opensecurity 0.1.0

package/dist/pr-comment.js

@@ -0,0 +1,118 @@
+#!/usr/bin/env node
+/**
+ * PR Comment Reporter
+ *
+ * Reads a scan-results.json file and outputs a Markdown summary
+ * suitable for posting as a GitHub PR comment.
+ *
+ * Usage: node dist/pr-comment.js <scan-results.json>
+ */
+import fs from "node:fs";
+const SEVERITY_EMOJI = {
+    critical: "🔴",
+    high: "🟠",
+    medium: "🟡",
+    low: "🔵"
+};
+const SEVERITY_ORDER = ["critical", "high", "medium", "low"];
+const MAX_FINDINGS_PER_SEVERITY = 10;
+function loadResults(filePath) {
+    const raw = fs.readFileSync(filePath, "utf8").trim();
+    if (!raw || raw === "No findings.") {
+        return { findings: [] };
+    }
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        return { findings: [] };
+    }
+}
+function groupBySeverity(findings) {
+    const groups = {
+        critical: [],
+        high: [],
+        medium: [],
+        low: []
+    };
+    for (const f of findings) {
+        groups[f.severity]?.push(f);
+    }
+    return groups;
+}
+function renderSummaryTable(groups) {
+    const lines = [];
+    lines.push("| Severity | Count |");
+    lines.push("|----------|-------|");
+    for (const sev of SEVERITY_ORDER) {
+        const count = groups[sev].length;
+        if (count > 0) {
+            lines.push(`| ${SEVERITY_EMOJI[sev]} ${sev.toUpperCase()} | ${count} |`);
+        }
+    }
+    return lines.join("\n");
+}
+function renderFindingRow(f) {
+    const location = f.line ? `\`${f.file}:${f.line}\`` : `\`${f.file}\``;
+    const owasp = f.owasp ? ` — ${f.owasp}` : "";
+    const pkg = f.category === "dependency" && f.packageName
+        ? ` 📦 \`${f.packageName}${f.packageVersion ? `@${f.packageVersion}` : ""}\``
+        : "";
+    const rec = f.recommendation ? `\n    > 💡 ${f.recommendation}` : "";
+    return `- **${f.title}** (${location})${owasp}${pkg}\n  ${f.description}${rec}`;
+}
+function renderMarkdown(result) {
+    const lines = [];
+    const total = result.findings.length;
+    lines.push("## 🔒 OpenSecurity Scan Results");
+    lines.push("");
+    if (total === 0) {
+        lines.push("✅ **No security findings detected.** Great job!");
+        return lines.join("\n");
+    }
+    const groups = groupBySeverity(result.findings);
+    const criticalCount = groups.critical.length + groups.high.length;
+    if (criticalCount > 0) {
+        lines.push(`> ⚠️ **${criticalCount} critical/high severity issue${criticalCount > 1 ? "s" : ""} found.** Please review before merging.`);
+    }
+    else {
+        lines.push(`> ℹ️ **${total} finding${total > 1 ? "s" : ""} detected.** No critical issues.`);
+    }
+    lines.push("");
+    lines.push("### Summary");
+    lines.push("");
+    lines.push(renderSummaryTable(groups));
+    lines.push("");
+    for (const sev of SEVERITY_ORDER) {
+        const items = groups[sev];
+        if (items.length === 0)
+            continue;
+        lines.push(`### ${SEVERITY_EMOJI[sev]} ${sev.toUpperCase()} (${items.length})`);
+        lines.push("");
+        const shown = items.slice(0, MAX_FINDINGS_PER_SEVERITY);
+        for (const f of shown) {
+            lines.push(renderFindingRow(f));
+        }
+        if (items.length > MAX_FINDINGS_PER_SEVERITY) {
+            const remaining = items.length - MAX_FINDINGS_PER_SEVERITY;
+            lines.push(`\n<details><summary>…and ${remaining} more ${sev} finding${remaining > 1 ? "s" : ""}</summary>\n`);
+            for (const f of items.slice(MAX_FINDINGS_PER_SEVERITY)) {
+                lines.push(renderFindingRow(f));
+            }
+            lines.push("\n</details>");
+        }
+        lines.push("");
+    }
+    lines.push("---");
+    lines.push("*Generated by [OpenSecurity](https://github.com/opensecurity) 🛡️*");
+    return lines.join("\n");
+}
+// --- Main ---
+const args = process.argv.slice(2);
+const inputFile = args[0];
+if (!inputFile) {
+    console.error("Usage: node pr-comment.js <scan-results.json>");
+    process.exit(1);
+}
+const result = loadResults(inputFile);
+console.log(renderMarkdown(result));

package/dist/progress.js

@@ -0,0 +1,150 @@
+/**
+ * CLI UX utilities: progress spinner, verbose logging, and formatting.
+ */
+const SPINNER_FRAMES = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
+const SPINNER_INTERVAL = 80;
+export class Logger {
+    level;
+    constructor(options = {}) {
+        if (options.silent) {
+            this.level = "silent";
+        }
+        else if (options.verbose) {
+            this.level = "verbose";
+        }
+        else {
+            this.level = "normal";
+        }
+    }
+    info(message) {
+        if (this.level === "silent")
+            return;
+        console.error(`ℹ ${message}`);
+    }
+    verbose(message) {
+        if (this.level !== "verbose")
+            return;
+        console.error(`  ${dim(message)}`);
+    }
+    success(message) {
+        if (this.level === "silent")
+            return;
+        console.error(`✅ ${message}`);
+    }
+    warn(message) {
+        if (this.level === "silent")
+            return;
+        console.error(`⚠️  ${message}`);
+    }
+    error(message) {
+        console.error(`❌ ${message}`);
+    }
+}
+export class Spinner {
+    frame = 0;
+    timer = null;
+    message;
+    stream;
+    active = false;
+    constructor(message) {
+        this.message = message;
+        this.stream = process.stderr;
+    }
+    start() {
+        if (!this.stream.isTTY)
+            return;
+        this.active = true;
+        this.render();
+        this.timer = setInterval(() => this.render(), SPINNER_INTERVAL);
+    }
+    update(message) {
+        this.message = message;
+    }
+    pause() {
+        if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = null;
+        }
+        if (this.active) {
+            this.clearLine();
+        }
+    }
+    resume() {
+        if (!this.active || !this.stream.isTTY)
+            return;
+        if (this.timer)
+            return;
+        this.render();
+        this.timer = setInterval(() => this.render(), SPINNER_INTERVAL);
+    }
+    stop(finalMessage) {
+        if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = null;
+        }
+        if (this.active) {
+            this.clearLine();
+            if (finalMessage) {
+                this.stream.write(`${finalMessage}\n`);
+            }
+        }
+        this.active = false;
+    }
+    render() {
+        const symbol = SPINNER_FRAMES[this.frame % SPINNER_FRAMES.length];
+        this.frame += 1;
+        this.clearLine();
+        this.stream.write(`${symbol} ${this.message}`);
+    }
+    clearLine() {
+        this.stream.write("\r\x1b[K");
+    }
+}
+/**
+ * Format duration in human-readable form.
+ */
+export function formatDuration(ms) {
+    if (ms < 1000)
+        return `${Math.round(ms)}ms`;
+    const seconds = ms / 1000;
+    if (seconds < 60)
+        return `${seconds.toFixed(1)}s`;
+    const minutes = Math.floor(seconds / 60);
+    const remainingSeconds = Math.round(seconds % 60);
+    return `${minutes}m ${remainingSeconds}s`;
+}
+/**
+ * Format a count with plural suffix.
+ */
+export function pluralize(count, singular, plural) {
+    return count === 1 ? `${count} ${singular}` : `${count} ${plural ?? singular + "s"}`;
+}
+/**
+ * Dim text using ANSI escape codes (stderr only).
+ */
+function dim(text) {
+    return `\x1b[2m${text}\x1b[0m`;
+}
+/**
+ * Bold text using ANSI escape codes.
+ */
+export function bold(text) {
+    return `\x1b[1m${text}\x1b[0m`;
+}
+/**
+ * Colored severity label.
+ */
+export function severityColor(severity) {
+    switch (severity) {
+        case "critical":
+            return `\x1b[31m${severity.toUpperCase()}\x1b[0m`; // red
+        case "high":
+            return `\x1b[33m${severity.toUpperCase()}\x1b[0m`; // yellow
+        case "medium":
+            return `\x1b[36m${severity.toUpperCase()}\x1b[0m`; // cyan
+        case "low":
+            return `\x1b[34m${severity.toUpperCase()}\x1b[0m`; // blue
+        default:
+            return severity.toUpperCase();
+    }
+}

package/dist/proxy.js

@@ -0,0 +1,93 @@
+import http from "node:http";
+import { URL, pathToFileURL } from "node:url";
+const DEFAULT_PORT = 8787;
+const DEFAULT_OPENAI_BASE = "https://api.openai.com";
+export async function startProxyServer(options = {}) {
+    const port = options.port ?? Number(process.env.OPENSECURITY_PROXY_PORT ?? DEFAULT_PORT);
+    const openaiBase = process.env.OPENSECURITY_OPENAI_BASE ?? DEFAULT_OPENAI_BASE;
+    const proxyApiKey = process.env.OPENSECURITY_PROXY_API_KEY;
+    if (!proxyApiKey || !proxyApiKey.trim()) {
+        throw new Error("OPENSECURITY_PROXY_API_KEY is required to run the OAuth backend.");
+    }
+    const server = http.createServer(async (req, res) => {
+        try {
+            if (req.method !== "POST") {
+                res.writeHead(405);
+                res.end("Method Not Allowed");
+                return;
+            }
+            const url = new URL(req.url ?? "/", `http://localhost:${port}`);
+            if (url.pathname !== "/v1/responses" && url.pathname !== "/v1/chat/completions") {
+                res.writeHead(404);
+                res.end("Not Found");
+                return;
+            }
+            const auth = req.headers.authorization ?? "";
+            if (!auth.startsWith("Bearer ")) {
+                res.writeHead(401);
+                res.end("Missing Authorization Bearer token.");
+                return;
+            }
+            const bearerToken = auth.slice("Bearer ".length).trim();
+            const apiKey = resolveApiKey(bearerToken, proxyApiKey);
+            if (!bearerToken.startsWith("sk-")) {
+                await validateOauthToken(bearerToken);
+            }
+            const body = await readRequestBody(req);
+            const upstreamUrl = `${openaiBase}${url.pathname}${url.search}`;
+            const upstreamRes = await fetch(upstreamUrl, {
+                method: "POST",
+                headers: {
+                    "Content-Type": req.headers["content-type"] ?? "application/json",
+                    Authorization: `Bearer ${apiKey}`
+                },
+                body: body.length ? new Uint8Array(body) : undefined
+            });
+            const responseBody = await upstreamRes.arrayBuffer();
+            res.writeHead(upstreamRes.status, {
+                "Content-Type": upstreamRes.headers.get("content-type") ?? "application/json"
+            });
+            res.end(Buffer.from(responseBody));
+        }
+        catch (err) {
+            res.writeHead(500);
+            res.end(err?.message ?? "Proxy error.");
+        }
+    });
+    await new Promise((resolve) => server.listen(port, resolve));
+    console.log(`OpenSecurity OAuth proxy listening on http://localhost:${port}`);
+    console.log("Forwarding OpenAI API requests for Codex OAuth tokens.");
+}
+function resolveApiKey(token, proxyApiKey) {
+    if (proxyApiKey && proxyApiKey.trim()) {
+        return proxyApiKey.trim();
+    }
+    if (!token.startsWith("sk-")) {
+        throw new Error("Proxy requires OPENSECURITY_PROXY_API_KEY to call OpenAI with OAuth tokens.");
+    }
+    return token;
+}
+async function validateOauthToken(token) {
+    const res = await fetch("https://auth.openai.com/userinfo", {
+        headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        throw new Error(`OAuth token validation failed: ${res.status} ${text}`);
+    }
+}
+function readRequestBody(req) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        req.on("data", (chunk) => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
+        req.on("end", () => resolve(Buffer.concat(chunks)));
+        req.on("error", reject);
+    });
+}
+const isEntryPoint = process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href;
+if (isEntryPoint) {
+    startProxyServer().catch((err) => {
+        console.error(err?.message ?? err);
+        process.exit(1);
+    });
+}

package/dist/rules/defaultRules.js

@@ -0,0 +1,177 @@
+export const DEFAULT_RULES = [
+    {
+        id: "js-eval-injection",
+        name: "Eval Injection",
+        description: "Untrusted data reaches eval or Function",
+        severity: "high",
+        owasp: "A03:2021 Injection",
+        sources: [
+            { id: "src-getUserInput", name: "getUserInput", matcher: { callee: "getUserInput" } },
+            { id: "src-req-param", name: "req.param", matcher: { callee: "req.param" } },
+            { id: "src-prompt", name: "prompt", matcher: { callee: "prompt" } },
+            { id: "src-readline", name: "readline.question", matcher: { callee: "readline.question" } }
+        ],
+        sinks: [
+            { id: "sink-eval", name: "eval", matcher: { callee: "eval" } },
+            { id: "sink-function", name: "Function", matcher: { callee: "Function" } }
+        ],
+        sanitizers: [
+            { id: "san-sanitize", name: "sanitize", matcher: { callee: "sanitize" } },
+            { id: "san-escape", name: "escape", matcher: { callee: "escape" } },
+            { id: "san-validator-escape", name: "validator.escape", matcher: { callee: "validator.escape" } }
+        ]
+    },
+    {
+        id: "js-command-injection",
+        name: "Command Injection",
+        description: "Untrusted data reaches child_process execution",
+        severity: "critical",
+        owasp: "A03:2021 Injection",
+        sources: [
+            { id: "src-getUserInput", name: "getUserInput", matcher: { callee: "getUserInput" } },
+            { id: "src-req-param", name: "req.param", matcher: { callee: "req.param" } },
+            { id: "src-prompt", name: "prompt", matcher: { callee: "prompt" } }
+        ],
+        sinks: [
+            { id: "sink-exec", name: "child_process.exec", matcher: { callee: "child_process.exec" } },
+            { id: "sink-execsync", name: "child_process.execSync", matcher: { callee: "child_process.execSync" } },
+            { id: "sink-spawn", name: "child_process.spawn", matcher: { callee: "child_process.spawn" } },
+            { id: "sink-spawnsync", name: "child_process.spawnSync", matcher: { callee: "child_process.spawnSync" } },
+            { id: "sink-execfile", name: "child_process.execFile", matcher: { callee: "child_process.execFile" } },
+            { id: "sink-execfilesync", name: "child_process.execFileSync", matcher: { callee: "child_process.execFileSync" } }
+        ],
+        sanitizers: [
+            { id: "san-shellescape", name: "shellescape", matcher: { callee: "shellescape" } },
+            { id: "san-escapeshellarg", name: "escapeShellArg", matcher: { callee: "escapeShellArg" } }
+        ]
+    },
+    {
+        id: "js-ssrf",
+        name: "Server-Side Request Forgery",
+        description: "Untrusted data reaches network request",
+        severity: "high",
+        owasp: "A10:2021 Server-Side Request Forgery",
+        sources: [
+            { id: "src-getUserInput", name: "getUserInput", matcher: { callee: "getUserInput" } },
+            { id: "src-req-param", name: "req.param", matcher: { callee: "req.param" } },
+            { id: "src-prompt", name: "prompt", matcher: { callee: "prompt" } }
+        ],
+        sinks: [
+            { id: "sink-fetch", name: "fetch", matcher: { callee: "fetch" } },
+            { id: "sink-axios", name: "axios", matcher: { callee: "axios" } },
+            { id: "sink-axios-get", name: "axios.get", matcher: { callee: "axios.get" } },
+            { id: "sink-axios-post", name: "axios.post", matcher: { callee: "axios.post" } },
+            { id: "sink-axios-request", name: "axios.request", matcher: { callee: "axios.request" } },
+            { id: "sink-got", name: "got", matcher: { callee: "got" } },
+            { id: "sink-got-get", name: "got.get", matcher: { callee: "got.get" } },
+            { id: "sink-got-post", name: "got.post", matcher: { callee: "got.post" } },
+            { id: "sink-undici-request", name: "undici.request", matcher: { callee: "undici.request" } },
+            { id: "sink-undici-fetch", name: "undici.fetch", matcher: { callee: "undici.fetch" } },
+            { id: "sink-http-get", name: "http.get", matcher: { callee: "http.get" } },
+            { id: "sink-https-get", name: "https.get", matcher: { callee: "https.get" } },
+            { id: "sink-request", name: "request", matcher: { callee: "request" } },
+            { id: "sink-request-get", name: "request.get", matcher: { callee: "request.get" } },
+            { id: "sink-request-post", name: "request.post", matcher: { callee: "request.post" } },
+            { id: "sink-superagent-get", name: "superagent.get", matcher: { callee: "superagent.get" } },
+            { id: "sink-superagent-post", name: "superagent.post", matcher: { callee: "superagent.post" } }
+        ],
+        sanitizers: [
+            { id: "san-sanitizeurl", name: "sanitizeUrl", matcher: { callee: "sanitizeUrl" } },
+            { id: "san-validateurl", name: "validateUrl", matcher: { callee: "validateUrl" } },
+            { id: "san-encodeuri", name: "encodeURI", matcher: { callee: "encodeURI" } },
+            { id: "san-encodeuricomp", name: "encodeURIComponent", matcher: { callee: "encodeURIComponent" } }
+        ]
+    },
+    {
+        id: "js-path-traversal",
+        name: "Path Traversal",
+        description: "Untrusted data reaches filesystem APIs",
+        severity: "high",
+        owasp: "A01:2021 Broken Access Control",
+        sources: [
+            { id: "src-getUserInput", name: "getUserInput", matcher: { callee: "getUserInput" } },
+            { id: "src-req-param", name: "req.param", matcher: { callee: "req.param" } },
+            { id: "src-prompt", name: "prompt", matcher: { callee: "prompt" } },
+            { id: "src-readline", name: "readline.question", matcher: { callee: "readline.question" } }
+        ],
+        sinks: [
+            { id: "sink-readfile", name: "fs.readFile", matcher: { callee: "fs.readFile" } },
+            { id: "sink-readfilesync", name: "fs.readFileSync", matcher: { callee: "fs.readFileSync" } },
+            { id: "sink-writefile", name: "fs.writeFile", matcher: { callee: "fs.writeFile" } },
+            { id: "sink-writefilesync", name: "fs.writeFileSync", matcher: { callee: "fs.writeFileSync" } },
+            { id: "sink-appendfile", name: "fs.appendFile", matcher: { callee: "fs.appendFile" } },
+            { id: "sink-appendfilesync", name: "fs.appendFileSync", matcher: { callee: "fs.appendFileSync" } },
+            { id: "sink-createreadstream", name: "fs.createReadStream", matcher: { callee: "fs.createReadStream" } },
+            { id: "sink-createwritestream", name: "fs.createWriteStream", matcher: { callee: "fs.createWriteStream" } },
+            { id: "sink-readdir", name: "fs.readdir", matcher: { callee: "fs.readdir" } },
+            { id: "sink-readdirsync", name: "fs.readdirSync", matcher: { callee: "fs.readdirSync" } },
+            { id: "sink-stat", name: "fs.stat", matcher: { callee: "fs.stat" } },
+            { id: "sink-statsync", name: "fs.statSync", matcher: { callee: "fs.statSync" } },
+            { id: "sink-lstat", name: "fs.lstat", matcher: { callee: "fs.lstat" } },
+            { id: "sink-lstatsync", name: "fs.lstatSync", matcher: { callee: "fs.lstatSync" } },
+            { id: "sink-rm", name: "fs.rm", matcher: { callee: "fs.rm" } },
+            { id: "sink-rmsync", name: "fs.rmSync", matcher: { callee: "fs.rmSync" } },
+            { id: "sink-unlink", name: "fs.unlink", matcher: { callee: "fs.unlink" } },
+            { id: "sink-unlinksync", name: "fs.unlinkSync", matcher: { callee: "fs.unlinkSync" } },
+            { id: "sink-rmdir", name: "fs.rmdir", matcher: { callee: "fs.rmdir" } },
+            { id: "sink-rmdirsync", name: "fs.rmdirSync", matcher: { callee: "fs.rmdirSync" } }
+        ],
+        sanitizers: [
+            { id: "san-path-normalize", name: "path.normalize", matcher: { callee: "path.normalize" } },
+            { id: "san-path-resolve", name: "path.resolve", matcher: { callee: "path.resolve" } },
+            { id: "san-path-join", name: "path.join", matcher: { callee: "path.join" } }
+        ]
+    },
+    {
+        id: "js-sqli",
+        name: "SQL Injection",
+        description: "Untrusted data reaches database query execution",
+        severity: "critical",
+        owasp: "A03:2021 Injection",
+        sources: [
+            { id: "src-getUserInput", name: "getUserInput", matcher: { callee: "getUserInput" } },
+            { id: "src-req-param", name: "req.param", matcher: { callee: "req.param" } },
+            { id: "src-prompt", name: "prompt", matcher: { callee: "prompt" } }
+        ],
+        sinks: [
+            { id: "sink-mysql-query", name: "mysql.query", matcher: { callee: "mysql.query" } },
+            { id: "sink-mysql2-query", name: "mysql2.query", matcher: { callee: "mysql2.query" } },
+            { id: "sink-pg-query", name: "pg.query", matcher: { callee: "pg.query" } },
+            { id: "sink-client-query", name: "client.query", matcher: { callee: "client.query" } },
+            { id: "sink-pool-query", name: "pool.query", matcher: { callee: "pool.query" } },
+            { id: "sink-connection-query", name: "connection.query", matcher: { callee: "connection.query" } },
+            { id: "sink-db-query", name: "db.query", matcher: { callee: "db.query" } },
+            { id: "sink-sequelize-query", name: "sequelize.query", matcher: { callee: "sequelize.query" } },
+            { id: "sink-knex-raw", name: "knex.raw", matcher: { callee: "knex.raw" } }
+        ],
+        sanitizers: [
+            { id: "san-sql-escape", name: "escape", matcher: { callee: "escape" } },
+            { id: "san-sql-escapeid", name: "escapeId", matcher: { callee: "escapeId" } },
+            { id: "san-sql-parameterize", name: "parameterize", matcher: { callee: "parameterize" } }
+        ]
+    },
+    {
+        id: "js-xss-template",
+        name: "XSS (Server Templates)",
+        description: "Untrusted data reaches server response rendering",
+        severity: "high",
+        owasp: "A03:2021 Injection",
+        sources: [
+            { id: "src-getUserInput", name: "getUserInput", matcher: { callee: "getUserInput" } },
+            { id: "src-req-param", name: "req.param", matcher: { callee: "req.param" } },
+            { id: "src-prompt", name: "prompt", matcher: { callee: "prompt" } }
+        ],
+        sinks: [
+            { id: "sink-res-send", name: "res.send", matcher: { callee: "res.send" } },
+            { id: "sink-res-write", name: "res.write", matcher: { callee: "res.write" } },
+            { id: "sink-res-end", name: "res.end", matcher: { callee: "res.end" } },
+            { id: "sink-res-render", name: "res.render", matcher: { callee: "res.render" } },
+            { id: "sink-reply-send", name: "reply.send", matcher: { callee: "reply.send" } }
+        ],
+        sanitizers: [
+            { id: "san-escape", name: "escape", matcher: { callee: "escape" } },
+            { id: "san-encodeuri", name: "encodeURI", matcher: { callee: "encodeURI" } },
+            { id: "san-encodeuricomp", name: "encodeURIComponent", matcher: { callee: "encodeURIComponent" } }
+        ]
+    }
+];

package/dist/rules/loadRules.js

@@ -0,0 +1,14 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { DEFAULT_RULES } from "./defaultRules.js";
+export async function loadRules(rulesPath, cwd) {
+    if (!rulesPath)
+        return DEFAULT_RULES;
+    const resolved = path.isAbsolute(rulesPath) ? rulesPath : path.join(cwd, rulesPath);
+    const raw = await fs.readFile(resolved, "utf8");
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed)) {
+        throw new Error("Rules file must be a JSON array");
+    }
+    return parsed;
+}