shroud-privacy 2.0.0

package/dist/hooks.js

@@ -0,0 +1,457 @@
+/**
+ * OpenClaw lifecycle hooks for the Shroud privacy plugin.
+ *
+ * Registers 5 hooks:
+ * 1. before_prompt_build  (async) -- obfuscate user prompt via prependContext
+ * 2. before_llm_send     (async) -- obfuscate LLM input messages + return transformResponse for deobfuscation
+ * 3. before_tool_call    (async) -- deobfuscate tool params (+ depth tracking)
+ * 4. tool_result_persist  (SYNC) -- obfuscate tool result message
+ * 5. message_sending     (async) -- deobfuscate outbound message content (fallback)
+ */
+import { createHash, randomBytes } from "node:crypto";
+import { writeFileSync } from "node:fs";
+import { BUILTIN_PATTERNS } from "./detectors/regex.js";
+const STATS_FILE = process.env.SHROUD_STATS_FILE || "/tmp/shroud-stats.json";
+function dumpStatsFile(obfuscator) {
+    try {
+        const stats = obfuscator.getStats();
+        stats.updatedAt = new Date().toISOString();
+        stats.source = "openclaw";
+        stats.pid = process.pid;
+        writeFileSync(STATS_FILE, JSON.stringify(stats, null, 2) + "\n");
+    }
+    catch {
+        // best-effort
+    }
+}
+// ---------------------------------------------------------------------------
+// Hashing utilities (audit proof hashes)
+// ---------------------------------------------------------------------------
+function sha256Hex(text) {
+    return createHash("sha256").update(text).digest("hex");
+}
+function safeHash(text, salt) {
+    return sha256Hex(salt + text);
+}
+function truncateHash(hash, n) {
+    return hash.slice(0, n);
+}
+// ---------------------------------------------------------------------------
+// String walking helper
+// ---------------------------------------------------------------------------
+/**
+ * Deep-walk an unknown message structure and obfuscate/deobfuscate all
+ * string leaves.  OpenClaw message payloads can be a plain string, an
+ * array of content blocks, or a nested object — this handles all three.
+ */
+function walkStrings(value, fn) {
+    if (typeof value === "string")
+        return fn(value);
+    if (Array.isArray(value)) {
+        return value.map((item) => {
+            if (typeof item === "object" && item !== null && "text" in item && typeof item.text === "string") {
+                return { ...item, text: fn(item.text) };
+            }
+            return walkStrings(item, fn);
+        });
+    }
+    if (typeof value === "object" && value !== null) {
+        const out = {};
+        for (const [k, v] of Object.entries(value)) {
+            if (typeof v === "string") {
+                out[k] = fn(v);
+            }
+            else {
+                out[k] = v; // don't recurse arbitrarily into unknown objects
+            }
+        }
+        return out;
+    }
+    return value;
+}
+// ---------------------------------------------------------------------------
+// obfuscateMessages (original, no stats)
+// ---------------------------------------------------------------------------
+function obfuscateMessages(messages, obfuscator) {
+    return messages.map((msg) => {
+        if (!msg || typeof msg !== "object")
+            return msg;
+        if (typeof msg.content === "string") {
+            const result = obfuscator.obfuscate(msg.content);
+            if (result.entities.length === 0)
+                return msg;
+            return { ...msg, content: result.obfuscated };
+        }
+        if (Array.isArray(msg.content)) {
+            const newContent = msg.content.map((block) => {
+                if (block && typeof block === "object" && typeof block.text === "string") {
+                    const result = obfuscator.obfuscate(block.text);
+                    if (result.entities.length === 0)
+                        return block;
+                    return { ...block, text: result.obfuscated };
+                }
+                return block;
+            });
+            return { ...msg, content: newContent };
+        }
+        return msg;
+    });
+}
+// ---------------------------------------------------------------------------
+// obfuscateMessagesWithStats (audit-aware)
+// ---------------------------------------------------------------------------
+function obfuscateMessagesWithStats(messages, obfuscator, config) {
+    const stats = {
+        totalEntities: 0,
+        byCategory: {},
+        byRule: {},
+        messagesTouched: 0,
+        blocksTouched: 0,
+        inputChars: 0,
+        outputChars: 0,
+        fakesSample: [],
+    };
+    const maxFakes = config.auditMaxFakesSample;
+    const obfuscatedMessages = messages.map((msg) => {
+        if (!msg || typeof msg !== "object")
+            return msg;
+        if (typeof msg.content === "string") {
+            const result = obfuscator.obfuscate(msg.content);
+            stats.inputChars += msg.content.length;
+            stats.outputChars += result.obfuscated.length;
+            if (result.entities.length > 0) {
+                stats.messagesTouched++;
+                stats.blocksTouched++;
+                accumulateStats(stats, result, maxFakes);
+            }
+            if (result.entities.length === 0)
+                return msg;
+            return { ...msg, content: result.obfuscated };
+        }
+        if (Array.isArray(msg.content)) {
+            let msgTouched = false;
+            const newContent = msg.content.map((block) => {
+                if (block && typeof block === "object" && typeof block.text === "string") {
+                    const result = obfuscator.obfuscate(block.text);
+                    stats.inputChars += block.text.length;
+                    stats.outputChars += result.obfuscated.length;
+                    if (result.entities.length > 0) {
+                        msgTouched = true;
+                        stats.blocksTouched++;
+                        accumulateStats(stats, result, maxFakes);
+                    }
+                    if (result.entities.length === 0)
+                        return block;
+                    return { ...block, text: result.obfuscated };
+                }
+                return block;
+            });
+            if (msgTouched)
+                stats.messagesTouched++;
+            return { ...msg, content: newContent };
+        }
+        return msg;
+    });
+    return { messages: obfuscatedMessages, stats };
+}
+function accumulateStats(stats, result, maxFakes) {
+    for (const entity of result.entities) {
+        stats.totalEntities++;
+        stats.byCategory[entity.category] = (stats.byCategory[entity.category] || 0) + 1;
+        stats.byRule[entity.detector] = (stats.byRule[entity.detector] || 0) + 1;
+    }
+    // Collect fake values only (never real values)
+    if (maxFakes > 0 && stats.fakesSample.length < maxFakes) {
+        for (const fake of Object.values(result.mappingsUsed)) {
+            if (stats.fakesSample.length >= maxFakes)
+                break;
+            stats.fakesSample.push(fake);
+        }
+    }
+}
+// ---------------------------------------------------------------------------
+// Audit log emitters
+// ---------------------------------------------------------------------------
+function emitAuditLog(logger, config, requestId, stats, totalMessages, concatenatedOriginal, concatenatedObfuscated) {
+    const byCatStr = Object.entries(stats.byCategory)
+        .map(([k, v]) => `${k}:${v}`)
+        .join(",");
+    const byRuleStr = Object.entries(stats.byRule)
+        .map(([k, v]) => `${k}:${v}`)
+        .join(",");
+    const modified = stats.inputChars !== stats.outputChars || stats.totalEntities > 0;
+    const charDelta = stats.outputChars - stats.inputChars;
+    // Always compute proof hashes when proofs enabled
+    let proofHashIn = "";
+    let proofHashOut = "";
+    if (config.auditIncludeProofHashes) {
+        proofHashIn = truncateHash(safeHash(concatenatedOriginal, config.auditHashSalt), config.auditHashTruncate);
+        proofHashOut = truncateHash(safeHash(concatenatedObfuscated, config.auditHashSalt), config.auditHashTruncate);
+    }
+    if (config.auditLogFormat === "json") {
+        const obj = {
+            event: "shroud.audit.before_llm_send",
+            req: requestId,
+            ts: new Date().toISOString(),
+            modified,
+            totalEntities: stats.totalEntities,
+            messagesTouched: stats.messagesTouched,
+            blocksTouched: stats.blocksTouched,
+            inputChars: stats.inputChars,
+            outputChars: stats.outputChars,
+            charDelta,
+            byCategory: stats.byCategory,
+            byRule: stats.byRule,
+        };
+        if (config.auditIncludeProofHashes) {
+            obj.proofIn = proofHashIn;
+            obj.proofOut = proofHashOut;
+        }
+        if (config.auditMaxFakesSample > 0 && stats.fakesSample.length > 0) {
+            obj.fakesSample = stats.fakesSample;
+        }
+        logger?.info(JSON.stringify(obj));
+    }
+    else {
+        const parts = [
+            `[shroud][audit] OBFUSCATE req=${requestId}`,
+            `entities=${stats.totalEntities}`,
+            `touched=${stats.messagesTouched}/${totalMessages}`,
+            `blocks=${stats.blocksTouched}`,
+            `chars=${stats.inputChars}->${stats.outputChars} (delta=${charDelta >= 0 ? "+" : ""}${charDelta})`,
+            `modified=${modified ? "YES" : "NO"}`,
+            `byCat=${byCatStr || "none"}`,
+            `byRule=${byRuleStr || "none"}`,
+        ];
+        if (config.auditIncludeProofHashes) {
+            parts.push(`proof_in=${proofHashIn} proof_out=${proofHashOut}`);
+        }
+        if (config.auditMaxFakesSample > 0 && stats.fakesSample.length > 0) {
+            parts.push(`fakes=[${stats.fakesSample.join("|")}]`);
+        }
+        logger?.info(parts.join(" | "));
+    }
+}
+function emitDeobfuscationAuditLog(logger, config, requestId, replacementCount) {
+    if (config.auditLogFormat === "json") {
+        logger?.info(JSON.stringify({
+            event: "shroud.audit.deobfuscation",
+            req: requestId,
+            ts: new Date().toISOString(),
+            modified: replacementCount > 0,
+            deobfuscations: replacementCount,
+        }));
+    }
+    else {
+        logger?.info(`[shroud][audit] DEOBFUSCATE req=${requestId} | replacements=${replacementCount} | modified=${replacementCount > 0 ? "YES" : "NO"}`);
+    }
+}
+// ---------------------------------------------------------------------------
+// Hook registration
+// ---------------------------------------------------------------------------
+export function registerHooks(api, obfuscator) {
+    const config = obfuscator.config;
+    const auditActive = config.auditEnabled || config.verboseLogging;
+    // -----------------------------------------------------------------------
+    // 1. before_prompt_build (async): obfuscate user prompt
+    // -----------------------------------------------------------------------
+    api.on("before_prompt_build", async (event) => {
+        const prompt = event?.prompt;
+        if (typeof prompt !== "string" || !prompt)
+            return;
+        const result = obfuscator.obfuscate(prompt);
+        if (result.entities.length === 0)
+            return;
+        dumpStatsFile(obfuscator);
+        api.logger?.info(`[shroud] before_prompt_build: obfuscated ${result.entities.length} entities`);
+        return {
+            prependContext: [
+                "--- SHROUD PRIVACY LAYER ---",
+                "The following user message has been privacy-filtered.",
+                "Use ONLY the sanitized version below. Do NOT reference the original values.",
+                "",
+                result.obfuscated,
+                "--- END SHROUD ---",
+            ].join("\n"),
+        };
+    });
+    // -----------------------------------------------------------------------
+    // 2. before_llm_send (async): obfuscate LLM input + provide response deobfuscator
+    // -----------------------------------------------------------------------
+    api.on("before_llm_send", async (event) => {
+        if (!Array.isArray(event?.messages))
+            return;
+        // Reset tool depth at the start of each LLM turn — tool calls from the
+        // previous turn are complete, so the counter should not carry over.
+        if (obfuscator.toolDepth > 0) {
+            obfuscator.resetToolDepth();
+        }
+        const totalMessages = event.messages.length;
+        let obfuscatedMessages;
+        let requestId = "";
+        if (auditActive) {
+            requestId = randomBytes(8).toString("hex");
+            const { messages: msgs, stats } = obfuscateMessagesWithStats(event.messages, obfuscator, config);
+            obfuscatedMessages = msgs;
+            // Build concatenated texts for proof hashes
+            let concatenatedOriginal = "";
+            let concatenatedObfuscated = "";
+            if (config.auditIncludeProofHashes) {
+                for (let i = 0; i < event.messages.length; i++) {
+                    const orig = event.messages[i];
+                    const obf = obfuscatedMessages[i];
+                    if (typeof orig?.content === "string") {
+                        concatenatedOriginal += orig.content;
+                        concatenatedObfuscated += (obf?.content ?? "");
+                    }
+                    else if (Array.isArray(orig?.content)) {
+                        for (let j = 0; j < orig.content.length; j++) {
+                            const origBlock = orig.content[j];
+                            const obfBlock = obf?.content?.[j];
+                            if (typeof origBlock?.text === "string") {
+                                concatenatedOriginal += origBlock.text;
+                                concatenatedObfuscated += (obfBlock?.text ?? "");
+                            }
+                        }
+                    }
+                }
+            }
+            try {
+                emitAuditLog(api.logger, config, requestId, stats, totalMessages, concatenatedOriginal, concatenatedObfuscated);
+            }
+            catch {
+                // Logging is best-effort
+            }
+        }
+        else {
+            obfuscatedMessages = obfuscateMessages(event.messages, obfuscator);
+        }
+        dumpStatsFile(obfuscator);
+        api.logger?.info("[shroud] before_llm_send: obfuscated messages + installed transformResponse");
+        const capturedReqId = requestId;
+        return {
+            messages: obfuscatedMessages,
+            transformResponse: (text) => {
+                if (auditActive) {
+                    try {
+                        const { text: deobfuscated, replacementCount } = obfuscator.deobfuscateWithStats(text);
+                        if (replacementCount > 0) {
+                            try {
+                                emitDeobfuscationAuditLog(api.logger, config, capturedReqId, replacementCount);
+                            }
+                            catch {
+                                // best-effort
+                            }
+                        }
+                        dumpStatsFile(obfuscator);
+                        return deobfuscated;
+                    }
+                    catch {
+                        const result = obfuscator.deobfuscate(text);
+                        dumpStatsFile(obfuscator);
+                        return result;
+                    }
+                }
+                const result = obfuscator.deobfuscate(text);
+                dumpStatsFile(obfuscator);
+                return result;
+            },
+        };
+    });
+    // -----------------------------------------------------------------------
+    // 3. before_tool_call (async): deobfuscate tool params + track depth
+    // -----------------------------------------------------------------------
+    api.on("before_tool_call", async (event) => {
+        if (!event?.params || typeof event.params !== "object")
+            return;
+        // Tool chain depth tracking
+        const depth = obfuscator.enterToolCall();
+        if (depth > config.maxToolDepth) {
+            api.logger?.warn(`[shroud][depth] Tool chain depth ${depth} exceeds max ${config.maxToolDepth} — possible infinite recursion`);
+        }
+        if (depth > 1) {
+            api.logger?.info(`[shroud][depth] Nested tool call at depth ${depth}: ${event.toolName ?? "?"}`);
+        }
+        const serialized = JSON.stringify(event.params);
+        const deobfuscated = obfuscator.deobfuscate(serialized);
+        if (serialized === deobfuscated)
+            return;
+        api.logger?.info(`[shroud] before_tool_call(${event.toolName ?? "?"}): deobfuscated params`);
+        try {
+            return { params: JSON.parse(deobfuscated) };
+        }
+        catch {
+            api.logger?.warn("[shroud] Failed to parse deobfuscated tool params");
+        }
+    });
+    // -----------------------------------------------------------------------
+    // 4. tool_result_persist (SYNC): obfuscate tool result message
+    // -----------------------------------------------------------------------
+    api.on("tool_result_persist", (event) => {
+        if (!event?.message)
+            return;
+        // Exit tool depth
+        obfuscator.exitToolCall();
+        const obfuscated = walkStrings(event.message, (s) => {
+            const result = obfuscator.obfuscate(s);
+            return result.obfuscated;
+        });
+        dumpStatsFile(obfuscator);
+        return { message: obfuscated };
+    });
+    // -----------------------------------------------------------------------
+    // 5. message_sending (async): deobfuscate outbound message content
+    // -----------------------------------------------------------------------
+    api.on("message_sending", async (event) => {
+        if (typeof event?.content !== "string")
+            return;
+        const deobfuscated = obfuscator.deobfuscate(event.content);
+        if (deobfuscated === event.content)
+            return;
+        api.logger?.info("[shroud] message_sending: deobfuscated outbound message");
+        dumpStatsFile(obfuscator);
+        return { content: deobfuscated };
+    });
+    // -----------------------------------------------------------------------
+    // Tool: shroud-stats — rulebase view with hit counters
+    // -----------------------------------------------------------------------
+    api.registerTool({
+        name: "shroud-stats",
+        description: "Show Shroud privacy plugin status: active rules, per-rule hit counts, store size, and config summary.",
+        inputSchema: { type: "object", properties: {}, additionalProperties: false },
+        handler: async () => {
+            const stats = obfuscator.config;
+            const overrides = stats.detectorOverrides;
+            const obStats = obfuscator.getStats();
+            const rules = BUILTIN_PATTERNS.map((p) => {
+                const ov = overrides[p.name];
+                const enabled = ov?.enabled !== false;
+                const confidence = ov?.confidence ?? p.confidence;
+                const hits = obStats.ruleHits[`regex:${p.name}`] ?? 0;
+                return { name: p.name, category: p.category, enabled, confidence, hits };
+            });
+            rules.sort((a, b) => b.hits - a.hits);
+            const maxName = Math.max(...rules.map((r) => r.name.length), 4);
+            const maxCat = Math.max(...rules.map((r) => r.category.length), 8);
+            const header = `${"Rule".padEnd(maxName)}  ${"Category".padEnd(maxCat)}  Status    Conf   Hits`;
+            const sep = "─".repeat(header.length);
+            const rows = rules.map((r) => {
+                const status = r.enabled ? "active" : "DISABLED";
+                const bar = r.hits > 0 ? " " + "█".repeat(Math.min(Math.ceil(Math.log2(r.hits + 1)), 16)) : "";
+                return `${r.name.padEnd(maxName)}  ${r.category.padEnd(maxCat)}  ${status.padEnd(8)}  ${r.confidence.toFixed(2).padStart(4)}  ${String(r.hits).padStart(5)}${bar}`;
+            });
+            const lines = [
+                `Shroud Rule Hits (since gateway start)`,
+                sep,
+                header,
+                sep,
+                ...rows,
+                sep,
+                `Store: ${obStats.storeMappings} active mappings`,
+                `Audit: ${stats.auditEnabled || stats.verboseLogging ? "enabled" : "disabled"}`,
+                `Redaction: ${stats.redactionLevel}`,
+            ];
+            return { content: [{ type: "text", text: lines.join("\n") }] };
+        },
+    });
+}

package/dist/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Shroud -- OpenClaw privacy plugin.
+ *
+ * Automatically obfuscates sensitive data before it reaches the LLM
+ * and deobfuscates responses before they reach the user.
+ */
+declare const _default: {
+    id: string;
+    name: string;
+    register(api: any): void;
+};
+export default _default;

package/dist/index.js

@@ -0,0 +1,58 @@
+/**
+ * Shroud -- OpenClaw privacy plugin.
+ *
+ * Automatically obfuscates sensitive data before it reaches the LLM
+ * and deobfuscates responses before they reach the user.
+ */
+import { resolveConfig } from "./config.js";
+import { Obfuscator } from "./obfuscator.js";
+import { registerHooks } from "./hooks.js";
+export default {
+    id: "shroud-privacy",
+    name: "Shroud",
+    register(api) {
+        const config = resolveConfig(api.pluginConfig);
+        const obfuscator = new Obfuscator(config);
+        registerHooks(api, obfuscator);
+        // Register shroud_status tool
+        api.registerTool({
+            name: "shroud_status",
+            description: "Show Shroud privacy stats: entity counts, session info, audit status",
+            inputSchema: {
+                type: "object",
+                properties: {},
+                additionalProperties: false,
+            },
+            handler: async () => ({
+                content: [
+                    {
+                        type: "text",
+                        text: JSON.stringify(obfuscator.getStats(), null, 2),
+                    },
+                ],
+            }),
+        });
+        // Register shroud_reset tool
+        api.registerTool({
+            name: "shroud_reset",
+            description: "Clear all Shroud mappings and start a fresh privacy session",
+            inputSchema: {
+                type: "object",
+                properties: {},
+                additionalProperties: false,
+            },
+            handler: async () => {
+                obfuscator.reset();
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: "Shroud session reset. All mappings cleared.",
+                        },
+                    ],
+                };
+            },
+        });
+        api.logger?.info("[shroud] Plugin loaded — native TypeScript, no proxy required.");
+    },
+};

package/dist/mapping.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Deterministic mapping engine using HMAC + salt for irreversible obfuscation.
+ *
+ * Uses HMAC-SHA256(secretKey, salt + tenantId + value) to produce a seed, then
+ * indexes into the appropriate generator's fake value pool. The salt adds
+ * randomness so that the same real value produces different fake values across
+ * sessions (unless the same salt is reused), preventing inference attacks.
+ *
+ * When tenantId is set, it's incorporated into the HMAC message, ensuring the
+ * same value produces different fakes for different tenants.
+ */
+import { Category } from "./types.js";
+import type { BaseGenerator } from "./generators/base.js";
+import { SubnetMapper } from "./generators/network.js";
+export declare class MappingEngine {
+    private readonly _secretKey;
+    private readonly _salt;
+    private readonly _tenantId;
+    private readonly _generators;
+    constructor(secretKey: string, salt?: string, subnetMapper?: SubnetMapper, tenantId?: string);
+    /** Return the current salt (for persistence/restore). */
+    get salt(): string;
+    private _registerDefaults;
+    /** Register a custom generator for a category. */
+    registerGenerator(category: Category, generator: BaseGenerator): void;
+    /**
+     * Compute a deterministic seed from a real value using HMAC + salt + tenantId.
+     * Reads first 6 bytes as unsigned int (stays in safe integer range).
+     */
+    computeSeed(value: string): number;
+    /** Map a real value to a fake value, preserving format of original. */
+    mapValue(value: string, category: Category): string;
+}

package/dist/mapping.js

@@ -0,0 +1,72 @@
+/**
+ * Deterministic mapping engine using HMAC + salt for irreversible obfuscation.
+ *
+ * Uses HMAC-SHA256(secretKey, salt + tenantId + value) to produce a seed, then
+ * indexes into the appropriate generator's fake value pool. The salt adds
+ * randomness so that the same real value produces different fake values across
+ * sessions (unless the same salt is reused), preventing inference attacks.
+ *
+ * When tenantId is set, it's incorporated into the HMAC message, ensuring the
+ * same value produces different fakes for different tenants.
+ */
+import { createHmac, randomBytes } from "node:crypto";
+import { NameGenerator } from "./generators/names.js";
+import { NetworkGenerator, SubnetMapper } from "./generators/network.js";
+import { CodeGenerator } from "./generators/codes.js";
+export class MappingEngine {
+    _secretKey;
+    _salt;
+    _tenantId;
+    _generators = new Map();
+    constructor(secretKey, salt, subnetMapper, tenantId) {
+        this._secretKey = Buffer.from(secretKey, "utf-8");
+        this._salt = Buffer.from(salt ?? randomBytes(16).toString("hex"), "utf-8");
+        this._tenantId = tenantId ?? "";
+        this._registerDefaults(subnetMapper);
+    }
+    /** Return the current salt (for persistence/restore). */
+    get salt() {
+        return this._salt.toString("utf-8");
+    }
+    _registerDefaults(subnetMapper) {
+        const generators = [
+            new NameGenerator(),
+            new NetworkGenerator(subnetMapper ?? new SubnetMapper()),
+            new CodeGenerator(),
+        ];
+        for (const gen of generators) {
+            for (const cat of gen.categories) {
+                this._generators.set(cat, gen);
+            }
+        }
+    }
+    /** Register a custom generator for a category. */
+    registerGenerator(category, generator) {
+        this._generators.set(category, generator);
+    }
+    /**
+     * Compute a deterministic seed from a real value using HMAC + salt + tenantId.
+     * Reads first 6 bytes as unsigned int (stays in safe integer range).
+     */
+    computeSeed(value) {
+        const parts = [this._salt];
+        if (this._tenantId) {
+            parts.push(Buffer.from(this._tenantId, "utf-8"));
+        }
+        parts.push(Buffer.from(value, "utf-8"));
+        const msg = Buffer.concat(parts);
+        const digest = createHmac("sha256", this._secretKey).update(msg).digest();
+        return digest.readUIntBE(0, 6);
+    }
+    /** Map a real value to a fake value, preserving format of original. */
+    mapValue(value, category) {
+        const gen = this._generators.get(category);
+        if (gen === undefined) {
+            // Fallback: hash-based opaque token
+            const seed = this.computeSeed(value);
+            return `[REDACTED-${category}-${String(seed % 10000).padStart(4, "0")}]`;
+        }
+        const seed = this.computeSeed(value);
+        return gen.generate(category, seed, value);
+    }
+}