
feat(login): log in by pasting browser-exported cookies (--cookies) #31

Open
SipengXie2024 wants to merge 1 commit into jackwener:main from SipengXie2024:feat/login-paste-cookies


@SipengXie2024


Problem

On a headless server (or any machine where the browser lives elsewhere), there's no practical way to get cookies into boss-cli:

  • Browser auto-extract needs a local browser on the same machine — none on a server.
  • QR login (--qrcode) is unreliable: the terminal half-block QR is often unscannable, and even when it scans, the App opens the encoded qrcode/scan?uuid=… URL as a plain webpage (shows {"msg":"timeout"}) instead of treating it as a login intent, so it never completes. The real web login QR is generated by a lazy-loaded chunk and uses a different, App-recognized format.
  • BOSS_COOKIES is the only manual path, but it only accepts a k=v; k=v string — awkward to assemble by hand, and it silently drops anything that isn't that exact shape.

Meanwhile the browser on your own laptop logs in fine. The missing piece is a clean way to carry those cookies over.

What this adds

A first-class --cookies option on boss login that accepts cookies pasted straight from a browser export:

boss login --cookies -            # paste via stdin, then Ctrl-D
boss login --cookies              # opens $EDITOR to paste into
boss login --cookies dump.json    # read from a file
boss login --cookies '<blob>'     # inline value

It accepts three formats so users can paste whatever their browser hands them:

  • Cookie-Editor / EditThisCookie JSON export: {"url":…, "cookies":[{"name","value"},…]} or a bare [{…}] array
  • a plain {"name": "value"} JSON object
  • a "key1=val1; key2=val2" Cookie header string

Parsing is factored into auth.parse_cookie_blob / credential_from_cookie_blob and reused by load_from_env, so BOSS_COOKIES now accepts JSON exports too (previously string-only). The command validates required cookies — naming the missing HttpOnly ones (__zp_stoken__, zp_at) so users know document.cookie won't cut it — and verifies against the live API before reporting success.

The Cookie-Editor route also sidesteps sites that block DevTools: the extension reads HttpOnly cookies via the browser cookie API, no F12 needed.

Tests

  • parse_cookie_blob across all formats (Cookie-Editor export, bare array, plain object, header string, =-in-value, empty/malformed)
  • load_from_env with a JSON export
  • CLI flows for --cookies: success, stdin, missing-required-cookie, unparseable, and verify-failure-clears-credential

pytest -m "not smoke" → 124 passed. ruff check clean. Verified end to end against the live API with a real Cookie-Editor export on a headless box.

Docs

README updated: quickstart examples (EN + 中文), an Authentication "Headless / remote servers" section, and a troubleshooting entry.

Headless servers (and machines where the site blocks DevTools/QR login)
have no way to feed cookies to boss-cli except the BOSS_COOKIES env var,
which only accepts a 'k=v; k=v' string. Add a first-class --cookies option
to 'boss login' that accepts a Cookie-Editor/EditThisCookie JSON export, a
plain {name: value} object, or a Cookie header string — from an inline
value, a file, stdin ('-'), or $EDITOR (no value).

Parsing is factored into auth.parse_cookie_blob / credential_from_cookie_blob
and reused by load_from_env, so BOSS_COOKIES now accepts JSON exports too.
The command validates required cookies (clear error naming the missing
HttpOnly ones) and verifies against the live API before saving.

Tests: parse_cookie_blob across all formats, JSON-export env loading, and
CLI flows (success, stdin, missing-cookie, unparseable, verify-failure).
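
The three accepted formats and the required-cookie check described in this PR, as an added example that is not the PR's or boss-cli's own code: `parse_pasted_cookies`, `missing_required` and `REQUIRED_COOKIES` are hypothetical names, and the required set is assumed to be only the two HttpOnly cookies the description mentions. The check returns cookie names only, so session values never reach error output or logs.

```python
import json

# Assumption: only the two HttpOnly cookie names the PR description mentions;
# the project's real required set may be larger.
REQUIRED_COOKIES = ("__zp_stoken__", "zp_at")

# Constructed sample in the Cookie-Editor export shape (values are fake).
SAMPLE_EXPORT = (
    '{"url": "https://example.invalid", "cookies": ['
    '{"name": "zp_at", "value": "A==", "httpOnly": true},'
    '{"name": "__zp_stoken__", "value": "B", "httpOnly": true}]}'
)


def parse_pasted_cookies(blob: str) -> dict[str, str]:
    """Parse a Cookie-Editor export, a {name: value} object, or a Cookie header."""
    text = blob.strip()
    if not text:
        return {}
    if text[0] in "[{":
        try:
            data = json.loads(text)
        except json.JSONDecodeError:
            return {}  # malformed JSON is rejected, not half-parsed
        if isinstance(data, dict) and isinstance(data.get("cookies"), list):
            data = data["cookies"]  # unwrap {"url": ..., "cookies": [...]}
        if isinstance(data, list):
            return {
                c["name"]: c["value"]
                for c in data
                if isinstance(c, dict)
                and isinstance(c.get("name"), str)
                and isinstance(c.get("value"), str)
            }
        if isinstance(data, dict):
            return {k: v for k, v in data.items() if isinstance(v, str)}
        return {}
    cookies = {}
    for part in text.split(";"):
        # Split on the first '=' only, so '=' inside a value survives.
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value.strip()
    return cookies


def missing_required(cookies: dict[str, str]) -> list[str]:
    """Names of required cookies that are absent or empty; values are never echoed."""
    return [name for name in REQUIRED_COOKIES if not cookies.get(name)]
```
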