@chainlesschain/personal-data-hub 0.4.3 → 0.4.5

package/lib/adapters/social-douyin-adb/index.js

@@ -38,13 +38,30 @@ const {
   cleanupSnapshotJson,
   SNAPSHOT_SCHEMA_VERSION,
 } = require("./snapshot-builder");
-const { collect, collectAndSync } = require("./collector");
+const {
+  collect,
+  collectAndSync,
+  collectWatchHistory,
+  collectWatchHistoryAndSync,
+} = require("./collector");
+const {
+  createDouyinWatchExtension,
+  VIDEO_RECORD_DB_REMOTE_PATH,
+} = require("./watch-history-reader");
+const { AwemeDetailClient } = require("./aweme-detail-client");
 
 module.exports = {
   // Extension factory (wiring registers this on the bridge)
   createDouyinDbExtension,
   DOUYIN_DB_REMOTE_DIR,
   IM_DB_PATTERN,
+  // Watch-history (video_record.db) extension + path
+  createDouyinWatchExtension,
+  VIDEO_RECORD_DB_REMOTE_PATH,
+  collectWatchHistory,
+  collectWatchHistoryAndSync,
+  // Aweme title resolver (web detail endpoint, no signing)
+  AwemeDetailClient,
   // Parser + builder (also exposed for advanced callers / tests)
   parseImDb,
   buildSnapshot,

package/lib/adapters/social-douyin-adb/watch-history-reader.js

@@ -0,0 +1,188 @@
+/**
+ * Douyin on-device watch-history reader — recovers the user's video view
+ * history from the app's local `video_record.db` (table `record_<uid>`), a
+ * plaintext SQLite DB.
+ *
+ * Why this exists (real-device 2026-06-11, device 5lhyaqu8lbwstc6x):
+ *   - Douyin's DM db is SQLCipher-encrypted (needs frida) and the web watch-
+ *     history endpoint needs X-Bogus signing — both heavy/fragile.
+ *   - But `/data/data/com.ss.android.ugc.aweme/databases/video_record.db`
+ *     stores `record_<uid> { aid, view_time_timestamp, enter_from, ... }` in
+ *     PLAINTEXT — 900 rows on the test device. This is "what/when the user
+ *     watched", the core family-guard signal, with zero signing/encryption.
+ *
+ * Emits snapshot `history` events ({kind, awemeId, capturedAt, enterFrom}) the
+ * social-douyin adapter already understands (KIND_HISTORY → BROWSE event), so
+ * normalize is reused. Title/author aren't local (would need a web lookup);
+ * the behavioral signal (which aweme, when, from which surface) is the value.
+ *
+ * Pull mirrors social-toutiao-adb/account-reader.pullAccountDbViaSu (su base64
+ * stream, MIUI-safe). DB read reuses the bilibili dual-load sqlite open.
+ */
+"use strict";
+
+const fs = require("node:fs");
+const os = require("node:os");
+const path = require("node:path");
+const crypto = require("node:crypto");
+
+const {
+  _internals: { loadDatabaseClass },
+} = require("../social-bilibili-adb/chromium-cookies-reader");
+
+const DOUYIN_PACKAGE = "com.ss.android.ugc.aweme";
+const VIDEO_RECORD_DB_REMOTE_PATH =
+  "/data/data/com.ss.android.ugc.aweme/databases/video_record.db";
+
+/** seconds-or-ms epoch → ms (heuristic: > 1e12 ⇒ already ms). */
+function toEpochMs(v) {
+  const n = Number(v);
+  if (!Number.isFinite(n) || n <= 0) return null;
+  return n > 1e12 ? Math.floor(n) : Math.floor(n * 1000);
+}
+
+async function pullVideoRecordDbViaSu(adb, serial, opts = {}) {
+  const adbOpts = { serial, timeoutMs: opts.timeoutMs || 60_000 };
+  const lsOut = await adb(
+    ["shell", "su", "-c", `ls ${VIDEO_RECORD_DB_REMOTE_PATH} 2>/dev/null || echo NOT_FOUND`],
+    adbOpts,
+  );
+  const lsLine = lsOut.replace(/\r+$/gm, "").trim();
+  if (lsLine === "NOT_FOUND" || lsLine === "") {
+    const pmOut = await adb(
+      ["shell", "su", "-c", `pm list packages ${DOUYIN_PACKAGE}`],
+      adbOpts,
+    );
+    const installed = pmOut.replace(/\r/g, "").includes(`package:${DOUYIN_PACKAGE}`);
+    throw new Error(
+      installed
+        ? "DOUYIN_VIDEO_RECORD_MISSING: 抖音已安装但无 video_record.db（未观看过视频？）— " +
+          VIDEO_RECORD_DB_REMOTE_PATH +
+          " 不存在。"
+        : "DOUYIN_NOT_INSTALLED: " + VIDEO_RECORD_DB_REMOTE_PATH + " not found and package not installed.",
+    );
+  }
+  const idOut = await adb(["shell", "su", "-c", "id -u"], adbOpts);
+  const idLine = idOut.replace(/\r+$/gm, "").trim();
+  if (idLine !== "0" && !idLine.includes("uid=0")) {
+    throw new Error(
+      "DOUYIN_NO_ROOT: su not uid 0 (`" + idLine.substring(0, 60) + "`); root required to read video_record.db.",
+    );
+  }
+  const b64 = await adb(
+    ["shell", "su", "-c", `base64 ${VIDEO_RECORD_DB_REMOTE_PATH} | tr -d '\\n\\r'`],
+    { ...adbOpts, timeoutMs: opts.timeoutMs || 60_000 },
+  );
+  const b64Clean = b64.replace(/[\r\n\t ]+/g, "");
+  if (b64Clean.length === 0) {
+    throw new Error("DOUYIN_VIDEO_RECORD_EMPTY: base64 stream returned 0 bytes (su may have silently failed on MIUI).");
+  }
+  const buf = Buffer.from(b64Clean, "base64");
+  if (buf.length < 1024 || !buf.subarray(0, 15).toString("latin1").startsWith("SQLite format 3")) {
+    throw new Error("DOUYIN_VIDEO_RECORD_NOT_SQLITE: decoded file lacks `SQLite format 3` magic (" + buf.length + " bytes).");
+  }
+  const tmpFile = path.join(os.tmpdir(), `cc-douyin-vrec-${crypto.randomUUID()}.db`);
+  fs.writeFileSync(tmpFile, buf);
+  return tmpFile;
+}
+
+/**
+ * Read watch records from video_record.db. Tables are named `record_<uid>`
+ * (per-account) plus an anonymous `record_0`. Picks the numeric-uid table with
+ * the most rows (the logged-in account); records carry aid + view timestamp +
+ * enter_from surface.
+ *
+ * @returns {{uid: string|null, records: Array<{awemeId,capturedAt,enterFrom}>}}
+ */
+function readDouyinWatchHistory(dbPath, opts = {}) {
+  const Database = opts._databaseClass || loadDatabaseClass();
+  const limit = Number.isInteger(opts.limit) && opts.limit > 0 ? opts.limit : 5000;
+  const db = new Database(dbPath, { readonly: true });
+  try {
+    const tables = db
+      .prepare("SELECT name FROM sqlite_master WHERE type='table' AND name LIKE 'record\\_%' ESCAPE '\\'")
+      .all()
+      .map((t) => t.name);
+    // Candidate uid tables: record_<digits>, uid != 0. Pick the largest.
+    let best = null;
+    for (const name of tables) {
+      const m = /^record_(\d+)$/.exec(name);
+      if (!m || m[1] === "0") continue;
+      let count = 0;
+      try {
+        count = db.prepare(`SELECT COUNT(*) c FROM "${name}"`).get().c;
+      } catch (_e) {
+        continue;
+      }
+      if (!best || count > best.count) best = { name, uid: m[1], count };
+    }
+    if (!best) return { uid: null, records: [] };
+    const cols = new Set(
+      db.prepare(`PRAGMA table_info("${best.name}")`).all().map((c) => c.name),
+    );
+    const hasEnter = cols.has("enter_from");
+    const hasTs = cols.has("view_time_timestamp");
+    const rows = db
+      .prepare(
+        `SELECT aid${hasTs ? ", view_time_timestamp" : ""}${hasEnter ? ", enter_from" : ""} ` +
+          `FROM "${best.name}"${hasTs ? " ORDER BY view_time_timestamp DESC" : ""} LIMIT ${limit}`,
+      )
+      .all();
+    const records = [];
+    for (const r of rows) {
+      const awemeId = r.aid != null ? String(r.aid) : null;
+      if (!awemeId) continue;
+      records.push({
+        awemeId,
+        capturedAt: hasTs ? toEpochMs(r.view_time_timestamp) : null,
+        enterFrom: hasEnter ? r.enter_from || null : null,
+      });
+    }
+    return { uid: best.uid, records };
+  } finally {
+    try {
+      db.close();
+    } catch (_e) {
+      /* best-effort */
+    }
+  }
+}
+
+/** Bridge handler factory: `bridge.invoke("douyin.watch-history")` → {uid, records}. */
+function createDouyinWatchExtension(factoryOpts = {}) {
+  const timeoutMs = factoryOpts.timeoutMs || 60_000;
+  const onCleanupFailed = factoryOpts.onCleanupFailed || (() => {});
+  return async function douyinWatchHandler(params, ctx) {
+    if (!ctx || typeof ctx.adb !== "function" || typeof ctx.pickDevice !== "function") {
+      throw new TypeError("douyin.watch-history extension: ctx must provide {adb, pickDevice}");
+    }
+    const serial = await ctx.pickDevice();
+    let tmpFile = null;
+    try {
+      tmpFile = await pullVideoRecordDbViaSu(ctx.adb, serial, { timeoutMs });
+      const result = readDouyinWatchHistory(tmpFile, {
+        limit: params && params.limit,
+      });
+      return { ...result, extractedAt: Date.now() };
+    } finally {
+      if (tmpFile) {
+        try {
+          fs.unlinkSync(tmpFile);
+        } catch (_e) {
+          onCleanupFailed(tmpFile);
+        }
+      }
+    }
+  };
+}
+
+module.exports = {
+  createDouyinWatchExtension,
+  VIDEO_RECORD_DB_REMOTE_PATH,
+  DOUYIN_PACKAGE,
+  _internals: {
+    pullVideoRecordDbViaSu,
+    readDouyinWatchHistory,
+    toEpochMs,
+  },
+};

package/lib/adapters/social-kuaishou/index.js

@@ -54,8 +54,13 @@ const KIND_PROFILE = "profile";
 const KIND_WATCH = "watch";
 const KIND_COLLECT = "collect";
 const KIND_SEARCH = "search";
-// v0.2.1 — KIND_PROFILE added (mirrors Douyin/Toutiao); v0.3 will add watch/
-// collect/search via NS_sig3. SNAPSHOT_SCHEMA_VERSION stays at 1 — additive.
+// v0.2.1 — KIND_PROFILE added (mirrors Douyin/Toutiao). The watch/collect/
+// search producers LANDED since (verified 2026-06-11): Android
+// KuaishouLocalCollector emits all 4 kinds via the NS_sig3 WebSignBridge
+// path, KuaishouRootDbExtractor emits watch/collect/search, and the PC ADB
+// KuaishouApiClient fetches them through its injected signProvider (signed
+// GraphQL). This adapter normalizes whatever the snapshot carries.
+// SNAPSHOT_SCHEMA_VERSION stays at 1 — additive.
 const VALID_SNAPSHOT_KINDS = Object.freeze([
   KIND_PROFILE,
   KIND_WATCH,

package/lib/adapters/social-kuaishou-adb/api-client.js

@@ -119,23 +119,19 @@ class KuaishouApiClient {
       );
       return null;
     }
-    let decoded;
-    try {
-      decoded = decodeURIComponent(cpMatch[1]);
-    } catch {
-      decoded = cpMatch[1];
-    }
-    const trimmed = decoded.trimStart();
-    if (!trimmed.startsWith("{")) {
+    const jsonText = apiPhDecodeCandidates(cpMatch[1]).find((c) =>
+      c.trimStart().startsWith("{"),
+    );
+    if (!jsonText) {
       this._setLastError(
         -9,
-        "kuaishou.web.cp.api_ph 解码后非 JSON (likely base64 — v0.3 加 fallback)",
+        "kuaishou.web.cp.api_ph 解码后非 JSON (urlencoded + base64 fallback 均失败)",
       );
       return null;
     }
     let obj;
     try {
-      obj = JSON.parse(decoded);
+      obj = JSON.parse(jsonText);
     } catch (e) {
       this._setLastError(-3, "parse: " + (e.message || String(e)));
       return null;
@@ -359,20 +355,43 @@ function extractPhotoList(feeds, limit, build) {
   return out;
 }
 
-function extractEmbeddedUid(cpRaw) {
+/**
+ * api_ph payload decode chain (v0.3): newer Kuaishou builds write the
+ * `kuaishou.web.cp.api_ph` cookie as base64(JSON) instead of urlencoded
+ * JSON. Yields the URI-decoded string first; when that doesn't look like
+ * JSON but matches the base64 charset (std or url-safe), also yields the
+ * base64-decoded form — gated on the result starting with `{` so lenient
+ * Buffer decoding of arbitrary text can't surface garbage.
+ */
+function apiPhDecodeCandidates(cpRaw) {
   let decoded;
   try {
     decoded = decodeURIComponent(cpRaw);
   } catch {
     decoded = cpRaw;
   }
-  for (const pat of [
-    /"?user_id"?\s*:\s*"?(\d+)"?/,
-    /"?uid"?\s*:\s*"?(\d+)"?/,
-    /"?userId"?\s*:\s*"?(\d+)"?/,
-  ]) {
-    const m = pat.exec(decoded);
-    if (m && m[1] && m[1] !== "0") return m[1];
+  const out = [decoded];
+  const trimmed = decoded.trim();
+  if (!trimmed.startsWith("{") && /^[A-Za-z0-9+/\-_]+={0,2}$/.test(trimmed)) {
+    const b64 = Buffer.from(
+      trimmed.replace(/-/g, "+").replace(/_/g, "/"),
+      "base64",
+    ).toString("utf-8");
+    if (b64.trimStart().startsWith("{")) out.push(b64);
+  }
+  return out;
+}
+
+function extractEmbeddedUid(cpRaw) {
+  for (const decoded of apiPhDecodeCandidates(cpRaw)) {
+    for (const pat of [
+      /"?user_id"?\s*:\s*"?(\d+)"?/,
+      /"?uid"?\s*:\s*"?(\d+)"?/,
+      /"?userId"?\s*:\s*"?(\d+)"?/,
+    ]) {
+      const m = pat.exec(decoded);
+      if (m && m[1] && m[1] !== "0") return m[1];
+    }
   }
   return null;
 }
@@ -393,5 +412,6 @@ module.exports = {
     normalizeMs,
     extractPhotoList,
     extractEmbeddedUid,
+    apiPhDecodeCandidates,
   },
 };

package/lib/adapters/social-kuaishou-adb/cookies-extension.js

@@ -34,6 +34,9 @@ const crypto = require("node:crypto");
 const {
   readChromiumCookies,
 } = require("../social-bilibili-adb/chromium-cookies-reader");
+const {
+  _internals: { apiPhDecodeCandidates },
+} = require("./api-client");
 
 const KUAISHOU_COOKIES_REMOTE_PATH =
   "/data/data/com.smile.gifmaker/app_webview/Default/Cookies";
@@ -137,22 +140,20 @@ function pickUidFromCookieMap(byName) {
   }
   const cpRaw = byName.get("kuaishou.web.cp.api_ph")?.value;
   if (cpRaw) {
-    let decoded;
-    try {
-      decoded = decodeURIComponent(cpRaw);
-    } catch {
-      decoded = cpRaw;
-    }
     // Try nested user_id / uid / userId regex (don't require strict JSON
-    // — api_ph format isn't documented and varies)
-    for (const pat of [
-      /"?user_id"?\s*:\s*"?(\d+)"?/,
-      /"?uid"?\s*:\s*"?(\d+)"?/,
-      /"?userId"?\s*:\s*"?(\d+)"?/,
-    ]) {
-      const m = pat.exec(decoded);
-      if (m && m[1] && m[1] !== "0") {
-        return m[1];
+    // — api_ph format isn't documented and varies). v0.3: candidates
+    // include the base64-decoded form for newer Kuaishou builds that
+    // write api_ph as base64(JSON).
+    for (const decoded of apiPhDecodeCandidates(cpRaw)) {
+      for (const pat of [
+        /"?user_id"?\s*:\s*"?(\d+)"?/,
+        /"?uid"?\s*:\s*"?(\d+)"?/,
+        /"?userId"?\s*:\s*"?(\d+)"?/,
+      ]) {
+        const m = pat.exec(decoded);
+        if (m && m[1] && m[1] !== "0") {
+          return m[1];
+        }
       }
     }
   }

package/lib/adapters/social-toutiao/index.js

@@ -57,10 +57,14 @@ const KIND_PROFILE = "profile";
 const KIND_READ = "read";
 const KIND_COLLECTION = "collection";
 const KIND_SEARCH = "search";
-// v0.2.1 — KIND_PROFILE added (mirrors Douyin); v0.3 will add read/collection
-// /search once _signature path is wired. SNAPSHOT_SCHEMA_VERSION stays at 1:
-// old (events-only) snapshots remain compatible; new profile events are an
-// additive extension.
+// v0.2.1 — KIND_PROFILE added (mirrors Douyin). The read/collection/search
+// producers LANDED since (verified 2026-06-11): Android ToutiaoLocalCollector
+// emits all 4 kinds via the _signature WebSignBridge path, ToutiaoRootDbExtractor
+// emits read/collection/search, and the PC ADB ToutiaoApiClient fetches
+// feed/collection/search through its injected signProvider. This adapter
+// normalizes whatever the snapshot carries. SNAPSHOT_SCHEMA_VERSION stays
+// at 1: old (events-only) snapshots remain compatible; profile events are
+// an additive extension.
 const VALID_SNAPSHOT_KINDS = Object.freeze([
   KIND_PROFILE,
   KIND_READ,

package/lib/adapters/social-toutiao-adb/account-reader.js

@@ -0,0 +1,179 @@
+/**
+ * Toutiao on-device account reader — recovers the numeric uid + nickname from
+ * the app's local `account_db` (table `login_info`), a plaintext SQLite DB.
+ *
+ * Why this exists (real-device 2026-06-11, device 5lhyaqu8lbwstc6x):
+ *   - The web profile endpoint `passport/account/info/v2` returns error_code 16
+ *     "该应用无权限" even when fully logged in — so it can't supply the uid.
+ *   - The www.toutiao.com WebView cookie jar carries NO numeric uid cookie
+ *     (only hashed `uid_tt`/`sid_tt`; no passport_uid/multi_sids/__ac_uid).
+ *   - But `/data/data/com.ss.android.article.news/databases/account_db` stores
+ *     `login_info { uid, screen_name, sec_uid, ... }` in PLAINTEXT sqlite.
+ * Reading it gives the uid that the signed collection/search endpoints need,
+ * with no permission/signature/cookie-drift fragility.
+ *
+ * Pull mechanism mirrors cookies-extension.pullCookiesViaSu (su base64 stream,
+ * MIUI-safe). DB read reuses the bilibili chromium-cookies-reader dual-load
+ * (bs3mc ABI 140 under Electron / better-sqlite3 under Node test).
+ */
+"use strict";
+
+const fs = require("node:fs");
+const os = require("node:os");
+const path = require("node:path");
+const crypto = require("node:crypto");
+
+const {
+  _internals: { loadDatabaseClass },
+} = require("../social-bilibili-adb/chromium-cookies-reader");
+
+const TOUTIAO_PACKAGE = "com.ss.android.article.news";
+const ACCOUNT_DB_REMOTE_PATH =
+  "/data/data/com.ss.android.article.news/databases/account_db";
+
+/**
+ * Pull the account_db sqlite via `su base64` into a host tmp file.
+ * @param {(args: string[], opts?: object) => Promise<string>} adb
+ * @param {string} serial
+ * @param {{timeoutMs?: number}} [opts]
+ * @returns {Promise<string>} tmp file path (caller deletes)
+ */
+async function pullAccountDbViaSu(adb, serial, opts = {}) {
+  const adbOpts = { serial, timeoutMs: opts.timeoutMs || 60_000 };
+  const lsOut = await adb(
+    ["shell", "su", "-c", `ls ${ACCOUNT_DB_REMOTE_PATH} 2>/dev/null || echo NOT_FOUND`],
+    adbOpts,
+  );
+  const lsLine = lsOut.replace(/\r+$/gm, "").trim();
+  if (lsLine === "NOT_FOUND" || lsLine === "") {
+    const pmOut = await adb(
+      ["shell", "su", "-c", `pm list packages ${TOUTIAO_PACKAGE}`],
+      adbOpts,
+    );
+    const installed = pmOut.replace(/\r/g, "").includes(`package:${TOUTIAO_PACKAGE}`);
+    throw new Error(
+      installed
+        ? "TOUTIAO_ACCOUNT_DB_MISSING: 今日头条已安装但无 account_db（未登录账号？）— " +
+          ACCOUNT_DB_REMOTE_PATH +
+          " 不存在。"
+        : "TOUTIAO_NOT_INSTALLED: " +
+          ACCOUNT_DB_REMOTE_PATH +
+          " not found and package not installed.",
+    );
+  }
+  const idOut = await adb(["shell", "su", "-c", "id -u"], adbOpts);
+  const idLine = idOut.replace(/\r+$/gm, "").trim();
+  if (idLine !== "0" && !idLine.includes("uid=0")) {
+    throw new Error(
+      "TOUTIAO_NO_ROOT: su not uid 0 (`" + idLine.substring(0, 60) + "`); root required to read account_db.",
+    );
+  }
+  const b64 = await adb(
+    ["shell", "su", "-c", `base64 ${ACCOUNT_DB_REMOTE_PATH} | tr -d '\\n\\r'`],
+    { ...adbOpts, timeoutMs: opts.timeoutMs || 60_000 },
+  );
+  const b64Clean = b64.replace(/[\r\n\t ]+/g, "");
+  if (b64Clean.length === 0) {
+    throw new Error("TOUTIAO_ACCOUNT_DB_EMPTY: base64 stream returned 0 bytes (su may have silently failed on MIUI).");
+  }
+  const buf = Buffer.from(b64Clean, "base64");
+  if (buf.length < 1024 || !buf.subarray(0, 15).toString("latin1").startsWith("SQLite format 3")) {
+    throw new Error("TOUTIAO_ACCOUNT_DB_NOT_SQLITE: decoded file lacks `SQLite format 3` magic (" + buf.length + " bytes).");
+  }
+  const tmpFile = path.join(os.tmpdir(), `cc-toutiao-account-${crypto.randomUUID()}.db`);
+  fs.writeFileSync(tmpFile, buf);
+  return tmpFile;
+}
+
+/**
+ * Read the best login_info row from a pulled account_db.
+ * @param {string} dbPath
+ * @param {{_databaseClass?: any}} [opts]
+ * @returns {{uid: string, nickname: string|null, secUid: string|null}|null}
+ */
+function readToutiaoAccount(dbPath, opts = {}) {
+  const Database = opts._databaseClass || loadDatabaseClass();
+  const db = new Database(dbPath, { readonly: true });
+  try {
+    let info;
+    try {
+      info = db.prepare("PRAGMA table_info(login_info)").all();
+    } catch (_e) {
+      return null;
+    }
+    if (!Array.isArray(info) || info.length === 0) return null;
+    const cols = new Set(info.map((c) => c.name));
+    if (!cols.has("uid")) return null;
+    const hasTime = cols.has("time");
+    // Prefer the most-recently-written numeric-uid row (multi-account safe).
+    const rows = db
+      .prepare(
+        `SELECT * FROM login_info${hasTime ? " ORDER BY time DESC" : ""}`,
+      )
+      .all();
+    for (const r of rows) {
+      const uid = r.uid != null ? String(r.uid) : "";
+      if (/^\d+$/.test(uid) && uid !== "0") {
+        return {
+          uid,
+          nickname:
+            (r.screen_name && String(r.screen_name)) ||
+            (r.platform_screen_name && String(r.platform_screen_name)) ||
+            null,
+          secUid: r.sec_uid ? String(r.sec_uid) : null,
+        };
+      }
+    }
+    return null;
+  } finally {
+    try {
+      db.close();
+    } catch (_e) {
+      /* best-effort */
+    }
+  }
+}
+
+/**
+ * Bridge handler factory: `bridge.invoke("toutiao.account")` → account or
+ * throws. Mirrors createToutiaoCookiesExtension's ctx contract.
+ */
+function createToutiaoAccountExtension(factoryOpts = {}) {
+  const timeoutMs = factoryOpts.timeoutMs || 60_000;
+  const onCleanupFailed = factoryOpts.onCleanupFailed || (() => {});
+  return async function toutiaoAccountHandler(_params, ctx) {
+    if (!ctx || typeof ctx.adb !== "function" || typeof ctx.pickDevice !== "function") {
+      throw new TypeError("toutiao.account extension: ctx must provide {adb, pickDevice}");
+    }
+    const serial = await ctx.pickDevice();
+    let tmpFile = null;
+    try {
+      tmpFile = await pullAccountDbViaSu(ctx.adb, serial, { timeoutMs });
+      const account = readToutiaoAccount(tmpFile);
+      if (!account) {
+        throw new Error(
+          "TOUTIAO_ACCOUNT_DB_NO_UID: login_info has no numeric-uid row (logged out?).",
+        );
+      }
+      return { ...account, extractedAt: Date.now() };
+    } finally {
+      if (tmpFile) {
+        try {
+          fs.unlinkSync(tmpFile);
+        } catch (_e) {
+          onCleanupFailed(tmpFile);
+        }
+      }
+    }
+  };
+}
+
+module.exports = {
+  createToutiaoAccountExtension,
+  ACCOUNT_DB_REMOTE_PATH,
+  TOUTIAO_PACKAGE,
+  _internals: {
+    pullAccountDbViaSu,
+    readToutiaoAccount,
+  },
+};

package/lib/adapters/social-toutiao-adb/api-client.js

@@ -154,6 +154,17 @@ class ToutiaoApiClient {
         this._setLastError(-3, "parse: " + (e.message || String(e)));
         return null;
       }
+      // Toutiao web endpoints signal failure via `err_no != 0` + `message`
+      // while still returning HTTP 200 and an empty `data:[]` — without this
+      // check that error is silently masked as "0 results" (real-device
+      // 2026-06-11: tab_comments → {err_no:1,"message":"params illegal"}).
+      if (typeof obj.err_no === "number" && obj.err_no !== 0) {
+        this._setLastError(
+          obj.err_no,
+          String(obj.message || obj.err_tips || `err_no=${obj.err_no}`),
+        );
+        return null;
+      }
       this._clearLastError();
       return obj;
     } catch (e) {
@@ -180,27 +191,40 @@ class ToutiaoApiClient {
     url.searchParams.set("aid", AID_TOUTIAO_WEB);
     const obj = await this._doGetJson(url, cookie, false, "profile");
     if (!obj) return null;
+    // Two envelope shapes seen in the wild (real-device 2026-06-11):
+    //   legacy:      { status_code: 0, data: {...} }
+    //   passport v2: { message: "success", data: {...} }
+    //                { message: "error", data: { error_code, description } }
+    // The old code only understood status_code and mis-reported the v2
+    // envelope as "missing status_code" — masking the real error (e.g.
+    // error_code 16 "该应用无权限"). Parse both, surface the specific error.
     const statusCode =
       typeof obj.status_code === "number" ? obj.status_code : null;
-    if (statusCode == null) {
-      this._setLastError(
-        -5,
-        `passport/info/v2 missing status_code (keys=[${Object.keys(obj).join(",")}])`,
-      );
-      return null;
-    }
-    if (statusCode !== 0) {
-      const msg =
-        obj.status_msg ||
-        obj.message ||
-        obj.error_description ||
-        `status_code=${statusCode}`;
-      this._setLastError(statusCode, String(msg));
+    const message = typeof obj.message === "string" ? obj.message : null;
+    const data = obj.data && typeof obj.data === "object" ? obj.data : null;
+    const ok = statusCode === 0 || (statusCode == null && message === "success");
+    if (!ok) {
+      if (data && Number.isFinite(data.error_code)) {
+        // passport v2 error envelope — the actionable code + 中文 description.
+        this._setLastError(
+          data.error_code,
+          String(data.description || data.error_description || `error_code=${data.error_code}`),
+        );
+      } else if (statusCode != null) {
+        this._setLastError(
+          statusCode,
+          String(obj.status_msg || message || obj.error_description || `status_code=${statusCode}`),
+        );
+      } else {
+        this._setLastError(
+          -5,
+          `passport/info/v2 unrecognized envelope (message=${message}, keys=[${Object.keys(obj).join(",")}])`,
+        );
+      }
       return null;
     }
-    const data = obj.data;
-    if (!data || typeof data !== "object") {
-      this._setLastError(-6, "status_code=0 but no `data` object");
+    if (!data) {
+      this._setLastError(-6, "profile ok but no `data` object");
       return null;
     }
     const rawUid =