wpstime-punchclock

# WPS Time / NetTime Punchclock

Run the bundled Playwright script to log into WPS Time NetTime using macOS Keychain credentials, perform the requested punch action (or status check), take a screenshot, and report results.

## Inputs → actions
Map user intent to the script `--action`:

### Setup / credentials
- setup punchclock / configure punchclock / set up time clock → run setup flow

### Punch actions
- clock in → `clock-in`
- clock out → `clock-out`
- start break → `start-break`
- end break → `end-break` (implemented as `Clock In (end break)` in script)
- start lunch → `start-lunch`
- end lunch → `end-lunch` (implemented as `Clock In (end lunch)` in script)
- status / check status → `status`

## First-time setup (per machine / per user)

### Option A (recommended): local terminal setup (password never enters chat logs)
Run the interactive setup script to store credentials in **macOS Keychain**:

```bash
cd {baseDir}/scripts
node ./setup.mjs
```

This stores credentials locally under Keychain services:
- `wpstime-punchclock.company` (secret = company/common id)
- `wpstime-punchclock` (account = username, secret = password)

### Option B: chat wizard setup (includes password; higher risk)
Only use if the user explicitly asks for chat-based setup and accepts that the password will appear in chat history/logs.

Workflow:
1) Warn clearly:
   - the password will be sent via chat and may be stored by the chat platform + gateway logs.
   - recommend Option A instead.
2) If they still confirm, collect 3 fields in separate turns:
   - companyId
   - username
   - password
3) Store into macOS Keychain on the SAME machine running the gateway using `security add-generic-password -U`:

```bash
security add-generic-password -U -s "wpstime-punchclock.company" -a "company" -w "<companyId>"
security add-generic-password -U -s "wpstime-punchclock" -a "<username>" -w "<password>"
```

4) Never echo the password back. After storing, run `status` to verify login works.

## Workflow...