@hogsend/engine 0.2.0 → 0.4.0

package/src/journeys/journey-context.ts

@@ -1,6 +1,14 @@
-import type { HatchetClient } from "@hatchet-dev/typescript-sdk/v1/index.js";
+import type {
+  Conditions,
+  HatchetClient,
+} from "@hatchet-dev/typescript-sdk/v1/index.js";
+import {
+  Or,
+  SleepCondition,
+  UserEventCondition,
+} from "@hatchet-dev/typescript-sdk/v1/index.js";
 import type { DurationObject } from "@hogsend/core";
-import { evaluateEventCondition } from "@hogsend/core";
+import { durationToMs, evaluateEventCondition } from "@hogsend/core";
 import type { JourneyRegistry } from "@hogsend/core/registry";
 import {
   isValidTimeZone,
@@ -19,10 +27,32 @@ import type {
 } from "@hogsend/core/types";
 import { type Database, emailSends, journeyStates } from "@hogsend/db";
 import type { PostHogService } from "@hogsend/plugin-posthog";
-import { and, count, eq, max } from "drizzle-orm";
+import { and, count, eq, max, notInArray } from "drizzle-orm";
 import { checkEmailPreferences } from "../lib/enrollment-guards.js";
 import { ingestEvent } from "../lib/ingestion.js";
 import type { Logger } from "../lib/logger.js";
+import {
+  JOURNEY_EXECUTION_TIMEOUT,
+  JOURNEY_EXECUTION_TIMEOUT_HOURS,
+} from "./constants.js";
+import { JourneyExitedError } from "./errors.js";
+
+/** Journey statuses that are terminal — a journey in any of these must never be
+ * resurrected back to "active" by a wait resuming. Exported so the durable task
+ * runner can avoid clobbering a terminal row to "failed" on a cancel. */
+export const TERMINAL_STATUSES = ["completed", "failed", "exited"] as const;
+
+/** Upper bound for a `waitForEvent` timeout — the journey task's executionTimeout. */
+const MAX_WAIT_MS = durationToMs({ hours: JOURNEY_EXECUTION_TIMEOUT_HOURS });
+
+/**
+ * Quote a string as a CEL single-quoted string literal, escaping backslashes
+ * then single quotes. Used to embed an externally-supplied userId into a CEL
+ * filter expression without breaking it or allowing injection.
+ */
+function celStringLiteral(value: string): string {
+  return `'${value.replace(/\\/g, "\\\\").replace(/'/g, "\\'")}'`;
+}
 
 interface JourneyContextConfig {
   db: Database;
@@ -31,6 +61,12 @@ interface JourneyContextConfig {
     // Hatchet's real `sleepFor` accepts a number (milliseconds) in addition to
     // duration strings/objects; we use the number-ms form for `sleepUntil`.
     sleepFor: (duration: DurationObject | number) => Promise<unknown>;
+    // The forwarded object is the real Hatchet `DurableContext`, which also has
+    // `waitFor` (used by `waitForEvent`). Param mirrors the SDK signature so the
+    // real context is assignable; we read back the envelope as a plain record.
+    waitFor: (
+      conditions: Conditions | Conditions[],
+    ) => Promise<Record<string, unknown>>;
   };
   registry: JourneyRegistry;
   logger: Logger;
@@ -114,30 +150,103 @@ export function createJourneyContext(
     defaultSendWindow,
   } = config;
 
-  // Shared wait lifecycle: mark the state "waiting", durably sleep, mark it
-  // "active" again. `sleep` passes a DurationObject; `sleepUntil` passes a
-  // precomputed ms delay — Hatchet's `sleepFor` accepts both.
+  // Enter a durable wait: flip "active" → "waiting", but ONLY if the journey
+  // hasn't already reached a terminal state (e.g. exitOn fired before we got
+  // here). A no-op update means the journey is already done — abort the run.
+  const enterWait = async (nodeId: string): Promise<void> => {
+    const entered = await db
+      .update(journeyStates)
+      .set({ status: "waiting", currentNodeId: nodeId, updatedAt: new Date() })
+      .where(
+        and(
+          eq(journeyStates.id, stateId),
+          notInArray(journeyStates.status, [...TERMINAL_STATUSES]),
+        ),
+      )
+      .returning({ id: journeyStates.id });
+
+    if (entered.length === 0) {
+      throw new JourneyExitedError(stateId);
+    }
+  };
+
+  // Resume from a durable wait: flip "waiting" → "active", but ONLY if the row
+  // is still "waiting". If an exit/cancel landed during the wait the row is no
+  // longer "waiting" — abort instead of reviving a terminated journey to active
+  // (which would let a post-wait side effect fire after the journey exited).
+  const resumeFromWait = async (): Promise<void> => {
+    const resumed = await db
+      .update(journeyStates)
+      .set({ status: "active", updatedAt: new Date() })
+      .where(
+        and(eq(journeyStates.id, stateId), eq(journeyStates.status, "waiting")),
+      )
+      .returning({ id: journeyStates.id });
+
+    if (resumed.length === 0) {
+      throw new JourneyExitedError(stateId);
+    }
+  };
+
+  // Durable sleep with the guarded waiting → active lifecycle. `sleep` passes a
+  // DurationObject; `sleepUntil` passes a precomputed ms delay — Hatchet's
+  // `sleepFor` accepts both.
   const performSleep = async (
     durationOrMs: DurationObject | number,
     nodeId: string,
   ): Promise<{ sleptAt: string; resumedAt: string }> => {
     const sleptAt = new Date().toISOString();
+    await enterWait(nodeId);
+    await hatchetCtx.sleepFor(durationOrMs);
+    const resumedAt = new Date().toISOString();
+    await resumeFromWait();
+    return { sleptAt, resumedAt };
+  };
 
-    await db
-      .update(journeyStates)
-      .set({ status: "waiting", currentNodeId: nodeId, updatedAt: new Date() })
-      .where(eq(journeyStates.id, stateId));
+  // Durably wait for THIS user's `event` OR `timeout`, whichever fires first,
+  // sharing the same guarded lifecycle as `performSleep`.
+  const performWaitForEvent = async (
+    event: string,
+    timeout: DurationObject,
+    nodeId: string,
+  ): Promise<{ timedOut: boolean }> => {
+    // Reject a timeout longer than the journey task's executionTimeout up front
+    // so it fails fast at authoring time. (Eviction-capable engines may allow
+    // longer wall-clock waits, but we cap to the configured ceiling — raise
+    // JOURNEY_EXECUTION_TIMEOUT to lift it.)
+    if (durationToMs(timeout) > MAX_WAIT_MS) {
+      throw new RangeError(
+        `waitForEvent timeout exceeds the journey execution limit (${JOURNEY_EXECUTION_TIMEOUT})`,
+      );
+    }
 
-    await hatchetCtx.sleepFor(durationOrMs);
+    await enterWait(nodeId);
 
-    const resumedAt = new Date().toISOString();
+    // Wait for the user-scoped event or the timeout. The event branch filters on
+    // the pushed payload's top-level `userId` (see `ingestEvent`); the SDK turns
+    // the ms number into a Go duration string at serialization time.
+    const result = await hatchetCtx.waitFor(
+      Or(
+        new UserEventCondition(
+          event,
+          `input.userId == ${celStringLiteral(userId)}`,
+          "event",
+        ),
+        new SleepCondition(durationToMs(timeout), "timeout"),
+      ),
+    );
 
-    await db
-      .update(journeyStates)
-      .set({ status: "active", updatedAt: new Date() })
-      .where(eq(journeyStates.id, stateId));
+    // Discriminate on which branch's readableDataKey ("event"/"timeout") is
+    // present. The eviction-capable path returns the `{ CREATE: { … } }`
+    // envelope; the pre-eviction path returns the inner object UN-wrapped — so
+    // strip an optional `CREATE` layer first to handle both shapes identically.
+    const fired = (("CREATE" in result ? result.CREATE : result) ??
+      {}) as Record<string, unknown>;
+    const timedOut = !("event" in fired);
 
-    return { sleptAt, resumedAt };
+    await resumeFromWait();
+
+    return { timedOut };
   };
 
   return {
@@ -169,6 +278,14 @@ export function createJourneyContext(
       );
     },
 
+    async waitForEvent({ event, timeout, label }) {
+      return performWaitForEvent(
+        event,
+        timeout,
+        label ?? `wait-event:${event}`,
+      );
+    },
+
     async checkpoint(label) {
       await db
         .update(journeyStates)

package/src/lib/ingestion.ts

@@ -76,7 +76,7 @@ export async function ingestEvent(opts: {
       userEmail: event.userEmail,
       properties: serializableProperties,
     }),
-    checkExits(db, registry, {
+    checkExits(db, registry, hatchet, logger, {
       userId: event.userId,
       eventName: event.event,
       properties: event.properties,
@@ -130,6 +130,8 @@ export async function ingestEvent(opts: {
 async function checkExits(
   db: Database,
   registry: JourneyRegistry,
+  hatchet: HatchetClient,
+  logger: Logger,
   event: {
     userId: string;
     eventName: string;
@@ -147,6 +149,7 @@ async function checkExits(
   });
 
   const statesToExit: string[] = [];
+  const runIdsToCancel: string[] = [];
 
   for (const state of activeStates) {
     const journey = registry.get(state.journeyId);
@@ -163,6 +166,9 @@ async function checkExits(
 
     if (shouldExit) {
       statesToExit.push(state.id);
+      if (state.hatchetRunId) {
+        runIdsToCancel.push(state.hatchetRunId);
+      }
     }
 
     results.push({
@@ -181,6 +187,21 @@ async function checkExits(
         updatedAt: new Date(),
       })
       .where(inArray(journeyStates.id, statesToExit));
+
+    // Cancel the live durable runs so a journey suspended in a sleep or
+    // `waitForEvent` can't resume and fire after it has exited. Best-effort: a
+    // run may have already finished, and the in-run resume guard
+    // (JourneyExitedError) is the backstop if a cancel races a resume.
+    if (runIdsToCancel.length > 0) {
+      try {
+        await hatchet.runs.cancel({ ids: runIdsToCancel });
+      } catch (err) {
+        logger.warn("Failed to cancel exited journey runs", {
+          count: runIdsToCancel.length,
+          error: err instanceof Error ? err.message : String(err),
+        });
+      }
+    }
   }
 
   return results;

package/src/routes/admin/buckets.ts

@@ -10,7 +10,7 @@ const bucketSchema = z.object({
   enabled: z.boolean(),
   kind: z.enum(["dynamic", "manual"]),
   timeBased: z.boolean(),
-  reentry: z.enum(["once", "once_per_period", "unlimited"]),
+  entryLimit: z.enum(["once", "once_per_period", "unlimited"]),
   counts: z.object({
     active: z.number(),
     left: z.number(),
@@ -106,7 +106,7 @@ const getRoute = createRoute({
           schema: z.object({
             bucket: bucketSchema.extend({
               criteria: z.record(z.string(), z.unknown()).optional(),
-              reentryPeriod: z
+              entryPeriod: z
                 .record(z.string(), z.unknown())
                 .nullable()
                 .optional(),
@@ -267,7 +267,7 @@ export const bucketsRouter = new OpenAPIHono<AppEnv>()
         enabled: effectiveEnabled,
         kind: b.kind ?? "dynamic",
         timeBased: b.timeBased ?? false,
-        reentry: b.reentry ?? "unlimited",
+        entryLimit: b.entryLimit ?? "unlimited",
         counts: countsMap.get(b.id) ?? { ...emptyCounts },
       };
     });
@@ -366,11 +366,9 @@ export const bucketsRouter = new OpenAPIHono<AppEnv>()
           enabled: effectiveEnabled,
           kind: meta.kind ?? "dynamic",
           timeBased: meta.timeBased ?? false,
-          reentry: meta.reentry ?? "unlimited",
+          entryLimit: meta.entryLimit ?? "unlimited",
           criteria: meta.criteria as Record<string, unknown> | undefined,
-          reentryPeriod: meta.reentryPeriod as
-            | Record<string, unknown>
-            | undefined,
+          entryPeriod: meta.entryPeriod as Record<string, unknown> | undefined,
           minDwell: meta.minDwell as Record<string, unknown> | undefined,
           maxDwell: meta.maxDwell as Record<string, unknown> | undefined,
           reconcileEvery: meta.reconcileEvery as

package/src/worker.ts

@@ -79,12 +79,12 @@ export function createWorker(opts: CreateWorkerOptions): Worker {
       `Hogsend worker started with ${journeyTasks.length} journey task(s)`,
     );
 
-    await _worker.start();
-
     // Boot-time backfill / criteria-change re-eval (Section 6.6 B): diff each
-    // enabled bucket's criteriaHash against bucket_configs and enqueue a
-    // backfill/re-eval job where it differs. Best-effort — never block worker
-    // start; the cron is the backstop for time-based leaves regardless.
+    // enabled bucket's criteriaHash against bucket_configs and trigger a
+    // backfill/re-eval run where it differs. Kicked off BEFORE the listener
+    // because `_worker.start()` below does NOT return until the worker stops —
+    // anything after it is dead code at runtime. The triggers are fire-and-forget
+    // (runNoWait) and execute once the listener is up; best-effort, never blocks.
     enqueueBucketBackfills({
       db: container.db,
       logger: container.logger,
@@ -93,6 +93,8 @@ export function createWorker(opts: CreateWorkerOptions): Worker {
         error: err instanceof Error ? err.message : String(err),
       });
     });
+
+    await _worker.start();
   }
 
   return { start, stop };

package/src/workflows/bucket-backfill.ts

@@ -3,7 +3,6 @@ import type { JsonObject } from "@hatchet-dev/typescript-sdk/v1/types.js";
 import {
   type BucketMeta,
   type ConditionEval,
-  type DurationObject,
   durationToMs,
   evaluateCondition,
 } from "@hogsend/core";
@@ -16,7 +15,12 @@ import {
   importJobs,
   userEvents,
 } from "@hogsend/db";
-import { and, eq, gte, inArray, isNull, sql } from "drizzle-orm";
+import { and, eq, gt, gte, inArray, isNull, sql } from "drizzle-orm";
+import {
+  computeExpiresAt,
+  computeMaxDwellAt,
+  matchesEventCount,
+} from "../buckets/membership-epoch.js";
 import { getBucketRegistrySingleton } from "../buckets/registry-singleton.js";
 import { getJourneyRegistrySingleton } from "../journeys/registry-singleton.js";
 import { emitBucketTransition } from "../lib/bucket-emit.js";
@@ -28,7 +32,7 @@ import { createLogger } from "../lib/logger.js";
 const BATCH_SIZE = 500;
 
 /** import_jobs.format discriminator for the reused status record (Section 6.6). */
-const FIRST_TIME_FORMAT = "bucket-backfill";
+export const FIRST_TIME_FORMAT = "bucket-backfill";
 const REEVAL_FORMAT = "bucket-reeval";
 
 /**
@@ -199,6 +203,18 @@ async function backfillJoins(opts: {
     .set({ totalRows: matcherIds.length, updatedAt: new Date() })
     .where(eq(importJobs.id, jobId));
 
+  // Unconditional max-dwell TTL deadline, stamped once at insert (mirrors the
+  // live join, check-membership.ts). null when the bucket has no maxDwell; the
+  // TTL sweep (reconcileBucketTtlLeaves) filters isNotNull(maxDwellAt), so an
+  // unset value would never be force-left.
+  const maxDwellAt = computeMaxDwellAt(bucket);
+
+  // Fix C (DEFERRED): backfilled fastExpiry rows are NOT armed with a
+  // bucket:arm-expiry durable timer here — they are picked up by the next cron
+  // sweep instead (reconcileBucketLeaves / reconcileBucketTtlLeaves are the
+  // authoritative backstop). Conscious choice (cron cadence, default 5m), not an
+  // omission: arming at backfill would fan out one durable task per inserted row.
+
   let inserted = 0;
   for (let i = 0; i < matcherIds.length; i += BATCH_SIZE) {
     const chunk = matcherIds.slice(i, i + BATCH_SIZE);
@@ -214,14 +230,38 @@ async function backfillJoins(opts: {
       chunkContacts.map((c) => [c.externalId, c.email]),
     );
 
+    // Fix A: entryCount = 1 + prior memberships for each (user, bucket), the
+    // same monotonic ordinal the live join computes (check-membership.ts). On a
+    // FIRST-TIME backfill priorCount is 0 → entryCount 1 (unchanged); on a
+    // REEVAL re-join of a user with historical "left" rows it advances the
+    // epoch correctly. ONE batched GROUP BY per chunk (never per-user — the set-
+    // based path must not reintroduce the O(P) serial-query trap).
+    const priorCounts = await db
+      .select({
+        userId: bucketMemberships.userId,
+        cnt: sql<number>`count(*)::int`,
+      })
+      .from(bucketMemberships)
+      .where(
+        and(
+          eq(bucketMemberships.bucketId, bucket.id),
+          inArray(bucketMemberships.userId, chunk),
+        ),
+      )
+      .groupBy(bucketMemberships.userId);
+    const priorByUser = new Map(
+      priorCounts.map((r) => [r.userId, Number(r.cnt)]),
+    );
+
     const rows = chunk.map((userId) => ({
       userId,
       userEmail: emailByUser.get(userId) ?? null,
       bucketId: bucket.id,
       status: "active" as const,
       source: "backfill" as const,
-      entryCount: 1,
-      expiresAt: computeBackfillExpiresAt(bucket),
+      entryCount: 1 + (priorByUser.get(userId) ?? 0),
+      expiresAt: computeExpiresAt(bucket),
+      maxDwellAt,
       lastEvaluatedAt: new Date(),
     }));
 
@@ -343,8 +383,22 @@ async function selectEventMatchers(
     : null;
 
   // count gte N / exists → SELECT user_id ... GROUP BY HAVING. not_exists
-  // (absence) → live contacts with NO such event in the window (anti-join).
+  // (absence) → live contacts who EVER fired the event but have NONE in the
+  // window (lapsed-only). A bare windowed `not_exists within W` is treated as
+  // LAPSED-ONLY (never-active EXCLUDED) in BOTH this backfill and the cron
+  // (bucket-reconcile.ts reconcileBucketJoins, the everFired floor), so the two
+  // writers agree: brand-new never-active signups are NOT materialized for an
+  // absence-within-window bucket — only users who once did X and then stopped.
   if (criteria.check === "not_exists") {
+    // everFired floor: contacts who fired the event AT LEAST ONCE (no window),
+    // mirroring the cron's `ever_fired` semi-join. Excludes never-active
+    // contacts so the two writers select the same lapsed-only cohort.
+    const everFired = db
+      .selectDistinct({ userId: userEvents.userId })
+      .from(userEvents)
+      .where(eq(userEvents.event, criteria.eventName))
+      .as("ever_fired");
+
     const present = db
       .select({ userId: userEvents.userId })
       .from(userEvents)
@@ -360,115 +414,94 @@ async function selectEventMatchers(
     const rows = await db
       .select({ userId: contacts.externalId })
       .from(contacts)
+      .innerJoin(everFired, eq(everFired.userId, contacts.externalId))
       .leftJoin(present, eq(present.userId, contacts.externalId))
       .where(and(isNull(contacts.deletedAt), isNull(present.userId)));
     return rows.map((r) => r.userId);
   }
 
-  // exists / count: group counts then filter by the operator.
+  // exists / count: group counts then filter by the operator. Fix B: innerJoin
+  // live contacts (GDPR — only materialize memberships for non-deleted contacts
+  // that actually exist), mirroring selectEventLeavers in bucket-reconcile.ts.
+  // The not_exists branch above already filters contacts.deletedAt; without this
+  // join the positive-event path could materialize active rows for soft-deleted
+  // or orphan-event userIds, diverging from the live/reconcile paths.
   const rows = await db
     .select({
       userId: userEvents.userId,
       cnt: sql<number>`count(*)::int`,
     })
     .from(userEvents)
+    .innerJoin(contacts, eq(contacts.externalId, userEvents.userId))
     .where(
       and(
         eq(userEvents.event, criteria.eventName),
+        isNull(contacts.deletedAt),
         cutoff ? gte(userEvents.occurredAt, cutoff) : undefined,
       ),
     )
     .groupBy(userEvents.userId);
 
   return rows
-    .filter((r) => matchesCount(criteria, Number(r.cnt)))
+    .filter((r) => matchesEventCount(criteria, Number(r.cnt)))
     .map((r) => r.userId);
 }
 
-/** True when a windowed count satisfies the (exists/count) criterion. */
-function matchesCount(
-  criteria: Extract<ConditionEval, { type: "event" }>,
-  count: number,
-): boolean {
-  switch (criteria.check) {
-    case "exists":
-      return count > 0;
-    case "count": {
-      if (!criteria.operator || criteria.value === undefined) return count > 0;
-      switch (criteria.operator) {
-        case "gt":
-          return count > criteria.value;
-        case "gte":
-          return count >= criteria.value;
-        case "lt":
-          return count < criteria.value;
-        case "lte":
-          return count <= criteria.value;
-        case "eq":
-          return count === criteria.value;
-        default:
-          return false;
-      }
-    }
-    default:
-      return false;
-  }
-}
-
 /**
  * Composite/multi-condition fallback (the documented O(P) exception, Section 6.6):
- * a chunked per-contact `evaluateCondition` loop over live contacts. Property
+ * a per-contact `evaluateCondition` loop over live contacts. Property
  * sub-conditions evaluate against the contact's merged properties.
+ *
+ * KEYSET PAGINATION by `contacts.externalId` in BATCH_SIZE pages (mirrors
+ * reconcileBucketJoins' `externalId asc` paging): each page selects
+ * `WHERE externalId > :cursor ORDER BY externalId ASC LIMIT BATCH_SIZE`,
+ * evaluates the criteria per contact, then advances the cursor to the last
+ * externalId of the page — repeating until a short page ends the scan. The whole
+ * contacts table is never held in memory at once.
  */
 async function selectCompositeMatchers(
   db: Database,
   criteria: ConditionEval,
 ): Promise<string[]> {
-  const liveContacts = await db
-    .select({
-      externalId: contacts.externalId,
-      properties: contacts.properties,
-    })
-    .from(contacts)
-    .where(isNull(contacts.deletedAt));
-
   const matchers: string[] = [];
-  for (const contact of liveContacts) {
-    const isMember = await evaluateCondition({
-      condition: criteria,
-      ctx: {
-        db,
-        userId: contact.externalId,
-        journeyContext:
-          (contact.properties as Record<string, unknown> | null) ?? {},
-      },
-    });
-    if (isMember) matchers.push(contact.externalId);
-  }
-  return matchers;
-}
+  let cursor: string | null = null;
 
-/** now + within for time-based / fastExpiry buckets; null otherwise. */
-function computeBackfillExpiresAt(bucket: BucketMeta): Date | null {
-  if (!bucket.criteria) return null;
-  if (!bucket.timeBased && !bucket.fastExpiry) return null;
-  const within = firstWithin(bucket.criteria);
-  if (!within) return null;
-  return new Date(Date.now() + durationToMs(within));
-}
+  for (;;) {
+    const page = await db
+      .select({
+        externalId: contacts.externalId,
+        properties: contacts.properties,
+      })
+      .from(contacts)
+      .where(
+        and(
+          isNull(contacts.deletedAt),
+          cursor != null ? gt(contacts.externalId, cursor) : undefined,
+        ),
+      )
+      .orderBy(sql`${contacts.externalId} asc`)
+      .limit(BATCH_SIZE);
 
-/** Find the first EventCondition.within in a criteria tree (depth-first). */
-function firstWithin(criteria: ConditionEval): DurationObject | null {
-  if (criteria.type === "event" && criteria.within) {
-    return criteria.within;
-  }
-  if (criteria.type === "composite") {
-    for (const child of criteria.conditions) {
-      const found = firstWithin(child);
-      if (found) return found;
+    for (const contact of page) {
+      const isMember = await evaluateCondition({
+        condition: criteria,
+        ctx: {
+          db,
+          userId: contact.externalId,
+          journeyContext:
+            (contact.properties as Record<string, unknown> | null) ?? {},
+        },
+      });
+      if (isMember) matchers.push(contact.externalId);
     }
+
+    // A short page (fewer than a full batch) means the scan is exhausted.
+    if (page.length < BATCH_SIZE) break;
+    cursor = page[page.length - 1]?.externalId ?? null;
+    if (cursor == null) break;
   }
-  return null;
+
+  return matchers;
 }
 
 /**
@@ -535,7 +568,11 @@ export async function enqueueBucketBackfills(opts: {
 
       if (!job) continue;
 
-      await bucketBackfillTask.run({
+      // runNoWait (fire-and-forget): this is called from worker boot BEFORE the
+      // listener starts, so awaiting the run would deadlock (the run needs the
+      // listener that `_worker.start()` brings up). The triggered run queues and
+      // executes once listening; the task itself persists the criteriaHash.
+      await bucketBackfillTask.runNoWait({
         jobId: job.id,
         bucketId: bucket.id,
         mode,