doordash-cli 0.4.1 → 0.4.2

package/CHANGELOG.md

@@ -9,6 +9,12 @@ All notable changes to `doordash-cli` will be documented in this file.
 
 See [docs/releasing.md](docs/releasing.md) for the maintainer release flow.
 
+## [0.4.2](https://github.com/LatencyTDH/doordash-cli/compare/v0.4.1...v0.4.2) (2026-04-10)
+
+### Bug Fixes
+
+* import signed-in linux browser profile state for login reuse ([#40](https://github.com/LatencyTDH/doordash-cli/issues/40)) ([97feddc](https://github.com/LatencyTDH/doordash-cli/commit/97feddc68ce0ebc882737dfad69d5e908f20d250))
+
 ## [0.4.1](https://github.com/LatencyTDH/doordash-cli/compare/v0.4.0...v0.4.1) (2026-04-10)
 
 ### Bug Fixes

package/README.md

@@ -9,7 +9,7 @@ It stops before checkout.
 ## Highlights
 
 - **Cart-safe by design** — browse, inspect existing orders, and manage a cart; no checkout, payment, or order mutation.
-- **Browser-first login** — `dd-cli login` reuses saved local auth or an attachable signed-in browser session when possible, and otherwise opens a temporary login window.
+- **Browser-first login** — `dd-cli login` reuses saved local auth, then same-machine Linux Brave/Chrome profile state, then attachable signed-in browser sessions when possible, and otherwise opens a temporary login window.
 - **Direct API first** — auth, discovery, existing-order, and cart commands use DoorDash consumer-web GraphQL/HTTP rather than DOM clicking.
 - **JSON-friendly** — every command prints structured output.
 - **Fail-closed** — unsupported commands, flags, or unsafe payload shapes are rejected.
@@ -70,13 +70,13 @@ If you are running from a checkout without `npm link`, replace `doordash-cli` wi
 
 ## Login and session reuse
 
-`login` reuses saved local auth when it is still valid. Otherwise it tries to import a discoverable attachable signed-in browser session. A merely-open Chrome/Brave window is not automatically reusable unless the CLI can actually attach to it. If no attachable session is available, it opens a temporary Chromium login window and saves the session there. If authentication still is not established, `login` exits non-zero.
+`login` reuses saved local auth when it is still valid. Otherwise it first tries to import signed-in same-machine Linux Brave/Chrome profile state, then falls back to a discoverable attachable signed-in browser session, and finally opens a temporary Chromium login window it can watch directly. If authentication still is not established, `login` exits non-zero.
 
-`auth-check` reports whether the saved state appears logged in and can quietly import a discoverable attachable signed-in browser session unless `logout` disabled that auto-reuse.
+`auth-check` reports whether the saved state appears logged in and can quietly import same-machine Linux Brave/Chrome profile state or a discoverable attachable signed-in browser session unless `logout` disabled that auto-reuse.
 
 `logout` clears persisted cookies and stored browser state, then keeps passive browser-session reuse disabled until your next explicit `dd-cli login` attempt.
 
-If `login` opens a temporary Chromium window, the CLI now keeps checking automatically and also tells you that you can press Enter to force an immediate recheck once the page already shows you are signed in. That restores the old effective manual-completion path without giving up automatic completion when it works. If you expect reuse from another browser instead, make sure it exposes an attachable browser automation session the CLI can actually import; a merely-open browser window is not enough today, even if it is already your main browser.
+If `login` opens a temporary Chromium window, the CLI now keeps checking automatically and also tells you that you can press Enter to force an immediate recheck once the page already shows you are signed in. That restores the old effective manual-completion path without giving up automatic completion when it works. On Linux, a signed-in local Brave or Google Chrome profile on the same machine is the preferred browser-reuse path and does not need CDP/remote debugging. If that same-machine profile import is unavailable or not signed in, the next reuse path is an attachable browser automation session.
 
 ## Command surface
 

package/dist/cli.js

@@ -42,10 +42,10 @@ export function usage() {
         "  - Installed command names are lowercase only: dd-cli and doordash-cli.",
         "  - install-browser downloads the bundled Playwright Chromium runtime used when the CLI needs a local browser.",
         "  - Manual pages ship with the project: man dd-cli or man doordash-cli.",
-        "  - login reuses saved local auth when possible, otherwise imports an attachable signed-in browser session or opens a temporary Chromium login window.",
+        "  - login reuses saved local auth when possible, otherwise first tries same-machine Linux Brave/Chrome profile import, then attachable signed-in browser sessions, then a temporary Chromium login window.",
         "  - login auto-detects completion when it can; in the temporary-browser fallback you can also press Enter to force an immediate recheck once the page shows you are signed in.",
         "  - login exits non-zero if authentication is still not established.",
-        "  - auth-check reports saved-session status and can quietly reuse/import an attachable signed-in browser session unless logout disabled that auto-reuse.",
+        "  - auth-check reports saved-session status and can quietly reuse/import same-machine Linux Brave/Chrome profile state or an attachable signed-in browser session unless logout disabled that auto-reuse.",
         "  - logout clears saved session files and keeps passive browser-session reuse off until the next explicit login attempt.",
         "  - configurable items require explicit --options-json selections.",
         "  - unsupported option trees fail closed.",

package/dist/cli.test.js

@@ -113,10 +113,10 @@ test("help output shows the direct read-only/cart-safe command surface", () => {
     assert.match(result.stdout, /options-json/);
     assert.match(result.stdout, /--version, -v/);
     assert.match(result.stdout, /man dd-cli/);
-    assert.match(result.stdout, /login reuses saved local auth when possible, otherwise imports an attachable signed-in browser session or opens a temporary Chromium login window\./);
+    assert.match(result.stdout, /login reuses saved local auth when possible, otherwise first tries same-machine Linux Brave\/Chrome profile import, then attachable signed-in browser sessions, then a temporary Chromium login window\./);
     assert.match(result.stdout, /login auto-detects completion when it can; in the temporary-browser fallback you can also press Enter to force an immediate recheck once the page shows you are signed in\./);
     assert.match(result.stdout, /login exits non-zero if authentication is still not established\./);
-    assert.match(result.stdout, /auth-check reports saved-session status and can quietly reuse\/import an attachable signed-in browser session unless logout disabled that auto-reuse\./);
+    assert.match(result.stdout, /auth-check reports saved-session status and can quietly reuse\/import same-machine Linux Brave\/Chrome profile state or an attachable signed-in browser session unless logout disabled that auto-reuse\./);
     assert.match(result.stdout, /logout clears saved session files and keeps passive browser-session reuse off until the next explicit login attempt\./);
     assert.match(result.stdout, /Out-of-scope commands remain intentionally unsupported/);
     assert.doesNotMatch(result.stdout, /auth-bootstrap/);
@@ -132,8 +132,8 @@ test("repository ships man pages for the supported lowercase command names", ()
     assert.doesNotMatch(readFileSync(ddManPath, "utf8"), /auth-bootstrap/);
     assert.doesNotMatch(readFileSync(ddManPath, "utf8"), /auth-clear/);
     assert.match(readFileSync(ddManPath, "utf8"), /passive\s+browser-session reuse stays disabled until the next explicit/i);
-    assert.match(readFileSync(ddManPath, "utf8"), /merely-open Chrome\/Brave window is not\s+automatically reusable/i);
-    assert.match(readFileSync(ddManPath, "utf8"), /temporary Chromium.*window/i);
+    assert.match(readFileSync(ddManPath, "utf8"), /same-machine Linux Brave\/Chrome browser profile/i);
+    assert.match(readFileSync(ddManPath, "utf8"), /temporary\s+Chromium\s+window/i);
     assert.doesNotMatch(readFileSync(ddManPath, "utf8"), /Dd-cli/);
     assert.equal(readFileSync(aliasManPath, "utf8").trim(), ".so man1/dd-cli.1");
 });

package/dist/direct-api.d.ts

@@ -570,6 +570,8 @@ export declare function selectAttachedBrowserImportMode(input: {
     pageUrls: readonly string[];
     cookies: ReadonlyArray<Pick<Cookie, "domain">>;
 }): "page" | "cookies" | "skip";
+export type BrowserSessionImportStrategy = "local-linux-chromium-profile" | "attached-browser-cdp";
+export declare function preferredBrowserSessionImportStrategies(platform: NodeJS.Platform): readonly BrowserSessionImportStrategy[];
 export declare function resolveAttachedBrowserCdpCandidates(env: NodeJS.ProcessEnv, configCandidates?: string[]): string[];
 export declare function resolveSystemBrowserOpenCommand(targetUrl: string, targetPlatform?: NodeJS.Platform): {
     command: string;

package/dist/direct-api.js

@@ -13,6 +13,165 @@ const AUTH_BOOTSTRAP_NO_DISCOVERY_GRACE_MS = 10_000;
 const ATTACHED_BROWSER_CDP_REACHABILITY_TIMEOUT_MS = 2_000;
 const ATTACHED_BROWSER_CDP_CONNECT_TIMEOUT_MS = 5_000;
 const DEFAULT_USER_AGENT = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36";
+const LINUX_CHROMIUM_COOKIE_IMPORT_SCRIPT = String.raw `
+import json
+import os
+import sqlite3
+import hashlib
+import sys
+
+try:
+    import secretstorage
+    from Crypto.Cipher import AES
+except Exception as exc:
+    raise SystemExit(f"missing python support for Chromium cookie import: {exc}")
+
+browser_label = os.environ.get("DD_BROWSER_LABEL", "Chromium")
+user_data_dir = os.environ.get("DD_BROWSER_USER_DATA_DIR", "")
+safe_storage_application = os.environ.get("DD_BROWSER_SAFE_STORAGE_APP", "")
+
+if not user_data_dir or not safe_storage_application:
+    raise SystemExit("missing browser metadata")
+
+
+def chromium_utc_to_unix_seconds(value):
+    if not value:
+        return -1
+    return max(-1, (int(value) / 1000000) - 11644473600)
+
+
+def samesite_to_playwright(value):
+    mapping = {
+        -1: "Lax",
+        0: "None",
+        1: "Lax",
+        2: "Strict",
+    }
+    try:
+        return mapping.get(int(value), "Lax")
+    except Exception:
+        return "Lax"
+
+
+def get_safe_storage_secret(application):
+    bus = secretstorage.dbus_init()
+    for collection in secretstorage.get_all_collections(bus):
+        for item in collection.get_all_items():
+            attrs = item.get_attributes()
+            if attrs.get("xdg:schema") == "chrome_libsecret_os_crypt_password_v2" and attrs.get("application") == application:
+                secret = item.get_secret()
+                return secret.decode("utf-8") if isinstance(secret, bytes) else str(secret)
+    return None
+
+
+def decrypt_cookie_value(encrypted_value, host_key, secret):
+    payload = encrypted_value[3:] if encrypted_value.startswith((b"v10", b"v11")) else encrypted_value
+    key = hashlib.pbkdf2_hmac("sha1", secret.encode("utf-8"), b"saltysalt", 1, dklen=16)
+    decrypted = AES.new(key, AES.MODE_CBC, b" " * 16).decrypt(payload)
+    pad = decrypted[-1]
+    if isinstance(pad, str):
+        pad = ord(pad)
+    if 1 <= pad <= 16:
+        decrypted = decrypted[:-pad]
+    host_hash = hashlib.sha256(host_key.encode("utf-8")).digest()
+    if decrypted.startswith(host_hash):
+        decrypted = decrypted[len(host_hash):]
+    return decrypted.decode("utf-8")
+
+
+def profile_names_for_user_data_dir(root):
+    local_state_path = os.path.join(root, "Local State")
+    entries = []
+    try:
+        with open(local_state_path, "r", encoding="utf-8") as handle:
+            info_cache = ((json.load(handle).get("profile") or {}).get("info_cache") or {})
+        for profile_name, info in info_cache.items():
+            if not isinstance(profile_name, str) or not profile_name.strip():
+                continue
+            active_time = 0.0
+            if isinstance(info, dict):
+                try:
+                    active_time = float(info.get("active_time") or 0)
+                except Exception:
+                    active_time = 0.0
+            entries.append((0 if profile_name == "Default" else 1, -active_time, profile_name))
+    except Exception:
+        pass
+
+    entries.sort()
+    names = [profile_name for _, _, profile_name in entries]
+    if "Default" not in names:
+        names.append("Default")
+    return names
+
+
+safe_storage_secret = get_safe_storage_secret(safe_storage_application)
+if not safe_storage_secret:
+    print("[]")
+    raise SystemExit(0)
+
+imports = []
+for profile_name in profile_names_for_user_data_dir(user_data_dir):
+    cookies_db_path = os.path.join(user_data_dir, profile_name, "Cookies")
+    if not os.path.exists(cookies_db_path):
+        continue
+
+    connection = None
+    try:
+        connection = sqlite3.connect(f"file:{cookies_db_path}?mode=ro", uri=True)
+        cursor = connection.cursor()
+        rows = cursor.execute(
+            """
+            select host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly, samesite
+            from cookies
+            where host_key like '%doordash%'
+            order by host_key, name
+            """
+        ).fetchall()
+    except Exception:
+        if connection is not None:
+            connection.close()
+        continue
+
+    cookies = []
+    for host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly, samesite in rows:
+        try:
+            decrypted_value = decrypt_cookie_value(encrypted_value, host_key, safe_storage_secret)
+        except Exception:
+            continue
+        cookies.append({
+            "name": name,
+            "value": decrypted_value,
+            "domain": host_key,
+            "path": path or "/",
+            "expires": chromium_utc_to_unix_seconds(expires_utc),
+            "httpOnly": bool(is_httponly),
+            "secure": bool(is_secure),
+            "sameSite": samesite_to_playwright(samesite),
+        })
+
+    connection.close()
+    if cookies:
+        imports.append({
+            "browserLabel": browser_label,
+            "profileName": profile_name,
+            "cookies": cookies,
+        })
+
+print(json.dumps(imports))
+`;
+const LINUX_CHROMIUM_COOKIE_IMPORT_BROWSERS = [
+    {
+        browserLabel: "Brave",
+        safeStorageApplication: "brave",
+        userDataDir: join(homedir(), ".config", "BraveSoftware", "Brave-Browser"),
+    },
+    {
+        browserLabel: "Google Chrome",
+        safeStorageApplication: "chrome",
+        userDataDir: join(homedir(), ".config", "google-chrome"),
+    },
+];
 const GRAPHQL_HEADERS = {
     accept: "*/*",
     "content-type": "application/json",
@@ -1715,8 +1874,45 @@ export function selectAttachedBrowserImportMode(input) {
     }
     return "skip";
 }
+export function preferredBrowserSessionImportStrategies(platform) {
+    return platform === "linux"
+        ? ["local-linux-chromium-profile", "attached-browser-cdp"]
+        : ["attached-browser-cdp"];
+}
 async function importBrowserSessionIfAvailable() {
-    return await importBrowserSessionFromCdpCandidates(await getAttachedBrowserCdpCandidates());
+    for (const strategy of preferredBrowserSessionImportStrategies(process.platform)) {
+        if (strategy === "local-linux-chromium-profile") {
+            if (await importBrowserSessionFromLocalChromiumProfiles()) {
+                return true;
+            }
+            continue;
+        }
+        if (await importBrowserSessionFromCdpCandidates(await getAttachedBrowserCdpCandidates())) {
+            return true;
+        }
+    }
+    return false;
+}
+async function importBrowserSessionFromLocalChromiumProfiles() {
+    if (process.platform !== "linux") {
+        return false;
+    }
+    const originalArtifacts = await snapshotStoredSessionArtifacts();
+    for (const browser of LINUX_CHROMIUM_COOKIE_IMPORT_BROWSERS) {
+        const profileImports = await readLinuxChromiumCookieImports(browser);
+        for (const profileImport of profileImports) {
+            if (!hasDoorDashCookies(profileImport.cookies)) {
+                continue;
+            }
+            await writeStoredSessionArtifacts(profileImport.cookies);
+            const persistedAuth = await getPersistedAuthDirect();
+            if (persistedAuth?.isLoggedIn) {
+                return true;
+            }
+            await restoreStoredSessionArtifacts(originalArtifacts);
+        }
+    }
+    return false;
 }
 async function importBrowserSessionFromCdpCandidates(candidates) {
     for (const cdpUrl of candidates) {
@@ -1817,42 +2013,16 @@ async function getPersistedAuthDirect() {
     if (!(await hasPersistedSessionArtifacts())) {
         return null;
     }
-    let browser = null;
-    let context = null;
-    let page = null;
+    await session.close().catch(() => { });
+    session.markBrowserImportAttempted();
     try {
-        browser = await chromium.launch({
-            headless: true,
-            args: ["--disable-blink-features=AutomationControlled", "--no-sandbox", "--disable-setuid-sandbox"],
-        });
-        const storageStatePath = getStorageStatePath();
-        const hasStorage = await hasStorageState();
-        context = await browser.newContext({
-            userAgent: DEFAULT_USER_AGENT,
-            locale: "en-US",
-            viewport: { width: 1280, height: 900 },
-            ...(hasStorage ? { storageState: storageStatePath } : {}),
-        });
-        if (!hasStorage) {
-            const cookies = await readStoredCookies();
-            if (cookies.length === 0) {
-                return null;
-            }
-            await context.addCookies(cookies);
-        }
-        page = await context.newPage();
-        await page.goto(`${BASE_URL}/home`, { waitUntil: "domcontentloaded", timeout: 90_000 }).catch(() => { });
-        await page.waitForTimeout(1_000);
-        const consumerData = await fetchConsumerViaPage(page).catch(() => null);
-        return buildAuthResult(consumerData?.consumer ?? null);
+        return await checkAuthDirect();
     }
     catch {
         return null;
     }
     finally {
-        await page?.close().catch(() => { });
-        await context?.close().catch(() => { });
-        await browser?.close().catch(() => { });
+        await session.close().catch(() => { });
     }
 }
 async function validatePersistedDirectSessionArtifacts() {
@@ -2166,22 +2336,31 @@ export function summarizeDesktopBrowserReuseGap(input) {
     if (hasRemoteDebuggingSignal(input.processCommands) || input.hasAnyDevToolsActivePort) {
         return null;
     }
-    return `I can see ${browser.label} is already running on this desktop, but it is not exposing an attachable browser automation session right now. A normal open browser window is not automatically reusable; dd-cli can only import a browser session it can actually attach to.`;
+    return `I can see ${browser.label} is already running on this desktop, but dd-cli still couldn't reuse it automatically. It is not exposing an attachable browser automation session right now, and no importable signed-in DoorDash browser profile state was found.`;
 }
-async function captureCommandStdout(command, args) {
+async function captureCommandStdout(command, args, options = {}) {
     return await new Promise((resolve, reject) => {
-        const child = spawn(command, args, { stdio: ["ignore", "pipe", "ignore"] });
+        const child = spawn(command, args, {
+            env: options.env,
+            stdio: ["pipe", "pipe", "pipe"],
+        });
         const stdout = [];
+        const stderr = [];
         child.once("error", reject);
         child.stdout?.on("data", (chunk) => {
             stdout.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
         });
+        child.stderr?.on("data", (chunk) => {
+            stderr.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+        });
+        child.stdin?.end(options.stdin ?? "");
         child.once("close", (code) => {
             if (code === 0) {
                 resolve(Buffer.concat(stdout).toString("utf8"));
                 return;
             }
-            reject(new Error(`${command} exited with code ${code ?? "null"}`));
+            const stderrText = Buffer.concat(stderr).toString("utf8").trim();
+            reject(new Error(`${command} exited with code ${code ?? "null"}${stderrText ? `: ${stderrText}` : ""}`));
         });
     });
 }
@@ -2870,6 +3049,89 @@ function truncate(value, length) {
 async function ensureConfigDir() {
     await mkdir(dirname(getCookiesPath()), { recursive: true });
 }
+async function snapshotStoredSessionArtifacts() {
+    const [cookiesRaw, storageStateRaw] = await Promise.all([
+        readFile(getCookiesPath(), "utf8").catch(() => null),
+        readFile(getStorageStatePath(), "utf8").catch(() => null),
+    ]);
+    return { cookiesRaw, storageStateRaw };
+}
+async function restoreStoredSessionArtifacts(snapshot) {
+    await ensureConfigDir();
+    if (snapshot.cookiesRaw === null) {
+        await rm(getCookiesPath(), { force: true }).catch(() => { });
+    }
+    else {
+        await writeFile(getCookiesPath(), snapshot.cookiesRaw);
+    }
+    if (snapshot.storageStateRaw === null) {
+        await rm(getStorageStatePath(), { force: true }).catch(() => { });
+    }
+    else {
+        await writeFile(getStorageStatePath(), snapshot.storageStateRaw);
+    }
+}
+async function writeStoredSessionArtifacts(cookies) {
+    await ensureConfigDir();
+    await writeFile(getCookiesPath(), JSON.stringify(cookies, null, 2));
+    await writeFile(getStorageStatePath(), JSON.stringify({ cookies, origins: [] }, null, 2));
+}
+async function readLinuxChromiumCookieImports(input) {
+    try {
+        const stdout = await captureCommandStdout("python3", ["-c", LINUX_CHROMIUM_COOKIE_IMPORT_SCRIPT], {
+            env: {
+                ...process.env,
+                DD_BROWSER_LABEL: input.browserLabel,
+                DD_BROWSER_SAFE_STORAGE_APP: input.safeStorageApplication,
+                DD_BROWSER_USER_DATA_DIR: input.userDataDir,
+            },
+        });
+        const parsed = JSON.parse(stdout);
+        if (!Array.isArray(parsed)) {
+            return [];
+        }
+        return parsed.flatMap((entry) => {
+            const object = asObject(entry);
+            const browserLabel = typeof object.browserLabel === "string" ? object.browserLabel.trim() : "";
+            const profileName = typeof object.profileName === "string" ? object.profileName.trim() : "";
+            if (!browserLabel || !profileName || !Array.isArray(object.cookies)) {
+                return [];
+            }
+            const cookies = object.cookies.flatMap((cookie) => {
+                const parsedCookie = asObject(cookie);
+                const name = typeof parsedCookie.name === "string" ? parsedCookie.name : "";
+                const value = typeof parsedCookie.value === "string" ? parsedCookie.value : "";
+                const domain = typeof parsedCookie.domain === "string" ? parsedCookie.domain : "";
+                const path = typeof parsedCookie.path === "string" && parsedCookie.path ? parsedCookie.path : "/";
+                const sameSiteRaw = typeof parsedCookie.sameSite === "string" ? parsedCookie.sameSite : "Lax";
+                const sameSite = sameSiteRaw === "Strict" || sameSiteRaw === "None" || sameSiteRaw === "Lax" ? sameSiteRaw : "Lax";
+                const expires = typeof parsedCookie.expires === "number" && Number.isFinite(parsedCookie.expires) ? parsedCookie.expires : -1;
+                if (!name || !domain) {
+                    return [];
+                }
+                return [
+                    {
+                        name,
+                        value,
+                        domain,
+                        path,
+                        expires,
+                        httpOnly: Boolean(parsedCookie.httpOnly),
+                        secure: Boolean(parsedCookie.secure),
+                        sameSite,
+                    },
+                ];
+            });
+            if (cookies.length === 0) {
+                return [];
+            }
+            return [{ browserLabel, profileName, cookies }];
+        });
+    }
+    catch {
+        return [];
+    }
+}
 async function hasBlockedBrowserImport() {
     try {
         await readFile(getBrowserImportBlockPath(), "utf8");

package/dist/direct-api.test.js

@@ -1,6 +1,6 @@
 import test from "node:test";
 import assert from "node:assert/strict";
-import { bootstrapAuthSessionWithDeps, buildAddConsumerAddressPayload, buildAddToCartPayload, buildUpdateCartPayload, extractExistingOrdersFromApolloCache, normalizeItemName, parseExistingOrderLifecycleStatus, parseExistingOrdersResponse, parseOptionSelectionsJson, parseSearchRestaurantRow, resolveAttachedBrowserCdpCandidates, resolveAvailableAddressMatch, resolveSystemBrowserOpenCommand, selectAttachedBrowserImportMode, summarizeDesktopBrowserReuseGap, } from "./direct-api.js";
+import { bootstrapAuthSessionWithDeps, buildAddConsumerAddressPayload, buildAddToCartPayload, buildUpdateCartPayload, extractExistingOrdersFromApolloCache, normalizeItemName, parseExistingOrderLifecycleStatus, parseExistingOrdersResponse, parseOptionSelectionsJson, parseSearchRestaurantRow, preferredBrowserSessionImportStrategies, resolveAttachedBrowserCdpCandidates, resolveAvailableAddressMatch, resolveSystemBrowserOpenCommand, selectAttachedBrowserImportMode, summarizeDesktopBrowserReuseGap, } from "./direct-api.js";
 function configurableItemDetail() {
     return {
         success: true,
@@ -181,7 +181,7 @@ test("resolveSystemBrowserOpenCommand stays generic across operating systems", (
         args: ["/c", "start", "", "https://www.doordash.com/home"],
     });
 });
-test("summarizeDesktopBrowserReuseGap explains why a merely-open Brave window is not reusable", () => {
+test("summarizeDesktopBrowserReuseGap explains why a running Brave session still was not reusable", () => {
     const message = summarizeDesktopBrowserReuseGap({
         processCommands: [
             "/bin/bash /usr/bin/brave-browser-stable",
@@ -191,8 +191,9 @@ test("summarizeDesktopBrowserReuseGap explains why a merely-open Brave window is
         hasAnyDevToolsActivePort: false,
     });
     assert.match(message ?? "", /Brave is already running on this desktop/i);
-    assert.match(message ?? "", /normal open browser window is not automatically reusable/i);
-    assert.match(message ?? "", /attach to/i);
+    assert.match(message ?? "", /couldn't reuse it automatically/i);
+    assert.match(message ?? "", /attachable browser automation session/i);
+    assert.match(message ?? "", /no importable signed-in DoorDash browser profile state was found/i);
 });
 test("summarizeDesktopBrowserReuseGap stays quiet once the browser exposes attach signals", () => {
     assert.equal(summarizeDesktopBrowserReuseGap({
@@ -204,6 +205,11 @@ test("summarizeDesktopBrowserReuseGap stays quiet once the browser exposes attac
         hasAnyDevToolsActivePort: true,
     }), null);
 });
+test("preferredBrowserSessionImportStrategies prefers same-machine linux profile imports before CDP attach", () => {
+    assert.deepEqual(preferredBrowserSessionImportStrategies("linux"), ["local-linux-chromium-profile", "attached-browser-cdp"]);
+    assert.deepEqual(preferredBrowserSessionImportStrategies("darwin"), ["attached-browser-cdp"]);
+    assert.deepEqual(preferredBrowserSessionImportStrategies("win32"), ["attached-browser-cdp"]);
+});
 test("selectAttachedBrowserImportMode treats an authenticated browser with DoorDash cookies as an immediate import candidate", () => {
     assert.equal(selectAttachedBrowserImportMode({
         pageUrls: ["https://github.com/LatencyTDH/doordash-cli/pulls"],

package/docs/examples.md

@@ -26,7 +26,7 @@ Check whether you already have reusable session state:
 doordash-cli auth-check
 ```
 
-If your saved local state is still valid, this exits immediately. Otherwise it tries to reuse a discoverable attachable signed-in browser session. A merely-open Chrome/Brave window is not automatically reusable unless the CLI can actually attach to it, so the fallback is a temporary Chromium login window the CLI can watch directly. In that temporary-browser fallback, the CLI keeps checking automatically and you can also press Enter in the terminal to force an immediate recheck once the page shows you are signed in:
+If your saved local state is still valid, this exits immediately. Otherwise it first tries to reuse same-machine Linux Brave/Chrome profile state, then a discoverable attachable signed-in browser session, and finally falls back to a temporary Chromium login window the CLI can watch directly. In that temporary-browser fallback, the CLI keeps checking automatically and you can also press Enter in the terminal to force an immediate recheck once the page shows you are signed in:
 
 ```bash
 doordash-cli login

package/docs/install.md

@@ -60,9 +60,9 @@ doordash-cli search --query sushi
 
 ## Login and session reuse
 
-`doordash-cli login` reuses saved local auth when it is still valid. Otherwise it tries to import a discoverable attachable signed-in browser session. A merely-open Chrome/Brave window is not automatically reusable unless the CLI can actually attach to it. If no attachable session is available, it opens a temporary Chromium login window and saves the session there. If authentication still is not established, `login` exits non-zero.
+`doordash-cli login` reuses saved local auth when it is still valid. Otherwise it first tries to import signed-in same-machine Linux Brave/Chrome profile state, then falls back to a discoverable attachable signed-in browser session, and finally opens a temporary Chromium login window it can watch directly. If authentication still is not established, `login` exits non-zero.
 
-`doordash-cli auth-check` can also quietly import a discoverable attachable signed-in browser session unless `doordash-cli logout` disabled that auto-reuse.
+`doordash-cli auth-check` can also quietly import same-machine Linux Brave/Chrome profile state or a discoverable attachable signed-in browser session unless `doordash-cli logout` disabled that auto-reuse.
 
 `doordash-cli logout` clears persisted cookies and stored browser state, then keeps passive browser-session reuse disabled until your next explicit `doordash-cli login` attempt.
 
@@ -70,4 +70,4 @@ doordash-cli search --query sushi
 
 Normally you should not need to think about browser plumbing. If `doordash-cli login` opens a temporary Chromium window, finish signing in there and let the CLI save the session. The CLI keeps checking automatically, and if the page already shows you are signed in but the command has not finished yet, press Enter in the terminal to force an immediate recheck.
 
-If you expected reuse from another browser instead, make sure that browser exposes an attachable browser automation session the CLI can actually import. A merely-open browser window is not enough today, even if it is already your main browser.
+On Linux, the preferred reuse path is a signed-in local Brave or Google Chrome profile on the same machine, which does not need CDP/remote debugging. If that same-machine profile import is unavailable or not signed in, the next reuse path is an attachable browser automation session.

package/man/dd-cli.1

@@ -35,20 +35,20 @@ local browser, including the temporary login-window fallback.
 .TP
 .B auth-check
 Verify whether the saved session appears authenticated. This command can also
-quietly reuse or import an already-signed-in attachable browser session when
-one is available, unless
+quietly reuse or import same-machine Linux Brave/Chrome browser profile state
+or an already-signed-in attachable browser session when one is available,
+unless
 .B logout
 explicitly disabled that auto-reuse.
 .TP
 .B login
-Reuse saved local auth when possible. Otherwise try to import a discoverable
-attachable signed-in browser session. A merely-open Chrome/Brave window is not
-automatically reusable unless the CLI can actually attach to it. If no
-attachable session is available, open a temporary Chromium login window and save
-that session there. The temporary-browser fallback auto-detects completion when
-it can, and also accepts an explicit Enter keypress in the terminal to force an
-immediate recheck once the page shows the user is signed in. If authentication
-is still not established,
+Reuse saved local auth when possible. Otherwise first try to import signed-in
+same-machine Linux Brave/Chrome browser profile state, then a discoverable
+attachable signed-in browser session, and finally open a temporary Chromium
+login window and save that session there. The temporary-browser fallback
+auto-detects completion when it can, and also accepts an explicit Enter
+keypress in the terminal to force an immediate recheck once the page shows the
+user is signed in. If authentication is still not established,
 .B login
 exits non-zero.
 .TP
@@ -215,12 +215,13 @@ passive browser-session reuse stays disabled until the next explicit
 .SH ENVIRONMENT
 .PP
 In the common case you should not need to configure browser plumbing manually.
-For attached-browser reuse, the CLI can probe compatible CDP URLs/ports and a
-few localhost defaults. A merely-open browser window is not automatically
-reusable unless the CLI can actually attach to it. If no attachable browser
-session is discoverable, login falls back to a temporary Chromium window it can
-watch directly, with an explicit Enter-to-recheck fallback in the terminal if
-automatic detection is not yet convincing. See
+On Linux, the preferred browser-reuse path is a signed-in local Brave or Google
+Chrome profile on the same machine, which does not need CDP/remote debugging.
+For attached-browser reuse, the CLI can also probe compatible CDP URLs/ports
+and a few localhost defaults. If neither same-machine profile import nor an
+attachable browser session is discoverable, login falls back to a temporary
+Chromium window it can watch directly, with an explicit Enter-to-recheck
+fallback in the terminal if automatic detection is not yet convincing. See
 .I docs/install.md
 for setup and troubleshooting.
 .SH EXIT STATUS

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "doordash-cli",
-  "version": "0.4.1",
+  "version": "0.4.2",
   "description": "Cart-safe DoorDash CLI with direct API support for browse, read-only existing-order, and cart workflows.",
   "type": "module",
   "main": "dist/lib.js",