@gotgenes/pi-permission-system 8.1.0 → 8.2.1

package/src/handlers/gates/bash-token-classification.ts

@@ -0,0 +1,105 @@
+/**
+ * Pure, synchronous token-classification helpers for bash path extraction.
+ *
+ * Exports two classifiers consumed by `bash-path-extractor.ts`:
+ *   - `classifyTokenAsPathCandidate` — strict gate for the external-directory guard.
+ *   - `classifyTokenAsRuleCandidate` — broader gate for cross-cutting `path` rules.
+ *
+ * Both classifiers share the private `rejectNonPathToken` predicate that captures
+ * the seven rejection cases common to both (the production clone this module was
+ * extracted to eliminate).
+ */
+
+// ── Public classifiers ─────────────────────────────────────────────────────
+
+/**
+ * Strict path-candidate classifier for the external-directory guard.
+ *
+ * Accepts tokens that unambiguously look like filesystem paths:
+ * - Absolute paths (starting with `/`)
+ * - Home-relative paths (starting with `~/`)
+ * - Parent-traversal paths (containing `..`)
+ *
+ * Returns the raw token string if it qualifies, or `null` to skip.
+ */
+export function classifyTokenAsPathCandidate(token: string): string | null {
+  if (rejectNonPathToken(token)) return null;
+
+  if (token.startsWith("/")) return token;
+  if (token.startsWith("~/")) return token;
+  if (token.includes("..")) return token;
+
+  return null;
+}
+
+/**
+ * Broader token classifier for cross-cutting `path` permission rules.
+ *
+ * Accepts the same shapes as `classifyTokenAsPathCandidate`, plus:
+ * - Dot-files and `./`-relative paths (starting with `.`)
+ * - Any relative path containing `/` (e.g. `src/foo.ts`)
+ *
+ * The `~/foo` case is covered by `includes("/")` — no separate `~/` branch needed.
+ *
+ * Does NOT require the strict "must start with `/` or `~/` or contain `..`"
+ * gate that the external-directory classifier uses.
+ *
+ * Returns the raw token string if it qualifies, or `null` to skip.
+ */
+export function classifyTokenAsRuleCandidate(token: string): string | null {
+  if (rejectNonPathToken(token)) return null;
+
+  if (token.startsWith(".")) return token;
+  if (token.includes("/")) return token; // covers ~/ paths and all relative paths with /
+  if (token.includes("..")) return token; // bare ".." (no slash)
+
+  return null;
+}
+
+// ── Private rejection predicate ────────────────────────────────────────────
+
+/**
+ * URL pattern to skip tokens that look like URLs rather than paths.
+ */
+const URL_PATTERN = /^[a-z][a-z0-9+.-]*:\/\//i;
+
+/**
+ * Regex metacharacter sequences that are never found in real filesystem paths.
+ * If a token contains any of these, it is almost certainly a regex pattern
+ * (e.g. a grep argument) rather than a path.
+ */
+const REGEX_METACHAR_PATTERN = /\.\*|\.\+|\\\||\\\(|\\\)|\[.*?\]|\^\//;
+
+/**
+ * Shared rejection prelude: returns `true` when a token can never be a
+ * filesystem path, regardless of which classifier is asking.
+ *
+ * Rejects: empty tokens, flags (leading `-`), env assignments (`FOO=/bar`),
+ * URLs, `@scope/package` patterns, bare-slash tokens, and regex metacharacter
+ * sequences.
+ */
+function rejectNonPathToken(token: string): boolean {
+  if (!token) return true;
+  if (token.startsWith("-")) return true;
+
+  // Env assignment: = appears before any /  (FOO=/bar is an assignment,
+  // /foo=bar is not because the slash comes first).
+  const eqIndex = token.indexOf("=");
+  const slashIndex = token.indexOf("/");
+  if (eqIndex !== -1 && (slashIndex === -1 || eqIndex < slashIndex))
+    return true;
+
+  if (URL_PATTERN.test(token)) return true;
+
+  // @scope/package patterns (npm scoped packages) — but @/ is allowed through
+  // since it looks like an absolute-rooted path, not an npm scope.
+  if (token.startsWith("@") && !token.startsWith("@/")) return true;
+
+  // Bare-slash tokens (/, //, ///) resolve to filesystem root and are never
+  // meaningful path arguments in practice.
+  if (/^\/+$/.test(token)) return true;
+
+  if (REGEX_METACHAR_PATTERN.test(token)) return true;
+
+  return false;
+}

package/src/handlers/gates/descriptor.ts

@@ -3,6 +3,7 @@ import type { PermissionPromptDecision } from "#src/permission-dialog";
 import type { PermissionDecisionEvent } from "#src/permission-events";
 import type { PromptPermissionDetails } from "#src/permission-prompter";
 import type { Rule } from "#src/rule";
+import type { SessionApproval } from "#src/session-approval";
 import type { PermissionCheckResult, PermissionState } from "#src/types";
 
 // ── Descriptor types ───────────────────────────────────────────────────────
@@ -22,12 +23,11 @@ export interface GateDescriptor {
   /** Structured denial context — the runner formats messages from this. */
   denialContext: DenialContext;
   /**
-   * Session-approval suggestion for "for this session" option.
-   * Single pattern or multiple patterns (bash external-directory gate).
+   * Session-approval suggestion for the "for this session" option.
+   * Wraps either a single pattern or multiple patterns behind a unified
+   * interface — the runner never needs to know which case applies.
    */
-  sessionApproval?:
-    | { surface: string; pattern: string }
-    | { surface: string; patterns: string[] };
+  sessionApproval?: SessionApproval;
   /** Details passed to the interactive permission prompt (requestId is added by the runner). */
   promptDetails: Omit<PromptPermissionDetails, "requestId">;
   /** Extra context fields written to the review log alongside gate outcomes. */
@@ -87,7 +87,7 @@ export interface GateRunnerDeps {
     sessionRules?: Rule[],
   ): PermissionCheckResult;
   getSessionRuleset(): Rule[];
-  approveSessionRule(surface: string, pattern: string): void;
+  recordSessionApproval(approval: SessionApproval): void;
   writeReviewLog(event: string, details: Record<string, unknown>): void;
   emitDecision(event: PermissionDecisionEvent): void;
   canConfirm(): boolean;

package/src/handlers/gates/external-directory.ts

@@ -4,6 +4,7 @@ import {
   isPiInfrastructureRead,
   normalizePathForComparison,
 } from "#src/path-utils";
+import { SessionApproval } from "#src/session-approval";
 import { deriveApprovalPattern } from "#src/session-rules";
 import type { GateResult } from "./descriptor";
 import { formatExternalDirectoryAskPrompt } from "./external-directory-messages";
@@ -83,10 +84,7 @@ export function describeExternalDirectoryGate(
       cwd: tcc.cwd,
       agentName: tcc.agentName ?? undefined,
     },
-    sessionApproval: {
-      surface: "external_directory",
-      pattern,
-    },
+    sessionApproval: SessionApproval.single("external_directory", pattern),
     promptDetails: {
       source: "tool_call",
       agentName: tcc.agentName,

package/src/handlers/gates/helpers.ts

@@ -1,4 +1,7 @@
-import type { PermissionDecisionResolution } from "#src/permission-events";
+import type {
+  PermissionDecisionEvent,
+  PermissionDecisionResolution,
+} from "#src/permission-events";
 import type { PermissionCheckResult } from "#src/types";
 
 /**
@@ -17,6 +20,32 @@ export function deriveDecisionValue(
   return toolName;
 }
 
+/**
+ * Build a `PermissionDecisionEvent` from the gate's inputs.
+ *
+ * Centralises the `origin / agentName / matchedPattern ?? null` normalization
+ * that is otherwise duplicated across the session-hit path and the gate-result
+ * path in `runGateCheck`.
+ */
+export function buildDecisionEvent(
+  decision: { surface: string; value: string },
+  check: Pick<PermissionCheckResult, "origin" | "matchedPattern">,
+  agentName: string | null,
+  result: "allow" | "deny",
+  resolution: PermissionDecisionResolution,
+): PermissionDecisionEvent {
+  return {
+    surface: decision.surface,
+    value: decision.value,
+    result,
+    resolution,
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ?? null normalises undefined to null for the log record
+    origin: check.origin ?? null,
+    agentName: agentName ?? null,
+    matchedPattern: check.matchedPattern ?? null,
+  };
+}
+
 /**
  * Map the gate outcome back to a PermissionDecisionResolution.
  *

package/src/handlers/gates/path.ts

@@ -1,5 +1,6 @@
 import { getPathBearingToolPath } from "#src/path-utils";
 import type { Rule } from "#src/rule";
+import { SessionApproval } from "#src/session-approval";
 import { deriveApprovalPattern } from "#src/session-rules";
 import type { PermissionCheckResult } from "#src/types";
 import type { GateDescriptor, GateResult } from "./descriptor";
@@ -55,10 +56,7 @@ export function describePathGate(
       pathValue: filePath,
       agentName: tcc.agentName ?? undefined,
     },
-    sessionApproval: {
-      surface: "path",
-      pattern,
-    },
+    sessionApproval: SessionApproval.single("path", pattern),
     promptDetails: {
       source: "tool_call",
       agentName: tcc.agentName,

package/src/handlers/gates/runner.ts

@@ -7,7 +7,7 @@ import type { PermissionPromptDecision } from "#src/permission-dialog";
 import { applyPermissionGate } from "#src/permission-gate";
 import type { PermissionCheckResult } from "#src/types";
 import type { GateDescriptor, GateRunnerDeps } from "./descriptor";
-import { deriveResolution } from "./helpers";
+import { buildDecisionEvent, deriveResolution } from "./helpers";
 import type { GateOutcome } from "./types";
 
 /**
@@ -56,37 +56,21 @@ export async function runGateCheck(
       resolution: "session_approved",
       sessionApprovalPattern: check.matchedPattern,
     });
-    deps.emitDecision({
-      surface: descriptor.decision.surface,
-      value: descriptor.decision.value,
-      result: "allow",
-      resolution: "session_approved",
-      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ?? null normalises undefined to null for the log record
-      origin: check.origin ?? null,
-      agentName: agentName ?? null,
-      matchedPattern: check.matchedPattern ?? null,
-    });
+    deps.emitDecision(
+      buildDecisionEvent(
+        descriptor.decision,
+        check,
+        agentName,
+        "allow",
+        "session_approved",
+      ),
+    );
     return { action: "allow" };
   }
 
   // 3. Apply the deny/ask/allow gate
   const canConfirm = deps.canConfirm();
 
-  // Resolve the first pattern for applyPermissionGate's sessionApproval param
-  const singleSessionApproval = descriptor.sessionApproval
-    ? "pattern" in descriptor.sessionApproval
-      ? {
-          surface: descriptor.sessionApproval.surface,
-          pattern: descriptor.sessionApproval.pattern,
-        }
-      : descriptor.sessionApproval.patterns.length > 0
-        ? {
-            surface: descriptor.sessionApproval.surface,
-            pattern: descriptor.sessionApproval.patterns[0],
-          }
-        : undefined
-    : undefined;
-
   // Construct messages from the centralized formatter.
   const messages = {
     denyReason: formatDenyReason(descriptor.denialContext),
@@ -99,7 +83,7 @@ export async function runGateCheck(
   const gateResult = await applyPermissionGate({
     state: check.state,
     canConfirm,
-    sessionApproval: singleSessionApproval,
+    sessionApproval: descriptor.sessionApproval?.toGateApproval(),
     promptForApproval: async () => {
       const decision = await deps.promptPermission({
         requestId: toolCallId,
@@ -119,37 +103,26 @@ export async function runGateCheck(
     gateResult.action === "allow" && gateResult.sessionApproval !== undefined;
 
   // 5. Emit decision event
-  deps.emitDecision({
-    surface: descriptor.decision.surface,
-    value: descriptor.decision.value,
-    result: gateResult.action === "allow" ? "allow" : "deny",
-    resolution: deriveResolution(
-      check.state,
-      gateResult.action,
-      hasSessionApproval,
-      canConfirm,
-      autoApproved,
+  deps.emitDecision(
+    buildDecisionEvent(
+      descriptor.decision,
+      check,
+      agentName,
+      gateResult.action === "allow" ? "allow" : "deny",
+      deriveResolution(
+        check.state,
+        gateResult.action,
+        hasSessionApproval,
+        canConfirm,
+        autoApproved,
+      ),
     ),
-    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ?? null normalises undefined to null for the log record
-    origin: check.origin ?? null,
-    agentName: agentName ?? null,
-    matchedPattern: check.matchedPattern ?? null,
-  });
+  );
 
-  // 6. Record session approval(s)
-  if (gateResult.action === "allow" && hasSessionApproval) {
-    if (descriptor.sessionApproval) {
-      if ("patterns" in descriptor.sessionApproval) {
-        for (const pattern of descriptor.sessionApproval.patterns) {
-          deps.approveSessionRule(descriptor.sessionApproval.surface, pattern);
-        }
-      } else {
-        deps.approveSessionRule(
-          descriptor.sessionApproval.surface,
-          descriptor.sessionApproval.pattern,
-        );
-      }
-    }
+  // 6. Record session approval — tell the store; it owns the per-pattern loop
+  // hasSessionApproval already implies gateResult.action === "allow"
+  if (hasSessionApproval && descriptor.sessionApproval) {
+    deps.recordSessionApproval(descriptor.sessionApproval);
   }
 
   if (gateResult.action === "block") {

package/src/handlers/gates/tool.ts

@@ -1,6 +1,7 @@
 import { getPathBearingToolPath, PATH_BEARING_TOOLS } from "#src/path-utils";
 import { suggestSessionPattern } from "#src/pattern-suggest";
 import { formatAskPrompt } from "#src/permission-prompts";
+import { SessionApproval } from "#src/session-approval";
 import type { ToolPreviewFormatter } from "#src/tool-preview-formatter";
 import type { PermissionCheckResult } from "#src/types";
 import type { GateDescriptor } from "./descriptor";
@@ -61,10 +62,10 @@ export function describeToolGate(
       agentName: tcc.agentName ?? undefined,
       input: tcc.input,
     },
-    sessionApproval: {
-      surface: suggestion.surface,
-      pattern: suggestion.pattern,
-    },
+    sessionApproval: SessionApproval.single(
+      suggestion.surface,
+      suggestion.pattern,
+    ),
     promptDetails: {
       source: "tool_call",
       agentName: tcc.agentName,

package/src/handlers/permission-gate-handler.ts

@@ -99,14 +99,15 @@ export class PermissionGateHandler {
       sessionRules,
     ) => this.session.checkPermission(surface, input, agent, sessionRules);
     const getSessionRuleset = () => this.session.getSessionRuleset();
-    const approveSessionRule = (surface: string, pattern: string) =>
-      this.session.approveSessionRule(surface, pattern);
+    const recordSessionApproval: GateRunnerDeps["recordSessionApproval"] = (
+      approval,
+    ) => this.session.recordSessionApproval(approval);
 
     // ── Shared runner deps (built once, reused for all gates) ────────────
     const runnerDeps: GateRunnerDeps = {
       checkPermission,
       getSessionRuleset,
-      approveSessionRule,
+      recordSessionApproval,
       writeReviewLog,
       emitDecision,
       canConfirm,

package/src/permission-manager.ts

@@ -1,7 +1,6 @@
 import { isPermissionState } from "./common";
 import { normalizeInput } from "./input-normalizer";
 import { normalizeFlatConfig } from "./normalize";
-import { mergeFlatPermissions } from "./permission-merge";
 import {
   FilePolicyLoader,
   type PolicyLoader,
@@ -10,6 +9,7 @@ import {
 } from "./policy-loader";
 import type { Rule, RuleOrigin, Ruleset } from "./rule";
 import { evaluate, evaluateFirst } from "./rule";
+import { mergeScopesWithOrigins } from "./scope-merge";
 import {
   composeRuleset,
   synthesizeBaseline,
@@ -90,58 +90,15 @@ export class PermissionManager {
     const agentConfig = this.loader.loadAgentConfig(agentName);
     const projectAgentConfig = this.loader.loadProjectAgentConfig(agentName);
 
-    // Merge permission objects across scopes (lowest → highest precedence).
-    // Build a parallel origin map that tracks which scope contributed each
-    // (surface, pattern) entry, mirroring mergeFlatPermissions() semantics.
-    type OriginMap = Map<string, Map<string, RuleOrigin>>;
-    const origins: OriginMap = new Map();
-    let mergedPermission: FlatPermissionConfig = {};
-
-    for (const [scopeName, scope] of [
+    // Merge permission objects across scopes (lowest → highest precedence),
+    // building a parallel origin map that tracks which scope contributed each
+    // (surface, pattern) entry.
+    const { mergedPermission, origins } = mergeScopesWithOrigins([
       ["global", globalConfig],
       ["project", projectConfig],
       ["agent", agentConfig],
       ["project-agent", projectAgentConfig],
-    ] as const) {
-      if (!scope.permission) continue;
-
-      for (const [surface, value] of Object.entries(scope.permission)) {
-        const baseVal = mergedPermission[surface];
-        /* eslint-disable @typescript-eslint/no-unnecessary-condition -- defensive null/type checks; config values may differ at runtime */
-        const bothObjects =
-          typeof baseVal === "object" &&
-          baseVal !== null &&
-          typeof value === "object" &&
-          value !== null;
-        /* eslint-enable @typescript-eslint/no-unnecessary-condition */
-
-        if (bothObjects) {
-          // Shallow-merge: each incoming pattern is attributed to this scope;
-          // existing patterns from lower scopes keep their earlier origin.
-          if (!origins.has(surface)) origins.set(surface, new Map());
-          for (const pattern of Object.keys(value)) {
-            origins.get(surface)?.set(pattern, scopeName);
-          }
-        } else {
-          // Full replacement: this scope takes over the entire surface entry.
-          const surfaceOrigins = new Map<string, RuleOrigin>();
-          if (typeof value === "string") {
-            surfaceOrigins.set("*", scopeName);
-            // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- defensive null check
-          } else if (typeof value === "object" && value !== null) {
-            for (const pattern of Object.keys(value)) {
-              surfaceOrigins.set(pattern, scopeName);
-            }
-          }
-          origins.set(surface, surfaceOrigins);
-        }
-      }
-
-      mergedPermission = mergeFlatPermissions(
-        mergedPermission,
-        scope.permission,
-      );
-    }
+    ]);
 
     // Extract the universal fallback from permission["*"].
     // The "*" key feeds synthesizeDefaults() only — it is NOT included as a

package/src/permission-session.ts

@@ -12,6 +12,7 @@ import type { PermissionManager } from "./permission-manager";
 import type { PromptPermissionDetails } from "./permission-prompter";
 import type { Rule } from "./rule";
 import { createPermissionManagerForCwd } from "./runtime";
+import type { SessionApproval } from "./session-approval";
 import type { SessionLogger } from "./session-logger";
 import { SessionRules } from "./session-rules";
 import type { SkillPromptEntry } from "./skill-prompt-sanitizer";
@@ -127,8 +128,8 @@ export class PermissionSession {
     return this.sessionRules.getRuleset();
   }
 
-  approveSessionRule(surface: string, pattern: string): void {
-    this.sessionRules.approve(surface, pattern);
+  recordSessionApproval(approval: SessionApproval): void {
+    this.sessionRules.record(approval);
   }
 
   // ── Session lifecycle ────────────────────────────────────────────────────

package/src/scope-merge.ts

@@ -0,0 +1,72 @@
+import { mergeFlatPermissions } from "#src/permission-merge";
+import type { RuleOrigin } from "#src/rule";
+import type { FlatPermissionConfig, ScopeConfig } from "#src/types";
+
+/** Surface → (pattern → originating scope). */
+type OriginMap = Map<string, Map<string, RuleOrigin>>;
+
+/** Result of merging permission objects across scopes with provenance tracking. */
+export interface MergedScopes {
+  /** Fully merged flat permission config (lowest → highest precedence). */
+  mergedPermission: FlatPermissionConfig;
+  /** Maps each surface to a per-pattern origin (which scope contributed it). */
+  origins: OriginMap;
+}
+
+/**
+ * Merge permission objects across scopes (lowest → highest precedence) while
+ * tracking which scope contributed each (surface, pattern) entry.
+ *
+ * Mirrors mergeFlatPermissions() semantics for origin attribution:
+ * - Both base and incoming are objects → shallow-merge: each incoming pattern
+ *   is attributed to this scope; patterns the higher scope does not redefine
+ *   keep their earlier origin.
+ * - Otherwise → full replacement: this scope takes over the entire surface
+ *   entry, discarding all lower-scope attribution.
+ */
+export function mergeScopesWithOrigins(
+  scopes: readonly (readonly [RuleOrigin, ScopeConfig])[],
+): MergedScopes {
+  const origins: OriginMap = new Map();
+  let mergedPermission: FlatPermissionConfig = {};
+
+  for (const [scopeName, scope] of scopes) {
+    if (!scope.permission) continue;
+
+    for (const [surface, value] of Object.entries(scope.permission)) {
+      const baseVal = mergedPermission[surface];
+      /* eslint-disable @typescript-eslint/no-unnecessary-condition -- defensive null/type checks; config values may differ at runtime */
+      const bothObjects =
+        typeof baseVal === "object" &&
+        baseVal !== null &&
+        typeof value === "object" &&
+        value !== null;
+      /* eslint-enable @typescript-eslint/no-unnecessary-condition */
+
+      if (bothObjects) {
+        // Shallow-merge: each incoming pattern is attributed to this scope;
+        // existing patterns from lower scopes keep their earlier origin.
+        if (!origins.has(surface)) origins.set(surface, new Map());
+        for (const pattern of Object.keys(value)) {
+          origins.get(surface)?.set(pattern, scopeName);
+        }
+      } else {
+        // Full replacement: this scope takes over the entire surface entry.
+        const surfaceOrigins = new Map<string, RuleOrigin>();
+        if (typeof value === "string") {
+          surfaceOrigins.set("*", scopeName);
+          // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- defensive null check
+        } else if (typeof value === "object" && value !== null) {
+          for (const pattern of Object.keys(value)) {
+            surfaceOrigins.set(pattern, scopeName);
+          }
+        }
+        origins.set(surface, surfaceOrigins);
+      }
+    }
+
+    mergedPermission = mergeFlatPermissions(mergedPermission, scope.permission);
+  }
+
+  return { mergedPermission, origins };
+}

package/src/session-approval.ts

@@ -0,0 +1,43 @@
+/**
+ * Value object for a session-scoped approval: one surface, one-or-more patterns.
+ *
+ * Owned by gate descriptors and passed to the session store — the runner never
+ * needs to know whether there is one pattern or many.
+ */
+export class SessionApproval {
+  private constructor(
+    readonly surface: string,
+    readonly patterns: readonly string[],
+  ) {}
+
+  /** Create an approval for a single pattern (the common case). */
+  static single(surface: string, pattern: string): SessionApproval {
+    return new SessionApproval(surface, [pattern]);
+  }
+
+  /**
+   * Create an approval for multiple patterns (e.g. bash external-directory
+   * gates that cover several uncovered paths in one prompt).
+   */
+  static multiple(
+    surface: string,
+    patterns: readonly string[],
+  ): SessionApproval {
+    return new SessionApproval(surface, [...patterns]);
+  }
+
+  /** Representative pattern for the interactive prompt — the first, if any. */
+  get representativePattern(): string | undefined {
+    return this.patterns[0];
+  }
+
+  /**
+   * Single-pattern shape `applyPermissionGate` echoes back to the caller.
+   * Returns `undefined` when patterns is empty (degenerate case).
+   */
+  toGateApproval(): { surface: string; pattern: string } | undefined {
+    const pattern = this.representativePattern;
+    if (pattern === undefined) return undefined;
+    return { surface: this.surface, pattern };
+  }
+}

package/src/session-rules.ts

@@ -1,6 +1,7 @@
 import { dirname, sep } from "node:path";
 
 import type { Ruleset } from "./rule";
+import type { SessionApproval } from "./session-approval";
 
 /**
  * Ephemeral in-memory store of session-scoped permission approvals.
@@ -29,6 +30,18 @@ export class SessionRules {
     return [...this.rules];
   }
 
+  /**
+   * Record all patterns from a `SessionApproval` value object.
+   *
+   * The loop lives here so callers never need to know whether an approval
+   * carries one pattern or many — they just tell the store to record it.
+   */
+  record(approval: SessionApproval): void {
+    for (const pattern of approval.patterns) {
+      this.approve(approval.surface, pattern);
+    }
+  }
+
   /** Remove all session approvals. */
   clear(): void {
     this.rules = [];