npm - @jackwener/opencli - Versions diffs - 1.3.3 → 1.4.0 - Mend

@jackwener/opencli 1.3.3 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (496) hide show

package/.github/pull_request_template.md +3 -1
package/.github/workflows/build-extension.yml +7 -1
package/.github/workflows/ci.yml +29 -3
package/.github/workflows/docs.yml +1 -1
package/.github/workflows/e2e-headed.yml +20 -0
package/.github/workflows/release.yml +1 -1
package/.github/workflows/security.yml +0 -3
package/CHANGELOG.md +55 -0
package/CONTRIBUTING.md +6 -3
package/README.md +30 -3
package/README.zh-CN.md +30 -3
package/SKILL.md +7 -1
package/TESTING.md +1 -0
package/chatwise-opencli.ps1 +82 -0
package/dist/analysis.d.ts +38 -0
package/dist/analysis.js +166 -0
package/dist/browser/cdp.d.ts +0 -4
package/dist/browser/cdp.js +53 -41
package/dist/browser/cdp.test.d.ts +1 -0
package/dist/browser/cdp.test.js +52 -0
package/dist/browser/dom-snapshot.d.ts +2 -2
package/dist/browser/dom-snapshot.js +54 -1
package/dist/browser/dom-snapshot.test.js +36 -0
package/dist/browser/index.d.ts +2 -2
package/dist/browser/index.js +1 -1
package/dist/browser/mcp.d.ts +0 -2
package/dist/browser/mcp.js +2 -3
package/dist/browser/page.d.ts +4 -3
package/dist/browser/page.js +34 -37
package/dist/browser/stealth.d.ts +0 -2
package/dist/browser/stealth.js +24 -9
package/dist/browser.test.js +2 -2
package/dist/build-manifest.js +15 -9
package/dist/build-manifest.test.js +12 -0
package/dist/cascade.js +4 -2
package/dist/cli-manifest.json +639 -258
package/dist/cli.js +57 -29
package/dist/clis/_shared/desktop-commands.d.ts +22 -0
package/dist/clis/_shared/desktop-commands.js +108 -0
package/dist/clis/antigravity/serve.js +5 -2
package/dist/clis/arxiv/search.js +1 -1
package/dist/clis/bilibili/dynamic.test.d.ts +1 -0
package/dist/clis/bilibili/dynamic.test.js +68 -0
package/dist/clis/bilibili/favorite.js +4 -2
package/dist/clis/bilibili/following.js +3 -2
package/dist/clis/bilibili/subtitle.js +8 -7
package/dist/clis/bilibili/utils.js +2 -2
package/dist/clis/boss/batchgreet.js +1 -1
package/dist/clis/boss/chatlist.js +1 -1
package/dist/clis/boss/chatmsg.js +1 -1
package/dist/clis/boss/detail.js +1 -1
package/dist/clis/boss/exchange.js +1 -1
package/dist/clis/boss/greet.js +1 -1
package/dist/clis/boss/invite.js +1 -1
package/dist/clis/boss/joblist.js +1 -1
package/dist/clis/boss/mark.js +4 -3
package/dist/clis/boss/recommend.js +1 -1
package/dist/clis/boss/resume.js +1 -1
package/dist/clis/boss/search.js +1 -1
package/dist/clis/boss/send.js +5 -4
package/dist/clis/boss/stats.js +1 -1
package/dist/clis/chatgpt/ask.js +4 -0
package/dist/clis/chatgpt/new.js +5 -1
package/dist/clis/chatgpt/read.js +5 -1
package/dist/clis/chatgpt/send.js +2 -1
package/dist/clis/chatgpt/status.js +5 -1
package/dist/clis/chatwise/ask.js +8 -2
package/dist/clis/chatwise/export.js +2 -0
package/dist/clis/chatwise/history.js +2 -0
package/dist/clis/chatwise/model.js +8 -3
package/dist/clis/chatwise/new.js +3 -18
package/dist/clis/chatwise/read.js +2 -0
package/dist/clis/chatwise/screenshot.js +3 -27
package/dist/clis/chatwise/send.js +8 -2
package/dist/clis/chatwise/shared.d.ts +2 -0
package/dist/clis/chatwise/shared.js +6 -0
package/dist/clis/chatwise/status.js +3 -22
package/dist/clis/codex/ask.js +6 -2
package/dist/clis/codex/dump.js +2 -25
package/dist/clis/codex/new.js +2 -25
package/dist/clis/codex/screenshot.js +2 -27
package/dist/clis/codex/send.js +6 -4
package/dist/clis/codex/status.js +2 -22
package/dist/clis/cursor/ask.js +2 -1
package/dist/clis/cursor/composer.js +2 -1
package/dist/clis/cursor/dump.js +2 -25
package/dist/clis/cursor/new.js +2 -18
package/dist/clis/cursor/read.js +2 -1
package/dist/clis/cursor/screenshot.js +1 -30
package/dist/clis/cursor/send.js +2 -1
package/dist/clis/cursor/status.js +2 -21
package/dist/clis/dictionary/examples.yaml +25 -0
package/dist/clis/dictionary/search.yaml +27 -0
package/dist/clis/dictionary/synonyms.yaml +25 -0
package/dist/clis/douban/book-hot.js +1 -1
package/dist/clis/douban/movie-hot.js +1 -1
package/dist/clis/douban/search.js +1 -1
package/dist/clis/douban/utils.d.ts +4 -1
package/dist/clis/douban/utils.js +156 -1
package/dist/clis/doubao/ask.js +1 -1
package/dist/clis/doubao/new.js +1 -1
package/dist/clis/doubao/read.js +1 -1
package/dist/clis/doubao/send.js +1 -1
package/dist/clis/doubao/status.js +1 -1
package/dist/clis/doubao-app/ask.js +1 -1
package/dist/clis/doubao-app/new.js +1 -1
package/dist/clis/doubao-app/read.js +1 -1
package/dist/clis/doubao-app/send.js +1 -1
package/dist/clis/grok/ask.d.ts +4 -0
package/dist/clis/grok/ask.js +28 -10
package/dist/clis/grok/ask.test.js +18 -0
package/dist/clis/jd/item.d.ts +1 -0
package/dist/clis/jd/item.js +96 -0
package/dist/clis/jd/item.test.d.ts +1 -0
package/dist/clis/jd/item.test.js +28 -0
package/dist/clis/jike/feed.js +1 -1
package/dist/clis/jike/search.js +1 -1
package/dist/clis/linkedin/search.js +5 -4
package/dist/clis/linkedin/timeline.d.ts +21 -0
package/dist/clis/linkedin/timeline.js +503 -0
package/dist/clis/linkedin/timeline.test.d.ts +1 -0
package/dist/clis/linkedin/timeline.test.js +81 -0
package/dist/clis/medium/feed.js +1 -1
package/dist/clis/medium/search.js +1 -1
package/dist/clis/medium/user.js +1 -1
package/dist/clis/medium/{shared.js → utils.js} +2 -1
package/dist/clis/pixiv/detail.yaml +49 -0
package/dist/clis/pixiv/download.d.ts +7 -0
package/dist/clis/pixiv/download.js +78 -0
package/dist/clis/pixiv/download.test.d.ts +1 -0
package/dist/clis/pixiv/download.test.js +87 -0
package/dist/clis/pixiv/illusts.d.ts +8 -0
package/dist/clis/pixiv/illusts.js +65 -0
package/dist/clis/pixiv/illusts.test.d.ts +1 -0
package/dist/clis/pixiv/illusts.test.js +99 -0
package/dist/clis/pixiv/ranking.yaml +53 -0
package/dist/clis/pixiv/search.d.ts +6 -0
package/dist/clis/pixiv/search.js +43 -0
package/dist/clis/pixiv/search.test.d.ts +1 -0
package/dist/clis/pixiv/search.test.js +83 -0
package/dist/clis/pixiv/test-utils.d.ts +12 -0
package/dist/clis/pixiv/test-utils.js +23 -0
package/dist/clis/pixiv/user.yaml +46 -0
package/dist/clis/pixiv/utils.d.ts +27 -0
package/dist/clis/pixiv/utils.js +49 -0
package/dist/clis/reddit/comment.js +2 -1
package/dist/clis/reddit/read.js +4 -3
package/dist/clis/reddit/read.test.d.ts +1 -0
package/dist/clis/reddit/read.test.js +28 -0
package/dist/clis/reddit/save.js +2 -1
package/dist/clis/reddit/saved.js +7 -3
package/dist/clis/reddit/subscribe.js +2 -1
package/dist/clis/reddit/upvote.js +2 -1
package/dist/clis/reddit/upvoted.js +7 -3
package/dist/clis/sinablog/article.js +1 -1
package/dist/clis/sinablog/hot.js +1 -1
package/dist/clis/sinablog/user.js +1 -1
package/dist/clis/substack/feed.js +1 -1
package/dist/clis/substack/publication.js +1 -1
package/dist/clis/substack/search.js +3 -2
package/dist/clis/substack/{shared.js → utils.js} +3 -2
package/dist/clis/tiktok/search.yaml +2 -1
package/dist/clis/twitter/accept.js +2 -1
package/dist/clis/twitter/article.js +4 -1
package/dist/clis/twitter/block.js +2 -1
package/dist/clis/twitter/bookmark.js +2 -1
package/dist/clis/twitter/bookmarks.js +3 -2
package/dist/clis/twitter/delete.js +2 -1
package/dist/clis/twitter/follow.js +2 -1
package/dist/clis/twitter/followers.js +3 -2
package/dist/clis/twitter/following.js +3 -2
package/dist/clis/twitter/hide-reply.js +2 -1
package/dist/clis/twitter/like.js +2 -1
package/dist/clis/twitter/notifications.js +2 -1
package/dist/clis/twitter/post.js +2 -1
package/dist/clis/twitter/profile.js +5 -2
package/dist/clis/twitter/reply-dm.js +2 -1
package/dist/clis/twitter/reply.js +2 -1
package/dist/clis/twitter/search.js +30 -13
package/dist/clis/twitter/search.test.d.ts +1 -0
package/dist/clis/twitter/search.test.js +104 -0
package/dist/clis/twitter/thread.js +2 -2
package/dist/clis/twitter/timeline.js +3 -2
package/dist/clis/twitter/trending.js +3 -2
package/dist/clis/twitter/unblock.js +2 -1
package/dist/clis/twitter/unbookmark.js +2 -1
package/dist/clis/twitter/unfollow.js +2 -1
package/dist/clis/v2ex/daily.js +3 -2
package/dist/clis/v2ex/me.js +3 -2
package/dist/clis/v2ex/notifications.js +4 -4
package/dist/clis/web/read.d.ts +16 -0
package/dist/clis/web/read.js +202 -0
package/dist/clis/xueqiu/danjuan-utils.d.ts +55 -0
package/dist/clis/xueqiu/danjuan-utils.js +126 -0
package/dist/clis/xueqiu/danjuan-utils.test.d.ts +1 -0
package/dist/clis/xueqiu/danjuan-utils.test.js +41 -0
package/dist/clis/xueqiu/fund-holdings.d.ts +1 -0
package/dist/clis/xueqiu/fund-holdings.js +28 -0
package/dist/clis/xueqiu/fund-snapshot.d.ts +1 -0
package/dist/clis/xueqiu/fund-snapshot.js +25 -0
package/dist/clis/youtube/transcript.js +5 -4
package/dist/clis/youtube/video.js +3 -2
package/dist/daemon.js +7 -3
package/dist/discovery.js +11 -10
package/dist/doctor.js +2 -1
package/dist/download/index.d.ts +4 -12
package/dist/download/index.js +33 -12
package/dist/download/index.test.js +79 -2
package/dist/download/media-download.js +4 -2
package/dist/engine.test.js +76 -4
package/dist/execution.d.ts +1 -9
package/dist/execution.js +56 -46
package/dist/explore.js +12 -111
package/dist/external-clis.yaml +0 -8
package/dist/external.js +7 -5
package/dist/external.test.js +4 -0
package/dist/generate.d.ts +0 -9
package/dist/generate.js +4 -20
package/dist/hooks.d.ts +46 -0
package/dist/hooks.js +56 -0
package/dist/hooks.test.d.ts +4 -0
package/dist/hooks.test.js +92 -0
package/dist/interceptor.js +70 -23
package/dist/main.js +2 -0
package/dist/output.js +12 -6
package/dist/pipeline/executor.js +1 -1
package/dist/pipeline/steps/browser.js +1 -3
package/dist/pipeline/steps/download.js +42 -26
package/dist/pipeline/steps/download.test.d.ts +1 -0
package/dist/pipeline/steps/download.test.js +101 -0
package/dist/pipeline/steps/fetch.js +40 -22
package/dist/pipeline/steps/fetch.test.d.ts +1 -0
package/dist/pipeline/steps/fetch.test.js +123 -0
package/dist/pipeline/steps/transform.js +2 -6
package/dist/pipeline/template.js +66 -52
package/dist/pipeline/template.test.js +28 -0
package/dist/pipeline/transform.test.js +18 -0
package/dist/plugin.d.ts +40 -1
package/dist/plugin.js +214 -17
package/dist/plugin.test.d.ts +1 -1
package/dist/plugin.test.js +219 -3
package/dist/record.js +6 -98
package/dist/registry-api.d.ts +2 -0
package/dist/registry-api.js +1 -0
package/dist/registry.d.ts +5 -2
package/dist/registry.js +1 -2
package/dist/runtime.d.ts +0 -1
package/dist/runtime.js +14 -4
package/dist/snapshotFormatter.d.ts +7 -14
package/dist/snapshotFormatter.js +38 -78
package/dist/utils.d.ts +9 -0
package/dist/utils.js +29 -0
package/dist/validate.js +3 -5
package/dist/yaml-schema.d.ts +26 -0
package/dist/yaml-schema.js +5 -0
package/docs/.vitepress/config.mts +3 -0
package/docs/adapters/browser/dictionary.md +27 -0
package/docs/adapters/browser/jd.md +27 -0
package/docs/adapters/browser/linkedin.md +6 -0
package/docs/adapters/browser/pixiv.md +92 -0
package/docs/adapters/browser/web.md +30 -0
package/docs/adapters/browser/xueqiu.md +27 -9
package/docs/adapters/index.md +3 -1
package/docs/comparison.md +125 -0
package/docs/developer/contributing.md +21 -2
package/docs/developer/testing.md +14 -8
package/docs/developer/ts-adapter.md +18 -0
package/docs/developer/yaml-adapter.md +16 -0
package/docs/guide/plugins.md +10 -0
package/docs/zh/guide/plugins.md +10 -0
package/extension/dist/background.js +519 -444
package/extension/manifest.json +1 -1
package/extension/package.json +1 -1
package/extension/src/background.test.ts +46 -1
package/extension/src/background.ts +108 -33
package/extension/src/cdp.ts +9 -9
package/package.json +3 -2
package/scripts/check-doc-coverage.sh +2 -0
package/src/analysis.ts +170 -0
package/src/browser/cdp.test.ts +66 -0
package/src/browser/cdp.ts +59 -44
package/src/browser/dom-snapshot.test.ts +42 -0
package/src/browser/dom-snapshot.ts +56 -3
package/src/browser/index.ts +2 -2
package/src/browser/mcp.ts +2 -4
package/src/browser/page.ts +34 -37
package/src/browser/stealth.ts +24 -10
package/src/browser.test.ts +2 -2
package/src/build-manifest.test.ts +14 -0
package/src/build-manifest.ts +13 -31
package/src/cascade.ts +5 -3
package/src/cli.ts +66 -34
package/src/clis/_shared/desktop-commands.ts +121 -0
package/src/clis/antigravity/serve.ts +6 -3
package/src/clis/arxiv/search.ts +1 -1
package/src/clis/bilibili/dynamic.test.ts +79 -0
package/src/clis/bilibili/favorite.ts +5 -2
package/src/clis/bilibili/following.ts +3 -2
package/src/clis/bilibili/subtitle.ts +8 -7
package/src/clis/bilibili/utils.ts +2 -2
package/src/clis/boss/batchgreet.ts +1 -1
package/src/clis/boss/chatlist.ts +1 -1
package/src/clis/boss/chatmsg.ts +1 -1
package/src/clis/boss/detail.ts +1 -1
package/src/clis/boss/exchange.ts +1 -1
package/src/clis/boss/greet.ts +1 -1
package/src/clis/boss/invite.ts +1 -1
package/src/clis/boss/joblist.ts +1 -1
package/src/clis/boss/mark.ts +4 -3
package/src/clis/boss/recommend.ts +1 -1
package/src/clis/boss/resume.ts +1 -1
package/src/clis/boss/search.ts +1 -1
package/src/clis/boss/send.ts +5 -4
package/src/clis/boss/stats.ts +1 -1
package/src/clis/chatgpt/ask.ts +5 -0
package/src/clis/chatgpt/new.ts +7 -2
package/src/clis/chatgpt/read.ts +7 -2
package/src/clis/chatgpt/send.ts +3 -2
package/src/clis/chatgpt/status.ts +6 -1
package/src/clis/chatwise/ask.ts +7 -2
package/src/clis/chatwise/export.ts +2 -0
package/src/clis/chatwise/history.ts +2 -0
package/src/clis/chatwise/model.ts +7 -3
package/src/clis/chatwise/new.ts +3 -20
package/src/clis/chatwise/read.ts +2 -0
package/src/clis/chatwise/screenshot.ts +3 -32
package/src/clis/chatwise/send.ts +7 -2
package/src/clis/chatwise/shared.ts +8 -0
package/src/clis/chatwise/status.ts +3 -24
package/src/clis/codex/ask.ts +5 -2
package/src/clis/codex/dump.ts +2 -27
package/src/clis/codex/new.ts +2 -28
package/src/clis/codex/screenshot.ts +2 -32
package/src/clis/codex/send.ts +5 -4
package/src/clis/codex/status.ts +2 -24
package/src/clis/cursor/ask.ts +2 -1
package/src/clis/cursor/composer.ts +2 -1
package/src/clis/cursor/dump.ts +2 -27
package/src/clis/cursor/new.ts +2 -20
package/src/clis/cursor/read.ts +2 -1
package/src/clis/cursor/screenshot.ts +1 -36
package/src/clis/cursor/send.ts +2 -1
package/src/clis/cursor/status.ts +2 -22
package/src/clis/dictionary/examples.yaml +25 -0
package/src/clis/dictionary/search.yaml +27 -0
package/src/clis/dictionary/synonyms.yaml +25 -0
package/src/clis/douban/book-hot.ts +1 -1
package/src/clis/douban/movie-hot.ts +1 -1
package/src/clis/douban/search.ts +1 -1
package/src/clis/douban/utils.ts +165 -1
package/src/clis/doubao/ask.ts +1 -1
package/src/clis/doubao/new.ts +1 -1
package/src/clis/doubao/read.ts +1 -1
package/src/clis/doubao/send.ts +1 -1
package/src/clis/doubao/status.ts +1 -1
package/src/clis/doubao-app/ask.ts +1 -1
package/src/clis/doubao-app/new.ts +1 -1
package/src/clis/doubao-app/read.ts +1 -1
package/src/clis/doubao-app/send.ts +1 -1
package/src/clis/grok/ask.test.ts +25 -0
package/src/clis/grok/ask.ts +25 -12
package/src/clis/jd/item.test.ts +35 -0
package/src/clis/jd/item.ts +101 -0
package/src/clis/jike/feed.ts +1 -1
package/src/clis/jike/search.ts +1 -1
package/src/clis/linkedin/search.ts +5 -4
package/src/clis/linkedin/timeline.test.ts +99 -0
package/src/clis/linkedin/timeline.ts +532 -0
package/src/clis/medium/feed.ts +1 -1
package/src/clis/medium/search.ts +1 -1
package/src/clis/medium/user.ts +1 -1
package/src/clis/medium/{shared.ts → utils.ts} +2 -1
package/src/clis/pixiv/detail.yaml +49 -0
package/src/clis/pixiv/download.test.ts +114 -0
package/src/clis/pixiv/download.ts +91 -0
package/src/clis/pixiv/illusts.test.ts +115 -0
package/src/clis/pixiv/illusts.ts +78 -0
package/src/clis/pixiv/ranking.yaml +53 -0
package/src/clis/pixiv/search.test.ts +97 -0
package/src/clis/pixiv/search.ts +53 -0
package/src/clis/pixiv/test-utils.ts +29 -0
package/src/clis/pixiv/user.yaml +46 -0
package/src/clis/pixiv/utils.ts +62 -0
package/src/clis/reddit/comment.ts +2 -1
package/src/clis/reddit/read.test.ts +34 -0
package/src/clis/reddit/read.ts +4 -3
package/src/clis/reddit/save.ts +2 -1
package/src/clis/reddit/saved.ts +6 -2
package/src/clis/reddit/subscribe.ts +2 -1
package/src/clis/reddit/upvote.ts +2 -1
package/src/clis/reddit/upvoted.ts +6 -2
package/src/clis/sinablog/article.ts +1 -1
package/src/clis/sinablog/hot.ts +1 -1
package/src/clis/sinablog/user.ts +1 -1
package/src/clis/substack/feed.ts +1 -1
package/src/clis/substack/publication.ts +1 -1
package/src/clis/substack/search.ts +3 -2
package/src/clis/substack/{shared.ts → utils.ts} +3 -2
package/src/clis/tiktok/search.yaml +2 -1
package/src/clis/twitter/accept.ts +2 -1
package/src/clis/twitter/article.ts +3 -1
package/src/clis/twitter/block.ts +2 -1
package/src/clis/twitter/bookmark.ts +2 -1
package/src/clis/twitter/bookmarks.ts +3 -2
package/src/clis/twitter/delete.ts +2 -1
package/src/clis/twitter/follow.ts +2 -1
package/src/clis/twitter/followers.ts +3 -2
package/src/clis/twitter/following.ts +3 -2
package/src/clis/twitter/hide-reply.ts +2 -1
package/src/clis/twitter/like.ts +2 -1
package/src/clis/twitter/notifications.ts +2 -1
package/src/clis/twitter/post.ts +2 -1
package/src/clis/twitter/profile.ts +4 -2
package/src/clis/twitter/reply-dm.ts +2 -1
package/src/clis/twitter/reply.ts +2 -1
package/src/clis/twitter/search.test.ts +113 -0
package/src/clis/twitter/search.ts +38 -14
package/src/clis/twitter/thread.ts +2 -2
package/src/clis/twitter/timeline.ts +3 -2
package/src/clis/twitter/trending.ts +3 -2
package/src/clis/twitter/unblock.ts +2 -1
package/src/clis/twitter/unbookmark.ts +2 -1
package/src/clis/twitter/unfollow.ts +2 -1
package/src/clis/v2ex/daily.ts +3 -2
package/src/clis/v2ex/me.ts +3 -2
package/src/clis/v2ex/notifications.ts +3 -4
package/src/clis/web/read.ts +210 -0
package/src/clis/xueqiu/danjuan-utils.test.ts +49 -0
package/src/clis/xueqiu/danjuan-utils.ts +176 -0
package/src/clis/xueqiu/fund-holdings.ts +32 -0
package/src/clis/xueqiu/fund-snapshot.ts +27 -0
package/src/clis/youtube/transcript.ts +5 -4
package/src/clis/youtube/video.ts +3 -2
package/src/daemon.ts +5 -4
package/src/discovery.ts +12 -34
package/src/doctor.ts +3 -2
package/src/download/index.test.ts +93 -2
package/src/download/index.ts +44 -23
package/src/download/media-download.ts +5 -3
package/src/engine.test.ts +84 -3
package/src/execution.ts +62 -46
package/src/explore.ts +21 -90
package/src/external-clis.yaml +0 -8
package/src/external.test.ts +9 -0
package/src/external.ts +12 -10
package/src/generate.ts +4 -41
package/src/hooks.test.ts +126 -0
package/src/hooks.ts +90 -0
package/src/interceptor.ts +73 -23
package/src/main.ts +2 -0
package/src/output.ts +14 -6
package/src/pipeline/executor.ts +1 -1
package/src/pipeline/steps/browser.ts +1 -3
package/src/pipeline/steps/download.test.ts +136 -0
package/src/pipeline/steps/download.ts +47 -34
package/src/pipeline/steps/fetch.test.ts +179 -0
package/src/pipeline/steps/fetch.ts +39 -23
package/src/pipeline/steps/transform.ts +2 -6
package/src/pipeline/template.test.ts +28 -0
package/src/pipeline/template.ts +67 -79
package/src/pipeline/transform.test.ts +20 -0
package/src/plugin.test.ts +251 -3
package/src/plugin.ts +265 -21
package/src/record.ts +12 -84
package/src/registry-api.ts +2 -0
package/src/registry.ts +7 -4
package/src/runtime.ts +14 -4
package/src/snapshotFormatter.ts +43 -121
package/src/utils.ts +39 -0
package/src/validate.ts +3 -5
package/src/yaml-schema.ts +28 -0
package/tests/e2e/browser-auth.test.ts +25 -0
package/tests/e2e/plugin-management.test.ts +137 -0
package/tests/e2e/public-commands.test.ts +34 -1
package/vitest.config.ts +19 -1
package/.github/workflows/pkg-pr-new.yml +0 -30
package/dist/clis/douban/shared.d.ts +0 -4
package/dist/clis/douban/shared.js +0 -155
package/src/clis/douban/shared.ts +0 -165
/package/dist/clis/boss/{common.d.ts → utils.d.ts} +0 -0
/package/dist/clis/boss/{common.js → utils.js} +0 -0
/package/dist/clis/doubao/{common.d.ts → utils.d.ts} +0 -0
/package/dist/clis/doubao/{common.js → utils.js} +0 -0
/package/dist/clis/doubao-app/{common.d.ts → utils.d.ts} +0 -0
/package/dist/clis/doubao-app/{common.js → utils.js} +0 -0
/package/dist/clis/jike/{shared.d.ts → utils.d.ts} +0 -0
/package/dist/clis/jike/{shared.js → utils.js} +0 -0
/package/dist/clis/medium/{shared.d.ts → utils.d.ts} +0 -0
/package/dist/clis/sinablog/{shared.d.ts → utils.d.ts} +0 -0
/package/dist/clis/sinablog/{shared.js → utils.js} +0 -0
/package/dist/clis/substack/{shared.d.ts → utils.d.ts} +0 -0
/package/src/clis/boss/{common.ts → utils.ts} +0 -0
/package/src/clis/doubao/{common.ts → utils.ts} +0 -0
/package/src/clis/doubao-app/{common.ts → utils.ts} +0 -0
/package/src/clis/jike/{shared.ts → utils.ts} +0 -0
/package/src/clis/sinablog/{shared.ts → utils.ts} +0 -0

package/dist/pipeline/steps/download.test.js ADDED Viewed

@@ -0,0 +1,101 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import * as os from 'node:os';
+import * as path from 'node:path';
+const { mockHttpDownload, mockYtdlpDownload, mockExportCookiesToNetscape } = vi.hoisted(() => ({
+    mockHttpDownload: vi.fn(),
+    mockYtdlpDownload: vi.fn(),
+    mockExportCookiesToNetscape: vi.fn(),
+}));
+vi.mock('../../download/index.js', async () => {
+    const actual = await vi.importActual('../../download/index.js');
+    return {
+        ...actual,
+        httpDownload: mockHttpDownload,
+        ytdlpDownload: mockYtdlpDownload,
+        exportCookiesToNetscape: mockExportCookiesToNetscape,
+    };
+});
+import { stepDownload } from './download.js';
+function createMockPage(getCookies) {
+    return {
+        goto: vi.fn(),
+        evaluate: vi.fn().mockResolvedValue(null),
+        getCookies,
+        snapshot: vi.fn().mockResolvedValue(''),
+        click: vi.fn(),
+        typeText: vi.fn(),
+        pressKey: vi.fn(),
+        scrollTo: vi.fn(),
+        getFormState: vi.fn().mockResolvedValue({}),
+        wait: vi.fn(),
+        tabs: vi.fn().mockResolvedValue([]),
+        closeTab: vi.fn(),
+        newTab: vi.fn(),
+        selectTab: vi.fn(),
+        networkRequests: vi.fn().mockResolvedValue([]),
+        consoleMessages: vi.fn().mockResolvedValue([]),
+        scroll: vi.fn(),
+        autoScroll: vi.fn(),
+        installInterceptor: vi.fn(),
+        getInterceptedRequests: vi.fn().mockResolvedValue([]),
+        screenshot: vi.fn().mockResolvedValue(''),
+    };
+}
+describe('stepDownload', () => {
+    beforeEach(() => {
+        mockHttpDownload.mockReset();
+        mockHttpDownload.mockResolvedValue({ success: true, size: 2 });
+        mockYtdlpDownload.mockReset();
+        mockYtdlpDownload.mockResolvedValue({ success: true, size: 2 });
+        mockExportCookiesToNetscape.mockReset();
+    });
+    it('scopes browser cookies to each direct-download target domain', async () => {
+        const page = createMockPage(vi.fn().mockImplementation(async (opts) => {
+            const domain = opts?.domain ?? 'unknown';
+            return [{ name: 'sid', value: domain, domain }];
+        }));
+        await stepDownload(page, {
+            url: '${{ item.url }}',
+            dir: path.join(os.tmpdir(), 'opencli-download-test'),
+            filename: '${{ index }}.txt',
+            progress: false,
+            concurrency: 1,
+        }, [
+            { url: 'https://a.example/file-1.txt' },
+            { url: 'https://b.example/file-2.txt' },
+        ], {});
+        expect(mockHttpDownload).toHaveBeenNthCalledWith(1, 'https://a.example/file-1.txt', path.join(os.tmpdir(), 'opencli-download-test', '0.txt'), expect.objectContaining({ cookies: 'sid=a.example' }));
+        expect(mockHttpDownload).toHaveBeenNthCalledWith(2, 'https://b.example/file-2.txt', path.join(os.tmpdir(), 'opencli-download-test', '1.txt'), expect.objectContaining({ cookies: 'sid=b.example' }));
+    });
+    it('builds yt-dlp cookies from all target domains instead of only the first item', async () => {
+        const getCookies = vi.fn().mockImplementation(async (opts) => {
+            const domain = opts?.domain ?? 'unknown';
+            return [{
+                    name: `sid-${domain}`,
+                    value: domain,
+                    domain,
+                    path: '/',
+                    secure: false,
+                    httpOnly: false,
+                }];
+        });
+        const page = createMockPage(getCookies);
+        await stepDownload(page, {
+            url: '${{ item.url }}',
+            dir: '/tmp/opencli-download-test',
+            filename: '${{ index }}.mp4',
+            progress: false,
+            concurrency: 1,
+        }, [
+            { url: 'https://www.youtube.com/watch?v=one' },
+            { url: 'https://www.bilibili.com/video/BV1xx411c7mD' },
+        ], {});
+        expect(getCookies).toHaveBeenCalledWith({ domain: 'www.youtube.com' });
+        expect(getCookies).toHaveBeenCalledWith({ domain: 'www.bilibili.com' });
+        expect(mockExportCookiesToNetscape).toHaveBeenCalledWith(expect.arrayContaining([
+            expect.objectContaining({ name: 'sid-www.youtube.com', domain: 'www.youtube.com' }),
+            expect.objectContaining({ name: 'sid-www.bilibili.com', domain: 'www.bilibili.com' }),
+        ]), expect.any(String));
+        expect(mockYtdlpDownload).toHaveBeenCalledTimes(2);
+    });
+});

package/dist/pipeline/steps/fetch.js CHANGED Viewed

@@ -1,24 +1,10 @@
 /**
  * Pipeline step: fetch — HTTP API requests.
  */
+import { CliError, getErrorMessage } from '../../errors.js';
+import { log } from '../../logger.js';
 import { render } from '../template.js';
-function isRecord(value) {
-    return typeof value === 'object' && value !== null && !Array.isArray(value);
-}
-/** Simple async concurrency limiter */
-async function mapConcurrent(items, limit, fn) {
-    const results = new Array(items.length);
-    let index = 0;
-    async function worker() {
-        while (index < items.length) {
-            const i = index++;
-            results[i] = await fn(items[i], i);
-        }
-    }
-    const workers = Array.from({ length: Math.min(limit, items.length) }, () => worker());
-    await Promise.all(workers);
-    return results;
-}
+import { isRecord, mapConcurrent } from '../../utils.js';
 /** Single URL fetch helper */
 async function fetchSingle(page, url, method, queryParams, headers, args, data) {
     const renderedParams = {};
@@ -34,19 +20,32 @@ async function fetchSingle(page, url, method, queryParams, headers, args, data)
     }
     if (page === null) {
         const resp = await fetch(finalUrl, { method: method.toUpperCase(), headers: renderedHeaders });
+        if (!resp.ok) {
+            throw new CliError('FETCH_ERROR', `HTTP ${resp.status} ${resp.statusText} from ${finalUrl}`);
+        }
         return resp.json();
     }
     const headersJs = JSON.stringify(renderedHeaders);
     const urlJs = JSON.stringify(finalUrl);
     const methodJs = JSON.stringify(method.toUpperCase());
-    return page.evaluate(`
+    // Return error status instead of throwing inside evaluate to avoid CDP wrapper
+    // rewriting the message (CDP prepends "Evaluate error: " to thrown errors).
+    const result = await page.evaluate(`
     async () => {
       const resp = await fetch(${urlJs}, {
         method: ${methodJs}, headers: ${headersJs}, credentials: "include"
       });
+      if (!resp.ok) {
+        return { __httpError: resp.status, statusText: resp.statusText };
+      }
       return await resp.json();
     }
   `);
+    if (result && typeof result === 'object' && '__httpError' in result) {
+        const { __httpError: status, statusText } = result;
+        throw new CliError('FETCH_ERROR', `HTTP ${status} ${statusText} from ${finalUrl}`);
+    }
+    return result;
 }
 /**
  * Batch fetch: send all URLs into the browser as a single evaluate() call.
@@ -56,10 +55,11 @@ async function fetchSingle(page, url, method, queryParams, headers, args, data)
 async function fetchBatchInBrowser(page, urls, method, headers, concurrency) {
     const headersJs = JSON.stringify(headers);
     const urlsJs = JSON.stringify(urls);
+    const methodJs = JSON.stringify(method);
     return (await page.evaluate(`
     async () => {
       const urls = ${urlsJs};
-      const method = "${method}";
+      const method = ${methodJs};
       const headers = ${headersJs};
       const concurrency = ${concurrency};
@@ -71,9 +71,13 @@ async function fetchBatchInBrowser(page, urls, method, headers, concurrency) {
           const i = idx++;
           try {
             const resp = await fetch(urls[i], { method, headers, credentials: "include" });
+            if (!resp.ok) {
+              throw new Error('HTTP ' + resp.status + ' ' + resp.statusText + ' from ' + urls[i]);
+            }
             results[i] = await resp.json();
           } catch (e) {
-            results[i] = { error: e.message };
+            results[i] = { error: e instanceof Error ? e.message : String(e) };
+            // Note: getErrorMessage() is a Node.js utility — can't use it inside evaluate()
           }
         }
       }
@@ -111,12 +115,26 @@ export async function stepFetch(page, params, data, args) {
         });
         // BATCH IPC: if browser is available, batch all fetches into a single evaluate() call
         if (page !== null) {
-            return fetchBatchInBrowser(page, urls, method.toUpperCase(), renderedHeaders, concurrency);
+            const results = await fetchBatchInBrowser(page, urls, method.toUpperCase(), renderedHeaders, concurrency);
+            for (let i = 0; i < results.length; i++) {
+                const r = results[i];
+                if (r && typeof r === 'object' && 'error' in r) {
+                    log.warn(`Batch fetch failed for ${urls[i]}: ${r.error}`);
+                }
+            }
+            return results;
         }
         // Non-browser: use concurrent pool (already optimized)
         return mapConcurrent(data, concurrency, async (item, index) => {
             const itemUrl = String(render(urlTemplate, { args, data, item, index }));
-            return fetchSingle(null, itemUrl, method, queryParams, headers, args, data);
+            try {
+                return await fetchSingle(null, itemUrl, method, queryParams, headers, args, data);
+            }
+            catch (error) {
+                const message = getErrorMessage(error);
+                log.warn(`Batch fetch failed for ${itemUrl}: ${message}`);
+                return { error: message };
+            }
         });
     }
     const url = render(urlOrObj, { args, data });

package/dist/pipeline/steps/fetch.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/pipeline/steps/fetch.test.js ADDED Viewed

@@ -0,0 +1,123 @@
+import { afterEach, describe, expect, it, vi } from 'vitest';
+import { CliError } from '../../errors.js';
+import { stepFetch } from './fetch.js';
+afterEach(() => {
+    vi.restoreAllMocks();
+    vi.unstubAllGlobals();
+});
+describe('stepFetch', () => {
+    // W1 + W4: non-browser single fetch throws CliError with FETCH_ERROR code and full message
+    it('throws CliError with FETCH_ERROR code on non-ok responses without a browser session', async () => {
+        const jsonMock = vi.fn().mockResolvedValue({ error: 'rate limited' });
+        const fetchMock = vi.fn().mockResolvedValue({
+            ok: false,
+            status: 429,
+            statusText: 'Too Many Requests',
+            json: jsonMock,
+        });
+        vi.stubGlobal('fetch', fetchMock);
+        const err = await stepFetch(null, { url: 'https://api.example.com/items' }, null, {}).catch((e) => e);
+        expect(err).toBeInstanceOf(CliError);
+        expect(err.code).toBe('FETCH_ERROR');
+        expect(err.message).toBe('HTTP 429 Too Many Requests from https://api.example.com/items');
+        expect(jsonMock).not.toHaveBeenCalled();
+    });
+    // W1 + W3: browser single fetch returns error status from evaluate, outer code throws CliError
+    it('throws CliError with FETCH_ERROR code on non-ok responses inside the browser session', async () => {
+        const jsonMock = vi.fn().mockResolvedValue({ error: 'auth required' });
+        const fetchMock = vi.fn().mockResolvedValue({
+            ok: false,
+            status: 401,
+            statusText: 'Unauthorized',
+            json: jsonMock,
+        });
+        vi.stubGlobal('fetch', fetchMock);
+        // Simulate real CDP behavior: evaluate returns a value, errors are thrown outside
+        const page = {
+            evaluate: vi.fn(async (js) => Function(`return (${js})`)()()),
+        };
+        const err = await stepFetch(page, { url: 'https://api.example.com/items' }, null, {}).catch((e) => e);
+        expect(err).toBeInstanceOf(CliError);
+        expect(err.code).toBe('FETCH_ERROR');
+        expect(err.message).toBe('HTTP 401 Unauthorized from https://api.example.com/items');
+        expect(jsonMock).not.toHaveBeenCalled();
+    });
+    it('returns per-item HTTP errors for batch fetches without a browser session', async () => {
+        const jsonMock = vi.fn().mockResolvedValue({ error: 'upstream unavailable' });
+        const fetchMock = vi.fn().mockResolvedValue({
+            ok: false,
+            status: 503,
+            statusText: 'Service Unavailable',
+            json: jsonMock,
+        });
+        vi.stubGlobal('fetch', fetchMock);
+        await expect(stepFetch(null, { url: 'https://api.example.com/items/${{ item.id }}' }, [{ id: 1 }], {})).resolves.toEqual([
+            { error: 'HTTP 503 Service Unavailable from https://api.example.com/items/1' },
+        ]);
+        expect(jsonMock).not.toHaveBeenCalled();
+    });
+    it('returns per-item HTTP errors for batch browser fetches', async () => {
+        const jsonMock = vi.fn().mockResolvedValue({ error: 'upstream unavailable' });
+        const fetchMock = vi.fn().mockResolvedValue({
+            ok: false,
+            status: 503,
+            statusText: 'Service Unavailable',
+            json: jsonMock,
+        });
+        vi.stubGlobal('fetch', fetchMock);
+        const page = {
+            evaluate: vi.fn(async (js) => Function(`return (${js})`)()()),
+        };
+        await expect(stepFetch(page, { url: 'https://api.example.com/items/${{ item.id }}' }, [{ id: 1 }], {})).resolves.toEqual([
+            { error: 'HTTP 503 Service Unavailable from https://api.example.com/items/1' },
+        ]);
+        expect(jsonMock).not.toHaveBeenCalled();
+    });
+    it('stringifies non-Error batch browser failures consistently', async () => {
+        vi.stubGlobal('fetch', vi.fn().mockRejectedValue('socket hang up'));
+        const page = {
+            evaluate: vi.fn(async (js) => Function(`return (${js})`)()()),
+        };
+        await expect(stepFetch(page, { url: 'https://api.example.com/items/${{ item.id }}' }, [{ id: 1 }], {})).resolves.toEqual([
+            { error: 'socket hang up' },
+        ]);
+    });
+    it('stringifies non-Error batch non-browser failures consistently', async () => {
+        vi.stubGlobal('fetch', vi.fn().mockRejectedValue('socket hang up'));
+        await expect(stepFetch(null, { url: 'https://api.example.com/items/${{ item.id }}' }, [{ id: 1 }], {})).resolves.toEqual([
+            { error: 'socket hang up' },
+        ]);
+    });
+    // W2: batch item failures emit a warning log
+    it('logs a warning for each failed batch item in non-browser mode', async () => {
+        const { log } = await import('../../logger.js');
+        const warnSpy = vi.spyOn(log, 'warn');
+        vi.stubGlobal('fetch', vi.fn().mockResolvedValue({
+            ok: false,
+            status: 503,
+            statusText: 'Service Unavailable',
+            json: vi.fn(),
+        }));
+        await stepFetch(null, { url: 'https://api.example.com/items/${{ item.id }}' }, [{ id: 1 }, { id: 2 }], {});
+        expect(warnSpy).toHaveBeenCalledTimes(2);
+        expect(warnSpy).toHaveBeenCalledWith(expect.stringContaining('https://api.example.com/items/1'));
+        expect(warnSpy).toHaveBeenCalledWith(expect.stringContaining('https://api.example.com/items/2'));
+    });
+    it('logs a warning for each failed batch item in browser mode', async () => {
+        const { log } = await import('../../logger.js');
+        const warnSpy = vi.spyOn(log, 'warn');
+        vi.stubGlobal('fetch', vi.fn().mockResolvedValue({
+            ok: false,
+            status: 502,
+            statusText: 'Bad Gateway',
+            json: vi.fn(),
+        }));
+        const page = {
+            evaluate: vi.fn(async (js) => Function(`return (${js})`)()()),
+        };
+        await stepFetch(page, { url: 'https://api.example.com/items/${{ item.id }}' }, [{ id: 1 }, { id: 2 }], {});
+        expect(warnSpy).toHaveBeenCalledTimes(2);
+        expect(warnSpy).toHaveBeenCalledWith(expect.stringContaining('https://api.example.com/items/1'));
+        expect(warnSpy).toHaveBeenCalledWith(expect.stringContaining('https://api.example.com/items/2'));
+    });
+});

package/dist/pipeline/steps/transform.js CHANGED Viewed

@@ -2,9 +2,7 @@
  * Pipeline steps: data transforms — select, map, filter, sort, limit.
  */
 import { render, evalExpr } from '../template.js';
-function isRecord(value) {
-    return typeof value === 'object' && value !== null && !Array.isArray(value);
-}
+import { isRecord } from '../../utils.js';
 export async function stepSelect(_page, params, data, args) {
     const pathStr = String(render(params, { args, data }));
     if (data && typeof data === 'object') {
@@ -61,9 +59,7 @@ export async function stepSort(_page, params, data, _args) {
     return [...data].sort((a, b) => {
         const left = isRecord(a) ? a[key] : undefined;
         const right = isRecord(b) ? b[key] : undefined;
-        const va = left ?? '';
-        const vb = right ?? '';
-        const cmp = va < vb ? -1 : va > vb ? 1 : 0;
+        const cmp = String(left ?? '').localeCompare(String(right ?? ''), undefined, { numeric: true });
         return reverse ? -cmp : cmp;
     });
 }

package/dist/pipeline/template.js CHANGED Viewed

@@ -1,9 +1,8 @@
 /**
  * Pipeline template engine: ${{ ... }} expression rendering.
  */
-function isRecord(value) {
-    return typeof value === 'object' && value !== null && !Array.isArray(value);
-}
+import vm from 'node:vm';
+import { isRecord } from '../utils.js';
 export function render(template, ctx) {
     if (typeof template !== 'string')
         return template;
@@ -29,46 +28,28 @@ export function evalExpr(expr, ctx) {
     const data = ctx.data;
     const index = ctx.index ?? 0;
     // ── Pipe filters: expr | filter1(arg) | filter2 ──
-    // Supports: default(val), join(sep), upper, lower, truncate(n), trim, replace(old,new)
-    if (expr.includes('|') && !expr.includes('||')) {
-        const segments = expr.split('|').map(s => s.trim());
-        const mainExpr = segments[0];
-        let result = resolvePath(mainExpr, { args, item, data, index });
-        for (let i = 1; i < segments.length; i++) {
-            result = applyFilter(segments[i], result);
+    // Split on single | (not ||) so "item.a || item.b | upper" works correctly.
+    const pipeSegments = expr.split(/(?<!\|)\|(?!\|)/).map(s => s.trim());
+    if (pipeSegments.length > 1) {
+        let result = evalExpr(pipeSegments[0], ctx);
+        for (let i = 1; i < pipeSegments.length; i++) {
+            result = applyFilter(pipeSegments[i], result);
         }
         return result;
     }
-    // Arithmetic: index + 1
-    const arithMatch = expr.match(/^([\w][\w.]*)\s*([+\-*/])\s*(\d+)$/);
-    if (arithMatch) {
-        const [, varName, op, numStr] = arithMatch;
-        const val = resolvePath(varName, { args, item, data, index });
-        if (val !== null && val !== undefined) {
-            const numVal = Number(val);
-            const num = Number(numStr);
-            if (!isNaN(numVal)) {
-                switch (op) {
-                    case '+': return numVal + num;
-                    case '-': return numVal - num;
-                    case '*': return numVal * num;
-                    case '/': return num !== 0 ? numVal / num : 0;
-                }
-            }
-        }
-    }
-    // JS-like fallback expression: item.tweetCount || 'N/A'
-    const orMatch = expr.match(/^(.+?)\s*\|\|\s*(.+)$/);
-    if (orMatch) {
-        const left = evalExpr(orMatch[1].trim(), ctx);
-        if (left)
-            return left;
-        const right = orMatch[2].trim();
-        return right.replace(/^['"]|['"]$/g, '');
-    }
+    // Fast path: quoted string literal — skip VM overhead
+    const strLit = expr.match(/^(['"])(.*)\1$/);
+    if (strLit)
+        return strLit[2];
+    // Fast path: numeric literal
+    if (/^\d+(\.\d+)?$/.test(expr))
+        return Number(expr);
+    // Try resolving as a simple dotted path (item.foo.bar, args.limit, index)
     const resolved = resolvePath(expr, { args, item, data, index });
     if (resolved !== null && resolved !== undefined)
         return resolved;
+    // Fallback: evaluate as JS in a sandboxed VM.
+    // Handles ||, ??, arithmetic, ternary, method calls, etc. natively.
     return evalJsExpr(expr, { args, item, data, index });
 }
 /**
@@ -87,7 +68,7 @@ function applyFilter(filterExpr, value) {
         case 'default': {
             if (value === null || value === undefined || value === '') {
                 const intVal = parseInt(filterArg, 10);
-                if (!isNaN(intVal) && String(intVal) === filterArg.trim())
+                if (!Number.isNaN(intVal) && String(intVal) === filterArg.trim())
                     return intVal;
                 return filterArg;
             }
@@ -103,7 +84,7 @@ function applyFilter(filterExpr, value) {
             return typeof value === 'string' ? value.trim() : value;
         case 'truncate': {
             const n = parseInt(filterArg, 10) || 50;
-            return typeof value === 'string' && value.length > n ? value.slice(0, n) + '...' : value;
+            return typeof value === 'string' && value.length > n ? `${value.slice(0, n)}...` : value;
         }
         case 'replace': {
             if (typeof value !== 'string')
@@ -132,6 +113,7 @@ function applyFilter(filterExpr, value) {
         case 'sanitize':
             // Remove invalid filename characters
             return typeof value === 'string'
+                // biome-ignore lint/suspicious/noControlCharactersInRegex: intentional - strips C0 control chars from filenames
                 ? value.replace(/[<>:"/\\|?*\x00-\x1f]/g, '_')
                 : value;
         case 'ext': {
@@ -196,26 +178,58 @@ export function resolvePath(pathStr, ctx) {
 }
 /**
  * Evaluate arbitrary JS expressions as a last-resort fallback.
- *
- * ⚠️  SECURITY NOTE: Uses `new Function()` to execute the expression.
- * This is acceptable here because:
- *   1. YAML adapters are authored by trusted repo contributors only.
- *   2. The expression runs in the same Node.js process (no sandbox).
- *   3. Only a curated set of globals is exposed (no require/import/process/fs).
- * If opencli ever loads untrusted third-party adapters, this MUST be replaced
- * with a proper sandboxed evaluator.
+ * Runs inside a `node:vm` sandbox with dynamic code generation disabled.
+ */
+const FORBIDDEN_EXPR_PATTERNS = /\b(constructor|__proto__|prototype|globalThis|process|require|import|eval)\b/;
+/**
+ * Deep-copy plain data to sever prototype chains, preventing sandbox escape
+ * via `args.constructor.constructor('return process')()` etc.
  */
+function sanitizeContext(obj) {
+    if (obj === null || obj === undefined)
+        return obj;
+    if (typeof obj !== 'object' && typeof obj !== 'function')
+        return obj;
+    try {
+        return JSON.parse(JSON.stringify(obj));
+    }
+    catch {
+        return {};
+    }
+}
 function evalJsExpr(expr, ctx) {
     // Guard against absurdly long expressions that could indicate injection.
     if (expr.length > 2000)
         return undefined;
-    const args = ctx.args ?? {};
-    const item = ctx.item ?? {};
-    const data = ctx.data;
+    // Block obvious sandbox escape attempts.
+    if (FORBIDDEN_EXPR_PATTERNS.test(expr))
+        return undefined;
+    const args = sanitizeContext(ctx.args ?? {});
+    const item = sanitizeContext(ctx.item ?? {});
+    const data = sanitizeContext(ctx.data);
     const index = ctx.index ?? 0;
     try {
-        const fn = new Function('args', 'item', 'data', 'index', 'encodeURIComponent', 'decodeURIComponent', 'JSON', 'Math', 'Number', 'String', 'Boolean', 'Array', 'Object', 'Date', `"use strict"; return (${expr});`);
-        return fn(args, item, data, index, encodeURIComponent, decodeURIComponent, JSON, Math, Number, String, Boolean, Array, Object, Date);
+        return vm.runInNewContext(`(${expr})`, {
+            args,
+            item,
+            data,
+            index,
+            encodeURIComponent,
+            decodeURIComponent,
+            JSON,
+            Math,
+            Number,
+            String,
+            Boolean,
+            Array,
+            Date,
+        }, {
+            timeout: 50,
+            contextCodeGeneration: {
+                strings: false,
+                wasm: false,
+            },
+        });
     }
     catch {
         return undefined;

package/dist/pipeline/template.test.js CHANGED Viewed

@@ -51,6 +51,31 @@ describe('evalExpr', () => {
     it('evaluates || with truthy left', () => {
         expect(evalExpr("item.name || 'N/A'", { item: { name: 'Alice' } })).toBe('Alice');
     });
+    it('evaluates chained || fallback (issue #303)', () => {
+        // When first two are falsy, should evaluate through to the string literal
+        expect(evalExpr("item.a || item.b || 'default'", { item: {} })).toBe('default');
+    });
+    it('evaluates chained || with middle value truthy', () => {
+        expect(evalExpr("item.a || item.b || 'default'", { item: { b: 'middle' } })).toBe('middle');
+    });
+    it('evaluates chained || with first value truthy', () => {
+        expect(evalExpr("item.a || item.b || 'default'", { item: { a: 'first', b: 'middle' } })).toBe('first');
+    });
+    it('evaluates || with 0 as falsy left (JS semantics)', () => {
+        expect(evalExpr("item.count || 'N/A'", { item: { count: 0 } })).toBe('N/A');
+    });
+    it('evaluates || with empty string as falsy left', () => {
+        expect(evalExpr("item.name || 'unknown'", { item: { name: '' } })).toBe('unknown');
+    });
+    it('evaluates || with numeric fallback returning number type', () => {
+        expect(evalExpr('item.a || 42', { item: {} })).toBe(42);
+    });
+    it('evaluates 4-way chained ||', () => {
+        expect(evalExpr("item.a || item.b || item.c || 'last'", { item: { c: 'third' } })).toBe('third');
+    });
+    it('handles || combined with pipe filter', () => {
+        expect(evalExpr("item.a || item.b | upper", { item: { b: 'hello' } })).toBe('HELLO');
+    });
     it('resolves simple path', () => {
         expect(evalExpr('item.title', { item: { title: 'Test' } })).toBe('Test');
     });
@@ -63,6 +88,9 @@ describe('evalExpr', () => {
     it('evaluates method calls on values', () => {
         expect(evalExpr("args.username.startsWith('@') ? args.username : '@' + args.username", { args: { username: 'alice' } })).toBe('@alice');
     });
+    it('rejects constructor-based sandbox escapes', () => {
+        expect(evalExpr("args['cons' + 'tructor']['constructor']('return process')()", { args: {} })).toBeUndefined();
+    });
     it('applies join filter', () => {
         expect(evalExpr('item.tags | join(,)', { item: { tags: ['a', 'b', 'c'] } })).toBe('a,b,c');
     });

package/dist/pipeline/transform.test.js CHANGED Viewed

@@ -85,6 +85,24 @@ describe('stepSort', () => {
         await stepSort(null, 'score', SAMPLE_DATA, {});
         expect(SAMPLE_DATA).toEqual(original);
     });
+    it('sorts string-encoded numbers naturally by default', async () => {
+        const data = [
+            { name: 'A', volume: '99' },
+            { name: 'B', volume: '1000' },
+            { name: 'C', volume: '250' },
+        ];
+        const result = await stepSort(null, { by: 'volume', order: 'desc' }, data, {});
+        expect(result.map((r) => r.name)).toEqual(['B', 'C', 'A']);
+    });
+    it('handles missing fields gracefully', async () => {
+        const data = [
+            { name: 'A', value: '10' },
+            { name: 'B' },
+            { name: 'C', value: '5' },
+        ];
+        const result = await stepSort(null, { by: 'value', order: 'asc' }, data, {});
+        expect(result.map((r) => r.name)).toEqual(['B', 'C', 'A']);
+    });
 });
 describe('stepLimit', () => {
     it('limits array to N items', async () => {