@mkterswingman/5mghost-wonder 0.0.10 → 0.0.13

package/dist/wecom/browser.js

@@ -13,7 +13,9 @@ const LOGIN_URL = "https://doc.weixin.qq.com";
 const LOGIN_TIMEOUT_MS = 3 * 60 * 1000;
 const COOKIE_POLL_INTERVAL_MS = 2000;
 const CDP_CALL_TIMEOUT_MS = 5000;
-const MIN_KEY_COOKIES_REQUIRED = 3;
+const PROFILE_FLUSH_DELAY_MS = 1500;
+const GRACEFUL_BROWSER_CLOSE_TIMEOUT_MS = 5000;
+const SIGTERM_BROWSER_CLOSE_TIMEOUT_MS = 3000;
 const KEY_COOKIES = [
     "TOK",
     "wedrive_sid",
@@ -47,7 +49,7 @@ function assertLocalhostUrl(url) {
 }
 /**
  * Spawn Chrome → connect via CDP WebSocket → poll Storage.getCookies until
- * ≥ MIN_KEY_COOKIES_REQUIRED key cookies are present → return Record<string,string>.
+ * all key cookies are present → return Record<string,string>.
  */
 export async function collectWecomCookiesViaBrowser(options) {
     const timeoutMs = options.timeoutMs ?? LOGIN_TIMEOUT_MS;
@@ -83,14 +85,24 @@ export async function collectWecomCookiesViaBrowser(options) {
             const startedAt = Date.now();
             while (Date.now() - startedAt < timeoutMs) {
                 const cookies = await readWecomCookies(socket);
-                if (cookies !== null)
+                if (cookies !== null) {
+                    // Give Chrome a short window to flush cookie/profile state before
+                    // shutdown. Returning immediately made the exported cookies valid
+                    // while the dedicated browser profile could remain effectively
+                    // logged out on the next refresh.
+                    if (child)
+                        await delay(PROFILE_FLUSH_DELAY_MS);
                     return cookies;
+                }
                 await delay(COOKIE_POLL_INTERVAL_MS);
             }
             throw new Error(`Timed out waiting for WeCom login after ${Math.round(timeoutMs / 1000)}s. ` +
                 "Sign in to WeCom in the opened browser, then rerun `wonder wecom cookie`.");
         }
         finally {
+            if (child) {
+                await closeBrowserGracefully(socket, child);
+            }
             socket.close();
         }
     }
@@ -291,14 +303,14 @@ function isTrustedDomain(domain) {
 }
 /**
  * Poll CDP for WeCom cookies. Returns Record<string,string> when
- * MIN_KEY_COOKIES_REQUIRED are present, null otherwise.
+ * all key cookies are present, null otherwise.
  */
 async function readWecomCookies(socket) {
     const payload = await sendCdpCommand(socket, "Storage.getCookies");
     const trusted = (payload.cookies ?? []).filter((c) => isTrustedDomain(c.domain));
     const cookieNames = new Set(trusted.map((c) => c.name));
-    const presentKeys = KEY_COOKIES.filter((k) => cookieNames.has(k));
-    if (presentKeys.length < MIN_KEY_COOKIES_REQUIRED)
+    const missingKeys = KEY_COOKIES.filter((k) => !cookieNames.has(k));
+    if (missingKeys.length > 0)
         return null;
     // Build Record; later entries overwrite earlier ones for the same name.
     const result = {};
@@ -327,7 +339,9 @@ async function terminateBrowserProcess(child) {
     else {
         child.kill();
     }
-    await delay(500);
+    const exitedAfterSigterm = await waitForBrowserExit(child, SIGTERM_BROWSER_CLOSE_TIMEOUT_MS);
+    if (exitedAfterSigterm)
+        return;
     if (child.exitCode === null) {
         try {
             if (process.platform !== "win32" && child.pid) {
@@ -342,3 +356,31 @@ async function terminateBrowserProcess(child) {
         }
     }
 }
+async function closeBrowserGracefully(socket, child) {
+    if (child.exitCode !== null)
+        return;
+    try {
+        await sendCdpCommand(socket, "Browser.close");
+    }
+    catch {
+        // Browser.close can close the websocket before the response arrives. The
+        // process exit is the authoritative signal here.
+    }
+    await waitForBrowserExit(child, GRACEFUL_BROWSER_CLOSE_TIMEOUT_MS);
+}
+function waitForBrowserExit(child, timeoutMs) {
+    if (child.exitCode !== null || child.signalCode !== null) {
+        return Promise.resolve(true);
+    }
+    return new Promise((resolve) => {
+        const timer = setTimeout(() => {
+            child.removeListener("exit", onExit);
+            resolve(false);
+        }, timeoutMs);
+        const onExit = () => {
+            clearTimeout(timer);
+            resolve(true);
+        };
+        child.once("exit", onExit);
+    });
+}

package/dist/wecom/cookies.js

@@ -3,6 +3,14 @@
 // Storage: ~/.wonder/cookies.json  (atomic write via tmp+rename, chmod 600)
 import { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, rmSync, writeFileSync, } from "node:fs";
 import { dirname } from "node:path";
+const REQUIRED_COOKIES_FOR_VALIDATION = [
+    "TOK",
+    "wedrive_sid",
+    "uid",
+    "uid_key",
+    "wedrive_ticket",
+    "wedrive_skey",
+];
 // ---------------------------------------------------------------------------
 // Atomic write helper
 // ---------------------------------------------------------------------------
@@ -68,6 +76,9 @@ export function removeCookies(cookiesPath) {
  * - Network error → conservatively return true (avoid false "expired" on offline)
  */
 export async function validateCookies(cookies) {
+    const missingRequired = REQUIRED_COOKIES_FOR_VALIDATION.some((name) => !cookies[name]);
+    if (missingRequired)
+        return false;
     // W-02: strip `;` and `\n` from cookie values to prevent header injection.
     const cookieHeader = Object.entries(cookies)
         .map(([k, v]) => `${k}=${String(v).replace(/[;\n]/g, "")}`)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mkterswingman/5mghost-wonder",
-  "version": "0.0.10",
+  "version": "0.0.13",
   "description": "企微文档读取 CLI — WeCom document reader",
   "type": "module",
   "engines": {
@@ -25,7 +25,7 @@
   "scripts": {
     "build": "rm -rf dist && tsc && chmod +x dist/cli.js",
     "typecheck": "tsc --noEmit",
-    "test": "node dist/wecom/url.test.js && node --test tests/sheet-parity.test.mjs && node --test tests/export-sanitize.test.mjs && node --test tests/format.test.mjs",
+    "test": "node dist/wecom/url.test.js && node --test tests/sheet-parity.test.mjs && node --test tests/export-sanitize.test.mjs && node --test tests/format.test.mjs && node --test tests/cookies-validation.test.mjs",
     "smoke": "npm run build && node dist/cli.js help > /dev/null",
     "postinstall": "node scripts/postinstall.mjs"
   },

package/skills/setup-5mghost-wonder/SKILL.md

@@ -7,9 +7,9 @@ description: Use this skill when the user wants to install or set up wonder, say
 
 ## Skill version
 
-This skill matches **wonder 0.0.10**.
+This skill matches **wonder 0.0.13**.
 
-Once the CLI is installed in Step 1, run `wonder --version`. If the output does not equal `0.0.10`, the CLI on disk has drifted from the skill text loaded in this session. Ask the user to run `/update-5mghost-wonder`, then **start a fresh AI session** (`/exit` and re-enter, or open a new chat) — skill text already loaded into a running session does not refresh after `wonder update`, even though the file on disk has been replaced.
+Once the CLI is installed in Step 1, run `wonder --version`. If the output does not equal `0.0.13`, the CLI on disk has drifted from the skill text loaded in this session. Ask the user to run `/update-5mghost-wonder`, then **start a fresh AI session** (`/exit` and re-enter, or open a new chat) — skill text already loaded into a running session does not refresh after `wonder update`, even though the file on disk has been replaced.
 
 After a successful first install, also remind the user to start a fresh AI session before invoking `/use-5mghost-wonder` for the first time. The skill files were just written to disk; the current session never loaded them.
 
@@ -79,18 +79,27 @@ Check current cookie status:
 wonder wecom status
 ```
 
-If expired or missing, run:
+If the cookie is expired, missing, invalid, or the check gets 401/403, do not
+give the user a manual cookie-export path. Ask the user whether now is a
+convenient time to open the browser for WeCom login. If they confirm, run the
+CLI yourself:
 
 ```bash
 wonder wecom cookie
 ```
 
-This launches the local Chrome/Edge browser via CDP and blocks until the user scans the QR code in WeCom mobile (or the CDP wait times out). When the command returns, verify:
+This is expected to launch the local Chrome/Edge browser login page via CDP and
+block until the user logs in or scans the QR code in WeCom mobile. When the
+command returns, verify:
 
 ```bash
 wonder wecom status
 ```
 
+Never ask the user to install Cookie-Editor, export JSON, paste a cookie
+string, run `wonder wecom cookie` themselves, or use `wonder wecom set-cookie`
+unless the user explicitly asks for a manual/dev/CI cookie path.
+
 ---
 
 ## Step 4 — Detect and install docx skill (for the AI you are running in)

package/skills/update-5mghost-wonder/SKILL.md

@@ -7,7 +7,7 @@ description: Use this skill when the user wants to update or upgrade wonder, say
 
 ## Skill version
 
-This skill matches **wonder 0.0.10**.
+This skill matches **wonder 0.0.13**.
 
 ---
 

package/skills/use-5mghost-wonder/SKILL.md

@@ -7,9 +7,9 @@ description: Use this skill when the user shares a URL containing "doc.weixin.qq
 
 ## Skill version
 
-This skill matches **wonder 0.0.10**.
+This skill matches **wonder 0.0.13**.
 
-In the Session Initialization step below, after running `wonder --version`, compare the output to `0.0.10`. If they differ, the loaded skill text and the CLI on disk are out of sync. Stop, tell the user to run `/update-5mghost-wonder`, and then **start a fresh AI session** (`/exit` and re-enter, or open a new chat) before trying again. `wonder update` rewrites the skill files on disk, but skill text already loaded into the current session does not auto-refresh.
+In the Session Initialization step below, after running `wonder --version`, compare the output to `0.0.13`. If they differ, the loaded skill text and the CLI on disk are out of sync. Stop, tell the user to run `/update-5mghost-wonder`, and then **start a fresh AI session** (`/exit` and re-enter, or open a new chat) before trying again. `wonder update` rewrites the skill files on disk, but skill text already loaded into the current session does not auto-refresh.
 
 ## Session Initialization (first use only per session)
 
@@ -19,26 +19,36 @@ The **first time** you encounter a WeCom document URL in a session, run these ch
 # 1. Check for updates
 wonder update
 
-# 2. Confirm the CLI version matches this skill's expected version (0.0.10)
+# 2. Confirm the CLI version matches this skill's expected version (0.0.13)
 wonder --version
 
 # 3. Check WeCom cookie status
 wonder wecom status
 ```
 
-If `wonder wecom status` reports that the cookie is expired or missing:
+## Cookie refresh behavior
+
+If `wonder wecom status`, `wonder read <url>`, or any WeCom request reports
+that the cookie is expired, missing, invalid, or got 401/403, do not give the
+user a manual cookie-export path. Ask the user whether now is a convenient time
+to open the browser for WeCom login. If they confirm, run the CLI yourself:
 
 ```bash
 wonder wecom cookie
 ```
 
-Wait for the user to complete the QR code scan in the browser, then verify:
+`wonder wecom cookie` is expected to launch the local browser login page. Wait
+for the user to complete the browser login or QR scan, then verify:
 
 ```bash
 wonder wecom status
 ```
 
-Proceed only after cookie is valid.
+Proceed only after the cookie is valid, then retry the original `wonder read`
+command. Never ask the user to install Cookie-Editor, export JSON, paste a
+cookie string, run `wonder wecom cookie` themselves, or use
+`wonder wecom set-cookie` unless the user explicitly asks for a manual/dev/CI
+cookie path.
 
 ---