@sun-asterisk/sunlint 1.3.47 → 1.3.49

package/skill-assets/sunlint-code-quality/rules/java/J011-null-safe-compare.md

@@ -0,0 +1,88 @@
+---
+title: Put Literals First in String Comparisons to Avoid NullPointerException
+impact: MEDIUM
+impactDescription: variable.equals("literal") throws NPE if variable is null; reversing operands makes comparisons null-safe without extra null checks
+tags: null-safety, best-practice, java, error-prone
+---
+
+## Put Literals First in String Comparisons to Avoid NullPointerException
+
+When comparing a string variable to a known literal value, placing the literal on the **left** side of `.equals()` prevents a `NullPointerException` if the variable is `null`. Since a string literal is never `null`, calling `.equals()` on it is always safe.
+
+**Incorrect (variable first — may throw NPE):**
+
+```java
+public boolean isActive(String status) {
+    return status.equals("ACTIVE"); // NPE if status is null
+}
+
+public void handleRequest(HttpServletRequest request) {
+    String method = request.getMethod();
+    if (method.equals("POST")) {    // NPE if method is null (unlikely but possible)
+        processPost();
+    }
+}
+
+public boolean checkRole(User user) {
+    String role = user.getRole();       // getRole() might return null
+    return role.equals("ADMIN");        // NPE
+}
+```
+
+**Correct (literal first — null-safe):**
+
+```java
+public boolean isActive(String status) {
+    return "ACTIVE".equals(status); // returns false if status is null — no NPE
+}
+
+public void handleRequest(HttpServletRequest request) {
+    String method = request.getMethod();
+    if ("POST".equals(method)) {    // safe even if method is null
+        processPost();
+    }
+}
+
+public boolean checkRole(User user) {
+    String role = user.getRole();
+    return "ADMIN".equals(role);    // null-safe
+}
+
+// Also applies to equalsIgnoreCase:
+public boolean isAdminIgnoreCase(String role) {
+    return "admin".equalsIgnoreCase(role); // null-safe
+}
+
+// Constant comparison:
+public static final String DEFAULT_LANG = "en";
+
+public boolean isDefaultLanguage(String lang) {
+    return DEFAULT_LANG.equals(lang); // constant on left — same principle
+}
+```
+
+**When to use Objects.equals() instead:**
+
+Use `Objects.equals(a, b)` when **both** values may be `null` and you want a symmetric comparison:
+
+```java
+// Objects.equals handles both nulls:
+boolean same = Objects.equals(user.getRole(), adminRole); // null-safe on both sides
+
+// Equivalent to:
+// user.getRole() == adminRole || (user.getRole() != null && user.getRole().equals(adminRole))
+```
+
+**compareTo / compareToIgnoreCase:**
+
+Note that reversing the literal changes the sign of the result:
+
+```java
+// Original:  x.compareTo("bar") > 0
+// Reversed: "bar".compareTo(x) < 0  ← sign flipped!
+
+// Be careful when converting compareTo usage
+if ("bar".compareTo(x) < 0) { ... } // equivalent to x.compareTo("bar") > 0
+```
+
+**Tools:** PMD (`LiteralsFirstInComparisons`), SonarQube (`S1132`), IntelliJ Inspections

package/skill-assets/sunlint-code-quality/rules/java/J012-use-enum-collections.md

@@ -0,0 +1,104 @@
+---
+title: Use EnumSet and EnumMap for Enum Keys
+impact: MEDIUM
+impactDescription: EnumSet and EnumMap use array-backed implementations that are significantly faster and more memory-efficient than HashSet/HashMap for enum keys
+tags: performance, best-practice, java, collections
+---
+
+## Use EnumSet and EnumMap for Enum Keys
+
+When working with collections whose elements or keys are enum values, `EnumSet` and `EnumMap` should be preferred over `HashSet` and `HashMap`. They use a compact array-backed representation internally — bit vectors for `EnumSet` and an array indexed by ordinal for `EnumMap` — providing better performance and less memory usage.
+
+**Incorrect (using general-purpose collections with enum keys):**
+
+```java
+public enum Permission { READ, WRITE, DELETE, ADMIN }
+
+public class User {
+    // Using HashSet for enum values — wastes memory, slower
+    private Set<Permission> permissions = new HashSet<>();
+
+    public boolean hasPermission(Permission p) {
+        return permissions.contains(p); // HashSet lookup — unnecessary overhead
+    }
+}
+
+public class RolePolicy {
+    // Using HashMap for enum keys — suboptimal
+    private Map<Permission, String> descriptions = new HashMap<>();
+
+    public void setupDescriptions() {
+        descriptions.put(Permission.READ, "Can read resources");
+        descriptions.put(Permission.WRITE, "Can write resources");
+        descriptions.put(Permission.ADMIN, "Full access");
+    }
+}
+```
+
+**Correct (using EnumSet / EnumMap):**
+
+```java
+import java.util.EnumSet;
+import java.util.EnumMap;
+
+public enum Permission { READ, WRITE, DELETE, ADMIN }
+
+public class User {
+    // EnumSet: compact bit-vector implementation, O(1) operations
+    private Set<Permission> permissions = EnumSet.noneOf(Permission.class);
+
+    public void grantPermission(Permission p) {
+        permissions.add(p);
+    }
+
+    public boolean hasPermission(Permission p) {
+        return permissions.contains(p);
+    }
+}
+
+public class RolePolicy {
+    // EnumMap: array-backed, indexed by enum ordinal
+    private Map<Permission, String> descriptions = new EnumMap<>(Permission.class);
+
+    public void setupDescriptions() {
+        descriptions.put(Permission.READ, "Can read resources");
+        descriptions.put(Permission.WRITE, "Can write resources");
+        descriptions.put(Permission.ADMIN, "Full access");
+    }
+}
+```
+
+**EnumSet factory methods:**
+
+```java
+// Empty set
+Set<Permission> none = EnumSet.noneOf(Permission.class);
+
+// All values
+Set<Permission> all = EnumSet.allOf(Permission.class);
+
+// Specific values
+Set<Permission> readOnly = EnumSet.of(Permission.READ);
+
+// Range (by ordinal order)
+Set<Permission> basic = EnumSet.range(Permission.READ, Permission.WRITE);
+
+// Complement
+Set<Permission> nonAdmin = EnumSet.complementOf(EnumSet.of(Permission.ADMIN));
+```
+
+**Performance comparison:**
+
+| Operation | HashSet | EnumSet |
+|-----------|---------|---------|
+| `add` | O(1) avg | O(1) bit op |
+| `contains` | O(1) avg | O(1) bit op |
+| Memory | ~40 bytes/entry | 1 bit/entry |
+| Iteration | Hash order | Enum ordinal order |
+
+**When to apply:**
+- Use `EnumSet` whenever you have a `Set<SomeEnum>`
+- Use `EnumMap` whenever you have a `Map<SomeEnum, V>`
+- Both are drop-in replacements that implement `Set` and `Map` respectively
+
+**Tools:** PMD (`UseEnumCollections`), IntelliJ Inspections

package/skill-assets/sunlint-code-quality/rules/java/J013-return-empty-not-null.md

@@ -0,0 +1,102 @@
+---
+title: Return Empty Collection Instead of null
+impact: MEDIUM
+impactDescription: returning null for collections forces every caller to perform a null check, causing NullPointerExceptions when they forget
+tags: null-safety, design, java, clean-code
+---
+
+## Return Empty Collection Instead of null
+
+Methods that return collections (`List`, `Set`, `Map`, arrays) should **never** return `null` to indicate "no results." Instead, return an empty collection. This eliminates the need for null checks on every call site, reduces potential `NullPointerException` bugs, and makes the API safer and more predictable.
+
+This principle is described in *Effective Java* by Joshua Bloch: *"Never return null in place of an empty array or collection."*
+
+**Incorrect (returning null):**
+
+```java
+public List<Order> getOrdersByUser(Long userId) {
+    List<Order> orders = orderRepository.findByUserId(userId);
+    if (orders.isEmpty()) {
+        return null; // forces callers to null-check
+    }
+    return orders;
+}
+
+public String[] getTagsForPost(Long postId) {
+    String[] tags = tagRepository.findByPost(postId);
+    if (tags == null || tags.length == 0) {
+        return null; // callers must check for null before iterating
+    }
+    return tags;
+}
+
+// Callers must remember to null-check — easy to forget:
+List<Order> orders = orderService.getOrdersByUser(userId);
+for (Order order : orders) { // NPE if orders is null
+    processOrder(order);
+}
+```
+
+**Correct (returning empty collections):**
+
+```java
+import java.util.Collections;
+import java.util.List;
+
+public List<Order> getOrdersByUser(Long userId) {
+    List<Order> orders = orderRepository.findByUserId(userId);
+    if (orders == null || orders.isEmpty()) {
+        return Collections.emptyList(); // immutable, no allocation overhead
+    }
+    return orders;
+}
+
+// Or with Stream API:
+public List<Order> getOrdersByUser(Long userId) {
+    return orderRepository.findByUserId(userId) != null
+        ? orderRepository.findByUserId(userId)
+        : Collections.emptyList();
+}
+
+// Using List.of() (Java 9+):
+public List<String> getTagsForPost(Long postId) {
+    List<String> tags = tagRepository.findByPost(postId);
+    return tags != null ? tags : List.of(); // immutable empty list
+}
+
+// Arrays:
+public String[] getPermissionsForRole(String role) {
+    String[] perms = permissionRepo.findByRole(role);
+    return perms != null ? perms : new String[0]; // empty array, not null
+}
+
+// Callers now iterate safely without null checks:
+List<Order> orders = orderService.getOrdersByUser(userId);
+for (Order order : orders) { // safe — at worst iterates 0 times
+    processOrder(order);
+}
+```
+
+**Preferred empty collection factories:**
+
+| Type | Factory |
+|------|---------|
+| `List<T>` | `Collections.emptyList()` or `List.of()` (Java 9+) |
+| `Set<T>` | `Collections.emptySet()` or `Set.of()` |
+| `Map<K,V>` | `Collections.emptyMap()` or `Map.of()` |
+| `T[]` | `new T[0]` |
+
+**Note:** `Collections.emptyList()`, `emptySet()`, and `emptyMap()` return immutable, singleton instances — no memory allocation per call. They are the most efficient choice.
+
+**Exception — when null has semantic meaning:**
+If `null` and "empty" are **intentionally different states** (e.g., "not loaded yet" vs "loaded but empty"), `Optional<List<T>>` or a domain wrapper class should be used instead of `null`.
+
+```java
+// Distinguish "not configured" from "configured but empty"
+public Optional<List<String>> getWhitelist(String service) {
+    if (!config.hasWhitelist(service)) return Optional.empty();
+    return Optional.of(config.getWhitelist(service));
+}
+```
+
+**Tools:** PMD (`ReturnEmptyCollectionRatherThanNull`), SonarQube (`S1168`), IntelliJ Inspections

package/skill-assets/sunlint-code-quality/rules/java/J014-hardcoded-crypto-key.md

@@ -0,0 +1,108 @@
+---
+title: Never Hardcode Cryptographic Keys or Initialization Vectors
+impact: HIGH
+impactDescription: hardcoded crypto keys or IVs give attackers permanent access to all encrypted data — compromised keys cannot be rotated without code changes
+tags: security, cryptography, java, secrets
+---
+
+## Never Hardcode Cryptographic Keys or Initialization Vectors
+
+Hardcoding cryptographic keys, passwords, secrets, or initialization vectors (IVs) directly in source code is a critical security vulnerability (OWASP A02: Cryptographic Failures). Once the code is in source control or compiled into a binary, the key is permanently exposed. Attackers who access the binary, source code, or logs can decrypt all data protected by that key.
+
+**Incorrect (hardcoded key/IV):**
+
+```java
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
+public class EncryptionService {
+    // CRITICAL VULNERABILITY: key is hardcoded in source code
+    private static final byte[] SECRET_KEY = "MySuperSecretKey".getBytes(); // 16 bytes = AES-128
+    private static final byte[] IV = "InitVector123456".getBytes();          // hardcoded IV
+
+    public byte[] encrypt(byte[] data) throws Exception {
+        SecretKey key = new SecretKeySpec(SECRET_KEY, "AES");
+        IvParameterSpec ivSpec = new IvParameterSpec(IV);
+        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+        cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec);
+        return cipher.doFinal(data);
+    }
+}
+
+// Also bad: hardcoded passwords for key derivation
+public class KeyDerivation {
+    private static final String PASSWORD = "hardcoded_password_123"; // exposed in binary
+    private static final byte[] SALT = "fixed_salt".getBytes();      // static salt defeats PBKDF2
+}
+```
+
+**Correct (keys from secure storage):**
+
+```java
+import javax.crypto.*;
+import javax.crypto.spec.*;
+import java.security.SecureRandom;
+
+public class EncryptionService {
+    private final SecretKey key;
+
+    // Inject key via constructor — loaded from secure storage, not hardcoded
+    public EncryptionService(SecretKey key) {
+        this.key = key;
+    }
+
+    public EncryptedData encrypt(byte[] data) throws Exception {
+        // Always generate a random IV per encryption operation
+        byte[] iv = new byte[16];
+        new SecureRandom().nextBytes(iv);  // cryptographically random
+        IvParameterSpec ivSpec = new IvParameterSpec(iv);
+
+        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+        cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec);
+        byte[] ciphertext = cipher.doFinal(data);
+
+        return new EncryptedData(iv, ciphertext); // store IV alongside ciphertext
+    }
+}
+
+// Key loading from environment or secrets manager
+public class KeyLoader {
+    public SecretKey loadKeyFromEnv() {
+        String base64Key = System.getenv("AES_SECRET_KEY"); // from environment
+        if (base64Key == null) {
+            throw new IllegalStateException("AES_SECRET_KEY environment variable not set");
+        }
+        byte[] keyBytes = Base64.getDecoder().decode(base64Key);
+        return new SecretKeySpec(keyBytes, "AES");
+    }
+
+    // Or use Java KeyStore (JKS/PKCS12):
+    public SecretKey loadKeyFromKeystore(String keystorePath, char[] storePassword,
+                                          String alias, char[] keyPassword) throws Exception {
+        KeyStore ks = KeyStore.getInstance("PKCS12");
+        try (InputStream fis = new FileInputStream(keystorePath)) {
+            ks.load(fis, storePassword);
+        }
+        return (SecretKey) ks.getKey(alias, keyPassword);
+    }
+}
+```
+
+**Secure key management options:**
+
+| Method | Description |
+|--------|-------------|
+| Environment variables | Simple, good for containers (`AES_SECRET_KEY`) |
+| Java KeyStore (JKS/PKCS12) | Standard Java key storage |
+| AWS Secrets Manager / KMS | Cloud-managed, auditable |
+| HashiCorp Vault | Enterprise secret management |
+| Google Cloud Secret Manager | GCP-native secrets |
+
+**Additional rules:**
+- Always use a **random IV** per encryption — never a fixed IV.
+- IVs need not be secret but must be unique per encryption.
+- Use AES-GCM instead of AES-CBC where possible (provides authentication).
+- Key length: AES-128 minimum, AES-256 recommended.
+
+**Tools:** PMD (`HardCodedCryptoKey`, `InsecureCryptoIv`), SonarQube (`S2068`, `S3329`), SpotBugs (`HardCodedKey`)

package/skill-assets/sunlint-code-quality/rules/java/J015-optional-instead-of-null.md

@@ -0,0 +1,109 @@
+---
+title: Use Optional Instead of Returning null for Absent Values
+impact: MEDIUM
+impactDescription: returning null from methods forces callers to guess whether null is possible, leading to unchecked NullPointerExceptions
+tags: null-safety, design, java, clean-code
+---
+
+## Use Optional Instead of Returning null for Absent Values
+
+`null` is the most common source of `NullPointerException` in Java. When a method may or may not return a value (as opposed to returning a collection), use `java.util.Optional<T>` to make the "absence" explicit in the API contract. `Optional` forces callers to consciously handle the absent case.
+
+This is described in *Effective Java* Item 55: *"Return Optionals Judiciously."*
+
+**Incorrect (returning null):**
+
+```java
+// Caller cannot tell from the signature whether null is possible
+public User findUserByEmail(String email) {
+    return userRepository.findByEmail(email); // may return null — not obvious
+}
+
+public String getPreferredLanguage(Long userId) {
+    UserPreferences prefs = preferencesRepo.findByUser(userId);
+    if (prefs == null) return null; // unclear API contract
+    return prefs.getLanguage();
+}
+
+// Callers must remember to null-check:
+User user = userService.findUserByEmail("a@b.com");
+user.getName(); // NPE if forgotten
+```
+
+**Correct (using Optional):**
+
+```java
+import java.util.Optional;
+
+// Method signature clearly states: "this might not exist"
+public Optional<User> findUserByEmail(String email) {
+    User user = userRepository.findByEmail(email);
+    return Optional.ofNullable(user); // wraps null into empty Optional
+}
+
+public Optional<String> getPreferredLanguage(Long userId) {
+    return Optional.ofNullable(preferencesRepo.findByUser(userId))
+        .map(UserPreferences::getLanguage);
+}
+```
+
+**Handling Optional at call sites:**
+
+```java
+// Option 1: provide a default value
+String name = userService.findUserByEmail("a@b.com")
+    .map(User::getName)
+    .orElse("Guest");
+
+// Option 2: throw a meaningful exception if absent
+User user = userService.findUserByEmail("a@b.com")
+    .orElseThrow(() -> new UserNotFoundException("User not found: " + email));
+
+// Option 3: only proceed if present
+userService.findUserByEmail("a@b.com")
+    .ifPresent(user -> sendWelcomeEmail(user));
+
+// Option 4: ifPresentOrElse (Java 9+)
+userService.findUserByEmail("a@b.com")
+    .ifPresentOrElse(
+        user -> logger.info("Found user: {}", user.getId()),
+        () -> logger.info("User not found")
+    );
+
+// Option 5: transform and fall back
+String language = getPreferredLanguage(userId)
+    .filter(lang -> supportedLanguages.contains(lang))
+    .orElse("en");
+```
+
+**When NOT to use Optional:**
+
+```java
+// 1. Do NOT use Optional for fields — use null or default values
+public class User {
+    private Optional<String> middleName; // bad: not serializable, adds overhead
+    private String middleName;           // good: use null or ""
+}
+
+// 2. Do NOT use Optional for method parameters — use overloading or @Nullable
+public void createUser(Optional<String> role) { ... } // bad
+public void createUser(String role) { ... }           // good: role can be nullable
+public void createUser() { ... }                      // good: overload for absent role
+
+// 3. Do NOT use Optional for collections — return empty collection instead
+public Optional<List<Order>> getOrders() { ... }       // bad: double-wrap
+public List<Order> getOrders() { ... }                 // good: return empty list
+
+// 4. Do NOT use Optional.get() without checking — defeats the purpose
+user.get().getName(); // same as null, throws NoSuchElementException
+```
+
+**Optional factory methods:**
+
+```java
+Optional.of(value)          // value must be non-null; throws NPE if null
+Optional.ofNullable(value)  // safe: wraps null into empty Optional
+Optional.empty()            // explicitly empty
+```
+
+**Tools:** IntelliJ Inspections (`OptionalUsedAsFieldOrParameterType`), SonarQube (`S3553`, `S2789`), PMD

package/skill-assets/sunlint-code-quality/rules/php-laravel/AGENTS.md

@@ -0,0 +1,124 @@
+# Laravel Framework — SunLint Agent Guide
+
+> Priority directives for AI agents working on Laravel projects.
+> Rule files: `.agent/skills/sunlint-code-quality/rules/`
+
+---
+
+## Critical Patterns — Apply Every Time
+
+### Validation
+- **Always** use `php artisan make:request` → `FormRequest` class, never `$request->validate()` in controller
+- In the controller use `$request->validated()` — never `$request->all()` or `$request->input()` wholesale
+- See: `LV001-form-request-validation.md`
+
+### N+1 Queries
+- **Always** check: does this controller/service access a relation in a loop or collection?
+- If yes → add `->with(['relation'])` to the query **before** the loop
+- Use `->withCount('relation')` instead of `->relation->count()` in loops  
+- See: `LV002-eager-load-no-n-plus-1.md`
+
+### Mass Assignment
+- Every new Model must define explicit `$fillable = [...]`
+- **Never**: `protected $guarded = []`
+- **Never**: `Model::create($request->all())` — use `$request->validated()`
+- See: `LV004-fillable-mass-assignment.md`
+
+### Passwords
+- `Hash::make($password)` to store, `Hash::check($plain, $hash)` to verify
+- **Never** `md5()`, `sha1()`, or raw `password_hash()` for passwords
+- See: `LV007-hash-passwords.md`
+
+### Authorization
+- **Never** `if ($user->role === 'admin')` scattered in controllers
+- Generate a Policy: `php artisan make:policy ModelPolicy --model=Model`
+- Use `$this->authorize('action', $model)` or Form Request `authorize()`
+- See: `LV005-policies-gates-authorization.md`
+
+---
+
+## Architecture Patterns
+
+### Controller responsibility
+Controllers do exactly 3 things: validate input → call service → return response.
+No business logic, no DB queries, no calculations in controllers.
+```php
+// Controller
+public function store(StoreOrderRequest $request): JsonResponse
+{
+    $order = $this->orderService->placeOrder($request->user(), $request->validated());
+    return OrderResource::make($order)->response()->setStatusCode(201);
+}
+```
+See: `LV012-service-layer.md`
+
+### API Responses
+- Always use `php artisan make:resource` → never `->toArray()`, `->toJson()` or raw `response()->json($model)`
+- Sensitive columns (`password`, `remember_token`) must be in `$hidden` on the model
+- See: `LV009-api-resources.md`
+
+### Configuration
+- `env()` appears **only** in `config/*.php` files — never in app code (breaks after `config:cache`)
+- App code always uses `config('key.sub_key')` with optional default
+- See: `LV003-config-not-env.md`
+
+### Heavy Operations (email, API calls, reports)
+- Any external call or operation > ~200ms → `Job::dispatch()->onQueue('name')`
+- Job class implements `ShouldQueue`, handles `failed()` method
+- See: `LV006-queue-heavy-tasks.md`
+
+### Large Data Sets
+- No `Model::all()` or unbounded `->get()` in commands/jobs
+- Use `->chunkById(500, fn($batch) => ...)` or `->cursor()` for iteration
+- See: `LV010-chunk-large-datasets.md`
+
+### Multi-step Writes
+- Any sequence of 2+ DB writes that must be atomic → wrap in `DB::transaction(fn() => { ... })`
+- dispatch jobs inside transactions: `Job::dispatch($model)->afterCommit()`
+- See: `LV011-db-transactions.md`
+
+### Route Model Binding
+- Route params matching a Model name auto-resolve — no manual `findOrFail()`
+- `Route::get('/posts/{post}', ...)` → controller receives `Post $post` directly
+- See: `LV008-route-model-binding.md`
+
+### Dependency Injection
+- Register services in `AppServiceProvider::register()` as singletons/bindings
+- Controllers receive via constructor — never `new Service()` inside a method
+- See: `LV014-service-container.md`
+
+---
+
+## Run Commands
+
+```bash
+php artisan make:request  StoreXxxRequest   # validation
+php artisan make:policy   XxxPolicy --model=Xxx
+php artisan make:resource XxxResource
+php artisan make:job      ProcessXxx
+php artisan make:service  XxxService        # (if using stubs)
+
+php artisan test --filter ClassName         # run specific test
+php artisan test --coverage                 # coverage report
+php artisan config:cache                    # validate no env() in app code
+php artisan route:list --path=api           # audit routes
+php artisan telescope:install               # install query/request debugger
+```
+
+---
+
+## What NOT to do (quick reference)
+
+| ❌ Wrong | ✅ Correct |
+|---|---|
+| `$request->validate([...])` in controller | `FormRequest` class |
+| `$request->all()` | `$request->validated()` |
+| `Post::all()` | `Post::with([...])->paginate(20)` |
+| `$post->comments->count()` in loop | `Post::withCount('comments')` |
+| `env('KEY')` in service | `config('prefix.key')` |
+| `$guarded = []` | `$fillable = ['col1', 'col2']` |
+| `if ($user->role === 'admin')` | `$this->authorize('action', $model)` |
+| `md5($password)` | `Hash::make($password)` |
+| `response()->json($model)` | `ModelResource::make($model)` |
+| `Mail::send()` in controller | `SendMailJob::dispatch()->onQueue(...)` |
+| `new OrderService()` in controller | Constructor DI auto-resolved by container |