pyauthz 0.9.0__tar.gz

pyauthz-0.9.0/.gitignore

@@ -0,0 +1,50 @@
+# Python bytecode
+__pycache__/
+*.py[cod]
+*$py.class
+
+# Distribution / packaging
+dist/
+build/
+*.egg-info/
+*.egg
+
+# Virtual environments
+.venv/
+venv/
+
+# Testing / coverage
+.pytest_cache/
+.hypothesis/
+.coverage
+htmlcov/
+
+# Environment / secrets
+.env
+.env.*
+
+# Audit logs (generated at runtime)
+logs/
+*.jsonl
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS junk
+Thumbs.db
+Desktop.ini
+.DS_Store
+
+# Internal planning docs (local only)
+AGENTS.md
+CONTEXT.md
+Development.md
+Implementation.md
+Progress.md
+GOV_PITCH.md
+rampart-project.md
+bastion-project.md
+pyauthz-project.md

pyauthz-0.9.0/ARCHITECTURE.md

@@ -0,0 +1,124 @@
+# PyAuthz Architecture
+
+This document describes the internal architecture of PyAuthz for contributors and advanced users.
+
+## Core Concepts
+
+PyAuthz evaluates authorization as: **Can this Subject perform this Action on this Resource?**
+
+```
+Subject  ──┐
+Action   ──┤──> Engine ──> Decision (allow/deny + reasoning)
+Resource ──┤
+Env      ──┘
+```
+
+## Evaluation Pipeline
+
+When `rp.authorize(subject, action, resource)` is called:
+
+1. **Cache check** — If a `DecisionCache` is attached, check for a cached decision.
+2. **Action resolution** — If the action has no colon, prepend the resource type: `"write"` → `"documents:write"`.
+3. **Environment merge** — Merge default environment with per-request env kwargs.
+4. **Role resolution** — Walk the role hierarchy (parents) to compute the subject's effective roles.
+5. **Policy matching** — Find all applicable policies:
+   - Policy is enabled
+   - Subject has at least one of the policy's required roles (or policy has no role restriction)
+   - Action matches at least one of the policy's permission patterns
+   - All conditions evaluate to true (ABAC)
+6. **Combination** — Run the combiner algorithm on matched policies:
+   - `deny-override`: any DENY wins over all ALLOWs
+   - `allow-override`: any ALLOW wins over all DENYs
+   - `priority-first`: highest priority policy wins
+   - `first-match`: first matched policy wins
+7. **Decision** — Build and return a `Decision` object with the result, reasoning, matched policies, and timing.
+8. **Cache store** — If caching is enabled, store the decision for future lookups.
+
+## Module Map
+
+### `pyauthz.core.engine` — The Heart
+
+The `PyAuthz` class is the central coordinator. It owns storage, cache, audit, and the evaluation pipeline. All authorization flows through `_evaluate()`.
+
+### `pyauthz.models.*` — Data Models
+
+Pydantic models for all domain objects. These are the public API surface:
+
+- `Subject` — who is requesting access (id, roles, attributes)
+- `Resource` — what is being accessed (id, type, owner_id, attributes)
+- `Role` — named permission set with optional parent hierarchy
+- `Policy` — explicit allow/deny rule with conditions
+- `Permission` — parsed `resource_type:action` with wildcard support
+- `Condition` — ABAC condition (field, operator, value)
+- `Decision` — evaluation result with full reasoning chain
+
+### `pyauthz.core.conditions` — ABAC Engine
+
+Evaluates conditions against an `AccessRequest` context. Handles:
+- Dot-notation field resolution (`subject.attributes.department`)
+- Cross-references (`resource.owner_id == subject.id`)
+- 10 operators: `==`, `!=`, `>`, `<`, `>=`, `<=`, `in`, `not_in`, `contains`, `matches`
+- Fail-safe: missing attributes produce DENY, never crash
+
+### `pyauthz.policies.combiners` — Decision Algorithms
+
+Pure functions that take a list of matched policies and return (effect, matched_names, reasoning). Each combiner implements a different conflict resolution strategy.
+
+### `pyauthz.storage.*` — Persistence
+
+- `StorageBackend` — protocol defining the storage interface
+- `MemoryStorage` — thread-safe in-memory implementation (default)
+- `yaml_file` — YAML loader with schema validation
+- `watcher` — PolicyWatcher for hot-reload on file changes
+
+### `pyauthz.filtering.*` — Query Filters
+
+Converts policies into database-compatible filter expressions:
+- `expressions.py` — FilterExpression AST (frozen dataclasses)
+- `compiler.py` — policy-to-AST compilation
+- `sql.py` — SQLAlchemy WHERE clause generation
+- `django.py` — Django Q object generation
+- `raw_sql.py` — Parameterized raw SQL generation
+
+### `pyauthz.core.cache` — Decision Caching
+
+TTL-based LRU cache with automatic invalidation when policies or roles change.
+
+### `pyauthz.core.tenancy` — Multi-Tenancy
+
+Per-tenant isolated storage instances via `TenantManager`.
+
+### `pyauthz.core.temporal` — Time-Bounded Roles
+
+Role assignments with `effective_from` and `expires_at` windows.
+
+### `pyauthz.core.delegation` — Permission Delegation
+
+User A grants User B temporary permissions with expiration and audit trail.
+
+### `pyauthz.core.simulation` — Policy Simulation
+
+"What would happen if..." analysis by cloning the engine with modified policies/roles.
+
+## Thread Safety
+
+The engine uses `threading.RLock` in `MemoryStorage` for all reads and writes. The `DecisionCache` has its own lock. The engine is safe for concurrent use in WSGI workers.
+
+## Async Support
+
+Async methods (`aauthorize`, `ais_allowed`, `aauthorize_bulk`) use `asyncio.to_thread()` to run the synchronous engine in a thread pool. The engine itself is not async-native — this keeps the code simple while providing a real async interface.
+
+## Extension Points
+
+- **Custom storage backends**: Implement `StorageBackend` for SQL, Redis, etc.
+- **Custom combiners**: Add functions to `COMBINERS` dict
+- **Framework integrations**: Follow the `pyauthz_fastapi`/`pyauthz_flask` pattern
+- **Audit exporters**: Implement custom exporters for the audit logger
+
+## Design Principles
+
+1. **Deny by default** — If nothing explicitly allows access, deny.
+2. **Fail-safe** — Missing attributes, bad conditions, or errors produce DENY, never ALLOW.
+3. **Separation of concerns** — Models don't know about the engine. The engine doesn't know about frameworks.
+4. **Structured decisions** — Every authorization produces a `Decision` with reasoning, not just a boolean.
+5. **Zero external dependencies for core** — Only Pydantic and PyYAML for the core engine.

pyauthz-0.9.0/CHANGELOG.md

@@ -0,0 +1,140 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.9.0] - 2026-03-06
+
+### Added
+
+- **Federal Compliance & Hardened Audit (Phase 9)**
+- `AuditEvent` expanded with optional `source_ip`, `request_id`, `service_id` fields (NIST 800-53 AU-3)
+- `MutationEvent` and `MutationAction` models for tracking configuration changes
+- Engine mutation audit hooks — `add_role()`, `remove_role()`, `replace_roles()`, `add_policy()`, `remove_policy()`, `replace_policies()` all emit `MutationEvent` records (AC-2, CM-3)
+- `TemporalRoleStore` and `DelegationStore` accept optional `audit_logger` for temporal/delegation audit events (AC-2)
+- `ComplianceExporter` — enriches events with NIST 800-53 control mappings and event categories
+- `HmacExporter` — HMAC-SHA256 signed log entries with `verify()` for tamper detection (AU-9)
+- `pyauthz.contrib.x509` — X.509 Distinguished Name parsing: `parse_dn()`, `extract_dod_id()`, `subject_from_dn()`
+- `Denied` exception now carries `.suggestions` populated automatically by `explain_denial()`
+- Django integration tests (9 tests)
+- Strawberry GraphQL integration tests (7 tests)
+- 42 new compliance tests (404 total across all suites)
+- `docs/FEDRAMP_GUIDE.md` — authorization patterns for FedRAMP compliance
+
+### Changed
+
+- `Denied.__init__` accepts optional `suggestions` parameter
+- Strawberry `PyAuthzExtension` now inherits from `SchemaExtension` (compatible with Strawberry v0.300+)
+- `AuditLogger` gains `log_mutation()` method for configuration change events
+
+## [0.8.0] - 2026-03-06
+
+### Added
+
+- `diff_policies()` — compare two policy sets and report authorization outcome changes (allow→deny, deny→allow)
+- `lint_policies()` — detect common policy mistakes: undefined roles (L001), overly broad (L002), contradictory (L003), disabled (L004), orphan roles (L005), undefined parents (L006)
+- `pyauthz lint` CLI command for linting policy files
+- `explain_denial()` — generate actionable suggestions for denied access (which roles would help, which conditions failed)
+- `BreakGlassManager` — emergency access bypass with required justification, audit logging, and authorized subject list (maps to NIST 800-53 AC-2(2))
+- 29 new tests (346 total) covering diff, lint, explain, and break-glass
+
+## [0.7.0] - 2026-03-06
+
+### Added
+
+- `pyauthz.testing` module with `AuthScenario`, `must_allow`, `must_deny` for pytest-friendly authorization testing
+- `pyauthz` CLI tool with `check`, `simulate`, `roles`, and `policies` commands
+- `CONTRIBUTING.md` contributor guide
+- `ARCHITECTURE.md` internal architecture documentation
+- 23 new tests (317 total) for testing utilities and CLI
+
+## [0.6.0] - 2026-03-06
+
+### Added
+
+- `DecisionCache` — TTL-based LRU decision cache with automatic invalidation on policy/role changes
+- `PyAuthz.set_cache()` — attach a cache to the engine for automatic caching of authorization decisions
+- `TenantManager` — multi-tenancy support with per-tenant isolated roles and policies
+- `TemporalRole` + `TemporalRoleStore` — time-bounded role assignments with `effective_from` and `expires_at`
+- `Delegation` + `DelegationStore` — controlled permission delegation between users with expiration
+- `simulate()` + `SimulationResult` — policy simulation ("what would happen if...") without modifying the live engine
+- All new types exported from `pyauthz.__init__`
+- 50 new tests (294 total) covering cache, multi-tenancy, temporal permissions, delegation, and simulation
+
+## [0.5.0] - 2026-03-06
+
+### Added
+
+- `pyauthz_flask` package — Flask extension with before_request subject resolution, `@requires()` decorator, `get_subject()` helper, and Denied -> 403 JSON handler
+- `pyauthz_django` package — Django middleware with subject resolution, `@requires()` view decorator, and Denied -> 403 JSON response
+- `pyauthz_strawberry` package — Strawberry GraphQL extension with context-based subject resolution and `@requires()` resolver decorator (sync + async)
+- 7 Flask integration tests (244 total)
+
+## [0.4.0] - 2026-03-06
+
+### Added
+
+- `authorized_filter()` method on `PyAuthz` engine — produces `FilterResult` with AST
+- `FilterExpression` AST: `AllowAll`, `DenyAll`, `Compare`, `And`, `Or`, `Not` nodes
+- `to_sqlalchemy_filter()` — compile FilterExpression to SQLAlchemy WHERE clauses
+- `to_django_q()` — compile FilterExpression to Django ORM Q objects
+- `to_raw_sql()` — compile FilterExpression to parameterized raw SQL
+- Environment conditions flagged as unpushable in `FilterResult.unpushable_conditions`
+- Deny-override combiner produces `AND NOT` clauses for DENY policies
+- Cross-reference conditions resolved to literal values at compile time
+- Performance benchmarks: simple RBAC <500μs, ABAC <2000μs
+- 44 new tests (237 total) covering filtering AST, compilers, and benchmarks
+
+## [0.3.0] - 2026-03-06
+
+### Added
+
+- `pyauthz_fastapi` package — first-class FastAPI authorization integration
+- `PyAuthzMiddleware` — ASGI middleware for request-level subject resolution
+- `@requires()` decorator for route-level authorization checks
+- `setup_pyauthz()` convenience function (adds middleware + Denied exception handler)
+- `get_subject()`, `get_decision()`, `get_pyauthz()` FastAPI dependency injection helpers
+- Subject resolver protocol: user-provided async callable `(Request) -> Subject`
+- Resource resolver protocol: user-provided callable for custom resource resolution
+- Denied exception automatically mapped to 403 JSON response with structured error body
+- 9 FastAPI integration tests (193 total)
+
+## [0.2.0] - 2026-03-06
+
+### Added
+
+- Role hierarchy with parent inheritance — roles can list `parents` to inherit permissions
+- Cycle detection at `add_role()` time — circular role hierarchies are caught immediately, never at evaluation time
+- Full ABAC condition evaluation with 10 operators: ==, !=, >, <, >=, <=, in, not_in, contains, matches (regex)
+- Dot-notation field resolution for deep attribute access (`subject.attributes.department`, `resource.attributes.classification`)
+- Cross-reference conditions: `Condition(field="resource.owner_id", op="==", value="subject.id")`
+- Fail-safe condition evaluation: missing attributes produce DENY with descriptive reasoning, never crash
+- `allow-override` combiner: any ALLOW wins over all DENYs
+- `priority-first` combiner: highest-priority applicable policy wins
+- `PolicyWatcher` for YAML hot-reload — polls for file changes and auto-reloads policies
+- 75 new tests (184 total) covering ABAC conditions, role hierarchy, new combiners, and the file watcher
+
+## [0.1.0] - 2026-03-06
+
+### Added
+
+- Core authorization engine (`PyAuthz`) with sync and async APIs
+- Pydantic data models: `Subject`, `Resource`, `Role`, `Permission`, `Policy`, `Condition`, `Decision`, `AccessRequest`
+- Permission string parsing with wildcard support (`*:*`, `documents:*`, `*:read`)
+- Action shorthand: `"write"` auto-expands to `"documents:write"` via `resource.type`
+- Flat RBAC: roles with permissions, subjects with roles
+- Auto-default policy: allow if role has matching permission (no explicit policies needed)
+- `authorize()` / `aauthorize()` — returns `Decision` on allow, raises `Denied` on deny
+- `is_allowed()` / `ais_allowed()` — returns `bool`, never raises
+- `authorize_bulk()` / `aauthorize_bulk()` — batch authorization checks
+- Policy combination algorithms: deny-override (default), first-match
+- In-memory storage backend with thread-safe locking
+- YAML policy loading with `version: 1` schema validation
+- Structured audit logging with `JsonExporter`
+- Error hierarchy: `Denied`, `SchemaError`, `ConfigError`, `PolicyVersionError`
+- Role and policy management: `add_role()`, `remove_role()`, `replace_roles()`, `add_policy()`, `remove_policy()`, `replace_policies()`
+- Environment context: per-request kwargs and `set_environment()` defaults
+- `py.typed` marker for PEP 561 compliance
+- 109 tests with >95% coverage including Hypothesis property-based tests

pyauthz-0.9.0/CONTRIBUTING.md

@@ -0,0 +1,123 @@
+# Contributing to PyAuthz
+
+Thank you for your interest in contributing to PyAuthz! This guide covers everything you need to get started.
+
+## Development Setup
+
+```bash
+# Clone the repo
+git clone https://github.com/marci/pyauthz.git
+cd pyauthz
+
+# Create a virtual environment
+python -m venv .venv
+.venv/Scripts/activate  # Windows
+# source .venv/bin/activate  # macOS/Linux
+
+# Install in editable mode with dev dependencies
+pip install -e ".[dev]"
+
+# Install framework extras if working on integrations
+pip install fastapi httpx flask strawberry-graphql
+```
+
+## Running Tests
+
+```bash
+# Run all tests
+pytest
+
+# Run specific test file
+pytest tests/test_engine.py
+
+# Run with coverage
+pytest --cov=pyauthz --cov-report=term-missing
+
+# Run only core tests (faster)
+pytest tests/
+
+# Run framework integration tests
+pytest tests_fastapi/ tests_flask/
+```
+
+## Code Quality
+
+We use `ruff` for linting and formatting:
+
+```bash
+# Lint
+ruff check .
+
+# Auto-fix lint issues
+ruff check --fix .
+
+# Format
+ruff format .
+```
+
+All code must pass `ruff check` and `ruff format --check` before merge.
+
+## Project Structure
+
+```
+pyauthz/
+├── core/           # Engine, decision, errors, conditions, cache, etc.
+├── models/         # Pydantic data models (Subject, Resource, Role, etc.)
+├── policies/       # Combiner algorithms
+├── storage/        # Storage backends (memory, YAML loader, watcher)
+├── filtering/      # Query filter compilation (AST, SQL, Django)
+├── audit/          # Audit logging
+├── testing/        # Testing utilities (AuthScenario, assertions)
+├── cli/            # CLI tool (pyauthz check, simulate)
+├── middleware/     # Shared middleware types
+pyauthz_fastapi/    # FastAPI integration package
+pyauthz_flask/      # Flask integration package
+pyauthz_django/     # Django integration package
+pyauthz_strawberry/ # Strawberry GraphQL integration package
+tests/              # Core test suite
+tests_fastapi/      # FastAPI integration tests
+tests_flask/        # Flask integration tests
+```
+
+## Architecture
+
+See [ARCHITECTURE.md](ARCHITECTURE.md) for a detailed overview of how the engine works, the evaluation pipeline, and design decisions.
+
+## Making Changes
+
+1. **Read the code first.** Understand the existing patterns before modifying.
+2. **Write tests.** Every new feature or bug fix should include tests. Tests go in `tests/test_<module>.py`.
+3. **Keep it simple.** PyAuthz values simplicity over cleverness. If there's a simple way to do it, prefer that.
+4. **Don't break the public API.** The `pyauthz.__init__` exports define the public API. Changes to these are breaking changes.
+
+## Commit Messages
+
+- Explain *why*, not just *what*
+- One logical change per commit
+- Use imperative mood: "Add cache invalidation" not "Added cache invalidation"
+
+## Adding a New Combiner
+
+1. Create the combiner function in `pyauthz/policies/combiners.py`
+2. Register it in the `COMBINERS` dict
+3. Add tests in `tests/test_combiners.py`
+4. Update the engine docstring and README
+
+## Adding a New Framework Integration
+
+1. Create a new namespace package at the project root: `pyauthz_<framework>/`
+2. Follow the patterns from `pyauthz_fastapi/` or `pyauthz_flask/`
+3. Add tests in `tests_<framework>/`
+4. Add the framework to dev dependencies in `pyproject.toml`
+
+## Adding a New Storage Backend
+
+1. Implement the `StorageBackend` protocol from `pyauthz/storage/base.py`
+2. Add tests that verify thread safety and correctness
+3. Add the dependency to optional extras in `pyproject.toml`
+
+## Reporting Issues
+
+- Use GitHub Issues for bugs and feature requests
+- Include a minimal reproduction case for bugs
+- Include Python version, OS, and PyAuthz version

pyauthz-0.9.0/LICENSE

@@ -0,0 +1,190 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to the Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by the Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding any notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 Marci
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.