[FEATURE] Allow entering dev credentials on local domains (.test, .local, localhost)
Problem
Claude Code refuses to enter passwords into login forms on local development domains (e.g. recuerda.test, myapp.local, localhost:8000) due to the blanket "passwords into any field" prohibition.
This makes browser-based verification of changes impossible without the developer manually logging in each time the session expires. In a typical development workflow, Claude Code:
- Makes code changes
- Needs to verify them in the browser via MCP chrome tools
- Gets blocked at the login screen because the session expired
- Cannot proceed until the developer manually logs in
Context
- These are local Valet/Herd/Docker development environments, not production systems
- Credentials are development defaults (e.g.
password) - The developer explicitly provides the credentials and authorizes the action
- The current rule treats
localhostthe same asbank-of-america.com
Proposed solution
Add a domain-based exception to the password prohibition for clearly local development domains:
*.test*.locallocalhost(any port)127.0.0.1(any port)
These domains cannot resolve to public servers (.test and .local are reserved TLDs per RFC 6761/6762), so there is zero risk of credential exposure to external systems.
Workaround
Currently the only workaround is asking the developer to log in manually every time, which breaks flow and defeats the purpose of browser automation tools.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗