libretto 0.6.24 → 0.6.26

package/src/cli/commands/browser.ts

@@ -21,6 +21,7 @@ import {
 import { warnIfLibrettoVersionsDiffer } from "../core/skill-version.js";
 import { SimpleCLI } from "affordance";
 import {
+  type SessionContext,
   sessionOption,
   withAutoSession,
   withExperiments,
@@ -80,7 +81,7 @@ export const openInput = SimpleCLI.input({
     }),
     authProfile: SimpleCLI.option(z.string().optional(), {
       name: "auth-profile",
-      help: "Override the domain used for auth profile lookup (e.g. use login.example.com's profile when opening app.example.com)",
+      help: "Named auth profile to load before opening the browser",
     }),
     viewport: SimpleCLI.option(z.string().optional(), {
       help: "Viewport size as WIDTHxHEIGHT (e.g. 1920x1080)",
@@ -105,7 +106,7 @@ export const openCommand = SimpleCLI.command({
 })
   .input(openInput)
   .use(withAutoSession())
-  .use(withExperiments())
+  .use(withExperiments<SessionContext>())
   .handle(async ({ input, ctx }) => {
     warnIfLibrettoVersionsDiffer();
     assertSessionAvailableForStart(ctx.session, ctx.logger);
@@ -119,10 +120,15 @@ export const openCommand = SimpleCLI.command({
           input.readOnly,
           input.writeAccess,
         ),
-        authProfileDomain: input.authProfile,
+        authProfileName: input.authProfile,
         experiments: ctx.experiments,
       });
     } else {
+      if (input.authProfile) {
+        throw new Error(
+          "--auth-profile is only supported for local browser sessions. Hosted provider sessions use workflow-declared authProfile settings.",
+        );
+      }
       await runOpenWithProvider(
         input.url,
         providerName,
@@ -166,7 +172,7 @@ export const connectCommand = SimpleCLI.command({
 })
   .input(connectInput)
   .use(withAutoSession())
-  .use(withExperiments())
+  .use(withExperiments<SessionContext>())
   .handle(async ({ input, ctx }) => {
     warnIfLibrettoVersionsDiffer();
     await runConnectWithLogger(
@@ -180,17 +186,17 @@ export const connectCommand = SimpleCLI.command({
 
 export const saveInput = SimpleCLI.input({
   positionals: [
-    SimpleCLI.positional("urlOrDomain", z.string().optional(), {
-      help: "URL or domain to save",
+    SimpleCLI.positional("profileName", z.string(), {
+      help: "Profile name to save",
     }),
   ],
   named: {
     session: sessionOption(),
+    sites: SimpleCLI.option(z.string(), {
+      help: "Comma-separated sites whose auth state should be saved",
+    }),
   },
-}).refine(
-  (input) => Boolean(input.urlOrDomain),
-  `Usage: libretto save <url|domain> --session <name>`,
-);
+});
 
 export const saveCommand = SimpleCLI.command({
   description: "Save current browser session",
@@ -198,7 +204,9 @@ export const saveCommand = SimpleCLI.command({
   .input(saveInput)
   .use(withRequiredSession())
   .handle(async ({ input, ctx }) => {
-    await runSave(input.urlOrDomain!, ctx.session, ctx.logger);
+    await runSave(input.profileName, ctx.session, ctx.logger, {
+      sites: input.sites,
+    });
   });
 
 export const pagesInput = SimpleCLI.input({

package/src/cli/commands/cloud-credentials.ts

@@ -0,0 +1,82 @@
+import { SimpleCLI } from "affordance";
+import { orpcCall, resolveApiUrl } from "../core/auth-fetch.js";
+
+const CLOUD_CREDENTIAL_ENV_PREFIX = "LIBRETTO_CLOUD_";
+
+type UpsertCredentialResponse = {
+  success: true;
+  credential_id: string;
+  overwritten: boolean;
+  message: string;
+};
+
+function requireApiKeyCredential() {
+  const apiKey = process.env.LIBRETTO_API_KEY?.trim();
+  if (!apiKey) {
+    throw new Error(
+      "LIBRETTO_API_KEY is required to manage Libretto Cloud credentials. Issue one with `libretto cloud auth api-key issue --label <label>`.",
+    );
+  }
+  return {
+    apiUrl: resolveApiUrl(null),
+    credential: { source: "env-api-key" as const, apiKey },
+  };
+}
+
+function parseEnvCredentials(prefix: string): Array<{ name: string; value: string }> {
+  const credentials: Record<string, string> = {};
+  for (const [key, value] of Object.entries(process.env)) {
+    if (!key.startsWith(prefix) || value === undefined) continue;
+    if (value.trim().length === 0) continue;
+    const fieldName = key.slice(prefix.length).toLowerCase();
+    if (!fieldName || fieldName === "api_key") continue;
+    credentials[fieldName] = value;
+  }
+  return Object.entries(credentials)
+    .map(([name, value]) => ({ name, value }))
+    .sort((left, right) => left.name.localeCompare(right.name));
+}
+
+export const pushCredentialCommand = SimpleCLI.command({
+  description: "Push LIBRETTO_CLOUD-prefixed env credentials to Libretto Cloud",
+})
+  .input(SimpleCLI.input({
+    positionals: [],
+    named: {},
+  }))
+  .handle(async () => {
+    const credentials = parseEnvCredentials(CLOUD_CREDENTIAL_ENV_PREFIX);
+    if (credentials.length === 0) {
+      throw new Error(
+        `No non-empty env vars found with prefix ${CLOUD_CREDENTIAL_ENV_PREFIX}.`,
+      );
+    }
+    const { apiUrl, credential } = requireApiKeyCredential();
+    let created = 0;
+    let updated = 0;
+    for (const item of credentials) {
+      const response = await orpcCall<UpsertCredentialResponse>({
+        apiUrl,
+        path: "/v1/credentials/upsert",
+        input: item,
+        credential,
+      });
+      if (response.overwritten) {
+        updated += 1;
+        console.log(`Updated cloud credential: ${item.name}`);
+      } else {
+        created += 1;
+        console.log(`Created cloud credential: ${item.name}`);
+      }
+    }
+    console.log(
+      `Pushed ${credentials.length} cloud ${credentials.length === 1 ? "credential" : "credentials"} (${created} created, ${updated} updated).`,
+    );
+  });
+
+export const cloudCredentialCommands = SimpleCLI.group({
+  description: "Manage hosted credentials",
+  routes: {
+    push: pushCredentialCommand,
+  },
+});

package/src/cli/commands/deploy.ts

@@ -4,7 +4,10 @@ import {
   orpcCall,
   resolveApiUrl,
 } from "../core/auth-fetch.js";
-import { buildHostedDeployTarball } from "../core/deploy-artifact.js";
+import {
+  buildHostedDeployTarball,
+  type WorkflowDeployMetadata,
+} from "../core/deploy-artifact.js";
 import { readAuthState } from "../core/auth-storage.js";
 import { SimpleCLI } from "affordance";
 
@@ -19,6 +22,13 @@ type DeploymentResponse = {
   };
 };
 
+type EnsureProfileResponse = {
+  success: true;
+  profile_id: string;
+  name: string;
+  created: boolean;
+};
+
 function generateDeploymentName(): string {
   return `deploy-${Date.now().toString(36)}-${randomBytes(4).toString("hex")}`;
 }
@@ -111,6 +121,33 @@ async function pollDeployment(
   return deployment;
 }
 
+async function ensureWorkflowAuthProfiles(args: {
+  apiUrl: string;
+  credential: { source: "env-api-key"; apiKey: string };
+  workflows: readonly WorkflowDeployMetadata[];
+}): Promise<void> {
+  const profileNames = [
+    ...new Set(
+      args.workflows
+        .map((workflow) => workflow.authProfileName?.trim())
+        .filter((name): name is string => Boolean(name)),
+    ),
+  ];
+  if (profileNames.length === 0) return;
+
+  console.log(
+    `Ensuring cloud auth ${profileNames.length === 1 ? "profile" : "profiles"}: ${profileNames.join(", ")}`,
+  );
+  for (const name of profileNames) {
+    await orpcCall<EnsureProfileResponse>({
+      apiUrl: args.apiUrl,
+      path: "/v1/browserProfiles/ensure",
+      input: { name },
+      credential: args.credential,
+    });
+  }
+}
+
 export const deployInput = SimpleCLI.input({
   positionals: [
     SimpleCLI.positional("sourceDir", z.string().default("."), {
@@ -159,13 +196,15 @@ export const deployCommand = SimpleCLI.command({
     // a minimal manifest. Bundled code is embedded in the generated files;
     // external packages are listed in the manifest for installation.
     console.log("Bundling hosted deployment artifact...");
-    const { entryPoint, source } = await buildHostedDeployTarball({
+    const { entryPoint, source, workflows } = await buildHostedDeployTarball({
       additionalExternals: input.external,
       deploymentName,
       entryPoint: input.entryPoint,
       sourceDir: input.sourceDir,
     });
 
+    await ensureWorkflowAuthProfiles({ apiUrl, credential, workflows });
+
     const createPayload: Record<string, unknown> = {
       source,
       entry_point: entryPoint,

package/src/cli/commands/execution.ts

@@ -6,10 +6,6 @@ import type { LoggerApi } from "../../shared/logger/index.js";
 import {
   connect,
   disconnectBrowser,
-  getProfilePath,
-  hasProfile,
-  normalizeDomain,
-  normalizeUrl,
   runClose,
   resolveViewport,
 } from "../core/browser.js";
@@ -32,7 +28,9 @@ import {
   getProviderStartupTimeoutMs,
   resolveProviderName,
 } from "../core/providers/index.js";
-import { getAbsoluteIntegrationPath } from "../core/workflow-runtime.js";
+import {
+  getAbsoluteIntegrationPath,
+} from "../core/workflow-runtime.js";
 import {
   compileExecFunction,
   stripEmptyCatchHandlers,
@@ -48,12 +46,13 @@ import {
   readActionLog,
   readNetworkLog,
   wrapPageForActionLogging,
-} from "../core/telemetry.js";
+} from "../core/session-logs.js";
 import type { SessionAccessMode } from "../../shared/state/index.js";
 import type { Experiments } from "../core/experiments.js";
 import { SimpleCLI } from "affordance";
 import {
   pageOption,
+  type SessionContext,
   sessionOption,
   withAutoSession,
   withExperiments,
@@ -68,7 +67,6 @@ type RunIntegrationCommandRequest = {
   visualize: boolean;
   viewport?: { width: number; height: number };
   accessMode: SessionAccessMode;
-  authProfileDomain?: string;
   providerName?: string;
   stayOpenOnSuccess: boolean;
   tsconfigPath?: string;
@@ -564,22 +562,6 @@ async function runIntegrationFromFile(
   const absoluteIntegrationPath = getAbsoluteIntegrationPath(
     args.integrationPath,
   );
-  if (args.authProfileDomain) {
-    const normalizedDomain = normalizeDomain(normalizeUrl(args.authProfileDomain));
-    if (!hasProfile(normalizedDomain)) {
-      const profilePath = getProfilePath(normalizedDomain);
-      throw new Error(
-        [
-          `Local auth profile not found for domain "${normalizedDomain}".`,
-          `Expected profile file: ${profilePath}`,
-          "To create it:",
-          `  1. libretto open https://${normalizedDomain} --headed --session ${args.session}`,
-          "  2. Log in manually in the browser window.",
-          `  3. libretto save ${normalizedDomain} --session ${args.session}`,
-        ].join("\n"),
-      );
-    }
-  }
 
   const runLogPath = logFileForSession(args.session);
   const workflowOutcome = createDeferred<WorkflowOutcome>();
@@ -594,7 +576,10 @@ async function runIntegrationFromFile(
       session: args.session,
       experiments: args.experiments,
       browser: args.providerName
-        ? { kind: "provider", providerName: args.providerName }
+        ? {
+            kind: "provider",
+            providerName: args.providerName,
+          }
         : {
             kind: "launch",
             headed: !args.headless,
@@ -606,7 +591,6 @@ async function runIntegrationFromFile(
         visualize: args.visualize,
         stayOpenOnSuccess: args.stayOpenOnSuccess,
         tsconfigPath: args.tsconfigPath,
-        authProfileDomain: args.authProfileDomain,
       },
     },
     logger,
@@ -809,10 +793,6 @@ export const runInput = SimpleCLI.input({
       name: "stay-open-on-success",
       help: "Keep the browser session open after the workflow completes successfully",
     }),
-    authProfile: SimpleCLI.option(z.string().optional(), {
-      name: "auth-profile",
-      help: "Domain for local auth profile (e.g. apps.example.com)",
-    }),
     viewport: SimpleCLI.option(z.string().optional(), {
       help: "Viewport size as WIDTHxHEIGHT (e.g. 1920x1080)",
     }),
@@ -865,7 +845,7 @@ export const runCommand = SimpleCLI.command({
 })
   .input(runInput)
   .use(withAutoSession())
-  .use(withExperiments())
+  .use(withExperiments<SessionContext>())
   .handle(async ({ input, ctx }) => {
     warnIfLibrettoVersionsDiffer();
     await stopExistingFailedRunSession(ctx.session, ctx.logger);
@@ -903,7 +883,6 @@ export const runCommand = SimpleCLI.command({
         tsconfigPath: input.tsconfig,
         headless: daemonProviderName ? true : (headlessMode ?? false),
         visualize,
-        authProfileDomain: input.authProfile,
         viewport,
         accessMode: input.readOnly ? "read-only" : input.writeAccess ? "write-access" : (readLibrettoConfig().sessionMode ?? "write-access"),
         providerName: daemonProviderName,

package/src/cli/commands/import-chrome-profiles.ts

@@ -0,0 +1,46 @@
+import { z } from "zod";
+import { SimpleCLI } from "affordance";
+import { createLoggerForSession } from "../core/context.js";
+import { runFetchChromeProfile } from "../core/browser.js";
+import { promptConfirm } from "../core/prompt.js";
+
+export const importChromeProfilesCommand = SimpleCLI.command({
+  description: "Fetch scoped auth state from a Chrome CDP session into a local profile",
+})
+  .input(SimpleCLI.input({
+    positionals: [
+      SimpleCLI.positional("profileName", z.string(), {
+        help: "Profile name to save",
+      }),
+    ],
+    named: {
+      cdpUrl: SimpleCLI.option(z.string(), {
+        name: "cdp-url",
+        help: "Chrome DevTools Protocol endpoint for the Chrome instance",
+      }),
+      sites: SimpleCLI.option(z.string(), {
+        help: "Comma-separated sites whose auth state should be imported",
+      }),
+      yes: SimpleCLI.flag({
+        help: "Skip confirmation before attaching to and disconnecting from Chrome",
+      }),
+    },
+  }))
+  .handle(async ({ input }) => {
+    const logger = createLoggerForSession(`profile-fetch-${Date.now()}`);
+    try {
+      if (!input.yes) {
+        const confirmed = await promptConfirm(
+          "Importing from an existing Chrome CDP session may cause that Chrome window to close or relaunch when Libretto disconnects. Continue?",
+        );
+        if (!confirmed) {
+          throw new Error("Aborted Chrome profile import.");
+        }
+      }
+      await runFetchChromeProfile(input.profileName, input.cdpUrl, logger, {
+        sites: input.sites,
+      });
+    } finally {
+      await logger.close();
+    }
+  });

package/src/cli/commands/profiles.ts

@@ -0,0 +1,90 @@
+import { z } from "zod";
+import { SimpleCLI } from "affordance";
+import { orpcCall, resolveApiUrl } from "../core/auth-fetch.js";
+import { normalizeProfileName } from "../core/profiles.js";
+
+type ListProfilesResponse = {
+  profiles: Array<{
+    profile_id: string;
+    name: string;
+    providers: string[];
+    updated_at: string;
+  }>;
+};
+
+type DeleteProfileResponse = {
+  success: boolean;
+  deleted_count: number;
+};
+
+function requireApiKeyCredential() {
+  const apiKey = process.env.LIBRETTO_API_KEY?.trim();
+  if (!apiKey) {
+    throw new Error(
+      "LIBRETTO_API_KEY is required to manage Libretto Cloud profiles. Issue one with `libretto cloud auth api-key issue --label <label>`.",
+    );
+  }
+  return {
+    apiUrl: resolveApiUrl(null),
+    credential: { source: "env-api-key" as const, apiKey },
+  };
+}
+
+export const listProfilesCommand = SimpleCLI.command({
+  description: "List Libretto Cloud auth profiles",
+})
+  .input(SimpleCLI.input({ positionals: [], named: {} }))
+  .handle(async () => {
+    const { apiUrl, credential } = requireApiKeyCredential();
+    const response = await orpcCall<ListProfilesResponse>({
+      apiUrl,
+      path: "/v1/browserProfiles/list",
+      input: {},
+      credential,
+    });
+    if (response.profiles.length === 0) {
+      console.log("No cloud profiles found.");
+      return;
+    }
+    for (const profile of response.profiles) {
+      const providers = profile.providers.length
+        ? ` (${profile.providers.join(", ")})`
+        : "";
+      console.log(`${profile.name}${providers}`);
+    }
+  });
+
+export const deleteProfileCommand = SimpleCLI.command({
+  description: "Delete a Libretto Cloud auth profile",
+})
+  .input(SimpleCLI.input({
+    positionals: [
+      SimpleCLI.positional("profileName", z.string(), {
+        help: "Cloud profile name to delete",
+      }),
+    ],
+    named: {},
+  }))
+  .handle(async ({ input }) => {
+    const profileName = normalizeProfileName(input.profileName);
+    const { apiUrl, credential } = requireApiKeyCredential();
+    const response = await orpcCall<DeleteProfileResponse>({
+      apiUrl,
+      path: "/v1/browserProfiles/delete",
+      input: { name: profileName },
+      credential,
+    });
+    if (!response.success || response.deleted_count === 0) {
+      console.log(`No cloud profile found for ${profileName}.`);
+      return;
+    }
+    console.log(`Deleted cloud profile: ${profileName}`);
+  });
+
+export const profileCommands = SimpleCLI.group({
+  description: "Manage hosted browser auth profiles",
+  routes: {
+    list: listProfilesCommand,
+    delete: deleteProfileCommand,
+  },
+});

package/src/cli/commands/shared.ts

@@ -11,7 +11,6 @@ import {
 } from "../core/session.js";
 import {
   SimpleCLI,
-  type SimpleCLIMiddlewareArgs,
   type SimpleCLIContext,
   type SimpleCLIMiddleware,
 } from "affordance";
@@ -41,13 +40,10 @@ export type ExperimentsContext = {
   experiments: Experiments;
 };
 
-export function withExperiments() {
-  return async <TInput, TContext extends SimpleCLIContext>({
-    ctx,
-  }: SimpleCLIMiddlewareArgs<
-    TInput,
-    TContext
-  >): Promise<TContext & ExperimentsContext> => ({
+export function withExperiments<
+  TContext extends SimpleCLIContext,
+>(): SimpleCLIMiddleware<unknown, TContext, TContext & ExperimentsContext> {
+  return async ({ ctx }) => ({
     ...ctx,
     experiments: resolveExperiments(),
   });