vigilsec 0.1.0__tar.gz

vigilsec-0.1.0/LICENSE

@@ -0,0 +1,73 @@
+Business Source License 1.1
+
+Parameters
+
+Licensor:             Prem Kumar Akula
+Licensed Work:        Vigil
+                      The Licensed Work is (c) 2026 Prem Kumar Akula
+Additional Use Grant: You may make production use of the Licensed Work,
+                      provided such use does not include offering the Licensed
+                      Work to third parties on a hosted or embedded basis in
+                      order to compete with Vigil's paid commercial offerings.
+Change Date:          Four years from the date the specific Licensed Work
+                      version is first publicly distributed under this License.
+Change License:       MIT License
+
+For information about alternative licensing arrangements for the Licensed
+Work, please contact: prem.fwss@gmail.com
+
+Notice
+
+The Business Source License (this document, or the "License") is not an Open
+Source License, as defined by the Open Source Initiative. However, the
+Licensed Work will eventually be made available under an Open Source License,
+as stated in this License.
+
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
+"Business Source License" is a trademark of MariaDB Corporation Ab.
+
+-----------------------------------------------------------------------------
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited
+production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.

vigilsec-0.1.0/PKG-INFO

@@ -0,0 +1,290 @@
+Metadata-Version: 2.4
+Name: vigilsec
+Version: 0.1.0
+Summary: AI coding security co-pilot — blocks insecure code at generation time
+Author-email: Prem Kumar Akula <prem.fwss@gmail.com>
+License-Expression: BUSL-1.1
+Project-URL: Homepage, https://thefwss.com/vigil
+Project-URL: Feedback, https://thefwss.com/vigil
+Keywords: security,devsecops,docker,ai,claude,static-analysis,linter
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Dynamic: license-file
+
+# Vigil
+
+**AI coding security co-pilot — blocks insecure code at the moment of generation.**
+
+Vigil intercepts every file an AI coding assistant writes and blocks it if CRITICAL or HIGH security findings are detected — before the file hits disk. It's the only tool that operates at generation time rather than post-commit.
+
+```
+AI writes file → vigil scan → exit 2 → Claude Code blocks the write
+```
+
+---
+
+## The Problem
+
+AI coding assistants reproduce the most common patterns in their training data. The most common patterns are insecure defaults.
+
+The clearest example: every existing IaC scanner (Checkov, Trivy, Snyk, Semgrep) misses the docker-compose port binding that exposes your database to the internet:
+
+```yaml
+ports:
+  - "5432:5432"   # ← binds to 0.0.0.0, bypasses UFW, reachable from anywhere
+```
+
+The correct form is `"127.0.0.1:5432:5432"`. Vigil catches it. Nothing else does.
+
+---
+
+## Install
+
+```bash
+pip install vigilsec
+```
+
+**Wire the Claude Code hook (one time):**
+
+```bash
+vigil init --global
+```
+
+That's it. Every file Claude Code writes is now scanned before it saves. Reload Claude Code to activate.
+
+---
+
+## Usage
+
+```bash
+# Scan a single file
+vigil scan docker-compose.yml
+
+# Scan a directory
+vigil scan ./my-project/
+
+# JSON output (for CI / dashboards)
+vigil scan ./my-project/ --format json
+
+# SARIF output (for GitHub Advanced Security)
+vigil scan ./my-project/ --format sarif > results.sarif
+
+# Only report HIGH and above
+vigil scan ./my-project/ --severity HIGH
+
+# Open feedback & waitlist form
+vigil feedback
+```
+
+**Exit codes:**
+
+| Code | Meaning |
+|------|---------|
+| `0` | No findings — write proceeds |
+| `1` | Advisory findings only (MEDIUM / LOW / INFO) |
+| `2` | CRITICAL or HIGH found — **Claude Code blocks the write** |
+
+---
+
+## Rules
+
+35 rules across 9 categories. All built-in, stdlib-only, zero runtime dependencies.
+
+### Secrets & Injection (10 rules)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-S001 | CRITICAL | Hardcoded AWS / cloud API keys |
+| VGL-S002 | CRITICAL | Hardcoded passwords (`password =`, `passwd =`) |
+| VGL-S003 | HIGH | Generic API key / token assignments |
+| VGL-S004 | HIGH | Generic secret / credential assignments |
+| VGL-S005 | CRITICAL | JWT signing secrets |
+| VGL-S006 | CRITICAL | PEM private keys |
+| VGL-S007 | CRITICAL | Credential-embedded database URLs (`postgres://user:pass@host`) |
+| VGL-S008 | CRITICAL | Stripe live keys (`sk_live_...`) |
+| VGL-S009 | CRITICAL | Slack tokens (`xoxb-`, `xoxp-`) |
+| VGL-S010 | CRITICAL | OpenAI, GitHub, GitLab, Google provider keys |
+| VGL-I001 | CRITICAL | `eval()` with variable input |
+| VGL-I002 | HIGH | `subprocess(shell=True)` with variable input |
+| VGL-I003 | HIGH | `os.system()` with variable input |
+
+### Docker IaC (2 rules)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-D001 | CRITICAL | `"PORT:PORT"` binding — bypasses UFW, exposes to internet |
+| VGL-D002 | HIGH | Hardcoded secrets in `environment:` blocks |
+
+### Dockerfile Hardening (3 rules)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-DF001 | HIGH | Container running as root (no `USER` directive) |
+| VGL-DF002 | MEDIUM | Unpinned `:latest` base image |
+| VGL-DF003 | CRITICAL | Secrets baked into image layers via `ENV`/`ARG` |
+
+### nginx (1 rule)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-N001 | HIGH | Missing security headers, `server_tokens on`, deprecated TLS |
+
+### Kubernetes (1 rule)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-K001 | CRITICAL/HIGH | `privileged: true`, `hostNetwork/hostPID/hostIPC: true` |
+
+### IAM Policies (1 rule)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-IAM001 | CRITICAL/HIGH | `"Action": "*"` and `"Resource": "*"` wildcards |
+
+### AI Agent Patterns (7 rules)
+
+New category — catches the security anti-patterns unique to AI-generated agentic code.
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-A001 | CRITICAL | LLM output piped to `subprocess.run()` / `os.system()` |
+| VGL-A002 | HIGH | Hardcoded `auto_approve = True` / `skip_confirmation = True` |
+| VGL-A003 | HIGH | Unbounded `while True` loop making LLM calls with no iteration cap |
+| VGL-A004 | HIGH | LLM response content written directly to filesystem |
+| VGL-PI001 | CRITICAL | User input embedded in system prompt |
+| VGL-PI002 | HIGH | Raw `request.body` passed as LLM message content |
+| VGL-PI003 | HIGH | `str.format()` on `system_prompt` variables with user-controlled data |
+| VGL-PI004 | MEDIUM | Unsanitized tool output appended to conversation |
+
+### MCP Server Security (3 rules)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-MCP001 | CRITICAL | Injection strings in tool descriptions (`ignore previous instructions`) |
+| VGL-MCP002 | HIGH | Dynamic tool descriptions built from user-controlled data |
+| VGL-MCP003 | HIGH | Shell execution inside MCP handlers without a sandbox |
+
+### Shell Scripts (1 rule)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-S011 | HIGH | Secret variable passed inline to subprocess or SSH command — visible in `ps aux` on both machines |
+
+### Dependency CVEs (2 rules)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-DEP001 | HIGH | Python CVEs via `pip-audit` (runs on every `requirements.txt` change) |
+| VGL-DEP002 | HIGH | npm CVEs via `npm audit` (runs on every `package.json` change) |
+
+### Trivy IaC Deep Scan (1 rule)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-T001 | HIGH | Dockerfile and Terraform misconfigurations via Trivy |
+
+---
+
+## Configuration
+
+Place a `.vigilrc` file in your project root (or any ancestor directory):
+
+```toml
+# .vigilrc
+disabled_rules = ["VGL-T001"]        # skip trivy scan for this project
+min_severity   = "HIGH"              # only report HIGH and above
+exclude_paths  = ["vendor", "legacy"]
+telemetry      = false               # opt out of anonymous local telemetry
+```
+
+Vigil walks up the directory tree to find the nearest `.vigilrc`. Child config always wins over parent. Monorepos can have per-project overrides alongside a workspace default.
+
+**Inline suppression** — for a specific line you've reviewed and accepted:
+
+```python
+auto_approve = True  # vigil: ignore
+```
+
+Same pattern as `# noqa` (flake8) and `# nosec` (bandit).
+
+---
+
+## Opt-out
+
+Vigil collects anonymous, local-only telemetry: rule ID, severity, and file extension. No file paths, no code, no identifiable data. Stored at `~/.vigil/events.jsonl` — never sent anywhere.
+
+Opt out permanently:
+
+```bash
+export VIGIL_NO_TELEMETRY=1
+```
+
+Or in `.vigilrc`:
+
+```toml
+telemetry = false
+```
+
+---
+
+## Adding a Rule
+
+```python
+# src/vigil/rules/my_category.py
+from pathlib import Path
+from .base import Finding, Rule, Severity
+
+class MyRule(Rule):
+    id = "VGL-X001"
+    name = "Descriptive rule name"
+    severity = Severity.HIGH
+
+    def applies_to(self, path: Path) -> bool:
+        return path.suffix == ".yml"
+
+    def check(self, path: Path) -> list[Finding]:
+        findings = []
+        for i, line in enumerate(path.read_text().splitlines(), 1):
+            if "bad_pattern" in line:
+                findings.append(Finding(
+                    rule_id=self.id,
+                    severity=self.severity,
+                    message="Found bad pattern",
+                    file_path=path,
+                    line=i,
+                    snippet=line.strip(),
+                    fix="Do this instead.",
+                ))
+        return findings
+```
+
+Then add it to `DEFAULT_RULES` in `src/vigil/rules/__init__.py`. Write tests. Done.
+
+---
+
+## Development
+
+```bash
+git clone http://your-gitea/fwss/vigil.git
+cd vigil
+python3 -m venv venv && source venv/bin/activate
+pip install -e ".[dev]"
+pytest tests/ -v
+```
+
+---
+
+## License
+
+[Business Source License 1.1](LICENSE) — free for non-commercial use. Commercial use requires a license agreement. Converts to MIT on 2030-06-26.
+
+---
+
+## Feedback & Waitlist
+
+Found a false positive? Want a rule that doesn't exist yet? Building with AI agents and hitting patterns Vigil should catch?
+
+[Join the waitlist → thefwss.com/vigil](https://thefwss.com/vigil)
+
+Or: `vigil feedback`

vigilsec-0.1.0/README.md

@@ -0,0 +1,276 @@
+# Vigil
+
+**AI coding security co-pilot — blocks insecure code at the moment of generation.**
+
+Vigil intercepts every file an AI coding assistant writes and blocks it if CRITICAL or HIGH security findings are detected — before the file hits disk. It's the only tool that operates at generation time rather than post-commit.
+
+```
+AI writes file → vigil scan → exit 2 → Claude Code blocks the write
+```
+
+---
+
+## The Problem
+
+AI coding assistants reproduce the most common patterns in their training data. The most common patterns are insecure defaults.
+
+The clearest example: every existing IaC scanner (Checkov, Trivy, Snyk, Semgrep) misses the docker-compose port binding that exposes your database to the internet:
+
+```yaml
+ports:
+  - "5432:5432"   # ← binds to 0.0.0.0, bypasses UFW, reachable from anywhere
+```
+
+The correct form is `"127.0.0.1:5432:5432"`. Vigil catches it. Nothing else does.
+
+---
+
+## Install
+
+```bash
+pip install vigilsec
+```
+
+**Wire the Claude Code hook (one time):**
+
+```bash
+vigil init --global
+```
+
+That's it. Every file Claude Code writes is now scanned before it saves. Reload Claude Code to activate.
+
+---
+
+## Usage
+
+```bash
+# Scan a single file
+vigil scan docker-compose.yml
+
+# Scan a directory
+vigil scan ./my-project/
+
+# JSON output (for CI / dashboards)
+vigil scan ./my-project/ --format json
+
+# SARIF output (for GitHub Advanced Security)
+vigil scan ./my-project/ --format sarif > results.sarif
+
+# Only report HIGH and above
+vigil scan ./my-project/ --severity HIGH
+
+# Open feedback & waitlist form
+vigil feedback
+```
+
+**Exit codes:**
+
+| Code | Meaning |
+|------|---------|
+| `0` | No findings — write proceeds |
+| `1` | Advisory findings only (MEDIUM / LOW / INFO) |
+| `2` | CRITICAL or HIGH found — **Claude Code blocks the write** |
+
+---
+
+## Rules
+
+35 rules across 9 categories. All built-in, stdlib-only, zero runtime dependencies.
+
+### Secrets & Injection (10 rules)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-S001 | CRITICAL | Hardcoded AWS / cloud API keys |
+| VGL-S002 | CRITICAL | Hardcoded passwords (`password =`, `passwd =`) |
+| VGL-S003 | HIGH | Generic API key / token assignments |
+| VGL-S004 | HIGH | Generic secret / credential assignments |
+| VGL-S005 | CRITICAL | JWT signing secrets |
+| VGL-S006 | CRITICAL | PEM private keys |
+| VGL-S007 | CRITICAL | Credential-embedded database URLs (`postgres://user:pass@host`) |
+| VGL-S008 | CRITICAL | Stripe live keys (`sk_live_...`) |
+| VGL-S009 | CRITICAL | Slack tokens (`xoxb-`, `xoxp-`) |
+| VGL-S010 | CRITICAL | OpenAI, GitHub, GitLab, Google provider keys |
+| VGL-I001 | CRITICAL | `eval()` with variable input |
+| VGL-I002 | HIGH | `subprocess(shell=True)` with variable input |
+| VGL-I003 | HIGH | `os.system()` with variable input |
+
+### Docker IaC (2 rules)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-D001 | CRITICAL | `"PORT:PORT"` binding — bypasses UFW, exposes to internet |
+| VGL-D002 | HIGH | Hardcoded secrets in `environment:` blocks |
+
+### Dockerfile Hardening (3 rules)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-DF001 | HIGH | Container running as root (no `USER` directive) |
+| VGL-DF002 | MEDIUM | Unpinned `:latest` base image |
+| VGL-DF003 | CRITICAL | Secrets baked into image layers via `ENV`/`ARG` |
+
+### nginx (1 rule)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-N001 | HIGH | Missing security headers, `server_tokens on`, deprecated TLS |
+
+### Kubernetes (1 rule)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-K001 | CRITICAL/HIGH | `privileged: true`, `hostNetwork/hostPID/hostIPC: true` |
+
+### IAM Policies (1 rule)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-IAM001 | CRITICAL/HIGH | `"Action": "*"` and `"Resource": "*"` wildcards |
+
+### AI Agent Patterns (7 rules)
+
+New category — catches the security anti-patterns unique to AI-generated agentic code.
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-A001 | CRITICAL | LLM output piped to `subprocess.run()` / `os.system()` |
+| VGL-A002 | HIGH | Hardcoded `auto_approve = True` / `skip_confirmation = True` |
+| VGL-A003 | HIGH | Unbounded `while True` loop making LLM calls with no iteration cap |
+| VGL-A004 | HIGH | LLM response content written directly to filesystem |
+| VGL-PI001 | CRITICAL | User input embedded in system prompt |
+| VGL-PI002 | HIGH | Raw `request.body` passed as LLM message content |
+| VGL-PI003 | HIGH | `str.format()` on `system_prompt` variables with user-controlled data |
+| VGL-PI004 | MEDIUM | Unsanitized tool output appended to conversation |
+
+### MCP Server Security (3 rules)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-MCP001 | CRITICAL | Injection strings in tool descriptions (`ignore previous instructions`) |
+| VGL-MCP002 | HIGH | Dynamic tool descriptions built from user-controlled data |
+| VGL-MCP003 | HIGH | Shell execution inside MCP handlers without a sandbox |
+
+### Shell Scripts (1 rule)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-S011 | HIGH | Secret variable passed inline to subprocess or SSH command — visible in `ps aux` on both machines |
+
+### Dependency CVEs (2 rules)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-DEP001 | HIGH | Python CVEs via `pip-audit` (runs on every `requirements.txt` change) |
+| VGL-DEP002 | HIGH | npm CVEs via `npm audit` (runs on every `package.json` change) |
+
+### Trivy IaC Deep Scan (1 rule)
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| VGL-T001 | HIGH | Dockerfile and Terraform misconfigurations via Trivy |
+
+---
+
+## Configuration
+
+Place a `.vigilrc` file in your project root (or any ancestor directory):
+
+```toml
+# .vigilrc
+disabled_rules = ["VGL-T001"]        # skip trivy scan for this project
+min_severity   = "HIGH"              # only report HIGH and above
+exclude_paths  = ["vendor", "legacy"]
+telemetry      = false               # opt out of anonymous local telemetry
+```
+
+Vigil walks up the directory tree to find the nearest `.vigilrc`. Child config always wins over parent. Monorepos can have per-project overrides alongside a workspace default.
+
+**Inline suppression** — for a specific line you've reviewed and accepted:
+
+```python
+auto_approve = True  # vigil: ignore
+```
+
+Same pattern as `# noqa` (flake8) and `# nosec` (bandit).
+
+---
+
+## Opt-out
+
+Vigil collects anonymous, local-only telemetry: rule ID, severity, and file extension. No file paths, no code, no identifiable data. Stored at `~/.vigil/events.jsonl` — never sent anywhere.
+
+Opt out permanently:
+
+```bash
+export VIGIL_NO_TELEMETRY=1
+```
+
+Or in `.vigilrc`:
+
+```toml
+telemetry = false
+```
+
+---
+
+## Adding a Rule
+
+```python
+# src/vigil/rules/my_category.py
+from pathlib import Path
+from .base import Finding, Rule, Severity
+
+class MyRule(Rule):
+    id = "VGL-X001"
+    name = "Descriptive rule name"
+    severity = Severity.HIGH
+
+    def applies_to(self, path: Path) -> bool:
+        return path.suffix == ".yml"
+
+    def check(self, path: Path) -> list[Finding]:
+        findings = []
+        for i, line in enumerate(path.read_text().splitlines(), 1):
+            if "bad_pattern" in line:
+                findings.append(Finding(
+                    rule_id=self.id,
+                    severity=self.severity,
+                    message="Found bad pattern",
+                    file_path=path,
+                    line=i,
+                    snippet=line.strip(),
+                    fix="Do this instead.",
+                ))
+        return findings
+```
+
+Then add it to `DEFAULT_RULES` in `src/vigil/rules/__init__.py`. Write tests. Done.
+
+---
+
+## Development
+
+```bash
+git clone http://your-gitea/fwss/vigil.git
+cd vigil
+python3 -m venv venv && source venv/bin/activate
+pip install -e ".[dev]"
+pytest tests/ -v
+```
+
+---
+
+## License
+
+[Business Source License 1.1](LICENSE) — free for non-commercial use. Commercial use requires a license agreement. Converts to MIT on 2030-06-26.
+
+---
+
+## Feedback & Waitlist
+
+Found a false positive? Want a rule that doesn't exist yet? Building with AI agents and hitting patterns Vigil should catch?
+
+[Join the waitlist → thefwss.com/vigil](https://thefwss.com/vigil)
+
+Or: `vigil feedback`

vigilsec-0.1.0/pyproject.toml

@@ -0,0 +1,36 @@
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "vigilsec"
+version = "0.1.0"
+description = "AI coding security co-pilot — blocks insecure code at generation time"
+readme = "README.md"
+license = "BUSL-1.1"
+license-files = ["LICENSE"]
+authors = [{name = "Prem Kumar Akula", email = "prem.fwss@gmail.com"}]
+requires-python = ">=3.11"
+dependencies = []
+keywords = ["security", "devsecops", "docker", "ai", "claude", "static-analysis", "linter"]
+
+[project.urls]
+Homepage = "https://thefwss.com/vigil"
+Feedback = "https://thefwss.com/vigil"
+
+[project.scripts]
+vigil = "vigil.cli:main"
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+pythonpath = ["src"]
+
+[tool.bandit]
+exclude_dirs = ["tests", ".venv", "venv"]
+# B101: assert in tests; B404/B603/B607: vigil intentionally shells out to trivy/pip-audit/npm
+# with hardcoded command names and list-form args — no shell injection possible
+# B110: bare except in telemetry.py is intentional — telemetry must never crash a scan
+skips = ["B101", "B404", "B603", "B607", "B110"]

vigilsec-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

vigilsec-0.1.0/src/vigil/__init__.py

@@ -0,0 +1,2 @@
+"""Vigil — AI coding security co-pilot."""
+__version__ = "0.1.0"