refactor(cses): store API token in cookies, not git credential

Problem: the CSES API token was packed into the git credential
password field using a tab separator. This leaked session state
into the credential layer and broke with helpers that don't
differentiate by path (e.g. `cache`).

Solution: store the CSES token via `save_platform_cookies`/
`load_platform_cookies`, the same mechanism every other platform
uses for session state. Remove all token logic from
`git_credential.lua`. Git credential now stores only
`{username, password}` uniformly for all platforms.

lua/cp/git_credential.lua

@@ -1,7 +1,6 @@
 ---@class cp.Credentials
 ---@field username string
 ---@field password string
----@field token? string
 
 local M = {}
 
@@ -57,32 +56,6 @@ local function _parse_output(stdout)
   return result
 end
 
-local CSES_TOKEN_SEP = '\t'
-
----@param platform string
----@param password string
----@return string, string?
-local function _decode_password(platform, password)
-  if platform ~= 'cses' then
-    return password, nil
-  end
-  local pw, token = password:match('^(.-)' .. CSES_TOKEN_SEP .. '(.+)$')
-  if pw then
-    return pw, token
-  end
-  return password, nil
-end
-
----@param password string
----@param token? string
----@return string
-local function _encode_password(password, token)
-  if token then
-    return password .. CSES_TOKEN_SEP .. token
-  end
-  return password
-end
-
 ---@param platform string
 ---@return cp.Credentials?
 function M.get(platform)
@@ -104,13 +77,7 @@ function M.get(platform)
     return nil
   end
 
-  local password, token = _decode_password(platform, parsed.password)
+  return { username = parsed.username, password = parsed.password }
-  local creds = { username = parsed.username, password = password }
-  if token then
-    creds.token = token
-  end
-
-  return creds
 end
 
 ---@param platform string
@@ -121,8 +88,7 @@ function M.store(platform, creds)
     return
   end
 
-  local stored_password = _encode_password(creds.password, creds.token)
+  local input = _build_input(host, { username = creds.username, password = creds.password })
-  local input = _build_input(host, { username = creds.username, password = stored_password })
   vim.system({ 'git', 'credential', 'approve' }, { stdin = input, text = true }):wait()
 end
 
@@ -134,8 +100,7 @@ function M.reject(platform, creds)
     return
   end
 
-  local stored_password = _encode_password(creds.password, creds.token)
+  local input = _build_input(host, { username = creds.username, password = creds.password })
-  local input = _build_input(host, { username = creds.username, password = stored_password })
   vim.system({ 'git', 'credential', 'reject' }, { stdin = input, text = true }):wait()
 end
 

scrapers/cses.py

@@ -8,7 +8,7 @@ from typing import Any
 
 import httpx
 
-from .base import BaseScraper, extract_precision
+from .base import BaseScraper, extract_precision, load_platform_cookies, save_platform_cookies
 from .timeouts import HTTP_TIMEOUT
 from .models import (
     ContestListResult,
@@ -248,35 +248,20 @@ class CSESScraper(BaseScraper):
         if not username or not password:
             return self._login_error("Missing username or password")
 
-        token = credentials.get("token")
+        token = load_platform_cookies("cses")
         async with httpx.AsyncClient(follow_redirects=True) as client:
             if token:
                 print(json.dumps({"status": "checking_login"}), flush=True)
                 if await self._check_token(client, token):
-                    return LoginResult(
+                    return LoginResult(success=True, error="")
-                        success=True,
-                        error="",
-                        credentials={
-                            "username": username,
-                            "password": password,
-                            "token": token,
-                        },
-                    )
 
             print(json.dumps({"status": "logging_in"}), flush=True)
             token = await self._web_login(client, username, password)
             if not token:
                 return self._login_error("bad_credentials")
 
-            return LoginResult(
+            save_platform_cookies("cses", token)
-                success=True,
+            return LoginResult(success=True, error="")
-                error="",
-                credentials={
-                    "username": username,
-                    "password": password,
-                    "token": token,
-                },
-            )
 
     async def stream_tests_for_category_async(self, category_id: str) -> None:
         async with httpx.AsyncClient(
@@ -423,7 +408,7 @@ class CSESScraper(BaseScraper):
             return self._submit_error("Missing credentials. Use :CP login cses")
 
         async with httpx.AsyncClient(follow_redirects=True) as client:
-            token = credentials.get("token")
+            token = load_platform_cookies("cses")
 
             if token:
                 print(json.dumps({"status": "checking_login"}), flush=True)
@@ -435,18 +420,7 @@ class CSESScraper(BaseScraper):
                 token = await self._web_login(client, username, password)
                 if not token:
                     return self._submit_error("bad_credentials")
-                print(
+                save_platform_cookies("cses", token)
-                    json.dumps(
-                        {
-                            "credentials": {
-                                "username": username,
-                                "password": password,
-                                "token": token,
-                            }
-                        }
-                    ),
-                    flush=True,
-                )
 
             print(json.dumps({"status": "submitting"}), flush=True)