arize-phoenix 4.35.2__py3-none-any.whl → 5.0.0__py3-none-any.whl

phoenix/config.py

@@ -1,13 +1,19 @@
+import logging
 import os
 import re
 import tempfile
-from logging import getLogger
+from dataclasses import dataclass
+from datetime import timedelta
+from enum import Enum
 from pathlib import Path
-from typing import Dict, List, Optional, Tuple
+from typing import Dict, List, Optional, Tuple, overload
+from urllib.parse import urlparse
+
+from phoenix.utilities.logging import log_a_list
 
 from .utilities.re import parse_env_headers
 
-logger = getLogger(__name__)
+logger = logging.getLogger(__name__)
 
 # Phoenix environment variables
 ENV_PHOENIX_PORT = "PHOENIX_PORT"
@@ -56,6 +62,24 @@ ENV_PHOENIX_ENABLE_PROMETHEUS = "PHOENIX_ENABLE_PROMETHEUS"
 """
 Whether to enable Prometheus. Defaults to false.
 """
+ENV_LOGGING_MODE = "PHOENIX_LOGGING_MODE"
+"""
+The logging mode (either 'default' or 'structured').
+"""
+ENV_LOGGING_LEVEL = "PHOENIX_LOGGING_LEVEL"
+"""
+The logging level ('debug', 'info', 'warning', 'error', 'critical') for the Phoenix backend. For
+database logging see ENV_DB_LOGGING_LEVEL. Defaults to info.
+"""
+ENV_DB_LOGGING_LEVEL = "PHOENIX_DB_LOGGING_LEVEL"
+"""
+The logging level ('debug', 'info', 'warning', 'error', 'critical') for the Phoenix ORM.
+Defaults to warning.
+"""
+ENV_LOG_MIGRATIONS = "PHOENIX_LOG_MIGRATIONS"
+"""
+Whether or not to log migrations. Defaults to true.
+"""
 
 # Phoenix server OpenTelemetry instrumentation environment variables
 ENV_PHOENIX_SERVER_INSTRUMENTATION_OTLP_TRACE_COLLECTOR_HTTP_ENDPOINT = (
@@ -65,10 +89,50 @@ ENV_PHOENIX_SERVER_INSTRUMENTATION_OTLP_TRACE_COLLECTOR_GRPC_ENDPOINT = (
     "PHOENIX_SERVER_INSTRUMENTATION_OTLP_TRACE_COLLECTOR_GRPC_ENDPOINT"
 )
 
-# Auth is under active development. Phoenix users are strongly advised not to
-# set these environment variables until the feature is officially released.
-ENV_DANGEROUSLY_SET_PHOENIX_ENABLE_AUTH = "DANGEROUSLY_SET_PHOENIX_ENABLE_AUTH"
-ENV_DANGEROUSLY_SET_PHOENIX_SECRET = "DANGEROUSLY_SET_PHOENIX_SECRET"
+# Authentication settings
+ENV_PHOENIX_ENABLE_AUTH = "PHOENIX_ENABLE_AUTH"
+ENV_PHOENIX_DISABLE_RATE_LIMIT = "PHOENIX_DISABLE_RATE_LIMIT"
+ENV_PHOENIX_SECRET = "PHOENIX_SECRET"
+ENV_PHOENIX_API_KEY = "PHOENIX_API_KEY"
+ENV_PHOENIX_USE_SECURE_COOKIES = "PHOENIX_USE_SECURE_COOKIES"
+ENV_PHOENIX_ACCESS_TOKEN_EXPIRY_MINUTES = "PHOENIX_ACCESS_TOKEN_EXPIRY_MINUTES"
+"""
+The duration, in minutes, before access tokens expire.
+"""
+ENV_PHOENIX_REFRESH_TOKEN_EXPIRY_MINUTES = "PHOENIX_REFRESH_TOKEN_EXPIRY_MINUTES"
+"""
+The duration, in minutes, before refresh tokens expire.
+"""
+ENV_PHOENIX_PASSWORD_RESET_TOKEN_EXPIRY_MINUTES = "PHOENIX_PASSWORD_RESET_TOKEN_EXPIRY_MINUTES"
+"""
+The duration, in minutes, before password reset tokens expire.
+"""
+
+# SMTP settings
+ENV_PHOENIX_SMTP_HOSTNAME = "PHOENIX_SMTP_HOSTNAME"
+"""
+The SMTP server hostname to use for sending emails. SMTP is disabled if this is not set.
+"""
+ENV_PHOENIX_SMTP_PORT = "PHOENIX_SMTP_PORT"
+"""
+The SMTP server port to use for sending emails. Defaults to 587.
+"""
+ENV_PHOENIX_SMTP_USERNAME = "PHOENIX_SMTP_USERNAME"
+"""
+The SMTP server username to use for sending emails. Should be set if SMTP is enabled.
+"""
+ENV_PHOENIX_SMTP_PASSWORD = "PHOENIX_SMTP_PASSWORD"
+"""
+The SMTP server password to use for sending emails. Should be set if SMTP is enabled.
+"""
+ENV_PHOENIX_SMTP_MAIL_FROM = "PHOENIX_SMTP_MAIL_FROM"
+"""
+The email address to use as the sender when sending emails. Should be set if SMTP is enabled.
+"""
+ENV_PHOENIX_SMTP_VALIDATE_CERTS = "PHOENIX_SMTP_VALIDATE_CERTS"
+"""
+Whether to validate SMTP server certificates. Defaults to true.
+"""
 
 
 def server_instrumentation_is_enabled() -> bool:
@@ -110,12 +174,16 @@ def get_working_dir() -> Path:
     return Path.home().resolve() / ".phoenix"
 
 
-def get_boolean_env_var(env_var: str) -> Optional[bool]:
+@overload
+def _bool_val(env_var: str) -> Optional[bool]: ...
+@overload
+def _bool_val(env_var: str, default: bool) -> bool: ...
+def _bool_val(env_var: str, default: Optional[bool] = None) -> Optional[bool]:
     """
-    Parses a boolean environment variable, returning None if the variable is not set.
+    Parses a boolean environment variable, returning `default` if the variable is not set.
     """
     if (value := os.environ.get(env_var)) is None:
-        return None
+        return default
     assert (lower := value.lower()) in (
         "true",
         "false",
@@ -123,44 +191,234 @@ def get_boolean_env_var(env_var: str) -> Optional[bool]:
     return lower == "true"
 
 
+@overload
+def _float_val(env_var: str) -> Optional[float]: ...
+@overload
+def _float_val(env_var: str, default: float) -> float: ...
+def _float_val(env_var: str, default: Optional[float] = None) -> Optional[float]:
+    """
+    Parses a numeric environment variable, returning `default` if the variable is not set.
+    """
+    if (value := os.environ.get(env_var)) is None:
+        return default
+    try:
+        return float(value)
+    except ValueError:
+        raise ValueError(
+            f"Invalid value for environment variable {env_var}: {value}. "
+            f"Value must be a number."
+        )
+
+
+@overload
+def _int_val(env_var: str) -> Optional[int]: ...
+@overload
+def _int_val(env_var: str, default: int) -> int: ...
+def _int_val(env_var: str, default: Optional[int] = None) -> Optional[int]:
+    """
+    Parses a numeric environment variable, returning `default` if the variable is not set.
+    """
+    if (value := os.environ.get(env_var)) is None:
+        return default
+    try:
+        return int(value)
+    except ValueError:
+        raise ValueError(
+            f"Invalid value for environment variable {env_var}: {value}. "
+            f"Value must be an integer."
+        )
+
+
 def get_env_enable_auth() -> bool:
     """
-    Gets the value of the DANGEROUSLY_SET_PHOENIX_ENABLE_AUTH environment variable.
+    Gets the value of the PHOENIX_ENABLE_AUTH environment variable.
+    """
+    return _bool_val(ENV_PHOENIX_ENABLE_AUTH, False)
+
+
+def get_env_disable_rate_limit() -> bool:
+    """
+    Gets the value of the PHOENIX_DISABLE_RATE_LIMIT environment variable.
     """
-    return get_boolean_env_var(ENV_DANGEROUSLY_SET_PHOENIX_ENABLE_AUTH) is True
+    return _bool_val(ENV_PHOENIX_DISABLE_RATE_LIMIT, False)
 
 
 def get_env_phoenix_secret() -> Optional[str]:
     """
-    Gets the value of the DANGEROUSLY_SET_PHOENIX_SECRET environment variable
+    Gets the value of the PHOENIX_SECRET environment variable
     and performs validation.
     """
-    phoenix_secret = os.environ.get(ENV_DANGEROUSLY_SET_PHOENIX_SECRET)
+    phoenix_secret = os.environ.get(ENV_PHOENIX_SECRET)
     if phoenix_secret is None:
         return None
-    # todo: add validation for the phoenix secret
+    from phoenix.auth import REQUIREMENTS_FOR_PHOENIX_SECRET
+
+    REQUIREMENTS_FOR_PHOENIX_SECRET.validate(phoenix_secret, "Phoenix secret")
     return phoenix_secret
 
 
-def get_auth_settings() -> Tuple[bool, Optional[str]]:
+def get_env_phoenix_use_secure_cookies() -> bool:
+    return _bool_val(ENV_PHOENIX_USE_SECURE_COOKIES, False)
+
+
+def get_env_phoenix_api_key() -> Optional[str]:
+    return os.environ.get(ENV_PHOENIX_API_KEY)
+
+
+def get_env_auth_settings() -> Tuple[bool, Optional[str]]:
     """
     Gets auth settings and performs validation.
     """
     enable_auth = get_env_enable_auth()
     phoenix_secret = get_env_phoenix_secret()
-    if enable_auth:
-        assert phoenix_secret, (
-            "DANGEROUSLY_SET_PHOENIX_SECRET must be set "
-            "when auth is enabled with DANGEROUSLY_SET_PHOENIX_ENABLE_AUTH"
-        )
-    else:
-        assert not phoenix_secret, (
-            "DANGEROUSLY_SET_PHOENIX_SECRET cannot be set "
-            "unless auth is enabled with DANGEROUSLY_SET_PHOENIX_ENABLE_AUTH"
+    if enable_auth and not phoenix_secret:
+        raise ValueError(
+            f"`{ENV_PHOENIX_SECRET}` must be set when "
+            f"auth is enabled with `{ENV_PHOENIX_ENABLE_AUTH}`"
         )
     return enable_auth, phoenix_secret
 
 
+def get_env_password_reset_token_expiry() -> timedelta:
+    """
+    Gets the password reset token expiry.
+    """
+    from phoenix.auth import DEFAULT_PASSWORD_RESET_TOKEN_EXPIRY_MINUTES
+
+    minutes = _float_val(
+        ENV_PHOENIX_PASSWORD_RESET_TOKEN_EXPIRY_MINUTES,
+        DEFAULT_PASSWORD_RESET_TOKEN_EXPIRY_MINUTES,
+    )
+    assert minutes > 0
+    return timedelta(minutes=minutes)
+
+
+def get_env_access_token_expiry() -> timedelta:
+    """
+    Gets the access token expiry.
+    """
+    from phoenix.auth import DEFAULT_ACCESS_TOKEN_EXPIRY_MINUTES
+
+    minutes = _float_val(
+        ENV_PHOENIX_ACCESS_TOKEN_EXPIRY_MINUTES,
+        DEFAULT_ACCESS_TOKEN_EXPIRY_MINUTES,
+    )
+    assert minutes > 0
+    return timedelta(minutes=minutes)
+
+
+def get_env_refresh_token_expiry() -> timedelta:
+    """
+    Gets the refresh token expiry.
+    """
+    from phoenix.auth import DEFAULT_REFRESH_TOKEN_EXPIRY_MINUTES
+
+    minutes = _float_val(
+        ENV_PHOENIX_REFRESH_TOKEN_EXPIRY_MINUTES,
+        DEFAULT_REFRESH_TOKEN_EXPIRY_MINUTES,
+    )
+    assert minutes > 0
+    return timedelta(minutes=minutes)
+
+
+def get_env_smtp_username() -> str:
+    return os.getenv(ENV_PHOENIX_SMTP_USERNAME) or ""
+
+
+def get_env_smtp_password() -> str:
+    return os.getenv(ENV_PHOENIX_SMTP_PASSWORD) or ""
+
+
+def get_env_smtp_mail_from() -> str:
+    return os.getenv(ENV_PHOENIX_SMTP_MAIL_FROM) or "noreply@arize.com"
+
+
+def get_env_smtp_hostname() -> str:
+    return os.getenv(ENV_PHOENIX_SMTP_HOSTNAME) or ""
+
+
+def get_env_smtp_port() -> int:
+    port = _int_val(ENV_PHOENIX_SMTP_PORT, 587)
+    assert 0 < port <= 65_535
+    return port
+
+
+def get_env_smtp_validate_certs() -> bool:
+    return _bool_val(ENV_PHOENIX_SMTP_VALIDATE_CERTS, True)
+
+
+@dataclass(frozen=True)
+class OAuth2ClientConfig:
+    idp_name: str
+    idp_display_name: str
+    client_id: str
+    client_secret: str
+    oidc_config_url: str
+
+    @classmethod
+    def from_env(cls, idp_name: str) -> "OAuth2ClientConfig":
+        idp_name_upper = idp_name.upper()
+        if not (
+            client_id := os.getenv(
+                client_id_env_var := f"PHOENIX_OAUTH2_{idp_name_upper}_CLIENT_ID"
+            )
+        ):
+            raise ValueError(
+                f"A client id must be set for the {idp_name} OAuth2 IDP "
+                f"via the {client_id_env_var} environment variable"
+            )
+        if not (
+            client_secret := os.getenv(
+                client_secret_env_var := f"PHOENIX_OAUTH2_{idp_name_upper}_CLIENT_SECRET"
+            )
+        ):
+            raise ValueError(
+                f"A client secret must be set for the {idp_name} OAuth2 IDP "
+                f"via the {client_secret_env_var} environment variable"
+            )
+        if not (
+            oidc_config_url := (
+                os.getenv(
+                    oidc_config_url_env_var := f"PHOENIX_OAUTH2_{idp_name_upper}_OIDC_CONFIG_URL",
+                )
+            )
+        ):
+            raise ValueError(
+                f"An OpenID Connect configuration URL must be set for the {idp_name} OAuth2 IDP "
+                f"via the {oidc_config_url_env_var} environment variable"
+            )
+        if urlparse(oidc_config_url).scheme != "https":
+            raise ValueError(
+                f"Server metadata URL for {idp_name} OAuth2 IDP "
+                "must be a valid URL using the https protocol"
+            )
+        return cls(
+            idp_name=idp_name,
+            idp_display_name=os.getenv(
+                f"PHOENIX_OAUTH2_{idp_name_upper}_DISPLAY_NAME",
+                _get_default_idp_display_name(idp_name),
+            ),
+            client_id=client_id,
+            client_secret=client_secret,
+            oidc_config_url=oidc_config_url,
+        )
+
+
+def get_env_oauth2_settings() -> List[OAuth2ClientConfig]:
+    """
+    Get OAuth2 settings from environment variables.
+    """
+
+    idp_names = set()
+    pattern = re.compile(
+        r"^PHOENIX_OAUTH2_(\w+)_(DISPLAY_NAME|CLIENT_ID|CLIENT_SECRET|OIDC_CONFIG_URL)$"
+    )
+    for env_var in os.environ:
+        if (match := pattern.match(env_var)) is not None and (idp_name := match.group(1).lower()):
+            idp_names.add(idp_name)
+    return [OAuth2ClientConfig.from_env(idp_name) for idp_name in sorted(idp_names)]
+
+
 PHOENIX_DIR = Path(__file__).resolve().parent
 # Server config
 SERVER_DIR = PHOENIX_DIR / "server"
@@ -184,8 +442,6 @@ EXPORT_DIR = ROOT_DIR / "exports"
 INFERENCES_DIR = ROOT_DIR / "inferences"
 TRACE_DATASETS_DIR = ROOT_DIR / "trace_datasets"
 
-ENABLE_AUTH, PHOENIX_SECRET = get_auth_settings()
-
 
 def ensure_working_dir() -> None:
     """
@@ -331,5 +587,91 @@ def get_web_base_url() -> str:
     return get_base_url()
 
 
+class LoggingMode(Enum):
+    DEFAULT = "default"
+    STRUCTURED = "structured"
+
+
+def get_env_logging_mode() -> LoggingMode:
+    if (logging_mode := os.getenv(ENV_LOGGING_MODE)) is None:
+        return LoggingMode.DEFAULT
+    try:
+        return LoggingMode(logging_mode.lower().strip())
+    except ValueError:
+        raise ValueError(
+            f"Invalid value `{logging_mode}` for env var `{ENV_LOGGING_MODE}`. "
+            f"Valid values are: {log_a_list([mode.value for mode in LoggingMode],'and')} "
+            "(case-insensitive)."
+        )
+
+
+def get_env_logging_level() -> int:
+    return _get_logging_level(
+        env_var=ENV_LOGGING_LEVEL,
+        default_level=logging.INFO,
+    )
+
+
+def get_env_db_logging_level() -> int:
+    return _get_logging_level(
+        env_var=ENV_DB_LOGGING_LEVEL,
+        default_level=logging.WARNING,
+    )
+
+
+def _get_logging_level(env_var: str, default_level: int) -> int:
+    logging_level = os.getenv(env_var)
+    if not logging_level:
+        return default_level
+
+    # levelNamesMapping = logging.getLevelNamesMapping() is not supported in python 3.8
+    # but is supported in 3.12. Hence, we define the mapping ourselves and will remove
+    # this once we drop support for older python versions
+    levelNamesMapping = logging._nameToLevel.copy()
+
+    valid_values = [level for level in levelNamesMapping if level != "NOTSET"]
+
+    if logging_level.upper() not in valid_values:
+        raise ValueError(
+            f"Invalid value `{logging_level}` for env var `{env_var}`. "
+            f"Valid values are: {log_a_list(valid_values,'and')} (case-insensitive)."
+        )
+    return levelNamesMapping[logging_level.upper()]
+
+
+def get_env_log_migrations() -> bool:
+    log_migrations = os.getenv(ENV_LOG_MIGRATIONS)
+    # Default to True
+    if log_migrations is None:
+        return True
+
+    if log_migrations.lower() == "true":
+        return True
+    elif log_migrations.lower() == "false":
+        return False
+    else:
+        raise ValueError(
+            f"Invalid value for environment variable {ENV_LOG_MIGRATIONS}: "
+            f"{log_migrations}. Value values are 'TRUE' and 'FALSE' (case-insensitive)."
+        )
+
+
+class OAuth2Idp(Enum):
+    AWS_COGNITO = "aws_cognito"
+    GOOGLE = "google"
+    MICROSOFT_ENTRA_ID = "microsoft_entra_id"
+
+
+def _get_default_idp_display_name(idp_name: str) -> str:
+    """
+    Get the default display name for an OAuth2 IDP.
+    """
+    if idp_name == OAuth2Idp.AWS_COGNITO.value:
+        return "AWS Cognito"
+    if idp_name == OAuth2Idp.MICROSOFT_ENTRA_ID.value:
+        return "Microsoft Entra ID"
+    return idp_name.replace("_", " ").title()
+
+
 DEFAULT_PROJECT_NAME = "default"
 _KUBERNETES_PHOENIX_PORT_PATTERN = re.compile(r"^tcp://\d{1,3}[.]\d{1,3}[.]\d{1,3}[.]\d{1,3}:\d+$")

phoenix/db/alembic.ini

@@ -83,37 +83,3 @@ version_path_separator = os  # Use os.pathsep. Default configuration used for ne
 # ruff.executable = %(here)s/.venv/bin/ruff
 # ruff.options = --fix REVISION_SCRIPT_FILENAME
 
-# Logging configuration
-[loggers]
-keys = root,sqlalchemy,alembic
-
-[handlers]
-keys = console
-
-[formatters]
-keys = generic
-
-[logger_root]
-level = WARN
-handlers = console
-qualname =
-
-[logger_sqlalchemy]
-level = WARN
-handlers =
-qualname = sqlalchemy.engine
-
-[logger_alembic]
-level = WARN
-handlers =
-qualname = alembic
-
-[handler_console]
-class = StreamHandler
-args = (sys.stderr,)
-level = NOTSET
-formatter = generic
-
-[formatter_generic]
-format = %(levelname)-5.5s [%(name)s] %(message)s
-datefmt = %H:%M:%S

phoenix/db/engines.py

@@ -13,7 +13,7 @@ from sqlalchemy import URL, StaticPool, event, make_url
 from sqlalchemy.ext.asyncio import AsyncEngine, create_async_engine
 from typing_extensions import assert_never
 
-from phoenix.config import get_env_database_schema
+from phoenix.config import LoggingMode, get_env_database_schema
 from phoenix.db.helpers import SupportedSQLDialect
 from phoenix.db.migrate import migrate_in_thread
 from phoenix.db.models import init_models
@@ -64,7 +64,7 @@ def get_async_db_url(connection_str: str) -> URL:
 def create_engine(
     connection_str: str,
     migrate: bool = True,
-    echo: bool = False,
+    log_to_stdout: bool = False,
 ) -> AsyncEngine:
     """
     Factory to create a SQLAlchemy engine from a URL string.
@@ -74,10 +74,25 @@ def create_engine(
         raise ValueError("Failed to parse database from connection string")
     backend = SupportedSQLDialect(url.get_backend_name())
     url = get_async_db_url(url.render_as_string(hide_password=False))
+    # If Phoenix is run as an application, we want to pass log_migrations_to_stdout=False
+    # and let the configured sqlalchemy logger handle the migration logs
+    log_migrations_to_stdout = (
+        Settings.log_migrations and Settings.logging_mode != LoggingMode.STRUCTURED
+    )
     if backend is SupportedSQLDialect.SQLITE:
-        return aio_sqlite_engine(url=url, migrate=migrate, echo=echo)
+        return aio_sqlite_engine(
+            url=url,
+            migrate=migrate,
+            log_to_stdout=log_to_stdout,
+            log_migrations_to_stdout=log_migrations_to_stdout,
+        )
     elif backend is SupportedSQLDialect.POSTGRESQL:
-        return aio_postgresql_engine(url=url, migrate=migrate, echo=echo)
+        return aio_postgresql_engine(
+            url=url,
+            migrate=migrate,
+            log_to_stdout=log_to_stdout,
+            log_migrations_to_stdout=log_migrations_to_stdout,
+        )
     else:
         assert_never(backend)
 
@@ -85,8 +100,9 @@ def create_engine(
 def aio_sqlite_engine(
     url: URL,
     migrate: bool = True,
-    echo: bool = False,
     shared_cache: bool = True,
+    log_to_stdout: bool = False,
+    log_migrations_to_stdout: bool = True,
 ) -> AsyncEngine:
     database = url.database or ":memory:"
     if database.startswith("file:"):
@@ -105,7 +121,7 @@ def aio_sqlite_engine(
 
     engine = create_async_engine(
         url=url,
-        echo=echo,
+        echo=log_to_stdout,
         json_serializer=_dumps,
         async_creator=async_creator,
         poolclass=StaticPool,
@@ -123,7 +139,7 @@ def aio_sqlite_engine(
     else:
         sync_engine = sqlalchemy.create_engine(
             url=url.set(drivername="sqlite"),
-            echo=Settings.log_migrations,
+            echo=log_migrations_to_stdout,
             json_serializer=_dumps,
             creator=lambda: sqlean.connect(f"file:{database}", uri=True),
         )
@@ -143,14 +159,15 @@ def set_postgresql_search_path(schema: str) -> Callable[[Connection, Any], None]
 def aio_postgresql_engine(
     url: URL,
     migrate: bool = True,
-    echo: bool = False,
+    log_to_stdout: bool = False,
+    log_migrations_to_stdout: bool = True,
 ) -> AsyncEngine:
-    engine = create_async_engine(url=url, echo=echo, json_serializer=_dumps)
+    engine = create_async_engine(url=url, echo=log_to_stdout, json_serializer=_dumps)
     if not migrate:
         return engine
     sync_engine = sqlalchemy.create_engine(
         url=url.set(drivername="postgresql+psycopg"),
-        echo=Settings.log_migrations,
+        echo=log_migrations_to_stdout,
         json_serializer=_dumps,
     )
     if schema := get_env_database_schema():

phoenix/db/enums.py

@@ -0,0 +1,20 @@
+from enum import Enum
+from typing import Mapping, Type
+
+from sqlalchemy.orm import InstrumentedAttribute
+
+from phoenix.db import models
+from phoenix.db.models import AuthMethod
+
+__all__ = ["AuthMethod", "UserRole", "COLUMN_ENUMS"]
+
+
+class UserRole(Enum):
+    SYSTEM = "SYSTEM"
+    ADMIN = "ADMIN"
+    MEMBER = "MEMBER"
+
+
+COLUMN_ENUMS: Mapping[InstrumentedAttribute[str], Type[Enum]] = {
+    models.UserRole.name: UserRole,
+}