@chainlesschain/personal-data-hub 0.4.4 → 0.4.5

package/lib/adapters/social-douyin-adb/index.js

@@ -38,13 +38,30 @@ const {
   cleanupSnapshotJson,
   SNAPSHOT_SCHEMA_VERSION,
 } = require("./snapshot-builder");
-const { collect, collectAndSync } = require("./collector");
+const {
+  collect,
+  collectAndSync,
+  collectWatchHistory,
+  collectWatchHistoryAndSync,
+} = require("./collector");
+const {
+  createDouyinWatchExtension,
+  VIDEO_RECORD_DB_REMOTE_PATH,
+} = require("./watch-history-reader");
+const { AwemeDetailClient } = require("./aweme-detail-client");
 
 module.exports = {
   // Extension factory (wiring registers this on the bridge)
   createDouyinDbExtension,
   DOUYIN_DB_REMOTE_DIR,
   IM_DB_PATTERN,
+  // Watch-history (video_record.db) extension + path
+  createDouyinWatchExtension,
+  VIDEO_RECORD_DB_REMOTE_PATH,
+  collectWatchHistory,
+  collectWatchHistoryAndSync,
+  // Aweme title resolver (web detail endpoint, no signing)
+  AwemeDetailClient,
   // Parser + builder (also exposed for advanced callers / tests)
   parseImDb,
   buildSnapshot,

package/lib/adapters/social-douyin-adb/watch-history-reader.js

@@ -0,0 +1,188 @@
+/**
+ * Douyin on-device watch-history reader — recovers the user's video view
+ * history from the app's local `video_record.db` (table `record_<uid>`), a
+ * plaintext SQLite DB.
+ *
+ * Why this exists (real-device 2026-06-11, device 5lhyaqu8lbwstc6x):
+ *   - Douyin's DM db is SQLCipher-encrypted (needs frida) and the web watch-
+ *     history endpoint needs X-Bogus signing — both heavy/fragile.
+ *   - But `/data/data/com.ss.android.ugc.aweme/databases/video_record.db`
+ *     stores `record_<uid> { aid, view_time_timestamp, enter_from, ... }` in
+ *     PLAINTEXT — 900 rows on the test device. This is "what/when the user
+ *     watched", the core family-guard signal, with zero signing/encryption.
+ *
+ * Emits snapshot `history` events ({kind, awemeId, capturedAt, enterFrom}) the
+ * social-douyin adapter already understands (KIND_HISTORY → BROWSE event), so
+ * normalize is reused. Title/author aren't local (would need a web lookup);
+ * the behavioral signal (which aweme, when, from which surface) is the value.
+ *
+ * Pull mirrors social-toutiao-adb/account-reader.pullAccountDbViaSu (su base64
+ * stream, MIUI-safe). DB read reuses the bilibili dual-load sqlite open.
+ */
+"use strict";
+
+const fs = require("node:fs");
+const os = require("node:os");
+const path = require("node:path");
+const crypto = require("node:crypto");
+
+const {
+  _internals: { loadDatabaseClass },
+} = require("../social-bilibili-adb/chromium-cookies-reader");
+
+const DOUYIN_PACKAGE = "com.ss.android.ugc.aweme";
+const VIDEO_RECORD_DB_REMOTE_PATH =
+  "/data/data/com.ss.android.ugc.aweme/databases/video_record.db";
+
+/** seconds-or-ms epoch → ms (heuristic: > 1e12 ⇒ already ms). */
+function toEpochMs(v) {
+  const n = Number(v);
+  if (!Number.isFinite(n) || n <= 0) return null;
+  return n > 1e12 ? Math.floor(n) : Math.floor(n * 1000);
+}
+
+async function pullVideoRecordDbViaSu(adb, serial, opts = {}) {
+  const adbOpts = { serial, timeoutMs: opts.timeoutMs || 60_000 };
+  const lsOut = await adb(
+    ["shell", "su", "-c", `ls ${VIDEO_RECORD_DB_REMOTE_PATH} 2>/dev/null || echo NOT_FOUND`],
+    adbOpts,
+  );
+  const lsLine = lsOut.replace(/\r+$/gm, "").trim();
+  if (lsLine === "NOT_FOUND" || lsLine === "") {
+    const pmOut = await adb(
+      ["shell", "su", "-c", `pm list packages ${DOUYIN_PACKAGE}`],
+      adbOpts,
+    );
+    const installed = pmOut.replace(/\r/g, "").includes(`package:${DOUYIN_PACKAGE}`);
+    throw new Error(
+      installed
+        ? "DOUYIN_VIDEO_RECORD_MISSING: 抖音已安装但无 video_record.db（未观看过视频？）— " +
+          VIDEO_RECORD_DB_REMOTE_PATH +
+          " 不存在。"
+        : "DOUYIN_NOT_INSTALLED: " + VIDEO_RECORD_DB_REMOTE_PATH + " not found and package not installed.",
+    );
+  }
+  const idOut = await adb(["shell", "su", "-c", "id -u"], adbOpts);
+  const idLine = idOut.replace(/\r+$/gm, "").trim();
+  if (idLine !== "0" && !idLine.includes("uid=0")) {
+    throw new Error(
+      "DOUYIN_NO_ROOT: su not uid 0 (`" + idLine.substring(0, 60) + "`); root required to read video_record.db.",
+    );
+  }
+  const b64 = await adb(
+    ["shell", "su", "-c", `base64 ${VIDEO_RECORD_DB_REMOTE_PATH} | tr -d '\\n\\r'`],
+    { ...adbOpts, timeoutMs: opts.timeoutMs || 60_000 },
+  );
+  const b64Clean = b64.replace(/[\r\n\t ]+/g, "");
+  if (b64Clean.length === 0) {
+    throw new Error("DOUYIN_VIDEO_RECORD_EMPTY: base64 stream returned 0 bytes (su may have silently failed on MIUI).");
+  }
+  const buf = Buffer.from(b64Clean, "base64");
+  if (buf.length < 1024 || !buf.subarray(0, 15).toString("latin1").startsWith("SQLite format 3")) {
+    throw new Error("DOUYIN_VIDEO_RECORD_NOT_SQLITE: decoded file lacks `SQLite format 3` magic (" + buf.length + " bytes).");
+  }
+  const tmpFile = path.join(os.tmpdir(), `cc-douyin-vrec-${crypto.randomUUID()}.db`);
+  fs.writeFileSync(tmpFile, buf);
+  return tmpFile;
+}
+
+/**
+ * Read watch records from video_record.db. Tables are named `record_<uid>`
+ * (per-account) plus an anonymous `record_0`. Picks the numeric-uid table with
+ * the most rows (the logged-in account); records carry aid + view timestamp +
+ * enter_from surface.
+ *
+ * @returns {{uid: string|null, records: Array<{awemeId,capturedAt,enterFrom}>}}
+ */
+function readDouyinWatchHistory(dbPath, opts = {}) {
+  const Database = opts._databaseClass || loadDatabaseClass();
+  const limit = Number.isInteger(opts.limit) && opts.limit > 0 ? opts.limit : 5000;
+  const db = new Database(dbPath, { readonly: true });
+  try {
+    const tables = db
+      .prepare("SELECT name FROM sqlite_master WHERE type='table' AND name LIKE 'record\\_%' ESCAPE '\\'")
+      .all()
+      .map((t) => t.name);
+    // Candidate uid tables: record_<digits>, uid != 0. Pick the largest.
+    let best = null;
+    for (const name of tables) {
+      const m = /^record_(\d+)$/.exec(name);
+      if (!m || m[1] === "0") continue;
+      let count = 0;
+      try {
+        count = db.prepare(`SELECT COUNT(*) c FROM "${name}"`).get().c;
+      } catch (_e) {
+        continue;
+      }
+      if (!best || count > best.count) best = { name, uid: m[1], count };
+    }
+    if (!best) return { uid: null, records: [] };
+    const cols = new Set(
+      db.prepare(`PRAGMA table_info("${best.name}")`).all().map((c) => c.name),
+    );
+    const hasEnter = cols.has("enter_from");
+    const hasTs = cols.has("view_time_timestamp");
+    const rows = db
+      .prepare(
+        `SELECT aid${hasTs ? ", view_time_timestamp" : ""}${hasEnter ? ", enter_from" : ""} ` +
+          `FROM "${best.name}"${hasTs ? " ORDER BY view_time_timestamp DESC" : ""} LIMIT ${limit}`,
+      )
+      .all();
+    const records = [];
+    for (const r of rows) {
+      const awemeId = r.aid != null ? String(r.aid) : null;
+      if (!awemeId) continue;
+      records.push({
+        awemeId,
+        capturedAt: hasTs ? toEpochMs(r.view_time_timestamp) : null,
+        enterFrom: hasEnter ? r.enter_from || null : null,
+      });
+    }
+    return { uid: best.uid, records };
+  } finally {
+    try {
+      db.close();
+    } catch (_e) {
+      /* best-effort */
+    }
+  }
+}
+
+/** Bridge handler factory: `bridge.invoke("douyin.watch-history")` → {uid, records}. */
+function createDouyinWatchExtension(factoryOpts = {}) {
+  const timeoutMs = factoryOpts.timeoutMs || 60_000;
+  const onCleanupFailed = factoryOpts.onCleanupFailed || (() => {});
+  return async function douyinWatchHandler(params, ctx) {
+    if (!ctx || typeof ctx.adb !== "function" || typeof ctx.pickDevice !== "function") {
+      throw new TypeError("douyin.watch-history extension: ctx must provide {adb, pickDevice}");
+    }
+    const serial = await ctx.pickDevice();
+    let tmpFile = null;
+    try {
+      tmpFile = await pullVideoRecordDbViaSu(ctx.adb, serial, { timeoutMs });
+      const result = readDouyinWatchHistory(tmpFile, {
+        limit: params && params.limit,
+      });
+      return { ...result, extractedAt: Date.now() };
+    } finally {
+      if (tmpFile) {
+        try {
+          fs.unlinkSync(tmpFile);
+        } catch (_e) {
+          onCleanupFailed(tmpFile);
+        }
+      }
+    }
+  };
+}
+
+module.exports = {
+  createDouyinWatchExtension,
+  VIDEO_RECORD_DB_REMOTE_PATH,
+  DOUYIN_PACKAGE,
+  _internals: {
+    pullVideoRecordDbViaSu,
+    readDouyinWatchHistory,
+    toEpochMs,
+  },
+};

package/lib/adapters/social-toutiao-adb/account-reader.js

@@ -0,0 +1,179 @@
+/**
+ * Toutiao on-device account reader — recovers the numeric uid + nickname from
+ * the app's local `account_db` (table `login_info`), a plaintext SQLite DB.
+ *
+ * Why this exists (real-device 2026-06-11, device 5lhyaqu8lbwstc6x):
+ *   - The web profile endpoint `passport/account/info/v2` returns error_code 16
+ *     "该应用无权限" even when fully logged in — so it can't supply the uid.
+ *   - The www.toutiao.com WebView cookie jar carries NO numeric uid cookie
+ *     (only hashed `uid_tt`/`sid_tt`; no passport_uid/multi_sids/__ac_uid).
+ *   - But `/data/data/com.ss.android.article.news/databases/account_db` stores
+ *     `login_info { uid, screen_name, sec_uid, ... }` in PLAINTEXT sqlite.
+ * Reading it gives the uid that the signed collection/search endpoints need,
+ * with no permission/signature/cookie-drift fragility.
+ *
+ * Pull mechanism mirrors cookies-extension.pullCookiesViaSu (su base64 stream,
+ * MIUI-safe). DB read reuses the bilibili chromium-cookies-reader dual-load
+ * (bs3mc ABI 140 under Electron / better-sqlite3 under Node test).
+ */
+"use strict";
+
+const fs = require("node:fs");
+const os = require("node:os");
+const path = require("node:path");
+const crypto = require("node:crypto");
+
+const {
+  _internals: { loadDatabaseClass },
+} = require("../social-bilibili-adb/chromium-cookies-reader");
+
+const TOUTIAO_PACKAGE = "com.ss.android.article.news";
+const ACCOUNT_DB_REMOTE_PATH =
+  "/data/data/com.ss.android.article.news/databases/account_db";
+
+/**
+ * Pull the account_db sqlite via `su base64` into a host tmp file.
+ * @param {(args: string[], opts?: object) => Promise<string>} adb
+ * @param {string} serial
+ * @param {{timeoutMs?: number}} [opts]
+ * @returns {Promise<string>} tmp file path (caller deletes)
+ */
+async function pullAccountDbViaSu(adb, serial, opts = {}) {
+  const adbOpts = { serial, timeoutMs: opts.timeoutMs || 60_000 };
+  const lsOut = await adb(
+    ["shell", "su", "-c", `ls ${ACCOUNT_DB_REMOTE_PATH} 2>/dev/null || echo NOT_FOUND`],
+    adbOpts,
+  );
+  const lsLine = lsOut.replace(/\r+$/gm, "").trim();
+  if (lsLine === "NOT_FOUND" || lsLine === "") {
+    const pmOut = await adb(
+      ["shell", "su", "-c", `pm list packages ${TOUTIAO_PACKAGE}`],
+      adbOpts,
+    );
+    const installed = pmOut.replace(/\r/g, "").includes(`package:${TOUTIAO_PACKAGE}`);
+    throw new Error(
+      installed
+        ? "TOUTIAO_ACCOUNT_DB_MISSING: 今日头条已安装但无 account_db（未登录账号？）— " +
+          ACCOUNT_DB_REMOTE_PATH +
+          " 不存在。"
+        : "TOUTIAO_NOT_INSTALLED: " +
+          ACCOUNT_DB_REMOTE_PATH +
+          " not found and package not installed.",
+    );
+  }
+  const idOut = await adb(["shell", "su", "-c", "id -u"], adbOpts);
+  const idLine = idOut.replace(/\r+$/gm, "").trim();
+  if (idLine !== "0" && !idLine.includes("uid=0")) {
+    throw new Error(
+      "TOUTIAO_NO_ROOT: su not uid 0 (`" + idLine.substring(0, 60) + "`); root required to read account_db.",
+    );
+  }
+  const b64 = await adb(
+    ["shell", "su", "-c", `base64 ${ACCOUNT_DB_REMOTE_PATH} | tr -d '\\n\\r'`],
+    { ...adbOpts, timeoutMs: opts.timeoutMs || 60_000 },
+  );
+  const b64Clean = b64.replace(/[\r\n\t ]+/g, "");
+  if (b64Clean.length === 0) {
+    throw new Error("TOUTIAO_ACCOUNT_DB_EMPTY: base64 stream returned 0 bytes (su may have silently failed on MIUI).");
+  }
+  const buf = Buffer.from(b64Clean, "base64");
+  if (buf.length < 1024 || !buf.subarray(0, 15).toString("latin1").startsWith("SQLite format 3")) {
+    throw new Error("TOUTIAO_ACCOUNT_DB_NOT_SQLITE: decoded file lacks `SQLite format 3` magic (" + buf.length + " bytes).");
+  }
+  const tmpFile = path.join(os.tmpdir(), `cc-toutiao-account-${crypto.randomUUID()}.db`);
+  fs.writeFileSync(tmpFile, buf);
+  return tmpFile;
+}
+
+/**
+ * Read the best login_info row from a pulled account_db.
+ * @param {string} dbPath
+ * @param {{_databaseClass?: any}} [opts]
+ * @returns {{uid: string, nickname: string|null, secUid: string|null}|null}
+ */
+function readToutiaoAccount(dbPath, opts = {}) {
+  const Database = opts._databaseClass || loadDatabaseClass();
+  const db = new Database(dbPath, { readonly: true });
+  try {
+    let info;
+    try {
+      info = db.prepare("PRAGMA table_info(login_info)").all();
+    } catch (_e) {
+      return null;
+    }
+    if (!Array.isArray(info) || info.length === 0) return null;
+    const cols = new Set(info.map((c) => c.name));
+    if (!cols.has("uid")) return null;
+    const hasTime = cols.has("time");
+    // Prefer the most-recently-written numeric-uid row (multi-account safe).
+    const rows = db
+      .prepare(
+        `SELECT * FROM login_info${hasTime ? " ORDER BY time DESC" : ""}`,
+      )
+      .all();
+    for (const r of rows) {
+      const uid = r.uid != null ? String(r.uid) : "";
+      if (/^\d+$/.test(uid) && uid !== "0") {
+        return {
+          uid,
+          nickname:
+            (r.screen_name && String(r.screen_name)) ||
+            (r.platform_screen_name && String(r.platform_screen_name)) ||
+            null,
+          secUid: r.sec_uid ? String(r.sec_uid) : null,
+        };
+      }
+    }
+    return null;
+  } finally {
+    try {
+      db.close();
+    } catch (_e) {
+      /* best-effort */
+    }
+  }
+}
+
+/**
+ * Bridge handler factory: `bridge.invoke("toutiao.account")` → account or
+ * throws. Mirrors createToutiaoCookiesExtension's ctx contract.
+ */
+function createToutiaoAccountExtension(factoryOpts = {}) {
+  const timeoutMs = factoryOpts.timeoutMs || 60_000;
+  const onCleanupFailed = factoryOpts.onCleanupFailed || (() => {});
+  return async function toutiaoAccountHandler(_params, ctx) {
+    if (!ctx || typeof ctx.adb !== "function" || typeof ctx.pickDevice !== "function") {
+      throw new TypeError("toutiao.account extension: ctx must provide {adb, pickDevice}");
+    }
+    const serial = await ctx.pickDevice();
+    let tmpFile = null;
+    try {
+      tmpFile = await pullAccountDbViaSu(ctx.adb, serial, { timeoutMs });
+      const account = readToutiaoAccount(tmpFile);
+      if (!account) {
+        throw new Error(
+          "TOUTIAO_ACCOUNT_DB_NO_UID: login_info has no numeric-uid row (logged out?).",
+        );
+      }
+      return { ...account, extractedAt: Date.now() };
+    } finally {
+      if (tmpFile) {
+        try {
+          fs.unlinkSync(tmpFile);
+        } catch (_e) {
+          onCleanupFailed(tmpFile);
+        }
+      }
+    }
+  };
+}
+
+module.exports = {
+  createToutiaoAccountExtension,
+  ACCOUNT_DB_REMOTE_PATH,
+  TOUTIAO_PACKAGE,
+  _internals: {
+    pullAccountDbViaSu,
+    readToutiaoAccount,
+  },
+};

package/lib/adapters/social-toutiao-adb/api-client.js

@@ -154,6 +154,17 @@ class ToutiaoApiClient {
         this._setLastError(-3, "parse: " + (e.message || String(e)));
         return null;
       }
+      // Toutiao web endpoints signal failure via `err_no != 0` + `message`
+      // while still returning HTTP 200 and an empty `data:[]` — without this
+      // check that error is silently masked as "0 results" (real-device
+      // 2026-06-11: tab_comments → {err_no:1,"message":"params illegal"}).
+      if (typeof obj.err_no === "number" && obj.err_no !== 0) {
+        this._setLastError(
+          obj.err_no,
+          String(obj.message || obj.err_tips || `err_no=${obj.err_no}`),
+        );
+        return null;
+      }
       this._clearLastError();
       return obj;
     } catch (e) {
@@ -180,27 +191,40 @@ class ToutiaoApiClient {
     url.searchParams.set("aid", AID_TOUTIAO_WEB);
     const obj = await this._doGetJson(url, cookie, false, "profile");
     if (!obj) return null;
+    // Two envelope shapes seen in the wild (real-device 2026-06-11):
+    //   legacy:      { status_code: 0, data: {...} }
+    //   passport v2: { message: "success", data: {...} }
+    //                { message: "error", data: { error_code, description } }
+    // The old code only understood status_code and mis-reported the v2
+    // envelope as "missing status_code" — masking the real error (e.g.
+    // error_code 16 "该应用无权限"). Parse both, surface the specific error.
     const statusCode =
       typeof obj.status_code === "number" ? obj.status_code : null;
-    if (statusCode == null) {
-      this._setLastError(
-        -5,
-        `passport/info/v2 missing status_code (keys=[${Object.keys(obj).join(",")}])`,
-      );
-      return null;
-    }
-    if (statusCode !== 0) {
-      const msg =
-        obj.status_msg ||
-        obj.message ||
-        obj.error_description ||
-        `status_code=${statusCode}`;
-      this._setLastError(statusCode, String(msg));
+    const message = typeof obj.message === "string" ? obj.message : null;
+    const data = obj.data && typeof obj.data === "object" ? obj.data : null;
+    const ok = statusCode === 0 || (statusCode == null && message === "success");
+    if (!ok) {
+      if (data && Number.isFinite(data.error_code)) {
+        // passport v2 error envelope — the actionable code + 中文 description.
+        this._setLastError(
+          data.error_code,
+          String(data.description || data.error_description || `error_code=${data.error_code}`),
+        );
+      } else if (statusCode != null) {
+        this._setLastError(
+          statusCode,
+          String(obj.status_msg || message || obj.error_description || `status_code=${statusCode}`),
+        );
+      } else {
+        this._setLastError(
+          -5,
+          `passport/info/v2 unrecognized envelope (message=${message}, keys=[${Object.keys(obj).join(",")}])`,
+        );
+      }
       return null;
     }
-    const data = obj.data;
-    if (!data || typeof data !== "object") {
-      this._setLastError(-6, "status_code=0 but no `data` object");
+    if (!data) {
+      this._setLastError(-6, "profile ok but no `data` object");
       return null;
     }
     const rawUid =

package/lib/adapters/social-toutiao-adb/collector.js

@@ -72,26 +72,57 @@ async function collect(bridge, opts = {}) {
 
   try {
     // fetchProfile — passport endpoint, no _signature required.
-    const profile = await client.fetchProfile(cookie);
-    if (!profile) {
-      // Cookie expired or sessionid missing — emit empty snapshot using
-      // best-effort cookie-derived uid (or sentinel if also absent).
-      const uid = cookieUid || "unknown-user";
+    let profile = await client.fetchProfile(cookie);
+    const profileFailed = !profile;
+    // Capture the profile error BEFORE the signed fetches overwrite lastError —
+    // when profile is permission-denied (real-device 2026-06-11: passport
+    // error_code 16 该应用无权限) it's the headline diagnostic, more useful than
+    // a downstream -99 short-circuit.
+    const profileErrCode = profileFailed ? client.lastErrorCode : null;
+    const profileErrMsg = profileFailed ? client.lastErrorMessage : null;
+
+    // Local account_db fallback: the web profile endpoint is often
+    // permission-denied (error_code 16) AND the WebView cookie jar carries no
+    // numeric uid — but the app's local account_db has uid+nickname in
+    // plaintext. Recover it so the signed collection/search endpoints (which
+    // need a uid) can still run. Best-effort: the bridge may not expose
+    // "toutiao.account" (older wiring) — that's fine, we fall through.
+    let profileSource = profile ? "web" : null;
+    if (profileFailed && bridge && typeof bridge.invoke === "function") {
+      try {
+        const acct = await bridge.invoke("toutiao.account");
+        if (acct && acct.uid && /^\d+$/.test(String(acct.uid))) {
+          profile = { uid: String(acct.uid), nickname: acct.nickname || null };
+          profileSource = "local-account-db";
+        }
+      } catch (_e) {
+        // account extension unavailable / logged out — keep web error.
+      }
+    }
+
+    // The signed feed endpoint is cookie-identified and collection/search can
+    // use a cookie-derived uid, so a profile failure should NOT abort the whole
+    // sync when we still have a usable uid — only bail when there is no uid at
+    // all. (Previously any profile failure returned an empty snapshot, so the
+    // SignBridge feed/collection/search were never even attempted.)
+    const effectiveUid = (profile && profile.uid) || cookieUid || null;
+    if (!effectiveUid) {
       const snapshot = buildSnapshot({
-        uid,
+        uid: "unknown-user",
         displayName: opts.displayName,
         snapshottedAt: now(),
       });
       const snapshotPath = writeSnapshotJson(snapshot, { dir: opts.stagingDir });
       return {
         snapshotPath,
-        uid: cookieUid,
+        uid: null,
         nickname: null,
         eventCounts: { profile: 0, feed: 0, collection: 0, search: 0, total: 0 },
-        lastErrorCode: client.lastErrorCode,
-        lastErrorMessage: client.lastErrorMessage,
+        lastErrorCode: profileErrCode,
+        lastErrorMessage: profileErrMsg,
         cookieDiagnostic: cookieDiagnostic || null,
         profileFetchFailed: true,
+        profileSource,
         signProviderUsed: signProvider
           ? signProvider.constructor.name
           : "none",
@@ -100,7 +131,9 @@ async function collect(bridge, opts = {}) {
       };
     }
 
-    // Parallel 3 signed endpoints — partial failure tolerated.
+    // Parallel 3 signed endpoints — partial failure tolerated. Attempted even
+    // when profile failed (as long as we have a uid), so feed can still flow
+    // through a SignBridge despite a permission-denied profile endpoint.
     const [feed, collection, search] = await Promise.all([
       client.fetchFeed(cookie, {
         limit: Number.isInteger(limits.feed) ? limits.feed : undefined,
@@ -116,9 +149,9 @@ async function collect(bridge, opts = {}) {
     ]);
 
     const snapshot = buildSnapshot({
-      uid: profile.uid,
-      displayName: opts.displayName || profile.nickname,
-      profile,
+      uid: effectiveUid,
+      displayName: opts.displayName || (profile && profile.nickname),
+      profile: profile || undefined,
       feed,
       collection,
       search,
@@ -128,19 +161,22 @@ async function collect(bridge, opts = {}) {
 
     return {
       snapshotPath,
-      uid: profile.uid,
-      nickname: profile.nickname,
+      uid: effectiveUid,
+      nickname: profile ? profile.nickname : null,
       eventCounts: {
-        profile: 1,
+        profile: profile ? 1 : 0,
         feed: feed.length,
         collection: collection.length,
         search: search.length,
         total: snapshot.events.length,
       },
-      lastErrorCode: client.lastErrorCode,
-      lastErrorMessage: client.lastErrorMessage,
+      // On profile failure surface the profile error (the headline issue), not
+      // the last signed-endpoint status.
+      lastErrorCode: profileFailed ? profileErrCode : client.lastErrorCode,
+      lastErrorMessage: profileFailed ? profileErrMsg : client.lastErrorMessage,
       cookieDiagnostic: cookieDiagnostic || null,
-      profileFetchFailed: false,
+      profileFetchFailed: profileFailed,
+      profileSource,
       signProviderUsed: signProvider ? signProvider.constructor.name : "none",
       signProviderHits: client._bridgeHits,
       signProviderFallbacks: client._fallbackHits,

package/lib/adapters/social-toutiao-adb/cookies-extension.js

@@ -41,6 +41,7 @@ const {
   readChromiumCookies,
 } = require("../social-bilibili-adb/chromium-cookies-reader");
 
+const TOUTIAO_PACKAGE = "com.ss.android.article.news";
 const TOUTIAO_COOKIES_REMOTE_PATH =
   "/data/data/com.ss.android.article.news/app_webview/Default/Cookies";
 
@@ -72,10 +73,29 @@ async function pullCookiesViaSu(adb, serial, opts) {
   );
   const lsLine = lsOut.replace(/\r+$/gm, "").trim();
   if (lsLine === "NOT_FOUND" || lsLine === "") {
+    // Distinguish "app not installed" from "installed but no webview cookie
+    // store yet" (logged out / never opened an in-app WebView). Both leave the
+    // Cookies file absent, but the user action differs — so probe pm.
+    const pmOut = await adb(
+      ["shell", "su", "-c", `pm list packages ${TOUTIAO_PACKAGE}`],
+      adbOpts,
+    );
+    const installed = pmOut
+      .replace(/\r/g, "")
+      .includes(`package:${TOUTIAO_PACKAGE}`);
+    if (installed) {
+      throw new Error(
+        "TOUTIAO_NO_WEBVIEW_COOKIES: 今日头条 App 已安装但无 WebView cookie 库 (" +
+          TOUTIAO_COOKIES_REMOTE_PATH +
+          " 不存在)。请在 App 内登录，并打开任意文章/网页（触发内置 WebView 写 cookie）后重试。注意：极速版 (.lite) 是另一个包，不支持。",
+      );
+    }
     throw new Error(
       "TOUTIAO_NOT_INSTALLED: " +
         TOUTIAO_COOKIES_REMOTE_PATH +
-        " not found. Install Toutiao App (今日头条 com.ss.android.article.news) + log in once, then retry. Note: 极速版 (.lite) uses a different package — only the standard app is supported.",
+        " not found and package " +
+        TOUTIAO_PACKAGE +
+        " is not installed. Install Toutiao App (今日头条 com.ss.android.article.news) + log in once, then retry. Note: 极速版 (.lite) uses a different package — only the standard app is supported.",
     );
   }
   const idOut = await adb(["shell", "su", "-c", "id -u"], adbOpts);

package/lib/adapters/social-toutiao-adb/index.js

@@ -34,9 +34,15 @@ const {
   SNAPSHOT_SCHEMA_VERSION,
 } = require("./snapshot-builder");
 const { collect, collectAndSync } = require("./collector");
+const {
+  createToutiaoAccountExtension,
+  ACCOUNT_DB_REMOTE_PATH,
+} = require("./account-reader");
 
 module.exports = {
   createToutiaoCookiesExtension,
+  createToutiaoAccountExtension,
+  ACCOUNT_DB_REMOTE_PATH,
   TOUTIAO_COOKIES_REMOTE_PATH,
   TOUTIAO_COOKIE_HOST_DOMAIN,
   TOUTIAO_SESSION_COOKIES,