docs(agents): how to drive agent-browser through the auth wall

[buremba]

Summary

Adds a "Browser-driven verification (authenticated)" runbook to AGENTS.md after burning a couple of hours during PR #485 reproducing this end-to-end.

Covers:

• Targets. Local dev backend (Tailscale: `https://buraks-macbook-pro-1.brill-kanyu.ts.net:8443\`) vs prod (`https://app.lobu.ai\`).
• Secret sourcing. `.env` for local; `kubectl exec ... -- printenv BETTER_AUTH_SECRET` for prod.
• Session token. SQL `SELECT FROM session`.
• Cookie signing. HMAC-SHA256 + base64 + URL-encode. (base64url does not validate — that was the trap.)
• Cookie name rule. `__Secure-better-auth.session_token` whenever baseURL is `https://`.
• agent-browser flow. `open` → `eval` set cookie → navigate → `wait --text` → `snapshot -i` → `click @ref` → `screenshot`.
• Footgun. Don't `git switch` while a dev server is running — sibling worktrees can hide files the import graph still references.

Test plan

• Doc-only change. Verified the recipe end-to-end on prod against `/buremba/watchers/218` to validate PR fix(list_watchers): cap pending-content total at 1000 rows #488 — Edit sheet rendered with prefilled prompt + schema fields.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!