npm - @jackwener/opencli - Versions diffs - 1.7.14 → 1.7.16 - Mend

@jackwener/opencli 1.7.14 → 1.7.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (153) hide show

package/README.md +9 -6
package/README.zh-CN.md +9 -6
package/cli-manifest.json +374 -74
package/clis/bilibili/subtitle.js +1 -1
package/clis/chatgpt/ask.js +2 -1
package/clis/chatgpt/detail.js +6 -1
package/clis/chatgpt/read.js +2 -1
package/clis/chatgpt/send.js +2 -1
package/clis/chatgpt/utils.js +54 -12
package/clis/chatgpt/utils.test.js +36 -1
package/clis/claude/ask.js +22 -7
package/clis/claude/detail.js +9 -2
package/clis/claude/new.js +8 -2
package/clis/claude/read.js +2 -1
package/clis/claude/send.js +8 -3
package/clis/claude/utils.js +27 -4
package/clis/deepseek/ask.js +21 -8
package/clis/deepseek/detail.js +9 -1
package/clis/deepseek/new.js +13 -2
package/clis/deepseek/read.js +2 -1
package/clis/deepseek/utils.js +8 -1
package/clis/dianping/cityResolver.js +185 -0
package/clis/dianping/dianping.test.js +154 -0
package/clis/dianping/search.js +6 -3
package/clis/douyin/_shared/browser-fetch.js +14 -2
package/clis/douyin/_shared/browser-fetch.test.js +13 -0
package/clis/douyin/stats.js +1 -1
package/clis/douyin/update.js +1 -1
package/clis/jike/search.js +1 -1
package/clis/linkedin/search.js +8 -11
package/clis/maimai/search-talents.js +10 -6
package/clis/openreview/author.js +58 -0
package/clis/openreview/openreview.test.js +83 -1
package/clis/openreview/utils.js +14 -0
package/clis/reddit/comment.js +1 -0
package/clis/reddit/frontpage.js +1 -0
package/clis/reddit/popular.js +1 -0
package/clis/reddit/read.js +2 -0
package/clis/reddit/read.test.js +4 -0
package/clis/reddit/save.js +1 -0
package/clis/reddit/saved.js +1 -0
package/clis/reddit/search.js +2 -1
package/clis/reddit/subreddit.js +2 -1
package/clis/reddit/subscribe.js +1 -0
package/clis/reddit/upvote.js +1 -0
package/clis/reddit/upvoted.js +1 -0
package/clis/reddit/user-comments.js +2 -1
package/clis/reddit/user-posts.js +2 -1
package/clis/reddit/user.js +2 -1
package/clis/twitter/article.js +9 -5
package/clis/twitter/bookmark-folder.js +187 -0
package/clis/twitter/bookmark-folder.test.js +337 -0
package/clis/twitter/bookmark-folders.js +115 -0
package/clis/twitter/bookmark-folders.test.js +152 -0
package/clis/twitter/bookmark.js +15 -6
package/clis/twitter/bookmark.test.js +74 -0
package/clis/twitter/bookmarks.js +10 -10
package/clis/twitter/delete.js +11 -35
package/clis/twitter/delete.test.js +21 -9
package/clis/twitter/download.js +6 -5
package/clis/twitter/followers.js +10 -3
package/clis/twitter/following.js +14 -11
package/clis/twitter/following.test.js +2 -1
package/clis/twitter/hide-reply.js +24 -5
package/clis/twitter/hide-reply.test.js +76 -0
package/clis/twitter/like.js +21 -11
package/clis/twitter/like.test.js +73 -0
package/clis/twitter/likes.js +11 -11
package/clis/twitter/list-add.js +8 -7
package/clis/twitter/list-add.test.js +23 -1
package/clis/twitter/list-remove.js +8 -7
package/clis/twitter/list-remove.test.js +23 -1
package/clis/twitter/list-tweets.js +9 -9
package/clis/twitter/lists.js +6 -8
package/clis/twitter/notifications.js +3 -2
package/clis/twitter/profile.js +11 -7
package/clis/twitter/quote.js +60 -32
package/clis/twitter/quote.test.js +96 -8
package/clis/twitter/reply.js +24 -178
package/clis/twitter/reply.test.js +29 -11
package/clis/twitter/retweet.js +9 -14
package/clis/twitter/retweet.test.js +5 -1
package/clis/twitter/search.js +176 -23
package/clis/twitter/search.test.js +266 -1
package/clis/twitter/shared.js +43 -0
package/clis/twitter/shared.test.js +107 -1
package/clis/twitter/thread.js +11 -11
package/clis/twitter/timeline.js +13 -13
package/clis/twitter/trending.js +4 -4
package/clis/twitter/tweets.js +8 -9
package/clis/twitter/unbookmark.js +13 -6
package/clis/twitter/unbookmark.test.js +73 -0
package/clis/twitter/unlike.js +6 -13
package/clis/twitter/unlike.test.js +5 -2
package/clis/twitter/unretweet.js +9 -14
package/clis/twitter/unretweet.test.js +5 -1
package/clis/twitter/utils.js +286 -0
package/clis/twitter/utils.test.js +169 -0
package/clis/youtube/like.js +6 -2
package/clis/youtube/subscribe.js +6 -2
package/clis/youtube/unlike.js +6 -2
package/clis/youtube/unsubscribe.js +6 -2
package/clis/youtube/utils.js +19 -13
package/clis/youtube/utils.test.js +17 -1
package/dist/src/browser/ax-snapshot.d.ts +37 -0
package/dist/src/browser/ax-snapshot.js +217 -0
package/dist/src/browser/ax-snapshot.test.d.ts +1 -0
package/dist/src/browser/ax-snapshot.test.js +91 -0
package/dist/src/browser/base-page.d.ts +51 -0
package/dist/src/browser/base-page.js +545 -2
package/dist/src/browser/base-page.test.js +520 -4
package/dist/src/browser/bridge.d.ts +1 -0
package/dist/src/browser/bridge.js +1 -1
package/dist/src/browser/cdp-click-fixture.test.d.ts +1 -0
package/dist/src/browser/cdp-click-fixture.test.js +87 -0
package/dist/src/browser/cdp.d.ts +1 -0
package/dist/src/browser/cdp.js +5 -0
package/dist/src/browser/cdp.test.js +1 -0
package/dist/src/browser/daemon-client.d.ts +5 -3
package/dist/src/browser/daemon-client.js +6 -3
package/dist/src/browser/daemon-client.test.js +10 -0
package/dist/src/browser/find.d.ts +9 -1
package/dist/src/browser/find.js +219 -0
package/dist/src/browser/find.test.js +61 -1
package/dist/src/browser/page.d.ts +4 -2
package/dist/src/browser/page.js +18 -1
package/dist/src/browser/page.test.js +28 -0
package/dist/src/browser/target-errors.d.ts +3 -1
package/dist/src/browser/target-errors.js +2 -0
package/dist/src/browser/target-resolver.d.ts +14 -0
package/dist/src/browser/target-resolver.js +28 -0
package/dist/src/browser/visual-refs.d.ts +11 -0
package/dist/src/browser/visual-refs.js +108 -0
package/dist/src/build-manifest.d.ts +23 -0
package/dist/src/build-manifest.js +34 -0
package/dist/src/build-manifest.test.js +108 -1
package/dist/src/cli.js +630 -60
package/dist/src/cli.test.js +731 -1
package/dist/src/commanderAdapter.js +7 -0
package/dist/src/doctor.js +2 -2
package/dist/src/doctor.test.js +4 -4
package/dist/src/execution.d.ts +2 -0
package/dist/src/execution.js +31 -6
package/dist/src/execution.test.js +43 -16
package/dist/src/external-clis.yaml +24 -0
package/dist/src/help.d.ts +33 -0
package/dist/src/help.js +174 -0
package/dist/src/main.js +4 -14
package/dist/src/runtime.d.ts +3 -0
package/dist/src/runtime.js +1 -0
package/dist/src/types.d.ts +83 -1
package/package.json +1 -1
package/scripts/typed-error-lint-baseline.json +18 -18

package/clis/twitter/shared.test.js CHANGED Viewed

@@ -1,8 +1,9 @@
 import { describe, expect, it } from 'vitest';
+import { JSDOM } from 'jsdom';
 import { __test__ } from './shared.js';
 import { ArgumentError } from '@jackwener/opencli/errors';
-const { extractMedia, parseTweetUrl } = __test__;
+const { extractMedia, parseTweetUrl, buildTwitterArticleScopeSource } = __test__;
 describe('twitter parseTweetUrl', () => {
     it('accepts exact Twitter/X tweet URLs and preserves query parameters', () => {
@@ -30,6 +31,111 @@ describe('twitter parseTweetUrl', () => {
     });
 });
+describe('twitter buildTwitterArticleScopeSource', () => {
+    // JSDOM-based tests prove the returned source actually works on real DOM —
+    // mocked `evaluate` tests in adapter specs only verify the script string
+    // contains expected tokens, but cannot catch silent matching bugs (cf.
+    // dianping #1312: mocked-evaluate single tests miss in-browser logic bugs).
+    function loadHelpers(tweetId, dom) {
+        const source = buildTwitterArticleScopeSource(tweetId);
+        const probe = new Function(
+            'document',
+            'window',
+            'URL',
+            `${source}\nreturn { findTargetArticle, __twHasLinkToTarget, __twGetStatusIdFromHref };`,
+        );
+        return probe(dom.window.document, dom.window, dom.window.URL);
+    }
+    function makeDom(html) {
+        return new JSDOM(`<html><body>${html}</body></html>`, { url: 'https://x.com/alice/status/2040254679301718161' });
+    }
+    it('finds the article whose link exactly matches the requested status id', () => {
+        const dom = makeDom(`
+            <article id="a"><a href="https://x.com/alice/status/2040254679301718161">link</a></article>
+            <article id="b"><a href="https://x.com/bob/status/9999999999999999999">link</a></article>
+        `);
+        const helpers = loadHelpers('2040254679301718161', dom);
+        const article = helpers.findTargetArticle();
+        expect(article?.id).toBe('a');
+    });
+    it('rejects substring matches — tweet id 123 must not match /status/1234567', () => {
+        // This is the codex-mini0 #1400 catch (substring vulnerability):
+        // `/status/123` was accepted as a substring of `/status/1234567`.
+        const dom = makeDom('<article><a href="https://x.com/alice/status/1234567">link</a></article>');
+        const helpers = loadHelpers('123', dom);
+        expect(helpers.findTargetArticle()).toBeUndefined();
+    });
+    it('rejects path-suffix attack — /status/<id>/photo/1 must not match status <id>', () => {
+        // Same regex anchor that parseTweetUrl uses — guards against attached
+        // paths like `/photo/1` that would otherwise pass with a loose suffix.
+        const dom = makeDom('<article><a href="https://x.com/alice/status/2040254679301718161/photo/1">link</a></article>');
+        const helpers = loadHelpers('2040254679301718161', dom);
+        expect(helpers.findTargetArticle()).toBeUndefined();
+    });
+    it('rejects off-domain links even when the path has the requested status id', () => {
+        const dom = makeDom('<article><a href="https://evil.com/alice/status/2040254679301718161">link</a></article>');
+        const helpers = loadHelpers('2040254679301718161', dom);
+        expect(helpers.findTargetArticle()).toBeUndefined();
+    });
+    it('rejects host-suffix and non-https status links', () => {
+        const dom = makeDom(`
+            <article id="suffix"><a href="https://x.com.evil.com/alice/status/2040254679301718161">link</a></article>
+            <article id="http"><a href="http://x.com/alice/status/2040254679301718161">link</a></article>
+        `);
+        const helpers = loadHelpers('2040254679301718161', dom);
+        expect(helpers.findTargetArticle()).toBeUndefined();
+    });
+    it('accepts exact Twitter/X status links with query and hash suffixes', () => {
+        const dom = makeDom('<article id="ok"><a href="https://mobile.twitter.com/alice/status/2040254679301718161?s=20#fragment">link</a></article>');
+        const helpers = loadHelpers('2040254679301718161', dom);
+        expect(helpers.findTargetArticle()?.id).toBe('ok');
+    });
+    it('matches /i/status/<id> URL form', () => {
+        const dom = makeDom('<article><a href="https://x.com/i/status/2040318731105313143">link</a></article>');
+        const helpers = loadHelpers('2040318731105313143', dom);
+        expect(helpers.findTargetArticle()).toBeTruthy();
+    });
+    it('__twHasLinkToTarget reports true on any descendant <a> matching tweet id', () => {
+        // Used by quote-card guard in quote.js — the quoted tweet card is not
+        // inside an <article>, but somewhere on the compose page.
+        const dom = makeDom(`
+            <div data-testid="card.wrapper">
+                <a href="https://x.com/alice/status/2040254679301718161">quoted card</a>
+            </div>
+        `);
+        const helpers = loadHelpers('2040254679301718161', dom);
+        expect(helpers.__twHasLinkToTarget(dom.window.document)).toBe(true);
+    });
+    it('__twGetStatusIdFromHref returns null on non-status URLs', () => {
+        const dom = makeDom('');
+        const helpers = loadHelpers('123', dom);
+        expect(helpers.__twGetStatusIdFromHref('https://x.com/alice/home')).toBeNull();
+        expect(helpers.__twGetStatusIdFromHref('https://x.com/alice/status/123/photo/1')).toBeNull();
+        expect(helpers.__twGetStatusIdFromHref('https://evil.com/alice/status/123')).toBeNull();
+        expect(helpers.__twGetStatusIdFromHref('https://x.com.evil.com/alice/status/123')).toBeNull();
+        expect(helpers.__twGetStatusIdFromHref('http://x.com/alice/status/123')).toBeNull();
+        expect(helpers.__twGetStatusIdFromHref('not a url')).toBeNull();
+    });
+    it('emits the canonical regex anchor — guards future maintainers from dropping ^ or $', () => {
+        const source = buildTwitterArticleScopeSource('123');
+        // Source-level assertion complements the JSDOM behavioural tests above.
+        // If a future refactor relaxes the anchor (e.g. drops ^ or $), the
+        // JSDOM tests would still pass on benign inputs but fail on adversarial
+        // cases. This token check ensures the regex shape itself is preserved.
+        expect(source).toContain('/^\\/(?:[^/]+|i)\\/status\\/(\\d+)\\/?$/');
+    });
+});
 describe('twitter extractMedia', () => {
     it('returns false + empty list when legacy has no media', () => {
         expect(extractMedia({})).toEqual({ has_media: false, media_urls: [] });

package/clis/twitter/thread.js CHANGED Viewed

@@ -1,8 +1,8 @@
 import { cli, Strategy } from '@jackwener/opencli/registry';
 import { AuthRequiredError, CommandExecutionError } from '@jackwener/opencli/errors';
 import { extractMedia } from './shared.js';
+import { TWITTER_BEARER_TOKEN, applyTopByEngagement } from './utils.js';
 // ── Twitter GraphQL constants ──────────────────────────────────────────
-const BEARER_TOKEN = 'AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4puTs%3D1Zv7ttfk8LF81IUq16cHjhLTvJu4FA33AGWWjCpTnA';
 const TWEET_DETAIL_QUERY_ID = 'nBS-WpgA6ZG0CyNHD517JQ';
 const FEATURES = {
     responsive_web_graphql_exclude_directive_enabled: true,
@@ -100,9 +100,11 @@ cli({
     domain: 'x.com',
     strategy: Strategy.COOKIE,
     browser: true,
+    browserSession: { reuse: 'site' },
     args: [
-        { name: 'tweet-id', positional: true, type: 'string', required: true },
+        { name: 'tweet-id', positional: true, type: 'string', required: true, help: 'Tweet numeric ID (e.g. 1234567890) or full status URL' },
         { name: 'limit', type: 'int', default: 50 },
+        { name: 'top-by-engagement', type: 'int', default: 0, help: 'When set to N>0, re-rank the thread by weighted engagement (likes×1 + retweets×3 + replies×2 + bookmarks×5 + log10(views+1)×0.5) and return the top N. Default 0 keeps the conversation\'s structural ordering.' },
     ],
     columns: ['id', 'author', 'text', 'likes', 'retweets', 'url', 'has_media', 'media_urls'],
     func: async (page, kwargs) => {
@@ -110,18 +112,15 @@ cli({
         const urlMatch = tweetId.match(/\/status\/(\d+)/);
         if (urlMatch)
             tweetId = urlMatch[1];
-        // Navigate to x.com for cookie context
-        await page.goto('https://x.com');
-        await page.wait(3);
-        // Extract CSRF token — the only thing we need from the browser
-        const ct0 = await page.evaluate(`() => {
-      return document.cookie.split(';').map(c=>c.trim()).find(c=>c.startsWith('ct0='))?.split('=')[1] || null;
-    }`);
+        // Cookie context auto-established by framework pre-nav (Strategy.COOKIE + domain).
+        // Read CSRF token directly from the cookie store via CDP — zero page.evaluate round-trip.
+        const cookies = await page.getCookies({ url: 'https://x.com' });
+        const ct0 = cookies.find((c) => c.name === 'ct0')?.value || null;
         if (!ct0)
             throw new AuthRequiredError('x.com', 'Not logged into x.com (no ct0 cookie)');
         // Build auth headers in TypeScript
         const headers = JSON.stringify({
-            'Authorization': `Bearer ${decodeURIComponent(BEARER_TOKEN)}`,
+            'Authorization': `Bearer ${decodeURIComponent(TWITTER_BEARER_TOKEN)}`,
             'X-Csrf-Token': ct0,
             'X-Twitter-Auth-Type': 'OAuth2Session',
             'X-Twitter-Active-User': 'yes',
@@ -149,6 +148,7 @@ cli({
                 break;
             cursor = nextCursor;
         }
-        return allTweets.slice(0, kwargs.limit);
+        const trimmed = allTweets.slice(0, kwargs.limit);
+        return applyTopByEngagement(trimmed, kwargs['top-by-engagement']);
     },
 });

package/clis/twitter/timeline.js CHANGED Viewed

@@ -1,8 +1,8 @@
 import { AuthRequiredError, CommandExecutionError } from '@jackwener/opencli/errors';
 import { cli, Strategy } from '@jackwener/opencli/registry';
 import { resolveTwitterQueryId, extractMedia } from './shared.js';
+import { TWITTER_BEARER_TOKEN, applyTopByEngagement } from './utils.js';
 // ── Twitter GraphQL constants ──────────────────────────────────────────
-const BEARER_TOKEN = 'AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4puTs%3D1Zv7ttfk8LF81IUq16cHjhLTvJu4FA33AGWWjCpTnA';
 const HOME_TIMELINE_QUERY_ID = 'c-CzHF1LboFilMpsx4ZCrQ';
 const HOME_LATEST_TIMELINE_QUERY_ID = 'BKB7oi212Fi7kQtCBGE4zA';
 // Endpoint config: for-you uses GET HomeTimeline, following uses POST HomeLatestTimeline
@@ -137,38 +137,37 @@ cli({
     site: 'twitter',
     name: 'timeline',
     access: 'read',
-    description: 'Fetch Twitter timeline (for-you or following)',
+    description: 'Fetch the logged-in user\'s home timeline (for-you algorithmic feed by default; pass --type following for the chronological feed of accounts you follow)',
     domain: 'x.com',
     strategy: Strategy.COOKIE,
     browser: true,
+    browserSession: { reuse: 'site' },
     args: [
         {
             name: 'type',
             default: 'for-you',
             choices: ['for-you', 'following'],
-            help: 'Timeline type: for-you (algorithmic) or following (chronological)',
+            help: 'Which home-timeline feed to read. Default for-you (algorithmic). Use following for the chronological feed of accounts you follow.',
         },
-        { name: 'limit', type: 'int', default: 20 },
+        { name: 'limit', type: 'int', default: 20, help: 'Maximum number of tweets to return (default 20).' },
+        { name: 'top-by-engagement', type: 'int', default: 0, help: 'When set to N>0, re-rank the timeline by weighted engagement (likes×1 + retweets×3 + replies×2 + bookmarks×5 + log10(views+1)×0.5) and return the top N. Default 0 keeps X\'s native ordering.' },
     ],
     columns: ['id', 'author', 'text', 'likes', 'retweets', 'replies', 'views', 'created_at', 'url', 'has_media', 'media_urls'],
     func: async (page, kwargs) => {
         const limit = kwargs.limit || 20;
         const timelineType = kwargs.type === 'following' ? 'following' : 'for-you';
         const { endpoint, method, fallbackQueryId } = TIMELINE_ENDPOINTS[timelineType];
-        // Navigate to x.com for cookie context
-        await page.goto('https://x.com');
-        await page.wait(3);
-        // Extract CSRF token
-        const ct0 = await page.evaluate(`() => {
-      return document.cookie.split(';').map(c=>c.trim()).find(c=>c.startsWith('ct0='))?.split('=')[1] || null;
-    }`);
+        // Cookie context auto-established by framework pre-nav (Strategy.COOKIE + domain).
+        // Read CSRF token directly from the cookie store via CDP — zero page.evaluate round-trip.
+        const cookies = await page.getCookies({ url: 'https://x.com' });
+        const ct0 = cookies.find((c) => c.name === 'ct0')?.value || null;
         if (!ct0)
             throw new AuthRequiredError('x.com', 'Not logged into x.com (no ct0 cookie)');
         // Dynamically resolve queryId for the selected endpoint
         const queryId = await resolveTwitterQueryId(page, endpoint, fallbackQueryId);
         // Build auth headers
         const headers = JSON.stringify({
-            Authorization: `Bearer ${decodeURIComponent(BEARER_TOKEN)}`,
+            Authorization: `Bearer ${decodeURIComponent(TWITTER_BEARER_TOKEN)}`,
             'X-Csrf-Token': ct0,
             'X-Twitter-Auth-Type': 'OAuth2Session',
             'X-Twitter-Active-User': 'yes',
@@ -196,7 +195,8 @@ cli({
                 break;
             cursor = nextCursor;
         }
-        return allTweets.slice(0, limit);
+        const trimmed = allTweets.slice(0, limit);
+        return applyTopByEngagement(trimmed, kwargs['top-by-engagement']);
     },
 });
 export const __test__ = {

package/clis/twitter/trending.js CHANGED Viewed

@@ -17,6 +17,7 @@ cli({
     domain: 'x.com',
     strategy: Strategy.COOKIE,
     browser: true,
+    browserSession: { reuse: 'site' },
     args: [
         { name: 'limit', type: 'int', default: 20, help: 'Number of trends to show' },
     ],
@@ -26,10 +27,9 @@ cli({
         // Navigate to trending page
         await page.goto('https://x.com/explore/tabs/trending');
         await page.wait(3);
-        // Verify login via CSRF cookie
-        const ct0 = await page.evaluate(`(() => {
-      return document.cookie.split(';').map(c=>c.trim()).find(c=>c.startsWith('ct0='))?.split('=')[1] || null;
-    })()`);
+        // Verify login via CSRF cookie (read directly from cookie store via CDP)
+        const cookies = await page.getCookies({ url: 'https://x.com' });
+        const ct0 = cookies.find((c) => c.name === 'ct0')?.value || null;
         if (!ct0)
             throw new AuthRequiredError('x.com', 'Not logged into x.com (no ct0 cookie)');
         await page.wait(2);

package/clis/twitter/tweets.js CHANGED Viewed

@@ -1,8 +1,8 @@
 import { cli, Strategy } from '@jackwener/opencli/registry';
 import { AuthRequiredError, CommandExecutionError, EmptyResultError } from '@jackwener/opencli/errors';
 import { resolveTwitterQueryId, sanitizeQueryId, extractMedia } from './shared.js';
+import { TWITTER_BEARER_TOKEN, applyTopByEngagement } from './utils.js';
-const BEARER_TOKEN = 'AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4puTs%3D1Zv7ttfk8LF81IUq16cHjhLTvJu4FA33AGWWjCpTnA';
 const USER_TWEETS_QUERY_ID = '6fWQaBPK51aGyC_VC7t9GQ';
 const USER_BY_SCREEN_NAME_QUERY_ID = 'IGgvgiOx4QZndDHuD3x9TQ';
@@ -149,9 +149,11 @@ cli({
     domain: 'x.com',
     strategy: Strategy.COOKIE,
     browser: true,
+    browserSession: { reuse: 'site' },
     args: [
         { name: 'username', type: 'string', positional: true, required: true, help: 'Twitter screen name (with or without @)' },
         { name: 'limit', type: 'int', default: 20, help: 'Max tweets to return' },
+        { name: 'top-by-engagement', type: 'int', default: 0, help: 'When set to N>0, re-rank the tweets by weighted engagement (likes×1 + retweets×3 + replies×2 + bookmarks×5 + log10(views+1)×0.5) and return the top N. Default 0 keeps the chronological ordering.' },
     ],
     columns: ['id', 'author', 'created_at', 'is_retweet', 'text', 'likes', 'retweets', 'replies', 'views', 'url', 'has_media', 'media_urls'],
     func: async (page, kwargs) => {
@@ -159,19 +161,15 @@ cli({
         const username = String(kwargs.username || '').replace(/^@/, '').trim();
         if (!username) throw new CommandExecutionError('username is required');
-        await page.goto('https://x.com');
-        await page.wait(3);
-        const ct0 = await page.evaluate(`() => {
-      return document.cookie.split(';').map(c => c.trim()).find(c => c.startsWith('ct0='))?.split('=')[1] || null;
-    }`);
+        const cookies = await page.getCookies({ url: 'https://x.com' });
+        const ct0 = cookies.find((c) => c.name === 'ct0')?.value || null;
         if (!ct0) throw new AuthRequiredError('x.com', 'Not logged into x.com (no ct0 cookie)');
         const userTweetsQueryId = await resolveTwitterQueryId(page, 'UserTweets', USER_TWEETS_QUERY_ID);
         const userByScreenNameQueryId = await resolveTwitterQueryId(page, 'UserByScreenName', USER_BY_SCREEN_NAME_QUERY_ID);
         const headers = JSON.stringify({
-            'Authorization': `Bearer ${decodeURIComponent(BEARER_TOKEN)}`,
+            'Authorization': `Bearer ${decodeURIComponent(TWITTER_BEARER_TOKEN)}`,
             'X-Csrf-Token': ct0,
             'X-Twitter-Auth-Type': 'OAuth2Session',
             'X-Twitter-Active-User': 'yes',
@@ -207,7 +205,8 @@ cli({
         }
         if (all.length === 0) throw new EmptyResultError(`@${username} has no recent tweets`, 'Account may be private or suspended');
-        return all.slice(0, limit);
+        const trimmed = all.slice(0, limit);
+        return applyTopByEngagement(trimmed, kwargs['top-by-engagement']);
     },
 });

package/clis/twitter/unbookmark.js CHANGED Viewed

@@ -1,5 +1,7 @@
 import { CommandExecutionError } from '@jackwener/opencli/errors';
 import { cli, Strategy } from '@jackwener/opencli/registry';
+import { parseTweetUrl, buildTwitterArticleScopeSource } from './shared.js';
 cli({
     site: 'twitter',
     name: 'unbookmark',
@@ -15,21 +17,25 @@ cli({
     func: async (page, kwargs) => {
         if (!page)
             throw new CommandExecutionError('Browser session required for twitter unbookmark');
-        await page.goto(kwargs.url);
+        const target = parseTweetUrl(kwargs.url);
+        await page.goto(target.url);
         await page.wait({ selector: '[data-testid="primaryColumn"]' });
         const result = await page.evaluate(`(async () => {
         try {
+            ${buildTwitterArticleScopeSource(target.id)}
             let attempts = 0;
             let removeBtn = null;
+            let targetArticle = null;
             while (attempts < 20) {
-                // Check if not bookmarked
-                const bookmarkBtn = document.querySelector('[data-testid="bookmark"]');
+                targetArticle = findTargetArticle();
+                // Check if not bookmarked (already removed)
+                const bookmarkBtn = targetArticle?.querySelector('[data-testid="bookmark"]');
                 if (bookmarkBtn) {
                     return { ok: true, message: 'Tweet is not bookmarked (already removed).' };
                 }
-                removeBtn = document.querySelector('[data-testid="removeBookmark"]');
+                removeBtn = targetArticle?.querySelector('[data-testid="removeBookmark"]') || null;
                 if (removeBtn) break;
                 await new Promise(r => setTimeout(r, 500));
@@ -37,14 +43,15 @@ cli({
             }
             if (!removeBtn) {
-                return { ok: false, message: 'Could not find Remove Bookmark button. Are you logged in?' };
+                return { ok: false, message: 'Could not find Remove Bookmark button on the requested tweet. Are you logged in?' };
             }
             removeBtn.click();
             await new Promise(r => setTimeout(r, 1000));
             // Verify
-            const verify = document.querySelector('[data-testid="bookmark"]');
+            const verifyArticle = findTargetArticle() || targetArticle;
+            const verify = verifyArticle?.querySelector('[data-testid="bookmark"]');
             if (verify) {
                 return { ok: true, message: 'Tweet successfully removed from bookmarks.' };
             } else {

package/clis/twitter/unbookmark.test.js ADDED Viewed

@@ -0,0 +1,73 @@
+import { describe, expect, it } from 'vitest';
+import { ArgumentError, CommandExecutionError } from '@jackwener/opencli/errors';
+import { getRegistry } from '@jackwener/opencli/registry';
+import './unbookmark.js';
+import { createPageMock } from '../test-utils.js';
+describe('twitter unbookmark command', () => {
+    it('navigates to the tweet URL and reports success when the unbookmark script confirms', async () => {
+        const cmd = getRegistry().get('twitter/unbookmark');
+        expect(cmd?.func).toBeTypeOf('function');
+        const page = createPageMock([
+            { ok: true, message: 'Tweet successfully removed from bookmarks.' },
+        ]);
+        const result = await cmd.func(page, {
+            url: 'https://x.com/alice/status/2040254679301718161',
+        });
+        expect(page.goto).toHaveBeenCalledWith('https://x.com/alice/status/2040254679301718161');
+        expect(page.wait).toHaveBeenNthCalledWith(1, { selector: '[data-testid="primaryColumn"]' });
+        expect(page.wait).toHaveBeenNthCalledWith(2, 2);
+        const script = page.evaluate.mock.calls[0][0];
+        // Idempotency probe: when already not bookmarked ([data-testid="bookmark"] present),
+        // the script returns ok:true with an "already removed" message.
+        expect(script).toContain("targetArticle?.querySelector('[data-testid=\"bookmark\"]')");
+        expect(script).toContain("targetArticle?.querySelector('[data-testid=\"removeBookmark\"]')");
+        expect(script).toContain('removeBtn.click()');
+        // Article scoping comes from the shared helper (buildTwitterArticleScopeSource):
+        // emits __twHasLinkToTarget + __twGetStatusIdFromHref + the anchored
+        // tweet-path regex. JSDOM-level coverage lives in shared.test.js.
+        expect(script).toContain('__twHasLinkToTarget');
+        expect(script).toContain('__twGetStatusIdFromHref');
+        expect(script).toContain("document.querySelectorAll('article')");
+        expect(result).toEqual([
+            { status: 'success', message: 'Tweet successfully removed from bookmarks.' },
+        ]);
+    });
+    it('returns a failed row without re-waiting when the unbookmark script reports a UI mismatch', async () => {
+        const cmd = getRegistry().get('twitter/unbookmark');
+        const page = createPageMock([
+            {
+                ok: false,
+                message: 'Could not find Remove Bookmark button on the requested tweet. Are you logged in?',
+            },
+        ]);
+        const result = await cmd.func(page, {
+            url: 'https://x.com/alice/status/2040254679301718161',
+        });
+        expect(result).toEqual([
+            {
+                status: 'failed',
+                message: 'Could not find Remove Bookmark button on the requested tweet. Are you logged in?',
+            },
+        ]);
+        expect(page.wait).toHaveBeenCalledTimes(1);
+    });
+    it('throws CommandExecutionError when no page is provided', async () => {
+        const cmd = getRegistry().get('twitter/unbookmark');
+        await expect(cmd.func(undefined, {
+            url: 'https://x.com/alice/status/2040254679301718161',
+        })).rejects.toThrow(CommandExecutionError);
+    });
+    it('rejects invalid tweet URLs before navigation', async () => {
+        const cmd = getRegistry().get('twitter/unbookmark');
+        const page = createPageMock([]);
+        await expect(cmd.func(page, {
+            url: 'http://x.com/alice/status/2040254679301718161',
+        })).rejects.toThrow(ArgumentError);
+        expect(page.goto).not.toHaveBeenCalled();
+        expect(page.evaluate).not.toHaveBeenCalled();
+    });
+});

package/clis/twitter/unlike.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { CommandExecutionError } from '@jackwener/opencli/errors';
 import { cli, Strategy } from '@jackwener/opencli/registry';
-import { parseTweetUrl } from './shared.js';
+import { parseTweetUrl, buildTwitterArticleScopeSource } from './shared.js';
 cli({
     site: 'twitter',
@@ -22,18 +22,11 @@ cli({
         await page.wait({ selector: '[data-testid="primaryColumn"]' });
         const result = await page.evaluate(`(async () => {
         try {
-            const tweetId = ${JSON.stringify(target.id)};
-            const findTargetArticle = () => Array.from(document.querySelectorAll('article')).find((article) =>
-                Array.from(article.querySelectorAll('a[href*="/status/"]')).some((link) => {
-                    try {
-                        const match = new URL(link.href, window.location.origin).pathname.match(/^\/(?:[^/]+|i)\/status\/(\d+)\/?$/);
-                        return match?.[1] === tweetId;
-                    } catch {
-                        return false;
-                    }
-                })
-            );
-            // Poll for the tweet to render
+            ${buildTwitterArticleScopeSource(target.id)}
+            // Poll for the tweet to render. State probes scoped to the article
+            // matching the requested status id — bare querySelector on a
+            // conversation page would silently grab the first article (e.g.
+            // the parent tweet) and unlike the wrong one.
             let attempts = 0;
             let likeBtn = null;
             let unlikeBtn = null;

package/clis/twitter/unlike.test.js CHANGED Viewed

@@ -23,9 +23,12 @@ describe('twitter unlike command', () => {
         expect(script).toContain("targetArticle?.querySelector('[data-testid=\"like\"]')");
         expect(script).toContain("targetArticle?.querySelector('[data-testid=\"unlike\"]')");
         expect(script).toContain('unlikeBtn.click()');
+        // Article scoping comes from the shared helper (buildTwitterArticleScopeSource):
+        // emits __twHasLinkToTarget + __twGetStatusIdFromHref + the anchored
+        // tweet-path regex. JSDOM-level coverage lives in shared.test.js.
+        expect(script).toContain('__twHasLinkToTarget');
+        expect(script).toContain('__twGetStatusIdFromHref');
         expect(script).toContain("document.querySelectorAll('article')");
-        expect(script).toContain('match?.[1] === tweetId');
-        expect(script).toContain("targetArticle?.querySelector('[data-testid=\"unlike\"]')");
         expect(result).toEqual([
             { status: 'success', message: 'Tweet successfully unliked.' },
         ]);

package/clis/twitter/unretweet.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { CommandExecutionError } from '@jackwener/opencli/errors';
 import { cli, Strategy } from '@jackwener/opencli/registry';
-import { parseTweetUrl } from './shared.js';
+import { parseTweetUrl, buildTwitterArticleScopeSource } from './shared.js';
 cli({
     site: 'twitter',
@@ -22,18 +22,11 @@ cli({
         await page.wait({ selector: '[data-testid="primaryColumn"]' });
         const result = await page.evaluate(`(async () => {
         try {
-            const tweetId = ${JSON.stringify(target.id)};
-            const findTargetArticle = () => Array.from(document.querySelectorAll('article')).find((article) =>
-                Array.from(article.querySelectorAll('a[href*="/status/"]')).some((link) => {
-                    try {
-                        const match = new URL(link.href, window.location.origin).pathname.match(/^\/(?:[^/]+|i)\/status\/(\d+)\/?$/);
-                        return match?.[1] === tweetId;
-                    } catch {
-                        return false;
-                    }
-                })
-            );
-            // Poll for the tweet to render
+            ${buildTwitterArticleScopeSource(target.id)}
+            // Poll for the tweet to render. State probes scoped to the article
+            // matching the requested status id — bare querySelector on a
+            // conversation page would silently grab the first article (e.g.
+            // the parent tweet) and unretweet the wrong one.
             let attempts = 0;
             let retweetBtn = null;
             let unretweetBtn = null;
@@ -62,7 +55,9 @@ cli({
             // Step 1: click Unretweet button → opens menu
             unretweetBtn.click();
-            // Step 2: wait for the confirm menu item to appear, then click it
+            // Step 2: wait for and click the confirm menu item. The confirm
+            // popover renders at the document root, not inside the article,
+            // so this lookup is intentionally document-scoped.
             let confirmBtn = null;
             for (let i = 0; i < 20; i++) {
                 await new Promise(r => setTimeout(r, 250));

package/clis/twitter/unretweet.test.js CHANGED Viewed

@@ -24,8 +24,12 @@ describe('twitter unretweet command', () => {
         expect(script).toContain('unretweetBtn.click()');
         expect(script).toContain("document.querySelector('[data-testid=\"unretweetConfirm\"]')");
         expect(script).toContain('confirmBtn.click()');
+        // Article scoping comes from the shared helper (buildTwitterArticleScopeSource):
+        // emits __twHasLinkToTarget + __twGetStatusIdFromHref + the anchored
+        // tweet-path regex. JSDOM-level coverage lives in shared.test.js.
+        expect(script).toContain('__twHasLinkToTarget');
+        expect(script).toContain('__twGetStatusIdFromHref');
         expect(script).toContain("document.querySelectorAll('article')");
-        expect(script).toContain('match?.[1] === tweetId');
         expect(script).toContain("targetArticle?.querySelector('[data-testid=\"unretweet\"]')");
         // Idempotency probe: when already not retweeted ([data-testid="retweet"] present),
         // the script returns ok:true with an "already removed" message.