feat(auth): make auto-detect the default for x auth import

lroolle · lroolle · commit 8a1941838373 · 2026-04-13T03:50:45.000-07:00
Previously you had to pass --from-browser chrome to get the browser
cookie auto-import. That was hidden UX. The right default is: just
work.

`x auth import` (no flags) now:

  1. Scans every local browser cookie store (Chrome, Firefox, Brave,
     Edge, Chromium) via kooky.
  2. Decrypts the values using the per-OS Safe Storage key.
  3. Takes the first browser that has an x.com session.
  4. Saves to keychain and runs verify (twid → UserByRestId).

If no browser has a logged-in x.com session — headless container,
fresh machine, all browsers locked — x-cli SOFT-FAILS to an
interactive paste prompt with a single info line. No error, no
choice menu, no "now try this with --from-browser".

Override flags exist but are explicit:

  --from-browser &lt;name&gt;   pin a specific browser instead of auto
  --paste                 skip auto-detect, prompt
  --cookie '...'          one-shot for scripted setups

cmd/auth.go: rewrote acquireCookieString in priority order
  --cookie | --paste | --from-browser | (default = auto+fallback).
  New readBrowserCookies helper with a softMiss flag so the default
  path can swallow "no cookies found" errors and fall through.
  promptCookiePaste extracted for clarity.

README.md and skills/x-cli/{SKILL.md,references/auth.md} updated to
lead with the bare `x auth import` and demote --from-browser to an
override for edge cases.
diff --git a/README.md b/README.md
@@ -41,42 +41,40 @@ make build
 
 ## Auth
 
-Three ways to import the session:
-
-**1. Auto from a local browser (recommended)**
-
 ```
-x auth import --from-browser chrome
-x auth import --from-browser firefox
-x auth import --from-browser brave
-x auth import --from-browser edge
+x auth import
 ```
 
-x-cli reads the browser's cookie SQLite store on disk and decrypts
-the values using the per-OS Safe Storage key (macOS Keychain on Mac,
-libsecret/kwallet on Linux, DPAPI on Windows). Same mechanism Python's
-`browser_cookie3` and `rookiepy` use. Chrome must be **closed** on macOS
-because it locks the cookie file; Firefox and Linux Chrome usually work
-while open. macOS will prompt once for Keychain access on the first run.
+That's it. `x auth import` auto-detects a logged-in x.com session in
+any local browser (Chrome, Firefox, Brave, Edge, Chromium), reads the
+cookie store directly from disk, and decrypts the values using the
+per-OS Safe Storage key (macOS Keychain on Mac, libsecret/kwallet on
+Linux, DPAPI on Windows). Same mechanism Python's `browser_cookie3` and
+`rookiepy` use. No flags, no DevTools paste.
 
-**2. Manual paste**
+If auto-detect finds nothing (headless container, fresh machine, all
+browsers closed and locked), x-cli falls through to an interactive
+paste prompt automatically — open x.com → DevTools → Application →
+Cookies → copy `auth_token` + `ct0` → paste at the prompt.
 
-Open x.com in your real browser, DevTools → Application → Cookies, copy
-`auth_token` and `ct0`, then:
+**Per-OS notes:**
 
-```
-x auth import
-# paste: auth_token=...; ct0=...; twid=u%3D...
-```
+- macOS prompts once for Keychain access on the first run so we can
+  read the Chrome Safe Storage AES key. The system dialog says "x
+  wants to access key 'Chrome' in your keychain" — that's normal.
+- Chrome must be **closed** on macOS because it holds an exclusive
+  lock on the cookie file while running. Firefox is fine while open.
+- Linux Chrome needs `libsecret` or `kwallet` running.
+- Windows uses DPAPI; works with the browser running.
 
-**3. Scripted (CI / setup scripts)**
+**Override only if you need to:**
 
 ```
-x auth import --cookie 'auth_token=...; ct0=...; twid=u%3D...'
+x auth import --from-browser chrome      # pin a specific browser
+x auth import --paste                    # force the paste prompt
+x auth import --cookie 'auth_token=...'  # scripted setups
 ```
 
-(Visible in shell history — prefer `--from-browser` for normal use.)
-
 **Where the cookie lives.** x-cli tries the OS keychain first (`go-keyring`:
 Keychain on macOS, libsecret on Linux, Credential Manager on Windows). If the
 keychain is unavailable — headless boxes, containers, CI, Linux without a
diff --git a/cmd/auth.go b/cmd/auth.go
@@ -18,6 +18,7 @@ import (
 var (
 	authFromBrowser string
 	authCookieFlag  string
+	authForcePaste  bool
 )
 
 var authCmd = &cobra.Command{
@@ -27,41 +28,33 @@ var authCmd = &cobra.Command{
 
 var authImportCmd = &cobra.Command{
 	Use:   "import",
-	Short: "Import session cookies from your browser",
+	Short: "Import session cookies from your browser (auto)",
 	Long: `Import the auth_token and ct0 cookies from an X session.
 
-Three import modes:
+By default, `+"`x auth import`"+` auto-detects: it scans every local
+browser's cookie store on disk (Chrome, Firefox, Brave, Edge, Chromium),
+decrypts the encrypted values with the per-OS Safe Storage key, and
+uses whichever browser has a live x.com session. No flags, no paste.
 
-  1. Auto from a local browser  (no manual paste — recommended)
+Override only if you need to:
 
-       x auth import --from-browser chrome
-       x auth import --from-browser firefox
-       x auth import --from-browser brave
-       x auth import --from-browser edge
+  --from-browser chrome    pin a specific browser instead of auto
+  --cookie 'auth_token=...; ct0=...'    one-shot from a flag (scripted)
+  --paste                  force the interactive paste prompt
 
-     Reads the cookie store directly from disk and decrypts the values
-     using the browser's per-OS Safe Storage key. macOS may prompt
-     once for Keychain access. Chrome must be CLOSED on macOS — it
-     locks the cookie file while running. Firefox usually works while
-     open.
+Notes:
 
-  2. One-shot from a flag  (scripted setups)
+  - macOS prompts once for Keychain access on the first run so we can
+    read the Chrome Safe Storage AES key. The system dialog says "x
+    wants to access key 'Chrome' in your keychain" — that's normal.
+  - Chrome must be CLOSED on macOS because it holds an exclusive lock
+    on the cookie file while running. Firefox is fine while open.
+  - If auto-detect finds no x.com session in any browser (typical in a
+    headless container or fresh machine), x-cli falls back to the
+    interactive paste prompt automatically.
 
-       x auth import --cookie 'auth_token=...; ct0=...; twid=u%3D...'
-
-     Pass the full cookie header on the command line. Visible in
-     shell history; prefer --from-browser or stdin paste for normal use.
-
-  3. Interactive paste  (default — works everywhere)
-
-       x auth import
-       # paste at the prompt: auth_token=...; ct0=...; twid=u%3D...
-
-     Open x.com in your real browser, DevTools → Application → Cookies
-     → https://x.com, copy auth_token + ct0, paste here.
-
-In all three modes, x-cli stores the cookies in your OS keychain via
-go-keyring. They are never written to disk in plaintext.`,
+x-cli stores cookies in your OS keychain via go-keyring. They are
+never written to disk in plaintext.`,
 	RunE: runAuthImport,
 }
 
@@ -79,9 +72,11 @@ var authLogoutCmd = &cobra.Command{
 
 func init() {
 	authImportCmd.Flags().StringVar(&authFromBrowser, "from-browser", "",
-		"read cookies directly from a local browser: chrome | firefox | brave | edge | chromium")
+		"pin to a specific browser: chrome | firefox | brave | edge | chromium")
 	authImportCmd.Flags().StringVar(&authCookieFlag, "cookie", "",
-		"non-interactive: pass the full cookie header as a flag (visible in shell history)")
+		"non-interactive: pass the full cookie header (visible in shell history)")
+	authImportCmd.Flags().BoolVar(&authForcePaste, "paste", false,
+		"skip auto-detect and prompt for an interactive paste")
 
 	authCmd.AddCommand(authImportCmd)
 	authCmd.AddCommand(authStatusCmd)
@@ -151,32 +146,77 @@ func runAuthImport(cmd *cobra.Command, _ []string) error {
 	return nil
 }
 
-// acquireCookieString returns the cookie header string from one of the
-// three import modes (--from-browser, --cookie, interactive paste).
-// The three modes are mutually exclusive and checked in priority order.
+// acquireCookieString resolves the cookie string in priority order:
+//
+//  1. --cookie '...'                  (explicit one-shot)
+//  2. --from-browser <name>           (explicit browser pin)
+//  3. --paste                         (explicit interactive paste)
+//  4. (default) auto-scan all browsers, fall through to paste if empty
+//
+// The default mode is the only one that can SOFT-FAIL: if no browser
+// has an x.com session, we silently drop to the paste prompt without
+// error. Explicit modes hard-fail on their own terms.
 func acquireCookieString() (string, error) {
 	switch {
+	case authCookieFlag != "":
+		return strings.TrimSpace(authCookieFlag), nil
+
+	case authForcePaste:
+		return promptCookiePaste()
+
 	case authFromBrowser != "":
-		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-		defer cancel()
-		res, err := browsercookies.Load(ctx, authFromBrowser, "x.com")
-		if err != nil {
-			return "", fmt.Errorf("--from-browser %s: %w", authFromBrowser, err)
+		raw, _, err := readBrowserCookies(authFromBrowser, false)
+		return raw, err
+
+	default:
+		// Auto-detect: any browser. Falls through to paste on miss.
+		raw, source, err := readBrowserCookies("", true)
+		if err == nil && raw != "" {
+			cmdutil.Success("auto-detected x.com session in %s", source)
+			return raw, nil
 		}
-		raw := browsercookies.FormatCookieHeader(res.Cookies, cookieNamesWanted)
-		if raw == "" {
-			return "", fmt.Errorf("--from-browser %s: required cookies (auth_token, ct0) not found", authFromBrowser)
+		if err != nil {
+			cmdutil.Warn("auto-detect: %v", err)
 		}
-		cmdutil.Info("loaded %d x.com cookie(s) from %s (%s)",
-			countCookies(res.Cookies, cookieNamesWanted), res.Browser, res.Source)
-		return raw, nil
+		cmdutil.Info("falling back to interactive paste (use --from-browser to pin a specific browser)")
+		return promptCookiePaste()
+	}
+}
 
-	case authCookieFlag != "":
-		return strings.TrimSpace(authCookieFlag), nil
+// readBrowserCookies runs kooky against the named browser (or all
+// browsers when name == ""). On success returns the formatted cookie
+// header and a friendly source description. On no-cookies-found returns
+// an empty string and a non-nil error if `hardError` is false (caller
+// will treat as soft miss); when `hardError` is true the error is
+// surfaced verbatim.
+func readBrowserCookies(browser string, softMiss bool) (cookieHeader, source string, err error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
 
-	default:
-		return cmdutil.ReadSecret("Paste cookie header (auth_token=...; ct0=...): ")
+	res, err := browsercookies.Load(ctx, browser, "x.com")
+	if err != nil {
+		if softMiss {
+			return "", "", err
+		}
+		if browser != "" {
+			return "", "", fmt.Errorf("--from-browser %s: %w", browser, err)
+		}
+		return "", "", err
 	}
+
+	raw := browsercookies.FormatCookieHeader(res.Cookies, cookieNamesWanted)
+	if raw == "" {
+		miss := fmt.Errorf("required cookies (auth_token, ct0) not in %s store — are you logged in?", res.Browser)
+		if softMiss {
+			return "", "", miss
+		}
+		return "", "", miss
+	}
+	return raw, fmt.Sprintf("%s (%s)", res.Browser, res.Source), nil
+}
+
+func promptCookiePaste() (string, error) {
+	return cmdutil.ReadSecret("Paste cookie header (auth_token=...; ct0=...): ")
 }
 
 // countCookies returns how many of the wanted names are present in the
diff --git a/skills/x-cli/SKILL.md b/skills/x-cli/SKILL.md
@@ -14,7 +14,7 @@ description: >
 ```
 x
 ├── auth
-│   ├── import                            # --from-browser chrome|firefox|brave|edge | --cookie '...' | interactive paste
+│   ├── import                            # auto-detect any local browser (default); --from-browser, --paste, --cookie override
 │   ├── status                            # twid → UserByRestId self-lookup
 │   └── logout                            # remove stored session
 ├── doctor                                # endpoints, session, egress IP, ASN check
@@ -52,18 +52,13 @@ reports a cloud ASN for your egress IP, do not run `x grow` — your session
 normally logs in from residential and X will flag that asymmetry.
 
 ```bash
-# Easiest: auto-read from a local browser (Chrome must be closed on macOS)
-x auth import --from-browser chrome
-x auth import --from-browser firefox      # works while Firefox is running
-x auth import --from-browser brave
+x auth import        # auto-detect any local browser, fall through to paste on miss
+x doctor             # expect: endpoints ok, session ok, egress not-cloud
 
-# Or: paste the cookie header manually
-x auth import           # prompts; paste: auth_token=...; ct0=...; twid=u%3D...
-
-# Or: scripted setups
+# Override only if you need to pin or script:
+x auth import --from-browser firefox
+x auth import --paste
 x auth import --cookie 'auth_token=...; ct0=...; twid=u%3D...'
-
-x doctor                # expect: endpoints ok, session ok, egress not-cloud
 ```
 
 ## Read-only scraping
diff --git a/skills/x-cli/references/auth.md b/skills/x-cli/references/auth.md
@@ -18,23 +18,20 @@ for sanity checks but not required for the request to succeed.
 
 ## Import flow
 
-Three modes, in order of how quickly you can get going:
-
-### 1. Auto from a local browser (recommended)
-
 ```
-x auth import --from-browser chrome     # must be closed on macOS
-x auth import --from-browser firefox    # works while running
-x auth import --from-browser brave
-x auth import --from-browser edge
-x auth import --from-browser chromium
+x auth import
 ```
 
-x-cli reads the browser's cookie SQLite store on disk and decrypts the
-encrypted values using the OS-specific Safe Storage key. This is exactly
-what Python's `browser_cookie3` / `rookiepy` libraries do, ported to Go
-via `github.com/browserutils/kooky`. You log in once in a real browser;
-x-cli uses the live session.
+That's the whole flow. `x auth import` auto-detects a logged-in x.com
+session in **any** local browser, reads the cookie SQLite store on
+disk, and decrypts the encrypted values using the OS-specific Safe
+Storage key. Same primitive Python's `browser_cookie3` / `rookiepy`
+expose, ported to Go via `github.com/browserutils/kooky`.
+
+Default behaviour: scan Chrome → Firefox → Brave → Edge → Chromium,
+take the first one that has an x.com session, save to keychain, done.
+If nothing is found (headless container, fresh machine, all browsers
+locked), x-cli silently drops to an interactive paste prompt.
 
 Per-OS notes:
 
@@ -43,27 +40,23 @@ Per-OS notes:
   for Chrome's Safe Storage lives in your keychain. **Chrome must be
   closed** because it holds an exclusive lock on the cookie file.
   Firefox is fine while running.
-- **Linux**: needs `libsecret` or `kwallet` running for Chrome family.
-  Falls back to a hardcoded "peanuts" salt on truly headless hosts.
-  Firefox needs no daemon.
+- **Linux**: needs `libsecret` or `kwallet` running for the Chrome
+  family. Falls back to a hardcoded `peanuts` salt on truly headless
+  hosts. Firefox needs no daemon.
 - **Windows**: uses DPAPI; works while the browser is running.
 
-### 2. Manual paste (works everywhere, including headless containers)
-
-1. Log into x.com in a real browser on a machine you normally use.
-2. DevTools → Application → Cookies → `https://x.com`
-3. Copy the values for `auth_token` and `ct0`.
-4. `x auth import`  → paste `auth_token=...; ct0=...; twid=u%3D...`
-5. `x auth status` should print `session ok — @yourhandle`.
+### Override modes
 
-### 3. Scripted (`--cookie`)
+Use these only when auto-detect is wrong for your case:
 
 ```
-x auth import --cookie 'auth_token=...; ct0=...; twid=u%3D...'
+x auth import --from-browser firefox      # pin a specific browser
+x auth import --paste                     # skip auto-detect, prompt
+x auth import --cookie 'auth_token=...'   # scripted bootstrap
 ```
 
-The cookie ends up in your shell history — prefer one of the other
-modes for normal use. Useful for CI bootstrap scripts.
+`--cookie` ends up in shell history — prefer `--from-browser` or the
+default for normal use.
 
 ### What happens after import
 
