doordash-cli 0.3.3 → 0.4.0

package/dist/direct-api.test.js

@@ -1,6 +1,6 @@
 import test from "node:test";
 import assert from "node:assert/strict";
-import { buildAddConsumerAddressPayload, buildAddToCartPayload, buildUpdateCartPayload, extractExistingOrdersFromApolloCache, hasDoorDashCookies, normalizeItemName, parseExistingOrderLifecycleStatus, parseExistingOrdersResponse, parseOptionSelectionsJson, parseSearchRestaurantRow, resolveAvailableAddressMatch, selectManagedBrowserImportMode, } from "./direct-api.js";
+import { bootstrapAuthSessionWithDeps, buildAddConsumerAddressPayload, buildAddToCartPayload, buildUpdateCartPayload, extractExistingOrdersFromApolloCache, normalizeItemName, parseExistingOrderLifecycleStatus, parseExistingOrdersResponse, parseOptionSelectionsJson, parseSearchRestaurantRow, resolveAttachedBrowserCdpCandidates, resolveAvailableAddressMatch, resolveSystemBrowserOpenCommand, selectAttachedBrowserImportMode, } from "./direct-api.js";
 function configurableItemDetail() {
     return {
         success: true,
@@ -144,25 +144,324 @@ test("parseSearchRestaurantRow extracts restaurant metadata from facet rows", ()
         url: "https://www.doordash.com/store/24633898/?pickup=false",
     });
 });
-test("managed browser import falls back to cookie reuse without opening a DoorDash page", () => {
-    const cookies = [{ domain: ".doordash.com" }];
-    assert.equal(hasDoorDashCookies(cookies), true);
-    assert.equal(selectManagedBrowserImportMode({ pageUrls: [], cookies }), "cookies");
+test("resolveAttachedBrowserCdpCandidates prioritizes explicit envs, compatibility envs, config, and defaults", () => {
+    const env = {
+        DOORDASH_BROWSER_CDP_URLS: "http://127.0.0.1:9555/, http://127.0.0.1:9556",
+        DOORDASH_ATTACHED_BROWSER_CDP_URL: "http://127.0.0.1:9666/",
+        DOORDASH_BROWSER_CDP_PORTS: "9333, 9334",
+        DOORDASH_BROWSER_CDP_PORT: "9444",
+        OPENCLAW_BROWSER_CDP_URL: "http://127.0.0.1:18888/",
+    };
+    const candidates = resolveAttachedBrowserCdpCandidates(env, ["http://127.0.0.1:9777"]);
+    assert.deepEqual(candidates.slice(0, 7), [
+        "http://127.0.0.1:9555",
+        "http://127.0.0.1:9556",
+        "http://127.0.0.1:9666",
+        "http://127.0.0.1:9333",
+        "http://127.0.0.1:9334",
+        "http://127.0.0.1:9444",
+        "http://127.0.0.1:18888",
+    ]);
+    assert.ok(candidates.includes("http://127.0.0.1:9777"));
+    assert.ok(candidates.includes("http://127.0.0.1:18792"));
+    assert.ok(candidates.includes("http://127.0.0.1:18800"));
+    assert.ok(candidates.includes("http://127.0.0.1:9222"));
 });
-test("managed browser import prefers an existing DoorDash page when one is already open", () => {
-    const cookies = [{ domain: ".doordash.com" }];
-    assert.equal(selectManagedBrowserImportMode({
-        pageUrls: ["https://github.com/LatencyTDH/doordash-cli/pulls", "https://www.doordash.com/home"],
-        cookies,
-    }), "page");
+test("resolveSystemBrowserOpenCommand stays generic across operating systems", () => {
+    assert.deepEqual(resolveSystemBrowserOpenCommand("https://www.doordash.com/home", "darwin"), {
+        command: "open",
+        args: ["https://www.doordash.com/home"],
+    });
+    assert.deepEqual(resolveSystemBrowserOpenCommand("https://www.doordash.com/home", "linux"), {
+        command: "xdg-open",
+        args: ["https://www.doordash.com/home"],
+    });
+    assert.deepEqual(resolveSystemBrowserOpenCommand("https://www.doordash.com/home", "win32"), {
+        command: "cmd",
+        args: ["/c", "start", "", "https://www.doordash.com/home"],
+    });
 });
-test("managed browser import skips unrelated browser contexts", () => {
-    assert.equal(hasDoorDashCookies([{ domain: ".github.com" }]), false);
-    assert.equal(selectManagedBrowserImportMode({
+test("selectAttachedBrowserImportMode treats an authenticated browser with DoorDash cookies as an immediate import candidate", () => {
+    assert.equal(selectAttachedBrowserImportMode({
+        pageUrls: ["https://github.com/LatencyTDH/doordash-cli/pulls"],
+        cookies: [{ domain: ".doordash.com" }],
+    }), "cookies");
+    assert.equal(selectAttachedBrowserImportMode({
+        pageUrls: ["https://www.doordash.com/home"],
+        cookies: [{ domain: ".github.com" }],
+    }), "page");
+    assert.equal(selectAttachedBrowserImportMode({
         pageUrls: ["https://github.com/LatencyTDH/doordash-cli"],
         cookies: [{ domain: ".github.com" }],
     }), "skip");
 });
+test("bootstrapAuthSessionWithDeps returns immediately when saved local auth is already valid", async () => {
+    const auth = {
+        success: true,
+        isLoggedIn: true,
+        email: "user@example.com",
+        firstName: "Test",
+        lastName: "User",
+        consumerId: "consumer-1",
+        marketId: "market-1",
+        defaultAddress: null,
+        cookiesPath: "/tmp/cookies.json",
+        storageStatePath: "/tmp/storage-state.json",
+    };
+    let importCalls = 0;
+    let openCalls = 0;
+    let waitCalls = 0;
+    let markCalls = 0;
+    const logs = [];
+    const result = await bootstrapAuthSessionWithDeps({
+        clearBlockedBrowserImport: async () => { },
+        checkPersistedAuth: async () => auth,
+        importBrowserSessionIfAvailable: async () => {
+            importCalls += 1;
+            return true;
+        },
+        markBrowserImportAttempted: () => {
+            markCalls += 1;
+        },
+        getAttachedBrowserCdpCandidates: async () => {
+            throw new Error("should not inspect candidates when saved auth is already valid");
+        },
+        getReachableCdpCandidates: async () => {
+            throw new Error("should not probe reachability when saved auth is already valid");
+        },
+        openUrlInAttachedBrowser: async () => {
+            throw new Error("should not try to open an attached browser when saved auth is already valid");
+        },
+        openUrlInDefaultBrowser: async () => {
+            openCalls += 1;
+            return true;
+        },
+        waitForAttachedBrowserSessionImport: async () => {
+            waitCalls += 1;
+            return true;
+        },
+        waitForManagedBrowserLogin: async () => {
+            throw new Error("should not launch a managed browser when saved auth is already valid");
+        },
+        checkAuthDirect: async () => {
+            throw new Error("should not re-check auth through the live session when saved auth is already valid");
+        },
+        log: (message) => {
+            logs.push(message);
+        },
+    });
+    assert.equal(importCalls, 0);
+    assert.equal(markCalls, 0);
+    assert.equal(openCalls, 0);
+    assert.equal(waitCalls, 0);
+    assert.equal(logs.length, 0);
+    assert.equal(result.isLoggedIn, true);
+    assert.match(result.message, /Already signed in with saved local DoorDash session state/);
+});
+test("bootstrapAuthSessionWithDeps returns immediately when an attached browser session is already authenticated", async () => {
+    const auth = {
+        success: true,
+        isLoggedIn: true,
+        email: "user@example.com",
+        firstName: "Test",
+        lastName: "User",
+        consumerId: "consumer-1",
+        marketId: "market-1",
+        defaultAddress: null,
+        cookiesPath: "/tmp/cookies.json",
+        storageStatePath: "/tmp/storage-state.json",
+    };
+    let openCalls = 0;
+    let waitCalls = 0;
+    let markCalls = 0;
+    const logs = [];
+    const result = await bootstrapAuthSessionWithDeps({
+        clearBlockedBrowserImport: async () => { },
+        checkPersistedAuth: async () => null,
+        importBrowserSessionIfAvailable: async () => true,
+        markBrowserImportAttempted: () => {
+            markCalls += 1;
+        },
+        getAttachedBrowserCdpCandidates: async () => {
+            throw new Error("should not inspect candidates on immediate browser-session import");
+        },
+        getReachableCdpCandidates: async () => {
+            throw new Error("should not probe reachability on immediate browser-session import");
+        },
+        openUrlInAttachedBrowser: async () => {
+            throw new Error("should not open a browser when immediate browser-session import succeeded");
+        },
+        openUrlInDefaultBrowser: async () => {
+            openCalls += 1;
+            return true;
+        },
+        waitForAttachedBrowserSessionImport: async () => {
+            waitCalls += 1;
+            return true;
+        },
+        waitForManagedBrowserLogin: async () => {
+            throw new Error("should not launch a managed browser when immediate browser-session import succeeded");
+        },
+        checkAuthDirect: async () => auth,
+        log: (message) => {
+            logs.push(message);
+        },
+    });
+    assert.equal(markCalls, 1);
+    assert.equal(openCalls, 0);
+    assert.equal(waitCalls, 0);
+    assert.equal(logs.length, 0);
+    assert.equal(result.isLoggedIn, true);
+    assert.match(result.message, /Imported an existing signed-in browser session/);
+});
+test("bootstrapAuthSessionWithDeps opens a watchable attached browser session before entering the full wait path", async () => {
+    const auth = {
+        success: true,
+        isLoggedIn: true,
+        email: "user@example.com",
+        firstName: "Test",
+        lastName: "User",
+        consumerId: "consumer-1",
+        marketId: "market-1",
+        defaultAddress: null,
+        cookiesPath: "/tmp/cookies.json",
+        storageStatePath: "/tmp/storage-state.json",
+    };
+    let openAttachedCalls = 0;
+    let openDefaultCalls = 0;
+    let waitCalls = 0;
+    let reachableCalls = 0;
+    let waitTimeoutMs = 0;
+    const logs = [];
+    const result = await bootstrapAuthSessionWithDeps({
+        clearBlockedBrowserImport: async () => { },
+        checkPersistedAuth: async () => null,
+        importBrowserSessionIfAvailable: async () => false,
+        markBrowserImportAttempted: () => { },
+        getAttachedBrowserCdpCandidates: async () => ["http://127.0.0.1:9222"],
+        getReachableCdpCandidates: async (candidates) => {
+            reachableCalls += 1;
+            return candidates;
+        },
+        openUrlInAttachedBrowser: async () => {
+            openAttachedCalls += 1;
+            return true;
+        },
+        openUrlInDefaultBrowser: async () => {
+            openDefaultCalls += 1;
+            return true;
+        },
+        waitForAttachedBrowserSessionImport: async (input) => {
+            waitCalls += 1;
+            waitTimeoutMs = input.timeoutMs;
+            return true;
+        },
+        waitForManagedBrowserLogin: async () => {
+            throw new Error("should not launch a managed browser when an attached browser is reachable");
+        },
+        checkAuthDirect: async () => auth,
+        log: (message) => {
+            logs.push(message);
+        },
+    });
+    assert.equal(reachableCalls, 1);
+    assert.equal(openAttachedCalls, 1);
+    assert.equal(openDefaultCalls, 0);
+    assert.equal(waitCalls, 1);
+    assert.equal(waitTimeoutMs, 180_000);
+    assert.match(logs.join("\n"), /Opened DoorDash in the reusable browser session I'm watching/);
+    assert.match(logs.join("\n"), /Detected 1 reusable browser connection/);
+    assert.match(result.message, /saved it for direct API use/);
+});
+test("bootstrapAuthSessionWithDeps falls back to a managed browser login window when no reusable browser connection is discoverable", async () => {
+    const auth = {
+        success: true,
+        isLoggedIn: true,
+        email: "user@example.com",
+        firstName: "Test",
+        lastName: "User",
+        consumerId: "consumer-1",
+        marketId: "market-1",
+        defaultAddress: null,
+        cookiesPath: "/tmp/cookies.json",
+        storageStatePath: "/tmp/storage-state.json",
+    };
+    let managedCalls = 0;
+    let attachedWaitCalls = 0;
+    const logs = [];
+    const result = await bootstrapAuthSessionWithDeps({
+        clearBlockedBrowserImport: async () => { },
+        checkPersistedAuth: async () => null,
+        importBrowserSessionIfAvailable: async () => false,
+        markBrowserImportAttempted: () => { },
+        getAttachedBrowserCdpCandidates: async () => ["http://127.0.0.1:9222"],
+        getReachableCdpCandidates: async () => [],
+        openUrlInAttachedBrowser: async () => false,
+        openUrlInDefaultBrowser: async () => true,
+        waitForAttachedBrowserSessionImport: async () => {
+            attachedWaitCalls += 1;
+            return false;
+        },
+        waitForManagedBrowserLogin: async () => {
+            managedCalls += 1;
+            return auth;
+        },
+        checkAuthDirect: async () => auth,
+        log: (message) => {
+            logs.push(message);
+        },
+    });
+    assert.equal(managedCalls, 1);
+    assert.equal(attachedWaitCalls, 0);
+    assert.match(logs.join("\n"), /temporary Chromium login window/);
+    assert.match(result.message, /temporary Chromium login window/);
+    assert.equal(result.success, true);
+    assert.equal(result.isLoggedIn, true);
+});
+test("bootstrapAuthSessionWithDeps falls back to quick troubleshooting guidance when the managed browser login window cannot launch", async () => {
+    const auth = {
+        success: true,
+        isLoggedIn: false,
+        email: null,
+        firstName: null,
+        lastName: null,
+        consumerId: null,
+        marketId: null,
+        defaultAddress: null,
+        cookiesPath: "/tmp/cookies.json",
+        storageStatePath: "/tmp/storage-state.json",
+    };
+    let attachedWaitCalls = 0;
+    let attachedWaitTimeoutMs = 0;
+    const logs = [];
+    const result = await bootstrapAuthSessionWithDeps({
+        clearBlockedBrowserImport: async () => { },
+        checkPersistedAuth: async () => null,
+        importBrowserSessionIfAvailable: async () => false,
+        markBrowserImportAttempted: () => { },
+        getAttachedBrowserCdpCandidates: async () => ["http://127.0.0.1:9222"],
+        getReachableCdpCandidates: async () => [],
+        openUrlInAttachedBrowser: async () => false,
+        openUrlInDefaultBrowser: async () => true,
+        waitForAttachedBrowserSessionImport: async (input) => {
+            attachedWaitCalls += 1;
+            attachedWaitTimeoutMs = input.timeoutMs;
+            return false;
+        },
+        waitForManagedBrowserLogin: async () => null,
+        checkAuthDirect: async () => auth,
+        log: (message) => {
+            logs.push(message);
+        },
+    });
+    assert.equal(attachedWaitCalls, 1);
+    assert.equal(attachedWaitTimeoutMs, 10_000);
+    assert.match(logs.join("\n"), /couldn't launch the temporary Chromium login window/i);
+    assert.match(logs.join("\n"), /won't keep you waiting for the full login timeout/i);
+    assert.equal(result.success, false);
+    assert.equal(result.isLoggedIn, false);
+    assert.match(result.message, /still isn't exposing a reusable browser session/);
+});
 test("parseOptionSelectionsJson parses structured recursive option selections", () => {
     assert.deepEqual(parseOptionSelectionsJson('[{"groupId":"703393388","optionId":"4716032529"},{"groupId":"recommended_option_546935995","optionId":"546936011","children":[{"groupId":"780057412","optionId":"4702669757","quantity":2}]}]'), [
         { groupId: "703393388", optionId: "4716032529" },

package/dist/session-storage.d.ts

@@ -1,3 +1,4 @@
 export declare function getSessionConfigDir(): string;
 export declare function getCookiesPath(): string;
 export declare function getStorageStatePath(): string;
+export declare function getBrowserImportBlockPath(): string;

package/dist/session-storage.js

@@ -5,6 +5,7 @@ import { join } from "node:path";
 const SESSION_CONFIG_DIR = join(homedir(), ".config", "striderlabs-mcp-doordash");
 const COOKIES_FILE = join(SESSION_CONFIG_DIR, "cookies.json");
 const STORAGE_STATE_FILE = join(SESSION_CONFIG_DIR, "storage-state.json");
+const BROWSER_IMPORT_BLOCK_FILE = join(SESSION_CONFIG_DIR, "browser-import-blocked");
 export function getSessionConfigDir() {
     return SESSION_CONFIG_DIR;
 }
@@ -14,3 +15,6 @@ export function getCookiesPath() {
 export function getStorageStatePath() {
     return STORAGE_STATE_FILE;
 }
+export function getBrowserImportBlockPath() {
+    return BROWSER_IMPORT_BLOCK_FILE;
+}

package/dist/session-storage.test.js

@@ -2,10 +2,11 @@ import test from "node:test";
 import assert from "node:assert/strict";
 import { homedir } from "node:os";
 import { join } from "node:path";
-import { getCookiesPath, getSessionConfigDir, getStorageStatePath } from "./session-storage.js";
+import { getBrowserImportBlockPath, getCookiesPath, getSessionConfigDir, getStorageStatePath } from "./session-storage.js";
 test("session storage paths stay compatible with the historical StriderLabs location", () => {
     const configDir = join(homedir(), ".config", "striderlabs-mcp-doordash");
     assert.equal(getSessionConfigDir(), configDir);
     assert.equal(getCookiesPath(), join(configDir, "cookies.json"));
     assert.equal(getStorageStatePath(), join(configDir, "storage-state.json"));
+    assert.equal(getBrowserImportBlockPath(), join(configDir, "browser-import-blocked"));
 });

package/docs/examples.md

@@ -14,7 +14,7 @@ All commands print JSON.
 
 ## Session setup
 
-Install the matching Chromium build once if you do not already have it:
+If your environment does not already have the bundled Playwright runtime installed, install it once:
 
 ```bash
 doordash-cli install-browser
@@ -26,13 +26,13 @@ Check whether you already have reusable session state:
 doordash-cli auth-check
 ```
 
-If needed, launch Chromium for a one-time sign-in and save reusable state:
+If your saved local state is still valid, this exits immediately. Otherwise it tries to reuse a discoverable signed-in browser session, or opens a temporary Chromium login window and saves the session there:
 
 ```bash
 doordash-cli login
 ```
 
-Reset saved session state when you want a clean start:
+Reset saved session state when you want a clean logged-out start. This also disables automatic browser-session reuse until your next explicit `doordash-cli login`:
 
 ```bash
 doordash-cli logout

package/docs/install.md

@@ -31,9 +31,9 @@ npm run cli -- --help
 
 If you stay in checkout mode, replace `doordash-cli` with `npm run cli --` in the examples below.
 
-## Install the browser once
+## Install the bundled runtime if needed
 
-If you plan to sign in with `login`, install the matching Playwright Chromium build:
+If your environment does not already have Playwright's bundled Chromium runtime installed, install it once:
 
 ### Global or linked install
 
@@ -47,6 +47,8 @@ doordash-cli install-browser
 npm run install:browser
 ```
 
+That runtime is used when the CLI needs a local browser, including the temporary login window fallback.
+
 ## First run
 
 ```bash
@@ -56,8 +58,16 @@ doordash-cli set-address --address "350 5th Ave, New York, NY 10118"
 doordash-cli search --query sushi
 ```
 
-## Session reuse
+## Login and session reuse
+
+`doordash-cli login` reuses saved local auth when it is still valid. Otherwise it tries to import a discoverable signed-in browser session. If neither is available, it opens a temporary Chromium login window and saves the session there. If authentication still is not established, `login` exits non-zero.
+
+`doordash-cli auth-check` can also quietly import a discoverable signed-in browser session unless `doordash-cli logout` disabled that auto-reuse.
+
+`doordash-cli logout` clears persisted cookies and stored browser state, then keeps automatic browser-session reuse disabled until you explicitly run `doordash-cli login` again.
+
+## Browser-session troubleshooting
 
-If you already have a compatible signed-in DoorDash managed-browser session available, direct commands may quietly reuse it instead of opening or navigating a DoorDash tab.
+Normally you should not need to think about browser plumbing. If `doordash-cli login` opens a temporary Chromium window, finish signing in there and let the CLI save the session.
 
-If not, run `doordash-cli login` once to save reusable state for later commands.
+If you expected reuse from another browser instead, make sure that browser exposes a compatible CDP endpoint, then rerun `doordash-cli login`.

package/man/dd-cli.1

@@ -1,4 +1,4 @@
-.TH DD-CLI 1 "2026-03-11" "doordash-cli 0.3.0" "User Commands"
+.TH DD-CLI 1 "2026-04-10" "doordash-cli 0.3.3" "User Commands"
 .SH NAME
 dd-cli, doordash-cli \- unofficial cart-safe DoorDash CLI for browsing, read-only existing-order inspection, and cart management
 .SH SYNOPSIS
@@ -30,19 +30,27 @@ is installed as a lowercase alias.
 .SH COMMANDS
 .TP
 .B install-browser
-Install the matching Playwright Chromium build used by this package.
+Install the bundled Playwright Chromium runtime used when the CLI needs a
+local browser, including the temporary login-window fallback.
 .TP
 .B auth-check
 Verify whether the saved session appears authenticated. This command can also
-quietly reuse an already-signed-in compatible managed-browser DoorDash session
-when a usable CDP endpoint is available.
+quietly reuse or import an already-signed-in browser session when one is
+available, unless
+.B logout
+explicitly disabled that auto-reuse.
 .TP
 .B login
-Launch Chromium for a one-time manual sign-in flow, then save reusable browser
-state for later direct API calls.
+Reuse saved local auth when possible. Otherwise try to import a discoverable
+signed-in browser session, or open a temporary Chromium login window and save
+that session there. If authentication is still not established,
+.B login
+exits non-zero.
 .TP
 .B logout
-Delete stored session material used by this CLI.
+Delete stored session material used by this CLI and disable automatic
+browser-session reuse until the next explicit
+.BR login .
 .TP
 .BI "set-address --address " ADDRESS
 Resolve and persist the active delivery address. Saved addresses are reused when
@@ -152,7 +160,7 @@ dd-cli --version
 man dd-cli
 .EE
 .PP
-Install the matching browser build once:
+Install the bundled runtime once if needed:
 .PP
 .EX
 doordash-cli install-browser
@@ -195,14 +203,18 @@ The CLI persists reusable session state under the user's configuration
 directory. The exact file layout is an implementation detail and may evolve over
 time, but the saved state is reused across runs unless cleared with
 .BR logout .
+After
+.BR logout ,
+automatic browser-session reuse stays disabled until the next explicit
+.BR login .
 .SH ENVIRONMENT
-.TP
-.B DOORDASH_MANAGED_BROWSER_CDP_URL
-Preferred Chrome DevTools Protocol endpoint for importing an already-signed-in
-compatible managed-browser session.
 .PP
-The CLI may also honor additional compatible CDP endpoint environment variables
-for integration convenience.
+In the common case you should not need to configure browser plumbing manually.
+For attached-browser reuse, the CLI can probe compatible CDP URLs/ports and a
+few localhost defaults. If no reusable browser connection is discoverable,
+login falls back to a temporary Chromium window it can watch directly. See
+.I docs/install.md
+for setup and troubleshooting.
 .SH EXIT STATUS
 .TP
 .B 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "doordash-cli",
-  "version": "0.3.3",
+  "version": "0.4.0",
   "description": "Cart-safe DoorDash CLI with direct API support for browse, read-only existing-order, and cart workflows.",
   "type": "module",
   "main": "dist/lib.js",