admina-framework 0.9.0__py3-none-any.whl

admina/domains/compliance/otel.py

@@ -0,0 +1,101 @@
+# Copyright © 2025–2026 Stefano Noferi & Admina contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Admina — OpenTelemetry governance observability.
+
+Provides structured OTEL tracing for governance decisions.
+Every governance domain decision emits a span with action, risk level, latency.
+"""
+
+from __future__ import annotations
+
+import logging
+from typing import Any
+
+logger = logging.getLogger("admina.compliance.otel")
+
+# Try to import OTEL — optional dependency at module level
+try:
+    from opentelemetry import trace
+    from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter
+    from opentelemetry.sdk.trace import TracerProvider
+    from opentelemetry.sdk.trace.export import BatchSpanProcessor
+
+    _OTEL_AVAILABLE = True
+except ImportError:
+    _OTEL_AVAILABLE = False
+    logger.info("OpenTelemetry not installed — governance tracing disabled")
+
+
+class OTELGovernanceExporter:
+    """Exports governance decisions as OTEL spans.
+
+    If OTEL SDK is not installed, all methods are no-ops.
+
+    Args:
+        endpoint: OTLP gRPC endpoint (e.g., "http://localhost:4317").
+        service_name: Service name for the tracer.
+    """
+
+    def __init__(
+        self,
+        endpoint: str = "http://localhost:4317",
+        service_name: str = "admina-governance",
+    ) -> None:
+        self._enabled = _OTEL_AVAILABLE
+        self._tracer = None
+        if self._enabled:
+            try:
+                provider = TracerProvider()
+                exporter = OTLPSpanExporter(endpoint=endpoint, insecure=True)
+                provider.add_span_processor(BatchSpanProcessor(exporter))
+                trace.set_tracer_provider(provider)
+                self._tracer = trace.get_tracer(service_name)
+                logger.info("OTEL exporter initialized -> %s", endpoint)
+            except (OSError, RuntimeError, ValueError) as exc:
+                logger.warning("OTEL initialization failed: %s", exc)
+                self._enabled = False
+
+    def trace_governance_decision(
+        self,
+        *,
+        domain: str,
+        action: str,
+        risk_level: str,
+        latency_us: float,
+        session_id: str | None = None,
+        metadata: dict[str, Any] | None = None,
+    ) -> None:
+        """Record a governance decision as an OTEL span."""
+        if not self._enabled or self._tracer is None:
+            return
+        with self._tracer.start_as_current_span(f"governance.{domain}") as span:
+            span.set_attribute("admina.domain", domain)
+            span.set_attribute("admina.action", action)
+            span.set_attribute("admina.risk_level", risk_level)
+            span.set_attribute("admina.latency_us", latency_us)
+            if session_id:
+                span.set_attribute("admina.session_id", session_id)
+            if metadata:
+                for k, v in metadata.items():
+                    span.set_attribute(f"admina.meta.{k}", str(v))
+
+    @property
+    def enabled(self) -> bool:
+        """Whether OTEL export is active."""
+        return self._enabled
+
+    def get_stats(self) -> dict[str, Any]:
+        """Return exporter status for diagnostics."""
+        return {"enabled": self._enabled, "engine": "otel"}

admina/domains/data_sovereignty/__init__.py

@@ -0,0 +1,42 @@
+# Copyright © 2025–2026 Stefano Noferi & Admina contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Admina — Data Sovereignty Domain.
+
+PII redaction, data residency, and classification.
+
+PIIRedactor depends on ``spacy`` (the ``[nlp]`` extra) and is loaded
+lazily via PEP 562 ``__getattr__`` so importing this package never
+fails on a pure-SDK install.
+"""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+from admina.domains.data_sovereignty.classification import DataClassifier, SensitivityLevel
+from admina.domains.data_sovereignty.residency import ResidencyEnforcer
+
+if TYPE_CHECKING:  # pragma: no cover
+    from admina.domains.data_sovereignty.pii import PIIRedactor
+
+__all__ = ["PIIRedactor", "ResidencyEnforcer", "DataClassifier", "SensitivityLevel"]
+
+
+def __getattr__(name: str):
+    if name == "PIIRedactor":
+        from admina.domains.data_sovereignty.pii import PIIRedactor
+
+        return PIIRedactor
+    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")

admina/domains/data_sovereignty/classification.py

@@ -0,0 +1,102 @@
+# Copyright © 2025–2026 Stefano Noferi & Admina contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Admina — Automatic data sensitivity classification.
+
+Tags data as public/internal/confidential/restricted based on PII scan
+results and configurable rules.
+"""
+
+from __future__ import annotations
+
+import logging
+from enum import Enum
+from typing import Any
+
+logger = logging.getLogger("admina.data_sovereignty.classification")
+
+
+class SensitivityLevel(str, Enum):
+    """Data sensitivity levels."""
+
+    PUBLIC = "public"
+    INTERNAL = "internal"
+    CONFIDENTIAL = "confidential"
+    RESTRICTED = "restricted"
+
+
+# PII categories that trigger elevated classification
+_CONFIDENTIAL_PII = {"credit_card", "ssn", "iban"}
+_RESTRICTED_PII = {"medical", "biometric", "criminal"}
+
+
+class DataClassifier:
+    """Classifies data sensitivity based on PII scan results.
+
+    Uses the output of PIIRedactor.redact() to determine the sensitivity
+    level of a data record. Integrated into GovernedData.ingest().
+
+    Args:
+        default_level: Sensitivity level when no PII is detected.
+    """
+
+    def __init__(self, default_level: SensitivityLevel = SensitivityLevel.INTERNAL) -> None:
+        self._default_level = default_level
+        self._classifications_total = 0
+
+    def classify(
+        self, *, pii_categories: list[str] | None = None, text: str = ""
+    ) -> dict[str, Any]:
+        """Classify data sensitivity.
+
+        Args:
+            pii_categories: List of PII category names found (e.g., ["email", "phone"]).
+            text: Original text (not used for classification, available for custom rules).
+
+        Returns:
+            Dict with ``level`` (SensitivityLevel), ``reason``, ``pii_found``.
+        """
+        self._classifications_total += 1
+        categories = set(pii_categories or [])
+
+        if categories & _RESTRICTED_PII:
+            return {
+                "level": SensitivityLevel.RESTRICTED.value,
+                "reason": f"Contains restricted PII: {categories & _RESTRICTED_PII}",
+                "pii_found": list(categories),
+            }
+
+        if categories & _CONFIDENTIAL_PII:
+            return {
+                "level": SensitivityLevel.CONFIDENTIAL.value,
+                "reason": f"Contains confidential PII: {categories & _CONFIDENTIAL_PII}",
+                "pii_found": list(categories),
+            }
+
+        if categories:
+            return {
+                "level": SensitivityLevel.CONFIDENTIAL.value,
+                "reason": f"Contains PII: {categories}",
+                "pii_found": list(categories),
+            }
+
+        return {
+            "level": self._default_level.value,
+            "reason": "No PII detected",
+            "pii_found": [],
+        }
+
+    def get_stats(self) -> dict[str, Any]:
+        """Return classification statistics."""
+        return {"classifications_total": self._classifications_total}

admina/domains/data_sovereignty/pii.py

@@ -0,0 +1,260 @@
+# Copyright © 2025–2026 Stefano Noferi & Admina contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+Admina — PII Redaction Engine — Data Sovereignty domain
+Bidirectional masking of sensitive data on requests and responses.
+"""
+
+import logging
+import os
+import re
+
+import spacy
+
+logger = logging.getLogger("admina.pii_redactor")
+
+# NLP model used for NER-based PII detection.
+# Priority: admina.yaml `pii.ner_model` > ADMINA_SPACY_MODEL env var > default.
+SPACY_MODEL = os.environ.get("ADMINA_SPACY_MODEL", "en_core_web_sm")
+
+# Mapping from the short category names used in admina.yaml to PII_CATEGORIES keys.
+# Allows the YAML list ["email", "ssn", ...] to toggle entries in PII_CATEGORIES.
+_YAML_CATEGORY_MAP: dict[str, str] = {
+    "email": "EMAIL",
+    "phone": "PHONE",
+    "credit_card": "CREDIT_CARD",
+    "ssn": "SSN",
+    "iban": "IBAN",
+    "ip": "IP_ADDRESS",
+    "person": "PERSON",
+    "org": "ORG",
+    "gpe": "GPE",
+    "loc": "LOC",
+    "dob": "DATE_OF_BIRTH",
+    "it_codice_fiscale": "IT_CODICE_FISCALE",
+    "es_dni": "ES_DNI_NIE",
+    "es_nie": "ES_DNI_NIE",
+    "de_personalausweis": "DE_PERSONALAUSWEIS",
+}
+
+# Categories of PII that can be individually configured
+PII_CATEGORIES = {
+    "PERSON": {"enabled": True, "mask": "[PERSON]"},
+    "ORG": {"enabled": True, "mask": "[ORG]"},
+    "GPE": {"enabled": True, "mask": "[LOCATION]"},  # Geopolitical entities
+    "LOC": {"enabled": True, "mask": "[LOCATION]"},
+    "EMAIL": {"enabled": True, "mask": "[EMAIL]"},
+    "PHONE": {"enabled": True, "mask": "[PHONE]"},
+    "CREDIT_CARD": {"enabled": True, "mask": "[CREDIT_CARD]"},
+    "SSN": {"enabled": True, "mask": "[SSN]"},
+    "IBAN": {"enabled": True, "mask": "[IBAN]"},
+    "IP_ADDRESS": {"enabled": True, "mask": "[IP_ADDR]"},
+    "DATE_OF_BIRTH": {"enabled": True, "mask": "[DOB]"},
+    # EU national identifiers — opt-in but on by default to match the
+    # framework's EU-first positioning.
+    "IT_CODICE_FISCALE": {"enabled": True, "mask": "[CF]"},
+    "ES_DNI_NIE": {"enabled": True, "mask": "[DNI]"},
+    "DE_PERSONALAUSWEIS": {"enabled": False, "mask": "[AUSWEIS]"},  # off — ambiguous regex
+}
+
+# Regex patterns for PII not covered by spaCy NER
+REGEX_PII_PATTERNS = {
+    "EMAIL": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"),
+    "PHONE": re.compile(r"(?<!\d)(\+\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}(?!\d)"),
+    "CREDIT_CARD": re.compile(r"\b(?:\d{4}[-\s]?){3}\d{4}\b"),
+    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
+    "IBAN": re.compile(
+        r"\b[A-Z]{2}\d{2}\s?[\dA-Z]{4}\s?[\dA-Z]{4}\s?[\dA-Z]{4}(?:\s?[\dA-Z]{4}){0,4}\b"
+    ),
+    # IPv4 with proper octet validation (each octet 0-255). Avoids matching
+    # version strings like 1.2.3.999 or build numbers > 255.
+    "IP_ADDRESS": re.compile(
+        r"\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
+        r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
+    ),
+    # Italian Codice Fiscale (16 chars: 6 letters + 2 digits + 1 letter +
+    # 2 digits + 1 letter + 3 alphanumeric + 1 letter)
+    "IT_CODICE_FISCALE": re.compile(
+        r"\b[A-Z]{6}\d{2}[A-EHLMPRST]\d{2}[A-Z]\d{3}[A-Z]\b",
+        re.IGNORECASE,
+    ),
+    # Spanish DNI/NIE: 8 digits + 1 letter (DNI) or X/Y/Z + 7 digits + letter (NIE)
+    "ES_DNI_NIE": re.compile(
+        r"\b(?:\d{8}|[XYZ]\d{7})[-\s]?[A-Z]\b",
+        re.IGNORECASE,
+    ),
+    # German Personalausweis: 10 chars (alphanumeric, no I/O)
+    # NB: deliberately conservative — exact format varies by issue date.
+    "DE_PERSONALAUSWEIS": re.compile(r"\b[CFGHJKLMNPRTVWXYZ\d]{10}\b"),
+}
+
+# Context windows used to filter version-string false positives on IPv4.
+# Looks at the ~24 chars preceding/following the candidate match.
+_VERSION_PREFIX_RX = re.compile(
+    r"\b(?:version|versione|versión|ver|v|release|build|revision|rev|"
+    r"update|patch|firmware|api[\s-]?v)\.?\s*$",
+    re.IGNORECASE,
+)
+_VERSION_SUFFIX_RX = re.compile(
+    r"^\s*(?:released|build|revision|update|patch|published|"
+    r"\(.*?\)|out|stable|rc\d|beta|alpha)",
+    re.IGNORECASE,
+)
+
+
+def _is_real_ipv4(text: str, start: int, end: int) -> bool:
+    """Heuristic: skip IP-shaped numbers that are clearly version strings.
+
+    Returns True if the match at [start:end] looks like a network address,
+    False if it appears in a version-number context (e.g. "version 1.2.3.4",
+    "released 1.2.3.4", "v1.2.3.4 stable").
+    """
+    prefix = text[max(0, start - 24) : start]
+    if _VERSION_PREFIX_RX.search(prefix):
+        return False
+    suffix = text[end : end + 24]
+    if _VERSION_SUFFIX_RX.match(suffix):
+        return False
+    return True
+
+
+# Per-category mask for the new EU IDs (used by PIIRedactor when not overridden)
+_DEFAULT_EU_ID_MASKS = {
+    "IT_CODICE_FISCALE": "[CF]",
+    "ES_DNI_NIE": "[DNI]",
+    "DE_PERSONALAUSWEIS": "[AUSWEIS]",
+}
+
+
+class PIIRedactor:
+    """
+    Bidirectional PII redaction engine.
+    Uses spaCy NER + regex patterns for comprehensive coverage.
+
+    Args:
+        config: Optional PIIConfig (or any object with `.ner_model` / `.categories`
+                attributes) loaded from admina.yaml.  When supplied, its values
+                take precedence over the module-level defaults and env vars.
+    """
+
+    def __init__(self, config=None):
+        # Resolve NLP model: config.ner_model > ADMINA_SPACY_MODEL env var > default
+        model_name = getattr(config, "ner_model", None) or SPACY_MODEL
+        try:
+            self.nlp = spacy.load(model_name)
+            logger.info("[OK] spaCy model loaded: %s", model_name)
+        except OSError:
+            logger.warning("[WARN] spaCy model '%s' not found, using regex-only mode", model_name)
+            self.nlp = None
+
+        # Build active categories: start from PII_CATEGORIES defaults, then
+        # disable any category not listed in config.categories (if provided).
+        if config is not None and getattr(config, "categories", None) is not None:
+            enabled_keys = {_YAML_CATEGORY_MAP.get(c.lower(), c.upper()) for c in config.categories}
+            self._active_categories = {
+                k: {**v, "enabled": k in enabled_keys} for k, v in PII_CATEGORIES.items()
+            }
+        else:
+            self._active_categories = PII_CATEGORIES
+
+        self.total_redacted: int = 0
+        self.redactions_by_type: dict[str, int] = {}
+
+    def redact(self, text: str, categories: dict | None = None) -> dict:
+        """
+        Redact PII from text.
+        Returns: {redacted_text: str, entities: [...], count: int}
+        """
+        if not text:
+            return {"redacted_text": text, "entities": [], "count": 0}
+
+        active_categories = categories or self._active_categories
+        entities_found = []
+        redacted = text
+
+        # Step 1 — regex-based detection (higher precision for structured PII)
+        for cat_name, pattern in REGEX_PII_PATTERNS.items():
+            cat_config = active_categories.get(cat_name, {})
+            if not cat_config.get("enabled", True):
+                continue
+            mask = cat_config.get("mask", f"[{cat_name}]")
+
+            # Find all matches; for IP_ADDRESS, drop version-string matches
+            # (e.g. "version 1.2.3.4 released") to reduce false positives.
+            matches = list(pattern.finditer(redacted))
+            if cat_name == "IP_ADDRESS":
+                matches = [m for m in matches if _is_real_ipv4(redacted, m.start(), m.end())]
+
+            if not matches:
+                continue
+
+            for match in matches:
+                entities_found.append(
+                    {
+                        "type": cat_name,
+                        "start": match.start(),
+                        "end": match.end(),
+                        "original_length": match.end() - match.start(),
+                        "method": "regex",
+                    }
+                )
+
+            # Replace in reverse order to preserve byte offsets of earlier matches.
+            for match in sorted(matches, key=lambda m: m.start(), reverse=True):
+                redacted = redacted[: match.start()] + mask + redacted[match.end() :]
+
+        # Step 2 — spaCy NER-based detection
+        if self.nlp:
+            doc = self.nlp(redacted)
+            # Process entities in reverse order to maintain positions
+            ner_entities = sorted(doc.ents, key=lambda e: e.start_char, reverse=True)
+            for ent in ner_entities:
+                cat_config = active_categories.get(ent.label_, {})
+                if not cat_config.get("enabled", False):
+                    continue
+                mask = cat_config.get("mask", f"[{ent.label_}]")
+                entities_found.append(
+                    {
+                        "type": ent.label_,
+                        "start": ent.start_char,
+                        "end": ent.end_char,
+                        "original_length": ent.end_char - ent.start_char,
+                        "method": "spacy_ner",
+                    }
+                )
+                redacted = redacted[: ent.start_char] + mask + redacted[ent.end_char :]
+
+        count = len(entities_found)
+        if count > 0:
+            self.total_redacted += count
+            for e in entities_found:
+                t = e["type"]
+                self.redactions_by_type[t] = self.redactions_by_type.get(t, 0) + 1
+            logger.info(
+                "[REDACTED] %d PII entities: %s", count, [e["type"] for e in entities_found]
+            )
+
+        return {
+            "redacted_text": redacted,
+            "entities": entities_found,
+            "count": count,
+        }
+
+    def get_stats(self) -> dict:
+        return {
+            "total_redacted": self.total_redacted,
+            "redactions_by_type": self.redactions_by_type,
+            "spacy_available": self.nlp is not None,
+        }

admina/domains/data_sovereignty/residency.py

@@ -0,0 +1,121 @@
+# Copyright © 2025–2026 Stefano Noferi & Admina contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Admina — Data residency enforcement.
+
+Ensures data stays within allowed geographic/logical zones.
+Blocks outbound transfers that violate zone policy.
+"""
+
+from __future__ import annotations
+
+import logging
+from dataclasses import dataclass
+from typing import Any
+
+logger = logging.getLogger("admina.data_sovereignty.residency")
+
+# Default configuration
+_DEFAULT_ALLOWED_ZONES = ["local", "eu"]
+_DEFAULT_BLOCK_OUTBOUND = True
+
+
+@dataclass
+class ResidencyViolation:
+    """A residency policy violation."""
+
+    source_zone: str
+    target_zone: str
+    reason: str
+    blocked: bool = True
+
+
+class ResidencyEnforcer:
+    """Enforces data residency policies.
+
+    Validates that data operations stay within allowed zones.
+    Used by GovernedData to check every ingest/query operation.
+
+    Args:
+        allowed_zones: List of permitted zone identifiers.
+        block_outbound: Whether to block transfers outside allowed zones.
+    """
+
+    def __init__(
+        self,
+        allowed_zones: list[str] | None = None,
+        block_outbound: bool = _DEFAULT_BLOCK_OUTBOUND,
+    ) -> None:
+        self._allowed_zones = allowed_zones or list(_DEFAULT_ALLOWED_ZONES)
+        self._block_outbound = block_outbound
+        self._checks_total = 0
+        self._violations_total = 0
+
+    def check(
+        self,
+        *,
+        source_zone: str = "local",
+        target_zone: str | None = None,
+        data_type: str = "unknown",
+    ) -> dict[str, Any]:
+        """Check whether a data operation complies with residency policy.
+
+        Args:
+            source_zone: Where the data currently resides.
+            target_zone: Where the data would move (None = stays in place).
+            data_type: Category of data for logging.
+
+        Returns:
+            Dict with ``allowed`` (bool), ``zone`` info, and optional ``violation``.
+        """
+        self._checks_total += 1
+        effective_target = target_zone or source_zone
+
+        # Check source zone is allowed
+        if source_zone not in self._allowed_zones:
+            self._violations_total += 1
+            return {
+                "allowed": False,
+                "source_zone": source_zone,
+                "target_zone": effective_target,
+                "violation": f"Source zone '{source_zone}' not in allowed zones: {self._allowed_zones}",
+            }
+
+        # Check target zone if different from source
+        if target_zone and target_zone != source_zone:
+            if target_zone not in self._allowed_zones:
+                self._violations_total += 1
+                blocked = self._block_outbound
+                return {
+                    "allowed": not blocked,
+                    "source_zone": source_zone,
+                    "target_zone": target_zone,
+                    "violation": f"Transfer to zone '{target_zone}' blocked (allowed: {self._allowed_zones})",
+                    "blocked": blocked,
+                }
+
+        return {
+            "allowed": True,
+            "source_zone": source_zone,
+            "target_zone": effective_target,
+        }
+
+    def get_stats(self) -> dict[str, Any]:
+        """Return enforcement statistics."""
+        return {
+            "allowed_zones": self._allowed_zones,
+            "block_outbound": self._block_outbound,
+            "checks_total": self._checks_total,
+            "violations_total": self._violations_total,
+        }

admina/integrations/__init__.py

@@ -0,0 +1,14 @@
+# Copyright © 2025–2026 Stefano Noferi & Admina contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+