@bedrock/vc-delivery 7.11.3 → 7.12.0

package/lib/ExchangeProcessor.js

@@ -288,10 +288,21 @@ export class ExchangeProcessor {
         // 4.2. Call subalgorithm `prepareStep`, passing `workflow`,
         // `exchange`, `step`, `receivedPresentation`, and
         // `receivedPresentationRequest` to perform any protocol-specific
-        // custom step preparation.
-        await prepareStep?.({
-          workflow, exchange, step, receivedPresentation
+        // custom step preparation. If `prepareStep` returns a `prepareResult`
+        // with `receivedPresentation` and/or `receivedPresentationRequest` set,
+        // then update `receivedPresentation` and/or
+        // `receivedPresentationRequest` accordingly.
+        const prepareResult = await prepareStep?.({
+          workflow, exchange, step,
+          receivedPresentation, receivedPresentationRequest
         });
+        if(prepareResult?.receivedPresentation !== undefined) {
+          receivedPresentation = prepareResult.receivedPresentation;
+        }
+        if(prepareResult?.receivedPresentationRequest) {
+          receivedPresentationRequest =
+            prepareResult.receivedPresentationRequest;
+        }
 
         // 4.3. If `receivedPresentation` is set, then call the
         // `validateReceivedPresentation` sub-algorithm, passing `workflow`,
@@ -312,20 +323,27 @@ export class ExchangeProcessor {
           });
         }
 
-        // 4.5. Set `isInputRequired` to the result of calling
+        // 4.5. If the implementation supports blocking callbacks that can
+        // return results to be added to exchange variables (or return errors),
+        // call the callback and store its results in
+        // `exchange.variables.results[exchange.step].callbackResults` or
+        // throw any error received.
+        // FIXME: to be implemented
+
+        // 4.6. Set `isInputRequired` to the result of calling
         // `inputRequired({step, receivedPresentation})`.
         const isInputRequired = await inputRequired?.({
           workflow, exchange, step, receivedPresentation
         }) ?? false;
 
-        // 4.6. If `isInputRequired` is true:
+        // 4.7. If `isInputRequired` is true:
         if(isInputRequired) {
-          // 4.6.1. If `response` is `null`, set it to an empty object.
+          // 4.7.1. If `response` is `null`, set it to an empty object.
           if(!response) {
             response = {};
           }
 
-          // 4.6.2. If `step.verifiablePresentationRequest` is set, call
+          // 4.7.2. If `step.verifiablePresentationRequest` is set, call
           // the `createVerifiablePresentationRequest` sub-algorithm, passing
           // `workflow`, `exchange`, `step`, and `response`.
           if(step.verifiablePresentationRequest) {
@@ -334,12 +352,13 @@ export class ExchangeProcessor {
             });
           }
 
-          // 4.6.3. Save the exchange and return `response`.
+          // 4.7.3. Save the exchange (and call any non-blocking callback
+          // in the step) and return `response`.
           await _updateExchange({workflow, exchange, meta, step});
           return response;
         }
 
-        // 4.7. Set `issueToClient` to `true` if `step.issueRequests` includes
+        // 4.8. Set `issueToClient` to `true` if `step.issueRequests` includes
         // any issuer requests for VCs that are to be sent to the client
         // (`issueRequest.result` is NOT set), otherwise set it to `false`.
         const issueRequestsParams = getIssueRequestsParams({
@@ -347,27 +366,28 @@ export class ExchangeProcessor {
         });
         const issueToClient = issueRequestsParams.some(p => !p.result);
 
-        // 4.8. If `step.verifiablePresentation` is set or `issueToClient` is
+        // 4.9. If `step.verifiablePresentation` is set or `issueToClient` is
         // `true`:
         if(step.verifiablePresentation || issueToClient) {
-          // 4.8.1. If `response` is not `null`
+          // 4.9.1. If `response` is not `null`
           if(response) {
-            // 4.8.1.1. If `response.verifiablePresentationRequest` is not set,
+            // 4.9.1.1. If `response.verifiablePresentationRequest` is not set,
             // set it to an empty object (to indicate that the exchange is
             // not yet complete).
             if(!response.verifiablePresentationRequest) {
               response.verifiablePresentationRequest = {};
             }
-            // 4.8.1.2. Save the exchange.
+            // 4.9.1.2. Save the exchange (and call any non-blocking callback
+            // in the step).
             await _updateExchange({workflow, exchange, meta, step});
-            // 4.8.1.3. Return `response`.
+            // 4.9.1.3. Return `response`.
             return response;
           }
 
-          // 4.8.2. Set `response` to an empty object.
+          // 4.9.2. Set `response` to an empty object.
           response = {};
 
-          // 4.8.3. If `step.verifiablePresentation` is set, set
+          // 4.9.3. If `step.verifiablePresentation` is set, set
           // `response.verifiablePresentation` to a copy of it, otherwise
           // set `response.verifiablePresentation` to a new, empty,
           // Verifiable Presentation (using VCDM 2.0 by default, but a custom
@@ -380,14 +400,14 @@ export class ExchangeProcessor {
         // issuance has been triggered
         issuanceTriggered = true;
 
-        // 4.9. Perform every issue request (optionally in parallel), returning
-        // an error response to the client if any fails (note: implementations
-        // can optionally implement failure recovery or retry issue requests at
-        // their own discretion):
-        // 4.9.1. For each issue request where `result` is set to an exchange
+        // 4.10. Perform every issue request (optionally in parallel),
+        // returning an error response to the client if any fails (note:
+        // implementations can optionally implement failure recovery or retry
+        // issue requests at their own discretion):
+        // 4.10.1. For each issue request where `result` is set to an exchange
         // variable path or name, save the issued credential in the referenced
         // exchange variable.
-        // 4.9.2. For each issue request where `result` is not specified, save
+        // 4.10.2. For each issue request where `result` is not specified, save
         // the issued credential in `response.verifiablePresentation`, i.e.,
         // for a VCDM presentation, append the issued credential to
         // `response.verifiablePresentation.verifiableCredential`.
@@ -396,44 +416,45 @@ export class ExchangeProcessor {
           verifiablePresentation: response?.verifiablePresentation
         });
 
-        // 4.10. If `response.verifiablePresentation` is set and the step
+        // 4.11. If `response.verifiablePresentation` is set and the step
         // configuration indicates it should be signed, sign the presentation
         // (e.g., by using a VCALM holder instance's `/presentations/create`
         // endpoint).
         // FIXME: implement
         //if(response?.verifiablePresentation) {}
 
-        // 4.11. If `step.redirectUrl` is set:
+        // 4.12. If `step.redirectUrl` is set:
         if(step.redirectUrl) {
-          // 4.11.1. If `response` is `null` then set it to an empty object.
+          // 4.12.1. If `response` is `null` then set it to an empty object.
           if(!response) {
             response = {};
           }
-          // 4.11.2. Set `response.redirectUrl` to `step.redirectUrl`.
+          // 4.12.2. Set `response.redirectUrl` to `step.redirectUrl`.
           response.redirectUrl = step.redirectUrl;
         }
 
-        // 4.12. If `step.nextStep` is not set then set `exchange.state` to
+        // 4.13. If `step.nextStep` is not set then set `exchange.state` to
         // `complete`.
         if(!step.nextStep) {
           exchange.state = 'complete';
         } else {
-          // 4.13. Otherwise, delete `exchange.variables.results[step.nextStep]`
+          // 4.14. Otherwise, delete `exchange.variables.results[step.nextStep]`
           // if it exists, and set `exchange.step` to `step.nextStep`.
           delete exchange.variables.results[step.nextStep];
           exchange.step = step.nextStep;
         }
 
-        // 4.14. Save the exchange.
+        // 4.15. Save the exchange (and call any non-blocking callback in
+        // the step).
         await _updateExchange({workflow, exchange, meta, step});
 
-        // 4.15. If `exchange.state` is `complete`, return `response` if it is
+        // 4.16. If `exchange.state` is `complete`, return `response` if it is
         // not `null`, otherwise return an empty object.
         if(exchange.state === 'complete') {
           return response ?? {};
         }
 
-        // 4.16. Set `receivedPresentation` to `null`.
+        // 4.17. Set `receivedPresentation` to `null`.
         receivedPresentation = null;
       }
     } catch(e) {

package/lib/helpers.js

@@ -2,7 +2,6 @@
  * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as vcjwt from './vcjwt.js';
 import {decodeId, generateId} from 'bnid';
 import {compile} from '@bedrock/validation';
 import {Ed25519Signature2020} from '@digitalbazaar/ed25519-signature-2020';
@@ -22,16 +21,6 @@ const ALLOWED_ERROR_KEYS = [
   'status'
 ];
 
-const JWT_FORMAT_ALIASES = new Set([
-  'application/jwt',
-  'application/vc+jwt',
-  'application/vp+jwt',
-  'jwt_vp',
-  'jwt_vp_json',
-  'jwt_vc_json-ld',
-  'jwt_vc_json'
-]);
-
 export function buildPresentationFromResults({
   presentation, verifyResult
 }) {
@@ -358,44 +347,6 @@ export function stripStacktrace(error) {
   return error;
 }
 
-export async function unenvelopeCredential({
-  envelopedCredential, format
-} = {}) {
-  const result = _getEnvelope({envelope: envelopedCredential, format});
-
-  // only supported format is VC-JWT at this time
-  const credential = vcjwt.decodeVCJWTCredential({jwt: result.envelope});
-  return {credential, ...result};
-}
-
-export async function unenvelopePresentation({
-  envelopedPresentation, format
-} = {}) {
-  const result = _getEnvelope({envelope: envelopedPresentation, format});
-
-  // only supported format is VC-JWT at this time
-  const presentation = vcjwt.decodeVCJWTPresentation({jwt: result.envelope});
-
-  // unenvelope any VCs in the presentation
-  let {verifiableCredential = []} = presentation;
-  if(!Array.isArray(verifiableCredential)) {
-    verifiableCredential = [verifiableCredential];
-  }
-  if(verifiableCredential.length > 0) {
-    presentation.verifiableCredential = await Promise.all(
-      verifiableCredential.map(async vc => {
-        if(vc?.type !== 'EnvelopedVerifiableCredential') {
-          return vc;
-        }
-        const {credential} = await unenvelopeCredential({
-          envelopedCredential: vc
-        });
-        return credential;
-      }));
-  }
-  return {presentation, ...result};
-}
-
 export async function validateStep({step} = {}) {
   // FIXME: use `ajv` and do JSON schema check
   if(Object.keys(step).length === 0) {
@@ -423,32 +374,6 @@ export async function validateStep({step} = {}) {
   }
 }
 
-function _getEnvelope({envelope, format}) {
-  const isString = typeof envelope === 'string';
-  if(isString) {
-    // supported formats
-    if(JWT_FORMAT_ALIASES.has(format)) {
-      format = 'application/jwt';
-    }
-  } else {
-    const {id} = envelope;
-    if(id?.startsWith('data:application/jwt,')) {
-      format = 'application/jwt';
-      envelope = id.slice('data:application/jwt,'.length);
-    }
-  }
-
-  if(format === 'application/jwt' && envelope !== undefined) {
-    return {envelope, format};
-  }
-
-  throw new BedrockError(
-    `Unsupported credential or presentation envelope format "${format}".`, {
-      name: 'NotSupportedError',
-      details: {httpStatusCode: 400, public: true}
-    });
-}
-
 export function validateVerifiablePresentation({schema, presentation}) {
   const validate = compile({schema});
   const {valid, error} = validate(presentation);

package/lib/oid4/authorizationRequest.js

@@ -12,6 +12,9 @@ import {randomUUID} from 'node:crypto';
 
 const {util: {BedrockError}} = bedrock;
 
+const ENCRYPTED_RESPONSE_MODES = new Set([
+  'direct_post.jwt', 'dc_api.jwt', 'dc_api'
+]);
 const OID4VP_JWT_TYP = 'oauth-authz-req+jwt';
 const TEXT_ENCODER = new TextEncoder();
 
@@ -28,6 +31,7 @@ export async function create({
   // get params from step OID4VP client profile to apply to the AR
   const {
     client_id, client_id_scheme,
+    dcql_query,
     nonce,
     presentation_definition,
     response_mode, response_uri
@@ -37,6 +41,10 @@ export async function create({
   // client_id_scheme (draft versions of OID4VP use this param)
   authorizationRequest.client_id_scheme = client_id_scheme ?? 'redirect_uri';
 
+  // dcql_query
+  authorizationRequest.dcql_query = dcql_query ??
+    authorizationRequest.dcql_query;
+
   // presentation_definition
   authorizationRequest.presentation_definition = presentation_definition ??
     authorizationRequest.presentation_definition;
@@ -175,8 +183,8 @@ async function _createClientMetaData({
     client_metadata.require_signed_request_object = true;
   }
 
-  // for response mode `direct_post.jwt`, offer encryption options
-  if(authorizationRequest.response_mode === 'direct_post.jwt') {
+  // offer encryption options for encrypted response modes
+  if(ENCRYPTED_RESPONSE_MODES.has(authorizationRequest.response_mode)) {
     // generate ECDH-ES P-256 key
     const kp = await generateKeyPair('ECDH-ES', {
       crv: 'P-256', extractable: true

package/lib/oid4/authorizationResponse.js

@@ -8,7 +8,6 @@ import {
 } from '../../schemas/bedrock-vc-workflow.js';
 import {compile} from '@bedrock/validation';
 import {oid4vp} from '@digitalbazaar/oid4-client';
-import {unenvelopePresentation} from '../helpers.js';
 
 const {util: {BedrockError}} = bedrock;
 
@@ -27,58 +26,46 @@ bedrock.events.on('bedrock.init', () => {
   });
 });
 
-export async function parse({req, exchange, clientProfileId} = {}) {
+export async function parse({
+  req, exchange, clientProfileId, authorizationRequest
+} = {}) {
   try {
     const {body} = req;
     const {
-      responseMode, parsed, protectedHeader
+      responseMode, parsed, protectedHeader,
+      recipientPublicJwk, recipientPublicJwkThumbprint,
+      vpTokenMediaType
     } = await oid4vp.verifier.parseAuthorizationResponse({
       body,
       getDecryptParameters() {
         return _getDecryptParameters({exchange, clientProfileId});
-      }
+      },
+      authorizationRequest
     });
 
-    // validate parsed presentation submission
+    // validate parsed presentation submission if given
     const {presentationSubmission} = parsed;
-    _validate(VALIDATORS.presentationSubmission, presentationSubmission);
+    if(presentationSubmission) {
+      _validate(VALIDATORS.presentationSubmission, presentationSubmission);
+    }
 
     // obtain `presentation` and optional `envelope` from parsed `vpToken`
     const {vpToken} = parsed;
     let presentation;
     let envelope;
 
-    if(oid4vp.authzResponse.submitsFormat({
-      presentationSubmission, format: 'mso_mdoc'
-    })) {
-      // `vp_token` is declared to be a base64url-encoded mDL device response
-      presentation = {
-        '@context': VC_CONTEXT_2,
-        id: `data:application/mdl-vp-token,${vpToken}`,
-        type: 'EnvelopedVerifiablePresentation'
-      };
-    } else if(typeof vpToken === 'string') {
-      // FIXME: remove unenveloping here and delegate it to VC API verifier;
-      // FIXME: check if envelope matches submission once verified
-      const {
-        envelope: raw, presentation: contents, format
-      } = await unenvelopePresentation({
-        envelopedPresentation: vpToken,
-        // FIXME: check `presentationSubmission` for VP format
-        format: 'application/jwt'
-      });
-      _validate(VALIDATORS.presentation, contents);
+    if(vpTokenMediaType !== 'application/vp') {
+      // `vp_token` contains some enveloped format
       presentation = {
         '@context': VC_CONTEXT_2,
-        id: `data:${format},${raw}`,
+        id: `data:${vpTokenMediaType},${vpToken}`,
         type: 'EnvelopedVerifiablePresentation'
       };
-      envelope = {raw, contents, format};
+      envelope = {mediaType: vpTokenMediaType};
     } else {
-      // simplest case: `vpToken` is a VP; validate it
+      // simplest case: `vpToken` is a VP; validate it against basic schema
       presentation = vpToken;
       _validate(VALIDATORS.presentation, presentation);
-      // FIXME: validate VP against presentation submission
     }
 
     return {
@@ -86,7 +73,9 @@ export async function parse({req, exchange, clientProfileId} = {}) {
       presentationSubmission,
       presentation,
       envelope,
-      protectedHeader
+      protectedHeader,
+      recipientPublicJwk,
+      recipientPublicJwkThumbprint
     };
   } catch(cause) {
     throw new BedrockError(

package/lib/oid4/http.js

@@ -405,7 +405,7 @@ function _normalizeCredentials({verifiablePresentation}) {
   // use raw format for each credential
   const {verifiableCredential} = verifiablePresentation;
   return verifiableCredential.map(vc => {
-    // parse any enveloped VC into its non-VC format
+    // parse any JWT-enveloped VC into its non-VC format
     if(vc.type === 'EnvelopedVerifiableCredential' &&
       vc.id?.startsWith('data:application/jwt,')) {
       return vc.id.slice('data:application/jwt,'.length);

package/lib/oid4/oid4vp.js

@@ -138,15 +138,8 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
   const {config: workflow} = req.serviceObject;
   const exchangeRecord = await req.getExchange();
 
-  // ensure authz response can be parsed
-  const {
-    presentation, envelope, presentationSubmission,
-    responseMode, protectedHeader
-  } = await parseAuthorizationResponse({
-    req, exchange: exchangeRecord.exchange, clientProfileId
-  });
-
   // process exchange and produce result
+  let parseResponseResult;
   const result = {};
   const exchangeProcessor = new ExchangeProcessor({
     workflow, exchangeRecord,
@@ -156,15 +149,11 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
       });
       result.authorizationRequest = authorizationRequest;
 
-      // ensure response mode matches
-      if(responseMode !== authorizationRequest.response_mode) {
-        throw new BedrockError(
-          `The used response mode ("${responseMode}") does not match the ` +
-          `expected response mode ("${authorizationRequest.response_mode}".`, {
-            name: 'ConstraintError',
-            details: {httpStatusCode: 400, public: true}
-          });
-      }
+      // ensure authz response can be parsed
+      parseResponseResult = await parseAuthorizationResponse({
+        req, exchange: exchangeRecord.exchange, clientProfileId,
+        authorizationRequest
+      });
 
       // only mark exchange complete if there is nothing to be issued; this
       // handles same-step OID4VCI+OID4VP case
@@ -178,6 +167,9 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
       if(redirect_uri) {
         result.redirect_uri = redirect_uri;
       }
+
+      const {presentation: receivedPresentation} = parseResponseResult;
+      return {receivedPresentation};
     },
     inputRequired({step}) {
       // indicate input always required to avoid automatically advancing
@@ -199,26 +191,61 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
       verifyPresentationOptions.challenge = authorizationRequest.nonce;
       verifyPresentationOptions.domain = authorizationRequest.response_uri;
 
-      // if `direct_post.jwt` used w/ mDL presentation, include `mDL` options
-      if(responseMode === 'direct_post.jwt' &&
-        oid4vp.authzResponse.submitsFormat({
-          presentationSubmission, format: 'mso_mdoc'
-        })) {
+      // FIXME: OID4VP 1.0+ does not have a presentation submission
+      // handle mDL submission
+      const {envelope} = parseResponseResult;
+      if(envelope?.mediaType === 'application/mdl-vp-token') {
+        // generate `handover` for mDL verification
+        let handover;
+
+        // common `handover` parameters:
+        const origin = authorizationRequest?.expected_origins?.[0] ??
+          new URL(authorizationRequest.response_uri).origin;
+        const nonce = authorizationRequest.nonce;
+
+        // `direct_post.jwt` => ISO18013-7 Annex B
+        // FIXME: same response mode is also used for OID4VP 1.0 with
+        // `OpenID4VPHandover` where `presentationSubmission` will be absent;
+        // this is not yet supported
+        // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-invocation-via-redirects
+        const {responseMode} = parseResponseResult;
+        if(responseMode === 'direct_post.jwt') {
+          handover = {
+            type: 'AnnexBHandover',
+            // per ISO 18013-7 B the `mdocGeneratedNonce` is base64url-encoded
+            // and put into the `apu` protected header parameter, so parse that
+            // here and convert it to a UTF-8 string instead
+            mdocGeneratedNonce: Buffer
+              .from(parseResponseResult.protectedHeader?.apu ?? '', 'base64url')
+              .toString('utf8'),
+            clientId: authorizationRequest.client_id,
+            responseUri: authorizationRequest.response_uri,
+            verifierGeneratedNonce: nonce
+          };
+        } else if(responseMode === 'dc_api') {
+          // `dc_api` => ISO18013-7 Annex C
+          handover = {
+            type: 'dcapi',
+            origin,
+            nonce,
+            recipientPublicJwk: parseResponseResult.recipientPublicJwk
+          };
+        } else if(responseMode === 'dc_api.jwt') {
+          // `dc_api.jwt` => ISO18013-7 Annex D
+          handover = {
+            type: 'OpenID4VPDCAPIHandover',
+            origin,
+            nonce,
+            jwkThumbprint: parseResponseResult.recipientPublicJwkThumbprint
+          };
+        }
+
         verifyPresentationOptions.mdl = {
           ...verifyPresentationOptions.mdl,
-          // note: in session transcript:
-          // `domain` option above will be used for `responseUri`
-          // `challenge` option above will be used for `verifierGeneratedNonce`
-          // so do not send here to avoid redundancy
-          sessionTranscript: {
-            // per ISO 18013-7 the `mdocGeneratedNonce` is base64url-encoded
-            // and put into the `apu` protected header parameter -- and the
-            // VC API `mdl.sessionTranscript` option expects the
-            // `mdocGeneratedNonce` to be base64url-encoded, so we can pass
-            // it straight through
-            mdocGeneratedNonce: protectedHeader.apu,
-            clientId: authorizationRequest.client_id
-          }
+          // send encoded mDL `sessionTranscript`
+          sessionTranscript: Buffer
+            .from(await oid4vp.mdl.encodeSessionTranscript({handover}))
+            .toString('base64url')
         };
       }
 
@@ -234,6 +261,7 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
       });
 
       // save OID4VP results in exchange
+      const {presentationSubmission} = parseResponseResult;
       exchange.variables.results[exchange.step] = {
         ...exchange.variables.results[exchange.step],
         openId: {
@@ -242,7 +270,9 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
           presentationSubmission
         }
       };
-      if(envelope) {
+      // FIXME: do w/o `parseResponseResult.envelope` to eliminate envelope
+      // parsing (let verifier do it)
+      if(parseResponseResult.envelope) {
         // include enveloped VP in step result
         exchange.variables.results[exchange.step]
           .envelopedPresentation = presentation;
@@ -251,7 +281,7 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
       return verifyResult;
     }
   });
-  await exchangeProcessor.process({receivedPresentation: presentation});
+  await exchangeProcessor.process();
 
   return result;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-delivery",
-  "version": "7.11.3",
+  "version": "7.12.0",
   "type": "module",
   "description": "Bedrock Verifiable Credential Delivery",
   "main": "./lib/index.js",
@@ -40,7 +40,7 @@
     "@digitalbazaar/ed25519-signature-2020": "^5.4.0",
     "@digitalbazaar/ezcap": "^4.1.0",
     "@digitalbazaar/http-client": "^4.2.0",
-    "@digitalbazaar/oid4-client": "^5.6.3",
+    "@digitalbazaar/oid4-client": "^5.8.0",
     "@digitalbazaar/vc": "^7.2.0",
     "@digitalbazaar/webkms-client": "^14.2.0",
     "assert-plus": "^1.0.0",

package/schemas/bedrock-vc-workflow.js

@@ -460,6 +460,14 @@ const oid4vpClientProfile = {
     client_id: {type: 'string'},
     client_id_scheme: {type: 'string'},
     client_metadata: {type: 'object'},
+    dcql_query: {type: 'object'},
+    expected_origins: {
+      type: 'array',
+      minItems: 1,
+      items: {
+        type: 'string'
+      }
+    },
     nonce: {type: 'string'},
     presentation_definition: {type: 'object'},
     response_mode: {type: 'string'},