job-pro 0.9.1 → 0.9.2

package/dist/apply.js

@@ -17,6 +17,33 @@ import { readFileSync, existsSync, statSync } from "node:fs";
 import { homedir } from "node:os";
 import { basename, join } from "node:path";
 const PROFILE_PATH = process.env.JOB_PRO_PROFILE_PATH ?? join(homedir(), ".jobpro", "profile.json");
+const SESSION_DIR = process.env.JOB_PRO_SESSION_DIR ?? join(homedir(), ".jobpro");
+/** Read a captured session for an adapter, or null if none exists. */
+export function loadSession(adapterKey) {
+    const path = join(SESSION_DIR, `${adapterKey}.session.json`);
+    if (!existsSync(path))
+        return null;
+    try {
+        const raw = readFileSync(path, "utf8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+/** Convert a CapturedSession into a single Cookie header string. */
+export function serializeCookieHeader(session, targetHost) {
+    const cookies = session.cookies.filter((c) => {
+        if (!targetHost)
+            return true;
+        if (!c.domain)
+            return true;
+        // RFC-style domain match: ".example.com" matches any subdomain.
+        const dom = c.domain.startsWith(".") ? c.domain.slice(1) : c.domain;
+        return targetHost === dom || targetHost.endsWith("." + dom);
+    });
+    return cookies.map((c) => `${c.name}=${c.value}`).join("; ");
+}
 const TEMPLATE = {
     first_name: "",
     last_name: "",
@@ -164,7 +191,7 @@ export function formatStaged(s) {
 function truncate(s, n) {
     return s.length > n ? s.slice(0, n - 1) + "…" : s;
 }
-export async function submitApplication(staged, target) {
+export async function submitApplication(staged, target, options = {}) {
     if (!staged.submit_endpoint) {
         return {
             ok: false,
@@ -188,16 +215,45 @@ export async function submitApplication(staged, target) {
     }
     const url = target.kind === "debug" ? target.url : staged.submit_endpoint;
     const fd = await buildMultipartForm(staged);
+    const headers = {
+        // Don't set Content-Type — fetch/undici picks the correct
+        // multipart/form-data boundary for the FormData instance.
+        Accept: "application/json, text/plain, */*",
+        "User-Agent": "job-pro/0.9 (https://github.com/HA7CH/job-pro)",
+    };
+    // Layer in captured-session headers (Cookie, X-Xsrf-Token, etc.) only
+    // when we're actually hitting the upstream endpoint. Debug echo endpoints
+    // (httpbin) don't need them and might log them, so we strip there.
+    if (target.kind === "upstream" && options.session) {
+        const targetHost = (() => {
+            try {
+                return new URL(url).hostname;
+            }
+            catch {
+                return undefined;
+            }
+        })();
+        const cookieHeader = serializeCookieHeader(options.session, targetHost);
+        if (cookieHeader)
+            headers.Cookie = cookieHeader;
+        for (const [k, v] of Object.entries(options.session.headers ?? {})) {
+            // Skip cookie — already handled. Skip content-type — let undici set
+            // the multipart boundary one. Skip authorization-bearer only if the
+            // upstream's auth model isn't cookie-based.
+            if (k === "cookie" || k === "content-type")
+                continue;
+            // Normalise to canonical casing — fetch's Headers preserves what we set.
+            headers[k] = v;
+        }
+    }
+    if (options.extraHeaders) {
+        Object.assign(headers, options.extraHeaders);
+    }
     let response;
     try {
         response = await fetch(url, {
             method: staged.submit_method ?? "POST",
-            headers: {
-                // Don't set Content-Type — fetch/undici picks the correct
-                // multipart/form-data boundary for the FormData instance.
-                Accept: "application/json, text/plain, */*",
-                "User-Agent": "job-pro/0.9 (https://github.com/HA7CH/job-pro)",
-            },
+            headers,
             body: fd,
         });
     }

package/dist/index.js

@@ -50,11 +50,11 @@ import * as geely from "./geely.js";
 import * as webank from "./webank.js";
 import * as horizonrobotics from "./horizonrobotics.js";
 import * as cambricon from "./cambricon.js";
-import { loadProfile, profileTemplate, stageApplication, submitApplication, formatStaged, } from "./apply.js";
+import { loadProfile, loadSession, profileTemplate, stageApplication, submitApplication, formatStaged, } from "./apply.js";
 import { memoryList, memoryGet, memorySet, memoryEvent, memoryClear, } from "./memory.js";
 import { writeFileSync, mkdirSync, existsSync } from "node:fs";
 import { dirname } from "node:path";
-const VERSION = "0.9.1";
+const VERSION = "0.9.2";
 const COMPANIES = [
     { key: "tencent", family: "Bespoke", source: "join.qq.com", label: "Tencent / 腾讯" },
     { key: "bytedance", family: "Bespoke", source: "jobs.bytedance.com", label: "ByteDance / 字节跳动" },
@@ -406,17 +406,10 @@ async function runCompany(adapter, company, rawArgs) {
                     `See docs/auto-apply.md for the rollout plan.`,
             }, compact);
         }
-        if (reallySubmit) {
-            return emit({
-                ok: false,
-                source: company,
-                post_id: postId,
-                message: `--really-submit is intentionally disabled until per-ATS submission flows ` +
-                    `are validated end-to-end against live boards. Use --debug-submit-to <url> ` +
-                    `to verify the multipart wire format against your own echo server (e.g. ` +
-                    `https://httpbin.org/post) without spamming the real ATS.`,
-            }, compact);
-        }
+        // Note: we DON'T early-return on reallySubmit here — we fall through
+        // to stage the application first, then re-gate before actually posting.
+        // This lets the user verify the staged payload one last time even
+        // when they pass --really-submit by accident.
         const schemaResult = await fetchSchema.call(adapter, postId);
         const sr = schemaResult;
         if (!sr.ok || !sr.schema) {
@@ -434,24 +427,80 @@ async function runCompany(adapter, company, rawArgs) {
             }, compact);
         }
         const staged = stageApplication(sr.schema, prof.profile);
-        // Mode selection: --debug-submit-to <url> overrides dry-run.
+        const session = loadSession(company);
+        // Mode selection: --debug-submit-to <url> overrides everything.
         if (debugUrl) {
             const result = await submitApplication(staged, { kind: "debug", url: debugUrl });
             return emit({ mode: "debug-submit", staged, result }, compact);
         }
+        // --really-submit: actually hit the upstream endpoint. Guarded by both
+        // an env-var attestation and (for non-anon adapters) a session.json.
+        if (reallySubmit) {
+            const understood = process.env.JOB_PRO_I_UNDERSTAND_REAL_SUBMIT === "yes";
+            if (!understood) {
+                return emit({
+                    ok: false,
+                    source: company,
+                    post_id: postId,
+                    mode: "really-submit-blocked",
+                    staged,
+                    message: `--really-submit is gated by an env-var attestation. To unlock, set ` +
+                        `JOB_PRO_I_UNDERSTAND_REAL_SUBMIT=yes in your shell. This submission will ` +
+                        `POST a real application to ${staged.submit_endpoint}; doing so without a ` +
+                        `valid resume / answers is spam against the company's recruiters.`,
+                }, compact);
+            }
+            if (!staged.ready) {
+                return emit({
+                    ok: false,
+                    source: company,
+                    post_id: postId,
+                    mode: "really-submit-blocked",
+                    staged,
+                    message: `${staged.unanswered_required.length} required field(s) still unanswered; refusing to submit incomplete application`,
+                }, compact);
+            }
+            // Anon adapters (Greenhouse / Lever) don't need session.json.
+            // Bespoke / Beisen / Moka / Feishu adapters do — bail with a hint
+            // pointing at the browser extension.
+            const isAnonFamily = staged.source.startsWith("boards-api.greenhouse.io/") ||
+                staged.source.startsWith("api.lever.co/");
+            if (!isAnonFamily && !session) {
+                return emit({
+                    ok: false,
+                    source: company,
+                    post_id: postId,
+                    mode: "really-submit-blocked",
+                    staged,
+                    message: `no captured session at ~/.jobpro/${company}.session.json. Install the ` +
+                        `extension/ directory in Chrome, log into the careers site, click Export, ` +
+                        `then mv ~/Downloads/jobpro/${company}.session.json ~/.jobpro/`,
+                }, compact);
+            }
+            const result = await submitApplication(staged, { kind: "upstream" }, { session });
+            return emit({ mode: "really-submit", staged, session_used: !!session, result }, compact);
+        }
         // Default: dry-run print, no network.
         if (compact) {
-            return emit({ mode: "dry-run", staged }, compact);
+            return emit({ mode: "dry-run", staged, has_session: !!session }, compact);
         }
         console.log(formatStaged(staged));
+        if (session) {
+            console.log(`\nSession captured (~/.jobpro/${company}.session.json): ${session.cookies.length} cookies + ${Object.keys(session.headers).length} auth headers.`);
+        }
         if (!staged.ready) {
             console.log(`\nFill the unanswered required fields in ${profileTemplate().path} ` +
                 `(profile.custom.<name> for unknown fields), then re-run.`);
         }
         else {
-            console.log(`\nDry-run complete. Use --debug-submit-to https://httpbin.org/post to ` +
-                `verify the multipart wire format. --really-submit will be enabled per-ATS ` +
-                `once each family's submission flow has been validated end-to-end.`);
+            const isAnon = staged.source.startsWith("boards-api.greenhouse.io/") ||
+                staged.source.startsWith("api.lever.co/");
+            console.log(`\nDry-run complete. To actually submit:\n` +
+                `  • --debug-submit-to https://httpbin.org/post  — verify wire format\n` +
+                `  • JOB_PRO_I_UNDERSTAND_REAL_SUBMIT=yes job-pro ${company} apply ${postId} --really-submit\n` +
+                (isAnon
+                    ? `  ${company} is Greenhouse/Lever (anonymous submission, no session needed).\n`
+                    : `  ${company} needs ~/.jobpro/${company}.session.json — capture via the browser extension.\n`));
         }
         void aDebug; // silence "unused" — `args` flow goes through popFlagValue
         return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "job-pro",
-  "version": "0.9.1",
+  "version": "0.9.2",
   "description": "Query Chinese big-tech campus recruiting from your terminal. 50 companies, all 50 live. 46 via each company's own API; the 4 with no public canonical feed (Hikvision, CICC, Cainiao, WeBank) surfaced via Liepin as a clearly-labeled third-party fallback. No signup, no token, no server.",
   "homepage": "https://job.ha7ch.com",
   "repository": "https://github.com/HA7CH/job-pro",