@openparachute/agent 0.1.2 → 0.2.2

package/src/web/telegram-validate.ts

@@ -1,107 +0,0 @@
-/**
- * Validate a Telegram bot token by calling Telegram's `/getMe`.
- *
- * The setup wizard captures a bot token from the operator and needs to verify
- * three things before persisting it: the token authenticates, the account is
- * a bot (`is_bot=true`), and we know the bot's @username for the wizard's
- * "now go DM @<username>" instruction in the test-message step.
- *
- * Telegram returns `{ ok: true, result: { id, username, first_name, is_bot, ... } }`
- * on success; on auth failure the body is `{ ok: false, error_code: 401, description }`.
- * Network failures bubble up as 502 with a clear unreachable message — same
- * shape as discord-validate.ts so the wizard can render either with one
- * surface.
- *
- * We also enforce the BotFather token shape (`<digits>:<35+ chars>`) before
- * calling out: a clearly malformed token wastes a network round-trip and
- * Telegram's 401 response is less useful than a local "token format invalid".
- *
- * The fetch is injectable for tests; in production it shells through the
- * default global `fetch`.
- */
-const TELEGRAM_API = 'https://api.telegram.org';
-const TOKEN_SHAPE = /^[0-9]+:[A-Za-z0-9_-]{35,}$/;
-
-export interface TelegramIdentity {
-  id: number;
-  username: string;
-  firstName: string;
-  isBot: boolean;
-}
-
-export type TelegramValidateResult =
-  | { ok: true; identity: TelegramIdentity }
-  | { ok: false; status: number; error: string };
-
-interface TelegramGetMeBody {
-  ok?: unknown;
-  result?: {
-    id?: unknown;
-    username?: unknown;
-    first_name?: unknown;
-    is_bot?: unknown;
-  };
-  description?: unknown;
-}
-
-export async function validateTelegramBotToken(
-  token: string,
-  fetchImpl: typeof fetch = fetch,
-): Promise<TelegramValidateResult> {
-  const trimmed = token.trim();
-  if (!trimmed) return { ok: false, status: 400, error: 'token is empty' };
-  if (!TOKEN_SHAPE.test(trimmed)) {
-    return {
-      ok: false,
-      status: 400,
-      error: 'token format invalid (expected <digits>:<35+ chars>, e.g. 123456:ABCdef…)',
-    };
-  }
-
-  let res: Response;
-  try {
-    res = await fetchImpl(`${TELEGRAM_API}/bot${trimmed}/getMe`, {
-      headers: { Accept: 'application/json' },
-    });
-  } catch (err) {
-    return {
-      ok: false,
-      status: 502,
-      error: `telegram unreachable: ${err instanceof Error ? err.message : String(err)}`,
-    };
-  }
-
-  // Telegram returns 401/404 for bad tokens but always with a JSON body.
-  // Parse first, then decide.
-  let body: TelegramGetMeBody;
-  try {
-    body = (await res.json()) as TelegramGetMeBody;
-  } catch {
-    return { ok: false, status: 502, error: `telegram returned non-JSON body (HTTP ${res.status})` };
-  }
-
-  if (body.ok !== true) {
-    const desc = typeof body.description === 'string' ? body.description : `HTTP ${res.status}`;
-    // 401 is the canonical "bad token" — surface as 401 for the wizard step.
-    const status = res.status === 401 || res.status === 404 ? 401 : res.status || 400;
-    return { ok: false, status, error: `telegram rejected token: ${desc}` };
-  }
-
-  const r = body.result;
-  if (!r || typeof r.id !== 'number' || typeof r.username !== 'string' || typeof r.first_name !== 'string') {
-    return { ok: false, status: 502, error: 'telegram returned malformed getMe body' };
-  }
-  if (r.is_bot !== true) {
-    return { ok: false, status: 400, error: 'token is not a bot token (result.is_bot=false)' };
-  }
-
-  return {
-    ok: true,
-    identity: {
-      id: r.id,
-      username: r.username,
-      firstName: r.first_name,
-      isBot: true,
-    },
-  };
-}

package/src/web/vault-proxy.test.ts

@@ -1,214 +0,0 @@
-/**
- * Coverage for the JWT-forwarding helper that paraclaw uses to call vault
- * REST endpoints with the operator's hub-issued session JWT
- * (`docs/design/2026-04-29-vault-management-ui.md` § Admin auth model).
- *
- * The contract under test: pass through the Authorization header verbatim,
- * surface vault status codes verbatim (401/403 must reach the browser so it
- * can trigger an OAuth consent flow), parse JSON bodies, and turn network
- * failures into a 502 — never a thrown exception, because the route handler
- * mirrors `result.status` to the browser unmodified.
- */
-import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
-
-import { clearHubDiscoveryCache } from './hub-discovery.js';
-import { forwardToVault, mintVaultTokenHttp, resolveVaultBaseUrl } from './vault-proxy.js';
-
-let prevHub: string | undefined;
-
-beforeEach(() => {
-  prevHub = process.env.PARACHUTE_HUB_ORIGIN;
-  delete process.env.PARACHUTE_AGENT_HUB_ORIGIN;
-  delete process.env.PARACLAW_HUB_ORIGIN;
-  process.env.PARACHUTE_HUB_ORIGIN = 'https://parachute.example';
-  clearHubDiscoveryCache();
-});
-
-afterEach(() => {
-  if (prevHub === undefined) delete process.env.PARACHUTE_HUB_ORIGIN;
-  else process.env.PARACHUTE_HUB_ORIGIN = prevHub;
-  clearHubDiscoveryCache();
-});
-
-function jsonResponse(status: number, body: unknown): Response {
-  const text = body === undefined ? '' : JSON.stringify(body);
-  return new Response(text, { status, headers: { 'content-type': 'application/json' } });
-}
-
-describe('forwardToVault', () => {
-  it('GETs the right URL with the operator JWT', async () => {
-    const fetchImpl = vi.fn().mockResolvedValue(jsonResponse(200, { tokens: [] }));
-    const result = await forwardToVault({
-      method: 'GET',
-      vaultBaseUrl: 'https://h/vault/work',
-      subpath: '/tokens',
-      authHeader: 'Bearer the-jwt',
-      fetchImpl,
-    });
-    expect(result.status).toBe(200);
-    expect(result.body).toEqual({ tokens: [] });
-    expect(fetchImpl).toHaveBeenCalledWith(
-      'https://h/vault/work/tokens',
-      expect.objectContaining({
-        method: 'GET',
-        headers: expect.objectContaining({
-          Authorization: 'Bearer the-jwt',
-          Accept: 'application/json',
-        }),
-      }),
-    );
-  });
-
-  it('POSTs JSON body with content-type header', async () => {
-    const fetchImpl = vi.fn().mockResolvedValue(jsonResponse(201, { id: 't_abc', token: 'pvt_x' }));
-    await forwardToVault({
-      method: 'POST',
-      vaultBaseUrl: 'https://h/vault/work',
-      subpath: '/tokens',
-      authHeader: 'Bearer x',
-      body: { label: 'test', scopes: ['vault:read'] },
-      fetchImpl,
-    });
-    expect(fetchImpl).toHaveBeenCalledWith(
-      'https://h/vault/work/tokens',
-      expect.objectContaining({
-        method: 'POST',
-        body: JSON.stringify({ label: 'test', scopes: ['vault:read'] }),
-        headers: expect.objectContaining({
-          'Content-Type': 'application/json',
-        }),
-      }),
-    );
-  });
-
-  it('strips a trailing slash off vaultBaseUrl so subpath joins cleanly', async () => {
-    const fetchImpl = vi.fn().mockResolvedValue(jsonResponse(200, {}));
-    await forwardToVault({
-      method: 'GET',
-      vaultBaseUrl: 'https://h/vault/work/',
-      subpath: '/tokens',
-      authHeader: 'Bearer x',
-      fetchImpl,
-    });
-    expect(fetchImpl).toHaveBeenCalledWith('https://h/vault/work/tokens', expect.anything());
-  });
-
-  it('mirrors a 401 from the vault — caller surfaces it for consent prompt', async () => {
-    const fetchImpl = vi.fn().mockResolvedValue(jsonResponse(401, { error: 'missing vault:work:admin' }));
-    const result = await forwardToVault({
-      method: 'GET',
-      vaultBaseUrl: 'https://h/vault/work',
-      subpath: '/tokens',
-      authHeader: 'Bearer x',
-      fetchImpl,
-    });
-    expect(result.status).toBe(401);
-    expect(result.body).toEqual({ error: 'missing vault:work:admin' });
-  });
-
-  it('returns a 502 with structured body when fetch throws', async () => {
-    const fetchImpl = vi.fn().mockRejectedValue(new Error('ECONNREFUSED'));
-    const result = await forwardToVault({
-      method: 'GET',
-      vaultBaseUrl: 'https://h/vault/work',
-      subpath: '/tokens',
-      authHeader: 'Bearer x',
-      fetchImpl,
-    });
-    expect(result.status).toBe(502);
-    expect(result.body).toMatchObject({ error: expect.stringContaining('ECONNREFUSED') });
-  });
-
-  it('handles a non-JSON body without throwing', async () => {
-    const fetchImpl = vi.fn().mockResolvedValue(new Response('<!DOCTYPE html>504 from edge', { status: 504 }));
-    const result = await forwardToVault({
-      method: 'GET',
-      vaultBaseUrl: 'https://h/vault/work',
-      subpath: '/tokens',
-      authHeader: 'Bearer x',
-      fetchImpl,
-    });
-    expect(result.status).toBe(504);
-    expect(result.body).toMatchObject({ error: expect.stringContaining('non-JSON') });
-  });
-
-  it('handles an empty body by returning null', async () => {
-    const fetchImpl = vi.fn().mockResolvedValue(new Response('', { status: 200 }));
-    const result = await forwardToVault({
-      method: 'DELETE',
-      vaultBaseUrl: 'https://h/vault/work',
-      subpath: '/tokens/t_abc',
-      authHeader: 'Bearer x',
-      fetchImpl,
-    });
-    expect(result.status).toBe(200);
-    expect(result.body).toBeNull();
-  });
-});
-
-describe('resolveVaultBaseUrl', () => {
-  it('returns the hub-published URL when the name matches', async () => {
-    const fetchImpl = vi.fn().mockResolvedValue(
-      jsonResponse(200, {
-        vaults: [
-          { name: 'work', url: 'https://h/vault/work', version: '0.4.7' },
-          { name: 'personal', url: 'https://h/vault/personal/', version: '0.4.7' },
-        ],
-      }),
-    );
-    expect(await resolveVaultBaseUrl('work', fetchImpl)).toBe('https://h/vault/work');
-  });
-
-  it('strips trailing slash from the hub-published URL', async () => {
-    const fetchImpl = vi.fn().mockResolvedValue(
-      jsonResponse(200, {
-        vaults: [{ name: 'personal', url: 'https://h/vault/personal/', version: '0.4.7' }],
-      }),
-    );
-    expect(await resolveVaultBaseUrl('personal', fetchImpl)).toBe('https://h/vault/personal');
-  });
-
-  it('returns null when the vault name is unknown', async () => {
-    const fetchImpl = vi.fn().mockResolvedValue(jsonResponse(200, { vaults: [] }));
-    expect(await resolveVaultBaseUrl('ghost', fetchImpl)).toBeNull();
-  });
-});
-
-describe('mintVaultTokenHttp', () => {
-  it('POSTs to /tokens with label + scopes + null expires_at', async () => {
-    const fetchImpl = vi.fn().mockResolvedValue(jsonResponse(201, { id: 't_x', token: 'pvt_x' }));
-    const result = await mintVaultTokenHttp({
-      vaultBaseUrl: 'https://h/vault/work',
-      authHeader: 'Bearer x',
-      label: 'claw-personal',
-      scopes: ['vault:read', 'vault:write'],
-      fetchImpl,
-    });
-    expect(result.status).toBe(201);
-    expect(fetchImpl).toHaveBeenCalledWith(
-      'https://h/vault/work/tokens',
-      expect.objectContaining({
-        method: 'POST',
-        body: JSON.stringify({
-          label: 'claw-personal',
-          scopes: ['vault:read', 'vault:write'],
-          expires_at: null,
-        }),
-      }),
-    );
-  });
-
-  it('passes expires_at through when provided', async () => {
-    const fetchImpl = vi.fn().mockResolvedValue(jsonResponse(201, { id: 't_x', token: 'pvt_x' }));
-    await mintVaultTokenHttp({
-      vaultBaseUrl: 'https://h/vault/work',
-      authHeader: 'Bearer x',
-      label: 'short-lived',
-      scopes: ['vault:read'],
-      expiresAt: '2026-12-31T00:00:00Z',
-      fetchImpl,
-    });
-    const callArgs = fetchImpl.mock.calls[0]![1] as { body: string };
-    expect(JSON.parse(callArgs.body)).toMatchObject({ expires_at: '2026-12-31T00:00:00Z' });
-  });
-});

package/src/web/vault-proxy.ts

@@ -1,120 +0,0 @@
-/**
- * JWT-forwarding helper for paraclaw → vault HTTP calls.
- *
- * Per the chosen v1 admin auth model (Option C in
- * `docs/design/2026-04-29-vault-management-ui.md` § Admin auth model):
- * paraclaw forwards the *operator's* hub-issued session JWT to the vault
- * unmodified. The vault validates `vault:<name>:admin` against the hub's
- * JWKS — same path it uses for any hub-issued JWT — so paraclaw doesn't
- * downgrade or re-issue.
- *
- * The helper is intentionally thin: name → URL resolution lives in the
- * caller (route handlers do that via `fetchHubVaults()`); this just wraps
- * fetch with the right headers and surfaces vault errors as structured
- * results so the route handler can propagate the status verbatim.
- */
-import { fetchHubVaults, type VaultListing, type FetchLike } from './hub-discovery.js';
-
-export interface VaultProxyOpts {
-  method: 'GET' | 'POST' | 'DELETE';
-  /** Vault base URL, no trailing slash, no `/tokens` suffix. */
-  vaultBaseUrl: string;
-  /** Sub-path, must start with `/` (e.g. `/tokens`, `/tokens/t_abc123def456`). */
-  subpath: string;
-  /** Operator's `Authorization: Bearer <jwt>` header value, forwarded as-is. */
-  authHeader: string;
-  /** Optional JSON body — POST only. */
-  body?: unknown;
-  /** Test seam. */
-  fetchImpl?: FetchLike;
-}
-
-export interface VaultProxyResult {
-  status: number;
-  body: unknown;
-}
-
-/**
- * Forward a request to a vault and return the parsed result. Network errors
- * surface as 502; HTTP errors come back with the vault's status so the route
- * handler can mirror it (a 401 from vault means the caller's JWT is missing
- * `vault:<name>:admin` — surface that to the browser to trigger consent).
- */
-export async function forwardToVault(opts: VaultProxyOpts): Promise<VaultProxyResult> {
-  const fetchImpl = opts.fetchImpl ?? fetch;
-  const url = `${opts.vaultBaseUrl.replace(/\/+$/, '')}${opts.subpath}`;
-  const headers: Record<string, string> = {
-    Authorization: opts.authHeader,
-    Accept: 'application/json',
-  };
-  const init: RequestInit = { method: opts.method, headers };
-  if (opts.body !== undefined) {
-    headers['Content-Type'] = 'application/json';
-    init.body = JSON.stringify(opts.body);
-  }
-  let res: Response;
-  try {
-    res = await fetchImpl(url, init);
-  } catch (err) {
-    return {
-      status: 502,
-      body: { error: `vault unreachable: ${err instanceof Error ? err.message : String(err)}` },
-    };
-  }
-  let body: unknown = null;
-  const text = await res.text();
-  if (text.length > 0) {
-    try {
-      body = JSON.parse(text);
-    } catch {
-      body = { error: `vault returned non-JSON: ${text.slice(0, 200)}` };
-    }
-  }
-  return { status: res.status, body };
-}
-
-/**
- * Resolve a vault name to its hub-published base URL. Returns null if the
- * name doesn't match any registered vault — caller responds 404.
- *
- * The base URL is the well-known doc's `vault.url`, which is the
- * public-routable form (e.g. `https://hub.tail.../vault/<name>`). Strip
- * any trailing slash before returning so callers can append `/tokens`
- * etc. without double-slashing.
- */
-export async function resolveVaultBaseUrl(name: string, fetchImpl?: FetchLike): Promise<string | null> {
-  const vaults: VaultListing[] = await fetchHubVaults(fetchImpl);
-  const hit = vaults.find((v) => v.name === name);
-  if (!hit) return null;
-  return hit.url.replace(/\/+$/, '');
-}
-
-/**
- * Mint a vault token via HTTP. Used both by the public `POST /api/vaults/
- * /:name/tokens` endpoint and by the legacy implicit-mint paths in
- * `/attach-vault` / `POST /api/groups` so the shell-out can go.
- *
- * Returns the vault's response verbatim (status + body) — the route handler
- * decides what to surface to the browser.
- */
-export async function mintVaultTokenHttp(opts: {
-  vaultBaseUrl: string;
-  authHeader: string;
-  label: string;
-  scopes: string[];
-  expiresAt?: string | null;
-  fetchImpl?: FetchLike;
-}): Promise<VaultProxyResult> {
-  return forwardToVault({
-    method: 'POST',
-    vaultBaseUrl: opts.vaultBaseUrl,
-    subpath: '/tokens',
-    authHeader: opts.authHeader,
-    body: {
-      label: opts.label,
-      scopes: opts.scopes,
-      expires_at: opts.expiresAt ?? null,
-    },
-    fetchImpl: opts.fetchImpl,
-  });
-}

package/src/web/wire-channel.ts

@@ -1,181 +0,0 @@
-/**
- * Proactively wire a DM channel (Discord OR Telegram) to an agent group BEFORE
- * the first inbound message arrives.
- *
- * ## Why proactive
- *
- * The reactive flow (`src/modules/permissions/channel-approval.ts`) escalates
- * any unwired-channel mention to the owner via DM card. Two problems for a
- * fresh-install setup wizard:
- *
- *   1. `messaging_groups` rows do not exist until the first inbound arrives,
- *      so an operator finishing setup has no DM to send to themselves.
- *   2. `channel-approval.ts:73-77` silently drops if `getAllAgentGroups()
- *      .length === 0`. Even after the wizard creates the agent group, the
- *      first message would be dropped because the wiring path never runs
- *      until an unwired mention reaches the router.
- *
- * The Discord fix mirrors `scripts/init-first-agent.ts`'s `wireIfMissing`
- * exactly (lines 155-166): synthesize the DM platform_id, INSERT
- * messaging_groups + messaging_group_agents with the same defaults
- * init-first-agent.ts uses. Any deviation from those defaults silently
- * changes engage/sender behavior — keep behavior parity, do not "improve"
- * them here.
- *
- * Telegram uses the same canonical defaults; only the platform_id shape
- * differs:
- *
- *   - Discord:   `discord:@me:<botUserId>` — addressee-routed; ANY user DM
- *     to the bot lands on the bot's own @me channel. The wizard wires the
- *     bot's user id once and every operator who DMs the bot is matched by
- *     the same MGA's `sender_scope: 'all'`.
- *   - Telegram:  `telegram:<userId>` — chat-id-routed; the chat_id of a DM
- *     between the bot and a user equals the user's Telegram user id
- *     (positive int; group/channel ids are negative). The wizard wires the
- *     OPERATOR's user id, so only that specific user's DMs match.
- *
- * The architectural fix is documented in PR #31 (paraclaw#27 phase 1) and a
- * follow-up issue against the channel-approval silent-drop bug (NanoClaw
- * upstream).
- */
-import {
-  createMessagingGroup,
-  createMessagingGroupAgent,
-  getMessagingGroupAgentByPair,
-  getMessagingGroupByPlatform,
-} from '../db/messaging-groups.js';
-import { encodePlatformId } from '../platform-id.js';
-import type { AgentGroup, MessagingGroup } from '../types.js';
-
-export type ChannelKind = 'discord' | 'telegram';
-
-function generateId(prefix: string): string {
-  return `${prefix}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
-}
-
-export interface WireDmInput {
-  channelType: ChannelKind;
-  agentGroup: AgentGroup;
-  /**
-   * Bot identity used as the second segment of the v2 platform_id
-   * (`<channel>:<botId>:<native>`). For Discord this is the bot
-   * application id (DISCORD_APPLICATION_ID). For Telegram this is the
-   * `id` returned by `getMe`. Resolved by the caller from the active
-   * adapter at wire time.
-   */
-  botId: string;
-  /**
-   * For Discord: the BOT's own user id (snowflake) — forms the native
-   * segment `@me:<botUserId>` of `discord:<botId>:@me:<botUserId>`. For most
-   * Discord bots this equals `botId`, but it is kept distinct because
-   * application-id and user-id can diverge for legacy bot accounts.
-   *
-   * For Telegram: the OPERATOR's user id (positive int as string). The
-   * native segment is the chat_id, and Telegram DM chat_id == user_id, so
-   * this is what we wire as the third segment of `telegram:<botId>:<id>`.
-   */
-  botUserId: string;
-  /** Optional display name for the messaging_groups row. */
-  displayName?: string;
-}
-
-export interface WireDmResult {
-  channelType: ChannelKind;
-  messagingGroupId: string;
-  messagingGroupAgentId: string;
-  platformId: string;
-  created: { messagingGroup: boolean; wiring: boolean };
-}
-
-function platformIdFor(channelType: ChannelKind, botId: string, userId: string): string {
-  switch (channelType) {
-    case 'discord':
-      // v2 Discord DM platform_id: `discord:<botId>:@me:<botUserId>`. The
-      // native segment (`@me:<botUserId>`) is what the Chat SDK adapter
-      // produces from `channelIdFromThreadId` for a bot DM channel; the
-      // bridge prepends `<botId>` so messaging_groups keys per-bot.
-      return encodePlatformId('discord', botId, `@me:${userId}`);
-    case 'telegram':
-      // v2 Telegram DM platform_id: `telegram:<botId>:<chatId>` where the
-      // chat_id of a bot-↔-user DM equals the user's Telegram user id.
-      // Encoding the bot id as the second segment is what makes two
-      // Telegram bots' identical DM chat_ids resolve to distinct
-      // messaging_groups rows (see src/platform-id.ts module comment).
-      return encodePlatformId('telegram', botId, userId);
-  }
-}
-
-/**
- * Wire a DM channel to an agent group. Idempotent — safe to re-run; if the
- * messaging_groups row OR the messaging_group_agents pair already exists,
- * we leave it alone and report `created: false`.
- */
-export function wireDmToAgent(input: WireDmInput): WireDmResult {
-  const { channelType, agentGroup, botId, botUserId, displayName } = input;
-  if (!botUserId.trim()) {
-    throw new Error('botUserId is required');
-  }
-  if (!botId.trim()) {
-    throw new Error('botId is required');
-  }
-
-  const userId = botUserId.trim();
-  const platformId = platformIdFor(channelType, botId.trim(), userId);
-  const now = new Date().toISOString();
-
-  let mg: MessagingGroup | undefined = getMessagingGroupByPlatform(channelType, platformId);
-  let createdMg = false;
-  if (!mg) {
-    const mgId = generateId('mg');
-    createMessagingGroup({
-      id: mgId,
-      channel_type: channelType,
-      platform_id: platformId,
-      name: displayName ?? null,
-      is_group: 0,
-      unknown_sender_policy: 'strict',
-      created_at: now,
-    });
-    mg = getMessagingGroupByPlatform(channelType, platformId);
-    if (!mg) {
-      throw new Error(`failed to read back messaging_groups row after insert (platform_id=${platformId})`);
-    }
-    createdMg = true;
-  }
-
-  const existing = getMessagingGroupAgentByPair(mg.id, agentGroup.id);
-  if (existing) {
-    return {
-      channelType,
-      messagingGroupId: mg.id,
-      messagingGroupAgentId: existing.id,
-      platformId,
-      created: { messagingGroup: createdMg, wiring: false },
-    };
-  }
-
-  const mgaId = generateId('mga');
-  createMessagingGroupAgent({
-    id: mgaId,
-    messaging_group_id: mg.id,
-    agent_group_id: agentGroup.id,
-    // Defaults below MUST match scripts/init-first-agent.ts:155-166. DM rows
-    // (is_group=0) are always 'pattern' + '.' so the agent responds to every
-    // message; group rows would be 'mention'. We only create DM rows here.
-    engage_mode: 'pattern',
-    engage_pattern: '.',
-    sender_scope: 'all',
-    ignored_message_policy: 'drop',
-    session_mode: 'shared',
-    priority: 0,
-    created_at: now,
-  });
-
-  return {
-    channelType,
-    messagingGroupId: mg.id,
-    messagingGroupAgentId: mgaId,
-    platformId,
-    created: { messagingGroup: createdMg, wiring: true },
-  };
-}