@guilz-dev/belay 0.1.0

package/dist/installer.js

@@ -0,0 +1,169 @@
+import { existsSync } from 'node:fs';
+import { mkdir, readFile, writeFile } from 'node:fs/promises';
+import path from 'node:path';
+import { mergeCursorHooksFile } from './adapters/cursor/hooks.js';
+import { cursorLayout } from './adapters/layouts/cursor.js';
+import { resolveScopedPaths } from './adapters/layouts/scope.js';
+import { getAdapter } from './adapters/registry.js';
+import { dogfoodProject } from './commands/dogfood.js';
+import { detectAdapterName, loadConfigFile, mergeAndWriteConfig, writeConfigFile, } from './config-io.js';
+import { isFreshConfigInput, mergeConfig, normalizeConfig } from './core/config.js';
+import { runtimeIntegrityFiles, writeIntegrityManifest } from './core/integrity.js';
+import { resolveInitJudgeConfig } from './core/judge-config.js';
+import { bootstrapStateFiles, writeSkillArtifacts } from './installer/bootstrap.js';
+import { writeRuntimeArtifacts } from './installer/runtime-artifacts.js';
+import { applyInstallScope, resolveOperationScope } from './installer/scope-config.js';
+import { applyConfigPreset } from './presets.js';
+async function pathExists(filePath) {
+    try {
+        const { stat } = await import('node:fs/promises');
+        await stat(filePath);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function ensureDir(dirPath) {
+    await mkdir(dirPath, { recursive: true });
+}
+export async function loadHooksFile(hooksPath) {
+    if (!existsSync(hooksPath)) {
+        return { version: 1, hooks: {} };
+    }
+    const raw = await readFile(hooksPath, 'utf8');
+    try {
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== 'object' || typeof parsed.version !== 'number') {
+            throw new Error('hooks.json must contain a numeric version field.');
+        }
+        if (!parsed.hooks || typeof parsed.hooks !== 'object') {
+            throw new Error('hooks.json must contain an object hooks field.');
+        }
+        return parsed;
+    }
+    catch (error) {
+        const detail = error instanceof Error ? error.message : 'Unknown JSON parse failure.';
+        throw new Error(`Invalid hooks.json at ${hooksPath}: ${detail}`);
+    }
+}
+export function mergeHooksFile(current, platform = process.platform, hooksDir, repoRoot) {
+    const resolvedRepo = path.resolve(repoRoot ?? process.cwd());
+    const resolvedHooksDir = hooksDir ?? cursorLayout.hooksDir(resolvedRepo);
+    return mergeCursorHooksFile(current, platform, resolvedHooksDir, resolvedRepo);
+}
+export async function initCursorProject(options = {}) {
+    const repoRoot = path.resolve(options.targetDir ?? process.cwd());
+    const scope = await resolveOperationScope(repoRoot, 'cursor', options);
+    const paths = resolveScopedPaths(cursorLayout, scope, repoRoot);
+    const withSkill = options.withSkill === true;
+    const hooksFile = await loadHooksFile(paths.hooksSettingsPath);
+    const mergedHooks = mergeCursorHooksFile(hooksFile, process.platform, paths.hooksDir, repoRoot);
+    await ensureDir(paths.hooksDir);
+    const config = await mergeAndWriteConfig(repoRoot, 'cursor');
+    await applyInstallScope(repoRoot, 'cursor', scope, config);
+    await writeRuntimeArtifacts('cursor', paths);
+    await bootstrapStateFiles(repoRoot, config, paths);
+    if (withSkill) {
+        await writeSkillArtifacts('cursor', paths);
+    }
+    await mkdir(path.dirname(paths.hooksSettingsPath), { recursive: true });
+    await writeFile(paths.hooksSettingsPath, `${JSON.stringify(mergedHooks, null, 2)}\n`, 'utf8');
+    await writeIntegrityManifest(repoRoot, cursorLayout, runtimeIntegrityFiles(cursorLayout, paths));
+    return { repoRoot, withSkill };
+}
+export async function upgradeCursorProject(options = {}) {
+    const repoRoot = path.resolve(options.targetDir ?? process.cwd());
+    const scope = await resolveOperationScope(repoRoot, 'cursor', options);
+    const paths = resolveScopedPaths(cursorLayout, scope, repoRoot);
+    const config = await mergeAndWriteConfig(repoRoot, 'cursor');
+    await applyInstallScope(repoRoot, 'cursor', scope, config);
+    await writeRuntimeArtifacts('cursor', paths);
+    const hooksFile = await loadHooksFile(paths.hooksSettingsPath);
+    const merged = mergeCursorHooksFile(hooksFile, process.platform, paths.hooksDir, repoRoot);
+    await mkdir(path.dirname(paths.hooksSettingsPath), { recursive: true });
+    await writeFile(paths.hooksSettingsPath, `${JSON.stringify(merged, null, 2)}\n`, 'utf8');
+    if (options.withSkill) {
+        await writeSkillArtifacts('cursor', paths);
+    }
+    await writeIntegrityManifest(repoRoot, cursorLayout, runtimeIntegrityFiles(cursorLayout, paths));
+    return { repoRoot };
+}
+function resolveAdapterName(options, repoRoot) {
+    if (options.adapter === 'claude') {
+        return 'claude';
+    }
+    if (options.adapter === 'codex') {
+        return 'codex';
+    }
+    if (options.adapter === 'cursor') {
+        return 'cursor';
+    }
+    if (repoRoot) {
+        return detectAdapterName(repoRoot);
+    }
+    return 'cursor';
+}
+async function applyInitJudgeConfig(repoRoot, adapterName, options) {
+    if (options.skipJudgeWrite) {
+        return;
+    }
+    const layout = getAdapter(adapterName).layout;
+    const configPath = layout.configPath(repoRoot);
+    let existingConfig = {};
+    if (await pathExists(configPath)) {
+        existingConfig = JSON.parse(await readFile(configPath, 'utf8'));
+    }
+    const isFresh = isFreshConfigInput(existingConfig);
+    const mergedConfig = await loadConfigFile(repoRoot, adapterName);
+    const hasExplicitJudgeFlags = options.judgeProfile || options.judgeProvider || options.judgeModel || options.judgeEndpoint;
+    const judge = resolveInitJudgeConfig({
+        isFresh,
+        hasExplicitJudgeFlags: Boolean(hasExplicitJudgeFlags),
+        judgeProfile: options.judgeProfile,
+        judgeProvider: options.judgeProvider,
+        judgeModel: options.judgeModel,
+        judgeEndpoint: options.judgeEndpoint,
+        acceptCloudJudge: options.acceptCloudJudge,
+        existingJudge: mergedConfig.judge,
+    });
+    const configWithJudge = normalizeConfig({ ...mergedConfig, version: 4, judge });
+    await writeConfigFile(repoRoot, configWithJudge, adapterName);
+}
+async function refreshIntegrityManifest(repoRoot, adapterName) {
+    const layout = getAdapter(adapterName).layout;
+    const config = await loadConfigFile(repoRoot, adapterName);
+    const scope = config.installScope === 'global' ? 'global' : 'project';
+    const paths = resolveScopedPaths(layout, scope, repoRoot);
+    await writeIntegrityManifest(repoRoot, layout, runtimeIntegrityFiles(layout, paths));
+}
+export async function initProject(options = {}) {
+    const repoRoot = path.resolve(options.targetDir ?? process.cwd());
+    const adapterName = resolveAdapterName(options, repoRoot);
+    const adapter = getAdapter(adapterName);
+    const result = await adapter.install(repoRoot, options);
+    await applyInitJudgeConfig(repoRoot, adapterName, options);
+    if (options.preset) {
+        const existing = await loadConfigFile(repoRoot, adapterName);
+        const presetConfig = mergeConfig(applyConfigPreset(options.preset));
+        const merged = mergeConfig(presetConfig, existing);
+        await writeConfigFile(repoRoot, merged, adapterName);
+    }
+    if (options.dogfood === true) {
+        await dogfoodProject({ targetDir: repoRoot, adapter: adapterName });
+    }
+    await refreshIntegrityManifest(repoRoot, adapterName);
+    return {
+        repoRoot,
+        withSkill: result.withSkill,
+        dogfood: options.dogfood === true,
+        adapter: adapterName,
+    };
+}
+export async function upgradeProject(options = {}) {
+    const repoRoot = path.resolve(options.targetDir ?? process.cwd());
+    const adapterName = resolveAdapterName(options, repoRoot);
+    await getAdapter(adapterName).upgrade(repoRoot, options);
+    await refreshIntegrityManifest(repoRoot, adapterName);
+    return { repoRoot, adapter: adapterName };
+}

package/dist/node-resolution.d.ts

@@ -0,0 +1,8 @@
+export interface NodeResolutionResult {
+    ok: boolean;
+    detail: string;
+    path?: string;
+}
+export declare function resolveNodeBinary(): NodeResolutionResult;
+export declare function buildRunnerScript(defaultNodePath: string): string;
+export declare function buildWindowsRunnerScript(defaultNodePath: string): string;

package/dist/node-resolution.js

@@ -0,0 +1,237 @@
+import { execFileSync } from 'node:child_process';
+import { accessSync, constants, existsSync } from 'node:fs';
+import { delimiter } from 'node:path';
+function isExecutable(path) {
+    if (!path) {
+        return false;
+    }
+    try {
+        accessSync(path, constants.X_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function firstExecutableInPath() {
+    const pathValue = process.env.PATH ?? '';
+    for (const segment of pathValue.split(delimiter)) {
+        if (!segment) {
+            continue;
+        }
+        const candidate = `${segment}/node`;
+        if (isExecutable(candidate)) {
+            return candidate;
+        }
+    }
+    return undefined;
+}
+function execTool(command, args) {
+    try {
+        const output = execFileSync(command, args, {
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+        }).trim();
+        return output || undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function resolveViaKnownManagers() {
+    const mise = execTool('mise', ['which', 'node']);
+    if (isExecutable(mise)) {
+        return mise;
+    }
+    const fnm = execTool('fnm', ['which']);
+    if (isExecutable(fnm)) {
+        return fnm;
+    }
+    const nvmScript = process.env.NVM_DIR && existsSync(`${process.env.NVM_DIR}/nvm.sh`)
+        ? `${process.env.NVM_DIR}/nvm.sh`
+        : existsSync(`${process.env.HOME ?? ''}/.nvm/nvm.sh`)
+            ? `${process.env.HOME ?? ''}/.nvm/nvm.sh`
+            : undefined;
+    if (!nvmScript) {
+        return undefined;
+    }
+    const command = `. "${nvmScript}" >/dev/null 2>&1 && nvm which current 2>/dev/null`;
+    const resolved = execTool('/bin/sh', ['-lc', command]);
+    if (isExecutable(resolved)) {
+        return resolved;
+    }
+    return undefined;
+}
+export function resolveNodeBinary() {
+    if (isExecutable(process.execPath)) {
+        return {
+            ok: true,
+            detail: 'Resolved via process.execPath.',
+            path: process.execPath,
+        };
+    }
+    const pathNode = firstExecutableInPath();
+    if (pathNode) {
+        return {
+            ok: true,
+            detail: 'Resolved via PATH.',
+            path: pathNode,
+        };
+    }
+    const managerNode = resolveViaKnownManagers();
+    if (managerNode) {
+        return {
+            ok: true,
+            detail: 'Resolved via mise/fnm/nvm.',
+            path: managerNode,
+        };
+    }
+    return {
+        ok: false,
+        detail: 'Unable to resolve Node from process.execPath, PATH, or known managers (mise/fnm/nvm).',
+    };
+}
+export function buildRunnerScript(defaultNodePath) {
+    const escapedDefault = defaultNodePath.replaceAll('\\', '\\\\').replaceAll('"', '\\"');
+    return `#!/bin/sh
+set -u
+
+DEFAULT_NODE="${escapedDefault}"
+
+resolve_node() {
+  if [ -n "$DEFAULT_NODE" ] && [ -x "$DEFAULT_NODE" ]; then
+    printf '%s\\n' "$DEFAULT_NODE"
+    return 0
+  fi
+
+  if command -v node >/dev/null 2>&1; then
+    command -v node
+    return 0
+  fi
+
+  if command -v mise >/dev/null 2>&1; then
+    NODE_FROM_MISE="$(mise which node 2>/dev/null || true)"
+    if [ -n "$NODE_FROM_MISE" ] && [ -x "$NODE_FROM_MISE" ]; then
+      printf '%s\\n' "$NODE_FROM_MISE"
+      return 0
+    fi
+  fi
+
+  if command -v fnm >/dev/null 2>&1; then
+    NODE_FROM_FNM="$(fnm which 2>/dev/null || true)"
+    if [ -n "$NODE_FROM_FNM" ] && [ -x "$NODE_FROM_FNM" ]; then
+      printf '%s\\n' "$NODE_FROM_FNM"
+      return 0
+    fi
+  fi
+
+  NVM_SCRIPT=""
+  if [ -n "\${NVM_DIR:-}" ] && [ -s "$NVM_DIR/nvm.sh" ]; then
+    NVM_SCRIPT="$NVM_DIR/nvm.sh"
+  elif [ -s "$HOME/.nvm/nvm.sh" ]; then
+    NVM_SCRIPT="$HOME/.nvm/nvm.sh"
+  fi
+
+  if [ -n "$NVM_SCRIPT" ]; then
+    NODE_FROM_NVM="$(/bin/sh -lc ". \\"$NVM_SCRIPT\\" >/dev/null 2>&1 && nvm which current 2>/dev/null" || true)"
+    if [ -n "$NODE_FROM_NVM" ] && [ -x "$NODE_FROM_NVM" ]; then
+      printf '%s\\n' "$NODE_FROM_NVM"
+      return 0
+    fi
+  fi
+
+  return 1
+}
+
+fail_gate() {
+  printf '{"permission":"deny","user_message":"belay could not resolve Node. Install or expose Node, run belay doctor, then retry."}\\n'
+  exit 0
+}
+
+fail_before_submit() {
+  printf '{"continue":false,"user_message":"belay could not resolve Node. Install or expose Node, run belay doctor, then retry."}\\n'
+  exit 0
+}
+
+fail_audit() {
+  echo "belay: unable to resolve Node for audit hook" >&2
+  printf '{}\\n'
+  exit 0
+}
+
+HOOK_NAME="\${1:-}"
+if [ -z "$HOOK_NAME" ]; then
+  fail_audit
+fi
+shift
+
+NODE_BIN="$(resolve_node || true)"
+if [ -z "$NODE_BIN" ]; then
+  case "$HOOK_NAME" in
+    belay-before-submit)
+      fail_before_submit
+      ;;
+    belay-shell-gate|belay-tool-gate)
+      fail_gate
+      ;;
+    *)
+      fail_audit
+      ;;
+  esac
+fi
+
+SCRIPT_DIR="$(CDPATH= cd -- "$(dirname "$0")" && pwd)"
+exec "$NODE_BIN" "$SCRIPT_DIR/$HOOK_NAME.mjs" "$@"
+`;
+}
+export function buildWindowsRunnerScript(defaultNodePath) {
+    const escapedDefault = defaultNodePath.replaceAll('\\', '\\\\');
+    return `@echo off
+setlocal EnableExtensions
+
+set "DEFAULT_NODE=${escapedDefault}"
+set "HOOK_NAME=%~1"
+if "%HOOK_NAME%"=="" goto fail_audit
+shift
+
+call :resolve_node
+if not defined NODE_BIN goto fail_by_hook
+
+"%NODE_BIN%" "%~dp0%HOOK_NAME%.mjs" %*
+exit /b 0
+
+:resolve_node
+if defined DEFAULT_NODE if exist "%DEFAULT_NODE%" (
+  set "NODE_BIN=%DEFAULT_NODE%"
+  exit /b 0
+)
+for %%I in (node.exe) do if not "%%~$PATH:I"=="" (
+  set "NODE_BIN=%%~$PATH:I"
+  exit /b 0
+)
+for %%I in ("%USERPROFILE%\\.nvm\\v*\\node.exe") do if exist "%%~fI" (
+  set "NODE_BIN=%%~fI"
+  exit /b 0
+)
+exit /b 1
+
+:fail_by_hook
+if /I "%HOOK_NAME%"=="belay-before-submit" goto fail_before_submit
+if /I "%HOOK_NAME%"=="belay-shell-gate" goto fail_gate
+if /I "%HOOK_NAME%"=="belay-tool-gate" goto fail_gate
+goto fail_audit
+
+:fail_gate
+echo {"permission":"deny","user_message":"belay could not resolve Node. Install or expose Node, run belay doctor, then retry."}
+exit /b 0
+
+:fail_before_submit
+echo {"continue":false,"user_message":"belay could not resolve Node. Install or expose Node, run belay doctor, then retry."}
+exit /b 0
+
+:fail_audit
+1>&2 echo belay: unable to resolve Node for audit hook
+echo {}
+exit /b 0
+`;
+}

package/dist/operational-insights.d.ts

@@ -0,0 +1,19 @@
+import type { BelayConfigV3 } from './core/config.js';
+export interface DogfoodStatus {
+    active: boolean;
+    mode: string;
+    unknownLocalEffect: string;
+    readyForEnforce: boolean;
+    gateEvents: number;
+    wouldBlockCount: number;
+    wouldBlockRate: number;
+    notes: string[];
+}
+export interface OperationalInsights {
+    repoRoot: string;
+    dogfood: DogfoodStatus;
+}
+export declare function isDogfoodConfig(config: BelayConfigV3): boolean;
+export declare function loadOperationalInsights(options?: {
+    targetDir?: string;
+}): Promise<OperationalInsights>;

package/dist/operational-insights.js

@@ -0,0 +1,24 @@
+import path from 'node:path';
+import { metricsProject } from './commands/metrics.js';
+import { loadConfigFile } from './config-io.js';
+export function isDogfoodConfig(config) {
+    return config.mode === 'audit' && config.policy.unknownLocalEffect === 'deny';
+}
+export async function loadOperationalInsights(options = {}) {
+    const repoRoot = path.resolve(options.targetDir ?? process.cwd());
+    const config = await loadConfigFile(repoRoot);
+    const metrics = await metricsProject({ targetDir: repoRoot });
+    return {
+        repoRoot,
+        dogfood: {
+            active: isDogfoodConfig(config),
+            mode: config.mode,
+            unknownLocalEffect: config.policy.unknownLocalEffect,
+            readyForEnforce: metrics.dogfood.readyForEnforce,
+            gateEvents: metrics.gateEvents,
+            wouldBlockCount: metrics.wouldBlockCount,
+            wouldBlockRate: metrics.wouldBlockRate,
+            notes: metrics.dogfood.notes,
+        },
+    };
+}

package/dist/presets.d.ts

@@ -0,0 +1,4 @@
+import type { BelayConfigV3 } from './core/config.js';
+export type ConfigPresetName = 'strict' | 'standard' | 'audit-first' | 'l1-full-recommended';
+export declare const CONFIG_PRESETS: Record<ConfigPresetName, Partial<BelayConfigV3>>;
+export declare function applyConfigPreset(preset: ConfigPresetName, extra?: Record<string, unknown>): Record<string, unknown>;

package/dist/presets.js

@@ -0,0 +1,95 @@
+import { DEFAULT_CONFIG_V3 } from './core/config.js';
+export const CONFIG_PRESETS = {
+    strict: {
+        mode: 'enforce',
+        policy: {
+            ...DEFAULT_CONFIG_V3.policy,
+            unknownLocalEffect: 'deny',
+            unparseableShell: 'deny',
+            confidenceThresholds: { allow: 0.9, flag: 0.8 },
+            modelAssist: { enabled: false },
+        },
+        sandbox: { ...DEFAULT_CONFIG_V3.sandbox },
+    },
+    standard: {
+        mode: 'enforce',
+    },
+    'audit-first': {
+        mode: 'audit',
+        policy: {
+            ...DEFAULT_CONFIG_V3.policy,
+            unknownLocalEffect: 'deny',
+            unparseableShell: 'deny',
+            confidenceThresholds: { allow: 0.88, flag: 0.72 },
+            modelAssist: { enabled: false },
+        },
+        sandbox: { ...DEFAULT_CONFIG_V3.sandbox },
+    },
+    'l1-full-recommended': {
+        mode: 'enforce',
+        policy: {
+            ...DEFAULT_CONFIG_V3.policy,
+            confidenceThresholds: { ...DEFAULT_CONFIG_V3.policy.confidenceThresholds },
+            modelAssist: { ...DEFAULT_CONFIG_V3.policy.modelAssist },
+        },
+        sandbox: {
+            enabled: true,
+            runtime: 'container',
+            denyNetworkByDefault: true,
+        },
+        egress: {
+            ...DEFAULT_CONFIG_V3.egress,
+            enabled: true,
+            demoteL3External: true,
+        },
+        approvalSigning: {
+            required: true,
+        },
+        controlPlane: {
+            ...DEFAULT_CONFIG_V3.controlPlane,
+            isolation: {
+                mode: 'separate-user',
+                verifyAgentWritable: true,
+            },
+        },
+    },
+};
+export function applyConfigPreset(preset, extra = {}) {
+    const base = CONFIG_PRESETS[preset] ?? CONFIG_PRESETS.standard;
+    return {
+        version: 3,
+        ...base,
+        ...extra,
+        policy: {
+            ...DEFAULT_CONFIG_V3.policy,
+            ...(base.policy ?? {}),
+            ...extra.policy,
+        },
+        sandbox: {
+            ...DEFAULT_CONFIG_V3.sandbox,
+            ...(base.sandbox ?? {}),
+            ...extra.sandbox,
+        },
+        egress: {
+            ...DEFAULT_CONFIG_V3.egress,
+            ...(base.egress ?? {}),
+            ...extra.egress,
+        },
+        approvalSigning: {
+            ...DEFAULT_CONFIG_V3.approvalSigning,
+            ...(base.approvalSigning ?? {}),
+            ...extra.approvalSigning,
+        },
+        controlPlane: {
+            ...DEFAULT_CONFIG_V3.controlPlane,
+            ...(base.controlPlane ?? {}),
+            ...extra.controlPlane,
+            isolation: {
+                ...DEFAULT_CONFIG_V3.controlPlane.isolation,
+                ...(base.controlPlane?.isolation ?? {}),
+                ...(extra.controlPlane
+                    ?.isolation ?? {}),
+            },
+        },
+    };
+}

package/dist/services/egress-service.d.ts

@@ -0,0 +1,57 @@
+import { loadConfigFile } from '../config-io.js';
+import { type BelayConfigV3 } from '../core/config.js';
+import type { ApprovalStateFile } from '../core/types.js';
+export interface EgressServiceOptions {
+    targetDir?: string;
+}
+export interface EgressStatusReport {
+    repoRoot: string;
+    enabled: boolean;
+    running: boolean;
+    host: string;
+    port: number;
+    pid: number | null;
+    startedAt: string | null;
+    boundRepoRoot: string | null;
+    repoRootMismatch: boolean;
+    foreignProxy: boolean;
+    portOccupied: boolean;
+    proxyEnv: Record<string, string>;
+}
+export declare function isEgressProxyActiveForRepo(config: BelayConfigV3, repoRoot: string, repoLocalStateDir: string): boolean;
+export declare function egressStatus(options?: EgressServiceOptions): Promise<EgressStatusReport>;
+export declare function startEgressProxy(options?: EgressServiceOptions): Promise<{
+    ok: boolean;
+    message: string;
+}>;
+export declare function stopEgressProxy(options?: EgressServiceOptions): Promise<{
+    ok: boolean;
+    message: string;
+}>;
+export declare function egressEnv(options?: EgressServiceOptions): Promise<{
+    ok: boolean;
+    message: string;
+    env: Record<string, string>;
+}>;
+export declare function formatEgressStatusReport(report: EgressStatusReport): string;
+export declare function createEgressApprovalStore(repoRoot: string, config: Awaited<ReturnType<typeof loadConfigFile>>): {
+    allowlistPath: string;
+    loadPending(): Promise<{
+        filePath: string;
+        state: ApprovalStateFile;
+    }>;
+    loadApproved(): Promise<{
+        filePath: string;
+        state: ApprovalStateFile;
+    }>;
+    writePending(_filePath: string, state: ApprovalStateFile): Promise<void>;
+    writeApproved(_filePath: string, state: ApprovalStateFile): Promise<void>;
+};
+export declare function writeEgressDaemonState(params: {
+    stateDir: string;
+    pid: number;
+    host: string;
+    port: number;
+    repoRoot: string;
+}): Promise<void>;
+export declare function clearEgressDaemonState(stateDir: string): Promise<void>;