Skip to content

PointsPath: headed Playwright login + --from-chrome import#6

Merged
ak2k merged 2 commits into
mainfrom
worktree-work-k93b-pp-browser-login
May 15, 2026
Merged

PointsPath: headed Playwright login + --from-chrome import#6
ak2k merged 2 commits into
mainfrom
worktree-work-k93b-pp-browser-login

Conversation

@ak2k

@ak2k ak2k commented May 15, 2026

Copy link
Copy Markdown
Owner

Summary

Resolves the auth-rotation race that's been derailing PP work this session. Today's only login path is --tokens-file ~/Downloads/pp_tokens.json — manually captured JSON. This PR adds two new modes that share the same underlying Supabase-cookie reassembly:

Mode Mechanism When to use
default (no flag) Playwright headed Chromium → user logs in normally → CLI captures the resulting session Recommended. Independent server-side Supabase session — Chrome PP can stay open elsewhere; neither side races the other's refresh chain.
--from-chrome rookiepy reads cookies from a local Chrome profile Quicker (no re-login) but the CLI inherits Chrome's refresh chain. Supabase rotates single-use → eventual race. Use one-shot.
--tokens-file PATH JSON import (existing) Bring your own session JSON, e.g. captured via CDP.

Pattern is modeled on real precedents in the broader skill ecosystem:

  • krisp-cli does OAuth PKCE — CLI owns its own token chain, separate from any web session
  • pplx does auth import --browser X via rookiepy

PP doesn't expose OAuth, so we get the same "independent token chain" property via Playwright-driven login instead.

Implementation

Shared tokens_from_supabase_cookies() in pp/auth.py funnels all three modes. Reassembles sb-<ref>-auth-token.0/.1 cookies, handles raw JSON and base64- prefix, ignores the -code-verifier PKCE cookie, falls back to JWT exp claim when payload lacks expires_at.

Three modes are mutually exclusive; multiple → typer.BadParameter. Missing playwright import → clear install instructions pointing to the browser-login optional extra.

rookiepy is a regular dep (small package, useful surface). playwright is an optional extra (flight-cli[browser-login]) — the package itself is small, but playwright install chromium is ~150MB and non-PP users shouldn't pay that.

Closes work-k93b.

Test plan

  • make check (ruff lint + format + basedpyright strict + pytest) — all green
  • 76/76 tests pass (69 existing + 7 new in tests/pp/test_auth_login.py)
  • New tests cover: split .0+.1 cookies, raw JSON payload, single unsplit cookie, PKCE verifier ignored, no-cookies error path, JWT-exp expiry fallback, rookiepy plumbing scoped to pointspath.com
  • flight auth pp login --help renders all three modes cleanly
  • No live Playwright run in CI — the headed flow is genuinely interactive and not unit-testable; the shared cookie-reassembly logic it depends on IS pinned

ak2k added 2 commits May 15, 2026 09:17
Solves the auth-rotation race that's been derailing PP work all session.

Until now the only login path was --tokens-file pointing at a manually-
captured JSON of Supabase cookies. Two new modes that share the same
underlying cookie-reassembly logic:

  default (no flag)  — Playwright headed Chromium. User logs in normally;
                       CLI captures the resulting Supabase session. This is
                       the recommended path: independent server-side
                       session, so Chrome PP can stay logged in elsewhere
                       and neither side races the other's refresh chain.
                       Optional extra: `flight-cli[browser-login]`.

  --from-chrome      — rookiepy reads cookies from a local Chrome profile.
                       Quicker (no re-login) but the CLI inherits Chrome's
                       refresh chain. Supabase rotates single-use, so a
                       refresh on one side eventually invalidates the
                       other. Convenience for one-shot use; the default is
                       the right pick for stability.

Mode shape modeled on krisp-cli (OAuth PKCE — CLI owns its token chain)
and pplx (`auth import --browser X` via rookiepy). Both established
precedents for CLI auth in the broader skill ecosystem.

Shared `tokens_from_supabase_cookies()` helper in pp/auth.py funnels
all three paths. Reassembles `sb-<ref>-auth-token.0/.1` cookies,
handles raw JSON and `base64-` prefix, ignores the `-code-verifier`
PKCE cookie, falls back to JWT `exp` claim when payload lacks
`expires_at`. Seven new unit tests pin the behavior with synthetic
cookies + a fake rookiepy.

Three modes are mutually exclusive; supplying more than one is a clean
typer.BadParameter exit. Missing playwright import → clear "install
with X" error pointing to the optional extra.

Closes work-k93b.
…g install

The previous setup section pushed users toward
`uv pip install -e '.[browser-login]'` — which mutates flight-cli's
project venv just to add an interactive-login dep. Most users would
rather inject playwright at run-time and leave the venv alone.

New pattern (recommended):

  # One-time, global (browser cached at ~/Library/Caches/ms-playwright):
  uvx --from playwright playwright install chromium

  # Per-invocation, ephemeral:
  uv run --with playwright flight auth pp login

The optional extra is still defined for users who DO want playwright
resident, but it's no longer the primary path. Updated `--help`
docstring, README, and the missing-playwright ImportError message.
@ak2k ak2k merged commit ae06bc4 into main May 15, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant