supso-project 1.0.0__py3-none-any.whl

supso/__init__.py

@@ -0,0 +1,363 @@
+"""``supso`` — Supported Source license verification.
+
+Assert at startup that the downstream user holds a valid Supso license
+certificate for your project. Verification is **100% offline**: it checks a
+hybrid Ed25519 + ML-DSA-44 signature against Supso's baked-in public keys and
+never touches the network. The library never terminates the host process — it
+reports; the host decides.
+
+.. code-block:: python
+
+    import supso
+
+    # Hard enforcement — raises SupsoError your app decides how to act on.
+    license = supso.require_license("acme-db")
+
+    # Soft enforcement — never raises; logs a notice on grace/failure.
+    status = supso.check_license("acme-db")
+    if supso.is_licensed(status):
+        ...  # run normally
+
+Or configure once and call the no-argument forms (SPEC §9):
+
+.. code-block:: python
+
+    supso.initialize_project("acme-db", grace_period_days=30)
+    license = supso.require_license()
+    status = supso.check_license()
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+from dataclasses import dataclass, field
+from datetime import datetime, timedelta, timezone
+from typing import Optional
+
+from .certificate import GraceValidity, Located, locate
+from .errors import ErrorCode, SupsoError
+from .keys import (
+    TRUSTED_ED25519_KEYS_HEX,
+    TRUSTED_MLDSA44_KEYS_HEX,
+    IssuerKeys,
+)
+from .license import (
+    Grace,
+    License,
+    Order,
+    Organization,
+    Project,
+    Status,
+    Unlicensed,
+    Valid,
+    is_licensed,
+    license_of,
+)
+from .verify import inspect_token, verify_token_internal, verify_token_strict
+
+#: Default grace window: a lapsed certificate is honored this many days.
+DEFAULT_GRACE_PERIOD_DAYS = 21
+
+#: Logging policy for :meth:`Supso.check` (logging only — never aborts).
+Enforcement = str  # one of "silent" | "warn" | "error"
+
+
+def _now() -> datetime:
+    return datetime.now(timezone.utc)
+
+
+@dataclass
+class _Requirements:
+    min_seats: Optional[int] = None
+    tier: Optional[str] = None
+    features: list[str] = field(default_factory=list)
+    min_days_remaining: Optional[int] = None
+
+
+class Supso:
+    """A configured license check. Build with :meth:`Supso.project` (or the
+    module-level :func:`initialize_project`).
+
+    Setter methods return ``self`` so they can be chained, mirroring the Rust and
+    TypeScript builders.
+    """
+
+    def __init__(self, project: str) -> None:
+        self._project = project
+        self._enforcement: Enforcement = "warn"
+        self._grace_period_days: int = DEFAULT_GRACE_PERIOD_DAYS
+        self._certificate_path: Optional[str] = None
+        self._issuer_keys: Optional[IssuerKeys] = None
+        self._req = _Requirements()
+
+    @classmethod
+    def project(cls, name: str) -> "Supso":
+        """Start a check for ``project``. The license's product slug must equal this."""
+        return cls(name)
+
+    # ---- configuration ----
+
+    def enforcement(self, policy: Enforcement) -> "Supso":
+        self._enforcement = policy
+        return self
+
+    def grace_period_days(self, days: int) -> "Supso":
+        self._grace_period_days = days
+        return self
+
+    def certificate_path(self, path: str) -> "Supso":
+        self._certificate_path = path
+        return self
+
+    def issuer_keys(self, keys: IssuerKeys) -> "Supso":
+        self._issuer_keys = keys
+        return self
+
+    def require_seats(self, n: int) -> "Supso":
+        self._req.min_seats = n
+        return self
+
+    def require_tier(self, tier: str) -> "Supso":
+        self._req.tier = tier
+        return self
+
+    def require_feature(self, feature: str) -> "Supso":
+        self._req.features.append(feature)
+        return self
+
+    def require_days_remaining(self, days: int) -> "Supso":
+        self._req.min_days_remaining = days
+        return self
+
+    # ---- verification ----
+
+    def verify(self) -> License:
+        """Verify against the system clock, returning the license or raising."""
+        return self.verify_at(_now())
+
+    def verify_at(self, now: datetime) -> License:
+        """:meth:`verify` against a supplied clock (for tests)."""
+        located = self._locate(now)
+        self._enforce_requirements(located.license, now)
+        return located.license
+
+    def check(self) -> Status:
+        """Verify against the system clock, returning a :data:`Status` (never raises)."""
+        return self.check_at(_now())
+
+    def check_at(self, now: datetime) -> Status:
+        """:meth:`check` against a supplied clock (for tests)."""
+        status: Status
+        try:
+            located = self._locate(now)
+            try:
+                self._enforce_requirements(located.license, now)
+                if isinstance(located.validity, GraceValidity):
+                    status = Grace(
+                        license=located.license,
+                        expired_at=located.validity.expired_at,
+                        grace_until=located.validity.grace_until,
+                    )
+                else:
+                    status = Valid(license=located.license)
+            except SupsoError as e:
+                status = Unlicensed(error=e)
+        except SupsoError as e:
+            status = Unlicensed(error=e)
+        self._log(status, now)
+        return status
+
+    # ---- internals ----
+
+    def _keys(self) -> IssuerKeys:
+        return self._issuer_keys if self._issuer_keys is not None else IssuerKeys.supso()
+
+    def _locate(self, now: datetime) -> Located:
+        explicit = self._certificate_path or os.environ.get("SUPSO_LICENSE_PATH")
+        return locate(
+            explicit,
+            self._project,
+            self._keys(),
+            timedelta(days=self._grace_period_days),
+            now,
+        )
+
+    def _enforce_requirements(self, license: License, now: datetime) -> None:
+        r = self._req
+        if r.min_seats is not None:
+            have = license.seats() or 0
+            if have < r.min_seats:
+                raise SupsoError(
+                    "requirement_not_met",
+                    f"requires {r.min_seats} seats, license has {have}",
+                )
+        if r.tier is not None:
+            have_tier = license.tier() or ""
+            if have_tier != r.tier:
+                raise SupsoError(
+                    "requirement_not_met",
+                    f'requires tier "{r.tier}", license has "{have_tier}"',
+                )
+        for feature in r.features:
+            if not license.has_feature(feature):
+                raise SupsoError("requirement_not_met", f'requires feature "{feature}"')
+        if r.min_days_remaining is not None:
+            have_days = license.days_remaining(now)
+            if have_days < r.min_days_remaining:
+                raise SupsoError(
+                    "requirement_not_met",
+                    f"requires {r.min_days_remaining} days remaining, license has {have_days}",
+                )
+
+    def _log(self, status: Status, now: datetime) -> None:
+        if isinstance(status, Valid) or self._enforcement == "silent":
+            return
+        line = status_message(status, now)
+        prefix = "supso:" if self._enforcement == "warn" else "supso [error]:"
+        print(f"{prefix} {line}", file=sys.stderr)
+
+
+# ---- status messaging ----
+
+_DAY = timedelta(days=1)
+
+
+def grace_message(status: Status, now: datetime) -> Optional[str]:
+    """A renewal notice for a grace status, else ``None``."""
+    if not isinstance(status, Grace):
+        return None
+    days_ago = max(0, int((now - status.expired_at) / _DAY))
+    days_left = max(0, int((status.grace_until - now) / _DAY))
+    return (
+        f"Your {status.license.project.name} license expired {days_ago} day{_plural(days_ago)} "
+        f"ago — you're in a grace period, but it will stop being accepted in {days_left} "
+        f"day{_plural(days_left)}. Renew the license certificate to avoid an interruption."
+    )
+
+
+def status_message(status: Status, now: datetime) -> str:
+    """One line safe to print or log, whatever the status."""
+    if isinstance(status, Valid):
+        lic = status.license
+        return (
+            f"{lic.project.name} licensed to {lic.organization.name} "
+            f"(order {lic.order.id})"
+        )
+    if isinstance(status, Grace):
+        return grace_message(status, now) or "license in grace period"
+    return status.error.message
+
+
+def _plural(n: int) -> str:
+    return "" if n == 1 else "s"
+
+
+# ---- module-level convenience functions (SPEC §9) ----
+
+_configured: Optional[Supso] = None
+
+
+def initialize_project(
+    name: str,
+    *,
+    enforcement: Optional[Enforcement] = None,
+    grace_period_days: Optional[int] = None,
+    certificate_path: Optional[str] = None,
+    issuer_keys: Optional[IssuerKeys] = None,
+) -> Supso:
+    """Configure the default project for the no-argument :func:`require_license`
+    and :func:`check_license` calls, and return the configured :class:`Supso`.
+    """
+    global _configured
+    s = Supso.project(name)
+    if enforcement is not None:
+        s.enforcement(enforcement)
+    if grace_period_days is not None:
+        s.grace_period_days(grace_period_days)
+    if certificate_path is not None:
+        s.certificate_path(certificate_path)
+    if issuer_keys is not None:
+        s.issuer_keys(issuer_keys)
+    _configured = s
+    return s
+
+
+def _for(project: Optional[str]) -> Supso:
+    if project is not None:
+        return Supso.project(project)
+    if _configured is None:
+        raise SupsoError(
+            "no_certificate",
+            "no project configured — pass one or call initialize_project() first",
+        )
+    return _configured
+
+
+def require_license(project: Optional[str] = None) -> License:
+    """Verify a certificate for ``project`` against the system clock (raises).
+
+    With no argument, uses the project set by :func:`initialize_project`.
+    """
+    return _for(project).verify()
+
+
+def check_license(project: Optional[str] = None) -> Status:
+    """Verify a certificate for ``project``, returning a :data:`Status` (never raises).
+
+    With no argument, uses the project set by :func:`initialize_project`.
+    """
+    return _for(project).check()
+
+
+def verify_token(token: str, project: str) -> License:
+    """Verify a raw token for ``project`` (no on-disk search, no grace)."""
+    return verify_token_with(token, project, IssuerKeys.supso(), _now())
+
+
+def verify_token_with(
+    token: str, project: str, keys: IssuerKeys, now: datetime
+) -> License:
+    """:func:`verify_token` with a caller-supplied clock and trust anchor."""
+    return verify_token_strict(token, project, keys, now)
+
+
+def inspect(token: str) -> License:
+    """Verify a token without binding to a project, returning it even if expired."""
+    return inspect_with(token, IssuerKeys.supso(), _now())
+
+
+def inspect_with(token: str, keys: IssuerKeys, now: datetime) -> License:
+    """:func:`inspect` with a caller-supplied clock and trust anchor."""
+    return inspect_token(token, keys, now)
+
+
+__all__ = [
+    "Supso",
+    "SupsoError",
+    "ErrorCode",
+    "IssuerKeys",
+    "TRUSTED_ED25519_KEYS_HEX",
+    "TRUSTED_MLDSA44_KEYS_HEX",
+    "License",
+    "Organization",
+    "Project",
+    "Order",
+    "Status",
+    "Valid",
+    "Grace",
+    "Unlicensed",
+    "is_licensed",
+    "license_of",
+    "Enforcement",
+    "DEFAULT_GRACE_PERIOD_DAYS",
+    "initialize_project",
+    "require_license",
+    "check_license",
+    "verify_token",
+    "verify_token_with",
+    "inspect",
+    "inspect_with",
+    "grace_message",
+    "status_message",
+]

supso/certificate.py

@@ -0,0 +1,152 @@
+"""Locating and verifying license certificates on disk (SPEC §6–§7).
+
+A *certificate file* is a single token (whitespace trimmed). The search order is
+an explicit path, then ``$HOME/.supso/license_certificates/``, then
+``./.supso/license_certificates/``. A live certificate always wins; failing
+that, the most-recently-expired otherwise-valid one is honored if it lapsed
+within the grace window.
+"""
+
+from __future__ import annotations
+
+import os
+from dataclasses import dataclass
+from datetime import datetime, timedelta
+from pathlib import Path
+from typing import NamedTuple, Optional, Union
+
+from .errors import SupsoError
+from .keys import IssuerKeys
+from .license import License
+from .verify import verify_token_internal, _iso
+
+#: The subdirectory under each ``.supso/`` base that holds certificates.
+CERTIFICATE_SUBDIR = "license_certificates"
+
+
+@dataclass(frozen=True)
+class ValidValidity:
+    kind: str = "valid"
+
+
+@dataclass(frozen=True)
+class GraceValidity:
+    expired_at: datetime
+    grace_until: datetime
+    kind: str = "grace"
+
+
+Validity = Union[ValidValidity, GraceValidity]
+
+
+class Located(NamedTuple):
+    license: License
+    validity: Validity
+
+
+class _GraceCandidate(NamedTuple):
+    license: License
+    expires_at: datetime
+
+
+def locate(
+    explicit: Optional[str],
+    project: str,
+    keys: IssuerKeys,
+    grace_period: timedelta,
+    now: datetime,
+) -> Located:
+    """Locate and verify a certificate for ``project``.
+
+    When ``explicit`` is set, only that path is consulted (no fallback).
+    ``grace_period`` is the grace window.
+    """
+    tried: list[tuple[str, str]] = []
+    grace: Optional[_GraceCandidate] = None
+
+    def verify_file(path: Path) -> Optional[License]:
+        nonlocal grace
+        try:
+            raw = path.read_text(encoding="utf-8")
+        except OSError as e:
+            tried.append((str(path), f"could not read certificate: {e}"))
+            return None
+        try:
+            result = verify_token_internal(raw.strip(), project, keys, now)
+        except SupsoError as e:
+            tried.append((str(path), e.message))
+            return None
+        if not result.expired:
+            return result.license
+        expires_at = result.license.order.expires_at
+        tried.append((str(path), f"license expired at {_iso(expires_at)} (now: {_iso(now)})"))
+        if grace is None or expires_at > grace.expires_at:
+            grace = _GraceCandidate(license=result.license, expires_at=expires_at)
+        return None
+
+    def scan_dir(directory: Path) -> Optional[License]:
+        try:
+            entries = sorted(p for p in directory.iterdir() if not p.name.startswith("."))
+        except OSError:
+            return None
+        for path in entries:
+            if not path.is_file():
+                continue
+            lic = verify_file(path)
+            if lic is not None:
+                return lic
+        return None
+
+    found: Optional[License] = None
+    if explicit is not None:
+        ep = Path(explicit)
+        if not ep.exists():
+            raise SupsoError(
+                "no_certificate", f"no license certificate found (searched: {explicit})"
+            )
+        found = scan_dir(ep) if ep.is_dir() else verify_file(ep)
+        searched = [explicit]
+    else:
+        searched = _default_dirs()
+        for directory in searched:
+            found = scan_dir(Path(directory))
+            if found is not None:
+                break
+
+    return _finalize(found, grace, tried, searched, grace_period, now)
+
+
+def _finalize(
+    found: Optional[License],
+    grace: Optional[_GraceCandidate],
+    tried: list[tuple[str, str]],
+    searched: list[str],
+    grace_period: timedelta,
+    now: datetime,
+) -> Located:
+    if found is not None:
+        return Located(license=found, validity=ValidValidity())
+    if grace is not None:
+        grace_until = grace.expires_at + grace_period
+        if now <= grace_until:
+            return Located(
+                license=grace.license,
+                validity=GraceValidity(expired_at=grace.expires_at, grace_until=grace_until),
+            )
+    if not tried:
+        raise SupsoError(
+            "no_certificate",
+            f"no license certificate found (searched: {', '.join(searched)})",
+        )
+    detail = "; ".join(f"{p}: {why}" for p, why in tried)
+    raise SupsoError("none_valid", f"no valid license certificate ({len(tried)} tried): {detail}")
+
+
+def _default_dirs() -> list[str]:
+    """Per-user ``$HOME`` first, then the project-local ``./.supso``."""
+    dirs: list[str] = []
+    home = os.environ.get("HOME") or os.environ.get("USERPROFILE")
+    if home:
+        dirs.append(str(Path(home) / ".supso" / CERTIFICATE_SUBDIR))
+    dirs.append(str(Path(".supso") / CERTIFICATE_SUBDIR))
+    return dirs

supso/errors.py

@@ -0,0 +1,45 @@
+"""The single error type the API raises, tagged with the canonical error
+``code`` from the cross-language spec (``spec/SPEC.md`` §4).
+
+Hosts switch on ``code`` to render an actionable message — ``"expired"`` reads
+differently from ``"wrong_project"`` reads differently from ``"no_certificate"``.
+"""
+
+from __future__ import annotations
+
+from typing import Literal
+
+#: Canonical error names shared by every implementation (SPEC §4).
+ErrorCode = Literal[
+    "malformed",
+    "base64",
+    "bad_ed25519_signature",
+    "bad_mldsa_signature",
+    "invalid_json",
+    "unsupported_schema",
+    "bad_timestamp",
+    "expired",
+    "wrong_project",
+    "requirement_not_met",
+    "no_certificate",
+    "none_valid",
+    "bad_trusted_key",
+]
+
+
+class SupsoError(Exception):
+    """Why a license could not be accepted.
+
+    Carries the canonical :data:`ErrorCode` in :attr:`code` so callers can
+    branch on the reason without parsing the human-readable message.
+    """
+
+    code: ErrorCode
+
+    def __init__(self, code: ErrorCode, message: str) -> None:
+        super().__init__(message)
+        self.code = code
+        self.message = message
+
+    def __str__(self) -> str:  # pragma: no cover - trivial
+        return self.message

supso/keys.py

@@ -0,0 +1,69 @@
+"""Trusted issuer keys — Supso's production anchor, baked into the published
+package so a downstream user cannot substitute their own.
+
+Each scheme is a list so a key can be rotated (ship a release with old + new,
+re-issue, then drop the old entry). Mirrors the Rust crate's ``keys.rs`` and the
+TypeScript package's ``keys.ts``.
+"""
+
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+
+from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
+
+from .errors import SupsoError
+
+#: Supso's production Ed25519 public keys, 64-char lowercase hex (32 bytes).
+TRUSTED_ED25519_KEYS_HEX: tuple[str, ...] = (
+    "b1ef6d78434daaf5dae5e3df7996a3edc155198c71c92b91f539ce2fe649e9d4",
+)
+
+#: Supso's production ML-DSA-44 public keys, 2624-char lowercase hex (1312 bytes).
+TRUSTED_MLDSA44_KEYS_HEX: tuple[str, ...] = (
+    "1be0e29d77a9998bb7661228a79e1d8118aa9ad88535720563d1aef9b8abc0d3d037cd984f3f652fc5512c935593dcd9f470540e125f0e9bcdc17c0bad721386bb3e3cd28cf895cbd0168cfcaee5131e581e2916abc7a1c25022f016c81781d16cd8b4cd8c36a7ced2a1753e4c01f69a05e9acb6f1926867a028f0a5ae6c1f22873c3df3d562f2ec844d422c8c68b2deba9257a13013bd009a227d7c40a3aa81129b6ed1f950a0cf75f3cfb9fc0e405d7fc929ecc9bf59dc566b075b3b80ad914fd150749b9022638e99a7d64b68ff82e295609dc2f6bd291463c417a1e69e7e145164fb3787c5bc90fe1dc4268bbd4d4e44c13d50120cf161466fbb53ea2a5f724ace3afef42eeeb0d631ad2b815b5442caddb509ed9d1cc8ab79ba4042fa168245d1446294677503eed33410a979a0646da3393e7c2a6e450c63c55ecc5bd92771ef7b278b3cef2d80fa306733fb2ecee4b2f4bb07c3b14ad29da4607b97e04cfefb76258000185c6d795ff91e9af4a0acf54a25ddbf14814540461474d67d6b9503d7e07e97907ef483593f97b9d039c4e548b25917d722c1c3e5ae7f81a1c232faf5a6978641230408cc01d70724f64e150836388dcadf60ae5be134ab5413228e5ab13402aa4331d144b586e1cb05d7a4034a9a5f71513d6029615197212b4a68684d05fedfe92bb05f24eccb6a9be9c1fa1003ba106718db9d39d4a08c5b6ae014d0086a957ed033e74af13d9a94d549524316d6aa544487eab716878a4a07ca3285724af050fccc8c3f8c3c82e2cd271133ca9562e71238e23baca5ec297ff50ebee8b2461607054d8f18d60b012b6eee2240adfa38b05f10ca679c271922907819974b5481d0aa7cab37c215123a6b6d7067856dfc475a8c2e3e54b658deb0709c8cb77b0a8508519d44b784f7584966d978d65b78e11e059c1e4b5441fd1625af92b2d647c5f0805343243b2225882b3c9beda4c1102aff1c084dac105da2d37813881fad33a860cc655bb45fac59d73ac2d92fb4fde59cbf10bdd07541e605d008467ea4c20e0c2796683499b19adb394dea4c8260c7438fb9efe2db2d65b9f7f4f2a8068a1010f70b7b2ae83c92dac6af023fe7f41eccba36d702b1bd73c88147f3ebc4f9e5416573321567b224a255e3edaf6afce2bce7b1d33955bb3288bf1da61709488c84e9321385e6ac71d120b752698f60eed6f1e75b12c04b30f998450cedecf91c6e611e7f23d5ca1252f89b699196f726931078f7e93d5a81b32613f7fe42563b907dae17822757bd66a0b1d3aecce3b5a01d317f085322c2df01cea971b0e3b58ec7cd80d681dafbc6ed2eeadcef36e8168336aa8954fd1cf6426702679d8e3f57a8e0b9cda12dd0ccf0aeb5a6f84ac5e2e0d4e43093063f1b8e1103359bc92d5a1891d8e34ec44a97469941d5b2665c5cfb910019840a8b8efd7e59e3bb727dbd09d3d68cf9b4f4c42687b762da645233bfb55b5fa523eca0241e4a6649e12aa41b5d52a2a6cdd043e1bcd500c6c99ba7fe33bd39a5f380be88c14ebaf01c24034b4b57b04a290336240ee06c0feaa495aee10f15006cff5750061bc93091660dd945efda00ddbd50cff8f69b85c18493ae21f70e1d9b29c6b90457177f9313764d505738b5474550b1e6969fac1aac7a3f25b6bef5d0be43eab4b464a8a86be08417935a8f5d097cc237a0f57e4330c18ef54d376e42a2b8d17a1c3e18a6a84c123cff67ea4f2e86284a34862f81c0c65cf79cb5c972de88a98e5c0ce89530739729610b39ac1f03f5158e26b81e364219ead057d43b222bbd93c39d3507c127ca78a7c6a85511ba92195b125f8ff70cb2d5c7b2",
+)
+
+_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
+_ED25519_KEY_LEN = 32
+_MLDSA44_KEY_LEN = 1312
+
+
+@dataclass(frozen=True)
+class IssuerKeys:
+    """A set of trusted issuer verifying keys, one list per scheme.
+
+    A token is accepted iff its signature verifies under **at least one** key in
+    each list (SPEC §4 "Key rotation").
+    """
+
+    #: Parsed Ed25519 public keys.
+    ed25519: tuple[Ed25519PublicKey, ...]
+    #: Raw ML-DSA-44 public-key bytes (1312 each), passed to the verifier as-is.
+    mldsa44: tuple[bytes, ...]
+
+    @classmethod
+    def from_hex(
+        cls,
+        ed25519_hex: "list[str] | tuple[str, ...]",
+        mldsa44_hex: "list[str] | tuple[str, ...]",
+    ) -> "IssuerKeys":
+        """Build a trust anchor from hex key lists (self-hosting issuers and tests)."""
+        ed = tuple(
+            Ed25519PublicKey.from_public_bytes(_decode_key(h, _ED25519_KEY_LEN, "Ed25519"))
+            for h in ed25519_hex
+        )
+        pq = tuple(_decode_key(h, _MLDSA44_KEY_LEN, "ML-DSA-44") for h in mldsa44_hex)
+        return cls(ed25519=ed, mldsa44=pq)
+
+    @classmethod
+    def supso(cls) -> "IssuerKeys":
+        """The baked-in Supso production anchor."""
+        return cls.from_hex(TRUSTED_ED25519_KEYS_HEX, TRUSTED_MLDSA44_KEYS_HEX)
+
+
+def _decode_key(hex_str: str, byte_len: int, scheme: str) -> bytes:
+    if len(hex_str) != byte_len * 2 or not _HEX_RE.match(hex_str):
+        raise SupsoError("bad_trusted_key", f"{scheme} key hex is malformed")
+    return bytes.fromhex(hex_str)

supso/license.py

@@ -0,0 +1,128 @@
+"""The data a verified license carries, and the outcome types the API returns."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from datetime import datetime
+from typing import Any, Mapping, Optional, Union
+
+from .errors import SupsoError
+
+_DAY_SECONDS = 86_400
+
+
+@dataclass(frozen=True)
+class Organization:
+    """The buyer the license was issued to."""
+
+    id: str
+    name: str
+
+
+@dataclass(frozen=True)
+class Project:
+    """The product the license is for, read from ``metadata.project``.
+
+    Verification requires :attr:`slug` to equal the project slug the maintainer
+    asked about.
+    """
+
+    id: str
+    #: The stable, URL-safe handle a maintainer integrates against (e.g. ``"acme-db"``).
+    slug: str
+    #: Human-readable display name.
+    name: str
+
+
+@dataclass(frozen=True)
+class Order:
+    """The order behind the license and when it lapses."""
+
+    id: str
+    #: Expiry as a timezone-aware UTC :class:`~datetime.datetime`.
+    expires_at: datetime
+
+
+@dataclass(frozen=True)
+class License:
+    """A successfully-verified license."""
+
+    organization: Organization
+    project: Project
+    order: Order
+    #: Issuer-attached metadata: ``seats``, ``tier``, ``features``, …
+    metadata: Mapping[str, Any] = field(default_factory=dict)
+
+    def seats(self) -> Optional[int]:
+        """``metadata.seats`` as an integer, if present."""
+        s = self.metadata.get("seats")
+        # bool is a subclass of int — exclude it.
+        if isinstance(s, int) and not isinstance(s, bool):
+            return s
+        return None
+
+    def tier(self) -> Optional[str]:
+        """``metadata.tier`` as a string, if present."""
+        t = self.metadata.get("tier")
+        return t if isinstance(t, str) else None
+
+    def features(self) -> list[str]:
+        """``metadata.features`` as a list of strings (empty if absent)."""
+        f = self.metadata.get("features")
+        if isinstance(f, list):
+            return [x for x in f if isinstance(x, str)]
+        return []
+
+    def has_feature(self, feature: str) -> bool:
+        """Whether ``metadata.features`` contains ``feature``."""
+        return feature in self.features()
+
+    def days_remaining(self, now: datetime) -> int:
+        """Whole days from ``now`` until expiry (negative once expired)."""
+        delta = self.order.expires_at - now
+        secs = delta.total_seconds()
+        # Truncate toward zero, matching the Rust/TS implementations.
+        return int(secs / _DAY_SECONDS)
+
+
+# ---- Status: the outcome of the non-raising `check` call ----
+
+
+@dataclass(frozen=True)
+class Valid:
+    """A live, fully-valid license."""
+
+    license: License
+    kind: str = "valid"
+
+
+@dataclass(frozen=True)
+class Grace:
+    """A lapsed license still honored within the grace window (SPEC §7)."""
+
+    license: License
+    expired_at: datetime
+    grace_until: datetime
+    kind: str = "grace"
+
+
+@dataclass(frozen=True)
+class Unlicensed:
+    """No acceptable license was found; :attr:`error` says why."""
+
+    error: SupsoError
+    kind: str = "unlicensed"
+
+
+#: The outcome of a non-raising :meth:`Supso.check`.
+Status = Union[Valid, Grace, Unlicensed]
+
+
+def is_licensed(status: Status) -> bool:
+    """``True`` for ``valid`` or ``grace``."""
+    return status.kind in ("valid", "grace")
+
+
+def license_of(status: Status) -> Optional[License]:
+    """The verified license for ``valid``/``grace``, else ``None``."""
+    return None if isinstance(status, Unlicensed) else status.license

supso/verify.py

@@ -0,0 +1,259 @@
+"""Token verification: the hybrid signature + payload pipeline (SPEC §4–§5).
+
+A token is three URL-safe-base64 segments joined by ``.``::
+
+    base64url(payload_json) . base64url(ed25519_sig) . base64url(mldsa44_sig)
+
+Both signatures cover the *encoded* payload bytes (the first segment as ASCII),
+so the verifier never canonicalizes JSON. Acceptance requires **both**
+signatures to verify — "hybrid" is AND, not OR.
+"""
+
+from __future__ import annotations
+
+import base64
+import binascii
+import json
+import re
+from datetime import datetime, timezone
+from typing import Any, NamedTuple, Optional
+
+from cryptography.exceptions import InvalidSignature
+from dilithium_py.ml_dsa import ML_DSA_44
+
+from .errors import SupsoError
+from .keys import IssuerKeys
+from .license import License, Order, Organization, Project
+
+SCHEMA_VERSION = 1
+_ED25519_SIG_LEN = 64
+_MLDSA44_SIG_LEN = 2420
+
+
+class Verified(NamedTuple):
+    """A token that passed every check except, possibly, expiry."""
+
+    license: License
+    expired: bool
+
+
+def verify_token_internal(
+    token: str,
+    expected_project: Optional[str],
+    keys: IssuerKeys,
+    now: datetime,
+) -> Verified:
+    """Verify a token's signatures and payload against ``keys``.
+
+    When ``expected_project`` is not ``None``, the payload's project slug must
+    equal it. Expiry is reported via :attr:`Verified.expired` rather than raised,
+    so the certificate search can recover a lapsed license for the grace window.
+    """
+    segments = token.split(".")
+    if len(segments) != 3:
+        raise SupsoError("malformed", "token must split into exactly three segments")
+    payload_b64, ed_sig_b64, pq_sig_b64 = segments
+    if not payload_b64 or not ed_sig_b64 or not pq_sig_b64:
+        raise SupsoError("malformed", "token has an empty segment")
+
+    signed_msg = payload_b64.encode("ascii")
+
+    # ---- Ed25519 ----
+    ed_sig = _decode_segment(ed_sig_b64)
+    if len(ed_sig) != _ED25519_SIG_LEN:
+        raise SupsoError("malformed", "Ed25519 signature is not 64 bytes")
+    if not any(_safe_verify_ed(pk, ed_sig, signed_msg) for pk in keys.ed25519):
+        raise SupsoError("bad_ed25519_signature", "Ed25519 signature is invalid")
+
+    # ---- ML-DSA-44 ----
+    pq_sig = _decode_segment(pq_sig_b64)
+    if len(pq_sig) != _MLDSA44_SIG_LEN:
+        raise SupsoError("malformed", "ML-DSA-44 signature is the wrong length")
+    if not any(_safe_verify_pq(pk, signed_msg, pq_sig) for pk in keys.mldsa44):
+        raise SupsoError("bad_mldsa_signature", "ML-DSA-44 signature is invalid")
+
+    # ---- payload ----
+    payload = _parse_payload(_decode_segment(payload_b64))
+    if payload["v"] != SCHEMA_VERSION:
+        raise SupsoError(
+            "unsupported_schema", f"license schema version {payload['v']} is not supported"
+        )
+
+    project = _read_project(payload)
+    if expected_project is not None and project.slug != expected_project:
+        found = project.slug or "<none>"
+        raise SupsoError(
+            "wrong_project",
+            f'license is not for project "{expected_project}" (found "{found}")',
+        )
+
+    expires_at = _parse_expiry(payload["order"]["expires_at"])
+    organization = Organization(
+        id=payload["organization"]["id"], name=payload["organization"]["name"]
+    )
+    order = Order(id=payload["order"]["id"], expires_at=expires_at)
+    license = License(
+        organization=organization,
+        project=project,
+        order=order,
+        metadata=payload["metadata"] or {},
+    )
+    return Verified(license=license, expired=expires_at <= now)
+
+
+def verify_token_strict(
+    token: str, expected_project: str, keys: IssuerKeys, now: datetime
+) -> License:
+    """Verify a token, collapsing expiry to a raised ``expired`` error (no grace)."""
+    result = verify_token_internal(token, expected_project, keys, now)
+    if result.expired:
+        raise SupsoError(
+            "expired",
+            f"license expired at {_iso(result.license.order.expires_at)} (now: {_iso(now)})",
+        )
+    return result.license
+
+
+def inspect_token(token: str, keys: IssuerKeys, now: datetime) -> License:
+    """Verify signatures, schema, and timestamp **without** binding to a project,
+    returning the license even if expired. For tooling that enumerates
+    certificates and reads the project from the payload. A forged token raises.
+    """
+    return verify_token_internal(token, None, keys, now).license
+
+
+# ---- payload parsing ----
+
+
+def _parse_payload(raw_bytes: bytes) -> dict[str, Any]:
+    try:
+        obj = json.loads(raw_bytes.decode("utf-8"))
+    except (ValueError, UnicodeDecodeError):
+        raise SupsoError("invalid_json", "license payload is not valid JSON")
+    if not isinstance(obj, dict):
+        raise SupsoError("invalid_json", "license payload is not an object")
+    v = obj.get("v")
+    if not isinstance(v, int) or isinstance(v, bool):
+        raise SupsoError("invalid_json", "license payload is missing `v`")
+    organization = _require_object(obj.get("organization"), "organization")
+    order = _require_object(obj.get("order"), "order")
+    metadata = obj.get("metadata")
+    return {
+        "v": v,
+        "organization": {
+            "id": _require_string(organization.get("id"), "organization.id"),
+            "name": _require_string(organization.get("name"), "organization.name"),
+        },
+        "order": {
+            "id": _require_string(order.get("id"), "order.id"),
+            "expires_at": _require_string(order.get("expires_at"), "order.expires_at"),
+        },
+        "metadata": metadata if isinstance(metadata, dict) else None,
+    }
+
+
+def _read_project(payload: dict[str, Any]) -> Project:
+    """The product binding lives at ``metadata.project``; missing fields default to ``""``."""
+    metadata = payload.get("metadata")
+    proj = metadata.get("project") if isinstance(metadata, dict) else None
+
+    def field(key: str) -> str:
+        if isinstance(proj, dict):
+            v = proj.get(key)
+            if isinstance(v, str):
+                return v
+        return ""
+
+    return Project(id=field("id"), slug=field("slug"), name=field("name"))
+
+
+def _require_object(value: Any, field: str) -> dict[str, Any]:
+    if not isinstance(value, dict):
+        raise SupsoError("invalid_json", f"license payload is missing `{field}`")
+    return value
+
+
+def _require_string(value: Any, field: str) -> str:
+    if not isinstance(value, str):
+        raise SupsoError(
+            "invalid_json", f"license payload field `{field}` is missing or not a string"
+        )
+    return value
+
+
+# ---- expiry parsing (SPEC §5) ----
+
+_DATE_ONLY = re.compile(r"^\d{4}-\d{2}-\d{2}$")
+_RFC3339 = re.compile(
+    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
+)
+
+
+def _parse_expiry(s: str) -> datetime:
+    """Parse ``order.expires_at``. A full RFC 3339 timestamp is used verbatim; a
+    bare ``YYYY-MM-DD`` date expires at the **end** of that day (``23:59:59Z``).
+    """
+    if _DATE_ONLY.match(s):
+        return _parse_iso(f"{s}T23:59:59Z", s)
+    if _RFC3339.match(s):
+        return _parse_iso(s, s)
+    raise SupsoError("bad_timestamp", f"`order.expires_at` is not a valid timestamp: {s}")
+
+
+def _parse_iso(value: str, original: str) -> datetime:
+    normalized = value[:-1] + "+00:00" if value.endswith("Z") else value
+    try:
+        dt = datetime.fromisoformat(normalized)
+    except ValueError:
+        raise SupsoError(
+            "bad_timestamp", f"`order.expires_at` is not a valid timestamp: {original}"
+        )
+    if dt.tzinfo is None:
+        dt = dt.replace(tzinfo=timezone.utc)
+    return dt.astimezone(timezone.utc)
+
+
+def _iso(dt: datetime) -> str:
+    return dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
+
+
+# ---- base64 + signatures ----
+
+_B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")
+
+
+def _decode_segment(s: str) -> bytes:
+    """Strict URL-safe base64 (no padding) decode; raises ``base64`` on bad input."""
+    if not _B64URL_RE.match(s):
+        raise SupsoError("base64", "segment is not valid url-safe base64")
+    if len(s) % 4 == 1:
+        raise SupsoError("base64", "invalid base64 length")
+    padded = s + "=" * (-len(s) % 4)
+    try:
+        return base64.urlsafe_b64decode(padded)
+    except (ValueError, binascii.Error):
+        raise SupsoError("base64", "segment is not valid url-safe base64")
+
+
+def _safe_verify_ed(pk, sig: bytes, msg: bytes) -> bool:
+    try:
+        pk.verify(sig, msg)
+        return True
+    except InvalidSignature:
+        return False
+
+
+def _safe_verify_pq(pk: bytes, msg: bytes, sig: bytes) -> bool:
+    try:
+        return bool(ML_DSA_44.verify(pk, msg, sig))
+    except Exception:  # noqa: BLE001 - a malformed key/sig is just "does not verify"
+        return False
+
+
+__all__ = [
+    "Verified",
+    "verify_token_internal",
+    "verify_token_strict",
+    "inspect_token",
+    "SCHEMA_VERSION",
+]

supso_project-1.0.0.dist-info/METADATA

@@ -0,0 +1,110 @@
+Metadata-Version: 2.4
+Name: supso-project
+Version: 1.0.0
+Summary: Offline hybrid (Ed25519 + ML-DSA-44) software-license verification for project maintainers — Supported Source.
+Project-URL: Homepage, https://supso.org
+Project-URL: Repository, https://github.com/SupsoOrg/supso-project-python
+Author: Supso
+License-Expression: Apache-2.0
+License-File: LICENSE-APACHE
+Keywords: ed25519,license,licensing,ml-dsa,supported-source,verification
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Software Development :: Libraries
+Requires-Python: >=3.10
+Requires-Dist: cryptography>=42
+Requires-Dist: dilithium-py>=1.1
+Provides-Extra: dev
+Requires-Dist: pytest>=8; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# supso (Python)
+
+Supported Source license checks for your project, from [Supported Source](https://supso.org).
+
+Use this library to enforce licensing, so you'll know who is using your project, and can
+be sure they're paying for your paid licenses. It's just one call at startup to confirm 
+the code running your software holds a valid license. The check is 100% offline, so there's
+no network, no license server to run, nothing phoning home. 
+
+```python
+import supso
+
+license = supso.require_license("acme-db")  # raises if unlicensed
+print(f"licensed to {license.organization.name}, {license.seats()} seats")
+```
+
+## Install
+
+```sh
+pip install supso-project
+```
+
+The package imports as `supso`:
+
+```python
+import supso
+```
+
+## Usage
+
+### Hard enforcement (raises when missing license)
+
+This is what we suggest you do.
+
+```python
+import supso
+supso.require_license("acme-db")
+```
+
+### Soft enforcement (does not raise errors)
+
+If you would like to handle it yourself, use `is_licensed` and then write your own logic.
+
+```python
+import supso
+
+status = supso.check_license("acme-db")  # logs a notice on grace/failure
+if supso.is_licensed(status):
+    ...  # valid or within grace — run normally
+```
+
+`status` is one of `supso.Valid`, `supso.Grace`, or `supso.Unlicensed`
+(distinguish via `status.kind` or `isinstance`).
+
+## Where licenses are found
+
+When you don't pass a token, the library looks for a `*.cert` file (each holding
+one license) in this order:
+
+1. an explicit path — the `certificate_path(...)` option or the
+   `SUPSO_LICENSE_PATH` environment variable (authoritative; no fallback);
+2. `~/.supso/license_certificates/`;
+3. `./.supso/license_certificates/`.
+
+A current license always wins. If none is current but one lapsed recently, it is
+honored as `Grace` (default window 21 days) so your app keeps running while you
+prompt the user to renew.
+
+## Errors
+
+Every failure is a `supso.SupsoError` carrying a stable `code` so you can branch
+on the reason: `malformed`, `base64`, `bad_ed25519_signature`,
+`bad_mldsa_signature`, `invalid_json`, `unsupported_schema`, `bad_timestamp`,
+`expired`, `wrong_project`, `requirement_not_met`, `no_certificate`,
+`none_valid`, `bad_trusted_key`.
+
+## Development
+
+```sh
+uv venv && source .venv/bin/activate
+uv pip install -e ".[dev]"
+pytest
+```
+
+## License
+
+Apache-2.0. See [`LICENSE-APACHE`](./LICENSE-APACHE).

supso_project-1.0.0.dist-info/RECORD

@@ -0,0 +1,10 @@
+supso/__init__.py,sha256=hVeXsSu5d9z8FasLz40Vx2EuGA-NAvF-XGpiNULJ5hs,11473
+supso/certificate.py,sha256=ikVXzuhlTNEGyOiFeb_umarg9tBXVAmA7fw8dB49ufI,4773
+supso/errors.py,sha256=Q11mNoxoRqTkdTk05hcD8qJFBSfqm1sobdz6WF9xfgw,1231
+supso/keys.py,sha256=NGBZjMvzfe5b2zacOT4f2sESF43Mjb9bCbrH8mEBQBw,4994
+supso/license.py,sha256=mbVEV-4KgzheZ4PJEW7-jSwvMF7gdUqlkCdSAmRRCZE,3494
+supso/verify.py,sha256=F5NqI-EHO7oKo36-VUGCc3_9DtGdOO2CbrygHcptZTc,8857
+supso_project-1.0.0.dist-info/METADATA,sha256=pShxOIVKmb6_2N4qZ1bz4UOsgwmwNbzf3Cho8FAXJoA,3310
+supso_project-1.0.0.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+supso_project-1.0.0.dist-info/licenses/LICENSE-APACHE,sha256=cPAdFxSCLIUZOWiFTbholiTAUYq-o-31y_n6qNrXvOQ,11335
+supso_project-1.0.0.dist-info/RECORD,,

supso_project-1.0.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.30.1
+Root-Is-Purelib: true
+Tag: py3-none-any

supso_project-1.0.0.dist-info/licenses/LICENSE-APACHE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or Derivative
+          Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work, excluding
+          those notices that do not pertain to any part of the Derivative
+          Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and do
+          not modify the License. You may add Your own attribution notices
+          within Derivative Works that You distribute, alongside or as an
+          addendum to the NOTICE text from the Work, provided that such
+          additional attribution notices cannot be construed as modifying
+          the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Supso
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.