Update 6.2.7 to match 6.1.1 and 5.1.8 (#296)

Let's have our cross-references use the same language.

.github/workflows/lint.yml

@@ -0,0 +1,19 @@
+name: Lint CP/CPS
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '**'
+jobs:
+  lint:
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+      - name: Run linter
+        working-directory: ./tools/lint
+        run: go run . ../../CP-CPS.md

.github/workflows/pr_tools.yml

@@ -0,0 +1,38 @@
+name: Test Tools
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '**'
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: [3.8, 3.12.3]
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install flake8
+          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+      - name: Lint with flake8
+        run: |
+          # stop the build if there are Python syntax errors or undefined names
+          flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
+          # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
+          flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+      - name: Test no-stipulations
+        working-directory: ./tools/no-stipulations/
+        run: |
+          python3 -m unittest *_test.py

.gitignore

@@ -0,0 +1,4 @@
+__pycache__
+.vscode
+*.pyc
+.DS_Store

CODEOWNERS

@@ -0,0 +1 @@
+* @letsencrypt/pma

GUIDELINES.md

@@ -1,25 +0,0 @@
-# This document contains some guidelines for editing ISRG CP and CPS documents.
-
-## CP
-
-Our CP is a copy of the Baseline Requirements (BRs) with the following changes:
-
-1. Change anything that is obviously necessary, including much of the content in Sections 1.1 and 1.2.
-
-2. Stucture should follow the structure suggested in RFC 3647 Section 6. Casing of section labels should match RFC 3647 casing. Where there is a difference between the BR structure and RFC 3647 suggested structures, use RFC 3647.
-
-Note that any RFC 3647 section is allowed to contain sub-sections that are not defined in RFC 3647, so additional sub-sections in the BRs should be copied.
-
-An example of a conflict between RFC 3647 and the BR structure is the title of Section 3.2.2. The BRs call it "Authentication of Organization and Domain Identity" but RFC 3647 calls it "Authentication of organization identity". We must use the RFC 3647 section name.
-
-3. Section names for any validation methods we don't use under Sections 3.2.2.4 and 3.2.2.5 should be [Reserved] with "No stipulation." as the content. We do not include information for validation methods we don't use so as to not introduce confusion.
-
-4. No sections can be left blank. If there is a blank section in the BRs say "No stipulation." to indicate that our CP will not impose additional requirements.
-
-5. Section 9, legal, is designed and reviewed by ISRG attorneys.
-
-## CPS
-
-The CPS should have the same structure at the CP, but contain more detailed information.
-
-Section 9, legal, is designed and reviewed by ISRG attorneys.

README.md

@@ -1,7 +1,7 @@
-# ISRG CP and CPS Documents (DRAFT)
+# ISRG CP and CPS Document (DRAFT)
 
-This repository contains Certificate Policy (CP) and Certification Practice Statement (CPS) documents for ISRG / Let's Encrypt.
+This repository contains the combined Certificate Policy (CP) and Certification Practice Statement (CPS) document for ISRG / Let's Encrypt.
 
-This is where we work on our CP and CPS documents, but no revision becomes official until it's posted here:
+This is where we work on our CP/CPS document, but no revision becomes official until it's posted here:
 
-[https://letsencrypt.org/repository/](https://letsencrypt.org/repository/)
+<https://letsencrypt.org/repository/>

markdown-it-w-anchors.js

@@ -0,0 +1,117 @@
+#!/usr/bin/env node
+/*eslint no-console:0*/
+
+// This is a copy of the markdown-it program modified to use the
+// markdown-it-anchor extension.
+
+'use strict';
+
+
+var fs = require('fs');
+var argparse = require('argparse');
+
+
+////////////////////////////////////////////////////////////////////////////////
+
+var cli = new argparse.ArgumentParser({
+  prog: 'markdown-it',
+  add_help: true
+});
+
+cli.add_argument('--no-html', {
+  help:   'Disable embedded HTML',
+  action: 'store_true'
+});
+
+cli.add_argument('-l', '--linkify', {
+  help:   'Autolink text',
+  action: 'store_true'
+});
+
+cli.add_argument('-t', '--typographer', {
+  help:   'Enable smartquotes and other typographic replacements',
+  action: 'store_true'
+});
+
+cli.add_argument('--trace', {
+  help:   'Show stack trace on error',
+  action: 'store_true'
+});
+
+cli.add_argument('file', {
+  help: 'File to read',
+  nargs: '?',
+  default: '-'
+});
+
+cli.add_argument('-o', '--output', {
+  help: 'File to write',
+  default: '-'
+});
+
+var options = cli.parse_args();
+
+
+function readFile(filename, encoding, callback) {
+  if (options.file === '-') {
+    // read from stdin
+    var chunks = [];
+
+    process.stdin.on('data', function (chunk) { chunks.push(chunk); });
+
+    process.stdin.on('end', function () {
+      return callback(null, Buffer.concat(chunks).toString(encoding));
+    });
+  } else {
+    fs.readFile(filename, encoding, callback);
+  }
+}
+
+
+////////////////////////////////////////////////////////////////////////////////
+
+readFile(options.file, 'utf8', function (err, input) {
+  var output, md;
+
+  if (err) {
+    if (err.code === 'ENOENT') {
+      console.error('File not found: ' + options.file);
+      process.exit(2);
+    }
+
+    console.error(
+      options.trace && err.stack ||
+      err.message ||
+      String(err));
+
+    process.exit(1);
+  }
+
+  md = require('markdown-it')({
+    html: !options.no_html,
+    xhtmlOut: false,
+    typographer: options.typographer,
+    linkify: options.linkify
+  });
+
+  md.use(require('markdown-it-anchor'));
+
+  try {
+    output = md.render(input);
+
+  } catch (e) {
+    console.error(
+      options.trace && e.stack ||
+      e.message ||
+      String(e));
+
+    process.exit(1);
+  }
+
+  if (options.output === '-') {
+    // write to stdout
+    process.stdout.write(output);
+  } else {
+    fs.writeFileSync(options.output, output);
+  }
+});

tools/lint/README.md

@@ -0,0 +1,61 @@
+# CP/CPS Linter
+
+This tool performs a variety of simple checks on the CP/CPS to ensure that it
+is in compliance with the Baseline Requirements. It is superficial: a clean
+lint check is a necessary but not sufficient condition for full compliance.
+
+Usage:
+
+```sh
+$ go run . /path/to/cps.md
+heading "### 3.1.3 Anonymity or pseudonymity of subscribers" found out-of-order on line 199
+heading "### 4.4.2 Publication of the certificate by the CA" not found
+empty section found at line 71
+empty section found at line 272
+exit status 1
+```
+
+This tool is used by GitHub Actions to check every PR against this repo.
+
+## Checks
+
+The linter looks for compliance with Ballot SC-074, which added the following
+text to the Baseline Requirements, Section 2.2:
+
+> the Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with section 6 of RFC 3647 and MUST:
+>
+> * include at least every section and subsection defined in section 6 of RFC 3647;
+> * only use the words "No Stipulation" to mean that the particular document imposes no requirements related to that section; and
+> * contain no sections that are blank and have no subsections.
+
+### RFC 3647 Outline
+
+A significant portion of this linter's work is confirming that the structure of
+the CP/CPS matches the outline laid out in [RFC 3647, Section
+6](https://datatracker.ietf.org/doc/html/rfc3647#section-6). This outline is
+reproduced in [outline.txt](outline.txt), which was produced using the following
+procedure:
+
+1. Copy-paste the whole of Section 6 into a plaintext document.
+2. Remove the leading text, and the page headers and footers.
+3. Unwrap all section titles which were broken onto multiple lines.
+4. Replace all sequences of more than one space (`  `) with a single space.
+5. Remove the `(11)` footnote indicator which follows some entries.
+6. Prepend each line with a number of `#` equal to its section depth.
+
+The lint tool then ensures that every line in this file appears in the CP/CPS,
+exactly as written, in order.
+
+### No Empty Sections
+
+The linter also looks for any places where two section header lines separated
+only by whitespace have the same or decreasing section depth (e.g. "1.2.3"
+followed by "1.3"), indicating that the first of the two sections has no
+content.
+
+### Use of "No Stipulation"
+
+This linter does **not** check whether the phrase "No Stipulation" has been used
+to mean anything other than that "that the particular document imposes no
+requirements related to that section", since doing so is a semantic (not
+syntactic) matter.

tools/lint/go.mod

@@ -0,0 +1,3 @@
+module github.com/letsencrypt/cp-cps/tools/lint
+
+go 1.22.2

tools/lint/main.go

@@ -0,0 +1,115 @@
+package main
+
+import (
+	"bufio"
+	_ "embed"
+	"fmt"
+	"os"
+	"slices"
+	"strings"
+)
+
+//go:embed outline.txt
+var outline string
+
+func main() {
+	if len(os.Args) < 2 {
+		fmt.Fprintln(os.Stderr, "must provide path to document to check")
+		os.Exit(1)
+	}
+
+	file, err := os.Open(os.Args[1])
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "opening document:", err)
+		os.Exit(1)
+	}
+	defer file.Close()
+	scanner := bufio.NewScanner(file)
+
+	var lines []string
+	for scanner.Scan() {
+		lines = append(lines, scanner.Text())
+	}
+	if err := scanner.Err(); err != nil {
+		fmt.Fprintln(os.Stderr, "reading document:", err)
+		os.Exit(1)
+	}
+
+	anyErr := false
+
+	errs := make(chan error)
+	go func() {
+		lintHeadings(lines, errs)
+		close(errs)
+	}()
+	for err = range errs {
+		anyErr = true
+		fmt.Fprintln(os.Stderr, err)
+	}
+
+	errs = make(chan error)
+	go func() {
+		lintEmptySections(lines, errs)
+		close(errs)
+	}()
+	for err = range errs {
+		anyErr = true
+		fmt.Fprintln(os.Stderr, err)
+	}
+
+	if anyErr {
+		os.Exit(1)
+	}
+
+	fmt.Println("lint checks complete; no findings")
+}
+
+// lintHeadings tries to locate every heading that we expect to exist, and
+// checks that they appear in the correct order.
+func lintHeadings(lines []string, errs chan<- error) {
+	outline = strings.TrimSpace(outline)
+	headings := strings.Split(outline, "\n")
+	headingLines := make([]int, len(headings))
+
+	for i, heading := range headings {
+		headingLines[i] = slices.Index(lines, heading)
+	}
+
+	for i, lineNo := range headingLines {
+		if lineNo == -1 {
+			errs <- fmt.Errorf("heading %q not found", headings[i])
+			continue
+		}
+
+		if i > 0 && lineNo <= headingLines[i-1] {
+			errs <- fmt.Errorf("heading %q found out-of-order on line %d", headings[i], lineNo)
+			continue
+		}
+	}
+}
+
+// lintEmptySections looks for places where two section headings occur with
+// nothing other than empty lines between them, and the second section is of
+// equal or lesser depth (being of greater depth is fine, that's a subsection).
+func lintEmptySections(lines []string, errs chan<- error) {
+	lastHeadingDepth := 0
+	sectionBodySeen := false
+	for i, line := range lines {
+		if line == "" {
+			continue
+		}
+
+		if strings.HasPrefix(line, "#") {
+			currHeadingDepth := len(line) - len(strings.TrimLeft(line, "#"))
+			if currHeadingDepth <= lastHeadingDepth && !sectionBodySeen {
+				errs <- fmt.Errorf("empty section found at line %d", i)
+			}
+
+			lastHeadingDepth = currHeadingDepth
+			sectionBodySeen = false
+			continue
+		}
+
+		sectionBodySeen = true
+	}
+}

tools/lint/outline.txt

@@ -0,0 +1,270 @@
+# 1. INTRODUCTION
+## 1.1 Overview
+## 1.2 Document name and identification
+## 1.3 PKI participants
+### 1.3.1 Certification authorities
+### 1.3.2 Registration authorities
+### 1.3.3 Subscribers
+### 1.3.4 Relying parties
+### 1.3.5 Other participants
+## 1.4 Certificate usage
+### 1.4.1 Appropriate certificate uses
+### 1.4.2 Prohibited certificate uses
+## 1.5 Policy administration
+### 1.5.1 Organization administering the document
+### 1.5.2 Contact person
+### 1.5.3 Person determining CPS suitability for the policy
+### 1.5.4 CPS approval procedures
+## 1.6 Definitions and acronyms
+# 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES
+## 2.1 Repositories
+## 2.2 Publication of certification information
+## 2.3 Time or frequency of publication
+## 2.4 Access controls on repositories
+# 3. IDENTIFICATION AND AUTHENTICATION
+## 3.1 Naming
+### 3.1.1 Types of names
+### 3.1.2 Need for names to be meaningful
+### 3.1.3 Anonymity or pseudonymity of subscribers
+### 3.1.4 Rules for interpreting various name forms
+### 3.1.5 Uniqueness of names
+### 3.1.6 Recognition, authentication, and role of trademarks
+## 3.2 Initial identity validation
+### 3.2.1 Method to prove possession of private key
+### 3.2.2 Authentication of organization identity
+### 3.2.3 Authentication of individual identity
+### 3.2.4 Non-verified subscriber information
+### 3.2.5 Validation of authority
+### 3.2.6 Criteria for interoperation
+## 3.3 Identification and authentication for re-key requests
+### 3.3.1 Identification and authentication for routine re-key
+### 3.3.2 Identification and authentication for re-key after revocation
+## 3.4 Identification and authentication for revocation request
+# 4. CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS
+## 4.1 Certificate Application
+### 4.1.1 Who can submit a certificate application
+### 4.1.2 Enrollment process and responsibilities
+## 4.2 Certificate application processing
+### 4.2.1 Performing identification and authentication functions
+### 4.2.2 Approval or rejection of certificate applications
+### 4.2.3 Time to process certificate applications
+## 4.3 Certificate issuance
+### 4.3.1 CA actions during certificate issuance
+### 4.3.2 Notification to subscriber by the CA of issuance of certificate
+## 4.4 Certificate acceptance
+### 4.4.1 Conduct constituting certificate acceptance
+### 4.4.2 Publication of the certificate by the CA
+### 4.4.3 Notification of certificate issuance by the CA to other entities
+## 4.5 Key pair and certificate usage
+### 4.5.1 Subscriber private key and certificate usage
+### 4.5.2 Relying party public key and certificate usage
+## 4.6 Certificate renewal
+### 4.6.1 Circumstance for certificate renewal
+### 4.6.2 Who may request renewal
+### 4.6.3 Processing certificate renewal requests
+### 4.6.4 Notification of new certificate issuance to subscriber
+### 4.6.5 Conduct constituting acceptance of a renewal certificate
+### 4.6.6 Publication of the renewal certificate by the CA
+### 4.6.7 Notification of certificate issuance by the CA to other entities
+## 4.7 Certificate re-key
+### 4.7.1 Circumstance for certificate re-key
+### 4.7.2 Who may request certification of a new public key
+### 4.7.3 Processing certificate re-keying requests
+### 4.7.4 Notification of new certificate issuance to subscriber
+### 4.7.5 Conduct constituting acceptance of a re-keyed certificate
+### 4.7.6 Publication of the re-keyed certificate by the CA
+### 4.7.7 Notification of certificate issuance by the CA to other entities
+## 4.8 Certificate modification
+### 4.8.1 Circumstance for certificate modification
+### 4.8.2 Who may request certificate modification
+### 4.8.3 Processing certificate modification requests
+### 4.8.4 Notification of new certificate issuance to subscriber
+### 4.8.5 Conduct constituting acceptance of modified certificate
+### 4.8.6 Publication of the modified certificate by the CA
+### 4.8.7 Notification of certificate issuance by the CA to other entities
+## 4.9 Certificate revocation and suspension
+### 4.9.1 Circumstances for revocation
+### 4.9.2 Who can request revocation
+### 4.9.3 Procedure for revocation request
+### 4.9.4 Revocation request grace period
+### 4.9.5 Time within which CA must process the revocation request
+### 4.9.6 Revocation checking requirement for relying parties
+### 4.9.7 CRL issuance frequency (if applicable)
+### 4.9.8 Maximum latency for CRLs (if applicable)
+### 4.9.9 On-line revocation/status checking availability
+### 4.9.10 On-line revocation checking requirements
+### 4.9.11 Other forms of revocation advertisements available
+### 4.9.12 Special requirements re key compromise
+### 4.9.13 Circumstances for suspension
+### 4.9.14 Who can request suspension
+### 4.9.15 Procedure for suspension request
+### 4.9.16 Limits on suspension period
+## 4.10 Certificate status services
+### 4.10.1 Operational characteristics
+### 4.10.2 Service availability
+### 4.10.3 Optional features
+## 4.11 End of subscription
+## 4.12 Key escrow and recovery
+### 4.12.1 Key escrow and recovery policy and practices
+### 4.12.2 Session key encapsulation and recovery policy and practices
+# 5. FACILITY, MANAGEMENT, AND OPERATIONAL CONTROLS
+## 5.1 Physical controls
+### 5.1.1 Site location and construction
+### 5.1.2 Physical access
+### 5.1.3 Power and air conditioning
+### 5.1.4 Water exposures
+### 5.1.5 Fire prevention and protection
+### 5.1.6 Media storage
+### 5.1.7 Waste disposal
+### 5.1.8 Off-site backup
+## 5.2 Procedural controls
+### 5.2.1 Trusted roles
+### 5.2.2 Number of persons required per task
+### 5.2.3 Identification and authentication for each role
+### 5.2.4 Roles requiring separation of duties
+## 5.3 Personnel controls
+### 5.3.1 Qualifications, experience, and clearance requirements
+### 5.3.2 Background check procedures
+### 5.3.3 Training requirements
+### 5.3.4 Retraining frequency and requirements
+### 5.3.5 Job rotation frequency and sequence
+### 5.3.6 Sanctions for unauthorized actions
+### 5.3.7 Independent contractor requirements
+### 5.3.8 Documentation supplied to personnel
+## 5.4 Audit logging procedures
+### 5.4.1 Types of events recorded
+### 5.4.2 Frequency of processing log
+### 5.4.3 Retention period for audit log
+### 5.4.4 Protection of audit log
+### 5.4.5 Audit log backup procedures
+### 5.4.6 Audit collection system (internal vs. external)
+### 5.4.7 Notification to event-causing subject
+### 5.4.8 Vulnerability assessments
+## 5.5 Records archival
+### 5.5.1 Types of records archived
+### 5.5.2 Retention period for archive
+### 5.5.3 Protection of archive
+### 5.5.4 Archive backup procedures
+### 5.5.5 Requirements for time-stamping of records
+### 5.5.6 Archive collection system (internal or external)
+### 5.5.7 Procedures to obtain and verify archive information
+## 5.6 Key changeover
+## 5.7 Compromise and disaster recovery
+### 5.7.1 Incident and compromise handling procedures
+### 5.7.2 Computing resources, software, and/or data are corrupted
+### 5.7.3 Entity private key compromise procedures
+### 5.7.4 Business continuity capabilities after a disaster
+## 5.8 CA or RA termination
+# 6. TECHNICAL SECURITY CONTROLS
+## 6.1 Key pair generation and installation
+### 6.1.1 Key pair generation
+### 6.1.2 Private key delivery to subscriber
+### 6.1.3 Public key delivery to certificate issuer
+### 6.1.4 CA public key delivery to relying parties
+### 6.1.5 Key sizes
+### 6.1.6 Public key parameters generation and quality checking
+### 6.1.7 Key usage purposes (as per X.509 v3 key usage field)
+## 6.2 Private Key Protection and Cryptographic Module Engineering Controls
+### 6.2.1 Cryptographic module standards and controls
+### 6.2.2 Private key (n out of m) multi-person control
+### 6.2.3 Private key escrow
+### 6.2.4 Private key backup
+### 6.2.5 Private key archival
+### 6.2.6 Private key transfer into or from a cryptographic module
+### 6.2.7 Private key storage on cryptographic module
+### 6.2.8 Method of activating private key
+### 6.2.9 Method of deactivating private key
+### 6.2.10 Method of destroying private key
+### 6.2.11 Cryptographic Module Rating
+## 6.3 Other aspects of key pair management
+### 6.3.1 Public key archival
+### 6.3.2 Certificate operational periods and key pair usage periods
+## 6.4 Activation data
+### 6.4.1 Activation data generation and installation
+### 6.4.2 Activation data protection
+### 6.4.3 Other aspects of activation data
+## 6.5 Computer security controls
+### 6.5.1 Specific computer security technical requirements
+### 6.5.2 Computer security rating
+## 6.6 Life cycle technical controls
+### 6.6.1 System development controls
+### 6.6.2 Security management controls
+### 6.6.3 Life cycle security controls
+## 6.7 Network security controls
+## 6.8 Time-stamping
+# 7. CERTIFICATE, CRL, AND OCSP PROFILES
+## 7.1 Certificate profile
+### 7.1.1 Version number(s)
+### 7.1.2 Certificate extensions
+### 7.1.3 Algorithm object identifiers
+### 7.1.4 Name forms
+### 7.1.5 Name constraints
+### 7.1.6 Certificate policy object identifier
+### 7.1.7 Usage of Policy Constraints extension
+### 7.1.8 Policy qualifiers syntax and semantics
+### 7.1.9 Processing semantics for the critical Certificate Policies extension
+## 7.2 CRL profile
+### 7.2.1 Version number(s)
+### 7.2.2 CRL and CRL entry extensions
+## 7.3 OCSP profile
+### 7.3.1 Version number(s)
+### 7.3.2 OCSP extensions
+# 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS
+## 8.1 Frequency or circumstances of assessment
+## 8.2 Identity/qualifications of assessor
+## 8.3 Assessor's relationship to assessed entity
+## 8.4 Topics covered by assessment
+## 8.5 Actions taken as a result of deficiency
+## 8.6 Communication of results
+# 9. OTHER BUSINESS AND LEGAL MATTERS
+## 9.1 Fees
+### 9.1.1 Certificate issuance or renewal fees
+### 9.1.2 Certificate access fees
+### 9.1.3 Revocation or status information access fees
+### 9.1.4 Fees for other services
+### 9.1.5 Refund policy
+## 9.2 Financial responsibility
+### 9.2.1 Insurance coverage
+### 9.2.2 Other assets
+### 9.2.3 Insurance or warranty coverage for end-entities
+## 9.3 Confidentiality of business information
+### 9.3.1 Scope of confidential information
+### 9.3.2 Information not within the scope of confidential information
+### 9.3.3 Responsibility to protect confidential information
+## 9.4 Privacy of personal information
+### 9.4.1 Privacy plan
+### 9.4.2 Information treated as private
+### 9.4.3 Information not deemed private
+### 9.4.4 Responsibility to protect private information
+### 9.4.5 Notice and consent to use private information
+### 9.4.6 Disclosure pursuant to judicial or administrative process
+### 9.4.7 Other information disclosure circumstances
+## 9.5 Intellectual property rights
+## 9.6 Representations and warranties
+### 9.6.1 CA representations and warranties
+### 9.6.2 RA representations and warranties
+### 9.6.3 Subscriber representations and warranties
+### 9.6.4 Relying party representations and warranties
+### 9.6.5 Representations and warranties of other participants
+## 9.7 Disclaimers of warranties
+## 9.8 Limitations of liability
+## 9.9 Indemnities
+## 9.10 Term and termination
+### 9.10.1 Term
+### 9.10.2 Termination
+### 9.10.3 Effect of termination and survival
+## 9.11 Individual notices and communications with participants
+## 9.12 Amendments
+### 9.12.1 Procedure for amendment
+### 9.12.2 Notification mechanism and period
+### 9.12.3 Circumstances under which OID must be changed
+## 9.13 Dispute resolution provisions
+## 9.14 Governing law
+## 9.15 Compliance with applicable law
+## 9.16 Miscellaneous provisions
+### 9.16.1 Entire agreement
+### 9.16.2 Assignment
+### 9.16.3 Severability
+### 9.16.4 Enforcement (attorneys' fees and waiver of rights)
+### 9.16.5 Force Majeure
+## 9.17 Other provisions

tools/no-stipulations/no_stipulation.py

@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+import argparse
+
+
+def make_no_stipulations(old_content: list) -> str:
+    new_content = []
+    for i in range(len(old_content)):
+        curr_line = old_content[i]
+        # Unconditionally append the first line to avoid index wrap-around.
+        if i == 0:
+            new_content.append(curr_line)
+            continue
+        prev_line = old_content[i - 1]
+        if curr_line == "\n":
+            if prev_line[0] == "#":
+                if i < len(old_content) - 1:
+                    next_line = old_content[i + 1]
+                    if next_line[0] == "#" and len(prev_line.split("#")) >= len(next_line.split("#")):
+                        new_content.append(curr_line + "No stipulation.\n\n")
+                    else:
+                        new_content.append(curr_line)
+                else:
+                    new_content.append(curr_line + "No stipulation.\n\n")
+            else:
+                new_content.append(curr_line)
+        else:
+            new_content.append(curr_line)
+
+    return "".join(new_content)
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Replaces empty policy sections with 'No stipulation.'"
+    )
+    parser.add_argument(
+        "-d",
+        "--document",
+        metavar="PATH",
+        type=argparse.FileType("r"),
+        required=True,
+        help="path to the policy document to edit you wish to edit",
+    )
+    parser.add_argument(
+        "-o",
+        "--output",
+        metavar="PATH",
+        type=argparse.FileType("w"),
+        required=True,
+        help="path to output the edited policy document",
+    )
+
+    args = parser.parse_args()
+    contents = args.document.readlines()
+    args.document.close()
+
+    new_content = make_no_stipulations(contents)
+    args.output.write(new_content)
+    args.output.close()
+
+
+if __name__ == "__main__":
+    main()

tools/no-stipulations/no_stipulation_test.py

@@ -0,0 +1,143 @@
+import io
+import unittest
+
+from no_stipulation import make_no_stipulations
+
+document_input = io.StringIO(
+"""---
+title: Testament of Tester Testington
+subtitle: Version 1.0
+author:
+  - Tester Testington
+date: 3 June, 2021  
+copyright: |
+  Copyright 2021 Tester Testington of Test Town
+
+  This work is licensed under the Conspicuous Attribution 4.0 NT for Workgroups Testing license.
+---
+
+# 1. LOREM
+
+## 1.1 Ipsum
+
+### 1.1.1 Dolor
+
+### 1.1.2 Sit
+
+### 1.1.3 Amet
+
+Some content.
+
+### 1.1.4 Consectetur
+
+### 1.1.5 Adipiscing
+
+### 1.1.6 Elit
+
+## 1.2 Sed
+
+### 1.2.1 Do
+
+Some multi-line
+Content just to be
+Safe
+
+### 1.2.2 Eiusmod
+
+Some more content, finally!
+
+# 2. Tempor
+
+## 2.1 Incididunt
+
+### 2.1.1 Ut
+
+Some multi-paragraph
+
+Content just to be
+
+Safe
+
+## 2.2 Labore
+
+Something else.
+
+""").readlines()
+
+document_output = """---
+title: Testament of Tester Testington
+subtitle: Version 1.0
+author:
+  - Tester Testington
+date: 3 June, 2021  
+copyright: |
+  Copyright 2021 Tester Testington of Test Town
+
+  This work is licensed under the Conspicuous Attribution 4.0 NT for Workgroups Testing license.
+---
+
+# 1. LOREM
+
+## 1.1 Ipsum
+
+### 1.1.1 Dolor
+
+No stipulation.
+
+### 1.1.2 Sit
+
+No stipulation.
+
+### 1.1.3 Amet
+
+Some content.
+
+### 1.1.4 Consectetur
+
+No stipulation.
+
+### 1.1.5 Adipiscing
+
+No stipulation.
+
+### 1.1.6 Elit
+
+No stipulation.
+
+## 1.2 Sed
+
+### 1.2.1 Do
+
+Some multi-line
+Content just to be
+Safe
+
+### 1.2.2 Eiusmod
+
+Some more content, finally!
+
+# 2. Tempor
+
+## 2.1 Incididunt
+
+### 2.1.1 Ut
+
+Some multi-paragraph
+
+Content just to be
+
+Safe
+
+## 2.2 Labore
+
+Something else.
+
+"""
+
+class TestMakeNoStipulations(unittest.TestCase):
+    def test_make_no_stipulations_empty(self):
+        self.assertEqual(make_no_stipulations(""), "")
+
+    def test_make_no_stipulations_happy_path(self):
+        self.maxDiff = None
+        self.assertEqual(make_no_stipulations(document_input), document_output)