sops-mcp 0.10.0__tar.gz

sops_mcp-0.10.0/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,27 @@
+---
+name: Bug report
+about: Report unexpected behavior
+title: ""
+labels: bug
+---
+
+## What happened
+
+<!-- What tool did you call, with what arguments, and what did it do? -->
+
+## What you expected
+
+<!-- What should it have done instead? -->
+
+## Environment
+
+- sops-mcp version:
+- sops CLI version (`sops --version`):
+- age version (`age --version`):
+- Python version:
+- Transport (stdio or sse):
+
+## Reproducer
+
+<!-- Minimal steps or a redacted secrets.enc.yaml snippet. Do NOT paste
+     real encrypted content if the underlying age key could be compromised. -->

sops_mcp-0.10.0/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,24 @@
+---
+name: Feature request
+about: Suggest a new tool, source type, or transform
+title: ""
+labels: enhancement
+---
+
+## What you want to do
+
+<!-- Describe the workflow. What tool or capability would make it possible? -->
+
+## Why the existing tools aren't enough
+
+<!-- Walk through how you'd currently have to do this with the existing
+     tool set, and what falls short. -->
+
+## Out-of-scope check
+
+<!-- sops-mcp intentionally does NOT support:
+     - Returning plaintext secret values over the MCP boundary
+     - In-place value update for generated/derived secrets (use rotate)
+     - Imported/templated sources (orchestration concerns — use your
+       deployment templating layer)
+     Is your request compatible with these boundaries? -->

sops_mcp-0.10.0/.github/pull_request_template.md

@@ -0,0 +1,10 @@
+## Summary
+
+<!-- What does this PR change, and why? -->
+
+## Test plan
+
+- [ ] `pytest tests/ -v` passes locally
+- [ ] Integration tests updated if tool behavior changed
+- [ ] CHANGELOG.md updated under `[Unreleased]`
+- [ ] If a new source type or transform: updated README "Sources" / "Transforms" section

sops_mcp-0.10.0/.github/workflows/ci.yml

@@ -0,0 +1,49 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install sops and age
+        run: |
+          set -euo pipefail
+          curl -fsSL \
+            https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 \
+            -o /tmp/sops
+          echo "5488e32bc471de7982ad895dd054bbab3ab91c417a118426134551e9626e4e85  /tmp/sops" \
+            | sha256sum -c -
+          sudo install -m 755 /tmp/sops /usr/local/bin/sops
+          curl -fsSL \
+            https://github.com/FiloSottile/age/releases/download/v1.2.0/age-v1.2.0-linux-amd64.tar.gz \
+            -o /tmp/age.tar.gz
+          echo "2ae71cb3ea761118937a944083f057cfd42f0ef11d197ce72fc2b8780d50c4ef  /tmp/age.tar.gz" \
+            | sha256sum -c -
+          tar -xzf /tmp/age.tar.gz -C /tmp
+          sudo install -m 755 /tmp/age/age /usr/local/bin/age
+          sudo install -m 755 /tmp/age/age-keygen /usr/local/bin/age-keygen
+
+      - name: Install Python dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Lint
+        run: ruff check src/ tests/
+
+      - name: Test
+        run: pytest tests/ -v

sops_mcp-0.10.0/.github/workflows/publish-pypi.yml

@@ -0,0 +1,58 @@
+name: Publish to PyPI
+
+# Trusted Publishing — no PyPI API token. The workflow exchanges its GitHub
+# OIDC token for a short-lived PyPI upload credential. Configure the trusted
+# publisher on PyPI before the first run:
+#   https://pypi.org/manage/account/publishing/
+#
+#   PyPI Project Name: sops-mcp
+#   Owner:             privacyplaybook
+#   Repository name:   sops-mcp
+#   Workflow name:     publish-pypi.yml
+#   Environment name:  pypi
+#
+# Also create a GitHub Environment named `pypi` in repo Settings → Environments
+# (deploy-time gate; can also pin allowed branches/tags).
+
+on:
+  push:
+    tags: ["v*.*.*"]
+  workflow_dispatch:
+
+jobs:
+  build:
+    needs: []
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - name: Build sdist + wheel
+        run: |
+          python -m pip install --upgrade build
+          python -m build
+      - name: Verify build artifacts
+        run: |
+          ls -la dist/
+          python -m pip install --upgrade twine
+          python -m twine check dist/*
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/sops-mcp
+    permissions:
+      id-token: write   # required for OIDC
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1

sops_mcp-0.10.0/.github/workflows/publish.yml

@@ -0,0 +1,71 @@
+name: Publish image to GHCR
+
+on:
+  push:
+    branches: [main]
+    tags: ["v*.*.*"]
+  workflow_dispatch:
+
+jobs:
+  verify-supply-chain:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - name: Verify requirements lockfile
+        run: python3 lib/verify_requirements.py
+      - name: Verify base images are digest-pinned
+        run: python3 lib/verify_base_images.py
+
+  publish:
+    needs: verify-supply-chain
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Compute image tags
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=sha,prefix=sha-,format=short
+            type=ref,event=tag
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push image
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          provenance: mode=max
+          sbom: true
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Sign image with cosign (keyless)
+        env:
+          IMAGE: ghcr.io/${{ github.repository }}
+          DIGEST: ${{ steps.build.outputs.digest }}
+        run: cosign sign --yes "${IMAGE}@${DIGEST}"

sops_mcp-0.10.0/.github/workflows/supply-chain.yml

@@ -0,0 +1,29 @@
+name: Supply chain
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - Dockerfile
+      - requirements.in
+      - requirements.lock.txt
+      - base-images.lock.json
+      - lib/**
+      - .github/workflows/supply-chain.yml
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - name: Verify requirements lockfile
+        run: python3 lib/verify_requirements.py
+      - name: Verify base images are digest-pinned
+        run: python3 lib/verify_base_images.py

sops_mcp-0.10.0/.gitignore

@@ -0,0 +1,11 @@
+.venv/
+venv/
+__pycache__/
+*.py[cod]
+*.egg-info/
+dist/
+build/
+.pytest_cache/
+.coverage
+*.log
+.DS_Store

sops_mcp-0.10.0/CHANGELOG.md

@@ -0,0 +1,137 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.10.0]
+
+Supply-chain hardening release. Migrates the published Docker image to a
+Chainguard / Wolfi Python base for a signed origin and a distroless
+runtime. Python 3.13 minimum runtime in the published image; the library
+itself still supports 3.11+. No changes to the tool surface or to the
+"no plaintext crosses the MCP boundary" property.
+
+### Changed
+
+- **Base image switched to `cgr.dev/chainguard/python`** (Wolfi). The
+  build stage uses `:latest-dev` (with apk + shell + build toolchain);
+  the runtime stage uses `:latest` (distroless: no shell, no apk, no
+  package manager). Both are digest-pinned in `base-images.lock.json`
+  and cosign-verified by the supply-chain workflow. Wins: signed origin
+  via Chainguard's release identity, smaller surface, glibc-based (so
+  no Alpine/musl gotchas).
+- **Container runs as Chainguard's built-in `nonroot` user (uid 65532)**
+  instead of a custom uid 10001. No bind mounts in the supported
+  deployment, so this is documentation-only for most users; deployments
+  that mount host directories into the container will need to chown.
+- **`sops` and `age` binaries now come from Wolfi's apk repo** (signed
+  by Chainguard) rather than separately curl-downloaded with pinned
+  checksums. They are pinned transitively by the digest of the build
+  base image — re-pinning the base also re-pins these binaries.
+- **Published image runtime is Python 3.13.** The library's
+  `requires-python` is unchanged (`>=3.11`); only the Docker runtime
+  bumped. CI matrix expanded to test 3.11, 3.12, and 3.13.
+- **CMD → ENTRYPOINT.** The container now uses an ENTRYPOINT pointing
+  at the venv-installed console script for clearer container semantics.
+
+### Added
+
+- **`cgr.dev` registry support in `lib/pin_base_images.py`** so the
+  digest-pin/cosign-verify pipeline works for Chainguard images.
+
+## [0.9.1]
+
+Security hardening release. Fixes two transitive CVEs and tightens defaults
+for the SSE-over-HTTP transport. No changes to the core tool surface or to
+the "no plaintext crosses the MCP boundary" property.
+
+### Security
+
+- **Upgrade `mcp` to >=1.23.0** (GHSA — DNS rebinding protection not enabled
+  by default in earlier versions of the MCP Python SDK). The low-level
+  `SseServerTransport` in this server is now constructed with explicit
+  `TransportSecuritySettings` that validate the `Host` header on every
+  request.
+- **Upgrade `python-multipart` to >=0.0.26** (GHSA — DoS via inefficient
+  parsing of crafted multipart preamble/epilogue data).
+- **Refuse to bind SSE transport to `0.0.0.0` without `SOPS_MCP_API_TOKEN`.**
+  The server now raises `RuntimeError` at startup rather than silently
+  exposing an unauthenticated interface on all network interfaces.
+- **Flip `SOPS_MCP_HOST` default from `0.0.0.0` to `127.0.0.1`** for the
+  direct `python -m sops_mcp` entrypoint. The published container still
+  binds `0.0.0.0` (because that's what makes a container reachable), which
+  combined with the above refusal means containerized deployments must now
+  set `SOPS_MCP_API_TOKEN`.
+- **Non-root Dockerfile.** The container runs as a dedicated UID (10001)
+  instead of root. Shrinks the blast radius of any remote-code-execution
+  class bug inside the server.
+
+### Added
+
+- `SOPS_MCP_ALLOWED_HOSTS` env var (comma-separated) to configure the
+  `Host`-header allowlist for the SSE transport. Defaults to loopback only;
+  deployments behind a reverse proxy or with non-loopback binds must set
+  this explicitly.
+
+## [0.9.0]
+
+Release candidate for the first open-source release. Adds a third secret source
+type and per-key CRUD tools that preserve the existing "no plaintext crosses the
+MCP boundary" security property. Promotes to 1.0.0 after a verification period.
+
+### Added
+
+- **`derived` source type** — A secret computed from another key in the same
+  file via a named transform. Initial transforms: `pbkdf2_sha512_authelia` and
+  `sha256_hex`. Rotating a generated source automatically recomputes derived
+  values in topological order; renaming a source updates `from:` references;
+  deleting a source is rejected while dependents still exist.
+- **`sops_delete_secrets`** — Remove one or more keys from a file. Enforces
+  derivation dependencies (a source cannot be deleted while a derived secret
+  references it, unless both are deleted together).
+- **`sops_rename_secret`** — Rename a key while preserving its value, source
+  type, and metadata. Updates `from:` references in any dependent derived
+  secrets.
+- **`sops_update_external`** — Replace the value of an `external` secret (for
+  when the user has rotated an upstream credential). Rejects attempts to update
+  `generated` or `derived` secrets. Triggers a cascade recompute of any derived
+  secrets that reference the updated key.
+- **End-to-end integration tests** exercising the real `sops` binary with a
+  throwaway age keypair. Test count: 29 (was 12).
+- `Apache-2.0` LICENSE.
+
+### Changed
+
+- **`sops_create_oidc_secret`** is now a thin convenience wrapper around
+  `sops_create_secrets` with a `generated` + `derived` pair. The encrypted file
+  now contains both `KEY_NAME` and `KEY_NAME_HASH`; the hash is still returned
+  in the response for pasting into Authelia's `configuration.yml`. Rotation of
+  the base secret automatically refreshes the hash.
+- `sops_add_metadata` now accepts `derived` entries (with `transform` and
+  `from` fields) for retrofitting metadata onto legacy files.
+- `sops_add_secrets` now supports adding `derived` secrets that reference
+  either newly-added or existing keys.
+
+## [0.1.0]
+
+Initial release (internal).
+
+### Added
+
+- `sops_create_secrets` — Create a new encrypted file with `generated` and/or
+  `external` secrets. Stores a `_meta_unencrypted` block alongside the
+  encrypted values for decryption-free metadata access.
+- `sops_list_secrets` — List keys and metadata without decrypting.
+- `sops_rotate_generated` — Regenerate all `generated` secrets in a file while
+  preserving `external` values.
+- `sops_add_secrets` — Append new secrets to an existing file (rejects
+  collisions).
+- `sops_add_metadata` — Retrofit `_meta_unencrypted` onto legacy files.
+- `sops_create_oidc_secret` — Authelia-specific OIDC client secret with
+  PBKDF2-SHA512 hash generation.
+- Supply-chain protections: Docker base image digest pinning, binary checksum
+  verification, Python dependency hash locking, CI verification gate.
+- SSE-over-HTTP transport with optional bearer-token auth.
+- stdio transport for direct Claude Code integration.

sops_mcp-0.10.0/Dockerfile

@@ -0,0 +1,47 @@
+# syntax=docker/dockerfile:1.7
+
+# ---- build stage ----
+# Wolfi-based image with apk + shell + build toolchain. Used to install
+# Python deps into a venv and to source the sops + age binaries.
+FROM cgr.dev/chainguard/python:latest-dev@sha256:2c0fbbac86b72ebb4bfee15b64d8cd5fd6b49dfe7bb279b5c9f193198a84c1c9 AS build
+
+USER root
+
+# sops and age come from Wolfi's apk repo, signed by Chainguard. Pinned
+# transitively by the digest of the build base image.
+RUN apk add --no-cache sops age
+
+WORKDIR /app
+
+# Build a self-contained venv at /opt/venv. Copying the venv (instead of
+# pip-installing again in the runtime stage) keeps the runtime distroless.
+RUN python -m venv /opt/venv
+ENV PATH=/opt/venv/bin:$PATH
+
+COPY requirements.lock.txt .
+RUN pip install --no-cache-dir --require-hashes -r requirements.lock.txt
+
+COPY pyproject.toml .
+COPY src/ src/
+RUN pip install --no-cache-dir --no-deps .
+
+# ---- runtime stage ----
+# Distroless Wolfi Python. No shell, no apk, no package manager. Runs as
+# the built-in `nonroot` user (uid 65532) by default.
+FROM cgr.dev/chainguard/python:latest@sha256:18a4fbda8c280978b6aa5329f7acd4dbb106876e76fdc87913855ebf4876f2ff
+
+COPY --from=build /usr/bin/sops /usr/bin/sops
+COPY --from=build /usr/bin/age /usr/bin/age
+COPY --from=build /usr/bin/age-keygen /usr/bin/age-keygen
+COPY --from=build /opt/venv /opt/venv
+
+ENV PATH=/opt/venv/bin:$PATH
+ENV SOPS_MCP_TRANSPORT=sse
+ENV SOPS_MCP_HOST=0.0.0.0
+ENV SOPS_MCP_PORT=55090
+ENV SOPS_MCP_ALLOWED_HOSTS=localhost,localhost:*,127.0.0.1,127.0.0.1:*
+EXPOSE 55090
+
+# Container binds 0.0.0.0 by default, which means SOPS_MCP_API_TOKEN must be
+# set at runtime — the server refuses to start otherwise. See README.
+ENTRYPOINT ["/opt/venv/bin/sops-mcp"]

sops_mcp-0.10.0/LICENSE

@@ -0,0 +1,200 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for describing the origin of the Work and
+      reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may accept additional
+      obligations consistent with this License. However, in accepting
+      such obligations, You may act only on Your own behalf and on Your
+      sole responsibility, not on behalf of any other Contributor, and
+      only if You agree to indemnify, defend, and hold each Contributor
+      harmless for any liability incurred by, or claims asserted against,
+      such Contributor by reason of your accepting any such warranty or
+      additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Owen Russell
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.