@vibecodr/cli 1.0.13 → 1.0.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +9 -1
- package/README.md +7 -1
- package/dist/commands/status.d.ts.map +1 -1
- package/dist/commands/status.js +28 -2
- package/dist/commands/status.js.map +1 -1
- package/dist/dryrun-logpush-check/README.md +1 -0
- package/dist/dryrun-logpush-check/worker.js +41512 -0
- package/dist/dryrun-logpush-check/worker.js.map +8 -0
- package/dist/legacy/cli/run.d.ts.map +1 -1
- package/dist/legacy/cli/run.js +420 -22
- package/dist/legacy/cli/run.js.map +1 -1
- package/dist/legacy/core/contracts.d.ts +76 -4
- package/dist/legacy/core/contracts.d.ts.map +1 -1
- package/dist/legacy/core/contracts.js +54 -3
- package/dist/legacy/core/contracts.js.map +1 -1
- package/dist/legacy/core/validators.js +1 -1
- package/dist/legacy/core/validators.js.map +1 -1
- package/dist/legacy/core/version.d.ts +2 -2
- package/dist/legacy/core/version.js +1 -1
- package/docs/API-CONTRACT.md +76 -10
- package/docs/CLOUDFLARE-PRIMITIVE-FIT.md +59 -4
- package/docs/VALIDATION-MATRIX.md +3 -3
- package/docs/commands.md +15 -2
- package/docs/legacy/COMPLETION-AUDIT.md +3 -3
- package/docs/legacy/vc-tools-finetune.md +1 -2
- package/package.json +1 -1
|
@@ -11,7 +11,7 @@ artifacts and tests.
|
|
|
11
11
|
| CLI login and auth diagnostics | `vibecodr login`, `vibecodr auth status`, `vibecodr auth diagnose`, `vibecodr auth export-agent-env`, safe generic credential file/stdin forms | tests verify browser/device auth starts when no credential is provided, `start` recovers from unreadable stored approval state by opening the normal browser login path, cost-bearing browser commands treat unreadable stored approval as missing auth instead of failing on credential storage shape, the private device code is never printed or stored, approval metadata points to `/settings/vc-tools/approve`, `--no-input` refuses interactive login without network calls, direct token grant caching, generic credential classification for Clerk OAuth/API-key exchange through Vibecodr Auth, durable API-key/OAuth local storage, expired grant refresh from stored API keys, file/stdin credential paths, one-off env credential auth without persistence, status reporting for active credential sources without exposing internal profiles, ambiguous credential denial, redaction, optional API verification, explicit file-store test mode, friendly expired-login errors, isolated config warnings, strict-permission agent credential-file export without printing the secret, and no stored-token forwarding to insecure local API URLs unless explicitly allowed |
|
|
12
12
|
| Remote agent connection setup | `vibecodr agent connect`, advanced `vibecodr connect` | tests verify Streamable HTTP metadata, agent-native tool names, no token leakage, and refusal to write bare named-client configs for `tools.vibecodr.space/mcp` until a supported `vc_tools` client auth flow is proven |
|
|
13
13
|
| Remote MCP tool server | `/mcp` in `src/hosted/worker.ts` | tests verify protected-resource discovery, Bearer `WWW-Authenticate` challenge metadata, MCP `initialize`, `tools/list`, and `tools/call` JSON-RPC contract flow with agent-native `browser.*`, `computer.*`, `work.*`, `proof.*`, and `usage.status` tool names mapped to hosted canonical capabilities |
|
|
14
|
-
| Browser render/screenshot/markdown/PDF tests, crawl, snapshot,
|
|
14
|
+
| Browser render/screenshot/markdown/PDF tests, crawl, snapshot, paid agent tasks, and live Agent Browser sessions | `vibecodr browser *`, `vibecodr browser session *`, advanced `vibecodr tools test browser.*`, `/v1/browser/sessions`, MCP `browser.session.*` tools | tests verify capability aliases including `browser.snapshot`, canonical browser/crawl/session payloads, default submit/wait behavior, artifact handles and ready-to-run proof commands in completed output, `--local` default proof saving, `--out` destination proof saving, Creator `browser.agent_task` acceptance up to 20 minutes, Pro acceptance up to 1 hour, Free denial, Quick Actions staying short, real Agent Browser open/observe/action/close behavior through Cloudflare Browser Run session reuse, fresh screenshot proof on observe/action, token-gated human auth handoff URLs into the main Vibecodr route when configured, token-gated Worker JSON for that route, handoff completion/revocation state, paused agent controls during human control, provider session/token redaction from normal job/API output, browser-minute usage on close, HTTPS-only validation, localhost/private/internal denial with safe-next-action messaging, URL credential denial, direct cookie/header/storage-state auth material denial, IPv4/IPv6 private, link-local, mapped, NAT64, and 6to4 denial, hosted unsafe redirect-chain denial before cost-bearing dispatch, and Workflow dispatch for paid browser agent tasks |
|
|
15
15
|
| Agent Computer run/tests | `vibecodr computer run/test`, advanced `vibecodr tools test sandbox.*`, hosted Sandbox SDK queue execution | tests verify no local shell execution, bounded command payload, default submit/wait behavior, artifact handles and ready-to-run proof commands in completed output, `--local` default proof saving, `--out` destination proof saving, public HTTP(S) package/docs egress by default for paid Agent Computer jobs, explicit `--network public`/`--network off` payloads, no private-network opt-in flag, no per-command host allowlist requirement, Cloudflare host policy plus hosted outbound handler denial for private/local/internal destinations and private-resolving DNS, per-command Sandbox SDK timeout forwarding, timeout/fork-storm failure cleanup through sandbox teardown, minimal sandbox env injection, stdout/stderr truncation, sandbox-returned files/output-file paths ignored in favor of one fixed transcript artifact, artifact storage accounting, and sandbox-minute metering |
|
|
16
16
|
| Proof store/read/save/delete | `vibecodr proof list/show/save/delete`, advanced `vibecodr artifacts list/get/pull/create/delete` | tests verify metadata shape, bounded list limits, safe filenames, overwrite guard, explicit in-workspace pull file targets, automatic proof saving from browser/computer aliases and `work follow --local`/`--out`, explicit confirmation before delete, actor-scoped hosted deletion of D1 shelf rows plus R2 bytes, hosted plan-owned upload caps, hard total artifact storage caps, R2 cleanup after D1 reservation races, workspace-bounded upload/download paths, and symlink/junction escape denial |
|
|
17
17
|
| Work status/cancel/list | `vibecodr work list/show/follow/cancel`, advanced `vibecodr jobs list/status/cancel` | tests verify list limit propagation, ID validation, alias routing, real follow polling until terminal status, optional terminal proof saving, queued fairness-delay metadata in status output, and `--yes` on cancellation |
|
|
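Review bot: In the changed row at new line 14, the Agent Browser handoff is covered only as "token-gated human auth handoff URLs" and "handoff completion/revocation state"; nothing in the row says the tests check that a handoff URL is rejected after completion or revocation, after expiry, or when presented by a different actor. Since that URL gives a human control of a hosted browser that may end up signed in, I'd add those negative cases to the verified list explicitly. The row also now packs one-shot browser jobs, paid agent tasks and live sessions into a single cell; giving `vibecodr browser session *` its own row would make the matrix easier to audit.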
@@ -32,9 +32,9 @@ artifacts and tests.
|
|
|
32
32
|
| Browser Run timeout mapping | `src/hosted/worker.ts` Quick Action payload builders and Browser Session navigation | hosted tests verify Quick Action `goToOptions.timeout` clamps to 60s, non-PDF Quick Actions stay on a minimal provider-compatible payload without top-level `actionTimeout`, PDF keeps its documented `pdfOptions.timeout`, dynamic public-page navigation uses Cloudflare's recommended `networkidle2` default instead of the stricter `networkidle0`, Browser Sessions launch with bounded `keep_alive`, and Browser Session large-page navigation timeout failures close the browser, mark the job failed, and do not write artifacts or browser-minute usage |
|
|
33
33
|
| Browser Run crawl provider path | `browser.crawl_site`, hosted `/crawl` Quick Action integration | CLI tests verify `browser.crawl` payloads; hosted tests verify crawl start, result fetch, artifact storage, browser-minute usage, and crawl-page usage |
|
|
34
34
|
| Browser Run provider retry/defer | `src/hosted/worker.ts` queue failure handling | hosted tests verify provider 429 responses return jobs to queued/retryable state and do not mark them failed on first rate-limit pressure |
|
|
35
|
-
| Human-use security hardening | CLI and hosted Worker trust-boundary controls | tests verify insecure local API opt-in, workspace-bounded artifacts including symlink/junction denial, scoped Vibecodr CLI grants with per-tool capability scopes, actor-scoped live job/artifact/usage/audit SQL, DNS address-record and redirect-chain enforcement with denial metrics, authenticated-browser material denial, Browser Run Quick Action routing and metered time, crawl metering, paid sandbox public HTTP(S) egress with private/local/internal denial, quota denial metrics, pre-execution and during-execution cancellation guards, hard artifact storage caps, D1/R2 artifact write cleanup, explicit artifact deletion cleanup, and retention-backed artifact expiry |
|
|
35
|
+
| Human-use security hardening | CLI and hosted Worker trust-boundary controls | tests verify insecure local API opt-in, workspace-bounded artifacts including symlink/junction denial, scoped Vibecodr CLI grants with per-tool capability scopes, actor-scoped live job/artifact/usage/audit SQL, DNS address-record and redirect-chain enforcement with denial metrics, authenticated-browser material denial, token-hashed Agent Browser handoff with no raw cookie/header/storage-state lane, Browser Run Quick Action routing and metered time, crawl metering, paid sandbox public HTTP(S) egress with private/local/internal denial, quota denial metrics, pre-execution and during-execution cancellation guards, hard artifact storage caps, D1/R2 artifact write cleanup, explicit artifact deletion cleanup, and retention-backed artifact expiry |
|
|
36
36
|
| Hosted API/MCP scaffold | `src/hosted/worker.ts`, `wrangler.jsonc`, `migrations/0001_live_schema.sql`, `migrations/0002_actor_scope.sql`, `migrations/0003_quota_reservations.sql`, `migrations/0004_sandbox_quota_reservations.sql`, `migrations/0005_operator_alert_dedupe.sql`, `migrations/0006_scheduled_qa.sql`, `migrations/0007_job_queue_metadata.sql` | `npm run check:worker` and `test/hosted-worker.test.ts` verify health, auth fail-closed behavior, OAuth discovery routes that do not emit `auth.failed`, auth-failure audit metrics, user-safe public readiness, protected inspection/dashboard routes, scoped CLI grants, capability-scope denial, MCP protected-resource metadata, MCP auth challenge headers, MCP metadata, MCP tool flow, dashboard contract, actor-scoped live acceptance, atomic quota reservation including sandbox seconds and parallel race conflict handling, queued-ahead metadata without interactive fairness delay, Workflow-owned paid agent browser dispatch without a Queue binding, Queue rejection for Browser Agent execution, Browser Run Quick Action hard-cap deferral, Browser Session hard-cap deferral, Sandbox hard-cap deferral, provider retry/defer handling, Browser Run large-page timeout bounds, failed-job DLQ retry-boundary behavior without provider re-execution, exhausted failed-job loop prevention, scheduled Queue/DLQ/artifact-storage/retention-cleanup/execution-health/auth-failure/Cloudflare-spend alerting, unexpected hosted 500 alerting, crawl artifacts, scheduled QA config/create/list/run-now enqueue/cron enqueue, sandbox execution timeout/env/output/teardown behavior, sandbox timeout/fork-storm failure cleanup, sandbox-returned file/path suppression, sandbox reservation reconciliation, unsafe redirect rejection before cost-bearing dispatch, D1-backed operator alert dedupe, and contract-mode tool acceptance |
|
|
37
|
-
| Live Cloudflare provider | `src/hosted/worker.ts`, `wrangler.jsonc`, `Dockerfile`, `migrations/0001_live_schema.sql`, `migrations/0002_actor_scope.sql`, `migrations/0003_quota_reservations.sql`, `migrations/0004_sandbox_quota_reservations.sql`, `migrations/0005_operator_alert_dedupe.sql`, `migrations/0006_scheduled_qa.sql`, `migrations/0007_job_queue_metadata.sql` | hosted-required for live releases: apply all migrations, set Browser Run Quick Actions secrets and `BROWSER_AGENT_WORKFLOW`, deploy, then smoke health, authenticated login, real Quick Action browser job, real scheduled QA create/list/run-now enqueue/job-readback/monthly-cap denial plus natural cron-tick readback at a real trigger time, real Creator browser agent-task job through `BROWSER_AGENT_WORKFLOW`/`BROWSER`, real Pro browser agent-task job through `BROWSER_AGENT_WORKFLOW`/`BROWSER`, real crawl job, real Creator `standard-1` sandbox job capped at 10 minutes, real Pro `standard-2` sandbox job capped at 30 minutes, R2 artifact download, actor-scoped user-safe usage, crawl-page usage, sandbox-second quota denial, operator-alert dedupe/readback on operator surfaces, COGS dashboard readback, and audit rows against `https://tools.vibecodr.space` |
|
|
37
|
+
| Live Cloudflare provider | `src/hosted/worker.ts`, `wrangler.jsonc`, `Dockerfile`, `migrations/0001_live_schema.sql`, `migrations/0002_actor_scope.sql`, `migrations/0003_quota_reservations.sql`, `migrations/0004_sandbox_quota_reservations.sql`, `migrations/0005_operator_alert_dedupe.sql`, `migrations/0006_scheduled_qa.sql`, `migrations/0007_job_queue_metadata.sql` | hosted-required for live releases: apply all migrations, set Browser Run Quick Actions secrets and `BROWSER_AGENT_WORKFLOW`, deploy, then smoke health, authenticated login, real Quick Action browser job, real Agent Browser open/auth handoff/complete/revoke/close loop through Cloudflare Live View, real scheduled QA create/list/run-now enqueue/job-readback/monthly-cap denial plus natural cron-tick readback at a real trigger time, real Creator browser agent-task job through `BROWSER_AGENT_WORKFLOW`/`BROWSER`, real Pro browser agent-task job through `BROWSER_AGENT_WORKFLOW`/`BROWSER`, real crawl job, real Creator `standard-1` sandbox job capped at 10 minutes, real Pro `standard-2` sandbox job capped at 30 minutes, R2 artifact download, actor-scoped user-safe usage, crawl-page usage, sandbox-second quota denial, operator-alert dedupe/readback on operator surfaces, COGS dashboard readback, and audit rows against `https://tools.vibecodr.space` |
|
|
38
38
|
| Cloudflare dynamic primitive fit | `docs/CLOUDFLARE-PRIMITIVE-FIT.md`, `docs/API-CONTRACT.md`, `wrangler.jsonc` | docs verify Cloudflare Workflows are the v1 durable `browser.agent_task` lane; Dynamic Workers/Facets/Dynamic Workflows remain future supervised dynamic-code capabilities, not replacements for v1 Browser Run Quick Actions, Sandbox SDK, D1, R2, Queue/DLQ, or platform-owned quota/audit/billing authority |
|
|
39
39
|
| Production-grade packaging | build, typecheck, test, explicit npm exports, CLI-only runtime dependencies, pack verifier, CI | `npm run verify`; pack verifier rejects `docs/`, hosted Worker source, migrations, deployment config, tests, scripts, and Cloudflare primitive runtime dependencies from the public npm artifact |
|
|
40
40
|
| Inspectable goal coverage | `vibecodr inspect`, `src/legacy/core/goal-coverage.ts` | `npm run verify:release` and `test/legacy/cli.behavior.test.ts` verify coverage output |
|
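Review bot: The hardening row (new line 35) adds "token-hashed Agent Browser handoff with no raw cookie/header/storage-state lane", but the Hosted API/MCP scaffold row at line 36 still lists migrations 0001 through 0007 and its verified list does not mention handoff at all, so the matrix does not show where the hashed token and the completion/revocation state are stored or which hosted test covers them. Please either name the storage and the test in the scaffold row or say that no schema change was needed. In the Live Cloudflare provider row (new line 37), the smoke step "open/auth handoff/complete/revoke/close loop" would be stronger if it stated that the handoff URL is confirmed to be rejected after revoke and after close.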
package/docs/commands.md
CHANGED
|
@@ -115,10 +115,23 @@ Prints (`--print`) the MCP connection details for the hosted Agent Computer. The
|
|
|
115
115
|
- `browser pdf <https-url> [--local|--out ./proof] [--no-wait] [--details]`
|
|
116
116
|
- `browser crawl <https-url> [--max-pages n] [--max-depth n] [--local|--out ./proof]`
|
|
117
117
|
- `browser snapshot <https-url> [--local|--out ./proof]`
|
|
118
|
-
-
|
|
118
|
+
- `browser notes <https-url> --note <text> [--local|--out ./proof]`
|
|
119
|
+
- `browser session open <https-url> [--timeout-ms <ms>] [--idle-timeout-ms <ms>]`
|
|
120
|
+
- `browser session observe <sessionId>`
|
|
121
|
+
- `browser session goto <sessionId> <https-url>`
|
|
122
|
+
- `browser session click <sessionId> --selector <css>`
|
|
123
|
+
- `browser session type <sessionId> --selector <css> --text <text>`
|
|
124
|
+
- `browser session scroll <sessionId> [--delta-y 800]`
|
|
125
|
+
- `browser session wait <sessionId> [--ms 1000]`
|
|
126
|
+
- `browser session live <sessionId> [--no-open] [--debug|--view devtools]`
|
|
127
|
+
- `browser session auth <sessionId> [--no-open] [--debug|--view devtools]`
|
|
128
|
+
- `browser session auth-status <sessionId>`
|
|
129
|
+
- `browser session auth-complete <sessionId>`
|
|
130
|
+
- `browser session auth-revoke <sessionId>`
|
|
131
|
+
- `browser session close <sessionId>`
|
|
119
132
|
|
|
120
133
|
Public HTTPS URLs only. Localhost, private network ranges, URL credentials, and internal hostnames are blocked before any hosted work is submitted. `--no-wait` returns immediately with a `jobId` you can follow via `vibecodr work follow`. `--details` includes capability metadata in the response.
|
|
121
|
-
Use `--local` to save
|
|
134
|
+
Use `--local` to save completed one-shot outputs into `./vibecodr-proof` automatically, or `--out` when you want to choose the destination. Automatic output saves are workspace-bounded; if `--out` points outside the current workspace, Vibecodr writes to `./.vibecodr/browser-artifacts/<run>` instead and returns a warning. `browser snapshot` captures page state; it does not prompt an agent or model. `browser notes` saves your note with the snapshot. `browser session` opens a hosted Agent Browser that the agent can observe and control until it is closed or idle; each observe/action returns fresh screenshot proof. `browser session live` opens the watch page without pausing the agent. `browser session auth` opens the same live page with human control already active for login, MFA, CAPTCHA, or another human-only step before handing the same hosted browser back. The live page lets the owner watch, take over, give back, or end the browser. It defaults to the plain browser tab; add `--debug` or `--view devtools` only when an agent/developer needs the inspector panel.
|
|
122
135
|
|
|
123
136
|
## Hosted computer (H)
|
|
124
137
|
|
|
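Review bot: `browser session type <sessionId> --selector <css> --text <text>` (new line 123) takes the typed text as a command-line argument, and the paragraph at new line 134 never says it must not carry passwords or one-time codes; anything passed this way lands in shell history and process listings. Suggest a sentence that credentials go through `browser session auth` only, and consider a stdin form for `--text`. Two smaller gaps in the same paragraph: it does not say whether the "Public HTTPS URLs only" rule at line 133 is re-applied to `browser session goto` and to navigations triggered by `click`, and it does not say how long the page opened by `session live` or `session auth` stays valid, or whether the URL is printed when `--no-open` is set and, if so, that it should be handled as a secret.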
@@ -504,7 +504,7 @@ is captured.
|
|
|
504
504
|
|
|
505
505
|
- `vc-tools-finetune.md` now captures the combined founder/agent critique for
|
|
506
506
|
the v1 surface: split human/agent/operator contracts, remove default
|
|
507
|
-
operator/roadmap metadata, make proof saving automatic, make
|
|
507
|
+
operator/roadmap metadata, make proof saving automatic, make the note helper
|
|
508
508
|
honest as a snapshot lane, improve safety denials, and add a first-success
|
|
509
509
|
`try` command.
|
|
510
510
|
- The default hosted/user surfaces now filter internal and operator metadata:
|
|
@@ -519,8 +519,8 @@ is captured.
|
|
|
519
519
|
until terminal and can save terminal proof. `vc-tools try` verifies auth,
|
|
520
520
|
hosted API, public Browser work, hosted computer work, proof saving, and
|
|
521
521
|
usage readback. `browser snapshot` is the honest name for the
|
|
522
|
-
`browser.agent_task` snapshot lane;
|
|
523
|
-
alias with explicit copy that it
|
|
522
|
+
`browser.agent_task` snapshot lane; the previous command spelling remains a
|
|
523
|
+
compatibility alias with explicit copy that it saves a note with the snapshot.
|
|
524
524
|
- Local verification passed on 2026-05-17 with `npm run verify`, including CLI
|
|
525
525
|
and Worker type checks, full tests, build, package artifact verification,
|
|
526
526
|
goal coverage, and release-readiness gate. Focused checks also passed for
|
|
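Review bot: "the previous command spelling remains a compatibility alias" (new lines 522-523) does not name the spelling, so a reader of this audit cannot grep for it or tell which alias is still accepted. Name the alias in backticks, and state whether it prints a deprecation notice.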
@@ -552,7 +552,7 @@ consented private-network connector.
|
|
|
552
552
|
```text
|
|
553
553
|
Blocked for safety: browser calls cannot include cookies, credentials, auth
|
|
554
554
|
headers, storage state, or secrets. Use a public page, or connect an
|
|
555
|
-
|
|
555
|
+
Agent Browser live session when a human needs to sign in.
|
|
556
556
|
```
|
|
557
557
|
|
|
558
558
|
Acceptance tests:
|
|
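Review bot: The new denial copy at line 555 tells the user to connect "an Agent Browser live session when a human needs to sign in", but the command reference in this release separates `browser session live` (watch without pausing the agent) from `browser session auth` (human control for login, MFA, CAPTCHA). As worded, the message points toward the wrong one. Suggest naming the command in the message, for example `vibecodr browser session auth <sessionId>`, and checking that the acceptance tests that follow the block assert the new wording.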
@@ -979,4 +979,3 @@ required.
|
|
|
979
979
|
`--dry-run` to plan without writing.
|
|
980
980
|
- `vc-tools dashboard` opens the dashboard URL in the local browser unless
|
|
981
981
|
`--no-open`, `--json`, `--quiet`, or `--no-input` is set.
|
|
982
|
-
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@vibecodr/cli",
|
|
3
|
-
"version": "1.0.
|
|
3
|
+
"version": "1.0.15",
|
|
4
4
|
"description": "The official Vibecodr CLI: hosted browser, hosted computer, capsule uploads, Pulse operations, and agent-client MCP setup under one command.",
|
|
5
5
|
"license": "Apache-2.0",
|
|
6
6
|
"type": "module",
|
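Review bot: The version moves to 1.0.15 as a patch release, yet the same diff adds a new command family (`browser session open`, `observe`, `goto`, `click`, `type` and the `auth*` subcommands) and names a new `/v1/browser/sessions` surface in the validation matrix; a minor bump would signal the added surface to anyone pinning to patch updates. Separately, the file list for this release shows `package/dist/dryrun-logpush-check/worker.js` entering the package at +41512 lines, while the packaging row in the validation matrix says the pack verifier rejects hosted Worker source from the public npm artifact; worth confirming that bundle is meant to ship.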