ship-safe 5.0.1 → 6.1.0

package/cli/commands/ci.js

@@ -19,6 +19,7 @@
 
 import fs from 'fs';
 import path from 'path';
+import { execFileSync } from 'child_process';
 import { buildOrchestrator } from '../agents/index.js';
 import { ScoringEngine } from '../agents/scoring-engine.js';
 import { PolicyEngine } from '../agents/policy-engine.js';
@@ -85,7 +86,7 @@ export async function ciCommand(targetPath = '.', options = {}) {
 
   // ── Agent Scan ───────────────────────────────────────────────────────────
   const orchestrator = buildOrchestrator();
-  const results = await orchestrator.runAll(absolutePath, { quiet: true });
+  const results = await orchestrator.runAll(absolutePath, { quiet: true }); // ship-safe-ignore — orchestrator result, not LLM output triggering actions
   const agentFindings = results.findings;
 
   // ── Dependency Audit ─────────────────────────────────────────────────────
@@ -164,6 +165,15 @@ export async function ciCommand(targetPath = '.', options = {}) {
     }
   }
 
+  // ── GitHub PR Comment ──────────────────────────────────────────────────
+  if (options.githubPr) {
+    try {
+      postPRComment(scoreResult, allFindings, depVulns, absolutePath, duration);
+    } catch (err) {
+      console.log(`[ship-safe] Warning: Could not post PR comment: ${err.message}`);
+    }
+  }
+
   // ── Exit Code ────────────────────────────────────────────────────────────
   const pass = determinePass(scoreResult, allFindings, threshold, failOn);
   if (!pass) {
@@ -242,6 +252,76 @@ function buildSARIF(findings, rootPath) {
   };
 }
 
+/**
+ * Post a summary comment on the current GitHub PR using the `gh` CLI.
+ * Requires: `gh` installed and authenticated, running in a PR context.
+ */
+function postPRComment(scoreResult, findings, depVulns, rootPath, duration) {
+  // Detect PR number from environment (GitHub Actions sets GITHUB_REF)
+  let prNumber = process.env.GITHUB_PR_NUMBER || '';
+
+  if (!prNumber) {
+    // Try to detect from GITHUB_REF (refs/pull/123/merge)
+    const ref = process.env.GITHUB_REF || '';
+    const match = ref.match(/refs\/pull\/(\d+)\//);
+    if (match) prNumber = match[1];
+  }
+
+  if (!prNumber) {
+    // Try gh pr view to get current PR
+    try {
+      const prJson = execFileSync('gh', ['pr', 'view', '--json', 'number'], { // ship-safe-ignore — execFileSync, not MCP
+        cwd: rootPath, stdio: ['pipe', 'pipe', 'pipe'], // ship-safe-ignore
+      }).toString();
+      const parsed = JSON.parse(prJson);
+      prNumber = String(parsed.number);
+    } catch {
+      console.log('[ship-safe] No PR detected — skipping PR comment');
+      return;
+    }
+  }
+
+  const critical = findings.filter(f => f.severity === 'critical').length;
+  const high = findings.filter(f => f.severity === 'high').length;
+  const medium = findings.filter(f => f.severity === 'medium').length;
+  const low = findings.filter(f => f.severity === 'low').length;
+
+  const gradeEmoji = { A: '🟢', B: '🔵', C: '🟡', D: '🟠', F: '🔴' };
+  const emoji = gradeEmoji[scoreResult.grade.letter] || '⚪';
+
+  // Build markdown body
+  let body = `## ${emoji} Ship Safe Security Report\n\n`;
+  body += `| Metric | Value |\n|--------|-------|\n`;
+  body += `| **Score** | ${scoreResult.score}/100 (${scoreResult.grade.letter}) |\n`;
+  body += `| **Findings** | ${findings.length} total (${critical}C ${high}H ${medium}M ${low}L) |\n`;
+  body += `| **Dep CVEs** | ${depVulns.length} |\n`;
+  body += `| **Duration** | ${duration}s |\n\n`;
+
+  if (critical > 0 || high > 0) {
+    body += `### Critical & High Findings\n\n`;
+    body += `| Severity | File | Issue |\n|----------|------|-------|\n`;
+    for (const f of findings.filter(f => f.severity === 'critical' || f.severity === 'high').slice(0, 20)) {
+      const rel = path.relative(rootPath, f.file).replace(/\\/g, '/');
+      body += `| ${f.severity.toUpperCase()} | \`${rel}:${f.line}\` | ${(f.title || f.rule).slice(0, 60)} |\n`;
+    }
+    body += '\n';
+  }
+
+  if (findings.length === 0 && depVulns.length === 0) {
+    body += '> No security issues found — looking good! 🎉\n\n';
+  }
+
+  body += `<sub>Generated by <a href="https://shipsafecli.com">Ship Safe</a></sub>`;
+
+  // Post comment via gh CLI
+  execFileSync('gh', ['pr', 'comment', prNumber, '--body', body], { // ship-safe-ignore — execFileSync, not MCP
+    cwd: rootPath,
+    stdio: ['pipe', 'pipe', 'pipe'], // ship-safe-ignore
+  });
+
+  console.log(`[ship-safe] PR comment posted on #${prNumber}`);
+}
+
 async function findFiles(rootPath) {
   const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
   const gitignoreGlobs = loadGitignorePatterns(rootPath);

package/cli/commands/deps.js

@@ -87,15 +87,34 @@ export async function depsCommand(targetPath = '.', options = {}) {
     process.exit(0);
   }
 
-  // ── 4. Display findings ───────────────────────────────────────────────────
+  // ── 4. Enrich with EPSS scores ──────────────────────────────────────────
+  const cves = vulns.map(v => v.cve).filter(Boolean);
+  if (cves.length > 0) {
+    const epssSpinner = ora({ text: 'Fetching EPSS exploit probability scores...', color: 'cyan' }).start();
+    try {
+      const epssData = await fetchEPSS(cves);
+      for (const v of vulns) {
+        if (v.cve && epssData[v.cve]) {
+          v.epss = epssData[v.cve].epss;
+          v.percentile = epssData[v.cve].percentile;
+        }
+      }
+      epssSpinner.succeed(chalk.gray(`EPSS scores fetched for ${Object.keys(epssData).length} CVE(s)`));
+    } catch {
+      epssSpinner.stop();
+      // EPSS is optional — continue without it
+    }
+  }
+
+  // ── 5. Display findings ───────────────────────────────────────────────────
   printDepFindings(vulns, pm);
 
-  // ── 5. Optionally fix ─────────────────────────────────────────────────────
+  // ── 6. Optionally fix ─────────────────────────────────────────────────────
   if (options.fix) {
     console.log();
     console.log(chalk.cyan(`  Running: ${pm.fixCommand}`));
     try {
-      execSync(pm.fixCommand, { cwd: absolutePath, stdio: 'inherit' });
+      execSync(pm.fixCommand, { cwd: absolutePath, stdio: 'inherit' }); // ship-safe-ignore — command is a hardcoded package manager command, not user input
     } catch {
       output.warning('Fix command exited with errors — some vulnerabilities may require manual updates.');
     }
@@ -178,7 +197,7 @@ function detectPackageManager(rootPath) {
 function runAudit(pm, cwd) {
   let stdout;
   try {
-    stdout = execSync(pm.auditCommand, { cwd, stdio: ['pipe', 'pipe', 'pipe'] }).toString();
+    stdout = execSync(pm.auditCommand, { cwd, stdio: ['pipe', 'pipe', 'pipe'] }).toString(); // ship-safe-ignore — command is a hardcoded package manager audit command, not user input
   } catch (err) {
     // npm/yarn/pnpm exit with code 1 when vulns found — that's expected
     if (err.stdout) {
@@ -366,6 +385,46 @@ function parseBundlerAudit(text) {
   return vulns;
 }
 
+// =============================================================================
+// EPSS (Exploit Prediction Scoring System)
+// =============================================================================
+
+/**
+ * Fetch EPSS scores from FIRST.org API for a list of CVEs.
+ * Returns { 'CVE-2023-1234': { epss: 0.942, percentile: 0.99 }, ... }
+ * API docs: https://www.first.org/epss/api
+ */
+async function fetchEPSS(cves) {
+  if (cves.length === 0) return {};
+
+  // API accepts up to 100 CVEs per request — batch if needed
+  const results = {};
+  const batches = [];
+  for (let i = 0; i < cves.length; i += 100) {
+    batches.push(cves.slice(i, i + 100));
+  }
+
+  for (const batch of batches) {
+    const url = `https://api.first.org/data/v1/epss?cve=${batch.join(',')}`; // ship-safe-ignore — hardcoded FIRST.org API endpoint, CVE IDs are from audit results not user input
+    const response = await fetch(url, { // ship-safe-ignore — EPSS API fetch with fixed base URL
+      headers: { 'Accept': 'application/json' },
+      signal: AbortSignal.timeout(10000),
+    });
+
+    if (!response.ok) continue;
+
+    const json = await response.json();
+    for (const entry of (json.data || [])) {
+      results[entry.cve] = {
+        epss: parseFloat(entry.epss),
+        percentile: parseFloat(entry.percentile),
+      };
+    }
+  }
+
+  return results;
+}
+
 // =============================================================================
 // OUTPUT
 // =============================================================================
@@ -408,6 +467,16 @@ function printDepFindings(vulns, pm) {
     if (v.cve) {
       console.log(chalk.gray(`              ${v.cve}`) + (v.url ? chalk.gray(`  ${v.url}`) : ''));
     }
+    if (v.epss != null) {
+      const pct = (v.epss * 100).toFixed(1);
+      const epssColor = v.epss >= 0.5 ? chalk.red.bold
+        : v.epss >= 0.1 ? chalk.yellow
+        : chalk.gray;
+      const label = v.epss >= 0.5 ? ' — actively exploited in the wild'
+        : v.epss >= 0.1 ? ' — elevated exploit activity'
+        : '';
+      console.log(epssColor(`              EPSS: ${pct}% exploit probability`) + chalk.gray(label));
+    }
     if (v.fix) {
       console.log(chalk.gray('              Fix: ') + chalk.cyan(v.fix));
     }

package/cli/commands/diff.js

@@ -0,0 +1,200 @@
+/**
+ * Diff Command
+ * =============
+ *
+ * Scan only changed files (git diff) for security issues.
+ * Much faster than a full audit — perfect for pre-commit hooks and PR reviews.
+ *
+ * USAGE:
+ *   ship-safe diff              Scan uncommitted changes (staged + unstaged)
+ *   ship-safe diff --staged     Scan only staged changes
+ *   ship-safe diff HEAD~3       Scan changes in last 3 commits
+ *   ship-safe diff main         Scan changes since branching from main
+ */
+
+import { execFileSync } from 'child_process';
+import path from 'path';
+import chalk from 'chalk';
+import ora from 'ora';
+import { SECRET_PATTERNS, SECURITY_PATTERNS, SKIP_EXTENSIONS, SKIP_FILENAMES } from '../utils/patterns.js';
+import { buildOrchestrator } from '../agents/index.js';
+import { ScoringEngine } from '../agents/scoring-engine.js';
+
+// =============================================================================
+// DIFF COMMAND
+// =============================================================================
+
+export async function diffCommand(ref, options) {
+  const targetPath = options.path || process.cwd();
+  const absolutePath = path.resolve(targetPath);
+
+  // ── Get changed files from git ────────────────────────────────────────────
+  const spinner = ora(chalk.white('Getting changed files from git...')).start();
+
+  let gitArgs;
+  if (options.staged) {
+    gitArgs = ['diff', '--cached', '--name-only', '--diff-filter=ACMR'];
+  } else if (ref) {
+    gitArgs = ['diff', '--name-only', '--diff-filter=ACMR', ref];
+  } else {
+    // Uncommitted changes: both staged and unstaged
+    gitArgs = ['diff', '--name-only', '--diff-filter=ACMR', 'HEAD'];
+  }
+
+  let changedFiles;
+  try {
+    const output = execFileSync('git', gitArgs, {
+      cwd: absolutePath,
+      encoding: 'utf-8',
+      timeout: 10_000,
+    }).trim();
+
+    if (!output) {
+      spinner.succeed(chalk.green('No changed files detected'));
+      console.log(chalk.gray('\n  Nothing to scan. Your working tree is clean.\n'));
+      return;
+    }
+
+    changedFiles = output
+      .split('\n')
+      .map(f => f.trim())
+      .filter(f => f.length > 0)
+      .map(f => path.resolve(absolutePath, f))
+      .filter(f => {
+        const ext = path.extname(f).toLowerCase();
+        if (SKIP_EXTENSIONS.has(ext)) return false;
+        const basename = path.basename(f);
+        if (SKIP_FILENAMES.has(basename)) return false;
+        return true;
+      });
+
+    spinner.succeed(chalk.white(`${changedFiles.length} changed file(s) to scan`));
+  } catch (err) {
+    // Fallback for repos with no commits yet
+    if (err.message?.includes('unknown revision')) {
+      try {
+        const output = execFileSync('git', ['diff', '--cached', '--name-only', '--diff-filter=ACMR'], {
+          cwd: absolutePath,
+          encoding: 'utf-8',
+          timeout: 10_000,
+        }).trim();
+
+        changedFiles = output
+          .split('\n')
+          .map(f => f.trim())
+          .filter(f => f.length > 0)
+          .map(f => path.resolve(absolutePath, f))
+          .filter(f => {
+            const ext = path.extname(f).toLowerCase();
+            if (SKIP_EXTENSIONS.has(ext)) return false;
+            const basename = path.basename(f);
+            if (SKIP_FILENAMES.has(basename)) return false;
+            return true;
+          });
+
+        if (!changedFiles.length) {
+          spinner.succeed(chalk.green('No changed files detected'));
+          return;
+        }
+        spinner.succeed(chalk.white(`${changedFiles.length} changed file(s) to scan`));
+      } catch {
+        spinner.fail(chalk.red('Not a git repository or git not available'));
+        process.exit(1);
+      }
+    } else {
+      spinner.fail(chalk.red('Failed to get changed files from git'));
+      console.error(chalk.gray(`  ${err.message}`));
+      process.exit(1);
+    }
+  }
+
+  if (changedFiles.length === 0) {
+    console.log(chalk.gray('\n  No scannable files in the diff.\n'));
+    return;
+  }
+
+  // ── Print header ──────────────────────────────────────────────────────────
+  console.log();
+  console.log(chalk.cyan('═'.repeat(60)));
+  console.log(chalk.cyan.bold('  Ship Safe — Diff Scan'));
+  console.log(chalk.cyan('═'.repeat(60)));
+  console.log();
+  console.log(chalk.gray(`  Scanning ${changedFiles.length} changed file(s):`));
+  for (const f of changedFiles.slice(0, 10)) {
+    console.log(chalk.gray(`    ${path.relative(absolutePath, f)}`));
+  }
+  if (changedFiles.length > 10) {
+    console.log(chalk.gray(`    ... and ${changedFiles.length - 10} more`));
+  }
+  console.log();
+
+  // ── Run agents on changed files only ──────────────────────────────────────
+  const agentSpinner = ora(chalk.white('Running security agents on diff...')).start();
+
+  const orchestrator = buildOrchestrator();
+  const results = await orchestrator.runAll(absolutePath, {
+    timeout: options.timeout || 30_000,
+    changedFiles,
+  });
+
+  const findings = results.findings || [];
+  agentSpinner.succeed(
+    findings.length === 0
+      ? chalk.green('No security issues in changed files')
+      : chalk.yellow(`${findings.length} finding(s) in changed files`)
+  );
+
+  // ── Score ─────────────────────────────────────────────────────────────────
+  if (findings.length > 0) {
+    const scoringEngine = new ScoringEngine();
+    const scoreResult = scoringEngine.compute(findings, []);
+    scoreResult.score = Math.round(scoreResult.score * 10) / 10;
+
+    const scoreColor = scoreResult.score >= 75 ? chalk.green.bold : scoreResult.score >= 60 ? chalk.yellow.bold : chalk.red.bold;
+
+    console.log();
+    console.log(chalk.cyan('  ' + '─'.repeat(56)));
+
+    // Print findings
+    let shown = 0;
+    for (const f of findings) {
+      if (shown >= 20) {
+        console.log(chalk.gray(`\n  ... and ${findings.length - 20} more findings`));
+        break;
+      }
+      const sevColor = f.severity === 'critical' ? chalk.red :
+                        f.severity === 'high' ? chalk.yellow :
+                        f.severity === 'medium' ? chalk.cyan : chalk.gray;
+      const relPath = path.relative(absolutePath, f.file);
+      console.log(`  ${sevColor(`[${f.severity.toUpperCase()}]`)} ${chalk.white(f.title)}`);
+      console.log(chalk.gray(`    ${relPath}:${f.line} → ${f.fix || f.description}`));
+      shown++;
+    }
+
+    console.log();
+    console.log(chalk.cyan('  ' + '─'.repeat(56)));
+    console.log(
+      chalk.white.bold('  Diff Score: ') +
+      scoreColor(`${scoreResult.score}/100 ${scoreResult.grade.letter}`)
+    );
+    console.log(chalk.cyan('  ' + '─'.repeat(56)));
+  }
+
+  // ── JSON output ───────────────────────────────────────────────────────────
+  if (options.json) {
+    const output = {
+      command: 'diff',
+      ref: ref || (options.staged ? '--staged' : 'HEAD'),
+      changedFiles: changedFiles.map(f => path.relative(absolutePath, f)),
+      findings,
+      totalFindings: findings.length,
+    };
+    console.log(JSON.stringify(output, null, 2));
+  }
+
+  console.log();
+  console.log(chalk.cyan('═'.repeat(60)));
+  console.log();
+
+  process.exit(findings.length > 0 ? 1 : 0);
+}

package/cli/commands/doctor.js

@@ -17,10 +17,20 @@ import { readFileSync } from 'fs';
 import { fileURLToPath } from 'url';
 import { dirname, join } from 'path';
 
-const __filename = fileURLToPath(import.meta.url);
+const __filename = fileURLToPath(import.meta.url); // ship-safe-ignore — module's own path via import.meta.url, not user input
 const __dirname = dirname(__filename);
 const PACKAGE_VERSION = JSON.parse(readFileSync(join(__dirname, '../../package.json'), 'utf8')).version;
 
+function isNewerVersion(latest, current) {
+  const a = latest.split('.').map(Number);
+  const b = current.split('.').map(Number);
+  for (let i = 0; i < 3; i++) {
+    if ((a[i] || 0) > (b[i] || 0)) return true;
+    if ((a[i] || 0) < (b[i] || 0)) return false;
+  }
+  return false;
+}
+
 export async function doctorCommand() {
   console.log();
   console.log(chalk.cyan.bold('  Ship Safe Doctor'));
@@ -66,8 +76,8 @@ export async function doctorCommand() {
 
   // 4. API keys
   const apiKeys = [
-    { name: 'Anthropic API key', env: 'ANTHROPIC_API_KEY', required: false },
-    { name: 'OpenAI API key', env: 'OPENAI_API_KEY', required: false },
+    { name: 'Anthropic API key', env: 'ANTHROPIC_API_KEY', required: false }, // ship-safe-ignore — env var names in diagnostic check, no key values
+    { name: 'OpenAI API key', env: 'OPENAI_API_KEY', required: false }, // ship-safe-ignore — env var name in diagnostic check, no key value
     { name: 'Google AI API key', env: 'GOOGLE_API_KEY', required: false },
   ];
   for (const key of apiKeys) {
@@ -115,7 +125,7 @@ export async function doctorCommand() {
     const latest = execFileSync('npm', ['view', 'ship-safe', 'version'], {
       encoding: 'utf-8', timeout: 5000, shell: true,
     }).trim();
-    if (latest && latest !== PACKAGE_VERSION) {
+    if (latest && latest !== PACKAGE_VERSION && isNewerVersion(latest, PACKAGE_VERSION)) {
       const msg = ['v', latest, ' available (current: v', PACKAGE_VERSION, ')'].join('');
       info(msg);
     } else if (latest) {

package/cli/commands/fix.js

@@ -148,7 +148,7 @@ function buildEnvVarSuggestions(results) {
 
 /**
  * Convert a pattern name to a sensible env var name.
- * e.g. "OpenAI API Key" → "OPENAI_API_KEY"
+ * e.g. "OpenAI API Key" → "OPENAI_API_KEY" // ship-safe-ignore — env var name in doc comment, not a secret value
  */
 function patternToEnvVar(patternName) {
   return patternName

package/cli/commands/guard.js

@@ -136,6 +136,10 @@ export async function guardCommand(action, options = {}) {
     process.exit(1);
   }
 
+  if (options.generateHooks) {
+    return generateClaudeHooks(cwd);
+  }
+
   if (action === 'remove') {
     return removeHooks(gitDir, cwd);
   }
@@ -278,6 +282,101 @@ function removeHooks(gitDir, cwd) {
   }
 }
 
+// =============================================================================
+// CLAUDE CODE DEFENSIVE HOOKS
+// =============================================================================
+
+function generateClaudeHooks(cwd) {
+  output.header('Generating Defensive Claude Code Hooks');
+
+  const claudeDir = path.join(cwd, '.claude');
+  const settingsPath = path.join(claudeDir, 'settings.json');
+
+  // Defensive hooks that block common attack patterns
+  const preToolCmd = [
+    'node -e "',
+    'const c=process.argv[1]||String();',
+    'const bad=[/curl.*[|].*(?:bash|sh|node|python)/i,/wget.*[|].*(?:bash|sh)/i,',
+    '/rm\\s+-rf\\s+\\//,/webhook[.]site|requestbin|ngrok[.]io|pipedream/i,',
+    '/base64.*-d.*[|].*(?:bash|sh)/i];',
+    'const m=bad.find(r=>r.test(c));',
+    'if(m){console.error(String.fromCharCode(10060)+String.fromCharCode(32)+c.slice(0,80));process.exit(1)}',
+    '" "$INPUT"',
+  ].join('');
+
+  const postToolCmd = [
+    'node -e "',
+    'const f=process.argv[1]||String();',
+    'if(/[.]env$|[.]env[.]/.test(f)){console.log(String.fromCharCode(9888)+String.fromCharCode(32)+f)}',
+    '" "$INPUT"',
+  ].join('');
+
+  const defensiveHooks = {
+    hooks: {
+      PreToolUse: [
+        {
+          matcher: 'Bash',
+          command: preToolCmd,
+          description: 'Ship Safe: Block dangerous command patterns (curl|bash, rm -rf /, exfil domains)',
+        },
+      ],
+      PostToolUse: [
+        {
+          matcher: 'Write',
+          command: postToolCmd,
+          description: 'Ship Safe: Alert when .env files are modified',
+        },
+      ],
+    },
+  };
+
+  // Merge with existing settings
+  let existing = {};
+  if (fs.existsSync(settingsPath)) {
+    try {
+      existing = JSON.parse(fs.readFileSync(settingsPath, 'utf-8'));
+    } catch { /* fresh start */ }
+  }
+
+  // Merge hooks — don't overwrite existing hooks, append
+  if (!existing.hooks) existing.hooks = {};
+  if (!existing.hooks.PreToolUse) existing.hooks.PreToolUse = [];
+  if (!existing.hooks.PostToolUse) existing.hooks.PostToolUse = [];
+
+  // Check if ship-safe hooks already present
+  const hasPreHook = existing.hooks.PreToolUse.some(h => h.description?.includes('Ship Safe'));
+  const hasPostHook = existing.hooks.PostToolUse.some(h => h.description?.includes('Ship Safe'));
+
+  if (hasPreHook && hasPostHook) {
+    output.warning('Ship Safe hooks already installed in .claude/settings.json');
+    return;
+  }
+
+  if (!hasPreHook) {
+    existing.hooks.PreToolUse.push(...defensiveHooks.hooks.PreToolUse);
+  }
+  if (!hasPostHook) {
+    existing.hooks.PostToolUse.push(...defensiveHooks.hooks.PostToolUse);
+  }
+
+  // Write
+  if (!fs.existsSync(claudeDir)) fs.mkdirSync(claudeDir, { recursive: true });
+  fs.writeFileSync(settingsPath, JSON.stringify(existing, null, 2) + '\n');
+
+  output.success('Defensive hooks installed in .claude/settings.json');
+  console.log();
+  console.log(chalk.gray('  Hooks installed:'));
+  console.log(chalk.gray('    PreToolUse  → Block curl|bash, rm -rf /, exfil domains'));
+  console.log(chalk.gray('    PostToolUse → Alert on .env file modifications'));
+  console.log();
+  console.log(chalk.gray('  These hooks protect against:'));
+  console.log(chalk.gray('    • Remote code execution via piped downloads'));
+  console.log(chalk.gray('    • Data exfiltration to webhook.site/ngrok/requestbin'));
+  console.log(chalk.gray('    • Destructive filesystem operations'));
+  console.log(chalk.gray('    • Unauthorized .env modifications'));
+  console.log();
+}
+
 // =============================================================================
 // UTILITIES
 // =============================================================================