From fd646d09d249b6d6a075c23d5453b1d96687f422 Mon Sep 17 00:00:00 2001
From: "Philipp Heil (zkdev)" <philipp.heil@sap.com>
Date: Thu, 9 Oct 2025 11:46:10 +0200
Subject: [PATCH 1/2] feat(odg): Add test evidence extension

Signed-off-by: Philipp Heil (zkdev) <philipp.heil@sap.com>
Co-authored-by: Franziska Schallhorn <franziska.schallhorn@sap.com>
---
 artefact_enumerator.py                        |  17 ++
 charts/extensions/Chart.yaml                  |   3 +
 .../test-evidence/templates/test-results.yaml | 123 ++++++++++
 charts/extensions/values.yaml                 |   7 +
 odg/extensions_cfg.py                         |  20 ++
 odg/extensions_cfg.yaml                       |   3 +
 odg/findings.py                               |  29 +++
 odg/findings_cfg.yaml                         |  19 ++
 odg/labels.py                                 |  12 +
 odg/model.py                                  |  26 +-
 odg/profiles.yaml                             |   1 +
 .../test_evidence_component_descriptor.yaml   |  45 ++++
 test/test_test_evidence_extension.py          | 112 +++++++++
 test_evidence_extension.py                    | 224 ++++++++++++++++++
 14 files changed, 640 insertions(+), 1 deletion(-)
 create mode 100644 charts/extensions/charts/test-evidence/templates/test-results.yaml
 create mode 100644 test/resources/test_evidence_component_descriptor.yaml
 create mode 100644 test/test_test_evidence_extension.py
 create mode 100644 test_evidence_extension.py

diff --git a/artefact_enumerator.py b/artefact_enumerator.py
index bb492fc9..251568ff 100644
--- a/artefact_enumerator.py
+++ b/artefact_enumerator.py
@@ -359,6 +359,23 @@ def _process_compliance_snapshot_of_artefact(
         if uncommitted_backlog_item:
             uncommitted_backlog_items.append(uncommitted_backlog_item)
 
+    if (
+        extensions_cfg.test_results
+        and extensions_cfg.test_results.enabled
+        and extensions_cfg.test_results.is_supported(artefact_kind=artefact.artefact_kind)
+    ):
+        compliance_snapshot, uncommitted_backlog_item = _create_backlog_item_for_extension(
+            finding_cfgs=finding_cfgs,
+            finding_types=(odg.model.Datatype.TEST_RESULT_FINDING,),
+            artefact=artefact,
+            compliance_snapshot=compliance_snapshot,
+            service=odg.extensions_cfg.Services.TEST_RESULT_FINDING,
+            interval_seconds=extensions_cfg.osid.interval,
+            now=now,
+        )
+        if uncommitted_backlog_item:
+            uncommitted_backlog_items.append(uncommitted_backlog_item)
+
     if (
         extensions_cfg.osid
         and extensions_cfg.osid.enabled
diff --git a/charts/extensions/Chart.yaml b/charts/extensions/Chart.yaml
index c00b98a7..22b29999 100644
--- a/charts/extensions/Chart.yaml
+++ b/charts/extensions/Chart.yaml
@@ -44,3 +44,6 @@ dependencies:
   - name: odg-operator
     repository: file://charts/odg-operator
     condition: odg-operator.enabled
+  - name: test-evidence
+    repository: file://charts/test-evidence
+    condition: test-evidence.enabled
diff --git a/charts/extensions/charts/test-evidence/templates/test-results.yaml b/charts/extensions/charts/test-evidence/templates/test-results.yaml
new file mode 100644
index 00000000..37729176
--- /dev/null
+++ b/charts/extensions/charts/test-evidence/templates/test-results.yaml
@@ -0,0 +1,123 @@
+{{- $podName := "test-evidence" }}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $podName }}
+  namespace: {{ .Values.target_namespace | default .Release.Namespace }}
+  {{- if default dict (.Values.deployment).annotations }}
+  annotations:
+  {{- range $annotation, $value := .Values.deployment.annotations }}
+    {{ $annotation }}: {{ $value }}
+  {{- end }}
+  {{- end }}
+spec:
+  replicas: 0 # will be scaled automatically by backlog-controller
+  selector:
+    matchLabels:
+      app: {{ $podName }}
+      delivery-gear.gardener.cloud/service: testEvidence
+  template:
+    metadata:
+      labels:
+        app: {{ $podName }}
+        delivery-gear.gardener.cloud/service: testEvidence
+    spec:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app: {{ $podName }}
+      terminationGracePeriodSeconds: 300 # 5 min
+      containers:
+        - name: {{ $podName }}
+          image: {{ include "image" .Values.image }}
+          imagePullPolicy: IfNotPresent
+          command:
+            - python3
+            - -m
+            - test_evidence_extension
+          securityContext:
+            allowPrivilegeEscalation: false
+          env:
+            - name: SECRET_FACTORY_PATH
+              value: /secrets
+            - name: EXTENSIONS_CFG_PATH
+              value: /extensions_cfg/extensions_cfg
+            - name: FINDINGS_CFG_PATH
+              value: /findings_cfg/findings_cfg
+            - name: OCM_REPO_MAPPINGS_PATH
+              value: /ocm_repo_mappings/ocm_repo_mappings
+            - name: K8S_TARGET_NAMESPACE
+              value: {{ .Values.target_namespace | default .Release.Namespace }}
+          volumeMounts:
+            - name: github
+              mountPath: /secrets/github
+            - name: github-app
+              mountPath: /secrets/github-app
+            - name: kubernetes
+              mountPath: /secrets/kubernetes
+            - name: oci-registry
+              mountPath: /secrets/oci-registry
+            - name: extensions-cfg
+              mountPath: /extensions_cfg
+            - name: findings-cfg
+              mountPath: /findings_cfg
+            - name: ocm-repo-mappings
+              mountPath: /ocm_repo_mappings
+              readOnly: true
+          lifecycle:
+            preStop: # hook ensures that just created pods have at least enough time alive to add a termination signal handler
+              exec:
+                command:
+                  - sleep
+                  - "60"
+          resources:
+            requests:
+              memory: 100Mi
+              cpu: 250m
+            limits:
+              memory: 300Mi
+              cpu: 500m
+      volumes:
+        - name: github
+          secret:
+            secretName: secret-factory-github
+            optional: true
+        - name: github-app
+          secret:
+            secretName: secret-factory-github-app
+            optional: true
+        - name: kubernetes
+          secret:
+            secretName: secret-factory-kubernetes
+            optional: true # might use incluster config
+        - name: oci-registry
+          secret:
+            secretName: secret-factory-oci-registry
+            optional: true # oci authentication is optional
+        - name: extensions-cfg
+          configMap:
+            name: extensions-cfg
+        - name: findings-cfg
+          configMap:
+            name: findings-cfg
+        - name: ocm-repo-mappings
+          configMap:
+            name: ocm-repo-mappings
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-from-test-evidence
+  namespace: {{ .Values.target_namespace | default .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ $podName }}
+  policyTypes:
+    - Egress
+  egress:
+    - {}  # Allows all egress traffic to any destination and port
diff --git a/charts/extensions/values.yaml b/charts/extensions/values.yaml
index 2617b786..8773186b 100644
--- a/charts/extensions/values.yaml
+++ b/charts/extensions/values.yaml
@@ -88,3 +88,10 @@ sast:
   image:
     repository: null
     tag: null
+test-evidence:
+  deployment:
+    annotations: []
+  enabled: false
+  image:
+    repository: null
+    tag: null
diff --git a/odg/extensions_cfg.py b/odg/extensions_cfg.py
index 1846d0a0..8e8f89c6 100644
--- a/odg/extensions_cfg.py
+++ b/odg/extensions_cfg.py
@@ -43,6 +43,7 @@ class Services(enum.StrEnum):
     PPMS = 'ppms'
     RESPONSIBLES = 'responsibles'
     SAST = 'sast'
+    TEST_EVIDENCE = 'testEvidence'
     ODG_OPERATOR = 'odg-operator'
     SBOM_GENERATOR = 'sbomGenerator'
 
@@ -984,6 +985,24 @@ def is_supported(
         return True
 
 
+@dataclasses.dataclass(kw_only=True)
+class TestEvidenceConfig(BacklogItemMixins):
+    service: Services = Services.TEST_EVIDENCE
+    delivery_service_url: str
+    external_artefacts_require_tests: bool
+    interval: int = 60 * 60 * 24 #
+    on_unsupported: WarningVerbosities = WarningVerbosities.WARNING
+
+    def is_supported(
+        self,
+        artefact_kind: odg.model.ArtefactKind,
+    ) -> bool:
+        if artefact_kind is not odg.model.ArtefactKind.RESOURCE:
+            return False
+
+        return True
+
+
 @dataclasses.dataclass(kw_only=True)
 class OsId(BacklogItemMixins):
     '''
@@ -1119,6 +1138,7 @@ class ExtensionsConfiguration:
     responsibles: ResponsiblesConfig | None
     sast: SASTConfig | None
     sbom_generator: SBOMGeneratorConfig | None
+    test_evidence: TestEvidenceConfig | None
     backlog_controller: BacklogControllerConfig = dataclasses.field(default_factory=BacklogControllerConfig) # noqa: E501
 
     @staticmethod
diff --git a/odg/extensions_cfg.yaml b/odg/extensions_cfg.yaml
index 155dd62b..c8f88827 100644
--- a/odg/extensions_cfg.yaml
+++ b/odg/extensions_cfg.yaml
@@ -105,3 +105,6 @@ sbom_generator:
   mappings:
    - prefix: ''
      group_id: 0 # <int> must be set
+
+test_evidence:
+  external_artefacts_require_tests: False
diff --git a/odg/findings.py b/odg/findings.py
index b6ce79d6..bd53212b 100644
--- a/odg/findings.py
+++ b/odg/findings.py
@@ -135,6 +135,15 @@ class SASTFindingSelector:
     sub_types: list[str]
 
 
+@dataclasses.dataclass
+class TestEvidenceFindingSelector:
+    '''
+    :param list[str] status:
+        List of regexes to determine matching test-evidence statuses.
+    '''
+    status: list[str]
+
+
 @dataclasses.dataclass
 class VulnerabilityFindingSelector:
     '''
@@ -195,6 +204,7 @@ class FindingCategorisation:
         | SASTFindingSelector
         | VulnerabilityFindingSelector
         | OsIdFindingSelector
+        | TestEvidenceFindingSelector
         | None
     )
 
@@ -557,6 +567,8 @@ def _validate(self):
                 self._validate_malware()
             case odg.model.Datatype.SAST_FINDING:
                 self._validate_sast()
+            case odg.model.Datatype.TEST_EVIDENCE_FINDING:
+                self._validate_test_result()
             case odg.model.Datatype.VULNERABILITY_FINDING:
                 self._validate_vulnerabilty()
             case odg.model.Datatype.INVENTORY_FINDING:
@@ -647,6 +659,18 @@ def _validate_malware(self):
         e.add_note('\n'.join(violations))
         raise e
 
+    def _validate_test_result(self):
+        violations = self._validate_categorisations(
+            expected_selector=TestEvidenceFindingSelector,
+        )
+
+        if not violations:
+            return
+
+        e = ModelValidationError('test evidence violations found:')
+        e.add_note('\n'.join(violations))
+        raise e
+
     def _validate_sast(self):
         violations = self._validate_categorisations(
             expected_selector=SASTFindingSelector,
@@ -930,3 +954,8 @@ def categorise_finding(
             for status in selector.status:
                 if re.fullmatch(status, finding_property, re.IGNORECASE):
                     return categorisation
+
+        elif isinstance(selector, TestEvidenceFindingSelector):
+            for status in selector.status:
+                if re.fullmatch(status, finding_property, re.IGNORECASE):
+                    return categorisation
diff --git a/odg/findings_cfg.yaml b/odg/findings_cfg.yaml
index 726d9fa3..9d8dcbe4 100644
--- a/odg/findings_cfg.yaml
+++ b/odg/findings_cfg.yaml
@@ -46,6 +46,25 @@
         malware_names:
           - .*
 
+- type: finding/test-evidence
+  issues:
+    enable_assignees: False
+  categorisations:
+    - id: NONE
+      display_name: No Tests required
+      value: 0
+      allowed_processing_time: ~
+      rescoring: manual
+
+    - id: BLOCKER
+      display_name: No Test Evidence
+      value: 16
+      allowed_processing_time: 0
+      rescoring: manual
+      selector:
+        status:
+          - .*
+
 - type: finding/sast
   issues:
     enable_issues: False
diff --git a/odg/labels.py b/odg/labels.py
index a011a9a4..8bc17419 100644
--- a/odg/labels.py
+++ b/odg/labels.py
@@ -76,6 +76,18 @@ class CveCategorisationLabel(Label):
     value: odg.cvss.CveCategorisation
 
 
+@dataclasses.dataclass(frozen=True)
+class TestScopeLabel(Label):
+    name = 'gardener.cloud/test-scope'
+    value: str # artefact-name
+
+
+@dataclasses.dataclass(frozen=True)
+class TestPolicyLabel(Label):
+    name = 'gardener.cloud/test-policy'
+    value: bool # is test required
+
+
 @functools.cache
 def _label_to_type() -> dict[str, Label]:
     own_module = sys.modules[__name__]
diff --git a/odg/model.py b/odg/model.py
index 1f20f593..bb7351ec 100644
--- a/odg/model.py
+++ b/odg/model.py
@@ -42,6 +42,7 @@ class Datatype(enum.StrEnum):
     OSID_FINDING = 'finding/osid'
     SAST_FINDING = 'finding/sast'
     VULNERABILITY_FINDING = 'finding/vulnerability'
+    TEST_EVIDENCE_FINDING = 'finding/test-evidence'
 
     # informational datatypes
     CRYPTO_ASSET = 'crypto_asset'
@@ -62,6 +63,7 @@ def datasource(self) -> 'Datasource':
             Datatype.OSID_FINDING: Datasource.OSID,
             Datatype.SAST_FINDING: Datasource.SAST,
             Datatype.VULNERABILITY_FINDING: Datasource.BDBA,
+            Datatype.TEST_EVIDENCE_FINDING: Datasource.TEST_EVIDENCE,
         }[self]
 
     def display_name(self) -> str:
@@ -83,6 +85,7 @@ class Datasource(enum.StrEnum):
     OSID = 'osid'
     RESPONSIBLES = 'responsibles'
     SAST = 'sast'
+    TEST_EVIDENCE = 'test-evidence'
 
     def datatypes(self) -> tuple[Datatype, ...]:
         return {
@@ -126,6 +129,7 @@ def datatypes(self) -> tuple[Datatype, ...]:
             Datasource.SAST: (
                 Datatype.SAST_FINDING,
             ),
+            Datasource.TEST_EVIDENCE: (Datatype.TEST_EVIDENCE_FINDING)
         }.get(self, tuple())
 
 
@@ -177,13 +181,23 @@ class UserIdentity:
     '''
     Collection of identities that refer to the same user
     '''
-    identifiers: list[EmailAddress | GithubUser | MetaOrigin | PersonalName | UserIdentifierBase]
+    identifiers: list[
+        EmailAddress
+        | GithubUser
+        | MetaOrigin
+        | PersonalName
+        | UserIdentifierBase
+    ]
 
 
 class SastStatus(enum.StrEnum):
     NO_LINTER = 'no-linter'
 
 
+class TestStatus(enum.StrEnum):
+    NO_TEST_EVIDENCE = 'no-test-evidence'
+
+
 class SastSubType(enum.StrEnum):
     LOCAL_LINTING = 'local-linting'
     CENTRAL_LINTING = 'central-linting'
@@ -473,6 +487,15 @@ def key(self) -> str:
         return _as_key(self.package_name, self.package_version, self.license.name)
 
 
+@dataclasses.dataclass
+class TestEvidenceMissingFinding(Finding):
+    test_status: TestStatus
+
+    @property
+    def key(self) -> str:
+        return _as_key(self.test_status)
+
+
 @dataclasses.dataclass
 class VulnerabilityFinding(Finding, BDBAMixin):
     cve: str
@@ -1426,6 +1449,7 @@ def key(self) -> str:
     | OsIdFinding
     | SastFinding
     | VulnerabilityFinding
+    | TestEvidenceMissingFinding
 )
 InformationalModels = (
     StructureInfo
diff --git a/odg/profiles.yaml b/odg/profiles.yaml
index 8d241e13..89fc4cd5 100644
--- a/odg/profiles.yaml
+++ b/odg/profiles.yaml
@@ -12,5 +12,6 @@
     - finding/osid
     - finding/sast
     - finding/vulnerability
+    - finding/test-result
   special_component_ids:
     - 03e237b4-434e-4e1c-b786-5ceb6cc76c1c
diff --git a/test/resources/test_evidence_component_descriptor.yaml b/test/resources/test_evidence_component_descriptor.yaml
new file mode 100644
index 00000000..7c643652
--- /dev/null
+++ b/test/resources/test_evidence_component_descriptor.yaml
@@ -0,0 +1,45 @@
+component:
+  name: MyComponent
+  version: 1.2.3
+  resources:
+    - name: test-evidence
+      relation: local
+      labels:
+        - name: gardener.cloud/purposes
+          value:
+            - test
+        - name: gardener.cloud/test-scope
+          value: build-result
+      version: foo
+      type: foo
+
+    - name: build-result
+      relation: local
+      labels:
+        - name: gardener.cloud/test-policy
+          value: True
+      version: foo
+      type: foo
+
+    - name: other-build-result
+      relation: local
+      labels:
+        - name: gardener.cloud/test-policy
+          value: True
+      version: foo
+      type: foo
+
+    - name: build-result-not-requiring-tests
+      relation: local
+      labels:
+        - name: gardener.cloud/test-policy
+          value: False
+      version: foo
+      type: foo
+
+  repositoryContexts: []
+  provider: any
+  sources: []
+  componentReferences: []
+meta:
+  schemaVersion: v2
\ No newline at end of file
diff --git a/test/test_test_evidence_extension.py b/test/test_test_evidence_extension.py
new file mode 100644
index 00000000..48e65250
--- /dev/null
+++ b/test/test_test_evidence_extension.py
@@ -0,0 +1,112 @@
+import enum
+import os
+import pathlib
+
+import dacite
+import pytest
+import yaml
+
+import ocm
+import ocm.iter
+
+import odg.extensions_cfg
+import test_evidence_extension as tee
+
+
+parent_dir = pathlib.Path(__file__).parent
+resource_dir = os.path.abspath(
+    os.path.join(
+        parent_dir,
+        'resources',
+    ),
+)
+
+
+@pytest.fixture
+def component() -> ocm.Component:
+    path = os.path.join(
+        resource_dir,
+        'test_evidence_component_descriptor.yaml',
+    )
+    with open(path, 'r') as f:
+        raw = yaml.safe_load(f)
+
+    return dacite.from_dict(
+        data=raw,
+        data_class=ocm.ComponentDescriptor,
+        config=dacite.Config(cast=[enum.Enum])
+    ).component
+
+
+@pytest.fixture
+def extensions_cfg() -> odg.extensions_cfg.TestEvidenceConfig:
+    return odg.extensions_cfg.TestEvidenceConfig(
+        delivery_service_url='foo',
+        external_artefacts_require_tests=False,
+    )
+
+
+def _find_resource_node(
+    component: ocm.Component,
+    resource_name: str,
+) -> ocm.iter.ResourceNode | None:
+    for rnode in ocm.iter.iter(
+        component=component,
+        recursion_depth=0,
+        node_filter=ocm.iter.Filter.resources,
+    ):
+        rnode: ocm.iter.ResourceNode
+        if rnode.resource.name == resource_name:
+            return rnode
+
+    raise ValueError(f'did not find resource for {resource_name=}')
+
+
+def test_is_test_required(
+    component: ocm.Component,
+    extensions_cfg: odg.extensions_cfg.TestEvidenceConfig,
+):
+    artefact_not_requiring_tests = _find_resource_node(
+        component=component,
+        resource_name='build-result-not-requiring-tests',
+    )
+    assert tee.is_test_required(
+        artefact_node=artefact_not_requiring_tests,
+        extensions_cfg=extensions_cfg,
+    ) is False
+
+    artefact_requiring_tests = _find_resource_node(
+        component=component,
+        resource_name='build-result',
+    )
+    assert tee.is_test_required(
+        artefact_node=artefact_requiring_tests,
+        extensions_cfg=extensions_cfg,
+    ) is True
+
+
+def test_test_evidence_collection(
+    component: ocm.Component,
+):
+    test_evidences = list(tee.iter_test_evidence_resources(
+        component=component,
+    ))
+    assert len(test_evidences) == 1
+
+
+def test_artefact_test_coverage(
+    component: ocm.Component,
+):
+    test_evidences = list(tee.iter_test_evidence_resources(
+        component=component,
+    ))
+
+    assert tee.has_artefact_test_coverage(
+        artefact_name='build-result',
+        test_evidences=test_evidences,
+    ) == True
+
+    assert tee.has_artefact_test_coverage(
+        artefact_name='other-build-result',
+        test_evidences=test_evidences,
+    ) == False
diff --git a/test_evidence_extension.py b/test_evidence_extension.py
new file mode 100644
index 00000000..e59ec309
--- /dev/null
+++ b/test_evidence_extension.py
@@ -0,0 +1,224 @@
+import collections.abc
+import datetime
+import functools
+import logging
+
+import ci.log
+import cnudie.retrieve
+import delivery.client
+import ocm
+import ocm.iter
+
+import k8s.logging
+import k8s.util
+import odg.extensions_cfg
+import odg.findings
+import odg.labels
+import odg.model
+import odg.util
+import paths
+
+
+logger = logging.getLogger(__name__)
+ci.log.configure_default_logging()
+k8s.logging.configure_kubernetes_logging()
+PURPOSE_LABEL_VALUE = 'test'
+
+
+def is_test_required(
+    artefact_node: ocm.iter.ArtefactNode,
+    extensions_cfg: odg.extensions_cfg.TestEvidenceConfig,
+) -> bool:
+    artefact = artefact_node.artefact
+
+    # reuse artefact filter once it supports relation attribute
+    if (
+        not extensions_cfg.external_artefacts_require_tests
+        and artefact_node.artefact.relation is ocm.ResourceRelation.EXTERNAL
+    ):
+        return False
+
+    # TODO: use artefact filter once factored out
+
+    test_policy_label = artefact.find_label(name=odg.labels.TestPolicyLabel.name)
+    if not test_policy_label:
+        return True # require all resources to provide test evidences by default
+
+    test_policy_label: odg.labels.TestPolicyLabel = odg.labels.deserialise_label(
+        label=test_policy_label,
+    )
+    return test_policy_label.value
+
+
+def iter_test_evidence_resources(
+    component: ocm.Component,
+) -> collections.abc.Generator[ocm.Resource, None, None]:
+    return (
+        resource
+        for resource in component.resources
+        if (
+            (label := resource.find_label(name=odg.labels.PurposeLabel.name))
+            and PURPOSE_LABEL_VALUE in label.value
+        )
+    )
+
+
+def has_artefact_test_coverage(
+    artefact_name: str,
+    test_evidences: collections.abc.Iterable[ocm.Resource],
+) -> bool:
+    artefact_names_with_test_evidence = []
+    for test_evidence in test_evidences:
+        if not (test_scope_label := test_evidence.find_label(name=odg.labels.TestScopeLabel.name)):
+            # if label is absent, assume tests are scoping *all* resources within this component
+            return True
+
+        test_scope_label: ocm.Label
+        test_scope_label: odg.labels.TestScopeLabel = odg.labels.deserialise_label(
+            label=test_scope_label,
+        )
+        artefact_names_with_test_evidence.append(test_scope_label.value)
+
+    return artefact_name in artefact_names_with_test_evidence
+
+
+def missing_test_evidence_finding(
+    artefact: odg.model.ComponentArtefactId,
+    artefact_node: ocm.iter.ArtefactNode,
+    sub_type: odg.model.TestStatus,
+    findings_cfg: odg.findings.Finding,
+    extensions_cfg: odg.extensions_cfg.TestEvidenceConfig,
+) -> odg.model.ArtefactMetadata | None:
+    categorisation: odg.findings.FindingCategorisation = odg.findings.categorise_finding(
+        finding_cfg=findings_cfg,
+        finding_property=sub_type
+    )
+
+    if not is_test_required(
+        artefact_node=artefact_node,
+        extensions_cfg=extensions_cfg,
+    ):
+        return None
+
+    test_evidences: collections.abc.Iterable[ocm.Resource] = iter_test_evidence_resources(
+        component=artefact_node.component,
+    )
+
+    if has_artefact_test_coverage(
+        artefact_name=artefact_node.artefact.name,
+        test_evidences=test_evidences,
+    ):
+        return None
+
+    now = datetime.datetime.now()
+    return odg.model.ArtefactMetadata(
+        artefact=artefact,
+        meta=odg.model.Metadata(
+            datasource=odg.model.Datasource.TEST_EVIDENCE,
+            type=odg.model.Datatype.TEST_EVIDENCE_FINDING,
+            creation_date=now,
+            last_update=now,
+        ),
+        data=odg.model.TestEvidenceMissingFinding(
+            test_status=odg.model.TestStatus.NO_TEST_EVIDENCE,
+            severity=categorisation.id
+        ),
+        discovery_date=now.date(),
+    )
+
+
+def finding_artefact_metadata(
+    artefact: odg.model.ComponentArtefactId,
+    extensions_cfg: odg.extensions_cfg.TestEvidenceConfig,
+    findings_cfg: odg.findings.Finding,
+    component_descriptor_lookup: cnudie.retrieve.ComponentDescriptorLookupById,
+) -> odg.model.ArtefactMetadata | None:
+    if not findings_cfg.matches(artefact):
+        logger.info(f'Findings are filtered out for {artefact=}, skipping...')
+        return
+
+    artefact_node = k8s.util.get_ocm_node(
+        component_descriptor_lookup=component_descriptor_lookup,
+        artefact=artefact,
+    )
+
+    if not artefact_node:
+        logger.info(f'did not find {artefact=}, skipping...')
+        return
+
+    if not extensions_cfg.is_supported(artefact_kind=artefact.artefact_kind):
+        if extensions_cfg.on_unsupported is odg.extensions_cfg.WarningVerbosities.FAIL:
+            raise TypeError(f'{artefact.artefact_kind} is not supported')
+        return
+
+    return missing_test_evidence_finding(
+        component_resource_id=artefact,
+        resource_node=artefact_node,
+        sub_type=odg.model.TestStatus.NO_TEST_EVIDENCE,
+        findings_cfg=findings_cfg,
+        extensions_cfg=extensions_cfg,
+    )
+
+
+def scan(
+    artefact: odg.model.ComponentArtefactId,
+    extensions_cfg: odg.extensions_cfg.TestEvidenceConfig,
+    findings_cfg: odg.findings.Finding,
+    component_descriptor_lookup: cnudie.retrieve.ComponentDescriptorLookupById,
+    delivery_client: delivery.client.DeliveryServiceClient,
+    **kwargs, # odg wrapper passes more attributes than we need
+):
+    now = datetime.datetime.now()
+
+    delivery_client.update_metadata(
+        data=[
+            odg.model.ArtefactMetadata(
+                artefact=artefact,
+                meta=odg.model.Metadata(
+                    datasource=odg.model.Datasource.TEST_EVIDENCE,
+                    type=odg.model.Datatype.ARTEFACT_SCAN_INFO,
+                    creation_date=now,
+                    last_update=now,
+                ),
+                data={},
+                discovery_date=now.date(),
+            ),
+            finding_artefact_metadata(
+                artefact=artefact,
+                extensions_cfg=extensions_cfg,
+                findings_cfg=findings_cfg,
+                component_descriptor_lookup=component_descriptor_lookup
+            )
+        ]
+    )
+
+
+def main():
+    parsed_arguments = odg.util.parse_args()
+
+    if not (findings_cfg_path := parsed_arguments.findings_cfg_path):
+        findings_cfg_path = paths.findings_cfg_path()
+
+    findings_cfg = odg.findings.Finding.from_file(
+        path=findings_cfg_path,
+        finding_type=odg.model.Datatype.TEST_EVIDENCE_FINDING,
+    )
+
+    if not findings_cfg:
+        logger.info('Test evidence findings are disabled, exiting...')
+        return
+
+    scan_callback = functools.partial(
+        scan,
+        findings_cfg=findings_cfg,
+    )
+
+    odg.util.process_backlog_items(
+        parsed_arguments=parsed_arguments,
+        service=odg.extensions_cfg.Services.TEST_EVIDENCE,
+        callback=scan_callback,
+    )
+
+
+if __name__ == '__main__':
+    main()

From b79a5b343b401fc256633e85a1533c4ec3f5a987 Mon Sep 17 00:00:00 2001
From: "Philipp Heil (zkdev)" <philipp.heil@sap.com>
Date: Thu, 19 Feb 2026 16:53:22 +0100
Subject: [PATCH 2/2] docs: Add documentation on evidence-checker extension

Signed-off-by: Philipp Heil (zkdev) <philipp.heil@sap.com>
Co-authored-by: Franziska Schallhorn <franziska.schallhorn@sap.com>
---
 docs/extensions/evidence-checker.jpg | Bin 0 -> 26202 bytes
 docs/extensions/evidence_checker.rst |  64 +++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 docs/extensions/evidence-checker.jpg
 create mode 100644 docs/extensions/evidence_checker.rst

diff --git a/docs/extensions/evidence-checker.jpg b/docs/extensions/evidence-checker.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..c106429d60dbdb8a53f889f8c22d67d3a13a4917
GIT binary patch
literal 26202
zcmce-2Ut^0(=Z$rxkW&#B3(-8MS2INCo~DYOBDj42LvhJ(mM$ygsMR3MS4dmQbP;9
ziF9d7@9H1lay>rR|JLjOzJJb@b7ppDcPH7&oY~pgUo*eH0La0rAXUJP8vwu!`~~>6
za$^Rhq-6CBqN57ZRQcD6J^&sF9s>X{S8q><n&Km46Vpe3efifGzw4}Rz1)94{}aIX
zdph;IcK~3V|3BgRuZoH6?7eL94Ey*GyC;5dys*@GochJT;#|LRn}5Y+f8)O1?%sHw
zXTNbzeTWhsx5MLHFaE%7{=jYBJ%97Z;(26YF7V%D{f6HXli0f&=;5Dt@E-<%7XSiK
z11SFf{&*S>Zn*$}<Ou+9EAby?HfR8#Aq)U`IQNe-_O}24SttNdKk|>VfBYuy)}Ge?
z(j5W*e$&AL05~iJ07y*$0IE>{;I7%f)ZuUciENMXRSbB!-0;^6fD6DL@CX0`xB_ee
z0(eXq@E9Nj5dSp~Py*b#`5S)UZ{dM}kl;7mAtby_NOb4!U7|ZgM0ZKZNbVBfBPJpu
zr69dWMovyaewT!jijtfPkCXrI<i_uow+Qaw8<G<f5#vk$m+<Q&fa1;#r<<C$Zm<Gw
zQrx&japPAvfa$lc;pO_RivI?G5#AxVee>2`qTlt#<NyHS%^P?QlD}@_B`3qr&&^u|
zw+a8Epk%p2Ma?R7|G`5x$*0D?si?Y18es`tqxx}0Lu;QDB6bl7P)r<AJHesnIVP&C
zrf*~G;r(}bK~>Es9KL7jKZg9bk$;y`{6mm`FP#IB+`<b<af<?=0Qm7+E&eBP<L<ol
z*^OCC_PVwQJsk(vC3UgPk5eaPntNV6p5Mwz0199lkom}dUQ>{=`F<VEu<fIB&X>lQ
zqT7{KbxUI;3F|tQ@|8z|-5wnVH+cT6B75T-mXN1iaz$_PgTeqnS@{P|{wE_7y-~2z
z<P|YV$6`-bbpoP2bbgjqS3Fvr35k_VkW2zyWP3O9i>gdy-^sM%9P2pn@r`cND6?A}
z*R0Bcy^06_O@}L~uGUB8UYa2wbD4TDZf-W^p44oel>Pj?Vh}`K>I1=dVrJDWgH!RA
zOO}1@{i<W9Nh@3D54kc@GG}_qgEXNE$z>Jvx}x=Z7Tj6|PpdWyxLdX8Rk-F(1|*C!
z?R)RYt6R@l#RU3!loyN3Lm?gop47vryL8WW(stb0Bthnd{S*+Gcyf6if0qt2#Dpe2
z_nY-n097krARXLjX72mfhz^;~-myZ1z_^N^k-HTEPoUByW$#NF8h)mnC#SQ0OkqiG
zJ_@oW;XcjK;|`o~FPITas-Q$Vf}3NqyR`S{U?UaWJ_ZCt`|m7-Hd$rA4h!!%sM^`t
z)fN^t2@D88f^Z^_9)ACGkUvL{E&`<dNk@c!NA_e~e(3#h@410;X{T?$t=12#)uo8X
zH%tB}YV$wixoLp7E<V|u{Aqt4FUgbpPt;qyT{1sa2>Yx4q<yfjMzem3G+v7_I@3dR
zx`wSc;wCRaV+41;H_IlK)GS0=KP5lPiB;sAY{A!Z3@pUuO+6yIl7Gm}0~=NCptlw7
zHmz8sgl*ianhF(A@qVKiRp%Z-o(G~WzFqa?mf`mG;|(G4+6=$_(t_0^5zk?5ui3g~
zf0;I?;ISm_xs1@&$i!?47U=3AtC%Q;26S>k7S2B?VQwqE!oR4TM(#dqyxWuBzguFQ
z@O(QVDw?Ydxl7B=tdl2QFfSso7HFOa0}!@sx2ZJM?S9f_U|=-<u~@FH1QVJa89-BN
z`k#B`t6Hb1f*FBQx9cQWw8is*FAf6U$>Kyg?jxN8HR8WW88r=LCG<)X>=F_C70xMQ
zGkjC(L%_-LNf1e45E{X4{`)0>w<<jQS%=2s!A9q2%h<a`DKE7z_?$kJUccJk02n;^
z&GCN*z|{&V@~xL2upcOTZ|iHF8j@xX4}KL7s;kO9>xi3}8!xCnXozMEbsFx3J4unC
zD@39^+d?>H3uE#ZK=ls!#f<to6mV)Vg38-^x_Rt;gx)g4bxc9~@+HtOvf8#pno?bt
zF6zi$1-EsaZfY9I`&RmrFFb^++;x+-wX)&$*|pR&_FN_2Uw~ax5?m1OqW3ufz;Qtn
zSuPPjBam2QeCDfF%w-`iJ=h@5CB}>4SaWoOPa&bgI%ZK|Df#V3)PKjnpr^kv1&1xV
zF!bawzPaj;ADq%7@3ercDyNQ3*iYq&oYHVS=4F2wK8xjCpnsVD=AAZB`8Z9}+^T(A
z?%ZXf=oxl!c5>@Q#~GOH{lNZ^QuwluwjE4JU=x@)TgS%I9I#;`9di0M%gDh@<ojB+
zR;`ur9YRU7m7a@9p$gH0&VG8){4se88?Lv94uM04&ekXFje;fx=4?Rr@d<OZ-_`no
zj6|))(~8p3z_|XVwcZCwr-xc%`cAscHA!#|wf=*d=90HJ4Zb&YV}f7FafTU-TSV#4
z&JV%^e742criGJ_X3mf9cffr`Shs_6zC61&9GNz$psw{VP2ngu6zi${toMk1kL9ky
zghVTbH#r}dQk2N^_EvF^C)P-`#P#f6KeV#cVs#L0BG#lSn2b^BibLmLfRUAMRm#Cq
zB)9%B3sNRD5qrVTiJ&2m{26O0yI!I#nwgfZFb<7SFspv*5Kn^0NhCJEc3X3Fi9L{L
zm1D|S*22ELN)C3@tH##G+ns9`c?jYSq_BOL+?XrS4P~c5)3|C9g8$Fx>%aBFY1Gbm
zoULTHJ~8BFK-vEba6VpwYu*y14JvLtHW05%*TmwWBBFH3POC*1J3mPq*(~!JDjk*V
zEi$dMQWEK?bI?RUtZuEcIl@mh{?64as!#d=a69p(p;~ER{M_0Q^R@bgJjm%~*HQ}>
z8W54Vd3&b0?_A*1{QGydjXe^P2Du4Ty`|jF>5$Y&_!xa`r+(hLs=7-QyF=hegU9S^
z5-P9tGf7nzE4X4kf<xORMz3tqt*nhHaQC4nal&VpKKIC<w!#W&FKi4}%ueCDCx5>Q
z7Bj$G@BeE+WEAB#JE=BBNOV1Eh_})I{|tK%SYBs9>XMN$D48<KQtzgo!oOBM$R!9(
zt)m69TeXh7rn~WT+@flQs%t1-A$>)=`@>YzZH#Px-IOkA_r&6)v07$F{gFdh{Q@!)
zr&UKcegGkfB6d%fAnqD`WjzE^@o04+|LNv4(p*259-Fp1RsP+CJj10WAMN(8&J#o1
zh`K)!sC0KoxHRhr!9kmI(bi#^14Gdiv<<ry)ST@dIh?C(*P#KEyv{w!P}A#~GiE;n
z^|6VMNOnuWZl9WG*(dAI*wBu3=^u~IA*ns{SS)xDluBSdO0&%k#p?+g!c`dU{>|wB
zEAw{i?uhs)edX?3+f=f_ntoS$v$~fjdVlc@Kq+Q5lvHL(5&K}jE+x=UT%V2B^D8}9
z_I232%F4ruRQ<X4B}6^NWE5zWNICtMX%y(R>R|@>6*4Q3<5o`6cfx$Fx^B_Qn@88p
zRqKk$-A4WC15GNuTsg9R^Y-d%ahiEpL@$Hb5@I_dZ*j2TW8c}(rHI)bFgL{(c}G?J
z$KWdD{2PZ#kO!gpyDc!>Q5P<*MZ3?{I3<!`UHjO>MH_ivPR^D);T{PG<sgZ;W%oNG
zR#w3ut2F>d4y!O5sUN~syVDGn%@ul4FVoUH%{e}+c}s`L?=^;eLs8o0=MW~b38?u1
z*eq9FNd=<3s%B5=Wk_Qfc~tI)<{7HpCdH^Oe@fdzo0L1)cR>tsgYhG!)nw8ieSGMv
zO{&f+oi?;EiD^dnN8Zk%O}OU4*HNU*-h5FiSGWLX!T^%8=U4PP)>mAsGsekt0pT}6
z_b>R_enz<6X0)plpU6j)4w#^b?Jcy*TDW;`WCG#`XXq7l3S?ecBK+cIk8^F8EQKtW
z)!&4n(Neai7OLZ<`H?BW2nM!q7~uhRtbUO&9Z7XMhgyuK(Za-tOLmleJD6Q9G2tS^
zgV4#uM}E!WiOl~eeYrv1eXY7qJIt$<zVewyyll?=O}iY%J4dUB{%ECr&fIA@Yys%B
zt%wWYic%RNR1SP?`VqQU8Qr=~3d0)DVC*s$o?@ogTxtggm0y`iIF^-(K0-~dNzU16
z=+ebm>WV7opU@`gS5nI4l8Pd;V)SYRqC5Lbor;SB*Lm0-NAp>ZN}#3%sxCi7=kaa<
zNB_IJ3ule5U&J#Biq7O+mNQZ;>FW8hKxUz`(z2=#%IRZ2^L8($%3IdUWx3^TVU-w_
ziO?Kw&aEVyA5`^~m#MrLeRqq9jQ*s9(Bgt)GSFXuVw(?{uS;I1{8K^1pRE78rm-S+
z=ZIP33IFq`v4%!s!vua*_3rWv*(ijCds||IQGb>gtP`JnQ5rv6tgL$Y#PrB~hiqD3
zVC|wu<!*W%hAJqaP&%O3;4-#8X9_-vb`Ku~n@)B@l0;akP~{EsOZu$cxkFQuAtjtZ
zQ`1js?X+05kFujHC4wMj#Frh>n!UcpVp-+;P$27*wNAo&Vd4wFpX$E=R|}eN7JHU7
z^(B=9#r7UWrNyF|-MHnTAe31=b6J2D#YK=&gth+2aud5LF>!2lbd({bEvw=~8@r7(
zxN_KKK?RDeFlW#G7SG3%Ac}H?+{<!>6zSz|Ip-I^^?~;_aH1{6wE^#mou1@F(2g!r
zqZ$O9v9~pK4{XT(G@l5!*noYzro*<cG9`JiQadozDCr~kOck$_fwipzYt3`5`EOI!
z4(&&Dsr#88on<S%-Y}y~uvbdBMLFRqVwmolEmA1o;VFoYZ?EGFtxfKTuL04N6(AO(
zv?;q@euRdr)%gt5CxNCM=VGne{4=!`g>6eC=RA&0hY_^jLRsYXB26AAsBnUyz@~#}
zxUAQ*SC#Le3hZxP`zhaQq1H}&rPSktt)#@+=>`Kzt8^^L$(4TFMtOwesc0w{Zq}PU
z8Tv)Mj}SR~p0?OT66HtuA;>;XTQI@aP=zIJqHfYiU?e_b(Z^#J>#A><xh<Zq8KgxF
zZcg1oJ(<xuYuFRx<MA_yU+$CPw1fqn?-q1DJ*L!b&5NOYTJ*#9hjO-z`-`R5rGTj)
zdG9?LBfca#IlTYA!?QcvU6~Da6%^YdWgA<Su1J>QkrALMN_5msvcvz0-YMsTW5{xv
z&anJ(a0~5|*2@5Tj@~K>ZL7Agb*GU??Cm~;(Da%JKV{bO<ONamm?%^O#4ZViK<Hls
zFF4{OO?aDrmh~-mcoqxO2){zuQca@V=<Q}1Gg%>WoS|0_BIvvm;u%?Y{b%dNeHKua
zXQVzV?*(`%Y{MLq4mNph4Esuv*jtcv1Ml+<PdX320R8ZFPVA29#6X59MfA5%<B@Gx
zcYPJ7E6rT*=8JJJlfBwvgU8S~RHm{HKaqxjrdRk>GNl>BDiO-Yj;SH3Zg@HHsf^9`
z)h44eQ5LY*G{zgvajGDS+Y;}mp2QHvUtOQD^0o?IaqESfXF2-YcgM){j=oTZYC7>3
zqtJc?wUS{pcfrWO*x1;<zAM^?)8^akZbZi(!0pVcf}Q-}CWy0)XbXR-1P*MXTx6zP
ztZQk4MjxX2*c;Ca#s~VupAba1z;|a24)O>06Kc}}r=B&KsuVoVf9HS{0nzP^=CR6a
zqyRauaB4H23Yr--U$g3hC#tN5pBOv=fB1t|l}dLR!UX+fd}<M~epx)fP!%0T1shir
zn-!w5czzW|D}>Qhe2}8zc$o#FphI+;3)H@D1>j~aS;fU*{FN<NHgXojf_l#1gV^4G
z5#R80qddel3B?h+U?=PeiMSiHO{4nP0+1kXx$xR~sguCWMv4HT-BNK|`Bna*DC;<2
z6bKv}HPyf4u)xk0QxxT>crLsR)<Hfh0Q@g(-HMr8=3IP<{bFI5MM*c$`8P1~d*RCV
zSEt(a)CwwhhX4xNedQNduZ;ol^OFVh)HgM3Z|2K;>cX*8&kiW~x!?q~$jI2fgfJRe
zT9krR{Kx;ri;3XRcmm#~T$Wj@D)?D>@VzVT#*(dn5={YL$9%Y1pWTb3AJP{-LJuK8
zjL>}S_+1zmJH5Jf>L^H;S-v_JJ7IgdkvJ}>tJuRd`7k8qex(#E!+l(@9*OkkwaPof
zcuLGKfa73udyuLNKp_hJ45>&70&Bcs6}S^~M)vg&fr<Fq7<nl^ym~w)MP(d-n%C9n
z`5f!IsyBr>DL+wi(#rJHknaViP~^yIi~j-;C_NnT<TG>6vdmbL9Q$(S)KFTb0z)?l
z<gvg}QL7PzW|2x>k^Kyk(~68>eFvDwg3Fz4&oU$WVUHFDB|%J-n}!>sheK!bEPvsg
zt~-7;_hT&xC(I^5^4eQiG&>U&t<-_n>ZjM9%{m3jMLwy*%T;Vi3SuPb(v&sZMm(%*
zmnr>cLR~|msl>@Uv6UA3V^g*+>uC#_)?0A+Ztac`qtaS(J`%|Wrr|!L3^@U5mz}Re
zMS2Qs%$&6hTX=Q*eC6LIjA~h<lE^1!_GrLF%~uj6QCy0|NC#7Mu^cyb#}<<5JM#}!
zgL$;%#FDDqoaZ@TjL!CY-p^;J-PiEp?M4yR7_p;}s^giSVP!3^_aiXJKYV1|BB!^p
zU@@jA6)mPyPI<YaCq7?3J0ft)sN21|%nURP?n<2wiQ|S3yGeL_O1jsc8K~<w8pP}M
z>N|cfEiIl9ciI9^PPJnwJS*zFMmUFE07CTqN+qrW#hx-2&M||vy>zf>zXbjF4R6I~
z59er23R7_*-;g>4N#D#L4!#C>?DBpwdy-_}d{?$lkJj8zC|?{!=ZDG1)$-qE0|J#D
zR8`GsX%VryS%O7upU2lppu4&)0YM^<OA1-Dr4(+5BORUU4b|6c-*GsB*a!1t`x@DV
z(631p33Db+3{k!Y%_9%u6xfya%t6q1p-s;tMo^=dQL>FFlE^9WT5{lIe*&!5!nVTE
z)?VV-0oEsvxZG0~^t~GE1AUZk2A*?rP}Z!q8&`G$A($13L%xKwy=Z0ZFW-H<NAn~W
zw{kNxPIyr#!}!EJIR}hJh_P3S9n+%pUv7DHp8_w;kr53HV|!ZZJqAtRr*qcITOqTW
z1w<wOg|FPx?q3&^BFRoHUw%d`T)Z57^Jr&nlU@&2i-k$)w`wq^X4h??NvMt%oZpCM
z1=?oux=)$!A6Ie{?dCT;O86V~+&_YJ`c&^w`V=_3)<F8MR5N_?D8*jv&bMU#@!jyg
z3(@LXmi%7;djgT)`x5v#)0g^m4|TIR4A|u|(LvcEX*FKs%tvVBcik=OdFE>D;PnUF
zUx09TdmHAJ;9zGhl{j#>k4j4|54LEJP0s}M{Kt(8$LD=3<;RDbl6JMl@=h#w1wcF^
zAjEANy`O`RmkxjU{-mu+iJT6PTPznZVE&7C+K<iTR$~gI{wqIsq;mw55@Il%@)uxR
zdYK9;2COksbIk)4v-|w3guf;EFMv^7FV&_|jJm8)tiPn{(%6D2$<|4%5n;Sz`YgV|
zT=boshAG562hJ7Qf+o4OY`bi`#b44sYZPpJTc4oxPg?!~{zA@`?xpyiyvDyP+W(+K
z{$wPC!_!wJ7l*{<64&4-^-{#~B9QI|+}N-mBS%5Hn7f8o7)6p@psI2nt1vjWz>@ON
z#czqsG?)_ljS8i?WA5Wz_cf3walz|vM)s9awE+lJ{?17JOL?g;=ZKfX1J|4{GxpDr
z&dM(nCklO12gVuwu*0=c8LC98BV}&xNcT9GVvBR7LE-NoGkyVT6nDDRB0i8+?TIjx
zn+`C!WpS4}r()J8zas8QlRJhH*%g97;^`u~@07tx3C$rtAU7`QZW`=Y;bY^elU6RJ
zAIg}C@fQeYa5~U(`H|->(CQDm<4?w$CI8$|#GKdqxeQP7{GwN;?S+9e<$a3T<W!eo
z>jqqMu@-la{_p(+#W;?D{o0)2C&K@j#Tya3ayp?d8!V|hrd!&ji3<bs>cR{$(gdNj
z=?wO#*i>`cLq`!&-kI8>*uEpc4d$~?O=8M9oTBBZswxHbuPP^U{(<wA(ORCa!y%09
zdWNo-n6G>o3t8r*nNKw2Lmmu2(Ng#BBc>OPxIYQIbp;Agxv^Exnb7zwJU!KevO;u_
zx)i8eEmUPmpl8~xzM`G{Wsd{OKj-=25=XU$#AvxygxR9>{VY_KRaeF~DQHNWXU}e^
z+@OnS_H6Sooe-pGOsYH5D8JJuBt7fnUC%3k0g_ga$q0+|g#H3_`n89cAnE+pX~~c5
z7pEK3mHN1wGpNnFbAj(rhcc3%KW_=^85El^zwhrSu)1EfpAqH{YxanJ&>yQ!!b?&p
zl0DmG6@z0D)DBd*>?MV2=$c#%ZQT=JvSrmR4b7I{C>uVFOA^nhc?1RCf)yb`M!~+L
zmSVxsP7@?!Mu*QKh*W3~$ntrB_Vcas{Wxn)Z%MgZ2348vp939MmJr<Ir!A~XC3=;O
z!7}mXV1>*c@U18VJp&~(y7c&Jp!XeElF&-GJzw<z@k}xcI|xMcjrEJ?$A8Qo0Pt7H
zh!`WL{i+C7fO9sT%4Nr}o1@V=?;~IP#RVQL6&{c-E|;=*3CA@1I~D7R2+b3N;#BN2
zlF<dcLCysrP%EZHD#vRpvEt6i-^fC^g^L*x_1s@f3BeD9Q?ae>L(UH2BE?38^MpBZ
zRqkycD7qNqcoM_>^HQSEgL_t`eXkTfPgNn?nUFoVRq<8bs27Vxx@4)=wJP)BgXPLr
z4;#oD@5OW^M5MLT%F3<!kGa$uL0$HQIWvTX{l^YLZ96pfRCen2JbMGQPjiA)KB^g%
zi7aZTGL4?8qm|JbL9UDlu-U;iCVjzsr+^o=+FqAqC);3)k_D2SJ?nQbAB?g0iL)^r
z+gL#((GnItZf0CZu}EcC9;ri^mJ<Vle#~%3*+Ch~wiYRZ-#h*9fU=Tusiq{MjD+f<
zqzu1H)7`MUowsv~;3u^7{xbmi2ijx14`hBD@LQ|{Ta`i#rgJ?72247(2J3yAUZ#dC
ztnzcrTY65yoRDfkvo``5FPRUECJ)kw4q@=pD)U0NvaU%hfnm8=%{<<!x*#)kj~-iN
zx*XTLX10S6$YFAdB!))A4(i_J3V`}_9Ncc0cYCpFcftgeuZ{pBRG8p=rv>ScFwg{P
z(K^8~KFS^LBT`a28b+{=i4-nZ_Pd8mY|`!hUZ%Ou6BU%*vq!q0a*S@D@IRnxrjyd_
zecHH{!DWV&)|;q!XvA;@uy_sSXjw8Nl^&<+crOLBTGw)sYCf1}7%DE8FVgy$A<uAe
z$2}vl(10{8#>j-CG0(d>azaBVmnJf>BTAXiVQ%2|(5XuHy1{;7Rg~$Rn3<Uw3kaf3
zeY=U}Xj@NR?XKdpFxqmk=;d<b6S12puRVJ6;h>R$#kg3-+$rZORT<A1p09f*Je~Sh
za%=n`lXss!fe{<35}-ozWcF03*y;IFR5>Pjp3Qi28pp|>l_aKhZ+nEcw&eAKQnAk`
zw<a_02@Q!md5t*TjklTG8ln05v9DoINZotfB&M9|s~OnXu|)@`S<`!^gL&4F==;%|
z!_j)S%?;B2jn7e|wahw2VZJc1rP=Z!aJs-D6|w8K*kxWXeGQM<F%hTIZ;bYcs=l7(
zH7j!391Sva$P-9y?PO2NM-r2#IDMECIKBKBab2p2_qGf0PI1fp&Q0dS@;i6`o4_%N
zhTPms%SNYUJ40vB0jNHFV$?*xl=nV+OM$3i--7oqfFHuUFk9bAK+~F2sj-1dyHubm
zqwIhd1ar~X8`|ny6Swa#u$zh<yK}J%>xN9J>?S6yKaz>v^qqWWA`|h&+w%xJc8>+4
zJKmVhLf00rgAAx6sus9z41@|!C`HV`OK=Tl4?5+BfA-lfeTvPOqarU;oP8I&ZO|`y
z!Mo~WF8HE%zt;w0`_A(Hh`YJYolcLmnT?kGl9Ig0LQ1Uv)Mz+pxaNpDP@!zOvS=!A
z9c-jqguM_-1nk?V=GBHjbRw;t1Km-iR8G#1dBe(jN<n_aRD{dLI*&vE3+KeR8DV9~
z+4=aAwRTToVTA=dJGr;F=!V7GDXMaN;?kapiS^y1ALS5VMQlvB+IO@((BsiK$Xsnm
z!;Mx*3A_}VpZyGhRM7iMkU!_?I8lv63zLuay-YVNm=9F7fO4e6yFi|S{N<M2XjFam
zaQ${Ya7ZrHX`l1`LRxj6G|D6}B|kZW-c%D;Tg;&fW)sH44KBCi`Qi<v#c^9+7^V(g
zF0bS#dYkTt^6|C4AC{$BUMIO<<dkY#o=oQBsVY^CQ$~BI;9OPgsv}%oe8EPEprQil
zFH@{hhCVJ0Z4Aw^-4&);vf;f4LLSoEC)3AEu0(MwsyB&<$agDSNhXhUi>ZD+UJNOz
zNh7aL9d$>ftvujszH)u1@L-{m8|>f=JMq+A2lfnRgSbV2<c6<R3t-q5O~dA2fJo_j
zRD9>xr<<ZM?iu9-1A_HX#q)Cw2o^grXBq!S-f%}{#%M(YztR_Z+y8r|kJ+%axBI=)
z=Z5H8;8*&wu`RR@$=v@-L-=2AP~6K9?iO17J8I$iEZnycXVu}~+#{H|Y8l}B%+Z4p
zR?MrzEg}HP6~2fK=S}@8XO*#j8)YY2W1hakCMK44id$8#R)(jq7T6hPX$be%(WVEi
z2{yQ{&pi7`Fqv?#IVD3zLxSrCSgW#G-j3Ud%IZzW3}v)aZ*+rJ+QwPhrfz*`PLE)`
z^yKhUX5-~pk;wPW7m%3SCN0WMKEieaA`!HGpKX#?!`%e?{U#{0#L#dw0&zzB4A7Oo
z&FCvAq1_YAwE0N0ul_b4rX6{lb^ug%8h1pkr$@`q@}tuOZ6N+l;`5@%(@czY_5*gs
z@YH=f_2ys}<>vW|{k2com!xD(j8m52)uduEzqooQ#UZd5JNAP5U3Xo5$-D9-FTWR*
z%>?2@Ta=jAR1^E#dyuI-_WYPL^!}~e3S|Dl3lde`)_tx7(S{x;^$W9HM(;!~*Tj{p
zy^69pGtJsPnA4r*^Gwhb@ikvs3S$czOBVjtdodVg^8>MNn4Rs##?mu~L|Y;@Syr4j
z>BKO~P{;n7bpnu}LTG($^@+PfwfWlgFTjmmD<-rx(a%>j%E$H38pZtER4>?LQ~D7s
z4yY|Pw~_O0H&VY_LL<%En~zGOw_`Shl>|TZ4hL}I>{PQgvLT6mRatVCkLUg8u{Mag
z3%J-{s+}1*?6^jUtv1{t^)lw<BHFaS7o-iBTt4xv^FoY{8QH=ki%PhGwD(#M{FNK*
zDvPJ7S1vpzxg9Jtj0j$I;_Y)3yRu#-PW(`<VlzTQKlBV@GWe+2!Agof83fAt#->Xn
zKQ8DPloL4g3sCQG1YOMxYWNxds;*a|^cO%+N+dhDD_fxsce4a&>UJ8_*8ZO57l3Cp
zw)E~?^Qx_1QKuKU)QRG<jg?LK4n}RYFh?xReJ3z=76s8rZVV9^0A=(3w}zTjZ*G>u
zFYf&B0p}|IJmFl}F#{oqB!sOy5$kwZ!TBlmiln?9!_B>Q5~r%%(1)5(#yzV$pif;r
z<9q&0*m0K7=`ZQFGM^}|Ud;=*N0AGMGABKZ`>=mHJ<@IqC}$BsvG1U`2TM17x+q!E
z;vlMGWU+E_dm<t^jQ(p7Npq?x`2HkLU35kk$_7HGn|&GYK-NIOAk|zDoR)(2VBsUQ
zAYwu0yQoUd%aeG<s!WIb`n`b@eI}J!uf7*N?Rzm&{`!)*nO0O4&g6e*%2hHTucY#O
z!Y74&H-o_SnV-r$j<EX6)>@#PDpa00Uh_vm@QUnfaNEIo;ZM@-%GMU<zK|v6=-@A(
zORfg1t|JYe5S0E&+hov)9$4#XV#lW%CoQbim3%zk??ln6%<~CO9<g?&+@%7G7WGZ!
z>EQ$0c3lM)Y|jA%HLAA$z6)FE)B09bGh5dqM7bxr<{mu1(9DWB_GnO`05aEi9*u+*
zBp@{$H~)q}Ku)4)GzE$Qu^)UE^*K1dNQ5|5L^Eivixj&mi5q0e6%}E%q1(*mTT9mx
zu{rxTm~Uq>L^#)Gv&FDrVpyFv<Z%5q>R#0}^}Jsjuj{LDb+B~Y>{s`RW~7Mxn<GZQ
zioi+=G&$+h@&T9k%{(Mb9K9+J1eq+|uV;<uIpBAr4`S-xQA~?btV<VW#O4M*P6lzt
ztvBblbQ~%9+BsB-{0KPps->~_V!g-EJ?C$B;a!8^F{wujHfXVgO1z*rk<RmgYPj`i
zxFSKsj+efmu&KFj8yEW?^aDj*V8k;gkA^#a$q|&fYq5=A`c-~1ka<)OWNU^v5pF}A
zz(c?Z<scl}kHwguU+9XLFZ_mu3f3o`k0(qZ(-!M{b|U=M#T8}-1Fi#BN-otd&8ih|
z?7P699WUIcJJN^1$*ZrNS=`JFO`Z8?k@j9?@DLi>AE7aD<5DK{7Ch2CRJ<a;6RDe1
zulpFOBOjfTt~m-d{4rzHQ&X8@#?85gwRe%h1<+!gM00|dI^rL2$4)G#4H<H(;xhi$
zB9sfTF>OYz3*$`HARlT2xj?kP0Ix|UUp<Q9v{@b9CykML{BipzZ7{zM;lJKr_k07G
zC}7L4?cvHl0hEtyC;jBjKTT=Du8cgGYC4)8wkfQU@X=91UM+PncJn@(ElcrUC_<$0
zuXk=1__Y8bbbij@>(mS&qHgg;OPny)r$3cW3063h%pMu@3-B@Gcr-+p52u=sKrl1*
zCCuX!SDuJD>$D{AwoZN5aFLO51_xT}I>p%)p;<m>obdr^jVctI*!)xsI~lAvf@;5M
zV$X%1jp+|$vGL6vxjgF2K+UyK6gXQdAy}rTT94IZG3vX8{*b!nyl)!r^Sh}ym2~Sg
zMkbQQ;z<F!D5KQ7wbdEoPd~8ghrmcFQ}Zs6<67d$2nry7eq;o*!rVjE>X_Tt?W<#J
zX6nb%jTEz<n)BQYUTZz^W8BlIUN83ibAinc&*#EbWi5nqOs#{M@pGFx6xH+kRVtVF
z{#^FLS;vwX$rsW>jSEmr-)ZJ>eU=GD5%L1{bW>~EHLLzYA(+Fmq8qs~{>_}0v@O`N
zAK}ft<tXCX*w$L#(fpl(R(|Xd@ucHDiG-=`p3Mx09A$P@;e#_|2eW`|&3do7Y3$Ta
zwEVV*1621+MC3+DP14I^k9^5C-cnNt5-dJl!$+zvB4~Y}Y~LUJH##^n*>E?jBi_E{
zuSJ<l-)b|Lx%<FCnP)B)4=dt_WhlLNyX<o8?_qe8cH}=O0cjhzu|t}@s?)I!zW^rA
z0mTjI{`VxFvy?A5hSr8ktyg?(Of+t@Sb*dUWs_MdYQC@MBSt{(w@iiH$meA^V1D&t
zmh;tzP(D?V0oUa7MZdl{hvPz)PHvJC$VGg-nNz1peUjJoVY5zc#!AEUp{fv0@}82i
zZQkv#n+s)c!HV`3ufB<|7$;uN9t*pq3+rSLOf-OCwBn9pjLVA>MN36q%)Uk|&@#AI
zxyQY9g=8qqmA_`|>uNIprhd}T{>B;s>4Y5bIGs|=a9&MHg;0e3Du4YX?{@L?Y18=^
zgO2fmvbD)M-pH5iIi6oW+O(fv>-_={o)~?$NLYLNPe%9c&ER5jCWFkDv<ZjC6hj4g
zxZRyx<dDU9D#B`~JWT4|yG=G#t8E=HDaW+^qjM29mM4_u5?3mpmyF4O0a6@Q^#3Dw
zjgY&h?i!X6DHW~W^1jg2g%@Ts@>;X_>){tI8y7gzQgL3FYAj<LjKuGL(YX5YfgWVD
zxnm?VGTj(w#fpqb)$?8!m$z24Dp-mZ-oHOh(i~Hi|314~tth#%lH)x9Xhp<#ldL#p
zY}2@TaIQ2~e5i5j7XXEZy>DE|!RAPmUjJoH(;XbqRK}qR+p3(JyZG|sP>GF=?Mq+Z
z!rE^~Ga=+(C|xxxUZ%I1ml&<Q%EZI-ZI78g)07T(b2N%`Ci3<3qX5vkU!`MqO6xu=
zkoO&t8*AjsR0YX7m~y#Tt%LTIZC5p@Q)oJ`I~?d*$oA!>VJ8*{w78?<!zs+?t8WKp
z)tvpBKo$Zzns7q~_olGNr`(NCtr`!i&!$$>&kix87@dogMI7|g)F1_~A|wg291mDB
zitB*8R>o6w&B@7#rTJD|<Y34eI)-%OP;GvkqMyb~K>bH;HvLJh%pKHhh>zcoT_O$i
zz4^zeZyEawkmTTRdqq)^-4^)RbA5u1-)4Seaa3>^+OzQ7c0y#c-$xTI$#`o-_HfAA
z16uif0>gEM{tag$kMIA>L_REVE;;$!eVB=@qPwEiZ4P|k@pdkQe0;K_in~Swi>6!<
zFf-K&D{G4umVZz>k(`bcf6A2p3&7TBsOFLp<tgZrA`g;I)3wGBTn=JQL1~(29vUV&
zy6Fi>*5Ut1RR9E~Y!`YvBc<1a2Mq4`xW=E<lYg`TnUCS#$NVLDEUrAox*88c@G>Sn
zT(dnTli!j)8jKHP>0yS%gtm@{CVM&*WC`kD7zZ812n^g~tn-+LZ`ey<>UsI>lHQjw
z8R;e&99=%cP97H)&8v~IC!~lYo-t}0M6db{OV~!*A6M~j!B#8yW*`~B+AFXCDG%E(
zKx@LBs<M4Y;=LIHr(F%0Q~Jb%g2ZpHVvTwaXSxM8SRQDy$Z^Ap9>k;JEZl2DR9cfo
zeUUj&-Ic^T#d|1n29k8N>~_uOPWxw%#XT0noQMbmC>Ns-fSoRr{lGOu?Iy!JXMryw
zH>Q`?L?32}wkB}5Ru&Y$o^2Bd3{6%`U}Qd$T)`sWe6zszg>Lu0y!wFD?x<~-`HtIe
z2sNI`%u&rPbstF(P{x5TKMQ7slkbH6sCG#x5^7`In$ohrs$@O;fn@3Kvqt6liNXa6
zvvZzQit+QKea<&ikFF2xR@5)=NMF!?8=K#!cLPtfMC*dwn`=l?o3xtOf+|hmClv_k
z<)WBLACTx0p$3>4gpzWlDcBF-Sllg7Lkb8NYbN{o0S7;$9k1*hf~+!g&kLF$v1q#t
z$Ji0f?Y=)Jo}g6g=a_H96oJCJDTTrRz?S^G3aA9=zl_LP4kj(1n|jFJin?dhLGGzk
z;m4h2I^F}aF>|saZB7sgPY&ZJga+mTDJUa1a&~tP2;=4pz6zDSAblSezY}1Y^bie~
zbJA(1;p?;)tf8$v2`~eJ=u+z_6Na5b5uP@a?fi9oSf+7P7$`f5UbqrroNnw=VUT$&
z83Jy5AObQgHT45h;zHPIDPzZb*#P@0#OBU%V)0+i{V2CRv6k7g*YWXlQmVDC`WSBQ
zet0z`a<sw!l9bmJlEBYs5lQ&z-@ng)@Fb-iP?)=&TimLw55~^-eZ|L#7zYlVV_|UZ
zzVuR~UB@4cX$52So|I>~>UtVL3OaJIuEYdVZoMK%zvLWO&|%I^CLF;OTZe&KJ0Qix
zp`dhqCwUE|2;1s=TsbDcRm$QQpq80rQKD&``jsgZwZ1S>teVf*t-vid(*H7YK7Ltr
zxtJU72#Kc-3N4H4;$QqHDQ`q<UdEX15ze^Dbg!5)_|oC`5BX90sZ-7x8Xg#+vmJJF
zVjy<jgsUH<OPh!V{6$$(P!e7*CdOz7{z^X2Vf!g^z{Eb8rix2Z9f=fNQ2Dt2`p*GK
zf)$3j>I&##Irg0V)U~?9u$Zwt0mao%AXNHA{Ts1j(!AnN$B3fDFj@+<yLH%~p{_im
zW49=NdXJh@u^_qXErE^A`I|gdGbx^T&5q`^`N7)Fsq^a~SS9cmK**ULNs6M(1G3}9
z|7rX`Wg&o^b(gEO{cUsUN-U+7pK%*f;{lvh=}oKJf~$5G9Oq!9k@j7Bx{&RpvCg3i
z^^b<a<{3;~jxX$`>=$_a{d){p?Y1g0sSjP+N=zs0l&!A1+e~^U=3RReilNhyD+w4f
zDYVs7kreJc`K^j_FN`@p<bxKD;?luqD{%JvJnTt;D$kXD@LZ}?7%XMdoT(gmjxH-r
zHs5a~zcW;?AFqi#yzXc48f-hKmT`HL8nylP^i)&X^Rtcf7tAMjPxkZ&%i=koE5a9y
zn436m(S1C*htCl#T!Zgw{LT?nGDMS>ZvM^@T;wt<#ODYeI@wp_a|8$Oc-Avjb@>EB
zc&kg=n<xT4P0jY0RN3lZCXH{AW7r~WWmR^~pllZjc&!@vNC34T{(=*$=x_boy3T_u
zkVrW?t-w!KJW!uKGa7lg+xV@n8He_b_c!*wiZ*0PU%}_}c{1>_{m$u&wp$9n{GHQh
zUt2AJ&*|GOm{88oVb5g~_{)dWWD5Cq;5)HoFRbkG?ikZkCM9)8*ab}3p<q>05$TAc
zPx>|=Ho{zz&wTe$?(2k~Y1QS<oC|xu08c5~8*sAWBBnkIXB0jC6?N*FVd;~Q_{tbT
zscEzA)zw$g6CjTlpB%ht`9X2`tffJ0S!x7%?m7=RrV4=vlr7thZ+~jSzvB2eM9S(z
zaXAS-Z1vqsu<6wGtk-6r2Fc@W^~i}jS_)4GWvf;!e*ciD6rDXg=cCy<MLoQHj+}?&
zucJ=3HMf`#3)-7LQ)dUZ2jpXb^O!>QiyP?879HYgQsLO>Ay*SEaC~z*F;9xUO+L!I
zCwi7XKIglzK=RQ*9I!u@(RgEV5nh=mjTSUr@w#Bw)z@JAkn-^SOTn<q5c!ZwKX+Pq
z9eW${Rl3IGk7D=eE7rAJ%55yN)nIrJcg^s7W((-k2>aZUk+*Qtw{UuP;U&(|IVqv^
z*PoW5du~>tOto=ubYD%F$t%?kKY`7-;axpWQxiIKF<Q?&6WSuYmvHt_CjH1^`=Zdg
z(39EMqZ4+=@IGQjy0)tG!lO@IfU2@KkO4@MwH<Fx!9Jr?{Sok3E4WFBF~rL`^6_LC
zhuM>P?FCz35)69(+4pO)9L3b}z0wW82u8<|1}k<uk*b)@=5gX#_-^N*6N2R{Sg&r1
zq_OB|hY8}Zb?%uV+D7|X240(A8o#jbpmbYvaioy)V!k({&O-&PXe)OkUjkt$T%+U&
z>yZ(AJ||P|mJ}xo+FZ$&*T30)i@D?ITEbrUf!3QfApzb%maox4(g`a|P7V>KrkYXe
zruwR?DHO~#XNi6P?|BDk3Cb$%KuOY9$^GS>ZS52Kpg;uVxo<sIHL!0Fqya|Uqc2Op
zMw67`G(=cEWcRsk{we7GSErdpu&;RKqP)R{djPO*`pgUZV|?8Tg^$Lk{7I8(exUI0
z3@~~-++81<hBMO>6h6%xFvP3oGJfl#1@Ev53(NPY@;<+Hq|_mvJo)osL(u5Vsqxfk
z66tJoNr#qcB{$q<LRvkrm*y8h4V{!(+_<QQYqxC=@Rm-Jn>*KVuKcz!c~v;@LE!!~
z{OPPeXtL1y=AYkSR?PvWhs(cDXZ=Yh@9gD8?0)r05|Sv_STG~=++~}?X_utX86{%h
zD6S6K7iy&1J+79|PU0jE5lSTzfA=HLP3P!XVIBJDe&WCXq7*;gwtoHv@V2Jgq??l>
zq%pINSwnec<wqGG9a=>QWTjGKbfSRVPdU6pgcTtU4%s>l06x5@|E?|OxN7dhR%7K_
z7sHUKypI1*Mx&%nv^W;?g3qRNPF!_ThF>*w5gr0PVNs6RWa+hvPpPl=EsAV|=%D*7
z0Z!(NWHr3pyHzL9C?jF*k~x&su!A?1+ucATpO_d4lpPSpIht=!&htEVnU%KI3EZey
z&pNL6V(NkC=BERx>QY+dRf5D_V3245D+VmWks(oHxcrViklopIx`PIi9DojctaH>h
z9&6oz*iWA^q&0jYRNLAkrW*P|jD+h_k3)w?!-Ea(bF>5@f3clEQK^40*hW?5%EMuB
z&0pW8222sx(A0z{fzUqkjVCZ!<mUW(^IYR*82c4UrQ%TXGt*Yv-d<a<K}4?+85a9>
z4!%uK^w)^lIJ;yad$$Q^VfohfR}p!llbq+YxBP2lX1}MzpZ3w&U<CMPIuH7_bL)Ea
zRd5-!gdiXP!Jo=WLL=GK<C*Y#l|ehP_G{a>Vk%}b^rAK&XB|T?^%B#+mc#&S%lWE9
zL`6|453#uH<oy(8f+XPvWz>TJ!xvAH6L{U!z_t$bJ9^v|faDjo(EbJ=VWDp~F2092
z?<IS>GW6X?^$bSm@v7RLO8q??^Fn6C{#ev<2b}e_CS`*gWnCZx-a5o3CvopEe&(!L
z0jqNJXy>`wKTxPHDa)uS?}YKpCeGI#(s_dP!N3;k(O-aEzu|gI2&!`=MDfyRT4Ley
z=w?mGQ;)<>|HHsI`&ar0nD@o&TjO+*;~Sl+DHrUk{bGEP=OErUy8CLIh;MO5F&zWI
z*%uQ$z9etf!`8%Ij6L-^o@ECKA*~=JSCshUjKv_<Z+16nR><xSZ>*jl%VCfo2mJ*w
z9~d8><nP>7a#{5jqw6Gbasx?_3_%_A96*YFO==w3WwsA{<Yc%@GV0-k-mSS>K6I_3
zD|OPQRU4*GZ&EwUhBzX(p&<FSq(CQ+)8yo$OcD0D$nLX^5B(ms_CAL02hG#AJ&E(D
zXZO3qlEw_UkYERmC?GId5<`LZfkAa35GXClkG!&yBHrpjt(aJ){6<syiW-C)V`B|<
zg+FAl#Dt|wp6m@MM;0)8ef02s>39?0<+Tw<(G2yup=Vo0BB&5W@t_Bei>fG&XW`cX
z4w(DqT{wFUI$<dNHITIOPLUS<C4*GC?-}wKI@l$mQg!IMXlo?Ote~$p?Q-8h9rVY!
z2A*TMQ{Z?{naGu!hiwkFRCRKXJKX%)9x+{iRe6b(#>_URYAZD{Rdv4KDXcL}G6|fl
zY8T)!;<53nC#-dagOT%LUtah7CSS&gfE_-LW|a&V>C08N)j&3+(mhm~OOk3n9VlR5
z^<hJ3Gcg?r+asm;el5|~s0(V3`!VXhx!n<84{-TPAsiatYiM;?&M39%Urelqr{ZSc
zj@1A73;b~t)H3QvWsF?!3v$8wnA@g2l~)?vfsb4BC{<bNq6k*+0f|J!xKV)-rU1%o
z!Iz)1cs@|go$oYnie)dqACk*N`tWV~$tO?GP(r%LAsUqfPm{KEeCb^D35?`s&Ns$9
zM|8hPGH7M6O-Fg}Mu5`kLPTjjIDEm)+28E6R5U6d{Q{V$vjOAfDVEP1Rv%)eX#yad
z@6*GRTt#^zsdu7C-zdbykEcE>(DdNaAp*7mKcOi+?ROtF;S)K-PX%$k_$>B<l@CdO
zeRZ?>!RJ$X>B@WY_-@gi0<(hpr8cuL+n=1`aw%Qz%%0VJ=f^^;GGhGcc}b-ard>Zx
zq}9cM_wtjKos77}*jG|7ESF}|!lmlQ1x3obz4{HO?J4UFw^K|9Od~(ZfV4~vSooXA
zAsAYZ_2SJ@ZLfazF8FJxs(ks%Mn}(%C-0BYy_76_Z+cpfFQC`abro4aRvYqyweda>
zc-s`Y#d5l|PT*R%UcVl5tWZ67-uIJNTrZxcO1Pvdr8f9Vc~JwZu)l1-l;Gs^_;*Hr
z^ywMy70;Cd=ocWFY|QfWrH;MTi!Fu2*F1TJl~^HX%{PP8l^;S+hNO|`QOYfUB}T2<
zWv<bn1|6k6W?hQHY1Ykb_2*W3fuE;8^&T+u_YBSy8)N(z6@KKoBqsd=+#|PWJk9YM
zv!eLS&}!_e^T5Dx&Pb>ZI!{(<)4Ze*)JFZ7UcNdpa<8#7xp<K=s2LJQX|T;Z6Y$s8
z`PA+&Ku<j_*`rs4<Hx6ddlM?`<u0XAK8JDLYG;p{Ak9eK9KB3_6jB|=0oK!I(H3<Q
zqtQY<H)}`VuWD8LZ2B#hLM+H)Q1X+9p(L6}hgiS4aZ!6-e5*8pAA=zRYo^>E_K%r;
zTIbH-8)&tD4!@@q7&$V1zQ-st<H{{PMdkTUyWyyGqS2+iD83rCibVTq(MjXL?E3+?
zY0P#=Yz5sI=Vw#hKjWIga-*0gJrJ~lCe0$VA~cM<fGq#~h`Nw@6)B-J!y{pGTR^hg
zNg`FV6KdCYvdcZ`t_=$8gryGt0_4{fbF==~5KZy#H(um7*IF(UmMIxzu(|AF&Mz-Y
zg6gBj_tr<mrJ^IKm>?!e6sb8P;AbA6*&CGuvR-+95pS?$uFEG)ikC|>TQzzaiVtTC
z)cFW<yY$CL9TKJD>MAGnHrhjrE=hwW9tkwo8$C@QPdOD)7=M&m{H%Y88+PsObWhDs
zj+a%zU@B8b);&-bfu^NBT?G|;*IP$V+tQ{scfm?dNqa!=ZAWT6W%}In+G7fx2SAmR
z%C?EoCv}sZ(#at@z9f^8&;92G62h$3X0Ch^U4&#!Nv|U#LX20-2m5v~bz--9lrJiI
zTs{G#_@uA2E}UIKCzAG~iOlZ+k1hx5w^zF=j4~7meOt`<Gh&N{^uriJC4?~4cYfUN
zPl^nWgwbhyfRHs{#lExe;|$Uab>&0M)}W1lW1RW6n`zTlOR@Ca4xW(gjTX`LhXNJf
zkourg-VoAj#vp}6$h!XfLs`%Mn7f07QRmfYBmUOeE9#_+KBsmkU4+@oI9paPi{beC
znjYTWEVp~LXbvr^#9@}!_2SYo@U3<m^%c>%D9*tcVbSLNRmt#%xA`6K2jmc#8Vw#}
zN%oTF5@@EYr)5ZTu32{Kc0he!9th5qur_4!u9{;JV!>X7?Q(K;XAG{ZeBqD=yxw&a
z>2;Yj68@P|6UVZ-npZ2;4*`j+a$-Rj+Hkg?DnRqJj|T}flMhdInQzQHE5#KTgPmnd
z%h2@9$OQvn6D2zjm@+L&BSw+BK0Af+t|^fxxw9e}Wf|@W>RGqjc&;^T-@g!>4tp^E
z4Wz{uS39_&v6`R^(dsgdjH=^JVfJL>r8aGSK{sn+I64f=h3GEd-^J-xcyXE;=@D(1
z1ljh%aY_Q*(*gP1-9@<2UZtRt*3QS}|Gkev*Ai>%7dULf{CL0Egw4t(={}3k-Ts|L
z71HA78q@Vpc|Z})5y-i4qH8z)VAFAX3T1T0cdt(h2T2BjbH+dYe`hEDNi&_v;zQ%K
zVn&OYgw413yhh7E3*P<7`oC=|*zJ3;bpMK=5{o~K4Q^XIkFhG+xa>iO`9RPeq`a&b
zLmb5eAm(o(Ae1~#;dxMkL?sS?#2NSa7vLA*$?p`)JUQHNocMqnI-;|Ec~8i2N#R53
zkkjYjuK1js>{sqT?(coiKQ%ZF!ka;^TaVw(8b8oUwzQ`9GYH5`p!49L*Y|6qvPL3P
zSe&iRCAG?VpS~NGegI|z$68<hu}>XGx+G6@{p{uI1E0(fB*Ow+Uu+U>jCie0d!Yq-
z)#R@H(C`Tkw8!dGSuM<GBA&0pN6jF1Gt9CVT|?LI8KFpU`rP`|{n>5~tL9o*C^)Us
ze?o1d+WL-~jWEc+&4OE?jz3W2nR&JcUu{FOs*|FYT5rP}7UqxF`py<HrB#7d2}-Rz
z*n;ib#Lw1LVNLHbgYY|!`4Ss+&$3abzRAVr^(zmub9KEeQp05KZ;YB3!;0~zLb2hQ
zlP_WO#`XMfr{hMeBUaQp-|a?+X+3Ydza9G6={?LM$gDy%buo5X977)|PAaF|?@4cA
zkn<eXbU&U&Eq!!mNe?A1=D~;dHy7Sah_~kvYgp)Ovk`Rc+6{R6e7`;}J}(;e;<H|F
z3Bq=5_{|*a)jJ^yV@2d~s3ZnuBAt)9yG%GsqZeO0x9;z2_ySIQujXy@w1|^}%6ChF
zK~8^tvARTtd`X;ECHH!JrMliHZXCS+(%hasAm>)oY<iO9hglO2kXAg)dFq4oDGkcI
zN_QmaOFnoS{JoDs#tb|kZ6}GGo<U6Hez~1qXy@FrgMPU8;8ncwTvx)D=cDdg>n)P1
z5hmz7I1Z%7p)z6L%l05_h2G4<&Ql1hJsX=aru(dcbJDoehxrGK*m>OBEc|I1Ggnp9
z)LGB=q^B$be3yjnOXn6dB5*>H=+&3WbeVtOZ)(+08@=|yrZ`|Lfdb88aBe}#dXQ>}
zZXr^4-)V1%U-y0WVw{Xr;i&5u15dl1d=BCxUdp2|Jug<}Y5mB`@@fs;1sM1DiQ0N)
zq{uQmy_{aP*y0H`)+a`;mk(y$d)!2BWBT|w+;}rV42Dt7&r4$67G6bs`*eh*mw-*X
zw+=`DAVF|X8qCyiC8}cB<5cGo-iWc-FKsHuYzP(kRYthr3e|K~%HJ0B@@<!hB(+x|
zcx3q1psy&ClM)Z99bk<P)24_CM*->pZ=ZMPe((QAoQKa!iHWzyL@63FM|GO}a6Cb5
zv__Qc6#qY+op)Fh+t!Eis3;bifYL-Dp-Plc6a*}Uk_4oKKmd^>7((blK|qg6uL%hd
znhFWMcLY(S1_DU07Me&^0tf=?mvipD&%yhh`+Q~onXH|e*?VU8v&-7+_YUmgVgVr@
zcAJ>qP<%Gogb2k*98ciIY47O1douUwe#gMIGQe2q*XS3QdsuT2a?S(GEB~C&{)$A{
zYyFeFa3~9*Uq1DM-3Lu=C5}=2664_7VJ05bT<MYac1BceDIwN_Ep}vnBH!VB?GF+6
zDU%b1`I%fbo^6WNB(xo%&lK)kK};_?ae~G|mw?MxF4a5uzOivg=c1U8I9j_1<C=17
z0X|T8r0O`r8kcJ_LmYwup2@F;MGj-iH+1-XC_(&TbL$;#<p{5ah1%=DsaseMj}$-A
zHw(vhs;0P}BcMcLfRI5{?Y;s^46Wy*E5}CZdfy5nvC4C4zP`)!sd!bsWZmIZy`ok9
zwIocawG_R9tZWB0$+eSyG#w<QI_~4G2+tE~#ijA9B09}z-EEYdGP2WYZCtANEj6P!
zF9D{gH5^}tyA70uD^p{gQrhlFWhbp|1(RM7!g8CFWfZb$7sv%P5h3xOxFYG~gn;#K
zzatWJ-#_dC&_dI$j>4u2@ipZ5yhJ@ki(&q<=~^KivVtH)iR*j}ySllQF?;l!^%2v%
z=ea}HrJR*+PpfX8LSXnTYVpULeqdJ<LdHTPMj#gg8X647lh=I+JVLc#YaW_Z#%o;t
zWn5Iy!f}R%t+ao-M$}4!!gWxAU)!y6=YW}-eAVT+86VvsMVdTw3*W#^mZlCt-@e(G
z`OPY{kYM)s-QsN<H%k;~N2Eo3(4JmZd^eA?FvQkZo_X4gvrymmy2f~PY2Vb0n29PR
z0LRBrxFcM4+S$`V6>>Hxv?I%Nu*_q+J8mtUIK>TL)0CuZ>o1xiNmZ4=qg!pJmzH`i
zH{oZozP0JvyoHGqQckoc6-`z=wsI3x(sPdMBd#J>Z;dB>22=OMtAaVLmy+l4je|Mn
ztF3QuqQ<TZvsNz3k~h6Ss`9NzP)sUpQR0lCYU9L66^BZJi?UxW$Uz0*p%|gtq4W5W
zmcQksmwrSW@Es&rwIc}6MCwIfDo|RkA>Q}1lc*Do>+mnJ;eZ?9<%uT#_=o;tB-D~>
z3NuM--o_qu%-Lqm#?ikl_~Ht`L70J1{ph(u7k~5N*o`N|oe(#zg$8^LP39-teUW2N
z|CcKPocvuXmO2)4G0dZ8Hw|x(5<~}>p~gW2ISpQlpM#Hxx~j_OXDA7rwIp^P1CNSV
zr9gRr98h1Feppyo9S`^Bzno2M977J&oO5Nft`qiSP2AlvLO12MbKYc<1&=Hk_<6pC
zB@y3WR`31zv{q{3b`L>^jb|$*Qf@f5&U#AdAy8RB7~9d6m*Q#8OG2V28{#jB<N^F?
zgR((T%9q5b?<O|kptD;A-H(8|iqtBWT#-zCGsTCXK}~%Bh}Z-#Ass;g>s9+l>Pn_g
zP@F-1XFKp&vrLVtdHfO*iPqH{X>ZQxzm810RL<n$vgY#_?4RYUO`4_GN{gjVCi7Mj
zk0ws4&1OIL2lw>~@)Ra&-7Jd9mTOU*co$-Mjy$O3Y<7`IIsa~EJW$p|{uxr&4ypw8
zieF-d?XcvMjy3OAXz}hRxkr5ZJw)=bt<CD4v@?`a2kAaz^wVyQN?G9Wtm;cm*_CO1
zz6Ymet_fYU!EjvThLC8$MxK);VWBLa9mkK?Z!fkUMYc+_^M{yGdR!-pTjseFv$dXl
zcM7Ql<`nFHTn`m?FD1wfzBUr`wsgLyOHVNzjZ@+My=p+e@e}aUr*lFtD;>|$IlDg8
z`2j+bz7pd;qu9QVy1NH#Cfv}9pkY<&3m4G%XYI@!IV4ZAVXhJ{Z0$5GY&)|gQA84S
za@KnQ5pn$VU~r~d$m~n|I|OmVhECoaQuA{5(0kYqg1HJ5F)#eA#vdaj8=VER#Q$xr
z=^s_)muTrsht;<Pv;40yQ^5&S<NJT4FvQ2K^z&c2E8Oac{Op^qRuj&hq2Bvt-T4h_
zcmU@5O=91lu?RT)_ldEWKHscn8^0tBJG|}6-!vizA^sG??6Ji-{yOka1<fA&*AufU
zfX&GQL{pYuS{Fe`ToI8&1ceHR<(ygu9I46oG?Gm+iEBbny|mUP@tibSo%o(5efd9L
zEbo^dEVO)5q3C5@iq*;!x!oEMWxyu**dsU8lF5w9VD+~;-o@(+5jZ&WhWqL4sBE*-
zPKKJjb9#OUGOzNaxJ<_h{Hy!pE!d0t+H1XHi4p#_?F(^Ejz2nLDlu-WP55p5g(f%n
z2<1pH_P8j7raF<e<&kVcz*nGg1$7E?;*<x6mt31%U8FLvj&ob3_R7vaT{|L!K^v%U
z*`}k&p8kauV<-B&Bn!JUC1yivXLh;VKBidnFK_v0Vmj2mgD$7Mhv4&urgJrjA6iYS
z);DsZo}1g-id{}FQs?Yoliornv?>Pt&RF<}3$dltk5&{!Y+(H1$0;6Jx5Q=P#uTfs
zDKQ~*Gz7b7RUq@PTln|=ewLoNK<{#vrDpOpdDEi9^W2FOH{g%Q+gC!3o!?e-2lh=F
zkm5h|AyMsVYB4K@W{QblY-R6p@xUY0_)ePj<+mFUFJ3!i6bO|?V^=Wgn<j}r*-n8t
zBwn#e8Sm=Px6O;zmUI$~*ZtrRHY}*lPS#ns`1^7`g;2lss14{6nZz<{!n#mr&HOa|
z?WL^!k&dcDu>x_E&#FaG)m|6|?@L5nnVAZ;Y$mesoEB8;t|L+xF%cdXJe9rg&cv4P
z&IsoX8r0mfTd(DYaXd!aP!j{?3w>c~0@!9SqPC_=SSyA22A%@hn9xH{U8<B~gnJ4m
zY?(mypkbsw9){oKn)4iF^*>4UEC2pz{?@)$xiY#6EGs#Nbuz(dy0o}i7#&#=HvI}&
zZy4vb*6yM;XGKGSL`w(~X5!t$9@HCmZ+g{eS9s9D&-XHcjpaYuYaeR3%=eS6@rA`^
zqSH6-KZp*$B<wwuEibk^YW({%g~@la`6Uy>a3pr5CK&gXw@byWOHGIwn7UvkpB}Xs
zLayjvZn8~PV5goa<Pi=*qiXE;hD%+OCvEvm2s(#Pn6>c7Bn;Yro*H0c%}%aI-o(KI
z^_ns8%N{k0sA?df7D`EpqR47pgI=xLXuFxW)#e)ZDb@AqOqMz+EBqaC5g-&6)j!z7
zj?`-tA#h&#|KHjF>7jH~YT>ty2b0_wo98Ba0&BkGKR@&PaVKNj9Q}@2-%Z+B|CXj{
zCp#B&7j$<Y`N7}5#lI3cEcKY#!%wWfB~D%ZkQe@o^*^2akE<N+30aC1Yu*)GaE+CF
z!HRPEy;yM$WmG~6Tb<6F_%u5(9SMdVjhC2VyvS5&+N_Eju{s!g^HMxJ9cNgnVT@s(
z@&*WFrgMXAugls2>0SXIh?v+tY$}x|xlS;{NuWB~(37QAoAY~rwY^|w#>g1VFapjA
z;X0+P{o3`t;I0=w(hi_q;DP#U>R}h+{3&E1?bx#BkW?=)J)0OzNP#QUAY`7P-1S_!
z4?j>myEDp?a-+2*P3H*PnM*~&y`$mru!mi~?&?_<RJ8M%4E<pAx^7A}L6n*TMSTp<
zmGwO5H7P^Fry19GRHIhfDj(Y{Vmn2K(qDI1gXm~&gw5RQ*evbqs5V$#z};UPVs{uy
zx_>sY@3nE<=t(fbGc`C>XMB6Wo*q`aG$dz+QW$ABHLfQ1Xu9C!Oii&8AEF_;0TfPb
zU#6}Zlpvl(+DSKqR1ytazBu=#2WB@4esNGd)w}zA=i(jb?$tXdd5gTcTa*OkP6XUx
zH#LjWzOZ<fHz^%T!}*)%maFg1FcXBdxTw*HTJ!F4{T5Y_Us+kLLi+dGLKN8jeJpz!
z0JCY5Q8H#+K?7i=Qdrt_6NTg6y?qaa3nd_T32ze>zK%MQWZUdKAtdnwh-8xUNLW~{
zl41+BK8x;h>%CLen`L=vRU;kB@%8$q<tL@LSwa`;69y8kz19*njhegLZGBQ^#3N#?
zO_)JWa#~%(3VLS%!<fetVhYd4bzKEBPq~uksOdPY<b^IIIIy$=jm?(BdKOH*&eA;r
zjVR12EDz@i_?YGg(ppq$9_#L9@39f{hlk@xs(~6p0yi(TY>q@U5s~#F)+qMrn2Q-K
zN&v`EmsQTlmy*$rctbPMaNnvo&r0RA6>s=L9;=2r_#s1Vp*iiO%0ej2)Na5<0%Xui
zMBd>pXGkKi)J{+kX^~POZ-F_^;wry(#?>ea=Ha8TV9(>lvgZ@V=K*;}X|JQ3pCc_9
z2^;)Ek`@MyOg~<6cza1rbdO7m7g<hnNKx2RE?^)NFMo{`uVlj1MgF$6-&{jwu6+59
zW*Xo3U}**az`*)8<W+il3eQWaMw0jm7pm%Y(@q>H1&XQkbK^a&!jpTj4J9w%lfSvU
z3|gMuc{7PnD~r*Fd$yg7CTTq^f`xr|!}*6LORjYIU;Mz{K5jekW?0kx9)|b%v0Fe*
zIoo+uLOUZY8g4>3=`FDm)GyYtn1{Vvd_A`+SXJ4NS3+a`&YLOWz)-&a<y@$egsq$S
zZ5yNK=D~n1Fjy?@_PDRLs(gHZvAVnsBi=#fuICIo#-V+E{f73;TWCed8M+izEQM1s
zx2p4LPpo;5R^^B(8s=Z_?1o)Z4OSHvHD8mkP1PA0gU|trLef@F0V7dRW`-BWhlIRs
zeW8(kX>iQa-V*YhRvN9<&=@icVez`2GeQthSx(go3hlP3K@@AbiM2_kpJ;#!xi9==
zJH4y+JN-)w6FcyJ#zky*zhv}Y@Px%*E!yAz;)REMI&Y;8_5UeVQvZD3FOg!cz$tEd
zYIM&y|5iz7mp+E8WI+VeOng%z6D<c#1Rzn%lH%W-sscoDrmGtk1z!TnWpW2nj;9<;
z@aF$&R4Q=LWk%1Jd4%JL#O-wA1bC7IzzQ&I2I6@y1<{(r1rAu=Y>XPX-J1euscSh7
z<2XRPBx)VcADgelnbRNszQDhx?kjl5SKVFfWQtvO1Tg{DH8GhjpFc~{pYSJ@2>KtD
zy(Y5glM3|7F4XIN^EkJGMyPpcQUBGgkP_2O=ejvn%%Ye@0M@Eva)|A*G|2diKu!<m
z#xKtAOZvat<*Y>pUU=wCzGzc?^THz+tN_*~Ua;~l*~z_5PVqz$5Ksa9wDL4fSsaTi
zTUbITt13~!^4|-M%D|c~$qN|k!3K*J%|~$)7BDNQ&`~ahstH^4VsV@2n$$o8Sp%j;
z=8a-+Liq(94TgkYQlo#m?Q}`}EX02dt7vQcQLis#U?D6TjrgMTeoWIc<)mG&U2|K}
zTD@1pyT*^xI*;UfL#XX|REIFGQifD16HA2hP}WAY17KK%NB1ifC)Pv?I#yhqrd3It
zO>IZQy>1YILnj9+5EWG{fM0Lb)c98Ox+Kw*uSn78k$~-f`#I&P$>{D{LipssfER5<
zhYW1X7nJbSB2p{qRg>NyWsmbRo`(aM&eTo+5Xak_x@*SHe37~m?1-^-(kPHnZ9a4c
z2n)Qv@f^n7Hgy4t%Yo7bib(!VXW}dHkKMh^lx|He-z!%bQK8P(`)s>rr7|Z_=~k;T
z;;)r+Ic6alAKIf_x?jIZaoai7xjKf}*W@=}2W)rS_5rA<oa6@Z9h6KAhc0-oD+f7B
z(x6IOJg<9te6~Cpq8-c69JfNC@&fH8r%pYV+jV3FoxLrO8Ab1a6H%gbk|kxt{&XKm
zZa`JJsQ|TXKhEoH<cZfVvnWB_vd%%Q=4rB%lWb0b<V%?UTMs&LVhdz6_W@sZ@0`_O
zUfhZ=y8@53te;P|)X*hoG;Dsu2`^K>;%9{P?g9ST&puHT1e@B3fty73blEhzzff<b
z)bd0av<}+J$swQ46lNj(vK?^Ud{i$x^b-W}np)h#v29JXyS3fqe70G+2V{EV%cRl6
zoTQ2-GIA<8&aM6tT-SRvj@Al)a;l$7)JpI>o>DfZUPXMnjSY;9cvaz8jR*py++Ehc
zCg_^#3A>g6lhAen<}hkt=DGnqOieS@uhhJ(-{WrJj$IQqjE5`<7TdMDX(V((9-3Vj
zqRShZ5dEMOFQk3%0rF(tm|gv-Zw=(q9ntaiQQ4lPoX#Lab68E3Ka4Thlecz#*Lr&*
zIf{rZGCE$^495A@-T3{I?l~}i;YFxaL&n*N&*7ntgo^b$7vq>h+SgU*dE3b!0cl|6
zpjvKRSHhiQ#qotDxA)*SEU0WhaQIdHttM~**J!7LETr0~`gE>X$^Dy4c7e`>)8e*i
z(|w<bi3xaDoAWbeaFA@a5gjPBr5$F&KR#$`uGdJ28)zRp<Z65~Q7Czwog6=gzStmZ
z8ueVGJt$g#_i$9}{epLR-or_r)xff>agU*Dqmd$A#QV_tuDprB?Ep6wtt)AzDM)V|
z#aHd}=>~e;$Ba%DnjL(>An$V|G`amb2lU+8ZS9-bDo{nKJj#6T1|y^GJrftBnTp>@
zXOd7X&nT=xR<{Tq`~~eKR=K*5D$c*Z$TbRm&-&ozi-oxiYrVM9k$4yD3KtlING0%y
zb;CRlE?ax&Zf%BWK65Mr+!{*KMVRGz9GGkqnhLr&7*Nd*J`q#N!+lCSwnT@&g*G2U
zLtYp1=c~3;9%6PWC0?88WUQtIjjx}b9qB5we!Qe>*qT(7#tEn6+|GoJUzipO+cJ%d
zHBP`t><glMA7R+LUA9vRH=@&Vu#BT7ePqG98I5gH5$)t*xXD|a*xE1Y&1j_dp*=WV
zPG*zv^V*3@LB0_?zKdOa#E|)#N3sHDqA*M3LoI4<f@HFPR9IA2P8fr3rzy6FpnULe
zB@utN&)2HDU%c|Q3RiH~DJ==OFIVVvhykqRTq&h6RJWa{>F`|KOfH}dHbgWzsiB~=
zmh}9W5%!_~40Qg2A4<ZwYfRbVSV*TzF%B5KmO|M%e4zS6+N9H`{=A0P;rkFRj&}lD
z(dzk2xI625;QZ#7p~9n_kj&M6g-Z^oP}Ic%gQESN+6vU6=@6(7BaTGKg?;7Wp?u|w
z`_H^?!HpG%@Ts3{UlXNsbEg2|bMyVSPTvO~UDetwLapLb3h~7wPZUKcc<$v_u!cPa
z(B4}zv+V1^)<<;6q$&wWSl@es_$Eiy7!H7@73wtt0T47gFf8o8qhToOc%;z0Ye%Fk
zwZ3Vo296sVfM9IQ?MU$~IR~g!_czDAIB!K*nql6?{Rmg-bxfh60sO7TA%*q#9=VxU
z)}Mgd#F)E1K#s-vMF%4*4SaqqCi($yLHsPd_;S12ACsH^NiEODwwJej&>U7T9gv{>
ze(;CpmiM37Y>CPs;8Vs}ioE5>l)F`X<G2~w8<7Na*%~Vj2b<jnJ!B$~**cQY<ZtlD
zWnX3DdvaFQ^3!r!05d~#hNyTm3)?z=MQUg44YN1#j=Z$0;dqgRa%FL&6jqaI-ryMF
zY%lEPnwO8E7t|LN(%s7jP)WFO*%rQ&1U>fpF_N7~yt}`0RvJwGo8u4t?H%b;*rw})
z`Ay4sAE{L}AHVKPvF0<rF{ABnhTbL56pvVCf=!~R;;!d)dvjY2L9#IL%5U__YI*g3
znc=NR=I3s7_kad1$3wz7ZV4-tRHys7ftwmifd`=1p6hQ%!)&;N3pG_7BHk+3Tx7bJ
zA2wbFExJfQZ<dmRNAeZeUdxpA3KTss4w6NZG?>;vF(*JiDFI%3UOuY&{P4Gfu1UDI
z76s?-<iw#2+vt~8APJ5#07WRAepqRy&km3&sq`V{T=d-=J(!9ionqv;Q(k3tlj2!?
z;&|XR3ha_0o;W}g24uJn#j7%iXk-8du*3FrCS7Ku%l<yR@V0cNC*JX%T+FSzfeGS8
z8XTtS$_=i$*+XNQ&$5Max>;RQDjul5+d<OG{#I9hT#X-wG*lMk2L^@nBB~rKkqN_M
zMGl$NWXHi|D5r)YP*;Zz)akpSq|W8Z->njre12x?VhA>F))U9?B<|~-Qg-W2T*t_|
zTgU{iQ-^nWPM#q}w~OkMY)yIn^^RSxR}}vu;_lMQs)*_Dp>aF!Opz8Xa3fh4)#u^t
zWlC3x28`Hvz>}N&pLTXkU_CZN255zRi6HO6DBX4FfpO+2#;u{rC?yCUi8)>{0kcFu
z0+Bt?5FeiGQw4}x+xzwlpJ-OjwvU%wpGYPuC#6Q}PSayOFo>+Qm;@X5uJn*Trh|9i
zaa<vQxH#?kiq$gxT6cl=dj`=D_W1LD9b>Za<Ly7px7S#MZSbz12*1fM<~|Eiw8>94
zbm7Y#mLl>en@}j4O}UQG$=mVWZ<%PY>VO)5?*^Y5|M{nH{P}V?@1=H7tZ1a*<gN-r
z_7eq7-9Y<d5zan*$elxSB_kzO>=vK^!{!_H>dp!ihBo>3tTiSJT^4aFL!|~Q&8J%-
zCMpF%oPPI!tIMyJ>5%m(*{QBhynXFfAH^aIHvTn)`N^Gc8Tx!oc<y^6a$e(orZkmk
z(!a3QLB^DpcjtTE6D4qIb)vf;)dVhS(=6)33+%9k&&tC*Ury$eYq0PLNgMwDKBUg8
z@n+?IbSAFi=}-~PCs7pkeQu|xluJ?q{Gqe-L9fA4FjgVWLO1$-VBk5Ke%ACEZ-#Zr
zmK?D2v?2RNpR3@n@&ZcsemBJ(mYfG=nr@0&YoqIIZ{b&GRK#-zJOs51&nATOCVi4%
zArVNdY9@G3&n$R;!uv?WSwduL#5<q6NArs9y7J>SdmdL-O-F&TpI;AjO3@02D*X%z
z`Hu<5me^orMr2U^Pqs539m1v`<^ipxI}+{h$9c0p%dpow`)_aapXR?Y<-b|6iCM5|
zS-d(lc!i7Xv2Vk8|15$n(46hR|M5$;`F-t%7HRjd7LiTv>EGwa`ijUeUjoQv7JsjO
zzZ?FO?HenoVev{(-rr>Pk1}vrLYXuc8%^X7<ygSb@gG0gZWVVtVJ$hGxxTAgb7=W5
MPxODt`{(F?0i|x22LJ#7

literal 0
HcmV?d00001

diff --git a/docs/extensions/evidence_checker.rst b/docs/extensions/evidence_checker.rst
new file mode 100644
index 00000000..c8865cfd
--- /dev/null
+++ b/docs/extensions/evidence_checker.rst
@@ -0,0 +1,64 @@
+Evidence Checker Extension
+==========================
+
+Purpose
+-------
+
+Tests are a crucial part of software development, making sure the software's functionality stays intact despite the introduction of new features and enhancements. To prove the software's stability it is therefore often required to document and store test results of unit tests.
+
+Therefore, the aim of the evidence checker extension is to create a finding for an artefact/resource in case no test evidences from unit tests have been found for this artefact.
+
+Labels used for the extension
+-----------------------------
+
+The extension uses three labels in your component descriptor as described below.
+
+1. Purpose Label
+~~~~~~~~~~~~~~~~
+
+The purpose label defines the purpose of the artefact respectively what the artefact is used for. The value of the purpose label could be such as 'lint', 'sast' or 'test'. E.g., if the value is 'test' we know that this artefact is in fact a test evidence.
+
+.. code-block:: yaml
+
+    - name: gardener.cloud/purposes
+      signing: false
+      value:
+        - test
+
+2. Test Policy Label
+~~~~~~~~~~~~~~~~~~~~
+
+The test policy label defines whether an artefact requires unit tests - and therefore test evidences - or not. E.g., a helmchart does not require unit tests, while an OCI-image would require unit tests.
+
+.. code-block:: yaml
+
+   - name: gardener.cloud/test-policy
+     value: false / true
+
+3. Test Scope Label
+~~~~~~~~~~~~~~~~~~~
+
+The test scope label is set in the component descriptor of a test artefact (aka an artefact whose purpose label has the value 'test) and it defines for which other artefacts it represents the test evidence.
+
+If you do not specify any value in this label it is automatically assumed that the test artefact is valid for all artefacts within a component.
+
+.. code-block:: yaml
+
+    - name: gardener.cloud/test-scope
+              value:
+                - artefact-1
+                - artefact-2
+
+Functionality
+-------------
+
+1. The extension scans each artefact of a component and first validates whether the currently scanned artefact is a test evidence itself or not. This is achieved with the use of the gardener.cloud/purposes label. An artefact is considered a test evidence provided the label's value is 'test'.
+
+2. Provided the gardener.cloud/purposes label's has NOT been given the value 'test' the extension further checks, whether the artefact requires a test or not. This is achieved with the gardener.cloud/test-policy label which is either 'true' or 'false.
+
+3. In case an artefact has been identified as a test artefact (as described in step 1) the extension further checks, for which artefacts within the component the test-evidence is valid for. This can be defined with the help of the gardener.cloud/test-scope label.
+
+4. In case one of the artefacts identified in step 2 is not covered by the test artefacts(aka evidences) a finding will be created and test-evidences will have to be provided retrospectively.
+
+.. image:: evidence-checker.jpg
+   :alt: Evidence Checker Flow