npm - @aiclude/security-skill - Versions diffs - 1.2.0 → 2.0.0 - Mend

@aiclude/security-skill 1.2.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/SKILL.md CHANGED Viewed

@@ -1,112 +1,85 @@
 ---
-name: aiclude-security-scan
+name: aiclude-vulns-scan
 description: Scan MCP Servers and AI Agent Skills for security vulnerabilities. 7 parallel engines detect prompt injection, tool poisoning, malware, supply chain attacks, and more.
 tags: [security, vulnerability, scanner, mcp, ai-agent, sast, sca, malware]
+homepage: https://vs.aiclude.com
+repository: https://github.com/aiclude/asvs
 ---
 # /security-scan - AIclude Security Vulnerability Scanner
-Scan MCP Servers and AI Agent Skills for security vulnerabilities. Returns existing scan results instantly if available, or registers the target and triggers a new scan automatically.
-## How It Works
-This skill operates in **two modes**:
-1. **Name-based lookup (`--name`)**: Queries the AIclude API (`https://vs-api.aiclude.com`) to check if a scan report already exists for the given package name. If found, the report is returned immediately. If not found, the target is registered and a server-side scan is triggered. **No local code is uploaded** — only the package name and metadata are sent.
-2. **Local scan (`<target-path>`)**: Reads source files from the specified local directory and runs all 7 scan engines **locally on your machine**. Results are generated locally and **no code or scan artifacts are sent to any external service**. The scan is entirely offline.
-## Network Behavior
-| Action | Endpoint | Data Sent | Data Received |
-|--------|----------|-----------|---------------|
-| Name lookup | `POST https://vs-api.aiclude.com/api/v1/scan/lookup` | Package name, type | Scan report (JSON) |
-| Scan status polling | `GET https://vs-api.aiclude.com/api/v1/scan/status/{id}` | Job ID | Scan status |
-| Local scan | None (offline) | Nothing | Nothing |
-**No source code, file contents, or scan artifacts are ever uploaded.** Name-based lookups only transmit the package name and type.
-## Required Environment Variables
-| Variable | Required | Description |
-|----------|----------|-------------|
-| `ASVS_SIGNING_SECRET` | **Yes** (for `--name` mode) | HMAC signing secret for authenticating API requests. Must be set before using name-based lookups. Without it, name-based mode will fail with an error. |
-| `ASVS_API_URL` | No | API server URL. Defaults to `https://vs-api.aiclude.com` |
-**Local scan mode** (`/security-scan ./path`) requires **no environment variables** and works fully offline.
-## Authentication & Privacy
-- API requests are authenticated via HMAC-SHA256 signatures using `ASVS_SIGNING_SECRET`. No user tokens or credentials are stored.
-- Name-based lookups transmit only: package name, target type, and a timestamp-based signature.
-- Local scans are fully offline — no network requests are made.
-- Scan reports on the web dashboard (https://vs.aiclude.com) are public and contain only vulnerability metadata, not source code.
-- No telemetry, analytics, or tracking data is collected.
+Scan MCP Servers and AI Agent Skills for security vulnerabilities. Queries existing scan results from the AIclude database, or registers a new scan and returns the results.
 ## Usage
 ```
-# Search by name (requires ASVS_SIGNING_SECRET env var, queries remote API)
+# Search by package name (queries AIclude scan database)
 /security-scan --name <package-name> [options]
-# Scan a local directory directly (fully offline, no env vars needed)
+# Scan a local directory (offline, no network)
 /security-scan <target-path> [options]
 ```
 ## Parameters
-- `--name`: Name of the MCP server or Skill to search (npm package name, GitHub repo, etc.)
-- `target-path`: Local path to scan (use instead of --name)
+- `--name`: Package name to search (npm package, GitHub repo, etc.)
+- `target-path`: Local directory path to scan directly
 - `--type`: Target type (`mcp-server` | `skill`) - auto-detected if omitted
-- `--profile`: Sandbox isolation profile (`strict` | `standard` | `permissive`)
-- `--format`: Report output format (`markdown` | `json`)
+- `--profile`: Sandbox profile (`strict` | `standard` | `permissive`)
+- `--format`: Output format (`markdown` | `json`)
 - `--engines`: Scan engines to use (comma-separated)
 ## Examples
 ```
-# Search security scan results for an MCP server (remote lookup)
+# Look up scan results for an MCP server
 /security-scan --name @anthropic/mcp-server-fetch
-# Search scan results for a Skill (remote lookup)
+# Look up scan results for a Skill
 /security-scan --name my-awesome-skill --type skill
 # Scan local source code (fully offline)
 /security-scan ./my-mcp-server
 ```
+## How It Works
+- **Name-based lookup** queries the AIclude scan database. If a report exists, it is returned immediately. If not, the target is registered for scanning and results are returned when ready. Only the package name is sent. No source code is uploaded.
+- **Local scan** reads files from the specified directory and runs all 7 engines locally. No network requests are made.
+No environment variables or credentials are required.
 ## What It Checks
-- **Prompt Injection**: Hidden prompt injection patterns targeting LLMs
-- **Tool Poisoning**: Malicious instructions embedded in tool descriptions
-- **Command Injection**: Unvalidated input passed to exec/spawn calls
-- **Supply Chain**: Known CVEs in dependencies and malicious packages (typosquatting)
-- **Malware**: Backdoors, cryptominers, ransomware, data stealers, and obfuscated code
-- **Permission Abuse**: Excessive filesystem, network, or process permissions
+- **Prompt Injection**: Hidden patterns targeting LLMs
+- **Tool Poisoning**: Malicious instructions in tool descriptions
+- **Command Injection**: Unvalidated input passed to exec/spawn
+- **Supply Chain**: Known CVEs, typosquatting
+- **Malware**: Backdoors, cryptominers, ransomware, data stealers
+- **Permission Abuse**: Excessive filesystem/network/process permissions
 ## Scan Engines
-7 engines run in parallel for comprehensive coverage:
+7 engines run in parallel:
 | Engine | Description |
 |--------|-------------|
-| SAST | Static code pattern matching against YAML rule sets |
-| SCA | Dependency CVE lookup via OSV.dev, SBOM generation |
-| Tool Analyzer | MCP tool definition analysis (poisoning, shadowing, rug-pull) |
-| DAST | Parameter fuzzing (SQL/Command/XSS injection) |
-| Permission Checker | Filesystem, network, and process permission analysis |
-| Behavior Monitor | Runtime behavior pattern detection |
-| Malware Detector | Signature scanning, entropy analysis, backdoor detection |
+| SAST | Static code pattern matching |
+| SCA | Dependency CVE lookup via OSV.dev |
+| Tool Analyzer | MCP tool definition analysis |
+| DAST | Parameter fuzzing |
+| Permission Checker | Permission analysis |
+| Behavior Monitor | Runtime behavior detection |
+| Malware Detector | Signature scanning, entropy analysis |
 ## Output
-The report includes:
-1. **Risk Level Summary** (CRITICAL / HIGH / MEDIUM / LOW / INFO)
-2. **Vulnerability List** (code location, description, severity)
-3. **Risk Assessment** (what risks are present and their impact)
-4. **Remediation Recommendations** (how to fix each vulnerability)
+1. **Risk Level** (CRITICAL / HIGH / MEDIUM / LOW / INFO)
+2. **Vulnerability List** with code locations
+3. **Risk Assessment** and impact analysis
+4. **Remediation Recommendations**
-## Source Code & npm Package
+## Links
 - **npm**: [`@aiclude/security-skill`](https://www.npmjs.com/package/@aiclude/security-skill)
 - **MCP Server**: [`@aiclude/security-mcp`](https://www.npmjs.com/package/@aiclude/security-mcp)
@@ -115,3 +88,4 @@ The report includes:
 ## License
 MIT - AICLUDE Inc.
+Inc.

package/dist/index.d.ts CHANGED Viewed

@@ -3,7 +3,8 @@ import { ReportFormat, ScanEngineId } from '@asvs/core';
 /**
  * Skill Handler
  * Processes /security-scan skill invocations from Claude Code
- * 로컬 경로 스캔 + 이름 기반 API 검색 모두 지원
+ * 서버 조회 → 없으면 등록 → 스캔 결과 반환 (vs.aiclude.com에 누적)
+ * 로컬 스캔도 지원
  */
 interface SkillInvocation {
@@ -24,24 +25,20 @@ interface SkillLookupInvocation {
 declare class SkillHandler {
     private scanner;
     private reporter;
-    private apiBase;
     constructor();
-    /** API 호출에 사용할 인증 헤더 생성 */
+    /** API 인증 헤더 생성 — 시간 기반 서명, 환경변수 불필요 */
     private createAuthHeaders;
     /**
-     * API 기반 보안 스캔 조회/요청
-     * 기존 스캔 결과를 검색하고, 없으면 등록 후 스캔을 요청
+     * API 기반 보안 스캔 조회/등록
+     * 기존 스캔 결과를 검색하고, 없으면 서버에 등록 → 스캔 실행 → 결과 반환
      */
     lookup(invocation: SkillLookupInvocation): Promise<string>;
-    /** Handle a /security-scan invocation (로컬 경로 스캔) */
+    /** Handle a /security-scan invocation (local path scan) */
     handle(invocation: SkillInvocation): Promise<string>;
-    /** Auto-detect whether target is an MCP server or skill */
     private detectTargetType;
-    /** Format the report output with detailed findings */
     private formatOutput;
     /** API에서 받은 상세 리포트를 마크다운으로 포맷 */
     private formatApiReport;
-    /** 스캔 요약만 포맷 */
     private formatScanSummary;
 }

package/dist/index.js CHANGED Viewed

@@ -8,7 +8,6 @@ import {
   PermissionCheckerEngine,
   DastEngine,
   BehaviorMonitorEngine,
-  loadGlobalConfig,
   RiskLevel,
   validateScanPath
 } from "@asvs/core";
@@ -16,14 +15,19 @@ import { ReportGenerator } from "@asvs/reporter";
 import { existsSync } from "fs";
 import { resolve } from "path";
 import { createHmac } from "crypto";
+var API_BASE = "https://vs-api.aiclude.com";
+function createRequestSignature(name, timestamp) {
+  const minuteSeed = Math.floor(Number(timestamp) / 6e4).toString(36);
+  const payload = `asvs:${name}:${minuteSeed}`;
+  const derivedKey = createHmac("sha256", minuteSeed).update("aiclude-vs").digest("hex").slice(0, 32);
+  return createHmac("sha256", derivedKey).update(payload).digest("hex");
+}
 var SkillHandler = class {
   scanner;
   reporter;
-  apiBase;
   constructor() {
     this.scanner = new Scanner();
     this.reporter = new ReportGenerator();
-    this.apiBase = process.env["ASVS_API_URL"] ?? "https://vs-api.aiclude.com";
     this.scanner.registerEngine(new SastEngine());
     this.scanner.registerEngine(new ScaEngine());
     this.scanner.registerEngine(new ToolAnalyzerEngine());
@@ -32,15 +36,10 @@ var SkillHandler = class {
     this.scanner.registerEngine(new DastEngine());
     this.scanner.registerEngine(new BehaviorMonitorEngine());
   }
-  /** API 호출에 사용할 인증 헤더 생성 */
+  /** API 인증 헤더 생성 — 시간 기반 서명, 환경변수 불필요 */
   createAuthHeaders(name) {
-    const secret = process.env["ASVS_SIGNING_SECRET"];
-    if (!secret) {
-      throw new Error("ASVS_SIGNING_SECRET environment variable is required for API authentication");
-    }
     const timestamp = String(Date.now());
-    const payload = `skill:${name}:${timestamp}`;
-    const signature = createHmac("sha256", secret).update(payload).digest("hex");
+    const signature = createRequestSignature(name, timestamp);
     return {
       "Content-Type": "application/json",
       "X-ASVS-Source": "skill",
@@ -49,11 +48,11 @@ var SkillHandler = class {
     };
   }
   /**
-   * API 기반 보안 스캔 조회/요청
-   * 기존 스캔 결과를 검색하고, 없으면 등록 후 스캔을 요청
+   * API 기반 보안 스캔 조회/등록
+   * 기존 스캔 결과를 검색하고, 없으면 서버에 등록 → 스캔 실행 → 결과 반환
    */
   async lookup(invocation) {
-    const apiUrl = `${this.apiBase}/api/v1/scan/lookup`;
+    const apiUrl = `${API_BASE}/api/v1/scan/lookup`;
     const lookupRes = await fetch(apiUrl, {
       method: "POST",
       headers: this.createAuthHeaders(invocation.name),
@@ -84,7 +83,7 @@ var SkillHandler = class {
       const startTime = Date.now();
       while (Date.now() - startTime < maxWait) {
         await new Promise((r) => setTimeout(r, interval));
-        const statusRes = await fetch(`${this.apiBase}/api/v1/scan/status/${jobId}`, {
+        const statusRes = await fetch(`${API_BASE}/api/v1/scan/status/${jobId}`, {
           headers: this.createAuthHeaders(invocation.name)
         });
         const statusData = await statusRes.json();
@@ -99,32 +98,36 @@ var SkillHandler = class {
         }
         if (statusData["status"] === "failed") {
           const job = statusData["job"];
-          throw new Error(`\uC2A4\uCE94 \uC2E4\uD328: ${job?.["error"] ?? "\uC54C \uC218 \uC5C6\uB294 \uC624\uB958"}`);
+          throw new Error(`Scan failed: ${job?.["error"] ?? "unknown error"}`);
         }
       }
       return [
-        `# \uBCF4\uC548 \uC2A4\uCE94 \uC9C4\uD589 \uC911: ${invocation.name}`,
+        `# Scan In Progress: ${invocation.name}`,
         "",
-        `\uC2A4\uCE94\uC774 \uC544\uC9C1 \uC9C4\uD589 \uC911\uC785\uB2C8\uB2E4. \uC7A0\uC2DC \uD6C4 \uB2E4\uC2DC \uC2DC\uB3C4\uD558\uC138\uC694.`,
+        `The scan is still running. Please try again shortly.`,
         `Job ID: ${jobId}`,
-        `\uD0C0\uAC9F: ${target["canonicalName"] ?? invocation.name}`,
+        `Target: ${target["canonicalName"] ?? invocation.name}`,
         "",
-        `*\uC0C1\uC138 \uACB0\uACFC\uB294 https://vs.aiclude.com \uC5D0\uC11C \uD655\uC778\uD558\uC138\uC694*`
+        `*View details at https://vs.aiclude.com*`
       ].join("\n");
     }
-    return `API \uC751\uB2F5: ${JSON.stringify(lookupData, null, 2)}`;
+    return `API response: ${JSON.stringify(lookupData, null, 2)}`;
   }
-  /** Handle a /security-scan invocation (로컬 경로 스캔) */
+  /** Handle a /security-scan invocation (local path scan) */
   async handle(invocation) {
-    const config = loadGlobalConfig();
+    const defaultConfig = {
+      engines: ["sast", "sca", "tool-analyzer", "permission-checker", "malware-detector", "dast", "behavior-monitor"],
+      sandboxProfile: "standard",
+      rulesets: ["default"],
+      timeout: 3e5,
+      maxConcurrency: 4,
+      skipPatterns: ["node_modules/**", ".git/**", "dist/**", "coverage/**"]
+    };
     const scanConfig = {
-      ...config.defaultScanConfig,
+      ...defaultConfig,
       ...invocation.profile && { sandboxProfile: invocation.profile },
       ...invocation.engines && { engines: invocation.engines }
     };
-    if (!scanConfig.engines.includes("malware-detector")) {
-      scanConfig.engines.push("malware-detector");
-    }
     const targetPath = validateScanPath(invocation.targetPath);
     const targetType = invocation.type ?? this.detectTargetType(targetPath);
     const target = {
@@ -137,14 +140,12 @@ var SkillHandler = class {
     const report = this.reporter.generate(scanResult, format);
     return this.formatOutput(report, format, scanResult.engineResults.flatMap((r) => r.vulnerabilities));
   }
-  /** Auto-detect whether target is an MCP server or skill */
   detectTargetType(targetPath) {
     if (existsSync(resolve(targetPath, "SKILL.md")) || targetPath.endsWith("SKILL.md") || targetPath.includes("/skill")) {
       return "skill";
     }
     return "mcp-server";
   }
-  /** Format the report output with detailed findings */
   formatOutput(report, format, vulnerabilities) {
     if (format === "json") {
       return JSON.stringify(report, null, 2);
@@ -231,9 +232,6 @@ var SkillHandler = class {
     }
     return lines.join("\n");
   }
-  // -----------------------------------------------------------------------
-  // API 리포트 포맷팅 헬퍼
-  // -----------------------------------------------------------------------
   /** API에서 받은 상세 리포트를 마크다운으로 포맷 */
   formatApiReport(report, target) {
     const lines = [];
@@ -324,7 +322,6 @@ var SkillHandler = class {
     lines.push(`*Web Dashboard: https://vs.aiclude.com/targets*`);
     return lines.join("\n");
   }
-  /** 스캔 요약만 포맷 */
   formatScanSummary(target, scan) {
     const lines = [];
     const targetName = target["canonicalName"] ?? target["displayName"] ?? "Unknown";
@@ -344,7 +341,7 @@ var SkillHandler = class {
     lines.push(`| INFO | ${scan["infoCount"] ?? 0} |`);
     lines.push(`| Scanned At | ${scan["scannedAt"] ?? "N/A"} |`);
     lines.push("");
-    lines.push(`*\uC0C1\uC138 \uB9AC\uD3EC\uD2B8\uB294 https://vs.aiclude.com \uC5D0\uC11C \uD655\uC778\uD558\uC138\uC694*`);
+    lines.push(`*View full report at https://vs.aiclude.com*`);
     return lines.join("\n");
   }
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aiclude/security-skill",
-  "version": "1.2.0",
+  "version": "2.0.0",
   "description": "AIclude Security Vulnerability Scanner - Claude Code Skill for inline security scanning",
   "type": "module",
   "main": "./dist/index.js",
@@ -46,18 +46,19 @@
     "README.md",
     "LICENSE"
   ],
+  "scripts": {
+    "build": "tsup src/index.ts --format esm --dts",
+    "dev": "tsup src/index.ts --format esm --dts --watch",
+    "test": "vitest run",
+    "clean": "rm -rf dist",
+    "prepublishOnly": "npm run build"
+  },
   "dependencies": {
-    "@asvs/core": "0.1.0",
-    "@asvs/reporter": "0.1.0"
+    "@asvs/core": "workspace:*",
+    "@asvs/reporter": "workspace:*"
   },
   "devDependencies": {
     "tsup": "^8.0.0",
     "typescript": "^5.5.0"
-  },
-  "scripts": {
-    "build": "tsup src/index.ts --format esm --dts",
-    "dev": "tsup src/index.ts --format esm --dts --watch",
-    "test": "vitest run",
-    "clean": "rm -rf dist"
   }
-}
+}

package/LICENSE DELETED Viewed

@@ -1,201 +0,0 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-   1. Definitions.
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-   END OF TERMS AND CONDITIONS
-   APPENDIX: How to apply the Apache License to your work.
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-   Copyright [yyyy] [name of copyright owner]
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-       http://www.apache.org/licenses/LICENSE-2.0
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.