libretto 0.6.8 → 0.6.10

package/dist/cli/cli.js

@@ -2,6 +2,7 @@ import { resolveAiSetupStatus } from "./core/ai-model.js";
 import { ensureLibrettoSetup } from "./core/context.js";
 import { createCLIApp } from "./router.js";
 import { warnIfInstalledSkillOutOfDate } from "./core/skill-version.js";
+import { loadEnv } from "../shared/env/load-env.js";
 function renderUsage(app) {
   return `${app.renderHelp()}
 
@@ -43,6 +44,7 @@ function isRootHelpRequest(rawArgs) {
 async function runLibrettoCLI() {
   const rawArgs = process.argv.slice(2);
   let exitCode = 0;
+  loadEnv();
   ensureLibrettoSetup();
   const app = createCLIApp();
   try {

package/dist/cli/commands/auth.js

@@ -0,0 +1,535 @@
+import { z } from "zod";
+import { SimpleCLI } from "../framework/simple-cli.js";
+import {
+  ApiCallError,
+  betterAuthCall,
+  HOSTED_API_URL,
+  NOT_AUTHENTICATED_MESSAGE,
+  orpcCall,
+  pickCredential,
+  resolveApiUrl
+} from "../core/auth-fetch.js";
+import {
+  authStatePath,
+  clearAuthState,
+  readAuthState,
+  setCookieToCookieHeader,
+  writeAuthState
+} from "../core/auth-storage.js";
+import { prompt, promptPassword, slugify } from "../core/prompt.js";
+function isSlugTakenData(data) {
+  return !!data && typeof data === "object" && data.reason === "slug_taken";
+}
+async function getCurrentSession(apiUrl, cookie) {
+  try {
+    const { data } = await betterAuthCall({
+      apiUrl,
+      path: "/api/auth/get-session",
+      method: "GET",
+      credential: cookie ? { source: "cookie", cookie } : void 0
+    });
+    return data && typeof data === "object" && "user" in data ? data : null;
+  } catch {
+    return null;
+  }
+}
+async function pollForVerification(apiUrl, pollIntervalMs = 4e3, maxWaitMs = 10 * 60 * 1e3) {
+  const start = Date.now();
+  while (Date.now() - start < maxWaitMs) {
+    const session = await getCurrentSession(apiUrl);
+    if (session?.user.emailVerified) return true;
+    process.stdout.write(".");
+    await new Promise((r) => setTimeout(r, pollIntervalMs));
+  }
+  console.log();
+  return false;
+}
+async function persistSignupSession(apiUrl, result) {
+  const cookie = setCookieToCookieHeader(result.setCookie);
+  if (!cookie) {
+    throw new Error("Sign-up did not return a session cookie. Check the server.");
+  }
+  const next = {
+    apiUrl,
+    session: {
+      cookie,
+      userId: result.userId,
+      email: result.email,
+      expiresAt: null
+    }
+  };
+  await writeAuthState(next);
+  return next;
+}
+async function resolveActiveOrgId(apiUrl, credential) {
+  const { data: orgs } = await betterAuthCall({
+    apiUrl,
+    path: "/api/auth/organization/list",
+    method: "GET",
+    credential
+  });
+  if (!Array.isArray(orgs) || orgs.length === 0) {
+    throw new Error(
+      "No organization on this account \u2014 sign up or accept an invite first."
+    );
+  }
+  return orgs[0].id;
+}
+async function issueApiKey(apiUrl, name, credential) {
+  const { data } = await betterAuthCall({
+    apiUrl,
+    path: "/api/auth/api-key/create",
+    input: { name },
+    credential
+  });
+  if (!data?.key) {
+    throw new Error("API-key creation returned no raw key.");
+  }
+  return data;
+}
+const signupCommand = SimpleCLI.command({
+  description: "Create a new hosted-platform account and organization",
+  experimental: true
+}).input(SimpleCLI.input({ positionals: [], named: {} })).handle(async () => {
+  const apiUrl = HOSTED_API_URL;
+  console.log("Sign up for libretto cloud");
+  console.log();
+  console.log("Heads up: a libretto user can only belong to one organization.");
+  console.log(
+    "If your team already has a libretto org, ask a teammate for an invite instead \u2014 switching orgs later isn't supported."
+  );
+  console.log("Type 'q' at the name prompt to quit if that applies to you.");
+  console.log();
+  const name = await prompt("Your name:");
+  if (name.toLowerCase() === "q" || name.length === 0) {
+    console.log(
+      "OK \u2014 ask an existing teammate to run `libretto experimental auth invite <your-email>` and then run `libretto experimental auth accept-invite <slug> <invitation-id>` from this machine."
+    );
+    return;
+  }
+  const email = await prompt("Your email:");
+  const password = await promptPassword("Choose a password (8+ chars):");
+  const orgName = await prompt("Organization name:");
+  const defaultSlug = slugify(orgName);
+  let orgSlug = (await prompt("Organization slug:", { defaultValue: defaultSlug })).toLowerCase();
+  const debugNotificationEmail = await prompt(
+    "Alert email (for hosted workflow failures):",
+    { defaultValue: email }
+  );
+  console.log();
+  console.log("Creating account...");
+  let result;
+  while (true) {
+    try {
+      result = await orpcCall({
+        apiUrl,
+        path: "/v1/auth/signupAndCreateOrg",
+        input: {
+          name,
+          email,
+          password,
+          organizationName: orgName,
+          organizationSlug: orgSlug,
+          debugNotificationEmail
+        },
+        unauthenticated: true
+      });
+      break;
+    } catch (e) {
+      if (e instanceof ApiCallError && e.code === "CONFLICT" && isSlugTakenData(e.data)) {
+        console.log();
+        console.log(e.message);
+        orgSlug = (await prompt("Organization slug:")).toLowerCase();
+        continue;
+      }
+      throw e;
+    }
+  }
+  await persistSignupSession(apiUrl, result);
+  console.log(`Account created. Verification email sent to ${result.email}.`);
+  console.log("Click the link in the email to verify, then return here.");
+  console.log("Waiting for verification");
+  const verified = await pollForVerification(apiUrl);
+  if (!verified) {
+    console.log();
+    console.log(
+      "Timed out waiting for email verification. Click the link in the email when you're ready \u2014 your CLI session is already saved, no need to re-run signup."
+    );
+    return;
+  }
+  console.log();
+  console.log("Email verified. You're logged in.");
+  console.log(`Session saved to ${authStatePath()}`);
+  console.log();
+  console.log("To generate an API key, run:");
+  console.log("  libretto experimental auth api-key issue --label <label>");
+  console.log("Then add LIBRETTO_API_KEY=<key> to your project's .env file.");
+});
+const loginCommand = SimpleCLI.command({
+  description: "Sign in to an existing hosted-platform account",
+  experimental: true
+}).input(SimpleCLI.input({ positionals: [], named: {} })).handle(async () => {
+  const apiUrl = HOSTED_API_URL;
+  const email = await prompt("Email:");
+  const password = await promptPassword("Password:");
+  const { data, setCookie } = await betterAuthCall({
+    apiUrl,
+    path: "/api/auth/sign-in/email",
+    input: { email, password },
+    unauthenticated: true
+  });
+  const cookie = setCookieToCookieHeader(setCookie);
+  if (!cookie) {
+    throw new Error("Login response did not include a session cookie.");
+  }
+  const session = await getCurrentSession(apiUrl, cookie);
+  const next = {
+    apiUrl,
+    session: {
+      cookie,
+      userId: data.user.id,
+      email: data.user.email,
+      expiresAt: session?.session.expiresAt ?? null
+    }
+  };
+  await writeAuthState(next);
+  console.log(`Logged in as ${data.user.email}.`);
+  if (!data.user.emailVerified) {
+    console.log(
+      "Heads up: your email isn't verified yet. Re-sending the verification link to your inbox \u2014 click it to finish setup."
+    );
+    try {
+      await betterAuthCall({
+        apiUrl,
+        path: "/api/auth/send-verification-email",
+        input: {
+          email: data.user.email,
+          callbackURL: `${apiUrl}/auth/verified`
+        },
+        unauthenticated: true
+      });
+      console.log(`Verification email sent to ${data.user.email}.`);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "unknown error";
+      console.log(
+        `Couldn't resend the verification email (${message}). Try again, or hit /api/auth/send-verification-email directly.`
+      );
+    }
+  }
+});
+const logoutCommand = SimpleCLI.command({
+  description: "Clear local libretto credentials",
+  experimental: true
+}).handle(async () => {
+  const state = await readAuthState();
+  if (state?.session?.cookie) {
+    try {
+      await betterAuthCall({
+        apiUrl: state.apiUrl,
+        path: "/api/auth/sign-out",
+        credential: { source: "cookie", cookie: state.session.cookie }
+      });
+    } catch {
+    }
+  }
+  await clearAuthState();
+  console.log("Logged out.");
+});
+const inviteCommand = SimpleCLI.command({
+  description: "Invite a teammate to your active organization",
+  experimental: true
+}).input(
+  SimpleCLI.input({
+    positionals: [
+      SimpleCLI.positional("email", z.string().email(), {
+        help: "Email address of the person to invite."
+      })
+    ],
+    named: {
+      role: SimpleCLI.option(
+        z.enum(["member", "admin", "owner"]).default("member"),
+        { help: "Role to assign (default: member)." }
+      )
+    }
+  })
+).handle(async ({ input }) => {
+  const state = await readAuthState();
+  const apiUrl = resolveApiUrl(state);
+  const credential = pickCredential(state);
+  if (credential.source === "none") {
+    throw new Error(NOT_AUTHENTICATED_MESSAGE);
+  }
+  const organizationId = await resolveActiveOrgId(apiUrl, credential);
+  const body = {
+    email: input.email,
+    role: input.role,
+    organizationId
+  };
+  const { data } = await betterAuthCall({
+    apiUrl,
+    path: "/api/auth/organization/invite-member",
+    input: body,
+    credential
+  });
+  const { data: orgs } = await betterAuthCall({
+    apiUrl,
+    path: "/api/auth/organization/list",
+    method: "GET",
+    credential
+  });
+  const org = orgs?.find((o) => o.id === data.organizationId);
+  const orgName = org?.name ?? "<your-org-name>";
+  const orgSlug = org?.slug ?? "<your-org-slug>";
+  console.log(`Invitation sent to ${data.email}.`);
+  console.log(`Invitation id: ${data.id}`);
+  console.log(`Organization:  ${orgName} (${orgSlug})`);
+  console.log(`Expires at:    ${data.expiresAt}`);
+  console.log();
+  console.log("Tell them to run:");
+  console.log(
+    `  libretto experimental auth accept-invite ${orgSlug} ${data.id}`
+  );
+});
+const acceptInviteCommand = SimpleCLI.command({
+  description: "Accept an organization invitation",
+  experimental: true
+}).input(
+  SimpleCLI.input({
+    positionals: [
+      SimpleCLI.positional(
+        "tenantSlug",
+        z.string().min(2).max(60).regex(/^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/, {
+          message: "Slug must be lowercase letters, numbers, and hyphens (no leading/trailing hyphen)."
+        }),
+        {
+          help: "Slug of the organization you're joining. Must match the org slug in the invitation email \u2014 acts as a confirmation step."
+        }
+      ),
+      SimpleCLI.positional("invitationId", z.string().min(1), {
+        help: "Invitation id from the invite email."
+      })
+    ],
+    named: {}
+  })
+).handle(async ({ input }) => {
+  const stored = await readAuthState();
+  const apiUrl = HOSTED_API_URL;
+  const credential = pickCredential(stored);
+  const expectedTenantSlug = input.tenantSlug;
+  if (credential.source !== "none") {
+    const { data: existingOrgs } = await betterAuthCall({
+      apiUrl,
+      path: "/api/auth/organization/list",
+      method: "GET",
+      credential
+    });
+    if (Array.isArray(existingOrgs) && existingOrgs.length > 0) {
+      throw new Error(
+        [
+          "You're already a member of an organization.",
+          "A libretto user can only belong to one organization at a time.",
+          "To accept this invite: log out, delete the existing account, and re-run `auth accept-invite` with a new account (or a fresh email)."
+        ].join("\n")
+      );
+    }
+    const { data: invitation } = await betterAuthCall({
+      apiUrl,
+      path: `/api/auth/organization/get-invitation?id=${encodeURIComponent(input.invitationId)}`,
+      method: "GET",
+      credential
+    });
+    if (!invitation?.organizationSlug || invitation.organizationSlug !== expectedTenantSlug) {
+      throw new Error(
+        "Organization slug doesn't match this invitation. Double-check the slug shown in the invitation email."
+      );
+    }
+    await betterAuthCall({
+      apiUrl,
+      path: "/api/auth/organization/accept-invitation",
+      input: { invitationId: input.invitationId },
+      credential
+    });
+    console.log(`Invitation accepted. You're now a member of ${invitation.organizationName}.`);
+    return;
+  }
+  console.log("Accepting invite \u2014 let's create your account.");
+  const name = await prompt("Your name:");
+  const password = await promptPassword("Choose a password (8+ chars):");
+  const result = await orpcCall({
+    apiUrl,
+    path: "/v1/auth/acceptInviteAndSignup",
+    input: {
+      invitationId: input.invitationId,
+      tenantSlug: input.tenantSlug,
+      name,
+      password
+    },
+    unauthenticated: true
+  });
+  await persistSignupSession(apiUrl, result);
+  console.log(`Account created. Verification email sent to ${result.email}.`);
+  console.log("Click the link in the email and return here.");
+  console.log("Waiting for verification");
+  const verified = await pollForVerification(apiUrl);
+  if (!verified) {
+    console.log();
+    console.log(
+      "Timed out waiting for email verification. Click the link in the email when ready \u2014 your CLI session is already saved."
+    );
+    return;
+  }
+  console.log();
+  console.log("Email verified. You're logged in and a member of the organization.");
+  console.log("To generate an API key, run:");
+  console.log("  libretto experimental auth api-key issue --label <label>");
+  console.log("Then add LIBRETTO_API_KEY=<key> to your project's .env file.");
+});
+const apiKeyIssueCommand = SimpleCLI.command({
+  description: "Issue a new API key for the active organization",
+  experimental: true
+}).input(
+  SimpleCLI.input({
+    positionals: [],
+    named: {
+      label: SimpleCLI.option(z.string(), {
+        help: "Label to identify this key (e.g. 'laptop-dev', 'github-actions')."
+      })
+    }
+  })
+).handle(async ({ input }) => {
+  const stored = await readAuthState();
+  const apiUrl = resolveApiUrl(stored);
+  const credential = pickCredential(stored);
+  if (credential.source === "none") {
+    throw new Error(NOT_AUTHENTICATED_MESSAGE);
+  }
+  const key = await issueApiKey(apiUrl, input.label, credential);
+  console.log(`API key issued (id: ${key.id}, label: ${key.name ?? input.label}).`);
+  console.log(`Key (shown once \u2014 keep it safe):`);
+  console.log(`  ${key.key}`);
+  console.log();
+  console.log("Add the following to your project's .env file:");
+  console.log(`  LIBRETTO_API_KEY=${key.key}`);
+  console.log();
+  console.log(
+    "The key is not stored on disk by the CLI \u2014 losing it means revoking + re-issuing."
+  );
+});
+const apiKeyListCommand = SimpleCLI.command({
+  description: "List API keys for the active organization",
+  experimental: true
+}).handle(async () => {
+  const stored = await readAuthState();
+  const apiUrl = resolveApiUrl(stored);
+  const credential = pickCredential(stored);
+  if (credential.source === "none") {
+    throw new Error(NOT_AUTHENTICATED_MESSAGE);
+  }
+  const { data } = await betterAuthCall({
+    apiUrl,
+    path: "/api/auth/api-key/list",
+    method: "GET",
+    credential
+  });
+  if (!Array.isArray(data) || data.length === 0) {
+    console.log("No API keys.");
+    return;
+  }
+  for (const key of data) {
+    const enabled = key.enabled === false ? " [disabled]" : "";
+    const last = key.lastRequest ? ` last-used ${key.lastRequest}` : "";
+    console.log(
+      `${key.id}  ${key.name ?? "(unnamed)"}  ${key.start ?? key.prefix ?? ""}\u2026  created ${key.createdAt}${enabled}${last}`
+    );
+  }
+});
+const apiKeyRevokeCommand = SimpleCLI.command({
+  description: "Revoke an API key by id",
+  experimental: true
+}).input(
+  SimpleCLI.input({
+    positionals: [
+      SimpleCLI.positional("id", z.string().min(1), {
+        help: "API key id (from `auth api-key list`)."
+      })
+    ],
+    named: {}
+  })
+).handle(async ({ input }) => {
+  const stored = await readAuthState();
+  const apiUrl = resolveApiUrl(stored);
+  const credential = pickCredential(stored);
+  if (credential.source === "none") {
+    throw new Error(NOT_AUTHENTICATED_MESSAGE);
+  }
+  await betterAuthCall({
+    apiUrl,
+    path: "/api/auth/api-key/delete",
+    input: { keyId: input.id },
+    credential
+  });
+  console.log(`API key ${input.id} revoked.`);
+  console.log(
+    "If this key was in your .env, remove the LIBRETTO_API_KEY value and issue a new one with `auth api-key issue --label <label>`."
+  );
+});
+const whoamiCommand = SimpleCLI.command({
+  description: "Print the active session and credential source",
+  experimental: true
+}).handle(async () => {
+  const stored = await readAuthState();
+  const credential = pickCredential(stored);
+  const envKey = process.env.LIBRETTO_API_KEY?.trim();
+  if (credential.source === "none") {
+    console.log(
+      "Not authenticated. Run `libretto experimental auth signup`, `login`, or set LIBRETTO_API_KEY in your env."
+    );
+    return;
+  }
+  console.log(`Auth source:      ${credential.source}`);
+  console.log(`API URL:          ${HOSTED_API_URL}`);
+  console.log(
+    `LIBRETTO_API_KEY: ${envKey ? `set in env (${envKey.slice(0, 6)}\u2026)` : "not set in env"}`
+  );
+  if (stored?.session) {
+    console.log(`Session email:    ${stored.session.email}`);
+    console.log(`Session user id:  ${stored.session.userId}`);
+    if (stored.session.expiresAt) {
+      console.log(`Session expires:  ${stored.session.expiresAt}`);
+    }
+    console.log(`Session file:     ${authStatePath()}`);
+  } else {
+    console.log("Session file:     (none on disk)");
+  }
+});
+const authCommands = SimpleCLI.group({
+  description: "Hosted-platform auth commands",
+  routes: {
+    signup: signupCommand,
+    login: loginCommand,
+    logout: logoutCommand,
+    invite: inviteCommand,
+    "accept-invite": acceptInviteCommand,
+    whoami: whoamiCommand,
+    "api-key": SimpleCLI.group({
+      description: "Manage API keys",
+      routes: {
+        issue: apiKeyIssueCommand,
+        list: apiKeyListCommand,
+        revoke: apiKeyRevokeCommand
+      }
+    })
+  }
+});
+export {
+  acceptInviteCommand,
+  apiKeyIssueCommand,
+  apiKeyListCommand,
+  apiKeyRevokeCommand,
+  authCommands,
+  inviteCommand,
+  loginCommand,
+  logoutCommand,
+  signupCommand,
+  whoamiCommand
+};

package/dist/cli/commands/billing.js

@@ -0,0 +1,74 @@
+import { SimpleCLI } from "../framework/simple-cli.js";
+import {
+  NOT_AUTHENTICATED_MESSAGE,
+  orpcCall,
+  pickCredential,
+  resolveApiUrl
+} from "../core/auth-fetch.js";
+import { readAuthState } from "../core/auth-storage.js";
+const CONTACT_URL = "https://libretto.sh";
+async function requireAuth() {
+  const stored = await readAuthState();
+  const apiUrl = resolveApiUrl(stored);
+  const credential = pickCredential(stored);
+  if (credential.source === "none") {
+    throw new Error(NOT_AUTHENTICATED_MESSAGE);
+  }
+  return { apiUrl, credential };
+}
+function formatLimit(limit) {
+  return limit === null ? "\u221E" : String(limit);
+}
+const billingPortalCommand = SimpleCLI.command({
+  description: "Open the libretto plans page (current plan + switch options)",
+  experimental: true
+}).handle(async () => {
+  const { apiUrl, credential } = await requireAuth();
+  const { url } = await orpcCall({
+    apiUrl,
+    path: "/v1/billing/openPlansPage",
+    credential
+  });
+  console.log("Open this URL in your browser to choose or change your plan:");
+  console.log(`  ${url}`);
+  console.log();
+  console.log(
+    "(Shows all tiers with features, your current plan, and a Manage payment / invoices link.)"
+  );
+  console.log(
+    `For a BAA or Enterprise pricing, contact us at ${CONTACT_URL}.`
+  );
+});
+const billingStatusCommand = SimpleCLI.command({
+  description: "Print the current plan, status, and browser-hour usage",
+  experimental: true
+}).handle(async () => {
+  const { apiUrl, credential } = await requireAuth();
+  const sub = await orpcCall({
+    apiUrl,
+    path: "/v1/billing/subscription",
+    credential
+  });
+  const used = sub.browserHoursUsedThisPeriod.toFixed(2);
+  const limit = formatLimit(sub.browserHoursLimit);
+  console.log(`Plan:    ${sub.plan} (${sub.status})`);
+  console.log(`Usage:   ${used} / ${limit} browser hours this period`);
+  if (sub.currentPeriodEnd) {
+    console.log(`Period:  ends ${sub.currentPeriodEnd.slice(0, 10)}`);
+  }
+  if (sub.cancelAtPeriodEnd) {
+    console.log("Note:    cancellation scheduled at period end.");
+  }
+});
+const billingCommands = SimpleCLI.group({
+  description: "Hosted-platform subscription + usage commands",
+  routes: {
+    portal: billingPortalCommand,
+    status: billingStatusCommand
+  }
+});
+export {
+  billingCommands,
+  billingPortalCommand,
+  billingStatusCommand
+};

package/dist/cli/commands/browser.js

@@ -68,6 +68,10 @@ const openInput = SimpleCLI.input({
       name: "write-access",
       help: "Create the session in write-access mode (overrides config default)"
     }),
+    authProfile: SimpleCLI.option(z.string().optional(), {
+      name: "auth-profile",
+      help: "Override the domain used for auth profile lookup (e.g. use login.example.com's profile when opening app.example.com)"
+    }),
     viewport: SimpleCLI.option(z.string().optional(), {
       help: "Viewport size as WIDTHxHEIGHT (e.g. 1920x1080)"
     }),
@@ -78,7 +82,7 @@ const openInput = SimpleCLI.input({
   }
 }).refine(
   (input) => Boolean(input.url),
-  `Usage: libretto open <url> [--headless] [--read-only|--write-access] [--viewport WxH] [--session <name>]`
+  `Usage: libretto open <url> [--headless] [--read-only|--write-access] [--auth-profile <domain>] [--viewport WxH] [--session <name>]`
 ).refine(
   (input) => !(input.headed && input.headless),
   "Cannot pass both --headed and --headless."
@@ -87,7 +91,7 @@ const openInput = SimpleCLI.input({
   "Cannot pass both --read-only and --write-access."
 );
 const openCommand = SimpleCLI.command({
-  description: "Launch browser and open URL (headed by default)"
+  description: "Launch browser and open URL (headed by default). Automatically loads a saved auth profile for the URL's domain if one exists."
 }).input(openInput).use(withAutoSession()).handle(async ({ input, ctx }) => {
   warnIfInstalledSkillOutOfDate();
   assertSessionAvailableForStart(ctx.session, ctx.logger);
@@ -100,7 +104,8 @@ const openCommand = SimpleCLI.command({
       accessMode: resolveRequestedSessionMode(
         input.readOnly,
         input.writeAccess
-      )
+      ),
+      authProfileDomain: input.authProfile
     });
   } else {
     const provider = getCloudProviderApi(providerName);

package/dist/cli/commands/deploy.js

@@ -1,24 +1,19 @@
 import { randomBytes } from "node:crypto";
 import { z } from "zod";
+import { HOSTED_API_URL } from "../core/auth-fetch.js";
 import { buildHostedDeployTarball } from "../core/deploy-artifact.js";
 import { SimpleCLI } from "../framework/simple-cli.js";
 function generateDeploymentName() {
   return `deploy-${Date.now().toString(36)}-${randomBytes(4).toString("hex")}`;
 }
 function getConfig() {
-  const apiUrl = process.env.LIBRETTO_API_URL;
   const apiKey = process.env.LIBRETTO_API_KEY;
-  if (!apiUrl) {
-    throw new Error(
-      "LIBRETTO_API_URL environment variable is required."
-    );
-  }
   if (!apiKey) {
     throw new Error(
       "LIBRETTO_API_KEY environment variable is required."
     );
   }
-  return { apiUrl: apiUrl.replace(/\/$/, ""), apiKey };
+  return { apiUrl: HOSTED_API_URL, apiKey };
 }
 async function postJson(apiUrl, apiKey, path, input = {}) {
   return fetch(`${apiUrl}${path}`, {