@jackwener/opencli 1.7.18 → 1.7.20

package/clis/twitter/followers.js

@@ -1,5 +1,6 @@
 import { ArgumentError, AuthRequiredError, selectorError, EmptyResultError } from '@jackwener/opencli/errors';
 import { cli, Strategy } from '@jackwener/opencli/registry';
+import { normalizeTwitterScreenName, unwrapBrowserResult } from './shared.js';
 
 /**
  * Extract follower rows from Twitter/X follower-list SPA cells.
@@ -72,7 +73,7 @@ async function extractFollowersFromDOM(page) {
 }
 
 function normalizeScreenName(value) {
-    return String(value ?? '').trim().replace(/^\/+/, '').replace(/^@+/, '');
+    return normalizeTwitterScreenName(value);
 }
 
 cli({
@@ -103,18 +104,27 @@ cli({
             throw new ArgumentError('limit must be a positive integer');
         }
 
-        let targetUser = normalizeScreenName(kwargs.user);
+        const rawUser = String(kwargs.user ?? '').trim();
+        let targetUser = normalizeScreenName(rawUser);
+        if (rawUser && !targetUser) {
+            throw new ArgumentError('twitter followers user must be a valid Twitter/X handle', 'Example: opencli twitter followers @elonmusk --limit 100');
+        }
         if (!targetUser) {
             await page.goto('https://x.com/home');
             await page.wait({ selector: '[data-testid="primaryColumn"]' });
-            const href = await page.evaluate(`() => {
+            // Bridge wraps primitive page.evaluate returns as { session, data:<value> };
+            // unwrap so the href string is usable downstream.
+            const href = unwrapBrowserResult(await page.evaluate(`() => {
                 const link = document.querySelector('a[data-testid="AppTabBar_Profile_Link"]');
                 return link ? link.getAttribute('href') : null;
-            }`);
-            if (!href) {
+            }`));
+            if (!href || typeof href !== 'string') {
                 throw new AuthRequiredError('x.com', 'Could not find logged-in user profile link. Are you logged in?');
             }
             targetUser = normalizeScreenName(href);
+            if (!targetUser) {
+                throw new AuthRequiredError('x.com', 'Could not find logged-in user profile link. Are you logged in?');
+            }
         }
         if (!targetUser) {
             throw new ArgumentError('twitter followers user cannot be empty', 'Example: opencli twitter followers @elonmusk --limit 100');
@@ -173,3 +183,8 @@ cli({
         return allFollowers.slice(0, limit);
     }
 });
+
+export const __test__ = {
+    extractFollowersFromDOM,
+    normalizeScreenName,
+};

package/clis/twitter/followers.test.js

@@ -0,0 +1,44 @@
+import { describe, expect, it, vi } from 'vitest';
+import { getRegistry } from '@jackwener/opencli/registry';
+import { ArgumentError, AuthRequiredError } from '@jackwener/opencli/errors';
+import { __test__ } from './followers.js';
+
+describe('twitter followers command', () => {
+    it('normalizes exact profile handles and rejects route-like hrefs', () => {
+        expect(__test__.normalizeScreenName('@viewer')).toBe('viewer');
+        expect(__test__.normalizeScreenName('/viewer')).toBe('viewer');
+        expect(__test__.normalizeScreenName('https://x.com/viewer')).toBe('viewer');
+        expect(__test__.normalizeScreenName('/home')).toBe('');
+        expect(__test__.normalizeScreenName('/viewer/extra')).toBe('');
+    });
+
+    it('rejects invalid explicit users before navigation', async () => {
+        const command = getRegistry().get('twitter/followers');
+        const page = {
+            goto: vi.fn(),
+            wait: vi.fn(),
+            evaluate: vi.fn(),
+        };
+
+        await expect(command.func(page, { user: 'viewer/extra', limit: 10 })).rejects.toBeInstanceOf(ArgumentError);
+        expect(page.goto).not.toHaveBeenCalled();
+        expect(page.wait).not.toHaveBeenCalled();
+        expect(page.evaluate).not.toHaveBeenCalled();
+    });
+
+    it('rejects non-profile AppTabBar hrefs instead of navigating to route followers', async () => {
+        const command = getRegistry().get('twitter/followers');
+        const page = {
+            goto: vi.fn().mockResolvedValue(undefined),
+            wait: vi.fn().mockResolvedValue(undefined),
+            evaluate: vi.fn(async (script) => {
+                if (String(script).includes('AppTabBar_Profile_Link')) return '/home';
+                throw new Error(`Unexpected evaluate: ${String(script).slice(0, 80)}`);
+            }),
+        };
+
+        await expect(command.func(page, { limit: 10 })).rejects.toBeInstanceOf(AuthRequiredError);
+        expect(page.goto).toHaveBeenCalledWith('https://x.com/home');
+        expect(page.goto).not.toHaveBeenCalledWith('https://x.com/home/followers');
+    });
+});

package/clis/twitter/following.js

@@ -1,10 +1,11 @@
 import { cli, Strategy } from '@jackwener/opencli/registry';
 import { ArgumentError, AuthRequiredError, CommandExecutionError, EmptyResultError } from '@jackwener/opencli/errors';
-import { resolveTwitterQueryId, sanitizeQueryId } from './shared.js';
+import { normalizeTwitterScreenName, resolveTwitterQueryId, sanitizeQueryId, unwrapBrowserResult } from './shared.js';
 import { TWITTER_BEARER_TOKEN } from './utils.js';
 
 const FOLLOWING_QUERY_ID = 'zx6e-TLzRkeDO_a7p4b3JQ';  // Following fallback
 const USER_BY_SCREEN_NAME_QUERY_ID = 'qRednkZG-rn1P6b48NINmQ';
+const MAX_PAGINATION_PAGES = 100;
 
 const FEATURES = {
     rweb_video_screen_enabled: false,
@@ -128,7 +129,7 @@ function parseFollowing(data) {
 }
 
 function normalizeScreenName(value) {
-    return String(value || '').trim().replace(/^\/+/, '').replace(/^@+/, '');
+    return normalizeTwitterScreenName(value);
 }
 
 cli({
@@ -156,7 +157,11 @@ cli({
         if (!Number.isInteger(limit) || limit <= 0) {
             throw new ArgumentError('twitter following --limit must be a positive integer', 'Example: opencli twitter following @elonmusk --limit 200');
         }
-        let targetUser = normalizeScreenName(kwargs.user);
+        const rawUser = String(kwargs.user ?? '').trim();
+        let targetUser = normalizeScreenName(rawUser);
+        if (rawUser && !targetUser) {
+            throw new ArgumentError('twitter following user must be a valid Twitter/X handle', 'Example: opencli twitter following @elonmusk --limit 200');
+        }
 
         const cookies = await page.getCookies({ url: 'https://x.com' });
         const ct0 = cookies.find((c) => c.name === 'ct0')?.value || null;
@@ -164,13 +169,25 @@ cli({
             throw new AuthRequiredError('x.com', 'Not logged into x.com (no ct0 cookie)');
 
         if (!targetUser) {
-            const href = await page.evaluate(`() => {
-                const link = document.querySelector('a[data-testid="AppTabBar_Profile_Link"]');
-                return link ? link.getAttribute('href') : null;
-            }`);
-            if (!href)
+            // Force a navigation to the home surface so the AppTabBar sidebar
+            // is rendered; the framework pre-nav lands on bare x.com which
+            // does not always expose AppTabBar_Profile_Link.
+            await page.goto('https://x.com/home');
+            await page.wait({ selector: '[data-testid="primaryColumn"]' });
+            // Bridge wraps primitive page.evaluate returns as { session, data:<value> };
+            // unwrap so the href string is usable downstream.
+            // NOTE: the function-literal form `() => ...` silently drops
+            // primitive return values through the bridge — only the template
+            // string form preserves the `data` field.
+            const href = unwrapBrowserResult(await page.evaluate(`() => {
+        const link = document.querySelector('a[data-testid="AppTabBar_Profile_Link"]');
+        return link ? link.getAttribute('href') : null;
+      }`));
+            if (!href || typeof href !== 'string')
+                throw new AuthRequiredError('x.com', 'Could not detect logged-in user. Are you logged in?');
+            targetUser = normalizeScreenName(href);
+            if (!targetUser)
                 throw new AuthRequiredError('x.com', 'Could not detect logged-in user. Are you logged in?');
-            targetUser = normalizeScreenName(href.replace('/', ''));
         }
         if (!targetUser) {
             throw new ArgumentError('twitter following user cannot be empty', 'Example: opencli twitter following @elonmusk --limit 200');
@@ -178,21 +195,20 @@ cli({
 
         const followingQueryId = await resolveTwitterQueryId(page, 'Following', FOLLOWING_QUERY_ID);
         const userByScreenNameQueryId = await resolveTwitterQueryId(page, 'UserByScreenName', USER_BY_SCREEN_NAME_QUERY_ID);
-        const headers = JSON.stringify({
+        const headers = {
             'Authorization': `Bearer ${decodeURIComponent(TWITTER_BEARER_TOKEN)}`,
             'X-Csrf-Token': ct0,
             'X-Twitter-Auth-Type': 'OAuth2Session',
             'X-Twitter-Active-User': 'yes',
-        });
+        };
 
         // Get userId from screen_name
-        const userLookup = await page.evaluate(`async () => {
-            const url = ${JSON.stringify(buildUserByScreenNameUrl(userByScreenNameQueryId, targetUser))};
-            const resp = await fetch(url, { headers: ${headers}, credentials: 'include' });
+        const userLookup = unwrapBrowserResult(await page.evaluate(async (url, headers) => {
+            const resp = await fetch(url, { headers, credentials: 'include' });
             if (!resp.ok) return { error: resp.status };
             const d = await resp.json();
             return { userId: d.data?.user?.result?.rest_id || null };
-        }`);
+        }, buildUserByScreenNameUrl(userByScreenNameQueryId, targetUser), headers));
         if (userLookup?.error === 401 || userLookup?.error === 403) {
             throw new AuthRequiredError('x.com', `Twitter user lookup failed (HTTP ${userLookup.error})`);
         }
@@ -207,14 +223,14 @@ cli({
         const seen = new Set();
         let cursor = null;
 
-        const maxPages = Math.ceil(limit / 50) + 2;
-        for (let i = 0; i < maxPages && allUsers.length < limit; i++) {
+        // Runaway guard only; --limit and cursor exhaustion control normal pagination.
+        for (let i = 0; i < MAX_PAGINATION_PAGES && allUsers.length < limit; i++) {
             const fetchCount = Math.min(50, limit - allUsers.length + 10);
             const apiUrl = buildFollowingUrl(followingQueryId, userId, fetchCount, cursor);
-            const data = await page.evaluate(`async () => {
-                const r = await fetch("${apiUrl}", { headers: ${headers}, credentials: 'include' });
+            const data = unwrapBrowserResult(await page.evaluate(async (url, headers) => {
+                const r = await fetch(url, { headers, credentials: 'include' });
                 return r.ok ? await r.json() : { error: r.status };
-            }`);
+            }, apiUrl, headers));
             if (data?.error) {
                 if (data.error === 401 || data.error === 403)
                     throw new AuthRequiredError('x.com', `Twitter following request failed (HTTP ${data.error})`);

package/clis/twitter/following.test.js

@@ -157,6 +157,8 @@ describe('twitter following helpers', () => {
         expect(__test__.normalizeScreenName('@elonmusk')).toBe('elonmusk');
         expect(__test__.normalizeScreenName('/elonmusk')).toBe('elonmusk');
         expect(__test__.normalizeScreenName('  @@alice  ')).toBe('alice');
+        expect(__test__.normalizeScreenName('/home')).toBe('');
+        expect(__test__.normalizeScreenName('/elonmusk/extra')).toBe('');
     });
 });
 
@@ -201,16 +203,28 @@ function followingPayload(users, cursor) {
     };
 }
 
-function createFollowingPage(followingResponses, { ct0 = 'token', userLookup = { userId: '42' } } = {}) {
+function bridgeEnvelope(data) {
+    return { session: 'site:twitter', data };
+}
+
+function createFollowingPage(followingResponses, { ct0 = 'token', userLookup = { userId: '42' }, envelope = false } = {}) {
     const page = {
         goto: vi.fn().mockResolvedValue(undefined),
         wait: vi.fn().mockResolvedValue(undefined),
         getCookies: vi.fn(async () => (ct0 ? [{ name: 'ct0', value: ct0 }] : [])),
-        evaluate: vi.fn(async (script) => {
+        evaluate: vi.fn(async (script, ...args) => {
+            const wrap = (value) => envelope ? bridgeEnvelope(value) : value;
+            if (typeof script === 'function') {
+                const haystack = [script.toString(), ...args.map((arg) => String(arg))].join('\n');
+                if (haystack.includes('/UserByScreenName')) return wrap(userLookup);
+                if (haystack.includes('/Following')) return wrap(followingResponses.shift() || followingPayload([], null));
+                if (haystack.includes('AppTabBar_Profile_Link')) return wrap('/viewer');
+                throw new Error(`Unexpected evaluate function: ${haystack.slice(0, 80)}`);
+            }
             if (script.includes('operationName')) return null;
-            if (script.includes('/UserByScreenName')) return userLookup;
-            if (script.includes('/Following')) return followingResponses.shift() || followingPayload([], null);
-            if (script.includes('AppTabBar_Profile_Link')) return '/viewer';
+            if (script.includes('/UserByScreenName')) return wrap(userLookup);
+            if (script.includes('/Following')) return wrap(followingResponses.shift() || followingPayload([], null));
+            if (script.includes('AppTabBar_Profile_Link')) return wrap('/viewer');
             throw new Error(`Unexpected evaluate script: ${script.slice(0, 80)}`);
         }),
     };
@@ -229,12 +243,13 @@ describe('twitter following command', () => {
 
         expect(rows.map((row) => row.screen_name)).toEqual(['alice', 'bob', 'carol']);
         expect(page.getCookies).toHaveBeenCalledWith({ url: 'https://x.com' });
-        const userLookupScript = page.evaluate.mock.calls.find(([script]) => script.includes('/UserByScreenName'))?.[0] || '';
+        const callText = (call) => call.map((part) => typeof part === 'function' ? part.toString() : String(part)).join('\n');
+        const userLookupScript = callText(page.evaluate.mock.calls.find((call) => callText(call).includes('/UserByScreenName')) || []);
         expect(decodeURIComponent(userLookupScript)).toContain('"screen_name":"elonmusk"');
         expect(decodeURIComponent(userLookupScript)).not.toContain('"screen_name":"@elonmusk"');
-        const followingCalls = page.evaluate.mock.calls.filter(([script]) => script.includes('/Following'));
+        const followingCalls = page.evaluate.mock.calls.filter((call) => callText(call).includes('/Following'));
         expect(followingCalls).toHaveLength(2);
-        expect(decodeURIComponent(followingCalls[1][0])).toContain('"cursor":"cursor-1"');
+        expect(decodeURIComponent(callText(followingCalls[1]))).toContain('"cursor":"cursor-1"');
     });
 
     it('rejects invalid limits before navigating', async () => {
@@ -245,6 +260,29 @@ describe('twitter following command', () => {
         expect(page.goto).not.toHaveBeenCalled();
     });
 
+    it('rejects invalid explicit users before cookies or navigation', async () => {
+        const command = getRegistry().get('twitter/following');
+        const page = createFollowingPage([]);
+
+        await expect(command.func(page, { user: 'elonmusk/extra', limit: 10 })).rejects.toBeInstanceOf(ArgumentError);
+        expect(page.getCookies).not.toHaveBeenCalled();
+        expect(page.goto).not.toHaveBeenCalled();
+        expect(page.evaluate).not.toHaveBeenCalled();
+    });
+
+    it('rejects route-like AppTabBar hrefs as AuthRequiredError', async () => {
+        const command = getRegistry().get('twitter/following');
+        const page = createFollowingPage([]);
+        page.evaluate.mockImplementation(async (script, ...args) => {
+            const haystack = [typeof script === 'function' ? script.toString() : String(script), ...args.map((arg) => String(arg))].join('\n');
+            if (haystack.includes('AppTabBar_Profile_Link')) return '/home';
+            throw new Error(`Unexpected evaluate: ${haystack.slice(0, 80)}`);
+        });
+
+        await expect(command.func(page, { limit: 10 })).rejects.toBeInstanceOf(AuthRequiredError);
+        expect(page.goto).toHaveBeenCalledWith('https://x.com/home');
+    });
+
     it('maps first-page auth failures to AuthRequiredError', async () => {
         const command = getRegistry().get('twitter/following');
         const page = createFollowingPage([{ error: 401 }]);
@@ -269,6 +307,20 @@ describe('twitter following command', () => {
         await expect(command.func(page, { user: 'elonmusk', limit: 10 })).rejects.toBeInstanceOf(AuthRequiredError);
     });
 
+    it('unwraps Browser Bridge envelopes for user lookup and following payloads', async () => {
+        const command = getRegistry().get('twitter/following');
+        const page = createFollowingPage([followingPayload(['alice'], null)], { envelope: true });
+
+        const rows = await command.func(page, { user: 'elonmusk', limit: 10 });
+
+        expect(rows.map((row) => row.screen_name)).toEqual(['alice']);
+        const callText = (call) => call.map((part) => typeof part === 'function' ? part.toString() : String(part)).join('\n');
+        const followingCall = page.evaluate.mock.calls.find((call) => callText(call).includes('/Following')) || [];
+        const followingUrl = String(followingCall[1] || '');
+        expect(decodeURIComponent(followingUrl)).toContain('"userId":"42"');
+        expect(decodeURIComponent(followingUrl)).not.toContain('[object Object]');
+    });
+
     it('fails fast when the following timeline is empty', async () => {
         const command = getRegistry().get('twitter/following');
         const page = createFollowingPage([followingPayload([], null)]);

package/clis/twitter/likes.js

@@ -1,9 +1,10 @@
 import { cli, Strategy } from '@jackwener/opencli/registry';
-import { AuthRequiredError, CommandExecutionError } from '@jackwener/opencli/errors';
-import { resolveTwitterQueryId, sanitizeQueryId, extractMedia } from './shared.js';
+import { ArgumentError, AuthRequiredError, CommandExecutionError } from '@jackwener/opencli/errors';
+import { normalizeTwitterScreenName, resolveTwitterQueryId, sanitizeQueryId, extractMedia, unwrapBrowserResult } from './shared.js';
 import { TWITTER_BEARER_TOKEN, applyTopByEngagement } from './utils.js';
 const LIKES_QUERY_ID = 'RozQdCp4CilQzrcuU0NY5w';
 const USER_BY_SCREEN_NAME_QUERY_ID = 'qRednkZG-rn1P6b48NINmQ';
+const MAX_PAGINATION_PAGES = 100;
 const FEATURES = {
     rweb_video_screen_enabled: false,
     profile_label_improvements_pcf_label_in_post_enabled: true,
@@ -151,20 +152,33 @@ cli({
     columns: ['id', 'author', 'name', 'text', 'likes', 'retweets', 'created_at', 'url', 'has_media', 'media_urls'],
     func: async (page, kwargs) => {
         const limit = kwargs.limit || 20;
-        let username = (kwargs.username || '').replace(/^@/, '');
+        const rawUsername = String(kwargs.username ?? '').trim();
+        let username = normalizeTwitterScreenName(rawUsername);
+        if (rawUsername && !username) {
+            throw new ArgumentError('twitter likes username must be a valid Twitter/X handle', 'Example: opencli twitter likes @jack --limit 20');
+        }
         const cookies = await page.getCookies({ url: 'https://x.com' });
         const ct0 = cookies.find((c) => c.name === 'ct0')?.value || null;
         if (!ct0)
             throw new AuthRequiredError('x.com', 'Not logged into x.com (no ct0 cookie)');
-        // If no username provided, detect the logged-in user
+        // If no username provided, detect the logged-in user.
+        // Bridge wraps primitive page.evaluate returns as { session, data:<value> };
+        // unwrap so the href string is usable downstream.
         if (!username) {
-            const href = await page.evaluate(`() => {
+            // Force a navigation to the home surface so the AppTabBar sidebar
+            // is rendered; the framework pre-nav lands on bare x.com which
+            // does not always expose AppTabBar_Profile_Link.
+            await page.goto('https://x.com/home');
+            await page.wait({ selector: '[data-testid="primaryColumn"]' });
+            const href = unwrapBrowserResult(await page.evaluate(`() => {
         const link = document.querySelector('a[data-testid="AppTabBar_Profile_Link"]');
         return link ? link.getAttribute('href') : null;
-      }`);
-            if (!href)
+      }`));
+            if (!href || typeof href !== 'string')
+                throw new AuthRequiredError('x.com', 'Could not detect logged-in user. Are you logged in?');
+            username = normalizeTwitterScreenName(href);
+            if (!username)
                 throw new AuthRequiredError('x.com', 'Could not detect logged-in user. Are you logged in?');
-            username = href.replace('/', '');
         }
         const likesQueryId = await resolveTwitterQueryId(page, 'Likes', LIKES_QUERY_ID);
         const userByScreenNameQueryId = await resolveTwitterQueryId(page, 'UserByScreenName', USER_BY_SCREEN_NAME_QUERY_ID);
@@ -175,27 +189,28 @@ cli({
             'X-Twitter-Active-User': 'yes',
         });
         // Get userId from screen_name
-        const userId = await page.evaluate(`async () => {
+        const userId = unwrapBrowserResult(await page.evaluate(`async () => {
       const screenName = ${JSON.stringify(username)};
       const url = ${JSON.stringify(buildUserByScreenNameUrl(userByScreenNameQueryId, username))};
       const resp = await fetch(url, { headers: ${headers}, credentials: 'include' });
       if (!resp.ok) return null;
       const d = await resp.json();
       return d.data?.user?.result?.rest_id || null;
-    }`);
+    }`));
         if (!userId) {
             throw new CommandExecutionError(`Could not find user @${username}`);
         }
         const allTweets = [];
         const seen = new Set();
         let cursor = null;
-        for (let i = 0; i < 5 && allTweets.length < limit; i++) {
+        // Runaway guard only; --limit and cursor exhaustion control normal pagination.
+        for (let i = 0; i < MAX_PAGINATION_PAGES && allTweets.length < limit; i++) {
             const fetchCount = Math.min(100, limit - allTweets.length + 10);
             const apiUrl = buildLikesUrl(likesQueryId, userId, fetchCount, cursor);
-            const data = await page.evaluate(`async () => {
+            const data = unwrapBrowserResult(await page.evaluate(`async () => {
         const r = await fetch("${apiUrl}", { headers: ${headers}, credentials: 'include' });
         return r.ok ? await r.json() : { error: r.status };
-      }`);
+      }`));
             if (data?.error) {
                 if (allTweets.length === 0)
                     throw new CommandExecutionError(`HTTP ${data.error}: Failed to fetch likes. queryId may have expired.`);

package/clis/twitter/likes.test.js

@@ -1,5 +1,50 @@
-import { describe, expect, it } from 'vitest';
+import { describe, expect, it, vi } from 'vitest';
+import { getRegistry } from '@jackwener/opencli/registry';
+import { ArgumentError, AuthRequiredError } from '@jackwener/opencli/errors';
 import { __test__ } from './likes.js';
+
+function likesPayload() {
+    return {
+        data: {
+            user: {
+                result: {
+                    timeline_v2: {
+                        timeline: {
+                            instructions: [{
+                                entries: [{
+                                    entryId: 'tweet-1',
+                                    content: {
+                                        itemContent: {
+                                            tweet_results: {
+                                                result: {
+                                                    rest_id: '1',
+                                                    legacy: {
+                                                        full_text: 'liked post',
+                                                        favorite_count: 7,
+                                                        retweet_count: 2,
+                                                        created_at: 'now',
+                                                    },
+                                                    core: {
+                                                        user_results: {
+                                                            result: {
+                                                                legacy: { screen_name: 'alice', name: 'Alice' },
+                                                            },
+                                                        },
+                                                    },
+                                                },
+                                            },
+                                        },
+                                    },
+                                }],
+                            }],
+                        },
+                    },
+                },
+            },
+        },
+    };
+}
+
 describe('twitter likes helpers', () => {
     it('falls back when queryId contains unsafe characters', () => {
         expect(__test__.sanitizeQueryId('safe_Query-123', 'fallback')).toBe('safe_Query-123');
@@ -83,3 +128,68 @@ describe('twitter likes helpers', () => {
         });
     });
 });
+
+describe('twitter likes command', () => {
+    it('rejects invalid explicit username before cookies or navigation', async () => {
+        const command = getRegistry().get('twitter/likes');
+        const page = {
+            goto: vi.fn(),
+            wait: vi.fn(),
+            getCookies: vi.fn(),
+            evaluate: vi.fn(),
+        };
+
+        await expect(command.func(page, { username: 'viewer/extra', limit: 10 })).rejects.toBeInstanceOf(ArgumentError);
+        expect(page.getCookies).not.toHaveBeenCalled();
+        expect(page.goto).not.toHaveBeenCalled();
+        expect(page.evaluate).not.toHaveBeenCalled();
+    });
+
+    it('rejects route-like AppTabBar hrefs as AuthRequiredError', async () => {
+        const command = getRegistry().get('twitter/likes');
+        const page = {
+            goto: vi.fn().mockResolvedValue(undefined),
+            wait: vi.fn().mockResolvedValue(undefined),
+            getCookies: vi.fn(async () => [{ name: 'ct0', value: 'token' }]),
+            evaluate: vi.fn(async (script) => {
+                if (String(script).includes('AppTabBar_Profile_Link')) return '/home';
+                throw new Error(`Unexpected evaluate: ${String(script).slice(0, 80)}`);
+            }),
+        };
+
+        await expect(command.func(page, { limit: 10 })).rejects.toBeInstanceOf(AuthRequiredError);
+        expect(page.goto).toHaveBeenCalledWith('https://x.com/home');
+        expect(page.evaluate).toHaveBeenCalledTimes(1);
+    });
+
+    it('unwraps Browser Bridge envelopes for default-self user lookup and likes payload', async () => {
+        const command = getRegistry().get('twitter/likes');
+        const page = {
+            goto: vi.fn().mockResolvedValue(undefined),
+            wait: vi.fn().mockResolvedValue(undefined),
+            getCookies: vi.fn(async () => [{ name: 'ct0', value: 'token' }]),
+            evaluate: vi.fn(async (script) => {
+                const text = String(script);
+                if (text.includes('AppTabBar_Profile_Link')) {
+                    return { session: 'site:twitter', data: '/viewer' };
+                }
+                if (text.includes('operationName')) return null;
+                if (text.includes('/UserByScreenName')) {
+                    return { session: 'site:twitter', data: '42' };
+                }
+                if (text.includes('/Likes')) {
+                    return { session: 'site:twitter', data: likesPayload() };
+                }
+                throw new Error(`Unexpected evaluate: ${text.slice(0, 80)}`);
+            }),
+        };
+
+        const rows = await command.func(page, { limit: 1 });
+
+        expect(rows).toHaveLength(1);
+        expect(rows[0]).toMatchObject({ id: '1', author: 'alice', text: 'liked post' });
+        const likesCall = page.evaluate.mock.calls.find(([script]) => String(script).includes('/Likes')) || [];
+        expect(decodeURIComponent(String(likesCall[0]))).toContain('"userId":"42"');
+        expect(decodeURIComponent(String(likesCall[0]))).not.toContain('[object Object]');
+    });
+});