On Mon, May 25, 2026 at 11:52 AM potiuk (via GitHub) <[email protected]> wrote:
> potiuk opened a new pull request, #10:
> URL: https://github.com/apache/comdev/pull/10
>
> ## Summary
>
> - Adds an opt-in path (`PONYMAIL_AUTO_EXTRACT_COOKIE=1`) for the ponymail-mcp `login` tool to read the `ponymail` session cookie directly from the local Chrome cookie DB (decrypting via macOS Keychain), so users don't have to paste from DevTools every session. Strictly opt-in, with a loud multi-line startup warning when active and an in-page "Advanced" section explaining the trade-off. Documented as requiring additional sandboxing (e.g. Apache Magpie) because it grants the MCP process broad Chrome cookie + Keychain access — far more than the MCP actually needs.
> - Improves the paste-form fallback (still the default path on a bare install): smart server-side extraction accepts any reasonable shape (raw `ponymail=…`, full `Cookie:` header line, multi-line Request Headers paste, bare UUID); a new `/preview` endpoint runs extraction + validates the cookie against `/api/preferences.lua` as the user types; the Submit button is gated on validation success. Page restructured into three numbered steps, filter on `preferences.lua` (rather than `api/` which can vary by deployment), with a callout explaining why some same-origin rows don't carry the cookie (analytics like Matomo, tracking pixels, and other `credentials: 'omit'` requests).
> - Firefox and Safari paths were prototyped and removed: both browsers' anti-tracking features (Firefox Bounce Tracking Protection 109+, Safari ITP) hold OAuth-derived session cookies in memory only and never persist them, so there's no file for the extractor to read. The decision is documented in the code, README, and in-page warning.
>
> ## Test plan
>
> - [x] 43/43 unit tests pass (`npm test`): hermetic coverage for the extraction regex (every accepted paste shape + edge cases), the opt-in env-var gate, the cookie-extract entry point, plus the existing restrictions + session-cache suite.
> - [x] Real Chrome end-to-end: with `PONYMAIL_AUTO_EXTRACT_COOKIE=1` and a logged-in Chrome, `login` auto-extracts, decrypts via Keychain, validates against PonyMail, saves session, no UI shown.
> - [x] Real Chrome fall-through: with opt-in on but Chrome logged out, auto-extract returns null and the paste form opens with the **ENABLED** badge and a context-aware status hint explaining the fall-through.
> - [x] Paste form: live preview correctly cycles through `waiting → checking → valid → invalid` for each input shape; Submit stays disabled until validation succeeds.
> - [x] Startup banner: with opt-in on, server prints a multi-line `####`-boxed warning to stderr describing both granted capabilities (entire Chrome cookie DB read, Keychain decrypt access).
>
> 🤖 Generated with [Claude Code](https://claude.com/claude-code)
>
>
> --
> This is an automated message from the Apache Git Service.
> To respond to the message, please log on to GitHub and use the
> URL above to go to the specific comment.
>
> To unsubscribe, e-mail: [email protected]
>
> For queries about this service, please contact Infrastructure at:
> [email protected]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
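The paste-form fallback described in the PR (server-side extraction that accepts the four paste shapes, then a `/preview` check against `/api/preferences.lua` that gates Submit) as an added example in JavaScript. This is not code from the PR or from ponymail-mcp; the function names are hypothetical, the sample cookie values are constructed, and two things are assumptions rather than facts stated on the page: that the `ponymail` cookie value is a UUID, and that a logged-in session makes `/api/preferences.lua` return JSON whose `login` object carries `credentials`. The validator takes an injectable `fetch` so the whole flow runs offline.

```javascript
// Added example (not ponymail-mcp's own code): extract a PonyMail session
// cookie from the paste shapes the PR lists, run the preview state machine
// (waiting -> checking -> valid | invalid) and validate against
// /api/preferences.lua. Assumptions: the `ponymail` cookie value is a UUID;
// a logged-in session yields JSON with `login.credentials` set.

const UUID_ONLY_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Accepts `ponymail=<uuid>`, a full `Cookie: ...` header line, a multi-line
// DevTools "Request Headers" paste, or a bare UUID. Returns the cookie value
// or null. A bare UUID is only accepted when it is the *whole* paste, so a
// header dump that merely contains some other UUID (request ids, trace ids)
// is not mistaken for a session cookie.
function extractPonymailCookie(input) {
  if (typeof input !== "string") return null;
  const text = input.trim();
  if (!text) return null;

  if (UUID_ONLY_RE.test(text)) return text;

  // Prefer the Cookie header line when the paste contains one, so a
  // `ponymail=` that appears elsewhere (e.g. inside a Referer URL) is ignored.
  const cookieLine = text
    .split(/\r?\n/)
    .map((l) => l.trim())
    .find((l) => /^cookie\s*:/i.test(l));
  const haystack = cookieLine ? cookieLine.replace(/^cookie\s*:/i, "") : text;

  // The name must start at a pair boundary (start, `;` or whitespace) and the
  // value must end at one; optional surrounding double quotes are tolerated.
  const m = /(?:^|[;\s])ponymail=("?)([0-9a-f-]{36})\1(?=$|[;\s])/i.exec(haystack);
  if (!m) return null;
  return UUID_ONLY_RE.test(m[2]) ? m[2] : null;
}

// Builds the validator a /preview endpoint would call. `fetchImpl` is
// injectable so the check can be exercised without a live PonyMail.
function makePonymailValidator(baseUrl, fetchImpl = globalThis.fetch) {
  return async (cookie) => {
    const url = new URL("/api/preferences.lua", baseUrl).toString();
    const res = await fetchImpl(url, {
      headers: { Cookie: `ponymail=${cookie}` },
      redirect: "manual",
    });
    if (!res.ok) return false;
    const body = await res.json().catch(() => null);
    // Assumption: logged-in responses carry login.credentials (not on the page).
    return Boolean(body && body.login && body.login.credentials);
  };
}

// Preview state machine. `onState` receives every transition, which is what
// a UI would render; `canSubmit` is true only in the "valid" state.
async function previewCookie(input, validate, onState = () => {}) {
  const cookie = extractPonymailCookie(input);
  if (!cookie) {
    const s = { status: "waiting", cookie: null, canSubmit: false };
    onState(s);
    return s;
  }
  onState({ status: "checking", cookie, canSubmit: false });
  let ok = false;
  try {
    ok = await validate(cookie);
  } catch {
    ok = false; // a network or parse failure counts as "not validated"
  }
  const s = { status: ok ? "valid" : "invalid", cookie, canSubmit: ok };
  onState(s);
  return s;
}
```

Two design points worth noting: the extractor searches only the `Cookie:` line when a header dump contains one, and it accepts a bare UUID only when that UUID is the entire paste, so stray identifiers in other headers never become a candidate session cookie. Validation failures of any kind (non-200, unparseable body, exception) collapse to `invalid`, which keeps Submit disabled.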
