@jackwener/opencli 1.7.14 → 1.7.16

package/clis/twitter/like.test.js

@@ -0,0 +1,73 @@
+import { describe, expect, it } from 'vitest';
+import { ArgumentError, CommandExecutionError } from '@jackwener/opencli/errors';
+import { getRegistry } from '@jackwener/opencli/registry';
+import './like.js';
+import { createPageMock } from '../test-utils.js';
+
+describe('twitter like command', () => {
+    it('navigates to the tweet URL and reports success when the like script confirms', async () => {
+        const cmd = getRegistry().get('twitter/like');
+        expect(cmd?.func).toBeTypeOf('function');
+        const page = createPageMock([
+            { ok: true, message: 'Tweet successfully liked.' },
+        ]);
+        const result = await cmd.func(page, {
+            url: 'https://x.com/alice/status/2040254679301718161',
+        });
+        expect(page.goto).toHaveBeenCalledWith('https://x.com/alice/status/2040254679301718161');
+        expect(page.wait).toHaveBeenNthCalledWith(1, { selector: '[data-testid="primaryColumn"]' });
+        expect(page.wait).toHaveBeenNthCalledWith(2, 2);
+        const script = page.evaluate.mock.calls[0][0];
+        // Idempotency: looks for the unlike button (already-liked path) before clicking.
+        expect(script).toContain("targetArticle?.querySelector('[data-testid=\"like\"]')");
+        expect(script).toContain("targetArticle?.querySelector('[data-testid=\"unlike\"]')");
+        expect(script).toContain('likeBtn.click()');
+        // Article scoping comes from the shared helper (buildTwitterArticleScopeSource):
+        // emits __twHasLinkToTarget + __twGetStatusIdFromHref + the anchored
+        // tweet-path regex. JSDOM-level coverage lives in shared.test.js.
+        expect(script).toContain('__twHasLinkToTarget');
+        expect(script).toContain('__twGetStatusIdFromHref');
+        expect(script).toContain("document.querySelectorAll('article')");
+        expect(result).toEqual([
+            { status: 'success', message: 'Tweet successfully liked.' },
+        ]);
+    });
+
+    it('returns a failed row without re-waiting when the like script reports a UI mismatch', async () => {
+        const cmd = getRegistry().get('twitter/like');
+        const page = createPageMock([
+            {
+                ok: false,
+                message: 'Could not find the Like button on this tweet after waiting 10 seconds. Are you logged in?',
+            },
+        ]);
+        const result = await cmd.func(page, {
+            url: 'https://x.com/alice/status/2040254679301718161',
+        });
+        expect(result).toEqual([
+            {
+                status: 'failed',
+                message: 'Could not find the Like button on this tweet after waiting 10 seconds. Are you logged in?',
+            },
+        ]);
+        // Only the primaryColumn wait should run when ok is false.
+        expect(page.wait).toHaveBeenCalledTimes(1);
+    });
+
+    it('throws CommandExecutionError when no page is provided', async () => {
+        const cmd = getRegistry().get('twitter/like');
+        await expect(cmd.func(undefined, {
+            url: 'https://x.com/alice/status/2040254679301718161',
+        })).rejects.toThrow(CommandExecutionError);
+    });
+
+    it('rejects invalid tweet URLs before navigation', async () => {
+        const cmd = getRegistry().get('twitter/like');
+        const page = createPageMock([]);
+        await expect(cmd.func(page, {
+            url: 'https://x.com/alice/status/2040254679301718161/photo/1',
+        })).rejects.toThrow(ArgumentError);
+        expect(page.goto).not.toHaveBeenCalled();
+        expect(page.evaluate).not.toHaveBeenCalled();
+    });
+});

package/clis/twitter/likes.js

@@ -1,7 +1,7 @@
 import { cli, Strategy } from '@jackwener/opencli/registry';
 import { AuthRequiredError, CommandExecutionError } from '@jackwener/opencli/errors';
 import { resolveTwitterQueryId, sanitizeQueryId, extractMedia } from './shared.js';
-const BEARER_TOKEN = 'AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4puTs%3D1Zv7ttfk8LF81IUq16cHjhLTvJu4FA33AGWWjCpTnA';
+import { TWITTER_BEARER_TOKEN, applyTopByEngagement } from './utils.js';
 const LIKES_QUERY_ID = 'RozQdCp4CilQzrcuU0NY5w';
 const USER_BY_SCREEN_NAME_QUERY_ID = 'qRednkZG-rn1P6b48NINmQ';
 const FEATURES = {
@@ -138,23 +138,22 @@ cli({
     site: 'twitter',
     name: 'likes',
     access: 'read',
-    description: 'Fetch liked tweets of a Twitter user',
+    description: 'Fetch liked tweets of a Twitter user (defaults to the logged-in user when no username is given)',
     domain: 'x.com',
     strategy: Strategy.COOKIE,
     browser: true,
+    browserSession: { reuse: 'site' },
     args: [
-        { name: 'username', type: 'string', positional: true, help: 'Twitter screen name (without @). Defaults to logged-in user.' },
-        { name: 'limit', type: 'int', default: 20 },
+        { name: 'username', type: 'string', positional: true, help: 'Twitter screen name (with or without @). Defaults to the logged-in user when omitted.' },
+        { name: 'limit', type: 'int', default: 20, help: 'Maximum number of liked tweets to return (default 20).' },
+        { name: 'top-by-engagement', type: 'int', default: 0, help: 'When set to N>0, re-rank the liked tweets by weighted engagement (likes×1 + retweets×3 + replies×2 + bookmarks×5 + log10(views+1)×0.5) and return the top N. Default 0 keeps the API\'s native (recency) ordering.' },
     ],
     columns: ['id', 'author', 'name', 'text', 'likes', 'retweets', 'created_at', 'url', 'has_media', 'media_urls'],
     func: async (page, kwargs) => {
         const limit = kwargs.limit || 20;
         let username = (kwargs.username || '').replace(/^@/, '');
-        await page.goto('https://x.com');
-        await page.wait(3);
-        const ct0 = await page.evaluate(`() => {
-      return document.cookie.split(';').map(c => c.trim()).find(c => c.startsWith('ct0='))?.split('=')[1] || null;
-    }`);
+        const cookies = await page.getCookies({ url: 'https://x.com' });
+        const ct0 = cookies.find((c) => c.name === 'ct0')?.value || null;
         if (!ct0)
             throw new AuthRequiredError('x.com', 'Not logged into x.com (no ct0 cookie)');
         // If no username provided, detect the logged-in user
@@ -170,7 +169,7 @@ cli({
         const likesQueryId = await resolveTwitterQueryId(page, 'Likes', LIKES_QUERY_ID);
         const userByScreenNameQueryId = await resolveTwitterQueryId(page, 'UserByScreenName', USER_BY_SCREEN_NAME_QUERY_ID);
         const headers = JSON.stringify({
-            'Authorization': `Bearer ${decodeURIComponent(BEARER_TOKEN)}`,
+            'Authorization': `Bearer ${decodeURIComponent(TWITTER_BEARER_TOKEN)}`,
             'X-Csrf-Token': ct0,
             'X-Twitter-Auth-Type': 'OAuth2Session',
             'X-Twitter-Active-User': 'yes',
@@ -208,7 +207,8 @@ cli({
                 break;
             cursor = nextCursor;
         }
-        return allTweets.slice(0, limit);
+        const trimmed = allTweets.slice(0, limit);
+        return applyTopByEngagement(trimmed, kwargs['top-by-engagement']);
     },
 });
 export const __test__ = {

package/clis/twitter/list-add.js

@@ -2,8 +2,8 @@ import { cli, Strategy } from '@jackwener/opencli/registry';
 import { AuthRequiredError, CommandExecutionError } from '@jackwener/opencli/errors';
 import { resolveTwitterQueryId } from './shared.js';
 import { parseListsManagement } from './lists.js';
+import { TWITTER_BEARER_TOKEN } from './utils.js';
 
-const BEARER_TOKEN = 'AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4puTs%3D1Zv7ttfk8LF81IUq16cHjhLTvJu4FA33AGWWjCpTnA';
 const USER_BY_SCREEN_NAME_QUERY_ID = 'qRednkZG-rn1P6b48NINmQ';
 const LISTS_MANAGEMENT_QUERY_ID = '78UbkyXwXBD98IgUWXOy9g';
 
@@ -71,8 +71,8 @@ cli({
     strategy: Strategy.UI,
     browser: true,
     args: [
-        { name: 'listId', positional: true, type: 'string', required: true },
-        { name: 'username', positional: true, type: 'string', required: true },
+        { name: 'listId', positional: true, type: 'string', required: true, help: 'Numeric ID of the list you own (e.g. from `opencli twitter lists`)' },
+        { name: 'username', positional: true, type: 'string', required: true, help: 'Twitter/X handle to add (with or without @)' },
     ],
     columns: ['listId', 'username', 'userId', 'status', 'message'],
     func: async (page, kwargs) => {
@@ -84,17 +84,18 @@ cli({
         if (!username) {
             throw new CommandExecutionError('Username is required');
         }
+        // Strategy.UI does not get a domain URL pre-nav from the framework.
+        // This page context is load-bearing for pre-target GraphQL calls below.
         await page.goto('https://x.com');
         await page.wait(3);
-        const ct0 = await page.evaluate(`() => {
-            return document.cookie.split(';').map(c => c.trim()).find(c => c.startsWith('ct0='))?.split('=')[1] || null;
-        }`);
+        const cookies = await page.getCookies({ url: 'https://x.com' });
+        const ct0 = cookies.find((c) => c.name === 'ct0')?.value || null;
         if (!ct0) throw new AuthRequiredError('x.com', 'Not logged into x.com (no ct0 cookie)');
 
         const userByScreenNameQueryId = await resolveTwitterQueryId(page, 'UserByScreenName', USER_BY_SCREEN_NAME_QUERY_ID);
 
         const headers = JSON.stringify({
-            'Authorization': `Bearer ${decodeURIComponent(BEARER_TOKEN)}`,
+            'Authorization': `Bearer ${decodeURIComponent(TWITTER_BEARER_TOKEN)}`,
             'X-Csrf-Token': ct0,
             'X-Twitter-Auth-Type': 'OAuth2Session',
             'X-Twitter-Active-User': 'yes',

package/clis/twitter/list-add.test.js

@@ -1,4 +1,4 @@
-import { describe, expect, it } from 'vitest';
+import { describe, expect, it, vi } from 'vitest';
 import { getRegistry } from '@jackwener/opencli/registry';
 import './list-add.js';
 
@@ -12,4 +12,26 @@ describe('twitter list-add registration', () => {
         expect(listIdArg?.required).toBe(true);
         expect(listIdArg?.positional).toBe(true);
     });
+
+    it('keeps the x.com root navigation before pre-target GraphQL calls', async () => {
+        const cmd = getRegistry().get('twitter/list-add');
+        const page = {
+            goto: vi.fn().mockResolvedValue(undefined),
+            wait: vi.fn().mockResolvedValue(undefined),
+            getCookies: vi.fn().mockResolvedValue([{ name: 'ct0', value: 'token' }]),
+            evaluate: vi.fn()
+                .mockResolvedValueOnce(null) // UserByScreenName queryId fallback
+                .mockResolvedValueOnce('user-1')
+                .mockResolvedValueOnce(null) // ListsManagement queryId fallback
+                .mockResolvedValueOnce({}),
+        };
+
+        await expect(cmd.func(page, { listId: '123', username: 'alice' }))
+            .rejects
+            .toThrow(/List 123 not found/);
+        expect(page.goto).toHaveBeenCalledWith('https://x.com');
+        expect(page.goto).toHaveBeenCalledTimes(1);
+        expect(page.wait).toHaveBeenCalledWith(3);
+        expect(page.getCookies).toHaveBeenCalledWith({ url: 'https://x.com' });
+    });
 });

package/clis/twitter/list-remove.js

@@ -2,8 +2,8 @@ import { cli, Strategy } from '@jackwener/opencli/registry';
 import { AuthRequiredError, CommandExecutionError } from '@jackwener/opencli/errors';
 import { resolveTwitterQueryId } from './shared.js';
 import { parseListsManagement } from './lists.js';
+import { TWITTER_BEARER_TOKEN } from './utils.js';
 
-const BEARER_TOKEN = 'AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4puTs%3D1Zv7ttfk8LF81IUq16cHjhLTvJu4FA33AGWWjCpTnA';
 const USER_BY_SCREEN_NAME_QUERY_ID = 'qRednkZG-rn1P6b48NINmQ';
 const LISTS_MANAGEMENT_QUERY_ID = '78UbkyXwXBD98IgUWXOy9g';
 
@@ -80,8 +80,8 @@ cli({
     strategy: Strategy.UI,
     browser: true,
     args: [
-        { name: 'listId', positional: true, type: 'string', required: true },
-        { name: 'username', positional: true, type: 'string', required: true },
+        { name: 'listId', positional: true, type: 'string', required: true, help: 'Numeric ID of the list you own (e.g. from `opencli twitter lists`)' },
+        { name: 'username', positional: true, type: 'string', required: true, help: 'Twitter/X handle to remove (with or without @)' },
     ],
     columns: ['listId', 'username', 'userId', 'status', 'message'],
     func: async (page, kwargs) => {
@@ -92,16 +92,17 @@ cli({
         }
         if (!username) throw new CommandExecutionError('Username is required');
 
+        // Strategy.UI does not get a domain URL pre-nav from the framework.
+        // This page context is load-bearing for pre-target GraphQL calls below.
         await page.goto('https://x.com');
         await page.wait(3);
-        const ct0 = await page.evaluate(`() => {
-            return document.cookie.split(';').map(c => c.trim()).find(c => c.startsWith('ct0='))?.split('=')[1] || null;
-        }`);
+        const cookies = await page.getCookies({ url: 'https://x.com' });
+        const ct0 = cookies.find((c) => c.name === 'ct0')?.value || null;
         if (!ct0) throw new AuthRequiredError('x.com', 'Not logged into x.com (no ct0 cookie)');
 
         const userByScreenNameQueryId = await resolveTwitterQueryId(page, 'UserByScreenName', USER_BY_SCREEN_NAME_QUERY_ID);
         const headers = JSON.stringify({
-            'Authorization': `Bearer ${decodeURIComponent(BEARER_TOKEN)}`,
+            'Authorization': `Bearer ${decodeURIComponent(TWITTER_BEARER_TOKEN)}`,
             'X-Csrf-Token': ct0,
             'X-Twitter-Auth-Type': 'OAuth2Session',
             'X-Twitter-Active-User': 'yes',

package/clis/twitter/list-remove.test.js

@@ -1,4 +1,4 @@
-import { describe, expect, it } from 'vitest';
+import { describe, expect, it, vi } from 'vitest';
 import { getRegistry } from '@jackwener/opencli/registry';
 import './list-remove.js';
 
@@ -11,4 +11,26 @@ describe('twitter list-remove registration', () => {
         expect(listIdArg).toBeTruthy();
         expect(listIdArg?.required).toBe(true);
     });
+
+    it('keeps the x.com root navigation before pre-target GraphQL calls', async () => {
+        const cmd = getRegistry().get('twitter/list-remove');
+        const page = {
+            goto: vi.fn().mockResolvedValue(undefined),
+            wait: vi.fn().mockResolvedValue(undefined),
+            getCookies: vi.fn().mockResolvedValue([{ name: 'ct0', value: 'token' }]),
+            evaluate: vi.fn()
+                .mockResolvedValueOnce(null) // UserByScreenName queryId fallback
+                .mockResolvedValueOnce('user-1')
+                .mockResolvedValueOnce(null) // ListsManagement queryId fallback
+                .mockResolvedValueOnce({}),
+        };
+
+        await expect(cmd.func(page, { listId: '123', username: 'alice' }))
+            .rejects
+            .toThrow(/List 123 not found/);
+        expect(page.goto).toHaveBeenCalledWith('https://x.com');
+        expect(page.goto).toHaveBeenCalledTimes(1);
+        expect(page.wait).toHaveBeenCalledWith(3);
+        expect(page.getCookies).toHaveBeenCalledWith({ url: 'https://x.com' });
+    });
 });

package/clis/twitter/list-tweets.js

@@ -1,7 +1,7 @@
 import { cli, Strategy } from '@jackwener/opencli/registry';
 import { AuthRequiredError, CommandExecutionError } from '@jackwener/opencli/errors';
+import { TWITTER_BEARER_TOKEN, applyTopByEngagement } from './utils.js';
 
-const BEARER_TOKEN = 'AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4puTs%3D1Zv7ttfk8LF81IUq16cHjhLTvJu4FA33AGWWjCpTnA';
 const LIST_TWEETS_QUERY_ID = 'RlZzktZY_9wJynoepm8ZsA';
 const OPERATION_NAME = 'ListLatestTweetsTimeline';
 
@@ -112,9 +112,11 @@ cli({
     domain: 'x.com',
     strategy: Strategy.COOKIE,
     browser: true,
+    browserSession: { reuse: 'site' },
     args: [
-        { name: 'listId', positional: true, type: 'string', required: true },
+        { name: 'listId', positional: true, type: 'string', required: true, help: 'Numeric ID of a Twitter/X list (e.g. from `opencli twitter lists`)' },
         { name: 'limit', type: 'int', default: 50 },
+        { name: 'top-by-engagement', type: 'int', default: 0, help: 'When set to N>0, re-rank the list timeline by weighted engagement (likes×1 + retweets×3 + replies×2 + bookmarks×5 + log10(views+1)×0.5) and return the top N. Default 0 keeps the list\'s native (recency) ordering.' },
     ],
     columns: ['id', 'author', 'text', 'likes', 'retweets', 'replies', 'created_at', 'url'],
     func: async (page, kwargs) => {
@@ -123,11 +125,8 @@ cli({
             throw new CommandExecutionError(`Invalid listId: ${JSON.stringify(kwargs.listId)}. Expected a numeric ID (see \`opencli twitter lists\`).`);
         }
         const limit = kwargs.limit || 50;
-        await page.goto('https://x.com');
-        await page.wait(3);
-        const ct0 = await page.evaluate(`() => {
-            return document.cookie.split(';').map(c => c.trim()).find(c => c.startsWith('ct0='))?.split('=')[1] || null;
-        }`);
+        const cookies = await page.getCookies({ url: 'https://x.com' });
+        const ct0 = cookies.find((c) => c.name === 'ct0')?.value || null;
         if (!ct0)
             throw new AuthRequiredError('x.com', 'Not logged into x.com (no ct0 cookie)');
         const queryId = await page.evaluate(`async () => {
@@ -155,7 +154,7 @@ cli({
             return null;
         }`) || LIST_TWEETS_QUERY_ID;
         const headers = JSON.stringify({
-            'Authorization': `Bearer ${decodeURIComponent(BEARER_TOKEN)}`,
+            'Authorization': `Bearer ${decodeURIComponent(TWITTER_BEARER_TOKEN)}`,
             'X-Csrf-Token': ct0,
             'X-Twitter-Auth-Type': 'OAuth2Session',
             'X-Twitter-Active-User': 'yes',
@@ -181,6 +180,7 @@ cli({
                 break;
             cursor = nextCursor;
         }
-        return allTweets.slice(0, limit);
+        const trimmed = allTweets.slice(0, limit);
+        return applyTopByEngagement(trimmed, kwargs['top-by-engagement']);
     },
 });

package/clis/twitter/lists.js

@@ -1,7 +1,7 @@
 import { cli, Strategy } from '@jackwener/opencli/registry';
 import { AuthRequiredError, CommandExecutionError } from '@jackwener/opencli/errors';
+import { TWITTER_BEARER_TOKEN } from './utils.js';
 
-const BEARER_TOKEN = 'AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4puTs%3D1Zv7ttfk8LF81IUq16cHjhLTvJu4FA33AGWWjCpTnA';
 const LISTS_QUERY_ID = '78UbkyXwXBD98IgUWXOy9g';
 const OPERATION_NAME = 'ListsManagementPageTimeline';
 
@@ -92,17 +92,15 @@ export const command = cli({
     domain: 'x.com',
     strategy: Strategy.COOKIE,
     browser: true,
+    browserSession: { reuse: 'site' },
     args: [
-        { name: 'limit', type: 'int', default: 50 },
+        { name: 'limit', type: 'int', default: 50, help: 'Maximum number of lists to return (default 50).' },
     ],
     columns: ['id', 'name', 'members', 'followers', 'mode'],
     func: async (page, kwargs) => {
         const limit = kwargs.limit || 50;
-        await page.goto('https://x.com');
-        await page.wait(3);
-        const ct0 = await page.evaluate(`() => {
-            return document.cookie.split(';').map(c => c.trim()).find(c => c.startsWith('ct0='))?.split('=')[1] || null;
-        }`);
+        const cookies = await page.getCookies({ url: 'https://x.com' });
+        const ct0 = cookies.find((c) => c.name === 'ct0')?.value || null;
         if (!ct0)
             throw new AuthRequiredError('x.com', 'Not logged into x.com (no ct0 cookie)');
         const queryId = await page.evaluate(`async () => {
@@ -130,7 +128,7 @@ export const command = cli({
             return null;
         }`) || LISTS_QUERY_ID;
         const headers = JSON.stringify({
-            'Authorization': `Bearer ${decodeURIComponent(BEARER_TOKEN)}`,
+            'Authorization': `Bearer ${decodeURIComponent(TWITTER_BEARER_TOKEN)}`,
             'X-Csrf-Token': ct0,
             'X-Twitter-Auth-Type': 'OAuth2Session',
             'X-Twitter-Active-User': 'yes',

package/clis/twitter/notifications.js

@@ -4,12 +4,13 @@ cli({
     site: 'twitter',
     name: 'notifications',
     access: 'read',
-    description: 'Get Twitter/X notifications',
+    description: 'Get your Twitter/X notifications (the logged-in user\'s likes/replies/follows feed, newest first)',
     domain: 'x.com',
     strategy: Strategy.INTERCEPT,
     browser: true,
+    browserSession: { reuse: 'site' },
     args: [
-        { name: 'limit', type: 'int', default: 20 },
+        { name: 'limit', type: 'int', default: 20, help: 'Maximum number of notifications to return (default 20).' },
     ],
     columns: ['id', 'action', 'author', 'text', 'url'],
     func: async (page, kwargs) => {

package/clis/twitter/profile.js

@@ -1,17 +1,19 @@
 import { AuthRequiredError, CommandExecutionError } from '@jackwener/opencli/errors';
 import { cli, Strategy } from '@jackwener/opencli/registry';
 import { resolveTwitterQueryId } from './shared.js';
+import { TWITTER_BEARER_TOKEN } from './utils.js';
 const USER_BY_SCREEN_NAME_QUERY_ID = 'qRednkZG-rn1P6b48NINmQ';
 cli({
     site: 'twitter',
     name: 'profile',
     access: 'read',
-    description: 'Fetch a Twitter user profile (bio, stats, etc.)',
+    description: 'Fetch a Twitter user profile — bio, stats, etc. (defaults to the logged-in user when no username is given)',
     domain: 'x.com',
     strategy: Strategy.COOKIE,
     browser: true,
+    browserSession: { reuse: 'site' },
     args: [
-        { name: 'username', type: 'string', positional: true, help: 'Twitter screen name (without @). Defaults to logged-in user.' },
+        { name: 'username', type: 'string', positional: true, help: 'Twitter screen name (with or without @). Defaults to the logged-in user when omitted.' },
     ],
     columns: ['screen_name', 'name', 'bio', 'location', 'url', 'followers', 'following', 'tweets', 'likes', 'verified', 'created_at'],
     func: async (page, kwargs) => {
@@ -31,14 +33,18 @@ cli({
         // Navigate directly to the user's profile page (gives us cookie context)
         await page.goto(`https://x.com/${username}`);
         await page.wait(3);
+        // Read CSRF token directly from the cookie store via CDP — zero page.evaluate round-trip
+        const cookies = await page.getCookies({ url: 'https://x.com' });
+        const ct0 = cookies.find((c) => c.name === 'ct0')?.value || null;
+        if (!ct0)
+            throw new AuthRequiredError('x.com', 'Not logged into x.com (no ct0 cookie)');
         const queryId = await resolveTwitterQueryId(page, 'UserByScreenName', USER_BY_SCREEN_NAME_QUERY_ID);
         const result = await page.evaluate(`
       async () => {
         const screenName = "${username}";
-        const ct0 = document.cookie.split(';').map(c=>c.trim()).find(c=>c.startsWith('ct0='))?.split('=')[1];
-        if (!ct0) return {error: 'No ct0 cookie — not logged into x.com'};
+        const ct0 = ${JSON.stringify(ct0)};
 
-        const bearer = 'AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4puTs%3D1Zv7ttfk8LF81IUq16cHjhLTvJu4FA33AGWWjCpTnA';
+        const bearer = ${JSON.stringify(TWITTER_BEARER_TOKEN)};
         const headers = {
           'Authorization': 'Bearer ' + decodeURIComponent(bearer),
           'X-Csrf-Token': ct0,
@@ -95,8 +101,6 @@ cli({
       }
     `);
         if (result?.error) {
-            if (String(result.error).includes('No ct0 cookie'))
-                throw new AuthRequiredError('x.com', result.error);
             throw new CommandExecutionError(result.error + (result.hint ? ` (${result.hint})` : ''));
         }
         return result || [];

package/clis/twitter/quote.js

@@ -1,10 +1,13 @@
+import * as fs from 'node:fs';
 import { CommandExecutionError } from '@jackwener/opencli/errors';
 import { cli, Strategy } from '@jackwener/opencli/registry';
-import { parseTweetUrl } from './shared.js';
-
-function extractTweetId(url) {
-    return parseTweetUrl(url).id;
-}
+import { parseTweetUrl, buildTwitterArticleScopeSource } from './shared.js';
+import {
+    COMPOSER_FILE_INPUT_SELECTOR,
+    attachComposerImage,
+    downloadRemoteImage,
+    resolveImagePath,
+} from './utils.js';
 
 function buildQuoteComposerUrl(url) {
     // Twitter/X quote-tweet compose URL: the `url` param attaches the source
@@ -17,15 +20,8 @@ function buildQuoteComposerUrl(url) {
 async function submitQuote(page, text, tweetId) {
     return page.evaluate(`(async () => {
         try {
+            ${buildTwitterArticleScopeSource(tweetId)}
             const visible = (el) => !!el && (el.offsetParent !== null || el.getClientRects().length > 0);
-            const getStatusId = (href) => {
-                try {
-                    const match = new URL(href, window.location.origin).pathname.match(/^\\/(?:[^/]+|i)\\/status\\/(\\d+)\\/?$/);
-                    return match?.[1] || null;
-                } catch {
-                    return null;
-                }
-            };
             const boxes = Array.from(document.querySelectorAll('[data-testid="tweetTextarea_0"]'));
             const box = boxes.find(visible) || boxes[0];
             if (!box) {
@@ -34,7 +30,6 @@ async function submitQuote(page, text, tweetId) {
 
             box.focus();
             const textToInsert = ${JSON.stringify(text)};
-            const tweetId = ${JSON.stringify(tweetId)};
             // execCommand('insertText') is more reliable with Twitter's Draft.js editor.
             if (!document.execCommand('insertText', false, textToInsert)) {
                 // Fallback to paste event if execCommand fails.
@@ -49,13 +44,16 @@ async function submitQuote(page, text, tweetId) {
 
             await new Promise(r => setTimeout(r, 1000));
 
-            // Confirm the quoted card is rendered before submitting; otherwise we may
-            // accidentally post a plain tweet without the quote attachment.
+            // Confirm the quoted card is rendered before submitting; otherwise
+            // we may accidentally post a plain tweet without the quote
+            // attachment. The compose page does not wrap the card in an
+            // <article>, so we probe the document for any link whose path
+            // exactly matches the requested status id (uses __twHasLinkToTarget
+            // from buildTwitterArticleScopeSource).
             let cardAttempts = 0;
             let hasQuoteCard = false;
             while (cardAttempts < 20) {
-                hasQuoteCard = Array.from(document.querySelectorAll('a[href*="/status/"]'))
-                    .some((link) => getStatusId(link.href) === tweetId);
+                hasQuoteCard = __twHasLinkToTarget(document);
                 if (hasQuoteCard) break;
                 await new Promise(r => setTimeout(r, 250));
                 cardAttempts++;
@@ -102,38 +100,68 @@ cli({
     site: 'twitter',
     name: 'quote',
     access: 'write',
-    description: 'Quote-tweet a specific tweet with your own text',
+    description: 'Quote-tweet a specific tweet with your own text, optionally with a local or remote image',
     domain: 'x.com',
     strategy: Strategy.UI,
     browser: true,
     args: [
         { name: 'url', type: 'string', required: true, positional: true, help: 'The URL of the tweet to quote' },
         { name: 'text', type: 'string', required: true, positional: true, help: 'The text content of your quote' },
+        { name: 'image', help: 'Optional local image path to attach to the quote tweet' },
+        { name: 'image-url', help: 'Optional remote image URL to download and attach to the quote tweet' },
     ],
     columns: ['status', 'message', 'text'],
     func: async (page, kwargs) => {
         if (!page)
             throw new CommandExecutionError('Browser session required for twitter quote');
+        if (kwargs.image && kwargs['image-url']) {
+            throw new CommandExecutionError('Use either --image or --image-url, not both.');
+        }
 
-        // Dedicated composer is more reliable than the inline quote-tweet button.
+        // Validate URL (typed ArgumentError on malformed/off-domain inputs)
+        // before any browser interaction or remote image download.
         const target = parseTweetUrl(kwargs.url);
-        await page.goto(`https://x.com/compose/post?url=${encodeURIComponent(target.url)}`, { waitUntil: 'load', settleMs: 2500 });
-        await page.wait({ selector: '[data-testid="tweetTextarea_0"]', timeout: 15 });
 
-        const result = await submitQuote(page, kwargs.text, target.id);
-        if (result.ok) {
-            // Wait for network submission to complete
-            await page.wait(3);
+        let localImagePath;
+        let cleanupDir;
+        try {
+            if (kwargs.image) {
+                localImagePath = resolveImagePath(kwargs.image);
+            } else if (kwargs['image-url']) {
+                const downloaded = await downloadRemoteImage(kwargs['image-url']);
+                localImagePath = downloaded.absPath;
+                cleanupDir = downloaded.cleanupDir;
+            }
+
+            // Dedicated composer is more reliable than the inline quote-tweet button.
+            await page.goto(`https://x.com/compose/post?url=${encodeURIComponent(target.url)}`, { waitUntil: 'load', settleMs: 2500 });
+            await page.wait({ selector: '[data-testid="tweetTextarea_0"]', timeout: 15 });
+
+            if (localImagePath) {
+                await page.wait({ selector: COMPOSER_FILE_INPUT_SELECTOR, timeout: 20 });
+                await attachComposerImage(page, localImagePath);
+            }
+
+            const result = await submitQuote(page, kwargs.text, target.id);
+            if (result.ok) {
+                // Wait for network submission to complete
+                await page.wait(3);
+            }
+            return [{
+                    status: result.ok ? 'success' : 'failed',
+                    message: result.message,
+                    text: kwargs.text,
+                    ...(kwargs.image ? { image: kwargs.image } : {}),
+                    ...(kwargs['image-url'] ? { 'image-url': kwargs['image-url'] } : {}),
+                }];
+        } finally {
+            if (cleanupDir) {
+                fs.rmSync(cleanupDir, { recursive: true, force: true });
+            }
         }
-        return [{
-                status: result.ok ? 'success' : 'failed',
-                message: result.message,
-                text: kwargs.text,
-            }];
     }
 });
 
 export const __test__ = {
     buildQuoteComposerUrl,
-    extractTweetId,
 };