libretto 0.6.16 → 0.6.17

package/dist/shared/html-search/search-html.js

@@ -0,0 +1,46 @@
+import { condenseDom } from "../condense-dom/condense-dom.js";
+const DEFAULT_CONTEXT_LINES = 4;
+const DEFAULT_MATCH_LIMIT = 8;
+function formatHtmlForSearch(html) {
+  const condensed = condenseDom(html).html;
+  const separated = condensed.replace(/>\s+</g, ">\n<").replace(/(<[^/!][^>]*>)([^<\n][\s\S]*?)(<\/[^>]+>)/g, "$1\n$2\n$3");
+  const lines = separated.split("\n").map((line) => line.trim()).filter((line) => line.length > 0);
+  let indent = 0;
+  return lines.map((line) => {
+    if (/^<\//.test(line)) indent = Math.max(0, indent - 1);
+    const formatted = `${"  ".repeat(indent)}${line}`;
+    if (isOpeningTag(line)) indent += 1;
+    return formatted;
+  }).join("\n");
+}
+function searchFormattedHtml(formattedHtml, pattern, contextLines = DEFAULT_CONTEXT_LINES, matchLimit = DEFAULT_MATCH_LIMIT) {
+  const regex = new RegExp(pattern);
+  const lines = formattedHtml.split("\n");
+  const matchingIndexes = lines.map((line, index) => regex.test(line) ? index : -1).filter((index) => index >= 0).slice(0, matchLimit);
+  const matches = [];
+  for (const matchingIndex of matchingIndexes) {
+    const startLine = Math.max(0, matchingIndex - contextLines);
+    const endLine = Math.min(lines.length - 1, matchingIndex + contextLines);
+    const previous = matches.at(-1);
+    if (previous && startLine <= previous.endLine) {
+      previous.endLine = Math.max(previous.endLine, endLine + 1);
+      previous.lines = lines.slice(previous.startLine - 1, previous.endLine);
+      continue;
+    }
+    matches.push({
+      startLine: startLine + 1,
+      endLine: endLine + 1,
+      lines: lines.slice(startLine, endLine + 1)
+    });
+  }
+  return matches;
+}
+function isOpeningTag(line) {
+  return /^<[^/!?][^>]*>$/.test(line) && !/\/>$/.test(line) && !/^<(area|base|br|col|embed|hr|img|input|link|meta|param|source|track|wbr)\b/i.test(
+    line
+  ) && !/^<[^>]+>.*<\/[^>]+>$/.test(line);
+}
+export {
+  formatHtmlForSearch,
+  searchFormattedHtml
+};

package/dist/shared/html-search/search-html.spec.d.ts

@@ -0,0 +1,2 @@
+
+export {  }

package/dist/shared/html-search/search-html.spec.js

@@ -0,0 +1,57 @@
+import { describe, expect, test } from "vitest";
+import { formatHtmlForSearch, searchFormattedHtml } from "./search-html.js";
+describe("HTML search", () => {
+  test("formats condensed HTML before searching", () => {
+    const formatted = formatHtmlForSearch(
+      '<!doctype html><html><body><main><p data-testid="target">Needle</p></main></body></html>'
+    );
+    expect(formatted).toContain('<p data-testid="target">');
+    expect(formatted).toContain("Needle");
+  });
+  test("returns merged matching regions with context", () => {
+    const formatted = [
+      "<html>",
+      "<body>",
+      "<main>",
+      "<section>",
+      "<h1>Heading</h1>",
+      '<p class="target">Needle</p>',
+      "<p>More content</p>",
+      "</section>",
+      "</main>",
+      "</body>",
+      "</html>"
+    ].join("\n");
+    const matches = searchFormattedHtml(formatted, "Needle", 2);
+    expect(matches).toEqual([
+      {
+        startLine: 4,
+        endLine: 8,
+        lines: [
+          "<section>",
+          "<h1>Heading</h1>",
+          '<p class="target">Needle</p>',
+          "<p>More content</p>",
+          "</section>"
+        ]
+      }
+    ]);
+  });
+  test("limits matching regions before adding context", () => {
+    const formatted = Array.from(
+      { length: 12 },
+      (_value, index) => `<p>Needle ${index}</p>`
+    ).join("\n");
+    const matches = searchFormattedHtml(formatted, "Needle", 0, 8);
+    expect(matches).toEqual([
+      {
+        startLine: 1,
+        endLine: 8,
+        lines: Array.from(
+          { length: 8 },
+          (_value, index) => `<p>Needle ${index}</p>`
+        )
+      }
+    ]);
+  });
+});

package/docs/releasing.md

@@ -47,7 +47,7 @@ The workflow needs `contents: write` to create the GitHub release and tag, and `
 
 After trusted publishing is working, remove any old npm publish token from the repo secrets. npm recommends restricting token-based publishing after the migration.
 
-GitHub release notes are auto-generated from merged pull requests. The release note categories live in `.github/release.yml`, so PR labels control where entries show up in the changelog.
+GitHub release notes are generated by `packages/libretto/scripts/generate-changelog.ts`. The script finds the previous release, compares that tag to the release commit, and passes only the merged PRs in that range to the release notes agent.
 
 ## Prepare a release PR
 
@@ -101,15 +101,9 @@ There is no baseline comparison gate yet. Add one only after the eval records an
 
 The GitHub Releases page is the changelog for this repo.
 
-When the workflow runs `gh release create ... --generate-notes`, GitHub builds the release notes from the merged PRs since the previous release. `.github/release.yml` groups PRs into sections such as Features, Fixes, and Documentation.
+When the workflow runs `pnpm generate-changelog vX.Y.Z`, the script finds the previous GitHub release, compares that tag to the release commit, and extracts PR numbers from the compare commits. The release notes agent can inspect only those PRs with `gh pr view` and `gh pr diff`.
 
-Today the categories map directly to labels that already exist in the repo:
-
-- `enhancement` -> Features
-- `bug` -> Fixes
-- `documentation` -> Documentation
-
-To keep release notes readable, use clear PR titles and apply one of those labels before merging. If a PR should not appear in the changelog, add the `skip-changelog` label.
+To keep release notes readable, use clear PR titles and descriptions before merging. If a PR should not appear in the changelog, add the `skip-changelog` label.
 
 ## Notes
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "libretto",
-  "version": "0.6.16",
+  "version": "0.6.17",
   "description": "AI-powered browser automation library and CLI built on Playwright",
   "license": "MIT",
   "homepage": "https://libretto.sh",
@@ -85,7 +85,7 @@
     "vitest": "^4.1.5"
   },
   "dependencies": {
-    "affordance": "^0.1.0",
+    "affordance": "workspace:^",
     "ai": "^6.0.116",
     "esbuild": "^0.27.0",
     "playwright": "^1.58.2",

package/scripts/generate-changelog.ts

@@ -15,8 +15,195 @@ if (!process.env.ANTHROPIC_API_KEY) {
   process.exit(1);
 }
 
-const ALLOWED_GH_SUBCOMMANDS = new Set(["pr", "release", "repo", "issue"]);
-const ALLOWED_ACTIONS = new Set(["list", "view", "diff", "status", "checks"]);
+const ALLOWED_GH_SUBCOMMANDS = new Set(["pr"]);
+const ALLOWED_ACTIONS = new Set(["view", "diff"]);
+const SQUASH_MERGE_PR_NUMBER_PATTERN = /\(#(?<number>\d+)\)\s*$/;
+const MERGE_COMMIT_PR_NUMBER_PATTERN = /^Merge pull request #(?<number>\d+) /;
+
+interface GitHubRelease {
+  tagName: string;
+  isDraft?: boolean;
+  publishedAt?: string;
+}
+
+interface CompareCommit {
+  commit: {
+    message: string;
+  };
+}
+
+interface CompareResponse {
+  commits: CompareCommit[];
+}
+
+interface PullRequestLabel {
+  name: string;
+}
+
+interface PullRequestFile {
+  path: string;
+}
+
+interface PullRequestDetails {
+  number: number;
+  title: string;
+  body?: string | null;
+  mergedAt?: string | null;
+  url: string;
+  labels: PullRequestLabel[];
+  files: PullRequestFile[];
+}
+
+interface ReleaseContext {
+  previousTag: string;
+  currentRef: string;
+  pullRequests: PullRequestDetails[];
+}
+
+function runGh(args: string[]): string {
+  return execFileSync("gh", args, {
+    encoding: "utf8",
+    timeout: 300_000,
+    maxBuffer: 1024 * 1024,
+  });
+}
+
+function runGit(args: string[]): string {
+  return execFileSync("git", args, {
+    encoding: "utf8",
+    timeout: 300_000,
+    maxBuffer: 1024 * 1024,
+  }).trim();
+}
+
+function parseJson<T>(json: string): T {
+  return JSON.parse(json) as T;
+}
+
+function getRepoNameWithOwner(): string {
+  if (process.env.GITHUB_REPOSITORY) {
+    return process.env.GITHUB_REPOSITORY;
+  }
+
+  return runGh(["repo", "view", "--json", "nameWithOwner", "-q", ".nameWithOwner"]).trim();
+}
+
+function getPreviousReleaseTag(currentTag: string): string {
+  const releases = parseJson<GitHubRelease[]>(
+    runGh(["release", "list", "--limit", "50", "--json", "tagName,isDraft,publishedAt"]),
+  ).filter((release) => !release.isDraft);
+
+  const currentIndex = releases.findIndex((release) => release.tagName === currentTag);
+  if (currentIndex >= 0) {
+    const previousRelease = releases[currentIndex + 1];
+    if (previousRelease) {
+      return previousRelease.tagName;
+    }
+  }
+
+  const previousRelease = releases.find((release) => release.tagName !== currentTag);
+  if (previousRelease) {
+    return previousRelease.tagName;
+  }
+
+  throw new Error(`Could not find a previous GitHub release before ${currentTag}.`);
+}
+
+function getCurrentRef(currentTag: string): string {
+  try {
+    const release = parseJson<{ targetCommitish: string }>(
+      runGh(["release", "view", currentTag, "--json", "targetCommitish"]),
+    );
+    if (release.targetCommitish) {
+      return release.targetCommitish;
+    }
+  } catch {
+    // The release does not exist yet when this runs in the release workflow.
+  }
+
+  if (process.env.GITHUB_SHA) {
+    return process.env.GITHUB_SHA;
+  }
+
+  return runGit(["rev-parse", "HEAD"]);
+}
+
+function collectMergedPullRequestNumbers(repoNameWithOwner: string, previousTag: string, currentRef: string): number[] {
+  const compare = parseJson<CompareResponse>(
+    runGh(["api", `repos/${repoNameWithOwner}/compare/${previousTag}...${currentRef}`]),
+  );
+  const numbers: number[] = [];
+  const seen = new Set<number>();
+
+  for (const compareCommit of compare.commits) {
+    const firstLine = compareCommit.commit.message.split("\n", 1)[0] ?? "";
+    const match = SQUASH_MERGE_PR_NUMBER_PATTERN.exec(firstLine) ?? MERGE_COMMIT_PR_NUMBER_PATTERN.exec(firstLine);
+    if (!match?.groups?.number) {
+      continue;
+    }
+
+    const number = Number(match.groups.number);
+    if (!seen.has(number)) {
+      seen.add(number);
+      numbers.push(number);
+    }
+  }
+
+  return numbers;
+}
+
+function getPullRequestDetails(number: number): PullRequestDetails {
+  return parseJson<PullRequestDetails>(
+    runGh([
+      "pr",
+      "view",
+      String(number),
+      "--json",
+      "number,title,body,mergedAt,url,labels,files",
+    ]),
+  );
+}
+
+function shouldIncludePullRequest(pr: PullRequestDetails): boolean {
+  const labelNames = new Set(pr.labels.map((label) => label.name));
+  if (labelNames.has("release") || labelNames.has("skip-changelog")) {
+    return false;
+  }
+
+  return !pr.title.toLowerCase().startsWith("release:");
+}
+
+function buildReleaseContext(currentTag: string): ReleaseContext {
+  const repoNameWithOwner = getRepoNameWithOwner();
+  const previousTag = getPreviousReleaseTag(currentTag);
+  const currentRef = getCurrentRef(currentTag);
+  const pullRequests = collectMergedPullRequestNumbers(repoNameWithOwner, previousTag, currentRef)
+    .map((number) => getPullRequestDetails(number))
+    .filter(shouldIncludePullRequest);
+
+  if (pullRequests.length === 0) {
+    throw new Error(`No changelog-eligible PRs found in ${previousTag}...${currentRef}.`);
+  }
+
+  return { previousTag, currentRef, pullRequests };
+}
+
+const releaseContext = buildReleaseContext(tag);
+const allowedPullRequestNumbers = new Set(releaseContext.pullRequests.map((pr) => String(pr.number)));
+const pullRequestSummary = releaseContext.pullRequests
+  .map((pr) => {
+    const labels = pr.labels.map((label) => label.name).join(", ") || "none";
+    const files = pr.files.map((file) => file.path).join(", ") || "none";
+    return [
+      `PR #${pr.number}: ${pr.title}`,
+      `Merged at: ${pr.mergedAt ?? "unknown"}`,
+      `Labels: ${labels}`,
+      `Files: ${files}`,
+      `Body:\n${pr.body?.trim() || "(empty)"}`,
+    ].join("\n");
+  })
+  .join("\n\n");
+
 const GhToolParamsSchema = Type.Object({
   args: Type.String({ description: "Arguments to pass to gh (without the leading 'gh')" }),
 });
@@ -28,9 +215,9 @@ const ghTool: AgentTool = {
   label: "GitHub CLI",
   description: [
     "Run a read-only GitHub CLI command. The arguments are passed directly to `gh`.",
-    "Examples: 'release list --limit 5', 'pr list --state merged --json number,title',",
+    "Examples:",
     "'pr view 128 --json title,body,files', 'pr diff 128'.",
-    "Only read operations are allowed (list, view, diff, etc.). Mutating commands will be rejected.",
+    "Only the release PRs precomputed by the changelog harness can be inspected.",
   ].join(" "),
   parameters: GhToolParamsSchema,
   execute: async (_toolCallId: string, rawParams: unknown) => {
@@ -48,12 +235,16 @@ const ghTool: AgentTool = {
       throw new Error(`Action '${action}' is not allowed. Allowed: ${[...ALLOWED_ACTIONS].join(", ")}`);
     }
 
+    if (subcommand === "pr" && (action === "view" || action === "diff")) {
+      const number = parts[2];
+      if (!number || !allowedPullRequestNumbers.has(number)) {
+        throw new Error(
+          `PR #${number ?? "(missing)"} is outside the ${releaseContext.previousTag}...${releaseContext.currentRef} release range.`,
+        );
+      }
+    }
     try {
-      const output = execFileSync("gh", parts, {
-        encoding: "utf8",
-        timeout: 300_000,
-        maxBuffer: 1024 * 1024,
-      });
+      const output = runGh(parts);
       return { content: [{ type: "text", text: output }], details: {} };
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -67,10 +258,14 @@ const agent = new Agent({
     systemPrompt: [
       `Generate release notes for the ${tag} release of Libretto.`,
       "",
-      "Use the gh tool to explore what changed since the previous release.",
+      `The release range is ${releaseContext.previousTag}...${releaseContext.currentRef}.`,
+      "The changelog harness has already found the merged PRs in that exact range.",
+      "Only write about the PRs listed below. Do not mention open PRs, branches, issues, or other work outside this list.",
+      "",
+      pullRequestSummary,
+      "",
+      "Use the gh tool to inspect the listed PRs before writing notes.",
       "Useful queries:",
-      "- 'release list --limit 5' to find the previous release tag",
-      "- 'pr list --state merged --limit 50 --json number,title,body,labels' to find merged PRs",
       "- 'pr diff NUMBER' to see the full diff of a PR (base to head, not individual commits)",
       "- 'pr view NUMBER --json title,body,files' to see PR details",
       "",

package/skills/libretto/SKILL.md

@@ -4,7 +4,7 @@ description: "Browser automation CLI for building, maintaining, and running brow
 license: MIT
 metadata:
   author: saffron-health
-  version: "0.6.16"
+  version: "0.6.17"
 ---
 
 ## How Libretto Works
@@ -25,14 +25,17 @@ Full documentation is published at [libretto.sh](https://libretto.sh). Available
 - CLI reference: [open and connect](https://libretto.sh/docs/reference/cli/open-and-connect), [sessions](https://libretto.sh/docs/reference/cli/sessions), [profiles](https://libretto.sh/docs/reference/cli/profiles), [snapshot](https://libretto.sh/docs/reference/cli/snapshot), [exec](https://libretto.sh/docs/reference/cli/exec), [run and resume](https://libretto.sh/docs/reference/cli/run-and-resume), [session logs](https://libretto.sh/docs/reference/cli/session-logs), [pages](https://libretto.sh/docs/reference/cli/pages)
 - Library API: [workflow](https://libretto.sh/docs/reference/runtime/workflow), [AI extraction](https://libretto.sh/docs/reference/runtime/ai-extraction), [network requests](https://libretto.sh/docs/reference/runtime/network-requests), [file downloads](https://libretto.sh/docs/reference/runtime/file-downloads)
 - Libretto Cloud Hosting: [overview](https://libretto.sh/docs/libretto-cloud-hosting/overview), [authentication](https://libretto.sh/docs/libretto-cloud-hosting/authentication), [deployments](https://libretto.sh/docs/libretto-cloud-hosting/deployments)
-- Alternative providers: [overview](https://libretto.sh/docs/alternative-providers/overview), [Kernel](https://libretto.sh/docs/alternative-providers/kernel), [Browserbase](https://libretto.sh/docs/alternative-providers/browserbase), [GCP](https://libretto.sh/docs/alternative-providers/gcp), [AWS](https://libretto.sh/docs/alternative-providers/aws)
+- Alternative providers: [overview](https://libretto.sh/docs/alternative-providers/overview), [Kernel](https://libretto.sh/docs/alternative-providers/kernel), [Browserbase](https://libretto.sh/docs/alternative-providers/browserbase), [Steel](https://libretto.sh/docs/alternative-providers/steel), [GCP](https://libretto.sh/docs/alternative-providers/gcp), [AWS](https://libretto.sh/docs/alternative-providers/aws)
 
 ## Default Integration Approach
 
-- Use Playwright for navigation and other non-fetch browser behavior, including document and asset loads.
-- Prefer browser-context `fetch()` for data extraction and form submission when the target is a real site fetch/XHR endpoint and `references/site-security-review.md` says the path is safe and workable.
-- Use passive interception when the UI already triggers useful fetch/XHR requests or active fetch is risky.
-- Fall back to Playwright UI automation when fetch is ruled out, the request path is not workable, or the user explicitly asks for Playwright/UI automation.
+1. Call the site's fetch/XHR endpoints via browser-context `fetch()`.
+2. If `references/site-security-review.md` (assess only once per site) rules `fetch()` unsafe, passively capture responses with `page.on('response', ...)`
+3. Fall back to Playwright UI automation.
+
+Mix strategies freely across steps on a site.
+
+Prefer to enter sites at a user-facing URL (homepage, login, etc.) on the first navigation — deep URLs on a cold session are commonly blocked by edge bot protection.
 
 ## Setup
 
@@ -67,9 +70,9 @@ Full documentation is published at [libretto.sh](https://libretto.sh). Available
 - Pass `--read-only` when you want the session locked for inspection from the moment it is created.
 
 ```bash
-libretto open https://example.com --headed
-libretto open https://example.com --headless --read-only --session readonly-example
-libretto open https://example.com --headless --session debug-example
+npx libretto open https://example.com
+npx libretto open https://example.com --read-only --session readonly-example
+npx libretto open https://example.com --session debug-example
 ```
 
 ### `connect`
@@ -141,9 +144,8 @@ libretto exec --session debug-example --page <page-id> "await page.url()"
 
 ### `run`
 
-- Use `run` to verify a workflow file after creating it or editing it. Use the same headed or headless mode for validation that the workflow run is already using.
+- Use `run` to verify a workflow file after creating it or editing it. Use the same headed or headless mode for validation that the workflow run is already using. Plain `run` defaults to headed mode.
 - Workflows define their input shape with a Zod schema (see `references/code-generation-rules.md`). `run` validates `--params` against that schema before calling the handler and prints a clear field-by-field error if the input doesn't match.
-- Plain `run` defaults to headed mode. Do not use `--headless` unless the user asks for headless mode or the existing workflow run already uses it.
 - Successful runs close the browser by default. Pass `--stay-open-on-success` when you need to inspect the completed state with `pages`, `snapshot`, or `exec`.
 - Pass `--read-only` if the preserved session should come back locked for follow-up terminal inspection after the workflow run.
 - If the workflow fails, Libretto keeps the browser open. Inspect the failed state with `snapshot` and `exec` before editing code.
@@ -195,7 +197,7 @@ Session logs are JSONL files at `.libretto/sessions/<session>/`:
 
 - CLI logs are in `.libretto/sessions/<session>/logs.jsonl`.
 - Action logs are in `.libretto/sessions/<session>/actions.jsonl`.
-- Network logs are in `.libretto/sessions/<session>/network.jsonl`.
+- Network logs are in `.libretto/sessions/<session>/network.jsonl` and their corresponding raw request/response bodies are in `.libretto/sessions/<session>/raw-network/`.
 
 Use `jq` to query jsonl logs directly — for any filtering, slicing, or inspection task.
 
@@ -203,8 +205,11 @@ Use `jq` to query jsonl logs directly — for any filtering, slicing, or inspect
 # Last 20 action entries
 tail -n 20 .libretto/sessions/<session>/actions.jsonl | jq .
 
-# POST requests only
-jq 'select(.method == "POST")' .libretto/sessions/<session>/network.jsonl
+# POST requests with captured response previews
+jq 'select(.method == "POST" and .responseBodyPreview != null) | {id, resourceType, status, contentType, url, requestBodyPreview, responseBodyPreview, responseBodyPath}' .libretto/sessions/<session>/network.jsonl
+
+# Read a saved response sidecar
+gunzip -c .libretto/sessions/<session>/raw-network/000001.response.json.gz | jq .
 ```
 
 ### Action log (`actions.jsonl`)
@@ -215,7 +220,9 @@ Read `references/action-logs.md` for full field descriptions and user-vs-agent e
 
 ### Network log (`network.jsonl`)
 
-Key fields: `ts` (ISO timestamp), `method` (HTTP method, e.g. `GET`, `POST`), `url` (request URL), `status` (HTTP status code), `contentType` (response content type), `responseBody` (response body string, may be null).
+Libretto logs useful `document`, `xhr`, `fetch`, and non-noisy mutating requests; obvious static/media/tracking noise is skipped.
+
+Key fields: `id` (incrementing request id), `ts` (ISO timestamp), `pageId` (page target id), `method` (HTTP method, e.g. `GET`, `POST`), `url` (request URL), `resourceType` (browser resource type, e.g. `document`, `xhr`, `fetch`), `status` (HTTP status code, or null for failed requests), `statusText` (HTTP status text), `contentType` (response content type), `requestHeaders` (request headers), `responseHeaders` (response headers), `requestBodyPreview` (inline request body preview), `requestBodyPath` (gzipped full request body sidecar path), `requestBodyBytes` (request body byte size), `requestBodyTruncated` (true when the request body exceeded the save limit), `requestBodyOmittedReason` (why the request body was not captured), `responseBodyPreview` (inline response body preview), `responseBodyPath` (gzipped full response body sidecar path), `responseBodyBytes` (response body byte size), `responseBodyTruncated` (true when the response body exceeded the save limit), `responseBodyOmittedReason` (why the response body was not captured), and `errorText` (request failure or body read error).
 
 ## Examples
 

package/skills/libretto/references/code-generation-rules.md

@@ -6,7 +6,7 @@ Follow the user's existing codebase conventions, abstractions, and patterns when
 
 ## Workflow File Structure
 
-Generated files must default-export a `workflow()` instance so they can be run via `npx libretto run <file>`. Workflows declare their input and output shapes as Zod schemas, which both type the handler and validate runtime input.
+Generated files must default-export a `workflow()` instance so they can be run via `libretto run <file>`. Workflows declare their input and output shapes as Zod schemas, which both type the handler and validate runtime input.
 
 Add `zod` (`^4.0.0`) to the workflow's `package.json` dependencies. Then import `workflow` from `"libretto"` and `z` from `"zod"`:
 
@@ -42,7 +42,7 @@ Key points:
 
 - `workflow(name, { input, output }, handler)` takes a unique workflow name, a pair of Zod schemas describing input and output, and the async handler. The handler's `input` parameter is inferred from the input schema — do not redeclare it with a separate `type Input = ...`.
 - At run time, Libretto validates `input` against `inputSchema` before calling the handler. Invalid input throws a clear error listing each failing field; the workflow handler never sees malformed input.
-- `npx libretto run ./file.ts` executes the file's default-exported workflow, so always use `export default workflow(...)`.
+- `libretto run ./file.ts` executes the file's default-exported workflow, so always use `export default workflow(...)`.
 - `ctx` provides `session` and `page`. Use `console.log`/`console.warn`/`console.error` for logging — the runtime wraps these with structured metadata automatically.
 - `input` comes from `--params '{"query":"foo"}'` or `--params-file params.json` on the CLI, then gets parsed through `inputSchema`.
 - Use `await pause(ctx.session)` (or `await pause(session)`) to pause the workflow for debugging. It is a no-op in production.

package/skills/libretto/references/configuration-file-reference.md

@@ -6,7 +6,7 @@ Use this reference when you need to inspect or change workspace configuration fo
 
 - You want to understand where Libretto stores workspace-level settings.
 - You want a persistent default viewport for `open` or `run`.
-- You want a persistent default browser provider, such as Kernel or Browserbase.
+- You want a persistent default browser provider, such as Kernel, Browserbase, or Steel.
 
 ## File Location
 
@@ -18,7 +18,7 @@ Libretto reads workspace config from `.libretto/config.json`.
 
 ## Supported Settings
 
-- `provider` is an optional top-level setting used by `open` and `run` when you do not pass `--provider` and do not set `LIBRETTO_PROVIDER`. Must be `"local"`, `"kernel"`, `"browserbase"`, or `"libretto-cloud"`.
+- `provider` is an optional top-level setting used by `open` and `run` when you do not pass `--provider` and do not set `LIBRETTO_PROVIDER`. Must be `"local"`, `"kernel"`, `"browserbase"`, `"steel"`, or `"libretto-cloud"`.
 - Provider precedence is: CLI `--provider`, then `LIBRETTO_PROVIDER`, then `.libretto/config.json`, then `"local"`.
 - Provider credentials belong in the repo root `.env` file, which Libretto loads automatically before running CLI commands.
 - `viewport` is an optional top-level setting used by `open` and `run` when you do not pass `--viewport`.
@@ -46,6 +46,7 @@ libretto setup                                         # first-time onboarding
 libretto status                                        # inspect open sessions
 libretto open https://example.com --provider kernel
 libretto run ./integration.ts --provider browserbase
+libretto open https://example.com --provider steel
 libretto open https://example.com --viewport 1440x900
 libretto run ./integration.ts --viewport 1440x900
 ```

package/skills/libretto-readonly/SKILL.md

@@ -4,7 +4,7 @@ description: "Read-only Libretto workflow for diagnosing live browser state with
 license: MIT
 metadata:
   author: saffron-health
-  version: "0.6.16"
+  version: "0.6.17"
 ---
 
 ## How Libretto Read-Only Works

package/src/cli/cli.ts

@@ -1,16 +1,13 @@
 import { ensureLibrettoSetup } from "./core/context.js";
 import { createCLIApp } from "./router.js";
-import { warnIfInstalledSkillOutOfDate } from "./core/skill-version.js";
+import {
+  readCurrentCliVersion,
+  warnIfInstalledSkillOutOfDate,
+} from "./core/skill-version.js";
 import { loadEnv } from "../shared/env/load-env.js";
 
-function renderUsage(app: ReturnType<typeof createCLIApp>): string {
-  return `${app.renderHelp()}
-
-Options:
-  --session <name>        Use a named session (auto-generated for open/run if omitted)
-
-Docs (agent-friendly): https://libretto.sh/docs
-`;
+function renderVersion(): string {
+  return readCurrentCliVersion();
 }
 
 function printSetupAudit(): void {
@@ -35,10 +32,25 @@ function warnIfPackageManagerExec(): void {
 
 function isRootHelpRequest(rawArgs: readonly string[]): boolean {
   if (rawArgs.length === 0) return true;
-  if (rawArgs[0] === "--help" || rawArgs[0] === "-h") return true;
   return rawArgs[0] === "help" && rawArgs.length === 1;
 }
 
+function isVersionRequest(rawArgs: readonly string[]): boolean {
+  if (rawArgs.length !== 1) return false;
+  return rawArgs[0] === "--version" || rawArgs[0] === "-v";
+}
+
+function hasRootHelp(
+  message: string,
+  app: ReturnType<typeof createCLIApp>,
+): boolean {
+  return message.endsWith(app.renderHelp());
+}
+
+function hasScopedHelp(message: string): boolean {
+  return message.includes("\nUsage: ");
+}
+
 export async function runLibrettoCLI(): Promise<void> {
   const rawArgs = process.argv.slice(2);
   let exitCode = 0;
@@ -48,8 +60,13 @@ export async function runLibrettoCLI(): Promise<void> {
   const app = createCLIApp();
 
   try {
+    if (isVersionRequest(rawArgs)) {
+      console.log(renderVersion());
+      return;
+    }
+
     if (isRootHelpRequest(rawArgs)) {
-      console.log(renderUsage(app));
+      console.log(app.renderHelp());
       printSetupAudit();
       return;
     }
@@ -61,8 +78,16 @@ export async function runLibrettoCLI(): Promise<void> {
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
     if (message.startsWith("Unknown command: ")) {
-      console.error(`${message}\n`);
-      console.log(renderUsage(app));
+      if (hasRootHelp(message, app)) {
+        const summary = message.split("\n", 1)[0] ?? message;
+        console.error(`${summary}\n`);
+        console.log(app.renderHelp());
+      } else if (hasScopedHelp(message)) {
+        console.error(message);
+      } else {
+        console.error(`${message}\n`);
+        console.log(app.renderHelp());
+      }
     } else {
       console.error(message);
     }

package/src/cli/commands/browser.ts

@@ -86,7 +86,7 @@ export const openInput = SimpleCLI.input({
       help: "Viewport size as WIDTHxHEIGHT (e.g. 1920x1080)",
     }),
     provider: SimpleCLI.option(z.string().optional(), {
-      help: "Browser provider (local, kernel, browserbase)",
+      help: "Browser provider (local, kernel, browserbase, steel)",
       aliases: ["-p"],
     }),
   },
@@ -101,8 +101,7 @@ export const openInput = SimpleCLI.input({
   );
 
 export const openCommand = SimpleCLI.command({
-  description:
-    "Launch browser and open URL (headed by default). Automatically loads a saved auth profile for the URL's domain if one exists.",
+  description: "Launch browser and open URL",
 })
   .input(openInput)
   .use(withAutoSession())