axexec 1.0.0 → 1.1.0

package/README.md

@@ -162,6 +162,23 @@ GITHUB_TOKEN=ghp_... axexec -a copilot "Write tests"
 ```
 
 For Claude, `CLAUDE_CODE_OAUTH_TOKEN` (generated via `claude setup-token`) also works.
+For Copilot, token precedence is `COPILOT_GITHUB_TOKEN`, then `GH_TOKEN`, then
+`GITHUB_TOKEN`.
+
+For OpenCode, if multiple provider API keys are set, axexec uses the model
+prefix (`anthropic/...`, `openai/...`, `google/...`) to disambiguate. When
+multiple keys are present and no provider prefix is available, set
+`AX_OPENCODE_CREDENTIALS` explicitly. This value must be a JSON-encoded
+Credentials object (not a raw API key), for example:
+
+```json
+{
+  "agent": "opencode",
+  "type": "api-key",
+  "provider": "openai",
+  "data": { "apiKey": "sk-..." }
+}
+```
 
 ## Isolation
 
@@ -173,6 +190,10 @@ axexec provides complete environment isolation:
 4. Sets environment variables to point agents at the temp directory
 5. Cleans up the temp directory after execution
 
+Codex runs with `--dangerously-bypass-approvals-and-sandbox`, so `--allow` /
+`--deny` do not constrain Codex. Run axexec inside an external sandbox if you
+need enforcement.
+
 Agents **never** access:
 
 - User's home directory config (`~/.claude`, `~/.codex`, `~/.gemini`)

package/dist/agents/claude-code/types.d.ts

@@ -77,8 +77,8 @@ type ClaudeUserEvent = z.infer<typeof ClaudeUserEvent>;
 declare const ClaudeResultEvent: z.ZodObject<{
     type: z.ZodLiteral<"result">;
     subtype: z.ZodEnum<{
-        success: "success";
         error: "error";
+        success: "success";
         cancelled: "cancelled";
     }>;
     timestamp: z.ZodOptional<z.ZodString>;
@@ -153,8 +153,8 @@ declare const ClaudeEvent: z.ZodDiscriminatedUnion<[z.ZodObject<{
 }, z.core.$strip>, z.ZodObject<{
     type: z.ZodLiteral<"result">;
     subtype: z.ZodEnum<{
-        success: "success";
         error: "error";
+        success: "success";
         cancelled: "cancelled";
     }>;
     timestamp: z.ZodOptional<z.ZodString>;

package/dist/agents/codex/adapter.js

@@ -16,23 +16,18 @@ const CODEX_INFO = {
  * Prepares the command to spawn Codex CLI.
  */
 function prepareCommand(options) {
-    // Build CLI arguments.
-    // Enable network access in sandbox: Codex blocks network by default in
-    // workspace-write mode, but other agents (Gemini, OpenCode) allow it by
-    // default. For unified behavior, enable it. This keeps file-level sandbox
-    // protections while allowing gh, curl, etc.
     const cliArguments = [
         "exec",
         "--json",
-        "--full-auto",
-        "-c",
-        "sandbox_workspace_write.network_access=true",
-        // Add model flag if specified (o4-mini, gpt-5.1-codex, gpt-5.2, etc.)
-        ...(options.model ? ["--model", options.model] : []),
-        // Use "--" to prevent prompt from being misinterpreted as a flag
-        "--",
-        options.prompt,
+        // Run Codex without internal approvals/sandbox; no Codex-enforced restrictions apply.
+        "--dangerously-bypass-approvals-and-sandbox",
     ];
+    // Add model flag if specified (o4-mini, gpt-5.1-codex, gpt-5.2, etc.)
+    if (options.model) {
+        cliArguments.push("--model", options.model);
+    }
+    // Use "--" to prevent prompt from being misinterpreted as a flag
+    cliArguments.push("--", options.prompt);
     const environment = {};
     // Pass through authentication environment variable.
     // If not set, Codex CLI will handle auth errors on its own.

package/dist/agents/gemini/types.d.ts

@@ -41,8 +41,8 @@ declare const GeminiToolResultEvent: z.ZodObject<{
     type: z.ZodLiteral<"tool_result">;
     tool_id: z.ZodString;
     status: z.ZodEnum<{
-        success: "success";
         error: "error";
+        success: "success";
     }>;
     output: z.ZodOptional<z.ZodString>;
     error: z.ZodOptional<z.ZodObject<{
@@ -67,8 +67,8 @@ type GeminiErrorEvent = z.infer<typeof GeminiErrorEvent>;
 declare const GeminiResultEvent: z.ZodObject<{
     type: z.ZodLiteral<"result">;
     status: z.ZodEnum<{
-        success: "success";
         error: "error";
+        success: "success";
     }>;
     error: z.ZodOptional<z.ZodObject<{
         type: z.ZodString;
@@ -109,8 +109,8 @@ declare const GeminiEvent: z.ZodDiscriminatedUnion<[z.ZodObject<{
     type: z.ZodLiteral<"tool_result">;
     tool_id: z.ZodString;
     status: z.ZodEnum<{
-        success: "success";
         error: "error";
+        success: "success";
     }>;
     output: z.ZodOptional<z.ZodString>;
     error: z.ZodOptional<z.ZodObject<{
@@ -129,8 +129,8 @@ declare const GeminiEvent: z.ZodDiscriminatedUnion<[z.ZodObject<{
 }, z.core.$strip>, z.ZodObject<{
     type: z.ZodLiteral<"result">;
     status: z.ZodEnum<{
-        success: "success";
         error: "error";
+        success: "success";
     }>;
     error: z.ZodOptional<z.ZodObject<{
         type: z.ZodString;

package/dist/build-agent-environment.d.ts

@@ -0,0 +1,2 @@
+declare function buildBaseEnvironment(additionalExclusions?: string[]): Record<string, string>;
+export { buildBaseEnvironment };

package/dist/build-agent-environment.js

@@ -0,0 +1,19 @@
+const VAULT_ENV_EXCLUSIONS = ["AXVAULT", "AXVAULT_URL", "AXVAULT_API_KEY"];
+function isAxCredentialEnvironment(key) {
+    return key.startsWith("AX_") && key.endsWith("_CREDENTIALS");
+}
+function buildBaseEnvironment(additionalExclusions = []) {
+    const allExclusions = new Set([
+        ...VAULT_ENV_EXCLUSIONS,
+        ...additionalExclusions,
+    ]);
+    const entries = Object.entries(process.env).flatMap(([key, value]) => {
+        if (value === undefined)
+            return [];
+        if (allExclusions.has(key) || isAxCredentialEnvironment(key))
+            return [];
+        return [[key, value]];
+    });
+    return Object.fromEntries(entries);
+}
+export { buildBaseEnvironment };

package/dist/build-execution-metadata.d.ts

@@ -0,0 +1,10 @@
+import type { AgentCli } from "./types/events.js";
+import type { RunAgentOptions, ExecutionMetadata } from "./types/run-result.js";
+import type { Credentials } from "./credentials/credentials.js";
+import type { installCredentials } from "./credentials/install-credentials.js";
+type CredentialInstallResult = Awaited<ReturnType<typeof installCredentials>>;
+/**
+ * Builds the execution metadata for the result.
+ */
+declare function buildExecutionMetadata(agentId: AgentCli, options: RunAgentOptions, credentialResult: CredentialInstallResult | undefined, credentials: Credentials | undefined, preserved: boolean): ExecutionMetadata;
+export { buildExecutionMetadata };

package/dist/build-execution-metadata.js

@@ -0,0 +1,27 @@
+/**
+ * Builds the execution metadata for the result.
+ */
+function buildExecutionMetadata(agentId, options, credentialResult, credentials, preserved) {
+    const execution = {
+        agent: agentId,
+        model: options.model,
+    };
+    // Add directory info if an isolated directory was created
+    if (credentialResult) {
+        execution.directories = {
+            base: credentialResult.baseDirectory,
+            config: credentialResult.configDirectory,
+            data: credentialResult.dataDirectory,
+            preserved,
+        };
+    }
+    // Add credential info if credentials were used
+    if (credentials) {
+        execution.credentials = {
+            type: credentials.type,
+            provider: credentials.provider,
+        };
+    }
+    return execution;
+}
+export { buildExecutionMetadata };

package/dist/build-permissions-config.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Permission config building for agent execution.
+ */
+import type { AgentCli } from "./types/events.js";
+import type { RunAgentOptions } from "./types/run-result.js";
+import type { installCredentials } from "./credentials/install-credentials.js";
+type CredentialInstallResult = Awaited<ReturnType<typeof installCredentials>>;
+/** Result of building permissions config */
+type BuildConfigResult = {
+    ok: true;
+    env: Record<string, string>;
+    warnings: string[];
+} | {
+    ok: false;
+    exitCode: number;
+    errors: string[];
+};
+/**
+ * Builds agent config with permissions.
+ *
+ * Requires credentialResult for the config directory.
+ */
+declare function buildPermissionsConfig(agentId: AgentCli, options: Pick<RunAgentOptions, "allow" | "deny">, credentialResult: CredentialInstallResult): BuildConfigResult;
+export { buildPermissionsConfig };

package/dist/build-permissions-config.js

@@ -0,0 +1,48 @@
+/**
+ * Permission config building for agent execution.
+ */
+import { buildAgentConfig } from "axconfig";
+/**
+ * Builds agent config with permissions.
+ *
+ * Requires credentialResult for the config directory.
+ */
+function buildPermissionsConfig(agentId, options, credentialResult) {
+    try {
+        const configResult = buildAgentConfig({
+            agentId,
+            allow: options.allow,
+            deny: options.deny,
+            output: credentialResult.configDirectory,
+        });
+        if (!configResult.ok) {
+            const errors = [];
+            if ("message" in configResult) {
+                errors.push(`Error: ${configResult.message}`);
+            }
+            else {
+                errors.push("Error building config: permission errors");
+                for (const error of configResult.errors) {
+                    errors.push(`  - ${error.reason}`);
+                }
+            }
+            return { ok: false, exitCode: configResult.exitCode, errors };
+        }
+        const warnings = configResult.warnings.map((warning) => `Warning: ${warning.reason}`);
+        // Merge config env with credential env (config env takes precedence)
+        return {
+            ok: true,
+            env: { ...credentialResult.env, ...configResult.env },
+            warnings,
+        };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            ok: false,
+            exitCode: 1,
+            errors: [`Error parsing permissions: ${message}`],
+        };
+    }
+}
+export { buildPermissionsConfig };

package/dist/credentials/credentials.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Credential schema and parser.
+ *
+ * Temporary local copy of the axshared credentials schema.
+ * Remove once axshared exports an equivalent parser with matching validation.
+ */
+import { z } from "zod";
+/** Zod schema for Credentials */
+declare const Credentials: z.ZodObject<{
+    agent: z.ZodEnum<{
+        claude: "claude";
+        codex: "codex";
+        gemini: "gemini";
+        opencode: "opencode";
+        copilot: "copilot";
+    }>;
+    type: z.ZodEnum<{
+        "oauth-credentials": "oauth-credentials";
+        "oauth-token": "oauth-token";
+        "api-key": "api-key";
+    }>;
+    provider: z.ZodOptional<z.ZodString>;
+    data: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+}, z.core.$strip>;
+type Credentials = z.infer<typeof Credentials>;
+type ParseCredentialsResult = {
+    ok: true;
+    credentials: Credentials;
+} | {
+    ok: false;
+    error: string;
+};
+/**
+ * Parse and validate credentials from unknown input.
+ *
+ * @returns Validated Credentials or error details
+ */
+declare function parseCredentials(input: unknown): ParseCredentialsResult;
+export { Credentials, parseCredentials };

package/dist/credentials/credentials.js

@@ -0,0 +1,73 @@
+/**
+ * Credential schema and parser.
+ *
+ * Temporary local copy of the axshared credentials schema.
+ * Remove once axshared exports an equivalent parser with matching validation.
+ */
+import { z } from "zod";
+import { AGENT_CLIS } from "axshared";
+import { resolveStringField } from "./resolve-string-field.js";
+/** Credential storage types */
+const CREDENTIAL_TYPES = [
+    "oauth-credentials",
+    "oauth-token",
+    "api-key",
+];
+/** Zod schema for credential type validation and parsing */
+const CredentialType = z.enum(CREDENTIAL_TYPES);
+/** Zod schema for Credentials */
+const Credentials = z
+    .object({
+    /** Agent this credential belongs to */
+    agent: z.enum(AGENT_CLIS),
+    /** Credential storage type */
+    type: CredentialType,
+    /** Provider identifier for multi-provider agents like OpenCode */
+    provider: z.string().trim().min(1).optional(),
+    /** The actual credential data (format depends on type and agent) */
+    data: z.record(z.string(), z.unknown()),
+})
+    .superRefine((value, context) => {
+    if (value.type === "api-key") {
+        const apiKey = resolveStringField(value.data, "apiKey", "key");
+        if (!apiKey) {
+            context.addIssue({
+                code: "custom",
+                path: ["data"],
+                message: 'api-key credentials require "apiKey" or "key"',
+            });
+        }
+    }
+    if (value.type === "oauth-token") {
+        const oauthToken = resolveStringField(value.data, "oauthToken", "token");
+        if (!oauthToken) {
+            context.addIssue({
+                code: "custom",
+                path: ["data"],
+                message: 'oauth-token credentials require "oauthToken" or "token"',
+            });
+        }
+    }
+    // oauth-credentials payloads are provider-specific and intentionally
+    // not validated beyond basic schema checks here.
+});
+function formatParseError(error) {
+    return error.issues
+        .map((issue) => {
+        const path = issue.path.length > 0 ? issue.path.map(String).join(".") : "root";
+        return `${path}: ${issue.message}`;
+    })
+        .join("; ");
+}
+/**
+ * Parse and validate credentials from unknown input.
+ *
+ * @returns Validated Credentials or error details
+ */
+function parseCredentials(input) {
+    const result = Credentials.safeParse(input);
+    if (result.success)
+        return { ok: true, credentials: result.data };
+    return { ok: false, error: formatParseError(result.error) };
+}
+export { Credentials, parseCredentials };

package/dist/credentials/get-credential-environment.d.ts

@@ -1,13 +1,15 @@
 /**
  * Environment variable helpers for credential-based auth.
+ *
+ * Each agent has its own env var requirements. This module extracts
+ * the appropriate values from Credentials and returns them as env vars.
  */
-import type { AgentCli } from "axshared";
-import type { RawCredentials } from "./types.js";
+import type { Credentials } from "./credentials.js";
 /**
  * Gets additional environment variables for credential-based auth.
  *
- * Some agents use environment variables for API keys in addition to
- * or instead of file-based credentials.
+ * Some agents use environment variables for API keys or OAuth tokens
+ * in addition to or instead of file-based credentials.
  */
-declare function getCredentialEnvironment(agentId: AgentCli, credentials: RawCredentials): Record<string, string>;
+declare function getCredentialEnvironment(credentials: Credentials): Record<string, string>;
 export { getCredentialEnvironment };

package/dist/credentials/get-credential-environment.js

@@ -1,42 +1,72 @@
 /**
  * Environment variable helpers for credential-based auth.
+ *
+ * Each agent has its own env var requirements. This module extracts
+ * the appropriate values from Credentials and returns them as env vars.
  */
+import { resolveStringField } from "./resolve-string-field.js";
 /**
  * Gets additional environment variables for credential-based auth.
  *
- * Some agents use environment variables for API keys in addition to
- * or instead of file-based credentials.
+ * Some agents use environment variables for API keys or OAuth tokens
+ * in addition to or instead of file-based credentials.
  */
-function getCredentialEnvironment(agentId, credentials) {
+function getCredentialEnvironment(credentials) {
     const environment = {};
-    switch (agentId) {
+    // Extract API key from credentials data
+    const apiKey = resolveStringField(credentials.data, "apiKey", "key");
+    // Extract OAuth token from credentials data
+    const oauthToken = resolveStringField(credentials.data, "oauthToken", "token");
+    switch (credentials.agent) {
         case "claude": {
-            if (credentials.apiKey) {
-                environment["ANTHROPIC_API_KEY"] = credentials.apiKey;
+            if (credentials.type === "api-key" && apiKey) {
+                environment["ANTHROPIC_API_KEY"] = apiKey;
+            }
+            else if (credentials.type === "oauth-token" && oauthToken) {
+                environment["CLAUDE_CODE_OAUTH_TOKEN"] = oauthToken;
             }
             break;
         }
         case "codex": {
-            if (credentials.apiKey) {
-                environment["OPENAI_API_KEY"] = credentials.apiKey;
+            if (credentials.type === "api-key" && apiKey) {
+                environment["OPENAI_API_KEY"] = apiKey;
             }
             break;
         }
         case "gemini": {
-            if (credentials.apiKey) {
-                environment["GEMINI_API_KEY"] = credentials.apiKey;
+            if (credentials.type === "api-key" && apiKey) {
+                environment["GEMINI_API_KEY"] = apiKey;
             }
             break;
         }
         case "opencode": {
-            if (credentials.apiKey) {
-                environment["ANTHROPIC_API_KEY"] = credentials.apiKey;
+            // OpenCode supports multiple providers, env var depends on provider
+            const provider = credentials.provider ?? "anthropic";
+            if (credentials.type === "api-key" && apiKey) {
+                switch (provider) {
+                    case "anthropic": {
+                        environment["ANTHROPIC_API_KEY"] = apiKey;
+                        break;
+                    }
+                    case "openai": {
+                        environment["OPENAI_API_KEY"] = apiKey;
+                        break;
+                    }
+                    case "gemini":
+                    case "google": {
+                        environment["GEMINI_API_KEY"] = apiKey;
+                        break;
+                    }
+                }
             }
             break;
         }
         case "copilot": {
-            if (credentials.githubToken) {
-                environment["GITHUB_TOKEN"] = credentials.githubToken;
+            // Copilot uses GitHub token as its credential
+            if (credentials.type === "api-key" && apiKey) {
+                environment["COPILOT_GITHUB_TOKEN"] = apiKey;
+                environment["GH_TOKEN"] = apiKey;
+                environment["GITHUB_TOKEN"] = apiKey;
             }
             break;
         }

package/dist/credentials/get-environment-trimmed.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Gets trimmed environment variable value, treating empty/whitespace as undefined.
+ */
+declare function getEnvironmentTrimmed(key: string): string | undefined;
+export { getEnvironmentTrimmed };

package/dist/credentials/get-environment-trimmed.js

@@ -0,0 +1,8 @@
+/**
+ * Gets trimmed environment variable value, treating empty/whitespace as undefined.
+ */
+function getEnvironmentTrimmed(key) {
+    const value = process.env[key]?.trim();
+    return value || undefined;
+}
+export { getEnvironmentTrimmed };

package/dist/credentials/install-credentials.d.ts

@@ -1,25 +1,26 @@
 /**
  * Credential installation for isolated agent execution.
  *
- * Writes raw credentials to a temporary directory in agent-specific formats,
+ * Writes credentials to a temporary directory in agent-specific formats,
  * then returns the environment variables needed to point the agent at that
  * directory. This ensures complete isolation - agents never discover or use
  * locally installed credentials.
  */
 import { type AgentCli } from "axshared";
-import type { InstallResult, RawCredentials } from "./types.js";
-export type { RawCredentials } from "./types.js";
+import type { Credentials } from "./credentials.js";
+import type { InstallResult } from "./types.js";
+type WarningWriter = (message: string) => void;
 /**
- * Installs credentials to a temporary directory and returns isolation env vars.
+ * Installs credentials (if provided) to a temporary directory and returns isolation env vars.
  *
  * This function:
  * 1. Creates a temp directory structure appropriate for the agent
- * 2. Writes credential files in the agent-specific format
+ * 2. Writes credential files in the agent-specific format (if provided)
  * 3. Returns environment variables that point the agent at the temp directory
  *
  * The caller is responsible for cleaning up the temp directory after use.
  */
-declare function installCredentials(agentId: AgentCli, credentials: RawCredentials): Promise<InstallResult>;
+declare function installCredentials(agentId: AgentCli, credentials?: Credentials, warn?: WarningWriter): Promise<InstallResult>;
 /**
  * Cleanup for use in finally blocks.
  */

package/dist/credentials/install-credentials.js

@@ -1,7 +1,7 @@
 /**
  * Credential installation for isolated agent execution.
  *
- * Writes raw credentials to a temporary directory in agent-specific formats,
+ * Writes credentials to a temporary directory in agent-specific formats,
  * then returns the environment variables needed to point the agent at that
  * directory. This ensures complete isolation - agents never discover or use
  * locally installed credentials.
@@ -42,14 +42,14 @@ async function createTemporaryDirectories(agentId) {
 /**
  * Installs agent-specific credentials to the appropriate directory.
  */
-function installAgentCredentials(agentId, configDirectory, dataDirectory, credentials) {
+function installAgentCredentials(agentId, configDirectory, dataDirectory, credentials, warn) {
     switch (agentId) {
         case "claude": {
             installClaudeCredentials(configDirectory, credentials);
             break;
         }
         case "codex": {
-            installCodexCredentials(configDirectory, credentials);
+            installCodexCredentials(configDirectory, credentials, warn);
             break;
         }
         case "gemini": {
@@ -57,7 +57,7 @@ function installAgentCredentials(agentId, configDirectory, dataDirectory, creden
             break;
         }
         case "opencode": {
-            installOpenCodeCredentials(dataDirectory, credentials);
+            installOpenCodeCredentials(dataDirectory, credentials, warn);
             break;
         }
         case "copilot": {
@@ -67,26 +67,36 @@ function installAgentCredentials(agentId, configDirectory, dataDirectory, creden
     }
 }
 /**
- * Installs credentials to a temporary directory and returns isolation env vars.
+ * Installs credentials (if provided) to a temporary directory and returns isolation env vars.
  *
  * This function:
  * 1. Creates a temp directory structure appropriate for the agent
- * 2. Writes credential files in the agent-specific format
+ * 2. Writes credential files in the agent-specific format (if provided)
  * 3. Returns environment variables that point the agent at the temp directory
  *
  * The caller is responsible for cleaning up the temp directory after use.
  */
-async function installCredentials(agentId, credentials) {
+async function installCredentials(agentId, credentials, warn) {
     const { baseDirectory, configDirectory, dataDirectory } = await createTemporaryDirectories(agentId);
-    installAgentCredentials(agentId, configDirectory, dataDirectory, credentials);
-    const runtimeEnvironment = buildAgentRuntimeEnvironment(agentId, configDirectory, dataDirectory);
-    const credentialEnvironment = getCredentialEnvironment(agentId, credentials);
-    return {
-        env: { ...runtimeEnvironment, ...credentialEnvironment },
-        configDirectory,
-        dataDirectory,
-        baseDirectory,
-    };
+    try {
+        if (credentials) {
+            installAgentCredentials(agentId, configDirectory, dataDirectory, credentials, warn);
+        }
+        const runtimeEnvironment = buildAgentRuntimeEnvironment(agentId, configDirectory, dataDirectory);
+        const credentialEnvironment = credentials
+            ? getCredentialEnvironment(credentials)
+            : {};
+        return {
+            env: { ...runtimeEnvironment, ...credentialEnvironment },
+            configDirectory,
+            dataDirectory,
+            baseDirectory,
+        };
+    }
+    catch (error) {
+        await cleanupCredentials(baseDirectory);
+        throw error;
+    }
 }
 /**
  * Cleanup for use in finally blocks.

package/dist/credentials/resolve-string-field.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Resolves a string field from a data object, checking primary and fallback keys.
+ * Returns trimmed value if non-empty, undefined otherwise.
+ * Empty strings and whitespace-only values are treated as missing.
+ */
+declare function resolveStringField(data: Record<string, unknown>, primaryKey: string, fallbackKey: string): string | undefined;
+export { resolveStringField };

package/dist/credentials/resolve-string-field.js

@@ -0,0 +1,21 @@
+/**
+ * Resolves a string field from a data object, checking primary and fallback keys.
+ * Returns trimmed value if non-empty, undefined otherwise.
+ * Empty strings and whitespace-only values are treated as missing.
+ */
+function resolveStringField(data, primaryKey, fallbackKey) {
+    const primary = data[primaryKey];
+    if (typeof primary === "string") {
+        const trimmed = primary.trim();
+        if (trimmed)
+            return trimmed;
+    }
+    const fallback = data[fallbackKey];
+    if (typeof fallback === "string") {
+        const trimmed = fallback.trim();
+        if (trimmed)
+            return trimmed;
+    }
+    return undefined;
+}
+export { resolveStringField };