@syntesseraai/opencode-feature-factory 0.1.19 → 0.1.20

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "@syntesseraai/opencode-feature-factory",
-  "version": "0.1.19",
+  "version": "0.1.20",
   "description": "OpenCode plugin for Feature Factory agents - provides planning, implementation, review, testing, and validation agents",
   "type": "module",
   "license": "MIT",

package/src/index.ts

@@ -1,10 +1,38 @@
-import type { Plugin, Hooks } from '@opencode-ai/plugin';
+import type { Plugin, Hooks, PluginInput } from '@opencode-ai/plugin';
 import * as path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { mkdir, access, writeFile, readFile } from 'node:fs/promises';
 import { constants as fsConstants } from 'node:fs';
 import { createQualityGateHooks } from './stop-quality-gate';
 
+const SERVICE_NAME = 'feature-factory';
+
+type Client = PluginInput['client'];
+
+/**
+ * Log a message using the OpenCode client's structured logging.
+ * Silently fails if logging is unavailable.
+ */
+async function log(
+  client: Client,
+  level: 'debug' | 'info' | 'warn' | 'error',
+  message: string,
+  extra?: Record<string, unknown>
+): Promise<void> {
+  try {
+    await client.app.log({
+      body: {
+        service: SERVICE_NAME,
+        level,
+        message,
+        extra,
+      },
+    });
+  } catch {
+    // Logging failure should not affect plugin operation
+  }
+}
+
 /**
  * List of agent templates to sync to projects.
  * Each entry maps a destination filename to its template path relative to this module.
@@ -147,7 +175,7 @@ function mergeHooks(...hookSets: Partial<Hooks>[]): Hooks {
  * - If management/ci.sh does not exist, quality gate does not run
  */
 export const FeatureFactoryPlugin: Plugin = async (input) => {
-  const { worktree, directory } = input;
+  const { worktree, directory, client } = input;
   const rootDir = resolveRootDir({ worktree, directory });
 
   // Skip if no valid directory (e.g., global config with no project)
@@ -158,16 +186,21 @@ export const FeatureFactoryPlugin: Plugin = async (input) => {
   // Run initial sync on plugin load (silent - errors are swallowed)
   try {
     await ensureAgentsInstalled(rootDir);
-  } catch {
-    // Silent autosync shouldn't crash OpenCode startup
+  } catch (error) {
+    await log(client, 'warn', 'agent-sync.init-error', {
+      rootDir,
+      error: String(error),
+    });
   }
 
   // Create quality gate hooks
   let qualityGateHooks: Partial<Hooks> = {};
   try {
     qualityGateHooks = await createQualityGateHooks(input);
-  } catch {
-    // Silent failure - quality gate shouldn't crash OpenCode startup
+  } catch (error) {
+    await log(client, 'error', 'quality-gate.init-error', {
+      error: String(error),
+    });
   }
 
   // Agent sync hooks
@@ -177,8 +210,11 @@ export const FeatureFactoryPlugin: Plugin = async (input) => {
       if (event.type === 'installation.updated') {
         try {
           await ensureAgentsInstalled(rootDir);
-        } catch {
-          // Silent failure
+        } catch (error) {
+          await log(client, 'warn', 'agent-sync.update-error', {
+            rootDir,
+            error: String(error),
+          });
         }
       }
     },

package/src/stop-quality-gate.test.ts

@@ -6,56 +6,7 @@
  * - isSessionReadOnly: determines if session has write permissions
  */
 
-// Re-implement the functions here for testing since they're not exported
-// This allows us to test the logic without modifying the source file exports
-
-const SECRET_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [
-  // AWS Access Key IDs
-  { pattern: /AKIA[0-9A-Z]{16}/g, replacement: '[REDACTED_AWS_KEY]' },
-  // GitHub Personal Access Tokens (classic)
-  { pattern: /ghp_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_GH_TOKEN]' },
-  // GitHub Personal Access Tokens (fine-grained)
-  { pattern: /github_pat_[A-Za-z0-9_]{22,}/g, replacement: '[REDACTED_GH_TOKEN]' },
-  // GitHub OAuth tokens
-  { pattern: /gho_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_GH_TOKEN]' },
-  // GitHub App tokens (user-to-server and server-to-server)
-  { pattern: /ghu_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_GH_TOKEN]' },
-  { pattern: /ghs_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_GH_TOKEN]' },
-  // GitLab Personal Access Tokens
-  { pattern: /glpat-[A-Za-z0-9-]{20,}/g, replacement: '[REDACTED_GITLAB_TOKEN]' },
-  // npm tokens
-  { pattern: /npm_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_NPM_TOKEN]' },
-  // Bearer tokens
-  { pattern: /Bearer\s+[\w\-.]+/gi, replacement: 'Bearer [REDACTED]' },
-  // API keys (api_key, api-key, apikey, apikeys, etc.)
-  { pattern: /api[_-]?keys?[=:\s]+['"]?[\w-]+['"]?/gi, replacement: 'api_key=[REDACTED]' },
-  // Tokens (token, tokens)
-  { pattern: /tokens?[=:\s]+['"]?[\w-]+['"]?/gi, replacement: 'token=[REDACTED]' },
-  // Passwords
-  { pattern: /passwords?[=:\s]+['"]?[^\s'"]+['"]?/gi, replacement: 'password=[REDACTED]' },
-  // Generic secrets
-  { pattern: /secrets?[=:\s]+['"]?[^\s'"]+['"]?/gi, replacement: 'secret=[REDACTED]' },
-  // Base64-encoded long strings that look like secrets (40+ chars of base64 alphabet)
-  { pattern: /[A-Za-z0-9+/]{40,}={0,2}/g, replacement: '[REDACTED_BASE64]' },
-  // Private keys (RSA, DSA, EC, OpenSSH, etc.)
-  {
-    pattern: /-----BEGIN[\s\w]+PRIVATE KEY-----[\s\S]*?-----END[\s\w]+PRIVATE KEY-----/g,
-    replacement: '[REDACTED_PRIVATE_KEY]',
-  },
-  // Database connection strings with credentials (postgres, postgresql, mysql, mongodb, redis)
-  {
-    pattern: /(postgres|postgresql|mysql|mongodb(\+srv)?|rediss?):\/\/[^\s]+:[^@\s]+@[^\s]+/gi,
-    replacement: '[REDACTED_CONNECTION_STRING]',
-  },
-];
-
-function sanitizeOutput(output: string): string {
-  let sanitized = output;
-  for (const { pattern, replacement } of SECRET_PATTERNS) {
-    sanitized = sanitized.replace(pattern, replacement);
-  }
-  return sanitized;
-}
+import { SECRET_PATTERNS, sanitizeOutput } from './stop-quality-gate';
 
 interface PermissionRule {
   permission: string;
@@ -204,14 +155,44 @@ describe('sanitizeOutput', () => {
   });
 
   describe('tokens', () => {
-    it('should redact token assignments', () => {
+    it('should redact token assignments with 8+ char values', () => {
       const input = 'token=ghp_xxxxxxxxxxxxxxxxxxxx';
       const result = sanitizeOutput(input);
       expect(result).toBe('token=[REDACTED]');
     });
 
-    it('should redact tokens plural', () => {
-      const input = 'tokens: secret123';
+    it('should redact tokens plural with 8+ char values', () => {
+      const input = 'tokens: secret12345';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('token=[REDACTED]');
+    });
+
+    it('should NOT redact token with short values (less than 8 chars)', () => {
+      const input = 'token=abc123';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('token=abc123');
+    });
+
+    it('should NOT redact phrases like "token count: 5" (value too short)', () => {
+      const input = 'token count: 5';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('token count: 5');
+    });
+
+    it('should NOT redact "token: abc" (value too short)', () => {
+      const input = 'token: abc';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('token: abc');
+    });
+
+    it('should redact actual token values that are 8+ chars', () => {
+      const input = 'token=abcd1234efgh';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('token=[REDACTED]');
+    });
+
+    it('should redact quoted tokens with 8+ char values', () => {
+      const input = 'token="my-secret-token-value"';
       const result = sanitizeOutput(input);
       expect(result).toBe('token=[REDACTED]');
     });
@@ -270,6 +251,33 @@ describe('sanitizeOutput', () => {
       const result = sanitizeOutput(base64);
       expect(result).toBe('[REDACTED_BASE64]');
     });
+
+    it('should redact base64 strings up to 500 chars (ReDoS prevention)', () => {
+      // Generate a 500-char base64 string
+      const base64 = 'A'.repeat(500);
+      const result = sanitizeOutput(base64);
+      expect(result).toBe('[REDACTED_BASE64]');
+    });
+
+    it('should handle base64 strings over 500 chars by matching only first 500 (ReDoS prevention)', () => {
+      // Generate a 501-char base64 string - only first 500 chars match
+      const base64 = 'A'.repeat(501);
+      const result = sanitizeOutput(base64);
+      // Pattern matches the first 500 chars, leaving 1 char behind
+      expect(result).toBe('[REDACTED_BASE64]A');
+    });
+
+    it('should handle base64 at exactly 40 chars (minimum threshold)', () => {
+      const base64 = 'A'.repeat(40);
+      const result = sanitizeOutput(base64);
+      expect(result).toBe('[REDACTED_BASE64]');
+    });
+
+    it('should NOT redact base64 strings under 40 chars', () => {
+      const base64 = 'A'.repeat(39);
+      const result = sanitizeOutput(base64);
+      expect(result).toBe(base64);
+    });
   });
 
   describe('multiple secrets', () => {
@@ -335,6 +343,130 @@ Done loading.`);
     });
   });
 
+  describe('GCP credentials', () => {
+    it('should redact GCP API keys', () => {
+      const input = 'Using GCP key: AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using GCP key: [REDACTED_GCP_KEY]');
+    });
+
+    it('should redact multiple GCP API keys', () => {
+      const input =
+        'Key1: AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe Key2: AIzaSyB-1234567890abcdefghijklmnopqrstu';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Key1: [REDACTED_GCP_KEY] Key2: [REDACTED_GCP_KEY]');
+    });
+
+    it('should not redact partial GCP API key patterns', () => {
+      const input = 'AIza123'; // Too short
+      const result = sanitizeOutput(input);
+      expect(result).toBe('AIza123');
+    });
+
+    it('should redact GCP OAuth tokens', () => {
+      const input = 'Authorization: ya29.a0AfH6SMBx-example-token-value_123';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Authorization: [REDACTED_GCP_TOKEN]');
+    });
+
+    it('should redact GCP OAuth tokens with various characters', () => {
+      const input = 'token=ya29.Gl-abc_XYZ-123';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('token=[REDACTED_GCP_TOKEN]');
+    });
+  });
+
+  describe('Slack tokens', () => {
+    it('should redact Slack bot tokens', () => {
+      const input = 'SLACK_BOT_TOKEN=xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('SLACK_BOT_TOKEN=[REDACTED_SLACK_TOKEN]');
+    });
+
+    it('should redact Slack user tokens', () => {
+      const input =
+        'Using xoxp-123456789012-123456789012-123456789012-abcdef1234567890abcdef1234567890';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using [REDACTED_SLACK_TOKEN]');
+    });
+
+    it('should redact Slack app tokens', () => {
+      const input =
+        'APP_TOKEN=xapp-1-A0123BCDEFG-1234567890123-abcdefghijklmnopqrstuvwxyz0123456789';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('APP_TOKEN=[REDACTED_SLACK_TOKEN]');
+    });
+
+    it('should redact Slack webhook URLs', () => {
+      const input =
+        'Webhook: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Webhook: https://[REDACTED_SLACK_WEBHOOK]');
+    });
+
+    it('should redact multiple different Slack token types', () => {
+      const input = `
+        Bot: xoxb-123-456-abc
+        User: xoxp-789-012-def
+        App: xapp-345-ghi
+      `;
+      const result = sanitizeOutput(input);
+      expect(result).toContain('[REDACTED_SLACK_TOKEN]');
+      expect(result).not.toContain('xoxb-');
+      expect(result).not.toContain('xoxp-');
+      expect(result).not.toContain('xapp-');
+    });
+  });
+
+  describe('Stripe keys', () => {
+    it('should redact Stripe live secret keys', () => {
+      // 24 chars after sk_live_: 51ABC123DEF456GHI789JKLM
+      const input = 'STRIPE_SECRET_KEY=sk_live_51ABC123DEF456GHI789JKLM';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('STRIPE_SECRET_KEY=[REDACTED_STRIPE_KEY]');
+    });
+
+    it('should redact Stripe test secret keys', () => {
+      // 24 chars after sk_test_: 51ABC123DEF456GHI789JKLM
+      const input = 'Using sk_test_51ABC123DEF456GHI789JKLM for testing';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using [REDACTED_STRIPE_KEY] for testing');
+    });
+
+    it('should redact Stripe live restricted keys', () => {
+      // 24 chars after rk_live_: 51ABC123DEF456GHI789JKLM
+      const input = 'RESTRICTED_KEY=rk_live_51ABC123DEF456GHI789JKLM';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('RESTRICTED_KEY=[REDACTED_STRIPE_KEY]');
+    });
+
+    it('should redact Stripe test restricted keys', () => {
+      // 24 chars after rk_test_: 51ABC123DEF456GHI789JKLM
+      const input = 'Using rk_test_51ABC123DEF456GHI789JKLM for testing';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Using [REDACTED_STRIPE_KEY] for testing');
+    });
+
+    it('should not redact Stripe keys that are too short', () => {
+      const input = 'sk_live_short'; // Less than 24 characters after prefix
+      const result = sanitizeOutput(input);
+      expect(result).toBe('sk_live_short');
+    });
+
+    it('should redact multiple Stripe keys', () => {
+      // 24 chars after each prefix
+      const input = 'Live: sk_live_51ABC123DEF456GHI789JKLM Test: sk_test_51XYZ789ABC123DEF456GHIJ';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('Live: [REDACTED_STRIPE_KEY] Test: [REDACTED_STRIPE_KEY]');
+    });
+
+    it('should redact long Stripe keys', () => {
+      const input = 'sk_live_51ABC123DEF456GHI789JKLmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOP';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_STRIPE_KEY]');
+    });
+  });
+
   describe('database connection strings', () => {
     it('should redact PostgreSQL connection strings', () => {
       const input = 'DATABASE_URL=postgres://admin:secretpass123@db.example.com:5432/mydb';
@@ -365,6 +497,30 @@ Done loading.`);
       const result = sanitizeOutput(input);
       expect(result).toBe('[REDACTED_CONNECTION_STRING]');
     });
+
+    it('should redact connection strings with URL-encoded passwords', () => {
+      const input = 'mongodb://user:p%40ss%23word@host/db';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
+    });
+
+    it('should redact PostgreSQL with URL-encoded @ in password', () => {
+      const input = 'postgres://admin:secret%40pass@db.example.com:5432/mydb';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
+    });
+
+    it('should redact connection strings with multiple URL-encoded characters', () => {
+      const input = 'mysql://root:p%40ss%3Dw%26rd%21@localhost:3306/testdb';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
+    });
+
+    it('should redact MongoDB+srv with URL-encoded password', () => {
+      const input = 'mongodb+srv://user:my%40complex%23pass@cluster.mongodb.net/database';
+      const result = sanitizeOutput(input);
+      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
+    });
   });
 
   describe('non-secret content', () => {

package/src/stop-quality-gate.ts

@@ -6,7 +6,7 @@ const CI_TIMEOUT_MS = 300000; // 5 minutes
 const SESSION_TTL_MS = 3600000; // 1 hour
 const CLEANUP_INTERVAL_MS = 600000; // 10 minutes
 
-const SECRET_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [
+export const SECRET_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [
   // AWS Access Key IDs
   { pattern: /AKIA[0-9A-Z]{16}/g, replacement: '[REDACTED_AWS_KEY]' },
   // GitHub Personal Access Tokens (classic)
@@ -22,35 +22,57 @@ const SECRET_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [
   { pattern: /glpat-[A-Za-z0-9-]{20,}/g, replacement: '[REDACTED_GITLAB_TOKEN]' },
   // npm tokens
   { pattern: /npm_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_NPM_TOKEN]' },
+  // Slack bot tokens
+  { pattern: /xoxb-[0-9A-Za-z-]+/g, replacement: '[REDACTED_SLACK_TOKEN]' },
+  // Slack user tokens
+  { pattern: /xoxp-[0-9A-Za-z-]+/g, replacement: '[REDACTED_SLACK_TOKEN]' },
+  // Slack app tokens
+  { pattern: /xapp-[0-9A-Za-z-]+/g, replacement: '[REDACTED_SLACK_TOKEN]' },
+  // Slack webhook URLs
+  { pattern: /hooks\.slack\.com\/services\/[A-Z0-9/]+/g, replacement: '[REDACTED_SLACK_WEBHOOK]' },
+  // Stripe live secret keys
+  { pattern: /sk_live_[0-9a-zA-Z]{24,}/g, replacement: '[REDACTED_STRIPE_KEY]' },
+  // Stripe test secret keys
+  { pattern: /sk_test_[0-9a-zA-Z]{24,}/g, replacement: '[REDACTED_STRIPE_KEY]' },
+  // Stripe live restricted keys
+  { pattern: /rk_live_[0-9a-zA-Z]{24,}/g, replacement: '[REDACTED_STRIPE_KEY]' },
+  // Stripe test restricted keys
+  { pattern: /rk_test_[0-9a-zA-Z]{24,}/g, replacement: '[REDACTED_STRIPE_KEY]' },
   // Bearer tokens
   { pattern: /Bearer\s+[\w\-.]+/gi, replacement: 'Bearer [REDACTED]' },
   // API keys (api_key, api-key, apikey, apikeys, etc.)
   { pattern: /api[_-]?keys?[=:\s]+['"]?[\w-]+['"]?/gi, replacement: 'api_key=[REDACTED]' },
-  // Tokens (token, tokens)
-  { pattern: /tokens?[=:\s]+['"]?[\w-]+['"]?/gi, replacement: 'token=[REDACTED]' },
+  // Tokens (token, tokens) - require minimum 8 char value to reduce false positives
+  { pattern: /tokens?[=:\s]+['"]?([A-Za-z0-9_-]{8,})['"]?/gi, replacement: 'token=[REDACTED]' },
   // Passwords
   { pattern: /passwords?[=:\s]+['"]?[^\s'"]+['"]?/gi, replacement: 'password=[REDACTED]' },
   // Generic secrets
   { pattern: /secrets?[=:\s]+['"]?[^\s'"]+['"]?/gi, replacement: 'secret=[REDACTED]' },
-  // Base64-encoded long strings that look like secrets (40+ chars of base64 alphabet)
-  { pattern: /[A-Za-z0-9+/]{40,}={0,2}/g, replacement: '[REDACTED_BASE64]' },
+  // Base64-encoded long strings that look like secrets (40-500 chars to prevent ReDoS)
+  { pattern: /[A-Za-z0-9+/]{40,500}={0,2}/g, replacement: '[REDACTED_BASE64]' },
   // Private keys (RSA, DSA, EC, OpenSSH, etc.)
   {
     pattern: /-----BEGIN[\s\w]+PRIVATE KEY-----[\s\S]*?-----END[\s\w]+PRIVATE KEY-----/g,
     replacement: '[REDACTED_PRIVATE_KEY]',
   },
   // Database connection strings with credentials (postgres, postgresql, mysql, mongodb, redis)
+  // Password portion handles URL-encoded characters like %40 (for @) and %23 (for #)
   {
-    pattern: /(postgres|postgresql|mysql|mongodb(\+srv)?|rediss?):\/\/[^\s]+:[^@\s]+@[^\s]+/gi,
+    pattern:
+      /(postgres|postgresql|mysql|mongodb(\+srv)?|rediss?):\/\/[^\s/:]+:(?:[^@\s]|%[0-9A-Fa-f]{2})+@[^\s]+/gi,
     replacement: '[REDACTED_CONNECTION_STRING]',
   },
+  // GCP API keys
+  { pattern: /AIza[0-9A-Za-z_-]{35}/g, replacement: '[REDACTED_GCP_KEY]' },
+  // GCP OAuth tokens
+  { pattern: /ya29\.[0-9A-Za-z_-]+/g, replacement: '[REDACTED_GCP_TOKEN]' },
 ];
 
 /**
  * Sanitizes CI output by redacting common secret patterns before sending to the LLM.
  * This helps prevent accidental exposure of sensitive information in prompts.
  */
-function sanitizeOutput(output: string): string {
+export function sanitizeOutput(output: string): string {
   let sanitized = output;
   for (const { pattern, replacement } of SECRET_PATTERNS) {
     sanitized = sanitized.replace(pattern, replacement);
@@ -234,10 +256,20 @@ export async function createQualityGateHooks(input: PluginInput): Promise<Partia
       });
 
       let timeoutId: ReturnType<typeof setTimeout> | null = null;
+      let forceKillTimeoutId: ReturnType<typeof setTimeout> | null = null;
       const timeoutPromise = new Promise<void>((resolve) => {
         timeoutId = setTimeout(() => {
           timedOut = true;
-          proc.kill();
+          // Graceful termination: SIGTERM first, then SIGKILL after grace period
+          proc.kill('SIGTERM');
+          forceKillTimeoutId = setTimeout(() => {
+            // Force kill if still running after grace period
+            try {
+              proc.kill('SIGKILL');
+            } catch {
+              // Process already terminated
+            }
+          }, 5000);
           resolve();
         }, CI_TIMEOUT_MS);
       });
@@ -245,10 +277,13 @@ export async function createQualityGateHooks(input: PluginInput): Promise<Partia
       // Race the process completion against the timeout
       await Promise.race([proc.exited, timeoutPromise]);
 
-      // Clear timeout if process completed before timeout
+      // Clear timeouts if process completed before timeout
       if (timeoutId) {
         clearTimeout(timeoutId);
       }
+      if (forceKillTimeoutId) {
+        clearTimeout(forceKillTimeoutId);
+      }
 
       const exitCode = proc.exitCode;
       const stdout = await new Response(proc.stdout).text();