doordash-cli 0.3.3 → 0.4.1

package/CHANGELOG.md

@@ -9,6 +9,18 @@ All notable changes to `doordash-cli` will be documented in this file.
 
 See [docs/releasing.md](docs/releasing.md) for the maintainer release flow.
 
+## [0.4.1](https://github.com/LatencyTDH/doordash-cli/compare/v0.4.0...v0.4.1) (2026-04-10)
+
+### Bug Fixes
+
+* bound auth-check and restore login completion flow ([#39](https://github.com/LatencyTDH/doordash-cli/issues/39)) ([5166944](https://github.com/LatencyTDH/doordash-cli/commit/51669444dc124e39ece719624c997ab9f46acd93))
+
+## [0.4.0](https://github.com/LatencyTDH/doordash-cli/compare/v0.3.3...v0.4.0) (2026-04-10)
+
+### Features
+
+* reuse attached browser sessions for login bootstrap ([#38](https://github.com/LatencyTDH/doordash-cli/issues/38)) ([dc9410d](https://github.com/LatencyTDH/doordash-cli/commit/dc9410ddce1e72b2dce6b772787c8fb0dfa9683a))
+
 ## [0.3.3](https://github.com/LatencyTDH/doordash-cli/compare/v0.3.2...v0.3.3) (2026-04-09)
 
 ## [0.3.2](https://github.com/LatencyTDH/doordash-cli/compare/v0.3.1...v0.3.2) (2026-04-09)

package/README.md

@@ -9,6 +9,7 @@ It stops before checkout.
 ## Highlights
 
 - **Cart-safe by design** — browse, inspect existing orders, and manage a cart; no checkout, payment, or order mutation.
+- **Browser-first login** — `dd-cli login` reuses saved local auth or an attachable signed-in browser session when possible, and otherwise opens a temporary login window.
 - **Direct API first** — auth, discovery, existing-order, and cart commands use DoorDash consumer-web GraphQL/HTTP rather than DOM clicking.
 - **JSON-friendly** — every command prints structured output.
 - **Fail-closed** — unsupported commands, flags, or unsafe payload shapes are rejected.
@@ -44,9 +45,9 @@ If you prefer to run from a checkout without linking:
 npm run cli -- --help
 ```
 
-### Browser prerequisite
+### Optional runtime bootstrap
 
-If you plan to sign in with `login`, install Playwright's Chromium build once:
+If your environment does not already have Playwright's bundled Chromium runtime installed, install it once:
 
 ```bash
 doordash-cli install-browser
@@ -54,6 +55,8 @@ doordash-cli install-browser
 npm run install:browser
 ```
 
+That runtime is used when the CLI needs a local browser, including the temporary login window fallback.
+
 ## First run
 
 ```bash
@@ -65,7 +68,15 @@ doordash-cli search --query sushi
 
 If you are running from a checkout without `npm link`, replace `doordash-cli` with `npm run cli --`.
 
-If you already have a compatible signed-in DoorDash managed-browser session available, `auth-check` may quietly reuse it instead of asking you to sign in again. Routine direct commands stay quiet; use `login` when you want explicit browser interaction.
+## Login and session reuse
+
+`login` reuses saved local auth when it is still valid. Otherwise it tries to import a discoverable attachable signed-in browser session. A merely-open Chrome/Brave window is not automatically reusable unless the CLI can actually attach to it. If no attachable session is available, it opens a temporary Chromium login window and saves the session there. If authentication still is not established, `login` exits non-zero.
+
+`auth-check` reports whether the saved state appears logged in and can quietly import a discoverable attachable signed-in browser session unless `logout` disabled that auto-reuse.
+
+`logout` clears persisted cookies and stored browser state, then keeps passive browser-session reuse disabled until your next explicit `dd-cli login` attempt.
+
+If `login` opens a temporary Chromium window, the CLI now keeps checking automatically and also tells you that you can press Enter to force an immediate recheck once the page already shows you are signed in. That restores the old effective manual-completion path without giving up automatic completion when it works. If you expect reuse from another browser instead, make sure it exposes an attachable browser automation session the CLI can actually import; a merely-open browser window is not enough today, even if it is already your main browser.
 
 ## Command surface
 

package/dist/cli.d.ts

@@ -6,6 +6,7 @@ export declare function parseArgv(argv: string[]): {
     command?: string;
     flags: Record<string, string>;
 };
+export declare function commandExitCode(command: string, result: unknown): number;
 export declare function main(argv?: string[]): Promise<void>;
 export declare function runCli(argv?: string[]): Promise<void>;
 export declare function isDirectExecution(argv1?: string | undefined, metaUrl?: string): boolean;

package/dist/cli.js

@@ -40,15 +40,15 @@ export function usage() {
         "  - Run with no arguments to show this help.",
         "  - Common Unicode long dashes are normalized for flags, so —help / –help work too.",
         "  - Installed command names are lowercase only: dd-cli and doordash-cli.",
-        "  - install-browser downloads the matching Playwright Chromium build used by this package.",
+        "  - install-browser downloads the bundled Playwright Chromium runtime used when the CLI needs a local browser.",
         "  - Manual pages ship with the project: man dd-cli or man doordash-cli.",
-        "  - Direct GraphQL/HTTP is the default path for auth-check, set-address, search, menu, item, orders, order, cart, add-to-cart, and update-cart.",
-        "  - login launches Chromium for a one-time manual sign-in flow and saves reusable state for later direct API calls.",
-        "  - auth-check can quietly reuse an already-signed-in compatible managed-browser DoorDash session when one is available; use login for explicit browser interaction.",
-        "  - set-address now uses DoorDash autocomplete/get-or-create plus addConsumerAddressV2 for brand-new address enrollment when needed.",
+        "  - login reuses saved local auth when possible, otherwise imports an attachable signed-in browser session or opens a temporary Chromium login window.",
+        "  - login auto-detects completion when it can; in the temporary-browser fallback you can also press Enter to force an immediate recheck once the page shows you are signed in.",
+        "  - login exits non-zero if authentication is still not established.",
+        "  - auth-check reports saved-session status and can quietly reuse/import an attachable signed-in browser session unless logout disabled that auto-reuse.",
+        "  - logout clears saved session files and keeps passive browser-session reuse off until the next explicit login attempt.",
         "  - configurable items require explicit --options-json selections.",
-        '  - standalone recommended add-ons that open a nested cursor step are supported via children, e.g. [{"groupId":"recommended_option_546935995","optionId":"546936011","children":[{"groupId":"780057412","optionId":"4702669757"}]}].',
-        "  - other non-recommended nested cursor trees still fail closed until DoorDash exposes a directly provable transport.",
+        "  - unsupported option trees fail closed.",
         "",
         "Out-of-scope commands remain intentionally unsupported:",
         "  checkout, place-order, payment actions, order mutation/cancellation",
@@ -125,6 +125,15 @@ export function parseArgv(argv) {
     }
     return { command, flags };
 }
+export function commandExitCode(command, result) {
+    if (command === "login" && typeof result === "object" && result !== null) {
+        const authResult = result;
+        if (authResult.success === false || authResult.isLoggedIn === false) {
+            return 1;
+        }
+    }
+    return 0;
+}
 export async function main(argv = process.argv.slice(2)) {
     const { command, flags } = parseArgv(argv);
     if (flags.version === "true") {
@@ -141,7 +150,7 @@ export async function main(argv = process.argv.slice(2)) {
     try {
         const result = await lib.runCommand(safeCommand, flags);
         console.log(JSON.stringify(result, null, 2));
-        process.exitCode = 0;
+        process.exitCode = commandExitCode(safeCommand, result);
     }
     finally {
         await lib.shutdown();

package/dist/cli.test.js

@@ -1,18 +1,19 @@
 import test from "node:test";
 import assert from "node:assert/strict";
-import { chmodSync, readFileSync } from "node:fs";
+import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { mkdtemp, rm, symlink } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 import { spawnSync } from "node:child_process";
 import { SAFE_COMMANDS, assertAllowedFlags, assertSafeCommand } from "./lib.js";
-import { parseArgv, version } from "./cli.js";
+import { commandExitCode, parseArgv, version } from "./cli.js";
 const distDir = dirname(fileURLToPath(import.meta.url));
 const binPath = join(distDir, "bin.js");
-function runCli(args) {
+function runCli(args, env) {
     return spawnSync(process.execPath, [binPath, ...args], {
         encoding: "utf8",
+        env: env ? { ...process.env, ...env } : process.env,
     });
 }
 async function runLinkedCli(linkName, args) {
@@ -112,9 +113,15 @@ test("help output shows the direct read-only/cart-safe command surface", () => {
     assert.match(result.stdout, /options-json/);
     assert.match(result.stdout, /--version, -v/);
     assert.match(result.stdout, /man dd-cli/);
+    assert.match(result.stdout, /login reuses saved local auth when possible, otherwise imports an attachable signed-in browser session or opens a temporary Chromium login window\./);
+    assert.match(result.stdout, /login auto-detects completion when it can; in the temporary-browser fallback you can also press Enter to force an immediate recheck once the page shows you are signed in\./);
+    assert.match(result.stdout, /login exits non-zero if authentication is still not established\./);
+    assert.match(result.stdout, /auth-check reports saved-session status and can quietly reuse\/import an attachable signed-in browser session unless logout disabled that auto-reuse\./);
+    assert.match(result.stdout, /logout clears saved session files and keeps passive browser-session reuse off until the next explicit login attempt\./);
     assert.match(result.stdout, /Out-of-scope commands remain intentionally unsupported/);
     assert.doesNotMatch(result.stdout, /auth-bootstrap/);
     assert.doesNotMatch(result.stdout, /auth-clear/);
+    assert.match(result.stdout, /temporary Chromium login window/i);
     assert.doesNotMatch(result.stdout, /Dd-cli/);
 });
 test("repository ships man pages for the supported lowercase command names", () => {
@@ -124,6 +131,9 @@ test("repository ships man pages for the supported lowercase command names", ()
     assert.match(readFileSync(ddManPath, "utf8"), /\.B login/);
     assert.doesNotMatch(readFileSync(ddManPath, "utf8"), /auth-bootstrap/);
     assert.doesNotMatch(readFileSync(ddManPath, "utf8"), /auth-clear/);
+    assert.match(readFileSync(ddManPath, "utf8"), /passive\s+browser-session reuse stays disabled until the next explicit/i);
+    assert.match(readFileSync(ddManPath, "utf8"), /merely-open Chrome\/Brave window is not\s+automatically reusable/i);
+    assert.match(readFileSync(ddManPath, "utf8"), /temporary Chromium.*window/i);
     assert.doesNotMatch(readFileSync(ddManPath, "utf8"), /Dd-cli/);
     assert.equal(readFileSync(aliasManPath, "utf8").trim(), ".so man1/dd-cli.1");
 });
@@ -159,6 +169,36 @@ test("legacy auth command invocations point users to login/logout", () => {
     assert.match(logoutRename.stderr, /Unsupported command: auth-clear/);
     assert.match(logoutRename.stderr, /renamed it to logout/);
 });
+test("commandExitCode treats failed login results as non-zero without changing read-only auth-check semantics", () => {
+    assert.equal(commandExitCode("login", { success: false, isLoggedIn: false }), 1);
+    assert.equal(commandExitCode("login", { success: true, isLoggedIn: true }), 0);
+    assert.equal(commandExitCode("auth-check", { success: true, isLoggedIn: false }), 0);
+});
+test("logout clears persisted session artifacts in the active home directory", async () => {
+    const tempHome = await mkdtemp(join(tmpdir(), "doordash-cli-home-"));
+    const sessionDir = join(tempHome, ".config", "striderlabs-mcp-doordash");
+    const cookiesPath = join(sessionDir, "cookies.json");
+    const storageStatePath = join(sessionDir, "storage-state.json");
+    const browserImportBlockPath = join(sessionDir, "browser-import-blocked");
+    mkdirSync(sessionDir, { recursive: true });
+    writeFileSync(cookiesPath, JSON.stringify([{ name: "session", domain: ".doordash.com" }]));
+    writeFileSync(storageStatePath, JSON.stringify({ cookies: [], origins: [] }));
+    try {
+        const result = runCli(["logout"], { HOME: tempHome });
+        assert.equal(result.status, 0);
+        assert.equal(existsSync(cookiesPath), false);
+        assert.equal(existsSync(storageStatePath), false);
+        assert.equal(existsSync(browserImportBlockPath), true);
+        const parsed = JSON.parse(result.stdout);
+        assert.equal(parsed.success, true);
+        assert.equal(parsed.cookiesPath, cookiesPath);
+        assert.equal(parsed.storageStatePath, storageStatePath);
+        assert.match(parsed.message, /disabled until the next `dd-cli login`/);
+    }
+    finally {
+        await rm(tempHome, { recursive: true, force: true });
+    }
+});
 test("blocked commands fail immediately", () => {
     const result = runCli(["checkout"]);
     assert.equal(result.status, 1);

package/dist/direct-api.d.ts

@@ -15,8 +15,24 @@ export type AuthResult = {
     cookiesPath: string;
     storageStatePath: string;
 };
-export type AuthBootstrapResult = AuthResult & {
+export type AuthBootstrapResult = (AuthResult & {
+    success: true;
+    isLoggedIn: true;
+    message: string;
+}) | (Omit<AuthResult, "success" | "isLoggedIn"> & {
+    success: false;
+    isLoggedIn: false;
     message: string;
+});
+type ManagedBrowserLoginResult = {
+    status: "completed";
+    completion: "automatic" | "manual";
+    auth: AuthResult;
+} | {
+    status: "timed-out";
+    auth: AuthResult;
+} | {
+    status: "launch-failed";
 };
 export type SearchRestaurantResult = {
     id: string;
@@ -456,7 +472,35 @@ type GeoAddressResponse = {
         lng?: number | null;
     } | null;
 };
+type BootstrapAuthSessionDeps = {
+    clearBlockedBrowserImport: () => Promise<void>;
+    checkPersistedAuth: () => Promise<AuthResult | null>;
+    importBrowserSessionIfAvailable: () => Promise<boolean>;
+    markBrowserImportAttempted: () => void;
+    getAttachedBrowserCdpCandidates: () => Promise<string[]>;
+    getReachableCdpCandidates: (candidates: string[]) => Promise<string[]>;
+    describeDesktopBrowserReuseGap: () => Promise<string | null>;
+    openUrlInAttachedBrowser: (input: {
+        cdpUrl: string;
+        targetUrl: string;
+    }) => Promise<boolean>;
+    openUrlInDefaultBrowser: (targetUrl: string) => Promise<boolean>;
+    waitForAttachedBrowserSessionImport: (input: {
+        timeoutMs: number;
+        pollIntervalMs: number;
+    }) => Promise<boolean>;
+    waitForManagedBrowserLogin: (input: {
+        targetUrl: string;
+        timeoutMs: number;
+        pollIntervalMs: number;
+        log: (message: string) => void;
+    }) => Promise<ManagedBrowserLoginResult>;
+    canPromptForManagedBrowserConfirmation: () => boolean;
+    checkAuthDirect: () => Promise<AuthResult>;
+    log: (message: string) => void;
+};
 export declare function checkAuthDirect(): Promise<AuthResult>;
+export declare function bootstrapAuthSessionWithDeps(deps: BootstrapAuthSessionDeps): Promise<AuthBootstrapResult>;
 export declare function bootstrapAuthSession(): Promise<AuthBootstrapResult>;
 export declare function clearStoredSession(): Promise<{
     success: true;
@@ -522,12 +566,19 @@ export declare function resolveAvailableAddressMatch(input: {
     printableAddress: string | null;
     source: SetAddressResult["matchedAddressSource"];
 } | null;
-export declare function isDoorDashUrl(value: string): boolean;
-export declare function hasDoorDashCookies(cookies: ReadonlyArray<Pick<Cookie, "domain">>): boolean;
-export declare function selectManagedBrowserImportMode(input: {
+export declare function selectAttachedBrowserImportMode(input: {
     pageUrls: readonly string[];
     cookies: ReadonlyArray<Pick<Cookie, "domain">>;
 }): "page" | "cookies" | "skip";
+export declare function resolveAttachedBrowserCdpCandidates(env: NodeJS.ProcessEnv, configCandidates?: string[]): string[];
+export declare function resolveSystemBrowserOpenCommand(targetUrl: string, targetPlatform?: NodeJS.Platform): {
+    command: string;
+    args: string[];
+} | null;
+export declare function summarizeDesktopBrowserReuseGap(input: {
+    processCommands: readonly string[];
+    hasAnyDevToolsActivePort: boolean;
+}): string | null;
 export declare function parseSearchRestaurants(body: unknown[]): SearchRestaurantResult[];
 export declare function parseSearchRestaurantRow(entry: unknown): SearchRestaurantResult | null;
 export declare function parseExistingOrderLifecycleStatus(orderRoot: unknown): ExistingOrderLifecycleStatus;