diff --git a/compiler/package-lock.json b/compiler/package-lock.json index ed183152ca..56c687fd0d 100644 --- a/compiler/package-lock.json +++ b/compiler/package-lock.json @@ -33,6 +33,10 @@ "node": ">=14" } }, + "../compiler-rs/compiler-wasm-lib/pkg": { + "name": "compiler-wasm-lib", + "version": "0.1.0" + }, "node_modules/@babel/code-frame": { "version": "7.12.11", "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.12.11.tgz", @@ -1540,8 +1544,8 @@ "dev": true }, "node_modules/compiler-wasm-lib": { - "version": "0.1.0", - "resolved": "file:../compiler-rs/compiler-wasm-lib/pkg" + "resolved": "../compiler-rs/compiler-wasm-lib/pkg", + "link": true }, "node_modules/concat-map": { "version": "0.0.1", @@ -6484,7 +6488,7 @@ "dev": true }, "compiler-wasm-lib": { - "version": "0.1.0" + "version": "file:../compiler-rs/compiler-wasm-lib/pkg" }, "concat-map": { "version": "0.0.1", diff --git a/output/schema/schema.json b/output/schema/schema.json index 7395844be7..b269f2538b 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json @@ -187017,7 +187017,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L372-L374" + "specLocation": "security/_types/Privileges.ts#L408-L410" }, { "kind": "interface", @@ -187339,6 +187339,12 @@ }, "name": "monitor_snapshot" }, + { + "availability": { + "stack": {} + }, + "name": "monitor_stats" + }, { "availability": { "stack": {} 
@@ -187413,7 +187419,33 @@ "name": "ClusterPrivilege", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L42-L195" + "specLocation": "security/_types/Privileges.ts#L42-L199" + }, + { + "kind": "enum", + "members": [ + { + "availability": { + "stack": { + "since": "8.14.0" + } + }, + "name": "monitor_enrich" + }, + { + "availability": { + "stack": { + "since": "8.17.0" + } + }, + "name": "monitor_stats" + } + ], + "name": { + "name": "ClusterPrivilegeForRemote", + "namespace": "security._types" + }, + "specLocation": "security/_types/Privileges.ts#L201-L214" }, { "kind": "interface", @@ -187534,7 +187566,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L368-L370" + "specLocation": "security/_types/Privileges.ts#L404-L406" }, { "kind": "enum", @@ -187647,7 +187679,7 @@ "name": "IndexPrivilege", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L324-L366" + "specLocation": "security/_types/Privileges.ts#L360-L402" }, { "kind": "interface", @@ -187729,7 +187761,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L198-L222" + "specLocation": "security/_types/Privileges.ts#L217-L241" }, { "kind": "type_alias", @@ -187743,7 +187775,7 @@ "name": "IndicesPrivilegesQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L279-L287", + "specLocation": "security/_types/Privileges.ts#L315-L323", "type": { "kind": "union_of", "items": [ @@ -187793,7 +187825,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L376-L378" + "specLocation": "security/_types/Privileges.ts#L412-L414" }, { "kind": "interface", 
@@ -187829,6 +187861,45 @@ }, { "kind": "interface", + "description": "The subset of cluster level privileges that can be defined for remote clusters.", + "name": { + "name": "RemoteClusterPrivileges", + "namespace": "security._types" + }, + "properties": [ + { + "description": "A list of cluster aliases to which the permissions in this entry apply.", + "name": "clusters", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Names", + "namespace": "_types" + } + } + }, + { + "description": "The cluster level privileges that owners of the role have on the remote cluster.", + "name": "privileges", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "ClusterPrivilegeForRemote", + "namespace": "security._types" + } + } + } + } + ], + "specLocation": "security/_types/Privileges.ts#L277-L289" + }, + { + "kind": "interface", + "description": "The subset of index level privileges that can be defined for remote clusters.", "name": { "name": "RemoteIndicesPrivileges", "namespace": "security._types" @@ -187919,7 +187990,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L225-L253" + "specLocation": "security/_types/Privileges.ts#L243-L275" }, { "kind": "interface", @@ -187944,7 +188015,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L380-L385" + "specLocation": "security/_types/Privileges.ts#L416-L421" }, { "kind": "interface", 
@@ -187986,6 +188057,46 @@ } } }, + { + "availability": { + "stack": { + "since": "8.14.0" + } + }, + "description": "A list of indices permissions for remote clusters.", + "name": "remote_indices", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteIndicesPrivileges", + "namespace": "security._types" + } + } + } + }, + { + "availability": { + "stack": { + "since": "8.15.0" + } + }, + "description": "A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions.", + "name": "remote_cluster", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteClusterPrivileges", + "namespace": "security._types" + } + } + } + }, { "availability": { "stack": {} @@ -188091,7 +188202,7 @@ } } ], - "specLocation": "security/_types/RoleDescriptor.ts#L31-L64" + "specLocation": "security/_types/RoleDescriptor.ts#L31-L77" }, { "kind": "interface", @@ -188153,6 +188264,46 @@ } } }, + { + "availability": { + "stack": { + "since": "8.14.0" + } + }, + "description": "A list of indices permissions for remote clusters.", + "name": "remote_indices", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteIndicesPrivileges", + "namespace": "security._types" + } + } + } + }, + { + "availability": { + "stack": { + "since": "8.15.0" + } + }, + "description": "A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions.", + "name": "remote_cluster", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteClusterPrivileges", + "namespace": "security._types" + } + } + } + }, { "availability": { "stack": {} 
@@ -188258,7 +188409,7 @@ } } ], - "specLocation": "security/_types/RoleDescriptor.ts#L66-L98" + "specLocation": "security/_types/RoleDescriptor.ts#L79-L122" }, { "kind": "interface", @@ -188436,7 +188587,7 @@ "name": "RoleTemplateInlineQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L321-L322", + "specLocation": "security/_types/Privileges.ts#L357-L358", "type": { "kind": "union_of", "items": [ @@ -188479,7 +188630,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L289-L299" + "specLocation": "security/_types/Privileges.ts#L325-L335" }, { "kind": "interface", @@ -188567,7 +188718,7 @@ } ], "shortcutProperty": "source", - "specLocation": "security/_types/Privileges.ts#L301-L319" + "specLocation": "security/_types/Privileges.ts#L337-L355" }, { "kind": "interface", @@ -188634,7 +188785,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L387-L407" + "specLocation": "security/_types/Privileges.ts#L423-L443" }, { "kind": "enum", @@ -188848,7 +188999,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L255-L277" + "specLocation": "security/_types/Privileges.ts#L291-L313" }, { "kind": "interface", @@ -191843,8 +191994,8 @@ "value": { "kind": "instance_of", "type": { - "name": "string", - "namespace": "_builtins" + "name": "ClusterPrivilege", + "namespace": "security._types" } } } @@ -191862,6 +192013,20 @@ } } } + }, + { + "name": "remote_cluster", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "ClusterPrivilegeForRemote", + "namespace": "security._types" + } + } + } } ] }, @@ -191869,7 +192034,7 @@ "name": "Response", "namespace": "security.get_builtin_privileges" }, - "specLocation": "security/get_builtin_privileges/SecurityGetBuiltinPrivilegesResponse.ts#L22-L24" + "specLocation": "security/get_builtin_privileges/SecurityGetBuiltinPrivilegesResponse.ts#L23-L25" }, { "kind": "request", 
@@ -192039,8 +192204,8 @@ "value": { "kind": "instance_of", "type": { - "name": "string", - "namespace": "_builtins" + "name": "ClusterPrivilege", + "namespace": "security._types" } } } @@ -192059,6 +192224,44 @@ } } }, + { + "availability": { + "stack": { + "since": "8.14.0" + } + }, + "name": "remote_indices", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteIndicesPrivileges", + "namespace": "security._types" + } + } + } + }, + { + "availability": { + "stack": { + "since": "8.15.0" + } + }, + "name": "remote_cluster", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteClusterPrivileges", + "namespace": "security._types" + } + } + } + }, { "name": "metadata", "required": true, @@ -192184,7 +192387,7 @@ } } ], - "specLocation": "security/get_role/types.ts#L29-L42" + "specLocation": "security/get_role/types.ts#L29-L50" }, { "kind": "request", @@ -194650,6 +194853,26 @@ } } }, + { + "availability": { + "stack": { + "since": "8.15.0" + } + }, + "description": "A list of remote cluster permissions entries.", + "name": "remote_cluster", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteClusterPrivileges", + "namespace": "security._types" + } + } + } + }, { "description": "Optional metadata. Within the metadata object, keys that begin with an underscore (`_`) are reserved for system use.", "name": "metadata", @@ -194751,7 +194974,7 @@ } } ], - "specLocation": "security/put_role/SecurityPutRoleRequest.ts#L31-L95" + "specLocation": "security/put_role/SecurityPutRoleRequest.ts#L31-L101" }, { "kind": "response", diff --git a/output/typescript/types.ts b/output/typescript/types.ts index 4e1be9944d..e107685588 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts 
@@ -17638,7 +17638,9 @@ export interface SecurityClusterNode { name: Name } -export type SecurityClusterPrivilege = 'all' | 'cancel_task' | 'create_snapshot' | 'cross_cluster_replication' | 'cross_cluster_search' | 'delegate_pki' | 'grant_api_key' | 'manage' | 'manage_api_key' | 'manage_autoscaling' | 'manage_behavioral_analytics' | 'manage_ccr' | 'manage_data_frame_transforms' | 'manage_data_stream_global_retention' | 'manage_enrich' | 'manage_ilm' | 'manage_index_templates' | 'manage_inference' | 'manage_ingest_pipelines' | 'manage_logstash_pipelines' | 'manage_ml' | 'manage_oidc' | 'manage_own_api_key' | 'manage_pipeline' | 'manage_rollup' | 'manage_saml' | 'manage_search_application' | 'manage_search_query_rules' | 'manage_search_synonyms' | 'manage_security' | 'manage_service_account' | 'manage_slm' | 'manage_token' | 'manage_transform' | 'manage_user_profile' | 'manage_watcher' | 'monitor' | 'monitor_data_frame_transforms' | 'monitor_data_stream_global_retention' | 'monitor_enrich' | 'monitor_inference' | 'monitor_ml' | 'monitor_rollup' | 'monitor_snapshot' | 'monitor_text_structure' | 'monitor_transform' | 'monitor_watcher' | 'none' | 'post_behavioral_analytics_event' | 'read_ccr' | 'read_fleet_secrets' | 'read_ilm' | 'read_pipeline' | 'read_security' | 'read_slm' | 'transport_client' | 'write_connector_secrets' | 'write_fleet_secrets'| string +export type SecurityClusterPrivilege = 'all' | 'cancel_task' | 'create_snapshot' | 'cross_cluster_replication' | 'cross_cluster_search' | 'delegate_pki' | 'grant_api_key' | 'manage' | 'manage_api_key' | 'manage_autoscaling' | 'manage_behavioral_analytics' | 'manage_ccr' | 'manage_data_frame_transforms' | 'manage_data_stream_global_retention' | 'manage_enrich' | 'manage_ilm' | 'manage_index_templates' | 'manage_inference' | 'manage_ingest_pipelines' | 'manage_logstash_pipelines' | 'manage_ml' | 'manage_oidc' | 'manage_own_api_key' | 'manage_pipeline' | 'manage_rollup' | 'manage_saml' | 'manage_search_application' | 
'manage_search_query_rules' | 'manage_search_synonyms' | 'manage_security' | 'manage_service_account' | 'manage_slm' | 'manage_token' | 'manage_transform' | 'manage_user_profile' | 'manage_watcher' | 'monitor' | 'monitor_data_frame_transforms' | 'monitor_data_stream_global_retention' | 'monitor_enrich' | 'monitor_inference' | 'monitor_ml' | 'monitor_rollup' | 'monitor_snapshot' | 'monitor_stats' | 'monitor_text_structure' | 'monitor_transform' | 'monitor_watcher' | 'none' | 'post_behavioral_analytics_event' | 'read_ccr' | 'read_fleet_secrets' | 'read_ilm' | 'read_pipeline' | 'read_security' | 'read_slm' | 'transport_client' | 'write_connector_secrets' | 'write_fleet_secrets'| string + +export type SecurityClusterPrivilegeForRemote = 'monitor_enrich' | 'monitor_stats' export interface SecurityCreatedStatus { created: boolean @@ -17682,6 +17684,11 @@ export interface SecurityRealmInfo { type: string } +export interface SecurityRemoteClusterPrivileges { + clusters: Names + privileges: SecurityClusterPrivilegeForRemote[] +} + export interface SecurityRemoteIndicesPrivileges { clusters: Names field_security?: SecurityFieldSecurity @@ -17699,6 +17706,8 @@ export interface SecurityRoleDescriptor { cluster?: SecurityClusterPrivilege[] indices?: SecurityIndicesPrivileges[] index?: SecurityIndicesPrivileges[] + remote_indices?: SecurityRemoteIndicesPrivileges[] + remote_cluster?: SecurityRemoteClusterPrivileges[] global?: SecurityGlobalPrivilege[] | SecurityGlobalPrivilege applications?: SecurityApplicationPrivileges[] metadata?: Metadata @@ -17711,6 +17720,8 @@ export interface SecurityRoleDescriptorRead { cluster: SecurityClusterPrivilege[] indices: SecurityIndicesPrivileges[] index: SecurityIndicesPrivileges[] + remote_indices?: SecurityRemoteIndicesPrivileges[] + remote_cluster?: SecurityRemoteClusterPrivileges[] global?: SecurityGlobalPrivilege[] | SecurityGlobalPrivilege applications?: SecurityApplicationPrivileges[] metadata?: Metadata 
@@ -18110,8 +18121,9 @@ export interface SecurityGetBuiltinPrivilegesRequest extends RequestBase { } export interface SecurityGetBuiltinPrivilegesResponse { - cluster: string[] + cluster: SecurityClusterPrivilege[] index: IndexName[] + remote_cluster: SecurityClusterPrivilegeForRemote[] } export interface SecurityGetPrivilegesRequest extends RequestBase { @@ -18128,8 +18140,10 @@ export interface SecurityGetRoleRequest extends RequestBase { export type SecurityGetRoleResponse = Record export interface SecurityGetRoleRole { - cluster: string[] + cluster: SecurityClusterPrivilege[] indices: SecurityIndicesPrivileges[] + remote_indices?: SecurityRemoteIndicesPrivileges[] + remote_cluster?: SecurityRemoteClusterPrivileges[] metadata: Metadata run_as: string[] transient_metadata?: Record @@ -18395,6 +18409,7 @@ export interface SecurityPutRoleRequest extends RequestBase { global?: Record indices?: SecurityIndicesPrivileges[] remote_indices?: SecurityRemoteIndicesPrivileges[] + remote_cluster?: SecurityRemoteClusterPrivileges[] metadata?: Metadata run_as?: string[] description?: string diff --git a/package-lock.json b/package-lock.json index 8bd812f6b6..2323b099fe 100644 --- a/package-lock.json +++ b/package-lock.json @@ -5,7 +5,7 @@ "packages": { "": { "dependencies": { - "@stoplight/spectral-cli": "^6.13.0" + "@stoplight/spectral-cli": "^6.13.1" } }, "node_modules/@asyncapi/specs": { 
@@ -200,9 +200,9 @@ } }, "node_modules/@stoplight/spectral-cli": { - "version": "6.13.0", - "resolved": "https://registry.npmjs.org/@stoplight/spectral-cli/-/spectral-cli-6.13.0.tgz", - "integrity": "sha512-qofxmVN4czNNJdfq0OB8Qj1ihpIhyR0IgyQpJFda9FvWWn9vJqDuIsoGKWP7xIHwv3E31q3iviDIX3Ejy9tNcg==", + "version": "6.13.1", + "resolved": "https://registry.npmjs.org/@stoplight/spectral-cli/-/spectral-cli-6.13.1.tgz", + "integrity": "sha512-v6ipX4w6wRhtbOotwdPL7RrEkP0m1OwHTIyqzVrAPi932F/zkee24jmf1CHNrTynonmfGoU6/XpeqUHtQdKDFw==", "license": "Apache-2.0", "dependencies": { "@stoplight/json": "~3.21.0", diff --git a/specification/security/_types/Privileges.ts b/specification/security/_types/Privileges.ts index 14f2977557..e930b324ee 100644 --- a/specification/security/_types/Privileges.ts +++ b/specification/security/_types/Privileges.ts @@ -151,6 +151,10 @@ export enum ClusterPrivilege { * @availability stack */ monitor_snapshot, + /** + * @availability stack + */ + monitor_stats, /** * @availability stack */ @@ -194,6 +198,21 @@ export enum ClusterPrivilege { write_fleet_secrets } +/** + * The subset of cluster level privileges that can be defined for remote clusters. + * @availability stack + */ +export enum ClusterPrivilegeForRemote { + /** + * @availability stack since=8.14.0 + */ + monitor_enrich, + /** + * @availability stack since=8.17.0 + */ + monitor_stats +} + // Keep in sync with RemoteIndicesPrivileges export class IndicesPrivileges { /** @@ -221,6 +240,9 @@ export class IndicesPrivileges { allow_restricted_indices?: boolean } +/** + * The subset of index level privileges that can be defined for remote clusters. + */ // Keep in sync with IndicesPrivileges export class RemoteIndicesPrivileges { /** 
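Review bot: In the `ClusterPrivilege` hunk (`@@ -151,6 +151,10 @@`), `monitor_stats` is added with a bare `@availability stack`, while the same privilege in the new `ClusterPrivilegeForRemote` enum is tagged `since=8.17.0`. If the local privilege shipped in the same release, the tag should read `@availability stack since=8.17.0`, so that generated clients and docs do not present the name as valid on older clusters. The enum body starts and ends outside this hunk, so the convention used for the other recently added members cannot be checked from here.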
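Review bot: In the new `ClusterPrivilegeForRemote` enum (`@@ -194,6 +198,21 @@`), `monitor_enrich` is marked `since=8.14.0`, but every field in this commit that accepts the enum (`remote_cluster` in `RoleDescriptor`, `RoleDescriptorRead`, `get_role` and `put_role`) is marked `since=8.15.0`. Unless another API accepted the value earlier, the member should read `@availability stack since=8.15.0`. This enum is the allowlist of what a role may be granted on a remote cluster, so it is worth a maintenance comment in the style already used in this file, for example `// Keep in sync with the remote cluster privileges accepted by the server`.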
@@ -252,6 +274,20 @@ export class RemoteIndicesPrivileges { allow_restricted_indices?: boolean } +/** + * The subset of cluster level privileges that can be defined for remote clusters. + */ +export class RemoteClusterPrivileges { + /** + * A list of cluster aliases to which the permissions in this entry apply. + */ + clusters: Names + /** + * The cluster level privileges that owners of the role have on the remote cluster. + */ + privileges: ClusterPrivilegeForRemote[] +} + export class UserIndicesPrivileges { /** * The document fields that the owners of the role have read access to. diff --git a/specification/security/_types/RoleDescriptor.ts b/specification/security/_types/RoleDescriptor.ts index 6c8130860b..2df572e6b5 100644 --- a/specification/security/_types/RoleDescriptor.ts +++ b/specification/security/_types/RoleDescriptor.ts @@ -25,7 +25,7 @@ import { ApplicationPrivileges, ClusterPrivilege, GlobalPrivilege, - IndicesPrivileges + IndicesPrivileges, RemoteClusterPrivileges, RemoteIndicesPrivileges } from './Privileges' export class RoleDescriptor { @@ -38,6 +38,19 @@ export class RoleDescriptor { * @aliases index */ indices?: IndicesPrivileges[] + + /** + * A list of indices permissions for remote clusters. + * @availability stack since=8.14.0 + */ + remote_indices?: RemoteIndicesPrivileges[] + + /** + * A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions. + * @availability stack since=8.15.0 + */ + remote_cluster?: RemoteClusterPrivileges[] + /** * An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges. * @availability stack 
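Review bot: In the `RemoteClusterPrivileges` hunk (`@@ -252,6 +274,20 @@`), the class comment repeats the `ClusterPrivilegeForRemote` description word for word, so the generated schema describes an entry type as if it were the privilege list. Something like `/** A set of remote cluster aliases together with the cluster-level privileges granted on them. */` would describe what the class holds. The class also has no `@availability` tag, although every field that uses it is `since=8.15.0`; if the spec allows class-level tags here, adding `@availability stack since=8.15.0` keeps the two consistent.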
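Review bot: The import edit in `RoleDescriptor.ts` (`@@ -25,7 +25,7 @@`) puts `IndicesPrivileges, RemoteClusterPrivileges, RemoteIndicesPrivileges` on one line, while the rest of the list has one name per line. The same pattern appears in the import hunks of `get_role/types.ts` and `put_role/SecurityPutRoleRequest.ts`. The new import in `SecurityGetBuiltinPrivilegesResponse.ts` also differs from the line above it by using double quotes, a trailing semicolon and no spaces inside the braces. Running the repository formatter should normalise all four; for the last one the result would be `import { ClusterPrivilege, ClusterPrivilegeForRemote } from '@security/_types/Privileges'`. The import statement in this hunk starts outside the visible lines.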
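Review bot: The `remote_cluster` description added in `RoleDescriptor` (`@@ -38,6 +38,19 @@`) reads "this is limited a subset of the cluster permissions", which is missing a word. The same sentence appears in the `RoleDescriptorRead` hunk and is carried into the generated `schema.json`. Suggested wording: `A list of cluster permissions for remote clusters. Note - this is limited to a subset of the cluster permissions.` Since the restriction is the security-relevant part of the sentence, it could also name the type that lists the allowed values, `ClusterPrivilegeForRemote`.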
@@ -73,6 +86,17 @@ export class RoleDescriptorRead implements OverloadOf { * @aliases index */ indices: IndicesPrivileges[] + /** + * A list of indices permissions for remote clusters. + * @availability stack since=8.14.0 + */ + remote_indices?: RemoteIndicesPrivileges[] + + /** + * A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions. + * @availability stack since=8.15.0 + */ + remote_cluster?: RemoteClusterPrivileges[] /** * An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges. */ diff --git a/specification/security/get_builtin_privileges/SecurityGetBuiltinPrivilegesResponse.ts b/specification/security/get_builtin_privileges/SecurityGetBuiltinPrivilegesResponse.ts index eaf9009d13..f72456f9e8 100644 --- a/specification/security/get_builtin_privileges/SecurityGetBuiltinPrivilegesResponse.ts +++ b/specification/security/get_builtin_privileges/SecurityGetBuiltinPrivilegesResponse.ts @@ -18,7 +18,8 @@ */ import { IndexName } from '@_types/common' +import {ClusterPrivilege, ClusterPrivilegeForRemote} from "@security/_types/Privileges"; export class Response { - body: { cluster: string[]; index: IndexName[] } + body: { cluster: ClusterPrivilege[]; index: IndexName[]; remote_cluster: ClusterPrivilegeForRemote[] } } diff --git a/specification/security/get_role/types.ts b/specification/security/get_role/types.ts index 1ba672b074..080de468b5 100644 --- a/specification/security/get_role/types.ts +++ b/specification/security/get_role/types.ts 
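Review bot: In `SecurityGetBuiltinPrivilegesResponse.ts` (`@@ -18,7 +18,8 @@`), `remote_cluster` is added as a required response field with no `@availability` tag, and the generated schema records it as `"required": true` with no version. A cluster that predates the field would then fail strict response validation, so consider `remote_cluster?:` or an `@availability stack since=<VERSION>` tag on it; the correct version is not visible on this page. Separately, the generated `SecurityClusterPrivilegeForRemote` type is a closed union, whereas `SecurityClusterPrivilege` ends in `| string`. A newer server that returns an additional remote privilege here would therefore not fit the type. If that difference is intended for the request side only, it is worth a short comment on the response field.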
@@ -18,8 +18,8 @@ */ import { - ApplicationPrivileges, - IndicesPrivileges + ApplicationPrivileges, ClusterPrivilege, + IndicesPrivileges, RemoteClusterPrivileges, RemoteIndicesPrivileges } from '@security/_types/Privileges' import { RoleTemplate } from '@security/_types/RoleTemplate' import { Dictionary } from '@spec_utils/Dictionary' @@ -27,8 +27,16 @@ import { UserDefinedValue } from '@spec_utils/UserDefinedValue' import { Metadata } from '@_types/common' export class Role { - cluster: string[] + cluster: ClusterPrivilege[] indices: IndicesPrivileges[] + /** + * @availability stack since=8.14.0 + */ + remote_indices?: RemoteIndicesPrivileges[] + /** + * @availability stack since=8.15.0 + */ + remote_cluster?: RemoteClusterPrivileges[] metadata: Metadata run_as: string[] transient_metadata?: Dictionary diff --git a/specification/security/put_role/SecurityPutRoleRequest.ts b/specification/security/put_role/SecurityPutRoleRequest.ts index e8ada073d5..ff70fdf357 100644 --- a/specification/security/put_role/SecurityPutRoleRequest.ts +++ b/specification/security/put_role/SecurityPutRoleRequest.ts @@ -20,7 +20,7 @@ import { ApplicationPrivileges, ClusterPrivilege, - IndicesPrivileges, + IndicesPrivileges, RemoteClusterPrivileges, RemoteIndicesPrivileges } from '@security/_types/Privileges' import { Dictionary } from '@spec_utils/Dictionary' @@ -74,6 +74,12 @@ export interface Request extends RequestBase { * */ remote_indices?: RemoteIndicesPrivileges[] + /** + * A list of remote cluster permissions entries. + * @availability stack since=8.15.0 + * + */ + remote_cluster?: RemoteClusterPrivileges[] /** * Optional metadata. Within the metadata object, keys that begin with an underscore (`_`) are reserved for system use. */
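Review bot: The two fields added to `Role` in `get_role/types.ts` (`@@ -27,8 +27,16 @@`) have only an `@availability` tag, so the generated schema entries for `remote_indices` and `remote_cluster` on this type have no description. The role-descriptor types in the same commit already have suitable text that can be reused: `A list of indices permissions for remote clusters.` and `A list of cluster permissions for remote clusters. Note - this is limited to a subset of the cluster permissions.` The class body continues outside the hunk.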