libretto 0.6.28 → 0.6.30-experimental-runtime-libretto.0

package/skills/libretto/references/website-authentication.md

@@ -0,0 +1,73 @@
+# Website Authentication
+
+Use this reference when a workflow needs a logged-in website session. The Working Rules in `../SKILL.md` define the required auth workflow; this file explains how to implement sign-in logic with `librettoAuthenticate`, and how auth profiles save signed-in state for later runs.
+
+Build and verify working sign-in logic first. The sign-in code takes priority; an auth profile is added only after the sign-in logic is verified, never as a substitute for it.
+
+## Sign-In Logic
+
+Use `librettoAuthenticate` so the workflow can sign in from a fresh browser. Declare each required secret in the workflow credentials array and use those credentials inside `signIn`.
+
+```typescript
+import { librettoAuthenticate, workflow } from "libretto";
+
+export default workflow("accountWorkflow", {
+  credentials: ["portal_username", "portal_password"],
+  async handler(ctx, input) {
+    const { page } = ctx;
+
+    await page.goto("https://app.example.com/dashboard");
+
+    // Sign in when the session is not already authenticated.
+    await librettoAuthenticate(ctx, {
+      credentials: input.credentials,
+      isSignedIn: async () =>
+        await page
+          .getByRole("heading", { name: "Dashboard" })
+          .isVisible()
+          .catch(() => false),
+      signIn: async (_ctx, credentials) => {
+        await page.goto("https://app.example.com/login");
+        await page.getByLabel("Email").fill(credentials.portal_username);
+        await page.getByLabel("Password").fill(credentials.portal_password);
+        await page.getByRole("button", { name: "Sign in" }).click();
+        await page.getByRole("heading", { name: "Dashboard" }).waitFor();
+      },
+    });
+
+    // Continue with the signed-in workflow steps.
+  },
+});
+```
+
+## Auth Profiles
+
+Auth profiles save the signed-in browser state (cookies, localStorage, IndexedDB) so later runs can reuse a logged-in session instead of signing in from scratch. The sign-in logic still takes priority: do not add a profile until the `librettoAuthenticate` sign-in step has been verified from a signed-out browser with no profile present. If you add a profile first, validation passes on the saved session while the untested sign-in logic fails the first time that session expires.
+
+A profile only holds whatever a signed-in session wrote into it, so it does nothing until a run has signed in at least once. With `refresh: true`, a successful run writes updated browser state back to the profile, so a fresh sign-in repairs an expired one. Local runs load `.libretto/profiles/<name>.json`; hosted runs use the provider-native profile with the same name.
+
+Add the profile to the workflow you already verified:
+
+```typescript
+export default workflow("accountWorkflow", {
+  // Added only after the signIn step above is verified standalone.
+  authProfile: { name: "example-account", refresh: true },
+  credentials: ["portal_username", "portal_password"],
+  // ...same handler and librettoAuthenticate call as above.
+});
+```
+
+## Commands
+
+```bash
+# Save the current signed-in session as a named, site-scoped profile.
+npx libretto save example-app --session login --sites app.example.com,auth.example.com
+
+# List or delete hosted auth profile names.
+npx libretto cloud profiles list
+npx libretto cloud profiles delete example-app
+```
+
+`save` captures cookies, localStorage, and IndexedDB only for the comma-separated `--sites` list.
+
+To reuse an existing signed-in Chrome profile instead of signing in, use `npx libretto import-chrome-profiles`. Get the user's consent first, since attaching can close or relaunch their Chrome window.

package/skills/libretto-readonly/SKILL.md

@@ -4,7 +4,7 @@ description: "Read-only Libretto workflow for diagnosing live browser state with
 license: MIT
 metadata:
   author: saffron-health
-  version: "0.6.28"
+  version: "0.6.29"
 ---
 
 ## How Libretto Read-Only Works

package/src/cli/commands/execution.ts

@@ -7,6 +7,7 @@ import {
   connect,
   disconnectBrowser,
   runClose,
+  resolveWindowPosition,
   resolveViewport,
 } from "../core/browser.js";
 import { parseViewportArg } from "./browser.js";
@@ -22,7 +23,10 @@ import {
   type SessionState,
 } from "../core/session.js";
 import { warnIfLibrettoVersionsDiffer } from "../core/skill-version.js";
-import { readLibrettoConfig } from "../core/config.js";
+import {
+  readLibrettoConfig,
+  type WindowPositionConfig,
+} from "../core/config.js";
 import { renderSnapshotDiff } from "../../shared/snapshot/diff-snapshots.js";
 import {
   getProviderStartupTimeoutMs,
@@ -41,6 +45,7 @@ import {
   type DaemonExecResult,
   type DaemonToCliApi,
 } from "../core/daemon/ipc.js";
+import type { DaemonConfig } from "../core/daemon/config.js";
 import { createReadonlyExecHelpers } from "../core/readonly-exec.js";
 import {
   readActionLog,
@@ -66,6 +71,7 @@ type RunIntegrationCommandRequest = {
   headless: boolean;
   visualize: boolean;
   viewport?: { width: number; height: number };
+  windowPosition?: WindowPositionConfig;
   accessMode: SessionAccessMode;
   providerName?: string;
   stayOpenOnSuccess: boolean;
@@ -76,6 +82,29 @@ type ExecMode = "exec" | "readonly-exec";
 
 const require = moduleBuiltin.createRequire(import.meta.url);
 
+export function createRunBrowserConfig(args: {
+  providerName?: string;
+  headless: boolean;
+  viewport?: { width: number; height: number };
+  windowPosition?: WindowPositionConfig;
+}): DaemonConfig["browser"] {
+  if (args.providerName) {
+    return {
+      kind: "provider",
+      providerName: args.providerName,
+    };
+  }
+
+  return {
+    kind: "launch",
+    headed: !args.headless,
+    viewport: args.viewport ?? { width: 1366, height: 768 },
+    ...(!args.headless && args.windowPosition
+      ? { windowPosition: args.windowPosition }
+      : {}),
+  };
+}
+
 function writeDaemonExecOutput(output?: { stdout: string; stderr: string }) {
   if (output?.stdout) {
     process.stdout.write(output.stdout);
@@ -575,16 +604,7 @@ async function runIntegrationFromFile(
     config: {
       session: args.session,
       experiments: args.experiments,
-      browser: args.providerName
-        ? {
-            kind: "provider",
-            providerName: args.providerName,
-          }
-        : {
-            kind: "launch",
-            headed: !args.headless,
-            viewport: args.viewport ?? { width: 1366, height: 768 },
-      },
+      browser: createRunBrowserConfig(args),
       workflow: {
         integrationPath: absoluteIntegrationPath,
         params: args.params,
@@ -875,15 +895,21 @@ export const runCommand = SimpleCLI.command({
       console.log(`Connecting to ${providerName} browser...`);
     }
 
+    const headless = daemonProviderName ? true : (headlessMode ?? false);
+    const windowPosition = headless
+      ? undefined
+      : resolveWindowPosition(ctx.logger);
+
     await runIntegrationFromFile(
       {
         integrationPath: input.integrationFile!,
         session: ctx.session,
         params,
         tsconfigPath: input.tsconfig,
-        headless: daemonProviderName ? true : (headlessMode ?? false),
+        headless,
         visualize,
         viewport,
+        windowPosition,
         accessMode: input.readOnly ? "read-only" : input.writeAccess ? "write-access" : (readLibrettoConfig().sessionMode ?? "write-access"),
         providerName: daemonProviderName,
         stayOpenOnSuccess: input.stayOpenOnSuccess,

package/src/cli/core/browser.ts

@@ -388,7 +388,7 @@ export function resolveViewport(
   return DEFAULT_VIEWPORT;
 }
 
-function resolveWindowPosition(
+export function resolveWindowPosition(
   logger: LoggerApi,
 ): { x: number; y: number } | undefined {
   const config = readLibrettoConfig();

package/src/cli/core/daemon/daemon.ts

@@ -91,6 +91,7 @@ import {
 import { WorkflowController } from "../workflow-runner/runner.js";
 import { validateWorkflowInput } from "../../../shared/workflow/workflow.js";
 import { captureAuthProfileStorageState } from "../../../shared/workflow/auth-profile-state.js";
+import { applyWindowPosition } from "../../../shared/run/window-position.js";
 
 function isOperationalPage(page: Page): boolean {
   const url = page.url();
@@ -397,6 +398,7 @@ class BrowserDaemon {
     });
 
     const page = await context.newPage();
+    await applyWindowPosition(browser, context, page, config.windowPosition);
     page.setDefaultTimeout(30000);
     page.setDefaultNavigationTimeout(45000);
 

package/src/cli/core/deploy-artifact.ts

@@ -71,7 +71,6 @@ type BuildHostedDeployTarballArgs = {
 type CreateHostedDeployPackageArgs = BuildHostedDeployTarballArgs;
 
 const DEFAULT_RUNTIME_EXTERNALS = [
-  "libretto",
   "playwright",
   "playwright-core",
   "chromium-bidi",
@@ -580,22 +579,79 @@ function resolveDependencyVersion(
   );
 }
 
+function resolveLibrettoDependencyVersion(
+  sourceDir: string,
+  packageName: string,
+): string | null {
+  try {
+    const librettoManifestPath = require.resolve("libretto/package.json", {
+      paths: [sourceDir],
+    });
+    const version = readDependencyVersionFromManifest(
+      readPackageManifest(librettoManifestPath),
+      packageName,
+    );
+    if (version) {
+      return version;
+    }
+  } catch {
+    // Fall through to the current CLI install. Source installs are optional in
+    // tests that only exercise manifest construction.
+  }
+
+  const version = readDependencyVersionFromManifest(
+    readPackageManifest(join(CURRENT_LIBRETTO_PACKAGE_DIR, "package.json")),
+    packageName,
+  );
+  if (version) {
+    return version;
+  }
+
+  try {
+    const manifestPath = require.resolve(`${packageName}/package.json`, {
+      paths: [CURRENT_LIBRETTO_PACKAGE_DIR],
+    });
+    return readPackageManifest(manifestPath).version ?? null;
+  } catch {
+    return null;
+  }
+}
+
 function writeDeployManifest(args: {
   additionalExternals: readonly string[];
   deploymentName: string;
   librettoDependency: string;
   outputDir: string;
+  runtimeExternals: readonly string[];
   sourceDir: string;
 }): void {
+  const dependencyPackages = [
+    ...new Set([
+      ...BUILT_IN_MANIFEST_DEPENDENCIES,
+      ...args.runtimeExternals.filter((packageName) =>
+        resolveLibrettoDependencyVersion(args.sourceDir, packageName),
+      ),
+      ...args.additionalExternals,
+    ]),
+  ];
   const dependencies = Object.fromEntries(
-    [...BUILT_IN_MANIFEST_DEPENDENCIES, ...args.additionalExternals].map(
-      (packageName) => [
+    dependencyPackages.map((packageName) => {
+      const fallbackVersion =
+        packageName === "libretto"
+          ? args.librettoDependency
+          : (resolveLibrettoDependencyVersion(args.sourceDir, packageName) ??
+            undefined);
+      return [
         packageName,
         packageName === "libretto"
           ? args.librettoDependency
-          : resolveDependencyVersion(args.sourceDir, packageName),
-      ],
-    ),
+          : resolveDependencyVersion(
+              args.sourceDir,
+              packageName,
+              fallbackVersion,
+            ),
+      ];
+    }),
   );
 
   writeFileSync(
@@ -930,7 +986,7 @@ function createBootstrapSource(args: {
   // to discover workflow exports. The implementation bundle stays embedded in
   // the file, while external packages are resolved from node_modules when the
   // deployed code loads them.
-  return `import { createRequire } from "node:module";
+  return `import { createRequire, Module } from "node:module";
 import { existsSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
@@ -946,6 +1002,45 @@ const BUNDLE_FILENAME = join(
 const nativeRequire = createRequire(
   join(tmpdir(), ${JSON.stringify("libretto-deploy-bootstrap.cjs")}),
 );
+const packageRequire = createRequire(import.meta.url || __filename);
+
+function isBarePackageSpecifier(specifier) {
+  return (
+    !specifier.startsWith(".") &&
+    !specifier.startsWith("/") &&
+    !specifier.startsWith("node:") &&
+    !/^[A-Za-z]:[\\\\/]/.test(specifier)
+  );
+}
+
+function loadImplementation() {
+  const originalRequire = Module.prototype.require;
+  function patchedRequire(specifier) {
+    try {
+      return originalRequire.call(this, specifier);
+    } catch (error) {
+      if (
+        error?.code === "MODULE_NOT_FOUND" &&
+        isBarePackageSpecifier(specifier)
+      ) {
+        Module.prototype.require = originalRequire;
+        try {
+          return packageRequire(specifier);
+        } finally {
+          Module.prototype.require = patchedRequire;
+        }
+      }
+      throw error;
+    }
+  }
+  Module.prototype.require = patchedRequire;
+
+  try {
+    return nativeRequire(ensureBundleFile());
+  } finally {
+    Module.prototype.require = originalRequire;
+  }
+}
 
 function ensureBundleFile() {
   if (!existsSync(BUNDLE_FILENAME)) {
@@ -960,7 +1055,7 @@ function ensureBundleFile() {
 
 function createWorkflowProxy(workflowName, metadata) {
   const handler = async (ctx, input) => {
-    const impl = nativeRequire(ensureBundleFile());
+    const impl = loadImplementation();
     const target = getWorkflowFromModuleExports(impl, workflowName);
     if (!target || typeof target.run !== "function") {
       throw new Error(
@@ -1008,6 +1103,11 @@ async function writeBundledDeployEntrypoint(args: {
 }> {
   try {
     const unresolvedWorkspaceImports = new Map<string, string>();
+    const discoveryExternalPackages = new Set<string>([
+      ...args.externalPackages,
+      "libretto",
+    ]);
+    const unresolvedDiscoveryWorkspaceImports = new Map<string, string>();
     // The implementation bundle is CommonJS so the bootstrap can load it lazily
     // with createRequire() after workflow discovery, while external packages
     // continue to load through normal Node module resolution.
@@ -1031,6 +1131,27 @@ async function writeBundledDeployEntrypoint(args: {
       target: "node20",
       write: false,
     });
+    // Discovery intentionally keeps libretto external so the local discovery
+    // shim can observe workflow(...) calls without executing the full library.
+    const discoveryBuild = await build({
+      absWorkingDir: args.absSourceDir,
+      bundle: true,
+      entryPoints: [args.absEntryPoint],
+      external: [...discoveryExternalPackages],
+      format: "cjs",
+      outfile: "prebundled-discovery.cjs",
+      platform: "node",
+      plugins: [
+        workspaceSourcePlugin(
+          args.workspacePackages,
+          discoveryExternalPackages,
+          unresolvedDiscoveryWorkspaceImports,
+        ),
+      ],
+      splitting: false,
+      target: "node20",
+      write: false,
+    });
     const [unresolvedImport] = unresolvedWorkspaceImports;
     if (unresolvedImport) {
       const [importPath, packageDir] = unresolvedImport;
@@ -1038,6 +1159,13 @@ async function writeBundledDeployEntrypoint(args: {
         `Unable to resolve workspace import "${importPath}" from ${packageDir}.`,
       );
     }
+    const [unresolvedDiscoveryImport] = unresolvedDiscoveryWorkspaceImports;
+    if (unresolvedDiscoveryImport) {
+      const [importPath, packageDir] = unresolvedDiscoveryImport;
+      throw new Error(
+        `Unable to resolve workspace import "${importPath}" from ${packageDir}.`,
+      );
+    }
 
     const bundledImplementation = implementationBuild.outputFiles?.find(
       (file) => file.path.endsWith("prebundled.cjs"),
@@ -1047,12 +1175,18 @@ async function writeBundledDeployEntrypoint(args: {
         "Bundler did not produce a deployment implementation file.",
       );
     }
+    const bundledDiscovery = discoveryBuild.outputFiles?.find((file) =>
+      file.path.endsWith("prebundled-discovery.cjs"),
+    );
+    if (!bundledDiscovery) {
+      throw new Error("Bundler did not produce a deployment discovery file.");
+    }
 
     const workflows = discoverBundledWorkflows({
       absEntryPoint: args.absEntryPoint,
       absSourceDir: args.absSourceDir,
-      bundleBuffer: Buffer.from(bundledImplementation.contents),
-      externalPackages: args.externalPackages,
+      bundleBuffer: Buffer.from(bundledDiscovery.contents),
+      externalPackages: discoveryExternalPackages,
     });
 
     writeFileSync(
@@ -1145,6 +1279,7 @@ export async function createHostedDeployPackage(
       deploymentName: args.deploymentName,
       librettoDependency,
       outputDir,
+      runtimeExternals: [...DEFAULT_RUNTIME_EXTERNALS],
       sourceDir: absSourceDir,
     });
     writeDeployMetadata({ outputDir, workflows: workflowsWithShareableSource });

package/src/shared/run/browser.ts

@@ -13,6 +13,10 @@ import {
   SessionStateFileSchema,
 } from "../state/session-state.js";
 import { readLibrettoConfig } from "../../cli/core/config.js";
+import {
+  applyWindowPosition,
+  type WindowPosition,
+} from "./window-position.js";
 
 async function pickFreePort(): Promise<number> {
   return await new Promise((resolve, reject) => {
@@ -49,53 +53,10 @@ export type BrowserSession = {
   close: () => Promise<void>;
 };
 
-function resolveWindowPosition(): { x: number; y: number } | undefined {
+function resolveWindowPosition(): WindowPosition | undefined {
   return readLibrettoConfig().windowPosition;
 }
 
-async function applyWindowPosition(
-  browser: Browser,
-  context: BrowserContext,
-  page: Page,
-  windowPosition: { x: number; y: number } | undefined,
-): Promise<void> {
-  if (!windowPosition) {
-    return;
-  }
-
-  const requestedBounds = {
-    left: windowPosition.x,
-    top: windowPosition.y,
-    windowState: "normal" as const,
-  };
-
-  const pageCdp = await context.newCDPSession(page);
-  let browserCdp:
-    | Awaited<ReturnType<Browser["newBrowserCDPSession"]>>
-    | undefined;
-  try {
-    const targetInfo = await pageCdp.send("Target.getTargetInfo");
-    const targetId = (
-      targetInfo as { targetInfo?: { targetId?: string } }
-    ).targetInfo?.targetId;
-    browserCdp = await browser.newBrowserCDPSession();
-    const windowResult = await browserCdp.send(
-      "Browser.getWindowForTarget",
-      targetId ? { targetId } : {},
-    );
-    await browserCdp.send("Browser.setWindowBounds", {
-      windowId: windowResult.windowId,
-      bounds: requestedBounds,
-    });
-    await new Promise((resolve) => setTimeout(resolve, 250));
-  } catch {
-    // Best-effort: window positioning should not prevent browser launch.
-  } finally {
-    await pageCdp.detach().catch(() => {});
-    await browserCdp?.detach().catch(() => {});
-  }
-}
-
 export async function launchBrowser({
   sessionName,
   headless = false,

package/src/shared/run/window-position.ts

@@ -0,0 +1,49 @@
+import type { Browser, BrowserContext, Page } from "playwright";
+
+export type WindowPosition = { x: number; y: number };
+
+export async function applyWindowPosition(
+  browser: Browser,
+  context: BrowserContext,
+  page: Page,
+  windowPosition: WindowPosition | undefined,
+): Promise<void> {
+  if (!windowPosition) {
+    return;
+  }
+
+  const requestedBounds = {
+    left: windowPosition.x,
+    top: windowPosition.y,
+    windowState: "normal" as const,
+  };
+
+  let pageCdp:
+    | Awaited<ReturnType<BrowserContext["newCDPSession"]>>
+    | undefined;
+  let browserCdp:
+    | Awaited<ReturnType<Browser["newBrowserCDPSession"]>>
+    | undefined;
+  try {
+    pageCdp = await context.newCDPSession(page);
+    const targetInfo = await pageCdp.send("Target.getTargetInfo");
+    const targetId = (
+      targetInfo as { targetInfo?: { targetId?: string } }
+    ).targetInfo?.targetId;
+    browserCdp = await browser.newBrowserCDPSession();
+    const windowResult = await browserCdp.send(
+      "Browser.getWindowForTarget",
+      targetId ? { targetId } : {},
+    );
+    await browserCdp.send("Browser.setWindowBounds", {
+      windowId: windowResult.windowId,
+      bounds: requestedBounds,
+    });
+    await new Promise((resolve) => setTimeout(resolve, 250));
+  } catch {
+    // Best-effort: window positioning should not prevent browser launch.
+  } finally {
+    await pageCdp?.detach().catch(() => {});
+    await browserCdp?.detach().catch(() => {});
+  }
+}

package/src/shared/workflow/authenticate.ts

@@ -1,8 +1,8 @@
 import type { LibrettoWorkflowContext } from "./workflow.js";
 
 export type LibrettoAuthenticateOptions = {
-  validate: (ctx: LibrettoWorkflowContext) => Promise<boolean> | boolean;
-  fallback: (
+  isSignedIn: (ctx: LibrettoWorkflowContext) => Promise<boolean> | boolean;
+  signIn: (
     ctx: LibrettoWorkflowContext,
     credentials: Record<string, string>,
   ) => Promise<void> | void;
@@ -14,17 +14,17 @@ export async function librettoAuthenticate(
   ctx: LibrettoWorkflowContext,
   options: LibrettoAuthenticateOptions,
 ): Promise<{ usedProfile: boolean }> {
-  if (await options.validate(ctx)) {
+  if (await options.isSignedIn(ctx)) {
     return { usedProfile: true };
   }
 
   const credentials = normalizeCredentials(
     options.credentials ?? readCredentialsFromEnv(options.envPrefix),
   );
-  await options.fallback(ctx, credentials);
+  await options.signIn(ctx, credentials);
 
-  if (!(await options.validate(ctx))) {
-    throw new Error("Authentication fallback completed, but validation still failed.");
+  if (!(await options.isSignedIn(ctx))) {
+    throw new Error("Sign-in completed, but the session is still not signed in.");
   }
 
   return { usedProfile: false };

package/skills/libretto/references/auth-profiles.md

@@ -1,79 +0,0 @@
-# Auth Profiles
-
-Use this reference when generating or maintaining workflows that need a logged-in website session.
-
-## When to Use This
-
-- The user wants to persist authentication across runs.
-- The workflow should recover when saved login state is stale.
-
-## Workflow
-
-- Open the site in headed mode.
-- Ask the user to log in manually.
-- Save the current session as a named, site-scoped profile.
-- Run a workflow that declares the profile and includes fallback login logic.
-
-## Commands
-
-```bash
-# Save scoped auth state from the current Libretto session.
-npx libretto save example-app --session login --sites app.example.com,auth.example.com
-
-# List or delete hosted auth profile names.
-npx libretto cloud profiles list
-npx libretto cloud profiles delete example-app
-```
-
-## Workflow Definition
-
-Use `authProfile` to reuse a named login profile: local runs load
-`.libretto/profiles/<name>.json`, while hosted runs use provider-native profiles
-that `libretto cloud deploy` registers by name without uploading local files.
-Use `{ name, refresh: true }` when successful runs should persist updated
-browser state back to the profile. Pair profile use with `librettoAuthenticate`
-so stale local or hosted sessions can fall back to login with declared
-credentials before the workflow continues.
-
-```typescript
-import { librettoAuthenticate, workflow } from "libretto";
-
-export default workflow("accountWorkflow", {
-  authProfile: {
-    name: "example-account",
-    refresh: true,
-  },
-  credentials: ["username", "password"],
-  async handler(ctx, input) {
-    const { page } = ctx;
-
-    await page.goto("https://app.example.com/dashboard");
-
-    await librettoAuthenticate(ctx, {
-      credentials: input.credentials,
-      validate: async ({ page }) =>
-        await page.getByRole("heading", { name: "Dashboard" })
-          .isVisible()
-          .catch(() => false),
-      fallback: async ({ page }, credentials) => {
-        await page.goto("https://app.example.com/login");
-        await page.getByLabel("Email").fill(credentials.username);
-        await page.getByLabel("Password").fill(credentials.password);
-        await page.getByRole("button", { name: "Sign in" }).click();
-        await page.getByRole("heading", { name: "Dashboard" }).waitFor();
-      },
-    });
-
-    // Continue with the signed-in workflow steps.
-  },
-});
-```
-
-## Notes
-
-- Saving a profile captures cookies, localStorage, and IndexedDB only for the comma-separated `--sites` list.
-- If the user explicitly wants to import from Chrome, ask which Chrome/profile
-  to launch or attach to and get consent before attaching because disconnecting
-  can close or relaunch that Chrome window. Chrome may require copying the
-  selected profile to a temporary user-data directory before running
-  `npx libretto import-chrome-profiles example-app --cdp-url http://127.0.0.1:9222 --sites app.example.com`.