npm - agent-messenger - Versions diffs - 2.1.0 → 2.3.0 - Mend

agent-messenger 2.1.0 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (217) hide show

package/.claude-plugin/plugin.json +1 -1
package/.env.template +35 -17
package/README.md +7 -7
package/bun.lock +31 -7
package/dist/package.json +5 -3
package/dist/src/platforms/channeltalk/commands/auth.d.ts.map +1 -1
package/dist/src/platforms/channeltalk/commands/auth.js +35 -28
package/dist/src/platforms/channeltalk/commands/auth.js.map +1 -1
package/dist/src/platforms/channeltalk/ensure-auth.js +6 -6
package/dist/src/platforms/channeltalk/ensure-auth.js.map +1 -1
package/dist/src/platforms/channeltalk/token-extractor.d.ts +23 -1
package/dist/src/platforms/channeltalk/token-extractor.d.ts.map +1 -1
package/dist/src/platforms/channeltalk/token-extractor.js +299 -29
package/dist/src/platforms/channeltalk/token-extractor.js.map +1 -1
package/dist/src/platforms/discord/commands/auth.d.ts.map +1 -1
package/dist/src/platforms/discord/commands/auth.js +57 -49
package/dist/src/platforms/discord/commands/auth.js.map +1 -1
package/dist/src/platforms/discord/ensure-auth.js +3 -3
package/dist/src/platforms/discord/ensure-auth.js.map +1 -1
package/dist/src/platforms/discord/token-extractor.d.ts +6 -1
package/dist/src/platforms/discord/token-extractor.d.ts.map +1 -1
package/dist/src/platforms/discord/token-extractor.js +167 -14
package/dist/src/platforms/discord/token-extractor.js.map +1 -1
package/dist/src/platforms/instagram/client.d.ts +2 -0
package/dist/src/platforms/instagram/client.d.ts.map +1 -1
package/dist/src/platforms/instagram/client.js +2 -2
package/dist/src/platforms/instagram/client.js.map +1 -1
package/dist/src/platforms/instagram/commands/auth.d.ts.map +1 -1
package/dist/src/platforms/instagram/commands/auth.js +107 -14
package/dist/src/platforms/instagram/commands/auth.js.map +1 -1
package/dist/src/platforms/instagram/ensure-auth.d.ts.map +1 -1
package/dist/src/platforms/instagram/ensure-auth.js +57 -11
package/dist/src/platforms/instagram/ensure-auth.js.map +1 -1
package/dist/src/platforms/instagram/index.d.ts +1 -0
package/dist/src/platforms/instagram/index.d.ts.map +1 -1
package/dist/src/platforms/instagram/index.js +1 -0
package/dist/src/platforms/instagram/index.js.map +1 -1
package/dist/src/platforms/instagram/token-extractor.d.ts +44 -0
package/dist/src/platforms/instagram/token-extractor.d.ts.map +1 -0
package/dist/src/platforms/instagram/token-extractor.js +407 -0
package/dist/src/platforms/instagram/token-extractor.js.map +1 -0
package/dist/src/platforms/kakaotalk/client.d.ts.map +1 -1
package/dist/src/platforms/kakaotalk/client.js +2 -1
package/dist/src/platforms/kakaotalk/client.js.map +1 -1
package/dist/src/platforms/kakaotalk/commands/auth.d.ts.map +1 -1
package/dist/src/platforms/kakaotalk/commands/auth.js +14 -13
package/dist/src/platforms/kakaotalk/commands/auth.js.map +1 -1
package/dist/src/platforms/kakaotalk/protocol/connection.d.ts.map +1 -1
package/dist/src/platforms/kakaotalk/protocol/connection.js +2 -1
package/dist/src/platforms/kakaotalk/protocol/connection.js.map +1 -1
package/dist/src/platforms/line/client.d.ts.map +1 -1
package/dist/src/platforms/line/client.js +36 -9
package/dist/src/platforms/line/client.js.map +1 -1
package/dist/src/platforms/line/commands/auth.d.ts.map +1 -1
package/dist/src/platforms/line/commands/auth.js +6 -5
package/dist/src/platforms/line/commands/auth.js.map +1 -1
package/dist/src/platforms/slack/commands/auth.d.ts.map +1 -1
package/dist/src/platforms/slack/commands/auth.js +11 -10
package/dist/src/platforms/slack/commands/auth.js.map +1 -1
package/dist/src/platforms/slack/token-extractor.d.ts +9 -0
package/dist/src/platforms/slack/token-extractor.d.ts.map +1 -1
package/dist/src/platforms/slack/token-extractor.js +300 -23
package/dist/src/platforms/slack/token-extractor.js.map +1 -1
package/dist/src/platforms/teams/commands/auth.d.ts.map +1 -1
package/dist/src/platforms/teams/commands/auth.js +9 -8
package/dist/src/platforms/teams/commands/auth.js.map +1 -1
package/dist/src/platforms/teams/ensure-auth.d.ts.map +1 -1
package/dist/src/platforms/teams/ensure-auth.js +2 -1
package/dist/src/platforms/teams/ensure-auth.js.map +1 -1
package/dist/src/platforms/teams/token-extractor.d.ts +5 -0
package/dist/src/platforms/teams/token-extractor.d.ts.map +1 -1
package/dist/src/platforms/teams/token-extractor.js +161 -29
package/dist/src/platforms/teams/token-extractor.js.map +1 -1
package/dist/src/platforms/telegram/client.d.ts.map +1 -1
package/dist/src/platforms/telegram/client.js +25 -7
package/dist/src/platforms/telegram/client.js.map +1 -1
package/dist/src/platforms/telegram/commands/auth.d.ts.map +1 -1
package/dist/src/platforms/telegram/commands/auth.js +6 -5
package/dist/src/platforms/telegram/commands/auth.js.map +1 -1
package/dist/src/platforms/webex/client.d.ts +12 -0
package/dist/src/platforms/webex/client.d.ts.map +1 -1
package/dist/src/platforms/webex/client.js +168 -1
package/dist/src/platforms/webex/client.js.map +1 -1
package/dist/src/platforms/webex/commands/auth.d.ts +4 -0
package/dist/src/platforms/webex/commands/auth.d.ts.map +1 -1
package/dist/src/platforms/webex/commands/auth.js +50 -4
package/dist/src/platforms/webex/commands/auth.js.map +1 -1
package/dist/src/platforms/webex/credential-manager.js +1 -1
package/dist/src/platforms/webex/credential-manager.js.map +1 -1
package/dist/src/platforms/webex/encryption.d.ts +10 -0
package/dist/src/platforms/webex/encryption.d.ts.map +1 -0
package/dist/src/platforms/webex/encryption.js +49 -0
package/dist/src/platforms/webex/encryption.js.map +1 -0
package/dist/src/platforms/webex/ensure-auth.d.ts.map +1 -1
package/dist/src/platforms/webex/ensure-auth.js +25 -5
package/dist/src/platforms/webex/ensure-auth.js.map +1 -1
package/dist/src/platforms/webex/index.d.ts +2 -0
package/dist/src/platforms/webex/index.d.ts.map +1 -1
package/dist/src/platforms/webex/index.js +1 -0
package/dist/src/platforms/webex/index.js.map +1 -1
package/dist/src/platforms/webex/token-extractor.d.ts +29 -0
package/dist/src/platforms/webex/token-extractor.d.ts.map +1 -0
package/dist/src/platforms/webex/token-extractor.js +393 -0
package/dist/src/platforms/webex/token-extractor.js.map +1 -0
package/dist/src/platforms/webex/types.d.ts +8 -1
package/dist/src/platforms/webex/types.d.ts.map +1 -1
package/dist/src/platforms/webex/types.js +4 -1
package/dist/src/platforms/webex/types.js.map +1 -1
package/dist/src/platforms/whatsapp/client.d.ts.map +1 -1
package/dist/src/platforms/whatsapp/client.js +6 -2
package/dist/src/platforms/whatsapp/client.js.map +1 -1
package/dist/src/shared/utils/derived-key-cache.d.ts +1 -1
package/dist/src/shared/utils/derived-key-cache.d.ts.map +1 -1
package/dist/src/shared/utils/error-handler.d.ts +1 -1
package/dist/src/shared/utils/error-handler.d.ts.map +1 -1
package/dist/src/shared/utils/error-handler.js +3 -2
package/dist/src/shared/utils/error-handler.js.map +1 -1
package/dist/src/shared/utils/stderr.d.ts +5 -0
package/dist/src/shared/utils/stderr.d.ts.map +1 -0
package/dist/src/shared/utils/stderr.js +18 -0
package/dist/src/shared/utils/stderr.js.map +1 -0
package/docs/content/docs/cli/channeltalk.mdx +7 -7
package/docs/content/docs/cli/discord.mdx +3 -3
package/docs/content/docs/cli/instagram.mdx +28 -6
package/docs/content/docs/cli/slack.mdx +2 -2
package/docs/content/docs/cli/teams.mdx +6 -4
package/docs/content/docs/cli/webex.mdx +32 -11
package/e2e/README.md +132 -8
package/e2e/channeltalk.e2e.test.ts +2 -7
package/e2e/channeltalkbot.e2e.test.ts +2 -6
package/e2e/config.ts +172 -10
package/e2e/helpers.ts +7 -0
package/e2e/instagram.e2e.test.ts +97 -0
package/e2e/kakaotalk.e2e.test.ts +74 -0
package/e2e/line.e2e.test.ts +92 -0
package/e2e/teams.e2e.test.ts +46 -1
package/e2e/telegram.e2e.test.ts +84 -0
package/e2e/webex.e2e.test.ts +190 -0
package/e2e/whatsapp.e2e.test.ts +90 -0
package/e2e/whatsappbot.e2e.test.ts +78 -0
package/package.json +5 -3
package/skills/agent-channeltalk/SKILL.md +9 -9
package/skills/agent-channeltalk/references/authentication.md +21 -18
package/skills/agent-channeltalkbot/SKILL.md +1 -1
package/skills/agent-discord/SKILL.md +5 -5
package/skills/agent-discord/references/authentication.md +8 -8
package/skills/agent-discordbot/SKILL.md +1 -1
package/skills/agent-instagram/SKILL.md +51 -9
package/skills/agent-instagram/references/authentication.md +35 -3
package/skills/agent-kakaotalk/SKILL.md +1 -1
package/skills/agent-line/SKILL.md +1 -1
package/skills/agent-slack/SKILL.md +5 -5
package/skills/agent-slack/references/authentication.md +8 -8
package/skills/agent-slackbot/SKILL.md +1 -1
package/skills/agent-teams/SKILL.md +6 -6
package/skills/agent-teams/references/authentication.md +8 -8
package/skills/agent-telegram/SKILL.md +1 -1
package/skills/agent-webex/SKILL.md +35 -15
package/skills/agent-webex/references/authentication.md +63 -9
package/skills/agent-webex/references/common-patterns.md +6 -3
package/skills/agent-whatsapp/SKILL.md +1 -1
package/skills/agent-whatsappbot/SKILL.md +1 -1
package/src/platforms/channeltalk/commands/auth.test.ts +5 -5
package/src/platforms/channeltalk/commands/auth.ts +38 -32
package/src/platforms/channeltalk/ensure-auth.test.ts +6 -6
package/src/platforms/channeltalk/ensure-auth.ts +6 -6
package/src/platforms/channeltalk/token-extractor.test.ts +182 -15
package/src/platforms/channeltalk/token-extractor.ts +344 -30
package/src/platforms/discord/commands/auth.test.ts +3 -3
package/src/platforms/discord/commands/auth.ts +58 -54
package/src/platforms/discord/ensure-auth.test.ts +3 -3
package/src/platforms/discord/ensure-auth.ts +3 -3
package/src/platforms/discord/token-extractor.test.ts +199 -27
package/src/platforms/discord/token-extractor.ts +190 -17
package/src/platforms/instagram/client.ts +2 -2
package/src/platforms/instagram/commands/auth.ts +133 -14
package/src/platforms/instagram/ensure-auth.ts +63 -12
package/src/platforms/instagram/index.ts +1 -0
package/src/platforms/instagram/token-extractor.test.ts +424 -0
package/src/platforms/instagram/token-extractor.ts +478 -0
package/src/platforms/kakaotalk/client.ts +3 -1
package/src/platforms/kakaotalk/commands/auth.ts +14 -13
package/src/platforms/kakaotalk/protocol/connection.ts +3 -1
package/src/platforms/line/client.ts +39 -14
package/src/platforms/line/commands/auth.ts +7 -6
package/src/platforms/slack/cli.test.ts +6 -5
package/src/platforms/slack/commands/auth.test.ts +11 -7
package/src/platforms/slack/commands/auth.ts +11 -10
package/src/platforms/slack/token-extractor.test.ts +98 -1
package/src/platforms/slack/token-extractor.ts +338 -26
package/src/platforms/teams/commands/auth.ts +9 -8
package/src/platforms/teams/ensure-auth.ts +3 -1
package/src/platforms/teams/token-extractor.test.ts +136 -17
package/src/platforms/teams/token-extractor.ts +182 -31
package/src/platforms/telegram/client.test.ts +134 -0
package/src/platforms/telegram/client.ts +27 -6
package/src/platforms/telegram/commands/auth.ts +6 -5
package/src/platforms/webex/client.test.ts +314 -0
package/src/platforms/webex/client.ts +231 -1
package/src/platforms/webex/commands/auth.ts +71 -4
package/src/platforms/webex/commands/member.test.ts +10 -1
package/src/platforms/webex/commands/message.test.ts +9 -5
package/src/platforms/webex/commands/snapshot.test.ts +13 -4
package/src/platforms/webex/commands/space.test.ts +12 -2
package/src/platforms/webex/credential-manager.ts +1 -1
package/src/platforms/webex/encryption.ts +53 -0
package/src/platforms/webex/ensure-auth.test.ts +4 -0
package/src/platforms/webex/ensure-auth.ts +27 -4
package/src/platforms/webex/index.ts +2 -0
package/src/platforms/webex/token-extractor.test.ts +327 -0
package/src/platforms/webex/token-extractor.ts +460 -0
package/src/platforms/webex/types.ts +8 -2
package/src/platforms/webex/typings/node-jose.d.ts +27 -0
package/src/platforms/whatsapp/client.ts +11 -7
package/src/shared/utils/derived-key-cache.ts +1 -1
package/src/shared/utils/error-handler.ts +4 -2
package/src/shared/utils/stderr.ts +22 -0

package/src/platforms/channeltalk/token-extractor.test.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { afterEach, describe, expect, test } from 'bun:test'
+import { afterEach, describe, expect, spyOn, test } from 'bun:test'
 import { createCipheriv, randomBytes } from 'node:crypto'
 import { existsSync, mkdtempSync, mkdirSync, rmSync, writeFileSync } from 'node:fs'
 import { tmpdir } from 'node:os'
@@ -57,8 +57,47 @@ describe('ChannelTokenExtractor', () => {
     })
   })
+  describe('getBrowserCookiesPaths', () => {
+    test('returns browser cookie paths on macOS including Default profile', () => {
+      const extractor = new ChannelTokenExtractor('darwin')
+      const paths = extractor.getBrowserCookiesPaths()
+      const chromeBase = join(
+        process.env.HOME || '/tmp',
+        'Library',
+        'Application Support',
+        'Google',
+        'Chrome',
+      )
+      expect(paths).toContain(join(chromeBase, 'Default', 'Cookies'))
+      expect(paths).toContain(join(chromeBase, 'Default', 'Network', 'Cookies'))
+    })
+    test('returns browser cookie paths on Linux', () => {
+      const extractor = new ChannelTokenExtractor('linux')
+      const paths = extractor.getBrowserCookiesPaths()
+      const chromeBase = join(process.env.HOME || '/tmp', '.config', 'google-chrome')
+      expect(paths).toContain(join(chromeBase, 'Default', 'Cookies'))
+    })
+    test('returns browser cookie paths on Windows', () => {
+      const extractor = new ChannelTokenExtractor('win32')
+      const paths = extractor.getBrowserCookiesPaths()
+      const localAppData = process.env.LOCALAPPDATA || join(process.env.HOME || '/tmp', 'AppData', 'Local')
+      const chromeBase = join(localAppData, 'Google', 'Chrome', 'User Data')
+      expect(paths).toContain(join(chromeBase, 'Default', 'Cookies'))
+    })
+    test('returns empty array for unsupported platform', () => {
+      const extractor = new ChannelTokenExtractor('freebsd' as NodeJS.Platform)
+      expect(extractor.getBrowserCookiesPaths()).toEqual([])
+    })
+  })
   describe('extract', () => {
-    test('returns null when cookies path does not exist', async () => {
+    test('returns empty array when desktop cookies path does not exist', async () => {
       class MissingPathExtractor extends ChannelTokenExtractor {
         override getCookiesPath(): string | null {
           return null
@@ -67,7 +106,45 @@ describe('ChannelTokenExtractor', () => {
       const extractor = new MissingPathExtractor('darwin')
-      expect(await extractor.extract()).toBeNull()
+      expect(await extractor.extract()).toEqual([])
+    })
+    test('tries desktop app before browser profiles and collects both', async () => {
+      const extractor = new ChannelTokenExtractor('darwin')
+      const desktopSpy = spyOn(extractor as any, 'extractFromDesktopApp').mockResolvedValue({
+        accountCookie: 'desktop-account',
+        sessionCookie: 'desktop-session',
+      })
+      const browserSpy = spyOn(extractor as any, 'extractAllFromBrowserPaths').mockResolvedValue([])
+      const result = await extractor.extract()
+      expect(desktopSpy).toHaveBeenCalled()
+      expect(browserSpy).toHaveBeenCalled()
+      expect(result[0]?.accountCookie).toBe('desktop-account')
+      desktopSpy.mockRestore()
+      browserSpy.mockRestore()
+    })
+    test('includes browser profiles even when desktop extraction returns null', async () => {
+      const extractor = new ChannelTokenExtractor('darwin')
+      const desktopSpy = spyOn(extractor as any, 'extractFromDesktopApp').mockResolvedValue(null)
+      const browserSpy = spyOn(extractor as any, 'extractAllFromBrowserPaths').mockResolvedValue([{
+        accountCookie: 'browser-account',
+        sessionCookie: undefined,
+      }])
+      const result = await extractor.extract()
+      expect(desktopSpy).toHaveBeenCalled()
+      expect(browserSpy).toHaveBeenCalled()
+      expect(result[0]?.accountCookie).toBe('browser-account')
+      desktopSpy.mockRestore()
+      browserSpy.mockRestore()
     })
     test('extracts plaintext cookies from a real sqlite database', async () => {
@@ -92,10 +169,10 @@ describe('ChannelTokenExtractor', () => {
       const extractor = new TestExtractor(dbPath)
-      expect(await extractor.extract()).toEqual({
+      expect(await extractor.extract()).toEqual([{
         accountCookie: 'account-jwt',
         sessionCookie: 'session-jwt',
-      })
+      }])
     })
     test('returns token with undefined sessionCookie when only x-account is present', async () => {
@@ -119,12 +196,12 @@ describe('ChannelTokenExtractor', () => {
       const extractor = new TestExtractor(dbPath)
       const result = await extractor.extract()
-      expect(result).not.toBeNull()
-      expect(result?.accountCookie).toBe('account-jwt')
-      expect(result?.sessionCookie).toBeUndefined()
+      expect(result).not.toEqual([])
+      expect(result[0]?.accountCookie).toBe('account-jwt')
+      expect(result[0]?.sessionCookie).toBeUndefined()
     })
-    test('returns null when x-account is missing', async () => {
+    test('returns empty array when x-account is missing', async () => {
       const tempDir = mkdtempSync(join(tmpdir(), 'channel-cookie-db-'))
       tempDirs.push(tempDir)
       const dbPath = join(tempDir, 'Cookies')
@@ -144,7 +221,7 @@ describe('ChannelTokenExtractor', () => {
       const extractor = new TestExtractor(dbPath)
-      expect(await extractor.extract()).toBeNull()
+      expect(await extractor.extract()).toEqual([])
     })
     test('decrypts AES-256-GCM encrypted cookies using master key', async () => {
@@ -194,12 +271,53 @@ describe('ChannelTokenExtractor', () => {
       const result = await extractor.extract()
       // then
-      expect(result).not.toBeNull()
-      expect(result?.accountCookie).toBe('encrypted-account-jwt')
-      expect(result?.sessionCookie).toBe('encrypted-session-jwt')
+      expect(result).not.toEqual([])
+      expect(result[0]?.accountCookie).toBe('encrypted-account-jwt')
+      expect(result[0]?.sessionCookie).toBe('encrypted-session-jwt')
     })
-    test('returns null when DPAPI decryption fails', async () => {
+    test('deduplicates entries with the same accountCookie from desktop and browser', async () => {
+      const extractor = new ChannelTokenExtractor('darwin')
+      const desktopSpy = spyOn(extractor as any, 'extractFromDesktopApp').mockResolvedValue({
+        accountCookie: 'same-account-cookie',
+        sessionCookie: 'desktop-session',
+      })
+      const browserSpy = spyOn(extractor as any, 'extractAllFromBrowserPaths').mockResolvedValue([{
+        accountCookie: 'same-account-cookie',
+        sessionCookie: 'browser-session',
+      }])
+      const result = await extractor.extract()
+      expect(result).toHaveLength(1)
+      expect(result[0]?.accountCookie).toBe('same-account-cookie')
+      desktopSpy.mockRestore()
+      browserSpy.mockRestore()
+    })
+    test('returns multiple distinct accounts from desktop and browser sources', async () => {
+      const extractor = new ChannelTokenExtractor('darwin')
+      const desktopSpy = spyOn(extractor as any, 'extractFromDesktopApp').mockResolvedValue({
+        accountCookie: 'desktop-account-cookie',
+        sessionCookie: 'desktop-session',
+      })
+      const browserSpy = spyOn(extractor as any, 'extractAllFromBrowserPaths').mockResolvedValue([{
+        accountCookie: 'browser-account-cookie',
+        sessionCookie: 'browser-session',
+      }])
+      const result = await extractor.extract()
+      expect(result).toHaveLength(2)
+      expect(result.map((r) => r.accountCookie)).toContain('desktop-account-cookie')
+      expect(result.map((r) => r.accountCookie)).toContain('browser-account-cookie')
+      desktopSpy.mockRestore()
+      browserSpy.mockRestore()
+    })
+    test('returns empty array when DPAPI decryption fails', async () => {
       // given
       const masterKey = randomBytes(32)
       const encryptAccount = encryptAESGCM('account-jwt', masterKey)
@@ -238,7 +356,7 @@ describe('ChannelTokenExtractor', () => {
       const result = await extractor.extract()
       // then
-      expect(result).toBeNull()
+      expect(result).toEqual([])
     })
   })
@@ -248,6 +366,55 @@ describe('ChannelTokenExtractor', () => {
       expect(extractor.decryptDPAPI(Buffer.from('test'))).toBeNull()
     })
   })
+  describe('decryptBrowserCookie', () => {
+    test('decrypts v10-prefixed browser cookie using macOS keychain password (AES-128-CBC)', () => {
+      // given — AES-128-CBC encrypted cookie with macOS keychain-derived key
+      const { createCipheriv, pbkdf2Sync } = require('node:crypto')
+      const password = 'test-keychain-password'
+      const key = pbkdf2Sync(password, 'saltysalt', 1003, 16, 'sha1')
+      const iv = Buffer.alloc(16, 0x20)
+      const plainValue = 'test-channel-account-value'
+      const cipher = createCipheriv('aes-128-cbc', key, iv)
+      const ciphertext = Buffer.concat([cipher.update(plainValue, 'utf8'), cipher.final()])
+      const encrypted = Buffer.concat([Buffer.from('v10'), ciphertext])
+      const darwinExtractor = new ChannelTokenExtractor('darwin')
+      const execSecuritySpy = spyOn(darwinExtractor as any, 'execSecurityCommand').mockReturnValue(password)
+      // when
+      const result = (darwinExtractor as any).decryptBrowserCookie(encrypted, '/fake/path/Cookies')
+      // then
+      expect(result).toBe(plainValue)
+      execSecuritySpy.mockRestore()
+    })
+    test('decrypts v10-prefixed browser cookie using Linux peanuts key (AES-128-CBC)', () => {
+      // given — AES-128-CBC encrypted cookie with Linux Chromium peanuts key
+      const { createCipheriv, pbkdf2Sync } = require('node:crypto')
+      const key = pbkdf2Sync('peanuts', 'saltysalt', 1, 16, 'sha1')
+      const iv = Buffer.alloc(16, 0x20)
+      const plainValue = 'test-channel-account-linux'
+      const cipher = createCipheriv('aes-128-cbc', key, iv)
+      const ciphertext = Buffer.concat([cipher.update(plainValue, 'utf8'), cipher.final()])
+      const encrypted = Buffer.concat([Buffer.from('v10'), ciphertext])
+      const linuxExtractor = new ChannelTokenExtractor('linux')
+      // when
+      const result = (linuxExtractor as any).decryptBrowserCookie(
+        encrypted,
+        '/home/user/.config/google-chrome/Default/Cookies',
+      )
+      // then
+      expect(result).toBe(plainValue)
+    })
+  })
 })
 function encryptAESGCM(plaintext: string, key: Buffer): Buffer {

package/src/platforms/channeltalk/token-extractor.ts CHANGED Viewed

@@ -1,6 +1,6 @@
-import { createDecipheriv } from 'node:crypto'
-import { copyFileSync, existsSync, readFileSync, unlinkSync } from 'node:fs'
 import { execSync } from 'node:child_process'
+import { createDecipheriv, pbkdf2Sync } from 'node:crypto'
+import { copyFileSync, existsSync, readFileSync, readdirSync, unlinkSync } from 'node:fs'
 import { homedir, tmpdir } from 'node:os'
 import { join } from 'node:path'
@@ -8,8 +8,66 @@ import type { ExtractedChannelToken } from './types'
 type CookieRow = { name: string; value: string; encrypted_value: Uint8Array | Buffer }
+interface BrowserConfig {
+  name: string
+  darwin: string
+  linux: string
+  win32: string
+}
+interface KeychainVariant {
+  service: string
+  account: string
+}
+const BROWSERS: BrowserConfig[] = [
+  {
+    name: 'Chrome',
+    darwin: join('Google', 'Chrome'),
+    linux: 'google-chrome',
+    win32: join('Google', 'Chrome', 'User Data'),
+  },
+  {
+    name: 'Chrome Canary',
+    darwin: join('Google', 'Chrome Canary'),
+    linux: 'google-chrome-unstable',
+    win32: join('Google', 'Chrome SxS', 'User Data'),
+  },
+  {
+    name: 'Edge',
+    darwin: 'Microsoft Edge',
+    linux: 'microsoft-edge',
+    win32: join('Microsoft', 'Edge', 'User Data'),
+  },
+  {
+    name: 'Arc',
+    darwin: join('Arc', 'User Data'),
+    linux: '',
+    win32: join('Arc', 'User Data'),
+  },
+  {
+    name: 'Brave',
+    darwin: join('BraveSoftware', 'Brave-Browser'),
+    linux: join('BraveSoftware', 'Brave-Browser'),
+    win32: join('BraveSoftware', 'Brave-Browser', 'User Data'),
+  },
+  {
+    name: 'Vivaldi',
+    darwin: 'Vivaldi',
+    linux: 'vivaldi',
+    win32: join('Vivaldi', 'User Data'),
+  },
+  {
+    name: 'Chromium',
+    darwin: 'Chromium',
+    linux: 'chromium',
+    win32: join('Chromium', 'User Data'),
+  },
+]
 export class ChannelTokenExtractor {
   private platform: NodeJS.Platform
+  private cachedKey: Buffer | null = null
   constructor(platform?: NodeJS.Platform) {
     this.platform = platform ?? process.platform
@@ -67,7 +125,123 @@ export class ChannelTokenExtractor {
     return existsSync(localStatePath) ? localStatePath : null
   }
-  async extract(): Promise<ExtractedChannelToken | null> {
+  getBrowserCookiesPaths(): string[] {
+    const paths: string[] = []
+    for (const browser of BROWSERS) {
+      const browserBase = this.getBrowserBasePath(browser)
+      if (!browserBase) continue
+      const profileDirs = this.discoverProfileDirs(browserBase)
+      for (const profileDir of profileDirs) {
+        paths.push(join(profileDir, 'Cookies'))
+        paths.push(join(profileDir, 'Network', 'Cookies'))
+      }
+    }
+    return paths
+  }
+  private getBrowserBasePath(browser: BrowserConfig): string | null {
+    let relative: string
+    switch (this.platform) {
+      case 'darwin':
+        relative = browser.darwin
+        if (!relative) return null
+        return join(homedir(), 'Library', 'Application Support', relative)
+      case 'linux':
+        relative = browser.linux
+        if (!relative) return null
+        return join(homedir(), '.config', relative)
+      case 'win32':
+        relative = browser.win32
+        if (!relative) return null
+        return join(
+          process.env.LOCALAPPDATA || join(homedir(), 'AppData', 'Local'),
+          relative,
+        )
+      default:
+        return null
+    }
+  }
+  private discoverProfileDirs(browserBase: string): string[] {
+    const dirs: string[] = []
+    dirs.push(join(browserBase, 'Default'))
+    if (!existsSync(browserBase)) return dirs
+    try {
+      const entries = readdirSync(browserBase, { withFileTypes: true })
+      for (const entry of entries) {
+        if (!entry.isDirectory()) continue
+        if (!/^Profile \d+$/i.test(entry.name)) continue
+        dirs.push(join(browserBase, entry.name))
+      }
+    } catch {}
+    return dirs
+  }
+  private findLocalStateForCookiePath(cookiePath: string): string | null {
+    const parts = cookiePath.split(/[/\\]/)
+    for (let levels = 2; levels <= 4; levels++) {
+      if (parts.length < levels) break
+      const base = parts.slice(0, parts.length - levels).join('/')
+      const candidate = join(base, 'Local State')
+      if (existsSync(candidate)) return candidate
+    }
+    return null
+  }
+  getKeychainVariants(): KeychainVariant[] {
+    return [
+      { service: 'Chrome Safe Storage', account: 'Chrome' },
+      { service: 'Chrome Canary Safe Storage', account: 'Chrome Canary' },
+      { service: 'Microsoft Edge Safe Storage', account: 'Microsoft Edge' },
+      { service: 'Arc Safe Storage', account: 'Arc' },
+      { service: 'Brave Safe Storage', account: 'Brave' },
+      { service: 'Vivaldi Safe Storage', account: 'Vivaldi' },
+      { service: 'Chromium Safe Storage', account: 'Chromium' },
+    ]
+  }
+  async extract(): Promise<ExtractedChannelToken[]> {
+    const results: ExtractedChannelToken[] = []
+    const seenAccounts = new Set<string>()
+    const desktopResult = await this.extractFromDesktopApp()
+    if (desktopResult && !seenAccounts.has(desktopResult.accountCookie)) {
+      seenAccounts.add(desktopResult.accountCookie)
+      results.push(desktopResult)
+    }
+    for (const browserResult of await this.extractAllFromBrowserPaths()) {
+      if (!seenAccounts.has(browserResult.accountCookie)) {
+        seenAccounts.add(browserResult.accountCookie)
+        results.push(browserResult)
+      }
+    }
+    return results
+  }
+  private async extractAllFromBrowserPaths(): Promise<ExtractedChannelToken[]> {
+    const results: ExtractedChannelToken[] = []
+    const cookiePaths = this.getBrowserCookiesPaths()
+    for (const cookiePath of cookiePaths) {
+      if (!existsSync(cookiePath)) continue
+      const result = await this.extractFromBrowserCookiePath(cookiePath)
+      if (result) results.push(result)
+    }
+    return results
+  }
+  private async extractFromDesktopApp(): Promise<ExtractedChannelToken | null> {
     const cookiesPath = this.getCookiesPath()
     if (!cookiesPath) {
       return null
@@ -77,28 +251,7 @@ export class ChannelTokenExtractor {
     try {
       copyFileSync(cookiesPath, tempPath)
-      const sql = `
-        SELECT name, value, encrypted_value FROM cookies
-        WHERE name IN ('x-account', 'ch-session-1', 'ch-session')
-        AND host_key LIKE '%.channel.io%'
-      `
-      const rows: CookieRow[] = typeof globalThis.Bun !== 'undefined'
-        ? await (async () => {
-            const { Database } = await import('bun:sqlite')
-            const db = new Database(tempPath, { readonly: true })
-            const result = db.query(sql).all() as CookieRow[]
-            db.close()
-            return result
-          })()
-        : await (async () => {
-            const { createRequire } = await import('node:module')
-            const req = createRequire(import.meta.url)
-            const Database = req('better-sqlite3')
-            const db = new Database(tempPath, { readonly: true })
-            const result = db.prepare(sql).all() as CookieRow[]
-            db.close()
-            return result
-          })()
+      const rows = await this.queryCookieDB(tempPath)
       const accountCookie = this.getCookieValue(rows, 'x-account')
       const sessionCookie =
@@ -119,6 +272,73 @@ export class ChannelTokenExtractor {
     }
   }
+  private async extractFromBrowsers(): Promise<ExtractedChannelToken | null> {
+    const cookiePaths = this.getBrowserCookiesPaths()
+    for (const cookiePath of cookiePaths) {
+      if (!existsSync(cookiePath)) continue
+      const result = await this.extractFromBrowserCookiePath(cookiePath)
+      if (result) return result
+    }
+    return null
+  }
+  private async extractFromBrowserCookiePath(cookiePath: string): Promise<ExtractedChannelToken | null> {
+    const tempPath = join(tmpdir(), `channel-browser-cookies-${Date.now()}`)
+    try {
+      copyFileSync(cookiePath, tempPath)
+      const rows = await this.queryCookieDB(tempPath)
+      const accountCookie = this.getBrowserCookieValue(rows, 'x-account', cookiePath)
+      const sessionCookie =
+        this.getBrowserCookieValue(rows, 'ch-session-1', cookiePath) ??
+        this.getBrowserCookieValue(rows, 'ch-session', cookiePath)
+      return accountCookie ? { accountCookie, sessionCookie } : null
+    } catch {
+      return null
+    } finally {
+      try {
+        if (existsSync(tempPath)) {
+          unlinkSync(tempPath)
+        }
+      } catch {
+        /* temp file cleanup failure is non-critical */
+      }
+    }
+  }
+  private async queryCookieDB(dbPath: string): Promise<CookieRow[]> {
+    const sql = `
+      SELECT name, value, encrypted_value FROM cookies
+      WHERE name IN ('x-account', 'ch-session-1', 'ch-session')
+      AND host_key LIKE '%.channel.io%'
+    `
+    if (typeof globalThis.Bun !== 'undefined') {
+      return await (async () => {
+        const { Database } = await import('bun:sqlite')
+        const db = new Database(dbPath, { readonly: true })
+        const result = db.query(sql).all() as CookieRow[]
+        db.close()
+        return result
+      })()
+    }
+    return await (async () => {
+      const { createRequire } = await import('node:module')
+      const req = createRequire(import.meta.url)
+      const Database = req('better-sqlite3')
+      const db = new Database(dbPath, { readonly: true })
+      const result = db.prepare(sql).all() as CookieRow[]
+      db.close()
+      return result
+    })()
+  }
   private getCookieValue(rows: CookieRow[], name: string): string | undefined {
     const row = rows.find((r) => r.name === name)
     if (!row) return undefined
@@ -133,6 +353,20 @@ export class ChannelTokenExtractor {
     return this.decryptCookie(encrypted) ?? undefined
   }
+  private getBrowserCookieValue(rows: CookieRow[], name: string, dbPath: string): string | undefined {
+    const row = rows.find((r) => r.name === name)
+    if (!row) return undefined
+    if (row.value && row.value.length > 0) {
+      return row.value
+    }
+    const encrypted = Buffer.from(row.encrypted_value)
+    if (encrypted.length === 0) return undefined
+    return this.decryptBrowserCookie(encrypted, dbPath) ?? undefined
+  }
   private decryptCookie(encryptedValue: Buffer): string | null {
     if (!this.isEncryptedValue(encryptedValue)) {
       return encryptedValue.toString('utf8')
@@ -145,21 +379,37 @@ export class ChannelTokenExtractor {
     return null
   }
+  private decryptBrowserCookie(encryptedValue: Buffer, dbPath: string): string | null {
+    if (!this.isEncryptedValue(encryptedValue)) {
+      return encryptedValue.toString('utf8')
+    }
+    if (this.platform === 'win32') {
+      const localStatePath = this.findLocalStateForCookiePath(dbPath)
+      return this.decryptWindowsCookie(encryptedValue, localStatePath ?? undefined)
+    } else if (this.platform === 'darwin') {
+      return this.decryptMacCookie(encryptedValue)
+    } else if (this.platform === 'linux') {
+      return this.decryptLinuxCookie(encryptedValue)
+    }
+    return null
+  }
   private isEncryptedValue(value: Buffer): boolean {
     if (!value || value.length < 4) return false
     const prefix = value.subarray(0, 3).toString('utf8')
     return prefix === 'v10' || prefix === 'v11'
   }
-  private decryptWindowsCookie(encryptedData: Buffer): string | null {
+  private decryptWindowsCookie(encryptedData: Buffer, localStatePath?: string): string | null {
     try {
-      const localStatePath = this.getLocalStatePath()
-      if (!localStatePath) return null
+      const statePath = localStatePath ?? this.getLocalStatePath()
+      if (!statePath) return null
-      const localState = JSON.parse(readFileSync(localStatePath, 'utf8'))
+      const localState = JSON.parse(readFileSync(statePath, 'utf8'))
       const encryptedKey = Buffer.from(localState.os_crypt.encrypted_key, 'base64')
-      // Remove "DPAPI" prefix (5 bytes)
       const dpapiBlobKey = encryptedKey.subarray(5)
       const masterKey = this.decryptDPAPI(dpapiBlobKey)
       if (!masterKey) return null
@@ -170,6 +420,70 @@ export class ChannelTokenExtractor {
     }
   }
+  private decryptMacCookie(encryptedData: Buffer): string | null {
+    if (this.cachedKey) {
+      const decrypted = this.decryptAESCBC(encryptedData, this.cachedKey)
+      if (decrypted) return decrypted
+    }
+    for (const variant of this.getKeychainVariants()) {
+      const password = this.execSecurityCommand(variant.service, variant.account)
+      if (!password) continue
+      const key = pbkdf2Sync(password, 'saltysalt', 1003, 16, 'sha1')
+      const decrypted = this.decryptAESCBC(encryptedData, key)
+      if (decrypted) {
+        this.cachedKey = key
+        return decrypted
+      }
+    }
+    return null
+  }
+  private decryptLinuxCookie(encryptedData: Buffer): string | null {
+    const key = pbkdf2Sync('peanuts', 'saltysalt', 1, 16, 'sha1')
+    return this.decryptAESCBC(encryptedData, key)
+  }
+  private execSecurityCommand(service: string, account: string): string | null {
+    try {
+      const safeService = service.replace(/"/g, '\\"')
+      const safeAccount = account.replace(/"/g, '\\"')
+      const result = execSync(
+        `security find-generic-password -s "${safeService}" -a "${safeAccount}" -w 2>/dev/null`,
+        { encoding: 'utf8' },
+      )
+      return result.trim() || null
+    } catch {
+      return null
+    }
+  }
+  private decryptAESCBC(encryptedData: Buffer, key: Buffer): string | null {
+    try {
+      const ciphertext = encryptedData.subarray(3)
+      const iv = Buffer.alloc(16, 0x20)
+      const decipher = createDecipheriv('aes-128-cbc', key, iv)
+      decipher.setAutoPadding(true)
+      const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()])
+      // Chromium v130+ integrity hash: 32-byte non-printable prefix
+      if (decrypted.length > 32) {
+        const hasNonPrintablePrefix = decrypted.subarray(0, 32).some((b) => b < 0x20 || b > 0x7e)
+        if (hasNonPrintablePrefix) {
+          return decrypted.subarray(32).toString('utf8')
+        }
+      }
+      return decrypted.toString('utf8')
+    } catch {
+      return null
+    }
+  }
   decryptDPAPI(encryptedBlob: Buffer): Buffer | null {
     if (this.platform !== 'win32') return null
     try {