@jackwener/opencli 1.7.18 → 1.7.19

package/clis/reddit/whoami.js

@@ -0,0 +1,84 @@
+import { AuthRequiredError, CommandExecutionError } from '@jackwener/opencli/errors';
+import { cli, Strategy } from '@jackwener/opencli/registry';
+
+cli({
+    site: 'reddit',
+    name: 'whoami',
+    access: 'read',
+    description: 'Show the currently logged-in Reddit user',
+    domain: 'reddit.com',
+    strategy: Strategy.COOKIE,
+    browser: true,
+    siteSession: 'persistent',
+    args: [],
+    columns: ['field', 'value'],
+    func: async (page) => {
+        await page.goto('https://www.reddit.com');
+        // Probe identity via /api/me.json. Reddit returns 200 with an empty
+        // body for stale anonymous sessions, so 401/403 alone is not a
+        // sufficient logged-out signal — we also verify `data.name` exists
+        // (two-pronged auth detection from PR #1428).
+        //
+        // Intermediate object keys deliberately avoid `field` / `value` to
+        // sidestep the silent-column-drop audit (columns are ['field',
+        // 'value']) — see PR #1329 sediment "中间解析对象 key 不能跟 columns
+        // 任一项重叠".
+        const result = await page.evaluate(`(async () => {
+      try {
+        const res = await fetch('/api/me.json?raw_json=1', { credentials: 'include' });
+        if (res.status === 401 || res.status === 403) {
+          return { kind: 'auth', detail: 'Reddit /api/me.json returned HTTP ' + res.status };
+        }
+        if (!res.ok) {
+          return { kind: 'http', httpStatus: res.status, where: '/api/me.json' };
+        }
+        const d = await res.json();
+        const me = d?.data;
+        if (!me?.name) {
+          return { kind: 'auth', detail: 'Not logged in to reddit.com (no identity in /api/me.json)' };
+        }
+        return { kind: 'ok', identity: me };
+      } catch (e) {
+        return { kind: 'exception', detail: String(e && e.message || e) };
+      }
+    })()`);
+
+        if (result?.kind === 'auth') {
+            throw new AuthRequiredError('reddit.com', result.detail);
+        }
+        if (result?.kind === 'http') {
+            throw new CommandExecutionError(`HTTP ${result.httpStatus} from ${result.where}`);
+        }
+        if (result?.kind === 'exception') {
+            throw new CommandExecutionError(`whoami failed: ${result.detail}`);
+        }
+        if (result?.kind !== 'ok') {
+            throw new CommandExecutionError(`Unexpected result from reddit whoami: ${JSON.stringify(result)}`);
+        }
+
+        const u = result.identity;
+        const created = u.created_utc
+            ? new Date(u.created_utc * 1000).toISOString().split('T')[0]
+            : null;
+        const linkKarma = typeof u.link_karma === 'number' ? u.link_karma : null;
+        const commentKarma = typeof u.comment_karma === 'number' ? u.comment_karma : null;
+        const totalKarma = typeof u.total_karma === 'number'
+            ? u.total_karma
+            : (linkKarma != null && commentKarma != null ? linkKarma + commentKarma : null);
+        const inboxCount = typeof u.inbox_count === 'number' ? u.inbox_count : null;
+
+        return [
+            { field: 'Username', value: 'u/' + u.name },
+            { field: 'ID', value: u.id ? 't2_' + u.id : null },
+            { field: 'Post Karma', value: linkKarma != null ? String(linkKarma) : null },
+            { field: 'Comment Karma', value: commentKarma != null ? String(commentKarma) : null },
+            { field: 'Total Karma', value: totalKarma != null ? String(totalKarma) : null },
+            { field: 'Account Created', value: created },
+            { field: 'Gold', value: u.is_gold ? 'Yes' : 'No' },
+            { field: 'Mod', value: u.is_mod ? 'Yes' : 'No' },
+            { field: 'Verified Email', value: u.has_verified_email ? 'Yes' : 'No' },
+            { field: 'Has Mail', value: u.has_mail ? 'Yes' : 'No' },
+            { field: 'Inbox Count', value: inboxCount != null ? String(inboxCount) : null },
+        ];
+    },
+});

package/clis/reddit/whoami.test.js

@@ -0,0 +1,105 @@
+import { describe, expect, it, vi } from 'vitest';
+import { getRegistry } from '@jackwener/opencli/registry';
+import { AuthRequiredError, CommandExecutionError } from '@jackwener/opencli/errors';
+import './whoami.js';
+
+function makePage(result) {
+    return {
+        goto: vi.fn().mockResolvedValue(undefined),
+        evaluate: vi.fn().mockResolvedValue(result),
+    };
+}
+
+describe('reddit whoami command', () => {
+    const command = getRegistry().get('reddit/whoami');
+
+    it('registers with the expected shape', () => {
+        expect(command).toBeDefined();
+        expect(command.access).toBe('read');
+        expect(command.browser).toBe(true);
+        expect(command.columns).toEqual(['field', 'value']);
+        expect(command.args).toEqual([]);
+    });
+
+    it('throws AuthRequiredError on 401/403 from /api/me.json', async () => {
+        const page = makePage({ kind: 'auth', detail: 'Reddit /api/me.json returned HTTP 401' });
+        await expect(command.func(page, {})).rejects.toBeInstanceOf(AuthRequiredError);
+        expect(page.goto).toHaveBeenCalledWith('https://www.reddit.com');
+    });
+
+    it('throws AuthRequiredError on 200 with missing data.name (stale anon session)', async () => {
+        const page = makePage({ kind: 'auth', detail: 'Not logged in to reddit.com (no identity in /api/me.json)' });
+        await expect(command.func(page, {})).rejects.toBeInstanceOf(AuthRequiredError);
+    });
+
+    it('throws CommandExecutionError on HTTP / exception failure modes', async () => {
+        await expect(command.func(makePage({ kind: 'http', httpStatus: 500, where: '/api/me.json' }), {}))
+            .rejects.toBeInstanceOf(CommandExecutionError);
+        await expect(command.func(makePage({ kind: 'exception', detail: 'bad json' }), {}))
+            .rejects.toBeInstanceOf(CommandExecutionError);
+    });
+
+    it('maps a full identity payload into the field/value rows', async () => {
+        const identity = {
+            name: 'alice',
+            id: 'abcdef',
+            link_karma: 1234,
+            comment_karma: 5678,
+            total_karma: 6912,
+            created_utc: 1577836800, // 2020-01-01
+            is_gold: true,
+            is_mod: false,
+            has_verified_email: true,
+            has_mail: false,
+            inbox_count: 0,
+        };
+        const page = makePage({ kind: 'ok', identity });
+        const rows = await command.func(page, {});
+
+        const byField = Object.fromEntries(rows.map((r) => [r.field, r.value]));
+        expect(byField.Username).toBe('u/alice');
+        expect(byField.ID).toBe('t2_abcdef');
+        expect(byField['Post Karma']).toBe('1234');
+        expect(byField['Comment Karma']).toBe('5678');
+        expect(byField['Total Karma']).toBe('6912');
+        expect(byField['Account Created']).toBe('2020-01-01');
+        expect(byField.Gold).toBe('Yes');
+        expect(byField.Mod).toBe('No');
+        expect(byField['Verified Email']).toBe('Yes');
+        expect(byField['Has Mail']).toBe('No');
+        expect(byField['Inbox Count']).toBe('0');
+
+        // Row shape must match the declared columns exactly so the
+        // silent-column-drop audit can't be triggered.
+        for (const row of rows) {
+            expect(Object.keys(row).sort()).toEqual(['field', 'value']);
+        }
+    });
+
+    it('falls back to null for missing numeric karma fields rather than 0 sentinels', async () => {
+        const identity = {
+            name: 'bob',
+            id: 'xyz',
+            created_utc: null,
+            is_gold: false,
+            is_mod: false,
+            has_verified_email: false,
+            has_mail: false,
+        };
+        const page = makePage({ kind: 'ok', identity });
+        const rows = await command.func(page, {});
+        const byField = Object.fromEntries(rows.map((r) => [r.field, r.value]));
+        expect(byField['Post Karma']).toBeNull();
+        expect(byField['Comment Karma']).toBeNull();
+        expect(byField['Total Karma']).toBeNull();
+        expect(byField['Account Created']).toBeNull();
+        expect(byField['Inbox Count']).toBeNull();
+    });
+
+    it('does not throw on `data.name` present even if optional booleans are missing', async () => {
+        const identity = { name: 'carol', id: 'i1' };
+        const page = makePage({ kind: 'ok', identity });
+        const rows = await command.func(page, {});
+        expect(rows[0]).toEqual({ field: 'Username', value: 'u/carol' });
+    });
+});

package/clis/rednote/search.js

@@ -7,7 +7,7 @@
  */
 import { cli, Strategy } from '@jackwener/opencli/registry';
 import { ArgumentError, AuthRequiredError } from '@jackwener/opencli/errors';
-import { buildSearchExtractJs, noteIdToDate } from '../xiaohongshu/search.js';
+import { buildScrollUntilJs, buildSearchExtractJs, noteIdToDate } from '../xiaohongshu/search.js';
 
 function parseLimit(raw) {
     const parsed = Number(raw);
@@ -82,7 +82,11 @@ cli({
         if (waitResult === 'login_wall') {
             throw new AuthRequiredError('www.rednote.com', 'Rednote search results are blocked behind a login wall');
         }
-        await page.autoScroll({ times: 2 });
+        // Scroll until enough rows are rendered or the lazy-load plateaus.
+        // Same fix as xiaohongshu/search (#1471): the previous fixed
+        // `autoScroll({ times: 2 })` capped extraction at ~13 notes regardless
+        // of `--limit`.
+        await page.evaluate(buildScrollUntilJs(limit));
         const payload = await page.evaluate(buildSearchExtractJs('www.rednote.com'));
         const data = Array.isArray(payload) ? payload : [];
         return data

package/clis/twitter/bookmark-folder.js

@@ -11,6 +11,7 @@ import { resolveTwitterQueryId } from './shared.js';
 const OPERATION_NAME = 'BookmarkFolderTimeline';
 const FALLBACK_QUERY_ID = '13H7EUATwethsj_jZ6QQAQ';
 const FOLDER_ID_PATTERN = /^[A-Za-z0-9_-]+$/;
+const MAX_PAGINATION_PAGES = 100;
 
 const FEATURES = {
     rweb_video_screen_enabled: false,
@@ -158,7 +159,8 @@ cli({
         const allTweets = [];
         const seen = new Set();
         let cursor = null;
-        for (let i = 0; i < 5 && allTweets.length < limit; i++) {
+        // Runaway guard only; --limit and cursor exhaustion control normal pagination.
+        for (let i = 0; i < MAX_PAGINATION_PAGES && allTweets.length < limit; i++) {
             const fetchCount = Math.min(100, limit - allTweets.length + 10);
             const apiUrl = buildFolderTimelineUrl(queryId, folderId, fetchCount, cursor);
             const data = await page.evaluate(`async () => {

package/clis/twitter/bookmarks.js

@@ -2,6 +2,7 @@ import { cli, Strategy } from '@jackwener/opencli/registry';
 import { AuthRequiredError, CommandExecutionError } from '@jackwener/opencli/errors';
 import { TWITTER_BEARER_TOKEN, applyTopByEngagement } from './utils.js';
 const BOOKMARKS_QUERY_ID = 'Fy0QMy4q_aZCpkO0PnyLYw';
+const MAX_PAGINATION_PAGES = 100;
 const FEATURES = {
     rweb_video_screen_enabled: false,
     profile_label_improvements_pcf_label_in_post_enabled: true,
@@ -150,7 +151,8 @@ cli({
         const allTweets = [];
         const seen = new Set();
         let cursor = null;
-        for (let i = 0; i < 5 && allTweets.length < limit; i++) {
+        // Runaway guard only; --limit and cursor exhaustion control normal pagination.
+        for (let i = 0; i < MAX_PAGINATION_PAGES && allTweets.length < limit; i++) {
             const fetchCount = Math.min(100, limit - allTweets.length + 10);
             const apiUrl = buildBookmarksUrl(fetchCount, cursor).replace(BOOKMARKS_QUERY_ID, queryId);
             const data = await page.evaluate(`async () => {

package/clis/twitter/followers.js

@@ -1,5 +1,6 @@
 import { ArgumentError, AuthRequiredError, selectorError, EmptyResultError } from '@jackwener/opencli/errors';
 import { cli, Strategy } from '@jackwener/opencli/registry';
+import { normalizeTwitterScreenName, unwrapBrowserResult } from './shared.js';
 
 /**
  * Extract follower rows from Twitter/X follower-list SPA cells.
@@ -72,7 +73,7 @@ async function extractFollowersFromDOM(page) {
 }
 
 function normalizeScreenName(value) {
-    return String(value ?? '').trim().replace(/^\/+/, '').replace(/^@+/, '');
+    return normalizeTwitterScreenName(value);
 }
 
 cli({
@@ -103,18 +104,27 @@ cli({
             throw new ArgumentError('limit must be a positive integer');
         }
 
-        let targetUser = normalizeScreenName(kwargs.user);
+        const rawUser = String(kwargs.user ?? '').trim();
+        let targetUser = normalizeScreenName(rawUser);
+        if (rawUser && !targetUser) {
+            throw new ArgumentError('twitter followers user must be a valid Twitter/X handle', 'Example: opencli twitter followers @elonmusk --limit 100');
+        }
         if (!targetUser) {
             await page.goto('https://x.com/home');
             await page.wait({ selector: '[data-testid="primaryColumn"]' });
-            const href = await page.evaluate(`() => {
+            // Bridge wraps primitive page.evaluate returns as { session, data:<value> };
+            // unwrap so the href string is usable downstream.
+            const href = unwrapBrowserResult(await page.evaluate(`() => {
                 const link = document.querySelector('a[data-testid="AppTabBar_Profile_Link"]');
                 return link ? link.getAttribute('href') : null;
-            }`);
-            if (!href) {
+            }`));
+            if (!href || typeof href !== 'string') {
                 throw new AuthRequiredError('x.com', 'Could not find logged-in user profile link. Are you logged in?');
             }
             targetUser = normalizeScreenName(href);
+            if (!targetUser) {
+                throw new AuthRequiredError('x.com', 'Could not find logged-in user profile link. Are you logged in?');
+            }
         }
         if (!targetUser) {
             throw new ArgumentError('twitter followers user cannot be empty', 'Example: opencli twitter followers @elonmusk --limit 100');
@@ -173,3 +183,8 @@ cli({
         return allFollowers.slice(0, limit);
     }
 });
+
+export const __test__ = {
+    extractFollowersFromDOM,
+    normalizeScreenName,
+};

package/clis/twitter/followers.test.js

@@ -0,0 +1,44 @@
+import { describe, expect, it, vi } from 'vitest';
+import { getRegistry } from '@jackwener/opencli/registry';
+import { ArgumentError, AuthRequiredError } from '@jackwener/opencli/errors';
+import { __test__ } from './followers.js';
+
+describe('twitter followers command', () => {
+    it('normalizes exact profile handles and rejects route-like hrefs', () => {
+        expect(__test__.normalizeScreenName('@viewer')).toBe('viewer');
+        expect(__test__.normalizeScreenName('/viewer')).toBe('viewer');
+        expect(__test__.normalizeScreenName('https://x.com/viewer')).toBe('viewer');
+        expect(__test__.normalizeScreenName('/home')).toBe('');
+        expect(__test__.normalizeScreenName('/viewer/extra')).toBe('');
+    });
+
+    it('rejects invalid explicit users before navigation', async () => {
+        const command = getRegistry().get('twitter/followers');
+        const page = {
+            goto: vi.fn(),
+            wait: vi.fn(),
+            evaluate: vi.fn(),
+        };
+
+        await expect(command.func(page, { user: 'viewer/extra', limit: 10 })).rejects.toBeInstanceOf(ArgumentError);
+        expect(page.goto).not.toHaveBeenCalled();
+        expect(page.wait).not.toHaveBeenCalled();
+        expect(page.evaluate).not.toHaveBeenCalled();
+    });
+
+    it('rejects non-profile AppTabBar hrefs instead of navigating to route followers', async () => {
+        const command = getRegistry().get('twitter/followers');
+        const page = {
+            goto: vi.fn().mockResolvedValue(undefined),
+            wait: vi.fn().mockResolvedValue(undefined),
+            evaluate: vi.fn(async (script) => {
+                if (String(script).includes('AppTabBar_Profile_Link')) return '/home';
+                throw new Error(`Unexpected evaluate: ${String(script).slice(0, 80)}`);
+            }),
+        };
+
+        await expect(command.func(page, { limit: 10 })).rejects.toBeInstanceOf(AuthRequiredError);
+        expect(page.goto).toHaveBeenCalledWith('https://x.com/home');
+        expect(page.goto).not.toHaveBeenCalledWith('https://x.com/home/followers');
+    });
+});

package/clis/twitter/following.js

@@ -1,10 +1,11 @@
 import { cli, Strategy } from '@jackwener/opencli/registry';
 import { ArgumentError, AuthRequiredError, CommandExecutionError, EmptyResultError } from '@jackwener/opencli/errors';
-import { resolveTwitterQueryId, sanitizeQueryId } from './shared.js';
+import { normalizeTwitterScreenName, resolveTwitterQueryId, sanitizeQueryId, unwrapBrowserResult } from './shared.js';
 import { TWITTER_BEARER_TOKEN } from './utils.js';
 
 const FOLLOWING_QUERY_ID = 'zx6e-TLzRkeDO_a7p4b3JQ';  // Following fallback
 const USER_BY_SCREEN_NAME_QUERY_ID = 'qRednkZG-rn1P6b48NINmQ';
+const MAX_PAGINATION_PAGES = 100;
 
 const FEATURES = {
     rweb_video_screen_enabled: false,
@@ -128,7 +129,7 @@ function parseFollowing(data) {
 }
 
 function normalizeScreenName(value) {
-    return String(value || '').trim().replace(/^\/+/, '').replace(/^@+/, '');
+    return normalizeTwitterScreenName(value);
 }
 
 cli({
@@ -156,7 +157,11 @@ cli({
         if (!Number.isInteger(limit) || limit <= 0) {
             throw new ArgumentError('twitter following --limit must be a positive integer', 'Example: opencli twitter following @elonmusk --limit 200');
         }
-        let targetUser = normalizeScreenName(kwargs.user);
+        const rawUser = String(kwargs.user ?? '').trim();
+        let targetUser = normalizeScreenName(rawUser);
+        if (rawUser && !targetUser) {
+            throw new ArgumentError('twitter following user must be a valid Twitter/X handle', 'Example: opencli twitter following @elonmusk --limit 200');
+        }
 
         const cookies = await page.getCookies({ url: 'https://x.com' });
         const ct0 = cookies.find((c) => c.name === 'ct0')?.value || null;
@@ -164,13 +169,25 @@ cli({
             throw new AuthRequiredError('x.com', 'Not logged into x.com (no ct0 cookie)');
 
         if (!targetUser) {
-            const href = await page.evaluate(`() => {
-                const link = document.querySelector('a[data-testid="AppTabBar_Profile_Link"]');
-                return link ? link.getAttribute('href') : null;
-            }`);
-            if (!href)
+            // Force a navigation to the home surface so the AppTabBar sidebar
+            // is rendered; the framework pre-nav lands on bare x.com which
+            // does not always expose AppTabBar_Profile_Link.
+            await page.goto('https://x.com/home');
+            await page.wait({ selector: '[data-testid="primaryColumn"]' });
+            // Bridge wraps primitive page.evaluate returns as { session, data:<value> };
+            // unwrap so the href string is usable downstream.
+            // NOTE: the function-literal form `() => ...` silently drops
+            // primitive return values through the bridge — only the template
+            // string form preserves the `data` field.
+            const href = unwrapBrowserResult(await page.evaluate(`() => {
+        const link = document.querySelector('a[data-testid="AppTabBar_Profile_Link"]');
+        return link ? link.getAttribute('href') : null;
+      }`));
+            if (!href || typeof href !== 'string')
+                throw new AuthRequiredError('x.com', 'Could not detect logged-in user. Are you logged in?');
+            targetUser = normalizeScreenName(href);
+            if (!targetUser)
                 throw new AuthRequiredError('x.com', 'Could not detect logged-in user. Are you logged in?');
-            targetUser = normalizeScreenName(href.replace('/', ''));
         }
         if (!targetUser) {
             throw new ArgumentError('twitter following user cannot be empty', 'Example: opencli twitter following @elonmusk --limit 200');
@@ -178,21 +195,20 @@ cli({
 
         const followingQueryId = await resolveTwitterQueryId(page, 'Following', FOLLOWING_QUERY_ID);
         const userByScreenNameQueryId = await resolveTwitterQueryId(page, 'UserByScreenName', USER_BY_SCREEN_NAME_QUERY_ID);
-        const headers = JSON.stringify({
+        const headers = {
             'Authorization': `Bearer ${decodeURIComponent(TWITTER_BEARER_TOKEN)}`,
             'X-Csrf-Token': ct0,
             'X-Twitter-Auth-Type': 'OAuth2Session',
             'X-Twitter-Active-User': 'yes',
-        });
+        };
 
         // Get userId from screen_name
-        const userLookup = await page.evaluate(`async () => {
-            const url = ${JSON.stringify(buildUserByScreenNameUrl(userByScreenNameQueryId, targetUser))};
-            const resp = await fetch(url, { headers: ${headers}, credentials: 'include' });
+        const userLookup = unwrapBrowserResult(await page.evaluate(async (url, headers) => {
+            const resp = await fetch(url, { headers, credentials: 'include' });
             if (!resp.ok) return { error: resp.status };
             const d = await resp.json();
             return { userId: d.data?.user?.result?.rest_id || null };
-        }`);
+        }, buildUserByScreenNameUrl(userByScreenNameQueryId, targetUser), headers));
         if (userLookup?.error === 401 || userLookup?.error === 403) {
             throw new AuthRequiredError('x.com', `Twitter user lookup failed (HTTP ${userLookup.error})`);
         }
@@ -207,14 +223,14 @@ cli({
         const seen = new Set();
         let cursor = null;
 
-        const maxPages = Math.ceil(limit / 50) + 2;
-        for (let i = 0; i < maxPages && allUsers.length < limit; i++) {
+        // Runaway guard only; --limit and cursor exhaustion control normal pagination.
+        for (let i = 0; i < MAX_PAGINATION_PAGES && allUsers.length < limit; i++) {
             const fetchCount = Math.min(50, limit - allUsers.length + 10);
             const apiUrl = buildFollowingUrl(followingQueryId, userId, fetchCount, cursor);
-            const data = await page.evaluate(`async () => {
-                const r = await fetch("${apiUrl}", { headers: ${headers}, credentials: 'include' });
+            const data = unwrapBrowserResult(await page.evaluate(async (url, headers) => {
+                const r = await fetch(url, { headers, credentials: 'include' });
                 return r.ok ? await r.json() : { error: r.status };
-            }`);
+            }, apiUrl, headers));
             if (data?.error) {
                 if (data.error === 401 || data.error === 403)
                     throw new AuthRequiredError('x.com', `Twitter following request failed (HTTP ${data.error})`);

package/clis/twitter/following.test.js

@@ -157,6 +157,8 @@ describe('twitter following helpers', () => {
         expect(__test__.normalizeScreenName('@elonmusk')).toBe('elonmusk');
         expect(__test__.normalizeScreenName('/elonmusk')).toBe('elonmusk');
         expect(__test__.normalizeScreenName('  @@alice  ')).toBe('alice');
+        expect(__test__.normalizeScreenName('/home')).toBe('');
+        expect(__test__.normalizeScreenName('/elonmusk/extra')).toBe('');
     });
 });
 
@@ -201,16 +203,28 @@ function followingPayload(users, cursor) {
     };
 }
 
-function createFollowingPage(followingResponses, { ct0 = 'token', userLookup = { userId: '42' } } = {}) {
+function bridgeEnvelope(data) {
+    return { session: 'site:twitter', data };
+}
+
+function createFollowingPage(followingResponses, { ct0 = 'token', userLookup = { userId: '42' }, envelope = false } = {}) {
     const page = {
         goto: vi.fn().mockResolvedValue(undefined),
         wait: vi.fn().mockResolvedValue(undefined),
         getCookies: vi.fn(async () => (ct0 ? [{ name: 'ct0', value: ct0 }] : [])),
-        evaluate: vi.fn(async (script) => {
+        evaluate: vi.fn(async (script, ...args) => {
+            const wrap = (value) => envelope ? bridgeEnvelope(value) : value;
+            if (typeof script === 'function') {
+                const haystack = [script.toString(), ...args.map((arg) => String(arg))].join('\n');
+                if (haystack.includes('/UserByScreenName')) return wrap(userLookup);
+                if (haystack.includes('/Following')) return wrap(followingResponses.shift() || followingPayload([], null));
+                if (haystack.includes('AppTabBar_Profile_Link')) return wrap('/viewer');
+                throw new Error(`Unexpected evaluate function: ${haystack.slice(0, 80)}`);
+            }
             if (script.includes('operationName')) return null;
-            if (script.includes('/UserByScreenName')) return userLookup;
-            if (script.includes('/Following')) return followingResponses.shift() || followingPayload([], null);
-            if (script.includes('AppTabBar_Profile_Link')) return '/viewer';
+            if (script.includes('/UserByScreenName')) return wrap(userLookup);
+            if (script.includes('/Following')) return wrap(followingResponses.shift() || followingPayload([], null));
+            if (script.includes('AppTabBar_Profile_Link')) return wrap('/viewer');
             throw new Error(`Unexpected evaluate script: ${script.slice(0, 80)}`);
         }),
     };
@@ -229,12 +243,13 @@ describe('twitter following command', () => {
 
         expect(rows.map((row) => row.screen_name)).toEqual(['alice', 'bob', 'carol']);
         expect(page.getCookies).toHaveBeenCalledWith({ url: 'https://x.com' });
-        const userLookupScript = page.evaluate.mock.calls.find(([script]) => script.includes('/UserByScreenName'))?.[0] || '';
+        const callText = (call) => call.map((part) => typeof part === 'function' ? part.toString() : String(part)).join('\n');
+        const userLookupScript = callText(page.evaluate.mock.calls.find((call) => callText(call).includes('/UserByScreenName')) || []);
         expect(decodeURIComponent(userLookupScript)).toContain('"screen_name":"elonmusk"');
         expect(decodeURIComponent(userLookupScript)).not.toContain('"screen_name":"@elonmusk"');
-        const followingCalls = page.evaluate.mock.calls.filter(([script]) => script.includes('/Following'));
+        const followingCalls = page.evaluate.mock.calls.filter((call) => callText(call).includes('/Following'));
         expect(followingCalls).toHaveLength(2);
-        expect(decodeURIComponent(followingCalls[1][0])).toContain('"cursor":"cursor-1"');
+        expect(decodeURIComponent(callText(followingCalls[1]))).toContain('"cursor":"cursor-1"');
     });
 
     it('rejects invalid limits before navigating', async () => {
@@ -245,6 +260,29 @@ describe('twitter following command', () => {
         expect(page.goto).not.toHaveBeenCalled();
     });
 
+    it('rejects invalid explicit users before cookies or navigation', async () => {
+        const command = getRegistry().get('twitter/following');
+        const page = createFollowingPage([]);
+
+        await expect(command.func(page, { user: 'elonmusk/extra', limit: 10 })).rejects.toBeInstanceOf(ArgumentError);
+        expect(page.getCookies).not.toHaveBeenCalled();
+        expect(page.goto).not.toHaveBeenCalled();
+        expect(page.evaluate).not.toHaveBeenCalled();
+    });
+
+    it('rejects route-like AppTabBar hrefs as AuthRequiredError', async () => {
+        const command = getRegistry().get('twitter/following');
+        const page = createFollowingPage([]);
+        page.evaluate.mockImplementation(async (script, ...args) => {
+            const haystack = [typeof script === 'function' ? script.toString() : String(script), ...args.map((arg) => String(arg))].join('\n');
+            if (haystack.includes('AppTabBar_Profile_Link')) return '/home';
+            throw new Error(`Unexpected evaluate: ${haystack.slice(0, 80)}`);
+        });
+
+        await expect(command.func(page, { limit: 10 })).rejects.toBeInstanceOf(AuthRequiredError);
+        expect(page.goto).toHaveBeenCalledWith('https://x.com/home');
+    });
+
     it('maps first-page auth failures to AuthRequiredError', async () => {
         const command = getRegistry().get('twitter/following');
         const page = createFollowingPage([{ error: 401 }]);
@@ -269,6 +307,20 @@ describe('twitter following command', () => {
         await expect(command.func(page, { user: 'elonmusk', limit: 10 })).rejects.toBeInstanceOf(AuthRequiredError);
     });
 
+    it('unwraps Browser Bridge envelopes for user lookup and following payloads', async () => {
+        const command = getRegistry().get('twitter/following');
+        const page = createFollowingPage([followingPayload(['alice'], null)], { envelope: true });
+
+        const rows = await command.func(page, { user: 'elonmusk', limit: 10 });
+
+        expect(rows.map((row) => row.screen_name)).toEqual(['alice']);
+        const callText = (call) => call.map((part) => typeof part === 'function' ? part.toString() : String(part)).join('\n');
+        const followingCall = page.evaluate.mock.calls.find((call) => callText(call).includes('/Following')) || [];
+        const followingUrl = String(followingCall[1] || '');
+        expect(decodeURIComponent(followingUrl)).toContain('"userId":"42"');
+        expect(decodeURIComponent(followingUrl)).not.toContain('[object Object]');
+    });
+
     it('fails fast when the following timeline is empty', async () => {
         const command = getRegistry().get('twitter/following');
         const page = createFollowingPage([followingPayload([], null)]);