Automate Stanford admin tasks (Axess, Grant ED, ASSU, class registration)

[brando90]

Goal

Automate routine Stanford administrative tasks so they can be triggered from Claude Code or a script, without manually opening a browser and clicking through forms.

Target services:

• Axess (axess.sierracedar.com) — class registration, enrollment, transcript
• Grant ED (grante-d.stanford.edu) — grant/funding management
• VSO / ASSU — student org admin
• Stanford Who (stanfordwho.stanford.edu) — directory lookups
• MyAdvisor / OASIS — advising, requirements

Architecture Options

Option A: Browser Automation with Persistent Session (Recommended)

Use Playwright (or Selenium) to drive a real browser that handles Stanford SSO + Duo 2FA.

┌─────────────┐     ┌──────────────┐     ┌─────────────────┐
│ Claude Code  │────▶│  Python API  │────▶│  Playwright      │
│ or CLI       │     │  (uutils)    │     │  (headless/head) │
└─────────────┘     └──────────────┘     └─────┬───────────┘
                                               │
                                     ┌─────────▼──────────┐
                                     │ Stanford SSO Login  │
                                     │ (login.stanford.edu)│
                                     │ + Duo 2FA push      │
                                     └─────────┬──────────┘
                                               │
                                     ┌─────────▼──────────┐
                                     │ Axess / Grant ED /  │
                                     │ ASSU / etc.         │
                                     └────────────────────┘

Pros: Works with any Stanford service, handles JavaScript-heavy UIs
Cons: Requires Duo 2FA approval once per session, fragile to UI changes

Session persistence strategy:

• Save browser cookies/state to ~/.stanford_session/ after login
• Reuse session until it expires (~8-12 hours for Stanford SSO)
• Only re-auth when session is stale (detect login redirect)
• Keep Mac awake or use caffeinate / tmux for long-running sessions

Option B: Kerberos + API Endpoints (Limited)

Some Stanford services expose APIs or use Kerberos auth:

• kinit brando9@stanford.edu for Kerberos ticket
• Use tickets to access services that support Kerberos (limited set)
• Won't work for Axess or most web-only services

Verdict: Only works for a subset of services. Not sufficient alone.

Option C: Hybrid (Recommended Implementation)

1. One-time browser login with Duo 2FA → save session state
2. Reuse session for all subsequent API/scrape calls until expiry
3. Fall back to re-auth with Duo push when session expires
4. Keep alive via periodic heartbeat request in tmux/background

Implementation Plan

Phase 1: Stanford SSO Auth Module

• py_src/uutils/stanford_auth.py — handles login.stanford.edu SSO + Duo
• Playwright-based login flow: username → password → Duo push → capture cookies
• Session persistence: save/load cookies from ~/.stanford_session/cookies.json
• Session health check: is_session_valid() pings a Stanford service
• Password from ~/keys/stanford_password.txt (chmod 600)

Phase 2: Axess Automation

• py_src/uutils/stanford_axess.py — class search, enrollment, drop
• search_classes(term, subject, course_num) → list of sections
• enroll(class_id) → enrollment confirmation
• get_schedule() → current enrolled classes
• get_transcript() → unofficial transcript

Phase 3: Grant ED & Admin

• py_src/uutils/stanford_grante_d.py — grant/funding tasks
• py_src/uutils/stanford_admin.py — VSO/ASSU, directory, etc.

Phase 4: Keep-Alive Daemon

• Background script (tmux or launchd) that refreshes the session periodically
• scripts/stanford_session_keepalive.py — runs every 30 min, pings Stanford SSO
• macOS LaunchAgent plist for auto-start on login

Key Decisions Needed

1. Duo 2FA flow: Can we use "Remember me for 30 days" + saved cookies, or do we need a push every time?
2. Headless vs headed: Headless is faster but Stanford may block it (Cloudflare/bot detection). May need headed browser on first login.
3. Always-on requirement: Session expires after ~8-12 hours. Options:
   • Keep Mac awake with caffeinate -d in tmux
   • Use a cloud VM (but then need to forward Duo pushes)
   • Accept re-auth every morning (one Duo push per day)
4. Fragility: Stanford UI changes could break scrapers. Consider adding CI tests that verify selectors.

Security Notes

• Stanford password stored at ~/keys/stanford_password.txt (chmod 600, gitignored)
• Session cookies stored at ~/.stanford_session/ (chmod 700)
• Never commit credentials or session state
• Duo 2FA remains as second factor — can't be bypassed

Dependencies

playwright

References

• Stanford SSO docs: https://uit.stanford.edu/service/authentication
• Duo 2FA: https://uit.stanford.edu/service/authentication/twostep
• Axess: https://axess.sierracedar.com
• Playwright: https://playwright.dev/python/

[doublechen973-sys]

Your hybrid plan maps cleanly onto browser-act stealth profiles: browser-act browser create stanford --mode normal persists cookies/localStorage across launches, so Duo 2FA only fires on the first --headed login and on SSO expiry (~8-12h). Subsequent scripted calls are headless but reuse the profile. Install npx skills add browser-act/skills --skill browser-act; profile flags in https://github.com/browser-act/skills/blob/main/browser-act/SKILL.md. Saves writing your own cookie-storage layer, and stealth fingerprinting is insurance if Stanford tightens detection on Axess later.