@vibetechnologies/chrome-sync 0.4.0

package/src/cli.ts

@@ -0,0 +1,162 @@
+#!/usr/bin/env node
+/**
+ * @vibetechnologies/chrome-sync CLI
+ *
+ * Sync browser cookies from local Chrome to OpenClaw cloud browser.
+ *
+ * Usage:
+ *   chrome-sync login
+ *   chrome-sync login --token <ADMIN_SECRET>
+ *   chrome-sync push --domains google.com,github.com
+ *   chrome-sync push --profile "Profile 1"
+ *   chrome-sync profiles
+ *   chrome-sync logout
+ */
+
+import { Command } from "commander";
+import { extractStorageState } from "./extract.js";
+import { loginViaBrowser, loginWithToken, pushCookies, loadAuth, clearAuth } from "./api.js";
+
+const program = new Command();
+
+program
+  .name("chrome-sync")
+  .description(
+    "Sync browser cookies and sessions from local Chrome to OpenClaw cloud browser"
+  )
+  .version("0.4.0");
+
+program
+  .command("login")
+  .description("Authenticate with OpenClaw (opens browser)")
+  .option("--token <token>", "Use a direct API token instead of browser auth")
+  .option(
+    "--api-url <url>",
+    "OpenClaw API URL",
+    "https://console.openclaw.vibebrowser.app"
+  )
+  .action(async (opts) => {
+    try {
+      let config;
+      if (opts.token) {
+        config = await loginWithToken(opts.apiUrl, opts.token);
+      } else {
+        config = await loginViaBrowser(opts.apiUrl);
+      }
+      console.log(`✓ Authenticated as ${config.username}`);
+      if (config.subdomain) {
+        console.log(`  Tenant: ${config.subdomain}`);
+      }
+      console.log(`  API: ${config.apiUrl}`);
+    } catch (err: any) {
+      console.error(`✗ Login failed: ${err.message}`);
+      process.exit(1);
+    }
+  });
+
+program
+  .command("push")
+  .description("Extract and push cookies to cloud browser")
+  .option(
+    "--domains <domains>",
+    "Comma-separated domains to sync (omit for all cookies)"
+  )
+  .option("--profile <profile>", "Chrome profile name", "Default")
+  .option("--subdomain <subdomain>", "Target tenant subdomain")
+  .option("--dry-run", "Extract cookies but don't push", false)
+  .action(async (opts) => {
+    try {
+      // Check auth first
+      let auth = loadAuth();
+      if (!auth) {
+        console.log("Not authenticated. Starting login...\n");
+        auth = await loginViaBrowser();
+        console.log(`✓ Authenticated as ${auth.username}\n`);
+      }
+
+      const domains = opts.domains
+        ? opts.domains
+            .split(",")
+            .map((d: string) => d.trim())
+            .map((d: string) => (d.startsWith(".") ? d : `.${d}`))
+        : [];
+
+      const label = domains.length > 0 ? domains.join(", ") : "ALL";
+      console.log(
+        `Extracting cookies for: ${label} (profile: ${opts.profile})`
+      );
+
+      const storageState = await extractStorageState(domains, opts.profile);
+      console.log(`  Found ${storageState.cookies.length} cookies`);
+
+      if (storageState.cookies.length === 0) {
+        console.log("  No cookies found. Make sure you're logged into these sites in Chrome.");
+        process.exit(1);
+      }
+
+      if (opts.dryRun) {
+        console.log("\n  Dry run — cookies extracted but not pushed.");
+        console.log("  Domains covered:");
+        const domainSet = new Set(storageState.cookies.map((c) => c.domain));
+        for (const d of domainSet) {
+          const count = storageState.cookies.filter((c) => c.domain === d).length;
+          console.log(`    ${d}: ${count} cookies`);
+        }
+        return;
+      }
+
+      console.log("  Pushing to cloud browser...");
+      const result = await pushCookies(storageState, {
+        subdomain: opts.subdomain,
+      });
+
+      console.log(`✓ Injected ${result.injected} cookies into cloud browser`);
+      if (result.errors.length > 0) {
+        console.warn(`  Warnings: ${result.errors.join(", ")}`);
+      }
+    } catch (err: any) {
+      console.error(`✗ Failed: ${err.message}`);
+      process.exit(1);
+    }
+  });
+
+program
+  .command("profiles")
+  .description("List available Chrome profiles")
+  .action(() => {
+    const { getChromeProfileDir } = require("./extract.js") as typeof import("./extract.js");
+    const { readdirSync } = require("node:fs");
+    const { dirname } = require("node:path");
+    const { existsSync } = require("node:fs");
+
+    const defaultDir = getChromeProfileDir("Default");
+    const chromeDir = dirname(defaultDir);
+
+    if (!existsSync(chromeDir)) {
+      console.log("Chrome profile directory not found.");
+      return;
+    }
+
+    const profiles = readdirSync(chromeDir, { withFileTypes: true })
+      .filter(
+        (d: any) =>
+          d.isDirectory() &&
+          (d.name === "Default" || d.name.startsWith("Profile "))
+      )
+      .map((d: any) => d.name);
+
+    console.log("Available Chrome profiles:");
+    for (const p of profiles) {
+      console.log(`  ${p}`);
+    }
+  });
+
+program
+  .command("logout")
+  .description("Clear saved authentication")
+  .action(() => {
+    clearAuth();
+    console.log("✓ Logged out");
+  });
+
+program.parse();

package/src/extract.ts

@@ -0,0 +1,321 @@
+/**
+ * Chrome cookie extraction — reads and decrypts cookies from local Chrome profile.
+ *
+ * Supports: macOS (Keychain), Linux (libsecret / fallback "peanuts"), Windows (DPAPI via AES-GCM).
+ */
+
+import { execSync } from "node:child_process";
+import { copyFileSync, existsSync, mkdtempSync } from "node:fs";
+import { homedir, platform, tmpdir } from "node:os";
+import { join } from "node:path";
+import crypto from "node:crypto";
+
+export interface Cookie {
+  name: string;
+  value: string;
+  domain: string;
+  path: string;
+  expires: number;
+  httpOnly: boolean;
+  secure: boolean;
+  sameSite: "Strict" | "Lax" | "None";
+}
+
+export interface StorageState {
+  cookies: Cookie[];
+  origins: { origin: string; localStorage: { name: string; value: string }[] }[];
+}
+
+/** Get Chrome profile directory for current OS */
+export function getChromeProfileDir(profile = "Default"): string {
+  const home = homedir();
+  switch (platform()) {
+    case "darwin":
+      return join(home, "Library/Application Support/Google/Chrome", profile);
+    case "linux":
+      return join(home, ".config/google-chrome", profile);
+    case "win32":
+      return join(
+        process.env.LOCALAPPDATA || join(home, "AppData/Local"),
+        "Google/Chrome/User Data",
+        profile
+      );
+    default:
+      throw new Error(`Unsupported platform: ${platform()}`);
+  }
+}
+
+/** Get Chrome cookie DB path */
+export function getCookieDbPath(profile = "Default"): string {
+  const profileDir = getChromeProfileDir(profile);
+  // Windows stores in Network/ subfolder since Chrome 96+
+  if (platform() === "win32") {
+    const networkPath = join(profileDir, "Network", "Cookies");
+    if (existsSync(networkPath)) return networkPath;
+  }
+  return join(profileDir, "Cookies");
+}
+
+/** Get Chrome decryption key for macOS (Keychain) */
+function getMacKey(): Buffer {
+  // Allow bypassing keychain entirely via env var (useful for SSH/CI)
+  const cachedKey = process.env.CHROME_SAFE_STORAGE_KEY;
+  if (cachedKey) {
+    return crypto.pbkdf2Sync(cachedKey, "saltysalt", 1003, 16, "sha1");
+  }
+
+  let chromePassword: string;
+
+  try {
+    chromePassword = execSync(
+      "security find-generic-password -s 'Chrome Safe Storage' -w",
+      { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }
+    ).trim();
+  } catch {
+    // Keychain is locked (common over SSH). Try unlocking with password from env.
+    const keychainPass = process.env.KEYCHAIN_PASSWORD;
+    if (keychainPass) {
+      try {
+        execSync(
+          `security unlock-keychain -p "${keychainPass.replace(/"/g, '\\"')}" ~/Library/Keychains/login.keychain-db`,
+          { stdio: "pipe" }
+        );
+        chromePassword = execSync(
+          "security find-generic-password -s 'Chrome Safe Storage' -w",
+          { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }
+        ).trim();
+      } catch {
+        throw new Error(
+          "Cannot access macOS Keychain. The login keychain is locked.\n" +
+            "Options:\n" +
+            "  1. Run this command in a GUI terminal (not over SSH)\n" +
+            "  2. Set CHROME_SAFE_STORAGE_KEY env var (get it once: security find-generic-password -s 'Chrome Safe Storage' -w)\n" +
+            "  3. Set KEYCHAIN_PASSWORD env var to your macOS login password\n" +
+            "  4. Unlock manually: security unlock-keychain ~/Library/Keychains/login.keychain-db"
+        );
+      }
+    } else {
+      throw new Error(
+        "Cannot access macOS Keychain. The login keychain is locked.\n" +
+          "Options:\n" +
+          "  1. Run this command in a GUI terminal (not over SSH)\n" +
+          "  2. Set CHROME_SAFE_STORAGE_KEY env var (get it once: security find-generic-password -s 'Chrome Safe Storage' -w)\n" +
+          "  3. Set KEYCHAIN_PASSWORD env var to your macOS login password\n" +
+          "  4. Unlock manually: security unlock-keychain ~/Library/Keychains/login.keychain-db"
+      );
+    }
+  }
+
+  return crypto.pbkdf2Sync(chromePassword, "saltysalt", 1003, 16, "sha1");
+}
+
+/** Get Chrome decryption key for Linux (libsecret or fallback) */
+function getLinuxKey(): Buffer {
+  let password = "peanuts"; // fallback when no keyring
+
+  try {
+    // Try libsecret via secret-tool
+    password = execSync(
+      "secret-tool lookup application chrome",
+      { encoding: "utf-8" }
+    ).trim();
+  } catch {
+    // Fall back to "peanuts" — Chrome's hardcoded fallback on Linux without a keyring
+  }
+
+  return crypto.pbkdf2Sync(password, "saltysalt", 1003, 16, "sha1");
+}
+
+/** Get Chrome decryption key for Windows (from Local State) */
+function getWindowsKey(profile = "Default"): Buffer {
+  const home = homedir();
+  const localStatePath = join(
+    process.env.LOCALAPPDATA || join(home, "AppData/Local"),
+    "Google/Chrome/User Data/Local State"
+  );
+
+  const localState = JSON.parse(
+    require("node:fs").readFileSync(localStatePath, "utf-8")
+  );
+
+  const encryptedKey = Buffer.from(
+    localState.os_crypt.encrypted_key,
+    "base64"
+  );
+
+  // Remove "DPAPI" prefix (5 bytes)
+  const keyWithoutPrefix = encryptedKey.subarray(5);
+
+  // On Windows, we'd need DPAPI to decrypt — which requires native module
+  // For now, throw with guidance
+  throw new Error(
+    "Windows DPAPI decryption requires the 'win-dpapi' native module. " +
+      "Install: npm install win-dpapi"
+  );
+}
+
+/** Decrypt a single cookie value */
+function decryptCookieValue(
+  encryptedValue: Buffer,
+  key: Buffer
+): string {
+  if (!encryptedValue || encryptedValue.length === 0) return "";
+
+  // v10/v11 prefix = encrypted (macOS/Linux use AES-128-CBC)
+  const prefix = encryptedValue.subarray(0, 3).toString();
+
+  if (prefix === "v10" || prefix === "v11") {
+    if (platform() === "win32") {
+      // Windows v10 uses AES-256-GCM
+      const nonce = encryptedValue.subarray(3, 15); // 12-byte nonce
+      const ciphertext = encryptedValue.subarray(15, -16);
+      const tag = encryptedValue.subarray(-16);
+      const decipher = crypto.createDecipheriv("aes-256-gcm", key, nonce);
+      decipher.setAuthTag(tag);
+      return Buffer.concat([
+        decipher.update(ciphertext),
+        decipher.final(),
+      ]).toString("utf-8");
+    }
+
+    // macOS / Linux: AES-128-CBC
+    const iv = Buffer.alloc(16, " "); // 16 spaces
+    const ciphertext = encryptedValue.subarray(3);
+    const decipher = crypto.createDecipheriv("aes-128-cbc", key, iv);
+    decipher.setAutoPadding(true);
+    const decrypted = Buffer.concat([
+      decipher.update(ciphertext),
+      decipher.final(),
+    ]);
+    return decrypted.toString("utf-8");
+  }
+
+  // Not encrypted — return as-is
+  return encryptedValue.toString("utf-8");
+}
+
+/** Map Chrome sameSite int to Playwright string */
+function mapSameSite(value: number): "Strict" | "Lax" | "None" {
+  switch (value) {
+    case 2:
+      return "Strict";
+    case 1:
+      return "Lax";
+    default:
+      return "None";
+  }
+}
+
+/**
+ * Extract cookies from local Chrome for specific domains (or all cookies if domains is empty).
+ *
+ * @param domains - Array of domains to extract (e.g., [".google.com"]). Empty = all cookies.
+ * @param profile - Chrome profile name (default: "Default")
+ */
+export async function extractCookies(
+  domains: string[],
+  profile = "Default"
+): Promise<Cookie[]> {
+  const dbPath = getCookieDbPath(profile);
+
+  if (!existsSync(dbPath)) {
+    throw new Error(
+      `Chrome cookie database not found at: ${dbPath}\n` +
+        `Make sure Chrome is installed and the profile "${profile}" exists.`
+    );
+  }
+
+  // Copy DB to temp file to avoid lock conflicts with running Chrome
+  const tempDir = mkdtempSync(join(tmpdir(), "browser-sync-"));
+  const tempDb = join(tempDir, "Cookies");
+  copyFileSync(dbPath, tempDb);
+
+  // Also copy WAL/SHM if they exist (needed for recent writes)
+  for (const ext of ["-wal", "-shm"]) {
+    if (existsSync(dbPath + ext)) {
+      copyFileSync(dbPath + ext, tempDb + ext);
+    }
+  }
+
+  // Get decryption key
+  let key: Buffer;
+  switch (platform()) {
+    case "darwin":
+      key = getMacKey();
+      break;
+    case "linux":
+      key = getLinuxKey();
+      break;
+    case "win32":
+      key = getWindowsKey(profile);
+      break;
+    default:
+      throw new Error(`Unsupported platform: ${platform()}`);
+  }
+
+  // Query cookies — dynamic import for better-sqlite3
+  const Database = (await import("better-sqlite3")).default;
+  const db = new Database(tempDb, { readonly: true });
+
+  let query = `SELECT name, encrypted_value, host_key, path, expires_utc, is_httponly, is_secure, samesite FROM cookies`;
+
+  if (domains.length > 0) {
+    const domainClauses = domains
+      .map((d) => `host_key LIKE '%${d.replace(/'/g, "''")}'`)
+      .join(" OR ");
+    query += ` WHERE ${domainClauses}`;
+  }
+
+  const rows = db
+    .prepare(query)
+    .all() as Array<{
+    name: string;
+    encrypted_value: Buffer;
+    host_key: string;
+    path: string;
+    expires_utc: number;
+    is_httponly: number;
+    is_secure: number;
+    samesite: number;
+  }>;
+
+  db.close();
+
+  const cookies: Cookie[] = [];
+  for (const row of rows) {
+    try {
+      const value = decryptCookieValue(row.encrypted_value, key);
+      if (!value) continue;
+
+      cookies.push({
+        name: row.name,
+        value,
+        domain: row.host_key,
+        path: row.path,
+        // Chrome stores expires as microseconds since 1601-01-01; convert to Unix seconds
+        expires:
+          row.expires_utc === 0
+            ? -1
+            : Math.floor((row.expires_utc / 1000000) - 11644473600),
+        httpOnly: row.is_httponly === 1,
+        secure: row.is_secure === 1,
+        sameSite: mapSameSite(row.samesite),
+      });
+    } catch {
+      // Skip cookies that fail to decrypt (stale entries, etc.)
+    }
+  }
+
+  return cookies;
+}
+
+/**
+ * Extract cookies and format as Playwright-compatible StorageState
+ */
+export async function extractStorageState(
+  domains: string[],
+  profile = "Default"
+): Promise<StorageState> {
+  const cookies = await extractCookies(domains, profile);
+  return { cookies, origins: [] };
+}

package/src/index.ts

@@ -0,0 +1,3 @@
+export { extractCookies, extractStorageState, getChromeProfileDir, getCookieDbPath } from "./extract.js";
+export type { Cookie, StorageState } from "./extract.js";
+export { loginViaBrowser, loginWithToken, pushCookies, loadAuth, saveAuth, clearAuth } from "./api.js";

package/src/server.ts

@@ -0,0 +1,116 @@
+/**
+ * Server-side handler for browser-sync cookie injection.
+ *
+ * Receives cookies from the CLI, connects to the tenant's Chrome via CDP,
+ * and injects them using Network.setCookies.
+ *
+ * Mount at: POST /admin/api/browser-sync/cookies
+ */
+
+import type { IncomingMessage, ServerResponse } from "node:http";
+import type { StorageState } from "./extract.js";
+
+interface BrowserSyncRequest {
+  storageState: StorageState;
+  subdomain?: string;
+}
+
+/**
+ * Inject cookies into a tenant's cloud Chrome via CDP.
+ *
+ * @param cdpUrl - The Chrome DevTools Protocol WebSocket URL (e.g., ws://localhost:3000)
+ * @param cookies - Playwright-format cookies to inject
+ */
+async function injectCookiesViaCDP(
+  cdpUrl: string,
+  cookies: StorageState["cookies"]
+): Promise<{ injected: number; errors: string[] }> {
+  // Connect to Chrome via CDP WebSocket
+  const ws = await connectCDP(cdpUrl);
+  const errors: string[] = [];
+  let injected = 0;
+
+  try {
+    // Convert to CDP Network.CookieParam format
+    const cdpCookies = cookies.map((c) => ({
+      name: c.name,
+      value: c.value,
+      domain: c.domain,
+      path: c.path,
+      expires: c.expires > 0 ? c.expires : undefined,
+      httpOnly: c.httpOnly,
+      secure: c.secure,
+      sameSite: c.sameSite,
+    }));
+
+    // Inject via Network.setCookies (batch)
+    const result = await sendCDPCommand(ws, "Network.setCookies", {
+      cookies: cdpCookies,
+    });
+
+    if (result.error) {
+      errors.push(result.error.message);
+    } else {
+      injected = cdpCookies.length;
+    }
+  } finally {
+    ws.close();
+  }
+
+  return { injected, errors };
+}
+
+/** Connect to Chrome CDP endpoint */
+async function connectCDP(cdpUrl: string): Promise<WebSocket> {
+  // Get the debugger WebSocket URL from /json/version
+  const httpUrl = cdpUrl.replace("ws://", "http://").replace("wss://", "https://");
+  const versionRes = await fetch(`${httpUrl}/json/version`);
+  const version = (await versionRes.json()) as { webSocketDebuggerUrl: string };
+
+  return new Promise((resolve, reject) => {
+    const ws = new WebSocket(version.webSocketDebuggerUrl);
+    ws.onopen = () => resolve(ws);
+    ws.onerror = (err) => reject(new Error(`CDP connection failed: ${err}`));
+  });
+}
+
+/** Send a CDP command and wait for response */
+function sendCDPCommand(
+  ws: WebSocket,
+  method: string,
+  params: Record<string, unknown>
+): Promise<{ error?: { message: string }; result?: unknown }> {
+  const id = Math.floor(Math.random() * 1e9);
+
+  return new Promise((resolve) => {
+    const handler = (event: MessageEvent) => {
+      const data = JSON.parse(String(event.data));
+      if (data.id === id) {
+        ws.removeEventListener("message", handler);
+        resolve(data);
+      }
+    };
+    ws.addEventListener("message", handler);
+    ws.send(JSON.stringify({ id, method, params }));
+  });
+}
+
+/**
+ * Express/Hono-style handler for the browser-sync cookie push endpoint.
+ * Integrate with the bot's admin API router.
+ */
+export async function handleBrowserSyncPush(
+  body: BrowserSyncRequest,
+  resolveCdpUrl: (subdomain?: string) => Promise<string>
+): Promise<{ injected: number; errors: string[] }> {
+  const { storageState, subdomain } = body;
+
+  if (!storageState?.cookies?.length) {
+    return { injected: 0, errors: ["No cookies provided"] };
+  }
+
+  const cdpUrl = await resolveCdpUrl(subdomain);
+  return injectCookiesViaCDP(cdpUrl, storageState.cookies);
+}
+
+export type { BrowserSyncRequest };

package/tsconfig.json

@@ -0,0 +1,15 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "declaration": true,
+    "sourceMap": true
+  },
+  "include": ["src/**/*"]
+}