@prisma-next/extension-cipherstash 0.0.1

package/src/exports/control.ts

@@ -0,0 +1,120 @@
+/**
+ * Control-plane descriptor for the CipherStash extension.
+ *
+ * **On-disk-in-package authoring.** The extension's contract +
+ * migrations are emitted by the same pipeline application authors use:
+ *
+ *   `prisma-next contract emit` → `<package>/src/contract/contract.{json,d.ts}`
+ *   `prisma-next migration plan` → `<package>/migrations/cipherstash/<dir>/...`
+ *
+ * The descriptor wires those JSON artefacts via JSON-import declarations
+ * so they flow through the consuming application's module resolver
+ * without filesystem assumptions, and synthesises the canonical
+ * {@link import('@prisma-next/migration-tools/package').MigrationPackage}
+ * shape (gaining `dirPath` from `import.meta.url`) for the framework's
+ * runner / verifier to consume.
+ *
+ * Wired surfaces:
+ *
+ *   - `contractSpace.{contractJson,migrations,headRef}` — sourced from
+ *     the on-disk artefacts emitted by `build:contract-space`.
+ *   - `types.codecTypes.controlPlaneHooks[CIPHERSTASH_STRING_CODEC_ID]`
+ *     — the lifecycle hook the SQL planner extracts via
+ *     `extractCodecControlHooks` and inlines into the application's
+ *     migration via `planFieldEventOperations`. Implements
+ *     `add_search_config` / `remove_search_config` / rotate behaviour
+ *     for `searchable: true` `Encrypted<string>` columns.
+ *
+ * @see docs/architecture docs/adrs/ADR 211 - Contract spaces.md
+ *   (on-disk-in-package authoring convention).
+ * @see packages/3-extensions/test-contract-space/src/exports/control.ts
+ *   (reference model).
+ */
+
+import { fileURLToPath } from 'node:url';
+import type { Contract } from '@prisma-next/contract/types';
+import type { SqlControlExtensionDescriptor } from '@prisma-next/family-sql/control';
+import type { ContractSpace } from '@prisma-next/framework-components/control';
+import type { OnDiskMigrationPackage } from '@prisma-next/migration-tools/package';
+import type { SqlStorage } from '@prisma-next/sql-contract/types';
+import baselineMetadata from '../../migrations/cipherstash/20260601T0000_install_eql_bundle/migration.json' with {
+  type: 'json',
+};
+import baselineOps from '../../migrations/cipherstash/20260601T0000_install_eql_bundle/ops.json' with {
+  type: 'json',
+};
+import headRef from '../../migrations/cipherstash/refs/head.json' with { type: 'json' };
+import contractJson from '../contract/contract.json' with { type: 'json' };
+import {
+  CIPHERSTASH_BASELINE_MIGRATION_NAME,
+  CIPHERSTASH_SPACE_ID,
+  CIPHERSTASH_STRING_CODEC_ID,
+} from '../extension-metadata/constants';
+import { cipherstashPackMeta } from '../extension-metadata/descriptor-meta';
+import { cipherstashStringCodecHooks } from '../migration/cipherstash-codec';
+import {
+  asCipherstashContract,
+  asCipherstashMigrationMetadata,
+  asCipherstashMigrationOps,
+} from './contract-space-typing';
+
+/**
+ * Resolve a migration package's on-disk path from this descriptor module's
+ * URL. The framework's runner uses `dirPath` for diagnostic messages and
+ * to locate sibling files (e.g. `start-contract.json` for non-baseline
+ * migrations); pinning it from `import.meta.url` keeps the value correct
+ * regardless of where the consuming application installs the package
+ * (workspace, node_modules, bundled, etc.).
+ */
+function resolveMigrationDirPath(dirName: string): string {
+  return fileURLToPath(
+    new URL(`../../migrations/${CIPHERSTASH_SPACE_ID}/${dirName}/`, import.meta.url),
+  );
+}
+
+const baselinePackage: OnDiskMigrationPackage = {
+  dirName: CIPHERSTASH_BASELINE_MIGRATION_NAME,
+  dirPath: resolveMigrationDirPath(CIPHERSTASH_BASELINE_MIGRATION_NAME),
+  metadata: asCipherstashMigrationMetadata(baselineMetadata),
+  ops: asCipherstashMigrationOps(baselineOps),
+};
+
+const cipherstashContractSpace: ContractSpace<Contract<SqlStorage>> = {
+  contractJson: asCipherstashContract(contractJson),
+  migrations: [baselinePackage],
+  headRef,
+};
+
+const cipherstashExtensionDescriptor: SqlControlExtensionDescriptor<'postgres'> = {
+  // Spread pack-meta first so it contributes `kind` / `id` / `familyId`
+  // / `targetId` / `version` / `authoring` / `types.{codecTypes,storage}`
+  // — then overlay the contract-space block and the codec lifecycle
+  // hook on top. The two `types.codecTypes` slots (`codecInstances`
+  // from pack-meta, `controlPlaneHooks` from this descriptor) coexist
+  // on the same path and are merged below.
+  ...cipherstashPackMeta,
+  contractSpace: cipherstashContractSpace,
+  /**
+   * Free-form `types.codecTypes.controlPlaneHooks` block — the SQL
+   * family's `extractCodecControlHooks` (in `@prisma-next/family-sql/
+   * control`) finds hooks via duck-typing on this exact path. Mirrors
+   * pgvector's wiring at `packages/3-extensions/pgvector/src/exports/
+   * control.ts`.
+   */
+  types: {
+    ...cipherstashPackMeta.types,
+    codecTypes: {
+      ...cipherstashPackMeta.types.codecTypes,
+      controlPlaneHooks: {
+        [CIPHERSTASH_STRING_CODEC_ID]: cipherstashStringCodecHooks,
+      },
+    },
+  },
+  create: () => ({
+    familyId: 'sql' as const,
+    targetId: 'postgres' as const,
+  }),
+};
+
+export { cipherstashExtensionDescriptor };
+export default cipherstashExtensionDescriptor;

package/src/exports/middleware.ts

@@ -0,0 +1,24 @@
+/**
+ * Public middleware surface for the cipherstash extension.
+ *
+ * Consumers register the bulk-encrypt middleware in their runtime so
+ * `EncryptedString` envelopes embedded in `INSERT` / `UPDATE` plans get
+ * encrypted in batches before encode runs:
+ *
+ * ```ts
+ * import { createCipherstashRuntimeDescriptor } from '@prisma-next/extension-cipherstash/runtime';
+ * import { bulkEncryptMiddleware } from '@prisma-next/extension-cipherstash/middleware';
+ *
+ * const runtime = createRuntime({
+ *   extensionPacks: [createCipherstashRuntimeDescriptor({ sdk })],
+ *   middleware: [bulkEncryptMiddleware(sdk)],
+ * });
+ * ```
+ *
+ * `SqlRuntimeExtensionDescriptor` does not own a middleware slot, so
+ * the descriptor wrapper (`createCipherstashRuntimeDescriptor`) and
+ * the middleware are composed manually by callers — by convention,
+ * once per cipherstash SDK binding.
+ */
+
+export { bulkEncryptMiddleware } from '../middleware/bulk-encrypt';

package/src/exports/migration.ts

@@ -0,0 +1,43 @@
+/**
+ * Public migration-time entry point for the cipherstash extension.
+ *
+ * Re-exports the user-callable factory functions used in hand-written
+ * migrations (or auto-imported by the planner-generated `migration.ts`)
+ * to wire EQL search-config rows alongside structural DDL:
+ *
+ * ```ts
+ * import { Migration, MigrationCLI, createTable } from '@prisma-next/target-postgres/migration';
+ * import { cipherstashAddSearchConfig } from '@prisma-next/extension-cipherstash/migration';
+ *
+ * export default class M extends Migration {
+ *   override get operations() {
+ *     return [
+ *       createTable('public', 'user', [
+ *         { name: 'email', typeSql: 'eql_v2_encrypted', defaultSql: '', nullable: false },
+ *         { name: 'id', typeSql: 'text', defaultSql: '', nullable: false },
+ *       ]),
+ *       cipherstashAddSearchConfig({ table: 'user', column: 'email', index: 'unique' }),
+ *     ];
+ *   }
+ * }
+ *
+ * MigrationCLI.run(import.meta.url, M);
+ * ```
+ *
+ * Identical ergonomics to `createTable` / `setNotNull` etc. from
+ * `@prisma-next/target-postgres/migration`. The codec lifecycle hook
+ * for `Encrypted<string>` columns calls these factories automatically
+ * when planning a contract diff.
+ *
+ * @see ADR 195 — Planner IR with two renderers.
+ * @see ADR 212 — Codec lifecycle hooks.
+ */
+
+export type {
+  CipherstashSearchConfigArgs,
+  CipherstashSearchIndex,
+} from '../migration/call-classes';
+export {
+  cipherstashAddSearchConfig,
+  cipherstashRemoveSearchConfig,
+} from '../migration/call-classes';

package/src/exports/operation-types.ts

@@ -0,0 +1,16 @@
+/**
+ * Operation type definitions for the cipherstash extension.
+ *
+ * Re-export from the types module for the public
+ * `@prisma-next/extension-cipherstash/operation-types` subpath. The
+ * contract emitter pulls these via the `types.operationTypes` /
+ * `types.queryOperationTypes` import declarations on
+ * `cipherstashPackMeta` (see `../extension-metadata/descriptor-meta.ts`); user code
+ * may also import them directly when authoring TS-side type
+ * compositions.
+ *
+ * @see ADR 211 — Extension operator surface (namespaced replacement
+ *   operators must project type-visibility through `QueryOperationTypes`).
+ */
+
+export type { QueryOperationTypes } from '../types/operation-types';

package/src/exports/pack.ts

@@ -0,0 +1,13 @@
+/**
+ * Pack entry point for the cipherstash extension.
+ *
+ * Re-exports the SDK-free pack metadata so TS contract authoring
+ * (`defineContract({ extensionPacks: { cipherstash: cipherstashPack } })`)
+ * can enable the `cipherstash.*` PSL/TS namespace and the storage type
+ * registration without pulling in any runtime code (envelope, SDK,
+ * codec runtime, middleware).
+ *
+ * Mirrors `packages/3-extensions/pgvector/src/exports/pack.ts`.
+ */
+
+export { cipherstashPackMeta as default } from '../extension-metadata/descriptor-meta';

package/src/exports/runtime.ts

@@ -0,0 +1,110 @@
+/**
+ * Runtime-plane entry point for the CipherStash extension.
+ *
+ * Consumed at query time by application runtimes that need to encode /
+ * decode `cipherstash/string@1` columns (envelope class) and talk to the
+ * CipherStash SDK shape the codec runtime + bulk-encrypt middleware
+ * depend on.
+ *
+ * The runtime entry point is deliberately separate from `./control`
+ * (descriptor, codec lifecycle hook, contract-space artefacts) so apps
+ * that only emit migrations against cipherstash never load the runtime,
+ * and apps that only run queries never load the migration-time
+ * descriptor — the control plane and runtime plane are tree-shakable
+ * along this seam.
+ *
+ * `createCipherstashRuntimeDescriptor({ sdk })` is the recommended
+ * composition entry — it bundles the SDK-bound codec, the parameterized
+ * codec descriptor, and the runtime-plane `codecInstances` slot into a
+ * single `SqlRuntimeExtensionDescriptor<'postgres'>` mirroring
+ * pgvector's `runtime.ts` precedent. The bulk-encrypt middleware ships
+ * separately at `@prisma-next/extension-cipherstash/middleware` because
+ * `SqlRuntimeExtensionDescriptor` does not own a middleware slot;
+ * consumers register it via `createRuntime({ middleware:
+ * [bulkEncryptMiddleware(sdk)] })`.
+ */
+
+import type { SqlRuntimeExtensionDescriptor } from '@prisma-next/sql-runtime';
+import { cipherstashQueryOperations } from '../execution/operators';
+import { createParameterizedCodecDescriptors } from '../execution/parameterized';
+import type { CipherstashSdk } from '../execution/sdk';
+import {
+  CIPHERSTASH_EXTENSION_VERSION,
+  CIPHERSTASH_SPACE_ID,
+} from '../extension-metadata/constants';
+
+export type { CipherstashStringCodec } from '../execution/codec-runtime';
+export {
+  CIPHERSTASH_STRING_CODEC_ID,
+  createCipherstashStringCodec,
+} from '../execution/codec-runtime';
+export type { DecryptAllOptions } from '../execution/decrypt-all';
+export { decryptAll } from '../execution/decrypt-all';
+export type {
+  EncryptedStringFromInternalArgs,
+  EncryptedStringHandle,
+} from '../execution/envelope';
+export { EncryptedString } from '../execution/envelope';
+export type { CipherstashStringParams } from '../execution/parameterized';
+export {
+  createParameterizedCodecDescriptors,
+  encryptedStringParamsSchema,
+  renderEncryptedStringOutputType,
+} from '../execution/parameterized';
+export type {
+  CipherstashBulkDecryptArgs,
+  CipherstashBulkEncryptArgs,
+  CipherstashRoutingKey,
+  CipherstashSdk,
+  CipherstashSingleDecryptArgs,
+} from '../execution/sdk';
+
+export { CIPHERSTASH_EXTENSION_VERSION };
+
+export interface CreateCipherstashRuntimeDescriptorOptions {
+  readonly sdk: CipherstashSdk;
+}
+
+/**
+ * Compose the SDK-bound codec runtime + parameterized codec descriptors
+ * + runtime-plane codec-instances metadata into a single
+ * `SqlRuntimeExtensionDescriptor<'postgres'>`.
+ *
+ * The descriptor is per-SDK: cipherstash's codec captures the SDK at
+ * `decode` time (read-side single-cell `decrypt`) and the bulk-encrypt
+ * middleware captures it at `beforeExecute` time (write-side bulk
+ * round-trip). Multi-tenant deployments construct one descriptor per
+ * tenant SDK so per-tenant key material never crosses runtimes.
+ *
+ * Mirrors `packages/3-extensions/pgvector/src/exports/runtime.ts` —
+ * pgvector's vectorRuntimeDescriptor is a static default-export because
+ * its codec is fully stateless; cipherstash needs the factory wrapper
+ * because the codec depends on `sdk`.
+ */
+export function createCipherstashRuntimeDescriptor(
+  opts: CreateCipherstashRuntimeDescriptorOptions,
+): SqlRuntimeExtensionDescriptor<'postgres'> {
+  const { sdk } = opts;
+  const parameterizedDescriptors = createParameterizedCodecDescriptors(sdk);
+
+  return {
+    kind: 'extension' as const,
+    id: CIPHERSTASH_SPACE_ID,
+    version: CIPHERSTASH_EXTENSION_VERSION,
+    familyId: 'sql' as const,
+    targetId: 'postgres' as const,
+    types: {
+      codecTypes: {
+        codecDescriptors: parameterizedDescriptors,
+      },
+    },
+    codecs: () => parameterizedDescriptors,
+    queryOperations: () => cipherstashQueryOperations(),
+    create() {
+      return {
+        familyId: 'sql' as const,
+        targetId: 'postgres' as const,
+      };
+    },
+  };
+}

package/src/extension-metadata/codec-metadata.ts

@@ -0,0 +1,81 @@
+/**
+ * SDK-free codec used in pack-meta (`cipherstashPackMeta.types.codecTypes
+ * .codecInstances`). Pack-meta consumers only read codec *metadata*
+ * (`typeId`, `targetTypes`, `traits`, `renderOutputType`) at contract
+ * emit time — they never call `encode`/`decode`.
+ *
+ * The SDK-bound runtime codec for actual `encode`/`decode` lives in
+ * `../execution/codec-runtime`; it is resolved through
+ * `RuntimeParameterizedCodecDescriptor.factory` at runtime instead of
+ * through pack-meta's `codecInstances`.
+ *
+ * Keeping the SDK-free metadata in its own module — and *not* importing
+ * the runtime `CipherstashStringCodec` class — preserves the control
+ * vs runtime split. Control-plane consumers (`exports/control.ts`,
+ * `exports/pack.ts`) pull this file but never touch the envelope, the
+ * SDK interface, or the bulk-encrypt middleware. The bundling-isolation
+ * test pins this property by snapshotting that the control entry's
+ * chunk graph does not transitively load `envelope-*.mjs`.
+ *
+ * `encode`/`decode` throw with a clear hint in the misuse case so
+ * accidental wiring of the metadata codec into a real runtime path
+ * surfaces immediately instead of silently no-op'ing.
+ */
+
+import type { JsonValue } from '@prisma-next/contract/types';
+import { type AnyCodecDescriptor, CodecImpl } from '@prisma-next/framework-components/codec';
+import { CIPHERSTASH_STRING_CODEC_ID, EQL_V2_ENCRYPTED_TYPE } from './constants';
+
+const METADATA_DESCRIPTOR: AnyCodecDescriptor = {
+  codecId: CIPHERSTASH_STRING_CODEC_ID,
+  traits: [],
+  targetTypes: [EQL_V2_ENCRYPTED_TYPE],
+  meta: { db: { sql: { postgres: { nativeType: EQL_V2_ENCRYPTED_TYPE } } } },
+  paramsSchema: {
+    '~standard': {
+      version: 1,
+      vendor: 'cipherstash',
+      validate: (value: unknown) => ({ value }),
+    },
+  },
+  isParameterized: false,
+  renderOutputType: () => 'EncryptedString',
+  factory: () => () => {
+    throw new Error('cipherstash codec: metadata descriptor factory is not callable');
+  },
+};
+
+class CipherstashStringCodecMetadata extends CodecImpl<
+  typeof CIPHERSTASH_STRING_CODEC_ID,
+  readonly [],
+  unknown,
+  unknown
+> {
+  async encode(): Promise<unknown> {
+    throw new Error(
+      'cipherstash codec: encode called on the pack-meta metadata codec. ' +
+        'Construct a runtime descriptor via `createCipherstashRuntimeDescriptor({ sdk })` and use that instead.',
+    );
+  }
+
+  async decode(): Promise<unknown> {
+    throw new Error(
+      'cipherstash codec: decode called on the pack-meta metadata codec. ' +
+        'Construct a runtime descriptor via `createCipherstashRuntimeDescriptor({ sdk })` and use that instead.',
+    );
+  }
+
+  encodeJson(): JsonValue {
+    return { $encryptedString: '<opaque>' };
+  }
+
+  decodeJson(): unknown {
+    throw new Error(
+      'cipherstash codec: decodeJson is not supported; envelopes do not round-trip through JSON.',
+    );
+  }
+}
+
+export const cipherstashStringCodecMetadata = new CipherstashStringCodecMetadata(
+  METADATA_DESCRIPTOR,
+);

package/src/extension-metadata/constants.ts

@@ -0,0 +1,70 @@
+/**
+ * Static names and identifiers used across CipherStash's contract space.
+ *
+ * Centralising the strings here so:
+ *   - the contract IR (`./contract`), the migration ops (`./migrations`),
+ *     the head ref (`./head-ref`), and the descriptor (`../exports/control`)
+ *     all reference the same values without typos;
+ *   - the `cipherstash:*` invariantId namespace is locked in one place
+ *     (once published, an invariantId cannot be renamed).
+ *
+ * The space identifier `'cipherstash'` is what the framework writes to
+ * `migrations/cipherstash/` in the user's repo and what the marker table's
+ * `space` column carries for CipherStash-owned rows.
+ */
+
+export const CIPHERSTASH_SPACE_ID = 'cipherstash';
+
+/**
+ * Version advertised by both `cipherstashPackMeta.version` (control plane)
+ * and the SDK-bound `SqlRuntimeExtensionDescriptor` (runtime plane).
+ *
+ * Single source of truth so the descriptor surfaces and the contract-emit
+ * pack metadata cannot drift apart; consumed downstream by capability
+ * gating and contract round-trips.
+ */
+export const CIPHERSTASH_EXTENSION_VERSION = '0.0.1' as const;
+
+/**
+ * Codec id the application-side `Encrypted<string>` lowering targets.
+ * Lives here so the codec lifecycle hook (which emits
+ * `add_search_config` / `remove_search_config` ops on field events) and
+ * the descriptor's `controlPlaneHooks` wiring share the same constant.
+ */
+export const CIPHERSTASH_STRING_CODEC_ID = 'cipherstash/string@1';
+
+/** Schema CipherStash installs its functions/operators/casts/types into. */
+export const EQL_V2_SCHEMA = 'eql_v2';
+
+/** Configuration table used by EQL's per-column index configuration. */
+export const EQL_V2_CONFIGURATION_TABLE = 'eql_v2_configuration';
+
+/** Enum type backing the `state` column on `eql_v2_configuration`. */
+export const EQL_V2_CONFIGURATION_STATE_TYPE = 'eql_v2_configuration_state';
+
+/** JSONB-domain composite type user `Encrypted<string>` columns reference. */
+export const EQL_V2_ENCRYPTED_TYPE = 'eql_v2_encrypted';
+
+/**
+ * Migration directory name for the baseline.
+ *
+ * Per the framework's per-space layout convention this name is
+ * preserved verbatim when the framework writes the package to
+ * `migrations/cipherstash/<this-name>/` in the user's repo.
+ */
+export const CIPHERSTASH_BASELINE_MIGRATION_NAME = '20260601T0000_install_eql_bundle';
+
+/**
+ * `cipherstash:*` invariantIds emitted by the baseline migration. Each
+ * `cipherstash:*` id, once published, is immutable: downstream
+ * consumers (other extensions, the marker table) reference them by
+ * literal string match.
+ *
+ * Today the baseline emits a single op (`installBundle`); the bundle
+ * SQL is the source of truth for every typed object it creates inside
+ * the `eql_v2` schema. New bundle versions or additional structural
+ * ops will mint new `cipherstash:*` ids alongside this entry.
+ */
+export const CIPHERSTASH_INVARIANTS = {
+  installBundle: 'cipherstash:install-eql-bundle-v1',
+} as const;

package/src/extension-metadata/descriptor-meta.ts

@@ -0,0 +1,76 @@
+/**
+ * Pack metadata for the cipherstash extension.
+ *
+ * Mirrors `packages/3-extensions/pgvector/src/extension-metadata/descriptor-meta.ts` —
+ * the metadata block that gets serialized into `contract.json`'s
+ * `extensionPacks.cipherstash` slot at emit time.
+ *
+ * SDK-free: the runtime descriptor layers SDK-bound codec instances on
+ * top at execution time. The `codecInstances` slot here uses the
+ * metadata-only
+ * codec from `./codec-metadata` because pack-meta consumers only read
+ * codec metadata (typeId, targetTypes, traits, renderOutputType);
+ * runtime encode/decode always go through the SDK-bound codec produced
+ * by `RuntimeParameterizedCodecDescriptor.factory` (see
+ * `./parameterized`).
+ *
+ * The control descriptor in `../exports/control.ts` spreads this pack
+ * meta so the framework's contract emitter sees `authoring`,
+ * `types.codecTypes.codecInstances`, and `types.storage` alongside
+ * the contract-space and codec-lifecycle-hooks blocks already wired
+ * by the codec lifecycle hook block.
+ */
+
+import { cipherstashAuthoringTypes } from '../contract/authoring';
+import { cipherstashStringCodecMetadata } from './codec-metadata';
+import {
+  CIPHERSTASH_EXTENSION_VERSION,
+  CIPHERSTASH_SPACE_ID,
+  CIPHERSTASH_STRING_CODEC_ID,
+  EQL_V2_ENCRYPTED_TYPE,
+} from './constants';
+
+export { CIPHERSTASH_EXTENSION_VERSION };
+
+export const cipherstashPackMeta = {
+  kind: 'extension',
+  id: CIPHERSTASH_SPACE_ID,
+  familyId: 'sql',
+  targetId: 'postgres',
+  version: CIPHERSTASH_EXTENSION_VERSION,
+  authoring: {
+    type: cipherstashAuthoringTypes,
+  },
+  types: {
+    codecTypes: {
+      codecInstances: [cipherstashStringCodecMetadata],
+      // `renderOutputType` returns the bare type name `EncryptedString`
+      // for parameterized cipherstash columns; the contract emitter
+      // needs to import the type alongside that occurrence so the
+      // generated `.d.ts` typechecks cleanly. Mirrors pgvector's
+      // `Vector` typeImports declaration.
+      typeImports: [
+        {
+          package: '@prisma-next/extension-cipherstash/runtime',
+          named: 'EncryptedString',
+          alias: 'EncryptedString',
+        },
+      ],
+    },
+    queryOperationTypes: {
+      import: {
+        package: '@prisma-next/extension-cipherstash/operation-types',
+        named: 'QueryOperationTypes',
+        alias: 'CipherstashQueryOperationTypes',
+      },
+    },
+    storage: [
+      {
+        typeId: CIPHERSTASH_STRING_CODEC_ID,
+        familyId: 'sql',
+        targetId: 'postgres',
+        nativeType: EQL_V2_ENCRYPTED_TYPE,
+      },
+    ],
+  },
+} as const;