## What

Auto-refresh the Curogram MCP session cookie with **no manual intervention**, for the MFA-gated `agent@` service account.

The account is MFA-gated, so unattended programmatic re-login can't complete OTP. The working session is a `CurogramPracticeToken` cookie harvested from a live, human-logged-in agent Chrome (CDP on :9223). This PR makes the server self-heal that session.

## Changes

- `cdp-harvest.ts` — native-TS CDP cookie harvester (GET /json → find curogram tab → `Network.getAllCookies` → filter by domain). Re-implements the python reference (`.claude/skills/curogram/scripts/cdp_cookies.py`) so the server needs no python/websocket dep. Distinguishes `cdp_unreachable` / `no_curogram_tab` / `logged_out` via `HarvestError.kind`.
- `session-store.ts` — atomic 0600 persist of `CUROGRAM_COOKIE` / `CUROGRAM_XSRF_TOKEN` back to the env file (other lines preserved verbatim). Never logs values.
- `curogram-auth.ts` — on a 401, re-harvest from the live agent Chrome, swap the in-memory session, persist, retry once. Wired via new `reharvest` + `persist` callbacks in `authFromEnv()`. With reharvest configured a 401 self-heals instead of failing fast.
- `refresh-session.ts` — standalone periodic refresher: decodes the JWT `exp` and re-harvests **before** expiry (idempotent no-op while comfortably valid).
- `supervisors/run-curogram-refresh.sh` — sidecar that runs the refresher on a loop (5-min poll, 15-min skew). Logs `human re-login needed` on a logged-out Chrome and keeps polling so it self-heals.
- `curogram-auth.test.ts` — covers: 401 → reharvest → retry + persist; logged-out → actionable error; static-cookie-no-reharvest → fail-fast.
- `README.md` — design + the hard limitation, env knobs, and the DOB-search answer.
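The two pure decisions behind the `refresh-session.ts` and `session-store.ts` bullets above, as an added illustration that is not the PR's own code: read `exp` from the JWT-shaped cookie to decide whether a re-harvest is due within the skew window, and rewrite only the two secret lines of an env file while leaving every other line verbatim. Assumes a Bun or Node runtime (for `Buffer`); the token-building helper and env content are constructed samples, not real Curogram values.

```typescript
type EnvUpdates = Record<string, string>;

// Decode the `exp` claim from a JWT-shaped token WITHOUT verifying the signature.
// That is acceptable here only because the value schedules a re-harvest; it is
// never used to decide whether the session is trusted (the upstream server does that).
export function jwtExpSeconds(token: string): number | undefined {
  const parts = token.split(".");
  if (parts.length !== 3) return undefined;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return typeof payload.exp === "number" ? payload.exp : undefined;
  } catch {
    return undefined; // malformed base64url or JSON
  }
}

// True when the cookie is within `skewSeconds` of expiry (or already expired).
// An unreadable token is also treated as stale, so the refresher fails toward
// re-harvesting rather than toward silently running on an unknown session.
export function needsRefresh(token: string, nowSeconds: number, skewSeconds: number): boolean {
  const exp = jwtExpSeconds(token);
  if (exp === undefined) return true;
  return exp - skewSeconds <= nowSeconds;
}

// Replace only the KEY=VALUE lines named in `updates`; comments, blank lines and
// unrelated keys are preserved byte-for-byte, and missing keys are appended.
// Returns the new content; the caller writes it to a 0600 temp file and renames
// it over the original so a crash never leaves a half-written env file.
export function upsertEnv(content: string, updates: EnvUpdates): string {
  const pending = new Map(Object.entries(updates));
  const out = content.split("\n").map((line) => {
    const m = /^([A-Za-z_][A-Za-z0-9_]*)=/.exec(line);
    if (!m || !pending.has(m[1])) return line;
    const value = pending.get(m[1])!;
    pending.delete(m[1]);
    return `${m[1]}=${value}`;
  });
  if (out.length > 0 && out[out.length - 1] === "") out.pop(); // keep single trailing newline
  for (const [k, v] of pending) out.push(`${k}=${v}`);
  return out.join("\n") + "\n";
}

// Constructed sample: a JWT-shaped, unsigned token for local testing only.
export function sampleToken(exp: number): string {
  const b64 = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64({ sub: "agent", exp })}.`;
}
```

Neither function logs or prints the token or the env values, which is the property the PR's persist path relies on.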

## ⚠️ Limitation

Auto-refresh depends on the **agent Chrome staying logged into Curogram**. If that Chrome dies / its CDP port is unreachable / it's logged out, harvest can't recover — the code surfaces a distinct actionable error and the sidecar warns a human must re-login at app.curogram.com. It self-heals once a human re-logs in.

## Tests

- `bun build tools/curogram-mcp/server.ts` — clean (307 modules).
- `bun test tools/curogram-mcp/curogram-auth.test.ts` — 3/3 pass.
- `bun test tools/mcp-config/render.test.ts` — 12/12 pass.
- Live: `bun refresh-session.ts --force` harvested + persisted a fresh cookie from the real agent Chrome (env file remained 0600). No cookie values logged.

## Safety

Secrets only in the 0600 env file; never logged, never committed. No patient messages sent.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
