depot-linux 0.1.0

data/lib/depot/packages/rpm.rb

@@ -0,0 +1,301 @@
+# frozen_string_literal: true
+
+require "fileutils"
+require "open3"
+
+module Depot
+  class RpmPackage
+    MAGIC = "\xED\xAB\xEE\xDB".b.freeze
+    HEADER_MAGIC = "\x8E\xAD\xE8".b.freeze
+    HICOLOR_ICON_PATH = %r{/icons/hicolor/([^/]+)/apps/([^/]+)\.(png|svg|xpm)\z}i
+    IMAGE_EXT = /\.(png|svg|xpm)\z/i
+    SCRIPT_TAGS = {
+      1023 => "preinstall",
+      1024 => "postinstall",
+      1025 => "preuninstall",
+      1026 => "postuninstall",
+      1065 => "verify",
+      1085 => "triggerinstall",
+      1086 => "triggeruninstall",
+      1087 => "triggerpostuninstall"
+    }.freeze
+    TAGS = {
+      1000 => "Name",
+      1001 => "Version",
+      1002 => "Release",
+      1004 => "Summary",
+      1005 => "Description",
+      1014 => "License",
+      1015 => "Packager",
+      1020 => "URL",
+      1021 => "OS",
+      1022 => "Architecture",
+      1049 => "Requires",
+      1116 => "DirIndexes",
+      1117 => "BaseNames",
+      1118 => "DirNames",
+      1124 => "PayloadFormat",
+      1125 => "PayloadCompressor",
+      1126 => "PayloadFlags"
+    }.merge(SCRIPT_TAGS.transform_values { |name| "Script:#{name}" }).freeze
+
+    attr_reader :path
+
+    def initialize(path)
+      @path = path
+    end
+
+    def valid?
+      rpm_magic? && header_fields.any?
+    rescue FormatError
+      false
+    end
+
+    def header_fields
+      @header_fields ||= parse_main_header
+    end
+
+    def package_fields
+      fields = header_fields
+      {
+        "Name" => fields["Name"],
+        "Version" => fields["Version"],
+        "Release" => fields["Release"],
+        "Architecture" => fields["Architecture"],
+        "Summary" => fields["Summary"],
+        "Description" => fields["Description"],
+        "License" => fields["License"],
+        "Packager" => fields["Packager"],
+        "URL" => fields["URL"],
+        "PayloadFormat" => fields["PayloadFormat"],
+        "PayloadCompressor" => fields["PayloadCompressor"],
+        "PayloadFlags" => fields["PayloadFlags"]
+      }.compact
+    end
+
+    def display_name
+      header_fields["Name"] || File.basename(path, ".rpm")
+    end
+
+    def version_label
+      [header_fields["Version"], header_fields["Release"]].compact.join("-")
+    end
+
+    def requires
+      Array(header_fields["Requires"]).reject { |name| name.start_with?("rpmlib(") }.uniq
+    end
+
+    def scriptlets
+      header_fields.filter_map do |key, value|
+        next unless key.start_with?("Script:") && value.to_s.strip != ""
+
+        key.delete_prefix("Script:")
+      end
+    end
+
+    def members
+      @members ||= list_payload
+    end
+
+    def clean_members
+      members.map { |entry| clean_entry(entry) }
+    end
+
+    def desktop_entries
+      payload_entries.select { |entry| entry.end_with?(".desktop") }
+    end
+
+    def primary_desktop_entry
+      desktop_entries.min_by { |entry| desktop_score(entry) }
+    end
+
+    def image_entries
+      payload_entries.select { |entry| entry.match?(IMAGE_EXT) }
+    end
+
+    def icon_entries
+      payload_entries.select { |entry| entry.match?(HICOLOR_ICON_PATH) }
+    end
+
+    def executable_candidates
+      payload_entries.reject { |entry| entry.end_with?("/") }
+                     .select { |entry| executable_name?(entry) }
+                     .first(24)
+    end
+
+    def file_entries
+      entries = header_file_entries
+      entries.empty? ? clean_members : entries
+    end
+
+    def header_file_entries
+      fields = header_fields
+      bases = Array(fields["BaseNames"])
+      dirs = Array(fields["DirNames"])
+      indexes = Array(fields["DirIndexes"])
+      return [] if bases.empty? || dirs.empty? || indexes.empty?
+
+      bases.each_with_index.map do |base, index|
+        dir = dirs[indexes[index].to_i].to_s
+        clean_entry(File.join(dir, base))
+      end
+    end
+
+    def read_entry(entry)
+      wanted = clean_entry(entry)
+      candidates = [wanted, "./#{wanted}"].uniq
+      candidates.each do |candidate|
+        stdout, stderr, status = Open3.capture3("bsdtar", "-xOf", path, candidate)
+        return stdout if status.success?
+
+        @last_read_error = stderr.empty? ? stdout : stderr
+      end
+
+      raise FormatError, "Could not read #{entry}: #{@last_read_error}"
+    end
+
+    def extract_to(destination)
+      FileUtils.mkdir_p(destination)
+      assert_bsdtar!
+      assert_safe_entries!
+      stdout, stderr, status = Open3.capture3("bsdtar", "-xf", path, "-C", destination)
+      raise FormatError, "Could not extract RPM payload: #{stderr.empty? ? stdout : stderr}" unless status.success?
+    end
+
+    class FormatError < StandardError; end
+
+    private
+
+    def rpm_magic?
+      File.open(path, "rb") { |file| file.read(4) == MAGIC }
+    rescue SystemCallError
+      false
+    end
+
+    def parse_main_header
+      File.open(path, "rb") do |file|
+        file.binmode
+        raise FormatError, "Not an RPM file" unless file.read(4) == MAGIC
+
+        file.pos = 96
+        read_header(file)
+        file.pos += (8 - (file.pos % 8)) % 8
+        entries, store = read_header(file)
+        fields = {}
+        entries.each do |tag, type, offset, count|
+          name = TAGS[tag]
+          next unless name
+
+          fields[name] = header_value(type, offset, count, store)
+        end
+        fields
+      end
+    end
+
+    def read_header(file)
+      magic = file.read(3)
+      raise FormatError, "Invalid RPM header" unless magic == HEADER_MAGIC
+
+      file.read(1)
+      file.read(4)
+      index_count = file.read(4).unpack1("N")
+      store_size = file.read(4).unpack1("N")
+      entries = index_count.times.map { file.read(16).unpack("N4") }
+      store = file.read(store_size)
+      raise FormatError, "Truncated RPM header store" unless store && store.bytesize == store_size
+
+      [entries, store]
+    end
+
+    def header_value(type, offset, count, store)
+      case type
+      when 2
+        store.byteslice(offset, count).unpack("C*")
+      when 3
+        store.byteslice(offset, count * 2).unpack("n*")
+      when 4
+        store.byteslice(offset, count * 4).unpack("N*")
+      when 5
+        store.byteslice(offset, count * 8).unpack("Q>*")
+      when 6, 9
+        store.byteslice(offset..).split("\0", 2).first.to_s
+      when 8
+        store.byteslice(offset..).split("\0").first(count)
+      when 7
+        store.byteslice(offset, count)
+      else
+        nil
+      end
+    end
+
+    def list_payload
+      assert_bsdtar!
+      stdout, stderr, status = Open3.capture3("bsdtar", "-tf", path)
+      raise FormatError, "Could not list RPM payload: #{stderr.empty? ? stdout : stderr}" unless status.success?
+
+      stdout.lines.map(&:chomp).reject(&:empty?)
+    end
+
+    def assert_bsdtar!
+      return if command_available?("bsdtar")
+
+      raise FormatError, "RPM portable extraction requires bsdtar/libarchive."
+    end
+
+    def assert_safe_entries!
+      unsafe = payload_entries.find do |entry|
+        clean = clean_entry(entry)
+        entry.start_with?("/") || clean.split("/").include?("..")
+      end
+      raise FormatError, "Unsafe path in RPM payload: #{unsafe}" if unsafe
+    end
+
+    def payload_entries
+      entries = header_file_entries
+      entries.empty? ? clean_members : entries
+    end
+
+    def clean_entry(entry)
+      entry.to_s.sub(%r{\A\./}, "").sub(%r{\A/+}, "")
+    end
+
+    def executable_name?(entry)
+      base = File.basename(entry)
+      return true if entry.include?("/bin/") && !base.include?(".")
+      return true if entry.start_with?("opt/") && !base.include?(".")
+
+      false
+    end
+
+    def desktop_score(entry)
+      base = File.basename(entry, ".desktop").downcase
+      package_name = display_name.to_s.downcase
+      [
+        clean_entry(entry).match?(%r{/share/applications/[^/]+\.desktop\z}) ? 0 : 1,
+        base.include?("url") || base.include?("handler") ? 1 : 0,
+        !package_name.empty? && base.include?(package_name) ? 0 : 1,
+        clean_entry(entry).length
+      ]
+    end
+
+    def parse_desktop_entry(contents)
+      metadata = {}
+      in_desktop_entry = false
+      contents.each_line(chomp: true) do |line|
+        if line.start_with?("[")
+          in_desktop_entry = line.strip == "[Desktop Entry]"
+          next
+        end
+        next unless in_desktop_entry
+
+        key, value = line.split("=", 2)
+        metadata[key] = value if value && !metadata.key?(key)
+      end
+      metadata
+    end
+
+    def command_available?(command)
+      ENV.fetch("PATH", "").split(File::PATH_SEPARATOR).any? { |dir| File.executable?(File.join(dir, command)) }
+    end
+  end
+end

data/lib/depot/paths.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "fileutils"
+
+module Depot
+  module Paths
+    module_function
+
+    def data_home
+      ENV.fetch("XDG_DATA_HOME", File.join(Dir.home, ".local", "share"))
+    end
+
+    def config_home
+      ENV.fetch("XDG_CONFIG_HOME", File.join(Dir.home, ".config"))
+    end
+
+    def state_home
+      ENV.fetch("XDG_STATE_HOME", File.join(Dir.home, ".local", "state"))
+    end
+
+    def data_dir
+      File.join(data_home, "depot")
+    end
+
+    def config_dir
+      File.join(config_home, "depot")
+    end
+
+    def state_dir
+      File.join(state_home, "depot")
+    end
+
+    def apps_dir
+      File.join(data_dir, "apps")
+    end
+
+    def manifests_dir
+      File.join(data_dir, "manifests")
+    end
+
+    def desktop_entries_dir
+      File.join(data_home, "applications")
+    end
+
+    def icon_root
+      File.join(data_home, "icons", "hicolor")
+    end
+
+    def settings_path
+      File.join(config_dir, "settings.json")
+    end
+
+    def ensure_base_dirs
+      FileUtils.mkdir_p([data_dir, config_dir, state_dir, apps_dir, manifests_dir, desktop_entries_dir])
+    end
+  end
+end

data/lib/depot/result.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Depot
+  Result = Struct.new(:ok?, :value, :warnings, :error, keyword_init: true) do
+    def self.ok(value = nil, warnings: [])
+      new(ok?: true, value:, warnings:, error: nil)
+    end
+
+    def self.err(error, warnings: [])
+      new(ok?: false, value: nil, warnings:, error:)
+    end
+  end
+end

data/lib/depot/sandbox.rb

@@ -0,0 +1,285 @@
+# frozen_string_literal: true
+
+require "fileutils"
+require "shellwords"
+require "time"
+require_relative "desktop_entry"
+require_relative "manifest_store"
+require_relative "paths"
+require_relative "result"
+require_relative "settings"
+
+module Depot
+  module Sandbox
+    PORTABLE_BACKENDS = %w[appimage deb-portable rpm-portable archive-portable].freeze
+    MODES = %w[inherit enabled disabled].freeze
+    PROFILES = %w[relaxed balanced strict].freeze
+    HOME_ACCESS = %w[isolated documents full].freeze
+
+    module_function
+
+    def apply(manifest, settings: Settings.new.load, store: ManifestStore.new)
+      normalized = normalize(manifest, settings)
+      normalized = write_or_remove_launcher(normalized, settings)
+      rewrite_desktop_entry(normalized) if portable?(normalized)
+      path = store.write(normalized)
+      Result.ok(normalized.merge("manifest_path" => path))
+    rescue SystemCallError => e
+      Result.err("Could not update sandbox settings: #{e.message}")
+    end
+
+    def set(app_id, values = {}, store: ManifestStore.new, settings: Settings.new.load)
+      manifest = store.find(app_id)
+      return Result.err("No installed app found for #{app_id}.") unless manifest
+
+      sandbox = normalize(manifest, settings).fetch("sandbox", {})
+      mode = values["mode"] || values[:mode]
+      profile = values["profile"] || values[:profile]
+      home_access = values["home_access"] || values[:home_access]
+      return Result.err("Sandbox mode must be one of: #{MODES.join(", ")}.") if mode && !MODES.include?(mode.to_s)
+      return Result.err("Sandbox profile must be one of: #{PROFILES.join(", ")}.") if profile && !PROFILES.include?(profile.to_s)
+      return Result.err("Sandbox home access must be one of: #{HOME_ACCESS.join(", ")}.") if home_access && !HOME_ACCESS.include?(home_access.to_s)
+
+      sandbox["mode"] = normalize_choice(mode, MODES, sandbox.fetch("mode", "inherit"))
+      sandbox["profile"] = normalize_choice(profile, PROFILES, sandbox.fetch("profile", "balanced"))
+      sandbox["home_access"] = normalize_choice(home_access, HOME_ACCESS, sandbox.fetch("home_access", "documents"))
+      sandbox["network"] = bool_value(values.key?("network") ? values["network"] : values[:network], sandbox.fetch("network", true))
+      sandbox["updated_at"] = Time.now.utc.iso8601
+      apply(manifest.merge("sandbox" => sandbox), settings:, store:)
+    end
+
+    def launch_path(manifest, settings: Settings.new.load)
+      normalized = normalize(manifest, settings)
+      sandbox = normalized.fetch("sandbox", {})
+      launcher = sandbox["launcher"]
+      return launcher if effective_enabled?(normalized, settings) && launcher.to_s != "" && File.executable?(launcher)
+
+      normalized["installed_executable"]
+    end
+
+    def summary(manifest, settings: Settings.new.load)
+      normalized = normalize(manifest, settings)
+      sandbox = normalized.fetch("sandbox", {})
+      if normalized["backend"] == "flatpak"
+        return "Flatpak managed"
+      end
+      unless portable?(normalized)
+        return "Unsupported for this backend"
+      end
+
+      mode = sandbox.fetch("mode", "inherit")
+      state = effective_enabled?(normalized, settings) ? "enabled" : "disabled"
+      manager = command_available?("bwrap") ? "Bubblewrap" : "Bubblewrap missing"
+      "#{state} (#{mode}, #{sandbox.fetch("profile", "balanced")}, #{sandbox.fetch("home_access", "documents")} home, #{sandbox.fetch("network", true) ? "network" : "no network"}, #{manager})"
+    end
+
+    def normalize(manifest, settings = Settings.new.load)
+      sandbox = manifest.fetch("sandbox", {}).dup
+      backend = manifest["backend"]
+      if backend == "flatpak"
+        sandbox["manager"] = "flatpak"
+        sandbox["mode"] ||= "enabled"
+        sandbox["enabled"] = true
+        return manifest.merge("sandbox" => sandbox)
+      end
+
+      sandbox["manager"] = "bubblewrap" if portable?(manifest)
+      sandbox["mode"] ||= legacy_mode(sandbox)
+      sandbox["profile"] = normalize_choice(sandbox["profile"], PROFILES, settings.fetch("sandbox_profile", "balanced"))
+      sandbox["home_access"] = normalize_choice(sandbox["home_access"], HOME_ACCESS, settings.fetch("sandbox_home_access", "documents"))
+      sandbox["network"] = bool_value(sandbox.fetch("network", settings.fetch("sandbox_network", true)), true)
+      sandbox["enabled"] = effective_enabled?(manifest.merge("sandbox" => sandbox), settings)
+      manifest.merge("sandbox" => sandbox)
+    end
+
+    def effective_enabled?(manifest, settings = Settings.new.load)
+      return true if manifest["backend"] == "flatpak"
+      return false unless portable?(manifest)
+
+      mode = manifest.fetch("sandbox", {}).fetch("mode", "inherit")
+      return true if mode == "enabled"
+      return false if mode == "disabled"
+
+      %w[prefer-on on enabled].include?(settings.fetch("sandbox_preference", "ask"))
+    end
+
+    def portable?(manifest)
+      PORTABLE_BACKENDS.include?(manifest["backend"])
+    end
+
+    def command_available?(command)
+      ENV.fetch("PATH", "").split(File::PATH_SEPARATOR).any? { |dir| File.executable?(File.join(dir, command)) }
+    end
+
+    def normalize_choice(value, allowed, fallback)
+      value = value.to_s
+      allowed.include?(value) ? value : fallback
+    end
+
+    def bool_value(value, fallback)
+      return value if value == true || value == false
+      return true if value.to_s == "true"
+      return false if value.to_s == "false"
+
+      fallback
+    end
+
+    def legacy_mode(sandbox)
+      return "enabled" if sandbox["enabled"] == true
+
+      "inherit"
+    end
+
+    def write_or_remove_launcher(manifest, settings)
+      sandbox = manifest.fetch("sandbox", {})
+      launcher = sandbox["launcher"]
+      if !effective_enabled?(manifest, settings) || !portable?(manifest)
+        FileUtils.rm_f(launcher) if safe_launcher_path?(manifest, launcher)
+        sandbox.delete("launcher")
+        sandbox["enabled"] = false
+        return manifest.merge("sandbox" => sandbox)
+      end
+
+      app_dir = app_dir_for(manifest)
+      return manifest unless app_dir
+
+      FileUtils.mkdir_p(app_dir)
+      FileUtils.mkdir_p(File.join(app_dir, "sandbox-home"))
+      launcher = File.join(app_dir, "depot-sandbox-launch")
+      File.write(launcher, launcher_script(manifest, app_dir))
+      File.chmod(0o755, launcher)
+      manifest["created_files"] = (manifest["created_files"].to_a + [launcher]).uniq
+      sandbox["launcher"] = launcher
+      sandbox["enabled"] = true
+      manifest.merge("sandbox" => sandbox)
+    end
+
+    def app_dir_for(manifest)
+      manifest.fetch("created_dirs", []).find { |path| path.to_s.start_with?(Paths.apps_dir) } ||
+        safe_parent_app_dir(manifest["installed_executable"])
+    end
+
+    def safe_parent_app_dir(path)
+      expanded = File.expand_path(path.to_s)
+      root = File.expand_path(Paths.apps_dir)
+      return nil unless expanded.start_with?(root + File::SEPARATOR)
+
+      parts = expanded.delete_prefix(root + File::SEPARATOR).split(File::SEPARATOR)
+      return nil if parts.empty?
+
+      File.join(root, parts.first)
+    end
+
+    def safe_launcher_path?(manifest, path)
+      return false if path.to_s.empty?
+
+      app_dir = app_dir_for(manifest)
+      return false unless app_dir
+
+      File.expand_path(path).start_with?(File.expand_path(app_dir) + File::SEPARATOR)
+    end
+
+    def launcher_script(manifest, app_dir)
+      sandbox = manifest.fetch("sandbox", {})
+      real_exec = manifest.fetch("installed_executable")
+      home_dir = Dir.home
+      sandbox_home = File.join(app_dir, "sandbox-home")
+      network = sandbox.fetch("network", true)
+      home_access = sandbox.fetch("home_access", "documents")
+
+      <<~SH
+        #!/usr/bin/env bash
+        set -e
+
+        REAL_EXEC=#{Shellwords.escape(real_exec)}
+        APP_DIR=#{Shellwords.escape(app_dir)}
+        SANDBOX_HOME=#{Shellwords.escape(sandbox_home)}
+        HOST_HOME=#{Shellwords.escape(home_dir)}
+
+        if [ "${DEPOT_DISABLE_SANDBOX:-}" = "1" ] || ! command -v bwrap >/dev/null 2>&1; then
+          exec "$REAL_EXEC" "$@"
+        fi
+
+        mkdir -p "$SANDBOX_HOME"
+        args=(--die-with-parent --unshare-ipc --unshare-pid --proc /proc --dev /dev --tmpfs /tmp)
+        add_ro() { [ -e "$1" ] && args+=(--ro-bind "$1" "$1"); }
+        add_rw() { [ -e "$1" ] && args+=(--bind "$1" "$1"); }
+
+        for path in /usr /bin /sbin /lib /lib64 /etc /opt; do
+          add_ro "$path"
+        done
+
+        #{home_setup_script(home_access)}
+        if [[ "$APP_DIR" == "$HOST_HOME/"* ]]; then
+          app_mount_parent="$SANDBOX_HOME/${APP_DIR#"$HOST_HOME/"}"
+          mkdir -p "$(dirname "$app_mount_parent")"
+        fi
+        args+=(--bind "$APP_DIR" "$APP_DIR")
+        args+=(--setenv DEPOT_SANDBOXED 1)
+
+        if [ -n "${XDG_RUNTIME_DIR:-}" ] && [ -d "$XDG_RUNTIME_DIR" ]; then
+          args+=(--bind "$XDG_RUNTIME_DIR" "$XDG_RUNTIME_DIR")
+        fi
+        if [ -n "${XAUTHORITY:-}" ] && [ -f "$XAUTHORITY" ]; then
+          args+=(--ro-bind "$XAUTHORITY" "$XAUTHORITY")
+        fi
+        if [ -d /tmp/.X11-unix ]; then
+          args+=(--ro-bind /tmp/.X11-unix /tmp/.X11-unix)
+        fi
+
+        #{network ? "" : "args+=(--unshare-net)"}
+
+        args+=(--chdir #{Shellwords.escape(File.dirname(real_exec))})
+        exec bwrap "${args[@]}" "$REAL_EXEC" "$@"
+      SH
+    end
+
+    def home_setup_script(home_access)
+      case home_access
+      when "full"
+        <<~SH.strip
+          args+=(--bind "$HOST_HOME" "$HOST_HOME")
+          args+=(--setenv HOME "$HOST_HOME")
+        SH
+      when "documents"
+        <<~SH.strip
+          args+=(--bind "$SANDBOX_HOME" "$HOST_HOME")
+          args+=(--setenv HOME "$HOST_HOME")
+          for dir in Desktop Documents Downloads Pictures Music Videos; do
+            if [ -d "$HOST_HOME/$dir" ]; then
+              mkdir -p "$SANDBOX_HOME/$dir"
+              args+=(--bind "$HOST_HOME/$dir" "$HOST_HOME/$dir")
+            fi
+          done
+        SH
+      else
+        <<~SH.strip
+          args+=(--bind "$SANDBOX_HOME" "$HOST_HOME")
+          args+=(--setenv HOME "$HOST_HOME")
+        SH
+      end
+    end
+
+    def rewrite_desktop_entry(manifest)
+      desktop_path = manifest["desktop_entry"]
+      return unless desktop_path && !desktop_path.empty?
+
+      FileUtils.mkdir_p(File.dirname(desktop_path))
+      entry = DesktopEntry.new(
+        app_id: manifest.fetch("app_id"),
+        name: manifest.fetch("display_name"),
+        exec_path: launch_path(manifest),
+        icon_name: active_icon_name(manifest)
+      )
+      File.write(desktop_path, entry.contents)
+      manifest["created_files"] = (manifest["created_files"].to_a + [desktop_path]).uniq
+    end
+
+    def active_icon_name(manifest)
+      custom = manifest["custom_icon"]
+      return custom["path"] if custom && custom["path"].to_s != ""
+
+      manifest["default_icon_name"]
+    end
+  end
+end

data/lib/depot/settings.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "json"
+require "fileutils"
+require_relative "paths"
+
+module Depot
+  class Settings
+    DEFAULTS = {
+      "warning_verbosity" => "normal",
+      "theme" => "system",
+      "default_install_location" => "user",
+      "sandbox_preference" => "ask",
+      "sandbox_profile" => "balanced",
+      "sandbox_home_access" => "documents",
+      "sandbox_network" => true,
+      "desktop_integration" => true,
+      "updates_enabled" => true
+    }.freeze
+
+    attr_reader :path
+
+    def initialize(path = Paths.settings_path)
+      @path = path
+    end
+
+    def load
+      return DEFAULTS.dup unless File.exist?(path)
+
+      parsed = JSON.parse(File.read(path))
+      DEFAULTS.merge(parsed)
+    rescue JSON::ParserError
+      DEFAULTS.dup
+    end
+
+    def save(values)
+      FileUtils.mkdir_p(File.dirname(path))
+      normalized = DEFAULTS.merge(values.transform_keys(&:to_s))
+      File.write(path, JSON.pretty_generate(normalized) + "\n")
+      normalized
+    end
+  end
+end