@indigoai-us/hq-cloud 6.11.10 → 6.11.12

package/src/s3.ts

@@ -8,8 +8,16 @@
 
 import * as fs from "fs";
 import * as path from "path";
+import * as crypto from "crypto";
+import { Readable, Transform } from "stream";
+import { pipeline } from "stream/promises";
 import type { EntityContext } from "./types.js";
-import { resolveObjectIO, type ObjectIO, type PutPrecondition } from "./object-io.js";
+import {
+  resolveObjectIO,
+  type GetObjectStreamResult,
+  type ObjectIO,
+  type PutPrecondition,
+} from "./object-io.js";
 
 // Byte/metadata transport is resolved per-call via resolveObjectIO(ctx) — the
 // default is the AWS S3 SDK over STS-vended credentials (S3SdkObjectIO), but a
@@ -142,6 +150,7 @@ export function decodeSymlinkMetadataValue(value: string): string {
  * extension can encode additional fields if needed.
  */
 export const SYMLINK_BODY_PREFIX = "hq-symlink:";
+const SYMLINK_BODY_PREFIX_BYTES = Buffer.from(SYMLINK_BODY_PREFIX, "utf-8");
 
 /**
  * S3 user-metadata key carrying the source-side file mode (permission bits
@@ -230,6 +239,116 @@ export function encodeSymlinkBody(target: string): Buffer {
   return Buffer.from(SYMLINK_BODY_PREFIX + target, "utf-8");
 }
 
+function downloadTempPath(localPath: string): string {
+  const dir = path.dirname(localPath);
+  const random = crypto.randomBytes(10).toString("hex");
+  return path.join(dir, `.hq-tmp-${random}`);
+}
+
+function removeTempPath(tempPath: string): void {
+  try {
+    fs.unlinkSync(tempPath);
+  } catch {
+    // Best-effort cleanup; do not mask the transfer/materialization error.
+  }
+}
+
+async function getObjectStream(
+  io: ObjectIO,
+  key: string,
+): Promise<GetObjectStreamResult> {
+  if (io.getObjectStream) return io.getObjectStream(key);
+  const res = await io.getObject(key);
+  return {
+    body: (async function* () {
+      yield res.body;
+    })(),
+    metadata: res.metadata,
+  };
+}
+
+function bufferFromChunk(chunk: Uint8Array): Buffer {
+  if (Buffer.isBuffer(chunk)) return chunk;
+  return Buffer.from(chunk.buffer, chunk.byteOffset, chunk.byteLength);
+}
+
+function leadingBytes(chunks: Buffer[], totalLength: number, length: number): Buffer {
+  const out = Buffer.alloc(Math.min(totalLength, length));
+  let offset = 0;
+  for (const chunk of chunks) {
+    if (offset >= out.length) break;
+    const take = Math.min(chunk.length, out.length - offset);
+    chunk.copy(out, offset, 0, take);
+    offset += take;
+  }
+  return out;
+}
+
+async function collectRemainingChunks(
+  initialChunks: Buffer[],
+  iterator: AsyncIterator<Uint8Array>,
+): Promise<Buffer> {
+  const chunks = [...initialChunks];
+  let totalLength = chunks.reduce((sum, chunk) => sum + chunk.length, 0);
+  while (true) {
+    const next = await iterator.next();
+    if (next.done) break;
+    const chunk = bufferFromChunk(next.value);
+    if (chunk.length === 0) continue;
+    chunks.push(chunk);
+    totalLength += chunk.length;
+  }
+  return Buffer.concat(chunks, totalLength);
+}
+
+async function* regularDownloadChunks(
+  initialChunks: Buffer[],
+  iterator: AsyncIterator<Uint8Array>,
+): AsyncIterable<Buffer> {
+  for (const chunk of initialChunks) {
+    if (chunk.length > 0) yield chunk;
+  }
+  while (true) {
+    const next = await iterator.next();
+    if (next.done) break;
+    const chunk = bufferFromChunk(next.value);
+    if (chunk.length > 0) yield chunk;
+  }
+}
+
+class HashingTransform extends Transform {
+  private readonly hash = crypto.createHash("sha256");
+  size = 0;
+
+  _transform(
+    chunk: Buffer,
+    _encoding: BufferEncoding,
+    callback: (error?: Error | null, data?: Buffer) => void,
+  ): void {
+    this.hash.update(chunk);
+    this.size += chunk.length;
+    callback(null, chunk);
+  }
+
+  digest(): string {
+    return this.hash.digest("hex");
+  }
+}
+
+async function streamRegularFileToTemp(
+  tempPath: string,
+  initialChunks: Buffer[],
+  iterator: AsyncIterator<Uint8Array>,
+): Promise<{ hash: string; size: number }> {
+  const hashing = new HashingTransform();
+  await pipeline(
+    Readable.from(regularDownloadChunks(initialChunks, iterator)),
+    hashing,
+    fs.createWriteStream(tempPath, { flags: "wx" }),
+  );
+  return { hash: hashing.digest(), size: hashing.size };
+}
+
 /**
  * Batch pre-mint transport URLs for `keys` under `op` so the subsequent
  * per-file transfer calls (downloadFile/headRemoteFile/…) reuse them instead
@@ -558,15 +677,25 @@ export async function downloadFile(
   ctx: EntityContext,
   key: string,
   localPath: string,
-): Promise<{ metadata?: Record<string, string> }> {
+): Promise<{
+  metadata?: Record<string, string>;
+  contentHash?: string;
+  contentSize?: number;
+}> {
   const io = resolveObjectIO(ctx);
 
-  // The transport returns the full object body buffered + its user metadata.
-  // downloadFile already buffered the whole object (writeFileSync of the
-  // concatenated chunks), so buffering at the transport layer is behavior-
-  // preserving — symlink record bodies are tiny and regular files were read
-  // fully into memory regardless.
-  const { body: objectBody, metadata } = await io.getObject(key);
+  const { body, metadata } = await getObjectStream(io, key);
+  const iterator = body[Symbol.asyncIterator]();
+  const initialChunks: Buffer[] = [];
+  let initialLength = 0;
+  while (initialLength < SYMLINK_BODY_PREFIX_BYTES.length) {
+    const next = await iterator.next();
+    if (next.done) break;
+    const chunk = bufferFromChunk(next.value);
+    if (chunk.length === 0) continue;
+    initialChunks.push(chunk);
+    initialLength += chunk.length;
+  }
 
   const dir = path.dirname(localPath);
   if (!fs.existsSync(dir)) {
@@ -592,18 +721,31 @@ export async function downloadFile(
   // The body is already buffered (tiny for symlink records); reading it here
   // is behavior-preserving for regular files (whose body never starts with
   // the prefix per the SYMLINK_BODY_PREFIX doc). See SYMLINK_BODY_PREFIX.
-  const bodyString = objectBody.toString("utf-8");
+  const leading = leadingBytes(
+    initialChunks,
+    initialLength,
+    SYMLINK_BODY_PREFIX_BYTES.length,
+  );
+  const bodyHasSymlinkPrefix =
+    leading.length >= SYMLINK_BODY_PREFIX_BYTES.length &&
+    leading.subarray(0, SYMLINK_BODY_PREFIX_BYTES.length).equals(
+      SYMLINK_BODY_PREFIX_BYTES,
+    );
   const isSymlinkRecord =
     (typeof symlinkMarker === "string" && symlinkMarker.length > 0) ||
-    bodyString.startsWith(SYMLINK_BODY_PREFIX);
+    bodyHasSymlinkPrefix;
   if (isSymlinkRecord) {
+    const objectBody = await collectRemainingChunks(initialChunks, iterator);
     // The target lives in the body (marker-only metadata convention).
     // Symlink record bodies are bounded by target length (typically
     // <300 bytes for relative paths, hard-capped by S3's 5 GB object
-    // size); the transport already buffered it.
+    // size); only this branch buffers the body so regular files can stream.
     let symlinkTarget: string;
-    if (bodyString.startsWith(SYMLINK_BODY_PREFIX)) {
-      symlinkTarget = bodyString.slice(SYMLINK_BODY_PREFIX.length);
+    if (bodyHasSymlinkPrefix) {
+      symlinkTarget = objectBody.toString(
+        "utf-8",
+        SYMLINK_BODY_PREFIX_BYTES.length,
+      );
     } else {
       // Backward-compat fallback: a legacy upload from earlier in
       // this PR's lifetime stored the target in metadata (raw or
@@ -619,127 +761,100 @@ export async function downloadFile(
 
     if (symlinkTarget.length === 0) {
       throw new Error(
-        `Symlink record for ${key} had no target (body: ${bodyString.length} bytes, marker: ${symlinkMarker})`,
+        `Symlink record for ${key} had no target (body: ${objectBody.length} bytes, marker: ${symlinkMarker})`,
       );
     }
 
-    // Replace whatever's at localPath. unlink covers regular files; for
-    // a stale symlink this also frees the slot. ENOENT is fine — first
-    // download of this key has nothing to clear. Other errors propagate
-    // because they signal a real problem (permissions, parent missing).
+    const tempPath = downloadTempPath(localPath);
     try {
-      fs.unlinkSync(localPath);
-    } catch (err: unknown) {
-      if (
-        !err ||
-        typeof err !== "object" ||
-        !("code" in err) ||
-        (err as { code?: string }).code !== "ENOENT"
-      ) {
-        throw err;
-      }
+      fs.symlinkSync(symlinkTarget, tempPath);
+      fs.renameSync(tempPath, localPath);
+    } catch (err) {
+      removeTempPath(tempPath);
+      throw err;
     }
-    fs.symlinkSync(symlinkTarget, localPath);
     return { metadata };
   }
-
-  // Symmetric to the symlink branch above: when a key was previously a
-  // symlink and is later replaced in S3 by a regular object, the local
-  // path still holds the stale symlink from the last sync. Without this
-  // unlink, fs.writeFileSync follows the link and overwrites its
-  // target file's contents — leaving the link in place and the new
-  // regular object never materializing at the intended path. lstat
-  // (not statSync) avoids following the link to test what's there.
+  const tempPath = downloadTempPath(localPath);
+  let tempReady = true;
+  let streamed: { hash: string; size: number };
   try {
-    const existing = fs.lstatSync(localPath);
-    if (existing.isSymbolicLink()) {
-      fs.unlinkSync(localPath);
-    }
-  } catch (err: unknown) {
-    // ENOENT means nothing's there; let writeFileSync handle creation.
-    if (
-      err &&
-      typeof err === "object" &&
-      "code" in err &&
-      (err as { code?: string }).code !== "ENOENT"
-    ) {
-      throw err;
-    }
-  }
-
-  fs.writeFileSync(localPath, objectBody);
-
-  // Bug #5 — apply source-side mode after the byte write. See
-  // FILE_MODE_META_KEY for the metadata contract. Parses defensively:
-  // a malformed value falls through with no chmod so the umask default
-  // applies, matching the legacy back-compat path. fs.chmodSync
-  // follows symlinks — that's fine here because we're on the regular-
-  // file branch (the symlink branch above already returned).
-  //
-  // Codex P2 (PR #24 round 3): strict octal-only regex BEFORE parseInt.
-  // parseInt(modeOctal, 8) accepts partial-prefix garbage — "755junk"
-  // parses to 0o755 instead of NaN — so tampered or malformed metadata
-  // could still change local permissions unexpectedly. The regex
-  // requires 1–4 pure octal digits (`[0-7]{1,4}$`), which matches what
-  // the upload side stamps (`(mode & 0o777).toString(8)` → at most
-  // three digits, all 0–7) and rejects everything else.
-  const modeOctal = metadata?.[FILE_MODE_META_KEY];
-  if (typeof modeOctal === "string" && /^[0-7]{1,4}$/.test(modeOctal)) {
-    const parsed = parseInt(modeOctal, 8);
-    if (Number.isFinite(parsed) && parsed >= 0 && parsed <= 0o777) {
-      try {
-        fs.chmodSync(localPath, parsed);
-      } catch {
-        // chmod failure (read-only FS, EPERM) is non-fatal — the file
-        // is materialized, just with the umask default. Surface via
-        // S3-side metadata being present but the file not matching;
-        // a future operator-side audit can reconcile.
+    streamed = await streamRegularFileToTemp(tempPath, initialChunks, iterator);
+
+    // Bug #5 — apply source-side mode after the byte write. See
+    // FILE_MODE_META_KEY for the metadata contract. Parses defensively:
+    // a malformed value falls through with no chmod so the umask default
+    // applies, matching the legacy back-compat path. The staged path is a
+    // regular file, then it is atomically renamed over the destination.
+    //
+    // Codex P2 (PR #24 round 3): strict octal-only regex BEFORE parseInt.
+    // parseInt(modeOctal, 8) accepts partial-prefix garbage — "755junk"
+    // parses to 0o755 instead of NaN — so tampered or malformed metadata
+    // could still change local permissions unexpectedly. The regex
+    // requires 1–4 pure octal digits (`[0-7]{1,4}$`), which matches what
+    // the upload side stamps (`(mode & 0o777).toString(8)` → at most
+    // three digits, all 0–7) and rejects everything else.
+    const modeOctal = metadata?.[FILE_MODE_META_KEY];
+    if (typeof modeOctal === "string" && /^[0-7]{1,4}$/.test(modeOctal)) {
+      const parsed = parseInt(modeOctal, 8);
+      if (Number.isFinite(parsed) && parsed >= 0 && parsed <= 0o777) {
+        try {
+          fs.chmodSync(tempPath, parsed);
+        } catch {
+          // chmod failure (read-only FS, EPERM) is non-fatal — the file
+          // is materialized, just with the umask default. Surface via
+          // S3-side metadata being present but the file not matching;
+          // a future operator-side audit can reconcile.
+        }
       }
     }
-  }
 
-  // 5.37.0 — apply source-side mtime after the byte write (and after the
-  // chmod above; ordering between chmod and utimes doesn't matter, but
-  // both must run AFTER writeFileSync because writeFileSync resets mtime
-  // to wall-clock-now). See FILE_MTIME_META_KEY for the metadata contract.
-  //
-  // Strict-numeric regex BEFORE parseInt — same Codex P2 lesson as hq-mode.
-  // `^-?[0-9]{1,16}$` rejects partial-prefix garbage ("175junk" → 175),
-  // empty, double-signed, decimals, whitespace, and oversized strings. A
-  // single optional leading `-` is allowed so pre-epoch / reproducible-build
-  // timestamps round-trip (Codex PR #27 P2 — `mtimeMs === 0` and negative
-  // epoch values are legitimate). 16 digits comfortably covers any plausible
-  // epoch-ms value (year ~5138 is 16 digits; we'll cross that bridge later).
-  //
-  // fs.utimesSync FOLLOWS symlinks — that's fine here because we're on
-  // the regular-file branch (the symlink branch above already returned
-  // before we reach this code).
-  //
-  // Composition with the 5.36.0 lstat fast-path: the journal stamp at the
-  // share/sync call sites runs AFTER downloadFile returns, so the lstat
-  // it captures sees the post-utimes mtime. Verified in cli/sync.ts
-  // (downloadFile → lstatSync → updateEntry) and cli/share.ts (pull path
-  // similarly lstats after downloadFile). If a future caller stamps the
-  // journal BEFORE downloadFile completes, the fast-path will stale and
-  // re-hash every sync forever — keep the call-site invariant intact.
-  const mtimeRaw = metadata?.[FILE_MTIME_META_KEY];
-  if (typeof mtimeRaw === "string" && /^-?[0-9]{1,16}$/.test(mtimeRaw)) {
-    const mtimeMs = parseInt(mtimeRaw, 10);
-    if (Number.isFinite(mtimeMs)) {
-      try {
-        // utimesSync accepts seconds OR Date; use Date(ms) for precision.
-        // atime = mtime is fine — many filesystems are mounted noatime
-        // and distinguishing "access" vs "modification" time doesn't
-        // matter for sync semantics. Setting both keeps the on-disk
-        // state deterministic across receivers.
-        const mtimeDate = new Date(mtimeMs);
-        fs.utimesSync(localPath, mtimeDate, mtimeDate);
-      } catch {
-        // EPERM / read-only FS / file just unlinked → non-fatal. The
-        // file is materialized at write-time mtime; the source-of-truth
-        // can re-sync next pass.
+    // 5.37.0 — apply source-side mtime after the byte write (and after the
+    // chmod above; ordering between chmod and utimes doesn't matter, but
+    // both must run AFTER writeFileSync because writeFileSync resets mtime
+    // to wall-clock-now). See FILE_MTIME_META_KEY for the metadata contract.
+    //
+    // Strict-numeric regex BEFORE parseInt — same Codex P2 lesson as hq-mode.
+    // `^-?[0-9]{1,16}$` rejects partial-prefix garbage ("175junk" → 175),
+    // empty, double-signed, decimals, whitespace, and oversized strings. A
+    // single optional leading `-` is allowed so pre-epoch / reproducible-build
+    // timestamps round-trip (Codex PR #27 P2 — `mtimeMs === 0` and negative
+    // epoch values are legitimate). 16 digits comfortably covers any plausible
+    // epoch-ms value (year ~5138 is 16 digits; we'll cross that bridge later).
+    //
+    // The staged file is regular; rename preserves these stamps at localPath.
+    //
+    // Composition with the 5.36.0 lstat fast-path: the journal stamp at the
+    // share/sync call sites runs AFTER downloadFile returns, so the lstat
+    // it captures sees the post-utimes mtime. Verified in cli/sync.ts
+    // (downloadFile → lstatSync → updateEntry) and cli/share.ts (pull path
+    // similarly lstats after downloadFile). If a future caller stamps the
+    // journal BEFORE downloadFile completes, the fast-path will stale and
+    // re-hash every sync forever — keep the call-site invariant intact.
+    const mtimeRaw = metadata?.[FILE_MTIME_META_KEY];
+    if (typeof mtimeRaw === "string" && /^-?[0-9]{1,16}$/.test(mtimeRaw)) {
+      const mtimeMs = parseInt(mtimeRaw, 10);
+      if (Number.isFinite(mtimeMs)) {
+        try {
+          // utimesSync accepts seconds OR Date; use Date(ms) for precision.
+          // atime = mtime is fine — many filesystems are mounted noatime
+          // and distinguishing "access" vs "modification" time doesn't
+          // matter for sync semantics. Setting both keeps the on-disk
+          // state deterministic across receivers.
+          const mtimeDate = new Date(mtimeMs);
+          fs.utimesSync(tempPath, mtimeDate, mtimeDate);
+        } catch {
+          // EPERM / read-only FS / file just unlinked → non-fatal. The
+          // file is materialized at write-time mtime; the source-of-truth
+          // can re-sync next pass.
+        }
       }
     }
+
+    fs.renameSync(tempPath, localPath);
+    tempReady = false;
+  } finally {
+    if (tempReady) removeTempPath(tempPath);
   }
 
   // TODO: stamp hq-btime once Node lands lbirthtime (or birthtimeSync).
@@ -747,7 +862,7 @@ export async function downloadFile(
   // distinct creation time, so a future receiver upgrade picks it up
   // automatically without a server-side data migration.
 
-  return { metadata };
+  return { metadata, contentHash: streamed.hash, contentSize: streamed.size };
 }
 
 export interface RemoteFile {

package/src/scope-shrink.ts

@@ -28,7 +28,10 @@ import type {
   SyncJournal,
 } from "./types.js";
 import { hashFile, tombstoneEntry } from "./journal.js";
-import { isCoveredByAny } from "./prefix-coalesce.js";
+import {
+  isCoveredByAny,
+  type ScopePrefixInput,
+} from "./prefix-coalesce.js";
 
 export interface OrphanClassification {
   /** Relative path (journal key). */
@@ -59,9 +62,9 @@ export interface BuildScopeShrinkPlanInput {
   journal: SyncJournal;
   hqRoot: string;
   /** Coalesced prefixes used by the LAST pull for this company. */
-  lastPrefixSet: string[];
+  lastPrefixSet: readonly ScopePrefixInput[];
   /** Coalesced prefixes the CURRENT pull will use. */
-  currentPrefixSet: string[];
+  currentPrefixSet: readonly ScopePrefixInput[];
   /**
    * The caller's own Cognito `sub`. When set, a file the caller authored
    * (`entry.createdBySub === callerSub`) is NEVER orphaned by a scope shrink —

package/src/skill-telemetry.test.ts

@@ -536,6 +536,115 @@ describe("collectAndSendSkillTelemetry — hqRoot scoping", () => {
     await fs.rm(tmp, { recursive: true, force: true });
   });
 
+  it("R-F19: bounds a single oversized sanitized skill row before POST", async () => {
+    const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "skill-tel-r-f19-"));
+    const projects = path.join(tmp, "projects");
+    const dir = path.join(projects, "-p");
+    await fs.mkdir(dir, { recursive: true });
+    const hugeSkill = `deploy-${"x".repeat(400_000)}`;
+    await fs.writeFile(
+      path.join(dir, "s.jsonl"),
+      row({
+        type: "user",
+        sessionId: "s-r-f19-singleton",
+        timestamp: "2026-06-19T11:00:00.000Z",
+        cwd: "/x",
+        uuid: "u-r-f19-singleton",
+        message: {
+          role: "user",
+          content: `<command-name>/${hugeSkill}</command-name>`,
+        },
+      }) + "\n",
+      "utf-8",
+    );
+
+    const captured: SkillInvocationBatch[] = [];
+    const logs: string[] = [];
+    const result = await collectAndSendSkillTelemetry({
+      client: stubClient(captured),
+      machineId: "m",
+      installerVersion: "t",
+      claudeProjectsRoot: projects,
+      codexSessionsRoot: path.join(tmp, "codex"),
+      cursorPath: path.join(tmp, "cursor.json"),
+      log: (msg) => logs.push(msg),
+    });
+
+    expect(result.eventsSent).toBe(1);
+    expect(captured).toHaveLength(1);
+    const wireSize = Buffer.byteLength(JSON.stringify(captured[0]), "utf-8");
+    expect(wireSize).toBeLessThanOrEqual(240 * 1024);
+    expect(captured[0].events[0].skill).not.toBe(hugeSkill);
+    expect(logs.some((line) => line.includes("oversized row truncated"))).toBe(
+      true,
+    );
+
+    await fs.rm(tmp, { recursive: true, force: true });
+  });
+
+  it("R-F19: a failed earlier skill batch prevents cursor advancement past it", async () => {
+    const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "skill-tel-r-f19-"));
+    const projects = path.join(tmp, "projects");
+    const dir = path.join(projects, "-p");
+    await fs.mkdir(dir, { recursive: true });
+    const file = path.join(dir, "s.jsonl");
+    await fs.writeFile(
+      file,
+      Array.from({ length: 101 }, (_, i) =>
+        row({
+          type: "user",
+          sessionId: "s-r-f19-prefix",
+          timestamp: `2026-06-19T12:${String(Math.floor(i / 60)).padStart(2, "0")}:${String(i % 60).padStart(2, "0")}.000Z`,
+          cwd: "/x",
+          uuid: `u-r-f19-${i}`,
+          message: {
+            role: "user",
+            content: `<command-name>/skill-${i}</command-name>`,
+          },
+        }),
+      ).join("\n") + "\n",
+      "utf-8",
+    );
+    const cursorPath = path.join(tmp, "cursor.json");
+    const captured: SkillInvocationBatch[] = [];
+    let calls = 0;
+    const client = {
+      async getTelemetryOptIn() {
+        return { enabled: true, updatedAt: null };
+      },
+      async postSkillInvocations(batch: SkillInvocationBatch) {
+        calls++;
+        if (calls === 1) throw new Error("first batch failed");
+        captured.push(batch);
+        return { ok: true, written: batch.events.length, skipped: [] };
+      },
+    };
+    const opts = {
+      client,
+      machineId: "m",
+      installerVersion: "t",
+      claudeProjectsRoot: projects,
+      codexSessionsRoot: path.join(tmp, "codex"),
+      cursorPath,
+    };
+
+    const first = await collectAndSendSkillTelemetry(opts);
+    expect(first.eventsSent).toBe(0);
+    expect(calls).toBe(1);
+    const cursorAfterFailure = JSON.parse(
+      await fs.readFile(cursorPath, "utf-8"),
+    ) as { files: Record<string, { offset: number }> };
+    expect(cursorAfterFailure.files[file]?.offset ?? 0).toBe(0);
+
+    const second = await collectAndSendSkillTelemetry(opts);
+    expect(second.eventsSent).toBe(101);
+    expect(captured.flatMap((b) => b.events.map((e) => e.skill))).toContain(
+      "skill-0",
+    );
+
+    await fs.rm(tmp, { recursive: true, force: true });
+  });
+
   it("picks up only newly-appended events on a later run (incremental offset)", async () => {
     const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "skill-tel-"));
     const projects = path.join(tmp, "projects");