feat: browser-session v0.1.0 — reuse your browser's logged-in session from Node

Two capabilities, decoupled:
- cookies (zero deps): read + AES-128-CBC-decrypt Brave/Chrome/Edge cookies via
  the macOS Keychain key. Handles v10/v11 + the 32-byte SHA256(host) prefix newer
  Chromium prepends (strip when the decrypted head isn't printable). The Node
  equivalent of yt-dlp --cookies-from-browser.
- session (playwright optional): open any url headless with the session injected
  (scoped via page url so __Host-/__Secure- resolve), return rendered text + the
  requests the page made. Reads login-walled / JS pages a plain fetch can't.

readPage(url, {browser}) composes both. CLI: cookies <domain> [--names] | read
<url> [--browser]. 8 tests, tsc strict, MIT, macOS (cookie read) for now.

Author: micronink

.github/workflows/ci.yml

@@ -0,0 +1,24 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18, 20, 22]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: npm
+      - run: npm ci
+      - run: npm run typecheck
+      - run: npm test
+      - run: npm run build

.gitignore

@@ -0,0 +1,4 @@
+node_modules/
+dist/
+*.log
+.DS_Store

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Jason Poindexter
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,67 @@
+# browser-session
+
+[![CI](https://github.com/jpoindexter/browser-session/actions/workflows/ci.yml/badge.svg)](https://github.com/jpoindexter/browser-session/actions/workflows/ci.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+[![Node](https://img.shields.io/badge/node-%3E%3D18-green.svg)](https://nodejs.org)
+[![TypeScript](https://img.shields.io/badge/TypeScript-strict-3178c6.svg)](https://www.typescriptlang.org/)
+
+**Reuse your real logged-in browser session from Node.** Two things:
+
+1. **Read + decrypt your browser cookies** (Brave / Chrome / Edge) — **zero dependencies**. The Node equivalent of yt-dlp's `--cookies-from-browser`.
+2. **Open any page in a headless browser with that session** — read login-walled / JS-rendered pages a plain `fetch` can't (via Playwright).
+
+No extension, no manual cookie export.
+
+> ⚠️ **macOS only for now** (the cookie key lives in the login Keychain — one approval prompt the first time). The headless-read part is cross-platform; only the cookie auto-read is macOS-specific so far. Use a dedicated account for scraping — automated access can get accounts flagged.
+
+## Install
+
+```bash
+npm install browser-session
+# for the headless-read part:
+npm install playwright-core && npx playwright install chromium
+```
+
+## Use
+
+### Library
+
+```ts
+import { getCookies, openWithSession, readPage } from "browser-session";
+
+// 1) just the cookies (zero-dep)
+const c = getCookies({ browser: "brave", domain: "x.com" });
+if (c.ok) console.log(c.cookie); // "auth_token=…; ct0=…; …"
+
+// 2) read a logged-in page in a real browser, session auto-injected
+const r = await readPage("https://www.reddit.com/", { browser: "brave" });
+if (r.ok) console.log(r.text);            // rendered text of YOUR feed
+//        console.log(r.requests);        // every URL the page requested
+
+// 3) bring your own cookie (any source)
+await openWithSession("https://x.com/i/bookmarks", "auth_token=…; ct0=…");
+```
+
+Every call returns `{ ok: true, … } | { ok: false, error }` — errors as values, never throws.
+
+### CLI
+
+```bash
+browser-session cookies x.com --browser brave          # print the cookie header
+browser-session cookies x.com --names                  # just the cookie names
+browser-session read https://www.reddit.com/ --browser brave   # render your logged-in page
+browser-session read https://example.com               # anonymous read
+```
+
+## How it works
+
+- **Cookies** (`src/cookies.ts`): pulls the AES key from the macOS Keychain (`<Browser> Safe Storage`), derives it (`PBKDF2(pw, "saltysalt", 1003, 16, sha1)`), reads the Cookies SQLite (copied to dodge the browser lock via the system `sqlite3`), and AES-128-CBC-decrypts each value. Handles the `v10`/`v11` prefix **and** the 32-byte `SHA256(host)` prefix newer Chromium prepends (stripped when the decrypted head isn't printable). Zero runtime deps.
+- **Session** (`src/session.ts`): launches headless Chromium (Playwright), injects the cookies scoped to the page origin (so `__Host-`/`__Secure-` prefixes resolve), navigates, and returns the body text + the request URLs. `playwright-core` is an **optional** dependency — the cookie reader works without it.
+
+## API
+
+`getCookies({ browser?, domain, profile? })` · `decryptCookie(hex, key)` · `openWithSession(url, cookie, { settleMs? })` · `readPage(url, { browser?, profile? })` · `cookieToPlaywright(header, url)` · `domainOf(url)`.
+
+## License
+
+MIT