrTk>o4H>c~IuC|S9M_#>6-n#Nxd`F4w6Jz}
zo!jJAY>@ofD04=rBGZ|;YEq_+>?T@M1$qismU6*L@P8k@DJ?TYY@e_(CHyZ&#!b9s
zpqeZMio#5wK<5<I991{c73WW%+heHLKGA8Az<JG0QxkP5w<?w7fuxA_bl6rK4o*;z
zAKliQJ2NuMFcES0%`$YT`NQ4YhaOdvOZM3aIIga&D#V_FKWPW_^-R`>vAm*o@zOPc
z4zJjCF{r2SUs1b{LuuG+O7c|nA?!=uyxhR&v3ZX%{y(znYu<9WS<xYnT`)*CR8`kD
zf<iNY&HI$bLH5)13C+x~VitHe_?7*}1`UyuQ55b3GECG_`$a`Y(FaJ(@#46mdK(qK
z%lJby$Yk;C;6R_@PyTyUo=}~@ov$)cOrzFOeh40bjL2y)YJ8ld7qR%B>vn!^<5=k5
z)`mU^0ZIy5r-)s!I;ra&iYCvrDKd5ass5HCUb&6x@DEWs6bJOZFe_cd>z$KyR_<e|
zO~B>p@Y)rNiyb)XB?gdIeVRBIze#rW%Zt=3+=}M9y+j;Z=8UlY6E~RNAogA;yex1C
zAqo8R8=4mLJH8~Ebm>U&4Je{WuS@U?0|jGCi0Y{%W?U`7=0pDGlJg|4$;tL869C~E
z3Z~K@&(tzrzC4&a(CYe|9E<ShD@oM3w)|1ZN`zzcPu2jbeH<@Dxlfl7LBOdSSDM5Y
z%-)L~W*gR!=D5Gz4C|59uwwI43nFelTp6v*J*UObp@iWG(JC(&&*`XyBpFd_NwNcr
zjJ(e6oxR~sy@Jrcd95j$h5z=>W+p5KZ*6YeXg`)I%1XVNZhE(Eq~h_)Ya7ci9rNsp
zUss`^+=5LS)*!SxFwQMUcC!pmD|2L{6%BjZYy31_cr_7&jmSv2<ki&77ZtzT{uMhO
zW)%9GhTm@P;74*w-j|O`{}MR4y!|gTuIE4N)bKseo$F{GY_(`%M-9|Y!uDu;)1t?+
zY&}+eyBxP+b3yN%hAn$AC2^T-`Hel8_#8x=uKh~1;c#?Oa;dP@=^ZLvd=4Qx@$gQ-
zc6GE&=ya;gXJO-JE5+(H^e(JCs2eaTz~mqi&M3DWXal%(;;;$!Ozr0a-hAb`x>Y2v
zd66lXFaXJzZP#O27uRHWWmCwL#GLw!G-QJiw+GZ>QB*Fh7HeOX_9BQwrxzZz&ZI8=
z1d)@}lizb-M!H?^hWyox+$s&2H@Gnq>8KNe4%ld!J{)#q2#Um3u`2bRkd$nuP@3li
z=Ad;VjRzs#GB?-l$E?n0seLcxt~D{dmQuFA8Z%Um&v#FW?glmrh0dh{V%nw^v@$E)
zI~rU>{z=xz;L^ZnD`e|~1R!XAf0!s<Lb85XS-%g_$1ZoWZG#<lBL#jgx<lO+RTaA`
z>LqnxHe2o>_UdKctC(|NI?lNDmufy9Y&tM;sW-PF8|V2-Xbyf%wyZd<#zD)ob3>@y
z{&mD8@Aiu#NHrU0U0=)P9ZOQaUbE~7hA3t7Oii`Lx=-c1850?KtUgh?Majm5KjDi?
znL#roK9vq^a=is>#l?VNq{~3m1AuJW4pF4Mh#LV+woYl;*go`>__E%b+fJwU0o@=O
z_ts;`uG}QI2QNgB@TWW2%F*ka!X`e3MEU&_d+K04P90YvSu@@t#Vjm=zL1Kj`=`6?
zm_$8)5=1tX#^yic)&D@-vib>AMVZ0cTZ+BLg2TaqKdEM`UJ*Gc`m3`a79U0{lk@+{
z+9;@M@2?XI-KF9Zob}1|EkQRh?<5lP@h?Hwp%}PN6QIwDY53lv!+__tBKbA0I~&JC
z({dmJK5Su~SV$&_8z+YiP}Szd30aeGHNNzcXXWS~lF%WP+QV1b=BLx&nvGKnJ5<cm
z&hi6N1~?PfSM^CB@AG{*#S9y;D^=55nij$gsuQ}zSxbp;o&9jL#U(n*qFI7&1K(2)
zcx}$H2)`0HehbP`#6o1(1d%YPr=setD%0LKKU)u9lXlvPfb$qE%x3|7tN<2X*;*54
zc7t;-9zcEjjN(M95G_m;*dFV&?8kC^w|Z92C6Z^&yK(v<+wsOQ`RC$~D<Zc`uM%`&
zQq25FHFR#rGF_d4)u?x@VN=`+bUTvT75b0Cv<cFy`d-^-FkDI{WP8d-Cv<YVj1aa5
z^>Lh6paz4Sk?`i2U^%SsbVXhT&b<R(nF%Z;c-QxMOP`rlr0>yKa{dT3p9j>^Oa(fq
zn7J9|T>U836k-Y!h2Udwbj0UjK(vb%2?sP3k6wt<)LWGrzzQ5<US+Rem%=kw`tL7o
zYA|_UeoFB6W;Rv*%E<ZBw9!h%2Mr5vS?DmDtiPW@p{gWYi>;B-caU5EP12V4mSy>C
zx5_$&dMbr4`DN9#m~3h))+5~q^ST8N^b-}C4}V-gtdn<Rk+4}2|Cf{QG^ti9A2<HD
z?8C{DV37--bcrbz-|`EfqttK?-tP2{<_HgXU6R~^vKxzFD?k8^0>=aZN{}~~upC+~
z3c49sD3-{f!M{zh^qwCzphZvz5?0bKGCr-cm%PQI|FKQmBNsuV7mBN(_odyDtC@J1
z8}r^v&!=XYYgpBvfg|bbYmik0*#(O&r5V$qFw=QvqDt94hcEn^>~D5;@mX5yM;YSw
z*Xot#a1G$+-w_zm8(O6`I47CL?i%o1T#Co$Uh@PM3vN#c)@$Ruzx|igK;`g1D-~~_
z`3cu&0)Danx8KobqjY_c1Q*seMH#~(0~-O=<2W?2WhVDRWI5oKv7+mxF0U*;@<eUe
zZjXy~6-Pm7=0Ze=lIF$D5|m$D-zY8MrjVa2FdDJ^NH%0hM$FHeW>qZOLM(FjJEoov
z@;0^l-5DxO17~N;a!vW|qy@VJ#~|vd=QBWoePu(~Z_$v-nY00ZBAy)U`aAo>Qj@qg
zoH?2%);Ez@4g=dHm(7;j(mb%9<LvIMJ&5L8a7KRu8@~x5d|jQpSM|g}J}s(m>q(O8
zY~N8sj!@iF_)feUK44j|TTDwjAf%u0VLv8mBcl4lNQ5yWkcPy7R^Po0Vi4uO0*N_N
zO|70+Y9XXNgn|E^DE-13+&!x@4}P&ayZ~7@db_e<mY@dO39Jb*Lup(h%&4Z<213<O
z204e*25%g?s_(58^x23jE}_DWWSUZ#wicApnEDn=$HB4@k=IbduVl+bglY@3CGJ2B
zhfn3Nhe?vW9U@!E`kK?&(!YHkp~MYm7}fb6Ag-A)X8D=VF?<FO%)I)-m1dC%W)TT#
z6wdqgWKEj!FH;ud2k{B;Lhn5M7YX(6L|m$+a`*WXuZEQr72}BqgwH-d$T!fTEC>*j
zq~tLku4&NrN~y}nTJ&}A!cJSjFc>npTYLPPS;2!kkCnY0xwCDb)*Rqy1vIOr^DR;p
zWWv|BBQReVNRHaZW`37Z0?UtvPtEr5ofj}MuL43zDkB_fNpJ)~za|Izsmb=GWAgZW
zejYa(3>2Q9R*Ln*gF63MW^Od3r{=UH%M|q`eg{_~$JU4;aJdNBj60&i$9!11(XVSf
zh8d_^ksO~A_~h-t8&oy2G*4!))Kfs)fpjG;v9nQTKVd3y$Xprr)fH5@#(+YR3u2KF
z!BpxtpazqKGI>f55e04w?$qiq<}ORq=o5p>8oLTx#H^DA+i(LWRnpT7^4uR?iEm%=
z(l4y&v(3x`<XPw^yWrZ_)MN`d*Am!x|Lecd2e<skGp2fhGT~1Q0h@n+Q8ZOWO@%r+
H>!|+&({&su

literal 0
HcmV?d00001

diff --git a/website/static/img/workflow.png b/website/static/img/workflow.png
new file mode 100644
index 0000000000000000000000000000000000000000..e2d2f0b47bdce169d42e452e9349da6aa11e281f
GIT binary patch
literal 256756
zcmeFZWmJ{h8aBKHBosujr4%WpML-%s3F(jy=|;Ls0RbriC8R-0nnkCQ(kR{C-3{Np
z+<Tw1&-d&7`;PIhAvjnupZUyr=XG6k`AJI(<6XLY34uW1iHbazMIf+f5D0V*Y)p7Y
zElpnn{==~lQMN`PuGFJ`E_|lFLIh7@*@#NKz?#Fry-Yz?_ef+Hfw+edef~_|A!cRN
zT}@tZjPI=9Fnl?7>S_7d7mvr0cL*8KQu$M;Jkz5OA7FMD*AjVUXNgOHtnB@YiR`l?
zndr{#ZHW>|euD9Y?t;X#oAQq@UoGm*y%@BRBNM)T>Um5&-xhO6{~)_ME*Pt#gQLGJ
zXTL1Rdcd2#-}YgfKJw1<|9Oxks2X7L|IbtG_*680zW;ip*D*a4{hzmxyvKP-{_n>U
zlejb?!M`3dK3eZW|22lMFDLG`PyaJWk5*&?#lHthx>AQh`L8hu2yAcvzp4CRzbbR#
zLB=#JEXd?9e{XiEub<!I%GJNDW8vIJ=^sl;r<L<+vbV#2ZWGHiZ@%)^TXIZD;u2;w
zv;Q(L8R1D|-oMO99pB&|n^T@>qaiQwVaZ0>?T}DO#}$wNu|0Fr{{!>f|F1Qci^{)x
zH97Ia)2<Vrl>0V5_XdB{MbuT<DgR}V=4kP5M-SuNj*QaHxqSFWE~yo9j^lk__>T3*
zu#@bX{%g*^@Y3`12@E=7ew>{iZ~nj{OVAxRr*k{FbVf}qO@lzbI*jA-7(cRI|D*)>
zurOE4^Isn{zvsNS@{FG!;o|CQ`Q{_vZw2lP@fwalofj|N<iXe}y;zz;)Fn8VsmgU$
zES)ILpD10pFm!a}L_tlRoSrVi9UdNz=`C=dqc41Ec{wB`<n6|W1+$&Ez=dpu%bq{F
zsCHGyy8~0Jn$k0yfBxhb5)z8;Uw+9~tcXjJT{RZG=eCZEiC$S%)v$hxm6bI;H`hlY
z^G0w(Q<ML=;!wqEPEKkn=H%pLsLtvy_8wN||Aq=1^ux_2GRw&ozI?WCcR3i@?!D=~
zkriWq!+z|-$q~_OHum<oPsdB&#@vq0zNV(yDLLP`apN|x%hQ_-YQCuXQ&K)l>%Pyx
zaOLpu(D%a!0SAYta0jX*Lc-(MigJ^Z$m!Hduj1k1vD@OBrJ$zjvTkf_eD%f+@9p_c
z|8bVe%F2(Sp=im!umgqAV<mmctmo~NhSk+wT)4Nkwm7+PmnhVxKL2AW3z)yNRoQ9I
zTLYNfS=#g`_A|eK9_QrxRvhv1qlcH57h7&gQWDxVDscqD<?L`CKK3z2v&xB8R#rBl
ze|dArBv-5b3#%DvU0_mGqi;Gbr}Z2z;vNHo<d*BR$mRpsbN&?B3kWM~Yp$<mNjU*5
z|Jq?D#dZnN=J8y%_Q>lr*CjM{HMO<L#i_21xu3g6&rl%J<sX@jloA*h-Ob3z$o}#|
z^f@~zJ3IT}w18Cs%MjJlhn!=K*=S9Yx_~xDi~c1uY3|*egWh@XeS$(eE<&VOe(qdT
z$CYlQ=qvJ~YYz-p_d2dDmcx_66#5b5hO2fvj+3tW`0FBU+EYYjN@0qV8%GY)ZldE&
zMEmyAGdaUH2_HH!{|?O@5{U?>v7y5Ana&zCbxL7nP0iqg1BadEe*8<`Xs1WJo(h>S
zUNjVqPt#n#L_tM`h7b@GY^Z8pS#4F6k-0y(-ab4`WMpI{Nl8fi=+VcB2p<m*#Nf==
zl%GFE44>SMo_(^qs=C<5gY*0M@2j_O8}1*?%;*j}-wH}gNf8Yq!o`GPo5!L$>L12L
z47W<=NSavb%(O+aQ`6H+6!ga_WPYxvDU1#YxgUNR7x#Mnh5MM3YBg@BSINj2j{|0A
zX81FEKWtvIot>ExIePfy$#s6Ycf&_<)>c*&u4b-PRnFUcd&R09Us#xxc;(){eJi=1
z@~GaN>2|%FZ*cIfPOjsQhu1GfpJKjEO);X6AMUFr+k3KKRX?`<`?mrA0=pKDT&t_Y
z>MD|kU9x>O;$gp?iprOP+~($HZRfGEF*fHzl^U_WRh-kXurN=!v3xSR<L^ghW^03l
z+Q=26WrMmSXYZ>0#?Sjv<>AYAe*LS$k~*SxI6?7Yno`HI(>FfFWC=DmbADareOKC5
zk;iPMh9xXYLOE7Sc2xUDuQS%DG=K#!B7eRDIpC6a*TeuryFAw!OL%~djU>JHeN~gR
zRY49?@cy4z{EnQv`cUA!smc1Pi_h3wj{QR&{fz~?fN!(KHzIWUmc%!$^MdcbSiWhm
z{row7nlz$h58-5kRsPW9{0Z8NaRiY)Ld#ut!mnBX$(gY&9^wVo`tv)aq(Q%b%hoqE
zXf1Rlre|k+|9I{3%ka6aEi3qALieJyw6sTMC3k)d4+jTFB&Y48PcKuHiW3qLetv#G
zTUrFn&2#FM#WmeeSrM;0VmR6x8A<}Q!DV-xc+k+$U;qR{Pfw5OZs5<(PGPVk<UU1D
zqC#e3_hMI97oti7Klv980|%F0%XJ7U+T+!(*f=-@x$T{uScvP_uZx5$j8@n)B3^IJ
zG&3|D9!v*6U}VIvuv--{HO-pQKq8Tpww$d|%x~75?)zoIY*ke+S7`*FoVd80pYDfl
zsu!EydH3$!)oa&0hlW(ZFMIm?{h7gTH)Aw%eSW;Yx=v#FvR3HDi)Yyi4<K}zo11G_
z%B4x(Xqtv#=o1lf3-05|T|6qu7~dbBSYk`kk3NgMeEBXqn&>eL3$yK#JcK>bxChJm
zx!KtbJsEO|zYM>uDhe}0G=IR#dc(L#g-}pl{`%h9sDB_4J148%=H_OXaS;r&v9W>Z
zI<l9PG#L*L@45Vwk1^X3lbf5H$#UwsuD*U!dAW*9|B9%Xn4q?H(o;zUL@k25cR$qD
z3N%-ki{`9uPB;0_?>g}u?Ji?Mv@9ri96-!LhyWk-g$><QFIZ`%S1ktjc{vot{)QCZ
z=93~8k(8Kt0fJH_JX2d+`!PN~xU}?XepPxp4ep)C_2zA!SorTH)53NFH^gz?<C8HM
zN#*wIEcIlBR$I)vrZW5-dG`46<F-3@?wHB;i<QmlpX`!E)R49ej8d(Zq`AACR#D7-
zFYM&x`pU4L7%<AfgH?6w4V$~&!6ykG%lEFKR`4s<f;~ui{PLgp#4*>>nbcJumFQ<O
z?`uvc5MOqbBH>zr6pSb;T8IyQ>KX4|gcM9-m~%Sh-TWm?7Uk;mu+3-8!*SRuGNSE0
z$LptU=tujk`*M4%X$>RB)d!2&bJk>{HFtT-dezQ*<A>=P5c;i}!Z&Z;{Bj}EmNWM2
z$b7uJxx%B*bFetRO*WjdcRb4S^19aY%gZ^DvKdckKfkngbS(SY0qZhYoP{$>H*Be(
zt{$tLtq{$6H?W=Ke&5cHjn96eUh7R3gtc1C4hOQ5{Q^Q%)z;QlAEBQjYgBwzl&g}>
zhJ}GqN}ML0W|3{H+GjbGDOD=0*r*oN#Ro|}bb4`dQ6Dk)^(%#Fh1EVyK)$W2fN8j`
zu#nJ~&o5KTa&mG83#|6x!t{Ibwj_508*%wv6ug(Sb#4Z6ZL763+#^N?CFbOG5MRAI
zAzvks)i*u2#AWbCd}hjg^;j!7d7aWKzi96cQ*`cbe6mh0GD#tm((H3YL~FHYA8}xn
z+DR>s>b@S_=s-j*tAO(IfY)^2?&ay8k$u%Nw>)nB(>Qm?nrzG!TfB1p)}!>B<%|3`
z!rw5O{3?nk<@IK-;p}T9kTLiYa(I!K$E793gn?D#hd^Dm-G{#u^cS6jZ`U(<EzFxa
z$*p1q62F)5(IhDUy4=dURg1G-cMyN;x8=m^JB?#pS9%q>^GYn~KDgn0a&g^lRg%}Z
zGd8&y{#n$${}utkTc{3(+s2GKa?~qcKaRS3>lPLtA767>Z>FMPhCDe7OLs@F#7y|(
z8`!PHD(*O~vftz%K|Oe%oxOifMT;$L*D9}X%z2%MSwrm6=SyM{4BpMUgb_~z0s^i_
z2xEAlV_iXbJoOh<O3jCQp|`hJDev{$R!bNJVq#)pq5N-l2sda5@o2X8$<u-E-^{m;
zs99NGS#h(m-F%rsNEIe(<uX<8$7YMoBAh*Z2?yt`Q1aVfhSwwBKe>(j)cvfo9hYBg
zuh0APE#k&w2rB3Zg&Z{_xu&hz)(Z$S*Bt`H>-mmYgoi<#V`FMIWL2Nlr(2UgWG#&e
zvKbpk%ei7LPnxV0NW0k9V`$YJ`BVhf9F104Cg>)W9T!s~D9oVT@|zz2O)2L2?w#q>
zt;U9O#?zCN`s(Xr*3ZPn1HO_@Izq$=ofdqLdjZkY*H=uV@k36Ehw_lFEvV>3W2WU;
zT)oq_q<*=e^U5Ic<(-w_!)IfWY{uB{Gn~*3RnYcUPsax-ay6Ry0@BvW2Jh#~9uL_h
zwCKAy@2|Wq{aCTl#Y1{~eODMEas0`gSBX;j=B{|1URHA^e}T{uU(8?Se-Cq?*=XP`
zGTX`;RpID6+;`{H=EKV#EVWQc#RUlZv{)XmmL$8MpDhd`smpDb->;2Upd;Lb?N2_a
zZqnww%wb6;aueRa;?F`sfpOu&g{guhEiJ7`CM`7h{74ezp=7M_5zntr59LfdGUOj&
zT)Zes=wx-Yw`#H<<KyF_o6!yx>ZkDVmhkNK^zSuiyNtv<PS+tZP5sVnCzx`EtDAM;
z)U5D1?a)B3Wzwp}xE&~T{l<;^aJ`0x28h?bK|w;s#*ZG+(h?97k~63}uUG9C({vbh
zr#{Q=7Ylc6@920hn_+4fFKLoZvJG)mAVa<-oCjq9%*$S1J{Gb@iL)KssBqe?MCux~
zeED)WhQk{3cyCqE%q+WmT3K2eff&fw!3rYfd89hml_(f`9=<H+?(Pl~NgFDpqOhJ>
zy0P|4Mq4ANGJ$@KL$P$rt<Y<CTRS7A(*x=CwJPuA8>PYir6OU5O%-)@yg;D`6(>1e
z__YU@gaYqUs@7ELmBhN{tb{CI7Nd8K&sZ+aA^c>r^~fT1vS4Q5<Q^*<k6paP;9~V!
z<l1r&tK*H(I}rwV8FY?Ay4jqs#--PI?bJ>WY@aHNl4sg?l9rkz5K-ZhVT=YKqV2Nw
zd7r#-Knpe-@?WV-v&h)Igjum$TghKEqjKL-Wn)xX&A9U27?1PosaVgC8wt7Hu9it>
zgnetgAKtBZd^onaVz=zg-+30fIPcfg=+vr_=CGu`IbK^G1M}NhoRph#y}Vn=ODiIN
z&@yO~aA}<+U0^YT69z>~c&N;+b#RXkm*l>)nb=Wl+&<LIy!&f|=w+K)+S;-kJEspe
z;fHxMP;KRKEz7}W`-gD^;iqRNC1P=b?rr!*iw4WbVZ+BZn(e_N!>$<PaV8&E5{(bD
zl=tIphtagS(Rq%iCqfrPtz&uqYGrM<^CL!RGdTn4HNz)*gYEsB7&Of5i>J02D#$2*
z?Y6bI<0T6Pz7t5yQx&>^Y<CMIsXC`X%*@S^Q&PSd@st*+h5Ex~;|CVQx_ZBg0Qpa+
zH^K=<;U8z|VxdX$djI}q3)H<6Q3i3(Y;B7i=<eM^fUPr7MiO4T7ES+P<&>uW5yc6r
zI#bBZH|Qj-Z)}_jlj41=k{#Y=VNKcL>x)hE`DNv9pQ>+Q;0sq*o&cfbQsKBv6_z=w
zu;z@@+tG6B>Z|f(it_UJn3-ilb>%X9u`gft)X23j=TU5t-Hy3aQT$t>li%7aDzcA7
zrXrNr^~lE1xx?+;e$O>EXTJQUv`S|<1PaFJn8Ht4o7ZxqnOv?4^q}j7g~_q4g;Mxq
zMBL3yn9(J9DcLvK{U9xm#jT+3>!?ojp7!<+lk+;a)XB$3Cy71>gPdBA3O8YcX%5!t
z<}Q9C8N=`TG~u#Crs*e2-C7Kp<q|5}j5c*X8D>8}oBd!qC6=BxQGqPL;ro8}`<sAf
zm8NW<&8kCmb#b4X`=E8wSt!LIHo`B=RZr(e<&$<Y>#;FUuq^GQoaE-fn(w^^?I9hc
zWPd>$VrOG(8~b)mXFAl<YRYCMYCorJL$_7sv`q;k#m0uHL~W{>j-O?zGs(%OW-UGG
z(_gI(8FEkDnkkAWIo?^q8P~GE*XB+U*Avk6@$7e$?C^(HW|Q5bl!bS$Jv1sM1LnhX
zBZ1ng4de3DJ5p4e<%aDJ+yqpop0CPo)8}q)5_?@GdsF}1>-+fdS*OV|a{pdt9<H$D
z$>m#&>>rw3xv_rOFOWo9$JdP3zY#lrpTidv8m8{|GNraLkSO1BT1Z}AequSdrcw1x
zl{ZxA+(!$^1+5>8sRM;P>+7HE>gnCTfB#2{iHWf>6V$0-5~hO%7oR<QHYHvIc9wSS
z6U0%PhYyX4V?O%Q(a`YQ*gSbDCf1;*R##j5n(4MQG>R~+<zRn!V@9uWV*j#?oSY}b
zH8cdN;|xLCT9b-Nqgsaiht(1xSy{rqEah&~GG(NGVtM&p&e$t=1BF7lttdHODJu3)
zHt!LAMy?C18f6+JaMZ4>e)#Z#A@=LahZs~GD$ChRD3tu#jvpFNX}Aim_Ow)&(}o32
z_uAu-b(e==V|FKM=)W%qbJ6KUwO#NaKp(AFc4}XZcg)!Qpu6{l*tuD>?CDhCF*pZ1
zZRg{-!ck$<ATH$kbkzG+2e75d=cg(9I(fQ-nnBkUV#8e4Mv=nE{=ogC2WLf8goDgs
zAG0>CBil^zkB!~D%p=U)TR7ZuF2J=1lkCcC53c@IsXj2Q?_$ffcHJWla9q;6UH#}Y
z#e_$ya&*JzUZs3TtlF^gdVJgLVRmD9hq#CX$@|=w4HOR$*A*3}oBP>xCW%zP1peA8
zZwWI936b-~!O7KuH%2eJrB`^!<Y#W0I^Fz0n@QO$I_XrWm=amUDYthNv_eE~a2ppB
znsq6))XvUM{QUfU*fMZ+J4YiCe0+RF|K1i-UQ?5i0e{IiKAsF(71%@du~x|eLG$Ux
zKvd$_6WL!Ko|h+q?PfdXxdeUs#Of-&pV)wp>;SE#Qe!WS3ssETrEaU-pW*cn=~l~4
z`WbW$42Ii&+9;SbansOX!|TQFwRLp_w{I_OIB7MDI5%r220;#k6p7k!OG`@;5s{B0
zxmVq-8w2j3BcOA}vHdgeFS0bW`y<NhgNv86TxKDK)&2V27*seD8#aue2QW~dvA@B0
z<+HOh#Fy{~MN}iIFJ8QeE~2h{6VzDO-k#k)WP+bl+1bOY&W_Up-SsfBiGLME2^j~y
z=<mSW3-71q(`qXxaeA_10)5stKYkjA47L2ol-nj4%UGe~y<^?A1Gd>AO-u6u+S9qm
z+6hFw{;pT&@T3wB4l^Px47OR06z0RlLc=T*?fuM7b=+u#a4YvD1T_!n_j*qj@~R<g
zO{6TI*{%0;{?e;jpZ0xge$aFxy?F%fe7!Zqxrwsu_VX8ERcBUTx3YGyQYtX*R^Np4
z%W0|vsn>c|Pq{|3bH8Pu8}a{PUd1%o@yx-fobQayBui-zOr7bCLv5<$q>7eff6n8-
zk<##%Z<0FAs>2k>2Sxi>g@<%i1>d?IEW7Q}S`^~AFR!*1J1dn<4eroIQzWJY#0Y$P
zCF&lZ&+CjIC(&u8wBFDf=)lHv8G;dIlje~{nuPW*8Po87dz<mA9LZAgyi8Hz19@7W
zGY*g$I^y~8i^>l_H_}POao>Sz)~RZ2?$+VMhY#UhO64|2$lV1SP6!=s(d_up^cCoV
z=WdKxcQ(f%$4auHV9u@F`XINT2h+<kTb`Bk=7b@G^L27hJ7}Ihy^Y8-A4Pqf`7Jrc
zBX7Iey%}ptNvPh_dyQSTnyCR5P%6;%liSzHF48%J<{llP;kx@OdSH8N>r0hJiYy9E
zgp!<1$AsxNKu=hoUs8$=sZg^6uDBXhRkW~Ri1-e5G^O9Y#4BOV6l?p`pVafUy}z1*
z4f*fKV|W0D*wSa>NG8RzEAPK#w;LNK#?;r}|A2+%T8G8%sUa=&+%c@qd!`79^@81}
zdiwfPCx_c+oXE#iRG9qTPn8LeWFf>c+rFZAjL$GBGY@xQRX=N3EC@fQYsnwEWl^5X
zb;ithy&^dN$B!`EgJstT4N<mr@>QEhSqb_E$;x+E`YuC+F%4SJJp85qMy!>RyUF>K
z;9{rObWZQ^O2=HGWGb&su#c{L9aKJb&irH;HG5?aE8TTz#2wegV^(N8e68o)viDtG
z=6_ukbvFwjre+|xjJP<?arUEG!<}{hH)D{&N4pn&%s%N@FT*Wv?6sH%{$oov*0Nqr
zT(3F+G3q;$8a}@;6ND~Ifm8Q+J54m4)|K6zPr-ETt&AX+Aj_P&SCEyt9+hw^#?eGd
z&B+}|jsps6LDYR_q4jyQt%R0kePl}vBB5TcPP_Hrno@Os1>hjQghnu$4>4$*n>vN-
zX7tf(YN-DHbG0U(ccRI{h>r}Tcc-QU^Ozq{_S*@KUuC5xCr5)o1Up}9F^PtPRo=hH
zgbFuOoT~Et?3k_JbRh2n6vbicZm&{gCr|gsn*dc|hI-tvNClUK^ZLb$7k{?43i9)N
zL}FOgL+Apu{YREEGS6aCAWOaCCN$R;*4Bc8g6Lb@+cGLDmlBLHlQ+ap29XBSpA|Kp
z0a9yhV!~{*APudMKyJTa@~?qd5<^ERmF$~?gM%<J8hZK{;^Me>@7@K-MeA`?9(4N6
zvWWsy`GtkoQN6n}bOYcYq0`xZERP=(0-S=#S#@9h79LPWnXTZzKjti@W^M;P;ooqY
zY({;7Uh9`Yt=*+wK*5@7y)SPzQ^)(-F6=sibAX2-_(epp0WL$qt0=f%0dTP*6*GG_
za|MNNvc$GH9wH454G}3R)MuGp4lJNI{Q-4mR8-Vd8@E=j93vwm08#e=anflDg4qY$
zj>x3b0Vpk`hnBn5in+9<*WMi9In=$u(v_~{b;a)$&YfD+|Jo;fCKmrTd}C|ton+b{
ztm&+_LPlLZkY060QO_{L%L@Z)3FvW>zkbEAo@+C*)GYP}DD>dy=;hv_?R(@pi>*Yz
z#Jd6>9=1NB;K0vkWb4;<Bl4yf@DHXA?nEqIf<n=G#A$9ez?oZj|CY<oesrVxnTQMY
z-@+M8IF0IGM?apfI`c)PbqWJ(7T)ZLW#ZJOK&aa6BHZYCC}YhYMV!Pu(awuRRP;Dp
z1W<f%C-=LC`>3zeIMryyX6Ky>W{B(WxQ`!nStA-tGgYcq=$d@~;1K2IugO?(Ta$+M
zg6qWi#0*$4kJBkvxe3@hCaXW@Sdk?>?^vq&5O07PEOeHr^YiD!PxR-KW4xlFU5`0%
z_)kih>b9VCbCGdV6Bkg?Sl(=Mo3czWitnUvjVmNF5#GlOK>|atxi|a<LW-PtzzZRv
zsjB_4FbavJ<YXCW>442h{$<Gi>ox!x0NsIgKNDYp@CTdzTv(Xv^s+sKL*l0v2ml#s
zp{1mznuDU^wWz2l^qb*rZJS$LwFdF7@8{#3B~7`Y6;LfUeG7;^K;#t8sx6~oFH_zD
zVp~(gS5Q#!F*1^-4{0^~axm(nfUIS$7f$Fjv<_g?Y)$Hca#u-60(*Mo4WE2bXcw`v
zYa>yQ4-eP3b~QHsCT9s<Gin+T`oTmadh$&NA2-vnCjasUhzk7E^8MWJ6fpuA0h;Gr
z7!k!Ry-W$EKob)aV>a%gad33J4~WRx+M2_3Abb71hyzvju>(*n8@sy=(9y%(uv26o
zcHAs<!CcM1<*8RCz!R=Bb~mTe8V3glT()kg$Ry;;mrE(Ket=VIpB!vr<Kcbo8CF>L
zVKu0Uz*cj_RH40p{{r+@wI6QKQtT@zDGf|f6g&uDPwLXp)uo7YTFS69k_rMVe)Z~x
ztehMHU}Ia`3n+XexYm>{nk(tP)|X-?+kscZ!7+{TEOuf+y;(8z(KFV1m?;y_PbpoL
zR6Ik&Y-u=@eE^i#%f$oBWk|z8Y&OnleZu-j3ve3h`e1g+E@dPY{nbJ1oC)7grD6kh
zA0%A_X3-i^nVz6$pLqlY%{eoly!dO@{t_#?_1-}@!ysFpzUkkD?G1D3nlTyEa5=Ba
zaGm`@v@f9_uB{V$QQ`+#Ee#fv*8CH^)xBx?{4XKT+scTBSyPGpkStW$7mw5Pt<Ii^
zzQaQZ+{_K5L$6?^6aq~FBD}H)FW1dwbswFv&F!kmttah`YP-*_KzP6ZaDAEs`#$g3
zZRdXJ14ldp1D2LS2<*z4x%4czR+5E&l{ZKhndM$-eN6Dsy{RMg<>tuZzML6h5nqqG
z$8jaa;PR+GFQcgJ-eT{yAH2pR&izaQcR2@AbLonT-=sGOZn#1_g=T+ZkC*C=-^f^_
z@i}JsS2EGjE`I%K*wbk*(^vBHuXh%HnT7Vi8_Ui0r6u=^PWhV2!utl=5T<?rHFT|V
zk`I#Q0jz+%u@Ef!08{I5FZ_*w`0DgnB07cN6K9ADqeV_cfGP+i2)lcwW3})quIfd8
zWB*+=ozGb^VqV$Q$vSaRhFPg8ORww}@yGcWgk;r}1EVq@=TWbgu}OU3$+#0-V&!jn
zL>=akwKbzGAIDAGVY~y4*u%HHN>6mOE83<Ci_ZseHplypU#U=$$CkNmW?@l^Hu^^p
z<s-k!iaTAxX}vi4gRQwGXMnxOF-PF-c>CyPMOpNW13MC}COJAbb3uQ9tCbOu$zlgb
zMYvxv2#tgYsu2!sXS%(%<DHF%gBU@(S&xNT@YzYyLn-b7zVLw3rI5n10Yk6<+7eIK
z+`yO0OFlSN5?J5rF(%^HI|MX$=ozXxb9w3tnMeCcx?M-}Pk$Qeo^E4YiOUKbwcY`q
zX~B-<hu5Shgg)9o?TU<WK6_>sbgh?y6-4(GD;>%ROptaQYT-Sv1dsL`D*VanKD2XD
zurSl(h?cd*kVjK0RFvN$3;doEPZSa*ryI6{@fAmGImPD9PWAnM`SUryTsNHWZ)!9`
zh}YeAZ{pS@HP%ah@Gp=1@BzgdCVl&M2@18YMH`ZGMiK&o(bAkujM=XQzcKWH{c8Jp
zf(Av9irTz0);EgyKq=mP$|}|XxX|Ye|NeO%em0v}rN>L#sbNtrSw<<uC96u8IV5Z4
ztjGCsAr^oqy?ByP;%JBY1h(L1)hOL$;`=fW>lKu2uRz)LY!Bce@iDPL#k~1rB)z1x
z-Q3?DoATDaoli{(*U`?BAGPK%9ckx7j-fd-iMu>#VM4**Z_PG^6qVq<`1~rJ+p#Zo
z1XVXfk?j?<Rh<*g23RxI&Gty&>=)<H#}eNFK0qIxMVFJ+C`PvS{D?(nDxaw8%}>Xg
z$Ttn{ZB-l5gO8pWRbPZZm%pZ`(?aP{2Xqk>4<A2$(nT7O6A;LVsVm~N=mwIpt(_`_
zj-U)-1T1<ED}%B*1Nxfjji_zNm&&5D-9t6*W!n2O((bCarx{LLlK>-|f^ZS-iaE|0
za!xCRh_u?j+AQ8>c7vLW`<W4ke-S_}(5(y@v7E$}zxk?L(*etIwVIjC^1l6KqBA$s
z*mCgHSW;gn9-?h$+w|2jUf^$oc^L9joRxWovKZ8>%;LR}yLXGDR*!Qp@9k%P>i*pL
zR|-w%u<|RK`$^d|gWdcz!AP^ov&kgHec^Voi!ymsgR(>6x9(62`q3r}k@ISBqIXa0
zHvPAzpQ<=xDtqgN4u<Rze(x6?mp+#LPUqH4LS0~Uc5>Kp<*l!;Ie-5va1HR_&G~@Q
zP#y5#(n8$KT~i^kPBR|geuImwMXwx)jVgi*>7;3)M4*Y<v<GN0)pW$Why@Mh3ed3E
zZ;|NP87QDhAlHO&ZLURNoWja-7aK9&d_Us7so`E<{e>)~_!zsIr{CjV=Na}6v4>Ie
z`vHn)s?%D0Qlho?9mCFfPgY2|UC%`j-%+GI?V%6U6RH*K+Xn+mZ%i|vJ`^R_1pE?U
zg)bx}IQCbpILe47?#JdI?pHN2HLCx)%HD&te2R+a1;H6buB?38o%;rx4Vy?Bo>xBg
z&DD`a6O=)nkS=KQUZzTwIs497ugCFFn3?ifsi-}+1I9Pv?mw8+`rLX`dG_!4`B5wy
z5{>SS_;|{A_w<U__Kvc`?|0Vy@1F_->ub2PW=o`TdZ0qg*AqpoHdtJHBK&enGrlTK
zB3$MMVUWMRxCc462Df?H_*WkFlsBk&xG-lmN=cJ;Ts{r`EJWNXraKgA5OS4RTmvGr
zE|`W%0@gNb(f3tPSuw>cxH0+s;AOxu#MEeA6YJ30wUD;EBfwEd;}4x#pb!~0vaH7Z
z^K}N(0OJ0s$ZQ^1KvRJK_v%ov3)Qj-ci3*x*Ae(*iZ}R1E2(ieMMes2>Lic@5siBF
z{OpydhIy@Kqg*x~x^~l>)_B-%tJZ0`?pvPZ&2C|>B@rCrSy)bcC8DHbtX&dTxwYFY
z1KGDykA>{YHvbUfNzwj#R&93(-X>GTHw6+?iB4n>mlL^Z2u`f81~Ik->x7&=@If+o
zS21{}NGbBLkst-mDAwvqvrCD&#2!)hdtn`vUbi+8CtCKmRkiou-<V2WH9Y9-bdY5s
zg&=ujJ%4?*iphM2DS&9vJL*Sr!*a=uhzI9g%-3HjB*II1kcpecf9?)m4Bbn`(5NWM
z8DmGW9X8fwYlNTpyJd6tao2o$%Vs61Q%TF4&~rO46^Pc;Ia*x5RLw;zO00aBxeE_c
zKZU4xk<DNmAnyZA^BUZrcZ)`6mQL;!nbyi|fCa`>Z;+)C7H)g?n0<-4emmX;fr6$?
z$MFF)w^==~lW@b6+im<o*=-gsR7Bl{tZC;>?g)*}H_Cv`jkFB*8QmPd!*>Ue*@EM&
zKi6!eCd=bE1KOtG)SP3xm^KjqPtFM8LA7>UWpWfvje$F%E;-zeH+ABi1{XQWRFC6y
zaRv;!ksHwHjc!31!2F}1;G}Al;2HsWhb$_+(6X(6hm>O4a>;Kf`yq2Aa6Dkk5i8?3
z2z&<h^}MQ!ll^B;OEUNIP!}6j%W1`+?E18FExfqxXdcJKIp<mE$2%*1Vrq?6S_{|}
zqLEtP#s*;CCiY|vX+BbZesRztF!6~5LJTcN!9Q*(w_Jy(Tu(`fmhsjvxPAmDhjsOb
z(AQOAfREv@(^Tgccg~L9v1!HHe3wuBHZS(#i}9(6W=_#s6EMFK)-JqX(`%+BDO}!P
zCm`oqmdV~%9)i!JUcn!ozOP(eSOpEYkK<co7pH^kdoJ#MbIRC2kVU!0Wsf0QxbzA8
zW?sDpMj?OP`{)|!&Wm2DTdP6iOt0R!L_fX;<ORq#uAmr&fY=RU@w?2}Fpoh_uW74Q
z)#C2nzXR+~*?0|}{M7~}%e}bQ;M#`k_#Ts)vK9R=c&_>azB9O8W)dgluoW%2Dz^xw
z+<U!WIauQ_O>VW-r?l1#RAD_seSRr_aSFGEy0&q0YF5Zc^o5wa>Qmvz$6HPdL@2bo
z+>xeD-`Z!zB{nJw2Z56G`Of_*l6-yDj+Et<;(B5#^3`?9LrM$2n!tFITq{=sh&XT|
zkQ9nas;I<QVV%D*2#FN8hMs9-)R-=c<xbK360?bIs?whKAinnMyC}APch?n+pq?|a
z(2vXAnbZJ-cLkKG+O0R4HOz*Vd;USil};*Wvduzy?#>RG=Ui#EQg&{YK9MNW&HV|T
zT4Nyb`*bX{$#t`1pC-LmY59OVtnk^P0V*z5Fq0iTf6wc{;Q<x-^Sz<I9X!@Df@&%7
zw~2S(xLimpZ`GVWQjg7a4pwEdnvkZ8dz{-oEb&J^L4N7-WgzXQwszs+uv*m5q}TH4
zruw)tXc-U)z*NmtidmUaY##`W0K0~U#B4~x#LLGAr8ZeTU0wpDv%ab60Xut%`Y^<v
zrkvqB|Hxx|%7$n~k%o;J6{3&b-|XuT+uBq;VDS{@%5p}n367}Zavq%lN8K-FKve9)
zf;$Y2#=8QAFAP(B9Ldj_S}hqz(Tb_!QNLX#8Isb|u`l0Z@RCe3=`L8kQP)n+%S-C$
z=om|aN$^V|_kYyCB&~F3^F_IP;!;!;6yHtRG!>C#phiqTwZQz3F87y&K%(@-&s_V-
z<M_JQXS=r+%f`(cYTQqAB|ikf{+m<9{7V7oS?09+Z6#vRw6UhWO4`1NZz=a1g{H0I
z@pMvI$*76y1A2Nq5RC!2HpT2MfD$I6){L8*7@mZGfS`aRFw_c^K?skoE@@DHMVF(a
zqpxbb8FUj8!UR=fqBIRkpaNuUzM0k=fyB7)-}!;;8W<4+G;(Tsy1@yhQvrP%N~fcT
z0-W!Hid#fnys*q(to?I)b92au=Iht@a4`juu504B;kK=#K6)Ij%mw}Id)Tghxte_W
z*(d>8F$T;MW*{OahUB2$=Y}2xr6gl^a&{J56Hb>>8hhn%mZf9!BnMIN#&jEZ>a@Oz
ztA?6|fPi%p_djasB%+_6X%#nqJ_t@oO>LYT@w-OdMel-}GxZ3u{B`=(bysB%zU+hO
zcH5FMCtBXK104q^r(&b5SFc_{@9GUY0O&={%;-Tw1Qp>XfLVemvLKR71o;$fs;|F)
z9q_yj%hS`-K(GA&R8hX2eCNavDMR<d=~dq+B;2d7uTLm0zWM0$OYU1YZ(<@sol+%Z
zQF<UtBbED!$^dl%<=dAGm=%yW@E2f0+yJVgfE~~}2_^ri_q)dIu<?43*Fv6+gX0e1
zR??Zh|5Y;)fD*IHd0%^4=-7E|D09CpiUr}JsNr~#Dhvnk{YVyrE0-=^0!$3W1C5NR
z<&%2;@BrZuKv<%<pqYB{7Yj6P5wN_xi~^|u(|ax?R69OS2B4jYghWH4pbv#vk-UTi
z9+kM^kfx$<epZ&aOZc~M-<V)t0EzsidqUAiq@<+U0UZIEDPRkL{J}NyNy*8rNdKiu
zXTOR};;O#GacvyG5?Ae1!inK0Zo>otG$}(G2g5hiWbx`k@|pXC9+sn@GbavHGbV$l
zx9eo*<On%Aacb-6P&R>l%5HV&B7k;)av}ING)U(<Vri)^<6)x1o=r_nQTUaEUWl~L
z2fwM(aoghT#8I>gC^Wlk+5lpPM)_4&SA*2G)`!fErZ_4z^c^U#P%N8DwgMfO{hAt(
zx#SNY;$V7S0N()p#aoTsCfJ1r=Z`wMrZO@Fe}NPpu$atIcL7@gj{;0k)cvVy?#F~D
zQQ|a=j6T5Xc%-@tfFFebItYOXkd{Oc@yf`^urX6mP}~FmgROL!2@$U6oca3o>v!G9
zqKzDYl)yEGk_kYz$L6Q2=z6l*gaR#fA0q&M0z?Ps!|wo}Lad_!@(-A1UGW$aMKKV_
z*gnm9{(R<kgaaiibD$pOAvD())~;Pbj_XFcl6`WSjB94vuR#B(TF~oqV}XU=DRA7A
zDYz29WTdZK->A1(J2obU%bo!-0od)8T$EA*fyh+M4JTI2kOx}fp*U4o`{S?Is3i+k
z$N!R|P<*2^NLt!;!oa`~2~|Q|B_u=x6>##e1&cvhMVEs~AA|>Z;!Axe5av{#9W94G
zrU$8=DWN|gk{2xK{ZQKF)<y)PHG&Zf;j;5f_{uPWeyK|EHXyGF@{cT!b{21rdlt2{
zylkFlHR((E_N_$=?UnDZUP}@_H<w`yiRU(9Q~!4S_H{*%@f^0(652NXMb^2SJ(KS|
zJUnh{(ymY*0NghmlbM};5dkU^`Nv$HGO|W9KSQnzU)$q?T`M>yzZ68mrEjm0OzTyj
zKC&W^=vJoZ63eRJ7OCF~szwCDZe`$YvT$%qIET%`$I)f)D*oBVK_K|_-<ycF1KJC;
z$|aPpy2zxToQ@86f7G4~gf6CGN=1FYEzSIysmRNt{-xc19-CA)6T$)lf#G|E^Ew$h
zIp#<<uCVCn=x)7TCs+TWQkz9W#P{*>niu_Ct*xz>QJ{G%V+}6AlT{jwjVo=uQQreu
zVB7mIGi<*6OR@unZ1SQdk%fs=f-r53`Rbs&;;kE3uOg6xru&&Zd)VSHUs?^!1wKWB
zSgm92bZEHy8p3IR4G%#>OKY-!8#GA3BEM#fmQhkdfrwyrpz!33x%05}PSa=Kbe4b3
z-{t{xwB_u<g$X5s4KvH->Yy7J#>wh)`83}Tny#&Ig<)f3^BWmutUOKw1?dJTeg{1Z
zSiLA;2MQ&x9D>teU}6><555uukQ{N(8NasRtLyQeSy=H3LHOIzB9jPHTo5{2N1j~U
zbEBiD|ICvsP4h7(W`*fJkPp#1wZD<?AZIj_W&mTZgw)4_V6E4xy0l<PNuEUYKbrF-
zrt>Sou5TtI)-#9Fg;>n1rfYt|KC*qwHKWt0ybV5yil?9}4F+|^1n><P5CJ4y#qC3K
z8S)VBL1O_5KTL={4b~78AP00AKGD|BFM_ax(yiX0Rd~HJkUvFOh$>Xp%H|OW6mu0_
zs3!&NJVc9pmqV*&w;%yrP;yLG$06!@S#IM3$vd?f5P*yD0IAc8ZMdIcE2RpEwd+rX
zvz3EeqgV_O-zOt&c1j5eWUl@DM8rKFryc&izTnN{^_mjp*h}65YB@+2v%eS^K>-1@
zLKXS~BvR|iT_93EL`L3z^5hABZhxKbW3AS3db5J2loU|mJ>cUbgPNtDI^N|SB*-Ml
zQBGB)Kqhj=cFcXr%A!MjUl~M3OIRs~<Kf^ugDe3z!fdyqgh~#7kr?R^lhxE>x?6)(
z`j%0N>uXw?&Sb4O>UaS}VYMI>bplx$6>G<;oKft}r_Y~%7(OAtckjEoIOzKB24cc$
zf@uf=`7zL6yQ2IIRt$nT%8LM_LQzLWMMW?MkT(vK-nUGbq$DNZ=jJjNs+jpV!m$Ds
zpZ}hcN+J?h6rn0k0fG_S^}FE{knE6ia^8gt!L|WcjZ!`XljM<_qN$jphC0W>77V$4
z^7~tK5mC`+Zf@02!x(`Zf@QiE@#Nw?Q6@Onq1}@%V|VS-UQ3QL5)(3qQi(YUEJefd
zaDkq`E?W|h)$ZP6cT<XUP+*{UMFrQG!!#Z<W|0bBtmJ$TX*^tf-2I#f4ltnn>Twi=
zwUAGrydXb~X%QZJ;`4qt$*sZ!D+2WgieLr(=2NGgbc$z-v$Niim@1E!GDF#5OEnxO
zFN)SI+i;>}l0X?jDgzT@2n6J?2+zCB^JZ{oTN?%f>J6Lc)_=zWhEuw4*uhwcNNe_D
z6LIwyAeEuX$ui&EjUAQxqkFMUJ>VD+4otH3=VDF@uLxP26|zUV#@~bNVazzn$%Xin
zNdEa%?)ZOjNUg-i4)OQpdp1{AEe)&KDffpSpvFilZv4+_ouZ+m6`r4u=&prDL;w05
zB=BFD?NRLHm0WsIX#u#2>em79-E@H0riHH5CEdBk{MB7EZTi5S%fH^qg&S+qJ=N=H
zV;&#_NCkrr@g=GC_YCW$vpN~R10F6)B8TRhXZJ%qVm(<ZH*SN(4r|Wqh<zBp14WQ#
zRq4^3rQS_*e|!Nkf<?n@yzrV18^5t_;#YfPDVxbHtCvAj(30%{dJafMo^FTkfpdi*
z0V!iR-kwad;iz_2=a?sS*7ei0^HO#G!9qX#$U?U4SLiaX^R2t-5l{t^{`#Uyg}P~?
ztN$r~db9zZ=ZB^+w4NNHRypDuOZj;~S=KMB_VMlT7p+ux`VH29_(vB{!=<CGL8Ah@
zC8RG&P+WC;*ffcDY1aPr!8ds;6b#NC9p_ysIDXGySCd4;y>Jf~bOeOg+{0}FANPl0
zpMD7;cU}!GDV_we+c0sBLzzrvFaRdgqYc4DG+O(DqZjM5&iO-6uEm@+dv)_g<srWk
z0zwdRbOaX%q09@(W*JjwW`*Ka<@@fTYWu&&1PgFlP-OBHsG#a+C{Tbv^AzcSIx6zL
z(6ByG!z8*Mnnh2e5HaMUazV4G7$~E(=f2^dNZbF=BI<)D0LKC4LvWoP5FJ`!F@^Gu
zTUn+gm&XUlQL>>U>TCKrEhwZnn%;z-`%nVTtrShQ7<*CI7<DUZej>9U=ocVsz4N<<
zksM9fFP>H^?uBx%QM8q+|JlRClb^0SUjqM73FeajIguvg4_5J!f;tUo@~-!KaPqA_
z5wDervP+m-5kzERBdYn1J~P{wk!1D2qG)xD`T`iTu}Mr3R{<aiqibom7B_F4XCCl2
zrsG>qh@V_L63G1?H4+qB+6k@%>L9~?Ub~tCY*@o)SGwQsJ*LFr!0$->?nL1;<2O6r
za@aorR%o+hdwY_X|6yD%3c$|IIvxU^A3iAZSRsh8K}$#ICGYxEi~7_6+jB{x<>8Zd
z)H?r?@cU1kGY$dg*c@L&|MXM&R1wS)9RZL|2=XX5v_47?ZF%(MG<5L8&@np7_$`fo
z0|u7w(B}zv<2B$bUAcYYLKn}~pv4^>&dsp)V*yaNUCUsR4t91qxtyQ|B&m(kS@wu_
z^E^s!u%`2SfdEu-N}&sd?AN+UTiq}{%orPA?jc>sO^FK>>7E1X(4cdN!+VOZ2?Q@w
zV+nB7hsD0Vdul7wN=I+iFV8Y`yKmpDs&e@gKiQ@-DzcCl{5K4gtpMyC>J>jrm=I1E
ztV)%4#YL6&p#hH|zTwLcB<&*40JV1@H;q}T{(wf-`HT&RS#h5acTZ-xXY={MQ=fjN
zv9M!A%F0*(!jv$!qiqi3i@u@C9&+ytF?bA2f^ZM|+fbcax~30b$S9f~pb0nc&A!`s
z?USz*G`kot9-3mD9bw-aP&TZkj*3|}))gs8^m|EtM0*|fu_S1)^0r#kag|7<;JqXw
z={k3}aF>ps4-1u-<U5L|tlDr%1CyycMS?0$`^i*pNR1CWv#QSZ1kbDXVj`Nw>rnuT
zHL3fG!G1Xk;sHUKe|&6II}YMFxL1T1|ITYZQ6e_|ue!Jlrz1U$>}g+}y@oP%db)mG
z(ed-c4(W+6DiIeCSD{h^-J&0Op_LLS>j8xufwPb07kV^K;FQIm1tnkFqKo)M*?;I<
zQP*Vsv6M_7oEK5tS}_!z_~%qH#p`#W3z)To1aOnOewlPv32aFq6dCTbWf>F|`v|WQ
zdESV&N0b(~E&ozkG*v2_bwZ^_UpgrFY|s~+RqfRdX6<*Xvbm1N`l^t1e<QhFD2Exk
z$P&xI*J7QgTh_B|X*UfqG_*4){Nv~=JMpc-s+!*!Y=3~svq|b>KgnfR9-k9UB70|C
zt8Z79pC`vqvrabvrdZgvoDrWhT5^ogLmu1xIf!bzyn;YY0v-!TEG!OBfD?M?#^z@G
zGiAAHj8%S%BQvipwGH3))&w)(9TW`;DTOAJb2Le5xEp0{;}G7pda*bPW<kbIf4H(j
zC%Ej!=JM(Tz|6y+{uTp^1mPU>A35TM5ChX>%#ytAQ-0Zjwxo2>0f2kjviX?MWVY6d
zKNDg_6&uF(fKeQbpPy<%C4?&T!>FYi>+tykZfQ7N7%q9!G}{`%#q}Iz=j6t30T*j<
zkB12Rv0=G>W)S9@x8zCe&?Y6+)4D!DaXTKH2y6dBzdpfDMTG|t-|HU(fJT5kLq|nr
z2;(SG7>h!xeOD~Un`aJrGur^x<^dF^jkW=fgRNXCIZ{G^fLvJiq?HLEwk=19w2+$~
zxVeE&NIy%w2^g}ed~keAG7<MT_87<M4b~8l$sw*<W>wSh1#Qf*$Hp~qQuk<{l<cxv
zuWgqwNTPf}*Hf&LP^MzA(vbxYP5pvnn*n5eq%8Vv-=SPW{TajOPTCYiA_#4{Lbi(c
z9TxqG!}<6ova=1Jjw{iBwk@X6W$n7@VZn3pfE%Ew{E@P3)^ex%kv9OPFcFzT^Lz)F
z*%Kp&t)h0e*%f6DcNHR`aW;L-;P>Fbq9eI(l|=BPTI_<tN_p1^B8GsgBDV{d{~+1{
z>@G@v3285s9>tZn&P#?6t8%!1(KUS}75ABh)&K+}S2|M-L<y4wD#G64`(OS?3m_D1
zC=-jiM;mJtY-DVWIx}2o)Sc(Jtxu;}O<Y!1rc`8n10|T{-uRAQx?X*}(ItoveZ~dV
z67v^u!_~)YTqE}5t^+mh?gl<6IP>{)$-9t|AXC#u;TTCl%>syTsE(9ZU>(H%5IQa6
zPWXSZz?sNgd5=OP^7J)w7Pd`m*gv0vdK1MFjj&3Ig)0;pyiCBi>gT5Kh`TNhq$dEv
zO>4H0LJCC@Ttn1y<`4V9Tf0qN{#+9Q$FpUKxa?ML&$UH)0<6P*ezIM<T0Gp99epw`
zV6#3(0^I^iXaak<IcN|+$>@G~*@lyZ)a_vMN>I$7T~g78AV08wL|7SCf`6#jgrZI3
z05PslPxNG_?in|?vV^(}n`HLys%((X8zm2m^t}qnr{uV*un|H4!7hJ7yDO?*f&^&T
zI1>1Rg{rXh?EdL7Ig}{*P^0~g8JAXmJ4R5xTUXHOa6JRQVaS{W;Og&it$g!kbCmEF
z>W|H#qH~sOSi$`-hl#rstH}|UQ!$3y>|)vaN*eZsQMb;13womT_84wQLZm@wV<@HA
z#zJy%l5jAoq<We(jm5B8i59F0oY(sf7*JQ56q)#!CmFE-L!%xh;bM85Ccu3<Z2rQo
zJTQFjKePkc0+J1bIx5mYo{pxUPZwA1(aNCQpL|Iype!u<a}GA7b`7_~vq@Er9&mDX
zUO#cvT-33k!t0@OJ3BOJi{-infK?=)J8!xD`kEC99E22>mcIJCyL)q|TS})tN4<19
zh->J+%Aa`v8P;^73&M=s`(v!QuyTVGDNGOKx{mSpBF5T>RH+WRse5Y7&`_98QZyPI
zpHE`TH|~8j;y51*M`hp0Sji?x)1VH%Jb&@xJ~MMZ-h;os?xDPFl`f+mg2l$f?_FP!
zLoQG(--~mGn4mFIs4hEZ)vVB3kjeY=nUG}S*Ojb~d_{6Ss9UjlfWlLZi=g>}mKGgO
zDV5HK_qnSs_GJ^rIj?b`{Nbt1!c~w9cVo(E$XOim4JgS3yPx&=etECiFztr!q}|dr
z=D^|b8fjapwskG^L#JpCy?f8F`C-k>sfR=p!vN2^@p0ddPv>;^lK;V3Z7$pXb?(wz
zHv<(WC1=eT`iFa64UR5~Hq0|MPutaxcIW<`Zk7tj*U3B;`Nrto#*}4o_8mp-T2&bb
zoi-fkN9Off!h6TaJno;at}Fh@c)Ee8SRDc_?(4eucmq|=DETQ0EPdvQS)_bgGVaDj
z{@}spTE%*?(K{>UO^!-sjo@>&GGptUsWc(^lOA7tS_!4|@AsaME$WxVk+4RX=FmSq
zB@?$f&%N11Re0V><}S2WCm368z854npkn(=D^|6pW?+R!{SDlk&TK#5)X3~O+yk5g
z|HH|ri>ZP<!R=rX4OjCsn`$4FeV}opY<dsUIQoh`cl~0~fInNX4awS9t=N8DgL}J;
z1^d#a+Lq6>C}<Y<Hd8|T@Zom+dBDQL!rWy}Bh<WQx8#ts9qMOz{?*+6e0U2Fxt2G$
zx)}%T_X^rK-CcByU%iw4XumbyMaH|{6TmMF1^7I}`TGU+b2JYkD$zTd7O8)i5#>3i
z5SwZn1D=Dd?y2lCBT8!%_g_+o2pl!9tZ#gn1d7io-p}yc7n|67);i5%?@v2W766NG
z)m-g*ocH<%TIJr52^>+Wqc0hGXFfV)z@=KG66k(@JbtiIhtF)kHlonG8@qT57M{^<
z&#L0aWub@pba@Z+jZbneyg5N?h;zqPoDlUz^iQu}!yN7@8cQM#oL~LPb@&Ex^}K?^
zs`W>;+E({@=U7z}tNOY-!aXn=`%!@3-7(*gxs-b(3TUw#wO4sakO5J#1<5#q-7SO-
z+@x~(j;-e6B2o%>qf1UclfO=!-JnQ%`<C=GL6R1RPQp92{nOJQhi;>>f&LDTd}R2f
zKkVbz=eN%^ibuwdEBTbd)H~W&PWX0<6s~>RV)=~OEIO^zQmN+2*kN4uyMQ&2laAYI
zH%?TVPyqYB*HwX)edB{L2iB8jwpG=w-Y-{z-d{z%Fp^92OcXnRaCf<%+5OA~^}Pe2
zQH>3c)CJ)8KCnl?#vFhmDc`6Yj%)E&O1QeFEB5tv)?M^Ty}}kra)-4ZT}F`mY8D+D
zf}8a_N$wT)bNY$GDOJCp!EtT~sns()y&?&kOtS*Vx#awmXJe&(3Df!xXHYjU@ru?c
zSk**}IRz0d1X-ewPIlKtEtg~!<A@<!N^Kd??QfFjR$f7TeA<D<r<wiYD1`{dc~^l%
zC&%397qHMovWU(aJj$O|yAjc|x;%%mIYFw#);Ro?=Z!V*t$B*^xPwZ5|AHZ^9b4<E
zmz@QoQ<Wb$*Hp^5xb7vC(B9;xnjp-a>)Q@!r+Z<l|B$fh@OI33in88Qd6!tO#%gm(
z>`hA+XYr#`DvbSxw@J$*`8@OEmz`5_3#?fGtmr?#20jpe^12#rHe8JNKscy=ra8<^
zQc|PL>S6?=rVx-7BO@bB78Crq#812CnByUIo$ThiHvsMulp&Wk)h)%>0GR%25Krcg
zf@t5Z_YRQ~r5E@WKE?OCJ!b4rNH4#DVA{LDjyq}Z>0p7+kgwO;))Z7rHHvuMEf?N@
zu0}L+tAat^+Vb2crO~tkFYQq&8-Hs+Yn6BZhL|HsPwo|FLz5geb7iw@)!d2~Um0bK
zqDAfsON9M!W4~*wW@WWEIWEzMnQhcFdC;rEAY<6MB6T{G=@#I8IrskRZ#>iJfpKkj
zva_UTQ5vD8xm>5~p??hL?_ZpkT&G@w{XiH)DVKA5XF%;sS!_1^zOeAgNTuVoxVX55
zu_`X}u}Z(CCF9caa&jOX0Cj)Me=lz+B02d1WTzm|*-yclRRG^`fl%=VR<A<4UrJv2
z%N-;C`byPV_4vD81!FU`b%$#2WM8THUmkMu$C0*XFkH?r+4%AdN5vigR_5`~&XF%X
zgZ=Fpy+w?IE+eHg$ti<TFM9EO@iuDHw0Na8(i>}&6=f8Ly^@wND?{BbYWiYX=paRf
z`0#JJuqE;};@QmW-@EyW{q>JunIg`8{kj2QJ?8Njcw#o{X2W$Chr&u)h6|AQ7!8*<
zjT_ft@%FuqpW|(QzcqE?K!DpL`g2AN{_-I@<p^tku;o~YEXCZbq*NK7K_B;$(hfst
z?|+nStVy0%P=G`JV?G~)1ma5x1?YY++6<JuAwv~(YUMUKaJbZACBG?a4e5Gp=K}1D
z1N`J`H(Wv;(}(XFnAmi9eH#-nNuXamKq8J}=iZEQgVwvES1BeYW&@J^wC4HIt-1DS
zpSCt}n`M1xLg{#(W<i}tRZ)?qN!BC$_6LroC<B9F;o?^Ofi}@tQo}L!nN@qt0Akrs
z)%A2GW;BgYOg0`2&%C`o{XQwpH*+{heg{#v%WA*ySuvI+w3AY}<|@9&x5AsS(jqlB
zb=paL-uFpIcvq$yXN?A%PI%NyG4v9>O9S(9G{etKJEZDd5^{|Fa$#Lq2WQo$UTJEw
zQ+rxJ`)55+EAw^QW)02C>tjV<Zq3<;yga6p<MH!GINrJmN3pfm$EqysOSt9U{CIb9
zpxTuyG&B@dFvGXDd<Sj<=!6BR5!BSxCjq#en0ReEREPuBazjTf7ixu~wXG~H_~A<x
zfYb4e<+8WyNgNV)OAVzxZVtECdvUNg;l?NLQl&mkhqGmFE2L|1(2A&Ij=*%Zu8HVn
zn|xPHiukA~V^EBT;GSD;In9Zu=(&~N-$*>`ZA{nxNU)y0;pTDP+%~d=F#UqQzQ~!x
zfd8@jxzY}fYSfRH|8tY8hM1K1>z_+XUeR#bd_kvNfWcUOKn{C1F)@K44K}chhg08E
zkaD58=Yy|y$SStAu<-Erzf9`9!n`tGLx!q1p{CqeOp7nR8x6js;eKk1I>mt0Z!d79
z7k7<{Fd6!UfFzNvJGhxybkpG3+~@v59wAt9Y#z0Z-%L^!{dp(JjV{d!VkdMI<J=Yh
zA7yVHR%QEbjV?d|l}70hQ9waLx<iykM5Vi>8<dn*y1N8}2FXPu2qLLScO#8bQl9zf
zZ|`sK@0@?mdvW<1u-3Egm^sFnf?AVX!Ckx*AGgd(m2)eTv;Gtn^4CpHgtft)E9_+N
znEGhNw5BpvuzR2Jz(c}rty5*5_m<{aMqJkaI@G;V7v!ZvUgYQBLIP3f61wk?n$NCS
zh(0}!()a#-10;F20lV;8y+p65%6!LNWOsG&Ql`(DV8*j0O6&2ep0|!Az(x23suwD%
zs+juv`l;<k3Z<CMvoX{*@+zx|ZZ<vS=9Od}xZAG0+TXs@&F>wtgLgPld^6bg)_eVQ
zVzWN+j9it&sZ+|$94FwgX0}Xh(&6iS9ah8};-Y^AvW<llV!9M;U_bxG^*)mPZE(cL
zk9me><J;Ga@XyS?kqBSE@1=e#e|z>!ad&<5l}~RN&-hY9dfv$1z|G4#wO?#5(J{1X
z540O=*&76RNdMj1&kdWs$8jk{-`*hY{B!5ekEW%a{OS`&+$V&wtwxTj?*?W8s=mFu
z%X91=Nhf+Wu?q<XJ7bx1^qaiZI-Ffx0wW^{fd^&h<aej7BV0jcvsNWsJ=h~fmwpFq
zOO4h*z&q?3>I%)2CuYOlVyC>+!mUK!{O8>39OW9o{&RX~)r}gbxaEE~nCyIqo%A4W
z$*Q}L$s}39_l{jy1+#T|9C<!|Ozb=T%Z?p8@<&(dj(`1_?LM{53t(l<igzskYn*a_
z>97yaIikrl&s%!B$_7^OmKaOe{o0}w!b(k2RDLq6WkWmV?d><}%0>U?>dn2R&iz76
zUbD~+SJ$L})@>rz0$*MV_g!Nn9W<B`T?D00In>Ap(@X7<^pV7j_cg4YR{9ybQ+T^9
z#gXo|23u8LH!BMF940iEN4}Gx^eB6S>zuk2^d7okF>N#jR5Ev=JL1Xn(Y%C_`bD3P
znY+rEj)&&Ob@OJuAK-3YS_+S55*HUaxH=q^J~)#6njRg`S>dYq@>%uV%Gy#uWs6tO
zexfPQ-N)i*jnB*3JH%$%Pm9IrP`ih_Z0@PQTE^2NySsQx@0sdyAJjFy3zdwiyuGN$
zOi)`%XQB6uw%V0Rq3N+*X(aXEy_Owjt#Q5*Q#o$CmPEhV*A^r?J+D=?$5ENAp!@;z
z1l!qJ<39^Qj>K5AI`!_vV4NuUtdo>B0OJ60){9|1kDj@dSU@afdj7nioF?!BLI{oZ
z(2n`p%3-~`W@b#_I7e4U@LDx=m%okFyx4RXRcSueeLU%VSa^p$nMtm}nse>z<S0g0
zyE~SJX8BKW;<m@%uG)nfuP|@zk{YH<9=#`T^S8S(Z!P$iFw?u)$miLjOOjjeWr;2>
zI{_C~jFVMdv4dlUR$H%v(^h>RaFf{mcaGzfSYF{Al%m6m6W5AN+~MOVQl!I~vV5j~
zn)~#L7dJRx2TAQnh}(A3{uGVY$L{OT#k~0y5$Cv^TarpjwmM1r?;u&3UU^@}!CGC=
z%4tB;Ct)YXz9ox_O$d3E$@Yom&kNnllz(p|gB!m*1gipX-n?0vtmCJlvG#a+xHqgn
zySW(w$PX=Ruy%AcXtd#Yl?`-R!w1g-q!>g*MWa*4kAg|SU2gB}l-*Pw8k=d<AX(_?
z$*n*hqe^MLuV-OgTcbym?Aw<x;nSaa`QNl+M?Gk7Z)ocKo21>?>?IiCD-(Ym<gQ^o
zzdY;LRxiKJw`_beHC^+e6l1CwyPSQGGzWs%s9Zg4h%6HocYoQp$f%KIx5Lj+#A${1
zu$_m$C;4>?zj%<IR|)(0{OSg2=98doeVqlf1_&P)kJ$2Un-3eB9K1d(&$qs#=hP-i
z{2Ku{7dCV)`^hQr9R5B#4K!28KU>y$NG@$rC+SsRbEhIM?VnN2-S~Tzf;;A47*eE;
zXM*wr<dWq=9*)13dVr3JmEk^j0YQ$uvH@%I8`nL;vw4)%e)GJ*-nsc1?2K|@5aWpe
zI=0B~g;=r<z_7H_`<xj5QheZL<$r86mqjPrJus8_Q;7Y-^5#0q=K=Y-;~GQ5tmdl@
z@oJt{WOMp#h0~v(yVNjG{m~yCNV!idCa!H-mTM_9%56#nVQLZ$X@86kkDKCBy=X0e
z{%Y#ZEC*HGAYV3YL7TtF%%!rYqxlu)US<0x=$4~sugNr`m5o=CV^M&#5hU8tG?lG$
z#)2@U27>dp4*bx2QySj&cpW7}j;2ndm7L<wk1*H-p2w#W|JYn_E)o|En8rtQpO*0y
z;03=bp>Cs?n-2<@Y5dP}{g9f+3O4ebQPC+W;%CV|%5-WPog8i~)LB3K!SkUv-vO=D
zWkb((h#@jJPVdBY-Wa~sf4{Ftp6`cwYsOZYVc!AD*X`|twxh{lr7@E$?^{Ac&ZFv2
zPtFx)a`(*a3<M@dr{(+QXAzxGEXG7VN2BMWagL3juduMCQJL*iOpVq?Qd6UnDx}*y
z<NV@sm>r6$2(TJ{Cy^3|ffre5$MKyZmU_>}{xSGC(%_(M;PWjNrw*~37U#(6>!#lR
z?07UGm~xp1)9IQY*KL9RZ+SQVU8DgOzZjyAlspzhXD7cN@bL4GS74jU$z8z4r)oRx
z;lyLttqlMy5TgD7(cm_a2uL4@VBp~30QS&$sbD~5MuawUw?0g=`-VH`puL+(|KupK
zXq|9tHJWO1@vB+~z#aX;_dsAY@OGYtzkhP+XAUaM+a;vOCV0E<#WUmF&V7zHtZt?w
zp;rwZCY^|xxnVs%Ff<|fl^?bQlA}AvBQ-4Ip~tzRYgU!hU~z4fiQM*iul@Z5Z}Y9R
z^ru=<2oLC6sI^^Fy$WZ(JposG@l&MW2o3k7kz;8N1v91Qu;p6RldSt{FQ}*wyd(R_
z8?2)^d6}1TF8jA_EIQs6nW#&xD5!lH8g-8v-F7`xbf0zciN>EX9%;7YB!#381nF$e
z*|Fyj543$c3T6|UuKo+VWX-eA-CziqUtY!uGPGanrWDy9F)peqDJj9p?31yzW#_Y<
z2m$;OAnXjAeKFiuvV#$UE2UIEha1KnVU+$~BLiONJ5wm*G)3h8V%}CcAURy?&7t4A
zMfbkxg}6&)KQE64O*tA(naXe14q@8{(82!2`Hstn3<o0L94}@aa&;IS$F|Z{pd-CB
z(PXi)?PtFi-O^LCc$8VR9ML+VPq%IuPK)OhG2IM5rh+qCzC+DS8-CNfn=4t<ay|TZ
z-A(W%h{3cK{%bCKdwboXRbS?P`rPw$Z@8!mqGRD={iX=p$y!4okplLm8MG~DmzIJ6
zqyn7+qlM4f+{-jHG(_ap6qm>vU(io^<CD|V1@!eL%!huwhD#&AV{b#u{)E2$krxO}
zP|(v8LinYaWKgSz|Ibn{^cokZ<=-HFP0Uw4nUY|-eek8}L5sNgeM}2Ey~f%d1)Tz$
zn|nTR>W@D-!VxAK@WX1!y^+%G&ci-hYr9|0v}iCIlYg{tx|nkP^0c=%CYdsAFh+yu
z&fU#tg@>ys{;nMeFUY>QF^E4!56;J)+zZ$%QJNpBugFbIWu5Z)U7{htiwD7(qM3po
z`>;{l49@mcm(Qn)8Hs}Be}#>x@lV+WSXTokG|l=l!eLuy3rZR-D>q;*9A-bB7dhE(
zO%ilsqVw8)2&hX0bpjAn0GaV6F9PhrLWGRM*G5izJEZ!ON%rZEPoL<^(pggbfCHL{
z#Qhd{k)DWZ*9|QiLC16S-iHkQtg-*uX}hSCd*3a8Jn|~ge+J;7x5lddxaT5?93k{c
zBBKeRe1PL}KZ&XPhWv0JI$nc@Uf^<mcqpgQHkMARpMv_%>=`53G0jSk%$ILI6)9;z
zL62sbSpNcRQ??>Fz~SW0;`Ks7LirMb^fs>H8qWQHkqGl^N+>~KA$T0X$Gm?1T18zw
z7>O;6#-pN$)+f-UD7>M<iHfJBy&0mRrd<iya7t02t_NR`Z1~2+kgSha6LQpVV*<){
zCo7nA&cB}1Jb?M_b#<feBrfcEof><LKPSuLfRpnvIM|%D(esE&`jY-*dXVAY2gmHx
zmzLE$BCOk|TofnDIl)PZ6FY@N|KZ|yS<&R_Xa+6k6%&kuV+p%P$=8pkUoSJw(5KpZ
z5%ZjW*9<i^_YWS=kl@L1v8-2Hgm00XbAvs_o2yd8O!)iyQN0pKLh%y9Mv1(~MgZ<X
zl4V5w2_#liyMwGPE&a5L?t6O!-g$x8_Bh}IDS{M!`<BUnAFmZ<A!oMQ=ew|jGN&Wt
z_vUEZoAzn_G4O5&Kx{KWOg-%LIrE?PKF048J7$ZCjr|G-L0QD{UylBHgG2;U8L;1H
z-`~5&lba5gpY)-pYwqM%cY#y!Z^GHz`7p9SxXp}D5@-GLi4(SawU|@P;8@`!E3UHQ
z$B5PbTWZroa-<|k+$p$>&LMd|jfguDaIoRLu_PLNw_Bc{N2FIiFFM+K$jXMuX*-2=
zRd^r$c(($3g8)sLnVEMt#>ofXD&5u4pn#p4U0<Kz!jb)Z2yoFh`|O$HH`l23^4|NI
zZ1BbAE`+oYUNs32&$qIb+A&rRj#T(Oxe2&j1bzfyRe5=N6(DNE8r9U)G!G1r`eWlu
zf%0s71Z`+Eql~Ld4Pv#?G7sSc7?DMG_=9ZWTcy;Xrqc~OGSUbTtfLV37I}Q@ij<TT
zDv62CW(P7IMpo8K!G!cd06-%5&&kP={H^hyQU``XOxgquH*H^_NPE%vVegQa?v)fx
zxWu(W=N#z^^72|BL*H3U)SqiIcjBt>VZ2Z9jUl&$z>|ScnLy|}zhKr+A%BH?1cxW@
zvE~wM3>I>7xXgQLy3+&)a`Q<L%OvYDl6eoVygCgn?d;qf)Ou@^Pj{g4vN~9RR5t<i
zRrxdwItsFHR10;`B!KtRnPz8a|F1ABAjx1j+2o!~kkRaSPIkcyDD^MG;tUod+!YIb
z@}V|_nPTSK2hCF_$}e9M86O{PbwEX;?70gKre|o>SqYWru`L!~&(n{oJ_CkBhi2V)
z#@mq>dfYuy2<UrkKDu>L+gp6X7ZIJINZ`o8D$@u9Wx8r%GP=m&CFys7uSTGzs(Cdw
zYePj?ksaJ4Lv%pnhSQ=^Wvy9YbA#jpf0g_j%*c*bphH_zbxf2wlX>(#gna}&Ae1^j
z>6QS>n@zh458A@%G(|47UJY9bWpz?u5uidMR6i~JTVyI?IH^hnz=Yx98*z=iRQLy4
z?ejY|4wo;UKRG=`Zvc(_!y0d~sB!G^r5h|47&gd2;1dCH_lf+%gY&XJc5pE5(*Z(h
zoW|{V;7wdr1OB@9fG7_+mmZ~pNd3I`QbVKT<#da=S;P}tiCvZMcINq`uHeb-w%ra_
z4AZH|8N$QE5t{e*7gp|_&)Zamo(IHXnLjzx=qT{inX@!;c=)iwl_VaK_J5!FIZ%jI
zD~QpGjp;DpBCD+#DW)WjV3wJc(^fvrk5<`GlaP=Ixr7095EBLBqJyr0<pcDfRCZJW
zlWF9*1Dnl1)&MSAhX9~~A)k!k3jl6_eU`XR!oa~%QqX!mT@lnmK(hl#sJgUYY+T-n
zaexMd@J1H~AcBKc^8z&3f)trrLpd5lUcbHu77;5xJ|6mB!HP@}G4<I{rcU_0Z)0W1
zodm~<sP46nj#481_`0pe(D(1(s~wD&n-d~Bf+zFzf0{ugWc)GJKg&iWr5ceT4GV*~
z2YSao<7`iI_C%|q&4Kc|f|lvOA*M39-hKMM4D52QqGSjn?=oMiX;SxeK@Hmt8P0xp
zpy(eb6<^5ccvV7Re~NW`&7_g)EVn3FCS(${Ds~Q<{?NWtKJ~4+*Sft;M99Ot)<4oV
z)1>5WkmkJYRvTtEPfOYGX9Y!zg|~wLdHF}Fk@*F1A@;i~4?(11YG}U9WM}S^M!ma3
z@ZR$Ba_~RQ{=(uS1E43Z>j2!2g+c(RDA0>2tKsRLl*;*f6}bGKV)S5Ai{$2b0mIJ4
z#RUM?yINXWiESfahmUP3Q=QX2PHW3w_CXC!>M9Wm#jpMNR=g2V{&mJ9yu-Qq`Otq5
z)A@}7Dq@HND^!IG^%|&<QXaI(w-cLA&SPQY`4$wgLPO1A@ynGHD0z+`a<4P<k>dC5
z?K#uZRu)74xhJDkuDf1eyLzrbY>7g_FWVFOCI!bQ%R14LazoLLLFE__HljFQzo{Qt
zO8NoeMfY2cx94%Bev%Vk7GJU-=Ue|xN4@W9SLMaQukOj>)$+FS!qZT&o%KJzupaJp
z6SHaZU`|aHTUdUZ9g^w7>*fF5N-T6Jcp71bN)U53OG?m;k05CNk}T1gc|)Vdo?(A$
z+Na>7i1dG90s4yN1pf(bt&df98TmQ>IXgx9LYv^sHE1XgOd}5P41ms1UM>Y@wajHr
z4N$IblFk89y(a9EE3>m-P2tw!D5+lyaHarH0l;B0#73psHNJ$b08AeA^b96y9Ed_c
z0f9>r%8q1g8oqW-r)1gL+5c?<M@%K`9@HQF)Gw+U1!LVXVcQeKqZjL_Wq%d>d8$6n
zPx-*T(ZqJugflEVaq;XyS4M1cU#~x5?T5|Tu6qwcL=)I`Uy+Kxo9`K>=Zj4{p{L7o
zrFkW;i~Vsj9_PSTqHoi;j&;U>X=|hqD~-n2r=e|TIg?=Sc&mqbX523w-BJ8(WpVNR
zOKBq&`M8dGM8Zcx0ezQG(DJEQ4P>zXl|5jo%0L(h5u%t+7I3(B=qa|~h#u_-ef6s5
zLx8upH_E^j{|o5YZM%yAiD+{K4CICw*=b`~Bo`mwkU_e@zQFk1g36O4x1S4g<>l`I
zMT@2w<z;>J2)|3WeA#03gQ<=-NGF0Z?Ov_T1UIpLaDZbly~kJWeQi9Vfo?yI!^wEu
zack^b$r*2)>~-u#kx_@(n3x(@V0TP3bhkH)EkW^lWJII<;5q1HwCtqTsR3XLXg%jq
zAik1JQ+|7RY@+P<@v*kGdBmG#!mgoZfyj=#($WEPf7<&rJu(ul0kQjKMn|J|AF5~2
zd%dG!^)TmaMeSQgVLlXWeQFyuF>#Bi4=DN7cx31*Jn~VTKlT&#-oJ!nE$lSxGg<3G
zHayCEKm-0Gd2m=u!5E9yXY$FdD{geVeJ>ouNnW<S{UaU~A)|>QB^wMiapWdJcOU8D
z^YHRY77V@yv0w0xGrxY@J39J7c^TYlosiCdq9R>OaFTetOU71OWa>th5SL%`zdx7$
zgOuxw&(&`a(iiC-oh11~*v`!|S?hBTZ)i&_?0f9*3F~f1enkYk`!?N&`jUenAZ8GJ
za{h@VgZek*Mf_xN8R$eOmNb(CDh8o{8x^;EA)%3*<n+i@=59`Jt`a}F3=hxhwu0Uj
z*OM<<vk&N;g|Nl+Bs5T*Po2BM<kBC~<!4h;jM2M`)lh=1SRAslE`hUvXo25~|2RBM
zj_7f+Tm~FB(3c=d_E%&=>TH0EK)WU&BGRB04If!&9GWJuRfZ7kA}lZ=W0|W&64#<7
z*b@<DW+>iaN0u+@n)jrb4(xntZ<o3j?c29(+@B@sN*j6uz~s1>te%NR%U%ZolY1bC
z9VdSSpy&{9*{Gy^B?APHju9wHkpoLhB+<9>ezuAMAQ|9&5vLLyi~~U^*R!7{kh!O}
zwG`XkjP0~P+I@<sGDdYR!m~5kJbLsfd(g5Bl915(g2%UjD@3KU1u32_{=F&@W{=(q
zt)kK6Ip{{ZrgJn`c~n=P4h#%1ki5Ja+o__XgNN3M0L(wsB)`sx=>n$)-rXPCaIb4>
zC@^23sKSFnCE3WFB0Coy;R?ax*>jZ+%duRRf;DVy^$&%c(<$J-eHEY!TvkJDhrfSI
zvM1hUBQpjAGjZg<ud@b+A0k=YK&j0U2-ES(G^~dO`Ml3i8$J=K##_HWl$H{K-I+Lg
znNXa*BZ#GyfmJnO2POYN*bf~Y8Yu38Qwc3I?r@AWH#cV#7N-8EeGS2LK#M3+Glu{k
z3+1{s)f4Uk_xSMeP=YCz0hnnZoPQ@755;NGe>HZkMEtE7NE!yyJ;wz?6EG|&cr7mj
z1}PeJ{(*I-$#&l6skIla!z74-BWyvC>w?#HTF(0LfdnMWD7ek=+$KRd3|MBhg`Rs}
z;b<j@rjmdtHO@=JaB!ustsGD6F#hWhuZs%{*$?O1VuBY))Vww0uTSZ@ZKWP8DVz9V
zxq+ok72D`3vy3z@I(4$Mgw(P!g_1K%ob=aNYxkdx<Ytz}=VLQ6==rB+e>QizU%6o=
z&$b>aW{P1hp_emE&nk@sp{aArY+qc@5SwtlL-84n;<JlMtD*+^uGD7}6NF4&ycC%@
zM_i!wyh-s@RVm^47@|`=)P1H{$_ioFsn+FR$#HR)ZBrGQj8U9`mn*LU1vbCgU%&A(
z`^-Ux2>%GeC$o+_!Ql$GcpHYUMTfw@Dc-vmI5-b3gRG-`QDe8vtE|d;)TpZHY-jvi
zNg4Q+puS}%<Y3%U&5MJ0)$qGzrJP5lRu9TR`dW0$@BYZ-27-0LJ7R8lPHSTtwPx!h
zOA+^2E~l((KYZ9?W8Oh>G0<%5QdQq=?J5mX{&wSWr>zvQq#scR5QE@Vl@IfYiA@>k
z!14Kp<KZ3FVPrh8C4B4FmvuD%@X$nA<)RjKN4IVDqIbpaN!fv*?T?9M;rrT|iR)Yx
z)7<UDcg59Cmm|+kpLVT9qm4_Q=^|-`+qZvvmY-7TGoRWNrBgeNkIeIm5yHv9LoGpK
zuNK)gF+%%nGThksm~&X%L-g~8%niK@4Aq|+YWdFpD}V$LIWmKgA_%PVUK|{L=v9O<
zSvz?&64`;3mPS)*^?-}d_Kbt+L2~$?6J}~*x3^clM;+^bDbt84DSnLX@NVz^VYIt4
z_2DeHtley87OvYLX%Jcp{^SjJ+`oyDk@2CX<^^zp>f(?}Et!3$ETKmO*b1KeI<vNZ
z37JK*65L9NYw@bcfkMm7j04tuiBc=UjJ{F^h$|F9T$-$^SBVTDQdR4!&>|%w@(m^D
zFakaa(MxHtdtgK+x`pSzWdoB70|mLzw*}Ao<IOshuWp?yr8PabS(w~7xxVLDYi$@E
z5-n@u!1NlVqCl1$Jq6}rtNs@OTu=x~%*$v|wn2+SMcPG~G|(d4vYl?EMMXtL8I+0w
z<Hb{KdVwl}n!h)f5W;VGojYnERn}(21?JGL0kRIzLsse)^&oumgfc;r->k1v3@}|N
z1L*8B8ABeUN!yXM^Xpws#yl;9kkHtS-M$$6&6^mgGyw;MFRYNj##Ix19uq^YL~oLT
zi=qh|n!s>#W9mxw$`1Mg)FNzR?HW|L^9-R4LY%;^-#D?<D7;#`*3sT5hWU04r`$Am
zuZuNy++V)_KS&uQn|4gRgpdCTlHf9f7SBSR^iaVPu>iP`?@R20au^APRbSa(J7#j-
zI>QE)O#jf(P&s;#Hf^67xm~m0fEz(T#Y6oh#FQc{QMiBjQ81KOHe08v5OHtW>wc<v
zkT+o?<YY3kAV^!r9_xLlNTo>Pc^cDcydFHTUTa>I4D?5E7kFRlKgdz>5gT5bKPM&g
z&4Ne3ZIcFAw9pdu1M3ZDxuW2~3khE!8i5=bXwe~sU&!wLblCY>h%ca^xPU?=%CCxx
zPh0!EQ%=8gIIi<LTnTqA@tJ8?9lKV=XQRUN=WpMr4<{u<)fl6ii&EWIzuzpkI=c`k
zRo4e9)syS%*2sOaVTGNlqGYxn;U%urDjIabgTUR~o)9?OAaj1XBa&Xm!GQ}H@mk?m
zO1HGi|M0R$;-L^FW7WKhr;5$HzXziGcJ|@;6;&Db#iBWGA|SF!t_n4FbznY0xfCwc
z?3ZEJ%dSOAPRmGcu`X&I8Bw!2R2=<g*#ek*sb|x7$0880&3`Hi0AE^!m;})egHj4E
ztNPg`E0av4BPZ`9AyXoP+;|C>6QTXBKV%O?cFxhz6kdL^CPq;|WoUnM+CLRPh>#0!
zW*v9eaULW{Ywyk}D=4&r8YH^%cw`|^gRLD-_lBNAaSnoHMYz^4uyAUm6&xM!1V|aa
zW1_VI0%<Am>5y^_H58CxUJa0=zFWEkhcOc25>ZmV1Tl8RVNZ;?UJU$bFqGj<V*>>D
zK;R1hOP)|T1T;WwwMzeRFcU(|Xidc^D%x;2mS+R)1}i+d#+8zzRzOTnK5SVBfiJ`&
zlr&8$EYj}oHM+wkjKzBmSq&u$>A$HyKroD`A7Yo=e=_1~Gja%?{Iky1{V?agi>yz2
zcEQ=S<oaF2g#Guzp>ZHIhO(y=lXfuR;H+rQW`)!W&(43DY+~SYP+05iOwj8u8ded|
z(98?O@#Rv-s=_~qi2(#rFic1`QCx2U;A6Aiv{44*ia_8POJ5^aU*ZM118}}h%e@;P
zk~FLx@7%g|5gZLxE9d*d!T_o48Tl(?3fH1FbTc59GFbc)kFxDCGXieCuOUUbIP5TA
zxHuxFS^Xv8*5!);B-K>9<L>T`s^N|Oz>7mjS3zN}y}7(UQ3t6dh%LHCK4k;vu*y~T
zvJ?dF2w)~cRHw=3o}TlqoGff?(lGc!ciyF~lBwFP*_8(r2Vf=x#3OK2qU!YE-OS86
zs-N^_h+-rq2r#w%t<L@T$y%U;>*ojR?6b#Pk<AK3zCQ-^+spgJtnNB~xOdO#0Z%JN
z`;S|6gcd^>ynA@hL7!|>;L64GNH9*ghJ}fVh~+{4FU4|sOmy5FqC%8y(TjHva=zM|
z^4e5de7y#&bO<&bUvke^b_oF>U|6w=G84yjgFjHp@D6D~5qB=U777I}wWz(F2^-+V
z_*tf20>(h&gM37-D{|GC^dl(fv2F=L)>v>{%FR6L7`xQ2&T^ST(D6FTzWmPKQyzrv
zJ=!q!)MHE6wMfOuYU-Y}^i>v?&#Pz9Kg2?XE~<`-fhH^7&<sR^Ws-6_+N7rYI#yLS
zkhI8+?=w}5{iGSz=Z|**Jw4Y?hL`x%oG$FLsuw$dNm?I!3uP804!+=BrD!K(u*IP8
zCi<BO9q0`V8P2=xS_z|_{;T%+cU_}A!XSwV!lU#<l1_ThZ49`)Hd6;pi-Q8X;&^!O
z*mCl8zNz@WZ>d&>OZ4lE*9Qy8;ZBMDULf_~fU*wMT!=0Py6*AAj1#a)aPwkw2jR*h
zaj;1zN!<~a7Kt`Ilu=pDzz}nJoOF2{XJKI>k6b;7oL4>bbk*$vZNL=TM^NnfTcF4k
z=2$Q60QmgyRWb+?`KLWewTgz;k315fN{RzV85yu}=;>V`ch_}89(KmDK^z_i(GsQR
z!-LNbkE6DA$wT2u)xlIcuN4^z!T4g2g8*$*M#j|Y8Td-oyvvrAV++q=kPu{Tcdrsr
zOq8^Ds_YAme$24ysX_#2CCA}@*9~RzbWAPR$X=IHR*q;Xv*MwGDKOQn1Rh2ZpXYT7
zdH{`E*kv84nEp+p9<Le84(Nru(mqW^TC0{ZI{#hneyX^DD1umRz2J(uH2_Pt(^rNc
z=DfY|X_%@`hz+dfLd5KN7v<?hdVgOJrPm}4m!S$_$dT*TYUy9E7df}%Ztvz+ZAD+S
z&;R(T<BqwpKF>DAxtcV8EDBB(4eg5pu&L?PFq>?gRv$zY`K^jUx($5b-G3<#>=tm-
z4L|fDY~J~fNMooRF-2ZDhlyag;Xd4ly7hIE3-I&N$;mHa5=w~lHTGvlm-sH^s<33i
zHa_25b)_xgIyHU<a5psJ4CM5jwi5!N>~IY-0IBSL1Kmz2f<W<Z23irz^1V#V%sJrj
z6+Vx!!mI_*pG@L1#x^oCf{IaVQM87J#^>-%2q$keoSd8>QmjBroyiWS^Lu<N@L!sR
zru5h^tn6SCL(-#od7CkF(2s>g{T@6j{}~LDh>nfLf>{hbyJLVgL*Pm0u(2Txs#<GA
zjls&r%3cQ$T3yQ?q{=~H<6^XmG=Z}Lo)9To*){$STD!}h=-;<|mnjy*0$pYOV-(U+
zb~RU~;y20Wb#7aLwy+w>u-aH&Hg}Bt;82;^(6<9A2qQ#w5QEpf8=0?a8?y>)C}Uz`
zGJ-U10+J;&el<0<u|aiLS3U^6f+0)N@>0I7QHlZ^=)RO}USrjkks6`nPhx@o15p+z
z2fTpsbr*m&EZ}v-1HqT{wTHpId|NBSu8zw{TQpa<kpunW4{L42Y2dK^BK8eN#9dgu
zD&eI#X@E96)^h>lSNab`00K*jUD@=Q3UMZ~+Pr*2vx#YuC|yzaFoHLV;+*&dxXxmi
za54zkBbvW*``Uk&1>9@t-F8KAu7C;!+I+W{I~{nzjqz$~Pa?$J!`{NI3;5DH;S>VW
zGkA<vI6fb5NJEHea)%Q7cQ!6ccb!1v=Hm^|k#kxe$--n1^gyT$=`lzpI$j6_)C>$?
z>%A)Zdq~?3!$PhCyrn}qKGYv=Xv91z0Lu&lBKJ&8a&;Z#u9JjOa${5TS;O=@Y&TJO
zlU&uC$XL2q%G|GCzfuU;UlluAVT2=QzhQbOdGZ1sXsm)Wl7zm~m$;jJ8>A#8e&7QE
zXg6eV0(r|-h)lC4Ay_PhWSo7rd-)ffBZM4Lw{@v`-(z^}3`+XkqvD{a|2DZ6Oaj!d
z5#4G0Vqp1ShI*N$%9kg3kEtfKrLu`2q-_DdJAzaM)e;!>0B|S>YV9wy!{<e?pHSa&
z)m;M-ikWB`x)u=gM|<!9P8(I@HU1@I`Ec%2D9q=30iiD=u!O)-A}<J;Amp}|{Ut>u
zT>DY7*H^%>sugOqgmXm8f|$`|#SD?rw_-pIC!(ef1uqHfs@+fxxjmqb$u`|F?5zg(
z*GEa=Z~^5aN>`tzRQf8>47`;_qbIt>=@z`dUBjMQYR03XzlMl=J1IizYweZwiXXy;
z3{Rytc|Cs%J|5)1%SwygXIqtM{WLO1-Le$U6#%;ztMFH5!}87=IKK~^M@&;)9jT{>
z;B<mJ*rcdB$(_pkk0-39KJ}QrFQ6{f_rec+QXP}<Vyak!eypUGB)-1qHwp#NFWPVP
z3~r1bQ=vbvY01xXJ$;!@Mar<S>B7;Z{C!ZjwKLPSKQ2?k%Zs~O7YAq8g{9-Yt@(>3
zGm$Ge-MYJ6OMRKsfnQ0aK2Nejc?U67^75}H*D^^QIkJ)FYTbg>YU#;g=17UHCPhPL
z9qCfo?#Jnq=c+G-z^>+AX>8EJJJX{dBSbH{jA*;#YyV=620Q%n_!VMfJ+~9RDQ?<t
zyp~0-m81Ag4)IWZM=|M*@N51s@lQY^SloH)uw-5~_jFqGd)?vOn?$`;<eL{Zkug5q
z+<gWcW0lzD&oE|kBE>LKaDv~mN--`(NFrU)9<i=rqxrmxX~RRU(*x%@2=>~#4Kpa_
zetbLXMPfcK*8cG;uwaKBxDPx}r!76b8mXoeCz|#Dl$;B_f6#t{Dk&z2Mtt<a`}Vib
zPpYq;4<z508rBJY%alIqx>-yhE4&!8=RwI5pE~p7$Fo$%8?Z47kjcU20b6Uo@R>M_
ziuWR_#zh#!h-_{xDtvAT`-_S%Jo)|LWNld-0~M1^cQ})W)8Ch_hlKA@5kCz$$l0jp
z!&hVu-Ip~et1<`Y_88wBp5A9v6CK4-CaC|fXNnS+FOT+Fa{4}W64V~_Ttn;Jm%%||
z@=FCfFY8eX2`8knOiHy4FJSL<Z{5BfuFd#3?=dC{BGP!*8w)-xbrQHw2d4*03_8%a
zP|f+w$1{^1$IcGYuri+;3f$b7J?W<CF{UQBd&}<B`+T4Ye1b2V%;OvLH_v!ly*frc
z;;}08INlR0+n8ZBrTfpZUk6rgozSeJ_YJX=UAD6`x0?xUnwT;&9pf}ykdvhU4VAYV
zctbDzU_pAm8kI+FnIjIx7e&)(x1Y436tC>Bu0|n?aQu-va<5(X1#8A>@i`B6wbtrH
z?xEoQwg32I@-9|1%5>k*!dCCDajV2in&nQ`yeSW*m-NcYXaDkYECTa{xzG}JqqDUw
zgHNxn*t@!JzW)68h?Qi6Rd0LkLvB&FQ-O`CF4KnXKHC((=l<kW`0TySM|$4y_xb!y
z|0)`Id-kr)z8SqM%S-37gSj*4W+I}_Hj6g-;pkp}umbZx&zd{XREPVH?e(Y@n~<cx
zXC-CJF_K{~>|%INkA<xzCf1B~>s@<i+xDyPRN3W5i&7bj_3hfKHpm_37F?{4Bq9>^
zy^~{NkpuZd<!>weiN>JsaHP&Xn{t8-_6QA^*YyQ=5v0(j<?j?B=&SGA-w&{R(0yrJ
zDyzES)2SKWo`hF9L5bN(#EtwrfKb!6d4Pm1uS@dK7xeR0qjgn%L6L>?kG6FTjsy<Q
z0zW|@mNUhIDmD%|dD_uEe_H*5uUju>!G_%pqZ6f4R^BDPhWIfdvePv`BBQy;6sEB8
zV`|G(Ei+lQL4M>e#bjp?f$NhXG~ab{lOi+^W{-%24}cb)u=t)mXT}W<QbKn!1e|76
zNnY#FiM(}BNn7EpCmd{ifYFs7_fhqBJhQ=?64#92_o;uy*eC9u8tIFypIZ*oO6lSX
z|KXk`1J&xP65a9(Np2d4hyz?_7on3RM-p+G+a1()Y#(3WvukZ_#S)<_dZG09=E(fT
zRu}z_PjXwhMU_J7>@+8N6oUGNS<mKe@E7dlQ4!~&yJtdwS&erl)al8HeLl^2pJmy6
z(-RHgi`YeO+PFUWk)x*)KQy-zPvxnX^{IgIu$tQ*xtSBDpk2THvrzNB&u3D-M#3b!
zHY}Z5^o-@Ksb~4GbJ)-KTUz{uw-;g`xLV4oL)a|pu|ES{CP~N$t3@H@gR*L%^tGpM
ze^U8uKIY2Bf*RAeDf=xANL`RYkB~(QH|Wzv;y??$qN0L;wu=n19B4^lKo)Ikx@be+
zRC&EY_WDPFp_RGs%#B}u*d>SoHI9{WJ|>0$7&8MfQ4~r^2>V-i!AQ#VPr?Sx*54XC
z0sNjG4~-D4#Sgr*40a9p_}w1gFLnL-#f;dNbYq{ZC9erG!?y_4nOg~^u=kwX!?NjA
zPWAjt`qUYJwq&fV-T#xu4Cf)_8H8<21O<1vX3LTdoWnZjMR4e7($nqPxv7~CObqr}
zON<tq&dx(SSwO&9?-QhIA_0Mc&@z#Njxsny_>bjpG>9-W_BY1MoR*bw&)H~ucmQ}6
zCY?0Hst5@j2`gAwu(TQN=nmLv7wI?Ap&$Z=qTX0~vn^|~qS=Qc7>(kHrUCUdc(u)K
zlQKbALg=KL%_ENSg4b(FT*=somNu_X0?*%I7b}Z+@->R<Q7w%Q8WO`!9t3)CDj!<=
z5uPm#lX4U2wnsQUVJWt4&NlZ_`jXd2+u32>q&9aPLoMKl#s>4Odzlxx4VxyJUi*}d
zXU~N*^bYSl#}&!8vgLD6J7_w$&?o%J;l?sejClOrYthZ0-Z(Yob~7<!%s|;RBrJ@_
z-E%Pi34{cK3yy+(He&%0q&QoOEc7PA><!SNNmdMk*ur|cv7w73F2PK;5sD)S$_|0R
zL%Iz5SmQK+1)fN^zz~$e%}rK!*p<gWLJQA+b|O@D{JXK3k4~P?iIa%KW%L8eNr~5=
zIyq`)9J;0R?ii?jGQGM<2BeC&z>a9GA&d&!fhEZqVU(g%Yzu56&Pqzk&b+xtzkMEN
z9u9#K@N&~L0AvM^1vwo8(7z6-4~Wo!^#-XO?3C~QoFBVMpVMuCFAG|a8e!1=hBOXF
zEx!-VxpSQew-gdj6eo+OA}&Ll5S&cM%yIjCOz{2;yUs1ZI&z=Gs4gaWiP#Lg@XIxG
z)1){C0a?_SmkY{P+cKGK+IOAqa*)fU-Ku*zZO7v(`Pb{9V`1WQ&d-*z8Y%&t{1llM
zEG)V+^|^Q)-;UOul1BeyB{~8+fe^rA(L_W<q|>Pb3IrNh(A|OU*n_$$^lox$YsU;c
z0Q><xy=K68(7%-SgL7Jp4{b*1ulOdYzG+{>Db}tgfSx7Ufqs=WrMn0nwBTF3*Y{o4
zhA6F}lmPG(=#{yC>J+nOA2lm}FmG%S$to&3dA%53O7=R5tu?es3$?3@2LtS^PE*##
z4{O54q4`DGX21aj-)xl-8277~E_6jg;etNYE?$N50~i1lkjOeJ-`RLTfdVpf$K@8_
z?EqPsX*j)szI%4Z9oXPAV}U_IfG0epo(5=89`=DAke8uRi+^Ms>GNL=+E|Yau-?>w
zR6$45qCK(b(}uF%g<?(74N?!Bc(}O8!g2oWWfx;dSkFC1JvB*N_M-wj?-M^BoliwI
ztDjfxe6<xm7(v&E|CXH;VC1uPTalQ=s+<P)*$+c9*XaGRoM&FV$cg2?SgxG&!;-i0
zcwhVQ_}FdrdF&BFv_>_9ozk|cGwY$see<TJuP<_(45Da|yMo~Tv&kL!`j<R_L_?Uu
zA^g$yR66gmWvQ~hwKW@m=p$%afytnxdZNSdUswQ2N?bg=g&2YL+IT3e@`v1HWW+*6
zB_}^EJ$;wy4bvpk1ilsvK=1K9O2G55v~y=`x@kJ=fibkt79$j(OUD#z2&WmPMe-Pi
z8h`%$c_v~SbQHmmz{-}U<W>xEpkP81BPS;jh)qJ#EK2^(gu{=6u7saYZpA}_fXxNm
z6-}CH4bT>aoE~Y#^a2c~qUHhAKauR3j;@zh0ge&0*2f2{c-OtS92aD5p{GNveiTm&
z)&csYcdwHqE3H?V!E7&heUz42{1=lu(53@4p7jG57z8D}|3GNe3O+%j5*Zp1+X%J;
z^i~;SJFk+w<g^~)tV4{QtD$Wyh`=%3y!pcwU*@ydC+;0Ke?o853Ku2Ujf0aHB-r#P
zU%JIr$K;|B%a>a;C92mB9k}ER9zNX9tOxr{`A)@Y;CtZjgl|eoZ4&I)lLu;ikzm_c
z2mx1IE_~`T2hcM!PFErS2kef22<#8De4p*cPIjmDO_}PAen^`=*lL9l<Waxj+mZm1
z!grb`=9Q9HP*Bdw2ju~j0ixM=-~iQ3PQV@!heF+>)8q~|svJ_NSeql`H@Uf-D2lxA
z+egT^c#360cWr_Xg>8)d5k(=E*+=1%24zo5=#sdlS!b>{wi{D+JdHpLj2d_L^zd4A
zW%z(oaBEuUoB!3#iAPFL--j}QoUO(N$|BZyOU3cL*4;;^rQ-y2A{PDokn`z;9hCu<
zhVxqV=Na$PcSUDqsZdcyCxw-~(O~1F^f$Df3_V&-vayPA(B|_#waSBkq_}nKR(E?#
zhK#F^Sf<@Kz$n==r%1|u_FARh<E1&-paMeQ_RrRerRzu{^Ddd|I~I^64jUJ+UDFEg
zxLYSRUqPwpjhoo2!#)H|1Ve)-I>Uj2LiD_W^Mos{^JhDnpn>qn*FTPUd4>k(r}b@R
zM%s3gh=^?m`VK?v0RX|^_-!C0iHE@F)JmXOufbB?b7%<PL?M*wPw65b^m^cQM8n{b
z4;;d+eKj<NWl%|gp{PY#rlsk+;?Uc2EN2<5B+!H;8-=o6qSC&|{hzY*Qg@lK@(T$R
zw0I$x_IGOSeV=y6^wr=z*YfskD`=R(DFwJRr@J+{F=)lhDl1pj>3cy<0NbaWTUkL~
z9#xS>4TE*~f<A?kW1*^mOTH=q4cDxC)=*InptZdjJ%!#D6u1tmC9XC@PXhxLOh9Yt
zq>VD$dYG+(K+vF(X+Mb|RbtwYj8VSQ*MRo4*}ungus(`~(m*@jIEVS7#TbM>*nPFv
zo_&CNkMX}vcvno|OZ1JmQA9g1RS8e;`3R}xX|0=!K!64upa5VWGk}qRLI(;ZmKh16
zhTWOs^Z+v`+DBC0z#5?>VAggg^$jn;p{S8pk-wBi2>s)BO*SfypXs2ctdmEju=Z+#
zU4*W0q33elK2*`GZ%4qbLj~Enk6Jmbk8q_Hb2A*o%<4^YS^*X0WQWibk{S;Dy1l^H
zVw2iKFK^`_2zw%_vt_8C9+rP4rr^Z0;5*^>BfxW93&twOKO85?x)4#ioOy)jzOraf
z8;MQ}yi{_br`~qvm+tzjzJY<Ci8(mHXNWgFuNCuX-9y|MyvZR*-$nxzf8gB%r#I@_
zt&JVr)!v5CZbCt0iyq3bI?q(&<pTlg4CLb%fWm-c1^8|WNl6TVrq+C@g#M3o>KttL
zMX)Xe^kUr&gfJyR9I5QCIj6KTT^P;H7K4%!mvOs>SIIb4wCs0F>MEX1AZT|NFGH*K
zww|_^_3MP&TVGy<g`Lan16wF9CFR%Y@zY_xJ$d(2Mi&IVmFU|jf5#TUm*`-+01Tfg
zlM80XVwUQBa|cuej9)?qn5T-X_je>DiQ3PgKqs=Ns%-HPvV7Oquy6<2F>B$UZ<qLo
zVi86Y?ys-f<Ce*1s~}i9=ygIZ(Bp1%BPD=8;G80w#$$a@`)gVL1?6wp<L{OpS&Kc1
zXgg9fu<TGg1U$P;1Wj4WI!~~!OzT)`{xN>4#E?&`3@*k;oIT&HI#S23HG8#3k+Xib
zC|@z#+ke9T<OKa|uRVq3CT#cM>~DA{=SOm=AM@cRihUE0&OtDeNm!iB`aXw_>q^kq
z;`8>-_CfwweZ{9T;Z)~g_72p1Q$2sHT#KgYz5}9_P)Fsph)qd(b^a2WM3I`)IArC}
z`7A1yvtVOqFCOGu*9x{S1e^sfAt54F3-yEu8bLqkXL|nX;b-DLS$`R;RAn<+dj)PG
zh+V>m2bWR(+ufGg!)*M`yLZ*Bl(jI-5+wn0lK=$muKN05eTrZmPh|*%VG${yt00U7
zx5BOM_&Hi<3PG!f^dLyhgKXob;jBX~EUBY9hW8vj8Q0y|p+y8gfwD;6a|b{PqR0tN
z^ZQ0d*S=fw!h<6qv-8uMa3DW-cD{g{tHJ_JEr<}Gx||S-9im`&nZ(IC^a7yCt5#6?
zqo;_g>T(YV!k{K@eR5<rq*$uz&8T=BaT9c~@ml-W<s7G}*zNCaV@*DED8JAlZ&kA)
z6`4SJDR2;9_sZV_>n3N@=|1(<6+!_mWs%k9yRKeWd-)Dq<%V(ZcZ{51r4y*9KA%sl
z4gOj<{{rWDildbKy4%*2%|RLT84UrU18p~HdHIX*_!L1cKrux?(5c77FQq3uXr08Z
zF<&W3o0*w8mJ7nnP8162h7c;i=Rq<#*ro9+@1(EILJPVaTOTwZ>-xT?{{=|&Rq{fJ
ziL3!EfFcw3Z$r|Wwc(N`+F+w->1&dno+9eBKa^D-J~Z4(OJx;>$XNF!9IJ`o$8Rc8
zz965ZOLKuC0Upr-6hO)^gVJkFB`a(mTk&LbaryT5M-Lbvi-dW!9`nOwm@j;fm#m&Y
zuT|<)COZz-fRGYqv0+Kn4Wq!lj7uF?pZqyGj?um#|L#wZhQ+tZMh+4ryI$yp3OV-f
zF1CS<86y_0`ytx<axcFquK9?1cngM59N)pG<e=>S(cfi80C@+i?da%OQ%Ps@$vcmm
zi;EcW6b5gpv{fs3!FifA$P5AKdS+|Oj)=UD;KuP(^zC^n(6TL3>xzFhsL%T0w!;T*
z6d}D>*y-^>YWL@gjx0%kRFb|pAoi|8-@;R@Ny%&65=4GcTJqs3p%CwOnJC>iUVrAf
zobFb`adYht%%H=D@-M)Gv<c%rC9Dm0=naE5Y&E**29#FG)T`8*a*KeRh3dNStm?W|
zUq(=TPnftqr<j<+h<lIMP_}B`%;KVH)dD-D$TyHgg#H$K=+5}HEVpX*hybE4KI;(_
z3M_}(blUlI=dQvE8<kN&n~i_`{@?b5F_49HRHJmSHx}(qTVx2k^)8)`@M}RcH&EiL
zFSJXvimGY|7GWJAn?Qi-{5>Lcgy1&-OU`?|6xcCu2#`ah%npG%WD@WNju3d>)~{kG
zJ2W6N{D)IFB??CK|As`C<Yj<W*ZdCA<;x~N-@@2zztoph<m4Tn`o!AlngFw9Y%d0{
z0ohA;hK#~;|CE!ItopOuYF1R%98<g#!iftp<>lp-cz`i8mJ?6!##6Wd(Ls;mV!BLL
zYQd#6-MZ0}fu6zh@$6Xr%}$lV_mdT|!80c6J%6d~Ka~W7aG_@Lbf3#L{GJ-5Pg6dB
zyi(isDlCXmNpTNMkKyXH0gSlUhLC^&yI<8Z4scFe3Zv4Cf6Cpqc9g#VnCk#;(%lzC
zmx;+rZ(e()O%M?J?e(WOdCha@ON-9-+3ITgorymw<lLK_cgU+)d2amDd5<Qcd`xZE
zmqpfqJWfp-mrXG1J<pYg%?fw5h*<h#rs+p1Q_a3HHM~8n*DtA$OSUs><bD=ow$yoW
z%yK-Ke}z(69LlQz@q)t=1UPiM=PTI&;Ov6f`Rm%=h;^0kT3QF42VP`HPVd5iDl|;|
zzFHJk69Nh&-;Mf9q<egxYbDF_51<zR($;fpvaL=PKba*&t)BX}SKzlBaF)XGw`Mod
z0v+m(_V)Y>ziWr{0s{j_He9>S%Bj>_NWuU>bSaO%a?9m=<AWL3I!(Ya(?tfu7-6wo
zn+pumR?$>(QYYuUJl<maVu%V=IXno!wFSD0@1K%~{udG^{OQ+3wb;n;u(7cHB~KTv
zq3%<zNUL=~9=Z4Mz9$SAB;BUX>@hP2Xu#gtD`#N&2+$C)kzE3II3gK5V$BCMm`~92
zz_NUSV8KC>f7F_ZpI^Ob6b-%l`-45_rti6^s>TR;^}K(W^L=Bes3T9YuV8qsOoI&+
z20}r=8`|BaT17NM&ay>VLI~Pm57XvbuH2rU0D96E!fAT}8cW@8@Qv1d)UI{u5Li7O
zq8Jnk29pO$5;u)j197w8OgF76d2?KlM}nR2^RWKgr@{8w_sg;0h;s}|?_ikkIE%=d
zPYTxWMbz)QWxox|mvfVhoHE?w5);cP(yqP(><Q=)BB&%tZddpGeooSOGE&5^y#=}D
z4^UFr(=z%T#jsi#GHOkrwPp_qFVs!aK@Az^?`qV!-iD`vr2&Lwfu0Q962JtV6c@y`
z<+RRjr#5m!KG~pGB3NW@e4Lz;l0T$b$Z_+X>2hy608bo%B^VnO)jWN+&kqv-<e@?U
zj%&3ta?-ZL<W69kdqLf#Js`qjpa;nfNnO)giOSK8v(TU;`<`yj&E-zB@*SxC<#+8p
zZ<sCvLcqKu`g1RksPzPF*5HMGKN+={l|y?sPx(zP;A0e-kiHSpEZd^eDj5b<@dDfV
zrBpj;+y+Af7@C4__un-VmwZ`)n9-bsnz~DYqX9uk-3=yqQqmf4{6T|FRp=fr@w56O
z6R2@dfy#Bo&}P7)+>eG6QjWgOU(fUN?^=q_aAZDz=9+oXMY^n2V=l!*H*>yzadA;;
zOc}5Y<lAKA<ON-@O!dCQMr9Ua9oBp}BJYZ!P3D17qE|wQ=I}V!+{4r>A6>7Wu;6))
zQPQ<|(Onrr=I89l;tpxDCHT%m8BT3{SX6AW2BgEM9gD<nj`y#cPkPtyepB!s2f6(N
z(4gm-0jaeT{qeCi%ciO?4ogc*N0r0RZ^xOsM3&UoPgvba#yom&tz9yVvn%s5viA7O
zwHTVy+4@BDgJ;J@0yEWV@SA6@`VD>fZ^FUd*cad9(ymXcY@&yJYM6R7lQfj<_Rq6x
zqwA-Ezn4nsI?bF$BK4IsH$_1cJLgzSPjB-!3yVtAI4fan=R!|!?@&G8EqLyxEmoWO
zty37$3r}!TrSCEBQX;x)YYx)pDW{LCcD^Za{JyPT%(%)<Se<z>vFpt<-JvKyKg_+O
zTf)NQC4}<y@m9^CWfWCXQdvb^=<|iwV$v!fCO$j|B=X<}3?3-?Wc0L@@QaJ><eKvB
zO8wxmQ^4XpIVjjW3K~!o+z+zN8EzaZnsiI-TCCJy!&qjBqfqZn976Z?_Nt8!ZvKMV
z9j8Y6&o=yNn~0<;Zpf)zbRfp%m%Pc(dM~#i-NfqRVyNe2fKKW4<kyYo-Z(N8iHN6h
z?0z{fJ$dQ&jTdUiejhf4icInyJuCZS9XD6$%B9dFd0y7p*ID8NtV=JM<$Qf#JPunk
z497ekMZhbWcm0_^ZKmT%CCAa4aIpNbz1=z7uVWQwt_pstA^oy`s<>a%uKjkJgMRE3
zw|Q^H*gVWnwek8)j=w0x9G9EcPp14$iNsk7mzdJzl{(l0V&=4)kJfU&dlYK7wi<9o
zB_ss(m;upg%3!MgSxVmnMa4q5W3tdd0Hs77=P1sry4@OvLvK{6RW@o3@utQvG)y(X
z(=g+t`2N&yRareXEv*op4r9@0?F9g3;Gr>4hX}v;%EdB0E#|m=`^g`1Ferf8#Ar;3
z2aJ#@U>7hR@$mwMPZ)*yR#layBeyb=;cgJm^Cl!8Cz6t`RZbVGbRm~!6y5v&Xl3uH
z^qt!k_@^;$SZ{`a5P`}y#@fkE-=kOAs;i=ACMHqQ(b=PBKfb+@B#nbP-cHl<;cfOL
zp7OU9QR&KcRUlQ7U0SMAPPPbYoOh?ld3^3{!c-De7zNk0+<oPDv4|X}Bl;vEwZ|;%
zzH#$Ul_zRynEgPo%(C&jVH1eNY5_#oR0YzN3)NUb{GmpN9l*%cUK_0Nv=uTjS(jmb
zqrr+01p7yd9fjO{^!EF>D;R?Mlb>A^UI&wwAHM!@p0gK#siM&Je=24NcCJRJIO}C0
zOg^m|CDAERE5h{b<i2fNO&#3Y0$DjPX`Ic*;m$lm^=(#GMkq)ExABva;aJ5}z$8j2
ziM-3r<q?v+3Ga_Q8@WFKPFy!9UIH6MSXj7l^cnm^Na%~}Eb#Esxd6GRA;1Adtg`=w
zFGyS7UZ4h$w1cLsYK5qoNS_nq{(xziIEqx^!0}prjdq19BTT*lUHs7+2jhNMucO@-
z+v-PZYWJ<J3#V)01O!w*FwHe|q6DZq7<$<8rj}u3{P4rrSm2`(YHYdIQBM+@E|_?A
zm{*TunC#~MXBl4y{<^F3un8cB^?G*Y)v&Q&9bb>tVj&+SLC|Rl)mR&@{EpkA4q^Pd
z3O{eifa90nb?MS2jMbvq>_QmMpd_EdYXY(o65F*eFW!hg`odaruJCxqpAa(v9OT}}
z8q++~_H)sZpxuwvBIAgiqqtEE(i}Z|0KS0@m~|E!1(CxnUH)=7=5o9&P{AaWc=#}S
z=?LDmnIBXA?>YSU3vu#wWSy^F0|rG*YU(ARFUO>~=lA?@zT<V|jDnf0H!JmI3=JX5
zV79>T96MGa(X^}Ix$i{pX9-6VrI^H-J>?1!2A1cAfm#URF-a;TMfWLCgyJXm5+1>=
z*%8;CTqYw!jz?;bw~N?aE`U3P-DiYlwfw0L&pP-p6nF(lJJ1(Ect@2^b(8o^PpL`h
z=_6r~(V`<bGRo3Z5Msgv!AU}%r{aIl#J^uc5*Q!VBbP=)Q&aP?ni`NcU;^?rrr4Ko
zV=)?|J-@Kj0#KxK|N2Q1MS<v|6(>N=_~9G_3hl@y2MuRlhn@U+Lt{(c!*>v@!FZSX
z9TmVGaq@0_j%I|I1&{Jh0Ic&oJbtpGq*c6$iAgCGnwgYRax*v(7r$Z2GUfRTp(H?k
z!5q3v$WMUhG%O$OU)!tyy_D)}w_DI-1`P{jjsg6jH0ZPOrG|@n9Yw)37*5Qez*fXD
z=#06s+T^eF6-53^;KlqP2!oCXX!9scHr}bUzCN@A*ATHEe}6grjEjUm#5Mr$x=c=P
zT&4kdQjH=txWP!z&!`L-ChLh=k5)ycP6z64#qqHxDmcZNJ-V4gaaSqn=7w6a&W~yl
ze*Q#Q9Vq9OX%#^X1Gjz@hHWfCu*nVS<hzQB?^~X<BJP}7ji&EmxRZkbjRqT8B|Su>
z@P8=2<wtx83lBF1a1BD+sUC-yfort`nvTD|%FsKk6;)$ygREx$xU#G)l7*oP2EV|J
z1F{NwZ2uP^ECmOypdFFlg0i_OxWRDcX4uUCd_-IZt>E5q`71Ae{rZKGB<yBuwXPhJ
zdAVT&b;aCjTO(+o&dJ$-!=-Nnr`cmVBw;g!==DoTb|AD|SX#oSy{V}U${f%}O6oBK
zU5Sy4qL-yAu#1`|vrj}5n|@0LxZTcI*ioY2oMaJqC6=;??fVPQ4OwDfM9j+nS!(2W
zMfXYK{;$813Q=SH7k>WFZ<Q|i(LY3s{J69|97%@3jK=_D>X%=9^FLqn^+S_$Z~pK1
zcs+>tyZ`a=k%jnb`S*JM@AtOg{cDr|_qSG1{dFJz`&G5V|Jum^{i^>zK1}rg*JC<c
ztP#NH(`LPW+Z2jyNS(;@c%$0$=#yci$jKFeeBr-)kZ!rQ$(w3B>0$r0$s3Pym%Ete
zC-;%QD`ldtE2X-w%N54^VHRtfy1UnVulH*Cw<WhF|M#Oydt8N;ZF`^!8)!Au&}vmu
zvecHx?R+@;ByG!fMln)B(&vVb7j4+uC0&my7xmP>(E%DU&4`>i?Gdjy_IC<DoL2<~
z^*5Q{YOC8eEhbJl92X(GknMl+%z}W#oW#6H@@2W-u)5RSF6C<+`82t-zkC08nWXv9
z#*6`nosfkrh%}`sZPnj<OeosM?BsYvf7SJ|wp-EOZsems)vNl1z5_C1izS&S{=?qK
z9{HlvQSPzH_YO>BqN4hlCawFf_eKd=otICu(QDe&ci>AVB{BE?e}Bq*B^4EMzX`>a
zcZPgslw{|-xBlQ95m>I--b=txcX;0Xg!A`-ig!}aarO4u?)dL&uKB|?m?;XiyIGr)
zHo3GwiMhf~%sDov_%=;l67&CaQiwV7i-fNR5Z!(QBqM#(iPk=)`NQ|M9Pj9Lx{`CJ
zJ9|!oc4?)1!pj9?PuV@{+I~6>2-yDF+d72QV64`hSZ=N``g-rjYYs!Q|LbMt?n9Wu
zF5hLt5gmWZGRXKy;J7(8?FSWBuz1kVk{J`h$KE*1UuG8$RCaW=-Ku}@HC{Gif05yp
zEknQJMY)Tn2|9t?kHChSR>(={ha0C@c=ewh^7U4k?ZceVQnAuf)8nZKS=f_G?3dgx
zx&Ql=hlKt;%;fQ)V)<>e3J9UE1ou)+w<j6gf87*N!8|SY^)4eaMzu=R7+v38U9KDT
zD$6@;Ppo-=`2Vo=)nQSs-@l-OC?X~u#{d+N?zTXrR5}Ml>6DHEEIL$5x}>C~yFnTx
zh8nuNJMP-Y?=S9s?(=y5IK(is_q*SBt<U-diEPREn8ey~s73k>cfXHm=5EFe5AD#k
zLkkp-xAP8DWs7|1_KDX6mIYOJ7hJpHa0n6gC!n+3VZEmR;Acrm_*N+=C`FN#^FP;@
zloWa3Sirbv`mRi=A8SR{l!6D%+AKetN!jYmcDlslQU`R-oK^A8hCB`58t&5QMdM9v
zxSxM6U4M0pvE;;bXGNlZ^`s`c@Z@(#R>bcDJB;PPTT&g4AGp`_^PffLf8W@6M~}R8
zGt>U9lG3^`lK*`<Y^7jN^7N?z`whwOTw#H;tQK*r+C}S_iirI<+0$M5E=}Sj!wQLQ
z)q7aHA+67*t{;P>$%HdbX6@#Dof-laDo;6TGpU<IN6_a3n|cJ$0XWz6Z++u4zJ`iC
z{t!4@eocS-E8q41{=f!>$W~;q3xl3|^BLBuN3&$lim<%X<GhI#hB$K0s}a}M_PPpI
z^jZv_n-*M-8vl82G{KrQz3FoX)3_2-onPv1YB29G5&E^{^RVU_yAdQJzRgbh>hlTd
ziFEFBez_e5s9_uWhZBHT{^t;wV0eOjNZUmSXd4SrH8jEg!ZSaOtBBZZm$8_?+1ZVA
zaKg5y<~dJ@#?P~{Qx~`D)$^e|OI(gCIQrp(#Q3kcwbSSine5duR?Bx~pGpM2Ygt|z
zEe`}G3D0WIQvxqe*nHljA~i*B_@6MfyD<L$|9mnmf#lOIssL8i=Ka86i{5iZdan(5
zGg*1sG$Txx9<VXujW}P7E+w21T9vB98!tb=X9)`Z`bFsTv0!00<V(@hyqNmJm-cib
zy<S0CIdC_5c8{35J=4S3?2~ce-S!***Sexc*41Dz6hrTJkDT~rmCHD3LQ71lxe|HQ
zJ=(t<&}L7{jLIClq86mu@hsm>n9t3L)NPfz)P@u)@t)@7;d<p>k&NVSI?YtA9d;sl
zr@>&U#QJyTc+v~nWP0C;Uge+I_cv!6wwH|>d(%tKqHrqa+<0u=*&FM#BAwhWJl|DL
zTfUXEHE%^H>{Ne^`ett*mK0V(-P33P-jBE+KR!7S=I%}WE{qI2_+tL)D}juzajsts
zF8X|R+5p?S?6U)z&ZI_jhsbi)Q-A42UFHt-ul<0y;AfHC@9R{52k|ipZV)NT(|#~E
zGgxHFr~S_r(7DgT0uF*Pxo4d^S7#wu(`apC8hSnjjQxDPV9S_nqIF-C$31ER%^Qsg
z@ty)yZTm*lx?B21)?&A#vi2U7WPThvus~Li<<+k-Vi#`R9)v=)$~4vPn{&%05%zHY
z&9T!0wLkYP#q7#<{nnhyzW0b492O?QtYwryBnF*0b3iPwd-fa7ukQci0u&?*iAejI
zrq-?{_vl6JF`-NgDqB4`85Yf5J5b{Z+}Za<?MqV(gytR6HF6>W9-3LTBQ$Q|E4?Qf
zY4~cwWCOPCI)kKzYVL25CKvy6BVt94x8xDo`+i?o*`W;{>1zSYgI4l(1;v+&iuJ|0
zvni>WJHkdRFEp**Z^EO!qQO1e9-XiNKN2JQakuWYYr2KbdB4y8WCzuezpaBDU=z1*
z!@2pSP5=~q$^jHo>s_3Y4sSl1pOZ#!H-vY2q~@4J*x+4Pc74B6d^{ID)KS-qViO&?
z!WG6hzF|g{&ezyE67`I#Q#04E^rtvhYq@dn1gpj>d7)y^Bq04`G#cGa<Ffm7tpLs9
zF?vesyhh=?;j(7Sj_$&4sk=C>K5iQwCFu#VwCyrBi9|bFHmWM_lwQ+sll=Qc*K{yt
zl_6#*r%ro9$u7GWHT8!jvZS1>;*#*owAT7gowIfuC2agc!DsO0_=!6_^WXKO9g=J=
z|GNi~3WrT7LL-WJc$i6*60Ux-X1uOnxKM$TUg&@~`n~9Y&^sXVRVXPfe|`BX_2fR~
zVXpR%_oO=|y*7m66l~UBGX;gjxu$(Lh4@OcMy)7+WiH+A*3}K)=A*bFYg+KV!eTc@
z=PCZtNoAaCq+V_}CULzZ8Bs)2L*7Nj^udVqAV<3k2gOZ&64W*LP@iDuBDjhR=+s~d
z;UiD+=W=r9i!59|;JJ#}0Y*Dbn=2$Te|jl@>*pPd{!r5=n3Uz{G<TiQ+L#CW`^&Vn
zvn7j}lTiJe_f-%g_b*ujdAd9|BOk;pNzjZtAIK{Z8z1}7Y>tuHQVC{+X{Sd8r9VKc
zunsG7-+)i)ubUiZ;ZT^p<FGfyU&WhY!spedch$(WAV%|Sq3U?$%ICuqeC+mnQvvIl
zR+-JcwxiEf7S8>U8XaHYpBoctF|pLg?8Vu|C)x!Y{S)^<hQ%;FH7LBRfil<B)>3<z
zCN#PmpPM}Ph-mJ}LwX@T-gAY_kA*Q@R$#6#@obbeX-a0F<%+W(Yp81DK1GoO*O9<H
zmz>D{U4-4AY^+fukL=}VkdwocjkT=Ew{bIiR(j@n(Uv#Qd@U@uY*+Fl{6M8|@0?G~
z(wR1elgDzOx4jJ6Ccn{rA$B`3@FHw_F8Gn6#7$QDLw?ctqck5BRkinh^a8`#3oVvv
zF)GKE#$h&x84obC^q!yi4ka&gw@Y`Al|H_vA8+aM+LHd0rx0n&Gv-?^7g-9vc3h{I
z)^0a<ZD~2(qtp<-TGAla7BJ9onOZQ`$A8AUUQ!6<`naB*ch)s!YRF$=uA4Lb;YUYp
zU%xor#(V8Cm1BjbtS`{GE`sD{j@C?wWhh3&O6E73iJAGXuy7PeHAz^tsIpzU;-7*x
zbZ;l|>n%VyY9S<$CjzjBJ21M0F3lU{s?VO`h$VNYE>a@R9@Y#qtgKEr%NH*Hw`qYE
z=38)Z@7%IMInURh!rS>G5K5B|?f=PEvZy6g+`NbTW~{Sfd&X%Ur40shXj8d=uQ3^j
z2}hew0vPz;?wgMieCN56Zu<tUCA~mg)m_?xi#oHpz8?BbBwhL0h2}b3Y#0q?0zKc5
z@2iOA`7kyMG7a=c+tT}+I`h)~g*P*0{+PUSsHHlwlGJ)K(iwnUTtbHS=;#ZF1y%Wh
zToKPAy<%N%BUhL?O2B4fxY){iWjO3#bj$A3m0K@H3Q2uH!wJa+9WQJTFBRMn!mo57
zv3@xhA3xWh$T?c%zc%kw%6A}1US49uu;Z=5QaN>vMT2dvX?Ap@a`Cc-<S60rafHq#
zivFnF-V@$~4&~aLq1C--J77w1P3glsgkiNbQm$@w46ax`r=#G*DW4?0u3iajPaJxg
zKPT<*-kgyvP8dKBL!)Afy?N`&Cr=}!fjK8;Xn3FV&nd0`YO|>w?`GRaT|O1dcJr;t
z^Ad8L6|Q4kS?(-d_N$cRyZt<i7yE*vrb28`1$u?~_wxs|oNo9B<D1(>-0XX>EkpWa
zI-HWveoVKyrA0j{#;+%Oaw-0rQ6$#rvrR`HoCLzlEV9Y0U-^usNFDz68V2(NxeSmT
zl*P8y8oIWV+nFfXOIqfvu*VW{lIP9-F*AOwQaNX{HlTm4-BIb-=BDfM;%T<d$0%aa
z;ir#YGrBsuhyuapjsT;@MT{)9cAfU#-ef@Sf-+FrAT+iVOOxHcYzweOwhA+j^IG+J
zTvK?a&&T#vv^F=_EN&MpzBG?tmV`O*qv>tOw_9%rzd)}S-*ybm`!LrwiNLT)oIqbs
z68hyg-{zn+B1x*wsJL=L_B=a=${&+k{bXZ}UBMUa6p2b^cg_plzRjPSqG`MlBvC3e
zOg6`fV_TM5Uh!DJ1jYG&dsV!hcIBBj=R-0}TZdAg+#mP5y`DGKQSv5bl-^<a^S8uI
z>41UlUQA`?4@@+7_Bvig)9IZO^N#G3jKU_=S2>uW!(cZVMg-Q&gTY`c)>ZCg2jff!
z$k-%fvp82jRGIMj{PK|dv14}%tvMY7!&#V^9EX^Xl##m$u9jVgBwF6^S8>dNPY@cb
z<@(=G+xEQDXX8Y4b}xk-mIlscrO3%YnOzStt|Euep%|dUA@*M(j19B4R_@iNq3UKt
zo7pBLS65<}(%MK`x6W%P5dG{h$`qmD{i<kQ*87P166!~N*jT)8?ohY0rIO({J|8kt
zoxeAn>kU`|98D)queEPV`z^P*+x1!167hEC8!N{rd_=9<&i?^F4fFA;<eLwTi|6CV
zpy~-<T;K$yC6YEfUg!+ik{jzjFyDM@$E%i4ax}a-YW|q;q_qI*(K&A&1Pqi?xxyhC
z@KOOl6HGL}0^IlIpNt2rtO3BUg{U8aD1QhAXl`yk8U*AEJUEUAfhz;C#H85|qGTHZ
zBkd{BZSZ{=0Px?pkdP#^JDi-|t3{NrcK3m~h&zNhE+lv3ZDrV==C$iAix^W!^zFlD
zrVE<Ohliy)wfMl6O4zZ3PYRIVL4GQBR2!XA9tBWWHYje}tgg2kD;!eYvxMjO5vY4m
z%sr%nG6SdXM3lc<TI46W`uT}@qd#tEm<^|^<lHtWbw9YVun)fcuxH``YaL)_m)U>%
z58uGwb2)y|haoj4N_C<M=KFbg(rpw9K;c?gER~(ADmm!xiFR^VW+CJDxtQSF2(_SD
zgXPK{<Fqn-n*d#Sf8mzbSBxv*O>LJM)PLzKc)VX`-0EQ7Y?-B!Q^RWev3ztfde>sK
z@=-(&;NN+v5Umif>~s>)O`LAJn3)o?Y_oafcMMMj)_hRO4et)orDd$wTiH?Ct_z`d
zx{W#A;Y0glbB0Nc4F+b(ng%I-Q*LS6{r3GE%Fm)Hi%!BR`=d8+fZ3V#TxWr+*=_dr
zy2?-2^py)@_=eUyP7|I_FmGr)fvpu5>s4={Je!p+^Ym4$3xJV3*(LWcF-}c%p%w?y
z+@xi04ae)NOk$%bTHBZ)fgl_61GB+ANf{B@2p*z{wgyNakd%@-I|jo6oMGD`Q=R3G
zWn1v~h^OaekO{8?tuQ3sLOd#do}8p4py0Y3VK6kBh6w@;djV&ztNwVNo$L~<mv7&k
zM;W^R{2}9bLjXcx1VGPMOHEHl%*kAa(2!qECTPnHbOq#>U53C?9#BFM8$SZUTouut
zHmtiI7a+ZMrzx`nKP+LVFfT9q+Ib?CUvDJEDgn6!rrzuQjcKD&F#dtruXw^sVHB{s
zwx#YekvvdCa6<UfvN>2x!aNhPs5dWtPKyK6>2k;I*MOfI(ZX-Ra0jqoU{A@x&%-xv
zGqvn~tZOI}w+Rjj`S$%gGS8(Ttme`?B_v@UgBiraI^!(WivVbb`jBM_@G(s2R=3-J
z{{|lmjxnk}|BoOs)XrB^EqCMwd%lZ@&eJn9;1x)+WLsL&HkdcU0Dve^(sj8gdaV#c
zbpTYu1Z)@qLM2X79=cLE)CLy>E(d_59N?4y{w*Ldz6`=srQ|hcs1Dw6?B~n-r)6h<
zfx$H3-m8VCZ-eZ?4;QX7+yrDsY-yPzaG>tM3ScHOa&BmVVD9@cWE9<{fL}+#coFax
z9PR*ChxrW-5JRBv$#%R11AdnrDp=}pB*F+q67;Gx0m&obb>q$>+%sjo(?!7@?9*1X
zFA5Qde3+vE3w%3z_r*x%ZNB2#+n)^Ntz2ALXOl*VUsk(T4-9I-_yG#gg0_+mPNRYi
zgih$D->~|HTy<TM-7`9)QHAY~TbvXZ-e^?Ua61$oP-E17OgJp)I7hdaB+h(rR)h29
zA$Q3-CVK;SnesqWcaG-J3MuMc)_qWU&Zxz!hL$_8U%AdSQubReaba#6qTJ{&&#frO
z<O%8WxwCBVo{sGLukY<iv0HoTO)RjUnP3SzF7R@nV4jE9Jn;<39SFfY`tlA{SEp+F
zT&TC8b$$lk7uQfFH=3<m7rkwhrLpf&h4gvci%Vy|lA^qQ?*1#&yY;9y?(uo3C6rb@
zB_9BH?^cq8L_C+#3nfg|$zzK})(@k;m&H>bt2$l8z}kS(0kQDb6&z4spLI@P45r+M
z(7*HA0Bh(hufnjXdfeg*AlxH&+nbwjv$D#SJEVgvLY-M5@bMOSf3m{h5IjVXiVjpZ
zuaQV`m_A7H;S9T;9wT|j5p5)2oGAotO~kMqX}uKL2>YP2i+|ez2AW)lFul6Z$XGLP
zjXzvR9E|+t5zOyBz+niU0vI3NftQB^0RBfWcVM-D1?FS0g&r3u!y<>}2Qv~t;D36(
z9~>&*Y!^KCubo`ahM=i!vdqd8NBBt?h`KZiS<OhputvSW<Rxknd5DTNShO7H>0nox
zEi5zJ(2&yIMF|?lQz=7avZKa$ofR8&Z}@9c8_0VBY9?$EFyOijct1I(Gv}FJ7b2ro
zW0)Pf%+d#KCT<Ow6`n5}i9Hrk1xf`B!(hJnoArKr-M~-9v>MqLB47{=gNe!$y|-_H
zax4xUCTJ|QK?Dq%Wsu6B`Q{G8I;gy<;reu<VB8KT)p9=OTXb|g3>uPXvc5&89}h!3
zb__U~{W2e|pr^YR7#MiGgL?V$J@74ngm9P4l!p?GKwcc)TrtkPIa&Q_(*g5+bEJRL
zwiLTS{AR(-3UZ&}1mZCtp}K-mqi{U+9z&+hPa^K$WB#%6h)Yq~*jLX`7jrW>r*)oE
zGPNhz`J~~5*{Y;BVtc;U5%*kqHOhJF#(Adp)a`piiS9-+my4Qt=_bC)aVwv)X`eei
zszg8NuXca>E|RF%ZYE>?BR8g;!@+H|^02~MED97X3#>S(52-tOHLOcE-Mfiri_(l#
zHd`Lz4*C9`y8DStfA)?*yHbT()dlnOWtfqkq~p#F9V6x;J<V!p@%QRGkL=IVCK;Vx
zv#6QILXqnamE2dp*iyX+ZEl;!-Bl9nQqzUop8sO4o)(`YB86-gZW#Bak1vdupY5}m
z!$CQpKRt>+%R6lGIN=}=Dv*}xSIIl_3v!H25+AGGn%-<ky*2~)`*JN>+ZxmDg<dyS
zTzPdRB?uBfCFl%hQa)2L_0SX+<>M^O<hp&2t5f-iTf_#e3J}i!TsDdT>z&a`tXZMJ
ztK1dapsPZ02T;u(pOnLM@mxxZGAi;M@Y=Se4#+OyBds+KlCy#{g5K4v;(eD=0Mk~0
zQjSB)A!ZCmXua;bizNNW>MC#xS;UCz@I)N@KjfDaPv}~WyniRcD1gkg)%ZuE*{g|m
z!PRqPz&s}sVI4jOHyzCCFsNamRqK7JeML*i80M+f)9-Y0RF2v+s<jc<0yrq&!BHB!
z9E8S2#^2$Mn(8UDQZIMWXDVnfQ-K?=cHPf+W)R-~XwcTQIc2ou7&#bW66n0$s|@zH
zsjFQj7iysjgBhD`sj&9BF|Z;%J9q|n89wK65-&H|CHwLb{Ohwssim&dk&Ir3pE(@2
zf!~Gyp%K65G~DA`<fYlo%;I*ZltxoFvU|W}eJ1;1RpKfR92P`0y7yL5S0jCqk_Ab7
zB2gn9KbcN2#RkW&3^+0yY+NO{-z4ue^|Frc^CRwKTos-7IfY^#?e7;|MaV@4W=e}u
zjRQ2H7Hgf#8J&`*UupEu3+t1QFswzgkQr8?lfq%)a2u7L7EcOBSLTSC%h0wySgbhr
zVlheFgv$MzKCOgVq-rj0{q^_%Zs85EwAkVc_I}@AL9dc^jP}RCQL*sMQjD6~WoXD_
zfM?M=TjG5dlOTDqXsbcv-*Ttx8=!vuU@MDw2KDx$fG%|>MFe%08ogL9Rw%m`YNxYR
zbT_l&U_pFYA1IS>LLzPfh&chUvCn=BXliPL-uuPhX}-WOc8z9*?`qwaK*%5|#b%y3
z0XqS>GHt0x{*Ypt-MVaRHCBZy0%<Y8OHY@@OL<z{mGL4e9o$5e#D-p6_W|O`8>lXj
z$*=YND;O~&mY1MUzicdkdH~G6iz-QXnSu4Yyo<`{GKMe2r=&bPF8n6lX_R)Cd4Zlv
zJb)%+pb$#%wrMplHw&$V5@~w*XUhxM+fO8X$-2gNYP|FxJm*knLW;Fy`lX;j2Ph8u
z(i8N#D9-vP@V6^tcO^}Mvp^;67zAPqq{gVEW&89vOiL}T5{BmsPMWEbKeuV{P-no2
z%?f;DD?5D0Ydv`TJphq_p*;9kX9*~pV?R0T;ticbDaakl)TH}1$dNCrxKE*7t!BSW
z5IomA3$C0vn9mg%TM0ygvHB-yxnMVs&VJ1tw3|gBi-1!+>oq<te7a;ylwG%Pt3S@C
z&x$%{yrKQ8q2zl7)xmQou2;sMTYOA=>92A}3=gukZa`R-^~E;#d)+tW0{nEUpPl6;
zTBru#r)al)?7}V&Mmv(OdQfQD=IRyw<bx-AkzwZ>vnTrv+s^4O|9E2x+vj-Z&p22?
z0D!f9YN_?9t!3!IeWG`awWazyjA<JOae{InKfKZUW!ueqQq&rli3i@1XdyFRXv_NJ
z-kl-E)l2H!(S=)HT02Br-CSv>U4ATDLlc(zV&TQgXk`pATC$<~$v2C5UGwRJ8!N=n
zPD$eAC!wUEYP*HCuq(wPQ3bHlY{Im%7{K8$pt0NNjvh3i10^<0a>CmPO9Z~1F9(t;
z85*zNKCn^gotx!pH0}wyYp%O93fED5l~tknS@wYuUY}m!5T&#uV|e%t;)Z!^U>_YH
zz;P}qE4w3D8TU#=F7Mk~+pVC@Y}o$tW#iuYXDBg=Cwv8WoLot-=A??t<7G2nf81{@
zhmH#@WXE<ZxWc5ttLE^yGhQTP{iOVR(~T^+S2~BQijicl`s#L%KP@z%YBLM-F!lZ)
zn$5@ex~go14}Z!t<b8e?kn8G#`ds?cT`+U&lmn2D!q}#S7n;fn?(nt7MpQF&`+$C!
zZ1AXSJhoI?mwD1K5OZpLGda_zm5*|;^t%5)Ht(uKf232AP9EA#eoRQlMP0*o(uL#Q
zd3;(Udar?ZgLmRvptmgr+^{Y+=*WJzwj$l|oVCC<^r$t^cOE6(O*^KFl1<)EJG8iW
zXmlTdGWfR5n<spcvdM#$2<1?0b&vsS>G-EU6gIL?hweEpy6$((ZtQjFhkhxXc&ep&
zDlqE0OXG!!nr2_@Jz_k*=-6OAQG>@SKyAHzPPn8xg0^ayRJ)5d`eG@`8&f2kRhk}(
z@ekeeb(8Do?$QQ-wS^uV!F$E_wi#*@F^dDmR{9^8gX-i#g$JFoeYqCw8M5FM*x7}C
zKnDd@P0gb+Emrsz^fgfb!`5TCF>C46*O&EDeN~i<ZeHC^ZA`l_3l)G_Bswr4LPC?F
z{)>oc87X&KcPs~a$}i{r4RKRe`Uc)^u)=Z*&yCP&X>N`OOSjOLry!sKdMZ@(fD&?5
z>gR_%vu{(EhXxn=qG@PeZrr#5+^#jpa<D9B(jHXldiU>;&IXZrOI&s(|C-?U<jQt$
zxUaXnF?~(r>iNvY-hfqq8pHh)LjzVz+fFNz%`w{KT4(lDQ9=JGvk=qMS^rgl${REl
z6J)n3x+r{eDerK!`@7r>vn2U{u*7conZ9A7w=vHj3BAs*1t7<>4>-w9t*v)~z#q}(
zUakGlUy2FzXh1B39Tc$=vhmJ~xt6#Ru9c+^3?kFvh~Mjnqo*RVdNH0R7+J}wB&XFW
z_f~~#oO+hE=E>he^xjN-lA6b45q7<NX}v=Aw9t%t?h299^YT`Q%PxiKoT>rGUZ8Hd
za<eyY$P4ZOq%Fup`x`C9AL}<@l9ZnA3vJbFE(%KSpP>EJDIDT9-^0j=Gv?zi%5q=)
z0t@gvd&TPE^W&15ni@Apqd0$|S4npij4t+(EX*##ayxSA1hdjAa9im$yijN|FoDrZ
z^H;<2cmvG`k9i1C$F<3xv}V`f>HJ=qlY8>)M)`^^!=0se+HKtpM*f(4*LG=Tg^XW{
z%No_I0KN<848qup%G`*u8@XUGYg-CTUpX;!Rmh7{me)#3A*1?Yx~?}8Oz!k6lmce+
z)Q7|pM2}|&S6}X}mnYm6dOU3{;N{~Z?<xj%F;Z%36n_~xLNoyabU)))7O~ev35=RB
zLXjP%Ap)z_W$O);IFM!?31vs6p>D9D`O}s_1nuiBuW;mMKMk2Gy~;dDoY?n+r1qbb
zBNhvXRhOawccm-k#rdJgUj7Y^{nVzrFow7&Vq8REcQ5G2tD-w&g9_!Aw)~Mjd)zvd
z4FjVWmAkiRdBvS0KQ{~UxqrMldn7LEVzHGsV_p0I0I9x5pX>#FpxiVdvcuYt@<b2?
zHhpTDehrNj=*PYW2iJo+4~TT?U+2K;20tnBh?APi2lsd*0e-M3*5G)(h60r&OkHkE
zgDmNZ&C-~YwWm1g&Ci&{=^DIIf-v(6!H>tQ5)LQza`sgvK7uqEQwBY(_fE8VcZaQr
z0j)NAM@ujL-3?;CKuy|Uz-82jRxtA8r}B5Zul;x%h-NqyS55OXRC2)Yf3na7@CqEE
z<E?I&mMB>U+fr&^va$%e9NAatYlD90_b~_AB>+31eTF;XvIwlX)Gvi+&-u<N85P~1
zRgk>g6ZP{2Kg$E2h&EPBctrMVX-{yfBKfV3P7XapkE&NS_@dg~&{)WF4mZV`@j_Pd
zIfI?9=Q3!&+m@%}b-5u>;&NN6@v`TEL>HQS@O;;YE{M#p!Hw_5&homwnu)i<0~=Sa
z7lLLKkM~*RcgvH@LLryv3E;tcxvHDOYAPz8STl14>~9!;L#*8Ijt*i^;%UC%yHOi=
z+}a{|5A&hRQ&l;<^i-;12GD{09tZPh*zh1=kkUzoa4m{Fv3T_n2)PSd>YF^HMCJJz
zrMGGnQ5j7m$5l7ga`yZFXiY4AE;ob1uu`CH5svuqw~T#I@cFKe`q{i?fJqfE4Xvx;
zl-&A7qPl_UvBBO0^iPSd!NT=RaFEFVZ=4xzTE2@%;@}Fq(yqyIj(;kgL=~*m1O^zE
zyj*0T2}v5>Vh@vsv|M(B2Qkwvp+Mer$C~Lwi;=<c;r2C?{%l;3*~6m&)WljK%nur8
z;raSrjmNGzqKT_~FuQWpW1lZ~y#!5ySIdE2!h#7mxBkz)t=v~2Pk^XAT=e0N>BdT<
zALaQyaduT^k~SU;%2gPLCDaETLwSr4vqU7584i8GwZJ;`8eF|D=~me0azMjTSpZ;G
zJUA?uYjxZS5IVEBAUHEMh3tMa?c3<k){c%@*uB3?C&k{$U2p_={{G(q5{Mnx-~7G;
z!o<g!I{Xl>0qr}8^8kGVAZ-FOdY;z#${OAIf18IWs3-vpYKeR7(L?*gU|Siu{h&0h
zfBn*U8rpOKgnH}rO-xLxieD6{D}z`PHPq9iP`Rwe9HMtDWSWV&_h$$8rSrM)ei39q
zYZQo%X{%4^){(Cy$;Gt)HwE$uHni!@tLr^}`LO&7%tvKG+SSPeSmZ)V7XS`_NsWmI
zA8(awji#W%p)U}3wH#bYUVt#R=?&uY;I=9VYV6xEBLiLof`V~3Y&!}ULz>*`kT#n^
zgU1F19HD8eIiLv&197)ohi3zg-D9;4ZenP6=-Qpw{!@lSBYv4$;D?L<pb5{mm3*EM
zIl@X&1QyPc)zYW&>w_gsw>99zTf!3i8%v|@n;&;n9II8B+vFAU3949LhE0ry3R^gk
zWQT?(9T|E<2cwYec+AGV7TR<*xq@$Tgi<!>Jd5abobsrYdWE@ebE4gUaRF?CLPIy3
zMDGZ;|D6?7OW3*m&#YhvYw}09P;?AR*7XSQBCPS7$o%?QAhzYXOVFZkxB(rS$Kc&7
zu(UlRO&>U8{T?ZXz}sAYk+%VGcu;Kc`^5vIb0Ey{;K74A&w2ov0Huemp0HoS%5Osh
zZ0*J<@f4hb9-<qOleVR0b5S{a(!gj4(0{kD_%B@BWD?B`;8m-Bfj<N&&c>8ItfADx
z?dDv7YHLOltOF7joxJ;QVsp+?ms%^)QVZDqfZ1kzytO@UdBye9olTKp0n>jrIkR*$
z%`QoG6U%SdvH-|3b-c@+R6`tCtzGqo1NWSaNS~~VAGKgX*Wn<{HQ`1=DFcNp?Ap^{
zomFGP!`t5nDwKbx6)&#yLTHI7)W*;uQvnGSB$+)t2o*P0IM`4VDlwy1De$m>nn)`v
z8J6{r$v=)RKsttp3`91SFH^HB4t}Cycma+EjY1f=amY*oq(14;z<(w@5rbJEBRPLJ
z5N5B^P%$}{Yhhgh=!CzAJCu&)VPKHJnt{hg!r}$|ZjG#$cUMFs?fZbHR|Q2F6x~Xw
z^APF+qL-;%0pJN{L$U+F3B7xR#a0X?K8Yi=9Ncd}8uh(R@2_-;=p>4Tk?}UTl$B!r
zdyNu-*^6)$5JD@++O3<15SRiy0Ooc_1|abX-iAw~(xGqxv>4nC!Ch{C)b+}{Xx)4@
zT!;?V2K3yh6t;Jmqri@~;Ka_)9|kYQV^m3Gn2MpQIV>|y-K0rJ0n2t%un_?0_}ExC
z_<?xL;zwCtrtkoSBrA)MWP4Ef1h>KiMr_@@bGhxAYv-}W<A(SMLpD$1cU~UUsvH{|
zsYkn{;ieJO<h2NV8rHqcTawIAcX_V8Kvg;AaF2~UB<`TSO~BFMZ>tt3>(_tn(BRhx
z37s+SFW*-xk4jm`ST}XL98aeuMCfcMUuztm4E(^lK!E}YRso=k=*mzZQwX%le-g=^
zOd5E=DLPUGDAWt*sh|UM7#QNkD5h90m79N>u@1AD%*pJ~M>WA=(X%VCH(>}YfZ@ZD
zoZqyP<jn0A2V_d37j{qW&t}dRUld1g6Z@B)lEj>%7D-B2nVH|1nTasCQioaMS9Ao=
znlEKFg!c*1`8RXATXkB6EP9_YFR1tz@zw2Felj&HUsU7C89N}-0U~>IyL+x3LmTE5
zSH9kkG=8b+ZGOPL+OTFGk_oaam|(DjE4N<QnVfuhtiHg^pv&L~7$r##!DM8+^nJ#W
znilM}At5un#?G+81MF~Y#&v(YXUkC-YCD~k;o=1YkTg7g`0)K`icE61B#f(R0wj*}
zMUVKd#jUWzW(Bw?P@OJ2<oORRCjl<$GNcB|M;KG%HmV=;1Mmdv9wZlFIe*cSs%@a}
zb<Q4EJ9E`O7}E+PKVHG$x6K5!xdZ9`x8=p3f^|_e^sp&IS;A+GK(z*mO!8JG?ava+
z%xjC4dxJW>o~;!v8;bPL#wI0&r_32RS}%&#(4j0;M-8A+y;M~U>*YP+9NAD)(=>H}
z)vt?MD#^O_qlX*71%;VOf5Cag70lCCF3JApqr9KsfI5e9CQbj#s!@`Neb{pM-r}E<
z_oE63$ODJHx;3o~NqXNKX%t^7`^4NE{!n7F{wb`IqT>3_kohKvGCoF_m84cbd27|E
zD&=&%dA&7YxBi`c;1VnSw!XotEVI=C!>ueP#snc<`@`=G+$xbanA-a&Q@`k0MzU$!
zE6VHlU)pyO9jP+eT@w+s|FY0Bp@yy;x7W#v*wQIS2KJRxdEX+10PJ)spph4qBCHTh
zD2__D3*{8<<83Z9i_gVgyw!fh)s5`WPr?xoiz}p<GS_a{JbR|zEI)Yzg?M;TB)hJ=
z-YaWh8k7Mue<5powP^D4f5`suMWZw6JHG=QHfK^hIsoLSqr)r3w!=8H=aZT)Qg*w!
zesF@V1MnzFGRz8#b%sRo9@HsDmTbhbks912zrm~v2~n%oCP-V>w8JJ2?3^5~GQbPL
z><+xdBZRgyYsU$m;Wsum27dioO~_gn8{Gke0HkqknMNSYp!?=SUURE*R(hitjg-{!
zrD7{85z7z6!lPHI(b4_4*zZcuHLA#?ti@#f%<20VDCYiL__ewgKk4LhI5heT(#=_l
zr@j@4P$8_#JYA0Zv@7w7)Q1(3-J0R%6<csQ0W!XP7|K8ny}sAk65gSL&+a3~dDp*c
z>W-y1^!#8LzI39xN#`#cBhm(T7HyE{28FC0pRKfD7-rbA?+?(jYBUvVtG%sc2K_m%
zSs~+5FWI+0F&n<)GJ|qHge3ZCmSk6b*6S7M81)M0KqjWkS3aBH_GH2@beWjz{A$kE
zeR*Q3B%ULLADu5-zUv2+e*&ASsbD72^Ug7eVx8w4*1yUlhxt~&k3l%baYEW^0i$;!
z1f}9LPQyPx^spl^vBN<<h%4!~gc=P%VF)1&?;d^te)Q&yIUq2~m&F47c05SoCtf-A
z;}L%}pkL?H2^%4y?ow>uk29k|+SLc3`{@;s1cK9#QGsbbn2bQ9ZKGoPUrhlS8+AMY
z#RK{=cw=Gu(T0E4KdeUf$-HBnRas!qcO_QOFc~qJrHwe1U3Xf|wQ7`rCFD_gVncM{
z`e{^6@3he7kxRQm?-lB4%HE}IU;qHuXr+?cr4QT7oP!L5J!5$O);lQIP2t&6Ev(59
z<!B}4VzcbKjy~Pi0N!)HE2+Yt$B*`C&EFaL-Tj#*qp8+S$=GegxFB1ZD*ZGqMc5{p
zV|xTJ9oQ(5S;DR5gq=LU=De8Q3Oiq98!e8ZCsZ>2b-?@t??iI`g=J7tTEwaQ325Q@
zAtw)zNj)&z2E9)B$+4@@%#45Tj4k|aT(5sJQaOy}y42L+R)jC+6{rspI$^(xI$q<N
zT>8~5;bpUWXNNR!-uCG9O!PJ0l<n(5DChl~8n(J=tA*?o-hMB{O_-WmUkpi<X~*a@
zw8ZI;y463}c7TulRhHZ<C9%Sr9keZHw82&(d=X~XpP=4{h$fdiR5DOZ-G~Etj1x9c
zkY<a^gxr@8EWw&xrsAstk1pxAZxaRlOyv2aWT8a^Km`{aF6_hu;$p=#rTy*GD%?@K
z5|~67^%?(+(ok67cK?Iu+i+lDYqX<CUOs2R_eh}NfNR%4?W(GP-HJ3o$j2eu^W7dG
z?6ZJr9EaVCkjrMoK)Pdokb~XfY4&;z-dx{Rl97e_jSWT`=e36iJ48n#|7Hnaz4-SI
zdQ=`X^9m%Amwlg-dL~>x#Ct{$o(t(B4W~i5#E}@FXf8a9hxSRQ@Pat`*CZ#i%7df*
zb^Pu9=cc@GkAdK*>uBQZc<K2sL(PGvSZ*wGJCmjIMnzyYdpkDZc{zV#+gAVgF98V;
z%MTyc7rt+iD?%?W%uR^Yd8WDZbX0I7aB|_OOT^KUbLG|GHgf%Vq8{(u7FpWq1M|Xl
zpF5P~>$S7ii-S)$??3h^(1^qX-r4A05--WJe0E1JEu(XHSzp(m7zEYp+ga+$oE8EM
z8HDPicW%%Gn3tGj)KOMJel&3vkPMDO&KqYvO>KhENE9?1O}~Fv8RbvdmO{yM%bejm
z^j6evAgH$%h#CbGeoakfrJYG)yNZ(o<0`umifgh%pa;i+v+8D^-^SoQFS%Pa;8-UE
z_W_FI$qrX7f87qrii3k2U0ni|wu-$LSc^IGV?TkXc|f4J^+XquOFc;wuv)m=#qMYn
zuA@Fv%?{f|vj0EK09DH{_EFQpm{@5Do4ZX0-)hb3W(nd^1KwN!jIs;M(JGorzDm!j
zI*%K-=|o2eTy?Toag9pyjGs0BG|`3e+|f>4ZzG(0$NqQFD&}SsJqZrt?e$x9!u+_;
zl@C}&T`wn{)VLOtT0h?Aqw<gCEqi2ha<uP=VY<T@Oc5MCY1Vf2MSPU!yp&u!$3p*T
zFGV1cp+6sCsO8vO=f1;VO4wur@$H`WM0NAix4ruOr;-=$-+!9X%?l99)93MQ{l81W
z5a~Q~_q;X519cRzr7nA%%^he3-7GnuMXbO#Hb~iPO1Ka_uMFsBT5-j{=wdykd0AXv
zyuvlFID+JiD;e|9Bu|H@xyq)deVF5;RyZwcU;O;tjE$qO1zfnpM9_{yHVO!zb2%K5
z6=lqT@0u?)$aCd_*34pDBA5F2)b!wh-~^Ib2*0azNqIJ=ZE}*84y}^q_GTDlD{F_l
z?<e)oimSW-5pRk8E(>$aqofc;;Icl2O=F?QyO}F}oI`U^(TaA5RqjAWiqK;3P4@y>
zUz+hHc45b={XmLEf%7b@BbvwC&c=w7HsX{RCHUmAM>~<|!zW3Z>|5QtQ@^?!A3c{n
zlR=^HeXoq;RiQAUl3?M4`kY{utLlJgF{29?1hpDORe)gv({r#Xf}!NQVjwrYyzVRm
zs4sy2MOd@8mtUKIr<LThVpk4a6)>fRs}cySwQAf#8;BmMTE@mk8(Gk_{3~6(kg}g*
zArOTe=<qagKXhp0#^7WFT@8Qts;v6II?+UF;~|Z#ID^xlX&@52b)@bJ(B8w3_%C1X
zKTs2u@H~UR`w?Ir<8(v}{E6USu}j8GM&U@jaVU#3CG}$&1?yV5l*W$<=!8iiN1VB4
z?S4YUa1*!E@r#V1l_AD`s3%i2wda$<f^32NivzN63%NILlwbDY*<(FjBLc-hgliVd
zLh(GF3$Nkb&Djy`6gDI{czvUV6*DvgBGWgB{Fai(m#(9ta|-Rvqks<in8~5ha4Mlu
zpX~ciaLyq!ek2)6nY>rCF4k?oU$PZwBsrL7{p|SAHyR%}-Pz{qjTwnC(d&EAt(K|_
zyTSn?A4Oaiz@>tc*X)vUc&|3h&w#e@8h{!w>%&V|PO_zDuQ?UWsU7c>HiAsnQk=VV
zbhz2Br!F?4YTn-AJPT+rUdEA*AUWCusWnYPmnR^FKmd~t<M=#Yi%z5kT1)DFB(%HW
z0bB#XVedg?Tpl%yV#fqoGG1mh=VhwN4?!x9@IQvBk#d&n2f(=A@6B?lH(x1^ajiTK
z)e)^sN^<w7{tytdGC~eHQ{jJ}BDE06tB8<o155{IV8%4NRJ`f@3LDtn6-RgVBLZh3
zr0hQ3bj_iwF6nZrw04TM*W29xB;A6!sBfIo@^AG%^uUxUBYwTLQGw~_sZSAsU0D7B
z_J&i-BSBf)$~tq^&ztC#aPG4ot2?J80R8`HYY1m+Ym{K<c^Z2+omzKXHtkMrK9?W)
z?cN4v48xs=94xVun<KTVoNq|#L+LE1tk-sRt?E>Z0y5dl^Nh*7cg9hcBx64)OAax+
z0;iJfsfA5jZ$T!6DRbBaDkyXnKyo@VV(go-7T^x_Qv=s+VliM0$|iT4YeL8UFShv`
z;ziFyANK18;4SfjkrnhfK<9W*dp!aU;EQB7z^?NGcZSp$HH6c3ZnnsBa=|nrJp5u6
z&^B;J?XLOMe*mpEkO#9ehL%CkK@0sg*x}V0QPTcL)oWOw35x=USZK|y#2L~##I&R2
zlDmPvPB^dOxswW-IMm5TsL5g6`CS+8FE(!}ILCTw7q>U&lVje^(`go6dGjcc_Ghem
zVUi~1FLz!B8BdbzBJ)3}peMH-`4w&av*Z+ckA65Z!}J;kQXe|bB=b7zWKlvJI#Yep
z-8f>I==#CfKBk>&E0U<xkEGE~A7&r)AP#BU4z=~W{LI=YKZBK=!i2W=(0WGuDWUAV
z8fN`YXDMoIBcQPQ=IPF4Wy?-yuEZtaM?UDgNypA_x1s^_-sQrTKNSy+TD*4RWFw>e
zR%&pM2~H}eg`W#h@DCpAoAwveZZF!AM}k7I@PkWq`RD?2j9$GE!iti$wJi`ZT>#V@
zIFWaNy9w|=yIw1qxIdL7@LymK2w(@Mv>YG<P#%En7oHb@jwHcC2iiu&8WpqX04Md?
zXc!*@tf;UX6BgD4P#*5y(CA5$e>&pAMjv<~w51;ITTcZbPcH!*2J48e;{GxR&M_$w
z9<J~$f58<T=R1_abt{2#B3?~zY5>du)?jokz>NSO19AbjXgo^=2r@IM#4q|>-J|w>
z{p)q9e-LL$cuKKm%7szzzF@um_L_0OC%?r4=8cf465C|j<p^ZtMpoB-sYp#fjb~0D
zyi>?%4m<)+J4VVIpDNCxaZY_>Z$D?dWH^S#XI3VX5@RB(k|DPYb>#6QkJ(YRHJtty
z7R-L3SU5xS;qE)~Tj;()B|Q!%EEhgul+K1g`1j9+VVz|^*e{Vj#M6luouit?Z>?gh
zoj!CacV6b$jIgS(nz6fVU9owLmhul4>=(iXa|b~e0apq;?0i69A5X-r4E@;BTOe~)
ztlK&01Emix((jY>E(16KpqDdemxUZcF0LC;P{Kc2*P|S)<%*|eEKsf?Vk!FaN9&pc
z&TC#zXqH8zVq!X?Bl=DsJ$}6GLhfDdtE)sYXL7jH0F$cguXFle$K3u(0D}Wf7Aese
z4vr#4fm&Is`HMF-35U9_Wqtah)%)kqnS3=rBtQaE(mJX5Ja2L5XCKQ^HA=3SWSQiw
za5nADyuSWz&xNF^?CrQv0r6D94=(~jGWQ<MkejytzB#i^*wBB9IdLdw{py2cl5vI?
zxQjJMah8LPzh7VSnFfc>)|g|L5Av&F1K>#<;}*Lej5C<_r1p$^j$(q@OQ!)_{uU|y
z!O-VZqb(wJL#O6P+@^+EpV%OIa0eyvsA1UuRzq}Ku74RRtx0Zrc5(8K#)5^}&UtoS
ziQA%%msaHM*JfUw-&_*!Ry?{APJmvtSzDBw%;cmapqQQvBg6Hjr1U*&vyvLSWHf?X
zH9x4gL(zkYd>-~^_x0jg3@12B8~0^u`T%|nkpER^;J`;~$qI}V!PKD&&_t>g%X=g~
z?0~O>7p{Ls|8;_M$aliIjhE<=>kb^}^WYJ>A_}v6aHDtx5l;2}z>Y&ajKJU-B4U8d
z2X<VLtaA<rri3N~zdkP$&!<3yI}y$raN_Ow`<%lt(D<DLSvQ#SLbZTIKfF{>sM~Ru
zmX&QdJ?c1BQSjS&!))aYR%%EvRfLfOcr!uzS9YUksv7!ae-=ht)881I;bQ>3;vDz`
zf~_E;NV)#A?ihL%9B>H!>BY`=e4<)qe6MrxgE6n!m}ukWu{nNf7eP~=6&hOa@sY>N
zW|Q4=qV>?wuAwSv1H>|k2M4uZj<9{|))ID5AZB(bm^`IlB;=wX0!w1}<d}Ir*uh;a
zkpLHP{w26zDVOCSp?mjJ-YJpJaeWsAr-5JXL;Aoth#{|K9fN2^gf1-mKo{9LPBMKx
zJ+)Dga2cn-m;;Q1&<B2U2T6ci?3i=@5xn<Ml3-pDl6s)ndHOey02FEgUrAYOi}CcB
z+b)=)M)L1u(PoNY8ztWF((Pw#ISvhHb`-f-c;vZ3=tq)e^+sCaL!a`5Lh}tDOja6O
z_Jt15t~+b88f+t8gnBVPWWr~xS`XfGcqw*!&ySU%hvU$E*At|;6wbORx!R+5x!KSw
z88IC+kB5pURknM0LRSXM8s8|>2M|{OmJ*K8*UYh7+NIlEhZn3ko-T0`B_%yr+PzNo
zlWIkgsJF^=XJ)`07Y9@By!N;p$lIYh#_JM$;KCqu<*o&TD~CI6s=J_nUtlR~4(56+
zI`gxoM=nZbu0=Lcdfl2}$A-NFXKQfV_sXLK4sbVv>Biu)RsUBoQ2Z{vW1JhGkN}Me
z5jY=C+qM?IeD&(jv^^{eu=Rn_y>+oL4ur+MyQk^^BNCQIYwqaAN&d3R5sDVy)j2X%
z+L(3`38%@h<(BDp9wMkePJjpkJhf);NY5f8^~unMzG@sNNeM@bEo{)@_<$%fRU{xc
zJf@nO{o?hrkJ)%2px4!~s(4ivG0@=y!%ORu)tnbx6q~btPg~lQs(z;Z&W@|9cpjU%
zZ(G1?<oen?8dYY06$cz=bS#$_mz@83!)7^U_e+pjv!rKbwGt3yBthx+S1_+@ULk!8
zk^;p0!sE1}%YX|^jKSO3?NMBIe-aD{An_e6gtNgKGP#oADM9gPFd+P*Wd+2V6a_{c
zH;7RKn+<TuA(U;3qcO#3ZM19be-^iG-3VLejq#D|vr)a;H$b*&dL~;iGk4)1iJx8R
zPVxe!#EWF)EHc_XngyEI*85rhF`UjgMweeU)^Z^i5y?z50V9>%x#aGf%B{I8MRIW-
zhV|CzkvDtHuLq$YVQ*HAI!2@M?qb8w7P^*SE@sVo2;)&0i40R|m#*Kkt5Q$3k^1m$
z>&*EXRdbDwe`UxTZNM3T!E}+m6(1Wb_1X@;S%C`iBjXmCyb+W7=@1eH-rmVlluO-y
zLU7SuZ|K;&a?4#V)H9M({AxR2G2^rgZoSuBDo^%CT-_u{81CHrZN%;E(mpy`x%lwY
z7ZDir5ZTz+z;<R2wqT|eLAA^mVj?1ZU|!Ut_Y~i0X9Y`$V?Uo5YH}?a=DtA6d=K%g
zKmY;D?Rne<<l(z1BO?Qe@<q=39LQ>;q$I>alD?&;MTjLNO4>>=Z<gQ2?p(Y=aRFy7
zQ$e?<EzMqNI)DYc{N+~rammJ%5T}ND{oGY8l7MBYncBS90*3*Tkr8RKG0h^CtYHE2
z_vM)xJEWPCbk+Yn@xiDBSiV86)}L1wLPd%6-o}p(Ae}jPsHU(G-l(U>P7U7?bk&a3
z!Jf_DdFS-*2;;!B^@-w+xz^L>Qz87S{rz!9aO(U=O>U=caR3gfC>OondHI|NhPTy&
zP1V@3W{C;g&cA57du`$QdZ<#x_6hION4SZ$^QN2YJ2M69*6baQi;m*Ry_qlqTe@oC
zM*5GQyNp**aVak!SF3i3m?x~WZ_qnrMvse!>-8m9u8;>2-i@bR<izbn4b-~gu^DXz
z?>f&_xt?3A#<=a6Tv5u@7+9uxBVDPI6ceGsTrgD0_1D#wWHSA*mA!ltPX7T@adGk6
z930<{Zzm`)zCCPF-HpBB^@L{<Mzw-ViiT`t;12Eu3F+V)0r6C~85kOqNU6IE{mC2a
z@)7R6Z#g<*w`vGRN<)inBa7tVzDXjy@jcqvf2Yyvt`fZ#bnN9?0kEwmPrjq4-|TOl
z6$8SI2l`A#qpGqkXN)0`why)7EQ8oXfk+AIvewylAyP83{_(?{=+WC>Q@V8xU3{0?
zEH{rMIuHp(#AZ^V$eqRLk2A9#4yQ^I0aDu9vGopps;<u@5|feuJs#Aohy(`2zkxPF
zCwr5!riB$1BP)|YB+1ZPy~s%n)WQB;^AWqgE~_Z=MSrU^*->`zmuj_Qc6Mf^iBV1%
z_QjF1OaXsj@-An!`{qZNw&v)B*yXQ~&bM+`-^A3s_hr0y;a2&h45djR+9GpuaF~q{
zLvpxT?-9&yOE5b+e|4#nHRqw~zxb)+th+s~X-3iV;+eADowT)`ouw>Nxpq!iWEI7I
z%_n8B9{H;)NEFLkUsXzHJ*Sua?W^-mAlWz~YS2#kP)#Jz1IiyCkuYRU!OtGva6Ffh
z^~B~tA(CfAo5@}d)>PZJlFvwTOO3<co&tJR!D}!=|4<Zf#pO$sz6)wQ%7NrJVNJb=
zt?*C?*HuYpQCsrYNenDFK5t(K?zyNa>r@5Fg!Z!!eWU-?JKW0gYbJO=`V6+LrZjh1
zdcfLSMup?%*x|Q*g01ymVaYRSN2jQ>o9S8q*-NO{LCxj7vEH~>J0W2?@iACz<Fue~
zwy3MxRsK89b?Gq+9M-Izy2t7f7j~4mscUeLoZp{P;V2znw^!cb0lrFS2H(@$S0OzN
zOgX=VhI)X~7>X5`yiNcVW5UXtv>PGzj~H|U3kwSnGadWlUbb%I<%sAsq~`e>b>$7e
z0~w4dy+-hxFzwWaX%)eR3p$}zZ{ggB1Z{QSQi!r#ZZKmbyFx;O50yL^Yz;fDmfvGy
zdJLizV9B=9GlGpXn2QcsVZhZMaj<Wh{<q1mEJt&evxb>|->qi`aRMONU!$VhSmaYN
zi&trBiE);SASf)mF)xiSjoPnw7`V^4RTEZ-izP@W2WaZysX!d*y9^NjL7)|U0!*;f
zYtDaacJ?u2@S}gOAT~l`PUhp_r|pBDo|-}kX4H*TOkPi*LN=9`VF+xxLPq8ZXaG`S
z0ZZ;}+I0HtRRC$KwcY-;1%3)f#fOp7^dB`?Je1PjGA(^q`EChYFvKjtM~K6oc+NEb
zInw9{3oZ5OWO(0Kuj;U`w(gpX^kHNCdEesy7Z(6Z@vCqG9v;Ay9<C*Dihb&$w)Zs@
z74cFPydh%FW4HGvob{mI`Wqw`;W7YzL||$TDRp8XiV9T>015?c{lJGjhtnFtn<Y_B
zPfR1^2?ZHatAUOaG1eN}E52N`8<`!w3zNyGu=Rr#)2%B6%vy-d6*0s=cE;5Pb53}n
zl%GErEbhCwgM+ZN^d<0MtJjbQ*K1A9sCxb0?n#4_3V>e_u?deBWPt#EZ5)(IaQ7d=
zk`Zi#(8T^xr*@6&8kW&S*4B-muS~oH?=TO@9WE^7h3A%DHZR>*Qmc%BmWoLtpVDlu
z(y6C&n#f$D;Y$BbxJe4W!YTeQ5j>ndmvS0T`hfaXmt8?(JcFjFP2U{W;$z}37-HqK
zIIkQ0>ms#L>1jpWl_SDNZd0<Z%!l0Mxz6;&LbR*|g-5^r!+y;NJ;j5(`vGM#JF-K*
zI|gVv^<F)>SY#itPn%`xCd|pjY<b!cSGgOBZL^9UkmG18sOrRo>jwyJ5Qy+4iKA(s
zzo1_~&ej~QqW{vu%JsUm0{5HXS>|g&uv-koAYVC6q?ab5x?FYQ{95aJ1GU+vio{Tk
z2XD<#e8+t&qLqC9w{oQL@M``o1WIbgEi5pacH=&#F_Y_whW)uLc=mjR-zkVMts7>!
zEW{?pH}#wZZFf^$9$V}lasQ=#{=Dm9=O;y1Cn8`aVt+;l{Tm#QnA)dIT_7fw0F&n-
zT4*C7mk_MuYbP3ZI6H(sW@ob@WaE_7)SP}>1%)6Px^C#x;b~?AXkiDx(B{J{W|ARl
z{jA%Dz%d5TJ(WrqVQ`(m$=fZs=~EBOxE~G~z}VOKXJbCXh!9G7k_&#o;rfT39v@f}
zx8Qq%!-ZN|9^e)I<jFaxDEm!;clYq_HC1N${U(N(Dg!RHy9_vD|6CD^dl3uS6W!Cy
z@VII~HbDI>FF2<{@QBGsS(x8L#^Axa`npvD=r8DBx9U1=bxE*;WC)?kLCDh;XhDF6
zWa_U7{8{kthActA=w1h=|8l9k<g{r3?;lM6c`k_0kiFH{&u#oDDI0D+34^nT;9v|`
zpkTx~y3m$<Pjv{?fIthz;9o=VsC?=&$Q!6E&$(phEH37RY6O3kUsj-_BZM@2uqOwt
z1w;p!ur>lfas<Ruy-{PJfk9I4{8|MSJ2b2X6K&C8dj`8Egh;*yrM|6`A_ur_ztqsU
z1ltJwi#;xa9)=dcDICZ?Tvn+0Gvct&TD-DibsGu;=-Ggsyp(^RiOEOiTR4&mYMOZm
z+CoU+sf&B8S%`WrDT#~Y^Tr82HT*si>;};Bf!agZA4D1^HC;mMO}-HGv1G#u?;3dh
zpx!0XjVh)unh>I#Gw@P=<SEtL*Y_y#Ra{aM;z^C5WNqIYzmX;+P8btEk#L;qXVG?7
z{qXAve(V0(D{S~DjkdSPo{)=-#;<8OD>*tvr;^GQsKoz)VotsM_g#0IsCSe&EkC(&
zI<<=3v)y*yjGHs~ei(O5li`lf?G5x_TAY+$mI_p1-5*e;n=+gvy1RbN9P(j#fm`_9
z5|g(0QAUi^MYlszTwL8M;fm{piY~p$GXtm)p^M#i=vl`G=J}SpP2{MU(u>gnp--=M
zS}f~%4Cy!ya%_63&V+_Z%?J$n3kP%anuJ`{+nMKyYR#>%7rp}!D}m)Xk6MVGYMhNR
zd)gjzf)hg=jn5<OS3nzptEEN8^O~>BgSh^RIje<x9xL~GS*P3IYH{5!jaLmtoQ)aR
zTHD@s$6OIp)TyEEJL529);NTBia@}n<u!F6<HN~gxPUP7-nUGHa7WEoJy*}Ko)5O<
z*%((E&;#iWR1{my#uu{R)RuntEe8T4fn0jD)h&lJcs&Q4t$CUVXJ)KTO-+*zfzl=i
zPgq6nNCS-Eac~f|{R0{}C|4i2Xn}SOhWy=cv&vWMN`N8f6B9<cCH?eEwYGNJn~cDJ
zq-_+Hzw536(ym@dLPO&Z2db@T1g|;1wo^LD+eRE0AK+*=vcZEUAk91wA;A%L2~HiJ
zrh4ci;fRKZP=y&|KhsJMFPtdW#xza_j^rUvnE|kXpMy2eMs^97{ZdZeNTmw1I2>>h
zm$+vAI|vN2IP#)(r9xToEEZw<?Xpkjwo`0;tO~B8d}XW>*1ZxT9kYn9B`!_@$1hHJ
zJ%Ompz*o9La1I_!V7t`A2@WagGd<Uma7_I3IcG~sJG?*+i(?>nBOGYzXW;R4Fo%O`
zwj-v{-Zxcz$yYo<C(WX5_8LIGRvp6UA=CjzcRrY{DL!!tiG-x21~a?|Rwuk%T-Fr1
z37B)rQTk`86(LYe<2j^|14#TG;7M@x$Fc+A@00Q((OAs|?Ile!|1Z`)idm8hF=rWV
zarp(^avM7fj)|NzUfzPB@?6XC`DKR&=9mk^YOlIW22DPooH&vbjGieg`SSl_rJq-b
z61mw@GZgBCr=2sEmJfBIt*Wx#5ONeu3urd~JU^D<P;gyq)_;6v7Ht*nP{^|zwn#2d
z*TOt+v>ZKz7LYlIe=xid)67hMDbIE0;UbeI<6G}~GKm7+<+x@2fw!7r{BPOR#fvaD
z932M>2pj-zNiP8z1i(e*xP}k_qYJBLyTm3;2b8wH>y1T*abyq3h%37^_Ix++8lCQy
zm6eY#3!i&D$XC?$$K5@RcYSl3K9Wz>BjF}DTOW=OZCe#(i!#(_y9WD*P#_@XdxjcE
zmggJBSnxMA;6!qO#SWWgW`fbw4_X!&rAN7)q+Ypucnm36pIL5-g(QX7VAlsF!Xrb&
z)W?UA3v(97dA**L&*i8H%kDu;i;u&smPY`9E+gPZ2xC?UW|WY^CCe%?FP#px)bbiX
zjtR$mRe>%I<qPr+5V$HZ3_14y1X|=~Zk#itV^0sXi=xZTn7t}5Y0O0-C?gJ5v$q8V
zC}2s!VnTfBOPQ0(??&7B&Hz{MQihW8*Pt9b=CIv(1xCyDiKjlB&D1ehJGFB9Z|Y?Z
zI%Pqw<U4zmzjh{Z6o}Ysfj@~45f=bMM6gn+Om6NYM%;i45<=qym*iKAgjC|Ip5ER8
z84+~|$INzU4YR^xXV2w28%hK>%mn`g?^Xy7se@t0gP+pN_1b>>@BR-}-vN*HzlQx7
zi84Z2$%xW4B6}+-O4A-?M3E8MqsYpxL|I9tvdPMbtRhJgvMG|Cz2ECs=bZO_&&Q{8
z&i|k1`OWY5zOVZlex<I_2(y`9oSBh))NCmx>AfZk(~^LkoSajswhhJ<l1?Wt&dgw8
zCXg=shZxbRq-#~Swz6VjuBfQk5w<#TcUPO;%x1B<Ticha$OcPyll2A{-0FEwF7c?h
zU{T6CYJIzNSIfM-x^qKrKz?F%nVI|pziGSgZPxcjMJM_!uKi5ondDSkkbITvDe{q7
z3C+uYz$&+Zp#7J1wR^P~PK?Ok7QEC=u_Y_UqKrGeD#g<=K`#G@&lA4&icon+IZ@5W
z&b5CY%6_Do8xwQwVjfht68%tz-rY@L>RS3e*Kg687Q}kX`-x57LlW)7q*oGc<A@eg
zfBRE2-@X&67Gw)irRA0)SMl@|wvJ()v-{oj<;$Jt&tol1+?YGdn_}cwZOr6FxOX;@
z!w!iH*J0vYPR1bK_paFb9oa^zpYO%odE`DZ_9jo|=+O;N&%Uf~u)*8EI86jEOO<FI
ztNF9&0lSv%gdqzukx>mSOOLF<kStHYbAhw^yv<xx?1FUsr=-O~<oM>#$De(9`|L}z
z=%1Z$Zlrc}hs((GJs!DJol&?Hydi9E77-4<xS1F^Wx>ZGprCPR8d)s7EWuC;`-9K}
z4;^qc^O}E}6!*U`>Tdl+<ACxTE6heCkEx@Go5K%jOr4E&>(;jO9FI~{Q;{eXZKf&d
z=GoBLSeu$zR;M*aF&3oxd}ljjm=UvD>%Xnppy>Jr;GNo;Mt(rC(4(ge80+lX@Ou49
zrh&Z(FiP?IGkSnezW<C#kd8XEA?57zncwoAKEsElGCd#CduUUw%*Y9w3VKL9?Q2;#
z40UCY|JBYW^Er0<Bgeh8<&L<fQBz_o?fsS$8*=S9b9-HOSWTP$iRMSHQIGhRbA~3C
zGf9@2X%sgfjikqqPXpSwdy~&z!YH^F#@tL{*PYoDCiCfIZqGYgQw}4~VOy81@K3pK
z%@r6jD~$`y6K?qF)<o<6iJmg@aL;>^e4$ul*I>b0g94Y%$lu4U3=fhmkDsBKGrs!!
zTYmhv53(a8t)f;6-wH@1N_vC+1nzQ35>BwNmnJ8;^~7{2J<+;4X?0^#d-}U$6YI>j
zYqo+$9@5+QYn9w#H8u!%@+ACBzB~8am<(mnis{o73m(i(<mKh%PMsnjlSoC!^XqdP
z`X$ie>DSx!6EY<h7Z=G2FI0bhc#O-H5_$5dw<N(m0{n@6*0f2pnGx0*JIcJL6MT`G
zg60$EyfA;ah)(|4&@gtL=7e_j@2elL?$-GEDg~9Lvov=@Dn)Kijve+;$jacD%ZEV#
z_Bx0sS=8S$UBtpD*ujz;w;TJJe)<(bSy@heCyHyA{vd(TFdACg(bt-f7n$<Dm0pYg
z`R{46!qY?)xtQmJJ48R%hN`$&&XZl^Zim~$-{W>aB<p@&pHruhaT>j7eD3Vo{;y~I
z&|Ikv{ar|Cke38n^~I%`VdQs=UH8D^_~4-TCg=OMcCH6HX6bqtUE2AtvejGsDW9HF
zp8D`<S$^g#W;dPZ=)QJ*bUWGqj;8nC;c_2ywhQ;~T+mbq`WWJ<d8{p|JI-QGHgAZ@
zMc$|_x^u0e$T^&Ycs?eox?b%LW0zq9sA1hIp%WsaX?-YD!WsXH;r2p~g01=^%QLRS
z@5^G$p1IyVaXm$0+07lWpMDjys1yG?a{r{9L4S&4RWz67NcMe{lT#eD$32+5j)u<%
zyFOU^ah>vI_q^ktJ#Rk;0^iR%5N9zZCA4|y5}K@l)O`<+4Ato>jhX@)5qvq9ek$?m
z^v_TrIg-~Lr{Z#IKgo^=;VFyW-obp|)L_+|jG#c!VpzQqgMQ!4OrdeGE;~_9V6?U+
zxLWP_aV2nE?%wNIZf`(l1w3nR;V=2q@A!SUik}b3Dk$!3q7V#k^7a=eBO@6$8fOFe
zh5$Xg=5~5c{Q1?Om$W%GnB?8NhsOyPUG-1Czs!xD8H_O(bsqa}J{^Y^`r<{NSeK6<
zK4dS109eh&n&cFub$M9D-GDJw?jzHE4F(y9u-)1*CoYV1JCvtOA#kTcE4@9I;iLPn
z<0DjqrF*u{EjNo!Yh|`3KY2oq_GHwe^8EJ?Kd)oaK#%pkgxlRAPRa&5D<&s_)u!KK
z8l#UtmRT-y`@=4EXE9{-T5IGk-5u2jXu5Rs5{kh3L>4*1u!?JW5gd5pSx)mn#ra+-
z_Z9X}aU<jM0w3Lz^m5mp95*xLkNx;_%0*2>;|Tch%SQt~F*RxYd|Ep2k&|M2m-U$a
zpyVOBux*<*pcOp$DpaP}=ujNmk7?PF#=rBNY;Yg3%klB>kg&@k!H~Xm+*{kc?>mEg
zhb>d_=aGO^vd$AFI;LC}57PMKFS_M6=zlkIomo2+5~y>Nv19u2Lht(IyIf6I>34#&
z-(+(GUQ)(l(1_KH?6ttFdE=`-z;t7@Gy>eF%+gYYdx;vV^<=x_rj$^LHjxs>Zb`!q
z>+G?;v8Qeg4OEAbU3Av4Sa!2q*2R;nSn6^}=JKhm%<7!1x?DO8Fza_8lCtHt@V=an
zq2@(K?{Jan(TcbEjk$F7z1t&i_H`Il*K*rby|P$Zlhu#qJ31ZYY4gy+ut+nhU@@*>
zWP6<6-GUWmzHb-UBC6(dV;n~I(Z+j`RVDP_yMZAp6_#`zAd8rZQj5jbKi}4zy?*xI
zNHlH!Ws8K+z?h!Q42!{x6}^YjHPQdVyX@&P3y+RwEh#M(ar||f@bc*H?w*95>lNiM
z(0ptn^@0~y;8KF80;?P1PDzuaxsBwOnWwY4<}rGDg1!%m;qg34nY)pZWbvmg9CAy*
zH6jULdPg}YGEzmzFfaog`|Jg!0vSoDWYXv8^_%VfXpMC_?gibdIPWNxGis)3k{19X
z26E~2(!UMrl>VvPPk+r<*J&Dw2w7585G?~{P;zmRB;vD4E+_`axb~BDpaTo<2|ksQ
zD^-KxD2@=52L#z;3gUYzMFmdsC(i~*)o8qnyd+oq^STuBDM9jS8{5s#-zN9q<C@Hf
zeS6FD?++F~_6&;V7}4iGdGhY%u5g)iIy%%Z&u@Z+3XTxcE7H4l%_o94sz>K%?woti
z7v6TVjg^H3lStm3JD+saXGl9_6fehJ%&0_ELB0!4|Fg-J^Zun~<3$c*sTvQBx2GRH
zc1#5rg<y0?i5H@euv{C?oge#jxcSZRD5=CZ{eYn3hjhJFoyDkm<*p-;7O1C~gal$S
zrDoOJYil=R0#vbH*IgmBH)AoG((-M#7gj?DAI~v)1%Wo!Wue2mviU*}ZAH4@OmH~(
zDg;f`%CC<JwI&(KwwuTddiKO@;+@`C_j~3g%Qm&aAl~N;9p~Hyb<bC%rwZ%vpG!9#
zYuUc6VVmDqR_-q#yz_Q=$0rY8xsCJlv0T?O5-bK+*~YTxbtV5S>V#(($Y$}a?kfJS
ztsQjKeWEdPbuMsLcJpARW<h38LvA!O&Pxmy=xGH@5^g+ANz8TS{t}ko-ee%*{V{SZ
zW<GXw^hW8YPqM`)3*H(xh&l{;8TPmQtUvhIzITQRvAHK>#WCSk%4{_S;EN`}$3So+
zC?Kew+Uyg(*Q8L8;XXbPG`#cXjWpm)wop}UlQJ!);V+HspSQ-z5u+zSrbu1WORqtE
zvfYpOj980~9653k7z#$>);}YW84VY}_BMn>78=+@i=g03L##6Fny5E#Rsp2j(Him6
z#q0rt#>ta@m}3C}gN{@9$`}4%)9<=DyQQVy=x0ltAbm)@_D)a_BOW?z!vHp8K-ZPo
zh+`~v+&9gYlbaif85#VJu#Fd0nzk6?;FMtJNAxWqUuREi?Y@VmAErADithdIWLb7s
z<iW5B1s_Ca9sD8c>gtT_>_Om6>RUIjIPBlEM-f060B!m86$b+AcAB3^OYl++yAu|M
zxepaeRcsyEuzv`ax+>J(5(!v3c3%O}b98_SWA}>n>EcQ@*mTugLqMj1A|P>Acl6$0
zrrLOB+t0t?k@5i+B8nud&?q`8s{LetDMD)q)Eszj`}{?(Yoo7T-9Sl&Ant4zIfrg+
z5{|B!?GFbq*}Dz|89bltftdLgU4}Zyj3DZw0C%L%ioCaMI!z&Y(+Op@a6I2AZ-|YO
z{@~cvYgc|J+INI<&`P~-cxIozJbQV;eX4>bTvUNIG0l|Ql*ucuAl!F)&R$%}(vbIl
z)x2qKiTl@bt-B)OV{gCSZuIJzD)2!CkUZ$NU&gDrtindK(7E5|U`>orOX0yQPmZR&
zJE&lSg}7nak>+{p4~pPh3|j9-qH_ylC1`6IxPQS_(cLP6k@cb*Nq*AuZK6f}+7j!6
zVT$WF0lLSoHEr(093-CWAE_CR5&Qj?{z5P^5RlY|{tWjV1LYV6Z~51H>D4DKiwwem
z>EptxJv)oSK1Z&S)9_tn(V5JatGrPsFji^Ql0j}UK?x<+BKgaJeGrPI3b}Qx*o8e?
z3Dh0!1X9$Llgg(X6~ggV2<YrFX|D=1(Liqrdyp;Lw)p`V%wIYnB-Hpsfj_a)!nR*j
z1p77EQI>h%1@9gHRP~$I-5$~b=m2F(La`%*!Cz@YFWe!VNMY5QaTJ-DQ0u#=;SUJ9
z48N$~!+;G4EZ8VnF$KVZF;^(4E;$^26li9mKK?rTSF7AHBo_JB4rC|l<7tDA;@VWv
zL+*O$Y=X1D4TXvtOtDM7g6!+$cj2K1;^+Zjb-x_Ly~cA9?2QfD`e<x&E0sf|?6gL}
zhXv3JaDYUOOKS7nL`hCuR7{Av<kx7AHQp#+9lAX`yM(JuK*vPxU(K%FyPuSla83_3
zTFj>)%`!ULqDiQL58`Un-7l&~LRI--VlZJ>62?_qRds}Tsqv+wg$S3%7v(z4KqX;T
zJM{Bswwz~=%K#nelOc1bYr?EH=e-YR*K5NdoI?g<`0m?<^x9fM-?yg=U)DHUKAExX
zE7EfM<6Y0LXIiP*uG5zhdffMRefe$ifuf1`5ZZ3B@1ZE1ODSj)A5P$^Hp`Iq+;=sj
zK<~V;p7!CIkR2ZceXkfkd%wM}AuQL(C&D%U#xwJeZIMp<_Y~|pX~rD)O(a3QyWDe=
zoW9bP9l<C$uy+=Yj<xO*j3eDSbW>sQR_-dDi}B&dlMUKaL&niRhQr;g5@uQ4w-r)+
z@?%!KL^Y{EaV_C!@>IAj`HH*T4tg@GkFuicU7q=6>>~PJM@-eX*Kz+GkhoR3!)*tz
zZ<Ofz!8%5B<U{ZJ)bqI$;=f0+v7pWQfXXSg>ZTmHEHacXI{(V;dOV!@AD3zpEpDt$
z{k$%O3qVNxPNg`!`V+b3klp7;r*B8tAXE-{x@c~Q7QyK{6KVX-h@i*W6<gV*l=EU{
z9@LZ}_Qykd46K!zdcse3SBLBf%DQ<;N85gX(!#I%9i+Co<gY+{&HEl~yRV&*m$UvB
zWe#ntJ^?TAJ1^x1)rZ}^eU2iaV`j6Ni3d;B^}XMlRXgmz*+10MD9}0e?b(M9#_lIg
zZ1zcVr&Yx*j|aF}Y$z#Rp3e;Feq>Q<t|+jZEPo@9*YXgVM5BE73gg}N8CHXa745`C
z3yN-1yhV?}8~;QOJycaAVp7Mcr(`b|9aIh+I?m6e8K6kb>w5|{Iiab9GBWttQ93G$
z;yB@50yOL;OY>dq%7Mp-%^H(qL~g$WgQYm{b?V_rwc9C)dSUb8@*4)etXoYmepC4m
zxoE$|h9sPx)~8M67axYi^|r2!&4uk#mrm87)ieGe$WUK`H7u#V+qSEsYVpUoI_AG}
zUxNkoXWlyMhL`7SU2M)()Y<CqX&6}0?Xlyb_sJU#`O7!EV=SI-k8x$;@VjLER-t!L
zx1XF*OLlha8oZ$|uIz6R4QDT(wyu9UXI_Ws)ln0E-l}E}4i4EJ<OGE{u=c-@8Z=`(
zV5kvWT|y4G=S*aZ3jb}FEueAmo;sJ>0$l_**f7CuZ935hFU_9K-<q<|yWCs;lhQ!4
zmAl6|;>MvTfA`fmRh^4^s(MZRq*JYvL`Cg+^w9P1FzK2!^2j=Q^zt#)@Lz7njjVpM
za<scVe0DjtIc2A%=d<RHoX_7jc`R`He>EnXP(AGQU`!cXcVmA0#v-=_Mgh9JuKBx<
z-4PYAOmO{3O0Y<b%cu?G-Yy(J<Xbdw%vG9GInejT_24ayNhdBVQ%`Y%>VzeWfR2fx
zpvjVw1pgURq~x(&h`Jq75kM5eDRHu{Oh8IVJX<$mU}^AX)w|3%P+?_CNHWWQ@71*h
z@m|)i$z$6R(<)``D_n%+*)acGi5|?Uo(BGLhrf*bLE{hInY*JeEX*v%&;7cjCla6T
zB&MzFK!F}Mwzjgc(*C<kWstMkOI)4&k?o^49eYDn?Yh0m;~s5RTOKivEM9V@q@<j&
zj`fU59b&iN(jclCASOvW>8j<C!*cN2?gK^j+|C;pUH+cm%8J`U0SE8X4hZ=CA#Ccf
z#0@Ntx_{qAnzCRM@^K9W=N;KV+OZ5wq2Re)m>4dxkz|+mtl?$rVR3PS;(*Zuc5fvE
zgSZjX>8XlO2V<vLr?`cGm+mUp?3uT8pWr%NZdVE<+Lh>Uat%g`kI~_Og<w~0uf<&S
z2sm;bvpa-7<au0n=YBumZ(AC+xQ>f)RWw0&ZWau=xoq@M6#xVtT=?=@6wuOR>8_lf
zAqw6yr)7QV(J$=1Edjz0M}jw}lpU+so=N{Ac5$u{H+bV`*<{y2dJ4w`!?#yZ>f1{$
z%xK8fgmT<TnMk?~9SMOA;*TXEB$pnd_S^7U$o04NS@m=+mDCm!NUj8jW!fLMuB}O|
zSeY`e$h&OfdwXuqQomZjii}j3JI5S$PCWh{o=V~L7<x2Jr-c$iZfx^E<$k=({p(H8
zLEq)raV@_AI|JCn-J`pnOMU97W&DNS&SIaK%y0YlGiirg_1mwZCp-p*2DlV;eb;ne
zv~9@rUZD}n{Nz90v069~CiA8s-m5NZI>gauki9|FnXP<U!?<;A`TOm;BR{P~oU@F@
z38m`aQ=uLXCjdLDBpFq=f#R#Z$||DcMP1oH`-sURNN7Y`hVB+`?ZnSLw*tJ^Wk$QE
zw+*h3^SZ=;4_<0J&tvJ++~InC{+Xb=@}v2?uWP%{X5tPy#)ME_l(^FNi|x<;|8fCz
z6W@pBTa-@N2=Fx=K5yC<R$$km+0$PyXUq`OZQa%P%2jm~70;nWi@1C4_J_j;AJ)_Q
zxH=WR+(7z#nLHtW8|75|8dq50e-EAasl^MQyAev3A-2oT%&&gyb8^^<aU^M_!X}D$
z>n8j4)%p3$E-Wx<pkED|h-BfWe>>}4^XrSmE!E_XIfY&WE7C;jjmZz*)WcJKlB=uP
zWUit;x?+t6qk0rRWnK*OiwwM`f(@cnqK#jM&?rB?D`A;1TgCIpf;FR?l0>=WGSITI
z#zm6jKbMmCc0>XZE$;i-(|LiMG#BS=edP=&$uLXmg9P>V={=(jpGW^pO)0JQtW)8T
zcpphJC3oxHR=mJymp;H1SydOhyK}A~fGu)fhPtR>VQS`h$#h-M#v``k+DWd1fXd6e
z<}>G9Sw8!4YbI886p1x{TwGY_%`+Zq_xa$(wm8T~-KH}Aaj&mkg6HbF<%tpVJ_8qq
zq-Tczi|+ZdeulVYdoHI5k^8$VIb_qMgh)v5a9^0bgu4xC4wG`y=VZB3A0MB|TcdIw
z#p~NYZod%TC)B7?zW&Vg{jGGxG4t^17K_6iw^sH0-VW0&l*lqLy#8gU;Z90i8(F71
zkAuZq^wfBWecso2NY`Omw&TQf+BtX&ES#Pb4C87GrhMy0tKTf&n3XvA(9qW<!LZ~z
zdCQ`z3j^7adn>X#=>PYk1*)HBIDv<gT}eLX({}oX>fJ9uN!a9E*kvCrWbA+9nX;)V
zAI!ZzTRix*nU2nH#W>b(b#<2D9Us##P+1&zXJdSKtlqZ&w9J7m)NB-;ER+iy$oQxh
z=(?=v#v~@JgedZ&`<yES`=W}QJQg{h3=H-+3dz!7|2&hd>MH%k>zUA}+)L>ab{2-a
z$~MQfk1Xe0I^4Jt8_Ko>HM_A?a7<y(&Rqe6y3RU{x!%{h!oE27_-YDsA8hVFBM~C=
zBGW>w@n&iCqe)Xw(aYWAzRNzIsE_{N^CRxYzH6#HVyv-~U)GE#+YAjBTsj2VQ?yd;
z!2?AHQ^}`Z>{N|L9A>q`gqZ^g;nx*#!Ll1Yvg_0OX@7L4?Ed?s?ep@f%9JX&!t$LB
zB#dq~zCS}<;z<j$Y2P5`8q+05d6UHV#~dBSN=k<h^_=rGPw4tI(7)zhDe}dc(%;+g
zHuIZTMjg?4&wr~=mNszTDhRKM5pjOqn0v*e>hc#^hp4bY-RjKg(SE<_7mGhPJ^DRD
zH98wI_%J>8+U~S&=MAI?>Cllr%YUm1afSvKlU>8Sw@D-}rcQtUwQFq|nYA*<Qh7rQ
zyZRUZVP{}oDDT<2Q&{-3N~E+PW?-nLof1=Dy}E8IY;(w_vrx&kx%*zHTqBAFqLn5h
zv@rJIfR7<L+I3`w&%1PN*sy_g^W(>lr)ryI9o~iww!^2#9ykWWk*~{^3GH`xq*eqy
z+P*Nh5UC?u-P7E+MOiHcoC`RWh7cNkM`_YcMV@l7tO!q<$;B0}31A;eFVCaaFR6T6
z8#oZt7_t}}@o&{}ep0M>oA#_%rT@hbhHGuQEjJmwUsO9LFtD7mF_xahr+{T@X=794
zvthFxNDuCk-xCPq&J-0M-<zpJ?YM`eP*q>hF-(xNO<<28*OHTy8|17$c)%id`0yoY
zn<i(UJ>y%Zu(h>)lR(F0u5h^Dw@!~#?%lKPrbyY0g$(c0iMqzdfb;t{d``Hpfsh0e
zr>x5s48-vRn>B#H3AFcOUcPvt2!hkHF5|z((Z(^wH$v%v>m7v?uQE)U8B`B+c+%vm
zhL`W)D@88%<JJ)nKhorjUhn6nFjQCH3_B+ZtX^RI6Y2EO?sz_DIKcbV+3?zxO6Fpr
z{v!=^2R2RDCSGyXR#xMF-ek!WbplSH+0e?z*46xfH0WJX_n!{^--3^t{fEDcG)Xzo
zqICTtHJGtaUX`&2JIDFvq{;0)1Q`#wcOe{y>za9)4!wwzb7#RxEr44vi3W-Xh7jrx
z4kZ2H=k={>c_0pH>L!7!HW#HEH?GGid~4=q#O*Cx`J+xMN0N$(b9)O6y?_#sNEiVB
z`quWJ=hKrFMJ4->k^sBO_KDrSVUgXE>CFR`LS^J6e0k@MRzt3^u!ssGyN%HMlr0W!
z4}mu(QxGM7czJmf=tH;kQz=MvANg48W+^D%hfi2&RACmrx@WcM6!maNjMu%jwH@<y
zhB;<I)jCwbI@S1dmN_ETD8XSxZ1}W+r>7izYZ%$ssFAh!{=M4!pVx~!;35vwsbc`A
z0qo<4oPq+wI<V+2%^&6nr83Em*}=`haR>TI*r!B?H-PD5lv%(&GMasfOO%b4rFJ(!
zZ%EHrroaZ|1DA>P`20SZF4libPO0AmmtD7svu#^`?~>+`x;2@@yF#<1=dn$vhGxLg
z_m9sQ8ivA?D67;MXgo?%g4ZzonVQ$;Pf-RJyE*HW!@$YTZIYbp#~%eAFQA)t)VaOo
z%QFlTfpWoa*rc=2-YIoYa&q#eLk|t|8;P86f+<ht?d=UObR`g!(zTM&r0=j0X5(QB
zdW<$2Vaz}+NadK6gNsT0G!Gwm5Fb_lGeV6Y)@Fo81yCBiN~u5+0<Yrn)2EcOT#e?Y
z=7-opv2>c~4xOBw<l^3riwhLk-Wo_0?2m|mNix#-+jTG8enr4~JX<cpOD{(Fl5+U`
z$-mD*peTXllab=2N?4V&%Z}-n?~ojopfi5367n#>YN|i3$wkL5Hl>o!to+rB7v)%U
zp>k2+0pbr|bVUOLP7mC~9UQz>bY;@c+l0p6l4FY^l}{{q?J*Kg*e5{4yIKQpyetSp
z0IOA1Re>$W1Hb_ehre19?&+mJ=yLiW>kHh$Die{LbGyv*^bUf8cx~T-iPCu^U^#@G
z2e`=w66llSL6!-^h^O$;IRJ)aIpj5jUgoP#sA_Yc&TjifV8p!uEd-^+Q#2DVGbcmH
zPvC-pEwScdLetKl15DA<at~(r206z6N|!h#XL)K~N!LI8U#}j<Q@2()S>Q6n5J^qP
z=AZo5pw@eJh_l94GU%<>4MyYm;ybUFE_YfxbQL7hu%|tG^k@?HaD-TOp)Y`2_}X_d
z%=q|s?>>9|ZUk8x-fZGG1m+FiEzk*wOf>Jq+j6P%Mbg61O7?>0mm?=mF)1$*6i|Ro
z`HfG3or6CMl#!C0Y$qR|jKQDR#gOnFU`hnOE>t?hMCt{$W5Jz?Ni@745q;etPTXTs
zIlNrkYh$<`HY%)_oIGrbPXWFJj&B@Su}zn>xXnm5s5{`2f=CAPUrKVoW0gkv<pZ&C
zl;6V%I}Wnf1<U{(a7CVGJ_b@qRa8@>ilT@ZWy5_591qgXqn8RU8Tygga*Fq^w6Iu9
z8u`-ITD7%q2%UWQBFQLWQ*4CS!N+T|HO4O$v-&9Y0$c`CdZ{f-DyP0N8uz~6TTm@h
zP(;^FdZ!@m8`~{!(;>v`+tl(v>%6g5o~s8gidt+%b)9ZOWo_)ht@k*PAuykC_C%U0
z%qusePXuI#69DlDKYPF)hOdrcPRKBntJYlV8XA-&yomXF*C7YCzVQ@w0+<E%<DF6j
z(HFle-f{76l*XSgoQaLcpol1_IkcR^DnWvnmK75W@K`N+jyc0ODdSkCz~4(zWr#QA
zJx|Knmv$%-F<BFrq9Jvw!0beGi&iHy<=9WFw&%9xLl(c!xF>HL%FKVf^k{W^`t68M
ztIy{om94^fC;iFZhOqfgP+aakUw-~EyP`v`zUh_aJl3y8{w!kdXR5WlcS+^akWO<x
z>Ti+^G$q=tn|($LJ9-#43xq1qv_&S+2ceqquN_c2z>=$;hVXLYT7a$Xb1J2BAY9?o
zoYLs97iSd4l;@Q8ZlMN5x#8K_D^rrWRlgAdP~4dzY6@)bX4t^xyK!I=zV6)jcR6Gi
z`+IKilotUeOv^3L30+R5ZHH<I`>j9`zO2DAkPKQ{ZThdO#}+H^dfK!6b4Y!`$ykbB
z`vC=MJS@&vcfPha%$`}6rCHy5`rWLRVznvxLdaut^W{|S1S=Bh*E%N^eZaoSrG4C)
zyoILxtHUR$*$oyv<UvIhw(XV$xS*KY0!rJvT^H_$LH3O)SEJlKCun*8FVCewAFPzz
z)W*N3A(gAR|D(>omo@O<8+GOPJm&vxbwuz%c;jndwr&iaRQ()iv?(ltOf|JdIsI%O
zPM=NAO$;8qkh}y#mFgyz!TWYFXZHdo#uLKfHOg<o5tIV;PR_cWW&pmxEP|*TJUnD6
z$(2%~B0c02({-#ZEq_gU(NU=cv;-OmM(?ORf9k=52YNGUlsA`_++te~iNNX(6s9-L
zY;o+6VWIz$35gx1gU+|}RDsIhrS`p|@<<WmA+?w1_j#Z$ijltYs`^XD?Jcb@Q&TJR
zuXSVr*o>3Dv56qG9obpo3%<wH4}NwRjkkjB>iC4hdJueJD$ri{J`7u*)A6qn5nF<X
z(o)$TPR(&ya7x;h4`#>9IFpkIwKnNRS{mi&vbfY6zyr$``ZvecUT$~<(lxk<W8=}4
zeLRN_eHqTy(12A~j!b@98ZAi}QO?1&#SYg0DuiL7zYoXLmaAwe`-X-#CY=t1yNmPc
zPUXOJpoI}Y?A+ycQ2%%%)h1(mR%$9E{}x(>R4}!Iu^Nd7Lj3DRotHxpn9QsxiveW-
zIE}$(Ns2rqlBF0&a4UqBZ<<$ec){Q%jy6*Hl7V}*k#s;mpSC=`I|3}9-LCth>md=d
z&L@=PB%QpgQ4Lm5+K}BmDJ?DfAZRb-<2DEWjYq+>7#--66aUxR&#=C(+Ry9z5w?#w
zfu^>$K%_(WBSK=<QSCPE9tqp-Dr{$u@m~L|+jiT}k5^p$L8;Qwz*G_Sl1Cc53DFd9
z)fmAWOKzfms6q9Y^y>q<Flj6Za3kbXfq~@;Yf}utt@5x7MXvKP7<gf<&^s{^j!io2
zgNC1SQ=b<cr$cetq?-^EK(T-eQ{1`lo@@h{Zg|LwSD_04JU=JpfH4-zJZ$++#>|Y2
zw~$dTDJL#1{oN!@=KwKEYs-fERKLLHMtinBr9&L_9T46KgJ&IB-OqLH-oNtP;xy4u
zsRCvC@!=jd149a0U;AuG0xrQgfCz0Rkx<BDDMt!RS^(c)cI~hnItb*e(EO((2;QZ}
z%)|uCTN8;z#G&|44b%=mFmHCxkC;rr$oBpT^MK>T7zX$6k>^Pa#fY?r;7vy!%enr>
z*<<b%JQj`70vZ~~S5G|q@<ie(P67{b7Ivb!!+6U<_H!A0XmP+z&B^(|xl*iJsFH}2
zZku^NI-YH>ilK**OWy{JaUkfxS^Yh~!fmxbp8I1WeUx<bnR@gaQ|H^X`wVn<UA27;
zf8K3mm8H_01-3o%;GMHWJAso5IvLKatTqqlE(X}ODP6d*O<7ra3oB~?FjUQemX|<{
zIj|A9AcnekWMpL6PEEqx%<OS`Ivsim75~q_SF4zY#s)~F=1oiSnp8p-Yx?*3>L^Ju
zCpN`(H)5Uo+}RldcT0F;d>r;<R(9LyVDnvuLB>6UPp;_H--C|O|BKS}<Ewo1(p4QC
zL{aGgz_yPB*OnlO5eJ5Uirt=Aq(JT03{a(Fm+&0=OA!6{I7e{(MOKiafY0zZ$|Ne}
zgJUNGgU_EouLw>o(kqTBDw2Q&+=MmaD^-3jrB#$)|9%-ApSKbXc672lJvy{By}cJv
z<ex~`@<rvJED${#=HfBp*Eookl8bAcD0%<;yV!;si7%&s$+qu_XMY<6_-a&FGBSR7
z8!zQRwJ&PZMh31bs6>dR7~u&0uy31pv^0w_*(Y!X=-U52>x(h*e3Ff#YQxB)(5{c1
z%cYl0?|W1P*V)t-90ftFBosY3hfY{OCeR1}d#?X|#L_kbcO-r7w%kDKoVJax9=PWv
zAF|hCKH2LBTge$28X>P26SF$szke4tdmmxc!@xT(_WKdpfFO7ELjAVh^4psWG;7x)
z`}Vy0K^B!FyThoU;hK%F#Lda@Prc6z!c!`FyTlqP?MSy*r?+aTl>EO)3^lLe6XF`E
zUGNlLUau8TsEtVse?rH}S$d7*)awo8mm8UtIV&?2LO;|@Z0U3)o2^`#qL{bw;1=GI
zeyw|TE$-^_jpLsk=nh)WJrQD=(SB~seBWaGqo$f9eCq$M^zbsV=#nM}j1MfIFtRGS
zBUJEU;75_(M>oa5xPbNggZ3Uv!zrkI03cVO!|u${w8EQ2x`~No_-G<6r}oGQl$TOr
zaR+Pjo~zzI8GB22ezS;conZofgL(H-ENg}_#Xc_Pa*NxU#M$1Tmj&P-w{(uJq-0oA
z=I>ShB5_5G1Esp-f(PDgFmOYlOMrt!^tcRk4G_V@m@qIb%;|$TSRKSG`pa=FRd?7?
zdUDYt+PZ@gBR@P#|IwRt<{S5Zn;NACiGTnYK%T!H5Kz2p_dgLMj1vpZy;slJa`7P`
z1lC;4Xe;d6rE0+7A_(iNOS`PJbDcf2=Dpkoq`yQ9xBfz>1QiNho9Ep!zi|`BLnMti
z*J7$0WezXf|0zxefuM4NE96*U%XDcU+$=ut*mrDCctDkus7Mpt^6T2nXJj|WM0l&%
zA+h-U;`{=hQ<3XG)KIMN6c=Y9BO}9QdggEUecjooM|ffBi&V2QU7y`&s*C;CDto&a
znD4{e=O(r@6kX%rwoCuLZ&jiwvr)oWb7@0Yay73l$9yxouOGMGb3zz~&9VIFb?DpZ
z&;b^#9o!#XkLrMolvz6W2t2kBY$zx`TL-6zePHV*!XI^hyvyeJSvW?6c00G^wUpZ}
zs|sVBBPjK2H?bI8dtAz`y!2|#nKgLJmzTg+m7blg06GSg8hv?bStD>10uI3rcLZv_
z-KXN(Mwa=XN_3XEGUH9fVp9QT4ODynSOTG-bCVWRrb@#vp{n@W+UgFxn|NRQ;W>21
zX@4Ot6$L~&XrIt&R+(gPeB$sCj0iFk42MCiPVbmshk}TLgm^i?A5fjjo^3h|4N~z1
zO^98r^V$JIkQW(@&$Ut8pGVfqg$Xh|JmY!$E+|VY)1^?eD<a4PyYOj!ePXOt+@m&1
zhn$^qSdIk)-ZBLUW796co8dG!stc;g0IqxuarmsP8-tE0e>kq}#y-uh$Vp#Y8Togm
zpp}O@@V)*$znVG^v4pHu=T$TLQ&;{FZZFAsd3oBVnE$)XwOfFhRz7<JynCCT6o~$y
zwYz@(5T@KD5+oN+?wp2~nB+J4z5DyA!>NDY$|tB5Ru=3v5Sa#y_~3F{W~N27QP7<`
z@5Tyx#viOQ^`BUt8&ko?g-#Q@OqSUPCUk;;O};fJF@D*#JNsCV<6n0--cN<D)4K`Z
zBLn#*L664Lz$EDo@5;uqz~JTeFkl<-5uI_<0F{b@^!3{}Jy{}{3%AOrvhU{K(k-X*
zRSEvuZGV6KBZ4R^<2?RaCId_{03=<P(cJ=Bxg^Xc9eReJDZ5nc*;&FW6e{HSI~S6h
zh|hpw&(6reuD7bm!z&~*0$d`I2z(V1CrsfWBpa=1u-4CP)i2Qo(1`J?P59Vei?GPW
zY;yoBzLkB7$xT@UG0)VcIO*|x$b7pf%p)p#FP<5%zmo!3ODKaWsi=s<6BW&Eo+l8T
z>}!J#ufrY&6(GcH2OO(E)bv`0#8)@98;t*E8~bZ>664vU;qh(g)Un#Y%DybQ<EADi
z)@2@#V5KtU>MWKLGf-}=4`P<sJS~-PgZm-x&hF?-Dk>_B92|8uwI2lr7aZrjVp?O2
zEk+y8xyML4K$_h624Cmt1sAwc`|)26zxMbO(t!E?U#?%9+A=<EzC13{c*E(y$Hrv{
zvjf7}+1vgOgs4&DVYkFvi>(rjgCg^{#3l#20ny<XT(D;9-v@qi8{*V}833xi1qiFE
zx;oqYDbv5*>b>G@&34<~6H!$A&+0XOrF@;&9ww4U-kMQt`z*NBeV&|zlDt~}!M%IF
zSiaF(=J%LFEsEA3ABd*6EgLu%_$|=cz~n~-r3;Io!Fw%^LvWA<8;I;?*B~Gx+^W-h
zdUwz^II@|7HHhX4@K1;D6rOlzX)O{yfSQ)}2(+7FoKik$s+?RyVEIfU#Yot4kq9sb
zw#;n^m<*`zC-iKjHq&<{n(nK-@$4P!yN3y3>r`QG?Th_bT!_Q?r)S0MPOuC~59+A|
zAP)wtH0pl0{wJ0{@lq90QBh!afI{2H+RlOQ`iU2h5IldAGBW5<4`K^}l2*KaJwq>V
z6P^oePFb!@eUV2FW`fR6Ay{Vqfgk@$>Gk!|Qf~tU&9AR-dXb*D&GdVGgVr&c{9~!f
z)ueb8rOU@RtvYtSOyE!JnYi>U__kZ;@YSHu*_natCrRlEu6pFw9#+oM_s$o)iYHM@
zY<)j^)AD4CsdvP$*Lh>AYK;2Z?k_KIEFK>`HLmzBoN{K>L-x<<@#QxYBc7!bBX6z`
zxfxH)ZwHd(-*WXRcnDXmtU!B_co7DcImh<x$cad59f^#I*|TRvVRvzHF)Twb<+fAK
z(|=Wg5+8pf8%nSDKmSy`A>po|a6awT@a>z{+WOk12sti>P8$hGBYv$?Suv1gS0*b-
z<s+$xk(aRaXWo~O8WgHB?4{UP3x^WiNgk^QRvbFCw6*!L5hLaBb7IxtoBsZO-W!Jv
zs%kcDr@*|u^&BQbv{Wjm1^deL$;yF_TsioVRJex-42J~!XsWbNVa5V@q=nH&Zb7gD
z?3_Rv@QapZ!ZQmDQSy}L;X>zbSAnau^!}$(1{|dg)2exP6PETJ5JeFG7DI!K{QL*S
zc74ie)pz!-&)KdcpGJBd;B-jdo+@e`L?9A>4{TPQ;6qS&?}IaaZ7E#avRV9i0<G?=
zc?B!K9D4kfAvFQkIiVPL^a~o7$)>%b@nPHE))q2jut)WfW{5x-mt0+!v;)<A>`=Mk
z_s!$MUHyr{?iDR-0k>mioCTd>ip|*4{^iR%vR+)-&qbd;o%&>wZFlzNeTwqD*RQEF
z&g|K0U}2H+xCDFS!R;>IPMvSlKA17BG~lAf83+#H3plj&k+bwUTg@yA3g#S@KBr<S
zQk-5oz4Y_bdwlBlN1ZtH@BoW?M8?j&^)o{~Ufy^D7A<u3^<{SM2x{S-TZvg&11d>R
zvdGq<tZgq{oqeCd(DGan9rDrT(-sy20#PTVUY_UR&(!G&KcXtKbGY6_8ny0|RpGNc
zf<9C%g&7IOiEeB@(_7j;mGqI#WOjR~Y8m%ZPxOcCrRQyVzB|AVR9cPR!F{K^D6mf<
zj3RMEvyA(Lq#7WicD0c@?G*{|@gI76_R43E599i}x*tXY<R%nLgXFmTmwc2<n5qsd
zo;$}ZzcQ&pRMclSk8PqIU667Zq$T1qU6%rBDzTpvhRc-*(jf8%K&Qj%LpTRqX?|X<
zC+ic)Ha?MLSVY6oAC=5`pHgWHe$G70%w$kl9oC#Wy`=r#m~tk}^M@80%u*SQ-^&+t
zyX{BCfQ}ZI!Btb>fj&b1La`F9$l)zOG=SiqX?!6C>06pE-wPp8QRb_8dgmWN=|H{K
zjcJ3lwDitDTg{H_+)vnio_5-U8i7Q6+u0oKMx~_F<-?Btv;jq!vna`7CV(Xcve`W$
zmi*?rfgR<Vcuh&=CfU>_6aLA`kr%~dlW-?x)v+qUn+R{G&-bd5O93V=uP*dThE1f>
zLgYR(gKD?zu@yRM)uXB+{vFW>Q+o5}jn5LVmG;F#a~_W!#QsDgI7k)t_=OuI-ykEJ
z>QhIg7aa*WB-4GE@%x?Mw<AYza92Y~7TM#ZBr>e5keygsTmJ~3=qhFvIZ)L5UoODe
zmtyZl#SHLzonD8^*RHthQV(BNPuAy#Tc#AG1ov?%QaMr%XnIGA1hdjqlWG32a33U3
zEJ6j)F^2w+;kW6>;QOxb1^M}Zj2_%_>wwWy%zJeW&OKH8l{D-K_<wNlGLhw~^Tu&6
zC;(hhZdh>i^!4o#D9i)0H&iWWUOMmLXZmp4@TouzS3yT8sH#t}>L9kP1|$^}ttX4l
z1zC|Fnq>TU)BCcnb%@9P;Z$mJ2%fw&QM=&Osar+1C1_H5H&FVfEH4n$P`CS3+l1Fr
zke>KcuG@u@fSdM3n4dd$4wru6t#+EuEhOzcDJ*0YDqGkI;Wt5;m7Of7U}UFV4LYLb
zA5(EvSZBMAi*^kG8o}-lUKCARUf!zNLeeR^zANsO08)GQN^&39Ww~>&LOGDiKiQ1-
z*s)4KznIxY58uHzn^RVO`)1vU>2aK-J-NlFI3*PoqItE{72#{NGn=t^y_8csPyto1
z9YWIL<UKj)=;(Os{Zsi^u1B$dTa^MoltjD=*zX2Zitl`gOGx0_T6Q=BeLl`pOkA7@
zUNXvLJ(Yq(oT7wmeD8bvI@;(;b2Md@Wh^&eFh;VU2Ivp~-bk=f?O<WW;2Y#sV4>zD
zPm~g+<d*l)c|8H;j~8dwoa{ocuhLH)7ybSvKid10BDbX6=MI1p*woq@0Fc83`pPq@
z#keo=@$o=3K4dwugdOIrZ8DMLeOy$;PE;iVi5@;+T%t4bD;){vsS&l#NN!;Nchjm)
zqd&PHn{U#hIbQYp_Djj8{Q(kdES;jmd>T<ReJ8e>5!jWdr{~tIn@$44g2mWP;8*3B
zb1SUHE3L&T6x9aw(tuJ9$i22Hoz-eOq?LNOpEHb)7m*1O4w)}rP@}B?tV|LXocV>=
znw6W$L9HXz;72WZQP8sWI5;@;O)u{J^L%?y2;W$}VDx4xU!{v*Q7(YYxb5{d{t&;l
z>d%&9B_9v0BS4}j96b?Y6mZltGc)Bw(=;U!eC7w@RaDi7n%>zIga;|zFZAM}*rlX#
zS~5%pYa7Dk{X#-QUidr7+4oa^@90n&cjFJ7ssi8wY2t388RD$Hgxvx*TANN>KSiux
z#E<<!2Vj3Ih*mx7_Fe42n+dI%*;!u-yYb%&y~^uiouZ2>9()<wwS^<9M)e4{b*<EG
z_`&?r_U)=TLRVmH84(e|BU}=?k;qLaL0<jjtp%|pq%_kYY;>!jm>yX2h<_nkyQru>
z_nzhMtV+u;7E^P(%QeRV#UM>(v+T$7`z{=zs*9|Xyj!;ND>?k#m=gkfH@FIi`)6yw
zT%okovud7(co-0wQQ2qLtLeSO{PgTzxF*`wAB5;`ZDmMd02nw)*rrufMn<M`&STcC
zv~q5N>mc?kQ~8>pAUgIvG$uY@zJ9%pR<F}*d5l;WY+yhCqNVHGH-Cf)DMIC$Q9OP}
zuauH;F9LlUo7_6C74XW)Y=<_y8g8E^2RW3scn4fR%|vN0cQISX<RH0{fdn|uI>Ev=
zuE=(<uXCVmRG5#??5QBBmG`N4`c!&uj^tct<v%ICndS-WpButpIFe{x7^nn&awlUj
z1|<EJ6FU_fz8*y}OX-~n(lDN-5-v0_Fsuv$mMCv*_>`(n%`9|lX6xqEmQC1Azo=Y?
z#*b*Wk-Zji>&w8@<R1~8PjBI|Pgk7AhCE}U3kSD)3ihOgby0ulp30^(&d$!KcdRW^
zs#KWewOc=_QHVOR0iPM$!1A@*PB^v!i?z?^q!2r~I#rdL$Qko>S)W_xZPRQt2P9tU
zB<>RuI(Fm6VIqPTD1=f%vtqJ7{-ZOS{kawoL_SZ56<#0Q7Q&>jpo7j&StQLu{z2BF
z6%5Fg23m37FdwXWb7KSrdtEeYJ35YI2OMp9Dt8=9x_HS3>jf*nFWwxeBcNQssn$h%
zg7D$1Tun82YFCCrzsW(8(w4~Prlwn1+es9~zL=6GYZWvPAJNy}j%MPpjq`TKDonhH
ztTZl`;0=V42Og5sr%&Gm4t~%6ZsFkLEtz=s2NJQQEqxA<KeGfzy@6nihW-@aSbR*R
z9Yu!G>Qa}8yb(D)=hBkEz>g@ik`4*(=%Nn;?^2T<KZXivWxA1YS*<NK5+Zt75@F*;
zMthre+y0U3MU;yIt1n-@Vp{RU)Q!aUU}`6mE}uEB0IFDDH`S|R99Tlz#^xT&hM|O=
zENHpv*F20FKEolZqi4mp5>qYEog0Us>D#_A5c%tUkIPUvd}QlMd*D^nI)VbtHz60l
z)nyZ)v3q-D5|owdpXo{9JkcyKHQl%8_ms+dy8v^+Nq96+P>-L(f&<w6sJ1pMS_(?@
z)#c5?p9K>eS+zU?@ow_-X`~?R7}g9hF!lC;s-)7US*Kz!6BYL<M{BfG@+X@vIvC=s
z)oRb|A#jf9`o+&hYeagKd?Ewp%f1irvJtwdfP)nF*Mzyc4^#UD-t6u+0yB94($@-j
zPd?%JK8qQv<+W=^y}cD6K|!*E^O1BLAL?jqw@+Taq?ssN79{3g1j1!u!H0J1+mpZh
zu6?{pf+3}dQ$)&j%cZ3yVisz);OAtn@n~y+L!y_T_I}MLIuZ=do$}if4Hh@f%=Cn~
z@Akgg{>z`=pUfC#4*;h#NWMahG{$_eig=6`V}8YiOA7CaPYwjG=x<o)&gq^%Pnp{u
z(%)}_2Lg~7VHZ^r-Tyt$s`mUhwf16XArg^p%ki4CzC!!lIljsFR+g5EuuXwA+J_PT
z^D=yUW!Qkel$;^LXXZyYYZD$7n9aa07?T5^p%1dtRRk`GHkKM3Ac&2ib|fRXEn~Lc
z!H}yc#iABJa_x^mRwkJuUNux;R8c|^SQq2UMl<;ai(Z_42{ESc__$5C%=vv$s%g>M
zMy?x>q6N2ty+B<EBfQuKDy+WfIC^@Z^)|_#RJFyIMH_puU(RLc3g3tt1r=FHTVOuu
zPVz%PvEwvy8|PcI+de(FFRJotqt0CfWWkOCa1$Ye!lLf`=>}dVuoWh}H8Rh>Jb&@?
zj&aFN0hqS+6K{0se0P07!sSLR)sz0`NrZSDPz%xdp)(-$E|b}Ns!*NqiMa@RQ&L{u
zHln>EG*pF!zoe84^78ud0Wg{pm^g0IX^$O=_-l9|2*DMiyMmz~feUuEo|q5Yxjjer
zDQ&4*AY$Eqjg3{)NpvbUapGx{MkZzD@VSXi%Ejb2kC3ZL(yy1+hcYPq23WQlK?<Y@
znC=wg95)P9pYkTN6Th58QH~soY_xDhKru|aD1^62e=*6XbltiXeVC0F%9@gSmSPq*
zonB|@c*0r`+4k7Q|6zPtPGjFMxwjnMX;p~%JhnG<xV#Rf>FDQijgcgG@v$t7Bmo^}
zG6U(wjSg}<qI%YeSp6>^dU#Qo?KI4U!@}rEk;A`Q->x0T{F5rToz}O41PRag?|Pgt
z=6;`La_He_tabm8Q49>RmA=l;Cv3efEiHRP4KX?afgz2j$K>hCsD%Or$w+*CEf=QX
z=r@~A=idrBU!%5^6BCA=8X+9`bJR%&@B(^bsLglE!mTB%-TKl`X|$*Wj}m_YKY+Rb
zso-oQA3eGQ_WHEHil6c=Py(oipO=+!!SLlpM#iA|%e1sATkqwLEV`(V^$|Z4&4f+O
zd#BXCi+)SPRe&rLJbjskY+k^<haURSK1H8`_{LgLHyXo3(LDeGwov6C*u#W<&K}Xi
z@RB|HdA@2e1g}5Pzg}?W`#PR$rA~p*@|mh^gp-E#naf20PGHyU;icYr9Yt`EVX;$E
zYU*Z%rKa!&p)SkMEiHbJ9&tE2IzGla4fyp;stgl0!3uj$^kG-B*QEPVBS^YT@(^+I
zWF#<PBI4sib#pIQ>*P!|oYR!^gRjRX<kQ!ll<3-OWgmDc2aAnCnFl-M>E(FXwpiKk
z9K@kjK+B%xHhUGuV#440QAyD;eXu<fbd~48c5R`A9xGwktp{NN+{(i8M^#NrLiF@f
zA|JJhBhBG&?QL6QDX3&v??irN&IUAo$@P@@9q&WiF%yq1cmGqfeIR>1d?>5liGFpJ
z^IK-|_Txbk19efio+;Cp)7`suPC#Du*#)2ZZg&QWZWmK)4rSWS*u{&xxU{4L)#{ii
zMdbGi2?bPKR8&{5&yvfh+4(49BTB_BZf<VGsP66BZ05q+{9En|1N@}d1qEPgQK0tW
z$Gc}RHKefqx10t_Mwk|NOCH}+RprB?Ozp#iA5~VC@3UdcOuXx#tb6Y;Snsv_!cQZ=
zJi0TjShKHZ-E*^%=WNvDkzFLosy<og%{MoniHawFFVHISSG7MswaF1;KfqL?5Ku_+
zBWEU({NfMh*LitlB<u$wH-3M8@lA7!iKCNKKMeifWqPk#5rhE5n-M<R1N`<~6(!XI
zuWp5xbkY1hpc;Q90rnLxt9)Em*!S8{FEH0LSC~edQJ{|pBYFSo(9uzkm4#XbRS+rD
zs&^4*(J$>Qi#m`Tv@+sq;6zP;-7O4Cyk&1$>iGVBa;lb_kB`r{L?FnXxXE^ty-Ii)
zIYAq8K>#7BR(^j$0kOXaK%86*QW5Y@KVI;jwm<hy%%jD5TSn@7pwN<S#XJ2^<$aO?
z3^E!0v+IJjm`FGE^eD`n{CD)KjE7D$RY@iRM?fnIGt$k{WzG|D-Kb_IL{7>{fv*g9
z?AT#xWmSo%QH(d_9&?LtAayt_YKZL;Z4Xf;V5)>ZRqjdE9HmkS!~1)8i7SpL?bpai
zC933e9@Aw-G4a<~Gv*8z-3zs7)_iOSGKc!JYkz|})?tSPq9?`0GT(MGn;!A>T#dQE
zi`vBFEbvqiRCI!swp=0>ZZ-jeg9)a@JG6VelMyRj6J7ztOdarr3piiNg4$MA1YAJ8
zO$eDiQtIV%k$4Nyou#Lz$H=-Kf@OOcQnrbHJewtyr)C554d0q0QL+Dywj>9AHRs3z
z>6OLWu3v`x1?B1K-04l5o*W<yH(wtQ`TH2fDE&Q_6>OH3P_<6I+bq<JTu|P!_0@?1
z@I}hG*Csatf$qaSBrbOHzGjG21M>65-<##o^vNAJD8>T_LL3c@$VDLPC+;S&pIW^%
z8ozey8n8Q#Hp<O@J?Haw0tzz1o~>z1Fxyc}`=Gyv=`+bNCVjZ?vcXvKyTn*A^Fybk
z)>*sP<@`z;GEK1|iQK>c_c%x53zLGkP%_dHI$07$k`7`2OKdZQc`crRaPF1fjo{=t
zo&VV<NsltP&~cavZvfWHWIY8XQaSpzO{nvc4-l@f#)kXtua&xM;D@lwucUyQrw9Hv
zZ%25rm5;P$9z*>Bycj>|!f8TPDFP}Pt)`xAvRc15CMYB{RIi(^RUs8!zadn$GEwu?
zDOFcjsS=|Jo#0a%idD+Rhx+>mCNDTM#JO{1^%V_)lT`9}WWfILqkg8p9b&u+7drA&
z3nRws`xchLeWWCL3~cXFw6U@I`typFm5RH&4BXp7iT1Nq;q3c+mi-RkiD3utBkstx
zf-ZmDcJ$>(yY4OMUBWa=r^H1B=!}?U5yq+n&-TpSJ8X1q9uiF|&%TtL#9Dgow6=Bt
zK^#SO39K9iRJmfI7s?v^U^m4E#ilMTk9zl3yS4xMeMCSD(U7dg!N3eC5Pa=Ws{)e_
z1bq)PJ;F?9c6Ju%o5=kHHe2hCe7ahhQ_71U!;dN#*9>%(ZnW!B5LCq2s=uGygN1);
z(kQC`lt+B#e_o{nybQ!EK*_OZHGI9F^=&zLG*5QdYa4s|;n5-~LY`eVn{Im)wJb5c
z_gY`>A&^9zz9PmEgj^hP1vMWSbKt+zX;(?-`{4M=le<)!BnM${08!Xh4?&nklG<Kh
zxz}6RZXK5Wx(~zJR9yb5R+mzvZb@upK^Yl>m`x^Q116S)D_3qoquXvx|7U9n*ObI5
zE=fDZi*b}UiTq4lG}LM+L-!m!coghZ%u)au0YEh2mlENED0h#L#HFS>gU&eNZJjM%
zYn@N`-m{-8#Tr!1eGyd@LCku;LvqE|_)yq<m!H=uAD5Zn`w!cMZGVn5+>>E~-3Yu8
zO%AGV*%x)S?d`c8^c(T;!I<<|-e{iUf!ZpyguNnfP!_#7|4JvAcT+=0-?<AH{16zT
z6U-=L_Lx7={$0=7TtUPTF^?fU<_MDOd9y3mu2q9+V~>4Mv#|5t%yrRhR|t5rty%>U
znaBVmp`)1L0GPD{L9R;gwH3zyEQF|@x3LGfuG-0yp-+w+dD`i{zKW!89|pe31?RWR
zU2G>#0P8RaN8$8tXj&;<%M`e$(h#}=*TxShilx5yhwdj2y@yl?pJ{YTHU-;(ry}0W
z&IZPdq?<K0H7`D>huHq7@o+r&zH-@FE^N9~;^HBycf}|A`|XC`X<HVwXOBPp^0;h}
zAwV+jcdYMRnR`>S0^L2kU1qxd-_1VU-310gHj6J$;2!j&<k+sQL;@Lm?Iced7=(<E
zkLv_8{kt~A(>2+mZA_;-h(C{7S&hWheQ9t1;I8=`fou?SnCkWDC~-+K2ZNX2i-<rz
z)S`a40IX;+uuqmVcuo4!bZo5M@9TQz`Sa&HVIfq<#286v5dyaPIO7d0MDdW!)AUPe
zS{%<<)euCZq?->#E&LBuhFr5L(6@_oJ&Okq<b;bbT=$6!HX;6Bbae3G8^<DpC#}e4
z%5sp-$+?viBDOwoy5>0P*YGeIscB1wNf8Cv<Qw%<rv^J<7p5w;Ka&ELt-rzzk4<|L
zt7<)aU@ixHq2C8I9?V?&^23F5)sy)POD7m+Y@FY>m80KU9AKi^IMKpxId-z5R=dpa
zcp*8BB(bJrk{IIDtQv*kiydbG)E+v)%16}je6Jc|(JiD(0x&N^FA2h7gn8L?`~-pU
zZt^qHFvoM{2O8yx6Lq(z6VTNWa40Y{?hIboN`gBQbJ$8NWLL5HC8PVdiuS;Ph-x;2
zzlH(-#v`HsG^lt7PJ9XB99%rbHHlY}IT1u7ZW2Is2$pyLK1xGdw)ZIb2V+hunXTwq
z$xxw!%Lj%1YaUyqB>7>eg7zLA{RcC0;Vqv2Ki@bOcd4B?(Vv;Emkt02jfTpgqnSBb
z$knxDm*dXw*@~K+d~xNH>U*p%xbRAb%kvW(NfoN{-k$%Q3kY8n(E0F02L9YtqcBl2
zO`mVmbtjdBIl^xL(z0Okb{fl)*KB(wJSp4z3hbWrX{zb0$gTVkP+;8QU0PZ?>EuN2
ztsp=apxzm3H``DdeUHg5Z=D*IoG4K(u~=LFkfevX)Iy5)Qp$_G=)aqq)y6->tE*^X
zVe#JK<GoSrvD^*=Kd=usb$5q>{|}Bm?ZebC9@RRTi4uz7YH}zZP+2Qs)Prs~<eq6r
z4C_yD;orMo_kk7J6Q$4(5Yi`}uDSf3hFJB-K)53>HDVwkNT>#7I#K|9uxLbZh2BEW
z6zH7<F+mk=E+Bkjpz%lR+t;s?HH9Fcf;2(^(psre5?V_`mNPE0CH8+{C*b?{!amN=
z*E*e_lfy)y)$)sGN8U(bnYP7pDUjf@^Qk=(+hm;B-ytLTS03+=uCLe;v~XiDU^Ymr
z!l*1uFTF$_UyBVIxcXk}fx{;nxAm^v<))Z^K=Lg0R`?z+uTfJRJ(yfA!En6(ZFoJ+
zs^lNtjr74DVXlpeWn$aTrD#&LDnz)S1*pXT>sNeeb8~aH<y3)Pg)_-8eq-NiNBPhS
zYr`+8^)pq6HoD0NyUOL3m|{u{zb=O13x?X-V0-u=(kA%ZVK~P^MZ9@@II&&>a*AhX
zFRd=kmayh~(`Ukz<W?H$WhE)c)oB*Jbgk~-hYh#ZxIV6#W5~FWvo`i8(*f@^Z-@9J
zH?yCla+?B%M*$*C@erA$Qj``~mkd0lU2}tr;DE$MN*l`=w^HC0o)N5`k3X%_Jey9U
zo;l5(mH>+$CH)Kgwt-v!E<+$r{OFgVsvjpX@73QeE?!kvY#<2Qhf?>Kay4p==SgM0
zRQ2oZl1|BTVagQ=nU#H8zE&r|cZBK4HGtkv8h3wj-OaR0`%OVdilsX$&qBDylzTS%
zVAcczTjgJ5*e&mgbq4hxn+|28!0CLox~2LpVMhK}qfb102VjXrqVm1;?&l~!u}g1s
zym4d0j^%F!WdOu!5yQY>Wif6?l+Xkg4yWZ}=BxIxF)nzoh!Ul@!WXt7hfwQApcKSB
zq(<-ch>xOB-Gs-GjM$(6TQJMPcaRmRB*gyeD<G=<Aa%I*p>)hf{4t=hZk~-KnEznT
z1uoDvwE=^pNBwwyywuoTN$4^X6T<<K{NXjhU>yD%z@S(h!%=Wj-0UsB%g)`JuFtyl
zY#zAB7{7RQb7{c>3sFXzr=74x5pWs?Mi9M-zldx~{7*TA@4^NJ#Het6ZFytEM$l+3
z1JEkJC=7p}=~~cSFw)&uIEVM=$vi5aU%!4)tE-xr99m8|UnP_n<`qWK`*te0vc-$0
z?1UkiZ5-1F3C@ZF0Z*T@wd1{8q_1yi73!3&F&qmp8<enbRao7!E?FJgK9$(NufIac
zXRkyR-*GPKr@3q&PYeC+>_2yP(E+%KZSV)_@Uch%+GXMvxL&{$r4OrY;3YT<g4<n@
zhsPNhD1hnu$A>^gN=i=;?b%A~<|H=ZkC+Z92}W01iv5|j%F{!gzPaShEwXU)L9$OJ
z84Z_3Ww|sXHckV&AiHVXivM!8wa53O90VEa$(uJEz|7SUQg`LbaLh1FGOJ++vEq^3
zJiJgO7NO=ie!Xbnmmn|*aHM~YkNY=V_C<#bIQ+9*g6Etrk=OBmxO(rf9{c|d_=ARM
zOQJ<-k%rNbib^GwtVnx`hKBZ*2Aa~Kl!Umo)6&+GN)qiU7212(b6$LZ&vP8larooD
zsn58s_w|0iUgvqf&NI20F#mXNVdSGX@HgOws2hRijE#+%-?~NjwE!Nl3Fr9f*2@1}
zI1pK+V>uAi{QGC=_NxhogIBeYENz&1^^V=P(06M6^95z=cFVIj2tW2Wm;4_EOf_z-
zHUea-DDhaiv;3XlHA(K3WFQIs<jRMW)Ya5>{yK2!>P$c5nC*T=VA(`STWeMP6=1fQ
znhT4Mr;Vt+i*goF6VV^uxxVA~i5*n(bD`K_%S{eX4ML8A=X%Gq=Ri*A;dY>A2Y<N*
z2L}`HiS@hm-oIH1G}NY(UzC8%!LpK(>F|lTtnhk){&#O-nFSye@IR=_kF~XruZD2y
zJc9Yr4{X24xILxHuje*)4B2P4$l`N@XgMDPVm4k&b^6Z_RNy#ll%A<S(gmZfhNlv?
zT>m+Q@&d&E0n>NF_TJ)rAU)vJ@zV8?QbGm+LA4!jeizCdqeCqYHR!SPz1CX22J!O?
z7?Q5M#%9EF2?@x(?4#LWxc{jt%ozytK;k1HnejmmKPtK;g=uXj6=}+so>%9J<~uCl
zD8JKbX?pP4`>M~nbWn}iAq4CqKU2LO<Pjhx2z`QSqzVtEw|!yv^97^U`?w4rv;>(y
zn;f>ine!w<<s}<Q{mmtc?$VbpO_d9@+JVD0&EQ40l)<2t)<t;3@gUQ-wCwB%I8m(j
z`U2N-_Sg-vf(J>WK<6{NwCkm3TQozjr4B(ap{%R-_U@h$%hh|LZ3P-ZCh;uW)o<(l
z;GK{t@0Sg=Z}SvfoJpvWto2$K79Si|DmcAUb9_pFRqD#@0~(!v;dSAK0q=8$b2Evu
zrHiFq1EtRKor~8PuCGm)cEyWF*||9h5BIn&>@uvonR!)$6sITrP5=MZT72R(Uegzf
zwg+9hYMa;Dz<HezXm}f_E^=Ns_UUf+;xHKCwXrrZz8|cOsK>bKv?)$6AE<Qfe5eyY
zEpskJ`{lHH$*>-jKJ2mBy7Rt`gPxX_z<<5vCOh9IG}HxwKT|&tX~!EOV4}qvTWY;F
z?67ft_tln-k`y(cUhR|=T!PShwY{iXH}wT68i%F$EU>D_ei*a&vGe<5Z-h50&-SXh
zJ@<cFfN9zB-hh}mpZ7){nxk%#8XTGPlp)>bp-CDU?^k;%+vbd{3>$ehdX$GAhySY4
zr`T}1TXvn{{#2Jzy9AB9xbcLV<tSZp=yIs-M%KCq-^0J_I@cm&U9=|=Y>z1IA{d)Z
zBrp|(6)uOzY||;Hlpu0+-q;Hi(Z6A0g!B9Rdn3Le`V!G&p@G6WBe0dkzcxSrgdjyD
zAw<gofd-m)u>|4!F;@d!iiO|?EZ%+lBK3=X!~tOdf`r)a2xu)kdk6Cazup{<16|tr
z9QVpv4TlK}ISA_j^n%z2z56Vy{z2HFBO5jIAIshn58}9A7HL!+vfWK9$drn61O}@h
z{I(@G?>_u94y?~#t!5b-y~=>1oNKACQ&asq$EvZXE>7w}E=P>Lkg!W&+7Opnrc3v=
zO+e+b4+i^YBx%{4b{4NqNw_X?tWJG3a(8h!z-#Z(C!s#M`@fL4Y<<6DgLCV8%a`6Z
z(>Kl;2EHXDg4h24iVt$X5710)rhEV5#eR%!pfX#(3iCwo^x^^*P{Z5&xKdnrzHB#Z
zP17ZL12o?DC%V=Isd0tRsIe7Nxb$SWXF!R_`cCjImgsg9!>koIxzI=s?tMB>(*Yc_
z)sX+b0&_cQX?B?e;a@!<E96@cuthY$KH@rkbJEh%cLt!A>0_ulF<aHqPglpv_G>NX
z@nfo&7pP(zcw>yEjvpuUsxvuk!?x?E!0|m++maiL*XBD(6h-D+M)2tRe){RvSmrrs
zSI`Ht-i-k8#~jb=LiCL<1Y+(yjX1}cEz`D*xXzSYTgvY5JV-Wp^_TH0-~Rd|;q<j}
zOtb?9p@%2x%2tPoIuTpT=XhzUQJMD$-hGxuQdqH*Fy(%H@xzT)h2i&Gr(B0iEdz75
zl8N%;qvua43hbfv2uclDKlo>EVSfI3ax$f@ZN&Kn*@+JtZi0Uf2QlkSl$AX2|KJsx
zxxbY*S+Do#?ZkbM#}KeJA?!E(#3ZO+!Uj-av0A)DbQ>dM#UNOz=T!$ty<RsBQ%<vp
z^#+x)itDp4?wh%+BfdV6dhFLmLnO=Dox4$QE9vWVs%wfF!mK2dIbd%fRV8QMxh|)c
z5eCfo06qd$gn4P~)T6znvgYMHI;--}iT#}r;1LsR;2@x+?fLkT{_I;(ruF_CN}s@f
zE>$T(6a+we3;G7)&;k0v^3J)DS$)f{Lq3}-(vhP8gl&CoWr;iuangnej&3XUk_BJ&
zz~7$&%LqV?W%v8b^oN7;s{<cgm#Ow;hPkimM&8uvUezwyL6ITVWu_|y5<MSTSbDy5
zo{9T8;bX}2>*2>Qo`W)7bx-Atewk;U%CP;Nz!_zWvzJr`Fo9h01)f-HmtF+@;Bh$h
z@jUa*SqS|&rd>1X?^udz3088mru#f-4u8?G^>T}>Q<Chue`V%Z<NXT%*{8QY05kam
zidPAU#c&Mw-9CPLg8jfdOMYM=GV6=RahUzUA$w{@mK(IlFP7%>uV;4)hQ>AyvmVtS
zgnAnUJ{6*2K;U$_j-<N3J}tVX!8}JGPNt@Vw<Y?YB*?$021^W-5SgLg<MVk?la#eq
z^D@sL2?HUBl^G}HWc{t=!E@=5N~BioYxKLx*IaHh^jMjt?vl*Fo6xMdM59J79v(k0
zN|OP}uQGc+59Qj_DIQMlva35p^0y{dp@>HOdK|O<J*u)R#q!a+?U$RzXuNh!I=>32
z_Nd?5#bl?ndb&QOG*J6TTA%yI{<yVi#nH|Mj*N+7mNUv^Gny&nETY_^FTB1A#An~&
z`oh|1xK7gxUv#_Q+;N2>u7&558eWbI8$%93PbMk{QXV9AQ+vC>lOsWdrvg^fc{+vk
zR;gb(Db#h+?O(pozau$A*7M8)uqQO6OQ(O9<IADjlFv2X4<9z*G!<sqiKt9~A3t|c
zOOVl>U53DiR9?WhMpItqUET-PeE^7mHMNE?juVw+cL%(C&KmCK_wh06epoAE<HEqK
z>dCpC*NaS9;v{2$#62>j-vW{$@*9z!KGCLhyXg3aeuVURoqX|1IBG?NO)l8yB#<%)
zTEGmT6TRcHGQWw0;T)f>FIi=P{u_gvH%_ck-l{YV;S<In=q(q~yAwz~Zg(yvA7Sw}
z<HECB<>kYLJA2gH%t8|l3Vh+0jqgW%#iDq`5wwK)e^Tx|x@V1_4OAdT-NCah#RZDR
z9<rnx%;f4AP!7s;J;y>*{oE_4M&?tISe4kmAd2u412%R3N0Nga3ahub`uRK*-J^FB
zU_|ToiaD9<v2tdr6hpmTp)Spm$|QH2Q+GDTe%JK6mXe+H-)givRb#cIdB^bFlMThj
zrR~mZ$+z|ig*;!_fsT7-EkRAEalwKe2Mh^9?#5^F;YuNFfO6h3<GP=c`lS_kjCp7T
zSUQP9F8|)4psdq&UXV?a6?TU}tQfe5pNEkOev^<Kk#ofR^yeu?02Ym0uydcT<ulB=
z=KCpdx3*7uu~gfK-sQOwh=U2LuY9vav#F=&dLZ?t%0<7K_*42zN!|)~lz*hoZ?^G~
zSL%umjF{yX65^<v-3YpStNZ@?!7EF4QxUxVw~{|UFBr<>a=KR`{$L<1dfw|pT6A!B
z(<?kRXaJlM=n7b7GqCfVYtm`Kl-!0Xvn*8ozv6cDeZP53GhOdcjMwD@-!q1JHbmNp
zkrMa_>fds4S$fUN4@-tN))Ojc&z`?_Z5xu1fWC}EvnUozgVdl30$I&Er&y>KJ`Gg`
z+@798%Z(WgDJYmZuem=z%u(H>U{o}Je(1)>9$~)C{q+L%M{aZFSV-vXqWH91{9M(p
zT|!3H?_xy;hTaex?^YwZvZ2rYVMl}I&tKzOxBIl^cm3mh;W5t>5w^0tYVU<g90U0e
z?=kF3?tSDvqwg>fb%QF#^WtsCXCb_y>o(*?dctNK@<u7AiK-*b9^Mv#7>EF6pHx`L
ziuu4hepj)9fero3PTQSte1+M<t;|LEy?C#67n1()oMC@9KK(>N1@MjMiCXP)%h`=G
z4^YtS+o++KChbM)9tl+UHHgs&Fc5{$oh-fdX#GnYAb`YQhz}Vo2Dm~<<oq*S$=TN&
z!N?$(iC6cL@%AA<i2e*|qQiMlj$EgO6gJngozdjiDl(<X3G>|c3{#$JVS6)=?WG%o
zjRBwc3EU?m1;oe4`*i6S@7l+ZX*aJsTBQ~fl(4ZnoZs&cF$_d(&?6YORu@G`bDaA!
zbO%7hr7Kr30>m!we~HQ0#kn2*(S%#CFNiVj&=ZVP9;*|S)Rtje9|idRiWN1k&X|y8
ztiBK$P9O4FYyD^@4GXuZS%yd(o<C(u?Bvf|GlJRIGiXE-KWJo4ux@DNu4DcmU;!>7
zinYEbB~F+R$^(SL(+f2u8BR+8rx2yl{i%|T6Z6~B`HZ_Inp@O8V`3CL$Q0|t)zX^l
z#NaXEXlWiI*Fs^Yy3OzEZNKn$vP=VpY&6&7??ri5vZQ-FDo*y>#(F4R88gmHHkI6C
zN!<G$O7e6$s?Gjld3Qk-D0a{u9N;wz)(-+!t7TRPA5j9dhNSO<^g`DTizW!m!&$zj
z?;I~#v7TL6sJTW>aFj&OnIQ9a&=61~l-9-XZf!Gq2hv3QRx!_?(?1*wMKP>I$TYTW
zmjJYYc1QnPWUYyNe7b2}6pV0zY5Fw!RDNEHc=V{Uj@L05o)b{%DAYm71T+=oA<-m*
zbZ{;9RH#1V^)yo>ori}9lFH#-?_y(P@yrwNpy!WBv&n)Oh~b^t)2?Q2E?pfIcJatu
zRaqZ1u2%ig@dLBD)u<XIp1ZlveZL}dqL73AN+}I_YpBF*5~pXl<o+#lpv`3I6-N6c
zgr0BZsNYg&esmkP=09~4If=j@3)u-dDj0vFTU37emBHmCatq2V#VD;9K?*qkd6P_X
zFTTOm5tM_9lkKS!pbEbUApwEik;_}`tF%(FKc9mH2o=iIgY|V*gP49U`p2r(!>g%K
zbSY38I0*c8m@OZfgG4b2aGSX=Z5{W=Am^m-uWSrhZ*N}7f>i6^#(so3;0#NGyr=Bs
zr7d2P5f2|OiX>>hz5Hd@s>99$^;Y~9!F7Xsb~F}EiG*-HzWzKlp`0bu<56&PSxJpp
zVgpuHrN`}~fhOuydAd8;!4!*D+{}@~&KBa=F;!#tm@Iz5`2_TO&s(9EpkDF~uLTLM
z;G`Zzp{n?xifj3~rk)<HZ@EZ)cSs@x0ZPz!{23Whnkyk=xWCZr#fiDs{NY!6I^&df
zQNwaeWedi+Zy)VV<KusKkT}Hk0L>AyST!{oR6b;dC9pw<%xU*Kn~`%?R)>gSYE~Bf
z9n_V+j^9>>myArY!){1@foj$|Z##3<u{|_|9eokZv{#P-wnF-i>`Hqh+2N&Vv@Pyw
zJbxofKAfjn`y^Mq>@I^1X0o&&%OeAFXmlPC3)?V|0PWG8(~brP<!}E#>B-C<0j6z8
zK{(~0u4)PD38O$tw?o(0J#BPkL-gZAg@yR~3a3)@PfznKZ;ql_Sy>Tvnf__mn$%>z
zXcG+(`1n(GgT=h7g4}<S>tpMz^JZe%{Lh-1@s_sl18D##Ai=)Ndf~Oz1r}Q4)Eb-v
zIN6N>Daq&B@;_Y}(MWFIM1tt9>HGI8w+xy9?5n_02Oxx^?XY1yuq*!3ft{8bhK*lM
z4%0kQvV~VM)H(#c=(*C_i^xk#sLh6?+tqk?kot#qZ_JMaXTqmaOtSsr>fijz2IRoD
zhYxBw1&ENgTOzLge!K2`zJe*|L=AXF5a~4Fx^{k#WI6me=+<>RyR4I+!)GHkg65#e
zLWgYr>pJk@tNAvDAD!aRB8yvfRHn~}15gulSi1Ff&lyhkLm!@A<hrrT7=xB13bC}R
z!?KnNHs_!J_uqY>#P>BFHk+MTK0>P^Jv_2>fOl?3IkpD`ux$@{tjbGE8g?usuhG7C
zjleu$`U~`g>T^N&cvx#7JDtLtOLnM#SVt1Uz)Av*bX8A*a*xBnepmx8Dt;>!oa<#)
zZ5ckq+>NYs+VD?V!B>*ef!q4$o6D7(8-~U`EswXZ4em<Xzmr&nQC(|ox5vk8UIpmN
zJnVh0@h4!dcp8yAwwUDUf}qp)53`igR>RV|YuBzB9oi;(iqO|A?l8`<Ph_b*A*wgE
z<lZ%wJ#53jM#I-WwJ&;dMn3NA>Vbubo7@YP8w;FWzKu+FPTdZ>h*6sJZyJFFK@VAR
zvPD%rQNso>)hScC1}fjw0T3^=C%>%8b?-R&ac)n@fW(6;#{F-rj2IpnT4)$qNclL>
zYKlD)OtH>%3(e&?#JruDdLhMu+-*`8@%>!{(CEmX;8kf{63oO(0+a!yv@Pwyr55Py
zaBXMCuDt!O1J5m|*<a^<R@aY<KUOUgG+N#^=YCvDYAHu`W0{!M*>54?!OK)}<Ko`L
z*<ZrZmkta<*M$Ik?)7og<&n`*Cg}-`??9HiT))QP_R44NG+-cn4N*>|#I2XFyp}xh
ztx!GR!|doRcZ)1BU9=ztk*;}cjXkI7z_-$g-NDt*N{&C2`Lxx2KK#*K^szYN020;p
zdlFi6kTHbSG%uAN2ksV9soVZ1%2!SV3k&Joz13Lv$k&doEM?tDHyzGQ9HB~mb2T4i
zh|>YUEcohG$)TqZ#``*w<23#G^XJ{!pxIK*`igMfM#uQg^xwE~=pBB%IAd3!vo}^2
z@^bilQ9ZmkDlx-MPT@FwSQi~9lvG@p)x&_z!tx{K{i|!Mb(F3e6s{@DZZY?Bj<L~w
z3uk;SzxUm)Lku2mUA5n@+!eIP$Skz)VWGhZk&)yB6CG30!a~h)XBGTxmVax!NPpss
zx+*F4PyOBcQ)j?H6;Fk3G?wYCt$R@p_c3r|!7+X>yA|5+o=zYkAkO#&1uG!~Cv!OW
z_%P2ewtWg9{;czq2A#IrS~1>C$<7oIqoj5eV&Z<xSA9_5eTtmfosT@hd}Bwxv5d{!
zfmhFVZGRP~@aJ3TWP2^G`=V?roVxR;s#%Q>3H{Y{v~Fdh3kp0AYm9yJR`5008WaJM
z2aZ>GKcQhh2)x2Y{-d%B)QE(_0rdwG1^JfeY79i4y?jZ|Rs$%Q+%Lj3Q45U@#(AL-
zHP;0w1YDO;Fp||Ew4<ty<n7dSeL+=4g|Vx7%#j-#5?f6o=ras4@J8Gd?uFtI7}m4p
z$F>jsYICj%63!T$TM}~oo?=nr5>Q`><i?GC60QH{Qph!q%|@e3GYK0((BhRt;f=8-
z1cv%)zCFFLbNMDwoc{e2qin-Qsl4B7!{%3{s{h*sDf7_=1v;ngCu8sZRYS3un(urZ
zcpP6B2)$usH>OGxSfY5cx)Bu~)|&Yu%f~imO*FOv3^z$6>`@!e7-~lnS!M}L>Osqq
z-;2OQx3O{m{<bDJ5%{C{8eLzhE2B<d=SaZCqj{g~6}wql4A78*v?4fSfxtKEP3Cu~
zU#<Ip1tBw|7iS#oRlkf8m9S;*YC2tA-NlAmo&<}DfVLXz#?PObooD|lV*cK!0nU(t
zFP)v+E6-8zs&Ooedmc_xe{!c;xjG^JMPgpMaEsAD^-QqnjbB`33{p5P$SG1Vb_-Yz
zw^jZPnXA}ldYY9_sJwB87fp#`1Pq5HX44s179ov2kS~PA4yw9;LmidWM&qC3PUCUr
z#b7WHtO%fOPcW~tKm5%=JU`guj3};Mm*_+cx|(n1fPMD$j~N5;GaZOnmQy(RH}Ybd
z+6JbAT;#f?#`EPTonDL45BL(Uq#(c$Y$jn=ALD}&T*$7CJKo(O1X}-YTG^t~S7<HY
z6Hvn9nD(vyY4M58)^QZG3tk?Fg=jx&_P_EfiIuywgU||z{s*BUg99pK8{jWZ_Uk?N
zc$867;uFI&kMZ8!#zYpD>PLROa~srVSBa44Thu0;d7Xzo`bjXysPf7@8pRj!oz~%x
z{PfHb@ZDj`2Z~9XYHWdixw}F6E6S{c;B}~}2`L)j9Z|1!cU)1>EKv6U`^f04HXng~
zw4mOqt_ffF{ZXxp;T|>b(q*$>ak-7l5~=`O+jl|AsHW*Ff1SF;tnf{MpMUE%hfl;H
z^Ter-(?=-wj9|bRw=6)nv}VAk+nVn1&8)Cj>-%)pig|oCO_X4EaMEkVP3-W%pA@ZZ
zxt3z1s%-#jWXMuW^M-&48RT^ae18RiR3^^^v)NykPBxw+nOj=2*-t3{=qST%3*<rK
zrAsuBWM&|>0AGPfQy?yTpa?kVJ2a9$oaihdsCza-QK&dtAx0<37ILbNNbxxksWR!o
zDugRbRM}8kOhm`U1>vHf-_G!P_SiMa^mM1TBdoNTQF^`c-=zbfQc$giWWC5V-hZ46
zw>7Yd3l54?whzNN53B!OrlK8RI>{LvAjHLdps(EHsOad5e>)1c^00)a1Q_M#caIwi
zvy~u=!CmjH*VT}-L;YJpy!z-*A_gD;6M2eB{f#RDYKH^_7>d)cvg4k+7VFulCpCeX
zlz(|)swPGA;C{w4A5UM|AU7nzAX5>uh8hKUCQfO`_}qqF**;UAt)v*II`95MXv7JL
z(0Pn)fZqGT+PkQjaynK-#5j1Pjf2+Y=sv~!@Y9Ai%pG!OXqLfgVZN7#pYy8bn@e&B
zA~%zmww?YWxj}P+1OoE(1ffF4r1JNh+=o9A#T?`~tGs-Ur2v&<8it;oXi^x3FbW&p
znaXP8=sG|672&2p!FV#g6@y6Sps68~1??Im<&^f?(BrwN4*UN`0*Q5`K#T;562t+l
zK~5>EM2Tk=73tv0aYhMG`|Z-(`sws;T5RLY4^Gdr)!EiklW=XqdLIr*oLa(TS3;xm
z@^DI#0Ac(!>R9-CDkmw)cVQb<N^`F^fu!NnFMWBJIIVFw=|3-Rin=CA!h!@UZ02t~
z;mTjYV#yvEYLF{1;pI*6nBP4f>$rQGb=elDpP*h53xMM11u9f`Vp!mG>N6~Z@hJm*
ze?n!kh3-U|mv~@9FSdR>RnR@t?e>fd$7Ia3RN3EdV>&k6|2^EYyg@slX(R~rXVWOY
z@Y~QNo(6StdMgVbT4M!wv@`!x-{CC3vpfoUJ?@Dg(g>M>34^DAe5=R&9-D)I68HZO
z1w69(%zNonxXhs7@ULgpx_0frO><*HIa*Q@PiM8KR&IZd?Pg(RudC`xxs#7EW*#OS
zhSj*PlkcAo4bZ6>7027R16yj-W&&~&JXRev@d{!0a?}Ksu6uYC8*B>uzEdULsF5#2
z4T3oNKl>-2B*sfIup^zD8tTdd@%jD_-+jJR!vD!6Za*4m;KV5PNM!)3lP)A<O><Kf
zfjf|ox^4=@f@^uL01hteo<Mt(_yriO;+=m`K?ML`kNbPR`S=X4L8Sz{Tes0nivwLm
zAN9XKI>M^Xbf2U)Oe?}nKYO`Qk;0z$2IWiC(!ZoK@@^ERv<i^%m%PNOz09Jy-n!9O
ztxqj{YyYXrCl}LiF|KwuH~SKUsnD&0L6B$_r&20hHgxIp0X9po@D9y@UxS%Exa@C#
zOkz3k)lQgbMe!ZS{EW%&sDUSurpo&thMlL4QF`q~Mykee6qGdtM3&G<31L5U5!Y@<
zM6`~aMym%WO=5D-U~i=rhJpSv<0$BK2W%uJKOIcRMC2xxKs&f|YG6|4v8vdArr?y3
z_|@?&SSkFEKRYVWN=z*|cVof{;|i7?@9sqh_>EJN3cF>@b%W3@0|^EWj|qVTCXysf
zmm-?*ZnrhjW!|cvJ-3?}M@4;EfkW*R|EoMO1DHxa<xt;o0pk+z+rqUz)d?*KVYhYk
z=+ViwaOnVL2a}v@Q%H@SSyM^WFu?rMDLc_~=HSaQB?DE#Chym~Ff#)5#A&s(G2s3?
zhC{2Rc>#Ak5>~uq16Djn?FuyD4N!W0)0W;12stpzyr)@tU*b>GH+$Pw+HE>`s;_oC
zNuUIU>EPLCPV*(ZKGpj4+ZEVAx44-^=q;AV>D<?Z4pFR(VJ6^D#`C&Lm2(4$>*ZUW
z##wHj2v`{n*fK(C6e5DD!NdJDkCJ8SylQ42mpTL|?yt<L*{@S{o4n-gzU8)W+LKxf
z(I*$8n|40fTkZY7HeJH*=T__Yzj=u<S^oC#LFa^Z@8_7e9<^lX^a}TS&B+taqPCSw
zhq!knh-+=Xjl=`#3Nwv5qz%QaKQ3DrX07(gmxT_677;oUsA(54Vu}k*;FtvkTJ%Oe
zBXbB+F8_TSmOCFz4sRkso4NU~;+C07^Qm9{zgC=ZD@Hj1Ac?SCh489p@#r2?h%>Oa
zW9E<Eu6#cun%^$#yp!VpuX2J?<V!Tp(*({-$<5@00yHL|IY|^B7y{(~;e~i9_IDD~
z-!7iR+f)2bEH2i4cBIducoWNonjkdaI9btuVny{hk8?hc>fX-6VvH9jBs1><6K`L-
zaN$D&daI%|$_R^*mQ)f6c6AAj0pNY^zC8PPqoF_@^>-}W7>w_#A`gLJA5A&F+It44
z2MCBISHS*I^eK&b2<d>@0e-aP)HUVV+h5jG(B_{D-r=^B6ZnXGB^#6<s8dHb<X<LT
z;Ac8DVM8=Gw*v0Pe=y*}E*%~hCkR!q>p#Tb7PgY`VUtw+%1}91epg)M@MdWrqOP)C
zm2OPeEB?RH-2WSM!gMPaXir(sBp&|@dMk^<MsL60eDUfPF@^?l24sO5R|TId*4PB|
zk}=StQbx7dA8gUomH0X6IWTJ0tWop`lXd#*gwhQy6p=ZB6e>6r)*Kyv0kO)2E}mNq
zivZ!mn@ta7BR~y5iZLPpQ#KwjqQ$L+Qh1Rw7j~@TT+6~DkZZ^#HQ~vh;_wN7<RHPe
zuP&=94QTl7Z*p(E5M;jkK?RN|gjdP!<NY=gVUHizF7V(D(B@@0UU56YLE75+x|(?`
z#wk%&J^7+YD2yYgADjb$(l>nel`-i~)w8cxX~aJLpBCWj1)03xm>JwXYpKQ3aq`?b
z-}1e#Y46@W>OBM%TmUS&PdQuyv;}b4Pi~)xg8$8cQXSv1E<U2Pxku=K@@MM5njbw?
z+SumgmM`E%fl<xpFJ72@j2nSa?9!hd#_z;e)yNRkLx<PE1Tq+l%LWpw?Tw!P7$axI
z+CmGmZw1DWgTdcWMwwL7Rs-)k?d6o|G!L*R%;&HQj?$*#Pc0T$IMrSDkN2iI@fP{m
zRX1Fms`7gfBRa-gpYL)rr3&p&j0iD10kqBh#%>V>GgDJSb_(La4Vu&WDc9m6+rwYz
ziBp9zeY}<`_M)GMEs5$BnUM&KoPXx|1Cfh!>0azRCE<OD6A11kRPaFFc~FzuB^Wlo
z(7(dVrYykLbf2Kl7eiqsIS9}UR%=ZT6PCd^ciS+vDBJS>ul|gDS|mp4KQ9*TC~kWM
z!JSfk0b-KaMiU*m1y-=ZPufvNeK$W!nB$g7h%v@{F5mEphsQFcIanBkXx~y^e7nmr
zkLB5nPjtB&XhMC5DlpylZ%}^5U;34Cu^#7(XyB*)a7?_5a|z{#hDYME^=tYZaQPXX
zW9T;)!y3I^<T@;KpUD)%P~vK;CQ*fvi}=Z%sy;(JvN7I7C<;Jj#UxRa&vW|g)6x6n
z?=prDOgR%S&;>diCUImGJ+}HDbC>Z2Ab$&7Z+ZRpErI*fc`eG5woGJ0HOtvDVTU>z
z%r!0A5IDH>{5B%cH4IADn;n^-=#@2DM)&D|PA7$&Xdj+8cHLkj<kV2O)IT}49Yri=
z9)lvz8^Ju%eX+ER6Hu|h)jVr<@AO>|M4BGm<P9IAki>753Q8z*L8HMlYjar{-EYpd
zUrLj%6?9K!nFN#d`XJVsz$rZ-z4qZ4|0k2fXzri=Rfmwf7Q-Wyt<1Zr2L@8;PK2T@
zF8%a6xqn0G$brn&5E7v!fue37rh8HIqw_=Q2W*xYyYU?_4~jJEzYS~|lW$dS+KLx)
z6BGBn=qmHJr6z?Se)xG+zdgomgBCfA34>$b5G)K&r^1SU(qv8ur|YkMO>n;XSMHpi
z*hQ$R;XKke=ZXgzXQChI6^QsVW;9{2B6Bw{h5><bQ$0z1=i=Ee@Dlflg$_B=@boqS
z;`n?R+iY#XHKHF-;OZ|;-;Fwv=w_VG1}pApS>Y_auB*$A$1W7uwj5VD!7f1&=>8bR
zHsqp^v{Ihd2&53)NMwQJPTo}ldUw3^T?`U5;|#-(K&gRK82^D1ehbSaJ)G64ynPx%
zj9Od2f1g^2m$c`FNYsB-P4vk^>f5(FW~nxYC7DJS=8;8DKh3TJNFMD7hWz27MtgkY
zt^V4!vN9<NH##qj?pOS$Pc24)j_kt$eY6t4vPavO2IgEdJ=a|I68e9AE42j1_+^H{
zckU&ct!FDVb3v;s@z^6ek3zXLaI9;XLrC!QmQMNun!>TZm9rH^&)ap9F1(TZeA(#u
zF1IL{Eyz)z(#;SSnm><hfk6lwKh9v^y*+ht)YMXB_lKqD>_V!F%(;T}kt#d0#<*c?
z7u+7L^{nUjS^FQjDd93noR70SaTQ>uz{JF~7d{80w(>!7TPSHsTZ{J!4LMY8Z8evp
z_rdOjVUg`JxQ@R@M<G7{8T=>--YhhS1JOR>G)2Ms1Ev6bTG9-1l@ZA5gHcpyF!0xC
zp1^Dj+~bR9*}23mI!k1jp?N1x6QDZi0&t83E3aqJznvLsV4W@re`NYVEAgk<jEb@G
zK-j|lo%IGBLWw=8-jl(v>$e;JpQI_nMZ(6AOQe;_cX0pOMtk8x{;Tm7ufBBWD=92L
zQg43e{c^LA_U$Gs@=d~I<yzuz_P3;3=bn6?vrGH=GyA7c_PkH)&57Fk_HE~_$QN1P
zbMKI8GZ;Qqd8bkM=aELTrUj3}n_ZWVmdbu@6pfCcPwSudl;LnWaa2-r*h5|DXWYW@
zj3?dh!(`#%;W`3h52}95tY>b&(9`29*uM%H!A#FN82;TpiYYu8!xjw-S~7RQweQE&
z68a*D#&GOHsE<F`JMKU>s;U~)+DjfnWV6Gy5qlk>R^pAIA_lc|glfQ!ff~FEOC5+1
z<q|dC{hs4ef{hqn8^+xq>+5G-ymX{7d`s$M%BwQ!SNT!6?ue>$T7v&38Z&@(q_Vkd
zoRW6?7Z!=vf;~PgQPGdWIT9+>W3K8=*G9gN%t7v22192;912C*+wb>L(}mu%Y4xBi
zTZ!!^#KyqEx<BiJ{lo6<v<h!|Xq7Nvo~<W~=7%uHpB!7*Al?F#zVIGQi%!0l>Zn4W
z)%(iw75~a8o;0kayb-8a9^=jW%w}FCC&Lhh8`jAq*L`yK;-jh`+WKU9PbRaNWx|Q#
z`2&&nSyz#aN7%UDy?a+vy47&R&QcZ`0u->4OVog;+yh(}1Oe>BYuq@wMQR+=_Xwx%
z8riX9$3T?jA%6b85J@)=(n9OQu(bc0qn&x4UbL|hfh+4%MNc%~`y?dVQpGQT)O6~9
zG<VEyf4Fj2e1&56(U$9HlADp;i3~X!E6s|8NOQCo_HQlpbaiQxnm$IhS*ls($fndp
zVrJ~BpdyCrK^<Y7M*by_R6f!;P$H1+*kYCMsO?RTDOmLT4D|GU6JOpxg(h&*q)v61
zN8?oFL}I(>i=2B3Tt(1dvm7?r3j7^Nk@m|PMQ3N{*tJ7;`;n{;`3UAB?01oMWbeNK
ziGkCH4V<oj%`fg!?Lg`Q4zZzm$+XneIhSrVt=xmK?ewiRnJ!Qr1*)~_sB~tnQgU;S
zGrRZNg5b#S_wZ2+;*fsQ8IAU|$MZ2<H<g{rRe0a8Yj);X>>@Qr?!`U+H@Ds8sh<_!
zTM}hRy=~iva$m}Vng8JGhfN;WTyn0>6HGl+C)X~Ol)OQi%dlfdMUELPmyw)Tg)-A)
zyzn!{OUY^vOudrkH{Eqx7#~biyNr$ucU@Zgsgo|wDqJiWqg4d$h9(U1c3N+@i4jP~
zU?EK`%{?Qg9+gYW4%v6RP<R%{@5tyiZIE6t+$je9H%+I25vG!FD2s)!vQnc5eXKgv
z>{9yuro*4a@wRm!TI6s<kZ>Gj!TF3x%jRQeYSw>^&Ro^iZ77~#ljX*wawP;=Q$HRE
zBb}w|5be3z+Myyvv+VY<96DNBN7u2sPoMHf3PO4*A>IFBHk7M?I}JD+q&gCzL?NCd
zIeFC;jt}F*;oEOPzBq0b@?H$lJ3uq8UL%cj2@Br(^5q`akwfr4Og8@9Gvi(p8<ys8
zrt#1bPWbd}Y@@TLv|Vbi3qDuZ)z%XJ7MPjOfLu8tH#{l|qx_=|w?m<MQ{XCpa?B!M
z_I5~H{YkO2VUb#-xU+N_HO0X<&tMi)T|K08jmU0Q-rp6fD5m}BmYI>6*{kN1W>jWE
zv?YVO*EQaMzB-qi-edOFV|{5DPh1zBMCMg$u%}4SadW4gN=F|?kR#&ayOcsXs@g|3
zKl;86o5o3agKi}aSBe*kd^wMuoeMChp`oE(^o|ErUB9mDpXG8HNIe><!T&SLu$b?`
z{riOK3HkEl&Mn`+7f82WyrC|mrqv?KD`WZ2T`Ar$595oZzO{zRVGL()wsCsp&0S*L
z7{DWLar34@cKeAQ9m>a3z)}f^W(BTOXzqU66*QBpwQ9x06IrXIqEgECK<kp}Qeyoo
zRjs#pVW3)lVPwuVG<%V>a_c*Mu6oLEjowO3_qrYt5%JV>C2JTin#n6#$NZ80z4Wf9
zg&xr-5an^flLzP@N_A`>sJIyKRVGirvE+R<pqk~iHlmNM7O=Xy@9@<-R{bCR8ty|<
zTEIhUpU8@eySSLugK1Gx8I-kuqUyD?&1gsq3tAS&FLl^=jEwg7P?VmADXgV0Ve1YL
z$(46&fO3;dhC;^l+e(xa6fjQ|wU8$$C2TOPJ{t2rstB#<U<XHj$p#Qqmxzdv5sOb2
zl?xqwe0*E-S31DgvXU|Y5ho9FadG8KcvPuSOZ8y$5kEVPLS)G3`Y=D{c%80MS~MHy
zTq|h&2IB-$TSRpT#!~WU#FRAOeowt?gRxy6{xf+esZ_p><54HPReNe6(2rX;&-y)u
z#}Y^Mjhv=2@3qi=U@-K^bHAtXVXgo63(dC$+b@=vms`K2gWR%C`tv87NkgiOt?T3{
z$O$`hlFbnY&?p5CLqC5?q+W!`J``UQ2Kf(HO0io)&8_wcNHTU1+Ywl`sZ(8H-tMNu
z8{wjwj~cCD?H6GPaWgw2<R$1nASjE-NI8#Q4G&gQil+C)*4J_HVDeCP7j>RAAjJzm
z%Wf3ar#hwokoWG<$bpqlnMD_rL|kXh(Fa(Yz2Jjn`fXg_dph^*aBw;kYt*ba#slY$
z-3tyTw-LAH4_9^;ex2D)3gJB$Pfc2E^jfbd)NQeU@un^-X3>>r^D57M?;-ZsTt-|0
zNLsVoyUdq}s8{Pt*(3L44NB>U?~g@e)iVZ+F1j4IRx4k2%WC})nQod7tR8!WbQGn<
z%_U)2n7&9dXw_%i;LVy&!$8RF4R)9&gMXUrnCWC~?Uf5kw%F5fD5pb*D|{>30-b~Y
z5MW`F#C}lU;|2p0E9=OtcG~OLfnd12SJZTMbf^<G+D1QdkLKO9m@zFL%{!$3*i%d-
zG~HCi;!RqbKO$hyraVyKg2!L^%^cTJL)2<6odz&~Ki=@%q8<+TUE{`7XG=VU4<7W@
zOJ8W?T!WVaY0*m`ffy)>rK)nFda-7AAG3HevuA0#BYRka_xkP<;~&8aT()k9P_|+|
zpC+RA=h3z=mSS#k-Jd9q$HDxKlz;z#d)@meCbN4juy^GG#Rqfa)Shz@VIe_`k6v^?
zZZJz&*$l6RU{-;OPXWtcU+BENAlaaL8zeR^aD8fXGj$Ds?D1Z7d)7w|vF~ueGSE|6
zg?l8%ts9J~vBwd`g6OTbjPe^#)3Oh-->Whbvi+@++$?D&b?{)_A;V9MFTFjOBGY9*
zXf3@5<dP7@H<k=q60alyFBRB{YzJJ4fB1Gx!!GL(n~XaI=ijZuNM{8zUhFrRkRna;
z340eFdAjHsxAO4lz83;G6bTHhES~9B@N`-#@>Fe2lZ}jwoV_Rs)fi$p0jr><v+KZc
z-DZ+?LIcP~*Y0r`RK+poVHrxf!1_bdyO3`J2h1Ut|5`^}C^a)pIv{xNj?YF^HpwZ%
zOie4Q>cxdO&c>p9g0YXQ^G!EMi&>pP{02W0(k|UpFW~kNKs;%3p>*TvLZyCEQ$9Oo
zu0Am&Gwz1gW78z3I0`Zpd1U0|OW(Zi>rTRv#g0`KhRcAZSam5Yj6m1gX}7|P2&zi3
zG;c-`Mj58gCm>M!JMW_LpzdR=a573tW5|_Js(HgAzunS$S~4tIjFlaM<8p{vAS8m=
zJMG4(_Y?|=fjT42_d2I+m>?o7nne<qn6%ROChFZEDr#!Wd3$Y(VoduSyf@-JL(WRy
z6}Nwun7wM-aX#(H<kiiDn{ZL12lSTbuU`Fi8;7o4Y*ptqY=8_*Om|@fj22~lF`qWj
zEY;jy?J8`I2<J+ECL`!9I4CcQ4<5VucHt2pMwYG9{b1&gzOC@-u9}(}IJ+jSxLZJ5
zwtxR#e*TZi7JYYbJ3e~0pPhN6@mI{Eo!a!K`3HB>WGS!-7R@Jgm3T<ChOv?`lIL>v
z!|{-thF&pO&unUKXGEDY@7jL@1LEpb>a8q<GtyJ_;dh)Vt=t0=BjJ&nrZ4xMXmB>^
zw129`6;YcXE-mP(6g)RUHY)1~2M`#Lb@mIHJ6+!;qyzQ?h6h4OoDQzx^kTz-15wY6
zlezAmv%J<lMUM*`LFjcm^<sY#plU0%Z`*pcl`{^z1!nqpkQVIrdfz&;Lv9g}7{bdw
zkBOOlq=(!cr3H$5uYg($c!T2U02d4mG|Y~5R&h>uDZ2ycfm2e=?}GHA>1`xJeu*Tk
zlMpI>`0xSH3+tgxM^Vo}_eS6bfcteqImB2#9&`EB!U=b9OqO*vDhV=kqcFgOGA4;m
z27+as_GhmISs57m-=(O$w7Y+rpXmqZ#-h?&c2<3f`R0a?A18m4Nx@JXwKjelAq87$
zX@}-{@D4aa@cBr6-|Pb#QG*o>`}_HwLd|_3^7!Qu8|mth&TUjwKG?+$e*bd@>+MR2
z6-+U@woV~!0X=7OuSYO@5(-63S%B;v_xRXSHD8fa#00PPue&qs*)%)C*TyHKVz3t~
z%E@hpvWzf+14aiB8x@?8J?;MJy5ihUTfyGn&W8f%3Zv%GyxDKjNmhTl4J8o<WMSQ9
z9d<DGa=Vtx!RE#*jBN~30oNl1P9Px~CAR&O@6`{(faomnGHru7c!vi?+CeBN<|6AG
z8;3)#7#b#Ok5G!e?$G|eM+p;g5TEI|G$Z09w5TrU=dnLRP?|k8Q_G&A@RRFrK6ys&
z_z@KpgnVd0{@gqg;+3yedl_dg&nWORxEeP{XJg-8+0uH|P7T`}&z5%T%{5wgQ-dQ9
z8LzyAKk)kYAkDXfYrbP=(5r#PgcoSR+Ku$4W3I*VXVr5}D%o%7LXKSyMQ$iyCL$<N
zRFna$55z!esr<+^gaV(Q-pzRUW%Nhxr2`IoEcY?q%eOm@pRg;48#y9{z;~Rf>Gw9O
zanw#iJ%L$fYjG?q^k5LsnMFI@q{EI4qX<9nFaT|STpzT@r|AAfyNU3w0IiB5=vk9_
z{*GB(+H@Xobd>1rw*Q?Isd)PBR#$%0jRK7MK$wX7GEjR1f&%EL@8hrRGLO>=q6)*S
z54NOhz9q;&qW5EFK0YRIA8pDV39%Wn=?I(Byw<#enpXnE1(?g$I}%JqLvtDh5ApwZ
z;YAE``4pPKtn6&!htq4%INAp4KKeI5U*w^~7Rsuvm(;ZP#0g>$*ZSpHv4Ef;P!9zN
z6`|=Dv+B5u?iOp#I+u6kOmmwkP+K`X&qyIzSkCYvbDwY^PWvN>O~jIienQ9Pir7Ho
z4o7yshQszJ&KZ5beq5?W=<em(zKUyikBZd=u@A6IIoho8wNC&}x(_d{G&WD;BUhvj
zMCtrI*sKq)IT%nWYExvGETQ}_%DvE@YsIR{8_~S1H5i3QpeNQi=UwiHR?bMC^X*fH
z5hu`~6N}4J_V~O2`FNC)sg)pGrjK1n?b%#+7`!ZKw@kTOSrjR{x4ABTdX{xK$I54-
zD8#T=el#13RB54+C-ijNw-2a@XKOX%j&?~ZUs(#_uH@F1!YTK_3hY2?Nl*E9y{uEO
z-f4N|xBMC5wF3Fm0XO0aW9SIoFiGA<-1#UR7GlWG%5JyJ#fcuPz;)y6ytFi*xOgi?
znVDFul^9r|GSIA_q^-qb3u;g|TBUJv>Khr>O|ox!dExg|ew$@aXzal8w#@Ka6R}jy
zx<cVm8Ao?r&eoebdJBH+2U{H&H{hn4?SUDAT+sU+m>02vi9yI1D)Jw?%!gmn95ziF
zG3iZL`~I{vy1^_PqJmmHvR0)0iMLR+ht{F4uy#q*Fh8rJl6CpgrTjw&k&r~P1T9N^
z_ALfm3^2`^ySloX+ml24wqW9-l40#aJBQARkB&=!UTWUIPya*sT51c0_X>@|`&X2^
z=(42qox>XI#0Pc0wf3HI2U;uLiQ2(Z+`7xAQ>@qcZdl9U@9fVqUhYNGLubyG@CE8R
zI_A=NtMNv(-<3=392lLDEF9|lJ>iD&a3`VfZM~kY4u?mVLq=xW*Lu<_GVG6@JCWMi
znT6nlsHaaGR`NCY-%<I=jlYi+|NZ-S*OC#OGo56m=JD@Vy^BBQ=47gyZRg*WHs}f$
zDq@F;`<#b9%ksjTZ^IUvqY~(pr{eRn?Qhi>SB(!8n$-eOwwV$gUHkgg;>M`NCY$$;
zefblk(m!s*j=tyU6$O81U2};m+$Q1jt@NkR4UVHn`4-pOb4=Z_-b1pwLGrpmqhYHq
zdtRMPtRM$&SF~w@Y|R9Xqo7Xumdr61w*-c-J7;hDvGMIwdx#Dfya^&|lHaT%O^I+w
zXt%^}slK+GorjMP=}?GJDNF)aV&id$9U@Uw0~qSDeOXG(H8)gWdUHwVmXPMq<(C(1
zZTXq*E1n(5v;szvydLFUO!*MqBM!Mdk4TllOr1jq(*eAGYIp)^@Q-eBtgu{R#(OWc
zj&P#r0F)7zdv<jMR>ef*FAP*g49Z9tey2o^thzManH4<KYEP;JnIAk=tace#^!Pnu
z|GzMv7fFWM^MG$|QQf`*!iPAju~`sSy71~Ia?=3TVS*lC&Whdc0nYCH22Er196`k1
zHn<G!^M#8S;gR=gZfgo=r8_njJB$dT5#T&<1R~ohe}y=iNI2IQmm0msXJj(A(T7C(
zT$8tNJqVNtURiKJ0!)TI1PQqG=*IrdV9V%ccjVi0gH**qLcluFb)wc?5~xLYBOwe;
zFIwM;(hZpfHpkBsR`WNIc7b*hhzZPbiZs{Fg^*Mh6T_0{fhVrZ%>>Fpd<i1$Ag`;Z
z*bQcw-7->0LIk@3=I`Pw)l<+AH{042hy3Q};@V7%g0oO}IW)Am2J4_oCuZZ5nrv*d
zCVX=VnFe;glgZ7AMMZ2d)7TH+dTLB{UoJN~atU!bJ<bC(zzm7<8rWKwt<&6}x9ME_
z_Lcw6IRP5G^~2r&TEf#pREii&GuE!=e#`7NBF45i;1Y9UUD;Ij+LMbE-jRlrvlU8j
zE*(F1GbA{8@W+-iZPusKY2R-?b=~9g;bBagmjSR$d|%wJyw89B+zcJO*&ceO#rFcj
zHIZT_?hnVvWRDvuO3C6W)M*2bTEZe<OE5X&i$e_U)DN^xTT!ZDk^vLG0+I+iBZ6#x
ze;qFtC!?fepRb5&Cu8}lgD8;^Cus~XBt&g24urzNq2TL83Y$Bi4LtMORC6Jf7vGX&
zzON!+q9g#{K04pl@&>6b{ff(;kBv2=Qxy*%dQ014=jt9`$mM9EMLRHnr7B}pD&11o
zu@iW%{ov%L6^Fc6)W1wk=XC4VvRgKXyqueJmB!77rGL`kyjJN#>Dt&WwH|SO!dQ`L
z8f13B&L7;KdMo+BzyQ`!Lubex-Gr`UH}O2;v>=XcrfmfSNN>ei-0{mT^iUyawlu#h
z7R8EbXahdx$f2;q14}6UL3w1i{(kUJoQQH^d=UXw(;OJr!JTP!<(86)WpysAtf?u?
znZ?2e4E`-C;`Vl^1J3#uYCejH*g`7GF1#ielg}8PrW0^%f`*!-t@LuM+Iw-IlYO>P
zdt-~+)Hyljx`=5>>|3Y@$Vm#PPwzW$U|W)6@XgtRI}$rdWtzX%YWA*pT3Je-YfPFj
z{mSuVMaF?C{xF3@tI)ugsAiU<Wp1*&<dkcoFjJXxZEU7Y^s8j>#>=(B<;9J{(dKD2
z$z5}EPK*hJB_Om%glctp_V>WMF&U5Ld}+n4Hy*o9(3H#5o%2@AroH%q&uuj&yOFoo
z$vdy+1Vd#z<;BizosPMGqq&u@DDmh~?Rya+iJ4opCTPNllq3ZuC1bo~mnspO`l1k{
zVo8<zK^$-=cr1&WeSSh2Z1%KN{_k4ar}nLX$D;+=;+ByChbtqSNQs|<e>M3EeU8vP
z>LD8MzQR4blI`X(3GB{b`G;a}!rgbTJnwYorw==Hway%OrLtTcchrBB@ZR6bYl&&G
zE_rb%ePoTD>)(steRnYG1vMRA)!M-LjFZH_6ecBhnNu!*?o=fYs_Um%4Ja$;HE(dZ
zJ1rfsS^BT0#>2yl@#_WS<t+o_1-_ylz`0ppFD6p1&r}@h%5MhF{l8tYGF@h6)>ze9
z`96d~i&FoKLQ0}dcxGa5M!)Zc)O(i!ijYT~mHoby8cs`$;A=%C-4AfYOw#93H~i%J
z`&sVZcB&~6TZ?%S7b?&nvG%{b^BW2Q=QL<J+BmUHYWlo4v7E>#Ev-Ns>xee8w@-g%
zz8{`FChXt3{!a_=tGiGfuFih1U-J|3a=nTFf~>!e14rHrfe##mX>sP~Pj<V+E%j2l
zJB<sL6xwWx7TV~Wpx18bD{~Vu3EY}A!5XkqEkkMwOJor>B2x@v@d3(VG}%|aPMaxz
zd_L#i2=+V`BC{qeB(;K%A9r2~exZa}hs{v^ZX)&>DJ=+xds14#_4f<D(Ea}Hn*n;@
zkIft8ly#+LcQZZq?J=pyaI-dQd*-UTdmA<Dc4|&)GKxj1ju!i+n>2zBy?r{VRJ~7p
zjCZbS*cFHi>5Tg%4UNPw&R^XBDcT6T6LLD=l~#;tTs^0va^Y`;&TUIHzIVfDe*&x~
z&Nt!%t;|~yo`^9r9><B)Tdx4czjsc#aB;kF;+dD%!D$(1&JAhXZP_ojWSBoE_tM%-
zHv4wL$$8B9^$7c%Y>)S{cG-3P7>(H}@vE`xj2zS)5AqlJCRP7z$JJ4AQ|j2alWBFw
z)Kn>+lh3`0|KjK9To<KCU*AK=1If&tJ9qXXA_+OG$j|~MaaE8xp`|<?$zH`mS2Q)N
zt$Zh#fdZgD_%*j|HqnSeDt``8k(isb6$TRIu}gDvS0oQseE5JDfj9S;>Ts7Dy+Zs#
zX?4FE2oti+KBX1rSBT~Z%8RM?>j}UP{xv^$9!C7T1={&`gWL3U^Y(nbNB6^|)-`3V
zU6ie{BxICndwk3`ve_A@yX^9%JtyTPCX;)wYDC(zTMV-Y%)J#CoeDQdQE_947Sf$|
z3iNEvJ14w4!`T@gzkcAqQpvFin}3f2or;Dd1B@V0;GpdVKX(Umn!n0+KiDuJ#}GJ6
z(wP$AF4#2D%cG;mu_ylC3N#mJ4aW%O{Wx~<tKh&JI?@S;Hf-D8(pv3J^+e1NCcgLR
z61G%e4#BX3e6(V}mi(%91Q}wh?23g;7%0ks`5kd!;n3JhLsLZ<)DocTxdfSY+I0Cz
zF_t?#ow0}MlcY1+R_9iSz%AZAxfck5S)p|_apStR5&V!PZXqgTa`ZEs%Pu$ZZ>MJ7
zvc??e`1QTHx5>f%V$GJ)$ll6CS)D4n%Nun2el$5BnaO*dKEa!<CcTxKEpTk&)@i*S
zzQv($yS)Pb1-a^I+-nu`=HbHt6EZmAp&Q3>?(EqL++~7CMB#x>E3nF_#{tKd*A^0S
zYN5^m0;qiU?9BVM$w?dZfYUO>H~ky+4Kpw<<lrtA=?f+%UpjCe8YS5J!0QUE%u-QE
zE^l;Q;$I-_JbVzpe9;K4^8|4~@_zB+#r(F$Bv2NZ&h!c>e^7j-@WBSGZHY$(rZ=Mh
zD+TfF>KMgKMAVuTEg)NlC0KE^Epv;XpC9`lw>y8AxAT0hlGNna?R5-x6ISl|e-2ys
zQiMFEka<fg$szUXQ`{W!-X87U+`EE@S=@|8#DreNQbgn^Jqu6PhTA225kuAHmYpml
zb7rl{dg_xiiL?_Yrp9X&G)xZ?Zp8LU`QXDmw^;}Xt7@pRcrv$68}RpCC7zL)?)p1k
z`xhN6;Ng3Wd<{(SLVVo^70Z?hJ1jp`d<6d<EkrCib#?V5DwSJ!1|eRdL!K=BnZ*T8
z)iS!mTRA|3|1R>L5$d|<kaTAc?hSM<&<y>UTHNAvT}w#!{kvkhkxQT}iOczy4+EIE
z#(p98z5OsPjyVlDuECOxd;fkiTr&VBfVkM7B$v|z$?75nA+;p;m)qN%cem-iWhoe7
z$?XtmtVHaZY3Z1Av}o3^mZkAhoKC@z5`%{2=Ct0;mE7K<@;?1?Cr_}&EbkR@&yarH
z`aN#FC*FN+y+*s;%e#4(&z}izJ!$WPi{8!xPmac3I<eXLik9#6j<OkxE6+^41jMde
zole)&U19w4{q5Y=#Z21CdaarKmBs|wiS)3)Pio+<OFwcV-U2~aPu}9Kc-AOQuXqm_
zp@I4og6AP}?GVt0%TaG;|G-swa~Wb-Nu&TePV28TD6oM7z`(SDXAWkz1GX-jLz!7w
z4@YQfU2Uf4+=CuG@IATLyUNH%<>e38TNIR(;%|z;C~e<VHe!1KWEc1mRbKnpV%YEy
z(zm%}lQmg1CS5HRpM<dq+DuWBliRM;%y(x}3g~lc+>++Uzs7~=1I~a_@>YTVxtgLk
zHT0zDxJR`n$X_>!i0^DC6k`x$2Oww>r?4n;iP1o*sOO$Ur7wQc0OQV{A^!hXE)n2y
zf@6Kh>cw>V;JH2PI$LKawiIPkFCJ%Yo0HmWu{*<>;h8FlS#=8+M=sx?!j3~f3|H0#
zc6d9SYhQ3{ofxg@Pe16h$-`&Xs?4`>^Cu_o54>@j0n(&VEid+6>#?C)=R=>vMlx9M
z{6?W`4hL70M_c5^ZqiD@pY6he71t9ygWg?<g4pZf8r#0V)rswCs!!_U$U-HN-dy^V
zX?bu5I6F{#5Tu1KOcC24DJ&)iN`E9+kqE=lRK^jYMjm=ma~~en4I=sSe>hBRL(x5{
zR~Sf)J^d0cJdim+R!C?Zs1%~g;8c%Flte-$Xy03pT>%17?87|@{3Ie9oJ8<rAP!yh
zpgTa0M3v5^O9U((Dk=;l9>OI2GQoLcV=dTi5+bb(KR#QCk8zz782zEif>Z=s{*MqP
z+$by(2q$jQT`V!y)7C~P9^rPYm{*HU4x=aVoQfkNXmC&w$QOE0Xg&yEQkG*k9|5JC
zRSe~zA)#{a@(AXc+tmAT8q9)Q8lR;BX~eg-RsJDOARt!9JqqQmvdtIiRKz-Ctb~Dl
z4?Lqdw?!0ZEy5wYa%)?CA9mw#CC=OAHh9<6^i;bR_gM9vHZ|qhwS&0w?~}pC8`Zzw
z8z<|wxiqNc-nnBZmlC|G3p}Fs7L1&y%21>o^<w95*&G@~F80SqvNWgh-R$X;vId>@
z%&I#Qd}o`c7SXMBh?&dg<4#uu^oH)zS2?YcwRU1%SiASs@}J%%aS@_SqW^KZHEp7a
z<}Z0f&&t~Qd@jQ?G~~!CFf0Iu*jvu)>UNuN{<cFbR)CkcdU!ZPFNWab$F&h)1iuI*
zV2x*9O2NYe*iyyrkWN0msHiB;N+dQrbwZa(gfOIe{e)(X0Z=wJy5G&oE0-?JKfWFh
zg!x07ZXrD<=frFb9!$OTVKd+3MuRR8D)xA7cnA$4*o_KpEz#dWZqencO+ijhOggFG
zI|1=4gfigil35VK5QsXEXa@Bb5@Esz*c9l?Z)a?5w#5p&5G0IMn>R4rvGU03Vp5Z{
zYGC2CCP&^uVwB;`87kcG0F>`ocW7q%eJD95K?u<H3Ql33j2m1#+H0bIS)7`Gt3O(N
zh-n*W8={RTOeMft1LIv04E)FTVc6!`v$8S!&lHzIlenm6NX>6oS5c9(%kp4yf~_L@
zT+kOInRgFWP;g~fsXaML1!Un4(un^N6BACFIy!6%S~SQx#E)aW!jAX6p5Az~tq0uV
z3QEdGC3aI&fWR%76Z`z}qqky`j|RU2rZ-4#k4JD~r=QUy?(1z`Lb4})u%=vIDPujl
zY_-Nx!gbr?2Wt0gn{<k1jT>vv&Oc0!PG6S#(XxZZK={0rWkzw$&oAZPzc^MrLW8np
zdtyZ8H+|Px8Cx?lI4w5$g{3d=fj6Z)%Sg<;!Xdeu`HGa7nrC&N%Nuv`Un|mQ-*i^p
zGuLU?frGU2M-}dV{VE?AL|xNnYdlpelvFDJFDjHn<4#sYClS7}S41S^^oZdahwk;o
ze=w6VL>n@EPhv1cOIX0+Ap`T@RbO8%G5_JVssenOSW$D~YJ*^3h#>>6p&shz?{DY9
z1#7~t<+tz*k>nwr=3;<z{bevt#C9aZ!w)SIfSql{dK1i@I8Ncwf_wLLJnyQYj!O@L
zE!5yZAu=Qhj-~UVFx7`EcOu71g^Nd#AYNbf;|YCa-C!FaUjkmT8ybw(ckF!iFa8|h
zY=mp5<7p^YcjCyM#J>^P4{}0?BX{d$zY5t@`*?TZrb)WCzO#SCj|u$MDPq#fY47G(
z9%;~ap;Ke+*_5an0UWCLCZjYUvWXB!R76XWiH~Ua^%%qBhYx=^?4=+<M*FbSD_0Gq
z@67dYmSRcIpMUr*0YnbfYVt%2R3@0yfX*w~c>U{HVOy$ehzh^m+ty^B(LL+L^5U^8
z)pB3`#^+@z>aSF~1$N|bHF>#PC-*U{7y9HUTQ2_Gn=w97wzxuS+H2svS47oZ*y*@s
zhP3VQ*{^BY`R;Sp3AH%k|GVYmrMp>3hoWSeB20!<AG^6yjY4r*Lv`p4i@_<fNj(M;
zFKPO<i+wrCtg>cV_vYFP_9*K_-C3#jKY1WB_cQHsE!y_JhY{%7ld^t@Ffy8PNxJL~
zVLw<i@;F^iXoCi(`C489Du2rXXJWlrsI*_Yb+uHf)kMe0hzrlp?c+~t$X+&?&t6Ll
z)m>f4vE&=^TY@M{q8n%;0Jg;D-$dXa3b4FkmHmu8+h^dD>Vt9$h*>w|BS_S&>#~3P
zHvQ@}KiiTGjRcV=uU=z|9+1?>JORH6lCw}_otZYs-aIlMeK}X)U#R~Hw{w(hM2v~R
z#aD~&T@c#D<&NA~!vcuZwtH2OZBh6hPBb>zybwF^s>XQ#`em*fC(+cK=pX<uVIqNT
zc@ijFm(}i)7oHa*rqL*HP@c)q`r1QrG-LNfngUmNXT6CG>gz58%GNPN;u6Vz9F&hz
zbPB#&(UY-yPlF~~dGrj2t98u{I3yB}L2oJw3`!C*e9En0N4dm{@O9R1=6x?Lj=L>u
z*RPLk^$Ixk<VIt2@3IuxSE{F|NNkUA%4?KfBMW_96LP_zC8<pKddJE^3Zl^(GvS{M
z3<&shYg2;9CKkHRx;z<?Z84Hfo<aU@lHC)nojrMW=Z`+?-c<jYw7#w~kS)L$w5dlW
zt!6c$!T<LIV;0fpGoHd;^S^7X7rJG~Wt8vmKm=AABhr6rcD%cjF8p8PkMQ)Yh}fey
z7(tg1mt@o-<Lh103En*jD@1ELQRS4V@iF!%1WxFdPJ`)>aNU-r7X#uGLsEmfgx~tG
zng)uvl_K^U3GE8xOyRy~AX|7`0wOp2>{GhJqh63%kw$A;w7rz)J0x7;pVU1LmZJg(
zJ6bjjKjpVS1^^31h~;fw{?3r(*85fw!nJ3+@Cr!~5hA?#Bs4#w$j=}EqhDVV*J)EP
zTBJA`f^xc*6)gOw_x~a5E1;rWqppVrl~7blKtw`Xx)D)8NkvLh5fPAXh6Y8XL_k0q
zM7q06K)QsXJEXhoKjZzrwZ66fyY9MPb(op=eV^w%=j^lhJ~2N;sqRh-l6boM0>>ja
zKfn76L}c(s12|Hw%YIG;xFS>L?)pkA5-x{%qXt<LMsfjE0$r)|8XMX*vy{MWfeSsU
zmVSxXsl0Mpam-eX(YUnh{be0JR`AK?nOBuISkJEVcSK*3m4fX0j9Rm$FIV6TiFs{x
z3O3O#yi3GbA-O}L!JJ(O;ym13h#oc!8V=lrES!=W{rG1~ogMKL4TV;i9pR7lCu>=_
zET`%Q#~5nchqv7$g?5Y_SGUr^y>e38Fy&;!;J<{x-S$I5=t--R8)ltb;&{ZhEa(<P
zGY!D-vBy?}8_$3^F5dDwzwQmU6Pp7i4b8;6NnX8t-AKsO4GOj(TLkEvI>(lIW!RXD
zd=q>?9{?o}wisf}$Xl2jtVw|cbq!cAzW-G?n@}7#yyFF_5{$!~3KW>wEJxikj)Hgw
zJ|a`VWF!}{XM>sK=uyS)z5@)Ku1bV7qU52B3J+huPHK5WtM|NC=*ba!yL;kiRb{6B
zq9eU})e}Y)fZ(P<p9>TPh`jDosJEIS2dO4nK#yoZ==UT@(x8YB#dj*RdF{0u8ynAP
z4AiB0{s`CRaLWa9YEER<B9L+78>ydU`w9M@`0&a>{r%j1=d#OYu+rwQ7y8)^C-M(w
z-Y+|ztTi3&M}>sOVd=g^umu(~@rXIG;C>mqe7bPq5#f$;+FZTj8A^67OYq!`Q*>vS
zGvPw!*~+?4d>{z3T7t&K4pOig&{>~s%Ol9Q&7sqdKtPl)cA(H#`VNLoz&*C+(Y|GL
z=p@Gt`431~`6~jyjlfhm1k(6{63;nQhF;Kr0N2TJc1h!Wjqg<o{!M*9DB>pazWTkl
zzY$H?hH?*Oh|oFdEe-?5EcAoHxgL(0Jfm*#_Gf`Af8spkO7y_ol4Bl4JdCn?SFBO_
z9T=MW!1_j;`+;%HCgA4uEG%t{QAR(kviZo9${$KejpN<{J^-9L!SU=ez?_nmm;VLF
zEP5ZJIcDD1p<|03+WLqg^of7(6~4Z!n@sJ#Ck!|HM3HglU6XWQ6#s?>+uxoaW*}#(
z2<qkyjG$tO%a01_{xvLDd)|cqgR|%$ZuiZyV}hmFmm&f|Cn85PzXP+XtxW&O%5$6d
zBR}dhRF|?T#Q)VRbb(2%8nH138;#JN=Ggje1O#FPn$>M}kWb+T$e?a%V;kl69>1x=
z#8WKp)%!K#mf({hP+x*PFh|q@|IDUzk6P5Rhdm#lEJVWA?9AsqFpRKaf@ltp<k#p4
z5u!PmmKXtXH``i%7A6KjrGb7v2l+Lzz}fr&YZ^2WqT&+#{5NsE>$80s3t<op!htmN
z*D#r$izhfqO+%%E<{QJBCZVPd1Wfx-gm*^LCUiRp>nbiG<(!I>y3DH0lExi-koG_#
zq+4sC**y)C%ZV1KI1!F<gp<0IA~`TBY+LGuPQ(fu-}l79VcT&E6AW+M1cwL2yEH?M
zlZjv6E>l0qrQXtkg**7OHh_4dyCFVe{Nb<0^Psd9lHj}uGj<7#tlzljdwgHY|JbCD
zL4mI%fN5pwSt^dHCOYjjj&bIZ-L2CU5J0F=FeeaOLHlo=;xD-{OAh0p^#o8}0jeP>
zDQW&h1Oez69FsttLXTr~xLC=pB|-##i+^)=!%kQynt}PhUI-AZP!xgCw1UVBnGYOx
z=GDv*>{<(9Y1vs>K9C6mqc66#3}}|}QQRL!e>T0Y2O1Xw(H_BR(I*a-8u(V4tFa(X
zm(^>x%h=>NGGDO3R1zVvoPRJB5ccQzwmPmri~xy^R>^xSVMZv^SQ&)umR|&S>j4c6
z&K#)N;h9eT;Zey&*=*42z4fzWQqR#w<FaV%1a3B*zIULnK`bG!ZYW%_z&Jnrzz2A`
zHV07R<n^u@zIlW0ot2dhE$uXktAMQ_ggu&gS|B2Wk^meuw%mv`AKHO8XJB*Rw<>BB
zB(}>E!);?m>AhEqyMC~CD%&W0n|z<vB0hjqhg{L`du2QRM#vb6{uW+Ny=AHn*P6a-
z>7ForUAT-y9KOI}YsZW`6x%F~z~~h_ZO7fkx{~RkNm18m;2A|Kma8s`slnxnaEsUy
zEhwcNVRZZ#%pamtsLN1@qc!3%WdqJUpc{d{@&E5a!pOdePnqxppp;W)e$TsfotCz{
z^Yg0}3o{Xib!>zvIEMyuoOJMXL*$=^^VdO6neqxQ#17E=%tDh@dxi%XUjkdk{Lxph
zU2Ev{c-_J(CRVK}#t{Kdxgg~Xl<t4`&;s;DV2$ew-fKV$iF4V0g4qA{srQ|aGV?DW
z<GGHk!+!xd^nrkeo?6%U;|an8>@y(_0^2C{$EQp{2?0oj%KSDX<3}X1Q1dp7&PXPZ
zNm>Dx3^ux!YxE^fcE31}1hYEWWY9Z1qo&+KZ?N}Yu&D&WMxffQBoc(RAdH_WM(Ns6
z+15E@wEX(z=;8(`CU^@H{#T}oxDrF1{u&r!h$&wDCfXq@9iSKk#I(kH*ch?l&}aLi
zFWeS;y><JQoBs!19rdT*Lig=X53M@lMX(B`R<<g`go6u@WmoY3;=M<<PDEROr0mJX
zWDJ<rv;TpA*nYV#3FX-^iR3Je-uJ;#QF9B3P*(?8M46cv(?4YV7miNv@*Rk?R>0zi
zw)-?p?SUOKO9PyU-(6kOZ~&@!1??es`G$YDRhf^LWDk&rWsxyXRadb#enWe#u(H}b
zy{iU}Q`u_J%g4%#FxIJdE^fho=;kI4@;DeJgjMHO1#QM?F%?S~D5A|>ntv@HXs`gP
z4prE(!i3QJCN^LWy<kBLvroo?Ie<|H`_}!ik+zJY*rR$Zxil^=2ohreM*=&e1#C9x
zZeE`37+YTk2N1w-C85CXikAom>KG(Z^lWU<{0U)v_vE=7=)2J@G#9EDKt>Ee&x{nn
zZ?Jpd1)PT1`Odt0=Kp{M&@eJFDtz|=-ndmf3YaXl2YCUXKB0&804geQNdI5MU6CP;
zfKG>)p<RTNW%22E1HG+O<-2E?wR$dimuYL4H!Le|?1k1nBH(hz+H5YY(<V-(1IT=Z
z49i~+@3X)#X^hK9V%#u^75|9%3qt#ajYYjr|8Ti4YSQXgD@a0Qeb6Ze#fLbEHRa(q
z%-Xg=2n1vag`m)24L0+>iYj(mfXATu8js?8*OS0Vd)eaAooAsO4L}42AcBsaJ-gSC
zN=uRL=1CFfgl;9QV>DL&LTzx=bTAB+kiN2?3dWtFUh!ew5CWtSopb(S=9K#S#CKrq
zN7d|uOM1Afh%T&aV7F0*K>+a+fC;D>&1^{!lMk?glKl5Uz<!C<thDI%Z+gesK!LJ)
zTDE3C(&|6t^nponp|RBAy?1?V30s0`eO;!zw@{0@`pb^)GW}w$j2I#)#ASZWWG@dH
zhSPSj8(61{?)&HAT6&vRHS<;x_m`R)&9OWP{++YNtmtMI2`wCzB+v$iz()=er~l5g
zwT--r4-1T0u20Sd818j{dXyw>FoUeRhjmRfdlKb|?{VOX>0)*0Ogn3q2ZJIVqRY+l
zHGm^u@WUx>@y(*NAul{dNpKNZXns6hoVuZG-Pg?s6~=Q+e;&{3mnZVF;<c`q@ZD(+
z8&-uvD0+xB#1|<GCXcWfpxK8`qAC;6*%WVsNikXnbh5wJ2>l0W_+Pzo;{zUzV;!^}
z`=%l3f&AnZU<Br5r7&^j5<=Tat55WWbSTNgPqm;!y}jiZrNOmE<aU1#T7`6ow+h&C
zfmn0V9y+zNoU<dj0tveKSx4><&NoDJP3w7YucnNnt>JQYcah%zmQ4}+aTBl+bkPoo
z=q?7#C-MXN4m9M^rwRrJ#yL^o7a}yL704-{0s?^K_Uj*-4dV&Xx(l%AfOPeY3cAuH
z55GS?lD~#Kb*pb-02;Y7Qy=27TDmY<ZR-Zfjv|~`D1Ue1iD&0A@f`(R#~>a<(W0*!
z{A@<p{$W8R4-r6a<oJ=!a9eAHK3^=5lINxXmHCNCfcYXYfy?YxZlW0#khdklyl2Oa
zjnU|;IPq%dnbH0WQ*V5NB}Y&@z?|RDu)AS24wx5WzI&Og@DFAZ-KdH7?sJu19k;wu
z?R+dkIkOzxjY+WLA>e??*|n&*P|Q%bY!*ivhWK*3+Ea)2Jp5YNztHxh^O;v44uh9)
zY0h_iVTT3Y%}jZ8ow{NXctCac2kR?WG4%87<I}FNCE(0;!KfV6U1X<wdditVyBR^|
z8L3*A^zPg(>?-l-hQKP`*PlDNGW_{8wWs~&r;{RPlpOz7DqUED?PI?L#T<V|uVdmW
zJk-e*#4*vP1M?4xW85*cNBpZz{kTl*e_zSR)-swut2yQ#*4FQ`m2;vGj&w8_Y>u~v
zb}=^Ja$j(_yW>_Jg)Cyv)6XJC*PMZ;r9bnCQ-%G1HU-^N<?V8#Pqp;7|9dx*ho|c>
zkLh>U@W<B*)xahYSLVe2DM~CV&>fd&dt-}hbC=e$UEQ+|ac(D1r56m^Pi3z@de2&{
ze{ZmK4c(~y?-WM^dh(`!SlHtDJOqXx3&%}+d;Te}8>!urn8;+}T6vbRnYU;cK;cX^
zdA?C=Mtb|di<e0Hudw(Bri`J#uX=r|EHY^jl0!zvbt8|ZyOvXe7qj`nm`C$*@e*&D
zEf;L<MzPVIAd-i_gPA4&hff2)70@a;_nGXdn9je>ycCIfJd9MRDfPYB(hSBt3C7$j
zJ*1`OCl^HS%a7v7{`+zK|NGN4eXlB1{+A07?@~Zo>$n<J+jzS(PoMIOJN~<}we!fo
zH2SBmbv2wv@ggkvf+uSZW>o)O$I`y@5!{Ii=xudPw{zA$f?_hdI!L6H%EKZUtNKJ(
zLcbF0$`wp6>0+*by?@w%<=`5hXpxI6Pd>XLD{BM$f-c#k-~!PrVdsAOjKFeR>$W-f
zg$<{6)t`OIe;xWS=7F#@i}IlhT=li)CjKqlq4%9HTRJ@wA3VN#n?z9JHVNWD>=D8L
ze1dG|NYsJ)#N3S~(V0e%B+f(9FnVtf8@2OA99%@ia!#q4<$vpZG#MU(*(%@xWxRK>
z4-FYDN2Nl87naA#%66$Yy;JN^a{t}0r9pew?fd*3RWlo0vX=o@i)+K?RjQQWe~ulQ
zaTt%Xr20D$DvbFLKlxJf7{17e2GC-;WU;T%;ErWjjE5gA5o=eDRjmAnw))tb0<_#P
zY%^(q4)PCQ&V*PYu<LqNB+f_cnXhhE`%;80ns`1txHQTy_-~!{t=XMm&!fwf@k;SJ
zo68>)WQg^TNUJ?gKF54p8pb;Oi?Ga)!RI=4lX(18m=!G5c4^;pZa6P0uH>BVn<Y%Y
zUCDs}ioTq_Z0I!7Eu@O|WTw{A)3Ni}i7LA_h)D`P$9B<bzliCd#7dSSve+5=ckQwV
zgW05EFxgK7vU4{UVK2{VG0PSHJU1(>o|SmT_PuqSTNg&eF%LySI2AfDIEaZscS?N8
z86k!gaGw`LVmX)#Tpaz+wwswbE$=74In=gxkFwWP_AX}9fylT~rLp9Ai`0nWiTA?5
zR9ARtS;0ZR{je@FBmhyfc&~!zZJOBC)<vz$pk7KVAq@C;6}HH6VacP)$upwCLcEau
z4m0gq^Z0;46~t7@PC$_^<^xN)p3dN##vCAj3^=#KO`-QhlsOTWIS-$2Ed1@oDznO-
z|8H@jcT-pF{n?57wTOgO(kjd|rgH*;O#WHtCY!M{ETdB@Pd|R`F4Kjh=cGmIcZ#YB
z39(r+qW5ELitDQBH%y~F{#zqQ&q@`_VNl83o9e*Y8e6IZTnvG#802_920!B6iOrq9
zrm+gU%MqM<xHMOO1#cu(I`2sb=N=^czM_6FR)tcma6Kt;ElDAb7R#q7y+RVW;5sp?
zq}a5bMo<-O#v$}^(f-z^mD2a-k|WgN;a_9X{P{wDO?M>nq%|GU^R~tR-);F4G<RCg
z<M>AY#4Oih(|RmNY$^;!aIqq3rSy{sv1l&vQR41NXPC<mA*15ZwyvGr#v-vLzOd=i
zLed|me*HhUms`?lYv!@&#p#a5oyreoGM+1h?0Snb_jvAiH&Tr4IN@y#*5qo{TqO(n
zIz4pp+9jIt`^YH#_13U^cWLX^Ho9$d3L3RK56N{N=3XqDw~uD_$et?e>227F1wVc?
z^Kn%u!9n5x50B7{H)zS?X2KsA&l3schHT4~dIO8qZA0~nY}r;zw&3p`oeV9f)R+E?
zoNF_y!xr~XQ`agLBx$d1oVgS-ZTN|J(qL_r^p;gv2veFo#TaA1fm|7D`735kgFvQh
z)VY3}6SHDMASAAf*J;i0arGYE>ar5a3El}$whP=DEDs(P>lJ>_rL48+b|G|`>+{8z
z*}qHThr?29r?~$e8RLqj^2%sqw!d_TG%BP&1g&;>oAGNtAnIb(G)nc4kct<2SI<b!
z!vt}7Xsb%wI~Yw_S(9iRs$`m{3NPXg9GJ5gKvz^|y~onSiJ!OU)n6&!Lq$9xf=|kL
z#k-T;X(<aZ3XgZ!dmIqm$qMl!S|&9fi#tR!N`5MNca9S|LP;3^+eAfU!!~4GZ#7QL
zHtfgm@6ren!}=_}n~;f|QGC$D^hr*8KmL#(c2=cWF6xW%7<ZP>`&_yZMZXRjEGf%E
zlR}sQ8ydrwC}`PSdzGX*UdsqpMyV;WB|)br&pC`)Fe$q`Uq^9a|2ed&hshDgT&;Q_
zX?Eax<A*w&IGV7@mmXIi9-MG$V+N^BHlQ;ZalyW~HK*Hh+GUoBTR72az?*RdJh!*f
zVM9$11XR#7rA2)Y(U}1HDNt=BwpLQTdkgj4UF_(|Wz5BVR!YRpzGl0cPNIgit*`9R
zP<YF>Zt@RdF8y{poW}bzX;N2>5n-j*eeue+n`dmTCN6cWE`bVx0N&%?Tc%A*)40-o
z*T7J+m4rw(`-+Q6*2M<cBV%TdccsP*U~%S|o%2n&S!eWfXJKbBtvapRzaGb&uoHeg
zs((LLqZC1#(qa2D*t9BW#n7b4A9U_npWHr;%G8{_;!(iRclv`pu}2Dl^T+HH_g&7R
zdm^)2Td@T^vhbTV@~d>Q?WK#^<P?A0Ml1J^NXv9gb1z*dsiuWzl2eqKEMCvrW1x?}
zTzf9&FuC`6(Q>iv$?l2q&;9~JzKfaj&TC$-G>%b~xd(qgjP2;`oftE|7hqQ`q|RM+
zy%Mp5{g?0VSO0dalKJrJV96dCpL5blT>bc~&hRd&<Q$6xmWzF4HMhR1@j!ZTj668$
z)~q|Bq$0-RNp9%LrB&La=`%jvFRg8AnEauiXu@!lMQiD&Gl5cV8KruTj%heK%uRq6
zyeHIu>mxE68swlXgZWyNu5QZ8B-of3Xj+R^6!gM#Q7>m^W&oaW{T#u*!FfJW!vsw|
z5K*Ch7L0|IN`F@ED>O~u!5?<&${?vPfMn*o;xVqGsYwC$s7mc>pp0f?3qaBy9Xpv@
z#ECPZ!JlKIoxPp8_LA=>ZrM3G_Q)KG$q0pEdsCOeCnqavJj_Zlf}R7J>hxP=$yeEE
zK1B;`)Zt=ujnf1PkBX5`wg-fWnOIVpk7H`hl~dy-eEGb!ofR(_J}jDVj`8p#(aiaV
z#>ddksxfWrj&xsrgZbCPJCRtE+H+4G3tF^MThH3$<w=QKNcQYwU=e&{-TyKC=VUEK
zie25pGC1Fn8r3ey=ssjaK6p8#bHrwxwx#R>HuvY&8IEVpMKG3tUkmH!_zoZLt`OE}
zY$Xpfa)0SVJT^YY*kb7+o4Wb!H$&qGQ?=?{O@B^&t$94D^~hQdt{~ZU^h9c&H?CT>
z#Dy^pvOfs4zxpw)H2IGU1{3F?<bDrx>S8Mm<p=clJg4QhC4qOc%+G%_(;}lJm3Jz}
z5p@XP+gyZi<Z)WH{XzBbYcV-IvGBz{RBj}PMQPCRVbI<>!cAGY9C`j$GJ-Wl{@>yB
zNkGaAw_#g~`XjM<t(h?632tYmXF~9AGd089S3IvOjjf_R9V^$#oe85BY~$BPj28_}
zhy~gEO?^7<dH(&)SN=CG@#pok6s>ZfjARjY#U!IIVg7zi8yY_cM^}4FrqWS!<uCQ`
zD*2(rWIi}@I~kASNss)2;bWHfUK5b8V407<iw)mj_47Q#`8)2e@2?IsJAsylKmhOy
z?wYs=G*=AhYfxZ40N(ebJLkf`0KWu~5V3i@l1tCP(6q7-?0YY7@7VQ14K~0s;a@@L
zU1s1}5A}`T5r>X6n$=J_`LA8^3dlQvWF1Jo`H_q+;N%&1jEBLi3_R+=KIrvWnN`(B
zc2EY;5uj@YB$acbCO;S<3XMx>$5Jiv^Dt9UQs%uM<_@4j;uXG@o*86EUg{Ia>-=b1
zf{|9WM^a;g-%PF5t=2s@s9WhtK))V0jt(V~SjP|HDdB&s^@SrV@1n`ERP$SVGNb-+
zG!6vfyG-$=@iA=-e8bLC9|>pPx>gr&m}=xqSVrF$P!PR!kx>&Z80&nY?BYHzjNLxj
zxGQk^_NBj<M;G)O5BEw**xZS`7pZ^2dJ^t*EQF{=<YE&ty5736qMWQVcXQTaQGV{5
z&}Qf3)HxKK&lp3Y-*o7N2oONQd>A}Y-IHrUy!#N#nZVqpG|s{Nm9qQ!vve4|Az(4_
zNJ@&8S9WjagcVipF7x!G!Sb0@tTTHJe7#$T3rQ+pZz06RoxjUz6c}EAzIbq>P}Brd
zQ8&wm#j0v|!;l1LcYZ>uIk)!l?;gpq6N%^Cx9Fts>TN5Ujdg-H{2?;ympglFamv{e
zQ4P_0obA9x`KP$oikK|;vB%e2@8OC+jan+wZE=0Oq9wTGHgWdfN&h30N}LUU@umAU
z|L$dR8n1RIOzm7p8bsM}h}bcqcS7)|=vS@g)iPZ>Lycd{orKA}#P949=+=ijm>mXP
zV8$c_A1oz%iA(;a;2mHOg43@|Fvs;An@j@f(o;ogk!eOcsZ}5SPW*_St1IQV${D-<
zMhI&p=|$l_K~Rw&*dl_NIu1T1&J{{b?2<t<a-T-&1ig)KI#1bvlJ+nWtU6%=2oAJF
z(UUDfvjIj<AT<TlRTQS1)1dO9(}M5-E-Pq+ZA;{VAP2g>SaY<gXj+=bKN_JVSTp(W
z`yVojijJ)ngX=R4+9CYUKE^i|M@E<ibeSN112P1lRFZ59wfsvK|3O=5mZt-ACpb0^
zy+an{l$rI3S15Qr&m5SM(4(&FS9;P@n2HG6SkV>3`AdhOT;Ht|AUv3^%U1p~LE$s;
z?g@s1(R;N!(1yGTLB_4N(yMX<f~e*8YijOAUm-CIo7Vg0Y7AP<e44+Qf4oL7f_}E#
z$&H)`@QAga@8}JXl|_ZH-F)^yFSRB(=Lv250F|Iqeh~U02N7ICAUK9+BSoE819cP$
zm|Gkpi(==sujqsim^|J%ckL~7;2iTr@Y|E(Tb`5<dSb0gX@b4sgxiT3dKx^yzqoJ@
z(8dFB?Z*8-r{A90P03<duGc=Ga=lmR6SKl5*}p`Y8dZZBJNEgmh<b3nC&Hl`*4*@v
zLqyEFLF=QXNIJ#QH}^N2UY9S6FBk5AKXFa++!y>|@NsIcNjO!r9bvhBBAi-}=^-`@
zg|yD_SblB2;xI+3mfGAoWA5TG!Aic0JuWeUNcZnQgPW^9dye)E&H#dpkgyW0tnGx{
zD4#T@Xz8w(YOu_CpEWz{5-;{p*t<7*z3BtAC{cruHGP0UDa=4?Ccs`6!!%XRSHgk#
z%lDp9eK|b0Dl^v{MKcvR?c0DCQ_{L#tGgwN?fR&UY5h@Q>Cwfo$U#{~#_mO}z=1y|
z-saczd-{IHy0|@8<k=thK4VqbMRjO=XExwBp~uzKD^&iw-+4b+_@yFG=$CzJ(=hCv
zuSxf2K5(~^@UphIPcwhMW7&0dW;HTe*p1UAc`bj>t-4FD8~pwEvWih7b?2*#PLvH%
zmr0V&ZGv86tsY*QSyzp)5W{{}y+OyzySqTa{LU6EFv@I?xE)Wt6K@7IHy=gHV>@}a
z5Pm$020JhW$Yqj@y5sm;fTtk`nq<(2f|6_K7HY{B%&vLdP92-tmtpEiUi#t{G35ST
z(ARpfYnAY(5lYUIKtBRBD;_JDMGvN~1c_$jU`p;x3D7CSz=mi@J>nvV{P@jW?vv+S
z7Nw!NHeX?S+T9@Kf~>++av-R_|K*JD;MwcH9@u391!BbGHh2|nru>O7{oQL4E|n5&
zPS=z2+j*V6|Bz6&$?tQB9CeIoeLW*}Fb2%hcxsFsf3N-b`Ao+em$JAEQeVCqy{*cu
zNFj&ubfM=!;gHgtR9ROyC?Z$DJdTFt)w72UsFvW+loa_m(I}9*PH68D$?T@4m9u&z
zxH<H{RVIEoTQNPnMzk*XDcRfh(gt<rt20*1-5u$xEc2%L%wC0t9Mb)LOgALQqHbjf
zd^H;2?#Q%rM13UbYl!B^#(dx0pKHTfiTq9JBo5U4gz_ERxraY(b?P!KbYIJx<IQ7j
zcGv6i=i8NvkMrIS_$!#6-br%$S(Li`OXQ%GEW4xpFzwo@aHjPO4*$_7a^1J*4}Yqd
z$_5|(md*<P^C*3PC@kmlkgZAJbNk~qKiukDw@Jp{k4#uCD(oce;s?@OW<6;ge;1hk
z(l>qNeL!LrNh>RMaF3vB>`m`l%Qlf`L_5ngBuiXAtdUa16~%vNwzoW<EgIiHyj;2X
zf>zHf(Z!;AA}X+R$+|4FxZ?eWfTe@TC`oR+%~|B`ZdSBW%#`{x^p9TXR^y7F4=L!+
zP2<o^<hYBv_8dBoe=!4H-cvzo<jfDW1;?k)Aop$9H=F@{7>ny|2f6e9>Jvvt!I#-3
z_2rjE?3S_Xfd3bp5g#9)J6Cm?h=@^0XxMy`RV_=|I<++(>?=Uf_kQ{2jT<46k!gSY
zKYdE$Dg7z0ruOY?ZEqiLxtNfW(W6H`<1zNuaTUN*49^Z)1sC^cfoIa&bHmBd3HA`8
zj7oN!-xA&~00-n3+ux-hJsP@EzS3~~Qm~>%|7JT_=Y*f%%EogthsN&<Gm-B`$Ug#j
zVCDeHbhL6aH<&JbCj90^q@Jab_?`3U`%68veN*Kc$ObZ23j`R2IQ4-<2o^|0s1$AD
z4m$Uhwx)NvIffIDkjOUOAeEykc)4L#(0-h#qRjkY+*r`Utq#*W99^fC;8O8<d?!0s
zQpdEHVztxHFuEYn+EKk-$Sw@8FTC2Axc!Xfz^K}YdT*^ww;L{Nd=`whs0T|07*|YT
zSTCF%Dg%WMfpbC%@PEg_pFWWYac7sU*(gIdip!w+%Ig!n9)Swb{Ge<QPro`9R$tUx
zeGb-1$Y}dChii^YI>1O=lTMI2MlP##FkAM_PRjnbu8#iA4|93xgeL8tso!~i(}a+^
zku`s%mN9Fn<oD69U3vJ0eGmCl6S+992-3wW7uS%nF)j+ir{#0&%}WM`0r4j{*+oiI
z4rod7*L!f4I5{mtJK`$89w|ZhmO_D?5I5&9tDx#GyWYm{#O+a6t|<b1bCmu`MG;ZL
zT-GtA=Au#24{?mX5v_a<ud^!E28Z=t+8g(a<T4S~!8b*O2aKO~sahU*1)G;qdp@}R
zuIoyf0WXeGY2H?)gX+9ou&9i4hYWfv)sl5v+*!f)`k5Nu9jl$uYx6=cAuO<UE#Xrz
z{f6^rd$(B4y-vBdEqGn3!(Z>yrFGut`+;h0{(B$VE*dc_u<}k8FIWs)D{)U3M8Dv4
zhVD~09;Ocwat&%7NT-X{UY?!5R(0pCewlVs8|TuE`=kd`ZZFo!5s_jvVj_xlxfkwf
zhj(A7rXC;mIiF;R7vG%JwV-$U@JF+DxxM_5c+5}lBDlPurK-ghc}AG~i9%cKG|RfG
zX^Jy!EXwUnLVEjB;&QtTqEN#)gG1fvMFrkLVRYp-YOZCchecWE8xryHTv4aw2yyzN
z_bXG};cO?5;%27h(Y9gE;P(!iut83KDnjLR`pAH?TRa{8(O*gg81vBPN*)+kxPLS`
z@85s6^}gsWaNiJD!0V4|F;8Ae$q1D1MBVBBAPU6j0S^V|6(Hp^A8mnOEt;PRUJ%fo
z&$NEa$i$R9VB+`r^YiU?Xi$9tA`n<kK-%--;j@LsMN%>{ARay2{+q2`{uR!BE5M(8
z>FDM~<AAl9Q3ISla^80&VCrsc0o|de=1ME4LC`N#4_t!Ld60Rb-|ODJXCvV!{qJ~z
zVT76IxHTi)c~lBi8U%Q%uLz{Uo&qak0%Bq&KE811`M|KHR$woq`<QSID$8v<G&D3h
z0fxUmT~%D<DH3o10$LH(xq52<{r5xYi5Gss!A8q}(%Z(M)J@OH?*L8}#`^^)=<3*A
z+VAR+l$FH?nKOJDbO0KG&;Tu^&)_)&t|o+$xwLgangZvSH(<~L!W!lh7`Ye=LTL2(
zM)dc(a^*#~%*s)X<JKLxX>fahqx0zDL$9`vz+3@4zMS1scqI^o5QU4j7w2cKzklC`
znUo;*`KcKD6#ihX%dffuw8PjPnEjuw(!W5qSrcn4mV)6QaGyP(Zx7k(!2~jQT)ZWa
zN(M?T5V%6$i)AGtujlmS0{Tp0)*hheh!%>70tO&Bq`;*B-<(3!kqd?gsOV5RQ3p{8
zD3+tZ^E)3*Q!Doe9z&7ujZ28BJlF$Pc;S4G&}9dxO9m8XaQA+IsW1$QH&k4kZkxzj
zadEnU=@KDuX`m3ShnKBX#a9-fvNv=JV(Fy=Zu9Y}hPw;$@Th32Y`ZFE4qPK6YXKfQ
zs0dWo&cL>h2e{pJF;bf6PWrC#1181b#uFM6QV$>O7f?h?y;Is|#;Gh0pydl4mRG0o
zNCV#QFKVNmkd>h)!@({(F5w;?57;KzLJ_3bjILxery18j?hm0VNQO8eezY96t)uP~
z*c0~gLqZ<easfvcPUpCxk>l;Gz!^JZ>YPHlRWYmel2)qWNOTN4>%?TxCSwl7r9V%U
z+$BFCF{`j|=pU8a^YtcRtBIccWqGifV7Q{c?pj9cu;(||!z3bDv*kWLeXnQTT>CN6
z#>qCu4(Cg);Im(8G}KW-dC_gj`?EiM$p?~?pO(4&jT3ocH)ol#&n#p_^;}gKY056@
z7Oz<vK|w6dBBYWn)mia$tDB5`pm85BeXORiA%!(5^8p;{8Q3GO?RF5i9GyHheL}!$
zuc?D@Yf{D1{_>J<-1D|(+waoO9eXG5OzI6-tYpNyzbd2-4&f(W+&X1o7vpPlSgFww
zTVHl$TajO?sB0cH|4wcgLockD1o7^3-5Vh{8JpYhXk0Yol;l_F-haB#E!Le|aniG7
zi!j;czjHwx5louy_dGl{^Z41(Mf1jl;ZqdOj~167BT}zp@xNomHrzQ{y-YjRrm(cp
zw@|sYwkP0%tPZruEe*F8ipgZS5%1GyJyePvRDFKXKhW5n;iDjfPB4^8$wI0gE??Pr
ziF6|)L&-f|myK$p#!7>jTDNW`r^PBxz@Y!fX~0VANcVA1m1ayeKDAbQJO7$*mJ_NL
zML9K3jODb}>9Dz3wnj@jz7O3?KT}46DwjW)DbXU@ebY5}2r@XPGaeXoN4-1ReM5fs
z)Z0u19Gfi1Rk~Ec%_PjXp`eZn)I+dUouGxUeGM%$(x`P4gM=3t-pBiES{p(TpY|Rg
zp=;aby$$IL4D<t92t6lf@Zq5&6<s2rqp<Vyz}5<!!VrbZ7-^3(V1{jfsf8Zw>qt?j
z0tI|InVGwF2EkGBPT;?#VQlg5%?`khn%UJ`XufBAzFpN&-z|Z|zosBH0V1Z~Hy|hc
zlp|}ISm;XXUm5~4k~@)vwBon8{7Zqp&OZwTb#5TsfforkxYdBoXKQ!2`Y)Pxr+7iD
zq?vRzTHpr)S@7{E#Lk$e^Fk{~C*y%FK}Gj?os*AmpgB}Nxi_sDE%gIt7I@Ztmg;Q{
z7eX@&AWRWUoGLRYgR33jgW)6<+;9Vm6^{=#lt3-<GFy!g4@TfHh>FI*>2MFz5OT0P
zuU}qzw*B34#*Ya=no^43`QwmL;Jq_I6OjR&1t7PETk#2<wCN=$S3pk16z7N;D4jf_
z@(pRXw>*$hlAT*l|0e&>^G{=?7PR^`CEs>b)YPPnjnnT~YlcQf%0fKuH7N$7nTC+k
zP3G*}PGAc91qCq*2t)vTHNwU$N3V8bT@bjXtzBJekJid<77NTq`9W;H663Bum_q-?
zs?T~2-OL2hQ_b-*tM7r0`o6QKX4E(`r79P6OiloCFAW!>anR3#<rb6TDeK@fs0fbp
zk$k2%!4^BUtW4voCHtbRIS<&ntjl43GrRO>Y>-Y@;`lH9VAX{ZO^hJ^#W!8q=9lx4
zsi{<{HMJchtK2Yj!LYLSRx1S-Cl$=W*f!3iwx*F5s>+DT?H-|8^B1BQiogF%m2q(<
z)bBmjo7pW~lo)-sR7P8(Hv8k>C<zfDNeE=de=4Rj8B~4Rr8eaA6Gt%qehBA6fNe$W
z=>5}7;0w@lMQv^$B)WEUI66DM=BB(KCEtb@+M4zJyK;DRz=8zFOCRj*I$G&IdX8)2
zS~&Bm*~qj|sGzFEN;r{9F)BG1klEc6Qm-F1ILTNJT<(3wkb@Nfzi8IFQ=x+0Vzu&j
zZBA%{<s>+NLS$u7zn73DW(vAbKO0-)8<vgJIv5PW8Emp`CHBTQrh3#MBP*j8(sA-a
zdL8qctXD!k6ZRz>(z79-im=BI+ASj?{JfsiQA%Hq$q`L7F@lKlRHW-x?F$=8yQ;*a
z`>D1%2_{C5TAtYU|FV3c_rS#SXz@3?`k63v8`ZlRGiMW|Blvr#TAj~P949b1MOlNE
zsurn!<LiKM%bNssd<c8|<#!EU5<erD+yBy7(T4f=<Kf0*aTUqJ+js7G<tk2S#0jaF
zJ0DU+y95<P{NRh=pUloMx~JGSlSGeEFcYd=dBg$%sQ4;z_F72O6PXt3JqCC45<!B^
zfhT{h7xy*{C87<}E7{u$9FYCoY3v3xP94X#l00)WP5yr>klz~%UVd;iBc<%vzc}&m
zVvlAXD(Ic>w&D4@>fjuzQSHp9Pqe{8dh@3Aix<~{|3%bj*hY7qT>=yn5KX{4>ToVp
zDaP3{tM}cD34X+7vhVIW?QyYSS9VLnZ7gT%?&Vw7g2PbhRMJ^UJ$!h$qIdBW>Zzut
z<wY_`0f^umuVJ)#+fu4Bq5hW(Fsvw-)zs=o+S$#h6w57fd8E`Lex}oKSPya>keL-2
z=W@(h#(ay19fDR==;j)M>fv)5-QrE1Jbh1vS{TIqEu#x2pIp-JwqhZrqG|_r?Mks+
zYCkxR$-Q_H7MOMiS^x45^7l)B=KTD8Fuw?mjWr_;+5zj+=YjP1?}vaT0oWx`e_XdU
zB)WF(+V%R@uYpvZL<|L}e0dj_DwEjXvqZ$i>Ybi!A7P?{_C2)CsHN+f)(9WWP~UZ~
zR>1E}S4qui1_`}1;1Ve*DfTTBB+%AK%2Hhs%d?z*2sAZxiYJsSZuLBe{&EO6bgiV5
zdqF#y<|7@xhA1o>Aj!%lOmJM*L>g2yp!D3ckIzBBXMK9OB`oF$NlitT|7=Te=Aawg
z7RJ!l1#we9R-_IQfw>t|9ay3x>U?S4(lXG-|7pv>;!`n(WD?xH<eZ$!bub*jAHn13
zF`XR9D0~Dp@k-Y+ttQ<s#6T94IGT5I-=`_BbX#;>R1QCk<CWzO5azemC7yyU{WJMk
z;Tz!doV@g9wQ1GiYZO-H{n>h1bPhA)x7SfoE&u7#tb_{f^D1T|qSd$Rb5UFRKkm%9
z#O#vjyu{%;(%Uz<o6F8-(Ci&@YNjnQA4BGQkTj?L;i=D<s`JOMHaGZnV+jq{Kc20|
zgx8VTNVDjM(K3lWg4h!Len_u-xKsdeOh>Ibr=n&U6jlDj(Fy4tO~n{`HGt95M(S&w
zvX*~hg_>&@=S)hpFP>}jm7mWYLJCfcxwbhM1n#Wm*{FFb4EJ^Wn_)LplDYhXPsnK4
z8_6s^_$8zo-JLVJsQg#AV3ygp24GY*uRinE@=KL8zdodPp)rzZ?F_=l-?wNMc^EUA
zd8V>&MO5E8h!boHz@v{MxiP5UZG<lISfDO@t2w4Pa%89G7q%}-8QaAD$M85Y^>A^D
zGh8{sdO}<-xP4sWBH}7FlNF>d=!lSRKtZXJGpRs2yKAM%Rb=GL`d+wLdY}uUfm6cT
z#+q|QYtlf(JZeY!$0`+jgZ)I(?}vqAS&!xAh{qtu3Z>Zzd2XLB-A!9Ej=D|7hFU5p
ziv_60FFq$GZ|nDUd~*gkeTA}l{54;hMUPNQO7-e^&1}3%Xj(H}BXaz8=e4dXVO7;&
zY?fWSMTM)E9$vLB@dSH)Bdz?+#P1ABFH1M4JtJud-MS1piHABL-PFzc@C_tS${HHK
zVP3`R#~WZ+Qrg-H^LT$HNO}X8{Zs#h?0!SkM;{;s(&k=cdIN>Y;Z_S6pU>fgp!O~&
zr;?ra&C9EPSkQ~%Z<vN0n}W~ex;_z^$yuEiQHV2)60a;jX=rQ=w+!QkLX3YeOUU}y
zswEwg|K$wxt)KL~l!4<;Faa_zkeS|Bt(fS>B@_-rdC+RCX|8#^xa<2zBBpQXG;Vsb
z<=2Q?p9@y&>KV~=f$}tb(@+UJwDIFhRJfHP(UkLV13BUxfV#s``2mK^I&!z>^NX%u
zo8RN8<<)P66bWOeBEM)fimOfFGh4=}Rwe|uU%!40t*RPHA-tU?HFHv+aQR3?-3F!V
zi)p)3i^(9E_NsXpYGrFi**27Kpb085APmm}uUO?h4fh*aZyz3YREiilOg&LjV&dg}
zL11I56j|IHUd`d(3UaX*>jpt1BH&KrF}|4@v~2=4>JHF+Etmh?gI@OAgGGck83)dO
zxfxCy)Mu~pH)kg3&eHhEg^aGejn8LtK*ronYSI)RvAm>H&UxXq##dEceV>wwsq|yD
zXu$rj=$<g*!~K+&7kg_1qsW<<{+TwOm3<Z(OKT1ZnM8HKFdsyyVFX^Auv1^6_(8Gp
z>gDl|w!sQ(3SpC$zVlH!2Yob6o7#(ODyW{t-T$s<a4?f<1nbdx`?anxmlnfuoPc87
zs#6#IisTy(_Q46NsUqp=_g{0pTns`8IB+^k2#3XUtJ&-wx|LPNXP`g3;ugz5lyWs}
zGn8ic@kqPrFU>5o5>!O>-mBa!4oR!lpk(_Gs-{|x4_|ve=o!nuF8e0L8ctnU;ZGRa
z1pSNitSh#$*G@a1(XxGbBIJ|7=c!8<Q)As=J}R?^16WCsaB%nE^NR7=rsIdvU!uD<
zL%nNm?YYB-0c`S<smRN#Qjdqav@UC2C%*jG+{WyUl5YFhm%-n<wE%hE%02uF3Bu5)
zSPEB(pRw*n5k7K42P@QWu`9W3B)s>NWyBw?*DJ^?asAQLw3PdbM7-X>p;g*B;31o$
z)tdGf$VIiD{`OBxbGvd&Fz?Cx>%8J%J6hL*@>ZKjy-yMFTQ}^hFPV;3(JzJNfc7IM
zDnBSIL!+bHA;X>8E(e72^Mh-YCX<!IV5OV$07MIagd1=0^TS_s#0aS{`~`{f@F%JQ
zrj)`vdgxq~8JzriTn;TOlhn-3a~kpH2gly$#zjU(;?DO}-nhrku4>IZ!GboL0sAl3
zSGx0?IY5^;bDIWaLWI5SBkL?NeqLY=YK)xc?Umu-VbH;oQcygBvK@ri&mJ8B)Y4aI
zqy&zQQR1%7-Y3QZrUp--jSr$jBVexr_6~51yVYO=Bk^qK%z(O{>b7Lt0h`dTWf@x6
zKl)ZEnr)4h8Sq)~I3ttJYDMFmK5cLei@0b$Ru(8tc~B1e{*twk`Y*%ob>sb52H6+{
zY1~dbfqw!mf(EzagB=P?_G-&law^O0JBwq2Aai<B;l+bFHiBhH)N~b@6ii>=M6=%j
zH*9l=HB-)`fGKRa@WP&i!4PyFWSqKptCYCRTsf@<Gy?1O&l~H;r5ZXrV;j0_=VjM*
zUpgO?kWsadpH)sREj=!;iGf)PAt%izwyUJAQ(O6tCuIg{#n<jBkXZXNx#HRy9@MP$
zFyQ`JpelEI_(CJuaqkkK=ymrCZXW@TE^Qn0$YjGoHR-j1{#trDV00PQ{3W{?B5ZG6
zTP$$1UDj<KSBXd0>615FGJ47forG}|+Ml^%v~b*d1IcEX>aAx4{wft5Q$ruTpGLVr
zNqsz#NNf!Y7hVKw8x1FRALyoh3PGcUuu9XaEV4rmA`Nxh@5lbcu=7vGtj})vEfYW2
zi6asfXPKC;aFzFq0uEQ(4E3OT;Z!;uNnhXTS)-WSn~nXSn?1GB%@68xy>xR^?ffZm
zPu821ZN%<``bIESYuREP^G2B!;0*wYf2D&=6TE-`g;H%uy7ki<jI(T)|FkZ|*sTnL
zXRs_(TXN;hRMAlMpdFc{lV1Uf15uNi<~yW)ES}GA($$<Fo2EXL|LE&m2zU;REAaF8
zSFujgECe&N%8AEb%_-?Vu@!%Z3sbKx0AX6s5PWps@qX7c6hkj}9rse60+Mn-*jQLP
z?hPI9t)O`%kd}htEtZJ7!(HVHIal2)5d}#ordk0GV`cS+G*tX-R|S?WI_z?BZT_tJ
zMaKgUaG>9n1275Z1cG7~EfWOE)sHrH=j0d(_nL_kaA`oSE(90dh4%o$Kakor^7JtP
ztXCcB>gc$RX^8c%=IKW)n9bJ#dYZp`zop)d6gO)i&&-ryFn5mXK*4l8j;Q##5}Jdr
zKoggg4oC~V>E#vs;+tdSAnut4PH-3*b=}60+Ho1}Ys*d46{7R+;^w}?7wdQ~g~r63
z9mlMd_AXr_?pkd&HgU6@-Qw+XJ9=+)_I=;C4$If6`iZ&g$<Z#|K6CN^yW)Cy+_J*e
zOM~agtJbhM<6v2{we3GHKbKc9ub#svyGn)+3v}hQ+EE;U6KrR`F3z(ElMdoMo@2L;
z6w2za@%f3b-cUU>2yCK2L(KCD0mfpF=5AIs$qoyA2gv3NBpWOaZ|aBHGq~#Rok-iP
zHb|<*ev6Z2>HaP8zA{*jk1T8!)~x=30Ovq?&4sRLJp5GJ_RHoXnumb>G|Z~?u#xk>
zC-<$X_F8{_W`|Qsqso_eV(M5{dW77%H{?uyzWwRwB=NbU8{zv?TPm~B&w@3jr0C4=
z1Ub9(_LmfQnz(0;xP3Rca--b{xlSu+`mKXRg{~*j!we!N2!b=O()yQvgB5IYFPcy>
zpI9=F_HV4)8*{A1{U&tyhRueotpp3^as@!!M)gob2s<-iRmj+a1C%cWL_}&IZi1rZ
z_T9T^ciEpx@rvLd%<?OZ4blEOr#Ke$uY}hu=I!UlEWT+h7MaS=l^1py;-ea~+LF9(
zUF+A?5wbPV`TdF-m91rD({X(K+m8A}AT?YwSXc7Xajbo)3OgwzQ@f@ejTKdUzLyK$
zi_c%Y*v%x^x1LZ(8nktE+`V(BA*ZvJAC0Q6=Bmaj%1BCLP%1R)eGIpm$k8fQY?Zj@
zuL+3}h=B4ztXRi?-A)C}JAd{)fK<;3woG_l|2HST*hIROzOUe73;%?jsKYJ+pcn)z
zXyX}lsdBDEp}t?Ct=>goVrFD%nfF>MUVI_KVRer+cL{!K-bmiwo*%SqEYtl1PS+#L
zv$5MU)pNHOB`%`An8$wl>p)vvysVcsCML#wyg}q8cIr4EuD-du`~HqxG?7r&>ICVc
zHqqHVOF{_=30=1%L(G>GzG_+x{+#Ou1Czmd?vutv?KN|4Df;{t$6;Uu(w``Whlz=~
zxwqHU(t_vi?hf0p4Cb-4>P9!A^kNO<CL9i(D7L<sY!w}rQJB1&9Q0SDcA4HStzC|M
zlZ$HB6*;KQziQl!EDguYM#GYq0;<|$l%5e88+WFBzpR}#I4p)M*pc~eTvz0x>(p}i
zwC-n0g!ENb!v@ShN78O(E;06YK4tI!ZrPv53h68fYMV-JKN6<D+xl8vM>oRj=k!L?
z&J8-v^PwHv;_ERjbM|>uC45dOgerBratnlHdmJa^*=4KeJ=&XFThobn$w#ZoDq45m
z;cF2~9^|b|e7!90u}H(`ixjiLxTbetFp%M}1az~0N|txF9hfP!jCZ4hf2JIHZb5G6
zcrfk|#cg;=>f;qUkhXz)0CdzSpc?^N=b2cCiA1Qvd)KtU4N<>~%2+8fv|0r!OF-pt
zJBTCpoLyrdLWOsSGVtTr*qF0TJYQH}-*YwS46;N^Or93%-IO()({|(rItf_VYpC9Y
z@(`+XaIxUG$+um44$DJo+5`-d0Az%DNLg)oi?WC~33qXT+MMt=E(MJYEZL&1IXFre
z*+`ibv8PfZbRVWxo(uRZrW%0b5~3sWK9&dM(4*N}pf#{Kf5PQk5&l?j#l;3)$!nn|
zoMDT?aFd8HUr3_IegZ3s-|q6|%aB%7NNsSaFFcUG*$kK*m|60d%Tr-FRci%5(OrZ<
zu)8)|+Ix~6OeggbP>AI*EErf-nJ5lv_*2-ZU)`U-1vNK7i$yQl!BRm$%%y-wBNqie
zT3CXyzUn{GTLNT(D&Rfa7S5`=*l0&r3j$61Zac%=b~`=CX`D)X@On5t5MWxM0kJv4
zqH61-!Z`RDqq`y7Sz(Kc(i10`DD-Xse%EGa`tu|j*P&aAleS{Fe!_7nL31zBQ42$E
z!fkY&%4?mRGKRS-UlS_JzJP-mBGfXQ1Lq+=EYdrv6AE?X<FWsI$S=-ok6aeTZ`LHG
z>`{9ksSj$h<d(cO8x)4QqaT8U&jiTpSNCADw$a#_=y1UrFB!++)WX8sJsDg_r*hK4
za)y|b^#wv@u-(Hh6-8H-tr73oyTqWo2<^ig`O-JFW=3=m*rI#S>?+rSh%fxNF9K?4
z`}<Uqi|GA*zny6=CWfuN-96K|7uxhEm7Yx4)dlL<c}GZKjF-}<X(wxzw;i?X`-mux
zF7&=FPFkK|dOomZ-TI~CJ{_xc_I>1vBv#Kt-7mb(i;Gn*u)#c?rc2B6BCx>TT3mV(
z;AHF4PkHZ96~Nb)(Qedw{z!%iK-x=_wGy1Q`H@(ua%mNXIG(Qb@5H8by-p^j%$Nve
z+LX2yCMRFjdElWNL*Th%%zFZmj7FtBJK#~f%LD!pzJWgqS>#<|;qL^bjIbVtYFsO~
zJ>1b+?|@rE1zjbE7&d_42ENT@fV}`MKA7bx4=%*;0+nC*<!FPCq~3S3Po6wm2J4yr
zOm$8M(H{(^gISWfD4uscw}EIC=Jds8NazwDIq*i39{a<J1dVIv2z315JG3`<0c14q
zS)IwIS@6iv2y9w)Dr}$455Ip8vG|FCLP}oV7tj&2?4a@X$3vk~vtX~EzWlPQvQYG3
z%m(%sKv@YLIzSH4@w9;*2kx;v;BEl3UViQ}<xWB;E7}J7jGuynO43hY;0|Bgt>3?O
z-Jk&guM{xhkcfiY06KIfFs_~<h=60@lPz=>E9pFQpaBPbmL{rh&4+-%p=!@lvId&R
zu(&}Ii<bc3OVS(n-u&5dltBgz>!ER)yP7(x1w#;lB2YWxe?$M~a@K|(unGbw`P!x_
z<>llGudWzU7I3h`nLr2KOo%9kwQUDApu&WLmiqJ0oYg&OJbvTUQ#3Zd2e%>pfaYsR
zNTP`VJ9{A9gXb?_X3Pno$N3?^AolqP%nBtZWt6`yE?%>KnJ%y0EYzDD0)k=tMB>FC
znXUe!7fr(sHV(<l&lyez%@>9#y18J`Or=?jK%`F9IM?f{>LM*k(&@Fez|v9yke!d&
zp>)vmw15={20gJNBKueJn>!o5d2U=|s;%sB9p@tt94u#6C^B2Y(~Gm1yNb?+fb`;P
zb`Z5A-<($cM@dg8v8^00Z#g<5%rflTWcKh;e@ljF=(n{Ww9cOmtwdDMvX2)St_dsN
zc}|)lycq9Y`=U6xZ2;vlOGvHcdaKg%3m`l9r-FJv8;wJKN#1MqRc91FWy<~)5Kh_L
z3~6W=+*@Yzi}&JhmoW^vAl&-uXRVa?dE|94hj$)05S(xRqz$R2eSO|;!CxHZrRN71
zQzbQknR55Z3%%^u>wk>Wa?%-JJ6<uX9QzOvFCc3!yV>r49;r7f@I5U(NBUxx;?llL
zE2QVJ_Okown{U7b4dclgF<O^R43O7<Mu61uv55%_oD^!m0wGI>q!_x>xdOquU{wwp
z(rmSp%sJcuKfhNC9Z^tahQeb8ECw3C%Jb$Bp=V);>nn)x(55xiHbvzy0BQ;h6wnT)
z#-JfrFh$fXdUqANKpsM<Ip`d%?74uSJKDSkl-l444`?tZfUoFu{jvYeknnKyppfKV
zF33v2yK6|lmzj>v6GAfj9BS%9cVK~z1Dm8Lfj@Q{%7GM+EmUnaQ$4NywzHI$v-*J*
zdDyx*_!#mVhznKc$181PaIWQp$0kt7U)aIt4MEQa91xiRdfJMilyDR6mbj?Wc?PDd
zYyX<!LP!PeD6A+Un+2{{4cO4xez{Rb^%SNzz(mwn;Jbi+kv+Rc-qc5HUFZ#egVC07
zHi7w!9g9RJ!#7ja3GZ#)SW%~KLV&17=>5OycWtHhzJpMav0X6&Pl5r4tU-IL!eK-4
z!Gk)&;RSr8sn$Qx_cx5tO1*}~!_5r?R0ZL#L5(A%Z9u3Q5!6+xEzuRT(WVQ=u}M&h
zq9cr5aB+=;w-D3YgY|KzrId&l{7_!Wm9N8=WYepOLFpnD>^R3@dK|Fb?!snLk~sS_
zZ+D_4%^f8#&}3){GHV3KBsrhKqUH3q>h8+q?X(YP0(DT>$w2c=TxX<jBi~ayGdu^W
z^mJ-^>G8P)f6vTUKX|vHUk`FJGLqot`vm@#+uiUgAKfK9H&;(TdtAG>X*oO4!6`H+
zhHz6q7=7u*xDcCK_C)UZ=M0M5BhxKW^bE;)?c+piu}SiBSwsX?rG5N-w)@hnQ%p-z
z%#&=NgYQO1N4_d{&3d(0f4o{KWl)HY;4^VOI$wETIk-4rH+d7E(*I+Qirnk3!q2Vd
z@8Ga1UY#Nv`ZUNV{`KyCXPc9s{8Bv+#A)`umyb2wBig^uZg9Ug<F~M;5m9K6SzBhS
z3?F=pl8D?Gm^|G{QrXiv()u$n2{9YsdvIft2j?|TPEOTHU0q%NmhYE=6|Ub#D^n<v
zj2S<v`z`FPOg08?$A==2X^NBc62CpAarTv(Svi+?GP!mUT2qwXd8%qzgqp85-k?!N
z-Ip2r?K<<er`FxQYGdVrV=YZa#KHagC5twE6VxSlg#?!6$oX-dhHZbJ{E}}QM6|QN
zKT^xP3;TgA_y|Sg^}tdK&HaErgvIj4GoYC1j}#e0nNV@7Mg>lIbH>sSc=J#=9+mKW
zOi6NXyY2}TMY#RIC6<?UbaZ;AX6Zvq<kI+UtV$RMlm1#Np;-@=%hK|*ry>W1<UUL(
zQ)>02@p2J49(RXncswIgv8Ayh1IA=`7j`H}3APT@YBt2Ix?agn0l>etuVEwa1j!12
z%LRW9Ee}mmJg4M8z5;PfL3)iFL^jB?A&l1NHiE~q-(PED(-POlqC+_av!Dc;0te4p
z;$Ig;*T|wDx7FRG3D8;X>~olSwR$MQSM2Ad2WD)PVE<p%KdHz<L9o7hlL*Alzn*=h
zSIuwriS`wF)q5~QHsqDU`mGmAgE+V2CFxR~+a$b1*5*CX+on^zgzcpj_m)#RN3-xF
z@x{r#pFdQ?ki|wT1N!TGqRp-}GF#ic&k`%^>Vw7UZLB^@9hlJ4(vFRF(6Qf@e?fUB
zs68HN9ejIzOVCpQ*XD6Bm3u!QM-`!nQPlVtUR8KwP9KlJ*jp7Y8+`$qibW#n+@X;_
zKTqwsC@dXH=@l_$l~oKd1suLmGAg#co`Kea)7x>~lv9`HM_oqpMXZd9hdSg8i!6Wp
zSUhS2S5k$$uOUs(Mk8o!hRmf-uAc6f70&9sKvDinp0>6v7h6>BIOP1hpQXb7lNzmc
z7-x|rmp#uF%mVAKLYX{;<#?be+x?Le>m9FWRoP%{XS|u+J+kNor{}7wkHIfew`Rh=
zx>%l(^y?e9sLAnh>d@AAIZRJvzxpKpR9mwnhzwx-G8Kdr?%xTi?{J^S0k8v12Yz)@
zetU4+(hGoa2<uW%Yl4R%%y{4}egcnInX~g{f~f6Z5=gU?o&R3>>&W@@yGhP;YsA2~
zkiiv(W@Xu4q-k1(r5|U_p%;{mm22QZ=XQQ%BuuIBS=P8Nmb93<O#jN9c<}Qps;H@5
z@t%wKb|nONUMEz$a^5$MLzamEgSPD=I`hHN{!op}_CWei{@KzdL$U0KQXTHMH0YjO
zBV);^Z>g1>)|qV>9lF7U@lZv)u4wm(xT5oK=`ZW3@*B|h{b)`yxuzI#tbOcs-{SwV
z_0~~U?cWzDB_R?PBB_!}3eu&bA_CIg(hbtBf?^Sp(g@Nm96Cfg4k2;qluqg9t$qFe
z#(RIfG48mR3vxVX@BR6F)|zv!IfGZ*J6?}z{FpJ1ceeXZU$=^0T$it-=Z%FzRnpzp
z_Qd($qkB)N+GFPh^eXHvhhGI))cH_CI0VLde&g{|TlofKoEw{eXE&m4S2&I(h5>-@
zn<KKtQP0<#eb%o!T6N6*b(C9+c5l<A*_eAn+2MNnr}hlNlzIi_Po=e7F{CyN-7~iL
zR<)F!b15QfEO1&4rt=mO!f6GYzzwGpPDZ=AZaka^Vvn9Y35|{Y^bab#MUVhY62(2M
z*PBWx>@n}!fFt_1!<K*UUqL;M;~#IG+fx5)d%0fBrZ&Con2}GIVBGBf(N|9*^VB+X
z?z2N?IKLJGu~#aG<4by?EPPAwTB|RlwCW0VjY&>tQ|wLVoHgSb+6?Ntyc^)~a=(!y
zhbzTtZVTorTXh8V+`gyB__J|$sV=xtw=MPweWvpBe-MB57fr(c_Eo~N><7E8zsec9
z8q6^3MYoSe1dF6L0|?}?xPb?p{xu@VQ9*yGM*tLpGs`QNv_ud9Fn)h4P|=QAfLmlh
z{cs>!_|05^-KR*MolRW3+BE*h-B?v8+WaV@fBQ(>AKxhUbp374@iCw1bbQr&a5vb*
zN6%SF1b7bD*GjlbT^@}*)2)aJ2xt&MS-gpT3J*Q%ou%-*f$16N4@>&~Po#0^_2r)h
z$EQrr=<0~5KN!U=bfTsTNKE9K?@UbJ_=)}U<#_6dq_?}lBRknA3{SGJeIFAOEt5Fa
z8_3t_0`~O&(eACY;`<8pu>y8Aw@<cLhPEPGuW`aA*ZDi=TpOwGdcD;jS<AoN^W)0g
zhCEbdRD&Ou{I6wfA19dS-_m-jp26=vsgM@_)A*j2&pBC@>!Rj+KXHp)f*F4o`A6DD
z^i7gJb@MFW+Oxww=o~KmP0CB)!q6}go7?PzQ?M+y>+oCh<9nejspjPpjXz_KX`K^I
zJ4O#xD4ERI;3`Hudw+oNH_0I;`*K2fxz*f>@Po3mz`(DO;zU0|)TMe;m}3j?jm_FG
zxcqoYGRs&GkE@qEY}~XBA<QI-w^g?`78LQwkW+7^t6fw~Ms6l^p52Wp*Qb3{dC8%I
zOx!AUg?3!Obf-vo?*6bLXELLeFfN#%qJ-52iq?Yc?F*I9x{zBQRrSWxl@L4WkIopG
zK-_9`RT^8kw*i-b4)6a~7gAqyKw)mZzpgfYD0PwIMW+pG8K0oa`K|GD^mZRY6Gb)m
zmzG8OcB0exWxDaI&irQoPYVDY{2jJCWd*KminUgcD@$tJ++vieW^Kge#%pEvd+F1;
zIc|S|Mt){-@dKkYn14fE)&ynDLHmkk98Wx>gN|9ADs_KXH)9eT4PnkyQI|MkA0)@~
z{NIsPN&x#>I3rPOJ+9?SHSLR_FLoiKLWUP4eL4Ki^Xo@v|1$6~lgYXmKa;YHeu`yl
z8^;jd&c{*KT=aRDPQvhB`P3ZqO(B;KmAg}}h6{J{Z@=jJRPTxW5C610kk(}WD8)zN
za1R<_ql&;<w2r^j_iOgx^M|>+CrZ1e4kv>`Y_DM*Weaqq@zC>**CYEGaOsyel_^*_
z-lE|!K6ugjG=lJUz|t|tEP2(Y$sIARwaLUHt5%&eA!y;uprb&1n2-=w=L9QmO6X$0
zIp62Vmn(Z}wtmu=)%##_k#yo1Yu1B^ZejQawcklc!rRVE*T&z0_P@hW-PaJ*F`Vw_
zY6YvV!8x_0<C?eY2!iGCGx<|>aS=17!9O`pX+e_%jl%QBs?H?FwSE2+L^=;cC&_Lx
z=Kpt4p(Eh3|JbcR+Xx^E4%t#-GQ4GJ9_BcQ^I0aqGNs|w5kZm57ziP}VusltTz0_d
zy56<Zqk<-r*~|zVZr0`g^s7%&J~*H4iP_cekOI)30zCo${Nd3NFC=pS0O+>;<x9gh
z>35k&GL}|-uU}MGi7oi#zXK46_%-ChAhiccPtLh#VXb&O<$1B6DP@xwLTuEJE-t#q
z=_TmT-0uG>#udMQA&ltG-){@UVsQd^zxz`z&@0PTGq-Fnk3Nei?HR`X9V(>;fpILJ
z99r{OPHCM$C$*g+CC|;%@e6KjQnx+fXrHbeYX!nTo`Q81Q9i(8$as_xB_Y-UnxtX>
znPU#32dXS*uaEY$@>DP{%~-2;!(aDEbro2)-@zw6MxuM@eD)22Fp;cuS>4#(O{=Jg
z;Wg{rXuPHm0iJS=(e=khq@$i@9DJxrL#FpKPZs(whMGMpdOC5K_IbHHpb~e<s(kl;
zbbVYXa&w9mU*<hzq8K-q7)baEOEM|D>PfSKZ`2Z@t<9s(R@0ysq1(vyc~CSz6%fGf
z>qB*UT%)7p?bUr^j+|CNXC}_bCg<vgSI)R!{%J|$m+o!=Z7Z*<?Rj1^@pb@40863P
zF7awp*Y|E*wmS|y+dDhekGC)r6%~E|>61|hL-5wnuFl%p@BX=SzF|F&+%#ldRt~8k
zI0rHo^TpWzx6p3GLc{xsrX9snKC%7WzyGqK+pj2%zrl?@Ij}N_>XTO}bBa-_Vkl$C
z{fEE&Sth7O6cnkS+C86S)=Z}@ecYL{cW5RR{sV+&zhHl}sVa4fz*zrMkBrMsawgV~
zTKc&o>WigFE4i8w<+&|oDoUxjPPz1JxSgcK@WBM#NL2HYliFdQs_=R$W;Ao)s*>lQ
z{HJ`XEnob^#0>1^7d*T8YJ?AXwQD=3!hEew7Pa+s%I7{vZ{Fv*zVSCFP1&3;#Y1Pd
zhb6F>>@AgFoQY~6NH_WS3wky@L#TEG9vnni`4?}vRMf20u?8HW8WPkCOehW2?NRie
z8tWh44O|?3SbV|8lK6kMvQIB#msdi{1UNXpVgHd(`LHr1tz@CJIhuH5fo<{{O=k_m
zTZjwgLrK5U#*z-**xIV^>Iw$*<Tqebkm=qD*f3c5XDi2rJGi=<!C<MV7*i~p`UN+S
zXIa;_0+}!8KJ*rJoHK)5fJX)fllg+T{&ydE(K<=@9@y~p2~SBM5aVAyW<OV$nnqtO
zTFd-v<`36REv68f04qK!xw+%;(BHhX%o4l50~4*5t_i?{Pc*p47#7?gz>5>gc1zjl
z;x$`}FL0?X)EAC9JktC1gyeRn7)PzT6m7oH^_vHYeohqFUOnIAig}ruMd1xr=4|L&
z-vg-e_9dSZZ|q?U2y9iLDjS$KcHZ>mH*f5i%ny7K`{-MvVCFUu97gv-B{=9Q@3`{I
z%wb~U<Hoozuu!w=Tr_@boWxaop%mc}7ay3?!QR+@w|6#t51&X!(%<naa@<Uom@fY4
zXZH~DzsY5xDK^7%LKSKAup6sJn8--)?__3r0^=4s0=kn)ibgb=L|<Ru%i9}BAD6{Z
z*vXWf(eWQ;_=?Z(G#Qkg-v4Ecqc1_0m7TAosp+mw6b`Kz){Wb@GZjbBfH{H;9#9Gp
zR*huX;37o%wQGn1-Em$oSj$L^PHM-Ng;DyJxOf6MB~1)?k3Sz>IJGx9^(DqEVQMA_
z;~)zD?_8`M576}v97{=>#Nlb5%rbShzaHGo2s2c}mVK)8Ao+gQY=+ZyX`aN<vkza2
ztJ5#PqjC<F5Fm5iJr)VzorwF%?40_iDZ;k?#xI9Wl6Fy#fhjqYsb=8|Sz>Xm7Z;w<
zJ&10)MDA-<&a|9-_(#IrQ1EGLYt=oDsKD0b4!JiJHQm3-_8;4Y1-HKWUiZZ>5AStN
z!Ab*|`PSe6{M_xL$cycdxlmdxa$lQ)#W&<RO=A!%(;tc=XoG4*HRX?!6Dko-6BTEu
z|H!A;(E~;jw@o_xE{+Pnx6eb<T<lau_UJbw3G@0L-(CA~Kg-J+_b`4HOv=iXt60@6
z9f|MTtJbV}$z()-=8N1G{#29pNH>o|XlXwAuYTH~Tf1b?V8A_?Fe(cYVl(K3AsF=@
z>UQ9-Rem~nvdwLC^r~aP;`1FD{diy6=x?Z;f5<)MrY_Dmyf;AqqF?-y!8EA;JHRu1
zroa6uX?UlMnbX3Fh@@M1|HaGxP8mhlJl(gA|8VDbiH+)BWR*Oww!v$M&(tF3A?BaO
z>zs32)HwkJrbBVphWJ~U1rqt-PzcxXD!tHuXa4V}r3}(aN;p&Fi!S+u{YsT@xR=+r
z#2ry1{VM-MyDFxd#l-mA@8ibf;72D~l|)5RCd3jN&eJ{#T-W6z3QxH?b_%z*Ucge4
zhP_*rPFbjG>BP<&ucKVWr0{nPlSt6!^oHJZ&vTf^l7~n^(Aaq<>-`?&axT?e%h?QN
zZ^@^0&iyN&Z7tq0eKxhLyV>-a=22_3)pxP1=KAW>ExbHMt5*W2)ExwgGJkANKI?(F
z6SkKTO7N!aG5?81pDOeC)e(mJS5^+Llp@&N*SOE@u9XaPpmTLy8yy))QNKanCtpOt
zdUAXWX+jMor4TOZ1{U<Ub5|d+iT<6YLa8Y;luMKUrV}1IVEC!1GpLWuFi2wCgOCUg
z%0YjO&dH<ysE=26`W_c_XZfhVbVUnCiWb>&T~7YB-_;jDD0hIxJ>Rqf?K0Fw$}2sp
zddfr+`W@Fb=l8J&C?b(FH$rM;iRHyIYSE<;V#@4F&-E2w@0^{E`pdWaYYg4ce<$Pa
zu<&$S-;Px{kz++ag}8mL+O+RSsf{_;`f`;K!Gp`lI0G43g28+ao@!@vHB0C1Hwkev
z&a1C^0#;WzMe6^}MQHokSUi=ec;-kaH?#{EyX`c@AuZ@1)&UQleIQcylootVPo$Bb
znBSD9^?ch*XKtBoOV5AxXFL62Z@G-X?wY>TNJ$WbAQ4_*9mM<G?bAzrOiUK*#2d=!
zkox;oR5}-jR<Su1?!VhNN>Rp#!WMYL2xEtCqZ?AYKiP8^W!L&&$K8E5{WvgJAhp%_
zIidMUresq1*1{~^NsnRtXo|$8>Gj<AJO-rwmRg65X{qv;R_1dFKSl~FH^+e3i?#OU
zNfk_Q@PK47f?$Y&t@L-Q>MN!6jXw8?W=5TB0mk3vqn$n7T~5T|5zLHZ+1t~8yt&a_
zv~&M>{fw+>{H!_R)l}ctQ9?^YitA!xd0e#0wDd$9P61dF8+#Fh&YYin0!+WSzcfzy
z5XJ*V$PKic{0_*Gx%JHeHgfi$3DPT6&1Asjb9oi=<?S*c_2rdHTB2asBar?2ze}12
z;nEEiXMcVyCB|x$7ZE#j5rmvMD{J>x4IPmji;MYp$hj6e_2Y|={g8PdhLi5TUcI-!
z?t3<p<XCDw^l(JP%i{W^UmdIA<RO88fRDI#Bdu$(Rl$8AGNd0p!V6^t2mz>X7$C|F
zk_l}9*<!c{u<<Za^D_>^CM2XOL_tFX<MKaVj)sD}C?MvD4B+q+$oE-Tq%wH{i~}SY
z3+n3!p^P9BP_;o~%cc&3nkXP}xgdcLUhJt$0$1B?<SrJFLk!ZFK%@^x0(=4Q;d!7G
zUD&9L?v`1gD3Z(D76&iO)(q2SDqFM{FMb;|2}F@tSXjUWb4C-++<YyNQ$<1(9;3TU
z{Bv5N&CL0@X7e2|Ka<PU?f@?=R1CSpw`~R`OZs2h^#^3zEIA1yJk|1oIqB?OkR0Eh
zfeFhS5)%65PX?@<ASW`bJaqjkVB#(|?Ok1V-7)xE!i6+`DL(9&98vk80ax!9E120q
zul)reAH)LIE5$XgT3xYXR6hb}(CItkPi1AD+}53UYb*l2^k5`GP9I*ZttMif7e2X5
zeiSNq^Q2{X{9R}8?0ydBGov&B=2+y{uBBJh3d{*t(3%g>g$KS}IkgL6?4*)B$N{e|
z(NBwO?iXA?Q+|<DE2CpJ0HNQ`yI?OUvm4ttU?d3(dR&I3ETf?`zMT&|Kc1S5B``(a
zyl=8Zoy}`hF&4t;I$G`LU?*^?OAYs~4rl6;H65RX@5iZMH;=3D{N3ixXA2|hkNse4
z`wH;QW3LA<x}rS~Caq}_ml?`6mILbgawfQt>KJ(fM}JXT$*p)~t=%KXc`b%dO4Blq
zJMn|_NdMSmoCZ7zO*+@x7cr<z4lD7M6a2`zcbomvVA?RL$}ASq*T+m0b3N^&pN^<t
zz`XdY@Njp?DQ#Y~&jCA;T($O$Z&X@tIw`{jDq<vCUq%I8a^e!iF55dgo|HEf7}mF-
z(M&L}2Q1(71kn#_*-S9D6B>F6_`2{4ASpz_^%Qj15s>c=)F&i^7!4K}Ld@1BP}b7)
zTB1PBfrzev`oMw*OZF@GYh*GHG%E%MH(2Bo5Z%&6h9?Cetb$+v`u{gyhk{r#ATpS^
zxkG^C=6TUT2wWbbA-U=a1IIAZ0xTn&5j6zt0h_+l*$%dpFh0o$=Dwhg`N@6?Zw3c(
z4o{`I0dF0+PzW&>^gb-k;*gs8vdjUgJdnf<Gl<s(Y-wPI5(a{lKt2XRj`0;iz%4Q|
zGXwv+Fj&Z7K!J;huZqVqm0194Lww001;hwO4BHL{w$3N@Tf*RsOO~&Cc@N6i&KflI
zPSVGYCLGw1hY$)JRlkmwUOI>g{!yX)$dpX3fu0D67(dfX=&9<_=M`HB`GRmBshP2I
zv`b0h?wp<+sbXk4FoJ@DU*R5*(uqDbHfHqPT`4S-9GBVj#+ihC8BjHbMMb4o@MD2a
ztf8^-B0atQlPB+Z)M4gEeXi}|z|k(uRJ3V@uU|Bvhyc~wx4y9En9$H)Ab-#-v5xND
zx)2f)0^uw-MMOsChUfnvb4$RHeNm#IrIiEG0uM{13mhnsK;%Xp<`cV%&wBcM$+fq)
zx3;%4Ff%`io(E+br%qW?g=<;G04<o8rfxIopTURzd0b=(`SEQDwD-(ImdxIJRU_Ky
zBSr7!WX>RZi99X4U7w)VEs&IEZ`)a@8|9{qVBb{80+y>mHB5jYdwu5fx2xXOWEVST
z)A(h(N56>LZ=L_eQAS4hdTfI<_T9Hb(RUy1GAoWr-nH>$2>X4TgIGIkGFLmsb%oJm
z5r%V4EIu1yaUKiuI)4e12N++9657gx(h}JEDY$YpA}$>|U$gltsVd!HmD2AMJW$Yf
zY+3y|5NKQ9EKPPdOG+v>>fX{cfa17Iz6bS}grxHGHnrjt=0Io<p1@R~m3R*r%6I*F
zHRqC}R`qoAv0qV0Ervc@wyyne@w&NtI2e?k2=tx9F{2bXC8Bd@|1#Si1=4>GK%p=E
z^}ZlFoFC)!WpZYyk78W7kLt#m)xL2pSvkR&d5=<k@%1820gmhR^oeQw^4%TWeLB-^
zrxuK2IqAAGPtT6py$%=CJ7V}gO+W&jOZB!fjI+XGWM)tLJdf`-$>|;3dQ>5LTiSs8
z*~0UFZg<O*<XApfia>SpfC~kr=!I{>j4KZ?`r}?(a{YctEDv>^_37~etej!d5SWL%
z1yO`BJbcH-Zm<A5@ClMnsX~@KTY+Q&1Fr{5<adp?C+J!H2*}hnr@%|`E}*<1MpPjy
z0{@G4*hV1mbsi-4>EMY0#}3<@q*U}v{hc0Qpzd=#S{pHY-uxZ35hXUUZF%t2JRU4+
z>TxrEtps-G`x}N}b&&a)1tb(e<WnoQT?C}RsFiwu&}gnUFn0umj!3Hmvw&cx{@qQ&
z;vN;mJmvLy!#En~krb-E1^lUXW&X|cxvUPS>d?E>3i`2GNv9PT_nC4s+`6TLu>go2
zmQm4vLx_2`9Y5d;EJ#wBSyB-iGj(u4PA#bGGX~y>rop>_i2)TO9P8Z_J{ZMAhJ&l|
zy3^(9fpfLC?p@xwGi3z>iXS)1d`>)6b!FfpgQJpcqPQ;81vCuMLFc>Ca9JLlG)RAj
zGRau4v22bPQoM)<rut&8nia1+wLna~*SibXalVSN0HbZQ626C+<$%=6qF~ZA@ZVff
zTa_HRZoq2+Hj`U19%-eNcGGI?BJi-PCpl&IQ#hc&0Oj(?)!I*>U=0j>4DB5Jt%IXR
z?3hNdouH08DlRTo;gg8uw;uZO7S?v^Dtt8N=W!XM0zQGxeWMpSHEIoZlfye|ZKM_0
z%D1Y&;U=n)OlwPi6*5a|DPk`(WMp*JXXGNG<EWVI=cilWkeI<R;7(-p7gtHdzB*n0
z8+ag4Qyn$!y{A((90+oe4<EJkZ$1~EJQd&{U@H++mg>HTSPsK!+zsjzy65|1zV41!
zWn7}_B;_AqPVM(jy31McP_Nmd{tEs$w-<b^UMm0B_!;gPnVgtE^+O85+``T?&ogRj
z)u|}w2+Sai3}jhDM>u-c^knzn_{#_4QnVd=gEVrE3i>fhgBVzP=OUp_V|~5fbzak#
z`z=Jf6m+SW?gREAANoB;cV3&vgzI*E^Xj8#9C5;!zJYO?=kb1$sRajERkc^satWsr
zENZGyC=p$PPNU|vTQx$bxV{JN*1+~rHAHaDPkYZ|q41x+f0I)lF*@OLtqXm885jS8
z0Z3=Oc8AO$Cu9T0A~(leClGBU7y=+8{82R{EoaQviMF$vVy*U{_O~_1TE3~u`{tc@
zxqdpJ%z7k-&k73`k$MCR6BC?>|1tNV#UClY>8YyeN!-}f1V=6+vAI;k1&1oAGGYUE
zH~pp|7NgH%9Yo03pbUO3N6l5WfrCZwvwssS(dY0s7QlPOi&ikX<-E&)348lA8iE~D
z;J}rYRUyLqp|A}x8kmthF_?F^X}}&jLJw2-Ui^`CCk$Lh+>SI$IV3XlQI?>@$uO3G
z)LsF&y)o?ec_dBJw#FQbPQs1LnBSkSDu^a6)kmNhjn;+bU`DIVCmx>dH!!6;r)CPJ
zWSfJ!LkSvAYX}cp{V2NWrC;GBtx9+KvU2`=3eYrx!eZ59t8IA=4zaA4flrKPB1&OS
z4J+0`<JLsjpNdGxn-L(Z*2_OHlZ9D6m?GE#>$!yFPGqq6=kBnXiOFrc-v+yBD6{k`
zGY}5G)Hi2mZ!CqQ7)H#nAh0DTD}m;n+Agzgi<WD{=j*&G6SK~I7QY!)%a2_@dfC8m
z+>1Rr+&Q5>^LuS^{8y|TlxiZutTt<Jv`J42O*{4AfEbgfdvvxk=BcCNe7gS^bHVk2
z6BbwM7ak>xm^4-u)(ocib0zwGKX*f|*nU^+a-eUwIgfl)vf5KWh;VW)wUN1Dql}TY
zR#q73>yBU_dqmE`*LabMOK1N0^lRq_L;SB(x1z?on(L)_=6Mshgv`VpL$}1&_XtKs
ze~!sy7g;=LcE$UVZF)htUH^Vz@u471#B-Zx)IE0>w%0QB>xa9z2hK!O$m5&gQXbUP
zpZ=86E>#+ErJOB2A#3xNOwuOX*uaOzWS?Insfk45*@x-NqMY&5I)62v`zW?#`mQ}(
z6e0YzR%)v5a^u{5+Y<WYh1JEbx7k-oOZn#V)CE%56I){vA6rJpQ-?KO9<EPp9$2^8
zbbCwAA^*($<L*yIAx!oJ;MnGm%=+{7CFt}w*n_#;A|WHA$gm!tbZ+&}#9NmA-4Wg^
ziGt`%I~k&TZZoSr2MMX1`9BOeInw3raJ`SVlkFyIwrlQwm9G6f9k{Il*!!@@`{c`I
zF4MZAoyQTI&xk+1@W!vTyYV$`fSlg_%WC4fDW;h~W6za~Q_oqd4%dmoOYF||?#eg%
zW8M)2x31tECuKGL6&D?y+I5hhn#G`J{{n1J=2th#Eh&#y%0erWU&s+~rPj)qK_@F-
zg@~BLZ3~z6aXB~-pj33Utg<Yyhr`GVfCkc$m5JJkxmru1mSI48)>IaMgWzwl82%hJ
zXvhrUeBswr1KkD;EDA=v{?h_p6fxU1!%O%}eLV3{sJZSB0ZEjrlk36B@;uHQlecCz
zt`x%?rD925%5Nrtt3DUn7TtB5n_Hp%mvYgaex)3!PUYG%tez#pM(+ht)-ckp#Adbl
zKIOiHBs76Aj1#VAlU=i(M<tr=NdtxYPSCmTl3dNACR=Uz1P1Z>aIVAB2?k;v)O=5%
zNQZYinc%tRupjTL26ZNkeWrC}YmGZYHK0`q`XE>^Gzp&0wj!4)9n~~6G^$6I+6y2P
z<{nI*$;B-1To<%Ys>gt8X?eqWhbH69*(p%bFP8-Usp+1R4^=PKRz^w~784Awv;yK)
zeyKZn(BcF4fkW)7s<7CF57@3<{8SM9?8NDNG%~S&vhLeuQO}_wUUubhoHT(%?B<%Z
zdKXWV`#Ot4ev;F=<lZDT(Fe+hi<pVcMwTPNzrj(tno$B1J;_G#*Tmjq(%xE0tPAN)
z+slomd`iDGTu=Y%O(;+LvzobhQF(KD-|??>hRQ)Zfr}T9D;L;tJzecK%cACK3~l@F
z^D_s|hvj#2n>^)?C5^Xs(lx%>u*1Z3@3H5NS)Ilmn0jmO^4aC}*)2*OvJvq;6^-I@
ztuax9VYbDwN+U5@7U9UOPX{W#e;E(6&hM0aUO8uZrF;3tAN+-hkzbNM>bI-CB7U<e
zXj*u47RPeo9Y|i|LVeEmK080TjvH0^Jjtry#1(TLYL4f*&4XXz!pkx%r>w$Fg|T#g
zf#kp^42UifI^xBX^4}#weZOPi8GsS45U52Eog~Np4`_Kna-4PUV@#H|0LHJq6YLr+
z2LjKQ(L?2ZN;=Upoj%W@P#kzB!_35F5$yzD+y041uRAXOP92U(%YvD#C%ArrLlE2q
zk9h9@HD0m7bE_QXr4AY(S7u=753y_kg}(*1t6$wuz${{_@Qq=l7?je(xP;E_l_hT@
zS+9;<!k{DXXpa1j;RQP#DcWc}R%~dv;PeZ8Ls~OzQ(dPUHT6W=>hi<)6i6Vmp0DFo
z6QeMLKk_+NGI!1=nO|Qi8C^`{<sH~k#wmN>m`rd5VkYVI=(cIdWu0opy&}|qCbWrj
z2oDIPNpTBUCZRoo=A$|$7p61$v0J+7PFIBVesOf2pvL)kZVReE(I{BGymi;_ut0SF
zX%S9%t!`;R!Q_p!3q*4XA$nKB!=>?S$X7$c(N|VqYjvu=-@U=g`t%3UTl+7`tSU6x
z&(*tl!-bx{D)l;Bj?^O%*Bg-VuBoj(Jb5EEpc;6kpzm_r_Rbr&!`Q`_^Dmuj#pS5d
z>kN=sDmf238x$tSss*BFP<)$9k?l^ia|aNzo8KPzl8?L`DuK4PoCp#CHwcM{AT;ZT
zQ8TG+#Ue9Og!V4YSbT(uyY5BV8#|OEp}daL=n`w9+`CbL`he>v0x*C7&S<mRKWA(#
z)N2MHKLkaA(iN7n5J)3YM%ool7Gb#I0E!?=GQT<`jszsGzklq4h)Y}a{&fn9IVTG=
zc+?`V7>kCi&?sO9z(?i*i1cBe2-VK+(gfDVNS<Bw-Z+vj2jwu#&raC-Id)d)VbDPt
zd~=FY0|!fK_r5@Wuv~u8sm#ieZ`sgs&teE+D*3~E!L7#A!P(=<D|Ody@>~>!3%91V
z;uq#2V86%QvMjQ;H6j%vb)902Y`Ngh$2Tt&71$|6E8QHwb?HuC>rS4LyFhH%_4iWj
zN|S__QwZGIj!$&ot4(W^48v3xGvvHCpC^>w-Vz=j{Pc=bk0W$3Bj|QF=9A`n@hF$-
z!}n<;JJ~#|!H6aJBN+&>*uNk<_3`Z9ah3DFn-{%(PW`4g*6$aErqaVFV|B4tlCsHE
zDkfg-WjKvilA3P{N(E9qhS8l8HBB3UpAqG@b<W43|I-50?PbrNE)gqac!PL#DCYxI
z-w$IazZYS%pc>LrP-AeBi3kb1+x)U@tn$^<h3zL_DIXDoNEr-(VJyvJSw3rql$h8E
z4vXWXi8K6R{>rv5P~G9059y<#(WWqTQrvL^mFvNd>er3Rb)k38G%<<&6;b}ZM7Pv7
zUbphtYyOTx8BbIULg&C906PV!&aJ<&=QJIvVC=xJjggbHlbKT0lS5TK(~2@{$QUK_
zabPc+9va{^)UZ{+01Lbq_{{*!_f(lE9`H3;6%hl58${yRR`|N0y+m|=0M(HM<=$O_
z^gdo?w)MlGxMYLHFzEy^58u9+Ir~gWYOUms#cKK5XF%#E15mH6cw^C8<$o*kG5u8Y
z=_q(an6HP!P00HsFz)6jpmr8$#T)sHW6B`2P=7={9amm|dFzIHZOSt0#gj7ckLj4J
zcdETN7N-3wD@FSIRr^%ba3|Lm>ppC)UD4aH>Y0D~gxd4s!t&$8)-C@0+63>f6LK_7
z``UKhZ{9<tvNBx7&oP=N=j~HzOXiq@Z)u`;ZB*o|@3nZFFGg-g9{#&~=k`cV)eYOX
z+5F8bI(42XzsaMG$`QEjPfnW{Yv)^WL0_&>;Bto0;iWOLU}eQ~S5*gorljac(44z#
zWw+JsXLqe^+J_*aUVY{w_nW!n-#g&%9u^VN$d+G~JofpVRR{}I<NN#j_!IP$lux0F
z0~{3rgpl>B4GR@oaTq>CEFWRO2zv#G%(N)FnZ8taI8)rxv=>An?cRH1>E{gk#KDOL
zwKLII^645^Nh_nWpGap6w;>L)+fJw=elongVbITcV3Mt5ESq#e=Z{RUV^4ux0pg+C
zHm2%VhsF0N{j{`;hC1MNtuU^uH$tg$AmcDc3zgM6<7~o-tu=zk`R|X(a8>{5JB33+
z?(d`@S!hg5R>YlLZ_(Vb^orf2XJWo+Rad!27+OT8rUGoBMO_tdhQA1VFlSZ+1K|<U
zva(1|4lfpPbe`<Yur(2CjNB_$V-8sl3e(*Fe33%puJUV7g&}s1lTy@k*BVrT$ly(-
z3mB)jgF+9eWHr09+`qJ0@>X5WW}^_`4d1P_x^QeSruD=4!|w2os6@91R1~3Du)Dlh
zLp;sE(rm(E_4G;^AC6_#3NQ1RST1&3*V#D&aew8r+2MZTmERF5QUR60*J`lG7Q`k^
zZRzfYB*og@FJui@*BJCo%dU4;68`uml)kNM{POQlu+tPgK8&a43xUd^BZ}=S598OK
zCcR7FuOtUL5Aei**P7k(O~g=I!b3RN)@|&Vm|cuT;jf&qYNKx*W|h)b`0eJMjI0uT
zHtO@TOU|Ho8Bf^IEhoTubk!Y2vN&ulN;(o3GBGl43~1YZiHv-rsCW?(nUs|wa326w
zppSM+@kTNStVc=$K>)r1GB|T@FuyhArYw%_1haDgw{JnD{@B`@9e#5La(Iv*-lJOm
zVWwgkIa+Md3n$7HT42H$h72Jm4j2U4Qrj^Nlx0L@d}ib{vJb(%0w**$Dx$?aOZYj}
zAqe&he8c8MTJ@3t&Qvd8GCqgBiNa(0t1}ihU}Hi7<JN`%^#YmD3l%*AxR?~8WB6pO
zj!uu(d0kdCnu2Jp9QC+#$_y~;0IwoQAv?RQwx{w5O>F&8IbMN59ZoLZ3@D-&G5Lx7
zWN}k%I+h>5Nd{PIx<K8@yz%X0U?3AL9^kNrQ29-VaRPR92!<TZ^H_v#XUn#eDjcyc
zfFR>0V;)5v9obr+lj5$_8XppTTrdl{DIqaoI^NjOaPO;JOi0L2sBpoW9n2kqf$Flt
ze1MMx6Fw-c5l|;JgTbct+{$ZQ0_2ZC=$EO4aQw~#(#9#CC%b*07vSLySZ)V^GX!>P
zxJylDiQY}{p_XaW8FF`MUw%i;SMcKC;=0eryB2q`-Msm&ZduVPF%e+CA~@NRse!Ej
z_d$iM>&9Mr33TJ@y$6FQL4IKg;`USbj%OYpcX_o+_MQe5&r)Y3l)SgBrq;+xIzAuu
ztjm6P(vZ|{qFv6_pU3Ity>qGpj#F7t?K3g|>fEit!)kubpgFdyfi(i%nDUeOD*MJv
z7pa=+mhhW(TGE4&tm__5e^sz-Xk|?fWW~RVCEVy8Hr?YGjx^5vu$xhYulE*~P|%a~
zy<g}((`{V3`kA?aO!3;VkG*FNFUCK_Zu03?*PQ9f7IG|RVQ_^rvVJRmt9`vWzBl9C
z%k_6b95237|5KnH0OIVr72yzKY4Q3UD4+qVxA{@9beWQ}1@epmQoaaBT+!mpVtQf;
zQL?eADL8&TG&N15Fm_+cOh;^@Y7fwMa1$D=`QeuU>;6t*(9zy*1g0?l{{8^)HOL8!
zHGn)d&xD^U@JS@Q<}Vo5w`tm){=~&&+(M4zX~RwevDGjRjkQ`GnCU&ENAm0qpN26v
zB`XI9%DwuV&k|j5ZEdZxk$F~2%TpvX4z@ecxZ*>-4O<LMfVe{xuMG|>KxzHMX=!Pe
znnq9^n}Rxz{{(pmY{x1JVQ@EhRasuF5h_{qLQhJpsGj<q5*XgV3`^B!8{2Rp%z7Xr
z9_h`K$b-$2=oJd9_g>70Q6=xD#zsV0VVOv*(KQCZ`ob`Z4IXW;?H(ykf)wCZ28%5&
z2TPomQB0B%6EnbUhQB`^6agA=*rSE0!Hfh-aw9-m0HUpM(u3IyN^vhixcI$49``%*
zS>=~s|7Q}YQR7uUHm@!+*nb7_1_3*v=;&6khNLYSg19`GA~S@kmtnz~nVD!2SKE~N
zGE~j~j_={bDB)mBUp-X5RIam+DLSSRw2a6k8yqt*lz>_iUCMB3b3R{}b-NHobzBy`
z-&t&xyB$!aF6*aO>i1Gixx9sR%!%XF{yhe**0Yl=WpUN+)NBdNB|V&cP8+c+J$QO{
zVojwGO6<9}mixPwb5{{7JeQ5iVo}R;=Md0y=ZSQ^(h0D@HWmAOuix>E^tHf4In*lk
zsMyr8w8j?YUDs{1p?0nw*ngI}<ZCtkQ2rq=NGu0bB%QD7?Bk!*1usm`JeaL+RT(Hd
zWn4Em;&KtEYu=1w7^VsXoWfE5DHq3kSD)4k=Q|^Ya=0`F3fy6h;8eH`;hpyJ8=V$6
z8aBNc^Ujut%~u&*$+rzD<d-s1wvnakf<?t&hxylV+<*r04-1=w!+}@%%9)SJ*;%h}
zzI*i!<!n^!HEXLS(Oer9C2kXSu0p$6>Ep_KRko7aY@D37%QxSfhTcygN4t)6<zkkA
zMhaD4)jiPd>-Saf--XjaQB$)Ox~$LX>FMYiF)^{#5~7=0YTgshJC%zIRNdVrhxg`%
zdnm5RT<z1TSK6VCWNR)6r%jvNR1CLDSIBBFP*G3W+jzJ>cDZ^TYqWw)a>AL=gA2Fp
zAi0;1%Swq*9iad`wilMETF8_67Mv=cy9aCO=u5nFXZ){1(?X-HFm9_TOh%9!xd)!4
zYCK=wwnv%E^>JxK%Z3|jH3z2gKdw~JpJw-J`bDoL*w=Gt;2heQXW_(<$KegCx>0OJ
zoPUA8)1wy)r>0zhkH-8BvHTWO@29VzMtkx=I$AE$C@KFM+zPALwa~2>&AWZ*omJ^C
z#5?r(8*sAwsi^Wrap5)PcX-H8(3HMV!x`2+P+CIyg-u5O7w%*K_W3%t2id6TvBUC9
z+-C;<sE2_{e#sg+wGN9;tP7|T;rLO`D^UGwftMawciM<u=&3u=nEP`4NfH`?>>)sB
z4j!jZvXE)`66Ljz5trmm?s8tO`g^!cGSE@_t@m|l;*LBoUi3gRd*X*5Ud&jYK~aOo
z*G^r==*~ZDbF<MBM5;=gB~y+y=rezgkJ%hLgbxjdym2(a+g<O;*~~-n-lbhV`yWWw
z**vp^Ub_PIFJ!<tsd+egaCK`(<#hKCCp#YF!#6p#K>Gqi?6%8>?@8C1d4d`5-+n}3
zzq;wVZ{zl@jvpL|`}+ElSkD7_3l0w39=98R)9KV~>Slw*|N6N1o~|YSV@U&gf}t>5
z1*Hq+i^sOkR05;+lG+z8j*Zsxm!0ga)RW+o&_?LnbmaXiayfFoqF|k2CuJoqyi}Uk
zR6-1IB6(~0RO_sS?#)6&lbB0YZU7SaQ(WF9ev|`W3%{ms7loP&*C+b6jTm0fqo@%N
ztlU5Qe-C|oz=!$@kdub+G?$f^gD?LB7}^GbHO9gJ;UL@X+lD{~ZAfrwV1jen$8b-J
zA_}x6-6mfX<eg!`0YrGy$2d=y9hL@ieRhC!UfEvGg}}P~*LbYU=B(t5kF+!G(1n0e
z7eSH$7;}`L?2dqm;T$x&<u!hnlj#!Y=N<EK$}GtH`fjg-z*v=!X1K0TU%tM#S9#<+
z>v@<CL!E9s=2ubI81Z!T%g3(Rdt)mWa_iB5w?vLtjc4o;@$k*)^8fxnnTYYerj+;V
z8#jl;fb@nWOUN-z%gXu)X_zqWzBr-pbN9+>bKTjB)Z$efAN-8W!m*64?|Y3W;R#0{
z0sq6=fO){bd$niru$zB{dN;<l8t1Q2?KLtx`74jV{iq6MGnv(?cDmk}PQ6`z)wY@#
z$Ij9(1qs*jUvLwxs#I3>xk$FY=H_-L7<B{S)Ohv(-q^#khdAL6ow&iS$`~%G*THNQ
zXflC!eeC2^EQcRMzFG&d@ky?%W$q8rC@pQ#vi|Ilnrjki+^mH0&zr$r9ywuryx%N1
zdlIHF2mMTs<yuQfSlAX;Nc!<aYH#V1ZH-4rzI=G$`s6&#{(L&?$(sNBGi<wBei1d~
z+5PVUM*h_q2Guuh1GoeL`wg;@0BBEMHq*M2U%lE01nY>0`9s0&oz^h>-s=0SI}D@c
zjVEkto5Hen2St#M^cuYArYZh3cL%&6TykYt(@Ox&%W_4;gt|kn+Gu&*Dvqm1+)t_X
z`d2>UqmJtGL02RGjuYtHyBXd59D7de&B(OEf6vYTy`!@G69c#aH6WA4Ai0Aml&6qK
z0rUUH0Ha)ryRsUU`i|I?cb`BLH*f*V)pl$DBVm`H+fvrS+A-6etUKivqw%9V8&_=0
zawX`-2V@NzUp!E}a^=%QlR)YR6<ec=r{~6XBnvep6B6`1@JW`M!h*+|{J)(y&V5Ck
zKC+qde{ZIk0Z@Vg0)yHpn41An1Yl}5f?2y}@L%|V00&Up#DYgJ*m40B0p9^WQOlYJ
zFg(%2g%tjLU{0X#*0!dH>pV=>nsg;OzP+{eCR|;Jm4(tC{GxA(io(KVdQ{KOr&I26
z&a1*F@&01xjo^BJcdwwz&WEZbc-yOJ|AX2jsao*~0tSvG-0E0r4*@Y@Cyj2$lv5hN
zv7kvc<=4q+DtBNz5vJWgtk`N#q%PMw)qm-DO1dXOx`t+RKW^G4oO?oIT_E>B`g*D8
zo=?$kuT~Ie!mw@g|H8M(lZ{|R?iNs&04sqe0;W+J7#Y7e9@2|>+yl^=V;~Vq%UwBm
zUW=8}<r4?qgndj#4D5j)UI1GrZ8Ev{O`7Z~>Z-2;$R?Y}gC$279S8;D&k+k}6xwgS
zf4wj^S^#e_o>bnBi=Bd4U8cQE$>W2S`kjSes<vype5%#k`}l5(y15FfCOs}GtOF7W
z2_8P;^-t@z4&ubBF0Yl9YSy2vR)`(LroB2ZKQGT*oG$So4TWCX^AN0Xvjp>t|2@vb
zsZbDJd2CVj&3<9q!m2+R=4kZ*-RGwZM9Smm$Y+2cXm?<Wl@%23g9$j|pb818)p}Vx
zpMoCNy->WrUI!oH0*3Zse$jCVHqpZ9sDi@A_HOd=CSTC1c*}>AfZJl;a0SP~^!cJL
z=6;E~e%dGPbAANWZj+}5hr55lv#rV0j*suW*qf?y-{0utqe<K66@hcl0x>({=Kr_&
zl6#@t)Bf+RKVrGjLwa-g3*>_qLY(eEo~{hc$bohA<hKC27chhY4?gW@(rUeCa&K`4
z(VAl7=Qs;alT)+OQwfq@WyU0Cdo)v11eXRw3KMiiUS^cN4BY%c%=*duqn#A<7supl
zzE8zk>bkflXD!aW%hXcMHWxUp<6I-Py}NYsanBhT{dNnV<wZ%@$p#k;`9M8|pyz<U
zYEer?2PJkUTKCG2@dxfWLUHxbb06p-dgws_wn24bBc~0rmwf7TCIz>l%v?i3z??cv
zd9eTn0Y@&C5ejnhpDDrOSvKmK%g>PXf{>7;+_zstLhk$c`1l!R*pWPQo`8Vb;hIGE
zx$BkQc0grAv78(4aRCX`a;rjNEI$VZIuCYU1l)tSOSHb_3j=CTM3^2GoW468vJ+of
zF+;^|@T%7c`c0GVg&r)3tFfsi$z9fTwUI%s!mp%w2LXXwpviU*T+R%A!6xdt_qe6V
z4lnY1^@W*<t;ipWF9LlMzZ+@Xfvj$PVrS>kunl!=Iy&0(A)$kqG=A!*L%a!D6KA;@
zlE;;Q7T20G!&rtrC`oCBUiyQ229!PTYilL;CVVA8vbKM4AhhEX9ZRe4nUKiYTRF8j
z+epI4V&5A89hHD!W=ci!NAK&}Lgi<K^5S<Bqsh7$Z`{DLvs<Uf+0;G8_T3;$&MN)l
zNFe@VHqo_Ue`pGiQZ!dH=04vVWm${;L_MB+lw<6K1!?$BC1*gzT?<htvUum@wV`T@
z1bkz~OO*6yn(PYHx$Ip+zc`l1F~inS_sXmJ;2bMFQ4`q9ANGWMe&BR!yyoFtq<k{E
zIeMh^Q)wXS*r8%^u119|0x7jFtO?84i2s$-CQDImIbInQ-WrA4$H7|+GHt-L;Uje7
z%Fwuj77T7T5Wt9y#D@<(CD4cguJJ%mFJVk80GJLegVs<ctr4(GhN%xypf#4Z-QXel
z_U#)?9Ru&(1?bjLjW>AtWdaMAn5$ii6Y>wbev<M9)^LUM@)KaZu3x_n@b?Em(nHDw
zm)GBPiEbfjSHp#f?==`vKyLRV0LDSmLJ}k;b`A7opxK~(_5bPlq3<`{N`Uqj5w!uB
z2l4Pm$c%n!Dulp)52T;$k)mhf;2;5S==f6UFlHgt8p4#wLSG2D9{_#aVAj4?b7Y&|
z<!A%n!NbEV07E%a8o{4jK7Wau0;vO9jenWn;{iY{wq|d2q#3j`a7hY}s))~@C%kY0
zFQ={*t^qhzSUPe-qYIlrk%%3<1tTCCKt=(<$8D>n6ME}kbx&mDqZ9KwJk91U9On|q
zAL`g$N^<I1%$NVgwUStIk+xxkc*FzG1#)bPQOsTOBF)Hv^v93Wog(W_ne@@I@%KgI
z66NOR-X-d*-{H~+`3SD_n|a}k%$#3EI)*bx^yGAO&ml-_X<a^@fJ>jSGLbj7=EYG^
zFQe#SV%xK~mZL=7y2f9dqxN5tJbvBHIZ?7S)zANrQ8QMb(!_GPnqboVEsXKq+d({5
z;%9BeiLUS+fcWuu*GPXtyLRhv&%nL&Vr&ikkZ^U;ZcoemgzzuARe5x;bo{^Pi~ej=
zMVstf|NlK)f$eBCvWDSG4~{OlJVL*+Fb^yRpc2p@{GYLQHPRr_skVW4oi$c4Ug?_e
za=9YY2tuux05QTwv~-;3?k<h213QVd2GGJ|0VxaK4nM&@Z3X9!ftXZhT>ElkM3?&e
zNN&qM*2?k{Ag$oJUBO`m8wdmVyWuXt!)Lff2do%u(WvEL5Z?rXiUwnz@_SL&IJ6!C
zk$~PY2R#TQBV!0O<dGcO$h;CrA^t-+zX(HD?4wPrkcFK*JcD?G6P`am4UQQk_#c93
zgdT#~p-d#Z;nXkswae@PN5H}Xg;7gaS82J=RnTnd^a9}20<{Gg7$s+9ya%BJR2-<u
z7po4LGj_7zZUKZ2Jf(pUvtVJQT*RQOx+e;dgdtBfC2VMD2V9p#G7X6{006~L_l;J)
zp2u5y8<eh<E1c>7fUt#F1d1L43kO)EfkBx5uD<Al#kML}mjr&ZH6kENnX%i_7O46L
z7|7!rK3ryLX>FYXb((;!tt}`W6F`FLv19o{^GS4Ua&`A2;ux;}tk$tivyjzkaXdm_
zVoT7d>2n<#jV|{Qt1|e>O8UpQ<xG@ZHn7w0#<S~7?v(mteC)51@6*d4DY51n>TTb^
z(mTLh<Infq?7t37o@sGm6h+xR{k)9QMBTS$Hasj{T+t7b@|{WKwyuus@%06hW9fRd
zN~}LRV%kzB#NHV9T*n@WEd^5=EAIQ5ci7qg1p6K{z_|E}qForjwgea!b|eI~2a(ym
zaxOlZbKnV+0J|5id9(~H<Ivn&{<r|X7I|{OWd-7`a$N@KbEtj*;@b2*+w<ke&XqV>
zl;@XV0jL+ul0(5&WXL*i?=`;E5dc{(m}GE;j)4vC?+!*EcktX(tKf^1pm*WVM;IDY
zn%A#ilZaO-R@Q=^M{pGCT0yww`)eX26DXq>FIMQvzKVJB1L+4gQkQ{CfTI)dXO;Wb
z%I-B#1wp`0ijmcAApBk)ZYlPkc!9?2DOjw402eRk^>3h;VO6YjHUg3c{4%hK!+G>(
zZ^G`Viz}PWrL%2~54kTb3BDyy=4hpTgD=P)y*PEwPGX23_flT(;^h1)Z?-+SeSkV#
z0XB1cdu}+ukeSctwG*~JZKEq1!+%GuZ$sXRnS9Uu&MAXN&!YX-u9LW6=8^+1Q(~0k
zlnA9k*-wSidbj1a!i<wU-D5LaTlnkWyXgj2o}j*4>AH?z$vDSKOSCYZdUDcx5cXkV
z0=K|a8b5mAB@`90{GHnjJ~~U09Zq{afB$mjuT$kD3pvH}r*ta{sYfT$%FV|oCa-1+
zXtID+KM*5OXFoT~2aLNXHMSKsJ3kNVSt;1f0h?rCVDOty^c|m#{j(t%-2k^T_QLgo
zal$UxSK7jFgVb?)eLdeqmFQ*x8*!HDWJF}7unwDo^PiTBvFo)dR(1cN?jkE~dS|(x
z$dh0LD55hZEBl>0)9|wui0}fVU&JdH1H3zex`U3T_+>`WoA-gOX!I=XQBwfWA?7m(
z>bweS-5zs&(1#G%yNOYWd+j@uC<vcd5@_g|SH`T3RbnqY2**glF$dgTEGF)@P4>$j
zUK?wlthnesK+ey_#in!c?fH{WdxT(_;C?qYW$7lBF$Jfz1SmS7q0Pw20Xx4puqXpk
zeW`A375P~OI2NUnlpC=^bk^6HB}=ROCC`(T3R&aW9ODd!ZrDlWsV*+)c}GqqG`eZD
zWm4lfXKO2!L}V_@^Y>RRJb1LdUT3ttx9PDvML`q2u(Bd!%6}JEzxYG2ulq@xqP|^F
zdwJXO%2VO3<102+u;$<h4+VT4KD4xqj1joS1ma)n%V}<=_Z_t*xoegg9Shrmg9cT%
zCY;||At+mWrK{Jkw*qF{0DbIN0lNe|*0=V^uE-p=Sh1#zencbg<(6Wz^-nGF;MXvj
zb{~Qd|IXDGP|MYNtfoc*V5?U75)@mtJqA6%n7Bg&4d%1`dY?Xg05`iP!;l{^0~{Ds
z%isu^*gIaO#dAJsI}WDfl|1s=R&fsrd#D)i4^iHZ9x8O_D@fC&hTWG%L?jlbo)OsE
z$>|=rAA<8)!pWZ*OoUZ}?(o>%^WQ2Q8whLIZqK&8<*C4TZdTfoq*TPt;+XVaC0C6w
zadSJwOepH|sk$v@mDOjH+ht|sRq7JVQUpf|`ah|5okXCf&B={Ze(bjYX&riB%kW*^
zlF%QCOtX1r`u*VLxz|3SiU&rwn0Oz1{#l+lN2V`E=W|#>_tE?onf}4bqh+_F)l%%`
zLoL|4;b4QIj3wQCMaX89FSH#KhGR?vOtHoejXNO_tKNXye!_e2E}U|R;vS@nx}*x?
zM=M2GRU5yENyhJi>(2|2hXDN~q-y&E4jOemcZBkT)8Q`V1w`u)84|<i?E9S;XjIu0
zF<RM`KJi1=fF<(*<M<J_9dN-y^oVdAInQpqHRl73E}C;@<qjY3DikAuCGo<}Stb0&
zW1ovFu%8u}Dg&Do0uCO4L^uDVbBv+8xpL)7pQl_)OUqAVo{JO|O|bJwxw(}MxInX=
zd&z5ARva?7)jV0hXC_)m!m6-L%jexHMl}J&oBLqRydN%>NSTWc&lVi|(Aa_DJ{pqL
zuJafZ!afFh8H1U7B6kFI^fb>!f6_K8OXe${IT+HirFRk$*em~FS9>Q-J5ki4;QzD$
z`4=@Ta~^A4McV97HSbTo&_hK53!Y(Hvw`LIG1R#1+nc2dGf5sfdIU@nnEAyXIHHCe
ztNhCqaoyK{I&e@530U3$lu<BVH4|SL*lG>WuJkRI%L~gUrTD4)4q>5rw7T;g(VDKd
zYHCqoCkvY0sHr4>V&V1CE32P|teJUvFGKlxZWJ_|VC-Z9C2Al(?b&v^#9fbVb6MuF
z_SvPr4m4E7Kv+S%63|@;@1HKy@rLg`NV*7r0^y7?KLScwsNc@VM;yLLg~TFYb3oVj
z9Li`o@ZebE_vDZ%8j=Op5gKB6mVk<R2tN!KKV*f9-TY<k!(x9R)Nr7{S>#p#<E?C6
z2}_9<1r-(JJ%f6v$gK~pKYP$-Y9A`6LI9hzwBdBa2jDY+p0sw&Rg&q;0ue*Burp!=
zW(u_u&_BSE12=*L-5wO&d>U_dAr%3qKt!(~&tXIbiAn;t5HW%}w-HC;#rFr+wM#yq
zSyi6WdZEpD)zI4hzn%e}%x~kUN7TQ=yZVL>7CVs21!2a~F-WUcE&b{T1uX13RBvcB
zgyu59vIgYy0vPiECIkI`6A1Xm0y@yolj1wO2L7zh)Wg=*I$H9jyG7&y!N*N+``^{?
z6@p)EFR<<};U11U1#j&Y1g{!(kS{FZ&Z-8*9`7xYa5z&2RxJ0Up{uehBArc>WI1SU
zlZT*AD2yZjY0#j*!X9+2dgN&X6;8TLZQ455G|FO%wcYGl>)`XJ&njH3<I9cHPDWRT
zOpPw)Eq6F77jrFR@(BzeQ(@Su$P|4GJn*1b;iF3W{P}a=z<>wv?mBmNv_u@0`Fu~k
zV2mvO&fRQbknb7j66B=vD0G+>QN-m?zlS(I1UG=wjt5qMR204<s0QD`Q-bJ#Z9B71
zh<hU8>5+c^oEhpJXnR9Jd2iDW(OYl_V1A(TATc!b1#cn{Q^n4vx(7a4N1ZJ#1qY`P
zV|M8kC_`3Ju#98(V$h~^zQ+!+7|02dfejo|Ghcwk55JM(gfFBC@eAicJu^a6<iQ#9
zta_YNuWFE)jaNdVR&!Z?;F>{aS66M`Py&b;wbXo+ltR&x?4Te>22p?JrOcpvv%Jox
zJ{3Ic@zMWx0)D|V(N+45nz0N>eGX%z(%>EoGG1u6E&*@~TSoiIQz7*pMX~K}$?w$%
z%uJ8d7YwUDWMxs=I&&GnY9?}GRZ*=={S+X$`B>NwpM`(iuujiQrsj|Omi<?;%-%ZG
zGcosx>)P9b&=WiQjZhOmfeM9xc-{`PI#s&7JBZ3YiQzq|O7PZr6B-{E?sRoEq5~Zy
z(^h^SG|DF5dilioz)rItOE#8Y&Xa=?&~9b4qME#}yy#y%7}Mj7@Nf<<CmOi$6p%J3
zV-SxxW$Zve!*TO+0|vfAw35|OymJv_066{wHTkyH_yz2>a-6>9mi>3IU=v?Glz;xb
z#8dbE^6J5Sq8ZdXFbWnxCcgg)X$3SJfHq~4i5#p(egYb&P>`gI6eH0k?a2MR0Y-Z9
zBCfxIZ-a*QzNslQFe=D<ZLa`v;Vp<Mf>&`^{LN$|HatxBjQ}6tl1v$<v#iKWGEB0R
zm6WKw1`U9;1hLRvleR0svn~$gQUe5t!BLYVIfNBH7$_rVhrUQjnGtC9^A$G#Nmley
z9^#D$(AMl)<+_Vd?>emc7f^}8fa7P_!$8=c9$yJ{7Mv=xO1@cXUTK{j^6GQdMO(!}
zj`E;05;%}kd9P*<%3YxQHNl$`ZaHG81plN+*Gb<L{vonf<|pmoK+|?8AZ!rQOjaj-
zj`qBQs$y%;Sxvp~ZmqP*Y{a36NENY5?(7~>|7Z_=)(S-;9+|-Y<}>|Gu5%-H{|FuQ
z3vNp2)h#yUy<zJ@U8t!LkOHN>;bZ`N^E*7a8na|_%wZ**>XNYkvLqJk{(_-41!BT1
z8>-%1?RGAv0suF#Amn$&{s>rQlAkdA728*<70C~ZgsH$qXr=fw^>1n^0bT->DU*;;
zH0;gLwZUP{0R0HqF$=OUR>6zF+Jr(L1bQK$^?2~$bvyP~@XtSg{yZd$4-EK@LTd|0
zt@T)is^^WHK<L8W4($Xt{0g)yNHO5NtOiZ*eW;X7i>|-ArtkFy&~#{nn8S#`#{|@a
z9w}s0FlmOc*q6x3??W>I%?FgDMZkD-80-KHQttFQt74|@UmPC{JuvU2dw^vyh>~D4
zCmudH0-+RQrYmy-PXD+A%bv<XcX@b1;X{}YO~Z>pQ2<t`)?1qVZ?h9KdAE8a+}Bq`
zZ8}FmDY`62=SY$K7R+|PgoV}jq)374Rsc?GuqOP5Y2U({Zf-`S1Je^cJ}x-SK=$3W
z(y^K6jeJ)2N+ya)Kc?^KU$dJY>GdRBa%RD=$9fmM&{}8YS)jxI+AfG(!RO7qk9%NZ
zaDcGP51b^d1iFo=UPYDLwwU!B|2QhfCxKLr(AiU4E9<|T^<1we(6HOUs6XR|D+%P>
z6F=g-NDozBf%y(_LJ@MLDM4oJ<lL(dM}3Y~v9!pOnGom~3;d%4M*1%#r<uxSnpiAX
z-sPG-ZP@u?KlKa0C;=B2SF`ZN+ujorTH)dzE2XhjsMuIPdJEAxPmruifcH0|t+JvN
z_7DTLNvl;eG!y-va#>=hhd~5O5)(Ut?a`B}lJo1}-BP^F0OCK>3nYQ1HHH0{nwlB}
zLF*F^BMGdJ_}kwceL$3l_B5Nz%$@<Nw1g4+*-fn$5CH<$g%CP0$jA*-m%w+G&qitw
z1EEu#2{N6{hO<*HHg!&;a0k|Ek9`G2i$aSORs}tuz>gm<tEhR&v|i^5r7I6~Ju4xl
zA5&esuHO3n%XwT|JlcVzH1rX+gx#R(3&xX<G0f`VKM>fl@1--+qn4dOG6_@yKVW()
zy{%+`V<*e>`ar6wEeJmFFHlYvpkV-w6=pmI1WJ2ezFE?;f(qm-dhSV)0}PRtK~f~b
zRJNy{&yN~tIe+y(t}6NNr6g-3scZ7*CL`y^T@S_DHlwYDoqqK2by<2EdEh~5{bSxu
zy4or;kbn2Z{EUOv1gMB_bYrsXeCV}nqY%a#xM~muyoGvAcihg*9$G%ICKZA#6ren2
zK=lL@YE*DImC(hI+jPS72ky%SzP@zr>MN#om;Dy!{vW2^JD%$Qe;-#uR*Fh?$|#b(
zR|_GLnN9ZIdqyaVvN^Wwy*EWDd+)vXvG@4hPrYBC@9&>(GLGZ<c-;4OU3cVD5g)g&
zvTqWqlf1IRZf`7|GljU@+#sm&ilATG^PJ(~8Ez!%P+M;~&7+)=kZKrY`r941a?{h*
zH8goN5V7|yKE4wgf+*;g+$D*UzEuF8fT33(Eg-Iq{*A4~8jgt*rokwttU(7ki~>dt
zufI|EdknBA6rSWK-Yw{YL-h$z7`t-!xJ>XPXh1vX9g9OCaJ#gy$9>aDf+6d%DL;cg
zxzvi%-^s|wg|E>e!fc6xXTy;k6Vs)f!bN8ykA4^5hLLg-;zX(G)Cd=?)h5s|Z+YQ7
zY_N!cNLMA`NCJbZtrS^Sghii~m30K_zKxJ!qn=mUxIG!r-C=38vRBBnz8OH%BP?=h
z?i#Y>oo?ZFxVnJsiNlH_nw+O`<CpWw*|8Okj~>K6k0%la-#5ZzT1KKzhCApj5Z5hC
z=_$L&qTXXt&2YXpy37S>fL2Z=jL057dZY`*<?FqyaAyoh;7C%GzG*!Lx9YaHpKLBE
zDQS~wy9!9fOO8<3keSx$x06EM0`JNS9*Z#~KWL^CYljC5sOXBi{#9nin}wy&3LZWs
zCnQXY9fk3g^9k|a%QfR1j5Z(i>SqNTbS}*gj-d*UWLDy+m<0IX*C(3Hh^e$_iV<b+
z5FmDFL4gb0-azQ%pnAdjZIM4gEPZ(3IZ=}ON^cqgvbHK*)jVLqCt_zf&JB~mL2zSZ
z;6aMlHC%H%OU4DRAlNSK-FTVP?sCYAW{qG%6_sv0`*yGQg{1xR-ADeX7E*tohTua6
zhMs{KSbb!XZw8=zG>f{k(%v&+U;sj{4u9!-DHPTazwyK0;r|69<9R~<z+Kr1!xLb6
zpv;SlYe2h;`Tl)$aQR(Y`!qiQO2~2t4|4C}97H%=#a8AzydMAxH*Lb(|Jeu*3DpPP
z->S!DMjNnE<4;$q@}TDPhi*KV(b*H~T&$@0XIH1IsT4k;)Xr^om)^hxpB2$Auc$aP
zJ^d6YRN%(TO5V(KZtfcOTABX^+6e1jVuBF_q)-JWX^-MF&c=s>^OjEnP|%CyFEyqu
z1$2Q|sogwo+&FXLFlx&)prW&SaTPVrV0OMfYf<wafZ_tB?iL}(CdmJ-*m(H(F&)sU
z)6>(PB`>+b)gTviE>=Ft%E<Nds+rmtwtUV_aJ8cMSd)4r5j;(ye!J%3PW(k1)x{wj
zZ&j_{Ktm#^?)msLP?R~6)Ay}k;WJKGM^nUtnc6buMBKpL`3Pb!$DOPbN95?$4yEJ7
zgkA}S!R9v)SHijAP31}9E*9*$I0>FuCa)u8SE^E)QTU3h-72VV>kra9CZ;t_SX8cG
zp*IBT;ZVc%ds*UVsIQbf=Cs-QCPryg94|)c^a0XwXdH_|>n?d6>U4EV=Ot=X6es-x
zI4{(WogdLZBO@aGerip@4KreKkrniX=*j}vOvwCE)&kuMSjiX(8-URuH!|xG1A%2I
z?qL1}2Lq@~Dy(bdcOj@jp0)0l2^Yg2l4eLeVV4Q0)gT}#8!q_^Re<i&^6sS;$VRrH
zbLuTEbo3#w_SnDGnJUu_J!5Mhy@vm7X17w<tfB^H+<E>v2Fuu0Hw$m~h6Iy_x+f*Y
zsF`e%2f;dBrE`%W&yPVmG+w=z`M1mEN1;BNH2k_PtchUN%$WK)eP(9fBL*EN^*r;1
z5+i)!?vbxm8slw8wCu&454kD$hL_Dh$3t@qR5HLhXZ+XPO2_oDny8&OJ1^lxZ<MtN
z5gnf>Bb-+|`-vNSEjPTOyNL3En*}-*wv7LN7P!Q=SpEp;s!uo_Sd_a^HjNeq^Pl0c
zR=VL!;QL=*%C;e+Ncd4AL6MegKVMXYez<rvy;f~WwwP5VtDz%2Ng+5?03$VisvwiS
zyYs8Ve(II`CAwOL89IMworX-{m(T(9LTOlRw$7FZC7XjWlSF>Fa}HT(R&2$vjFVE>
zNGiym0~<GOAZZMcdeHeo?SFy(u+a%S=@%F=u$T-yO7qIr65NM-py4!s3y7pB+@ux@
zkTN;}UTQ`>N6u&a01zT`u==1UkRR%Nn0#GFr5*2^p^@DMc|5ekph~FMVgdd?ssjf?
z_Q7(H1^o3PDYheMdVojHtKP=BI9(L3FuXb)%^DN^kU-fxXu^GJ!?&b9r?E0$ImHLT
zNI>XpL`>Ugz+<P&y?9a7Px`%@9kUX%<Tz3c0Q%i^Sg7#8-HDp;z|4n>Bn*Y5GUT3I
zHIa)4u+%TSmE<!N*kGTW+31_jVS^Z!6IeJPT3_qg+S9~)ob!TE!e5*VCMF@M62Q_&
z&_c$qMSjB$J9X|7X~~M__sZHc-?H>Ry+;wEaXI52HQ!|@+JS0XpJd<>)VNJC*b>;Y
zx1FX|<?I#RB70Mk7r|w|P&HM>qd6Q#H2;*mY5<XxC0HT9-d;k=%y4V)oOnMZEIt9q
zjb1KTWzM%#Q0Mo;fRKb_*|wsxay^iOf1#&#rBt)rGEwe*3p~^Oca1pfi!gABkXWl2
z(FlVvHSDUEL}pkB1OC#!x%(?*P9Qn2t#rFI(XG!xD1{vOZt%3rC;0R{x0yYTaAE9l
zFRhB?Vf-oo68Dwr(<c{aBf66Y3x+od%=a1TdRFggRH`oV^MsBzN65+A`ZE_1SUS%#
zvOL1X6dQEXX?3=A^gx^7w;Ws8Q##-CQRGu-|M-XBX(F|qUNg1;o_3|4h7RVQwo}Kq
z+q}NNZVaS7M|Z1<A(a%f+*?sVSvZu%Fz$d|<{x0G2POgKTHnc;tF5Dhk4ab#x2Uwk
z<^hIn;d$KB+tbriG~r77^-mpaI3gLM1$}5Zby3$n=fAyp<R51&A{{m}u*ON(4oHn<
z1E$#;R-@`tItxPr4?xZpn>Ou8>R(?vX=uQztnk3-VjEZu?^o2+jI;RwP<zC7W?)Ol
zK*x-&{7gyhnYY=|z=$%kq)2o%+)=R7F|)KIU!`T#HO1?0uL{D7LR}yX+&mi4x3p{3
zo+iXAW$8NM{D+i)$Ln6rr_Q1C(+fl3Tj9r~8^Xx~thX>H(1p$ietb!KTSOa%ETUt&
zonLNMRQvH|kelPf`3E>lyUx|8m0bscGEHa4m+pBub88$MtFZGp31&QP!16mV0BB;O
z;HfIjR~~Tc5PkBOyTsd+7!JpOX}50_<$$aG3`G+(me7IM4E+0fKx0_*@nCDcNoeXh
z_IT9(fSU1zYVY#ck9MqB7p2{}@opE=a$Ahrto><;FT}TQ2kB$c|2*FORna<F9RJ+q
z&}MElU}@o80k{5PtAX{jF$O$15g5fo9!m&_iuJ@m!Dh+gAF0MaYX(fblJ~s&JyS;}
z<7R1HSzKIebW9B|N@`GSnD(*s_x5JS0ZWtKHW7J7NbKFc85pXRtV4QCn-CCDI__GL
z^k<duKXAt1TmPI-!IKRt&RZrIKU1(Yy?$TWTzN+p+9wg7{xCFd*M@n4GOu&9PeJRc
zU(#Di#Dm)yBA1Z4wYzsHeXUQ1^n)z^p+wd-l!{bVY!;<D^1P4Y^V(mRFg_><cT%@R
zPTdAR(MYi+T#iF%g`qsay1Bap2dt8V0<j3z2}ADx1lVY(IU4krrB<Yk7O1FS?4%DS
zSI(zt!US++lABH$-LHfl)1z>k2+rc|@sF1f1t~`wCh6|*<U2U{4a%0F?4Vnt3Yu@H
zwqdh`Lmg|H3j90jf^?ijliw;+${>n}13T0#22S?~-h~;eQ~cK>{{1H>u{YH548=`V
zr7}%CP1NhMcmN&Wr{ZLMo4c3}1h%(XR)Va8l!S!LogX=C=D$tP%ofeac%z!!2LuzY
z-}5CM<h)MPIG*7?a)T~df$Y%kCAfyPC~`Z^;YJ(M<@LoF&HcoCK0wBznPKUyUXtCA
z76}9tAhms8yj9`)$gZF1&7t$YHlf&u>)mx?evEt03vDD2?SKyqU^M``JqPCq<+GWr
zN3BKz5+@G7Igu>oZ9?|B-UBNebZi40ZBF>5Q1Xn_XjI8(X71bBXdySidWK7m9J-Y^
zunREBP+(gWwADm8^Jh(V!+uI3xb8-<H~{K~@Z5WWd))7kW3PX~Ahu2lckzsvnloSd
zKxKVJ=>Pw)>PcenJ*faK4UHp@Jh`|-wp}VrPKA;}+PcLJy)RQShvb2C^--5w7y?6b
zvVPPA5V$|ZblyciM|L5W-z`bl>D>av8pfi)(Lz$hEJf8z{3n^*C5s{i_lo_5TW$6)
z8>XNyisH}Jpf{J0O`?FpV1tNSW32N95rTIuU$r6zzR5QeF0Ibz(<Cwi-*@ZGYG?xm
z#<c;Mk~_E6TR&`>h5zd!R80Glq4o+wCt+z%N}5Zf>Wma4emUJ-A6t=%`K7<Y=5~Jk
zgtMU9138(S6ieeVE6CGelAACX<CDzXCv}mEWk<oC<k)(;NgbK=z(Gh--5F+3)`HKr
z)#JzWo;~p_KaXaYjx7K{^KBN>^lHW@UyX9O4*DM*SDL&n4V^;Mj2OvURU0@Evcs1E
z4CoRjiRd@J%=10lgV>YEzKheA6d|S06WBkJtC~1WO#i!<zk=TQ5y)s%JAOm)3>Y0~
z>({%l0niRg#3PHThC#~{i^n<}q>aB_{JI$p@i=e$K>Z=}R{nP?=S6~~gU4}Db?npG
z`#+i^E@GB_Q+x*E#sCQfEdF`uIFCrJ%=3zwdO0}MR7QOfpB+AOjM<M)CR>M)z6lnq
zfw-+<foN)aS1a4CCHjROp7T#|F+jYXvApm&T)K<Oc;P|i-2P~c4UNwK4OyT@1*yI(
zFen>yUd?IWILYi(C(kmvyVs44;Ihy+e&yg=(<!H5RwWg??lE~yVsi9nYYAH8UIHff
z0XcKQAFUHWA3>9xWG9V@iE`~kYu^#4qr`Q8kgWH<u6iw1Vw}4Wm+&HRy<c2Ve&*Vr
z0fO(B@RnSP2N&>zD8?@^zh7&Xt!~t%WRRRg0zT~KxXpC#s{5_oq>l1XAjFGmVGupO
zZ1g{*<Fk(g-P7oyAX~8bJB9Sl$>xEc`s(*^C;Rs^&o=`<4NaE?7p}R1NYsaj2x9Yr
z=t$@W$pG1>vh5)KW8_Z<Cw|_o`1`g|yCyBWluUdRP$<LJx}mp<Ur48{Xzw14+PSQa
z@Z;R!WAL~-;F+3i7I>V~9yM!bb}qrI$A@$-i|2O;1f;Fa%r9(^`9V>zU}n<Z5}mzn
zAbfGFm&!F=+08ZdR$H=_^H>4%)XMTTzt=zfoSY*anU_@P5+;IC%pV96YlS38XFGQA
z_j>J}_sj;yh>~*1kM{3@1&!8Fj`U8_P33@72Jd;<t>&e$)5Nmd*xrghJZuVmCcdhR
z@KpW&K>!1c^wtd%6hcnqa<F(mpq%}IKfia<i1UO0cP&NzuE~JBP&m{Wp)ME1u2n!I
zK%{R_TAtHX*LV)gHSP3BGI!Uw9QdM3Cr-;_5&S&eiwIRQPw)w*7a?P{MK(zr*G{<|
zP`moMMb$%AKjCrV26$6gzDN(+B><rLF4EkUB1v3nyWEp4BpS4tsB||b8?O*whGA+p
zQAcDz<T2L7Wx*3}6Ja~ae4$eJJatcAo*zoBXueHF4k%XwB;k1T!?tOAv6N3_WPSkh
zhkO0?&h4bI^lS<=!8%>c_q7^V+%;w8@N=`GVlq+b$&aO`?^|O)5ZtZ4huFjI$CKvN
zxuXSbqa4Llx#HOP?9(d{kpbnI+5QDAhN5E{6`Gw?CLOe3m;(l5z9Z-aZ6~yNSG!c@
z6ASSwoK9I8S$(<S6NtnRkd3#{QZ)7b_YYc?YE8Op0eg{AoAqd3RCClrEF&t6!Jy^G
zx!c&H?H-Gvu<%zqxqv`9RL+ii@Jo;QY(3e4GsMp4Q9i4Yo?AGc-VklP|FiYiHC#Oy
z*dCsoa8G0)_-(iRF5NFEw_EDH@0sXr(JYriSG_<}aqJ%Iad8aI=AjB3dVorlS5>it
zQWOfV3wI9@ICvu<#dmYb{WNVXBGWiPs%uOtui?~=ch!EwFa0Dt;0;%IccUEk`g9(~
zPTvm+$oCLattcAW4;eG`JuJhfNoRD(>-WMfbI8!_?8#Aa=*x4aC=y*2ld`5%(wJ-t
zc>&1rr0!nLHrZ~3!eIRZ(4>&W2mokz<QyEnX;@)#l3Q2%86!05^09yMx7?MU)O-PU
zjvwxzuy|n7TW{ty5$JW13${HD&_r@|0fkWufG}gwGR2oTEfq<tR!dWVFwD)3!>rA!
zOh1dUUevtPzayl0;lPTJKE?3FXVomCalM~fBWyL)JlX8l;h+F(;rIEAg}8pXGCc*~
z{4Xb{e}9eaeO6{BYUSNi5+~uq!{_syqnH~Ln~m2hV+DRNB6azRW3r{ZLMSvW=K0N8
zRf?#eKhkeI+@zX<{>dDSGm^5i@n8d?`}s~hC^_brQkbIG3Kqq8T^DA^eEPFJwJFQb
zkL;r5D4H$4w#z{#<bV|tPDoCiOwTlco>N2s@%Y29{OgDxQ!qy?`61zEW^ALkE}+ze
z3N!6IfZwKh#Itk(*WF5?|7f;Z^PrHy>)uRw(&g~C(YQ(Txgn9kBk7+yb}4$>Y+p5J
zd^aVvIrY)z{L=IxI*Psjfe{g}aiU&IxTN8XFD}B++_5G-A^YI`Ji(@V@v-S;;@vY>
zfkXG%n9j49g9`G#>GqQ|`|^We)*6<%TZRmjY3|hl6gFZ*#U(MvTaWkZ!kqHXyj5O4
zE2OmS3ml0n%+zFLV;_8jYqB~!Us72*I8mOx%0JS%U7IsFROMT9Ql{Zx{qrqeMZfA(
z0C}DmkHc8Ue6aYdNU{0Q`*vlMJ{|3LD(%S>Gh=H)iAAMAyvSDulPrNG2g7UA>kF+j
z@$rg5A{PQaLB8bg+z<Na6*c~^HgG^VBYgO+=dSv_{{AyLAmRIO`}Y}FV9w+4O}eYX
zrk{vA=^TfNH~FYKZTXRu-!+u^ppAK4oCzGwg&ZCqkGMF+THVtV%+2M)!Ig>*Y;cZc
zaol0}4+{`Tt|K(*?s2X1e4{jY<vG#>V@Q!bcRW6qZt>=T*~5^+$GvIZ9wjuJ41|8x
zUnDEI%``N_1KZsWsny9QJBkDDY~$Q<)?{qwq`mQQgDX&_+kW>zd!<=5vpP?YU&(U}
zB!u8mO#b%#6J45v(<<@jqkYPsU(c27jRvaYw;ArE)Ag3k>u_PWXu-1es&Cphr)nCQ
zW~3NOvlRb%i|Y=)&WME5{ZWgD#*|mvFDHC|>mrN19ML%yZRL5PT5>10!~W|WXh8rt
zsZp10dSylB2uJcwS_!v$Vu|u-v<v|dPo@_Znn2U412BrQL~69UnnM2FmLF%{g|zc>
zI|vH9+I(tll)9VmN0gKm34bN$4vk5$=KWFL<P~0K0#Q5cuHtrp&$bk~s0xd#`STAH
zA_Kd-C;gPspRaXj<}es7GJHrk;WEgXJ_}WP-}7RwH}<ymy+zMd*+PcuaW|v!e01z-
z1Je$5X10leiT?{evFQ_Z4;+va`0G{Ph%_@7r5bw5C>LxzLn%YU2Qnjs_5hnjk*Wcp
zWp#e)1kFoOz9=s*pITo(TWumskh(h7o59ijaD_s!t9Lh`VF&vBS;T+DJ&BsR5|Zx}
zDZ8kpd6RMb4<GL_NAin#x(s8Nj(3W66;uRCjsD)wyv~2DBw&Sn@M)|4)6VA=!m0dv
z*^IG5(^Y4FtI$U4^Y7Q6tyb*0ke3?g{`(VKxneb>vV1A-kg!xdGkeQ_;v434KK2Dq
ze}h~mmiqr)+DA1-=;{72L5JR7f)qWAs#18xjk$2~(IQP&%c&=5u;8u(@H0_tZls#$
z#ol8J8^z>(K3})I%ROc+mJS_-t50n8hYn?q9m#*WbQ&Kb$t+F9a>jc%7Von(3n?r#
z6Zfv_%bM*cbl5SJYRPfAF9`T8dK@p)?;|HQ18yjMVWsz$Ts)9bd#5V6ys`1D=e#wB
zv+}1KL0Hvb${6C%i8uGL{77jB<##hba?&om=Nj+n3et<UOVn%_R8@0~jfNeXdBWVj
z(CRo33ksWPUG=TL9PZ|jEo&9J*n+=4RxLL?c-3h5m%h4QU0F+|67`4l)&&Pmsb_~I
zepFQWyz<L}ldB%9lM=npZhyP(E*kRdA<|XdfTXURy#}uRqPgz%fzum%!}6IAtGL$F
zlt;k`&`vF<J-AL{+NDzL8m@6QPp;NIkGubWUOdoQ`Ki-<%PpYyUUfJ7p&M0gl^knA
zM^HgIbrP`1gIq@ev3cU6L=hUXjt^$6s$Jc>sw&<M@0AR#Nf1X!+S=88$StSF)S(u~
z!ZRHS_uSg0zO%`{nK{hsLr_yAzH>AmDIQa4+rHqaUTmvo!A03&ZGQ*NF$#BCx8t$H
zIBeGXl$Xa0Fwc_f3jN>X4ll>%%A9<ZQxQ~tYdF)IQ>Rs#$IP+$*nv64e`|cp&C&df
za)M$KOPHBp;`sQgO!SKwPL>ZTv(8yXcMJ$tUd3NK|K%Q^G~8N9x((mH)cdopZAHv8
zg9`bsdF)1v8cVnfv3n||aD~<*iZi#qK_$At7XLFLA9#hG#@$5YTk~)k(7tCDUMq^z
zey~Ci#jWh{Mch=C>EtcF`h>KTf?2E)($$T<?!>qXo8D?Ms=@{hY|yddgduKh;+Cgd
zMClDUgL@-VZ-~Od57~gZw#SHjF2$#Pz3%RNaEz46dXVPxC<zWDo3A!u-(2)RkCaZo
zqUY5E;Io{BtE5ND@-mg(9ke0tl;Y*L7i~EC{c@I7D=c2#aZ9@h7p)aaxZq?o!Ym@O
zjeN*f)!j0GPklUaHjxpNfLNu>^vSPev!(8uhZn~*vEHihrn{B9()B|^XZA4=_{AJy
zn$z}BIoF<S@T-&<i+E$scT#1W4cahU?(f>46w#0Gp2oQP$SM1<nBUdn*XfV0IkL9l
zTI-jmnW)-iF9}v+HE7V_e3SkWo*Trs(2AxJ@YzfHZolEIqtEc2FyP~KWz}w;mJr7^
zVtstPpX4Vu(I<xM!M|<okf8G~1j-zgI-G4kI@!46;Z{rrpU{#PwXZp(^*Uy_f4^ZE
zMT9JuH0@An03UDc#d^H>@D;A|FYtfcwrM_3jCu;Qx$<=gN4LAbK9A-N-8uMDg6O*W
zOnzdx$N&ZhC`}M3^enerZ!dcAw)@~N{uXc>7@qEr++QE*D%3Mk8Sf3eopaf6xR4f<
z&*)()!eutX!!Pj9E;6$<=pNWuTR-Tjc%P<Zl-hldcR7Q3ZsE&4(&OXJA0MX2dQ<KL
z5w%UfjV|D+J0FFJzLLrcb65X5&&Ew{wpAJ5vt>KJkz(`TYX->K_*UtBj}t7GZRsgl
z?g_S(?N_W*u}sE=86GmY_H7hDWAI&+`EtuDn<h?cT3JIla)g-%<#nlOyV)}((IRx{
zhTC|ur8YLqZ6ER~Ekr}t``Pp7M)1bZ&(8r~&?jpfX0srFd80BbQi_fvM8+<GyJ}N!
zMp=UIgIAEI&q4NY*NVbmGl}3g!&wXr$F89fyG0T5#o29FP7X|*2=<4vzN_tzvm)lw
zL1C}zQycTmdM6=L>yI~e2q9u-DSQau*_!~TAs7eu_voal2b@Yu(dqsdy#aKK;g~W5
zNG(2adb~JuwHY9lx}^`!3L=*FldNvXs<88<p-(aBFV-n?#4jt?Jx&_G$(f;hL@M$M
z$-HTQFmGy}xo|82qCRR8c*wMBW1_q^@@!$qV8WCIP1P^0Ek)A0Xu70amb>~!5L9zJ
zeDUMA`&0L5sDz##xYQU<lt&Io;TUeny@)97O2WOu;b8xrlYX^F@9_fpob0ujPHWnu
zX!<%et9i>2DX+`uci8O-Zv=fw1c+<LHHE)+_faB)Y`9bcI+f_$1eSKm9K2Dlg@b4W
zY%xM3cgxEwdOTWYIkrvIRG5s|re{|C0}zZ$62i=^Pq79~E4g1bw42W8*HRW8DPHc?
z<$8{Ncv!x*8yXnnCKwgqSL?gc5bH2o#|O?vip)9vQ@BI(fi}3IXd2qkQVoT`8va^>
zB1~Tv7a0T2;iTekX8R^=h7f%oQ4Fe@p{smzvn>+(MSc=GK4)OI+5;LUH{Yb&%rj7`
z^>R+Noag<)rs(91r607#e{ei!gc_oyH7Uo9oeI?QIr-OnJ&|}6vf`N)5VzCJY`wI^
zc}FnRUtSs&O%+fs3Ux^OEogivzBefLNp`C8=)lO@#(1BYO=r>=g&w)K6clze<j^F@
zYNx89chUHWV!qPv-@-8EtBE$E4uDv#EagnezM%u>{~0f`jez*PnRQl(lh-J!_|)(>
z^*d*eL~+?tNL5#TL^+N2P?oyFODi;g3K?v)<MiO%Y98_v&<j^!+hEJK198Y^BOTy}
z?oh6@1i*$rgKLhJ^E~|3D#TM3N6M@c_s?bshwOH5svgumf3b!rujJNhOTY0dZr?y$
z@o$Ro(fKKI4J|VXG8qou42viH5qR)sj`!@<#?*}ZidpqTNNTch&G7~P)L4fR@dqDn
zO<v5dI$SiA)?Ea&OAhW#WBCo2aFem?3kayKskOdpU5NYaA%GTK_Vdg3sNcZ%VQ;=(
z$j<8AoMZ&|$BqSKT56jh+2=6frtFX<3h&IB^rp`9Ogt#LEMsuJL-J5uJ&)$`bM$Bh
z$M{Mb_EkKpsy*E=CJ*AP?5D{hwA_VkKj76+Va5`R?9EwCI?dc|-a%L=-SzBCvcFBW
zF3yQjpf~D-qbiK%e!#;o568AA1GZH~1;O8FAhzmTBHbZaiq*YEG*o7*O8#FlP>77Q
zqB?nOrUNDzZAWi?Eu9_BqkK~st$me{Edu@e(heHh{mXPF@31~fpI{wuE<c5;p?xA8
zyOm<G?t#t1_qs(vHD)&B5xYQf(<}|mtJJ^ND?nDaH=eZhxwblMylV5d!DA~9uAnk{
zO+6W<O<NoL4|V}rxOgi#-F0<M-5wKDv%HvUk8>Bfy{Tphh{P=S*J4Na75^IC7|Dtr
z1}z$$drpji7gkwt2oAgc7@1?RjSwPP)gdIzHRhVxNOzGcH{Y(Abh7Bg&AG|DoO?9!
zxfjuSgq>_h2NXtwxi@@#Mk+jfMCdB_On=@hBe&;#NzGcu-NCk7s|dA&smkkAwcm*r
zTDa{6*^Ext4hl>?GK#J3zGu6w5H{SpFH?7+Wa9pYdNP*hiPb0UA_cqe6O9<N%)`2r
zJlCc>-{-p1r~%}uk4dkjqS&^k>#Yv!i(<wcp5oUV6qSVm`3pf^!`!c=u4piE3{?y9
zUl1d7a@?gJqwYGCWgLr;&bC9SLV3!S+Q9$@2M-BTND}(|Uq4yE#i9OX)&dJtwvwDq
z**DPdIah6U^dZ#hu&V-pE(+H-#`FYbOLhbnFI?g9yDcRleCly_aq0Z}5TS~aWu{of
zepiZ{kPW4G3c@3y^^D?ZcK2e|=ZKZVsOP)r>_1pW5(6rcfF(N8y`1%G2eTP|gdt{0
zqR5&0Kd~pgUpJZDoIh+IpHTI{nmJMqL(i-%MrSu8$w2_71Jv~QOk;O-i7oohqFsu}
z4(3hbN#h)4UHcSuZ_|5z8b1Z^$NrM*kd)!F=tF}f%x+&tK_f3eMmVF`FlVVY{N&?G
z5%bxDCd43XMCcHQg`Jh%^sf#Ye^>Mb1+lbW^gzhiSXfsS6rPd~{v;u(Wb$5!K>p!Y
zn*2*BU)vzqb1j|;wjzbJqR2~%mv@a(l>yxPxQ$|&SSzF9ZSdMJ=1t#Hb$&KT>rOQi
zT0iqYT;qSqkKT^>At;roAh$HUHTYqiLeQX)1KXtoEyDWl{HtXTsy`pDF~MfRI}^zq
z*vfHD8k>XkxvXw?PR-UypKYj1?vh#T^o1I6x{>{>qU0rNUdcGSxIBL&l-tP7GL3J@
zNU1)i#=GT4=*PXGHJ#-#|A#*QJK#RcD@P{Gfx!mP9~*!H$>Jd%M0M05!|eR%DcCLV
z)QoaF7oL{QmdpKc(^xc~zSgS$n=wJT&%@j#h&h#@v2%5RTyomAk(Sog#+I2jl@MVA
zOFqY1MSC3R8yY;&YRvfGf$1mJW@OC8&7b~R(N}&S4S{$mzmq{Ni~+tP4;aK=`k;j;
z);Mt+`p#GC(<i#<=Qd2|Gh^AEB$s2vUkacRO`vfL3Xo#fk;%Ik7K#uZE`EOY`ds$+
z+@R*&qqOzvy$vyYkH`1^wRYJ1S}DItA-Ebb1bw)1yOkrNF44(hxASA>&v=Ik01pC4
zx?v|ln?Tw`&$qZhl@6Z*G}7qkt12j(pDR6igI#RTJ(F7|b+<qKdv@!glT(-Q%h3+I
zgPj{{fl>0)ZqeMvp453yY}%YV{R=0=<fW_!#5*+WyfTJf!?pG48~-zAx#Q#c`1Qxv
z;4-=x@-R%57sHf;-Bg8Ad4-sCZ=i}^eG$bz2sgRJB-s1QnY<Ij+-(~%?S(@o_f4dX
zXjS_`gm=aq*0y8Bo!52muGv$?y2`!1D2$qAoI>_~<qffaU_(bN?W@x|J?qr<gQDq?
zmvF6;ik@<u3-Y}gZk`pJ6XT5rXVB+YowfQm5PWlEZ(C^*^r%IXeKp3)qa{NI&SjEv
z5;!6vx3&(F9WH7eot+hpk*;NQx^W$ibz$7?73p;J?Vf+|gmSqJ)0q>x`tnJU=`(Sv
zb$*``-@Bf-$&~n8L%iQzo|0ZWczA1q{^2T{8{Z*2Bm{PG^NXE$Io~2hj$Y{#sRpej
z{xU7(P3v9#Qy1R+i2`ft{Z&i5yskLC_S@qj-`byBSXAajQdE$$f0B#H?H@WXL6xz1
zHF>v^m0V}nWWeqMt=h_ih<LFeaz{};K9$Z%B8QLQ6Xsc&*3C!EsLw-S?_+3DCa7-Q
zyEkj5pwP5??sXEq+a)h)Z^89-RYcTiO9dTLhT&qgTnW9k(~T@_lk<<qc9K_x8)_v-
zKb|{Dlr)m|p5UI_ZQJefrhhWI`eqV{W;;zu#Gl-d=%T*2H|sFyawk3I79|X%^cR0;
z|M72&eiX}&?Lmrv@zT@p0<V|SM>#00)ZXq_E0IvNjn7gib+M`#ms?55)YQ~U<v(yB
zb>?@-(aE^YUjbyh!hVbG!1h{kl_)ZEaipCrY;tTgXeT1TaM?QQ`dQB0_xk6WpQ~!q
zjo&MU=)bv`p7Sb*cKQY-jRMh^TU!vxKVWj`ESFC_qEO<KW8Xiy`3ya}JI&ksobB4_
zSNCsk)GtGOfR;%o>%qJl-LkJH%dK0ZF*e}Y`p$Lc7FO?;E2SI+LNT;Bfb1r(f+K)5
z-n>d-b6g8v)Knm5evJhTb%f?ayp>}v8<UcQ#-UdlKNAi0DPC3}bNcR4dQEcFq+1Cc
zwgQEC?17xd{OK3Gzb@~&(}pOfv^i2`A9sC?olUDS+SGr9KRR+k({Q40RisG*$=H%c
z<INN=MypM-)*A*d6iYtM1Sx`*W(Z}pPS3W|)g1iQ*(gpM(i$(^$gaGv=teBtd0k8|
z^`#W;26T0p-){0d+S8n_6D{r0JFYvh7=4``EU)~b*{n`oPJ*{F8DKWKkqYt~{f-X*
z^Np{;H?HhC0|26hAmdLY)~Ke=Kvl3CC)vmq1#=r>ZqkU;dhZRVC7hB!e>5F1*LK5l
z^yg^<H`EWK8f^G`ACE}gR6#0h_^65;d}}EjJ=p86v5(^fL6Dn^#KGI^(ve7)I|7+$
z)@9%(;lVc&_xiOALho~fFiiY(Sh7-?-Uk(7Q+u;Gn;&J3w(x6yi_9hxZ2o-0VB0oP
z!Za*t3GI+fDc6CMfs|iEu@d5k%Ji*4BnJg6hnL~8e*I`K*K&G{L%k9>-1&MY-~)d7
zsy~k<PV~tS$ywcj?<JWX(Wc#3&X2@+j&NU{yBH<ySV)J{-KU7+xGErMex217%_TUn
z8vuZrlVAUJ!^;xkHeNz4sPU*frfNL$SyJDPY%lBKZ!9OAvc56MIQm{FY?Mbh;)ImU
zD4ktf-6Ny-srx6gqtvQR5Ajc=I|0*p8H>_M%nzSggr(YA+1%$mqG>83PP9N8*K9O3
zDDUF;bx^oDxKcqi-JM<VN-J6?{@(scDBIwWj`F(6Z^kZ~iuMBO;Wbw99pQni?Vb*$
zoAnly36KO0(50B<X2p>8)Bf0~MWZMFoRVA@w7>}`ak)%os$)1`Dd%2kEfwtsTy&0G
zY2gRxVR>4&QHSj|j=;AaS{T%j?Ww%ARzXGr^+7`YVAk)|^%4X{$WZuSe=!chs1HYL
z^>*I8I;tA@aOj)4{;7XfQG5hi&-J72N@vv!Ocp-rOaQX`?2%27k%liI*w*$@qia>e
zKup2mVG&)JQ-~k?be(W`M>P2akw%n^J?;?76X!LAI^1Q$Jl|XFDa{Q$-A{b>TK&<x
zvGk{|HM4hfbNBYep8vg-NtC_({GOR0Oo2x0<a4L6BiW&1Z}oj+d5?t0rxUy8-xcLS
z2<|U%28)*oirL@DzH^bt^KKOpnhTdV&rP|mr)+&Uf_dj;Yp>n!C^aFkQB1gWVNZK<
zP^@cJJt0y02%+$7AWY!2T40GvKKi?Sa0s{$5$@IJP@?I|N1)Y4=Eh3#K})Y-GA#kI
zM-APMcMe~Ypu}%0kS?IVuR6ZdmtqoqWisxwDdNTQuekS6J*3hRomC55MY;x6`a$IY
zy_Bx%H|Tqj@ex>6@j)^NJpU^k7j^2SQFY_W8AIrc^g@03efk6|cnONvEd*jx=;)c7
zU-gW2!Yzrul7_mEnYqwi`mVu0w^^-cXZoV*q47J*SMO9yX7-Y)12rwg#mQCb&TG#3
z`#4)Tp$vR82tD$jV$ZK_xwm9N&jme{j%Z!siV}yY1-E7;H(7c`Q|q`=#v-&1y;nte
zSB@abMFoqFTJ2lVq%@WUvfR$X>lD?9KwA@&yG9vN7<D0Yx_Wj-1h{lR-|KZ%TP<h*
z865oCFVLK~wf#YQ;c0|D%OUN{I+=aWq^7wkq|^IlX+e#gg8v2DH+x)9NkIR^)BWt_
zq|2RH$z`(#fBxidJS>j_qP8`!`=eUflZnY~I`z@#-(s(%WZ}k?cjJUqET~rdS2c+1
zT)L3x5BWA3-P?FcSH*paFWBiGS?`girJYT3r7CVbJoqEmcZPRe*a|trJSFNodf-s(
zQs<$G1<qQpNVGur6*Ha_Mzno>iwC24d&x=f*3Py}h!+~f<`8RYv7*7gAct}PvmVZN
z4GA^(F9M!DIBkLFLZ|Dk-YZ8C1*YZqIm179cWjM0@<>X35Gr#gfL5>X#9+(D*%PBe
zj)$v-$45)ICgG+eO3nP8V1~&J>yCc(`~ydkD2~@e>2wJmeyYzShJ!ti@`GED=a^|s
zR%&BGXR%wYp-|Rpq2tn{^P^?sAlCigxGNqOe^k875P8ROj#Zq~&{uIjhna!iKuWp|
zS9TEnRGhvpjoa@)TK$PA{ZtVmu(~?1x`W3|u?oYh(wp%}@;nE-hw8!x90L0)MyrE`
zk7D0VY4tpw_~evAn*7%pTu*wpV&(;_Y1m<B4x2k){hsN4T4x7N-sN1z`VWCKNrY^@
z+`-}ddKD+@V--Z6iykJaZ_rtW$*x{?wOBK~fWE`^2v?sheI-a}=<*M{wAm1>>xTqE
zLH<wD@`f$?&z~}F?rdwVpWC)?NfYRz83y}>|Kattcpam3kUs#^h3Hqs#q{?PU&B*`
zbKXMFN=jCyVn9`ss=HcL{2l|G7}p7x+1uy@a+n>V{%58n_jnG*5~YNks}dx2zNXC?
zYbI@^ck2IO=(K)@i1Oh&XBL=B^mmHTj!XfE``%hqqr911c?T;`{8|4j><tEdwly0e
z$d|%X$<5lh(>k&Pb0ny<3o@#+4auMN6%T5}J?)E+U+8sm%8u5d%TFn~Us?2^h>p7k
zv*5z}$V6gMk#D=|=VsaD^EooD@(st>2zuAkH1c;7r&z#j>nAVy7eDl}2E8#shSq7S
z_IjXuO+>e}Z%@W|4ql`4lAbnQ-<c!?IqxB*k`3F{4IUh-c&=!{T#cF*z`WFhRzlQC
zd0+tn;^Cvxn(zS1jz!M7RYroorkqbzKbR|gT&-tFZz6se@6$ZawOn|ROYbpN5jL4W
zz4O7iu6EwEX~RqsD;hdZqvlnzttElB7OP70G~*ePgMD0i1MBKpNlwX_ki!qP`DeGS
zQdBrh8@RH%JxH#+l752x^Ls$v2Gx8?+78u4K;NLmS`e;neYEg1DB2J<U&hb+I6H1a
z#{q)##}R&&Sf`9%s>4o*XMG<4<eMr)^7E+ex#@}OWA}-Uz@-kwDCH2Hlcy_AhYh1&
zH;s+#QUr6(w2aGf^J)aVIZawG=FQ=kp*);q&1)H8V{MO^<ZX>w)iow-vQ8Xu-K~2v
zirK5{<#npop?exslvdX`N{?m{e|v4rZ0f{9+H$4up;|x(8}kfl2<CeY0$RFtyS69K
zrQe44$Kzu3B#X)i^^4j3er$h9?%TRJG4UaFoVNFIZ?aerX@$Gt6Lz>%Yp<%(=^iYa
z4w=Z=y?rAb&noYj)8nsDVDG^v*}Rtu4xf+fVA^kYG*6Uc?pC_Z{j5<i^z@4y8pgUv
zA$c1$)U6A1*bw!NCNCC?B2ZR**D;!dJ&4Q5<>wBwTzdntf#Q~5>5jtl3MKv7!P%de
z&oJJ&hz-8@_$+i47-TO#2)~MO$=yDZ6!pVqc~cXr9FmvE7|U6)K})WfE&7GoZ0C4U
zA>XueR`B9*$<DcB{3j@?1LIJ&{mSEi6<(P0=#0YF@B2ZUbI7>4WP%{eJ?9(d=A~uO
z!hHHv2;(S%RhMdRZJ5Gw&is4YfxZT%)n~g-%~^uFOAbn-b2LxT9eBcLrA-yf;XwIo
zBZZ3FS{~c1$*s87RvP~+^XArAR+x0$v9kizE``KetJg59wS0)LLrF20m-n?@^dNhG
zYD!&U5Eow^4k*I1Yl1dsYNH7}<95=N*vuOLW+-EZi{*WK{9m<_gh(I;3EU?Mpy7bn
z&kYL;wIe}&SX!juWWHV!T*Bep$PIm;mh4Itg!@IK=^vE_SUoTlD@M|7j*~-XKegC8
ziJtPOjq8gSrwP<AFdvs(DS6J7SEi5LLk(~uC*AC#Ol~e(=*l0HhJEV(hRVWW1X(>E
zt2+H~Lj#QUgFS(^X;AN}PRlLv*8_zuZP9A`kH|Yb%i9A79i8fTf{1t0qNEjFvi~L|
z&v;~!M4=%4@<L3kw_1<*yyBDx1B14_YE)V_`jw1KQghW5anpFj&$aHx&l~7wXHWgs
z$Hdt|D7!*rqwVz(`XX+Mv#flObl{?8>W^CzYcvnW$Fw>P1a`Fy0BI$Ef3S|69UCT$
zsWTR{(~nTYWSaXI$A;Xm^)!3s750~>@^YgD)7imL^SQ+Nt7KW3r|BVm89H<Q;QZ>y
zV%4~Ts)xC!dvdXKwCb|JzX&Ddv7ngb@vkC9vJChyQT5d?5MPC4<8yq3U%TmRl=aC^
zK<3T+&BhbbzK@0uS%s|7)<>n)Hr#A|4E0RPCWaoFpGW?~0*vQ-N58rfx%WdAnu?hw
zE$@(ftTlCLGFc2^oKUA^nEY?TStZ`*ua?Zl%0O7(nO^YJD7bgRRg&8Hxw-k{8`EbW
zNmYNheY1COQ0j|@f^iqJ2#pU8gm)Q7w=|^jndaJ}Uez93OSWHO{O^j7&nQeIk)3{2
zxd0Z!uHFl}|H|W7Xv1juYc--Vk|{V4aznLvDW$=i0(L$LRbl1DspzhxKaR*W1YB&{
z_-*+5N6tR-kA8VaWaalIQi@hf{ae=H^A3?A#E-Rd2TKQsy7kp|h$Y$YsiSrF_2~jN
zw(yaG$mFQ!Mi%3cP_#!6A>~lx%BsPMDEk}Z*#xZ3LMe*)WZO7h?Z;jE>)iAmFyZk`
zE!?)}2skEyyu4qYQ7Oe|onV=`-zlV0nTieOL~D`!&x$ORk?&D%k3lS|><|WE0^>%B
z&VT1EvKGC|{oghDpV<x>L|1%9m5Pb0LoR1~_wK`ZY(yPZGdim&+d%1${nX<g-x~Yt
zIr4m?GUqB*6%A(U)6e=EsYN5b{#B^WIN$0hS`tnywmrPfdHBhnHtI{2?t5o6+|?I6
zwMjj5Q&XRkzEM$qYlpOfisDVt(|_68Pm17#E2uq@TU)D9{0`SHEVdjzyHyJk?3o9?
zHfS=f4U1V@uqP)_*ETBo9_ue&lUtmUg$M}DW5(EN$)M-4%n@wVU%ZLvpzMo+DJ;>6
zn?KzjUFPn0Q7prbJOQ=unGUJX?m-vh`9;EQ)YHfbM!&P!aoavsT^D=}^iJ|>_aWax
zm6!S!t(=f(y;iT(C(2?Akfs(VI}zen|Go8$*^&v3IP1!H1eWW?4eA`k_K;4{_<&vL
zoR%Kked!9#BEV;~jtx$XHMjiI9-ru+P!n7Io{_9G&{;q$h77Vh9T?1OIe~`TvyUwW
zF=cPVb(-9wKO}LkUWwZq+1Akf#yRk(sYRnfBiIT~1coFkHrdrYKI!-#PFAEoN^;6P
zd;UewZ`@{JGqE1f={n=(iNRJM8P#MjWp2B0U<14vhjCweYW+Xj=H+s4!ca62kj+-!
zu~5ua6CZQAnEL(ZzDLZ&r_*<WOutjJMy+5-^`JtWBBA$vK&|chcLd|jh^0f`Mal_b
z_Kz1DI1O*-d@@KEUQgr#o}}+XlI%QYnLZZOjXm;J>VZ)oP!=uZhOTND%m~#+f{qPU
zJ1aQxHFu$B<E_qLf<G3=w5O5Fy^|+Q@}zl~<C?#T@v50E;rp-s?-~RdCs9YoS&mLl
z{qB~pIiT)=WZI&tChK21lXUD>zKx`zIgMBk$o<pyhtF`h==zolQ~@OS%{pD2>Tz|Z
z=RJO=V(cGmZh!Ej+<e!YdU1n<w?K6E-`_tIC?Rv1!)zoJ=D9m?RNq32Ne+C)w*CnI
zdOp!?G$os$Zt7eAj)L2NjKvAFNMQQPXmqD8vj1-GZSI60a|<zu{QJ<y;k4R8b$1+U
zQIHx`#)yIrbSZv4gGAk!u(yX`xhz;1Fj-w`-ojA084f^ECfd9p6wQfh4s`~BNy7lv
zNCP#AB_lA%VBL6C^&9G}S9tiLS5m^#{0{Vn&MsZ+tXjrmhrMZji%5=eY-Aw=<zK=y
zh{Re!15(3X?~>-@-;J%k!`)Y1AY6NEczx5pK4np*-*P|SmEG0tx_fW?xlqs^OW|@6
zXK=zl8WQJ5pd>s4)1j{?$h!EcsV5SzxT%@Z2T$d3%r$<=yHXTYT&XcZx810nnjo~u
zD_s&$*=mWrJr=W_&^uBQKHrN@65WZ)f4TE9&=N1T^MvJ?RaCB3>DUv6Dl2XGU6h(D
z7%AIj$cqVeCwo`Mr^rQ^)3O4F0&l2vL0%tcpTL+}!RmHX&>0i$ekQ#Kh?N+2B|K#k
zmAB&T9_iD-1$YYTv|o&GU7YhF3eME7nl7)se4*Te;9Oq0>_LiNaA6aZfQQ8PKpdbq
zHa3=5PJ9z)Bm5g3?S4_5<w+3)VLm}OoWfnm)nfSh8M|os^XoLMSW3&MY0Pe9xszzd
z)G$n>siu%%>(2XT#;Ek9*Q@_V>u_*dVP5y66=4*bBNcxgX(TOn(eomur>9@#pwvA$
zp?GTg&DO!cann`mn1`SSa)^%@y6BKH@ROxOPSam1Kku*MS{(B>=uH@vHK&YuuD!yx
zXXE1EVK&zkl+4*oia-3N_KjGsnW^I0d!?dneW}28+?~NE8bbD2+NvDyT}GYrVe1Bn
zFeo*2{~JD54O7G>REuEoaa&q3!fuB(OLqlDJ#CTTNQuimUsb1A#FfKgfS9$en!`xL
zNR;&~O87r|#Z1R_P6wP`%KqM=*5PmR!nE2(8CyK;6AjWMQnmwF^X;f`ClouCb(Zo+
z!sXbu`e~2!|J{<TjXky++z0C_Rb_icylKUfCFaYS#VQIPicRY?BvZ`P0c@A0@Yx@V
zt3Dh_vCzR&*QNwsb7jGdU)pYNDK#d_CMcr-!`~$^expzRFL}92y#nav{mq6AnuQng
z(!>eJcac?>mdNbBKP_{JrH}}da=Ox?{y3J?s54zCf6sGvu*@{Lb2wX$lPD&g=&@#P
z8>ssqg8p+m2;eyYulBH6`1~jI&WC{1_m^s!s`5z>n6ID#4C*=>DTB<)g;zkK8GbC2
zya8k_yO(Y4g`>I5By@G>%+@u-M=K6m(gP1N?uF(p!tPMxT|T=gV0eZpX=H4=oV76K
zbrl=Q!G^4#KYwzPk28Uy2a4*KrNq4FL~!kz{z6+6uxTPrjzQ=az6(SJt_?ou^iB@a
zsBta;B}zO@?*_q}E$nLF7FXdl-wZ15MU@@YRDi65en*UQirurTCmX>yEtPr(BO?2{
zx<!Cx0*Rn5d5Xsrg9t&AVXm-`Fv{NqcY}tij{sa0dAxNS4b|%h-ve3K6@Wuwdv?Z?
zsF;(-Q~uT(_;Fq1upND6&t917J@{gk*o<GsZf;^GLV{ltH#kkSK90L&D5MgSHg+lr
zx7%sZJR8b)<$4+i@ZEB<^%(1%Q;}yp?=yxTb*4?NM`D~V7a$xfdHI7!<XoNTX_fY;
zM%c!N6Xlhiis%|#>gz9_ScxyIm@q~EIRA_{N|dBgWxq~}q8B2#%<cidDT~$_hwS*x
z%rd?+vF!rkE(W({jnl0IvO#RaQ7?E%C=n&!YfKjguN=I(x@1mIiyN<ihA2>OiGX(r
zYoke6>(3qUQ{SX=-Mj=u5|p6xd@gKhqJaMZRB{XO?l-Pqm%+X93>4>JVQv%1&ybQz
zyn2O)hN9a(ejErS^DWTu+=k6NBW`XWND4xvXsBNRv_~zigof3l<72|xxAkoVK#&FY
z2o2<EcEXw%`RT(!_y|=0$m5jWWtoHE9=$;IsRxz3ZS3`DgrTo@x<(O>&^kp_d;urU
z3bg{)>VdAVPN18_*;r+4rul$hq)xo-AT)m((;w?yq?EF+--B?#0%ves31_=f0G3+>
zu2W!lpAL>IF_#xmeDH;6h8DkxiC@s5Hr{CNuIZz5;O4$|Q9PQ#dUg6^QGEL~566<W
z9o`B%mkwwYk74g$d|g|+{vp40yj?x6vq}vbXPRbbfrINo#?{GD+sxAg#X&_4<xG0*
zs0Q?g8NPU$#AuC*$@tBVH6B$)EB}!K*CT7i?6*(#Dd#Zu5)FUjPEn!ZyZ&grWy{Bc
zNc?^U2Y2b)1wLiOwW704jq@tj_Z<iJ?_ekIEs63z17!71;P^ljXs7A`e*&n?s)V6Q
zD!@#+ln<M5Ra{De4NW58$l^Kv{RFz(OOtiNa8L`dx{XWR#S=)lm#z~Lp-5I_T&54$
zweNuFn3ATOp3RsR3k&eBVW$Z!>QImBkMxHd0{?@(t!0RtQh(Kwa>m>;L8U9V#01-l
zKKM!skzkp7kV@FwIOwkRue=n4K5Cz<IUGr>UIqJlQu|TiyL=(ViIPic^!L}n85CPg
zP7G^b)sBG2+7>Wh)&;TWO;OC5!~5%jzw444QQJfa`@Y_m!U6Z>vkabUt9<n0Y2uNn
zBIk=)HE^P9<Ji~qMx<p*H+?iaG&8sEh_v(DEZ~6vs`g3eL$!5IO3FKU6YdEP7!;?+
z9_}gVMY!W`A<HWZzK_A+oCTk3%#%ag3lxT=wcB)(onZ6i*8aYI4+XCnXkNl5Tuqc7
z4KMGownEf(h56Z8x$`9BZCGdlstn4geI(xvVN*}vuUV8!)bKd7LvVubQ~lszgwxK#
zRuh>;zV&<y8&PN=%vZNgcRJZ&jVtJSFoY(cR$YsOG!=}xUd0QIFPwsAW~QPk9UYw_
zA073J^<a`v2TzzLmqhKApB!C<F2$|ao;cJSLL?U|@`(h0<FwU*_}hz1)8mlYf0kgK
zkDFP+jBRgj_qK_lh?WcGG=Zt`?~VeG$3LiE$A@X^XCtps3ALraNj}t66jJiIaBy_I
z%weRg!upBi6&*|1>9O|Zkif^eevVyx5BQ3(yQXJ0UeCImE|ao;)$sT@<+^c8P2D7K
zKpXUnuV7(i70tCoV>qpkaJE0HLwQ`i)^Othktlq}vtzrxNLUpJ{&|HHT+xc9yQZ~u
zAzzVnS}&{3!Ye<UgKVVB;pTK$C2{K@78X{-(FjPL8R}b(xJ*7;l*oNs@T|x|#6U`M
zu0~cLFITm!V_|Q3d3ogovuwdPH7(6#Vh~(DXfB!M4ni~t4l(0@{y>wsmE`OGhWHWR
z+DM7yj{C#GA~oV$w=hCWkNTEvxm?0Z2DXoKfA8c~8-!~{z#HauEd>=IP}~AfHY~OA
z5N6+EGBRJsZGd|S3%@e{{DNNss)CuPX9KBHWN6mb<fkdR^B|7W4Cf14WW$0$$wsnt
zFB>kHI2Fl-9gs+j_Ne5Rj1^_u$((f}-ob`Bt|Hs@oSe1V0S|KwEUY4+RPR;KA0(E5
zU*tV?zg-_JFEepTH1E(Cz}AK%S)|)IhPU^q=tbwRDDKc*vfjz%fBWdgdX~wK%xGD@
zSuY%WlK!7p!f%L&5!_C*&b1*)H|!cy+f|QFQ;y{Xm1Ax3O$;#KO2IlDT{#P$nB~y?
z7fd`(+cXdyzjLhmI?cr=yg$hK@ZFcB%ey1&`ru9Ha*C&Z*z9$su4g57i2(s|w<$)q
zn$wzRmY0oeYNAom7OcMS$WbXzgBBb*$SZ*oi%EzlYNaW`57;n_hSK|;`~A&+P%-@9
zf=D#bw?j+8E&`7Ms)(SVmjJ6OK#pl7cG7?sX#uQGu>3gS%#EBSp2KpvXP_|&It&6k
zZR~0_&S9`&4rj6z)V%ty$U`WBHVx=^^=t?Tq}b&Eu6Sp$GYvo*C<$BG3&95BZ-|x(
zc(LH{@YD)F5dQ?B2`6OD0eO>r_kr<PxfLiW4d;B9Q}Gvl@xn0B&({|Mjwrk^Dntnh
zX_z5l%evEYN<^QDa@nJj13Q%ZHZb|@4er6dq|73Wumdjm!$JBZ^Q7t5uY9)?d(fQd
z7o;dCLusfynUB8!#B&trcEy2eJN)wXQay~JDhFmXfRNbSA$|f9R}fY0J5ll+KXUR!
zUc9&hx6X8=I77nB*yD6d3=NjTD^Cx?+9pC`V$itg8q4aL-~=U8FewGT+hUX;yj7CP
z@!-KngE%K&KPvZf*;V5iCvVlsoq?hku<!`A013pXq7}<;jXOXFwu_vk($v&!KR87#
z-2<jm6zm&=wNG@ctlj3ECZIcr79_C!lGE+huUHAfP`fbz@fJWVoX^dAi95g_+lIJl
z7b^e?C)B#B@#z7&6W{agH>aKojQeAw>VcSsM*1sq8xIZqtVUa+Ih}&2Vr*n+jLNUM
z*J^N5C8Xbg*u9vM7B>?qO@C+aUb)K?@q+bd4$_u(Vg_uzf981zoML{cBYl;T&%~{;
zX?;XiOgRC@H$FPi?EOBrYr6bicI6}G!Vi!SfTm2MxT_#Yy?}aUWE8u>Hncd0XtW=B
zT(_v$w<in*V|}DieJ8p5C5Yb9J=EeLH47F&ttf|R2nV0RegI@I&=FZ1tB{Me;<cC%
zs0ve)u<o(en2f(THGuTBX}ZC$wK@U>W^WJ^8|)l|)OmNEhe!JeFy2w(!a%UlblVGa
z)|5~~<v{ROqU}o|-;F*2NlymQ9ifNY0Y5YxJE<IXz`(-t74AKV3mz>BUt}B|=Yl+F
zLc(3d71%J>z;R0jIN+c~NJvR(9<uo<AmBbNt;iP}(CB%xJn7Wp)&VPwLADOHaRj!|
za)?I&*$^lY<{=;9dr><z;gV#Uy(S_eYIT(kH5pb_4O^V-{w!u97D#@{+@kFT=;MGW
z*2>_!UmtIPV}n1bIY}gdoK7r<1P>F$k{~8kUy{inDU*<ucbdE<;WBvRzNoy3SD|K|
z`|j#s5ZI5Gw>L#;5tE6!lz;`~+;H(nTszT04cr^Ph?vtB*~f?!aANaZh+s;69V>y_
z9O3W(Zly27c-snAa7CYiTZJ?aB}!M{>0Rz39-w5^EVD58*5m3MrQb!U66yT$b-Qn;
z{3>txK|;xm9}z?0D_7378UzKJKl2!gO%{~Y1JT^?1FlsrtFzS$=0x`!swFK{AFpJs
zReU8#UVM+B4}Gg3wW9vB=tc}bwq}jrMgy<f(c=F{)O)~V{eSP{H=<!iAtM<fS;>~I
zk}{I*wvz0<_lzW?GBPqF`zAX(q{vG4-h1!;Kd;{3&+q?u^pLpYb-!NE=kuI%o$Fjz
zh)1OZ;gI@i433_~+~lurP(A=AVzRSsz5HCu$Ls!`eNr%3b$bUz&haOV#uW?*k)03g
z!|eX2=imVx$CiS~)m*##5?0dfVK-&dBGZE|5Zi?ZdJ&Y%KPZY}$$fAKZ6$CY9AqK@
zjpd8P#4M1!{u7n+|JEz4nXV$D`52ULis!etwi+z>hd$w&EWmu+IYi7dZVJ)a{~mBL
z&JZ##ls*W^@m~z6J)YsJ%aapAlpANgPL7W?K!#&>u$OI17Yp%AM8#pOA$f*9&cBC3
z<Wkz^qyq`CtZu4bX{j}DPZY(EWVVkoQ(B5ml~ewui~n@#b36C|qJFky*9<hNx}HWI
z<(q<s1U=X+&zfg>Si*2h+@ICIn`z*G2IA3AKLu&3@$?OXk@xz}j%v>K6{8Yo$Ba0)
zQP9NzpWKr81T{7RjBd5of+ua$5{O)daMj2vDUpEm9;7yR41W+nl;FKO5yqDIs^B3T
zYo12gg{wQwpN89aUamS)-8>dI4x+b`wk&p7Sr1Y-pJ0=^VElnRB{l!Oanb2}r~L1O
zvE5%xCOn<RD0Kau^jk!m+Wb3&L?X>5OnP60@Q_AQ*e6@Y_wrGH%)Bgqy3d$%dU7%2
zS7GN*iZ^+Kyp`Xi>k0e!$(P3(eRM@HQ2z-f_wu}TCl>V6NSnjx4EGk#-8-S`J`nIU
z8C&wYzVJ6*Ez}%y2?RgopXHf6I!LK>l$wXYUZ#08pB4_1ENu{3*#5fl@bdnhje|iJ
z0!nU)XN4drB82(@Hkr;z^wNP5A3y#CQQ#J|`KL_OM{#d4I30M+d*80F+kj4s6g<h1
zl3tiHBG%v2b>E(s^zf)UJOH_0to~xt4_c~oCgQC}Uo+6HZh5IZYpPHTX}vQVm{on`
zgd8#a7<H{xt!J}TTF(-x)AQy*K5?ZTMR4g7!>wD7?AhVERug;j*g9&foznOWx-<R|
zdG!W=VM%oH1D%smk1hGiA`VYa&x`o@MMAo<b3<`|W>vFFODxv3`u_gdicU!Q%~gB+
z9p0s&%{U6U^Cgw}3`f^R-L4dz8UF=sZ$3T4Rx`C37f^i3Xi<CpRo3s1)Po0sMbaeS
zIbHeh-+!U&(3$q=f^Bm|EwPNw&5jHb=V-n5&s+L;ML6i!xCy^;q)V2i#~I$A<F}h?
z?oxP@c_<Xew=i>2;L>vK?C@2S?%DQ_4X$ObCp&$=+-;c7?H0%@d@HXH%~@ZgSeVdh
zTr%(LEHYNSCn{=ddy7_C3)I-b2*$W0ai)7`DcIc`w`tDa<;5_K!?(e#M28ILQP(fZ
zs%X9mkepXHmV`9={l|})?L|Os?8uJ%dFwG6jV@Vru7u_Mk=wv8qirc$HRl2$VTt=%
z*^rpBYxr#{ZO<=E5WVl-KGE{8PZr~1d>B?-iD<%tWK=vx^}cqeTA*WmAJ{PnCtb-2
zp0fn$Bc$H?RDCJ^(NBYhKvS<<DLhAPsxiA>8x3*FZP~@Hs)Lp7NnH2!Q=c<Qno15*
z27i-Flz(~|$>C2K=w+&zz3E;fU!q@SH||K7?ShVJs$IUfBc{RrRaPtO6P;P;o=;nO
z&zC;8XMR}3+@a$;8@f`<yz~{{Qp(SapZn>G*Z#!$n$Z)o--qXZGuL@6eO5UC@@`}8
zk7V-vT+I`%!D7=iX6C$uqa!jJn%}P<(xo@PNPSm1XW1MBivYw4U1wvBY1*yH(xKjO
zhJqUkJY(?RfN69@d<k46gd7)DN|;*!07B1^T7!N$J?L{n;RyQFAlO9;3IdpS=AcPj
zp}<m{9j|P=nE9<;8IB4tdQdj@V2jF?Gs2YMoF_tl91_!t?wY@OPdQX*cpj3{T)o;F
zg;M7dm5~l@IN;!(H$rj^W_^&OWt4s!EisQ7IcIdA*9v_|8~{CAwfPwSNLZL1>;-xo
z>;a-Y{xCJVO0uH8uet~>cnEsw4#(lc5a#wUDV6hZ%ebiMlPga8UZ4R(JsB}aZW$t+
zZt#=Dr0cren_`xcdj@OXrtUL>YZwg$Ku~CyS+0(bj&83E#hmu2Je^-zk=N3S8`Sz6
zH*@?GA~_^~eD;)A<#J?Z&d*;mDows=#5svWd{1ene8qI+TQTk?V2CS;>Z@HtL)!8e
z2DIZ5=}%W1n}R`X9>@-$s({Arm-g-_j~>}ls&^!cVlB51-vb|QI4_C_Qg{oy0QQPk
zi`>m#jWoY?q?z;EJ^l6Dw<>e^Y#X=o^m0NrpRjT~=74w(SlVLo3w71Rvp32w@iNlW
z3!%UWT5?($ybl_}8En=dnJcldta3Bh>fkahEnyu<RWJY0B?H0nAMoj4q4cY!Yg)ZW
zTF=ZDU7x-5s@WTLhXljyl&1QVyD}R~-q~9}ZErEwVDoamZac_6kX3QzipomQ=w$oN
zi*o<&H}WB~J+bzQy`J$y`fUF+%?~kl1@Qr#oW9mXao2cFltP=CvpYb9vwu^SAwX13
z>z3&wOwc_>kLovlx}L9q0eWdIr*ElM{)L(f9D{K#g~ut*pv9g1$#EB4j!=llgxN00
zz0QUTjMl;OKm>l<PiDBhyO^#+6^LX}tgM-Xx2F*maEQimL~cpDvC6kYqLppG6B!Uu
zT>@5ay&j`b$3aD>QDK)ZPkK{Sl(sx-y~r3c7ZkfjLEUV1LH=juUaeXr>w%N~IpmVF
zRA44zTH^#?0SQc#-6FNvy%uG_1|Y%l0B2Ru-<JH~l0}3lcC)hnoJ~yLt^iRpNS4yH
zFq%&x^4^|$MWKsaH53U0Ry-nr%RNndfR%0;p0a)L_{kIYyBk-)Qa0cs8Dt?&WMg~=
zkT`*^Ap%jR?B;_n5K@eeDJmV(V9*s`A57&g%(b~OXKm)Hs3O?IqUMr|p`jrdm&YAo
zK>qj!beNDU1CVVCi~`gS1}9e;IS^0W|F%a;OXX9az7=POD~>+!r~;QdzblZs^*t@;
zDyN0zl5;RFQ!)T*2?K6)CR?a0+Nz3hEO*g5Y;HNYwN@kYxnLX=4YskD!7>MU>W~RT
zo@q+TiP*S8Zi6W4f@IqrkXZmeiyRtF1BMQ;p$Cg^R@=>70(lHLa1y(6N6KvtLx)>I
za`qu)*kEhNL{IMv5ePKaAHjcuBo<EEOmjV#30&AN&0xMV07nK)_8HH#M8z%gvgTRE
z{}*%@t0hc#4B#k&%8={sQwmB-lP$NK%<kqfFgpwd&|}a5jlE+SD15{Nr#Yl{{l!k(
zJ3B_;!;38T)s(7o$g^%m9{538m#b6RJ26^j2)6=pb%OVaBsYU))*TSK5i4*Ay#{|u
zQb9lcV56Dt_Q;=dwhnJ2kVM`DoRi08UH?HC%_De6Q_bP$tx8OBH7cF*4hdK<HiLy?
zWJTGZ#65Uje$*wE^soGoHp1mZR(c)pZ@^Q&OhuKQukQ6OB^7>GGa%wF`x8N}7T#vn
z`OJxBu<8*+2}*<eFJCgljZm*G1A5Wzdux9Z`OJGep=JSrv)t2z<YP@<xaN479avO<
z*#;N$UC5pJA1OgoBU4SNLI7+2wAqB^A;T(O%a)T!{s=2A>TLgZPj`(RtdPt#Xs1U$
z7K*vB?(D=g=>$>Rb@kHzQUCQbo{Bq{)4a5|e1j=d!y^C31u!dtg7~+jXo@5wYw_V;
zq2~FZ(mPhm8dQ8{FSZ8b1+3qLZQy{#kA?;ufJ+>NbwV4nim^NZX@k3o9QJSrz=MIS
zp9x)axOf}U7(<$)fJiDG;;ch@Iv{_^<9MSP>g7j8yWo(WU&!wdDH+_a4FKX0uLsD@
z`SuKB3yO5jd8sZE5*mSxB$U8<MQdQLjMzFMP7yus$ag@o^s3yxM(rs4;)AU@oXlT1
zO_1)G4wWKGhR-^1adERa?&Vc)|9On6g4?|)s`4U3*J$+iD`i_JSa?*AoscTYy7nX*
zj1_Y9C~oG1SG=mwML~#?;2f?1^%oosPd*8k{Bc*^J;3B5<pdP6$ond_8p+m$qv|!h
zWp2+yhqk?Tut>=o)z)NSWQ-NEXNLUVX~<tq02DM3$!ZS|k5`aDKuHML)D|L7O-maJ
z2nbj8HYvy-7PRf9ikkQ38v)P;rS2U-LW1=0-4SR2pMc;6c=&+!qx#AHbFJcB5Gh(9
zEamX-l|i9LbI&CLF5mpr12I)TG_FVo?@C08(8a~2MEzcfNPN3R>FSBn-AHBAnKExS
zIROu5pWlx`AM-p9S9Gc29dFew>7Tcy4(zpG4?2i+cz<EZ;jcyFuRZPAyxFT>)miTl
zwzIITmNCSbIR*3|e|=z?T3yYrD6OolY!fo>r<!{F)QhMg^=-MU@O2)c%r*Zi!DW(@
zRZP>kOz8ds6Z<i-g`2#)$6+ORD#hE?G*PcJI_k}xy`u$yu3uqN?x{0U{A~%3p|RVp
z&iAk$Ji42lYace;o<zo1Z^6F>g4{)4rmR!;C|SR<#`aW9zEARBZEHT@H>f^r*rxM7
zeg`rT_TzO};Mx9ASNA%Ifjc`pdqBoaK=4^HNsNF_ECD1Dg%{dobP(t3!@adNZd=V~
zkrf_m)#?H@eE}q4H^DC+isMUXJg-RJxIL51I!5Utz0>Fo%>8yE$=7lRvui=0Xus=l
z2n)vnHEy;e$$GEs5Sc=&fth97J98054J18vqq)B(N%s$L$SC$+7f-mDNJyp1CUh&I
z!-V&JtRvpxdB0yTY#)SIKE9)4Pgc=i7X@8BNN!~zLW;A{HHst))mUne)BTNgr*Z=)
z#ao>0vp-6x(beyN*Y+(VW^->T?;xHyS+6gbm;tH)u?5WGrjhxPs|79_&*4p{SLb9F
z3nwK<(mC{b0^SC(13V$?$Q19<pBX+7>;a0}Eml^25FLaCA}Eqj`Cg?e<Z$--8Ok`w
zM%{dVQND2W$?aPH{r&z0K9~nf?JY5-_*tQs?XB1M@??XmSlT|9n=d;4d{WM72v%s|
zGV@vIy*FHIx$EXs;dh@oSTPEC(daPV>EU-TVs@r|6}IP-RJOY>PIdw)<LAYcnhFrY
zR<|Pe4Hy3ybuRt7=uHBX0=l=&+-@%104S4|S*G7F3ky(iB}kf;@2aeT+rVl$pPkmY
zEcLLD*AIRCt9Ie>>;k&fyDWC1p?0QCVC=>AyvWp%)L$I{aGF6gG%`{KS^UL!uS)$z
z#P|U<`s?}~T(8Rb=v0S4EqeGVdv)sUoviPuf85OHai~KD5-%?;+cfIr7gi?5-|WnH
zeFnwKC)%+80_~1MypQ`Mp;1)%iDt)}2hvVce~O7+#|V|k0_DE{NjGJ!7^2HAHOJze
z-{s_#KZ>mFZ0RB7yX)Sex!e{vyh%o|lp^XRNLISi!D4mtT`NRhB^*Z4p3V=F+@n5;
zOa7bE@I)`1346qAqBCkKLCljXj`xOx-8p$2tz_q?UNj~@Eb#8WeAC8xuF~jF*9xy2
zEw9=14;*4%dcmLZn6f0}!Moj{k$>-Wf2zGo$2Q0uM%@rlBPeJKhTwoHMBjL3yf!)&
zpV@ul>zyGW_t=*=^L4TXsl&+qkO*=j@?JF)2BWL$H*S?*Zzm?QeDn3T8RM;a+bAjQ
zpHB-@5+=Vsd?mB)L&GXB<ab*$I@;$2u5C&1>z3@t7iLD6j!!f1PV-dkz9&!ITk45%
z${&k8X#f2C!`#t1s0n<(eG@Jpu>u!wD_ZP0w78px&--l)r%KwAk`j_&8E}Go<7j_j
z!tt4_&VM;gzKC?tNEq>Hmn#OpTtCIwh7_gMzT6y@Rx3UB6hr^0ltg|9<2)$#s1j3S
zjp17`ouk)3QeHFV`q;fOiQn;jysoa~(W8!Or%K<N6Q2MkA4}qb@Fhck_KDlYg^x_C
zJgz#=yfpaxH+cTTAO(A?-ww^CXoJr0KMY;I3zXj-#R{~Prfx;)*K<qQ*<oiWTnlWJ
z!BZ67xq_G@QVA{Lfep`y<(dXq96n)wR<;~M^2Zhm*-%F^S+0jza-=1trTl+;dQu7t
zF9SHJA_yJM3-p(#be*_=??e^C=hXv%<*W}4w3Rztm0bytd_;<OyVGqqd0Z(+O7hWI
zivAF%S1^8$^JeXrw`Zt}{;LnSvf5<di~dra!%p^mSY5BE=s9kPq1Wz?)Vq;CR^nY*
znkYISRlOk8Xr6f@^JjGb)ENggc^EoAXRn#=JNW0RR0*@V=*4aMbE{P=gS<<&<A24;
zl3h0|6ov#A#3;CQ&%Hmyw!J7p9rF9L;`-LP^C&!yHjao;x>wU)w`64%WVFqxKkmCQ
z?Z}_|xLeyWIH(~@dgkl?p%$;ZW!#Jr=lDv<^MPHX$w^99X2Mqu8$uxBy@51Vwm*VH
zHi@0*>kvmA*)>&dZT$GQKwvS4eq}+v0rz5B7@QQ|9yO1KoQVty4TUTTVCNZIV$BKk
z)V7~z`|tw)Ao+QNS|FWW$ytMORj<MOMp??-@fg#}{hP`^tZ`6ip~EY2i+$K8#LRAZ
zELiJH=tC2R$?j%)qvP{fL*y3XbtU7Ut=%g;T|fD6v2+$h)xTO48S;-_m^vQ(<NTL8
zMbYGAfSG*$iJtzf%-W1DcSynW8E*!9-<pO|YIu^R#)=GBdpAAb=rNztqUusbJNvmj
zQKaulvB+f?hbY?A^S|4!TkkJruz8d_-QCSSus&W}8d`53Vp(6<u$NsV3*UEH;|hbN
ze*TvC);w+IfT3^CVGJeBE#&>@3tUNNdRpPIKuSa_d=B8fmhYBjBjnEs|Jw+#RGJvW
zPsl4*Qi-ft3_1f|N3SuulUh>LPW!(>*);J}JbB;G<>K7LA9Hs0<FI6<z7ciw_&tXV
zy7sck@hzK+#l&}7`78F9e@OVPupH>(^fSlkxlbL2O1!s7>2r#!(P%pJMsK#6RPLv%
zYg3i-n4IobCtC&wSm*sxRKz~pyQsuFGgz!T^ge<)TL18^pTZE=g4YvjZk`1}9#X~e
zFZG%SuI#N0Vt24CZsWW6Bo#hBBd;0QySRFF%(pqJw*EuW+(aL7o3w{A^C&AO$o6E;
z#KLR~U%9lnbRr}E*@ndg2|+oHVCFxbKPl&-8%?mBjt(v8NQ425tq(AIp%u}83nd^z
zVO!~xm)+}BsQ5Py>13sKt?kK!<b!P@j46llZraLZ%xlG%BYEN&<7nnivB=v&mX~zJ
zZ}oe@K9Fd=wr0V@xgKk?<*$3RJ*=>#N&WtX;`2I(Uh|**vSGKbjA?z~sv<No#>P<|
z@*XpK{9T0Z%LFFK$q7!GJ*eseUZ21!puuS<b;V`Dy1_|*eNN$w?7YB=lsEIW!*p*6
z$T=XV2ybkZfr81`NRyYJA37Ffpy2=I=|S&UVe-5c_md-T45~9waJydh%E%d`@)6CO
z`gaJ~YT8ZuS|rnRM9BIn?2%+qcV(u<{W7zEo5wJXDl&lNPZ0sF@RbH@I_#y5Fv}qP
z@;kT6oTYN4La1Hz>Re4*xVZI&L$JCvixWj(2j&s<Gph&fHZTRh6Pz~isvIW%!1Mr~
zGge=%-S#c?VWwwp&)@T6vwchKH6_e>&A!jXvCphGOAb0LWWS%So?ZY-!D{iz`_-7}
zXuOOK(#Zklg139-V$7UGF&&A`XL%!U6S}4fxBO`l2T&WZRF_~PO@Txdtg<Abh6IiR
zQZH8R^d^n(vk{dt8b?HQ)>QL1(!VqPk=fY6jhgFnI$#>q;=DhsmeX@7(BS)Fp;q2y
z>#+p~sVtQTRl4fRY*E##Yv>ZKP_QICbzY_XUcm{O%<<O*8;nqyXXOY{pg}}pBGH%b
zTjg{ytxano<{#?y!T9GTOM-7FW#Gn=IsD|MDqJnjIM0J!`k2;NfD~k|ey{<YrPh4a
z{hn0o_JgZeuY%P6{N{>XhlGE9=fV-`cby~&ak+F-<_}rggQT)d9Y2@SYcE?zN<Lyx
zQ&$fH>G(?ks&MrrGQswh4Jr`#<VZT=q7R5jl+H^GeRIaqjI;NEqH(HN=a|Q&AS|cP
zCFQW)r<MEB!qf9)SjlUd0wjIb0qUjCjZMX>8_Zw#+1NIG!|pTF-1XikXkVlJJHda@
z8;3sRU;n<mYtc{Fj#Z?$5_FcG+X$W)B2`?Z+RqCq<<;|3)3b1cJ>QQXP+T4A4HPrY
z`dBnRw&6D$8==Q-Oo<0x5&|zfys+uKx5>Xw``0lLZ9KWnLn_uFZ#&odrzLeIJ4bX&
zke)A_KSU-qV(kOm8^3l6Wi*-~q={5DUbZqjo9$!UOF<f<`h!a6wFgd4rQ`R$bYF~b
zs~s(nN?AV~nX#*XStQ98CB^)~wGBKgq#r!M1L4nNEe;j7t9s8{y20YiplBeuZ|Ptc
z>K2OIYPmk}fS@GOXda4%a%kK+SH}ois;swfH%JqU{^dBTOw`O%yK?oaB&Kig&B_Dm
zd0qPobb$st{Mp~`RxAVp3}s2!@I0%;BZf@?hSN$*$q5?3*9#xIhJ{w7$U)&&IJz5Z
zCv~CX-MxciBJ<W(15u(EXFP{1yuFzFNcLdRd9HT+hC21vg)f5<aFTB4T#V&5!T!i}
zN2|k%$UQ0V`VOtH`L%?aBjfjt^g%9!4>GGIj!3?~JIATrzWi`&fmW7g)8?<`giQ%^
z__4}Y`<^3-+85*RY<-rn*N4=fL0A=f;wjTJ;rXt=63kEPi@zcn$0N@pAIqK7KkCnu
zWPaNJxX*jo1Df_5UqUexlSbsf9<i^=?-Te>b@<^9T}N3~`<2e(H5zKDShlycNI5z>
zsx0mDSFZ?CaH21SKEMf<nG{gujDcR%d4d<q14R#QzO4xrXypMEjtx}_9e0F=va%m=
zFzQ|w9pKW)Gm}Bze%h|0&!JG`?dGQ46$%Q&!|esX=1xtk050|D$jC;f&d0)f$?k1d
zWsEE==YenZQN-CQX7sM_cBwJbf(LKo?O<6rnGtjvJhB{z3NHQ&-|*oZkU@A(r_zn~
z8=}Lac1*IpY4ePU8FqZb-!W<bR8)j;1ou4!&gXJCd{8U(zstQCBX~}6yeeuo3H9UA
z$2?so2OAB$mZ5I`Nk5FNoC1{Gk7iD<qWth!Aj3&U0)NI$f^T$|V!k~lF1>NXn&+!d
z=#>uK$3xb9esO)CNO^dAwPQ(le%(v9gBu_lf+y5It*dz4Z_mudqK#}*HsoZ6s!n!?
zy8ga@-5L{bYyD^J4%6xHl5r+fpee2v!w~br0c3MDMCTJdcQxw|0Q&N8nD7~~qDauw
z)Vvs#y;ZZX1fRT<J(s7}O1xlFHuMy>3jDKZV7aV)`q#>o21ctSyL(Xb=MIQt;h2?B
zNsMz*lKkm`wfcP*49%uMe-IjPO@PoFj{H9cr;bJY*=-rdA-YN;NA{_c$x&~~ZpGM0
zbahirny&P-6D>@NPW+-?b9y+lTaV*8l8u5dkox*t+R?-9?c&<QAa}d%i}Q^~yVE7Y
zk#mYjJZ#*d_6?9EOBLo!+5NFYT~9nh^%Ihwdj3y4+1kJOKM@N5wiLW)F7M?=>XJdq
zElNxy66K>;oA5?G8uP=OoolUAOt#~FT-=+>JlBTDPA@RG*N&AG5}@Z8TS*n<<gjt@
zoO$&0HNF%3JcP_#gIvGTl!PE(EY{ky98QgzKq~dVQ0md1GKIv}8N_z+1<y6Tp@Q;q
zO3s+aHhKzQ$be|<@u?I{%~e!Y4@%nfxz~rLcNZ$r$%kgDs;as>RM53KF{^j&&AA)<
zgnr1nY$!!7=fJY%1yB79w&vFt7pLu9>)5jaK*K_fy03}Wx(=`BcW21so9j&=UYnaU
ztyn1FjQMsiG(rbt+^O=Zt}bW4LZJphi5B69Ustxv;lRQ*AF%EAG(Q&yWGR9MJ;n~P
zA3aStsE{Ux@|v}hr#U@XIMpfK1UPwW_{p9c0}_mX%F&$lR3C>OQg+}iiC-~M|9iAm
zZT#1)ME%oKt0age$971FDk0d@#T#6^1F>s+d)sI4t8!Ljz{QoMGp)SdH5brhtuiaX
zb0gosRH9=wG<^5QUt5{(KpR3jF&b27XD8~$v3cDm_578@zIT=30fWDKKF%zb;JH0;
z+r1k5gnavBgV4j_tzvM!)Kg>r@Km(*x({|FlLed+CMG6`E1K6qE79Avf6bFkGAkD*
zs>LWc7V}jxs*|tUPCEY#7Oo&kGh}<Z;!>LL(3THYn*~gq59%1bu<9}n`??CEB%hru
z9T#tj;H4Pc_78DCYcdyIo!j(%xNkb#i5cFO-JKfJ9n;V5bn@A~VN@{n7Ej&$k0aJc
zOO!4bw%8#$;MG|Vu}F@%RQ=T1=!9oP;wuBnx6}eeW8NE%?$e#p)RQD*y|3fBRvu2N
zI`<FV^FF;tI`BB+a{^XB|31;nUkuluc*wC7ixtCB^;(7j_#hv>u~zLW*7v8vr6JL%
zs-l5zxvwrJNQDg-HNWGAI0fpdWvPH&B7`FdAJTbh4JNz@XF`{&M+hvqGPAOf*DHL1
zeJ$bT1&Tk*fBq<&lxTUy3x6Wo+1UY;+&z5WLpBbM`@r}dwh{maGK4eu1gz=yV|EjP
z$r|qGhdn(r13#Y;V$OrK%V7UG8)GZ{30%Y_<>d)$<txxcX<d|R?|nzCf*K|eHWfDK
zhj;I=vQ*y0#ZlF|qIa*x)c0#%!pBchVjZ^;jEIRjAK!)-CD&x^c`;VdmSNb+x$`Y|
zzS9)glU8NeH<voE>0%ZD-@1dEn4%W<x~FHX1Th!WX9y7U@iA1^fNEa?eAFM_-GemW
z0gDF;3JU%8hKe9jgK^C2GQsW@yb{u+#CpZcQPbSq{NQYFxf}K%QBc~mB7M<YQF3q-
z;3i|XZp5^nv^T)4>Vf<1yLZW+7Ye4j54_-^7Z<1Fj}H}pNEI4b8&fgflOSZD++~6)
z?vv|T+M(om@w$(HadEL~wHvJL!7mw4v{!!!*9Vy0H{gH5e!yB=2rH#WqxJUk9&tDj
zCMd9gZ!}g~*H7{Aa&!2l2gyh9{IF0W&a2x)bbGi#-@kwNv1H@qob_J^0Y7+n$g`>B
z^8MNIuFFKm(^K^9ZPk(0nZe<sy;Q15CiWzc&5Lja+$NnjTK=VFfLlgT|AZQwdvb0s
z#iCWRD%lDk23Zt3@7J;(cJ|e}$S33B?%g&SrrZ`u%T3S}H5`%ob01)|fHU42-`f<N
zj9Jz^8l{Am`Xu3M!}06atlrp9Z7(qH$4=K5lsfOP8xY7_OS*|Cr?<K5(%=+qnCic8
zd|DRM%7ZVHqO|V#i;46i(0sx`2Nl@!U|IzID3nzhHMAoqi{|Cz<O<-qLUM)CG6xjs
zRolx3=+;*IX@M~+P)W%4E#2O?&ggcpR?J-o3t@dY+raP+4{<|tEg=K0i&lW7Ki&ki
zWe6!HinQ_|h4M#pK6G^CYn<HO5_Dcgi|z9OtHetj1&hoE+^oQFalM)C!!P|pjd2HI
z`ggJgV5112%<@?6n7K}t%B7+Kg36J04A(T=4Al5l4YE|_EG0FyA8RoUgljFdipFeQ
zTtR3~Sk*o%Y)t@jUvoGB6L8duWRpanugF7iCYm`4X`S(Fd+9IBw28mi^Y^a=XAJ&z
zJ+N#61Be5k66-wivY}9**tz1qkYTvo($WG08i~pEYV^aq9ONN-dK*z-^cK>Dozv68
zwHH%+jLY!u0^Bs<^^Je&>*>Klt=68Mz8)ka0@E*eS(Mz2qc!-?C1++{fV@0g-SSzA
zaLK#jR<P|1l4X*zw9M<{n~FYJJ3F<063c@NK^f$9U%?uJc|~ulPYNuswU1Z3-@hki
zjgo_VYXHDI)>@XtkSN&B`s|8LxGNgJeCamQO=~I53VQ~46|b6}`@-9EALDW$1S6^m
zr^=K3dZ_cBDk-7z)It^)%}!eh0DPXA8BODd1X?!zkIzb}Rvz>My*kua2M?}G^UnP&
z(~Ia&C6FUkwzt1)W^Ud!Jp2~!<?*tyc!=YN|Jr)=0S;*#XGQpxVQ&gez0GptrOrXZ
z>Bx4&`A)>gehQIrg2pQ)MBaHv)VM4dd)Q{>mYw>?Q(G94BuZj(0?NQ9(ML&B(fi)1
zQAQgxV`Zr&c{g)cEQiZ46B}XwdUU!qIf?o_92PJgpK67XW%83sxv+ot<!?&NOa;3z
zO!>g+2$!F!!UlKl=5$T@@9SeXl;Ba;%8xDQ!BG33C1)$0F^ks2LpO|L)AKtT(L0xl
z_ko>2h8hP?r%g9WPV$gKaIV7`30`{jeGT^rF|<SDyVyW+zq)hu)u>fTPmhl0b-j_8
z>r2;*6Fh16ipVOTyQnLY2A>0VFlz8fA+rvfLhx!!*v@C=tSanx=$G^{2eX=ce<o}Y
zuhuSF)NxT$IYB!p-`uZmv$2VdPK-_E<Kz3;+Ul>uw$maz<>xjrtp0AW+?LU2x31<3
zsHcf(EZ!0j=(DDVbpp=`7U0g(Z8Z1paD~0(P$g^%)al->PO&RIH}3tlEe}{V<#dm&
z{323BILuv?D6X6p*<mtLXc#mm=7E9qBB1H{<tjY0lDLlEnbk^YKsBs5xf7POj6AOY
z>VU{QqY&a(-!}N!*Y2bWJp^y}D+$X6tp4u<RG^wv6gxNv70^`eE1Ca$>eD~E!1`)A
z_mq<CM|j{gv;J_0;RwU`2{U=KFF3e(c(%3|f4aZ8?sYay$89rSry&sT;16DGzY~PW
zsKvRbh+N$tCBD0;H(t6=hvGIdHLzWHE*f@SGw9AHi@()UNuO?mI?Jiwn*oUrbp`Fg
z8>ri-6h6V>->Rizg;H!Z9U$)qM3%m2-p3q^xol`fovgDP)b^{sc7DIM33Trikc0Qf
zBZSo=VP%!C-&s$wx2el|p|PZ1pkS7|;3^Mv!E!YUvG3o%4^8=-h-@`5<iSi)C^u$f
zSPZ8pY1$_CX;f5{M`vD6pz{pGi|-RQD3k?1HB9&DMW>Q*GIE14EDfwZvC4>6_5=}U
zPB<uRj`wZBnqzAq9ZlFS`)g)1vv-LAjK|<&Ju+BhZVCer6lRCqjqcj{w&p9TtDk=-
z%hX@np16Z~w-o=2dZl{VLD=?i+muGo2F0S7c!efW;{rwb2=v9FE5uy>8#tp4gV7N-
zs|)QGuy$t5L+n5)=rvpk;sm+=ZC@9M(}v1~(u7lc5BiG{vP>VvJcXgy1rFIS@wIaO
z30OclrBNcxDaO-47BJwCKNw3BdMH(IO{xtTpClhI@A}vcDiJ4ktLmLz%Cgr8_}NF6
zE%^vQzMv<}4KKHjT&l(e`cEeB4`27hzPi99o?wpQJIHarR<%wP^60}A?))=GqbH+2
zrz>Npgw|B88&h*TKig1&r6sjbUUr=dsM$ZmuQ~d5DO7!={D=aVB;CC>_Y`{CNS9gv
z<XhjyVbx0l>T|pY%xE47dusoHlyJvpdRMqpfIIp%Jr5Sd`7vR$zVrM0<@VAT4(&iJ
z96Wts0Q^^hcbb(%$fdiSo$RGucY6BM2Mb4vlM&(wm>;q0)zE+!FC;|pN5Y+(PeaZ4
zvqzBYNU5cE3`7sY;M=6Z>+K?INJgNQM-HuYV&URjsM_3ndT5C#>e)#A&PPn7vgyjp
zLuJITUcKsv|JX@?OFG!Glw6&Wq&)hjF!)gdX%7Xz02&8S2Kx-HtbS$JC>v@sws(>#
z-}?#~ms-wFOGK1hI_&?cj{AZPn*5|71N><q5H@De)xT>`NP`3DIOC~jqjH3(7DGth
zEoLvtd^=CLA?GLTFi&!Nx>q}uU%8sP{OJGS*NS@4h`ZOgPU}%SEmw|7JOX(CG@&Vc
zuthsrZe4#^OZ~=>MdA5S*vOTHDoG@NKNEAluHc~*sy$SL)xhoXuR1cRa>Er*D4m@0
z)LI_eA|RsE3RcCK-2r_T;F@50pN{cmvWkU!2z9bYhz<x`Hd%-X{w!IKBdwE?oqdTs
z1Xnrh3Vej(!T^)gy-@enqAp3vH(vsB2sl59gBpCH@hP3ITt8uRgN3Epy1#!l0uoM$
zkkLkk-e+Ere!zW&;D*~K9CAhAw>cE?Xif@t^2agfO5qcPi;k)jS*!BD^(;f;OE*@_
zoQ==_xBw^!h-8~I01+i`RY**aR=XekMvP8S2;6CAX0|`Il>PhrDze9+uGi&!%*)8=
z@7>`J+;T6CwtTlec<xd!ivt;l-46<zulqyr)WtM|CvyE)_Qj>8lSTSKJNOkoM{juX
z?`esq5O%o%nPlHUSHv)LTEcBhhymF;$I$#e4r+$Vneou+Jbj_mHNpR|2ZucGB#dO2
zpK*kC+#5xjLaVmW1waIr=O_~@I?pSLmeDjT3fclX+4xP9DR6RfvcRN^VLO=mHLZvO
zLj~q6+0>G~b9gvl_JKfqqR<=bnuELVxjcNjPMjywAJ*2<QRsgEOyG0hU839kh@kV&
zkK_(6U2L+XVbSwDWPm3&(|OZCh5`Wxjv<XI7u%nxs{$%Ha}hp?k#aYIdMMq?wrx~4
zME~K}esYowgRfRz;I9{ckfjf;{D4#ST;B{&(7mOvw&e!wY1iT^z#M+bQx;+@SZDqq
zHeJv(=hmn!*NUvSX$Z6$tEqk*<P3i2SWuGiQW1&|PeBNU^m)QY5Fu3I>4+!jQ>zEP
z7a_8u>;u13NbbO}0}I9NxcE1WM(&Ai-^;z#5#5GzIVMub_mQ0jSFZDZ;Kwi6{X;9{
zRej}0+#h9EjR24hYQPG8;17ur=C}Ilb^KS<emzCK*>n5=?27Qsk3Ab256)4n1n;c+
zgW<afr!wisPW2}d=go%7KsPm;W{&N*_w1%$kAD@Np?Np2<n#WVinewLruLKyY_{o)
z6yNIx?VR*ofjs?su=_iy4oj&E3p$Bzv&5MmOO~1HI}K+v%cJ^Dq4|g0{=-dmje7Ea
zCtGV9f7cSFrLa}k>FYSkhW+~V^g>4X#-<vozkodPg|W5uuk4+JKT-=hh)$>!4QII&
zCY@`oB)ynzLNY~P4=|G?Jb8?DqbIe4gV<?k!=_xK2bMixX?{><!rg)t{l>f-psQ4&
zctk-BTvLAlZ+KoP!A|~=Ch{8CRRTN&Mc^6*(+oEEaI1$NB<t9ys{P3j-KB46&U+`@
z-6$WHBm!L)Udpkl>BS$fo@tY!K*7DTU^h)I2O>ftAQqh0Mtk7rTJTG=MNI<xWj9V8
zfF%@U@MHvnwvxRz`Aa8zW5g(pYB#<l%?oIJ6&Rnw_OTJI8kJ%vm*$K~%gFd~`|*|X
z=v!t*1K7Rf%gA&b7AjY(q{aN(h}GQPH2>gP-Ce>!w^73s8$Qw)c1;ElHy*L7r3(F&
z$5LGX0al_^icj0it!$l3=t{gAM;FN70JMb-t<N8yqMRi)8Z&HrB*wVnRH^6l?aL=d
zQrbiO=nFvB$3SQe0<%>Z{$YS#dapd9NBYz8wV4vBl<ZpiZ|^H~E8+oJEy0;*^jB|&
zJDf!X3dF_8*U{}UJzpxN{iNIxg7&`dGL8kKi{!OOI+x?L2a^*#sNt{9VGoYQe!p{{
z8$#Vl6_TydjFhuq>OOZA<g@#TU6imR^=~b^lCm};d?SBqEePtpWED1lPViZx$?P!$
zAPKppP<lx+0PGS<E%4ofe=3+IaUK79RCM%YqWdcBz8^r^e+zXuK+Fa}e*6ipAwXk+
z(LZ|9V8E#vt!g#c0~NkVYieHm5k?z=@QF-1*uM@~fbJod-gjeTWB0rq<*a?JXmqbS
zuXH<bO(-BBL9$aYv_dK7A*hge5AmRXCmR5qI{x`Xw8SddW<J)aF9$vjfD_-J7wQAH
zc)3h~@=JFxG&WFmARMqpar_%lD<E(xsi*`9+0Q1ImiC%o<8+Ur9^|E5)v)BJR$+_k
z6N8#**s82=TM6F0J~!p}>~{m#V0J46xVQniT!KImt8rp<&clK@5JY_FFk^hlxdUv;
z1wSdAicKHRL1iy(1t+nPhzPY^1q}ohXmfz31;9o=T_yo4Y=nZ_Trt-KA%&A=BCQDz
zrM!bp70SGL^w+-f-TZHUhiKR*KWFTaf)w0IC`H{Ie$Fj`@AAIbF3ffZ3<t?DY`E9h
z9g%32B5OvdC7H<&s+)}t?^7~Jd_BJL{$D4LWO4y!X@rOd#TuH!hBlVe54$2TI@8@B
z>b9@m>Ypp8ZazEZ!)19Saq;5Ck9_9jz4<3xRkbJQb90VGhUel)_PVL-$Qun&_Se%$
z#ijLT*#<R|OI8LW@|P9GFWT1CsU$}&gyg*E*{(Jg`WR3wQ5pJrXeF@e`Nczf5SIc-
z)ziG$wid<?raWff>SE^1If2<o1&K=`G!$U>0~`d|4wP(4St|Wy)=BE6icD}O2O^P{
ziBvMDXR|&DJ~srz9RrNEni?KJgz(JaOApbE;gA&RL*JvzM4u-%xyQ@^KEm!V8u;Fl
z94VK698r)0CDkk9ZHL|Ue72}dP~f^%i;eGqDR=;EOF)gFaZ){NIaWi<@Q!ua$+qKJ
z$8Raru~KGDH_ilhiB?`TW}#now*3?SD=91}+w;_@?aB=~Lw?_dQ-M5p`_t&v?3|pG
zzNPBb25=(iw<s;xrTta?+h|FXogBa(NUf0(l+6762N1>C$??70%ee^qE%@Pk2+<S@
zuYQ=+jfjeB8v7z~WY3&%#M|k_*ww}Fz~3?V1aPjigf0_aEKHhKUf90o#E}PI>=W1_
z9)wzoqAN7-e%`SV2>nvxb>fB^uT_<C%ZGH&5ULy)D{O!y`M|d3;sRl!*P$u8#^V~W
z$s{3_$&ClRk|_YFcN6gLU3PlZ;Y6oenuQLz^t)s2$fu>o76m=;YCHR(l#7dt<A!Yy
zghAI8kz2QZS?jX@oxg8V<3{AFB|!Rt5o1gK<nd$t(SvU9iG!w&DZN#NM*O?z2!hqW
zI>QkOV>p=AZ`Y2(_$803h~jV+_sS>G6<$$i&n<$?i5)QZdl{W~Z}eA52yZ6LD};uI
zX6EEH(4DSh*Bt-B8?oPG@Km~VSd4C*Z#0w*sr-4K@fwN%hpDm5_{k3z6a_fN8~n76
zxN$^FiWi1Wrg&CUGaCDZ8TQOLR0TTMa~IhF6hTTTg)jKmSeXMzNZp~gcno&P7l7FK
z9g>_|f>09tOK_Mz!%_P?HmCmAGjaWG9DDAAS6A+Bv0PT@&cr-Dn4n1>iVUOC;rVR%
za-u&NliAA@ESn_eX#**`VRy#fddqEV{q;_Q?fYb_YiHN29#_6TJ@LUZt*i5@^ZC1L
zfYy%XMa$EM{1}Q!UTX}0=aF>z;=&ZGpsT-9P7kE|UVNu+9|)=Wp|!hFvH+K~ZLuB0
zvGKfUKnY^Gwp9f#Z0i4O&*$5#_`ipT#RZKxjl(}|CW&s>&o=zXV?##ktKTzC8=)H+
zrzA9^Bn4~Fvj_Ro26e9sJY>A2LOij>rDm|MFKo&r3^SDF3mNg;_Ajvp2QyL*Hp^sd
z?65=CYaePG;%JoOZUo=bCzE-tc<oJ%XApgUhrB+iay`@MRME2c!?K9WG;)&%jFSk3
z*ew*N>?#Ui1tJT*I)4QyC~2vv8Nx-tt$a1ucd4<9GBWTiEiDnk1+DY&<+R?*|CjPF
zv>_geB{S3oi#-AcC0d0m)pGZ~Jtv-omSsm+1DCZ(IQ>E$2gCSo{PU5)Rp-T|I%2Ew
zW_zEL_|r@=n)7|Q`is&Zl5ZcWKZ)bL_^&U?T%o{pa|f&Q{I6d)zNM9QUpY`ic;xJq
z%tQoa#M~EAWOPdz?<t?<^z_4^D$FwUEG?GV4t%(I^JbwHaC{@UpZaX#K_0m=5k!ZK
z<soP@FshNG6={NcpPhR6nn=0v0JsLsBaA7~r14Pb3Oii&eDp>f3wcOop5=cDbHwi3
z7MN@_`1ARZ3t3&EVRONW_o#H6@x%2Mz1sR;nA!&Cu}b>u{pY3eZl>ssEeRMdO<pAz
z|E9g}zjVo}l8+Yn2Yx9HffIAJl%e9L-u}RRZ~7KI{eUFq0$wnRRs8)0=-3omNvXh|
zW<}O<H32TGwLV<Y4<LpIg^L|t0I;SB0w)$Sv3db!FARr;rKFJQ5h5DF8-jo_xSoia
z{be=bjaxM#hj)*H>4#Sk=3V5?EiG|TNE=T#mH{ken*cSgEb)YQ_H7h;<9F<)WosA4
zyw5~yPIk4?RW5h%@)oZ{`Pu-TH`AYL|2<y`tQKnW7$ZCsGITcTw#0#2x%LtcsBqPy
z3&B634IKc~heM;Mmtut-%>;^}N|)t^9ACs~nIyq^`sZcLnD@z&p7TQlrQ0Tf*Jjkw
z{<m2LBFZ%cd>RASI%8;JT5;35Ua!@j)x>Md$WB|;9K3{LkAB(?IJ^xoHu^2)K3uln
zH32Ic_}*+pYx?KUHv|OAsI~rw1HreS`(j5nc8s0w3RD4m8KFFb6WD=<Ku|<7OkDeW
zogCsOBt=B{0H58#Fa)mW95QVT^knX7J7jJE47mRLJ^wpR$XO*^{WobQRb{ocsdLp3
zYPP?X*=72!ilzKYKfD_-)Ex>>sf=11u7c?!{M>P<*$D)_e@4)6Hz7QgfQY5HJ!ZHK
z+y-acY5<7JrSs$(`P0@aX8~XN)wmm;KmE8HPb@$=Se!9AcZqLXpoe~yEWIevs&o(^
zt~TPP{N^C;dtt{lU3nmH&sMM_)FwYjD-W-M8;%^Tn2C00(2MLmVo$I~s2za@*rQ9L
znoJ$v+LfL@?aG?V$~nxm7BTen-o;b#-^A+~hH<e|VBd#9F%`(?!AxJs4+tiWm<J_L
z+P34a)6o%Eps%N?!QQ?M)8v83JAye!k_2&h8Di`@G7NKz@c8~j0skRciM1-Dr?0PJ
z!UlkAX?F7FOruXZ(6%HGxtZ$d(Sd;5P{1}lmozfE2@w{zBfQhKNP`_xh5oNb_(0&g
za)3obnqqS3p*Zaz4Ea753Q!S%)Br8QigB(S(SYg=7=tQDut{txM^HX6<(>+2=GiNa
za?ZNWIX#GP+WgL;)qq~H+hY-Ts!K|v$q?<Z+mX(X*G`U}0jMmD^xcpW_GwK$-by-K
z=JSN<66krpewu@<fbX7#jRLZd20r}T?|omO4g{RhUH&d50bHg=(Mv*r;tl_P?cWmR
zl5j7O0o>qak-@^BbXG2|J?#hcRTXGXn1Q2)<dFHpEfZ!+`sp~(7($``V|D=H{SC~8
zCNCj51WYx4<S~+KJQ}L;tn53@Ra+uFp;@+)>d+yj=51Ue%q}eKvL1wX0-_P|JB}~J
z@5AT5jlBEUV3h&{&|HA*0qlvdte#JInf}{DJ~9lF(8Pd57x)SZ3dR~s!A;NE(d8s4
zPzBA(w_u>}i)v|+gYp$zl^`w|!1k7mnd3<UK!|c9q6I=L+;O(3H)HJ?^6{zWg7noi
zaQ-OOT#JM`w|Xc#)<L)isazi9F)+E+l(06#PJ#-JE06;!8Pd1b9CH6_AxULtXYaci
z0KWv9VMtrL)us1<C-zCiuNNMl${}~JMfpL0+tl<HRQd-impG_bohoL^>4`<s$kQ~~
ze{6M#6Qe*%$-IB*leqVF6t{kzPedyeia@^DDp`k08k*V$WkV;?B||G7p<?-?M#*tD
zHLZbz%w^vBff-z@9$I;7r*W>jI4LLh-P_U(xGDE*082PN{PIQi$R0LaUui?05sQOm
zNJvPv-w0agL5hJKbTudgC2egB$9EeRwrVU%gw;A`q(;hgnyktiUKVX!Ylb!mQ4r(2
z<L|b%SO5B<bvc+Cs;<-WBUga$VJ$&}2bv^r_y4u35A9#R%+L>&Pnq$+xEhNteXoul
z7KIiP@E>T_y`UHAaZwmD(Bd!?xD%9tm#eItDo1j}@q3b&f8J$CaB|ZP(jOw6yJjnz
z0s;69zS0{Rh9~j-gwQ(uq2oMqbxQ5>pF3#sn+@ENq7W}c6RgQ^8Y%ueY)JF~pg%Y`
zfCS7RE)*J^Ln{xUISb^{lV~8Di9-7ZX`oi?hC}xRXz;Ld<Mn>b*hyxoAikx5oI(E(
z`k=(57jVg?EuG;UJLdP<HK3mR9os!IMF*P-r4Qro1{~H9=s{r$78Z!Nh)!=pWdwyC
z+$s10@DYF#N<Onl^&72bCC~q6K1I6857H*ga{-n+!2OLhA0cD`R!s!2hXMi?AuxY+
zxu#Z}MC|PBpsGGNX??*12{shYhb1NX`9z?i0c5p|z8x(%6yP=cC%3L#`q(y0q_<^r
zm4ZS#rw7}lcJ;sJCq>oEuI)KE8*0X|R_engB&EZE*#NWMFw=hE*ki``kKH3g$3A;_
zL0~wO#p-7_)SH)9856|BpEq6rr{{5Cpv?KZ!p+q6rCuF`d-d}L52iGX@(#oD@<f;m
z$ZMd`B5JF((1a!UHVO&@H=^X80-1o@g!%K=ucRn$*Uc9wAGvgFo0Wv127PV>$%V>A
z_*0m8ExeU=v&W{US$%fsq}!~lB+CzJU3>4_b8KyHDm{CKQ?1L@{}5n49AGXbi<+xK
z^BSIn-`orM8Y%!o?Hr2JbGSTzmqA5DJy*jQ+Q_E|H@64Q$(+6|=PVfcoSN#F2PD1x
zk#{7CZi}~&nW2}8pM<Y2Wsv;I;<p<936czKy=^yO0|)l@syV@k#PXW=nfor35=eeJ
zEqwJ??fsO_0wt5w!4A5!{fDLSBP}f~wuj0(t27F7DSxgWgMhU9@EyzZ6*V>|Y`xec
zOT#BDO#f8@H%8&~!}l4f^{yTF2x_Ru)}OHxatC)ljO(RWez<io<Q8e984ceT$FDP|
zddL>_6{P{M;{x<kqgr>ZtRu{#&;G>5W{42p@m+S58sHS&<y++Q51B|0N>nd6Thz=M
zfXqj(EYouV>(OQB+{7VKkUbLrR4In0hH1IE5_!;F1A1A8l6J+^)^K2_Q%8bO18k*w
z!|}lx*W3x+Em@nn&aFcig}vpmu3h5}d&E9ajWfpGQhi?7ZfFY~W2ET>*n`)~OzGSZ
za|OCxF8xo$oJ3}aeK&$GY=d4#Axa~3cJQuBTGs{WWN?mIUbyHazJGc_)VjQ8UPOMr
zYCq9>^`l3JYO*m_AMw5L)*|Zwe{Eg1D7TU|sBUzJCI%OW=KOZj!tO0GR7Cq8Ug&!$
zdL)}{97U31{!4zZ>OsxQ+FRoQB@zEm>Z?>XbA0cO8+X8BL+Paj6hN%K^5vXBNFbo%
zz3?xOJ3Bqn5SaT$zfFj-2{?Q}bWu-Bi|TN9<?&qchjWJ+Xzm<!%&K2B)E(*s4awGH
zHBho6Df8zTWC;5C$T<k^I<KkmHlQKt2Wfv?8SHTlcJeA<aKbq^{^j<SOPDb%eMqYy
zIs)*)3vGJ{khUP-QtvrCI}3QtILylEb~g-IsjrJ#DcV&GTYCY54j3#n?1LZ{)$-#D
z0n*vG29D<&!s2Q<SBZjfs6v03y91KgA-YEc!*7tDDBKVciBFn~Pv7p8CWbEBTTI9=
z%V%G@4@wF@e?A925$K6|4Q(9ju#+R)67rBHE^QU&4}j{|EjT>zY-=cV-?KuEFL~L)
z^#MeO94V&ooUQtwu71>WTevwrH)n|8yK@Oskb4wr05V+Ni#r&^33Hi@NRe-asM#Rc
z4GbtBZ$k3MA5SR!iF49^asehpwhuj9B5xh<3Zd1$SZfzSzuux>V9ew0e0AN#qR^!*
z3<f&?>+!na7{6z&2(SgDHArx)%N1GuSZ;2~O{oL}o5i7s21ch?)$NB2?;weSfKzW(
z7F1<jQL_yY5h$xeLIOQyU_JnsswO|(I*BZ#2}w(U59$McMy~(XPHIJTji*eWS{h7e
zFaFld&x7#m;axPea=gVHk?;1vCZK%@s5OAH>~B%E-JNvnoWhCp6~<fm2x>;<BdZz$
z{>RhMr7N`h?l=dK1N=?61c~2kM>42Ll$?7g{!2HiaRg)lM-j1I?!QxS1Y%mtJMN$P
z+Va$HBPB$Fu;V3!)v%O(@J2OnTc2y8FISV1GMVRJE(Hq)5EP<vFTm@k?Sy{6ybJIt
zM5CbpT80C+FW5rQ5=G*1OIJf<o}%hq>kNJP5;)(Y1~ExW^7nyq5#L6>>x6?VAArpU
z``5<iBpg4$g-X<|Slx#w?ld7jeyNP0jBCtDXjtS2Oc-8hpY!7wu9yhCHUf1boyKG!
z)lA^;x4k3IW3&!p0&l+ztq^HxcMG7d%NCrrk5JT<pF2OsH4g^`89Xd##~O8_ZlbDy
zl8S^cSf~Utu9Ju7oJWNax?|f*>HGI_!DG>XHT+1~xAR~pm*bbHc)%fxvzTYnoi4GZ
z)avMzL)p(6ib+JkbU?uV<~G7LVdvH1g3_+ojtdHcb9`~IpOc%<vkG;+%((oAR`_<e
zK%51i)Hf;P7s;Gj#hGMU|MKn0l^%6Hn3sW+)gevx!5}5KzJx|A5VN6o{C%nQ=+Z0f
zORuEXjU38{RxG+aQmSE(EcIc60K$t6Rn^f6h2it>|4{U;da_qizQA^-fbB*|NQm;$
zJKc;iSP@TnA`k{IKbrAo8oEllz_-RGYB^0=sPWqvWjA06yDg%1hPM6hrM);I;5d&P
zr~}pb7-4}?prHvGP!-<z{LX(2p44PLg7L3>So)x>>eu@5Nk#;g9OtdH+dK=xhq)o!
zT29+FyG=%EZix>8jDvcEr@Q)g(&cvveTlno=gmaLBx0dRi;gD$oSsgPVCHS~G9-P9
zB5X?U^rYNAL`Ggga4^8fr2mJ5{mb1yQ-JW@lP@)m`~a>&>$P>p1rfG!TGsG7!t+nj
z_E$}@k$x=(3XYfanh9;G%w(nh<Mu|z#57oyO+ntBnVSpzgnHlyKh@D`tJM$(O1_4s
z#k+nGVbFI{H(q+wS5<UmZw$VwRIq+Q%*G$`C;$R;wafB{b}`)xh~%Kv5M5B~6;;+N
zegoMcN(2luqT4xz1qCF4phH7X5-I$6&^$g5(&|AH^kmk0;43a1EzBQ&S$|Yf1Z?`8
zPeGvnidEsa=)`h^5THNW3|W@J!4|OGvHkY-C!}irZ^Z83(vZ4mD?Mo|c}@`)D6l{z
zgGm2PzM=+;%rc(DPVO*#q<)TJS^vGdNlV0&;D~jDgM(w72NFei@p0!{-~_O;vp1$l
z2SEaJK(UFQ{XAl|H-zU*doL)8pc!xitPA0zK!t_^^E$5tSyukHSu|Z<cJ^lcoc7S&
zxKoeK=|{Cj6`r_MJntWSL17mHLU}HtM}g41lV$o2gWLzZ_Xp=v>j~Eugs$YXq$>yi
z{{1_1>2l!r9el_{p=VZ`^z|zbYGqGO@aCiP8?%7BKh@J)<Ldy%{0kn*fBZ$XjW^oU
zF<-~`?R8Nqi6fh=8qin*Qt7gjNYWkFzv2}~iTF-VD!G_+mi#r4hWtP`%BSMJdNB!K
zXD7C=`>D_S2;F6=sjCV1wuouOT(Rk{V;XiDy?>njRcmlEp$)sv+1#bbws8>5v41$N
zTi)&wmXQ%sXvOp2xd#hORu)}d0K!x*xaXk>jG(d50eed)F1EOGM3iL46YKV5_cQQY
zl(PZ=ItQ#$h&ScSn>UwWbpWL)c|a8uJRu$bF<4?=ol%MAOb~S^hkRSYJx>@;whzCi
zDL$hsoj8Eb*yuP74-Ol?n$|U6)`sld6{ju9kL`a4`VyAXxN7!O)#;!F^74%{IV@T`
zu&qG5Y&20+m(D$g7y_A6tV?3~)Ya?{ng8|BEQk0rRkB|nqKjdNLL-!hC`hlDzE7=C
zWB8^ea4~_cAh|{sECci~+_E7KN?uYeT}&VFa<-%^>|l-Klnv4HuD9d9;UIt9DKQFR
z0t*Fs#O~5#IANMW%Nm(jgfVrj^|d5)5)O3qJb0#UUol4aDQ9v(;DcHKtk^H_%xQRW
zI_wzhD)vkTx!eqJ5pmmQEnVvmn||t?oU%Yl6(3*EBSAeB7+uN_^FG64b0qISk{9Tc
zP*8-I@1HBM!2Y<;OF))Bm9PEqhSfUeU4)&v%#oAuCy*7x`4@_8qFZNx$$((yl{5a#
zBmfV9<N(}}a~yBw5!3?NFA<6I4Da;8{GFAJ?K@Ni&~|`A69qCX*Z<`q%-Qr0k)eT*
zCO^=b`#3g>^ziHCjjP^ra&R<>?hTWvktZu>ZU5gq2bPKV*jH$h*Y6-pqSl>%?b-jh
z00yX~rKN*9*-Z9agemZE`d|vK4Z3LerKNG;0D+`v)OC*5YXI7B&w<7WIORmgH36FR
z2Wi1(AAiADCjr6yfe2R8b5$%shJu4Po_cwKPn|6ao?1T$9(0N^zmrYwUI6A{Ai$H)
zAu|KD!_WGJ6|gpd(x;$6^w*3J)QH=;sM$<(baja;&|$#JwSaC3sL9L@-Tc?dJLv`Z
zjt#0JNPPIMM`;!#4}(8<xVs(9#5{fW%pWQ#i=k3N=zY--4PGnvNs~*z^o>T~cxACC
zr$M+Bw(#lbdNIf#pjPIDD1kB#U>*SB=V;iX@B_?Bv}(p|_wpMi#xcNcELA^K$x`{W
zNw72RI#PM4Wv5x+{Y8=Z;54?<3Iz~6^u?Tvy*OP;?~?xiTXzypN|%+AzV(UG@CdeR
zZ#D!(U+;@O($|dE3&idG!JB$ny`HB{zuv_%?J8$Nt=p9i3bw9!bg1<Q<ME6maz<E#
z)2FxD*q~o{F8PG`#V3Uz;OZo&q+r2!5Hcum9HDglLewDn{}u}MGXn#95Q+)x)ARmB
zXZ4gVYEzo$fgxmlAP7qfS?VwAXX(lYXQwA1kqQTU{pv_%n%m{vz9l%l!r?^wIkQ<X
z8h)XAUyb$3$GgS~ojaa5HzbZKpce#3F2QXR4G7F|n-I#7hY0kOp){L!JRTSr5QMD(
zv2@ju7HS!U-Wzdr`TeI)p#b6<9Bj_O+%lkHz@g|g;dOyWBvOK>t**NTVu=&bx2=bV
zlG0;_v}n5*P(EW6{~uTH0grXR#*g22wq!<R6iHTPl$D(dEu-vF9?6RAy~&K0GSbi#
z<*~OA6<R7gvm|@3-}|d`{{Qp)otM|?oagnB`@TQl>vLW2b%}gfTS4?H1qm6uWQ84!
zxN;4<^zgvLT8b1;)L0@gV0aEx06W7U7n5g%H`m^)-F~S|1Xtwu?`Oo#O4#s5nXkGa
zA<oRu#uY&jB=Ylj-Eg)b>I7Fu8L7aL5Ah;U+u-%CpYC9j!PiHWU4}RbLk7MMT~L5+
z#u7Q1M76>%NcO5Scb4(7@0|YgmN$cLj@@O&>f_Gg&wY)|j<l#gfy5V=k2<wz@#xUy
z(%N4wcP6i}IGo4ZEp*_^^M$vgKe@i_Eolpf!ho4b9}CbJ^+#F=P?bYas{$u4z57p?
zJ6F3tJDujKQJPYftvoz1M9B~ukMn=HB6lukHzpNr|2eF-dsInxFFo~}qeA)1ylTmo
zK{8D0KLRxjGi*k#ZW8}?JI037ZQ@VqIJLj!RtD;|gs0mMUf!g91tuZjDWq5Dz3cDl
z?6otvoNk}-O?A0YUecoC3i3#{@7QtwWttXIb9i{?1wVN%<fsZRmPQ=spdfwyH5JuS
z;M%XXZ~uNPtdG&r)t&n8iO8a!GUJ@K*jB$;-l<nk!aF_n-U+A`5nNkgnK_+kYx(=G
zG_{r>%W3kTjh8}LKKMe1i=as1o!mz{m!JJ%(se0NDLxYefcA3^^$r20uYffskmzRp
z?g6ulPYlzsgkL0+ovbHL1c_Fjt;$!uz~geC+sp6Aj+Kwc<HG4VsZG0ox=&TV!9k;1
zsXhA4aQe|wUxoO8mZ%a1^qxpw#~6yw=JqeY--(Hd!7H*@5{|!c8;m<T%(DrBD-;9-
zwKzv7p*)#U)ySKvPgnJC@Wl($XVaq-)cvf<S(91Y9_lM5v-Y#_H*9h&HoL&HotvTT
zKq1vNvvY8;s=E~9Sd!WE8w#E>93U7_!Cw`C-*MOg0#-{wt9u9mFaXVa@_{=s)K)na
zs_(oSY{dnPrb6`<VCQPfiCe>G7Y=?}vy(xW9BR~N#RSY8WwT=p$hn_yu}7H8#iqA!
z2d*1E`3xgiKr=pCDTYw^an_7Ke*Ad+^lA1PuK(5oT>tHlb8@OM!XEUv@hx5V(J4WI
zoX|1ACeUsdcTi2IMRUI>?awS~2Cg8Bl^>k)bL}>&8K<@j(ArnfwT!b%O-}0kzPjle
z)mBNf`p?shMP9S4dUM4=WV^(v8Ad`s1<=|%I%*z?4Xn4jw0k>0S&oS5YXnsW<MR`g
zc)#pRZ)!E}Lbn|A+WJ#_`|`2jh`_=6(qRXqTkp;RB)hHXeZpmd5MRP-W<}fqZUdVz
znxj*JunJmH73z5iHvmCi0l{5;*_%ma)Wpl|$!BY1zF;cj5Esw5dNmXYj_`);+qbU@
zwvZ>E?`CCHU*Pr1l67rPdp8u+UqT1~R^}3T6+)04IxNs4{r`1Gn|>aU`@r&$5LN*3
zSIep@9k1Xa*k~syw#?s}MUxF=nL_u~i~Ho1VvTpF>H<@!R4Wm_49aC<X*9P#(&Xjj
zuqP+Q`do&pnqcd9>Ikb=ksaK_EoRk51%b7m4clA-=Y^h|mxZM$zgeK)+V;tv>L<mr
z<$%uSsZ@1oOI6l0Y31|P`Ko7mq=a}DKJqgG1%R_<a$4!-x*9t_Q{A9jR#8#8RzrpV
za#_9<Ckz4bOXGFYaj3R5H%~WT=|mfWcZz^^${>3l7#LU>gS&RB`f!Wd4^WG+y{aBR
zzL`VZxVMmhL+;f-tNj!3lr)e`!e>Aw3O*V$YW=!&!!{ywl$bpTiWQ|}u37b%zP|Rw
zi(`zFaf%;&!5TPrm9S$X=%>F;5rj7kCK1Zeanr8v=`%N3-wgA%uer?Jv$>-2^uiqc
zR>XCU0!(lqBwXMaZY|N|D*Y<{dU9P07&}=0>>mF`;z@^1QRx@&<*?5VuL0>h<y_YY
zbH6|IWSB&Xe3wvPv}3@hW_C9o<U2wK50<Kr2M9rLp%$-;I%O74o+8I3vAy;)ov=~|
zAs9o>gx5k_PjB6FE{RH#V$#2={&oMt`nI~sgm_DX%3y;b<*283H+1;wK$=LskgP8t
za1hlpu%>B$!^H1#ZNdG|5_*(xohAGBEJ%J<MtODSWG-okc9wyLKSNKz@}7Gq2tHty
z+#T~M_;HjLdDkCdJ+VE=a;$OoMUP3dVdFT~0-#+hdor!Us+O8GcJr#KOY%u$<0w!<
zxNNeYK7A{>i3mGf8iT5-$~v#gp+FGA9f|9)Ei!vR*7yjBbHq-fzsStYBmssFkTg0i
z_Ss{a{HAFJrU*XY-_k%?ApL{@RGH%YU+vNCug@VSjqMZ=t2}-BG_%>I#gtW9qL=0s
z&5q&<n>=G6Dld>YS1I`_@q*v@5hq)clWhpPB_ffR2&V5DHg~ou>{wJiAaL(ev0eb%
z=+6I)ZcZ+2nPt^@);8%SXwFg6CP2|#&zQO}>-?a<;g?5MQG;d290zs!GL3HFJTE@U
z2pF6MckG}-NQvc*xst2m&1w?Yg@7u<gisZK=ix+0PdDu=FXzfQsuNd(1+05P-ACtK
ztj@nubo44vBtkHu>MPs-^W#HT#QxxK&IF||o3^KSZW-A=v!xhb;8j7%cst@Zk`=i^
zo)XE-PfbFS(`gs}{{UDo&nFleO0$@M839B`+HRS)Q$L*{bCu_x3bH0NRAHUU0(sVj
z9Z6TOVrtkUe{>R$!3+1FCxD;hrdm_3Oh<ug8@3SvzlKj5LpnwS^Oj@qqt8ET;PXA|
z(l}u}a@fCWy5iI5tmv*?lea2yXP-KC$`YLiVQbo|kSSN<(x>(`O|{YEd}rmK*bP*K
zcvmS&R4Bph0GGNSOZ~|Erk~k1M<%1)6`sn|<T`xE^DY3-kWmzQq}y~}?zjl2fdIPp
zb*t~$tPHwVE7#&;DNZbtz`b*H8k(8i>7D6tuI!S0lJ)#~Jpc2A{+nZchqDY+#Zs4!
z4KJKKm5$6A68Sj?MsArp=dIW8zq~Z8$9wSdTW4j?Dh9SP=0O6xBB9?3t!8mi=($8r
zB4~4mj4<~|yix{`0oYlvg}45+I7dGa`k_if|3rCRsO}@AQzR0BZ(96fiG2;GQ5zZ}
zh$%s^`FOZI+x-@SSe26gm8WW<fvN*No|uu5K!|HC0u~27ZuTAB6dmuiK#}J}{+|L(
zBK@%LB7IQ6%#3Gk;|2{rx>FriQ<%#tubg-^@Ujcie6EN-3bBnF)$21a<@cAkIf)s&
z^5Xpyhi$HUzAP$|7iFVc8IG}A7#mog><RRv2Yf&ldbQ$D`MkMl*{6tD&a~=<IuY(y
z?OA1?HdT(flBvNI@%g$uIHAv<Kbxym)CwH9qle-;v45K<bPAY3LhMXHxzaQ3;(2Dt
z9Ss(VaD6tsylkXRnCZtN&o;y-rq|iZOx9{s(}j@6$nFoP`!cx|E8e~68(?mC?p%$f
zRMnuH_nz|wXUdfy`nirS=bw3oTYkl_;LKRz*z<wXz^oP<rumy<8Y7o(rqzF*LoKGM
zl|s;`Ho^P3E(OFl+vW#l^ra7%!6vFg9a>#Aeq=<RG||4V)sJaDJjGJI|9yrEe~^oz
zif2Ia9QusvHHxZHXAUPY^KS}2I~A@6&ULFie>DAPJ&<fIM`e<wo&Ss2yDT#kk33n`
z^VN)VsoRUXFMr;d_k8;7w!~L2XSHcHZjK#`qbzWGKDg<l@AH#~V=mq~Eo>Ej%-Bf4
zW2mCzo9_;8kM||M5jq~9mqPv4EZe0;6lf1`s+{pr=2PVJal12W+V0Uke4xF!yHX=p
z|BnT5_MnL`I%26!xwkz{oWC)jl4XI-^~E>Ga^>r!M0mv@fP(=b@&Jv`m)Luf-4~g6
zs;j!!-vK>|hMcNjD}BrO5}LY&&QXq7%^B}#Tjj~ri$E4(zGVCRM<~T<gKkRn9Okr$
zhlCU~DJ6w6zMrrq9=nAJWU|`{V5C;IbPmn+=D{DSx6q!Uo5*d?E+}BfDLC`&-}Qsq
zecaO4lmQF1{68M5tnT_#HvRs^`|^O*1J<oC{~5V%eUM{eO2%a=qY7Zd>ig4TsiYvl
zC)%I>fODxHyR4qwmI;mx<7h~kb)P6xRHSX@i$LMd$8s93Zip!MQcMpDtgxC=vxDw~
zL@GDuf3+5@>!g>Z5sLFhUNpHv1Eib;Ig^05KE_k%VFBi#^+A~;{)hVk9MBn)Bzu{g
zgf##tC5Sk1Jn#;{Mof16MDplaFwINd<Nd01c`gD?{BCg&o+*ENF4sNont47h@y;Da
zK)&tfzI!ZJ2L}gx<^RKTqE`2gJFBaQT6k|{Lr{mSwOz3P4Yw0XDW6^ErU~ZLgogfy
zVbc|rVCDIHET`1Jh@<#|CdK7woM%l%>P2|h%<gfwVo(~@Qb!HO->F^@2G)TZAI$o-
zRGjwR)*MGEA|9tVg1k@;#e}*yqW!TP_HsZ&rw;fXbN-2wC%w6+wl&zt9c<ll{E)=;
z(0=)~?|AqaYJ>XafxJ$7ptYd^HA||>7sogBh-}Ya)HwPtNLL&O2HrY*(ZnRaV6G^t
zP%bsl4OHUlS6=#*nmgO!GIj1{`*SOO#^kr8fB+d@hujq&Q8n(XX?IY;GV|3pojw=Z
z=YC+>qpbbeSrI8=UR}tMX}@cvzv*V6dR?#BdP$>+x+KGTzID(|KtRB%Dx=(G<emM&
z4+m&`RV<z|y6cq`WC@r@D(F4D+Osh8e*HAwHlSCSXKfnd1?1#7@s2&zy94#fAwxsM
zT)LYN(|zdR$u$z+Y?x~vhd$YbHxdD-9})v78ll@!o4YkL1SR1ODQTuH{n|Aj$H;y-
zt;mXTyvU$7UEdlDbZha>*%K$o;q!y07tcbln>3rwrqB2pORHM41?rkW2L!C{=soPw
zlBX^Fbxc>64$b7&ty`Bg4f!G8CIuk@5+R1!<|^SbTr98KvJ;fI790R1u`quc4qbk?
ze3&vpYw<Q@!PX#YbRmZ&SB->Lh*HJKyS*m^2T%2xVW<@sCPv!l&Knxp>{~`{2OWpu
z-cN#!7_T0ndH1qEh*3Q97<R~a7$Y(o6`$e@l<8D9n@B{;iF|x5D4bQcNR5AfK2xOA
zIDD9vpW}v|36#o2+kzvidgjcTDua8Vyzs!1D81QZV`2<WpAJV`tcVsXph-E;B?r<G
z%=UMuWq%%V9*>3lv2Fhcgu_SUy@KG^8g@gdc>GL2HX!kI%HI_7d_ps1_yqA)oukXC
zir2HmKI>>u<jp^QcW%qTHO3iUtxKI`6S`-5dSYT?6464$zOIR!+u`=sl@}Ts%F!=6
z!&{`kJ=iEkGAjT<{I;e-LOj3K476h=j#j%{@Pwfs&XVTLyBeu07IlxX$_C1t?kbrN
z&H}n#cn>py!)s-`sy=`C*&&;wyqOc~^U!M2H9KN9`sd?=*=7&H>Ywg+5m@=lZ7j{9
z2^chbNyyM)84no`RfW<UdXyfwUD7f#GAs4thK>|=_J@>2BNc>2GPnS%kByCO9(2y%
z7?LebzKm-M!t(_TmQ)2Sr}lZ8%nN*igd^YN(nHI)Bl2Dcr@R%ba*kK=jFa{FxJwWg
z=E`Y|t)Ry+TqoVU$t}fu=i^U8FxGQ-6o4Q#38p+%m(D@A@PRvn&DbA8p4qTm-*K?U
zsW7{&tTT57AT!yF_$L27+sq_5F=HhrCbAgbP;y4E{TBevVNZTz`$K*4xM(fa6tDhm
zd1(ia<l&Ewvdeqcnwy%um>=sXZNu^Pa=vIW2zkGWhDY*?<lwb30lsLWF=;n?bPAt?
zpZV(w0`;lpf=8zN$@>n2?2?kLBxvm^haunS-g^xE&YyOgn@6dy*#RY5QRD|*&k$iH
z<=kCn-XU@IP3xymb%BWh$%&#nIA}FB@P@3m@v78)Fv8Ae$Y8`r17VnExeP`&;e|?A
zF@Tzv^ADJ@J5J-n3GSDdV(1q+YwKuo?KN84#eCHS$AxaWDLwkvKG43)+>m>Mp}|)&
zslsdbbhg5uFjWDE=<D~5E9@-<@95XrrfuA9O%tI{zv<Ma7*q@&(be@irp>Ym2Lrby
zz7T)WCU?Za;ju-`ZJeila&prbIB)4ivr3@EkdrW)-SIT!76bDWKF=Dzv!VrwR6OX`
z(1)S~KzpP9_#vKcNb?DqcJ_B=x^Py$Q->7Z9@f)?kPnY45dwu0dP=R)ANv?c<dO42
zhGTtRmB*JNk#5=tJg>-SR!qXIgc2qyLK5m+Hc5R=+$7|_{+{a4H|?1><fz)8drS}G
zAl-9St#z&Pdo}!;my=V(hcQ(*9Kvvt(lrSpNC?0su6Kw7gHZ!ti0|Iyfi+J+6fL>_
zBf;@odkA$Gvs2+g#~t@|?-SlD5S^IqEG)J=Z+~=3%-{ts%tJgIlQMfxw+_J5e)TU&
zD@L}aQQD{Rcht?E6s2ISl{)^c1p+Eu)|kM=jsc8tJ|@obSb<H)_&b86qrUJ*hx64+
zt!RaP&5#3iMIsmbS#!K%rXK00zI#B)FDC5Elg<FHS9OWPBq4e6`@y$QHbNpGs-gS#
z3tWFzMFoM`Luwj?4%Y5HtVhobm%~SdyBDnI<qSGPX3t}}1j#Av7?o3)r=5vx4r^?q
zJw8bLE}UWe3l~C<?(A=-E@9R%r}o*aEB-im{*s#P;$5XbwnFcL7u>&3g->N=S?1I2
zcm6l^o!Fc0H+mqabB(u-JvudY;W`16DMbzpeHop#vd9Iyjix?9Wlf$haK#mkL|cLW
zJ(z3>YLOH)JKC=O%)IHD=DxVtY_jMDZ3dZT9>iQME%}&#<9{rz2B8)MwR&AWJsaKq
zaRaJBDM$i(@vUXa`6ycOPN`vS&8ssP>$W%=8F7-ZxkuTOyXTmAQ`I!cVJpl>0GZ=^
z$5qyZm^;k(ysoTRAgP=Q5J@-P2dMw`-3|&b(v>KRoyRDZ7c6=g#WH)p6_ksO0Cy&4
za^P+h`1GW})&F$Im%X!dBvh&xJPsT@NM-dEr31oBSco8%0IrPQgQ%FeZYR^~z;e<S
z_uxJC6J@%iM-$%<f`mva2)gL(<b)(FSwsaP9R$+^+79puABSDGz_Sk5NQi8bt3cDK
zUwMbP^%CE$g4+@ln>8zPAyai3BpvUK4tHRpnyR3mvHEh>Nkh8s>Fx6MG68`H<g-Zw
zeol^#45izWR0YK;9hl$z+)Z7~SwR?UNiQ&nt#Q5SFS31;{GtPMCy_O9^-b9O_j<SG
zT|;{I<r|BWA2Ix)<TcVN(7mZ{IYIP8BT{K~q@SI5R3&vqRa!^(me1bX3Ph*@&t~$F
zLj&K&F30|x<|WFyNK5_Z5wBSFm!K@s;^2{lgKruXp!C9jh?@n;C=%Cq53J4FDbosf
z{Oy<{m@!_{wA#36-SwN{h_(aR|99-Q(%$FYA16ne;kvfDKi^(^%MpG3VWH;>fAa9R
zLGy7a{!rd+cj3shux6l!FYsPJ^Gwz@p#`KO5&gW`22fR|lCX$*Chui@a()$uk}te?
z{#-9nNP5SP@JgEQc9b&K{ojQiDe4rf`U`p=fz%OGUJuRqXp$QSH*8&UvbMIa>29BS
z&xl@^{NK0~p$iUqicx(t?=Wxm>n!P9S-~|&=?}~|q$KoB{CN5HdGp`C$c7EME_p)l
z?eTK}5J}`b6LU1ej=NoK(nlCsXLo#>BA%PoO|sP8E!m!ns{N;pj6}SgYTq6F>93sR
zJAR;XdQ)c<+u-WKo9F%PUK?>N%e2gVq0YNZxiwd3=(WKg3Okof1yN^mz`bqXzC|On
zg+MR<N`-hEQ1cJH-`?~tT!flyw#w{=OS`C7N$F-DIr8}{(ba{lYjlVG80r&vqLZ?%
z*Oka9Y_#eH0&IDoo0A22vwWSBl^V|@a#yTDMU<QC3nl>&+WxzY5i;zZR}Z`AJv#Ad
zrABGNX(jgfsZ+wYv_JQ6tNjv-V4}owVT#Y2pI&5*7Pd_Dqb=YKmoZj^*A_qqCYiO?
z(PctM01ut&<;!!4?{BhR%x&${lcKn%3RFqik?9S^QAMWZAK`jX#Nx|qrcFBuYRvfl
z6*mp7z1MRf7Hn|!d#}zac16^hqVLHSdaB6U&H0g*+jaB?=X(NG?oF-@T-ApH@GG0p
znf~;vS8Ip+P5*V|#uB2Y`TO`xw1%L`#<BabyUsXXR2kSWo;ft3ArZ-d(M8U^yTxw!
zUg5{HpWBM7J(YO(<mcxj--PmlQfXH_(xsGBHLa}$!INZxP=sX#=7>Yv(9ie<$brzS
zuh&A?jDSz`>8YfG2Z%NSX@*K9A0PV7ap=<ZhYufy+L<7_rP5i2)#P>i5f8|ub#!!8
z0W*}8l%OdfkRXH-)H)PQVMlg+DB9hp%+anqCMrY2!`a!{q0EsN&?Njhgpxtpv_y!5
zhKA0ef)d6t7;G>`VYWm!awtwN6cP=_$XbCSxjNrmTm(>)1-ID`G;_ykDQnvb`+syO
zD9aio%yzzxdBzK}goW%nPv&qMRuyeFGcyD3geo`k>ldrv`6Sbcf$po9jh`7-zf^N8
ze<?mHB2?kqA}l_osx37s%fMvUb4)DtFHSLkCVeL3$`%r@N&sQuM`Yr7`l50|a6L?_
zlWpyd(<jZ%|6G5$F?bWU`f+;Fr!QaBkOYyPO@R`L8qI`p3gyuF8WEhNVmROzVWlz5
z-BT>|!F#7M4=EFaGOGPAkFuo$lGKl{%Xr~3I7URUtjmDD!1A0e;ErV-zq0%rlI&<o
z-4Q0lq1yH}<(`JtQAhCy{?nsefyMM)?WJUOKmPrin<&4;t5t6rP9r_x74*cY)OGU5
z>6QKri{6R#wJjMdp5i490oyKoQHjNj<j@!%f)f<ljOm0fQ=~F2H>8mh!7&(o-@kt!
zWCzh1iF9bsuc-4`^W^(^8zV`RPSfFDKC_&d^2aXM4!T84xI~Mzt9rX6CHzLS)Yc=!
zc)t_~DLOnLj=f3Re0?gf)Pw!Je$Fmsx@mq9?=}y&6&k_mJiZ)cjHEJ5C(xoKUb{9_
zxX2a-a|Vm5z07`CHAy1{Eq$-#QWDN*iZC;hFsghVFEl96Mo;$_<FGU_{Pb1i)a!B8
zw<3Q_?-J(^r7aSFm3zAPlP%JS>j72^#L_T6&P;h@+d4Xn3r}><9>zCC$r@jY@j4JY
z?)L*cg6794qusMR(IZ<<UvZL>)Qiv>zf%tY?gEX3?;mLcx|XVXDR%dq!2^|@AQu0U
zwI|jYyj?aWc}=|$(QIpr`mYvX@f4vM>%UZt)Q;}P1XaN&3tN|W2n+XO=v-NiNk~A@
z*7QjxB9#Q~Rc0nMI><QcXTKK)$;oyhAqt=J?iLnv%v|wFKJ#N8k)UdDMF5*+=WP(!
zz59uNeLpPN<K4I!Ft1F|{l@RPPgWLLA)B7FAMOE3tJ!fO&-exOoB^E}l`vU&-xs$6
zzFjn4u}m3}iOFTd;CjME>E_W0OnStsF~U5EyIVef`s(Hr!%zn=Dv>283w$k<j8^2h
zh|MFl$|8_y8i~^^akwLS60jR$vwCEpRVQr0z&U!Ri)<R0R79BL`@KTxerPsJUFr4S
z-oKR&kwbvsLWZBBHO3CDvix}Yi<kk3o6QYsBcfCQseSNZXRtWUt%HJh&XX4e<Ck8o
zkG0}bp-90s(M?<v8!&)yit6dpsl7#j(6R4;DRcM`!*y*wZ%Wmcp;uhOwyOJ{PVMp+
zl9i>Fjv{M)Sv2nzG}^`IzJ4%$RH5C--fR5Qsj(#s$K`L@U+t7bubvm_qiI>;YEfPm
zN50j*qHTC0)Z;rlO<#!9L(@4QFbTyxF~E@~Ixn?QiHjhuz+k}I${Nu5nX_lf76J{T
z!Zq0Gn>E~iC7GrK{~DK!y6=?fx9=W*1rKxG*9M;J%{zP)d82mZ)b_D#o7PePnam;&
z9r-|qPW&vjbcA%;yF;l*gg?<W=da{J?nVl3kYkOaD*Eie-sML}nbf8#a~d5y5GNE{
z#fd5k5_#^!nv0UOtDny{X5g{}yC%gT^lS4{q{>S5I9Jla2&;v-EB5gR-&E?Rvs<Wb
z%dYtEBN9PfKIp^Dwi*`JAo9qXWR;T8tv2_}y!;k3Esw6TK5NtGgGYBPdhQeQC9ORY
z11{jD8RXo=m7h0$$A@f$yB#uzYU!!<@87=%wLb@un6d-dC<bKuDW~Lu`<@b>B(k{G
zsp)B|2&cNBw{nq6hYz*3wN>*AbvsnhQRYi<EI*%EmDn*nryYMNT&>U38UHR>r%v(a
zD4iva$CGBjFBJI_GSq3`eExHBQwgEzMJVdTlTfZcpX<}9n^_G%L#WjAvySVUS8Pmm
zzGJJx_7j5AkB=TbO3AX4j*ygBg@v(O&m=Dko^$#6giYwtalJbSs7Ugce{+q~j&xl{
zngL|A;hi+Vsn0*{`toIH_}Iu1=yL-7ElebK@20?vvZ5O0o=!{EGkHrTP&tUFpZ!gl
zsA2B7e<p*(r%<;WS8v~D_!}!?({@)g<js}37N%F5*%&bOVthpTgg*8~JY-tN1rF>%
ze9h8Ly=oyz^@)ML;UZ&mUQ+*j(6PPO6aS5QN3UP|Y15U4^}g{yh0u#<*S4VLfgPhK
z=pLS{8t6+Fd0m6nL*m2kxt4YT;3@a{$O-Gi!;dg<EQPP4kj<V=*}_}}QGc+}-R8j>
z$X8Z=VOBSW`2&>|WtNKH=ib`dK=E)oZtV!eCz@DHYngZS=?Rl-?8e+%sH~41iM3q8
z)SCU_fswg4GQhq&zlAF!*O-aZdjGMM!*t<-1FeR@URQ>WLtTW8ibEoDs8=gn`(JZf
z3?$^5l>)?yj+ac*#G3-cUj+NNVB?@%2&`1?n+zd4iPNerZ19Xbg$o=GOoTBJnO}Cn
zJm&W+IGTeY6|ui~aqwB(>!&9nvB==GhyMC5|4-Cyq(9xW<c;o3D%+##-f%~B_?h98
zjE8xKPZ*msB{~<w)VS#g7pH2=UWmR#3l9jl`)=21JZ#ap^^;ugw&*E>)c>^igkaJ{
zj{^GEEnd8fYGwQVQ=Pg;tuW>9ALp?cB$pN?;!`x^J|dutJ|W{4veNmZHEPDksZdNQ
z85$0!NZJZzh=!HdmL*R-$M89E(Bkc0wxTSysc=!&X!4sd6V`!jry6Yy-e*9+L!_K5
zX>L#FrpqYa2vVv8Pjdy9&Pgks@_*pZtd+Xk<KBHdIckMPh|D?a#3HU<HQe=*yQ`<V
zhlhu0X3gX3YPXK02`=>~s4)F=1)s%6?hgLFn#ukKisxf$uD=AdZfk5FW{mFq$g|t%
zIU!<&bqkn$5=2AV{Qmpy*~bi+N1J7czVaWA*BQRqy~(aj@FwS@OP^aK#eiMO+`Q7W
zfDb(sBOeyH@ax~S;(}vrV(?8(h~v@sH}{J44j|RooFHyo@4+niwt-WGN97Zv53#~i
z{dc4M_MOyG(XVrg+PLH{3u`ryjGlYD%>MGY!X-zJV6LimC~gi`uCbqcyUMfXHY9#|
zb&e(7>xVkTx6@yQvWPTg4AYYe`oZa(MEi%B2A<ER4F2Ioi#%~!x0aLCXo&@raOS8&
zn1E3Wdv!R<Y;ZZ{-WKLtu7;ZLN6)eD@!iP@037I_PGDYL@5_LP5$+geXW%Slcbn4+
zyM5@9{D$kDP*`Qe26=_gK1@!&g2_q?ijs`c+T|tZ^4V*>x3T7FGvH0H-+2vC2x4<v
z0%TC&qk>tbPGDk==TmA*P~fhuIO8h`x81pyH<=H!5viDd&r^ZJBOZ153nu8{9uee8
zWU^h?y??iVv{Zt2KKo7>rH~EZW3?ynTY-S^6U~H#_|RD*8)!b$(<DEge0w6}c)=Md
z5N{Z`33eIRA_y|j^=A`}Ahiy%x?z4Pu?7CXmT!QXnw_h>D@D)+b<;TrCa5O74mf{a
zq%wUr;uCS-V>uAfREVXD{U)9d-I<}|hX^vq6&9?8f*(j!)@+U%)SAIAusaqPXy~<d
z*rdS;XXX!py*%E*Nk8xgH1`s(*^ci-Oc~x1zZ*uZ-KXDv&CT5vUh{5HIg#2ySjq67
zhLC<a@@nbt-@hMHu)kIc@rx12$l;<c>H70Rkz+Z#yzQRk=+o{Kdf4<}1^rmaq!8Vq
zJm>k~<kz@c2@fi)5C~c6pFa$JkDcA%i*KdO=gVqvO51)Br_`BTZ1-+yL^VP=k?Q&8
zya|#g>h+JO!1!8jj{X9uM2M3ZDn1l4HfYA6YZ<ao!@z(ig5hB9jvY(x7UT6<7fahb
zvgo@ew#!N|6~=Lsov+dCywrX%F@KBe_^ZjHi$}!)w8c9m&`7&h6}1KZHqTs%Y@djm
zUyB&dSeM2=+$g|TVeV#kCn%i4>_|T1x$^N84Xy#MGrQQDCJ-zouzx>0Vk<*%U5EKY
zH3*v7%DAQY>vD|n4dww_S>HLwwQY4$3^+yzYMc0UQhza3q$v%z&?LVNaz?<q*F!bE
zyjq(+u-6-+$A!_W^R6Z)H+yP|z*^0BUSdY`UzGrOW}x;VB%AiI*Fx{MTJM7WG?+PJ
zbKZMn`MOo1-?MgKb<DTVo<Uts3%_{KXNSRY`VAqJ7jR~c_MP4RN7x2bTS{y(VQntI
zRHh!{9Z5%jpTGNp@CO=5wXu}_%nPk4iL+<V?)D0ddG^@{N~=kmB3#7P^`X$Mz$G%m
zdAgP}S?(2DBH&-*&D4HOIF5K2a36)gv1M)S-@v28N*+IZ#{LR%Jk*3Wq1uv!{${r3
zj=pG0_0CTovINUmCm^619h@pz*DJ=BTMyyoHr#+P-DJ8&Jbg_ucvcdbnz**AEu&(B
zWohF^I?}tZyr-s^VsrtNGXVdQqim$zZ%(GR#zEy%KXWTK58nG)$Q~V}X34d4z+Kd>
zxU4-fE0kDnN+JQM^ZGhWeNz4)2<gE=$j4A!CfeMB_-Nwo{YvM<aV&`+Iq24hE?pjZ
zXZ+8IRe4rCQ%oKaKgx8Xc^_x;YGFLB?Pss}$djteK1JOIj%U?8C|K<RK@_mFx5cFk
zG&L5<vt6)IZRa!_`SYjV$inOp{^!EVcwnu_SVnJER)T9oyViE!Znn4H15BosKMobr
z6n*L1!gTqqeWs<d%bLX<qH_SAOc14+?T-Ka(<jINTCD^q3pPu!U}Bi4;X9hca8fi$
zC{<Upho^ee+}rT!3OYlh%=v3acZR;Poua?a{r*RR<R$9ED}1^|dLJb6{(WOBQz=VH
zAIkppU2wp(*-6T?=cD@4<aYAbq*9P`_ZVy{kSzDN)wYTI#6S8-ry-F=&-d>BKLGA9
z#*!)V)V*i?(qhoC-4v9}5(R6?Z30Q}LyiPw3|<M_rJ-4&Mzl~@spou&^7ad?1!wl$
z3cWp`a8fLlto?}aty-*fT`sG?@XtShm?@g`{dD|Ux2B4cm7`N4h7ypddlvqniq1bt
z8{lT<7)rD=A#`I>D^+ocG2Kl(tYh`IGFf;e00QThP3hh!XJVrL>;Sf)QuC6VTki%#
z8d+CyQhvs>2M=j;{@tE?)_n)|aM0fdQCFaI5N)ehwqBka<Uptv#8a1)mexF+&amIs
z;gw6VY1!ntqKH?j6N!(7<8Iy17WCE<3|1Tl+&Rhfgur?49RM)rm2FJ)2hv1lKln0)
z7z9);tNuy-It%iJpZseY?pu47H)T59OLa__DMZ<H2e6QeJeFfm&EEC(y~b;A-R$Y;
zCx6^RfKH)hPemc2HSNm_KeOV{va4)0twqYg)>J=VcSckcVOr4)%l+eIM;#BE`;HZu
z=N^8VBzy6@@KOkDq)<nZZRbl%Cq9STG$RXtcBjG)Ny%ORrSCuR6Vkr1%QUAIAD<G#
z9ku(c59$@}gN6HXq#)eCWU8&3cx?BWnwfQt7KF6nQYMrtBx2+HnirZ9<7-q6uD~Ed
zF6q1<gYus~{va<Ckx8CP6$HgAr6UDxxqcI?&L5u$tCgBU30#d%g=bmVg>EI5ja&Oe
zs78o>bcAd56lfWa_5fM#b1SB7&`I}kCTMEXhI<6SIebfG&G{s!#su@+`Q1k5=JCL8
zK}wSqWd$*^{ad8svJoMTShxuDT;>bEk&w!?eV>g?k8;wQwr=Jys4*+d+XC&lyH<v1
zKN#K(V++;Lrju<UMw58$11%b%IzyUGt&u(kCq!#+!(C6aGKM6>n)b>ykGHoMkFAVo
zH)FD*Z7i~|zwR=2K<XbwgB$cIV_mVpJ~I`_bwr~qvzWobkjM8^S_y3e$bjwAeV2@U
zB0aaf`~rlTpl;FO(4uL;;E0@SaK{i1M>!>Kk<??A5He=c1tyL4X;b_=Q1y}Pv)Rn_
zs*6wE4{>7?;BmMQsvQcnb}$GKeEUv>IBuZJ^sov6%P9Oq@SwWmiLGI5bauVPZi7vh
za={<8kqJV|oOk&K0-U#ju*eE%20enU$y8##`LuqSbBMPU9{Y_+wtCo_LF>YW-SARV
zHuzn7vHXRwOe)TOwF&9$6Hb6cu>s67)gX7oAqe4#3?bZHhrU@ZvjFeNK`9?NI{z;B
z&#1}a`g%YPTEE&Jpr=8-Ci*7Gt%y7%-{&$6TclQ;auQ#Z;J|NX(R}EsH@o&b4c_!>
zOO|)bdWr(H5D4h=Ko78ZnI&NmUV@5FNZmj%fG~uxiQhmAtq@m4@Mnjy>n#6Pv}|6~
zqVk#h2_k=+p?{sP!VL!TGp{y5WkKM1BO|JSFas;u=rl7vydh+hgd-d}-;5nH&$A|`
znkDJqCnO{^pmQc@#f(*qN`$(M&|vH9H(;~e!t`me)0OY`R)1$<>U$rX#p*bI<3ptZ
z)sAqtt9z|#D2a51<vF|TMdrYoLjD^AMng^edpq_9CtKVJ>2lK6($cD00_BdM4oM9~
zy)-kMF0mtG@7}BWHFq*HS}I#H)!^OKkSjxKKT?}w(4i7&A~dD|CBGJ5dYBX92DX{V
z#`BXI`3kL#@=UmSt~MHTBB#pmi7WD{4~=l0xQ0%!IXQs5*W!<D-?=<vWIpU#%Fo8r
zACH%X=ScbCPU7KLgMEK*Xcr~eEADGZHv=X9LcHS%>kHIQ0!}YVWD^3bN^BX3cOm(`
zzZj?W@xp=7|MtKjDSR%bb&SoOw4S*Zs)Vhv$BrE%V8|W`B#sOf>0?VnQ|j(Kw?W;2
zw`yIE^Y3%@>V=FuqByrVxB}BVoI9%>0_QdSDF$cGh&7t!o)S9_^J`wUEjAwK*1i1Z
z2n~i-rI=`(meBW(4&*j??a&LHWhCWh_RGJQ9QVaI?kJn4`pDeEq9yX5S*J+nfYW$*
zP=T<~<l6Pkki-(pW%bvh^MZ`O_Erc!V7T&00J3mIlgvD3xu$zx-fLnzl7e1GCZ#qH
z5_V4A`vjeaNFbr_qs?&SAXpj|bw3vaHA$(z5(2}V&%dJHi?mea=08Wr0;n2~A5=JS
z&4o-K?kQ_Y7*gDl!`R32XQQxtQHu)D(|W6l%c%{P&v(~i-z(04I2w&P?T?}<%IX9A
z4BTeBqh=O2MG|d|N{4xjMVTTybHWP0>Ad%pjZLukXb}JNrwk6OLonL`T01L}Cr*zR
z?B?F{bGI(Z?Ak?3ge-2x$J&754yqgk@zz%!jiTA{=3?)E1Sjxz_1;1)!j3jO6J?2#
z8|(~+Irc!CB|mmA5Q}PE<azC#oQ5vFdGy%<n;O#I?JP>yy+1WQB;0hg=ia+}8P==Z
z4l|lNjh>we$9{BH2$XBl{A73S+h9IL3*~L!4f2?avGhH?VD08pli~gA^`+ZXgps-k
zyKPa#BZ%F;nK6gy>_i1PDiRb6`~2o-?9ww0mSS(*;1Xqv$@Cu0jsvp{(Z{>P+QkI|
zzL$apGZ@*Sj-Uyx4!Sh_{`hOdO$_yl>cxv$d?{>AQhiVrqu_6D_)yUwf6(RU2M^QA
zKV%y2tJzv4&!gnncFpsOFWC!mpefA#y5jCZeDrs*+;iFF8%B*ufiwPlxFM%-_HJ)&
z?L9v^gT*+@1vc0N3FbW@>n!LI(u}bTwGGsmq#&&Irv1JvNrx~Z5xyLF++Srn+S%RD
zApZiHp`)w~?v<6hyA3Mnky7@{M3)$*@ZJ<F(C*0Cym8akGGf=#%Ws{-QcqISw!p@R
zQ~h-}j{^+cF1*Oz&`-U}*0f!Xop@=z@R~04F$YFf`t9FZ02z#D*m&w3a1{7tjO*&_
zRgY>8O_E&ms=yxmK7+rH(7nN&j0nOiTw05_lW`s33))Jr(PxDVFWC6~XEq0=OHo-9
z0s6cReHh~c=ydaL-w^JB6O}_$^sraEWw9V>f-loLi;|!a8SgzczJr|Zgg)#IL0k&X
zEfw5v@Exkb-h`0?_NHulzP|?`C5<b2_`O2`liLwoKRK-{DQvo4u)i|#2P{BfP0tk(
zE#Jd4ICLI+X8m*@x~S(eQ4;)T(2GlkCqz?5HeNQ%FoO7BBaPMN>29WW&e4fewJH<M
z&It{-eJeN&l@K9!<8q7q6<%(7X~sbhW|uW<eWox2#4eNDr9%jVY5?aia{7tk_*Fr{
zWIIg|w!vaAFnfT9hr2szWRh)G^Jp}f-z@OevT5G0F&l;<XWvwUd8@-UFZrgyDf8v8
zA3oHq`{IhcYp3($7d@v0Y2>h!KI@6AE1Uy9xQ@A#>G%G9(QLZznO0_m^3Cm~404E3
zBwmQe0!)bAYJHMiFjW_ojR_9IfX1;<T$=z+h|GXf5xY_jMTm*+N)b2;MF^25u(J5C
zhWitbs=C}h$v?XnevSvmzNZ;i8<OLzE@~^BJ(B?72F{6CPQz~Igkd@sp%tZ_91HDs
znf>cNQyN+^r^GY?h{A<3JbZejiz6@WOVSIJD%5krrA`Fxc(oIKm{Ni$Yi+nN88g*}
zyeTLmf*O;<K{Q{4Fbw2IiO25TqWgc3ZdNBR&Wh!WGy*hBIhzu!D+1k(l&$*Z6A^ss
zr_CYVK%+)e%3aHJ>))6U{KQo#qmhRkC;NR1qo16~yjv)2c9OT}l1IH>Ji^&FG0bea
z{9DpXUYa}qpLrYI727LOv0Fa5;&K9BO<c(_-mJnZED0Bk*2%80nqN32?()M~b@+O}
z6yEiqi;zy?!lrD_Kg8~cTj|lGNBF(VWG0||LL_B1g2&OM^Gp_b?L~$;y4Xl>#{Ffx
zkKagceO8Sf>C~<Lt6a}dB#AoG)6roDAU4DxZW8J^kdQfX6#wal?IyAocm5SK5^uu}
zcWatbGB&!`8H62vp)ba7#iPEzD)1>;y&h#r?qsF!bI<<f=Ibs^vkFfG*GMV_ziaC~
zJ^O~o%cC>OD!8GV2C%g7-m@aqe>osx-B@ZfeWe^DpV!LWQXkS4UfSQw+oXouif<q#
zt?KeI@HS3`Y4cYY!jOpM>w7SWhi5+`+bBsysz<WG=J2o^9w^ltqY*GUhFyvjwBur5
z5+LxyQgFh)iZ0sHgaevJX2uR4WaofrWw{8c6B%h`%sG($k;H$F?*IPbB%2eGti~N;
zTH;Q-zEF9o>J@iYUB~*E!mhfHU5xsLH0vcZJKhI+lVubuH>|IeZ(HwJG^%^OD#uqe
zE*_8>A1SM{`O?Sns>Y<eiP^e&5|_%>7pqiK>wI2F!Q4FDAO15A`Ydx8HjvtbxPiq~
z*o(2y?>r)xp&VH>O+;HN-aJK{@89N75EUIwsGhilJcLrdpcs%y`YNmLI>Sj)FNoD=
z&4a8fbKfuIqUS&5KbUGnA|Zbz_bFN|+}qFtF7$w%p#*B*&WZFmXmm+l14-Iy4kG{g
zfdBUoIpk~Y4ws=cDRJL*KzW%VZGChHNxDj|lHRn0<W;iT<Wr(lRk<pdYhFw}^!)IR
zy%)utVoPIgeB~m6HB}t>GgozR@g7ap*W*E>f-ihTCcbXbM@RRv{a<1~1V9hohC|N`
zu|o&e6Vk}>s-zc>(9$Elxum!Ae=tXvUedXibVd?p&4>-F1>q8^+4|(a+!9%Yl^Rpp
z;}egF1tj3wU%lFgloI;yciZe2gu5&3QgwG=(|2228(Dn+hC!fg_#D)mu*P9OPTQwX
z1MT{_YZ{y3QrNhZ{^yUTXOy#<_Y5MoBUz<x$z$|I#l%0o?FTX^D}y#?2esLRrVmeg
zv258Ax>?8?e^4aQ;6-mz6j35sTL&Gs2@bqWwmX2%Yv%)NtX4s^)2XVGa?BMPXq%uY
zG`>cx`M?)yEH)iLG=#}|MeP|DP=WZh-?#Ozzz;wsnhr<_mX?+hYhEthJtamKWF#7)
z3jhlMD5N);djP1b;<~l}1_dVSEWQOr1C<=IJNoBiUHVvc(tal;B@Cjr%98*8`Na*K
zn)CRv8eyTF1O*0i6c5ToAf62T<EdDCjc6v^55$=}a-?}r7d3XUx#5L=^sP?&{au|~
zhJPjkC+@A#nP-<tXFR9-53Z?e>S2I~V1|{IbwQT;$T2PMGX~7MbaqiPh;IkBgK&z?
zCD&zZK6g{wa*{sst99l`NBxW^TiGV&?R;4O3Ju>T3)Z|m=^IkA9R1ql+RBvX-Sk&V
zcT<!;xja=Ys1D3^8`?>$`6F=3KFxfRo6G#D6ZjF4dL2~B$<CgYlcO^u2V5!NdhhN0
zdl{#=|M!z^A~plzB3!As4rqn{zK+E8Y3jFiqCS`%HuK1yL@kf}yOacnf$#-l#tH2b
z)>R>R+k-LqB;xxMZ{Ea)!up4N*$ieIwV?(EUNU0C4p1Z4<|kiU1}XNwY~4TX)Olwg
zb#_Bsa6^Cau#a3xX=xw&5@}cDVNnZN<H+zt78wIl<&c)<b2lrBAL_UGasFM^xbjxo
z!H+Fg?`{=X?H2jpk1NYS&<Y$3QMR~9g|A*gbq)bCZnEkJ`F~U5z*iwvmwfB?lM#~D
z49zsL2602X)S021Cw(pTl-zGWq8(AQ7tBG;ZjtD=W{fx(jga8KCLot<u#!bbd{TRT
zX6*4}U2-orFsm$(D!-ps`<OfbBiBaTGT&WHc)l|_+EYhrX8`XHtsd$tMG=8!r4dKk
zbAO=Hw|(|t&&XJ1eP3y=;k(RP<l`Y+vE21AZ~p%I2}BZEVOeQtm*)SLSJ6TeT5kxr
zA3V@<SwSc{4XJEpsyTp9lJ(;Si?si00ir3<z(LA_Hpjj8rdn1Q<!QZcJQ%g>zCag4
zzq0BUwek|pAt8o^v01rjOhpr-h_5dma7{h3Xc)YD-lfJi+^(4?r(=em_v_5=vKcp?
zFXisMxsFTxEA2ezE!Q(9i<Z;ZnJ>i3_V;G(<dSnHmQ9}4JMq6|fm`Zd$8Y4M8*<L+
zBjXl+li?$-Am`vd7|w%b4Z|y(9d*NL5Rs`tdYsAo#?=^E=GaCwS=<EJ3&G|M*9B$?
z!2v3LLFm8%p+P(;2yj+!O85ro2<<*5>j?#U|BkcxMiAK*fAHPWUqD`0UyqHB#tcSx
z<I=lQi+kdeQuKy~j=aH*^<|JT@lRXYm0vPg8cG#1FRWM<Ru~5HOlhP2Cl(6^2ZRtG
zAkZb5x8hUbftfknZ#|et!SHZ~AJQ`WOgqlTH}0<+Q1}$ErOr)tsmVxBFWx?|#{070
z^433lF(fa{`OIq`eemkcvz}?y`YNb)>_P|g7_O;*_Ec2A8CzHXZh29lCB?YB`x0I{
zor+Umqj^sMc!%7$!h2hpaQEEuK@qqbP)z)kvIg!QL&rfvUyq(2;#`6;CE45eSdnj3
z+s%mRy`ktW1D71JQe8CT)DJ)^McCzz=m!b&vM5j!B$8I#)^G$>SR!PW3kiEprDL+h
z@;6vj_y)}XuS#CbE`9ST{z*XkG4LA5k~1QQ7cAFkT;#8SiwK-k1O7qCt$;s#{Mq{X
zb2wro=-v}IA3hxeXf~femq1}9Ed59tfMf%09LYzv6sdU7k;Q;yBPqp@CyyS@G9WVR
zwr$&nvx;oX0l)LWSV$zSIY4L>cstO}lOF%<+e(-QFn>Tu6P1v_=@pl3dPlq&+3k0q
zJfY`pK(s(V!W$5JG1xpbFaRYzk%VEtZ>k-CHL;|W%4X%OO#<zAq!ckiJW5)b72=*I
zaz0<a+-qNM?KPZ=ZNeJb+BD$$pnJlEYxxvx1VTru6U;7N+#?^a4#Ep}Ahe~hBei|~
zx(P_z^l(e$w)7A1@A|io&f*s%5TC_KM`vedp9<`hK!z&V2jfI#yr#vjQk~p#Fl8Hk
zee?BaxSo-HkNIlVt#XdaZO@b<iwSrYb=+(G^$NGoM>gK*7#kY*hwe!Aeu>;)>6r#{
zIHCH!qLppQfVew+z>weJy5D23e)8lNTNpN!(T2jM0`>dF@2_&=c((gV1f?rHEOdq9
zUd_fv2+My!*=mmN*|m$<39M2Np`rM<(dLCMjSE+&d3boLU3mdq_ZCmzX+Ch^0A?EU
zxnm4?W?@Z2pamAlZR`aisKnwlnYu{^7PMFC5c|AnSw>GdicGS3@Z<OS&uC_8&<H+E
zV*NSY*Nn+h2}95{(r4aX!o;iGu3hZ$Gxli3L=Am9psAM1wb@+J!WaToMt|J@1}02&
zC6T7ew>=oywlcHb(n-_GGH@arQQWK`qIY|OGyxk`Th9dt2Sw6?3iSVNqqFI?k<7ku
zoeUcVG{kS?Bc(&vS3QYY-y4gEQTq7zZjIw3@m;f{@<{4usNEEQ^<S^T)7foaBrm)i
z%JvIRPIIIQ(bT5QRgpoG7j(P=KAokK07NLNfOoBYzu&gW&fsawy{FEljYWjE%;pk|
zU~5I=#s1uvK1h!H95y*2$-TwGM8R+2MWhv1wbFK*LQHLyb5WnG^Ph^O>~RfO6A&Hl
z&<X+M3}t-LLu+&$Dhktop3M8l%zVEmfmh-wIp|hwzpZ?>gU7;qW>uy5TA`n}VxQ8%
zfu)Ku;RgR)P6z%*=^oj{;kr`u6SA$QgGVx#g}!i%D>R%vhhMr{MSY+<DZkt1=VYfB
z)9YXCJQ+H+k|~q(V`noJ-uD+zb|PEr5Ii#i_MG1OVS-O6k&37?-gjG@d#eF+Q@{^I
zBP~Dz>VmvIB0wl`eYs~6u^oNLPHh0>K~w6z+O#m)@7iwWX$2#A5w!e-^YsT}i8X+@
z5qhSt?@Av<$8Ecv^UivzyR9u4V@Id^lro~Oh?Q?}7oVzdCa<%d&kbDNjgDc9)T>q(
zTZGdfx|R;4dg@vJ90mh!maAk~$bj$dMciL#S6Pm_T{Zs!=FXD&4f=ti843up?U^FU
zC`dTVh@>W3bZl<K7lehz@Lg8*KL`FuMMV`b3$E<mg9lSqeC0S@oL-E{EJ0$ax-Pc|
zq((<ZdJ|lEX%N5YE4P`*fHe?BX`4i7!2GYpM+Tyl>1XPiBkfFr8<;0Wr|053%6;WX
z;MCvdwgArrB#barbx;=;fNwT6aj>yvA{q^(giEKVBPLtS^p?EY(nBX6eah`t1q^FC
zv5t1!{qp6QYqL(*J$<n{P+0UjJdUvZKm5p@-0(ya%O&%AmC^aPwOlxLMODD?u-R}+
z#`tsrgn2ZXBG;dcmv{dAOr+~0vIg${GWpWojjQ3cMM9X(+|EzuX-MOfqa9k<dYSw-
zia@=6{5uG}Jg|4LTPin4T3E91n}>L-VliiSTa~30Ard4)gHY_aB8YSss$skiVlM{Z
zynxwrc6N)~=ugj?N*JB0@9~VM@EIaQIlyNFtMU(IsBCx-=xtN4fTk8OL!KBN5PCR1
zP^J4^7L-I%vKUVrXeA+qhuFCb3|c;5Mc%1$^|IgC1&dm2h1{N`QzgYvG5gHf3gOA2
zU7rF5p#?-30m!)qU>`1PE8al2Zo?1_DIa00=8!OrLjPUuBzB*f#XI-Wqw0*c84-NU
z!otFqSj0&bWauefd;I77{_Sw$`TamEwfVYaKiK3d#4Zt9V^g>QpwpH2of8N1NjNIR
zdenIZOOY`68s>ATri6)Gk_ZUDSlG1@e$-jy8baAodk5)MKLD%|za3Dlh1OPd#I^Vb
zdG>90&+0lwGZ4Fc0+&8!<S=yB$n+{P6HRYn*JU0eCLFJa$YMfc%7x!*n;5-Pt7r8y
z-*KXOmGL4n4yzakGq?bl8I=G_fA#ObKStWJd*vl8HyuX@a8*SA2ZTEH2=1^fIOF~L
zfg}udEJ}PMtJ*bNlTGb$^!7;#^+9-1?sP>3Qlq;KSCf-95`1?HM1@$Q5C;rK$;|#o
z1Oz!@wbYdyR=uNdIPD$lqUvwZ2w`ZzY`GylX2%5%sDxPAtFgRAT-bK|4&mb|VNIAS
z4ZxW}#EDQHZv0EcYHFRnsB(e&M9`DUxIFN?WnaE1m}{M79c>!1<?%~7M7BaKj!xxm
z<o4Oqdg0T*SvVxkf6tfZ*6ijb3c(BWOzlVKL8#f@RY^6qZfYU6_hA)rixlmc*iH+L
zHa^|*ux{Ig&d`eZK$NpI0+S0`;EG&QvX;4NU~Jsj!j5Dug!t~nxH{P=lz<ZsdnXxo
zrU(m>H}$Hrr}z^ol%POFz+(jg4q(F-p^5sD9=NucX1<wQf>`-L93@@_H%b81GJh(T
zo&3gqduq{FQApH?s>c$?n6q+$ib&Ri_7Bld?1b~_m3`ZujE*TJH`kyvP0n>V_ao%A
zCS}*jiSluOW|gJ3gd9I+GQAAtIP9b(Li6!(dBKiFti$TPc|N@wPZH{DX#M9WMjJI3
zRN?-BsjC?iZf6Y)Tt2>emdk*rgQBn};9zR-*`w5#e}4`3?DnRCNwq16xiCb$)iYSW
zu%`SW?$M?R4J@U_*ZmU&feq*g?UQkZp8_f@WTa4HQKicwNgDwcI56(h0hl)Y9j+om
zYg$B0*U!%{<2?<_2_7^VAi5eoB4lJK6o&pPE(WLd5DG(5>NdfXGCR%kn{fRRN}_*0
z?!<WI!rPF5Wa#nJWXNeihe&B|FW!uxj8Y@#ybANuN<#9R(f?t?^9Yr5u$@WS?3c6T
z_YL=@Z);+VI<cQ^NzgZ`wOv8tRLkk)ml*7)V+N6UzFkt18L&;&t^F4WnQqzZUFxyb
z(KHH;MCy9oa7G~C#5lGI{Vs?{Yo?yt-d|0_uK`#TDi~rfLk+zo*3!p{iD<%r%7E10
zP`u4Hh?+J=<GQvotYU*CIwF!&CyPNelp<-~*{`2xp=&%Kay($ZlrYv2anzuQyQZ2B
zldx)MAIuKnc>3=`m4aRw7&)`j3`@XDKmW-^K4F;oiQqwD5s`kRfkFc*0~DiT`p)=v
z1%<_H-HFseU~U9Kx!{u_RN?2|-;PF2LMS^uB5FI22^0p~_IC8F$)=KZ9*`lrYP9!+
zhN)+vUM`0r%4Kgexj!f6@VSb4f*s&iM%}}fA(7s3;otl&wLCGRP3R79rKR;vdbNK0
zh8;+soV8>@FYzUa^!BKRv8OZ-9_mo7>6Kv!{qp5Yj=Asl2GhUj|D8K`2x=LpiwvYP
zfO_cm#U8iQVb?V^(B6cGQ1n*tvV-GA@WiKsEF^-3#?^wZ4E85-z62UrIuLdFd;Y?_
z2&i0?NywTB&<4K}I#`gGVC5Iw)cd{_-$W`AL$RZUopYu)wxnzr^Sp%^oO9c8N#Y0M
z<2Mg3hR-VC!tVRyoo;kZd(Qs59VO~gr4r|*;h6Q+A-PIguQkwNFTAJEbq21lLO!st
z*b*3z7XL?9B%hk8X(wsU)@utw?j!kp2n#fZ3GlcGRoBE`DG7@T#jo$OSJL2wthV3x
z1M9(Ri9~9E?7fd3rmMNRO=S+2@-l%e5mZnha9GI5s_=-rBBJ{T9`U<VN~$d1>`XW?
zZv*;X_~Tg_3!~`CZ;YyruuJG?5YCsCUK$luoJQjR0#UHqRd|ZJX82qR*@icG5<An6
zb8iYw)8rUYWKouD{`(BKh7F{zV8ixmz!4ptAfR7ePRw4)lOZ>ytjL4X%P!-7#bmro
zPVn7n&M2G@Qg8W!9~PVt`+H8+o{tf@-VBOcBljf4+(5fPR*{h~#9&3PW^?jfM6+sK
z@f%x$rR3)$+>WRd5DZ$H$o`s_V<U3mFkr8(13)4kS^k}SZ`9<#vA7XpNR5y6u7E+d
z>&3e{0y4cF)FgpnzIj85n1YX>qId0zHi~C;K9AFaTmwjOac4!${!Yv<C@2WPK4Qjl
zX}hMBpjmRc`h>T8k_4|+DknZg+R68Et~bp(HG(h2d0HE*4$57Ws!1we+Zrex^)%-5
z=$&ObmbxP+9eH8ihGHH?Ky&(^6A>JRb=Mb>EH;tWvqGJqG{<%MbVbPNZ-HcmPq(QA
zeqYaB(jL>XdEFI&R=}(i{&abuq~^$Herj6G>e=bqK$;&Kg6*9!o)feMvA!O5DuT`k
z?Rt7P9Rg!eodo@XOueu(&-fA(x#f5Wl#?){gAD0K-7Z3YHBs`JFTZqhAd(T_yR=yS
zWkd{hAnY@07djn?W&)--tR<B04p_d3SbKltH+xcpEB1EU5jM<?pD}8&z7>Lkg}K7Y
zV|LrsBA$r1dS{L^wEOC#FHOm!|F*KTSd?gDX<GY#3O#u7=<#ECy5RQ<VVr}6MMaZt
z@>cXtNT@be=22ii3+cgJ3*t<e^{}x5qY#j?{Uo2VwlX;Gh~O8Dwm6R@5}-1Q*8Zn`
zXTMnI1=)Rz`Yy#{qYM}lY;YM+@{oQ=FHspb7b<OC=nnkR#?w?jf0_e1qgZn%=Fq+~
z-5QStOQ+EIs3HV}hjI^1(ZG<iDSo*-7M%+Ez|4}8@A`Z?Di4p|Wc~6|z3IE7EP&TT
z-ylPwy67o|JB0t|+d}gX)IFUy`&8LtBAK?a^3IRt%0bJ=c_j^d^cYDxOl=q#+dA*y
zb=~bt3Edp?d$xTc_K@vox!;o9k=@`daQ7V=q{I5!w49oB8TX=HmkbW@GGVDUKT+2_
zez7Sp4s3C^I1pNF;c3;CkSpZ9m4!zr;LnY=D)#8g?m3n9X%#rX;)n~SXJtrkxtOMK
zCkF6Cz`;S>RQ85*npeR!M9OZH|N5?E$2X*U1x&_TSR&)T2=VANr3!LX#1&0M6~p4e
z00gFvs3+)@ykDewe4M<Ru|i3J&}dU2kxZ|4djH})kQoAqTboP>B;?1%#oQpqd48Xx
z3U5+%=Z=?wtRV(ngWvGMo-7#_&4{Zw7TZf09{%T8#2wv90i!ok<`ky!bie=s0G~(}
ziLgq%b&HM!y?c1a7&OX6=Mxyep^ZTX!`9s1r`S1$BQX9C*D+{C(X<^$;uX<Uzy#-)
z#vQ?(s3Z=DH*(iNO(Q&<*gcP?8Hf!?2?U0fxfbi*CyWCd(1A#gIiC3lD<XM(ZkER3
z?WIeXh$1ALhDABvfQYjI*`Tw;_xjHLj&Aa(A<`!C!!R$PZ0j67%64TKT26}ewDk1%
zkq_S?uXI_R?F2)u#^85C7~y*lEDvu|UF>r?=ls9zAuQSb=#TNe07wcfc#t=mqX<V_
z&AFF{a@(h4KDwme!R<g)N;4JH@Y|9Q7vgy#B-(%Jl5GXUuoo}_6i6??6^wox&wJay
zTWrYhpP(hJ?ESr`1Cs-y)%L(s2k&AMWETips&$kNwYrh$wmV|C@9O?F>#+~^`|wK8
z3KEgkjqalUfE@6~vnz7qVjyH`2#iLSW*&@31U7~@ppU&WCF}LEpNG5=alG>TG{xF@
zr3DSoGKYDiVz7nsa^OPr(gD7slwe4l^m|njhPBL)9TjonQ5}?xdD!*&_%<)Gfjt1x
z092LhtK)EcM#geVGF`svMBHmvi0y3%bE(5f_sA`upIDGg#FL;{F@v`_Rgqmc*nE8w
zH;heBg}>L2XpxZ!_mpC2AQo;@Vfy1qcJp1FvhxE7@KB~zpMjIxYh|*5$ZN$ihvie$
zOVL^4^fP9yl?;P_4`N^FhVEi|x`^C|ZPUAV?^YtpUt9Mnt-_E<c))`rKN8uY?V~W=
z(qe=})CpnN#KIe>B}jGZW?IAo1q?`##J6Iq#fpVt8%GC+n6JxXrYK|hG0<u0J?#Iu
zmFR^q!W;YxYo=EA@m6ygt)y3;+Z#Fy$6(~Z0E53h^sYTjonWMaKqAcpvpW8}?CAW^
zp??5g{y$E0*yM@d#X2uanX}K_7h@k(JlGlh*RYOh7N=cckoPDuoxn+9VuZi+Z`uv9
zH@C^h;t1f%ZWsJp<U(OC>D%%u&{|<*fq4fX!?+I|Iw}!$HZLSwa=~Cin$l@OLQ(+T
zjWiE1`Gl6e+7iAa7<*+2>?!dgY(w~sz--|>!rX~;?p~mrWn|i-VL}_{?UbS6R15-P
zXpqc<-8ax3M!HuV-8p^X0_a}6QTVMuW5>ea2IM0qqUSyXqqQQRvxn(AVQlTyYK$=O
zMhD|E_I*FW-N36XaA%shL!azR==V%hydlLA6+5;#O?cU=Tej`pT6FELmE#Eks9|Cu
zP$w2qg&97%udtKm1}b#_^~#kU$UYY$<|be~p<VZaSQL;^zWEOS&*{y_i0{JlDuiha
z2lPSl&83@v{y6a}da<CN;E1(reB)_h>-PEa=>;h0^8OEF?;X$e{=bjEkddt+do-k>
zh(czR29;3RBSnSmO-QJ$b}D6s$V^6dW<_Y&*%?J4oAA9Jo%j0u{`#HUxt&wI=JWY@
zJnr}Vb-%9b4mT4}8TYguo#;bVjU)YEIlJn)T){b?kq%Eo9p@#bv2{X>aYAoTDhE*&
zHk`i_b5}XZ%J+fcti=r_*N(TJD$Zvy9IiQ9xN$pF5Npp3TeTn6b?iBjpk;Bt;lPRU
zvKuRz%MYk=ajoGK-GA99V^GS{!k5Zopq6=bu<uQryyHNmv}5N4x5DULp%Umv<sgF*
z-(5uh2#roO9swDbcXkSptiRuv>Y)QG3{>9K)v=nHncbyPGrjm)If}N*oU!>bn(37J
zOON9(3i+gG-uQLlM6-9{GOyd!n?2X7uE!AaWJ!q<sKM1?gIC#i84@`%dY~W%P2Ox$
zi^Q}|WcYPfCm!8F>PrfE7)6S^wOf}d1^;<aaPQvQlvH1d>C)#MzH5C8j272zKH1pR
zbOsd;8Po~dev-^P8eqF*8t%2Qu&PK|M|e3`xgO$tf!UgG-n=2W8;pDRNl%58wzcuV
z5T8_~<7h#hxXh-7W6z>Cg6j0?(^rFnw14qLWM}VIQB~z&XZLMr(7f}u9kP`bw6t$J
zI-W3UtC=RtibG19mzO8Be*G1P(nA_s)(vHq=4pIyTdl$%p>+B3Wug=lbBCMWBKb5R
znn_tSadL9TVyqV+cliT*oN&-HFfcUeI_4!MUAIwEuYA|@W_@$?*{?sT^R1WKbJi*}
z>K5E8W#Em@E}9u!#DcjNcD*Y3<ckc`H`L|<>K+{Y{GkBX%@LACckBqfb7yszu-;vW
z&G)ORoq>%7%|$ll$qjHwruL%{mNXXTmJ)iRVqoIjUh2=Lcnu@@#`)_q2p5N81vTz;
z+_Ps_a|_Qo5FY2`y3-pZv-zU!eU-chsrxBDv&GZ!{;oZZs0YD&3+FxjO-ccS4oR+O
zsc@pvS#m*t=F1n{KW2!Ws(@{AtXoHKVq#L~k?)lvsXlA=(PU>1wW$ql$V=KtH5yjx
z?i*{|Mz>ixEzj87bowlNU#mQ`_1L4E*RC<h|9-n+c5&1v9Iy17KkR_sYllsL{``3^
z^DeHt+w|(yt0WV-+eMS%HRs^w=GMS+;pyz$9BK6t+|1UUh^1jG|MbQkd5Hi%a_FDu
z6Q}YTp!Vh*t65V;g*!7)U0=_JfwJWQGv2$3US&V?5-8<Wm}gK^QBjR}#3m10JenwC
zS5i{)n)o1nEhOY@bNJb&-fvb<^vc+R#WeK|X4Y&x*h0y6=<d!fz2if(WJy0Z-aKP!
z$<m^-aD3s(sXyP3`}9hB#a04VA^xUhETmV^841$&!zP0$d5r&kMlNosu7QC$W-;KG
zoaif);6pFq<~ynxn2kZbB&j3(kI>7%kVm2~N{0olrX)Sb5+!@{?%n-;zAJk+kQFF3
zCd&#7M+p;<@Uq@!e}>O6nT!d!M3ejCI}#^>YU6KeuCCIknlm9q%i3{l7nVLTvH>?B
ztHk8kvAUa00~-gb*E8M4`<~ZvGXKzC8r$qQ)a;uZ7A$_OP@u%%_Zt1Zw0U1;S3Y?4
z=dRPSs#^D&^B)eczK4kuwk3<4B&`ZMGp+b%OqCpd1S343DzX}r+m3g`n5HGmlC3Ky
z;uS%*qP%{u9H@^v{@RKf2Hkc@5kPw3`58%waEeQ_=ES7Yp>)OAEgE>`D%oSg`yZ5^
zaeU&!RkgJ9+r`DaLTLW6q{rHPd|=6{v#U#R+foK+F`Gz_Pg9|P(dfEvlex{AQ&UeO
z6g>A_&gNNp;Q`w-qt5527LxLZ{Y|W&%q^{zxvC-zN;;jqdPQq1Hzr&6SO;Ibro4au
zRmF12t)8Bq1OoJ#t1%IROqsRXI{VctQv^>p%=;lDxZuaQyqnzMsV~}hySz;ur1$RS
zfyaYakSe96t*!UtLBZYnom#9B0>uudJ!JuRX+)}YUn}?dewUb*QT~@da>XCLvwm8z
zu?&@V*&y40Qa*d&0-+xk7Z=;PxCGuiS^xgdjA{H-V*3^2RoGTCGBRWQft|1O^Uq*2
z{ACiyM5GeILQG7IovZ7h+?v=bd>iCAlEVRMEEiDykeM5ik&&~k0nhF1>`Kw?2TelF
zKgtTfgGna&ToJN_wb>wJS{8DPX;RPhQOMs#_16Pa!e_%QYbm?6jZM!;iZ|z3tRqS(
zV@HNcZdG4fj^1sch7<f(j7jE)aCs2G12NTbm9dBiT#jT+B%7-!F>&+#9Y)DhnV{35
z1Ll}hSy55i(ZNqfFQpm2j-Aql_zgnDGr0#39M~ti#$o#2k$6#2(T2~qF-ll6@B?ny
zH<#KZ&zkseE<gfaot{mg0;eOs*?D0&)Q(pR@=Do;KA{2e4d~04wwL02_HZI<k;PY7
zRKx+&%3vm-8ZuiDP4&F|{PoECk)rF*gu+Mwlk~u12V^fZc>B=CqNf`qBu<z|(wM&5
zDbKZy-oeo^RFPG@`RGZLX3Z#spPqq%K!^}{{us`md21+MAyZm7_)4O}`InWogliQS
z{l6`+b?Jh)YqHYA27-Z^`Kq#zZ)hlS2140u*HcDIQAjnUrKa+IS_U)G3cxF^(`m^8
zAjdM`cDJ;)Qc(b9pE!M*K1t`|x2_|u)6>)BXdA;+>(-4-8VS~jr~s*VJQhsYU-X=T
z%$KM_Dmo63@cf7p=DLJZ$M4bDCkeBGEN@Ut!Q=TT>igRUqvdeCRXElw1R?N`@rS*G
zlX@8zN0M0Pb>JD52w-HaEjb72WDf%8BeT@+)c64#KSt%h#bxpo7dWtl76ijrwKo#-
z@_g%Wo!7J{V@7Z{QG=95KULDHdP@+R74-DHyXgVZAUTz7mc(NbjqMyARgI0G?yI*A
zJFs1K;EJ#k)0eKS@$vDZ;?qH8kvBfjoC~qXz?N(0ZiI!Yfxao1S*pc6J+pQD_Wk?!
zuRwKwGcwXTddMT9%&Np^`7(vfHFpa(dk(eZEgVazW!Pq4Bj^$Z8uBzN-?t3H6;67`
zls=mcEG>)%rKXCZ$BU$asLfqnT@hm_lr)o)Fpvc)%2>(xbJ~=QpPwJdhg)&aP5^Hr
zlSx`yOhGt7EEjJZmE;1g3|?O4Km%r3E3FB<1}}vwv=(Mr4_FF%jZwj+5)|9`ab4T?
zlkOfKFSEoNF)6+b8{p~FryjwlO>hi~mYfuSEr+mNtSan{g;D_&m*sXYXd1vQ_ort?
z)?UYe6o`y9HE&j#BN$+X^L?>L$?CaSD9x!lSPF7{DAv#LVoTBW(9i&7p;A<@vh7Sv
zOv3k$&=)Gs+MT&(C_ZgTr9BcQ=bCn+&T<R$Kij<G_Zm*lUUWk%v7TpH&m98afllH2
z86YaeyW7Jf|7jeI>_4kXihj6>y^Qap2_ykU4p#40NF-=*T2g#rB7s=bTJ6#I^Ct_;
zUAJ_C>tGH~^#~dJ^`2hZXU)z1m*=9E-++EURCOzi!2Df{zg#o2v-{=lQr$WdKQ=bj
zZH>ld>Cg6D;WdmB==NW>)WXA0nH!uqajPoisJ5AnO(@B?ckjOUo3|9nCC8dIFeD!`
zueqy-fQmkp+u~I7)MfLwPY%kMSAwAvJnbD{zmmO{nySCBN<e^>qIN;HZJqiDs#}Mi
zN%*IwH<d6?ai^jIm*+l_pcZ3P<emOwyP=Jkaic*U=i0UQ77ocuohF{9s^a^1jNPND
zeXvCN`BSekokOzx)V&`g8ja@SvUea*aSzLBdI=<KWLeTC?qrgQtIb?<b01CzvWgib
zr2QWrrJwxcU8XC^L(jY6qaYjzMmh@C!QW07UPQ=sW?8SZtAt#!(0n93z<c1=uU}XQ
zXM=C!m|XO2ia@rUk(uddxTD!EB{P!)v4*C2-$iRO+?Z4$NCS&iCEQ&{JK>ReP{OKd
zd$B5a27ZcD<U*}eZGHVga6y2_w+=gk)sI$|5NB{Ek|x!l<kQ3?&E9@Iqka_GS1;P8
zukPP_NLD?l2Z_zd50wq})f*a>TsAU4T8{O<ul}i%qazW$gC4bT=h36&a83H!o3f@O
z_M}ZrfweMSMRoPe>-38;xUegM9w656)MEx)q&MY!ZNl2?`-?8W33;7XI{}YOc23SJ
z&LnLuEg^OWnQ&VSrfEp^4^oMGU3!oeF9TsZ+w;(LOl8r~U<MA<Vnr1Cw{L$MoLIkM
zL+fI^R+5^ZB+OpWTLjT8^VWpGaSe@chBE-wkYMiFIqzxM#VkP*CE=^OFQMySLzz*(
zfc)?KbL9(xP|lFj5!@J!NEr?iZv@=GaRA4BB6jLW*~gC@%JtG2jTnVyU^~upyQoM3
z<AA)|)#-^*D&{Dr7s!5p@u3>4a=~WmeTs=J-0M?}3hpmTR5qn06OIx<b+&~+iU8>l
zh9tnO!zSNrTKqM(zEA-_ggH>DIx9nf%CV2(b0?l`lIFsgr<N97mv%JSTC$(fzpt*Q
zr}p#Jp4HlVuW-#4mU}cvfmU6=YLtlX#Ejk_7FO0kovr<~9&knd6d?w)LD>b6_l}Jl
zZCtfai2eKr+Jt^<wDJpJ=gx*(K|1?xZZc3Sj>A9OK>&WkP#e7yGWLu4Xt{%H1O1n-
z!84g|rB*K3*fg`Lc`OtxivdGP8=dr4A_4xhNAl4YhZl8i7)XVXW?Fp{OU|*loAfFN
z0(OKCKNkL*aNmzfO2YD9$%XOLuz_bs{emiaI^PHKCA67nw{6>|tEVTtW5+S`W$>r)
z=N>>_WX7@Q2<%YFU-W0lv`cDg>Xt?H;$BrrU-~M8o)F|5w-u@&n`xOyDgZ4EuMV$H
zO0=c>dc0_;cW-ZROV<`5Aqw8znpwHtG8^!iTFr5zUTuY)Sv%G{?yyO}?h%qaSoiLo
znaSn>!({v9;<V(2_{7Al>hCXV)SaB9)~{brp*-GW^QmPSAH>?Ls8XrH?J*jHK&Xxx
zUuZww+_!5%;-}HW!lvmq@$d^Z{MgYIm6gJqHy<3f(qIt2e_oeUG_`@nz-fBkJk--G
zs3jfoITpq}=+qF7IwDYEVIh$R7OP6;1AVnq?y?q4!%(IW5KzKL#V3D39|p~eucqio
zR(AwUDd2c~Os)_8xkrCej$p_P_(2o=bm^cP`Iw>m?iI9;uC%&3vFq_T%{b7k$GO~#
z$&&YVd?r5%=wn=Hz?KBj-7TD{XwM<w_sT0tOFz&q6&LXyq(t>mwBH^EX%XXfDau0Z
za8L3V<C{9AbM}T#a@LnGC0rn*>_*n~Qj+gsPG_6Ln|JS49*NhoDu6f16;zfN)+keT
zLt}x!&igh!ReJtCt@$_K`2~4oS*S>Xp6nI$cmLUF*)iRGCO2IrCMYPVi8~vZ791HV
z9%&L20gNYW-4{H+vQH}ft!jLrmqRtJhVif<goT3EO({iSeZ_eeA&T^6L99aSl1Nqw
zzJgfrEW309BYVhXOQfUK_%tMFgW<CQH^sb*&<s)PL6}pH1gE>V_X-AUYCMu!iTVZk
z(0*XYSUE(12IJQp@qE;ploIcxLyh2a?fjcyyeg){N&@#&p!m;kby6ch9mcS7CH#^(
zfgdb*EjooBKY8}-M)K?FDRbl1MoS&UO$2SbmxCB_y$7Xq#>K|1b(d?MsY|P1v?gNx
zH7~QvQGV{*9Reaygtl&F#EXvo{!LARZwN8)m%)tI1${6n2xky_S#F&|4c1?6*-T4I
zOZYOxXY|kFA`sllE!%&17((qo%~fkP2F4Th&=w2ZwpZ6bWW(_nCbxyng<hEUgY<I@
z=9g0oZ5%4sHf4kaMA8jC_;u^~uis@wo{x&Y9&~9foqI~@bGv30jq}ld>c`3HdT<Wx
z?Ct%q79BedS0PCE^!LY4J?<Hhs=0(NGnpsWWfoBg{$(%v{ylOb`#$DeewK_=80R4;
z2~?PN*{(QK1jSo{@i`pkUpqRS^~-PXL={nuP&3Ese;PEmVaLGj5(?{YF(AYL(mo!B
zxhZeo9xCFm*8%?hQc?n}6uF`4v?2(b;N@fI;P7eK-Z^HJPyC*}vU5=}jB#9CHcDFU
z5D`&}+r8OWG1woiCk7@aV&fxx>(IRQ=w1}SihaE3m>bCNUW<jQ=s;{Jkyp{|_$9Jw
zlQ8J9Pn?;~r>#zA8Ysl#g+-IMaWmQl8CE8{7LwAmTf6!KqeuVdr*jx(KSNsCSf6N&
z(@;>)-vZ9hna70!$U4&=-T0AdA_~1Da<oivX^b9qx8u{#U%!Uf7SGXv=0a)EJ`{;1
zg;h<44wY3_26VXMit<P<t_Cw0r2?v8oGh8`D3Z-cgAd0NF|om%dFI)L1uX8M)w~T8
zoA&wm`0Sx`j=DULwL%L{#)r98kAcFWdVzgirE$~?E3ag9Mr8srkSm(QO@y%G=53~o
zu}jd`-}4mh))gyOz}b<^Q5c(;P=$mUD;5cC0EGJy-l1?FPs|MQ+XIH~*!VbE_9*7-
z2M$1rKnBoa-+&Ajsc;D;gMldqPRb5uf7;YZ&OH#6@AxNIi=nW~qr((5be-Yr19Xvg
zFb}>TDmprA2J;JNdxPzqoht$0%QkaR<i@{2*Y(*ggk5F($Bf8*txaO3{dLNQ-y@U9
z9g`*$rMiX-xXPqsG>N&0kdTmX)*==M&E7CH!B3xlP{pIGT+ea~%-tu9PrMvaQ)`Oy
zO{U!G0nv@Qqod<*&3t#CJxUQIM`w5Gr7sYJOL)2#Egdj^48j_R@-nTaqU_$iW!2S|
zEd#D73y@b=tNR5ocOokE^z_6$D9rxGXKK-0SyiR7aTQB`(TgoStg@wsI~%k4Pa2FQ
zFHN3~xLwna>{c1TRr*gO=Xjm1*;S<}t{1H5-_j~Nnr2vu{^~4xoJAM^V{eTA$98MH
zg=^Nr^SbGC7Cy;o-dJq&3HARJL!_Fam?Afi{0X23Fu{PeCm04)6d1z|TD#iYqf5?+
zT(N5Vdlb2K3Vvkf4d|&rn`gf#M#(II!Vxtwh;t7kc7!%=+#e@SF!txqMRSB`DIg0p
zUh4r{5}AKPlJ@G)5B)RY3X4pB#^bno^tc4(q{)VQKkS>@ymjl54NuX5qNZH>nnx8q
zsD73*_Txpm17m5em69%5f)rD9`y%^x4N_lzoVxd>TX}i;$FE;&x2)e45s3~G|Cs%P
zma%c&L*Wq|#DL9HP1I&4CTODDrvN>ui*IMTOR>vsPiT(1q&ww95!fvyMWJ|kdvkDc
zG2n)mmMXh>dJ^|bv8|XjxK6n~H_pS#TMxyupRz9yMXY122nq)W2TF_sFuFT&S<suX
z$}Lj`%cj6JI|K00D@fuzGHs;(7Eue(ru2Xyz+)p67aQABB9m;+_|!Yq{sJRXG;!;R
z1z1p>Z7+zp0v>njFo(t2vqMuNqsrlE&7mpzMtxg-r;ME3@Fv@%V)T=T|IQ`eAS2^;
z=%<n2)5sIHs_$O$V^+hwrYip$^|yYg6pg#WYeP=M1jD!h@zZ{KB^w*j!IvOPf3UK%
z6Gxqar|RXB<Zn%5|9C~ke&ePM=a_e|o2~W3-al`YZgkRT_{=VwWAyD7xtW<Kh8?xF
zwLNW=40LrFl62aJc^)k)r0tyNA#j9lAo?lTZWq=>QqFJJt4J9{!)#O-21XO*U(>Zl
zuS!|g@rCxmd_ptP`=QF`)yL&ycDp3FRgUChlnmwTo^*{j8by>B7h!pWbyt;DuUM0&
zkW}-?pC&XMH>G9Je&Kg14clZvJ?#A{%EMi*-rnBy-oHSTpdNDfZcJCoa$<A*<yY|{
z8HX*-Mlwjm$>~+q_Rco~r`LWy)!f*)7UeX4JnH!2WEBM5bl%5MI&Ch`QN9rH%h*T5
z2u&bBMx=#lYimnv96LKZiS3z}?>#W<lXS{zYSjAzx&1HLnA+H|;5fwb7>DjGq$8jO
zNH?WRo!zlxhlND@ot;`quex&V5-!5a5wsc8W&2O-Y>>^B%)-V`zb_Lkk+1pAHMrrs
zs>1lK8g|EO=)nhV<mb;hR#pETz3ualuCEdlOn0^@c+HJj%ErZ0dL|~eIeiayT<R=b
z>8C9Itv&<$i2zzRz5v%iqqOjY@u$<Qz-+|>RBaAKBdXO&cd4tZ1HY1$wnQ=GoKIKF
zT(i_RIoRJ1Z#swKd-Y!XgcTK^dK)_bEFT-QLz!S~ImC(;@SbWQTf68ony`^ORdMz>
zRE?l$2#uA>N*gj|a)#N;M_ndKMMVLuo+3hIOCIOmxQ4M+#lt6@_eSyG1iic&W;0Tk
zalp^AGNFmV^HUqGZH`r|%IdBR|8(#2nqWZ-g@7KUmxgeGqq#9ZtylBHHoD=9&pQ%c
ztqq|E-lA^BdOpso5MT>Q^^rKYH04n|jE<R#rkCS9Zk^f!O({v(&{7c=5{j-@iC2l?
znv`8BToK7!vs?5-sLs~LJiSeK-pyOPuAE%6>o`JJYr>LcbmGkm$0`rmL_T@)VaZi|
zBVaIx)bUpw!IdK(#v%XUiNlj#pl~JWynk&k3KceTEin4e*FL*@Bz~{p<KwW}J^+qZ
zm)Te>;GV9BTM~Lfy+%6Ve`q654(+*<$XA+b)*S?!&dl6AF6f%ZXHffbN8l0GK3d$?
zWMI*Bvj&70C=KBH+~O=2|9A4%lt5P6BucR`8sd~uQ)6y<<i-2?`oT46goBA&QMdOl
z&1<^a!P7ng6+l)ngDPNk_>cL(Hi6UOjV*zXn5y1W*;vUZm$;B@{OHkhGv}6`*45gb
zP4l1kc!oYY_oSu&{`LDH%~KOd&iRRc+qTU+MD~a*&wGB=oZL-PWbUVk=7iN=Tt3vO
zzO(2mVTU0ujZIIhA+Q1<X&#;U7ut_pk|a4uun4ak$$S7h(id%%E`~)s3{wT4AxP)!
z$p;u`hn9oz#*Hg*c&na2FY5URrP-5WJ|#`W8|Z}95b22`4rv`+p2)n4yvvLEO<l)}
z`Z3o|7cTj$g2hp#J-PIY^)%YX#FA*1HSV+q$BEP4Yu9=%)NK50{DBW4wHFN|ub?-<
zV1R%`6gDdER934pK0R$=t5RKE?Reu?@_`l6mTJNK*PG4256rrt2o`a5OTc#{PkH?V
zGWweNBndY(r#ysovGayD3~GN)NhH|CA2n${;9MjVotS#lqvz0Ki}#ZkCFbLYO=L|O
z`+U=erKep}zoeHWcQPJm%b9WJGZK)_i5a*O<7gUfe!;|?rol(xxuQvXvBo|vBOmt`
z6T?M?OAJ!}w}D0`Bf~-Dj7~~A948vr`Dquf6lmw*1%8RR74h_G7%DVEvI23Iqrj-$
zTi7DBg3QO@=KXwZ2{dtirmGq?C+O+vUD`obW{gg3r_$CulQTsO!Qq{|F2BHYZ(cx9
z&<3ESkahbZdpq`2K56QY|MhyV2rI|&-UFe|JV7s=zR<AA`(h%k7dV_eR+rFgJVSh=
z4<F{XlX#%ljvVv!hV+PLO%tM*B15il77@ZGfTnK9Q1bF*2y+XC4`w7JH%;gL5DUk4
z)M9DpOs{x}GVfDv)`DGM70dkeJ#J)9YLMw*5A{N4Y4N%9&O-%l1lnlJ57H<?35^vf
z50>mcU0trksr8gPMcj&W25QKq?Qh({8D%Zk`VSg&N8eHFiNC+UvBgqTbMxb~k4-))
zdH4IuhSKaWh#8>n_nrIHOd2E=y9y^isZ)G03n(<p8`Dd9#KazYV+uxX>t$Snk<KDs
zP$3vtSo-CsN!romPzW3VCt3ICX#JM67yIxXk<=i!acs+>R>=B=nWM;JE4P%r&dW0e
zFN0K!gh_zIVzRaK<f7}T$`t<A_6hpcQ4)VjmS>hJ%5gupPPDOcW`!lr@3y&ku?*iG
zg;U@cl~dlS#|CzP*(@k12&o>}#s=o0CkB`de+;Kc+L$<h*nptriuIzqf{l$0wt5r%
zf$#F|`{?-i`BCFA-wqB|FA;kpc27e@@-b&RdKBPufaHbAwCs!lq!VJPjlm!;p?gol
zd96OjCo?lM(z(j_sclFVS|`{X;w2#hGJE%8(xlnjYHSFJd8L=vFAr^_uf4!0)W))V
zohW_ngMZHW`@mONQD}(Z+Gy(OT?bIr2Nu0P6ULa?TW_mHQb5YH+)EuQNaj&CunNdO
zmteZHMSs^Y8oZa`w!XJA7mY*GgGC4c4X7H80(gQ3z=077&jvBEqkXbK^sTECVAM3}
z8AgV<q5>yQz*u~wl>x6Sz#^mz;_afrrQsFGDIgGrW0n-^D9Cj&!FzCq`>j5q$5B(Z
zqoIsw)RJo}_|$t^j}+*nng=dPDrrO`ct#ix*Oo7l_9_}hr8r1h&3DOi0cL-&z8|oV
zxc9sh3MPUKkWGcky!9Mjdhb<yTNLejaqR9WX(^@UY)bOqWU$)!H2rSt5{X~2s<>Wi
zYHDQD&5A$F&3`UgS(TGH(j??Nzt?I0jb%hlLGETZEeq@pP+(bkdF!c2*I!@1PZ%cu
zT;9L_R+BTs(MG!u2ETc|zxgJG(VR66yv=l%W*}6N32E5#y-<k|HYR8}aj3IU!jmrw
z5u4NvRU}0bvW_D7q!o1y=1r_$_H6i#W1<YG8*+&ql+qh(w~=Pu(4T;VXj5Z#ZvgIz
zXF=x@0O22o`i7(7lA6^<a10<~n3HAedD><W=|6HdHA6$g^g*s8UR4>mp|kVzWYQyQ
z$tyTz(4wZCuS@wNA}=2)_HFIDb>?laE}#M|M_WZ4{!Qdi8`(WIGjmX1zb(4?yCDuZ
z#Fro<bBmNGGavZ)_%t;&eGzb3l4l>nLKH265r7oH4Xy<TlSDuQw}ntnBl#5F#-i1R
z^`k8hZ?LqqeBuD)d;6P=?V9>Ayc-$<E`9y%X1yZCEZ~wr?0VIYO-*WI8VlXuzpo5X
ziD?d~ygm+znT)LLI6vJ^d3pJUrX~vqNndB9@M9)A%~5BYo_;yCardT@KfjrfxygO&
z!%pc%f22`$e?<#IcEVm(_KyF%N6ITJX%XIdXcM5cz0iT9zsTOnsRDHcTIQX`Gv7zu
zupk!&RE>}yrHAt?UG~x(WME^nY)<0S@M^28(Ns#CFD`n*JG40UIma7kIYp{H;vyMs
zIP&$iw)q02CG$4*at&^%pPQ|UlLRcItDi`i)4i{$**zT^9Q;{7M5p=7m#d(MV|_mS
z)y1I_7;2^$UD&QbeZw<ss5ntC`qgXcRV7!7V{9(L==+#Y4|f{s5@p&Wl1)$z0}TKW
zxDyhGhPJkg64LQSMMd;~B2lV<=@GZ?Ku~ga_F6QYR29P#6E_3XnPTUV*n^WdK9r{X
zqo$*uL#fwyD?TB#)~{VSg2Wt@EyB>KODPA}%4PAm{_zvi06GMainUHjuM|Ej!{tKz
z9t%^&-gbMKb1m&JXPS#yn^N;fy5*)hf2nqf&0M>1LUfHt5hrg~1ob9~<2Yh?a^^mK
zy}L&mjV)wgs+yYYmfr7B`=EU7Joy-nx4Nk65N;Z@k6OX@o#aY217>5XNvr3Kc3!jF
z(QEDvr&%M0Wt1;Veld*Z6F2#%v|&H<h*&70YBom<#A5SLPv2>os%g}`%=ZhaFG&hf
z4R0M<r4qOnM2@B}U%Fv@^|8em0_(Ii&%DoKl>FUHcZYJyKhUkb6ms#CTN)ThfTu`G
z=*Wk*E82a&VBEAnO-D5Wwmb_9i+<wLa2eX|=n&4Lp-4aFrM>}KlnvFvb!e)R5io$m
zLNhYN(S+~<n}hhw1WBeajj6=2L(tPL7eaOC&_*2n<Whi#3t8R%^&B`-AY-9-N&y22
z*?wLAJ=6|?3<l}2hQL0&DlE8}WYAZBX>Jk`Q9*Ih#J)Qal>ua9lk;wvv|BL!{57f!
zE-OB$#Votx;9uI1&*s>%y=R{5v!>&lmMEfD1WH?uS~t|Cu2|ek<|p8X!9#S%O!_FK
z?XQ7;mSFMR0B_-V74OKSM=&}KBl?Z#CI`N-h}Jv)Mh17lzPNXQQ?#I<AoG&y`XlMa
zi?$rUrNOk%5ZJ7eyS9PFhW7oXKXS{Cd<C&D#dGhiwHp<%PR%D1*TA}Z(mOUeS>Zj?
zL2qScMdpiv?+Ee<JHrZ;7y&qra8ixI?TBU8b#iJdz~8^zH_9>z^hEFS=WHr5ZWGOM
z|K<X)qqZZs_ji0921dqSIcDQ)``3dH7C0(Sw@FfRHLf4QCJT-}h*dK-7C^g|l<S;C
z4g@EQa?V%iDRuYt(Zpz;Z|E`;#em?r2eW9^d~9rt54!ehHDdrN-HPsGJU0(*3wG4i
zfPk3H%#YEPda9psp*{H!xUYqVHqIM|hJ;Az^W8uD{IzLa6z#leSis@Hf5Pyyoiuuh
zw}-kyxFv~6nJbq?s6zy3abSR~I(6!~ryGAVjhwHi{-ujyt0+YsBO~*)sWCMl_bU9z
zwP|YdE#%CJdd55?@*O=PRJNg@U!Q*xu$G615$YJ10XptN6hk0%kxXON_5C6et8X$N
z1EDiP<6)UAS0O$i@h_8OK4qJgOjqDzo8|bW`SFOYMb!TF60dh}1>KFEi%aHP-|Xxx
zSIPlrC_E@am<I^*`%t#%IcuyT<%<`$Uh((;kguGS&L=)C)6mlL+_}jEj|6!*sbv>~
z>IYiwh3!K5pa14>e<?Z@zjZDAR+Tc0Ci!}=YiLZGGnMxJWy~1b(NQY1v-CiJ)!iuu
z)2j;BYC}s7v~+Z3pc$eyQp6buE8(j|)e;sK7Wosfteun7)hAE*DbZP3xE)tOKjz?g
zlM{?w;L1O|398B36{K{qJniD-gqe0X#C#ROD5DT|(tU+4sN(=u2jChVTSy@z4zSj&
zd0Ury8CS0K3l3&NK@(>$>5gu79+Y#@7Qxer*yfnqy+Ludo2E#xU5mJsLi0W}GIAAd
z8(Vuf4-b-WWA~1*7$<~YB<N*=EqW(dOfvPSyAoq!sIXv)6w@w;pqbx?R>X*6ZJ&nv
z>A)@CX5EM^c~0L~VJdd1t7sviaKKpFZswO!2v;eW#;o&brvfs|p-r{`yGeoM|E&~v
z9(_*$*!XYuWe(Dx;or>lLrmGZ)iN5q7PWAJ53N<Ngw8#$f7`e_Y$+^`ZN84mJd6fs
zO+(vdSM<Um_4uM6UHkTJ_aD8f-RIiMFh9mI?8Q<(YOJ~tD`m&PR1YiD0go4>i9F%3
zN%rDi4-O5kzjfxxMSJhh2X{pLu-s>DZCx@doe(P3;3yVxzbiT2-Dlx>jvK$VqQvVn
zwbK>zeE(&?2z;JfS6uAuO4Tv*sy=#T=5@zc>V$jFqqHB4#cfQ}jf>ib6(OsVasR#1
zl2`ki)%o)nNwJpDjeh-N1t|k<SbmVht4K+{hOy_{x2u?(;F5Y203a9_v50B-huoCh
zTxl?m7}3QASlNff1lVp6nze{@RK8*s_+OTNOM82HU0v8>PW}#ikV%2FA281eMmWU#
zef;w5by}h#29gs_;ojU%{xG6y1@{n$@T2`NG?B?8W6ScfU<}sCyuIZtwJB2wp|QBS
zT1HimtOh`iVr<%e${ahKj+VA0+xnCOTlDMBZ)ov|16eaKTC<o8=O1O|(u@zIK<~N{
zGY;a*qPaQC8Z`7ACm?b`k9Y0(osg*Lp;1|(RoA<J{CFQG0d}k^Dl0?>#0X21#>exu
zN0)IB9TQf0;7z9@#2$^V_oAe>&R1}q3<^zeuq9UpF7=u+3je6KcW~g*+IR9vv14gO
zpEBTlfEY5v#bBf(F@SdJ!bo~s824=I`S{LQX%UgYC*Nydjh{4%a{)UsviAhcGw}qN
zme60{ADg)ppL0b7D8{2?gb-jB{c9>BcII=N4`eGkyji2f6fyJcqP+}KQv5oy*%;9&
ztw47>sQqWd<7yP!hHf8Ec26?iFHPqi_8$`8_VC?ZR9wfTeSu?-YWhU<4IL9=pY$}}
z#|y>+LPIy;8f-Jbcb1modu3&*DDXACyf}55q99omp%RQ>fz@BUyyQvDHMZXC1%VPC
z-xbhF<Ic;#Gs)r1&mTX|*q%yKG&V4hi_Qc2fgluhqu=`a{E_qHd2F*&4VCEqD+8V%
zgK~gaZ+it%Q2-2!4AyHrHWzsS)&$f%=(ABxuGxU*!3ll+_lgH0#YGMcXa8^VX_uL&
z9_~Pv(_4FSdS+%Ya^auuZNu_Tg+pW!<BO0M7m;0HbZM8_O)BD^jMQ+_r4aRaQOQp1
zcBby!UV#Y{i-N6yv=n#TIs}o-`-gtdhZXb5yc=bqZl~R3y0w_tx!}ZFSscmEVXA2K
zi>^Uu`B0yXe`vNe+4tcz4zD98+K_dhj<aK#G~DLfUiX@iGl&Abt~gn8{^8=ooh)K{
zFIT`9SKGQ6V}vcEu--u(2pxVQCeWDE0ALCc*;?H^@Zx3e+r<uVz9{~^#T@x)Vk3(|
zkB-tZ!`lb5M4n~EhI4{8^Y0S@{;B}F{H;~AEkI((^KVK?*l=g`w&yBe7^E;nPR^JQ
zQqZUO5Ap{6Gu1|Oq2R=uTCG1*%_i97vPvaO^V`S~fP^1{Gu)t@)D*Hyt*z}Q29AP%
zQu_JxYUShmZeQrxdovHbRx?XWdXy0^kCCB)Fh@VF!dwdUI0Lw~KYy1NQloC<k$JA8
z0$nlSLx(Od1CpVlpg4Wonuzg(E-o%eN6wbGo18ciW54~OMiu9-MnTK4caby{xjwF;
zcRq4*a-rN3$yxVjT_7F7Jfz4`aksU+yus*fJ=*_kRR_TVKxDA3_QdD|+_L0mk`;j0
z3bfEbSF_SfFX+vhFrAr3TqJBLl7Y;bSsd9F5RTl9Qi{V&s!o`l!70pti?KMZ6rH2t
zfc$(knwrxxM9WaO&JdMl)iB%Sn!pG>YxJGozJ1%U_XWq$LKbqIJ5PGJ@L_<Dh3?6^
zbm<b0$(UK%PBdIptsXnPHcZP*OUP-B4vbDW6pyc`9w>@knwPBXi;fm@5uBQNd{JQN
z<#F5jwrV`S&wk30%fGmq5T^ge@cWg!3<_ObRo&;=g-U3K`a}Y=cQ<_UotATL=upUb
zc=rcZAP(!aOrvbtc$A<>+`7BFi4K^Ab6i<(&MgN+d1#{(x!%^EAF&Z^bWTMLf#fOx
z8=<_Wh6$(uQe&`Fl`*kza4x^%q=5kwde}K1tdx~0xa-VKo!POm)KDw*t%<(o0=fX2
z<7W&4AKd_gNlj`0bn?lI7uyQz?a=(7p_D6@Jp7uPo*smd(A9JEGBNK)E}icFVw4Xh
z8+H)r6kpn=HM6rVO_1hg*Cq45RZRXV{IDrHS#p!#)3P<b#!M#pRc6}<Zqh7*zw{T?
zI$!guPABn^DkP$!Tef_k(oZs9s!QlhyQgQOmwhOy?faD&<Fjl2=CA$nPZIac*U~yJ
zY&Y%9{ei^2rP`_0QYgY}6~hW77_5VtOH~Zsk`@1D0>Av5C|RH5u4<a<(t3qhz!(s_
z%*)>~W4f)FZNtH^FW>*bQpkFr=GxC^?)8j}FeB1U*Q4~XmTL+NV}<bs<aK&+HWzI%
zsC3>YK3P*#9MnOiDWEXj5)+502xaigEO<1#r&<{ziTXUyh^iNf5S`WNJTXIoEO^)3
zOfhog6F$j99lzT#`8%HFXJlmT<JWH99j=j0@qioU`_W~OA4!R0h+mH(^XmBpvb%1U
zMQCUEi+Vl=kdcr%q`a%f0#&xN%Q!}R#K<C=<?MZZ<lbN+gLcNj%Ug3{W~Hx@w1YU(
z9uG0Mp#|@Atg;Ol7=zZ%yBznQKb=A0`tmk@$>PJsEU?sYC;{?&+>xLdcd|L224()Y
zcCcV3A2B5?=|y||4BE@&AWD~2d$pMR;(t#Z+3hctFPu9U5W=4xmz9;(<?S=qzYf{E
zS*7_$bOIeps(;$J#O6cz?dI+-EH2J|I^FnOu6n%IvEfv75Ob8#(YOxN43cLM3kGzb
z3c9Y)GRdTF@r+aV!sJ5~dRO79Npi1Fz6(%<$Hi@^3KtB=p|z(D!|fUxeDQo#iF(5t
z8s3n#5>>{nJ9o@)_8G*YpGOQ6NMq{Z`g6eRQTrjj$kM+5Z_!xv>vNYx1aHLYG{cV`
zmn=GTrXElGKg^D{1rv&pR27&1ID+`MvR-Lfp6G88(I1Y4UikD`?IlJE?<|_U-5LHN
z#AN<0RgC8IOcz1b_O|RFsS=yv0ZB-j`rluM?;s5euqJR}GHH)k>@h)EKIm2(qTX0`
z&d2_|9BbC8*c}I2m$-J(!%xDU_!_A3(noOLL1*d7$LE(Ohd%ODM!%^LVP}xKaq>sh
z0pPuVxt!*0)5*W$eoAhKmjr&MCT94)-vPrShIX&h=+7d}2qaJuQWsVYddIb?>8-yd
z1j<I=VuA<D!@kMvdeg6k?%HvhY4x0SixS`dyH^}^M|keyki#MHW9Hz-Rc6q1$T)ms
zz{xZJhnsNCQk^~D0a+oAk7yIR7#(!RMu~JWstu_jB>)G|u(GPEg!+lY@mkn9WneO)
z#E+~d{s|xwWVEkkq%BBCp6{ue0&O_BmZZ_1!Y$j7haM7zLWJM=LRB8R^S{CLCotpQ
zb)hRwEiHp!glw<RIB^uhb5sClG9xC8(XApJE)2~bi6h-c7$XEUnPX?7dcSBCtbP)A
z9#BIo=UK41Keq+8wqQ)o4RDnLelL_nd@Zu;q3(*gsTir`(`o8%h4%pU#wz8soF-sl
zid1tL_@`AP^pjql64Em`^3l55?Qr6Ox07>sDHTN-bO7I{Di1-3AlUp6xR#_>w#9mK
zZBR}h3gv5+y~a#AH0Or+#0O+bQ^r9b^c3qvTW2*$FOkEs#V*fwpu*eTRH!p5KzOu-
z0`@w|CJKiVp@~UI-0I*I6l6ow9Y0}~NsEzj{ly0~k?hS$J%mEWOx@Zof09ZzKb+y+
zpr~jZSKz;6ff=%pMDRT^BB=fnuZA(}ec}I!IpymuHCeyF6JxB&z_teoT{Y_YNrzgD
zM#LZJFeeYmxunn<M!0v9`Lr(HLU@1t0Rw+%D3`j5S-Nv=J6&B|&cNFSq@{hBw>dZq
zD36vxDhk{?L>yu#isX?{%g{a|>!7`zmz9+j0><7o>um8NAoNj8EhABrzJbUD%fNa&
zO=$332hQFe#5e>l<8~L;N*qLF?C0Q9&ts$2IZp6jky?V%J?7c7{pJI-CK%1efzE?o
z5cr!8j7hbM=)|1M1)U)yOaB#r+^bh>5L3LLK6dv)89K5M_4@nU2T?vt+-P=Gz@Vz$
zfH`4^7^ytAExr!k24qj;{H#z6Y10I#_^mT`dt*B2hV%I5)2E8h_#k^b5=EN`o<6v_
z>t$pjp1c8A3h_gEXZKF<L(i8a*C^&g;V>d|HzML1JRBguS&t5L)-f|wuLiYWcC*@4
zb00}b4!K2x4_b+Ly>Ry!rFJBzxXn&L#*Tu3$TNH}Fer%ad7~B7-r)7iS{?k=nne$w
zg{ba$*&4LZpJCMh5p^1heWDyj!O6F6%a+4~x|2lAgsErnUWn@qw@Im|_EU~_7CW90
z@C(BW*bx}qOR!Ri!+%7?TY-Z~I&gb&uz3CBWxX;+6hSsg4@|-|+$yD{oy+{cCq4Ib
z<vA0KpyI>;tYBCdU$)%#Be|%Ezw7dX7&Q$|&yOFBAOlQGz!x6XG};lF0jjuq=p}$e
zlC^+a+dDrs3{cD;XaIWrA3Hn40AB-SeuE6<*fBDDmQ*0Yw`(Wl_U<K(F_4=ct|mi<
zaqh_2yhDXa<iA)NE}Y+#`?S2ngxd?q^#YfVOX7-_n>ab1iCmHB>7AdhO<_a)fXR@)
z;OBFvEPWOxXJ$bGjdu0~*Ii9GtE4PJ*c+%J*bs?-ntFYfXMDyJl@?b*9HjQa=u-*y
zKrcklQf{5ByXkc>>?m};?JnTAMNT)T)`KU}REiQi*~k=LWW%e$m(OP@9&(Qc`8=7h
z*)uqp*le%dJ{-HGzl&D+WShg0skUjC)W+~Qo1;2YHb1J*SiDP4cWyh)iUB|0<ApjN
zz!i&Y(y_K7iZ(x|tg$~^M~O4*(s$+Q6CWguCJrl{e%SgcP=DsOS;}9sJINfc&Bgi1
zE;W-TC$2mp9g?@6^002)ExLeVujKNE{`_IHwH^Gz`N<2Z3scRXUZzh(A}$}Ymx!2B
z0-bq2^jtLhQP+^?oq?p@LuuNMgPZ$05aS-$Q$%tHUG+gfyFAank9e9R4jzWoQQ6c~
z=<@vc&GM5Cs?cLCy?_Q2;X;l3!4`UrI}(mUyLPR@2`=Cwd-L{ftiRGN`e5B$d^OkK
zj;*^wT3Q+uyHBQr;z9Pxh%TfK*1Ly{8@)N}8G55>?hpiS!q@h5Kpzp<pogASj&#+3
zQI80vt(wWiqmj_?fvB0n4Bjiqya|Uq2}uEHV)QLxSRQFX5(j}I0auy5UbEsvV*`qq
zkd)NjQ9A}-aHV@;>ZJ^5n26_ytrMUawF~2i=1-&hM&xn8kZymhJ1lFeKl|1X4OZ|g
zdQiDqGwG=3!Wb=dPliUp3GEYT`(Z0{Z(66}&4)fCT6hP+z8rkiKRB3mK!toGoCD9E
zJ+lkj@}S1~(LP1p{}tKst`$9rjqukj52vp<Ebok)qa{z{!*IzuY((2<Qql7z5_B|x
z-$0E<d;IwEA^}esI0cu1_UK1|Jdkcg+#PLY(5u`B_5sA;`{p{>fL-#*xiBMAX5{8t
zHdk+|!mI&b!iqHUS<F5$asQnkwnRg>Y_xj&Df9HvW?seKZb^EKtqFrl7ZJdsC4{D}
zt@P0igmq#u2123KksT4`miv5CBb_@e#hLX&bgKUckSzR2ZG4gVb%ra>Gx#hHo7khG
zEH0Oj!v_SDR7G3+PSgDie^|Ve;XNcf1El<^-9AW8q-z=WJF(F2j@kvLf^BDxrZgEI
zAX?%q<@`g(3#)q;ooKs-X`AA5?)!j|{Xs4Hy=TX9(3H@kBkn`}l;ax0^iZa<c=bbK
zyF4rKAE+#1=T^;&a9UeWyl(-mG<pVWsk`=8tR!rMygXgo>O${@Jw!Ew7L^$!<sNc7
zzGu3Pp8@BTd=w|gaC&V2*=nUFKcHoO;XZ#hboE5s1NoWEUI4Fhr`=#3KR((i998xs
zEfV0-k3Gu8io8oBFL95LsCp5$Md{t1Jz_#xyJvpxdzP<K!mfXW6GX#uTqk;@5?*uH
z&@@Nj=TKVyBiYr%Yyg@E=;VaKY3#G;TwI>1i^Ovk;e$$dx)E6hE*T5P<CZM`v?X#~
z48N>`M({fZHdGKoET}0BDXtqXT)I>RoBDD1nqnB-y-~XiNEQFUJmeXl_<HRcA|-<@
z%MAx#`h?p=sOXj8@N?xqRq9o8`KHZ)pO9v1j%`;MXeVKK+b8Jwk}Cv(tQ*8^bF9_9
zMQCcYKvgh3+7%8{tqK0H%57p|l?Jv&0VRL>ce*Y7%*Dfy_{E#yx{?bwSv)P)14~93
zY*KvoK<t*{ax*kdc=0Yf`h7VfF0vARJ04C3Btke==PFaK0&tIT`O$jp*y!M=$P`ko
z^WPk2;M|HXs)&5T%mD011}2iAf~NI2|EG+xxxpx6|4Lp>z-w$D?%E#G;qvt*1Dv_Q
znTM#{E9mSk*gDA(cPgBMaetcbfHrGRB+=;2l6Dd3!NsaCWyr!M1Z4n}cWMm=CLTGI
z+G!}zN7$P}nR?#JN)=o~NXb*+dL1d}TKA27R_6LI|MOY>Ei``slVq^0e@e`yjNSX!
zUYxtA4D1yv^#GbqkRYi`E4qOia}@wO3G%Sg=t}B;A<+2ciz%*4p4Z$iOjF)cGPNDA
z1K-DLWU;rRqK?}vO+G`W4Ab5NMn?Q#r`mpUSC=*A8n{n@YoY~%{l`JsXiJS9pnpHI
z-T|R1*MQW27bTlc^p{(Jhlm9oX8V#s2?)6e33Od%df>QR>VD$d`38vaUo|o^2=JDB
z<WkIP03spra_b3LmjV4?A)+$U^lrKBS)^)%JQ|*7%cW45+QAX^y)BKI1EDOFa6`0q
z=v5Y%?@~u914jcXumUnHKJa9{Gk8z6C^5)~XeUU9CJ_slzx%$F9RlKRaGA@|sO7*|
zOw7%QaKd+qRvJJ%`d?s+gttyKpD)J-wQf*#3F8J-y0K5{JI&x@f;i(9WRU}cMkgGf
z3gI$~Qv0u|9z5VoD;Rz#*5;CDB2(N4cLT7p!=<~tR{x6&-WBtZ#e(j*hsR!UAx@k+
z6^MiR*6;RGwGb{pka%O^nLsQ9Ft+dpoDK!RfWVt^k~0i1uo6>iNs9uu;(-s0J>I4K
zzVBdqe)}eR!p=a!X@>E=gqMughbTSW5FkhL{aXxYv5LoW6&@eJ7ZsPfFaF;zYBRaB
zc3(zTRynrQP2`~<$en>cl@x=-GY-W!D)Mpu*uw?5k0hAG@sSM)*g-=>K70&1gqUL0
z4f+tbnc<F*dpL%f2WH@`jZIBeqPCEL_%*MfU;;030YhJ~G3>v8+Jy4J9C-x!U|UMu
zNxk+&&h-q@bz@%SSiR5EYGY$#)Rkpm$e`I!;d)IZ4h10AIf?}}fVRZ`NHvJ{p*OVM
zLv^<uiE)M7c;&irocz78SSW=CvghZ|qp}T5BI^Jb1F9xZflTMI4Y}KL>iqvb@kO?3
zvibqJn*P-hOpZpfQiz|7b=#|z0M3ZY1RZ_~5)#mCP}%v9+PRZ>1=$PeU6@eW4I&O1
zX#-%Hn2QkYI5dzwavHHT=&^#c*^`>vSq1>&CWubNNr%L1)H^I_W+0-Qf#{Cns7KB)
z4mD31?g0s2;4Ae3(ZNqtpn~dj>tlIuyE^7+0n`}#FJD$9D+b(aXwgkk_ye``1?17y
z!}Aq8)gA!`Kr20V1=5T>=V8v+*x0{f<@FP%3`jEhrl|>QhpWF79<O6?7W*s{9h++i
z?aiw^!{~bIv>uuNt`RY8Y#IQs+W}Fl-``F}Sp%IaNI;~%#B~MB_By;|P>z;;_`m`z
zV(=P^dXf%cu)mcPxe+}*R9GlzzZXJJMeIM46z+0=zCVh?rV=;|@jXG}fXUm03Wp2;
z3$jo4%;FDBLqlGVs+T~}=t7ZZAJ{N%-{T*MmK=@9`MOA=DUJm=vjSd>#`%R30ZqzR
z&%Z){YVxtI?FLvASbtgWa#)DC&gL!OY;2>Nae&72aaGASw95b`r9fc!bVE}~&r^gm
zaj$fRe+4u4&nnB*yM2KS!=1#+8b}1@3aG+okL?6^J!XCpDh#-1&=IPMfBpUBce?{~
z;@9}X#xMt8=0rYI%^h|uiG0yk$NvT4R@~L}`*aQM?x8>m_a4!%>#t+KZn{fz)xlTu
zKUZ5g@Z1Mi%3s9yfBti`$Di@;|NQ-*gDNhDdegr@>Azv(iu2Ev5C7}^{__M09<V|G
z{fK}6G$io<_e-jc@%zSO`so38cUjzVP;@b83B9Nw;JJ{@G2$AydG?fFU-NG+fM+=l
zb+BA;#QT8)0=2*#YbckmM{#p=a~yzvBq})9*jI~a_yQdUP<MRp=>Pf9%<OALr@ldd
zF$+Hdgr{&4#-P=EgKiQ*U4aMyMm+;tQNq*eis1<`+(C?!(3iW^kxz?(YJd`OD)r#$
z)wegPi(~F?2-m(X=ffhr>T7Dsk=|fDBsEYevVpKJh~;MFlPAQNW}H76T^vTZ^r5sQ
zj*Rf%M2Sc=|L~_GS<#8hu$%dxD_;~{FsSMTNS3T`GMfGC*RMoQ2t^qODx3j1sXIDQ
z_8<lNgA_mwVSyM7EB)zVgWwZI1qVM#no)xi=VGuMgNP~!sU<2MT&7j95XUU)lh!R6
zRPab8zBcd{*iv#7-X*-SRf97|%R@5P6i_6I({rrHZBYz#_xIC+n^re6jcnyFOG_YK
zlwOqnRX+xlY=T(C4@35f%RkG#r~S{DiJ-<&sD(nu*lYX%Y2ap73zQ=vqs2jmFzb#C
zX>4Yu8tgYTzsJD~!GUiKY5HD5W5zZqR^6yir1!+d4$1F0f<+&+t$`@!yUZR&k|_aD
zN8*^dsuDwD!T49ldNcGBTHt!!pL-os87tAS7{g72BhCu!WpY~p>ayVYL7UWtGb5ff
znXw765=o^G18``oflAlH;TLo-RSk{Wj0@Ve-%2rj@Ct&vCM$CvpC&&&E(pR5JvKUC
zhum`jQeHvHu6LRKy&o7PXc6_JQ4SNoGcxKNZ9~kESOIq<l41acBdK|8TpSq%1;5TS
zkcQ1JbS;PB`WBaO7<xAYZWD28AZZ_Xf8d9FaMiVV18NdcGlQUL4~96JV5Utedhk7d
z_Gf@(2rsj;h(weZ!43UH0Jf#t#}#OSUlf=39ff%wq8IUV!PMxr2#O>@B~!73YqY2M
zh^YvQ*)8;edaT3~8Vq<4pr7$+N=7>P{X3Zv{u6h^KMcaAU`P-9{OARI0jLtjASx1V
zdo4CJcE$?27FhvoEYo9O)nXnUu$@w{xaL@GTF(6T1{^z!yGSCtFnpJ8-0>&W7gT=M
z?Kvy}8!I5<1j$i(&SoPbjvIy@fy8nRNH`zhUZSNO0C}RcwA9SxE|CDCnFJO_5ON$I
zA~=LBo45x6wPVGzy@F)U7WJ2I2$xrp_3gPs1C)#SFp&C{XmK5sgL`iN&n@GZ^4B6^
z?yqH$oa--=;udCm!9s>YfuFbj;NaE3z+Sj52CBqRC{W!HG#L4;_@NM035RcoP{%Nm
zgiCI;&>!pf+p^DeonlJTw)W+&u>`dP)U#<qD_(HwG$_lhN;tA@UnZ-@fzt18{g%O3
zDm!zSV?MPRcpNYrnmm@8u*)O+r_Lc5A?mBY^0x`ixu}!(K6*p?DX$F@zFb>u=N8{6
zB+4H4-57b(cVR+aK0GojYo=`>CF}a2XOn(qB{HttsYgAZkpuvWo?!Gs$Q{R`%h_{5
zw|itH1T1Pocmi5aJ}_u=hyS!60b1Hi9Dq^FgHTRxg4b(7viV{DfWr-3VbXDh4512_
z{MN&V*Rj3Y+V*D&DVi#le<XG)<CxZ4*4+GH)|Z=E+5|}O3P3Uc{Lj=!{&tThXdzJc
zRKlnf#*ZH@+d+8}l9AyO5D<9#{ymS@)N?Ek8stV*nC)Tlp!eAhc>y-t!f`r+=K{nh
zUiM8Q3cE15ffoC51tvrQ3U|M0MN5S5Bxi=vKZ^VHOE$ESm{NnK>;<m#D^U%vR(WiF
zLfpe<>qQktz6K6%8=L#@*af*{R6FR2x);DsH@s5!q3V6=@ncIb4d<>e-v9mzf4|8U
z@85^^Yc2r@Lh??$G%$e=6IqA_Anf6=<dM6a0WF6d@1*jFFK3CLzdxDM#|}*%k&I%b
zQ1+CRz!osaiK)pJ?F3V>j>xff#@yV-rYR!<=M{=|HSn;AU$Mbs$rO9!WQR6hK}ker
z=Mknn9*~o*SAK<L**Nvw=D#NrDlQ)U4cf<YGEoqj8vvkg<h^cSd0N|?ieeWueGoH5
zL#X43ZiJDA9Rpz;HRclLKHrJhOD5Z6?XRG06cH%{K#sD@`VljQxWYg<LXKv{>8AM)
zZ{L=Jhf614r8!CapPNjs&~#14TG7XkACIGnf}u?e?+qFwWWOs~9Q!2nHkam-`75sP
z)XGfq*7T1A?Ci4MaVvQ%Fba<HGR<5sCgGPTgUOgMM2DQG$I_82NnYFxmkNF&(U!Di
zh1{7!0sGiV|McRTbSw}2d2(<!PpICOv#B3&+7WAp4VyO6vI)o&_ZVxNPZ{6HNC>E+
z2=oA?y|pd!U?6OG%aB)qAPmRFiV}L_cua=E0K|mO2bMQ&O(HDYL@?r>9416HMO-Rl
zW7h+rs%o;3K#5(BUIwgY)VxX=nb!)!B%k!|2w0-=RGx%-^t3r=9-<I}RVQca$P+vn
zYQ)SoOBienn={k?e>TW6v%24JEWS4;%k!t5oW35=^p!L=Nvr5vEpX-=L+LvXJ3ETZ
za`P#s=mLY_x-=L0*?4~GlOJZ6KC%39eRnv7zXpxUII+Y}n}HLP;lD)m-w^u^Q5<05
zN(w1~U<~-3=WagmapED){AL%N<&aT3MNOBQhbsi)p(Mmsp`adzh`6oonHhlw_FVdU
zjfHnlDNx;}0eJ^J`|qQ03S9Rwc#9_qgVY2Xmt~aq{qaw9ehS1P0};6o6g_g_!ecg=
z;CgM_DGG}0+}ww~O5e8>uxT!oA}Rv=T?y-DWLZN)=YhZ?{u(@%wa&2ozn4c`it7~h
zIb`t0-cu*<F7@$V73=MNw>k062b&dqk?vgIwfr(8_q?+D7<XhzkdG1;=9{&;l%L8i
zpV~2j=7g~R$WlHJ06y3ry)?Q(hb|9uPbTJvVpWMWznlF1`-)ne*_UU9Ks2DfBHS+h
zZ?EWy1vdB>f0kxSs&VPyUL$4jSZaG7Ks!<<<0x5W|0(caS_a4-rBKO_+e#9g;>wjP
zBx}3<$c>%UQ<|a`#Q2$br;*MVF0jqT&zMF;f*atX$Xgt~ru-v~^yFy(nCBNBg@?1D
zSb>BKVpl(~I%xcM?c7-}w76}peIACjpb+${=_lPS1nQ7iX*$WL85i#+Va*W_vBd(d
zq-UQ~w4$P5)I%ZE8mvb&!s9=u)6vnbmy-H2<OK-xz`=b92?@KFE)R#@fdwz>Dvz}M
z#UE`il-6}DQ4zfdY_N&fPlw>{u%fwt_IdbT_>!YQ$0(mWjn#~7Y}F{s=)Z;|Y5s@L
zhNG@_$qP{gt#9a@R)T|jiv`#g+AV7J<8Jb>dg_K5`OCcJVhk?jtmikiTuM+jN(4Lu
zz|Fvh&r>a4t7oUr924L%i%<HN78WW{-lm@NuOEy{PQJ*VGLkt#wloNr(C$D$tSE?!
z1k(gi#7CoBs3-ufsVGQs-~2EKR3)@&Q{^+y>*YO@9>+GW5*87$(6mm7o)$_y)$Y@0
zb_27$-}uvG-uJJ|?e~$UBHxT&EP#pwt*=wrV%xW;bh&&{v`+PQ&-+zgt`=R05|~(y
z8%WoTsq{LHc~_UB0iZ7yJ;E2{*s;Xmu(Y|#K_FIpxm-WmVDR+jgT6}KZiDV(A_ZM<
z>ev*0aW-}+IJu8?QvnDtWgkDkUH=mo1|6W2d5%x}MI+85@TJc+p4x*+q*O$!31k+7
zqV71Ip?L<bEUEb+=e&Y7Veok3ExI^-zz-wB4hb)HC;{Xlc6MYEDzwrqIO%R6Zj!2=
zcwt~KqnfZjL*Gw>W0Qm^n=|EcH;U$be<`Bz`ljFE`??HNWMW5}OPq&KVU2+keJgF>
zVF}Pq^fN#*B@@MAwss_3ke~kpyOQLtU2xVokW1xp^&R?dYTkz!&69NT)6#wi?%r=$
z7~EwSz!5<|k!a3Q8~F?8QIlp)-0>sb&sL}((RFroG-t@gaZenti7Q<0VGRx98vL_r
z-9PyQrK7`W_I!PNUWX>l3x&ZZ>c-qxGP<+0+o<CeK(FfV>3Jh_>f}jUj28yA43j2#
zKtjsB<-Ecm%eG4q1W$9Qn-_C%C-*}DG3%wcYuB!!U4~5w7>581!cRXnP+3U%*fCbh
zUs~d!jiA(`G~6uiv*h)nef@(P;;z?5XNB1$pN50!ig4O-mAuf|3XB2&62B)%ALu-(
z-|W@gnH*6@4A{_*BmgyGn@+#n8&yA=CDjJJfW9)Urz(S8^yJpHgmob$ZKU=)*b5ey
ztMtVh8V`8$evVCQU%Re-kz?rh@v%s$p@HbcqtXqji@W=`H8`fc;N{v)-BP$J@8k1|
zuBB<|f2GW?D%XTM4AgS(P2J{9({8|WIL94s-Go*LO_czq`7{kMUm!&orl;SL_PH`e
zH0e;jl0}Tf`fJlbivqHVDjZwaWG-wV!y*855WyA-m#cR^cl-R6Uw{(BvDxOT!Yr8;
zfP9O4K^dfyC!K341h6KS6=0fX^MvPj?Rzfu5(g0~umDX_IGmkj@WSv~Xp(ki^Z+iE
zyikZ{8^K=yv{5|POF`B`${;nlc&!V+{Z%>?pPzq^ECcjAE{1#%8FLB%WujVjS|MsG
zSo}{yN!4xVn|n&S{DdR@6Qic@C2=&@mX5Q61==E5T2%-Yyjq+QBNG!zuu!V3_PcGm
zsyW>RQwRYG`wvJ0G$7?Ng=_6+6Bz6h{t$6RclpV~(MgH>cptwfk`q*xq*t!BU(n1h
z3Dg2*A+AZQJ9qD%)%tb@CTb_w^988%WQ4qQ&d8>siI0n;K|XQ5&>(Exa+IKm23NqZ
zOJey2K1I5Gllu?2gg8{6Omx?D39IsEX=q}#Gos{vR2ZE4K0<96NwMEP7M#BdGsCzF
zuRlD5qI%Jy8dWd0Bz@#SL#LH%JTf_yIlC|j{LM`erin(BFtk#S3J-yNrT(XV1x7+a
z!q;fUxWBBMosTaBNu4=xP=Cc7-R){<T)-JsYRG)`<;wetHzDOB6!f4&5Zi}1y}&sS
z-xXrRYh^w>eOv;~FN(sgTads>oX3cI7A-g4VdQg~hYpJWV7!i`@YVSUSn3oO%I~Fp
zu|@OaT?jTp`o44tb~t;(*ra5!_0zw0?_?>JxJ}`P!YZ223aJy4HuBvgEv`2zdelHk
z!(L2&@#2KB@g*xq2GwhCYBe7`ctD@6ABvoUckKbp{zAVo`qYbYST>()7~#1Hd0Q-!
zW2Ak6C~%K*_FOkzu|9)MFtAYhHJW>o3Z8t!&2wgjgNIPfNPg0_ql66XjeVgVJbJvd
zqJ4BZq^qd$`dewgx2dJc)}}KY(R2IiADhlQIZ+$;`6+GxUPW@1v>n?DuT+uTfSkql
z_EZh4kG8Jk39S+e-H4eYAVebLPq7$OCVDcoX2(aDmqv5;oO_E=yjPILgm6ieH6^f5
zBJdM&ADQ-H@c2yb-)<tjV8&29l)o{1yUfk|3Frao3y=YOELx`eNdM+m5Mc(qyvC_`
z&9@28k|zMe;2ojSd8C7`I{?>@N(2s@oV*$yULW21mJ_Aa^YnD-YfBnOkH!xsemsx6
zOBb&td)~$VwPDq0&hLL^=o)(qQkErksrZ2XLj_2KF<wFC`@Fmg_ZivWK=T8v5n^G8
zxhH4?lQxxAj^>5MUtJ}~1+|lOAVZF+c5-z+c;v{96Z_yh#D@SmX^8eBMt0S{+~=x*
zs&PKD3tt5}-QjRcYXxFG&c}+vFw?SLK&=aJE7E%QJr6YISIT?96>I38z)hU=phVlG
zB_)}qoW_~}$BU(kiIsKFRvzu)quIkY$MAVb_E6IwG8J3(*=93mFxBL<*b((;>84Z7
zwnxXUE`D%ISI5OpSB%q2A_KYxCl*qk<iU|?Y|bk#O1koabNX>)CFx6R@xhu$U|C0J
zWt!##ef6hd<yN&++QzUWqeqNB`yrO>dr;F*Z>N@e(sr85V4HcdH6v+bp_^v@#A$Q`
zW)`}-&KQ3V(`tU6kWlq(!N^q}U^1>8&rj5?56m89%AQd4!pvfP$!U+BT0be6?DTQZ
z^q#cK1|3$ZCG}e7-%WUbID)n@X_(}ZWUbtq<YU72MX|$5CX(yZ+yf%fLhn@Q9F1W3
z2d4w-Op--c{b}eo9F*x!bUd<V@wkEv>#u9qbOYul)|GZV2?AtgSfu60rntnOYU6rq
zK85oq9qm@XupOqaDYNOzuLGgl{(n@x2RN5~{|5XsqOzK@RT?6)N!djr3Q0yp$WB?=
zA{s_U$Oxfq$qHEsm1Gk#N@YdaoA<o#`+olK`#wj<^E|ivh@b2Fj?d@(oP+tznk_Gs
z29V9&z(qll`u;4hG_2fyZP}4PXyoMN9O9n?d2)cx=GCiKOQ(D|LcK$KOjz~q*mV6+
zeF&!#8eI@^tgJLQmlN*Q#DtO<M6Le~konRBK^T1DV#V$1kU@0fpZ4k3w&tCVm9X1-
zv%WkIDOD}f)3PKvrpQ)mw51`^G8v?RM<KL6DOUU%=N)%~Z*Q&9{!A1(<%dr19}9c@
zcvFy~$=*c>L<v(E7<G3AI7G^yzN7orXyw0_Q=vdoCeoN8FBA(F1V9J&a$p?*@PW4y
zRyd$QwIGf=ftvJ>i4$60%q{|pME4*k0$dw%5&<_PD(URpOo@;MLeL5#D6nYrg3k%I
z2C^Aux}KgDmqRZDI4U4LhK&M%VBkK?e7y>(DL<!N2wOV>Vg*YBUnVkqzaR@E*#je$
z<fnT0Z&bh_!!D~PT_0m1;34BYCKwA)b$v%=MDj*mClE|SNe*NMfk@PVl8B%mj0j06
zb|C`x<xr6^P0yR-=i|EzE88T60AfB-r-MilhqV)yHV1cXK@YCD0E)aX=Da9IN}Kux
zI-LMNkUlMpW2DKBGLM+z!&Ef)f=PS+w|n>QU6~+veMW)kJEr<iQ>I%j+4_#-!xJfN
zfQWU9ZP|ga6N;oA_qTCysO476uH_dLL<CzOJ#wTPdL<~`6p9;Qv6uSm@Z;=s{42Gt
zbd7Yhb$C(m-#lfw$1)pz5Wb6>0k6TpST5srFv<+-wVdM#Gc3rnjeu7Go0P?F$15Q=
z{4y^BYe3=#zE2pfkY+dVw8I4<=pahQiUItlaNxo<_YjYosOW&W20ElJyM^X3u&VIE
zK+f!InR5t7NROfS)8E$tYRRLX!_&tNgG1T1F~T&9&oMg$985r8h%rxIDEE|VA^28k
z#faC~ZdoYzWM@&H^NRI{M~vK9@C=}<yK|M1F)VD49{)qtSi|q&Xz^|2y-)Z~>P-n9
z-+Ej1Tm(l4ra;cv4$AO5!a8bXWOKIm!vF@Zsh0W#<E!2~+1ObEgWI|{Evk|q3bcYm
zq`Yr)1O@>6L+?$Q5;KW{FFJ;X4AKc9@SyO2q)d#ja1vuh2w3VwMn=;2AD|*&41`nP
zhvY0=SILZ+L38o&JUGSPeVmZvBf0nvlqTN?Bnj5v-n~^>BL0-)L+~<&@Z-(&M_#Du
zUykYEz#-<nQ)DMh1Uv>Y&=N0Y0NjP%uq~0F>#x;=j`jWACHnka6sNtqxdUPA%RI+?
zq!(F+fcLN7lmW{JJJX?0*&t0aoR03(pPc0jK>%4sF1|m;%S*V5fRo4kYy#s;vMS?m
zw*>yf&F<{8O(v5d7nmlmNOy1|G4uo`+!`d&)4#N2&w?@<!x8LFVaiuT#u-X5+%naW
z{?ol<F|d~{o{**dNPy^=|63Na;GuB{1KP1H?2*-4MvUu2a04(2EUk!#AW1j-c`a+=
zaP^z?3s)eMVRUt{`jve--#=I*8Sxl$$c~~UCmZq+7rlZm0NEmq+k{YjFwYR6GHiOV
z<cV>Avg7f_%M<_((R<(&f!6(@eIJIoG|~xndo9tr3hb}NF*-7wxJ;f5Cl^#|Hp3|S
zsS}4+_(hxGtAc}H{wSjfvN8g>YfxhmG&!o!02D05DT+1E*Zlt4E9ovjmIfU?l~u_D
z2i{$eKji^<iI(KC^+oyB;A5Kj;dOIQ@Vc;L2%|XQA}~!Q)ccshLh$gS>z&3%du1d9
z>;&mGJ)M}05#`^%;X9p{8yAjojZFWFwL?@bQ`T<BW47I|YWHeH*AEH)>gg)g0Lp@G
z#F`bJ=XQ%Ayq!6)_&dLeY1|1nS6YW9k)sq?ff!^HsXegM2W*N%wT|QT>E5xe1+dpH
zxR*X&lUuROLk#wb{2}aU;pmV_8cMB7C?vse3_#_NKX@+*35E$>xy401kGB$pc9)YJ
z3XA7JfZWvKu`(~X+&K__PVOjU+xHA<kGa}N59`V}>tnPQcL^67f_wGyfID6P+PLX1
zj*LwOq^NPq!-wgm`O>OG%sIZ>xiJur8c^2YlnV+qAB?RbN4PQ4ypK@qnV8wg>IL|=
zbiFIk^*%u!Jw_IuyfeER0HHlJN_B!6>j&l(?uYMcXFU-ikv^c9tt~8_J5VVlY}bF1
z!0_Po?2~<tS%?^iAZt12#OarY9B#h_(Yl0*+?E7Of(Rmm*F}-oT_Zo-pTxKdkd`*9
z?=+d)?OR82goi4M0Jh0GRveiqgOSVAi}k_*)zf5XRBzAxVvf_p6o^z4^I#XinN3j*
zskxyQMt}^j@BMrEjy`_?@Lu?mkD9>N1EnaHg{~XXWCcGGVVqKK42==~o0(|AgW4VC
zpAvRpIX$7Hft>?F%0H|znFzT5i(TK@*Vm`}X5})kll#Z&BJu{$^_jiYcMl)GAvFE&
z5yfDX+F*qu4a8QNja)GHB>hETia>Bvf($3Dk8v?N{9v!ekcT-`1=K3SI2?!Nhx9Ay
z4soS2n94xNH#oCIa3jfP?;XYAM($H3yBY{#+nEE;YIi<9d%Cz|qY?*lu(Fc}Mp`7J
z^IH|UckSor54I0HtF#2l0PE)01k6tw#JIwQZO{Evfww`L9GoZ~Fbm8MIc`PrW>j{_
z)r0&VHh9%+BmzG&Ud7meKJl=Q+@7<KlCMxACeWcE-cy8m?ync@8L5UwABJlc6~SeM
zwV-g9%4$qZaiPG1q{fIL=UD#Q=}mfL3CmqV@VFt3q{&(t9o4<KKa|OU7e4KwXAp{J
z`6y?me4*cDcK1I-c+wNqPOFdom|Tzx=pV)iljt!6#eg(WCo~0U@tDrq|9HQhMA()v
z*Uxo@_eA09F$sA#ui1C67bcS=f!V7(2Xpe)#1J_rNCawtr!Tobh7QC>H6_*Ym5&%3
zQE-GP4S1DCudMnv4YySrFU!Dqqp-w7;qgB9$f57w$uWa{v*yI;_g3JVX}M44Mya1n
z&bOhPraRRVENYcF+23J2?HVKt&#HQ?L;C@H4v{!zriPOHYFws=*x9{XxQ;WHE33cc
z$kfh$3;0Y~>g-Mcn+(LTLoZfNAe0!Sd9Cyg5QZdQdUloVMcfqVw|gz5CL+K@g1I0i
zT3nD?{4UmEm)C=(GVzu=tvwbk;jADOyhQuMDbs&#-$$*qU8$Hu60AIrlOPrXr-W}y
zRHH_e2CY8>JYM&4bH7g`?jYH8t@%=V@U~$6Lm&n~<WScz?YF}+mZNJQ)tvYr7oZ+E
z1<=cgD<+!g2MC%BVEvJb$NwY%SWcfbhXZlqi}h=OVu#p%QoK-$e`Z7BDr9oLKJECG
zH!j=JDG@n$NL;R#z?9<@&@3^Vo>QDB9LL(d*PQ=vzigMFfBkctkN-*+U(U|-yA);;
zAHV%*5B%)(t0a`aD$1P1-_(_Hj86N~CE;hg9g{RRMroAleqV-*D<-h^P!sxYmNLO1
z?kniw;W349%*gHCiud<J+@ZJv^d$hs>Odt{ta~rHDj9$u$3RjXCW>l*0XfstC!l*_
zzu2YcRXRVW5R^I)`8G}z45-x8JNiU&BbbU^=PZ4jSRY=YXtvTm@sSf8xpTcXS!%3U
zhw@2AY$#?GSFQmNC@t2Cvc5X$m@+c4JR5Luy#%1(!#Wo3Wn<pm<<GS<SF*^`SQ}}W
z_B_Gd2|y}s&sd1f@24+%#(OZw3V`XAVoVoA2jDL<FY4Kick8jM80-tpm?;6Q=IeyS
zcaqV|0eZzpWR3$si#`p;1q4t7J-^<2Brvspk}$1#xZi=gp(5!cDykzGE>B^?&4Ke0
z&NkJ-&XwMZZTB~pbKNoIsll5W8HVO}9i)c+FnBPyA-6~W+YclC#CA)!)=Q5HqUQ+<
z34$O5xy}`F4S5DY+Gx=ii@jFF^<w1(wqtXAAJ`!BDu{5pM?L9I!T1{l)tumsZtt$8
z0!Xol(}pP7LOVS900mRQdtLShtUNI_ln0zOPW}@edm@UT?*~Xk6d%mA2yKtSDSf?O
z>g674)$Jt5O{ON5<C<Dp?_NjNy;CpIw|!)p3bjE~#awRky3Vqw$ho|83oeF5qh58<
ze5Fi!mo(iQWB$XfswLomu+8o^b$oo}u(RXnYqI)VDv1-6OoCx-iJ3Hue@v=4pKgf%
zb$LV9Yh_0qGBt;cPwx-?(nCpw^A0_VNy=@E(~n`adLgN(Soh&`dD92N9Ysm>2d`=D
z4=rRKiFq=V0N97MStqhp&%q4uDc3^UrWQO8SS_7<aXYoOjAf-#n04IZ^C}tx>XRH-
zU4)NPo+UvLMTlpnr~B_}vD`tggEv3Nqefmu5O^`VsDidoS0eHGEup&OTGeFnBb^rY
z-+<1_Hc%M(v!Alr7EKJu!6klKCPV+vcoi0s*E>XxQqErnLzs}YUAuM-$4cxpZkTNw
z?EjD_V9>A_va!hEzR>5KHE$Cl4c`uvy*kW0ZE^K6+c{W?uu!zrM~IcD{t-DW)YNm*
zQd)L|-D>&Y7SOLh$?~G!$MTQ9*Kcuby4br}arXi9!}R=DEb4z!QNv-owgm+w5%kEY
zl(_8^>?C{Q|1z?()8Ph&{|pxnG*EKj!JBlkZW&4H=N`nc^Pk@ygcE4I*amI?qI-p0
z_PgqL9BZ1KJmvP_*bgmYF7XoFJiX|4UfhT;+TPfLya0DbvXJ`xk5U+d(vDT_*i3Qt
z%Uuc_?;M2D6|3DFAI!_=yXP@{CV+jy_hLKUM6kqw7%Te?W1eC**%_J}Ds-?Vt#+;3
zc@)E~glke7rV=+%&77S7Vp1gLYjg;khafLo+xVXw{r&qL*r2{Rzk7Rj-PuBP^5Ebq
zSy}N~d1y$>rj{3oYOPhm`A=|+mc@4mM_X&_2q!5pieA;?7HG*gO1{da-#UIiYn0*|
zCzGyD&3}NMPKaU8pP~AXoc6z}ts@*iRiBPenCAETEm?QEJ--qP+~RJJ5cU&9G_At}
zB@c%-rRk;BE93bWj+~rJ_D*B*D?Lw6(R+jn>6zq-!^a;ArX9y=9?2LSSO~Lvaf_2Y
z2b1%3V+i6zk9K9`zUFX)8c6T=N~Pwdov_U6Z<UM5r`iQ<2{j!uv7S$~<%Wo#PqRAL
zG0=88RRi%|eTklfMpy3}#y-G-LnJLBx&nT6vps73Q3^@tn=MZ8l>}2%@7O5V#Pj$;
z@N|lML}}EVm6XQ6@~JO-MYHls<Jw&pB6*^E7=rp{wEWo!(!rF>+Ne4~3I!nu*m3sv
zVR9eR*1K;<;s9YmU}Ju>(NJs(9^OW8%yN(=i6?KvGH3T^zB}gX;q&BGFcqV<)$o8?
zov1H~$v+thB?$mSM)4E%L-J)Z9M_ea_owDloOj;yx=rYg6Zf4p0Ti41r4Cz)?FNbp
zk2tB|^%1OR&@qWaExew?jTX0PNP(9Z_6PDCG7Q?;56p%DgoMudf`-Oh-2}wNvSU<f
zD=rPmno8Hq_=o;x&3XY|-iE|%>}QCFnd<)~K3ZtUVhUYKcTrOSxdCYDvKk-qW&I=;
zfb0Kf0VIr9D7l#nLrs&cFfPC0a3WB4En6+F#Dx>eFU;)LoSz4v;oxf?*?J2_G8xHC
zst%_;i2%z#j1bTuQbS20^)+BxGYu1TQ~$q^2hl?cES=Egx+@fa8E_P8Ik{cBu&)3Q
z5dTOdNZ}gofz+=rWeT=u3?xE}LHjH1Smb$|xh@4v1s`9!f_aTtniY5G8K$mN_zKvt
z#<Sv&M4J!77Zqa$lo7-sxw*}nh!q0>=zE+@YCT0ebJXZ@b={6iu>g2_0|6jVDaF&z
za5z92v_n>1(xhs7{Q8l|#bG1J@O<IpiarSJt-JFr6{n0Wvtdd`>+TAOhsp*@Qmi_+
zp#28<W^|+)x2L*?Nd%9SDIv*ED^G_O05-<u(I@6SZ-atNV)}f4`WwcJ-|ioNYUJ^C
zorv*vIe8^vp`1^+t-H*l$m~msi)a+Qx-mpCL5$CJHy6g9&u1MRoqQ<hBl;#^f7$MR
z`}2k$@9;iF2@1nFDtC9z8ce8cY$W9va8(m4t(xGvfdNB6aUgwAVl4RX-gYi)o2}KV
z;3DE6UOcn1fC;@n_<+4Vw0D?QW5wt+(j8<sN?L#7OkylgwK?ZtwQ^zmBP~A@$X5-z
z)Qjn_f~%n5kRp&uSCzH<OyLYXNHNX>>7UM$u4hM)hxcy^g*`?8YxNxwOLnTGvO?b3
zd5=W1(B~3~6SDl3L3e4M{uX`qdDr^v3z@69nZOC~L-GeE5@^7yhi8}vcB6N-$2o^C
z6KVx|)Jd>5@<;rnZZ=|qe5!pt#;RSAS(iKku98Jwxd+Czwy3X&*a#@W2!R-c1^|=L
zU1DS~QiO68Q@m4X`aKuFQ4?A8XiFV->3Ly-V2qcD7|Z9wXM#+#CZNW;he14%LI@{R
zVhA=eg||y5^a_iFpef@dqV094ed3cthEACm_%cY6FvT-!U2XgcmkcDa9|ZIf8W%^1
zml7fU{HFy<ywuX6MK}$CI@a@Bt2T16@Hl=rSf)FP$rFG`+!GK-(j*>kjogtBGhHTW
zqYsWE)I7R3K-XkkdQk#A#~5_|L#MYv%O>P`DP0Q~C&~5MCPQ!_>XwM?TU=8$xau!x
zY54(B^XwYKlo1*Nf;yC(J$Z}dfk?EWry&m?jyuN_xZbwS`0&8TFYkQpct0dW$=+TN
zoIs+f@;q^#Q`&9*D1p|4x0JtHRZ~MjFl7my>z9TvZ~jo<DepD6;<)Vd3Q1k=6$~QT
zhpSqy$X~j20_`;gUjb>-vFy9N8%bW#u)0ZnawvI7_IurKk4`)h(8q}D3E2;bJqT<O
z`<J&v@Y68q5d=?yV02-^S3bW&P$a;B+0$+*nmG?go3HQz2Q+-GaKJ|ZQz>6bBR@kz
za}Pa0cBdB#eXccoaCf8;GuOHNVrx2u)Tks80SG!EL3y9O%|llQE(%g0t0bC==zJUf
zw(JaiuI{3>2y_G>r?m}LH7$75I%`e8u!pw6gi6=TI+>Tv%+yrSQhBU1vi-UU5y$|q
zEQK4QsX@}j+18xjNq8)t=Puy&3A5qcyHeGB*XBRQiV-_Fl_3E!x(-f4waWAXzJT%E
zy{5(1m)C>IIw)T3cU_0fPvKCwPyNt7$WO3VsTc}X&YpdVx*B0>3P%|!MwYym;Qf1T
zwt8-0W8E21rG72*0PTuDD!3*p(PAACeGHCHygd`?(zj1N^$K<ApqB<kc>mF(pHij>
zO%rTe2u2^kW2%t)<m6~HC(JhD)?d7F1`Mq&47_NXT5`v*foXR~+WUAIeKr?8(Wq&O
z6HQFq&-SOUtlri2(pEHefH#dG$e(r9bSj5sBqI$sN*X2bi}2I&2S>G?li{!B!jezG
z3{XxHfsBxMj{F0^hKJ`NI>^`UZP@trt)=^8<&$K=+QedPoLARGGbx9203QrXQ*{To
zsnC;Z!O$~)(8DpWy}|WP*b)<(7cBH-nSn0PTTssd@>{MD?O<^HbK5c=pdOSuuJOHA
zx#j-A10{94SRg7ehCY+fuS^)?4u@gby!W#X>@h+e3U^z?TSj}x!19HS;O0V)C|mhP
zZt3yC1)kn7IFS94J1h&=#91Y9XpoHN>82sPqkyXhkT=fesJ$LV*DAb6!|hC3{Roqe
z#Io2DT3r%-F#V061;)dM$7H+9Nd%k$5wT9bToll=8zuV5tXw2WIf+CU3Agzy<vT;r
zU4mC_deiOJOC_IaOaurU5hC+DHc)*jJ(WS7uUtm;Abb{JKV-Z{wt@M{%bP#XVnal!
zId5L&(eXq^GlkkY7F4sBE_Gem)C3wWu8@48$W$?%SZo0B!6-1J8BGj2j*LcdX%SZZ
z7e1w64$;342Kn+IO_IF)Tkqw4w9+_Lb_3=SAKbWRfbH0Hawf2G%r9C6B`*X<d4yM~
zlp_ylL$zs-RquxoL*S|}mtxl;7pujm&jVv*{;&w?%PiR|23ngh#MJSQYgON+po0dV
zmaf#?S0y7|S8>w2&h8`2G)dd#@x83ID@pt5X*W0Vp~ZXKgSpox87ricY6+&5*(WB}
z%V&&OK?{Rb2^o#TFZm81{N^rw3Y2&F|0NSK9T?pt+vGfi)B9OzY0TX02g*BzE<g5j
zb4qI^zj{WxwK^tv^VA;66Ib`Dk$Z=8Q3nTC<%HM`-K?Rs_Tc?si4G4kdT5faVv&LC
zEF#e~G=(RmvxhZ+1}7AX>Ec3Wrv{ASnYRa9gJMK{BUv1oAY}h-*HrI5I(9>X7*dqE
z?lTft!W?(x*+gXPrH`tb?>JS?fW`tD*2ujgc<PFXi5Wx4sBn`_g(z!zd0AiXt@dYl
z88pdSw~T*DK9a7f+!!yZn53r^`oQ*2CLPJQJ+Bmr$~~qwb>DtdJeNORKVQ^^>F-=`
zJ=9WJF$d+nIP<8i|6^rQj^FrmWw(~|v1gf?y@UFAromDD?>1Jv^zKP0Gl7cs8+Yk*
ztKZu<Q#zeb*IJxO*r3I*=AH7}N8dxYbC(rX)$$HJOP}1UE9xv@c@3V`h0R{~<uW%Z
zzLrSTqhVWoz4gHi%bWQaCKy`eXLz9V2BA=Bd0QVSXrR*(!l1P>+Xr1(?fBHK<XTAI
zV7Fn}u|r<z1j|GB6b)slz{BiS#mCZf+w<oMDl0KquoC_qi3#OZT)$cK%!um68B7R*
z6q_!A{=wF!z9}=oUlb@E!T->$!L&1w?Rc29Gt}jzM9nwLOG_<l7eeDO5~Dg|l+La4
z00Th(8$6)sr0;UnY#-}U?UtQG6p3z+^k7%<Ot*ji5NO-gJRZF#&=@lz@6&q)M&wk+
z8pg)YE?O>Nh=nagScT0BTAeDQ>y(HTLcEu@#?ApG2TXGK>6g0_(VSTHqT77A_U|8A
zQ|FK3LQ*KEsDZAJOTEU=Sx}JhX$c$_TZgN)6<J^4H&GpX@P)#9iKMsUE%l5SZawnw
zc4V-Wx?r+$Pt>U4f8AHWSO(XP8zZvjhi6{r=Tq=sN^5EVp-Or1tv484DdQ{mPwk)n
z&f-(G128-h3m<=a3PlKr5V8UfmE;q%N@s*099#E3(Mb1q^mWJ)dcKh{G3mLM<oHC5
zwL5E^h6*-P)VUQg5E^*P<;`FM6)kX;9Ay)i#?96gWs;G|t1x4nQGqcLk<VRHDOGqn
zj$T|50#uj7^%@Y4J^T#yVy_m%$0dADzf<#t+G)rOaxE^-jmv1ra~}MDq42<5udADz
zupeY^8Kn!ruJhy`Tv}Usyo1wGvkLCvEet;CGo>b2#F072FYD`Di`0%2EQ*F>mCg0&
z12C}5+OJUxtD94oq<Da`U*;3C1{WWX{4}y$4LT-S`7vQGZIb-({3aUN%yuu1%_#d}
zvMo=fPg2HJygoItPYZM+WzOVxikdy}>kVgoi9?LpM3;AmOXAC)6rEqGH~UiP{fEl<
zc!<O(eofo>oH(DtND81}J63)_I{Ko5Sn{T7X~IE5^$-y)&^|3n`Syl6jthr#15n=X
zU*GA^R&ynBwNy3u&xRw%0>@XS;v!bQzL2Db%Ma6ootvk;+PW;s%+2W)gKxZDdU%#C
zqSI(s7pt-T4#2|_Y@ZXq=tBBLXj#A&qrK45*qCiNm7SbyQpMnj{tomX`=1|oFGr&e
zR#FP+JDoc+G&V+XHU4=A6&|c7IYK(58}FMvfyxqm!m4{21cwz&48k*g8+SKj4A@ne
zDmHD?n3<We_?94<i*O2+gd_F}3JP@3l;D7esXk5UnRY9_%PJ^fX~FksvP@98iz}Y!
z%PrS9k(2&!v2*R-+0tj>iphfaRNK{ARZ{y?C=ZYvw7x<e%A9^Fo#k!>>2%UD>kEZj
z9FuyYg@TXV66|19G2%7Oz?QSEJ)-F+2eizA&oSgl>+@Wv`K@}=MiU;SMbX{7ch}3q
zLPLG188}EJc6&Q(yXHUjI$~rhc<Gx+K$JPaki@1UsI>-vBF>UoWj#+XS$QnFcYDM?
zB7-l-#4Rg*Xxe3+_jns7cpaA{>tgM(AD#AiQ#n&B=O(7ebka}$TVh8&Ce5d=Uj3FB
zczW*_3J~{vg+8w?%}^J9KIl^=R->J0?fK<_ugu5uw_ngRa7cR>>Cs@KD;8MwGx#zI
z&fm_>AMD?bw5XjIFH9cH*Nt0TXM9_eQ2P(-fm6owyp8rh3{Kj87FZ=D*LMvSpkg!q
zUBqXnO;S9tBd@1YbaZU&RpAz=MjUfVE!V9NiOejy|6>=&R1bX+Gs8`?K_G5fK`Qqj
z)wL#T+)1^4X9A5Z>ijOdN`O`nr{&AdUI!T(Y)&fUR~Jgl=*GQI@?cLAT37Ay1lKeo
zC{}mz1Byf_T-Oq%QAPmDEZ7zr6SI{+O68$uyMm`dXj_Cx5biYxPCx<Bf<5nL-N_8p
zjYuVjh%&q`X}LK;1$)ZpWoHy$q!3~dR}sZVF-9?>Jau;LFzvZ7(_~hEDC)*ep<3QY
zjJsH%q$1=;4rSnmDaIJCd8X|leF0B7Ht#TDXS~8(G@t47HuBiN;t-=KL&;wI)sHe$
zFKwtK=f>1aC5{h$S&-Q$;vfj6j};fqmVaI^t+{`yY<F|kJ0H%9caC#54h~N8nKK6)
z$oj6gl@4mG9F+)k^6$E*7`L9cJz(Pnz1ruUdADcA;qd(O$)jW~9yrCGR&qpCt9)`x
z^yBA_dq+AGQY_U8$D5B|C=kn{Tdp>8-V6sH=3QCKa}f8g1PZm^Wf4De<ip4k%t_{A
zc%1e!WsYWq*sguRHH1Q)wf$qeIl62Fq{Ou>6%-a;w!Lu-sDWy{<l{Nd0CED-ah;7*
zOitQ}kB;6<3gmtUY4ZMK$3oN!kK<BN{Aj?F(Fp7REPF?;8*^O8FJ<YF1u52~iMqfZ
zkYH2_2s~ocUb!<?^F<%8B@dGJaO=EX&;e`jf9AEmWR7~<t7>f<6=#uqRnLldWo4yY
ziV3Kl$zp=d`Ikoe#qlNrSCFQiFtuL|l74VIO<M={Yqs?5RQ1VTv&2aV{s}Q8{PNRy
z?V`RVyKgYP-ALVl#0`n-mA(F&)3MwVk7y3RxVp6X=pW+cogikX0mMsv9%_3y@T@kE
zy(h=^dKsNU9DCwjrwHE9na>CRh6=yd@4T0);uQeRH?enNz$EtaO#l(hhp{TMnV`NT
zi)yGvWkqfJ`}nP2-VHxv42oMh2o9oz{j==GmwJ$1ym#ID70VFpp9LO%4bekLkU7Vh
zujo<dL-<`v?pKs4&6j~yB+_uRuQBf|)U|oVbn+`9Faq*HW%C9cUY2uF*(*EV;j!a9
zwA*(7`h)9f5A)t%*=lg1rIkAi!hP0k16@NyyO)OZrVX-tTP7&Q{&|#>9$5+W7x(l<
zG0!HAxx+$MFnFNkR)DC_tK2C!-|V#qbniX?eIOo59hMh#?djS3*c>dLhz_vF#b5A9
zVp|=RR`{Ok_%BMW5PtRG`N+qQzlC_YaD?w^^8FKjtHtJ2+z$zfs@o|vW5=|<ySK;)
zG&Zv5mKSXYc9X(IZ4-oot?doreGE?4Z)sJJdq02wR()Z|4#BsSr=893-MHXh%p73)
z{_|&T>4-bVPDJSf-1rnR;JOX6Al78d+(Fy`MEjd2u6+8~{6T$b_r-0{f-&~KMxRft
zRYCqubIq?yN}ky3Z^*r_phKHZ6)GyL{y>M6MH6LNxEwn72hS3Yc^$@_0-O5E6QDe3
zYYV?ne1WsC$42XfN#V#*pR;^9hF)Q%^$z2wbYp#<AK!qIMD^^GublW<*X`^$Z^-yn
z2k>#eoR?126W2&?Ax4Whb`%$Gd;I=cW@4vvt5S%%=)Z|Ixto5uK}e}vadTfcS>IR~
z8!5hW^^TPc_sh8s+Omxb1%M}%<X1<G%g)P15@rB2$KH5PP9+P9Rxuc```cNZkT_B8
zQ{(gfq20a#L%$;?eWCNZl2ELeUow0RN)|+LsxN+Cqgh*yMBRqL$8)brSc!TYj$a{{
zI${_=7*p1O?F68`k9fSUlm|)f8*2+hvBdZ3!udkBWBRX2iAvlEVI|yNN5r&dpXFT_
z6-&>}eZeK=IH8C53qD<<JRLr@|3W3h1zfa!45u-q$1!gH=+GlNa7Z~WZ#;$U5;v}0
z;d*-73mE#e)Q^pi!%*GqZ?fJ);Mr~U4<9~68Gx3jI>rDz0Bn(2ChJcBe5a5455Vxv
z-=C!(BXYl^r@*h;7mxQBF+WjwVRlYMh4tkP^N`Wk+2w{$$p5d>ky2ZoVJl#(*|WkP
zA8)^MmQP>O8{C_G$>;j~)S!c6LX$87K1}tu8%*^8gYds_8feHkw|rh~etsut#bE8E
zY4KzRC4_|;PYs{DZ0G^79R3&TO)X%L5~_*p3$}qipZnOfcy<d33-diSG4%XCIT;K|
zE1UvfT08!6(pjlsQaw6#RZozut5PPd{B@;UfTj8G`lcoZknLa!!FeFlCnko4qEcwS
z*z9$%T@&rY%^%^wNI2;%E=7r*TJOCn5yawSTmHR2nE&%)>P2794NuA*H<kk@i&;?G
zXLW8erU4R5X!c7=l5%oBKa<9z1>6YngnU=nN!U}P*u)>wAgbWNGYy3CKv@~#UW!Z9
zAr^{e%wot+ax~d$R`!=UGr(~tpXdj%EV8C+r_n0Ibg3SdEAt#vx^8eO=t8LIg?pZa
z=@tS4M|*t=kR{M}+Gp%5fP40di0r}_Q$j?=#fOkpM@6VgS-@3$HeqRN`#c0z=HG#8
zQHepo{c+?CvMy9I+gphR2HEB1KhE4nHa;lCH?su!SI7X*4^pJZtxG60LR}xrqY2^W
zzPHZCI;sJ4SUFd1kFsUf7sVwYtLUCS(=`l@OV&M6z(b0fnmcJ2w^Om=&WKqdnI^2S
zndLk>2B8sdeK_n2t@qPAEibKi_Oh%zKJx!w5Z|=Jw??sKv~*i6-mKKltnJ|3bx)6d
z;e8|v8Hpn#0Q@!IAt0ZCe~`-Z7SNLpr})vMfu6SJHdqH(Q5Z1;dCWu9E@91pR|JIC
z4}?eLz<(baqON^f9k&7t2_o3Rv>}o%jT5s1mr-^Sd}wG8M~g``_Xewt-2b=$yS4&O
zrN2%~ewDke3(=xysBA(oo=Bolv-ZiZFE;nTE4u{ClJC4F<StXW*O_iJtmg0(40XMi
zr9P}wP+0JNrP71UuK50!%PyE<_7PKFy6nkV9KN%zITaO8w>vsvijzEn<OaInIcF~Y
zH!gXGy}zf-mIpT04E@iaGTOguEAm-Q3)he2<;n!6-sz~-$+&cuvg5S4!8n`{nf4C@
zc%*AB87pr2)1b3_sn4X&8eWA9vcNBm+v(jRAVL+hFnr}l$RW@%txm%LjgW6aE@L4m
z1kMDCUSh1+%%yE9!lHQUU~fwmd=3L=!@%<~>q-(4i-N}|Ny>sV`yA#*m;p%-dZPCK
z<XQbJw=~}OaevrZR?D&S*r=!g$aA!FgG$6+(xK>X^zh!n=zHhRbs3;L1tXh^@NaQ<
z)Sy!Zn+Rghys?KjFf9imqZY}LqcLHq5(CA2^Zvgl3A^WOS2Fe<e%V}+FyCaZ$u)P@
zjImgqjVV{w%jTS*Fd{en-Qeq-G^NuV^cT}^6Rc(=6WW8$N=N9m&YY=&kNU`O1<FHs
zZ&X&)Bybb~%o7s^r$7BRg;Nj!6zJBRx&C%gwzJa9wM+?2FJHht`}gf51G80Z`*hI6
zR7mUM{M$!+xb5IVfTO7(pmMY7)+&p0!Ug>Ce{W?doQSI?qwX^>Se$B0{yP)r@8P!4
zO8*BUXmIl|9%5~}Be0F26(A4W7=fxqVzstgFra|VfF~-fY402Nh@Ll1D?_QX(!<>y
z$!y(Z3vGG^${ydILze;=j7W+r=&~vPS288|8O9WC`yp%R1D^pBfB0WBzx7T>6WV4J
zXi(;~4=)zXXCVtVlUqq+<8)MDQ3|B{8+zd`-fdvuZ|4;I7R~YXZ~oXc6sX#@_Z(^5
z&5~_zK&5bRlBUSrJKG~s95WbZQ5G;?JdT3KfcE#$Tt4bU$aY)jOhj4e_;huBA)+D7
zAOKesOhokU`v1MYtAhn6-MxiHqnd4goG9`Qr&xC!Baif#Ik!>iTlEgue{T6a(3>4F
znL2rG(^;O<WBmM|(_99}#~*^uv=_qB+&9w?E<QUQAWRSef#6afY~=M3*wu|(4x%Vy
ze3;GuW9RSKeTKf%l^ZLS_I=gtI<Lt`RyQ#ea!r}6kn4}fk?nD)s_x!CH_V%4V{Ljb
zoJ0Vet6-9e6+Eq?0$^4HLKw==eYwSYkBJ;S(5wELgQKp+hOOlqAHYs<@X%N3&NB&U
zi3#)ABEMGHi&VX#H=bjcELF#@Zb0TVDu(9+4Buq4c|>#?uir=rf&d>vIW0u#S5YS@
zw#VbbXDz*>Nri=vFSLEp0H>(V(iPeXdUQ(tBo0b+Ib!oZ70uZ#XZqCJ1;?b(xdr&R
z6ytgOuK7qR_Sx0-%$f(}-TQ_@lVx{Dx|>e%6&o)%WiNE7{|D{R#@#C1{d!=%IZ<Rs
zy^k+-24nlvaz89*xH-2dGRD*s$_X|$>+@W#F~o3=M0@rEQ-12pmycTfGcHFxd7|9K
zi5}jheSi3eYgCRCScnS6NuD@6`EtI^LwZk6!dq~&;o7zJUs>GM8~n)o07sNoZ?>{t
zLv)1jpv4x!E!Q^F5zpF@Q(OYU4g6axx|%f47t;K^dE6v>whK~8Sz-pE%xe|IazpF(
zehkN#bqwdW26fCO|H?KjRxe&p&y!9sLAnvdm3O~|Kq4W^q?f8ege+G))uKCR;;22B
z>vrv0N{jS4n|i9}U!CiI--LDqs?c)(y4B*!BI~Tmbw{XcPhr@Ob$%|RR=Gp7!+^r1
z>wH%y&iee^Vg%NVcilkHEg(}cRH=sX`9Ho6IcFfVw&E8f{&>4aab3D6-I-fm?;{Gu
z&E5M-Vwa2G#f@9!(vBYPU-&bigsbJ{bv^-0+U9;Ll1m!<UC!P;@-+0nBn*}2)Hfam
zEd1e;l41u5#$lxJY^pq{Lm(HavV_!p8zg+}z=_WmJA7wp73l%QD4M7Sv2$6n^or>T
zjbY&tN?{`MV|_+uqpcIhg|NX$hA9L_1tD2yPV5?;oFp8-AlZLHwonLPKmAJ2cu~$o
z%gGC(i%=mF3Vq3sL1**FP_ik#C6l_~7~!pu`iKv4rmKhjB`bir6WY$uD;H%ZvOF^`
zL-Ots#4ww(Z*FR;8b6GAZA>v}?1f7sY-n)fz^aXsKZ?ei`J56F94;Y)CiA4r->U0$
zo&83=)bFJQ9Im$g2Q<<KPUaZiD4jkmVd3RNQA!#sNn^Zm(@8G%yU?on=W08z6}{LV
z3m!uJ0yhMpRhX-iNVwYXKul&}5Z|%?CU^>TB*Od8Bk=5Kx?Y1I$fH}fY$1%oXswat
zjT{Xn(D0Ey>kS}$Khh7Oe}GsQr#)e7;{CM86s%~tJUtzTIC}5nvxI|T{y1BP7EkHq
zHLnC=#^cOvY_xaf<$95<O?&@Tt5xGi!gvJCMa*iScir8w8T55xTuBVE;@z;6B9C4s
zN7aYSYhvgNzd!h(D2{tWAKFrQ^w!Or|E6Bt0k4uU)g)91_=LFPVL~(_-R-yI`9Iv!
zSFb}3szj1V6Y8L;Bn}&Y%(u>1^_>)j8`@jYhe!7~IchQ@VC4YNOsnUH3gOfC8Hf=R
z#xM+nU8b(Sb|-72&mKyBO6{H(kh1|&fRC(EbMA2)x0;AK@m~WNED=*+0IGDB;$z8f
zYZxi~GYmH8j5u=uZdh^EQem(v!W~t&b^w79nwm9dj$2yO;oIwE?;QX3%?AY+p+Nn4
z)Ac{0BdW0a*Ett1Tp;ue82?dK6|7u?7Ucbh4@txE;o%g=j^#>E2$=>Ua`#rf_=4U2
z^sct2%&qFT5t?w%s#vS)_i0)4fX`2C3oMkrznH(<e3MOJ_(S(~Tgw{005P*G*K>F|
z5_W9O_MMV#wY@Po*&H~kR@|~hiNy9gaHL=?Zu2krAl)GxI1iOym`=kvl%$c40GvLh
z(&n}EgyA~WUSP6>fSZkCS^@j6((u#f`5K(W#7sK9QXF$1N-C;XzbF7KZ)(;Y4u=Ot
z!alKo!E#|rg}(NeILblRdkdWbGx<-r#el4b)4btK!_i$^=_ng9Y*F+$Z?MdoaHrv?
zG2C$qNKXJP0(+8f>l*8k3rdcyi^#ZqW)2+{p?D|u$GhE=KK~7I&;2*V6%YvSDE^*k
z$yj>AY$X1h_sq+kbTYqdyw>XVm;{ae_&y28E(~~aVoU@$I4OA*1P0>lejJeko;!&C
zFAUlAK?n7IdL|M?O7yDWhBp@xf?Q&Fb>;ve-IQb8V^BtB1oJw=tY>B>xh)4vpKwpz
zANqdq>I}q4aMrh9U9=~(>_2X6X={^vpB~6YUL9)bM{#kVT+Ua34N9;S&^3Wqk}lVN
z@E|=o;c$otN_bsCkO1)j{`i(qRQ;n<c(J|=z>{oNe+X9rMyU|M1PCttPpB{s9mEa%
zM92-=)*7w}C3n@bK}W+^G^Pp4gZ%(ZtdC<fukeYSB%Qzj5*-LMu2Qb(#|56{5Z*i(
z!Lprnc{B;4_kf>#lE60luB^+xm<kbGnn~Xs?2c=HJ1!aC#ry~UBd5Ij+np$C<5mdj
z7DWCBc6@^qRBEp+{HZ`Kr&^2YDLSTl+3R0c4Yb`c^xVowvV)8wMZ=<U;X3pee6FMY
z;&AmRte}v-`S&q?7vGf+XeH5(V8wwuYntT)9_;F!bMVSKqqK)y>Y0hW{GDpY)L#+k
zHVEknScr!P4&%EZgas0;!j_26<>*(6zp~2HhxDe4-|f<yh~F3g{bJJjM5{N)2F1um
zI-BALg2W~^$1NS)9OJz^y6nK_5UIj#A$*Jip1)46QJV2>5nC2EzfaOk&<(6-q<QH+
zN_o`7b%%bvWbd^c${`|^9@(3)?@NKmU<V-&!&1sCWTxDC96XFEyV+HxVH7V!y+Z}<
zvbm`42~eB}n}F0@0Be|C`oBzTxz1Ecb5|b!phyR2ZD6|(k#bFvB7Xq`iDWx0a15+E
zj8u7aHJt;o&%UF@P_z*-bw}=o*0QcgnFA0D^OR)Fz#Ja%fc(xM)i9#DFz~CYh~bfk
z(a77P|B%|3aSIK4H?sSvJJ?-iqJ1+OiU%iuT>I<M)_)<hgMj6SqVv-B-Ad938e2!t
zNtEc2?0{IgZ|%|IV6`vF8`9d?eV;(=A0&A71xcH?Y!Qr+yvPYMJ<PkAgZz@7(WW~*
z^Ob{ejzk!IUS$KkNvQQ90VZ}q9kOl?)aip#4GI2v1B1R{9SD7bX<PRUr3I{lVI{g4
zS0Pb?3z{S~pwbNvJwkK@J#lw=Kiyp5^ZZ>_TAI;n1(=)od2_sK<o+$O5dvv?d%_=l
z>exevZUbllj&QDv*T6{_a>fUPWM1-F<5wpN^rn+ww~>*E_`JZP|AY|9hPQg=PkW8$
zLU$Ve0c;Z5^~&~3W2Oe6-2hZD*P4Yt26c0|kH((RGuH-XaPyJ8p^_wDbfgor>$euT
zqOTvPT=e849w1XC5Zz%CZ7!t#=l)YdaK862rq%3xA6EE>L1jHM+BmaZIE9Nl7jfyT
z(`0N0-Z=q^y0iBp9^~A`fSbcPLy<ZzaTB$7=NUH>DT(hf^MVo<?1Mkst1{O7eBfXR
zgM_m$I`_`1Ly-s0(iDc+)!=b<{@S)Io7@7W>Nl8?6cip2JB*$J-55d0S2(u)59JCb
z>?{}}U(K!rhl~-r5W@Mpahj}eSNg8ybPb=UE9drLvH2c*jRuld@DI91VxTZkm%{M_
z=qYpHWf+u#pCDPwvpYLYZ>8<)lw(M&0+IrAhan<@1&qo0a4jzn)&CvD|Hr0b9{yAG
z?Omf2=y270uOyYRN;q!zTCHJ072EqxTII`|+rr=v;<rK33-*o=eu(y!;O|o|#QKr|
zXWI6!Z1fJcK#WtOOP_7)2q}RX9Z{tb@lB{ZZV*Ms3KKV;1JZpIYcHM^=-5L}K~8>@
z<)Lf8GrYW$9a)#$rJ-pYiavfsq8qu$AJSwAXBI|Ae~6!+ZkMv;Ap{k{>>HKkZVVxq
zddjTdzf<et^WoIl?VE&Vxs@zrm1Yn7@}&z2{^fq!b4b_jOf1c_-L;f=jL4KXD~{$x
z`s||VSKDDi^Wu(~aqX>`sw4Zz<+!ix*vz>7;D^nRb!49maGrFF{h%85MBj}3jbT%`
zQg^;tZsEfE<hkfSS$}j>aL`N5wQI7-c)qcH{mtJyUsJEGpXG1eo=Z|3>apWRlRbqh
z^Z^Pm2K@Np!v$;WtT;9EDmOWe<_SsOh?Pmugyy>Y^&56nCKcGIxD5|Pe_$KA+#Gt@
z4y{&Cv0VZ|u*&zd-`l97SzISU?elr!;w6KQZ^wkFH7;Emo*4#~uM&n)VkT%r1;;CL
zUaOOD`Nbx>=XZ&ny3#uT7RM~9mLu_rtMC;{@!aTC%iOs<cFOMJ`Z%>@OK&ExYnO<M
z231XFa({l|kl(p_H{}hEYsSJl5ZrVENS@5kMmjgb`V4y1t>V;P5L|MbzEaVnYmTYV
zxf*~Xls~YfFz!#w{H$!UR0YG!F7RdcOR*Isy?LXL=(2akDRRD47K2qj%jho~r{hLS
zh;I__*m;?KUFrH>_8^~M<AP3wKth5zWv(PE25CTkqJFz85`9)O2BX(;MX(5)1(ujy
zYY;tJ_7M#NTdREnSa@M-ks5Rd+9^%dACR5Wc78`rB8^1<>}8!jHW%jbb>Z%n;WKUn
zZJVf_Mk-c32eM6G58k1<W7*~Y>!KcJ-34HaNr7IE&O<2tBICo;@CTdFI`RSC;6n6V
z8Nr^Fg6qAsFny4pwbG7Fb<};;Steh0ORj9XUEIq)OT8YieAeM$Kur>?iXh-Dhjwq@
z<H5&jhtm3Q53~RL^(zBb<LG4ZC(ONb&`RayFuZ|_I)n-v`Sf2m>oYXHK2%ql<OOf!
zM#^h1CtSC3<@I;ioM3%eoiq0uT??OX!5P$+!{ur(ga<v^Zq^y66so>v4s@|ox%Bn0
z52ahMywpNp(hGy8V2RYqJCjo`YLU)TFG3tXm)NY%wzTv!UOa7(%Whtqx!~-Y+2#Cs
z%km57g#K3N&uvfhk9BR2?=l_Yly-m3U%7g-d}Dp(7e(*p{$Tg;46d)X3rC*B&AOb_
zEq5(^3MSJThMy5LSVCh&e-iar<y6-R_r;g}uH$^SmZei*tz?L89Lhm;hoCuGp!hYY
z7$Ck1>!&}{YySHsC3}XOFl25&y~iL0g6bmO{=yPqm6jO4#|WDEL)s}~(V8OGkXO{@
zb;-)g$&|ZPn97AdP8a^;{d{>O5=nk$N+x7nz0mON0Nb3`R91fKhTFN~ufKoK7iI*$
zJLR_JePsUkp0J3B6tpUt6%|)tQ!cC`&~IPQ-ZyPpb)&c3tr(N~M7V<OW@OALD$>4^
zdkJ^KJnuf{tz~^VF!|OFr|?HR$0I11*XPt{(O2p??OL9_KC4w{T^1ZU7!(q634s!C
zuH-^H{Ww0JFShYHWRGIzC;fR&oG5FY>2*JJ)y(WUygs$`^fJ**A3S_G6F&&t+nJJF
zUz@I-ei~1X#a&#zqkIF~`^kp^@a@v^QSnI#i}VIQ2mcGdI*s!d8+Am34>qgM91HOq
zm$n$yl39@Ya3nTy*0p>Y+RT(1x>lKW{)yg>&rNFVYf3@=eICI@f2KapOdYmdU2IGA
zI_W0U^1_kYarS!GTJ1vl9}jgDkR{O5j^}%T(l-VrOPOYM)3uE`!;Ms|Upgj%y{!tz
zf6k6~sl({<#;LPDdnIg(^?<Uya~5WhntcQe|FUlm9CWSQpGvvS!XCqEsRAVQ>X)^$
zkXKi%^!-`3W|eeE1M=q4S=?Rfn2G-<3Iii$pN6ucIu|PH7&<2F4TA|H#^SZVDLgBi
zS4KWFZT@v!07G-+Cr}@)H;F!Z`xQc76wcDubO8qFJz3xSK_@LUb39T9Yar?N)E^E}
zcaQlG8aa*e9V!_c0iXM)idtJ+-)fv4;BM&FecNz`hf3IOB*rS|0+>Z9;rWk=z3woo
z!DmparLh>cMbTKi+10mh3cqTu!ird@iLjZUnEHO_UyFeQEdX-#Y}%Te6G7K6>9f5R
z8Qf?V-aA1beNCvY?V_-2AP*acMRXEH(b3UrjbRhEipH;gE^Ur@De_U51#XGiX=!$u
z8^_t`i5<S`e63-g{i^%q*Pf$afi)Z4Y836kDg^sl)cT8n@VA|N_PoGw220@x7ncG=
zh#*XDEj75b`DcZ257qKptA-uPfDi)_=W;d-dh_oKx-Shk>l9i(P6_W4z;$TeX=ZNx
zj+>Qb<SP}6ostwX+{1p{;$-zG)^E_3ylr4&Z2W0)YrRKn%%sFZ-;%Sky3@x)+^OLQ
zKP+3X9*f_2t01}Ym|1T1WJdq7rq%%7OO`_qWUPiBh)T=Ytqt=oC#2?PxG!<8d9IiK
z7PaACOb!-t>EYDb{Q3AWTcr&?ux)YgA0M0c-(sFItS4Pw;)Z|+ooU6>M~@OgL|vYc
z*|$%w>xx_UfhT_ib&fJt*2c$LEx9JHITr)5vjn9r=J+kMFDudp;9QSkVNB}{(S}~q
z)J#S%(fCyAM61H+1$av)qh5${{M90iyXPX1ps`59XyVJ@VZ8jboST+*9vAB&^{3Xh
zDr#!lFi0!$Olg6&i88J++rl@QyCn9Rt@g2w==D|44|D_$SyYU8q<M8YIn$n8`Vl@M
zP2Cd{4^H73Rj06;Z_T?e>9^RHIS+VT0to!#r%WP=B=ML{dOk>dZH;F1UDx`td1<Ad
zS881wgEtMF`y8(_t6N%Tq=Z)v6s>OaMBg1F?NNGQ6!uIsmR@*5$3l&=d<da})6IhF
z5)gS0DyyHI@>Bnw1A5NMr=LGLMXYu?X658`VxlSerV>k{d%_8^@zimq?O2OgI=4@9
z;1YhqSpg~v2rgvxCV4sz2v=}+(QgEq=7U-Oho3i>42Ce%e?K%el98D+7FJQJi<|Va
z<@EDd+pu<5`In$}b#&k4>$*8m=~bB$oPFU-Scm0BaNMgzhl1V};Qym4rlMm>0e-!E
z*RI8bFM?KFaB<5Ok8e%->a5rsnQEPxnYniMzJF_xFp!fU4wCpQNTQY1Gi2NR?jDV=
z{hH**v^#CnUm?+S?p_WDT6alXJMt*wL$goO-?|nse&hIC>Uxr+QlqTzc0$1m-X;%;
zb^g)&YTcsTFvOe%%_TEE{lj6+er9-QJ_RKF+=4;oxA?8<8&eCVzxMGcV=!}}(sS)j
zhDsb(8E84N%r0EpyQe)+5>}MhEdKrGSs6&jaZ;z;ZJ`r8XLVVivxYzt8-I)dKYonA
zgqkUq#!uWZ|0ZlMSWY-uf9d?R3LSm{F5PkrI^735ws<Vhwm`b~I668FA;*4CT%}Ga
zDEMk;>!uQEVvF=f$cE6xXbNX)CT4s}t`gV3!A9r;&O*<*OhZRKPH5jkz=&_35Im14
zOgIdkVmSHN8;9G$__z*0P5PBZsO(#a)n<0P3n;rKzNPD+54C%d_{PCE$!pGq#0`n^
z$E*@f7F}t9wS+N|blZg@|03K{B2_Iv=m_8X@jld3dFVp2;waj^lM1EXuuXo3TW*H)
z0%mqM*WDJPdS*H<w~E&v6kS<8%5zq7`tEG8%#pPxn}~Zrr%u@P<F3aM5osA2XT@UA
zIh7e`XI?}myO~8-U|?XPSsm_Eb=Z72qgjdw4NbzV&=OJ(9)AAFKHG)vfT`}Q&JmQ3
z5^Ntof7XWDJg0nK7Z+cw)n5by^Kfw`_l@mryr`{hi78Jh)IW|`w^oQbfbF%A7j;f%
zW_ZKTu~|uT+<<3QRROj{f>{2^zN@1n9Vx6hWYG0|{Pam=ApFUbbf|SuYuWU_xlD-0
z9HCvoKVo;_N_VoHDF0PIc|)QA4n%!78~9kz;-iZdx%PfrwqfNJTxU*Y<!udH2vuSa
zLbGlMCe<lJ<}zTN{wpsoD$4wja+Y@H?M8n(*5{b-&FJ<_I3={!X+BpCZTP7H-!UBA
zjpJ9ew0=Z2j|Rfu59DQ4Ko>-jgo({3!OKS(iCt=9$1$Y%tmkzUauOSdXp0Q=czAgm
zyIXt!J@`8eh#KxJSSk_!Y(67OsbJB283JvD8Mk9?HZJlXIWl$Gu85DgalhIY+m`%f
zoMFEHl{5afG(@3G21;D~^1DYk(!rW;8p2S<!x(aYHM|W?e7p)c6vo!?9w~MDA^k+k
ztqAb~Eu-CC>{1Iha|0b-QE@zK-IS>Z44k@64N5CP_$5>;F*05igtu)xx?qFSjY#OS
zQ*d<ipkgzBZahPo<RH}YrOeqb;W8Ka!WRMG;DrB~UtUqszq)~m)Ce*)I-p}}T&sQe
zZUlUEPgB#>@PVUNmX_0_AfxG{vJRWI+nBeL^jv+d?gbS`Gb~#~UH%Swulzm>^7~^X
zcf(=$=uEHD$m{W(GBtp-%LvWPM)B{k(qneL7bW?{^XFyVi<4m2p!@3DeImytj7F*%
zXsZZxd~<}hYI&q1Gm3!xolK073@FzmVm+Z(j~%vUjMD@2e_Bg7s|i}Z70cWW*_F(+
zw7*NgOdG^}=J$*&>K&2?>728DIpSNePv?$^)(<m#Mi$;Z<S#vg-+AsKCyIPf(Uz=H
z<anANl7M(23q`CYDok`Hs#Rjuzm>vl%O=DUJb)O=!GCbdqU)v%Hf;w{FV8e#xZRHD
zec;2%Nbn*Wkt2++h%`(WxhEVDUi!K!#aCYh_#|N+m|ZeDp#=MLF(S(7g{FHe9i|uB
zaSk|H9VL;x=hw#lek}h@Q;XZlhfx4o_X=D3Go2d#->KlT`q`*r=c1(TgaD@y0A&J$
zeZ1NWOsFanWhB(jp4GU0yX2|c<nf<Bew>lKd<PC0$9|6+fl+gwOEIt+0H959t!;58
zK*JP<w=^^~q7eRI8hzx%2|d_8w<m0@nx9L!u`T4||F{6seX8^#19qyafw1{<54%_W
zN;jK_kFNuokmo@6Vu#>>M|8&UMdZLWwN##4P@n}jk~d4t{th=4e`5|UIrr^$gNd^Q
z+f4~J*Wq~Qh}c-GL+AJyA7bYgAnl9(umTjV&v0ZTdrSu|PBBR33z$c)?Rb>xE1jcf
zF-LG&CsK5zW<CicpjUdlYvM~@&0#raR96`pJSZ$z*qmXWh8w8GRJaCPoLJ+yDY1P&
zz2Su6ktnQRZ}sVX5U&dw=ishGq0X3GYUCzg@+XqtAY-3`f3&?-e)p#ba(w10|6F}T
zLye1KlYcPn$kxe|hkd&B!Wu9p-6HEJgr&pGBEIRxD_3%8_+QK7*n#h}S-@mNWLFD9
zEQL=5RovM=!jac)ZButsS2u>g<i`%FmEZZEP4mB+O3zP*gTV>=RPMuv>;KRkW#2wl
z!cer4vt0H=YsXKzHp{o0Hf;*4;M=q<3&5Tp5$=Vv=k2^r4it4dgolI(u9kSj-CZ5k
zoX*X)J9!TiW!?B&pO1Uy?~1h(H<LlW_lop=`DDt>seZu5;I*A1Od?lA%uXFTZ~*l~
zfv$9JVOOu4;iV6ajUBjE=AdwNu##cF`p!bY>HuYH%Stlu$;Cn6o|jjBL7J#})lW&T
zS8_9zI60AObEH)vw7n!6G@DX1b_LfygxM;)54a2k5lU~<;@&d%fstrP?A2kpxB0cA
zg7aRgQl*(65uqc{D!j^h{r!Pccp<hT=h}!;*pEFFbuugnutS4*Ai;jXsn>=@<oYAf
zfQG}jiG<lUhV-7f!}>@3GZ?q!Puk;;-+GS5qmj~3V8!BgaO~k#-C%R%&Y3;)z)dRY
z@;C7btw`7-xKOmiszcOa<oqrFoT&;~0=QmK)`fD=w{+y$!%rpxbzLXzyQi7R+0Abu
z3#Sd2d<`RwgfOlt<>_O??J?&)bMK#x<58ZD<ewNEA;nFqr4FC!aP#UC)ijIOx6<H~
zUOzEzZLz>8wKTY9{%HpnMnru=zB^v*`TpaR5X5)bhG_r<`rg@b+nfM0CI|iH$M^3A
zy4p9XUAo3a4w_RJTyfLD${7U)x<#)NYYFva7O!2Fx+7}v==`Ix8$=(|mtuoo9>2C}
zo=(rvKRoGu9&?j@dTT2S3#>{oWueGP?S70~)d6Vkttowncud*eTNY*@RTI{i_hxT=
zK7&OPgCSQ>{MEbRS3H+YJupsOCOo!AlVlI897iI@MI3iDdI^fO@Z~vX?eTOA%$%}`
zG9LN`IG<d?!2A4%4`<%VqDMyBL5+5%IMe<7UfVL@xZS2vn^uJ$*L*vV&#C^Z@m_Z1
zfQU^+zalDB;%$lY`F1y%Mj1Ru(H3I^?$&B>^%wP-%T+jjSkPEBEk6M}^49<>&U3_d
zhBvJQik=P%`&Jk8ywUt5kq~+ji7`#Lg_ec049dg?OEzCa&Qni?hntQG8HrSo<5fu$
z;W2YDCVr8kQ7v#`jaf$iR@>zC<%Ly;BIuPX2Jbm-Km6haX1i8jUS9Pyd})3CI;>8@
z8qI`v2BQZ9gw1^}Ub4fkY-(wNPW)^0!8MXp_Ys5dg=Mp29V(z=WPmxFhS84H@<_5I
zDvX-WjU0orS@hmbhet87Z%=aM2olPrprUQYOZ{SbyUR$_&`XF7BK<>fAi}%K#Nk-(
zy8V?wHm*6IBS)Yz4<l^;MsR|6I#<lZpJ5meB!)x;)MROG9nm{+sKQsosEPzt&}e|n
zY7&8Oz`|F_^^AEIDnNXh05Py#&VN}xNL8wyW*BkLf%fZ-8oC$>d*do5T<p1*f1!#>
zdJr6}jdx)vlym!up2_oTR=PPB%wwK#C|T>|?E?;}{-GNN?KT*Qy$BNIDp)Fwsnd;Z
zWHvR76^=Z*IO$x;`q#M%RK7~91u$V33#~%7(?E=;`0w+d{O&{Xc<y?ymAoMWrmnJ_
z`{&@~)y}#%E6`knCx6(4uS?Ii<TU1KEJD}rHT9$)11c5J;}n_KpP2VF^FV^Awt83C
zQ`uYYEd38W*Oo`U)`z`j9~!R8he*vwL&lU0EkKz;(MIRlS1fRU$ib*tISk<f4c?q@
z3Xcx3+^ZiVRt|on4p5G~IrW)wHudN`=NERxM%|w{i$W86=4McsA(vje?-*E0v>CHq
zmFpKVaje9E`<dbTbX2@<JKF>SetB-J4Dcd?7l->Hq-*i!zR~bntl^A^iOJZ2u}1Ul
z;rKnH`{M0Ep2&c2ECCXiPL__p?cacyJ{?)JawshKQSDDT{EqNrpKCB&*N|EIpuTEc
z#r=~f{^%CBzk}7@D;6dFLxjp9i0yc*dHnk#efOza>D0@5z3MaFA&sJ(Q7yRF1j$y!
z%@mwYVGrQ<^XN>Ztp(85K4t|P!Q<WuZEVd`#@GjxPDnvb5Zv;9-n#$I@m7VZBi<6n
zrEsY(Wt;MBx^hA^qA0!)b~SSoy_axb|LTbh)m7SaZ`Y0p8=|@*x*sB$7j3aCGE90_
zwLQ4e|L_6_gNR5!fPqtt(<w~EeeuR=C8gN=^_Y8o9Cffnll4n1xe<8afUO|}8KtwW
zDhJa$rgOq(;jlUmU%f6Akf18?D<5w7geXBnEZkq?D1U^)LkaZYcwNpc$PGM)4=aJW
z93yUbC2Eq@2SuLBv5LiKge5%Smh-q!a&ZAMj$VzAB)T%#JaUVQUc^hq0jG8u=?0lj
zlV8)J>s>&#vUOZ_LAVb@^g@W#`aBl;N^vW4i3NjjJ%*pvi8vRxJ|w}slVzHVV0w+9
z?n2nV6W2X1dg)wbQ=dbf*J4xL_Z+3*as;1^?dsx`^tjO3R*d=-I8@wLEUe~DRT{g3
zexK#5@7f)x^BT`?KMM_TEK+mK;-U+1AIIChpV8ZBnVFgCER(zL-w`2)K$sW;k?q3*
zDqZ>&>)60oTyVTiK!?EAVRaz_a!JAjPQ#mJebT*X5^(*a5pT4?LzBMW*a_=A72LrV
zWj_r7MPx!zVFep<Gx@d=J;~$AEiQdb_4uvV>UxO$Jxyih`(R<r;qZ`y+W7Y?4=xF!
z_gG&W*f4PZY99dqHBYQ+v;&f@HIjU6GM@T4l8NpKk(A2r&OVs3vr9UhAzlQ~AFMtu
zsg$;U<ZUEjHlRs7bdZ_3q}Uo`L{-3IX$4_imex;M{h<%^rsK^?3a$V~{#UYusU4ym
zA0LN0kURg4)n4$kma#fKiX5*!Hx^jgqNO$mC!>m`jXK>hzFt~(NiB5LvM+W-0a>P%
zpt<?)1#i@Rzv0(ULpNO%%=nMDCiRw&d;3s*;5sOK_39PT!zQf#HoqwuFFk(B=@hpx
z1ID}qV^*lwZG@M;=<dk-=@e4mX7)C(yz9gmZr&Db{5|DZwL~q8UQYDd`$znLsH;mb
zlbi$KJ&K5>HZ=d~Kx)=1Hx@S9|DX1*{GaNy{Yz<?skBWCVw#XLlH~|lqjH2KWQ$_5
z9!oh1*{X?@C3}{rD3#?@_Vt)ar_ENDBeF%uHZs;M$@9KzW}fHy{srIH>-+VSQyk~>
z`P}z)UGL?-E<_kD-l1qZPEBJNoqzoxgPEP^QcOj0E?QoKX&1@arK8$&14o%}LU*_K
zjq!X>&muwqDW1{Wi{jjptHt{)7Y>`yjZ%AgRi<vb6!(iBJN-f=Lhy}4Mmnnk900|-
zaw&?pN;}aZh=X^<vkPxmcSL}w^?k`u6bM^sRJGJrl{C`>$-Wg31}>TaXLONwtobY(
z8G$3<AgTu%GGAin4Pd5F9cJ#?i*6<02HnK6kVbpvfULm`j29B}6<_I#*F<mGxa)X;
zrDqopkqiiTPdFM>!gCmx8a7_1=YVDHjhRyGP=1rguW_=mZesEBjW@9<sThb@4!dkN
z@}$BIy_`(R3psFamVp)E19eQMI=?STe23l02VDZ|DZ6~eajtWT>gDlkdV5G$1S3<^
z`{?>S-xTgQo{C#ki$R0#1kvJYK5iZ2ld{%K3!=C5_e;5<Z_6M$8pI)>knQRKo&>2m
zoc{EOqxL8cvdUcv34yB5H1QPf5WXYZ%j|~N+laZ1%UA$>@q<R_15v+?S_Ck)S;<pB
zN>o>xeJhi}V8a@IQFYS-m^hvZ9C{@cSe$|c?gRoy8&>FC>92RI@0u8cJ-Fh)0aCH2
zp#r$p{t0cc2C*27(XT5!vCIg>5H=9-iU!oQvT2E_nwkenZKPWtS*#cUau0`hRtU)J
z<5aj#_~(Z*Ci|1*B!A<-64ox%g?VJRU>tYEKIWr1M(+<3xQ_|T6NR(VZ!i@27FLZK
z^cVKI;j(n_U<13E)79HIbleDj0k{m3jfy7x%g%Xq0>nS>rw<@%5q74L=|BH)(qHib
zgK-o{9@WWR(CdOsISHw{3BAURWY97NDMwIfVL_WmB5vH;)3<l62{A$A>U-~8&W4Bc
zB$eYggsI^EcpvzRG1;0TdNIOY2je{4=v;bdmA2vL6thet1S{@Wb-DF1{O2;jZQlkG
ziHVIJ$S(Q#hNSifpbkipPF6Nj`9AM^tBJLx560AboO>kbssjyJiV^km0G)G6-=aH|
zUQthV{PRLfQm>=o2Tmv7G0m~P|L~!{c|Ps1u5KtFA0KMq5iMQ{joc!fastw_Cv4Ww
zKR1A!%tiwld;9<ia3B}<`vkoXSg;T<RrJo?y8~zh!A6FmgJVP~7EMRzLFadchn<=-
z4`aRwhA5oU7T$XKe73t{Wd#AtF>!I9u5Y{!h6Pf4e~vQ}bxV=E-LL!CB>^+uyM22v
ze)V;&-=xgYyP~n^%RER7GGO+c1{&^P2@Xbgk!Y0U^lA#*9%3k@gR`2?^1)HUip6tm
zU+T7rHn778qi3g^7Y^-??CsZii2f`hqM|c2_{-79-%yifV==6z3j9-#fPrDG$MeCK
z+voY-6w)wvCU6aUSKxR^r>VQQdAW~Qot4RQ9=2$y*hmWx(R4w5YKAL~UM`<{|2-mt
z@o?!_*cS{LI|}4hho*%Oa%vP0g5lY4jD9#Rh<`m?@>n=*B+&+@zyC4RDr8@yuge5z
zqU~~Wa&I&=m#o+%t%;e@_XK^%56iS;th_VIN_Fy%Sf=zQQ@i`F9p$+G;BmJSsJ%X0
z&_n~t38-wRboVUcZ6ls-@bJ>X`t)#|bBRI4weRYB2TYqFj2~F9Tf;uRdm;oa!_T6v
zsxM|$&cFz*+J=qb-5t8Sfnmke;uROJRO?OJDTO&2chH##a&3atpBIHb|9D%93>svv
z$@mK*Zk4;6FQDvg2yNyKLLI$U`P04J-0|qE<Z0zVyy*|y^YNPSTbf*`pt4z{Ap#U8
zst`dKO#hYe@bI2php2?}fRU4qC7iNmcHbbzX77NA+<#)~QR@&$ldp*!xyjJL;5O*i
zgONK6JGq%V++m}_%*GXk;j!FC_cAgw(QMNI@CuqW!YiAj;@Onc4zv`VjC@jBs>RE5
zL-WGps~}4bL6?X_xw$iC$jWc}&PoCKIu4&!dKA&(D*_fMLMhs+ypEnKLun5lKB9q2
zmn0iyz&4au$(ESS@b%#VXoKgcL(tymeOZ}>iR5>1I>;A8uUc~K!d=QHjD0cai*MI)
zwX~q7?UibO>h*4fEx#TUh$awx%}80WvwX^$WUkd$&nH{HY`lDlK%MODkGa9PgR8v2
zG$)|F79;}Fp5;}S+f->e5ZRsdba8R<gFxG>H`zc`#e=RbEPp+=Zy?#;1r3Y+J~@Mr
zM@Q9^S3@44^R$2*aJN746AKJVp&#6YB=S5m;b)A&Jwre7*qzR0RdTg_oek<2q;+ak
z=Y6o(Lr$B>Z(TLqM@53dIK(@^#eJB7a}_76jPNLcc*t$I5*pfA)SH|EAK#}CEfe2~
z#-l`rCHvnO18YGGA0eLw`CA-19_Dm+JH+|$u3Jb@Au6IXsBm_mf9yv2h1SQhN@uEF
z{kq2l9-3tVnbmFjB(Q7Il}j@-Gxdt=xwzDNNC5{h0>{XLwd)|jnmw}K7oMcB_{Uut
zjSnyYUJERMkpJgX1(OsErFLI`(tMeAGNt1FMVyuE45>>$B&3@pe;6Akn*Laz5>2ef
zfgcA@&z2D5g)hub1075zP&c6vG(9Vi^@0XQDIgur@Sp#JXBj}Y5csja;=$}A49oO+
z#-j7qod~`SWc1W|8TrLE(Y*m(q%cy&JZu@2uOHh}DcRUcMq4v~oW<|j2be)w`yI3d
z7*3A>$G*LbXoom%<l&J|hAu-~#g2hYAdaFQmugn%cB`WtdgZ#cYg4hr++&Y|tUP3$
zT3l>~`2|F5pg;bl$0l6)E_Q2*@1`Nh2R$R6zvR3H;^J%2xv%Dn_PZ~T$bc!>D8?KF
z{SlPO$=ld;T6tIpE>eVQ$za=cARS{<Q94vnWqH^=&MWAMopl-XM7N_%$O}jsJW7FR
zqexdgg9lAM9|9ac18167R3)u~4NKgJ*~8=KO+6Yeqvx6u0ZWIJCk#uTt*6cJZ{3#c
z`MVOYM@d_fk^OkvXdzDhLqrlQXq8~FGmvnevRE%&3YL`GVS<C9g+(UBww!g2Vm8Yg
zarj(>issBi<K->Z0td}&uW_)ylXMj^Y6wNui|&!<){jVbQtvot(Af)*cbJ!Qhz;7G
z#(OcFhdhuzUpnR`*r3hH5ohNt>?r&RpN}P+-g$&k*>LeX%C3(*RNT1HJ>j=1y<hdR
zkxls<6x7*W^-H)aHofR_TlD!^GXx%bXT<_vw7FTm(dd&rVg&^x!wNoGF`~y_UXVnU
zI{qVh=xG=;0nr1&j>L5Ek>^SVpHn-sMeH7#z~PyNcY1L1rW(YfrPr6D84pQnsC`Mg
zCz%D#7+_C7XHbJHh{DO?<hL**LLQp@3>vKN+7=B%ef^s-SOH)>*I9~z(@y9=KkBJu
zTY?BTn^n8v0Umwm<~_!G=|_l)@>NPQFg1-=nd#eVnq>?z#sS9|0F-Py0-dspFpR|r
zMIziA^}uXZV~0&l?!g~yJnQ1bjHCl+X+?r{t{TJ)1QDuA@S0TF^lIBN{wLT&7qlZG
zVFAb+V6oyO6u-YBF3ck&ghIawx|r|_S^*B&jaf7`G)#@#2}>kcjX~0YDQ3E={d*CW
zP)!&Kj$rMlMU5!pI6o=_Cn&4<Br>x#_&DgRJaBd=sA;51NUE98<!0X<Kxo9mH^wq9
zQf@dWMvMa97#;<Z@0<3k`rD+)4ITNsOLo--wFv+pxW4!y9J58{?}@8$35{4Tn=Eub
zSv3$<kONSlwyv%b&Je^W$+9{D8QI)f+Z>bp6RT}ij)aWpp#!Fm@jK|=IO7COF0#Jg
z5OUArl>!?_DYR(|+}?UL@#4-tf5oL|MHJ51or9H6aC8=|2-6eGybOitVBp~e$DUlS
z4;$#4TR@MisqDevfj@v&Cj^n3uO2|i@0`H!GjG!D&qe6vFy*wZ=ZC7kzB;a?1)h5J
z8dP1S>#sf)e<A(?oO>y>zjhdDT(O?5X0cTm!VHLxO>FjTDTl6D7Fmi?Z_K;Q(iPF-
zXe1lfnLNx${L`WJbjj<pSZYTj3rb7h(QI<wer`9nvT}9VJ@fc2&GPEg_w1lYwP05B
zyj-{^oRiXHhbgRMCMM0C*-+<Ao64n}EP~W}cU(WUsg)*|SUU?;T0Io_`|rO8*pQho
z&*}ubm1Ko3viZ$?7AdYonO|K~Guc9uW6C>v`QeAl5CH6iZjHO<I(w08vi+F);oQQZ
z+T%&=*heR5yIF!SH=5fdl{EQrKlOE*wfFjxC^Na?IaXTLSV~+R+t$ibvNnO!P4g;;
z7r8gj<Y$$U&6ign1Zq=hjgv6v#PpEA*w5~#&kSv?%Xu)}oG`pcK|!HYVMT*n-J>%-
zeE9<IW3$XGlYMN3jMQM=uaJa`YpF2?&yf9rUR*ke&#;X`G~r~%qYxzRLTK|C5lf9k
zr0+fY9hra=Crms?Dy^WBhS-y6AiKOdAL$lSYNM$pRwU==V$O$ES;iTpMLS|TM$cz7
zdb}x+S%$U>uP0wPXuKK?V~yk%aIB!U3Ok@dm`ZDRcQ*y5A8h(EFe{q{kHSDvTa<5>
z1sG?$U5jd#=V(+RWs+s=zMPPV`g3`ies3bCnv2}iYg2GG<Q_IYa}X=Q*EY^9%a|zC
zk>hAA7x<2eKe;Vs+<{+6hyhee9SxqFd`GX>g;eBsiXert3H@iyf+cM`)9d@kV52}1
z`AQ>Vud0VLB|y^qsUl$M8yUr5GhW;gUzNi#2YeWrc1Iq=`QO$gWeMMN!<?R;DcYff
z2W1%N+;RHGZx-<l!Nt!P?jK-V*f$c{7{sZClGv}ep>UXq2C{O`_+L_FKXxIDKW9jG
z`)PXWzyIOegHbcV)uP(jE+L_deUFg?QF63q)FdJ(OK^ROBHw|fkffTGcw_--takH9
zcjfHbl!d-pki3xweY7R{L^cSa9y5OCD4fHc)o3elk^Y#TF15aUJ~8JljgxTkmLntS
zq&X(deV{AOsbt2b0g750%u;LeExbO&4CPBToj-^AV9pXYk0@cl($qF-#`%{!1J?*4
zxR=1q@IU;ni`#H(7t|iQDKE{k|3fDFOQ`T`aCvhrh*dm3uI7kn$U!})i>jm<`@P^N
zSUz@L@icE9%S1d!B$e(Au^;r4hDvNK_p!kYM!6X{wPg;~RWfs?-MFfPRuT-so)T*)
zTy*uiyW7?ozGwv~HvKs^z!_~@=JGeyuDf_RlHEPBNFd_`Mw_Xe$^!}->R?*&?{+an
zxI@Bg*_^Sig(CZfUo1JhcwmS73Vpijn&`i_#P2nZd7#_D>ruUXA`VpLy#!O@WBabq
zB3tiMOj1%N>Up3tLiWP^6*E4hlcTnBv!XDS;~g|~3dv<}cE%#@<cW14bx+hehvscB
z(bzSz8vF-Lst3MRFLF_ak&0z2ZFbG^=P<cNZYnyWBPBMTH;%W#7GPTwcms@l5Ucqx
z?B6@Y#ICgt$qh4V`mPAu9kd(BLD6IA&Z&}O-;iD7ifo57pxTMG8^BVD3`#XMH7!0f
zkM1NWm|yi4B3@w{yU?36{WT^B*r}D`-!3!21x~oz7@ccu<!ZS%=R;;W*m|$B_5ju2
zL}l*k#Q)Uay2c;K5`wDB*uoj4ZtYRY?^_aJQOr}+W3c%fRP+vD*H@3N(RopmzldK5
zEeC)-BH4pR2)=O6okT4b6;;n!&dBa#S~2}18&00ozY~?i#3wR+;|>N8n{a{Mr87^J
z8)Cs!P$Nm#aSv~+8&7jMt#+Y}j*YN1G&VQi16>m@;@aj?K<fK~w?R*>4}*2o?{+xo
z;o*^JL$N*drDvOJ1ek47O*prTqO?LpfW=QX?Mv~Vrq_8|`fvl2uRdcbDXGXbWUGP}
z4whzQ`P{=VDBfe!0tSVR4GqOaMMe864d8q-{a7bfBu`wZ9X3_A-$ffr&q(grA${-$
zpUj;ECwqH+9UYyL!Ll<;601dl-Q1j?;0&qu%%sKH4X}?wX&!1XYaPz}OF~j-sJ}H3
z8zD_LQ_>)O)q&Ql9*x-VrFHSJU%rA((thTxasNi6qf|xHn#UsDN_1hbc&s(N57rvA
z?q<oF;!#1ztE+7`Sh%UDe`+*Ua?)cFam^a8K7$P0eQce21nO!#4RcIcmI!~g_Rn@*
z9i0XW+oB$M>@+JY<{)K~^lVMZqsYj}_}X^yb-NxCW7pa9_r0w@U9Cr#{AU*wH{$5W
zb}EMJ8dp@RLkl7p_3BgW*uAp0KPi8i>Q<rVqkPp(Q8@-vvTIvT{^$3735%V$xRwb~
zHPsC_F!hn72^o*A=@Avk@;;5#<QIIAC<eeYAfk8MJw~a>^uS7vz(ka_hFz%L9m8%F
z!R<%P&Zx6V4OtNOo5@+pJ$v?aZbY~}gI>NK_8psp!($(jlfTqab34X|Jm_<EYY!=P
z)w_z#@%NG@fRj$<C>L2Q*2<Xub8l<?M6sZYS!S04v&)0HP0M|XfSM5}i*tW<J}{E0
zFr8V1#=V#(HI4!H)4AjU+t{Si<jfOoiV<3csj#7_v?36G@F;2ZWqx(a1tN6LWozIW
zfOki1t1V+oZ*okUKmP0K6`}cGO?~EDUx)wMKjNhCH#fnKOv6gv=P9f<7$QHEsn+4Q
zK#zi2DDvL)O0qVmVj+m0IC1M^VfRXcca@dfEIKmp-rbL+9GQl)XKdjhMhuZm4V%#n
z#^Ev$K?&XfgyGQmQ<aYI3i;(%Yy+71^oLDh3}uCF&N$W0il2-7X6QowWV_cEjctoR
z#G1=uTKdUfezAXkZHpPxuMF4lheyfudC#-wV9?0Lw9S*YwmW2GjzIcBXlg0-%JG}2
zPZ<D7kC!NVL6R-^4t>R$U4i-ES8&EJ_5FKm)STNXl)NW4_S>VUu1lZ9VAnXD%0r!*
z1?L3Xdh1~sVB-_2xV9X|4m4sRu2&$2%6E3y&q42H;9)}jjyU}$k8SCc9E7)pckIE#
zhjqhK#8rzC7`gH90PlC(J>k(_<?%sT7Bjb*PK}@2kD*e~pY3<S=1_5h)we1>$;xNs
z67geQAM;f528d}Dz!bVG5U)roMP)6%Wy^29$?;g|CC^|n;Rai<U0L}UW?aa9>N;KY
z3$ROE+_wH6ii~zGqC<ks8D#diG!nc%Ss57o)Zep#Yj2ql++CQKWz!zcDqLl$tfKB<
zPoss5uL^Ln^KtrKelwXr6e0LE3f)|S)bbjxr<jx!2C`XB<xQZ0{rdxnDROs|1X6yS
z#pz(Oci;)QJ~TEux>qk2&}h4Yf+?}QAT{U@pOP17$#+hKoZ>rU1<Y4Vqkz=^JH;Rn
zKkJS_pv2q4P*v9@Z1E6L{lASfSFmP@+(TTJH*Z!Xos2`oaj3t`6XUilw?iM*TtBR%
z1`vf579*x%R1S}Yq}00KSO*Xvv3;UbQik1qk<qzXZ8!)jLPZx9@@Lyz*r;4Tv-q`r
zpkxhTh)Dz4o9==DIKJ8Y5TwB`AUA9+X>0%ZM+us%lLd`T^RYp}@enGl4!Q1jbj}%E
zowIEPo}{DSJb&+xxOg1z`EKBgBvcWwI&<wQQBmDzzi>Y?%Odp=MBi@r%_!1{e<$Vo
zc0eT{EP$8lUuW^@D6lmu|5>q+Kq$~NxO9kF@y8Ki-w*{BgYB+mcM-7#GK%utcs-V1
z<Wp-YJ8%BseV?w520C2gpw}R^BX<4L^}*C6?GV1+TR%w!Cp!YTZDIC8E$Iu4AiKEu
zkH@brIBs~!+?Tp0T|2V$&cQt@ySUOR$!jb6v%b+DL;42aaji-aRK55(b(v77;hPBI
zRdq*rW>0J(aR6VPRdnODCEvdP_FDbIntxuZHIGlNVf_7)zB}m279`~U6Ts}}H~n44
z;J<$l1PAo@SHQz9>dXFq!Sy5UpOlDyTgv}W+{df`t-qFN+4a#4c%tj$f7}Y*)su@p
zz~u0x?LRJ6@F&``mtdU(Grm<jiZlz3>rcvy$mPptU6N2&aO<paI|K9y)*@)Gc9M7N
zKmS?wSB0efde2p%u<=#oXF5YxeVFhrixB+!4&-0B0%V>*v-tY$U$2)e)Bg9%6B_^Z
zysq8+_iwI}6BdK`{@2&9EB^o2xc(2_lIr;-uS3SJ%~xoAUBuLVdYajLk6-u~@nTK|

literal 0
HcmV?d00001