@cosmicdrift/kumiko-framework 0.1.0

package/src/secrets/rotation.ts

@@ -0,0 +1,34 @@
+// KEK rotation: unwrap the DEK with the OLD kekVersion, re-wrap with the
+// CURRENT one. The ciphertext never changes — this is why envelope
+// encryption makes rotation affordable on large tables.
+
+import type { Envelope, MasterKeyProvider } from "./types";
+
+// Re-wrap the DEK of a single envelope so it references the current KEK
+// version. No-op when the envelope is already current (caller-side this
+// means "filter WHERE kekVersion != currentVersion" before calling).
+export async function rewrapDek(
+  envelope: Envelope,
+  provider: MasterKeyProvider,
+): Promise<Envelope> {
+  if (envelope.kekVersion === provider.currentVersion()) {
+    return envelope;
+  }
+  // Unwrap with the old KEK. Provider must still know the old version
+  // (keyring contains both until ops retires the old KEK).
+  const dek = await provider.unwrapDek(envelope.encryptedDek, envelope.kekVersion);
+  try {
+    const { encryptedDek, kekVersion } = await provider.wrapDek(dek);
+    return {
+      ciphertext: envelope.ciphertext,
+      iv: envelope.iv,
+      authTag: envelope.authTag,
+      encryptedDek,
+      kekVersion,
+    };
+  } finally {
+    // Zero the unwrapped DEK — it was held in plaintext only long enough
+    // to wrap it again.
+    dek.fill(0);
+  }
+}

package/src/secrets/types.ts

@@ -0,0 +1,107 @@
+// Envelope Encryption types. Separating DEK (per-value) from KEK (central)
+// is what makes key rotation cheap: on rotation we only re-wrap the small
+// encryptedDek, never touch the ciphertext.
+
+import type { TenantId } from "../engine";
+
+// Plaintext-secret wrapper (branded). Carries the actual string internally
+// but the nominal typing stops it from landing in an HTTP response by
+// accident — a response-serializer guard + the reveal() cost make the leak
+// intentional. Framework code that sees `Secret<string>` knows the caller
+// has already gone through the audited ctx.secrets.get path.
+//
+// The brand is a real (non-registered) Symbol so it exists at runtime for
+// isSecret() without clashing with user-land symbols of the same name.
+const SecretBrand: unique symbol = Symbol("kumiko.secret");
+
+export type Secret<T = string> = {
+  readonly [SecretBrand]: true;
+  readonly reveal: () => T;
+};
+
+// Implementation helper — bundled-features uses this to wrap a plaintext after
+// decryption. Kept in the framework so both sides share one canonical brand.
+export function createSecret<T>(value: T): Secret<T> {
+  return {
+    [SecretBrand]: true as const,
+    reveal: () => value,
+  };
+}
+
+// True for any object carrying the Secret brand. Used by the response guard
+// to reject leaks before serialization.
+export function isSecret(v: unknown): v is Secret<unknown> {
+  return typeof v === "object" && v !== null && SecretBrand in v;
+}
+
+// Per-read audit context. Populated by requireSecretsContext() wrapper so
+// handlers don't need to pass userId/handlerName manually on every call.
+// Undefined for framework-internal reads (rotation job, tests) — the audit
+// table stays a "who touched this credential" log, not a crash-report sink.
+export type SecretAuditContext = {
+  readonly userId: string;
+  readonly handlerName: string;
+};
+
+// Feature code can pass either the raw qualified-name string or a typed
+// handle returned by r.secret. The handle form is safer — renaming the
+// r.secret call updates all references through the import graph.
+export type SecretKeyRef = string | { readonly name: string };
+
+// The ctx.secrets contract. Concrete implementation lives in bundled-features
+// (createSecretsContext) where the DB and MasterKeyProvider are known. This
+// lean interface is what the framework's HandlerContext carries so engine
+// code can talk about it without pulling in bundled-features.
+export interface SecretsContext {
+  get(
+    tenantId: TenantId,
+    key: SecretKeyRef,
+    auditCtx?: SecretAuditContext,
+  ): Promise<Secret<string> | undefined>;
+  set(
+    tenantId: TenantId,
+    key: SecretKeyRef,
+    value: string,
+    opts?: { redact?: (plaintext: string) => string; hint?: string; updatedBy?: string },
+  ): Promise<void>;
+  delete(tenantId: TenantId, key: SecretKeyRef, opts?: { deletedBy?: string }): Promise<boolean>;
+}
+
+export type Envelope = {
+  // AES-256-GCM ciphertext of the plaintext, keyed with a DEK.
+  readonly ciphertext: Buffer;
+  // GCM nonce (12 bytes). Generated fresh per encryption.
+  readonly iv: Buffer;
+  // GCM auth tag (16 bytes). Guarantees the ciphertext wasn't tampered.
+  readonly authTag: Buffer;
+  // DEK wrapped with the current KEK. Decryption needs provider.unwrapDek
+  // with the kekVersion to recover the DEK.
+  readonly encryptedDek: Buffer;
+  // Which KEK version was used to wrap the DEK. On rotation, rows with old
+  // versions still decrypt — the provider keeps a keyring of historical KEKs.
+  readonly kekVersion: number;
+};
+
+// The contract a KEK backend must fulfil. The framework sees only this
+// interface; concrete implementations live in separate packages
+// (@cosmicdrift/kumiko-secrets-vault, @cosmicdrift/kumiko-secrets-aws-kms, ...). The default is
+// EnvMasterKeyProvider which reads keys from environment variables.
+export interface MasterKeyProvider {
+  // Wrap a fresh DEK with the current KEK. Returns the wrapped bytes + the
+  // KEK version used — the version ends up in the Envelope so decryption
+  // later knows which KEK to ask for.
+  wrapDek(dek: Buffer): Promise<{ encryptedDek: Buffer; kekVersion: number }>;
+
+  // Unwrap a previously-wrapped DEK. During rotation the provider must
+  // accept older kekVersion values (2-version window minimum), otherwise
+  // old rows become unreadable.
+  unwrapDek(encryptedDek: Buffer, kekVersion: number): Promise<Buffer>;
+
+  // Which KEK version new wraps use. Rotation flips this to a new value
+  // and older-version reads continue to work until rows are re-wrapped.
+  currentVersion(): number;
+
+  // Health check: can the provider talk to its backend? Used by
+  // /health/ready. Cheap probe, no KEK material read.
+  isAvailable(): Promise<boolean>;
+}

package/src/stack/db.ts

@@ -0,0 +1,104 @@
+import { drizzle } from "drizzle-orm/postgres-js";
+import postgres from "postgres";
+import { generateId } from "../utils";
+
+function requireEnv(name: string): string {
+  const value = process.env[name];
+  if (!value) {
+    throw new Error(
+      `Missing required env var: ${name}. Copy .env.example to .env and fill in values.`,
+    );
+  }
+  return value;
+}
+
+export type TestDb = {
+  db: ReturnType<typeof drizzle>;
+  client: ReturnType<typeof postgres>;
+  dbName: string;
+  cleanup: () => Promise<void>;
+};
+
+export type CreateTestDbOptions = {
+  /** Override TEST_DATABASE_URL. Rare — mostly for tests that want a
+   *  non-default Postgres (e.g. a read-replica probe). */
+  readonly baseUrl?: string;
+  /** Use a specific DB name instead of the default
+   *  `kumiko_test_<8chars>`. Combined with `persistent: true`, lets a
+   *  dev server keep state across restarts. Must be a legal Postgres
+   *  identifier — the caller is responsible for matching the usual
+   *  [a-z_0-9]+ shape. */
+  readonly dbName?: string;
+  /** When true, cleanup() is a no-op and the DB survives. Also
+   *  changes CREATE DATABASE to IF-NOT-EXISTS semantics so restarts
+   *  reuse the same storage. Default false (test contract: fresh DB
+   *  per call, dropped on cleanup). */
+  readonly persistent?: boolean;
+};
+
+/**
+ * Accepts a baseUrl string (legacy shorthand used by most tests) OR an
+ * options object. The string form is kept because thousands of tests
+ * call `createTestDb()` with no args; only dev-server and niche tests
+ * need the options form.
+ */
+export async function createTestDb(arg?: string | CreateTestDbOptions): Promise<TestDb> {
+  const opts: CreateTestDbOptions = typeof arg === "string" ? { baseUrl: arg } : (arg ?? {});
+  const url = opts.baseUrl ?? requireEnv("TEST_DATABASE_URL");
+  // slice(-8) — the last 8 hex chars of a UUIDv7 are pure random (the
+  // front 48 bits are a timestamp, which would collide across workers
+  // that start within the same millisecond).
+  const dbName = opts.dbName ?? `kumiko_test_${generateId().slice(-8)}`;
+  const adminUrl = url.replace(/\/[^/]+$/, "/postgres");
+
+  const adminClient = postgres(adminUrl);
+  try {
+    if (opts.persistent) {
+      // Postgres has no CREATE DATABASE IF NOT EXISTS; emulate with a
+      // catalog probe so restarts are idempotent.
+      const existing = await adminClient<{ exists: boolean }[]>`
+        SELECT EXISTS (SELECT 1 FROM pg_database WHERE datname = ${dbName}) AS exists
+      `;
+      if (!existing[0]?.exists) {
+        await adminClient.unsafe(`CREATE DATABASE "${dbName}"`);
+      }
+    } else {
+      await adminClient.unsafe(`CREATE DATABASE "${dbName}"`);
+    }
+  } finally {
+    await adminClient.end();
+  }
+
+  const testUrl = url.replace(/\/[^/]+$/, `/${dbName}`);
+  const client = postgres(testUrl);
+  const db = drizzle(client);
+
+  // Every ES-entity writes events; auto-create the events table so tests that
+  // go straight to createTestDb (not setupTestStack) also work out of the box.
+  // In persistent mode this is idempotent: createEventsTable emits IF NOT
+  // EXISTS so a second boot is a no-op.
+  const { createEventsTable } = await import("../event-store");
+  await createEventsTable(db);
+
+  return {
+    db,
+    client,
+    dbName,
+    cleanup: async () => {
+      await client.end();
+      // Persistent mode: dev-server owns the DB lifecycle — don't drop
+      // on process exit. `yarn kumiko clean-test-dbs` is the escape
+      // hatch when you really want to start over.
+      if (!opts.persistent) {
+        const admin = postgres(adminUrl);
+        try {
+          await admin.unsafe(`DROP DATABASE IF EXISTS "${dbName}"`);
+        } finally {
+          await admin.end();
+        }
+      }
+    },
+  };
+}
+
+export { requireEnv };

package/src/stack/event-collector.ts

@@ -0,0 +1,23 @@
+import type { SseEvent } from "../api/sse-broker";
+import type { SaveContext } from "../engine/types";
+
+export type EventCollector = {
+  readonly sse: SseEvent[];
+  readonly postSave: SaveContext[];
+  /** Clears all collected events — call in beforeEach for per-test isolation */
+  reset(): void;
+};
+
+export function createEventCollector(): EventCollector {
+  const sse: SseEvent[] = [];
+  const postSave: SaveContext[] = [];
+
+  return {
+    sse,
+    postSave,
+    reset() {
+      sse.length = 0;
+      postSave.length = 0;
+    },
+  };
+}

package/src/stack/index.ts

@@ -0,0 +1,32 @@
+// Runtime-safe Stack-Builder. Was hier liegt, wird vom dev-server zum Hochfahren
+// einer kompletten Kumiko-Instanz genutzt — DB, Redis, Hono-App, Dispatcher,
+// SSE-Broker. Die Files heißen historisch `test*` (createTestDb,
+// setupTestStack, TestUsers, …), bedienen aber heute Dev- UND Test-Code: das
+// ist genau derselbe Hochfahr-Pfad, nur einmal mit ephemeral-DB (test) und
+// einmal mit persistent-DB (dev).
+//
+// Wichtig: dieses Modul darf KEINE vitest-Imports enthalten und keine
+// Vitest-only Helper transitiv ziehen — sonst crasht jedes Tooling, das den
+// dev-server unter Node lädt (drizzle-kit, build-scripts).
+
+export {
+  type CreateTestDbOptions,
+  createTestDb,
+  type TestDb,
+} from "./db";
+export { createEventCollector, type EventCollector } from "./event-collector";
+export { createTestRedis, type TestRedis } from "./redis";
+export { createRequestHelper, type RequestHelper } from "./request-helper";
+export {
+  createEntityTable,
+  ensureEntityTable,
+  pushTables,
+  resetEventStore,
+} from "./table-helpers";
+export { setupTestStack, type TestStack, type TestStackOptions } from "./test-stack";
+export {
+  createTestUser,
+  TestUsers,
+  testTenantId,
+  testUserId,
+} from "./test-users";

package/src/stack/redis.ts

@@ -0,0 +1,44 @@
+import { generateId } from "../utils";
+import { requireEnv } from "./db";
+
+export type TestRedis = {
+  redis: import("ioredis").default;
+  /** Delete every key this test created (prefix-scoped). Replaces the old
+   *  `redis.flushdb()` — that wiped other parallel tests' BullMQ state. */
+  flushNamespace: () => Promise<void>;
+  cleanup: () => Promise<void>;
+};
+
+export async function createTestRedis(): Promise<TestRedis> {
+  const Redis = (await import("ioredis")).default;
+  const redisUrl = requireEnv("REDIS_URL");
+  // Every test gets a per-file key prefix on a shared DB (no DB-pool-of-15
+  // round-robin). Collisions at birthday-paradox rates are gone — the
+  // prefix space is unbounded. See Track B.3 in docs/plans/tests-refactor.
+  const prefix = `kt:${generateId().slice(-8)}:`;
+  const redis = new Redis(redisUrl, { keyPrefix: prefix });
+
+  async function flushNamespace(): Promise<void> {
+    // Open a prefix-less client for the scan — ioredis' keyPrefix is applied
+    // per-command but SCAN's returned keys are full names, so managing the
+    // del set with the prefix already on the connection is error-prone.
+    const raw = new Redis(redisUrl);
+    try {
+      const stream = raw.scanStream({ match: `${prefix}*`, count: 500 });
+      const keys: string[] = [];
+      for await (const batch of stream) keys.push(...batch);
+      if (keys.length > 0) await raw.del(...keys);
+    } finally {
+      raw.disconnect();
+    }
+  }
+
+  return {
+    redis,
+    flushNamespace,
+    cleanup: async () => {
+      await flushNamespace();
+      redis.disconnect();
+    },
+  };
+}

package/src/stack/request-helper.ts

@@ -0,0 +1,168 @@
+import type { Hono } from "hono";
+import type { JwtHelper } from "../api/jwt";
+import type { SessionUser } from "../engine/types";
+
+export type BatchCommand = { type: string; payload: unknown };
+
+export type RequestHelper = {
+  write: (
+    type: string,
+    payload: unknown,
+    user: SessionUser,
+    requestId?: string,
+  ) => Promise<Response>;
+  query: (type: string, payload: unknown, user: SessionUser) => Promise<Response>;
+  command: (type: string, payload: unknown, user: SessionUser) => Promise<Response>;
+  batch: (
+    commands: readonly BatchCommand[],
+    user: SessionUser,
+    requestId?: string,
+  ) => Promise<Response>;
+  raw: (
+    method: string,
+    path: string,
+    body?: unknown,
+    headers?: Record<string, string>,
+  ) => Promise<Response>;
+
+  /** write + json + assert isSuccess — returns data directly */
+  writeOk: <T = Record<string, unknown>>(
+    type: string,
+    payload: unknown,
+    user: SessionUser,
+    requestId?: string,
+  ) => Promise<T>;
+  /** write + json + assert isSuccess === false — returns the structured
+   *  WriteErrorInfo with `httpStatus` filled in from the HTTP response. */
+  writeErr: (
+    type: string,
+    payload: unknown,
+    user: SessionUser,
+  ) => Promise<import("../errors").WriteErrorInfo>;
+  /** query + json — returns data directly */
+  queryOk: <T = unknown>(type: string, payload: unknown, user: SessionUser) => Promise<T>;
+
+  /** write + additional HTTP headers (e.g. X-Correlation-ID). Returns the
+   *  raw Response so callers can assert on status + headers + body as needed. */
+  writeWithHeaders: (
+    type: string,
+    payload: unknown,
+    user: SessionUser,
+    extraHeaders: Record<string, string>,
+  ) => Promise<Response>;
+};
+
+export function createRequestHelper(app: Hono, jwt: JwtHelper): RequestHelper {
+  async function authHeader(user: SessionUser): Promise<Record<string, string>> {
+    const token = await jwt.sign(user);
+    return { Authorization: `Bearer ${token}` };
+  }
+
+  async function req(
+    method: string,
+    path: string,
+    body?: unknown,
+    headers?: Record<string, string>,
+  ): Promise<Response> {
+    const init: RequestInit = {
+      method,
+      headers: { "Content-Type": "application/json", ...headers },
+    };
+    if (body) init.body = JSON.stringify(body);
+    return app.request(path, init);
+  }
+
+  async function writeRaw(
+    type: string,
+    payload: unknown,
+    user: SessionUser,
+    requestId?: string,
+  ): Promise<Response> {
+    const headers = await authHeader(user);
+    return req("POST", "/api/write", { type, payload, requestId }, headers);
+  }
+
+  async function queryRaw(type: string, payload: unknown, user: SessionUser): Promise<Response> {
+    const headers = await authHeader(user);
+    return req("POST", "/api/query", { type, payload }, headers);
+  }
+
+  return {
+    write: writeRaw,
+    query: queryRaw,
+
+    async command(type, payload, user) {
+      const headers = await authHeader(user);
+      return req("POST", "/api/command", { type, payload }, headers);
+    },
+
+    async batch(commands, user, requestId) {
+      const headers = await authHeader(user);
+      return req("POST", "/api/batch", { commands, requestId }, headers);
+    },
+
+    raw: req,
+
+    async writeOk<T = Record<string, unknown>>(
+      type: string,
+      payload: unknown,
+      user: SessionUser,
+      requestId?: string,
+    ): Promise<T> {
+      const res = await writeRaw(type, payload, user, requestId);
+      // wire-body shape direkt nach JSON.parse — Caller-Code prüft danach
+      // selber ob isSuccess/error/data tatsächlich da sind.
+      const body = (await res.json()) as {
+        isSuccess?: boolean;
+        data?: unknown;
+        error?: { code?: string } | string;
+      };
+      // Success path still has { isSuccess: true, data }. Error responses now
+      // follow the error-contract shape { error: { code, i18nKey, ... } } with
+      // a 4xx/5xx status — no isSuccess flag. Detect either.
+      if (body.isSuccess !== true) {
+        const code =
+          (typeof body.error === "object" ? body.error?.code : undefined) ??
+          (typeof body.error === "string" ? body.error : "unknown");
+        throw new Error(`Expected write "${type}" to succeed but got error: ${code}`);
+      }
+      return body.data as T;
+    },
+
+    async writeErr(
+      type: string,
+      payload: unknown,
+      user: SessionUser,
+    ): Promise<import("../errors").WriteErrorInfo> {
+      const res = await writeRaw(type, payload, user);
+      const body = (await res.json()) as {
+        isSuccess?: boolean;
+        error?: Omit<import("../errors").WriteErrorInfo, "httpStatus">;
+      };
+      if (body.isSuccess === true) {
+        throw new Error(`Expected write "${type}" to fail but it succeeded`);
+      }
+      const wire = body.error;
+      if (!wire || typeof wire !== "object" || typeof wire.code !== "string") {
+        throw new Error(
+          `Expected error response for "${type}" but got unexpected shape: ${JSON.stringify(body)}`,
+        );
+      }
+      // The wire body doesn't carry httpStatus (it would be redundant with
+      // the HTTP response status). Fill it in from res.status so callers can
+      // assert against either code OR status without a second request round.
+      return { ...wire, httpStatus: res.status };
+    },
+
+    async queryOk<T = unknown>(type: string, payload: unknown, user: SessionUser): Promise<T> {
+      const res = await queryRaw(type, payload, user);
+      const body = (await res.json()) as { data: unknown };
+      return body.data as T;
+    },
+
+    async writeWithHeaders(type, payload, user, extraHeaders) {
+      const authHeaders = await authHeader(user);
+      return req("POST", "/api/write", { type, payload }, { ...authHeaders, ...extraHeaders });
+    },
+  };
+}

package/src/stack/table-helpers.ts

@@ -0,0 +1,104 @@
+import { generateDrizzleJson, generateMigration } from "drizzle-kit/api";
+import { getTableName, sql } from "drizzle-orm";
+import type { PgTable } from "drizzle-orm/pg-core";
+import type { drizzle } from "drizzle-orm/postgres-js";
+import { tableExists } from "../db/schema-inspection";
+import { buildDrizzleTable, toTableName } from "../db/table-builder";
+import type { TestStack } from "./test-stack";
+
+/**
+ * Syncs a Drizzle table to the database via drizzle-kit migration.
+ * No manual SQL — Drizzle generates CREATE/ALTER TABLE statements.
+ * Strict: raises a postgres `relation already exists` (42P07) error if
+ * the table is already there. Use `ensureEntityTable` for idempotent
+ * boot paths.
+ */
+export async function createEntityTable(
+  db: ReturnType<typeof drizzle>,
+  entity: import("../engine/types").EntityDefinition,
+  entityName?: string,
+): Promise<void> {
+  const table = buildDrizzleTable(entityName ?? "entity", entity);
+  await pushTables(db, { [entityName ?? "entity"]: table });
+}
+
+/**
+ * Idempotent variant of `createEntityTable`: checks whether the entity's
+ * table already exists and skips creation if so. Schema-drift is *not*
+ * detected — if the table is there but has the wrong columns, that's
+ * the caller's problem (the dev-server contract is "drop the DB by
+ * hand when you change the schema"). Tests should use
+ * `createEntityTable` instead, since they rely on fresh DBs.
+ */
+export async function ensureEntityTable(
+  db: ReturnType<typeof drizzle>,
+  entity: import("../engine/types").EntityDefinition,
+  entityName?: string,
+): Promise<boolean> {
+  const resolvedName = entity.table ?? toTableName(entityName ?? "entity");
+  if (await tableExists(db, `public.${resolvedName}`)) return false;
+  await createEntityTable(db, entity, entityName);
+  return true;
+}
+
+/**
+ * Pushes Drizzle table definitions to the database.
+ * Uses drizzle-kit's generateDrizzleJson + generateMigration to produce SQL,
+ * then executes it. Same SQL that `drizzle-kit push` would generate.
+ *
+ * @param prevTables - Previous table definitions (for ALTER TABLE scenarios).
+ *                     If omitted, assumes empty DB (CREATE TABLE).
+ */
+export async function pushTables(
+  db: ReturnType<typeof drizzle>,
+  tables: Record<string, unknown>,
+  prevTables?: Record<string, unknown>,
+): Promise<void> {
+  const prevJson = generateDrizzleJson(prevTables ?? {});
+  const targetJson = generateDrizzleJson(tables);
+  const statements = await generateMigration(prevJson, targetJson);
+  for (const stmt of statements) {
+    await db.execute(sql.raw(stmt));
+  }
+}
+
+/**
+ * Wipes event store + framework-state + the given feature read-models in
+ * one TRUNCATE, then re-registers the event-consumer state rows. Used in
+ * test beforeEach-hooks to return the stack to a clean slate without
+ * rebuilding it.
+ *
+ * Fixed list of framework tables (kumiko_events, kumiko_event_consumers,
+ * kumiko_archived_streams, kumiko_snapshots, kumiko_projections) is always
+ * included — any event-sourced test setup needs those cleared. The
+ * `extraTables` arg covers the feature's own read-model tables that would
+ * otherwise accumulate rows across tests.
+ *
+ * Accepts either a Drizzle PgTable (for locally-defined tables: getTableName
+ * extracts the SQL name) or a plain string (for SQL names whose Drizzle
+ * reference lives in another module and importing it for the TRUNCATE
+ * alone would be overkill). Both round-trip to the same TRUNCATE list.
+ *
+ * Pre-existing code duplicates this block 30+ times, each with its own
+ * list of extras. The helper collapses that to a one-liner per test and
+ * lets a future change to the framework-table set (e.g. adding a new
+ * consumer-state table) ripple through without touching every suite.
+ */
+export async function resetEventStore(
+  stack: TestStack,
+  extraTables: readonly (PgTable | string)[] = [],
+): Promise<void> {
+  const frameworkTables = [
+    "kumiko_events",
+    "kumiko_event_consumers",
+    "kumiko_archived_streams",
+    "kumiko_snapshots",
+    "kumiko_projections",
+  ];
+  const extraNames = extraTables.map((t) => (typeof t === "string" ? t : getTableName(t)));
+  const allTables = [...frameworkTables, ...extraNames];
+  await stack.db.execute(sql.raw(`TRUNCATE ${allTables.join(", ")} RESTART IDENTITY CASCADE`));
+  if (stack.eventDispatcher) {
+    await stack.eventDispatcher.ensureRegistered();
+  }
+}