docs: CDP cookies design spec + fix stale command count #5
Open
drakulavich wants to merge 1 commit into
The next storage roadmap item is `cookie-*`, but the only honest implementation must include HttpOnly cookies — and those require CDP, which bowser doesn't yet plumb. Shipping a `document.cookie`-only `cookie-list` would silently omit every auth cookie on a logged-in page, exactly the misleading-partial-API trap. This commit lands the design that the next session will execute against, instead.

- `docs/superpowers/specs/2026-05-14-cdp-cookies-design.md` — full design: why document.cookie is insufficient, CDP transport approach (alongside Bun.WebView), daemon ops, CLI surface for 5 cookie commands, implementation outline with file-level responsibilities, risks (stderr-scraping for debug port, dual-client CDP), and out-of-scope items reusing the same plumbing (state-save/load, tabs).
- `README.md` — roadmap entry now links the spec.
- `AGENTS.md` — fix stale "18 commands" to point at the README table (currently 25 entries).

No code changes; `bun test` (111 pass / 10 skip) and `bun build` unchanged.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary

- `cookie-*`, but the only honest implementation must include HttpOnly cookies. Those are not visible to `document.cookie`, and HttpOnly is exactly where session/auth cookies live — so a JS-only `cookie-list` would silently omit the rows that matter on any logged-in page.
- `Bun.WebView` driver, five `cookie-*` commands that treat HttpOnly as first-class data, and an implementation outline at file-level granularity.
- `AGENTS.md` — the README's command table now lists 25 rows after the localstorage/sessionstorage additions.

Files changed

- `docs/superpowers/specs/2026-05-14-cdp-cookies-design.md` — design spec.
- `README.md` — roadmap entry links the spec.
- `AGENTS.md` — replace stale count with a reference to the README table.

Why this path (vs. shipping `cookie-*` now)

The user-facing brief explicitly called out: "avoid a misleading partial API" and "If `cookie-*` is not safely feasible, choose a smaller roadmap/documentation cleanup that unblocks it, such as designing/adding the CDP path." A correct CDP implementation requires new transport infrastructure (Chrome stderr scraping to discover the debug port, a minimal WS-based CDP client, dual-client handling alongside `Bun.WebView`) plus e2e validation against real Chrome. That's not safely deliverable in one session — but the design is.

The spec also captures next-step reuse: `state-save`/`state-load` and `tab-*` are both CDP-only and will reuse the same client introduced for cookies.

Test plan

- `bun test` — 111 pass / 10 skip (unchanged from baseline; this PR is docs-only).
- `bun build src/cli.ts --compile --outfile dist/bowser` — succeeds; `./dist/bowser --help` lists current commands unchanged.

🤖 Generated with Claude Code
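
The gap this PR describes, as an added example that is not part of the PR or of bowser's code: it finds a loopback-only debug endpoint in Chrome's stderr, frames a CDP cookie request, and compares the CDP result with what `document.cookie` would show. It assumes Chrome's `DevTools listening on ws://...` stderr line and the CDP `Storage.getCookies` method (the PR does not say which CDP call the spec uses); all function names are hypothetical and the sample data is constructed.

```typescript
// Added example; not bowser's code. SAMPLE_* values are constructed.
interface CdpCookie {
  name: string; value: string; domain: string; path: string;
  httpOnly: boolean; secure: boolean;
}

// Chrome announces its debug endpoint on stderr. Only loopback hosts are
// accepted, so a debug port bound to another interface is never used.
const DEVTOOLS_LINE =
  /^DevTools listening on (ws:\/\/(?:127\.0\.0\.1|localhost|\[::1\]):\d+\/devtools\/browser\/[\w-]+)$/;

function findDebugEndpoint(stderr: string): string | null {
  for (const line of stderr.split(/\r?\n/)) {
    const url = DEVTOOLS_LINE.exec(line.trim())?.[1];
    if (url) return url;
  }
  return null;
}

// CDP messages are JSON objects; a reply carries the id of its request.
function cookieRequest(id: number): string {
  return JSON.stringify({ id, method: "Storage.getCookies" });
}

function readCookies(reply: string, id: number): CdpCookie[] {
  const msg = JSON.parse(reply);
  if (msg.id !== id) throw new Error("reply id does not match request");
  if (msg.error) throw new Error(`CDP error: ${msg.error.message}`);
  return msg.result.cookies as CdpCookie[];
}

// What document.cookie would return for the same jar (simplification:
// assumes every cookie matches the current page's domain and path).
function documentCookieView(cookies: CdpCookie[]): string {
  return cookies.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join("; ");
}

// Names that a JS-only listing would silently drop.
function omittedByJs(cookies: CdpCookie[]): string[] {
  return cookies.filter((c) => c.httpOnly).map((c) => c.name);
}

const SAMPLE_STDERR = "constructed noise line\n" +
  "DevTools listening on ws://127.0.0.1:41237/devtools/browser/constructed-id-0001\n";
const SAMPLE_REPLY = JSON.stringify({ id: 1, result: { cookies: [
  { name: "session", value: "constructed", domain: "app.example", path: "/", httpOnly: true, secure: true },
  { name: "theme", value: "dark", domain: "app.example", path: "/", httpOnly: false, secure: false },
] } });
```

On the constructed jar, `documentCookieView` returns only `theme=dark`, while `omittedByJs` names `session`, the row an auth audit cares about.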