@fjall/eslint-plugin 2.18.1

package/mask-error-message-at-boundary.js

@@ -0,0 +1,673 @@
+/**
+ * ESLint Rule: mask-error-message-at-boundary
+ *
+ * Flags error-shaped leaf accesses that reach a sink without being wrapped
+ * in `maskSensitiveOutput(...)`.
+ *
+ * Leaf access shapes flagged:
+ *   - `<expr>.error.message` / `<expr>.error?.message`
+ *   - `<expr>.error.reason` / `<expr>.error?.reason`
+ *   - `<bareErrorBinding>.message` / `.reason` where the binding name is
+ *     `err`, `error`, `cause`, or `rejection` (common error-handler param)
+ *   - `<expr>.reason` (Promise rejection / settled-result shape)
+ *   - `<expr>.error` / `<expr>.errorMessage` — server-error envelope reads.
+ *     The webapp's JSON failure shape is `{ error: string }` or
+ *     `{ errorMessage: string }`. Reading either and routing the string to
+ *     a state setter / PostHog trackEvent / logger without masking lands an
+ *     unmasked server-side credential straight into the UI sink. This
+ *     classification SKIPS when the access is itself the .object of another
+ *     non-computed MemberExpression (so `data.error.message` falls back to
+ *     the established `.error.message` path) and when the receiver is an
+ *     ERROR_BINDING name (so `err.error` / `err.errorMessage` — wrapped-
+ *     error shapes — are not double-flagged).
+ *   - `getErrorMessage(...)` / `getErrorStack(...)` / `formatErrorString(...)`
+ *     / `extractMessage(...)` / `formatAwsError(...)` / `formatAwsErrorMessage(...)`
+ *     — helper-indirection shapes that delegate to `error.message` /
+ *     `error.stack` internally. The CallExpression itself is the leaf;
+ *     `findEnclosingSink` is reused to determine whether it reaches a
+ *     flagged sink without `maskSensitiveOutput` in the ancestor chain.
+ *     `getErrorCode` is excluded — return values are short identifier
+ *     codes (ENOENT, AccessDenied), not credential vectors.
+ *   - `<errBinding>.toString()` and `String(<errBinding>)` — coercion
+ *     shapes that produce the same string surface as `.message`.
+ *     Binding name must be in ERROR_BINDING_NAMES; arity must match
+ *     the canonical shape (zero-arg `.toString()` / single-arg `String`).
+ *
+ * Sinks covered:
+ *   - `logger.{info,warn,error,fatal}` / `serverLogger.{…}` (any object
+ *     whose name ends in /logger$/i; `debug` is exempt — verbose opt-in)
+ *   - `console.{log,warn,error}`
+ *   - `*.set<Capital>(...)` — React/Ink state setter (UI sink)
+ *   - bare `set<Capital>(...)` — useState idiom
+ *   - `*.record<Capital>(...)` — tracker / activity-API persistence sink
+ *   - `*.on<Capital>(...)` — callback-shaped boundary (callbacks.onError,
+ *     callbacks.onLog, callbacks.onProgress, callbacks.onStackComplete, …)
+ *   - `new XxxError(...)` — custom-Error ctor sink (any name matching
+ *     /Error$/ except built-in `Error`). The ctor stores the unmasked
+ *     value in `Error.message`, which then propagates to a Result via
+ *     `failure(new XxxError(...))` and reaches downstream sinks
+ *     (loggers, persistence, tracker.recordFailure) without further
+ *     masking opportunity. Catching at the ctor closes the gap before
+ *     the value crosses the Result boundary.
+ *
+ * Complements `require-masked-log-payload`, which targets credential-prone
+ * keys in 3rd-arg logger payload OBJECTS. This rule targets leaf access
+ * shapes regardless of payload structure (template literals, direct
+ * setX(args), record* persistence, callback invocations).
+ *
+ * Per `.claude/rules/security-standards.md § "Credential masking"`
+ * (subsection "Helper-indirection counts"):
+ *
+ *   "Mask at the outermost boundary where output leaves your control —
+ *    callbacks, logs, UI sinks, persistence."
+ *
+ * Required shape:
+ *   deps.setError(maskSensitiveOutput(result.error.message))
+ *   logger.error("X", `failed: ${maskSensitiveOutput(err.error.message)}`)
+ *   callbacks.onError?.(new Error(maskSensitiveOutput(error.message)))
+ *   failure(new AwsExecError(`Failed: ${maskSensitiveOutput(error.message)}`))
+ * Rejected shape:
+ *   deps.setError(result.error.message)
+ *   logger.error("X", `failed: ${err.error.message}`)
+ *   callbacks.onError?.(new Error(error.message))
+ *   failure(new AwsExecError(`Failed: ${error.message}`))
+ *
+ * Exempt contexts:
+ *   - any ancestor CallExpression whose callee is `maskSensitiveOutput`
+ *   - inside `throw` (intentional propagation; caller responsibility) —
+ *     wins over the NewExpression sink, so `throw new XxxError(<leaf>)`
+ *     stays exempt
+ *   - inside `failure(...)` / `success(...)` Result wrappers when the
+ *     wrapped value is a built-in `new Error(...)` or a non-ctor value
+ *     (callers mask at their sinks). When the wrapped value is a custom
+ *     `new XxxError(...)` ctor, the ctor itself is the sink — failure()
+ *     no longer exempts it.
+ *   - built-in `new Error(...)` is not itself a sink — walking continues
+ *     so `callbacks.onError(new Error(<leaf>))` is caught at the callback
+ *     boundary, and `throw new Error(...)` / `failure(new Error(...))`
+ *     remain exempt because the throw / failure ancestor catches them.
+ *
+ * Escape hatch: `// eslint-disable-next-line fjall/mask-error-message-at-boundary`
+ * with a one-line justification when the value is provably non-sensitive
+ * (e.g. an internal-only enum tag wrapped as Error.message).
+ *
+ * Known limitations (interprocedural flow):
+ *   The rule is AST-local. It tracks flow across `VariableDeclarator` /
+ *   `AssignmentExpression` to closure reads, template-literal bind, and
+ *   `makeError(...)` construction within the same function scope. It does
+ *   NOT follow flow across function boundaries — when an error-derived
+ *   string is bound inside one function and returned to a caller that
+ *   then routes it to a sink, the rule cannot connect the two sites.
+ *
+ *   Specifically uncaught:
+ *     - Helper returns an unmasked error message; caller passes the return
+ *       value to a logger / state setter / persistence call.
+ *     - Method on a class stores `err.message` on `this.lastError`; another
+ *       method on the same class reads `this.lastError` and routes it.
+ *     - Async producer rejects with an unmasked Error; consumer's
+ *       `.catch(err => sink(err.message))` is caught (local), but
+ *       `.catch(handleError)` where `handleError` is defined elsewhere
+ *       and routes to a sink is not.
+ *
+ *   These shapes still require manual discipline at the boundary. See
+ *   `.claude/rules/security-standards.md § "Helper-indirection counts"`
+ *   for the rule the linter cannot mechanise.
+ */
+
+const STATE_SETTER_RE = /^set[A-Z]/;
+const STATE_SETTER_DENYLIST = new Set([
+  "setTimeout",
+  "setInterval",
+  "setImmediate"
+]);
+const RECORDER_RE = /^record[A-Z]/;
+const CALLBACK_RE = /^on[A-Z]/;
+const CUSTOM_ERROR_CTOR_RE = /Error$/;
+const LOGGER_RECEIVER_RE = /logger$/i;
+const LOGGER_LEVEL_NAMES = new Set(["info", "warn", "error", "fatal"]);
+const CONSOLE_LEVEL_NAMES = new Set(["log", "warn", "error"]);
+const INTERNAL_PASSTHROUGH_CALLEES = new Set(["failure", "success"]);
+const BUILT_IN_ERROR_CTORS = new Set([
+  "Error",
+  "TypeError",
+  "RangeError",
+  "SyntaxError",
+  "URIError",
+  "EvalError",
+  "ReferenceError"
+]);
+const ERROR_BINDING_NAMES = new Set([
+  "err",
+  "error",
+  "e",
+  "ex",
+  "caught",
+  "cause",
+  "rejection"
+]);
+const ERROR_EXTRACTOR_CALLEES = new Set([
+  "getErrorMessage",
+  "getErrorStack",
+  "formatErrorString",
+  "extractMessage",
+  "formatAwsError",
+  "formatAwsErrorMessage"
+]);
+// `failure(makeError(...))` passthrough would hide this otherwise; sink-status fires at construction.
+const ERROR_BUILDER_CALLEES = new Set(["makeError"]);
+const BOOLEAN_RETURN_METHODS = new Set([
+  "includes",
+  "startsWith",
+  "endsWith",
+  "test",
+  "match",
+  "search",
+  "indexOf",
+  "lastIndexOf"
+]);
+// Lockstep with masking helpers in webapp/scripts/deploymentJobHandler/helpers.ts (maskAndTruncate)
+// and cli/src/util/api/FjallApiClientErrors.ts (maskAndBound). Both call maskSensitiveOutput internally.
+const MASKING_HELPER_CALLEES = new Set([
+  "maskSensitiveOutput",
+  "maskAndTruncate",
+  "maskAndBound"
+]);
+
+/** @type {import('eslint').Rule.RuleModule} */
+export default {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Require maskSensitiveOutput() around <expr>.error.message values that reach logger / state-setter / tracker / activity sinks.",
+      category: "Possible Errors",
+      recommended: true
+    },
+    messages: {
+      unmasked:
+        "Unmasked `{{leaf}}` reaches sink `{{sink}}`. Wrap with maskSensitiveOutput(...) per security-standards.md § 'Where to Mask'."
+    },
+    schema: []
+  },
+
+  create(context) {
+    // Dedup by (ConditionalExpression, sink-label) — masking the whole ternary fixes all branches at once.
+    const reportedConditionalSinks = new Set();
+
+    function reportOnce(node, leafLabel, sinkLabel) {
+      let conditional = null;
+      let p = node.parent;
+      while (p) {
+        if (p.type === "ConditionalExpression") {
+          conditional = p;
+          break;
+        }
+        if (
+          p.type === "FunctionDeclaration" ||
+          p.type === "FunctionExpression" ||
+          p.type === "ArrowFunctionExpression" ||
+          p.type === "Program"
+        ) {
+          break;
+        }
+        p = p.parent;
+      }
+      if (conditional && conditional.range) {
+        const key = `${conditional.range[0]}-${conditional.range[1]}::${sinkLabel}`;
+        if (reportedConditionalSinks.has(key)) return;
+        reportedConditionalSinks.add(key);
+      }
+      context.report({
+        node,
+        messageId: "unmasked",
+        data: { leaf: leafLabel, sink: sinkLabel }
+      });
+    }
+
+    return {
+      MemberExpression(node) {
+        const leaf = classifyErrorLeaf(node, context);
+        if (!leaf) return;
+
+        const sinkInfo = findEnclosingSink(
+          node,
+          context,
+          undefined,
+          leaf.shape
+        );
+        if (!sinkInfo || sinkInfo.kind !== "sink") return;
+
+        reportOnce(node, leaf.label, sinkInfo.label);
+      },
+      CallExpression(node) {
+        const calleeName = getCalleeIdentifierName(node.callee);
+
+        if (calleeName !== null && ERROR_EXTRACTOR_CALLEES.has(calleeName)) {
+          const sinkInfo = findEnclosingSink(
+            node,
+            context,
+            undefined,
+            "strict"
+          );
+          if (!sinkInfo || sinkInfo.kind !== "sink") return;
+          reportOnce(node, `${calleeName}(...)`, sinkInfo.label);
+          return;
+        }
+
+        if (
+          calleeName === "String" &&
+          node.arguments.length === 1 &&
+          node.arguments[0].type === "Identifier" &&
+          ERROR_BINDING_NAMES.has(node.arguments[0].name)
+        ) {
+          const sinkInfo = findEnclosingSink(
+            node,
+            context,
+            undefined,
+            "strict"
+          );
+          if (!sinkInfo || sinkInfo.kind !== "sink") return;
+          reportOnce(node, `String(${node.arguments[0].name})`, sinkInfo.label);
+          return;
+        }
+
+        if (
+          node.arguments.length === 0 &&
+          node.callee.type === "MemberExpression" &&
+          !node.callee.computed &&
+          node.callee.property.type === "Identifier" &&
+          node.callee.property.name === "toString" &&
+          node.callee.object.type === "Identifier" &&
+          ERROR_BINDING_NAMES.has(node.callee.object.name)
+        ) {
+          const sinkInfo = findEnclosingSink(
+            node,
+            context,
+            undefined,
+            "strict"
+          );
+          if (!sinkInfo || sinkInfo.kind !== "sink") return;
+          reportOnce(
+            node,
+            `${node.callee.object.name}.toString()`,
+            sinkInfo.label
+          );
+        }
+      }
+    };
+  }
+};
+
+function classifyErrorLeaf(node, context) {
+  if (
+    node.type !== "MemberExpression" ||
+    node.computed ||
+    node.property.type !== "Identifier"
+  ) {
+    return null;
+  }
+  const propName = node.property.name;
+
+  if (propName === "message" || propName === "reason") {
+    let object = node.object;
+    if (object.type === "ChainExpression") object = object.expression;
+
+    if (
+      object.type === "MemberExpression" &&
+      !object.computed &&
+      object.property.type === "Identifier" &&
+      object.property.name === "error"
+    ) {
+      return { label: `*.error.${propName}`, shape: "strict" };
+    }
+
+    if (object.type === "Identifier" && ERROR_BINDING_NAMES.has(object.name)) {
+      return { label: `${object.name}.${propName}`, shape: "strict" };
+    }
+
+    if (propName === "reason" && object.type === "Identifier") {
+      return { label: `${object.name}.reason`, shape: "strict" };
+    }
+
+    if (
+      propName === "reason" &&
+      object.type === "MemberExpression" &&
+      !object.computed
+    ) {
+      const receiverName = extractReceiverName(object);
+      return {
+        label: receiverName ? `${receiverName}.reason` : "*.reason",
+        shape: "strict"
+      };
+    }
+
+    return null;
+  }
+
+  if (propName === "error" || propName === "errorMessage") {
+    let visualNode = node;
+    let visualParent = node.parent;
+    if (visualParent && visualParent.type === "ChainExpression") {
+      visualNode = visualParent;
+      visualParent = visualParent.parent;
+    }
+    if (
+      visualParent &&
+      visualParent.type === "MemberExpression" &&
+      visualParent.object === visualNode &&
+      !visualParent.computed
+    ) {
+      return null;
+    }
+    if (
+      visualParent &&
+      visualParent.type === "CallExpression" &&
+      visualParent.callee === visualNode
+    ) {
+      return null;
+    }
+
+    let object = node.object;
+    if (object.type === "ChainExpression") object = object.expression;
+    if (object.type === "Identifier" && ERROR_BINDING_NAMES.has(object.name)) {
+      return null;
+    }
+    if (context && isZodSafeParseReceiver(object, context)) {
+      return null;
+    }
+
+    const receiverName = extractReceiverName(object);
+    return {
+      label: receiverName ? `${receiverName}.${propName}` : `*.${propName}`,
+      shape: "envelope"
+    };
+  }
+
+  return null;
+}
+
+/**
+ * Returns true when `objectNode` is an Identifier bound from a
+ * `<schema>.safeParse(...)` call. `parsed.error` in that shape is a
+ * `ZodError` object, not a server-error envelope, and the rule's
+ * credential-leak premise doesn't apply.
+ */
+function isZodSafeParseReceiver(objectNode, context) {
+  if (objectNode.type !== "Identifier") return false;
+  const scope = context.sourceCode.getScope(objectNode);
+  const variable = findVariableInScopeChain(scope, objectNode.name);
+  if (!variable) return false;
+  for (const ref of variable.references) {
+    if (!ref.writeExpr) continue;
+    const init = ref.writeExpr;
+    if (init.type !== "CallExpression") continue;
+    if (init.callee.type !== "MemberExpression") continue;
+    if (init.callee.property.type !== "Identifier") continue;
+    if (init.callee.property.name === "safeParse") return true;
+  }
+  return false;
+}
+
+/**
+ * Walks up from the leaf `.error.message` access. Returns:
+ *   { kind: "exempt" }       — wrapped/internal context, do not flag
+ *   { kind: "sink", label }  — reaches a flagged sink
+ *   null                     — no sink reached (comparison, return value, etc.)
+ *
+ * Stops at function boundaries.
+ *
+ * Custom-Error NewExpression sinks (`new XxxError(...)`) are recorded as a
+ * candidate rather than fired immediately. This lets ThrowStatement and
+ * `maskSensitiveOutput()` ancestors win — `throw new XxxError(error.message)`
+ * stays exempt — while still firing inside `failure()` / `success()` and at
+ * the function boundary.
+ *
+ * When the walk reaches a `VariableDeclarator` init or `AssignmentExpression`
+ * right with an `Identifier` LHS, scope analysis traces the binding's read
+ * references and recursively walks from each. This closes the assignment-
+ * then-use and template-literal-then-bind gaps. `visited` (keyed on the
+ * write site's range+name) prevents cycles when bindings reassign each other.
+ */
+function findEnclosingSink(leaf, context, visited, leafShape) {
+  if (!visited) visited = new Set();
+  if (leafShape === undefined) leafShape = "strict";
+  let previous = leaf;
+  let current = leaf.parent;
+  let candidateSink = null;
+  while (current) {
+    if (current.type === "ThrowStatement") {
+      return { kind: "exempt" };
+    }
+
+    // ConditionalExpression test branch — boolean check, not a value flow.
+    // `cond ? a : b` with leaf in `cond`: the binding receives `a` or `b`,
+    // never the leaf's string value. Stop tracking.
+    if (current.type === "ConditionalExpression" && current.test === previous) {
+      return candidateSink;
+    }
+
+    // LogicalExpression — same shape when the leaf is on the LEFT of `&&`/`||`
+    // and is being used as a boolean check (the right side is what propagates).
+    // We can't always tell intent, but `.includes()`/`.startsWith()` etc. on a
+    // leaf are clearly boolean checks. Conservatively: when the leaf reaches a
+    // CallExpression whose callee is a MemberExpression on the leaf chain
+    // (e.g. `err.message.includes(...)`), the value being propagated is the
+    // method's return type, not the leaf string.
+    if (
+      current.type === "MemberExpression" &&
+      current.object === previous &&
+      !current.computed &&
+      current.property.type === "Identifier" &&
+      BOOLEAN_RETURN_METHODS.has(current.property.name)
+    ) {
+      // Walk continues, but mark that the in-flight value is a boolean.
+      // Since the parent CallExpression returns boolean, the leaf string
+      // doesn't reach the binding. Record a marker by short-circuiting.
+      // Find the enclosing CallExpression and skip past it.
+      let methodCall = current.parent;
+      if (
+        methodCall &&
+        methodCall.type === "CallExpression" &&
+        methodCall.callee === current
+      ) {
+        previous = methodCall;
+        current = methodCall.parent;
+        continue;
+      }
+    }
+
+    if (current.type === "NewExpression") {
+      const ctorName = getCalleeIdentifierName(current.callee);
+      if (
+        candidateSink === null &&
+        ctorName !== null &&
+        !BUILT_IN_ERROR_CTORS.has(ctorName) &&
+        CUSTOM_ERROR_CTOR_RE.test(ctorName) &&
+        leafShape !== "envelope"
+      ) {
+        candidateSink = { kind: "sink", label: `new ${ctorName}` };
+      }
+    }
+
+    if (current.type === "CallExpression") {
+      const calleeName = getCalleeIdentifierName(current.callee);
+      if (calleeName !== null && MASKING_HELPER_CALLEES.has(calleeName)) {
+        return { kind: "exempt" };
+      }
+      if (calleeName !== null && INTERNAL_PASSTHROUGH_CALLEES.has(calleeName)) {
+        return candidateSink ?? { kind: "exempt" };
+      }
+      if (calleeName !== null && ERROR_BUILDER_CALLEES.has(calleeName)) {
+        return candidateSink ?? { kind: "sink", label: `${calleeName}(...)` };
+      }
+
+      const sinkLabel = classifyCallee(current.callee);
+      if (sinkLabel) {
+        return candidateSink ?? { kind: "sink", label: sinkLabel };
+      }
+
+      // Order-dependent: passthroughs and sinks return above; only reached
+      // when the leaf is an argument to an unrecognised callable.
+      if (previous !== current.callee) {
+        return candidateSink;
+      }
+    }
+
+    if (
+      context &&
+      current.type === "VariableDeclarator" &&
+      current.id.type === "Identifier" &&
+      current.init !== null
+    ) {
+      const bindingSink = traceBindingFromWrite(
+        current.id,
+        context,
+        visited,
+        leafShape
+      );
+      return bindingSink ?? candidateSink;
+    }
+
+    if (
+      context &&
+      current.type === "AssignmentExpression" &&
+      current.operator === "=" &&
+      current.left.type === "Identifier"
+    ) {
+      const bindingSink = traceBindingFromWrite(
+        current.left,
+        context,
+        visited,
+        leafShape
+      );
+      return bindingSink ?? candidateSink;
+    }
+
+    if (
+      current.type === "FunctionDeclaration" ||
+      current.type === "FunctionExpression" ||
+      current.type === "ArrowFunctionExpression"
+    ) {
+      return candidateSink;
+    }
+
+    previous = current;
+    current = current.parent;
+  }
+  return candidateSink;
+}
+
+/**
+ * Trace forward read-references of a binding written at `writeIdNode`.
+ * Returns a sink if any read reference walks up into one, else null.
+ */
+function traceBindingFromWrite(writeIdNode, context, visited, leafShape) {
+  const key = writeIdNode.range
+    ? `${writeIdNode.range[0]}-${writeIdNode.range[1]}-${writeIdNode.name}`
+    : null;
+  if (key !== null) {
+    if (visited.has(key)) return null;
+    visited.add(key);
+  }
+
+  const scope = context.sourceCode.getScope(writeIdNode);
+  const variable = findVariableInScopeChain(scope, writeIdNode.name);
+  if (!variable) return null;
+
+  for (const ref of variable.references) {
+    if (!ref.isRead()) continue;
+    if (ref.identifier === writeIdNode) continue;
+    const refSink = findEnclosingSink(
+      ref.identifier,
+      context,
+      visited,
+      leafShape
+    );
+    if (refSink && refSink.kind === "sink") return refSink;
+  }
+  return null;
+}
+
+function findVariableInScopeChain(scope, name) {
+  let s = scope;
+  while (s) {
+    const v = s.variables.find((v) => v.name === name);
+    if (v) return v;
+    s = s.upper;
+  }
+  return null;
+}
+
+/**
+ * Returns a label when `callee` matches a sink we flag, else null.
+ */
+function classifyCallee(callee) {
+  if (callee.type === "ChainExpression") callee = callee.expression;
+
+  if (callee.type === "Identifier") {
+    if (
+      STATE_SETTER_RE.test(callee.name) &&
+      !STATE_SETTER_DENYLIST.has(callee.name)
+    ) {
+      return callee.name;
+    }
+    return null;
+  }
+
+  if (callee.type !== "MemberExpression" || callee.computed) return null;
+  if (callee.property.type !== "Identifier") return null;
+  const propName = callee.property.name;
+
+  const receiver = callee.object;
+
+  if (LOGGER_LEVEL_NAMES.has(propName)) {
+    const receiverName = extractReceiverName(receiver);
+    if (receiverName && LOGGER_RECEIVER_RE.test(receiverName)) {
+      return `${receiverName}.${propName}`;
+    }
+  }
+
+  if (
+    receiver.type === "Identifier" &&
+    receiver.name === "console" &&
+    CONSOLE_LEVEL_NAMES.has(propName)
+  ) {
+    return `console.${propName}`;
+  }
+
+  if (STATE_SETTER_RE.test(propName) && !STATE_SETTER_DENYLIST.has(propName)) {
+    return calleePathLabel(receiver, propName);
+  }
+
+  if (RECORDER_RE.test(propName)) {
+    return calleePathLabel(receiver, propName);
+  }
+
+  if (CALLBACK_RE.test(propName)) {
+    return calleePathLabel(receiver, propName);
+  }
+
+  return null;
+}
+
+function extractReceiverName(node) {
+  if (!node) return null;
+  if (node.type === "Identifier") return node.name;
+  if (node.type === "MemberExpression" && !node.computed) {
+    if (node.property.type === "Identifier") return node.property.name;
+  }
+  if (node.type === "ThisExpression") return "this";
+  return null;
+}
+
+function calleePathLabel(receiver, propName) {
+  const receiverName = extractReceiverName(receiver);
+  return receiverName ? `${receiverName}.${propName}` : propName;
+}
+
+function getCalleeIdentifierName(callee) {
+  if (!callee) return null;
+  if (callee.type === "ChainExpression") callee = callee.expression;
+  if (callee.type === "Identifier") return callee.name;
+  return null;
+}