libretto 0.6.24 → 0.6.25

package/README.md

@@ -93,6 +93,14 @@ Run `npx libretto help` for the full list of commands.
 
 All Libretto state lives in a `.libretto/` directory at your project root. See the [configuration docs](https://libretto.sh/docs/understand-libretto/configuration) for details on config files, sessions, and profiles.
 
+## Telemetry
+
+Libretto records anonymous CLI telemetry to help understand CLI usage and help us prioritize improvements. Each resolved command can send only an install id, timestamp, command event name such as `libretto run`, and an error boolean. Libretto does not send command arguments, URLs, project paths, auth state, API keys, error messages or details, or user identity.
+
+The install id is stored in the telemetry file at `~/.libretto/telemetry.json`. The implementation lives in [`src/cli/core/telemetry.ts`](src/cli/core/telemetry.ts).
+
+To disable telemetry, set `LIBRETTO_TELEMETRY_DISABLED=1`, set `DO_NOT_TRACK=1`, run with `CI=1`, or edit `~/.libretto/telemetry.json` and set `"enabled": false`.
+
 ## Join the Community
 
 Join our Discord to connect with other developers, get help, and share what you've built:
@@ -119,7 +127,7 @@ pnpm test
 Source layout:
 
 - `src/cli/` — CLI commands
-- `src/runtime/` — browser runtime (network, recovery, downloads, extraction)
+- `src/runtime/` — browser runtime (network, recovery, downloads)
 - `src/shared/` — shared utilities (config, LLM client, logging, state)
 - `test/` — test files (`*.spec.ts`)
 - `README.template.md` — source of truth for the repo and package READMEs

package/README.template.md

@@ -91,6 +91,14 @@ Run `npx libretto help` for the full list of commands.
 
 All Libretto state lives in a `.libretto/` directory at your project root. See the [configuration docs](https://libretto.sh/docs/understand-libretto/configuration) for details on config files, sessions, and profiles.
 
+## Telemetry
+
+Libretto records anonymous CLI telemetry to help understand CLI usage and help us prioritize improvements. Each resolved command can send only an install id, timestamp, command event name such as `libretto run`, and an error boolean. Libretto does not send command arguments, URLs, project paths, auth state, API keys, error messages or details, or user identity.
+
+The install id is stored in the telemetry file at `~/.libretto/telemetry.json`. The implementation lives in [`{{LIBRETTO_PATH_PREFIX}}src/cli/core/telemetry.ts`]({{LIBRETTO_PATH_PREFIX}}src/cli/core/telemetry.ts).
+
+To disable telemetry, set `LIBRETTO_TELEMETRY_DISABLED=1`, set `DO_NOT_TRACK=1`, run with `CI=1`, or edit `~/.libretto/telemetry.json` and set `"enabled": false`.
+
 ## Join the Community
 
 Join our Discord to connect with other developers, get help, and share what you've built:
@@ -117,7 +125,7 @@ pnpm test
 Source layout:
 
 - `{{LIBRETTO_PATH_PREFIX}}src/cli/` — CLI commands
-- `{{LIBRETTO_PATH_PREFIX}}src/runtime/` — browser runtime (network, recovery, downloads, extraction)
+- `{{LIBRETTO_PATH_PREFIX}}src/runtime/` — browser runtime (network, recovery, downloads)
 - `{{LIBRETTO_PATH_PREFIX}}src/shared/` — shared utilities (config, LLM client, logging, state)
 - `{{LIBRETTO_PATH_PREFIX}}test/` — test files (`*.spec.ts`)
 - `{{LIBRETTO_PATH_PREFIX}}README.template.md` — source of truth for the repo and package READMEs

package/dist/cli/commands/browser.js

@@ -68,7 +68,7 @@ const openInput = SimpleCLI.input({
     }),
     authProfile: SimpleCLI.option(z.string().optional(), {
       name: "auth-profile",
-      help: "Override the domain used for auth profile lookup (e.g. use login.example.com's profile when opening app.example.com)"
+      help: "Named auth profile to load before opening the browser"
     }),
     viewport: SimpleCLI.option(z.string().optional(), {
       help: "Viewport size as WIDTHxHEIGHT (e.g. 1920x1080)"
@@ -100,10 +100,15 @@ const openCommand = SimpleCLI.command({
         input.readOnly,
         input.writeAccess
       ),
-      authProfileDomain: input.authProfile,
+      authProfileName: input.authProfile,
       experiments: ctx.experiments
     });
   } else {
+    if (input.authProfile) {
+      throw new Error(
+        "--auth-profile is only supported for local browser sessions. Hosted provider sessions use workflow-declared authProfile settings."
+      );
+    }
     await runOpenWithProvider(
       input.url,
       providerName,
@@ -152,21 +157,23 @@ const connectCommand = SimpleCLI.command({
 });
 const saveInput = SimpleCLI.input({
   positionals: [
-    SimpleCLI.positional("urlOrDomain", z.string().optional(), {
-      help: "URL or domain to save"
+    SimpleCLI.positional("profileName", z.string(), {
+      help: "Profile name to save"
     })
   ],
   named: {
-    session: sessionOption()
+    session: sessionOption(),
+    sites: SimpleCLI.option(z.string(), {
+      help: "Comma-separated sites whose auth state should be saved"
+    })
   }
-}).refine(
-  (input) => Boolean(input.urlOrDomain),
-  `Usage: libretto save <url|domain> --session <name>`
-);
+});
 const saveCommand = SimpleCLI.command({
   description: "Save current browser session"
 }).input(saveInput).use(withRequiredSession()).handle(async ({ input, ctx }) => {
-  await runSave(input.urlOrDomain, ctx.session, ctx.logger);
+  await runSave(input.profileName, ctx.session, ctx.logger, {
+    sites: input.sites
+  });
 });
 const pagesInput = SimpleCLI.input({
   positionals: [],

package/dist/cli/commands/cloud-credentials.js

@@ -0,0 +1,70 @@
+import { SimpleCLI } from "affordance";
+import { orpcCall, resolveApiUrl } from "../core/auth-fetch.js";
+const CLOUD_CREDENTIAL_ENV_PREFIX = "LIBRETTO_CLOUD_";
+function requireApiKeyCredential() {
+  const apiKey = process.env.LIBRETTO_API_KEY?.trim();
+  if (!apiKey) {
+    throw new Error(
+      "LIBRETTO_API_KEY is required to manage Libretto Cloud credentials. Issue one with `libretto cloud auth api-key issue --label <label>`."
+    );
+  }
+  return {
+    apiUrl: resolveApiUrl(null),
+    credential: { source: "env-api-key", apiKey }
+  };
+}
+function parseEnvCredentials(prefix) {
+  const credentials = {};
+  for (const [key, value] of Object.entries(process.env)) {
+    if (!key.startsWith(prefix) || value === void 0) continue;
+    if (value.trim().length === 0) continue;
+    const fieldName = key.slice(prefix.length).toLowerCase();
+    if (!fieldName || fieldName === "api_key") continue;
+    credentials[fieldName] = value;
+  }
+  return Object.entries(credentials).map(([name, value]) => ({ name, value })).sort((left, right) => left.name.localeCompare(right.name));
+}
+const pushCredentialCommand = SimpleCLI.command({
+  description: "Push LIBRETTO_CLOUD-prefixed env credentials to Libretto Cloud"
+}).input(SimpleCLI.input({
+  positionals: [],
+  named: {}
+})).handle(async () => {
+  const credentials = parseEnvCredentials(CLOUD_CREDENTIAL_ENV_PREFIX);
+  if (credentials.length === 0) {
+    throw new Error(
+      `No non-empty env vars found with prefix ${CLOUD_CREDENTIAL_ENV_PREFIX}.`
+    );
+  }
+  const { apiUrl, credential } = requireApiKeyCredential();
+  let created = 0;
+  let updated = 0;
+  for (const item of credentials) {
+    const response = await orpcCall({
+      apiUrl,
+      path: "/v1/credentials/upsert",
+      input: item,
+      credential
+    });
+    if (response.overwritten) {
+      updated += 1;
+      console.log(`Updated cloud credential: ${item.name}`);
+    } else {
+      created += 1;
+      console.log(`Created cloud credential: ${item.name}`);
+    }
+  }
+  console.log(
+    `Pushed ${credentials.length} cloud ${credentials.length === 1 ? "credential" : "credentials"} (${created} created, ${updated} updated).`
+  );
+});
+const cloudCredentialCommands = SimpleCLI.group({
+  description: "Manage hosted credentials",
+  routes: {
+    push: pushCredentialCommand
+  }
+});
+export {
+  cloudCredentialCommands,
+  pushCredentialCommand
+};

package/dist/cli/commands/deploy.js

@@ -4,7 +4,9 @@ import {
   orpcCall,
   resolveApiUrl
 } from "../core/auth-fetch.js";
-import { buildHostedDeployTarball } from "../core/deploy-artifact.js";
+import {
+  buildHostedDeployTarball
+} from "../core/deploy-artifact.js";
 import { readAuthState } from "../core/auth-storage.js";
 import { SimpleCLI } from "affordance";
 function generateDeploymentName() {
@@ -79,6 +81,25 @@ async function pollDeployment(apiUrl, credential, deploymentId, pollIntervalMs,
   }
   return deployment;
 }
+async function ensureWorkflowAuthProfiles(args) {
+  const profileNames = [
+    ...new Set(
+      args.workflows.map((workflow) => workflow.authProfileName?.trim()).filter((name) => Boolean(name))
+    )
+  ];
+  if (profileNames.length === 0) return;
+  console.log(
+    `Ensuring cloud auth ${profileNames.length === 1 ? "profile" : "profiles"}: ${profileNames.join(", ")}`
+  );
+  for (const name of profileNames) {
+    await orpcCall({
+      apiUrl: args.apiUrl,
+      path: "/v1/browserProfiles/ensure",
+      input: { name },
+      credential: args.credential
+    });
+  }
+}
 const deployInput = SimpleCLI.input({
   positionals: [
     SimpleCLI.positional("sourceDir", z.string().default("."), {
@@ -113,12 +134,13 @@ const deployCommand = SimpleCLI.command({
   const { apiUrl, credential } = await requireDeployApiKey();
   const deploymentName = generateDeploymentName();
   console.log("Bundling hosted deployment artifact...");
-  const { entryPoint, source } = await buildHostedDeployTarball({
+  const { entryPoint, source, workflows } = await buildHostedDeployTarball({
     additionalExternals: input.external,
     deploymentName,
     entryPoint: input.entryPoint,
     sourceDir: input.sourceDir
   });
+  await ensureWorkflowAuthProfiles({ apiUrl, credential, workflows });
   const createPayload = {
     source,
     entry_point: entryPoint

package/dist/cli/commands/execution.js

@@ -5,10 +5,6 @@ import { installInstrumentation } from "../../shared/instrumentation/index.js";
 import {
   connect,
   disconnectBrowser,
-  getProfilePath,
-  hasProfile,
-  normalizeDomain,
-  normalizeUrl,
   runClose,
   resolveViewport
 } from "../core/browser.js";
@@ -30,7 +26,9 @@ import {
   getProviderStartupTimeoutMs,
   resolveProviderName
 } from "../core/providers/index.js";
-import { getAbsoluteIntegrationPath } from "../core/workflow-runtime.js";
+import {
+  getAbsoluteIntegrationPath
+} from "../core/workflow-runtime.js";
 import {
   compileExecFunction,
   stripEmptyCatchHandlers
@@ -43,7 +41,7 @@ import {
   readActionLog,
   readNetworkLog,
   wrapPageForActionLogging
-} from "../core/telemetry.js";
+} from "../core/session-logs.js";
 import { SimpleCLI } from "affordance";
 import {
   pageOption,
@@ -417,22 +415,6 @@ async function runIntegrationFromFile(args, logger) {
   const absoluteIntegrationPath = getAbsoluteIntegrationPath(
     args.integrationPath
   );
-  if (args.authProfileDomain) {
-    const normalizedDomain = normalizeDomain(normalizeUrl(args.authProfileDomain));
-    if (!hasProfile(normalizedDomain)) {
-      const profilePath = getProfilePath(normalizedDomain);
-      throw new Error(
-        [
-          `Local auth profile not found for domain "${normalizedDomain}".`,
-          `Expected profile file: ${profilePath}`,
-          "To create it:",
-          `  1. libretto open https://${normalizedDomain} --headed --session ${args.session}`,
-          "  2. Log in manually in the browser window.",
-          `  3. libretto save ${normalizedDomain} --session ${args.session}`
-        ].join("\n")
-      );
-    }
-  }
   const runLogPath = logFileForSession(args.session);
   const workflowOutcome = createDeferred();
   const handlers = createWorkflowHandlers(workflowOutcome.resolve);
@@ -445,7 +427,10 @@ async function runIntegrationFromFile(args, logger) {
     config: {
       session: args.session,
       experiments: args.experiments,
-      browser: args.providerName ? { kind: "provider", providerName: args.providerName } : {
+      browser: args.providerName ? {
+        kind: "provider",
+        providerName: args.providerName
+      } : {
         kind: "launch",
         headed: !args.headless,
         viewport: args.viewport ?? { width: 1366, height: 768 }
@@ -455,8 +440,7 @@ async function runIntegrationFromFile(args, logger) {
         params: args.params,
         visualize: args.visualize,
         stayOpenOnSuccess: args.stayOpenOnSuccess,
-        tsconfigPath: args.tsconfigPath,
-        authProfileDomain: args.authProfileDomain
+        tsconfigPath: args.tsconfigPath
       }
     },
     logger,
@@ -644,10 +628,6 @@ const runInput = SimpleCLI.input({
       name: "stay-open-on-success",
       help: "Keep the browser session open after the workflow completes successfully"
     }),
-    authProfile: SimpleCLI.option(z.string().optional(), {
-      name: "auth-profile",
-      help: "Domain for local auth profile (e.g. apps.example.com)"
-    }),
     viewport: SimpleCLI.option(z.string().optional(), {
       help: "Viewport size as WIDTHxHEIGHT (e.g. 1920x1080)"
     }),
@@ -718,7 +698,6 @@ const runCommand = SimpleCLI.command({
       tsconfigPath: input.tsconfig,
       headless: daemonProviderName ? true : headlessMode ?? false,
       visualize,
-      authProfileDomain: input.authProfile,
       viewport,
       accessMode: input.readOnly ? "read-only" : input.writeAccess ? "write-access" : readLibrettoConfig().sessionMode ?? "write-access",
       providerName: daemonProviderName,

package/dist/cli/commands/import-chrome-profiles.js

@@ -0,0 +1,46 @@
+import { z } from "zod";
+import { SimpleCLI } from "affordance";
+import { createLoggerForSession } from "../core/context.js";
+import { runFetchChromeProfile } from "../core/browser.js";
+import { promptConfirm } from "../core/prompt.js";
+const importChromeProfilesCommand = SimpleCLI.command({
+  description: "Fetch scoped auth state from a Chrome CDP session into a local profile"
+}).input(SimpleCLI.input({
+  positionals: [
+    SimpleCLI.positional("profileName", z.string(), {
+      help: "Profile name to save"
+    })
+  ],
+  named: {
+    cdpUrl: SimpleCLI.option(z.string(), {
+      name: "cdp-url",
+      help: "Chrome DevTools Protocol endpoint for the Chrome instance"
+    }),
+    sites: SimpleCLI.option(z.string(), {
+      help: "Comma-separated sites whose auth state should be imported"
+    }),
+    yes: SimpleCLI.flag({
+      help: "Skip confirmation before attaching to and disconnecting from Chrome"
+    })
+  }
+})).handle(async ({ input }) => {
+  const logger = createLoggerForSession(`profile-fetch-${Date.now()}`);
+  try {
+    if (!input.yes) {
+      const confirmed = await promptConfirm(
+        "Importing from an existing Chrome CDP session may cause that Chrome window to close or relaunch when Libretto disconnects. Continue?"
+      );
+      if (!confirmed) {
+        throw new Error("Aborted Chrome profile import.");
+      }
+    }
+    await runFetchChromeProfile(input.profileName, input.cdpUrl, logger, {
+      sites: input.sites
+    });
+  } finally {
+    await logger.close();
+  }
+});
+export {
+  importChromeProfilesCommand
+};

package/dist/cli/commands/profiles.js

@@ -0,0 +1,71 @@
+import { z } from "zod";
+import { SimpleCLI } from "affordance";
+import { orpcCall, resolveApiUrl } from "../core/auth-fetch.js";
+import { normalizeProfileName } from "../core/profiles.js";
+function requireApiKeyCredential() {
+  const apiKey = process.env.LIBRETTO_API_KEY?.trim();
+  if (!apiKey) {
+    throw new Error(
+      "LIBRETTO_API_KEY is required to manage Libretto Cloud profiles. Issue one with `libretto cloud auth api-key issue --label <label>`."
+    );
+  }
+  return {
+    apiUrl: resolveApiUrl(null),
+    credential: { source: "env-api-key", apiKey }
+  };
+}
+const listProfilesCommand = SimpleCLI.command({
+  description: "List Libretto Cloud auth profiles"
+}).input(SimpleCLI.input({ positionals: [], named: {} })).handle(async () => {
+  const { apiUrl, credential } = requireApiKeyCredential();
+  const response = await orpcCall({
+    apiUrl,
+    path: "/v1/browserProfiles/list",
+    input: {},
+    credential
+  });
+  if (response.profiles.length === 0) {
+    console.log("No cloud profiles found.");
+    return;
+  }
+  for (const profile of response.profiles) {
+    const providers = profile.providers.length ? ` (${profile.providers.join(", ")})` : "";
+    console.log(`${profile.name}${providers}`);
+  }
+});
+const deleteProfileCommand = SimpleCLI.command({
+  description: "Delete a Libretto Cloud auth profile"
+}).input(SimpleCLI.input({
+  positionals: [
+    SimpleCLI.positional("profileName", z.string(), {
+      help: "Cloud profile name to delete"
+    })
+  ],
+  named: {}
+})).handle(async ({ input }) => {
+  const profileName = normalizeProfileName(input.profileName);
+  const { apiUrl, credential } = requireApiKeyCredential();
+  const response = await orpcCall({
+    apiUrl,
+    path: "/v1/browserProfiles/delete",
+    input: { name: profileName },
+    credential
+  });
+  if (!response.success || response.deleted_count === 0) {
+    console.log(`No cloud profile found for ${profileName}.`);
+    return;
+  }
+  console.log(`Deleted cloud profile: ${profileName}`);
+});
+const profileCommands = SimpleCLI.group({
+  description: "Manage hosted browser auth profiles",
+  routes: {
+    list: listProfilesCommand,
+    delete: deleteProfileCommand
+  }
+});
+export {
+  deleteProfileCommand,
+  listProfilesCommand,
+  profileCommands
+};

package/dist/cli/commands/shared.js

@@ -19,9 +19,7 @@ function integerOption(help) {
   return SimpleCLI.option(z.coerce.number().int().optional(), { help });
 }
 function withExperiments() {
-  return async ({
-    ctx
-  }) => ({
+  return async ({ ctx }) => ({
     ...ctx,
     experiments: resolveExperiments()
   });