potiuk opened a new pull request, #10: URL: https://github.com/apache/comdev/pull/10
## Summary

- Adds an opt-in path (`PONYMAIL_AUTO_EXTRACT_COOKIE=1`) for the ponymail-mcp `login` tool to read the `ponymail` session cookie directly from the local Chrome cookie DB (decrypting via macOS Keychain), so users don't have to paste from DevTools every session. Strictly opt-in, with a loud multi-line startup warning when active and an in-page "Advanced" section explaining the trade-off. Documented as requiring additional sandboxing (e.g. Apache Magpie) because it grants the MCP process broad Chrome cookie + Keychain access, far more than the MCP actually needs.
- Improves the paste-form fallback (still the default path on a bare install): smart server-side extraction accepts any reasonable shape (raw `ponymail=…`, full `Cookie:` header line, multi-line Request Headers paste, bare UUID); a new `/preview` endpoint runs extraction + validates the cookie against `/api/preferences.lua` as the user types; the Submit button is gated on validation success. Page restructured into three numbered steps, filter on `preferences.lua` (rather than `api/`, which can vary by deployment), with a callout explaining why some same-origin rows don't carry the cookie (analytics like Matomo, tracking pixels, and other `credentials: 'omit'` requests).
- Firefox and Safari paths were prototyped and removed: both browsers' anti-tracking features (Firefox Bounce Tracking Protection 109+, Safari ITP) hold OAuth-derived session cookies in memory only and never persist them, so there's no file for the extractor to read. The decision is documented in the code, README, and in-page warning.

## Test plan

- [x] 43/43 unit tests pass (`npm test`): hermetic coverage for the extraction regex (every accepted paste shape + edge cases), the opt-in env-var gate, the cookie-extract entry point, plus the existing restrictions + session-cache suite.
- [x] Real Chrome end-to-end: with `PONYMAIL_AUTO_EXTRACT_COOKIE=1` and a logged-in Chrome, `login` auto-extracts, decrypts via Keychain, validates against PonyMail, saves session, no UI shown.
- [x] Real Chrome fall-through: with opt-in on but Chrome logged out, auto-extract returns null and the paste form opens with the **ENABLED** badge and a context-aware status hint explaining the fall-through.
- [x] Paste form: live preview correctly cycles through `waiting → checking → valid → invalid` for each input shape; Submit stays disabled until validation succeeds.
- [x] Startup banner: with opt-in on, server prints a multi-line `####`-boxed warning to stderr describing both granted capabilities (entire Chrome cookie DB read, Keychain decrypt access).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
