doordash-cli 0.3.2 → 0.4.0

package/CHANGELOG.md

@@ -9,8 +9,27 @@ All notable changes to `doordash-cli` will be documented in this file.
 
 See [docs/releasing.md](docs/releasing.md) for the maintainer release flow.
 
+## [0.4.0](https://github.com/LatencyTDH/doordash-cli/compare/v0.3.3...v0.4.0) (2026-04-10)
+
+### Features
+
+* reuse attached browser sessions for login bootstrap ([#38](https://github.com/LatencyTDH/doordash-cli/issues/38)) ([dc9410d](https://github.com/LatencyTDH/doordash-cli/commit/dc9410ddce1e72b2dce6b772787c8fb0dfa9683a))
+
+## [0.3.3](https://github.com/LatencyTDH/doordash-cli/compare/v0.3.2...v0.3.3) (2026-04-09)
+
 ## [0.3.2](https://github.com/LatencyTDH/doordash-cli/compare/v0.3.1...v0.3.2) (2026-04-09)
 
+### Dependencies
+
+* **deps:** bump @hono/node-server from 1.19.11 to 1.19.13 ([#34](https://github.com/LatencyTDH/doordash-cli/issues/34)) ([60ae01d](https://github.com/LatencyTDH/doordash-cli/commit/60ae01d00e06dc8490cf495013a476fb6aef4964))
+* **deps:** bump basic-ftp from 5.2.0 to 5.2.1 ([#35](https://github.com/LatencyTDH/doordash-cli/issues/35)) ([8796dfd](https://github.com/LatencyTDH/doordash-cli/commit/8796dfda69c2615048601858e4617c36e864d1ce))
+* **deps:** bump defu from 6.1.4 to 6.1.6 ([#32](https://github.com/LatencyTDH/doordash-cli/issues/32)) ([b1746bc](https://github.com/LatencyTDH/doordash-cli/commit/b1746bc51521f95d373f83ea6cb649e3722bf4b2))
+* **deps-dev:** bump handlebars from 4.7.8 to 4.7.9 ([#30](https://github.com/LatencyTDH/doordash-cli/issues/30)) ([0eb650e](https://github.com/LatencyTDH/doordash-cli/commit/0eb650e654b1feff2e764bf9204a0e52db7903fd))
+* **deps:** bump hono from 4.12.7 to 4.12.12 ([#33](https://github.com/LatencyTDH/doordash-cli/issues/33)) ([21fa857](https://github.com/LatencyTDH/doordash-cli/commit/21fa8570945909f26669746c73d9279a0931f096))
+* **deps:** bump lodash from 4.17.23 to 4.18.1 ([#36](https://github.com/LatencyTDH/doordash-cli/issues/36)) ([82b3fd2](https://github.com/LatencyTDH/doordash-cli/commit/82b3fd27f41a44eab33332c8b12f2da48d098713))
+* **deps:** bump path-to-regexp from 8.3.0 to 8.4.0 ([#31](https://github.com/LatencyTDH/doordash-cli/issues/31)) ([b07d074](https://github.com/LatencyTDH/doordash-cli/commit/b07d07443cc8614baf4fbe0fe4b703456329cd67))
+* **deps:** bump picomatch from 4.0.3 to 4.0.4 ([#29](https://github.com/LatencyTDH/doordash-cli/issues/29)) ([2c95440](https://github.com/LatencyTDH/doordash-cli/commit/2c95440c4830471ea24690faed29c556f56d2461))
+
 ## [0.3.1](https://github.com/LatencyTDH/doordash-cli/compare/v0.3.0...v0.3.1) (2026-03-11)
 
 ### Bug Fixes

package/README.md

@@ -9,6 +9,7 @@ It stops before checkout.
 ## Highlights
 
 - **Cart-safe by design** — browse, inspect existing orders, and manage a cart; no checkout, payment, or order mutation.
+- **Browser-first login** — `dd-cli login` reuses saved local auth or a discoverable signed-in browser session when possible, and otherwise opens a temporary login window.
 - **Direct API first** — auth, discovery, existing-order, and cart commands use DoorDash consumer-web GraphQL/HTTP rather than DOM clicking.
 - **JSON-friendly** — every command prints structured output.
 - **Fail-closed** — unsupported commands, flags, or unsafe payload shapes are rejected.
@@ -44,9 +45,9 @@ If you prefer to run from a checkout without linking:
 npm run cli -- --help
 ```
 
-### Browser prerequisite
+### Optional runtime bootstrap
 
-If you plan to sign in with `login`, install Playwright's Chromium build once:
+If your environment does not already have Playwright's bundled Chromium runtime installed, install it once:
 
 ```bash
 doordash-cli install-browser
@@ -54,6 +55,8 @@ doordash-cli install-browser
 npm run install:browser
 ```
 
+That runtime is used when the CLI needs a local browser, including the temporary login window fallback.
+
 ## First run
 
 ```bash
@@ -65,7 +68,15 @@ doordash-cli search --query sushi
 
 If you are running from a checkout without `npm link`, replace `doordash-cli` with `npm run cli --`.
 
-If you already have a compatible signed-in DoorDash managed-browser session available, `auth-check` may quietly reuse it instead of asking you to sign in again. Routine direct commands stay quiet; use `login` when you want explicit browser interaction.
+## Login and session reuse
+
+`login` reuses saved local auth when it is still valid. Otherwise it tries to import a discoverable signed-in browser session. If neither is available, it opens a temporary Chromium login window and saves the session there. If authentication still is not established, `login` exits non-zero.
+
+`auth-check` reports whether the saved state appears logged in and can quietly import a discoverable signed-in browser session unless `logout` disabled that auto-reuse.
+
+`logout` clears persisted cookies and stored browser state, then keeps automatic browser-session reuse disabled until you explicitly run `dd-cli login` again.
+
+If `login` opens a temporary Chromium window, finish signing in there and let the CLI save the session. If you expect reuse from another browser, make sure it exposes a compatible CDP endpoint, then rerun `dd-cli login`.
 
 ## Command surface
 

package/dist/cli.d.ts

@@ -6,6 +6,7 @@ export declare function parseArgv(argv: string[]): {
     command?: string;
     flags: Record<string, string>;
 };
+export declare function commandExitCode(command: string, result: unknown): number;
 export declare function main(argv?: string[]): Promise<void>;
 export declare function runCli(argv?: string[]): Promise<void>;
 export declare function isDirectExecution(argv1?: string | undefined, metaUrl?: string): boolean;

package/dist/cli.js

@@ -40,15 +40,14 @@ export function usage() {
         "  - Run with no arguments to show this help.",
         "  - Common Unicode long dashes are normalized for flags, so —help / –help work too.",
         "  - Installed command names are lowercase only: dd-cli and doordash-cli.",
-        "  - install-browser downloads the matching Playwright Chromium build used by this package.",
+        "  - install-browser downloads the bundled Playwright Chromium runtime used when the CLI needs a local browser.",
         "  - Manual pages ship with the project: man dd-cli or man doordash-cli.",
-        "  - Direct GraphQL/HTTP is the default path for auth-check, set-address, search, menu, item, orders, order, cart, add-to-cart, and update-cart.",
-        "  - login launches Chromium for a one-time manual sign-in flow and saves reusable state for later direct API calls.",
-        "  - auth-check can quietly reuse an already-signed-in compatible managed-browser DoorDash session when one is available; use login for explicit browser interaction.",
-        "  - set-address now uses DoorDash autocomplete/get-or-create plus addConsumerAddressV2 for brand-new address enrollment when needed.",
+        "  - login reuses saved local auth when possible, otherwise imports a signed-in browser session or opens a temporary Chromium login window.",
+        "  - login exits non-zero if authentication is still not established.",
+        "  - auth-check reports saved-session status and can quietly reuse/import a signed-in browser session unless logout disabled that auto-reuse.",
+        "  - logout clears saved session files and keeps automatic browser-session reuse off until the next login.",
         "  - configurable items require explicit --options-json selections.",
-        '  - standalone recommended add-ons that open a nested cursor step are supported via children, e.g. [{"groupId":"recommended_option_546935995","optionId":"546936011","children":[{"groupId":"780057412","optionId":"4702669757"}]}].',
-        "  - other non-recommended nested cursor trees still fail closed until DoorDash exposes a directly provable transport.",
+        "  - unsupported option trees fail closed.",
         "",
         "Out-of-scope commands remain intentionally unsupported:",
         "  checkout, place-order, payment actions, order mutation/cancellation",
@@ -125,6 +124,15 @@ export function parseArgv(argv) {
     }
     return { command, flags };
 }
+export function commandExitCode(command, result) {
+    if (command === "login" && typeof result === "object" && result !== null) {
+        const authResult = result;
+        if (authResult.success === false || authResult.isLoggedIn === false) {
+            return 1;
+        }
+    }
+    return 0;
+}
 export async function main(argv = process.argv.slice(2)) {
     const { command, flags } = parseArgv(argv);
     if (flags.version === "true") {
@@ -141,7 +149,7 @@ export async function main(argv = process.argv.slice(2)) {
     try {
         const result = await lib.runCommand(safeCommand, flags);
         console.log(JSON.stringify(result, null, 2));
-        process.exitCode = 0;
+        process.exitCode = commandExitCode(safeCommand, result);
     }
     finally {
         await lib.shutdown();

package/dist/cli.test.js

@@ -1,18 +1,19 @@
 import test from "node:test";
 import assert from "node:assert/strict";
-import { chmodSync, readFileSync } from "node:fs";
+import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { mkdtemp, rm, symlink } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 import { spawnSync } from "node:child_process";
 import { SAFE_COMMANDS, assertAllowedFlags, assertSafeCommand } from "./lib.js";
-import { parseArgv, version } from "./cli.js";
+import { commandExitCode, parseArgv, version } from "./cli.js";
 const distDir = dirname(fileURLToPath(import.meta.url));
 const binPath = join(distDir, "bin.js");
-function runCli(args) {
+function runCli(args, env) {
     return spawnSync(process.execPath, [binPath, ...args], {
         encoding: "utf8",
+        env: env ? { ...process.env, ...env } : process.env,
     });
 }
 async function runLinkedCli(linkName, args) {
@@ -112,9 +113,14 @@ test("help output shows the direct read-only/cart-safe command surface", () => {
     assert.match(result.stdout, /options-json/);
     assert.match(result.stdout, /--version, -v/);
     assert.match(result.stdout, /man dd-cli/);
+    assert.match(result.stdout, /login reuses saved local auth when possible, otherwise imports a signed-in browser session or opens a temporary Chromium login window\./);
+    assert.match(result.stdout, /login exits non-zero if authentication is still not established\./);
+    assert.match(result.stdout, /auth-check reports saved-session status and can quietly reuse\/import a signed-in browser session unless logout disabled that auto-reuse\./);
+    assert.match(result.stdout, /logout clears saved session files and keeps automatic browser-session reuse off until the next login\./);
     assert.match(result.stdout, /Out-of-scope commands remain intentionally unsupported/);
     assert.doesNotMatch(result.stdout, /auth-bootstrap/);
     assert.doesNotMatch(result.stdout, /auth-clear/);
+    assert.match(result.stdout, /temporary Chromium login window/i);
     assert.doesNotMatch(result.stdout, /Dd-cli/);
 });
 test("repository ships man pages for the supported lowercase command names", () => {
@@ -124,6 +130,8 @@ test("repository ships man pages for the supported lowercase command names", ()
     assert.match(readFileSync(ddManPath, "utf8"), /\.B login/);
     assert.doesNotMatch(readFileSync(ddManPath, "utf8"), /auth-bootstrap/);
     assert.doesNotMatch(readFileSync(ddManPath, "utf8"), /auth-clear/);
+    assert.match(readFileSync(ddManPath, "utf8"), /automatic\s+browser-session reuse stays disabled until the next explicit/i);
+    assert.match(readFileSync(ddManPath, "utf8"), /temporary Chromium.*window/i);
     assert.doesNotMatch(readFileSync(ddManPath, "utf8"), /Dd-cli/);
     assert.equal(readFileSync(aliasManPath, "utf8").trim(), ".so man1/dd-cli.1");
 });
@@ -159,6 +167,36 @@ test("legacy auth command invocations point users to login/logout", () => {
     assert.match(logoutRename.stderr, /Unsupported command: auth-clear/);
     assert.match(logoutRename.stderr, /renamed it to logout/);
 });
+test("commandExitCode treats failed login results as non-zero without changing read-only auth-check semantics", () => {
+    assert.equal(commandExitCode("login", { success: false, isLoggedIn: false }), 1);
+    assert.equal(commandExitCode("login", { success: true, isLoggedIn: true }), 0);
+    assert.equal(commandExitCode("auth-check", { success: true, isLoggedIn: false }), 0);
+});
+test("logout clears persisted session artifacts in the active home directory", async () => {
+    const tempHome = await mkdtemp(join(tmpdir(), "doordash-cli-home-"));
+    const sessionDir = join(tempHome, ".config", "striderlabs-mcp-doordash");
+    const cookiesPath = join(sessionDir, "cookies.json");
+    const storageStatePath = join(sessionDir, "storage-state.json");
+    const browserImportBlockPath = join(sessionDir, "browser-import-blocked");
+    mkdirSync(sessionDir, { recursive: true });
+    writeFileSync(cookiesPath, JSON.stringify([{ name: "session", domain: ".doordash.com" }]));
+    writeFileSync(storageStatePath, JSON.stringify({ cookies: [], origins: [] }));
+    try {
+        const result = runCli(["logout"], { HOME: tempHome });
+        assert.equal(result.status, 0);
+        assert.equal(existsSync(cookiesPath), false);
+        assert.equal(existsSync(storageStatePath), false);
+        assert.equal(existsSync(browserImportBlockPath), true);
+        const parsed = JSON.parse(result.stdout);
+        assert.equal(parsed.success, true);
+        assert.equal(parsed.cookiesPath, cookiesPath);
+        assert.equal(parsed.storageStatePath, storageStatePath);
+        assert.match(parsed.message, /disabled until the next `dd-cli login`/);
+    }
+    finally {
+        await rm(tempHome, { recursive: true, force: true });
+    }
+});
 test("blocked commands fail immediately", () => {
     const result = runCli(["checkout"]);
     assert.equal(result.status, 1);

package/dist/direct-api.d.ts

@@ -15,9 +15,15 @@ export type AuthResult = {
     cookiesPath: string;
     storageStatePath: string;
 };
-export type AuthBootstrapResult = AuthResult & {
+export type AuthBootstrapResult = (AuthResult & {
+    success: true;
+    isLoggedIn: true;
     message: string;
-};
+}) | (Omit<AuthResult, "success" | "isLoggedIn"> & {
+    success: false;
+    isLoggedIn: false;
+    message: string;
+});
 export type SearchRestaurantResult = {
     id: string;
     name: string;
@@ -456,7 +462,32 @@ type GeoAddressResponse = {
         lng?: number | null;
     } | null;
 };
+type BootstrapAuthSessionDeps = {
+    clearBlockedBrowserImport: () => Promise<void>;
+    checkPersistedAuth: () => Promise<AuthResult | null>;
+    importBrowserSessionIfAvailable: () => Promise<boolean>;
+    markBrowserImportAttempted: () => void;
+    getAttachedBrowserCdpCandidates: () => Promise<string[]>;
+    getReachableCdpCandidates: (candidates: string[]) => Promise<string[]>;
+    openUrlInAttachedBrowser: (input: {
+        cdpUrl: string;
+        targetUrl: string;
+    }) => Promise<boolean>;
+    openUrlInDefaultBrowser: (targetUrl: string) => Promise<boolean>;
+    waitForAttachedBrowserSessionImport: (input: {
+        timeoutMs: number;
+        pollIntervalMs: number;
+    }) => Promise<boolean>;
+    waitForManagedBrowserLogin: (input: {
+        targetUrl: string;
+        timeoutMs: number;
+        pollIntervalMs: number;
+    }) => Promise<AuthResult | null>;
+    checkAuthDirect: () => Promise<AuthResult>;
+    log: (message: string) => void;
+};
 export declare function checkAuthDirect(): Promise<AuthResult>;
+export declare function bootstrapAuthSessionWithDeps(deps: BootstrapAuthSessionDeps): Promise<AuthBootstrapResult>;
 export declare function bootstrapAuthSession(): Promise<AuthBootstrapResult>;
 export declare function clearStoredSession(): Promise<{
     success: true;
@@ -522,16 +553,18 @@ export declare function resolveAvailableAddressMatch(input: {
     printableAddress: string | null;
     source: SetAddressResult["matchedAddressSource"];
 } | null;
-export declare function isDoorDashUrl(value: string): boolean;
-export declare function hasDoorDashCookies(cookies: ReadonlyArray<Pick<Cookie, "domain">>): boolean;
-export declare function selectManagedBrowserImportMode(input: {
+export declare function selectAttachedBrowserImportMode(input: {
     pageUrls: readonly string[];
     cookies: ReadonlyArray<Pick<Cookie, "domain">>;
 }): "page" | "cookies" | "skip";
+export declare function resolveAttachedBrowserCdpCandidates(env: NodeJS.ProcessEnv, configCandidates?: string[]): string[];
+export declare function resolveSystemBrowserOpenCommand(targetUrl: string, targetPlatform?: NodeJS.Platform): {
+    command: string;
+    args: string[];
+} | null;
 export declare function parseSearchRestaurants(body: unknown[]): SearchRestaurantResult[];
 export declare function parseSearchRestaurantRow(entry: unknown): SearchRestaurantResult | null;
 export declare function parseExistingOrderLifecycleStatus(orderRoot: unknown): ExistingOrderLifecycleStatus;
 export declare function parseExistingOrdersResponse(orderRoots: unknown[]): ExistingOrderResult[];
 export declare function extractExistingOrdersFromApolloCache(cache: Record<string, unknown> | null): ExistingOrderResult[];
-export declare function getStorageStatePath(): string;
 export {};