job-pro 0.9.0 → 0.9.2

package/dist/apply.js

@@ -13,10 +13,37 @@
 // Fields beyond first_name / last_name / email / phone / resume are
 // passed through to whatever per-company custom question matches their
 // `name` (e.g. `linkedin_url`, `nationality`).
-import { readFileSync, existsSync } from "node:fs";
+import { readFileSync, existsSync, statSync } from "node:fs";
 import { homedir } from "node:os";
-import { join } from "node:path";
+import { basename, join } from "node:path";
 const PROFILE_PATH = process.env.JOB_PRO_PROFILE_PATH ?? join(homedir(), ".jobpro", "profile.json");
+const SESSION_DIR = process.env.JOB_PRO_SESSION_DIR ?? join(homedir(), ".jobpro");
+/** Read a captured session for an adapter, or null if none exists. */
+export function loadSession(adapterKey) {
+    const path = join(SESSION_DIR, `${adapterKey}.session.json`);
+    if (!existsSync(path))
+        return null;
+    try {
+        const raw = readFileSync(path, "utf8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+/** Convert a CapturedSession into a single Cookie header string. */
+export function serializeCookieHeader(session, targetHost) {
+    const cookies = session.cookies.filter((c) => {
+        if (!targetHost)
+            return true;
+        if (!c.domain)
+            return true;
+        // RFC-style domain match: ".example.com" matches any subdomain.
+        const dom = c.domain.startsWith(".") ? c.domain.slice(1) : c.domain;
+        return targetHost === dom || targetHost.endsWith("." + dom);
+    });
+    return cookies.map((c) => `${c.name}=${c.value}`).join("; ");
+}
 const TEMPLATE = {
     first_name: "",
     last_name: "",
@@ -164,3 +191,138 @@ export function formatStaged(s) {
 function truncate(s, n) {
     return s.length > n ? s.slice(0, n - 1) + "…" : s;
 }
+export async function submitApplication(staged, target, options = {}) {
+    if (!staged.submit_endpoint) {
+        return {
+            ok: false,
+            posted_to: "",
+            message: "no submit_endpoint on staged application — this adapter family doesn't expose a public submission API",
+        };
+    }
+    if (!staged.ready) {
+        return {
+            ok: false,
+            posted_to: "",
+            message: `${staged.unanswered_required.length} required field(s) still unanswered; fill them before submitting`,
+        };
+    }
+    if (target.kind === "dry-run") {
+        return {
+            ok: false,
+            posted_to: "dry-run (no network)",
+            message: "dry-run requested — no HTTP call fired",
+        };
+    }
+    const url = target.kind === "debug" ? target.url : staged.submit_endpoint;
+    const fd = await buildMultipartForm(staged);
+    const headers = {
+        // Don't set Content-Type — fetch/undici picks the correct
+        // multipart/form-data boundary for the FormData instance.
+        Accept: "application/json, text/plain, */*",
+        "User-Agent": "job-pro/0.9 (https://github.com/HA7CH/job-pro)",
+    };
+    // Layer in captured-session headers (Cookie, X-Xsrf-Token, etc.) only
+    // when we're actually hitting the upstream endpoint. Debug echo endpoints
+    // (httpbin) don't need them and might log them, so we strip there.
+    if (target.kind === "upstream" && options.session) {
+        const targetHost = (() => {
+            try {
+                return new URL(url).hostname;
+            }
+            catch {
+                return undefined;
+            }
+        })();
+        const cookieHeader = serializeCookieHeader(options.session, targetHost);
+        if (cookieHeader)
+            headers.Cookie = cookieHeader;
+        for (const [k, v] of Object.entries(options.session.headers ?? {})) {
+            // Skip cookie — already handled. Skip content-type — let undici set
+            // the multipart boundary one. Skip authorization-bearer only if the
+            // upstream's auth model isn't cookie-based.
+            if (k === "cookie" || k === "content-type")
+                continue;
+            // Normalise to canonical casing — fetch's Headers preserves what we set.
+            headers[k] = v;
+        }
+    }
+    if (options.extraHeaders) {
+        Object.assign(headers, options.extraHeaders);
+    }
+    let response;
+    try {
+        response = await fetch(url, {
+            method: staged.submit_method ?? "POST",
+            headers,
+            body: fd,
+        });
+    }
+    catch (err) {
+        return {
+            ok: false,
+            posted_to: url,
+            message: `network error: ${err instanceof Error ? err.message : String(err)}`,
+        };
+    }
+    let preview = "";
+    try {
+        preview = (await response.text()).slice(0, 4000);
+    }
+    catch {
+        /* binary response is fine */
+    }
+    return {
+        ok: response.ok,
+        status: response.status,
+        posted_to: url,
+        response_preview: preview,
+        message: response.ok
+            ? `submission accepted (HTTP ${response.status})`
+            : `upstream rejected: HTTP ${response.status} ${response.statusText}`,
+    };
+}
+async function buildMultipartForm(staged) {
+    const fd = new FormData();
+    for (const field of staged.staged) {
+        if (!field.value)
+            continue;
+        if (field.type === "input_file") {
+            // Read the file synchronously — these are resumes, KB-range PDFs.
+            // For debug endpoints we still attach the actual file so the
+            // multipart wire format matches production exactly.
+            let stat;
+            try {
+                stat = statSync(field.value);
+            }
+            catch (err) {
+                throw new Error(`could not stat resume file ${field.value}: ${err instanceof Error ? err.message : err}`);
+            }
+            if (!stat.isFile()) {
+                throw new Error(`resume path is not a file: ${field.value}`);
+            }
+            const bytes = readFileSync(field.value);
+            const filename = basename(field.value);
+            // Best-effort content type from extension; ATS-side typically
+            // re-detects from magic bytes anyway.
+            const ext = filename.toLowerCase().split(".").pop() ?? "";
+            const mime = ext === "pdf"
+                ? "application/pdf"
+                : ext === "docx"
+                    ? "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
+                    : ext === "doc"
+                        ? "application/msword"
+                        : "application/octet-stream";
+            // Node 20+ has a global File constructor; for older runtimes, fall
+            // back to a Blob. We bumped engines.node >=18 — Blob is universal.
+            const FileCtor = globalThis.File;
+            const part = typeof FileCtor === "function"
+                ? new FileCtor([new Uint8Array(bytes)], filename, { type: mime })
+                : new Blob([new Uint8Array(bytes)], { type: mime });
+            fd.append(field.name, part, filename);
+        }
+        else {
+            fd.append(field.name, field.value);
+        }
+    }
+    return fd;
+}

package/dist/index.js

@@ -50,11 +50,11 @@ import * as geely from "./geely.js";
 import * as webank from "./webank.js";
 import * as horizonrobotics from "./horizonrobotics.js";
 import * as cambricon from "./cambricon.js";
-import { loadProfile, profileTemplate, stageApplication, formatStaged, } from "./apply.js";
+import { loadProfile, loadSession, profileTemplate, stageApplication, submitApplication, formatStaged, } from "./apply.js";
 import { memoryList, memoryGet, memorySet, memoryEvent, memoryClear, } from "./memory.js";
 import { writeFileSync, mkdirSync, existsSync } from "node:fs";
 import { dirname } from "node:path";
-const VERSION = "0.9.0";
+const VERSION = "0.9.2";
 const COMPANIES = [
     { key: "tencent", family: "Bespoke", source: "join.qq.com", label: "Tencent / 腾讯" },
     { key: "bytedance", family: "Bespoke", source: "jobs.bytedance.com", label: "ByteDance / 字节跳动" },
@@ -392,8 +392,9 @@ async function runCompany(adapter, company, rawArgs) {
     if (verb === "apply") {
         const postId = args[0];
         if (!postId)
-            die(`usage: job-pro ${company} apply <post_id> [--dry-run | --really-submit]`);
+            die(`usage: job-pro ${company} apply <post_id> [--dry-run | --debug-submit-to <url> | --really-submit]`);
         const reallySubmit = args.includes("--really-submit");
+        const { args: aDebug, value: debugUrl } = popFlagValue(args, "--debug-submit-to");
         const fetchSchema = adapter.fetchApplicationSchema;
         if (typeof fetchSchema !== "function") {
             return emit({
@@ -401,20 +402,14 @@ async function runCompany(adapter, company, rawArgs) {
                 source: company,
                 post_id: postId,
                 message: `apply: Phase 2 not yet wired for "${company}". Only Greenhouse + Lever ` +
-                    `boards (xpeng / weride / hoyoverse) expose an application schema today. ` +
+                    `boards (xpeng / hoyoverse / weride) expose an application schema today. ` +
                     `See docs/auto-apply.md for the rollout plan.`,
             }, compact);
         }
-        if (reallySubmit) {
-            return emit({
-                ok: false,
-                source: company,
-                post_id: postId,
-                message: `--really-submit is intentionally not implemented yet. Phase 2 ships the ` +
-                    `staging path first so you can see exactly what would be POSTed before any ` +
-                    `submission actually fires. Re-run without --really-submit for the dry-run.`,
-            }, compact);
-        }
+        // Note: we DON'T early-return on reallySubmit here — we fall through
+        // to stage the application first, then re-gate before actually posting.
+        // This lets the user verify the staged payload one last time even
+        // when they pass --really-submit by accident.
         const schemaResult = await fetchSchema.call(adapter, postId);
         const sr = schemaResult;
         if (!sr.ok || !sr.schema) {
@@ -432,18 +427,82 @@ async function runCompany(adapter, company, rawArgs) {
             }, compact);
         }
         const staged = stageApplication(sr.schema, prof.profile);
+        const session = loadSession(company);
+        // Mode selection: --debug-submit-to <url> overrides everything.
+        if (debugUrl) {
+            const result = await submitApplication(staged, { kind: "debug", url: debugUrl });
+            return emit({ mode: "debug-submit", staged, result }, compact);
+        }
+        // --really-submit: actually hit the upstream endpoint. Guarded by both
+        // an env-var attestation and (for non-anon adapters) a session.json.
+        if (reallySubmit) {
+            const understood = process.env.JOB_PRO_I_UNDERSTAND_REAL_SUBMIT === "yes";
+            if (!understood) {
+                return emit({
+                    ok: false,
+                    source: company,
+                    post_id: postId,
+                    mode: "really-submit-blocked",
+                    staged,
+                    message: `--really-submit is gated by an env-var attestation. To unlock, set ` +
+                        `JOB_PRO_I_UNDERSTAND_REAL_SUBMIT=yes in your shell. This submission will ` +
+                        `POST a real application to ${staged.submit_endpoint}; doing so without a ` +
+                        `valid resume / answers is spam against the company's recruiters.`,
+                }, compact);
+            }
+            if (!staged.ready) {
+                return emit({
+                    ok: false,
+                    source: company,
+                    post_id: postId,
+                    mode: "really-submit-blocked",
+                    staged,
+                    message: `${staged.unanswered_required.length} required field(s) still unanswered; refusing to submit incomplete application`,
+                }, compact);
+            }
+            // Anon adapters (Greenhouse / Lever) don't need session.json.
+            // Bespoke / Beisen / Moka / Feishu adapters do — bail with a hint
+            // pointing at the browser extension.
+            const isAnonFamily = staged.source.startsWith("boards-api.greenhouse.io/") ||
+                staged.source.startsWith("api.lever.co/");
+            if (!isAnonFamily && !session) {
+                return emit({
+                    ok: false,
+                    source: company,
+                    post_id: postId,
+                    mode: "really-submit-blocked",
+                    staged,
+                    message: `no captured session at ~/.jobpro/${company}.session.json. Install the ` +
+                        `extension/ directory in Chrome, log into the careers site, click Export, ` +
+                        `then mv ~/Downloads/jobpro/${company}.session.json ~/.jobpro/`,
+                }, compact);
+            }
+            const result = await submitApplication(staged, { kind: "upstream" }, { session });
+            return emit({ mode: "really-submit", staged, session_used: !!session, result }, compact);
+        }
+        // Default: dry-run print, no network.
         if (compact) {
-            return emit({ ok: true, staged }, compact);
+            return emit({ mode: "dry-run", staged, has_session: !!session }, compact);
         }
         console.log(formatStaged(staged));
+        if (session) {
+            console.log(`\nSession captured (~/.jobpro/${company}.session.json): ${session.cookies.length} cookies + ${Object.keys(session.headers).length} auth headers.`);
+        }
         if (!staged.ready) {
             console.log(`\nFill the unanswered required fields in ${profileTemplate().path} ` +
                 `(profile.custom.<name> for unknown fields), then re-run.`);
         }
         else {
-            console.log(`\nDry-run complete. --really-submit will be enabled in a future release ` +
-                `once per-ATS submission flows have been validated against live boards.`);
+            const isAnon = staged.source.startsWith("boards-api.greenhouse.io/") ||
+                staged.source.startsWith("api.lever.co/");
+            console.log(`\nDry-run complete. To actually submit:\n` +
+                `  • --debug-submit-to https://httpbin.org/post  — verify wire format\n` +
+                `  • JOB_PRO_I_UNDERSTAND_REAL_SUBMIT=yes job-pro ${company} apply ${postId} --really-submit\n` +
+                (isAnon
+                    ? `  ${company} is Greenhouse/Lever (anonymous submission, no session needed).\n`
+                    : `  ${company} needs ~/.jobpro/${company}.session.json — capture via the browser extension.\n`));
         }
+        void aDebug; // silence "unused" — `args` flow goes through popFlagValue
         return;
     }
     if (verb === "memory") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "job-pro",
-  "version": "0.9.0",
+  "version": "0.9.2",
   "description": "Query Chinese big-tech campus recruiting from your terminal. 50 companies, all 50 live. 46 via each company's own API; the 4 with no public canonical feed (Hikvision, CICC, Cainiao, WeBank) surfaced via Liepin as a clearly-labeled third-party fallback. No signup, no token, no server.",
   "homepage": "https://job.ha7ch.com",
   "repository": "https://github.com/HA7CH/job-pro",