agent-messenger 2.10.2 → 2.11.1

package/src/platforms/teams/commands/auth.ts

@@ -1,5 +1,6 @@
 import { Command } from 'commander'
 
+import { collectBrowserProfileOption } from '@/shared/chromium'
 import { handleError } from '@/shared/utils/error-handler'
 import { formatOutput } from '@/shared/utils/output'
 import { debug } from '@/shared/utils/stderr'
@@ -9,7 +10,46 @@ import { TeamsCredentialManager } from '../credential-manager'
 import { TeamsTokenExtractor } from '../token-extractor'
 import type { TeamsAccount, TeamsAccountType, TeamsConfig } from '../types'
 
-export async function extractAction(options: { pretty?: boolean; debug?: boolean; token?: string }): Promise<void> {
+interface ValidatedTeamsToken {
+  client: TeamsClient
+  accountType: TeamsAccountType
+  authInfo: { id: string; displayName: string }
+}
+
+async function validateTokenWithProbe(
+  token: string,
+  accountType: TeamsAccountType,
+  accountTypeKnown: boolean,
+  debugLog?: (msg: string) => void,
+): Promise<ValidatedTeamsToken> {
+  const primaryTypes: TeamsAccountType[] = [accountType]
+  if (!accountTypeKnown) {
+    primaryTypes.push(accountType === 'work' ? 'personal' : 'work')
+  }
+
+  let lastError: Error | null = null
+  for (const candidateType of primaryTypes) {
+    try {
+      const client = await new TeamsClient().login({ token, accountType: candidateType })
+      const authInfo = await client.testAuth()
+      if (candidateType !== accountType) {
+        debugLog?.(`[debug] Reclassified ${accountType} → ${candidateType} via API probe`)
+      }
+      return { client, accountType: candidateType, authInfo }
+    } catch (error) {
+      lastError = error as Error
+      debugLog?.(`[debug] Probe ${candidateType} failed: ${lastError.message}`)
+    }
+  }
+  throw lastError ?? new Error('Token validation failed')
+}
+
+export async function extractAction(options: {
+  pretty?: boolean
+  debug?: boolean
+  token?: string
+  browserProfile?: string[]
+}): Promise<void> {
   try {
     if (options.token) {
       await extractManualToken(options.token, options)
@@ -17,7 +57,7 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
     }
 
     const debugLog = options.debug ? (msg: string) => debug(`[debug] ${msg}`) : undefined
-    const extractor = new TeamsTokenExtractor(undefined, undefined, debugLog)
+    const extractor = new TeamsTokenExtractor(undefined, undefined, debugLog, options.browserProfile)
 
     if (process.platform === 'darwin') {
       console.log('')
@@ -67,20 +107,33 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
       teams: string[]
     }> = []
 
-    for (const { token, accountType } of extracted) {
+    for (const { token, accountType: extractedType, accountTypeKnown } of extracted) {
       if (options.debug) {
-        debug(`[debug] Validating ${accountType} account token...`)
+        const label = accountTypeKnown ? extractedType : `${extractedType} (probing)`
+        debug(`[debug] Validating ${label} account token...`)
       }
 
       try {
-        const client = await new TeamsClient().login({ token, accountType })
-        const authInfo = await client.testAuth()
+        const debugLog = options.debug ? (msg: string) => debug(msg) : undefined
+        const { client, accountType, authInfo } = await validateTokenWithProbe(
+          token,
+          extractedType,
+          accountTypeKnown,
+          debugLog,
+        )
         const teams = await client.listTeams()
 
         if (options.debug) {
           debug(`[debug] ✓ ${accountType}: ${authInfo.displayName} (${teams.length} team(s))`)
         }
 
+        if (config.accounts[accountType]) {
+          if (options.debug) {
+            debug(`[debug] Skipping duplicate ${accountType} account`)
+          }
+          continue
+        }
+
         const teamMap: Record<string, { team_id: string; team_name: string }> = {}
         for (const team of teams) {
           teamMap[team.id] = { team_id: team.id, team_name: team.name }
@@ -110,7 +163,7 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
         const errorMessage = (error as Error).message
         const is401 = errorMessage.includes('401') || errorMessage.includes('Unauthorized')
         if (options.debug) {
-          debug(`[debug] ✗ ${accountType}: ${errorMessage}`)
+          debug(`[debug] ✗ ${extractedType}: ${errorMessage}`)
         }
         if (extracted.length === 1) {
           console.log(
@@ -380,6 +433,12 @@ export const authCommand = new Command('auth')
       .option('--pretty', 'Pretty print JSON output')
       .option('--debug', 'Show debug output for troubleshooting')
       .option('--token <token>', 'Manually provide a token (bypasses auto-extraction)')
+      .option(
+        '--browser-profile <path>',
+        'Additional Chromium profile/user-data directory to scan (repeatable, comma-separated supported)',
+        collectBrowserProfileOption,
+        [],
+      )
       .action(extractAction),
   )
   .addCommand(

package/src/platforms/teams/ensure-auth.test.ts

@@ -16,7 +16,7 @@ beforeEach(() => {
   loadConfigSpy = spyOn(TeamsCredentialManager.prototype, 'loadConfig').mockResolvedValue(null)
 
   extractSpy = spyOn(TeamsTokenExtractor.prototype, 'extract').mockResolvedValue([
-    { token: 'test-teams-token', accountType: 'work' },
+    { token: 'test-teams-token', accountType: 'work', accountTypeKnown: true },
   ])
 
   testAuthSpy = spyOn(TeamsClient.prototype, 'testAuth').mockResolvedValue({
@@ -199,8 +199,8 @@ describe('ensureTeamsAuth', () => {
   it('extracts and saves multiple accounts', async () => {
     // given
     extractSpy.mockResolvedValue([
-      { token: 'work-token', accountType: 'work' },
-      { token: 'personal-token', accountType: 'personal' },
+      { token: 'work-token', accountType: 'work', accountTypeKnown: true },
+      { token: 'personal-token', accountType: 'personal', accountTypeKnown: true },
     ])
 
     testAuthSpy
@@ -229,8 +229,8 @@ describe('ensureTeamsAuth', () => {
   it('skips failed account but saves successful ones', async () => {
     // given
     extractSpy.mockResolvedValue([
-      { token: 'work-token', accountType: 'work' },
-      { token: 'bad-token', accountType: 'personal' },
+      { token: 'work-token', accountType: 'work', accountTypeKnown: true },
+      { token: 'bad-token', accountType: 'personal', accountTypeKnown: true },
     ])
 
     testAuthSpy
@@ -248,6 +248,57 @@ describe('ensureTeamsAuth', () => {
     expect(savedConfig.accounts.personal).toBeUndefined()
   })
 
+  // Regression for #163: browser-sourced tokens arrive with accountTypeKnown=false and
+  // a guessed accountType of 'work'. If the work endpoint rejects them, we must probe
+  // the personal endpoint before giving up — otherwise personal accounts logged in via
+  // browser would always fail validation.
+  it('reclassifies browser-sourced token from work to personal when work probe fails', async () => {
+    // given: extractor returns a token guessed as work but with unknown flag
+    extractSpy.mockResolvedValue([{ token: 'browser-token', accountType: 'work', accountTypeKnown: false }])
+
+    // first testAuth call (work) fails, second (personal) succeeds
+    testAuthSpy
+      .mockRejectedValueOnce(new Error('HTTP 403'))
+      .mockResolvedValueOnce({ id: 'user-p', displayName: 'Personal User' })
+
+    listTeamsSpy.mockResolvedValueOnce([{ id: 'team-p', name: 'Personal Chat' }])
+
+    // when
+    await ensureTeamsAuth()
+
+    // then: saved under 'personal', not 'work'
+    const savedConfig = saveConfigSpy.mock.calls[0][0]
+    expect(savedConfig.accounts.personal).toBeDefined()
+    expect(savedConfig.accounts.personal.account_type).toBe('personal')
+    expect(savedConfig.accounts.personal.token).toBe('browser-token')
+    expect(savedConfig.accounts.work).toBeUndefined()
+  })
+
+  // Regression for #163: when a known-type desktop token and an unknown-type browser
+  // token are both extracted, the loop must not overwrite the desktop account's data.
+  it('does not overwrite existing account when a later token reclassifies to same type', async () => {
+    // given: desktop personal token and browser token that probes to personal
+    extractSpy.mockResolvedValue([
+      { token: 'desktop-personal-token', accountType: 'personal', accountTypeKnown: true },
+      { token: 'browser-token', accountType: 'work', accountTypeKnown: false },
+    ])
+
+    testAuthSpy
+      .mockResolvedValueOnce({ id: 'user-p', displayName: 'Desktop Personal' })
+      .mockRejectedValueOnce(new Error('HTTP 403'))
+      .mockResolvedValueOnce({ id: 'user-p', displayName: 'Browser Personal' })
+
+    listTeamsSpy.mockResolvedValueOnce([{ id: 'team-p', name: 'Personal' }])
+
+    // when
+    await ensureTeamsAuth()
+
+    // then: desktop token wins; browser token is skipped because personal already exists
+    const savedConfig = saveConfigSpy.mock.calls[0][0]
+    expect(savedConfig.accounts.personal.token).toBe('desktop-personal-token')
+    expect(savedConfig.accounts.work).toBeUndefined()
+  })
+
   it('re-extracts when token is empty string', async () => {
     // given
     loadConfigSpy.mockResolvedValue({

package/src/platforms/teams/ensure-auth.ts

@@ -3,7 +3,7 @@ import { warn } from '@/shared/utils/stderr'
 import { TeamsClient } from './client'
 import { TeamsCredentialManager } from './credential-manager'
 import { TeamsTokenExtractor } from './token-extractor'
-import type { TeamsAccount, TeamsConfig } from './types'
+import type { TeamsAccount, TeamsAccountType, TeamsConfig } from './types'
 
 export async function ensureTeamsAuth(): Promise<void> {
   try {
@@ -20,15 +20,14 @@ export async function ensureTeamsAuth(): Promise<void> {
       current_account: config?.current_account ?? null,
       accounts: { ...config?.accounts },
     }
+    const addedTypes = new Set<TeamsAccountType>()
 
-    for (const { token, accountType } of extracted) {
+    for (const { token, accountType: extractedType, accountTypeKnown } of extracted) {
       try {
-        const client = await new TeamsClient().login({
-          token,
-          accountType,
-          region: config?.accounts[accountType]?.region,
-        })
-        await client.testAuth()
+        const resolved = await resolveAccountType(token, extractedType, accountTypeKnown, config)
+        const { client, accountType } = resolved
+
+        if (addedTypes.has(accountType)) continue
 
         const teams = await client.listTeams()
         if (accountType !== 'personal' && teams.length === 0) continue
@@ -38,23 +37,24 @@ export async function ensureTeamsAuth(): Promise<void> {
           teamMap[team.id] = { team_id: team.id, team_name: team.name }
         }
 
-        const existing = newConfig.accounts[accountType]
+        const existing: TeamsAccount | undefined = newConfig.accounts[accountType]
         const account: TeamsAccount = {
           token,
           token_expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
           region: client.getRegion(),
           account_type: accountType,
           user_name: existing?.user_name,
-          current_team: existing?.current_team ?? teams[0].id,
+          current_team: existing?.current_team ?? teams[0]?.id ?? null,
           teams: teamMap,
         }
 
         newConfig.accounts[accountType] = account
+        addedTypes.add(accountType)
         if (!newConfig.current_account) {
           newConfig.current_account = accountType
         }
       } catch (error) {
-        warn(`[agent-teams] Skipping ${accountType} account: ${(error as Error).message}`)
+        warn(`[agent-teams] Skipping ${extractedType} account: ${(error as Error).message}`)
       }
     }
 
@@ -64,6 +64,34 @@ export async function ensureTeamsAuth(): Promise<void> {
   } catch {}
 }
 
+async function resolveAccountType(
+  token: string,
+  extractedType: TeamsAccountType,
+  accountTypeKnown: boolean,
+  config: TeamsConfig | null,
+): Promise<{ client: TeamsClient; accountType: TeamsAccountType }> {
+  const candidates: TeamsAccountType[] = [extractedType]
+  if (!accountTypeKnown) {
+    candidates.push(extractedType === 'work' ? 'personal' : 'work')
+  }
+
+  let lastError: Error | null = null
+  for (const candidate of candidates) {
+    try {
+      const client = await new TeamsClient().login({
+        token,
+        accountType: candidate,
+        region: config?.accounts[candidate]?.region,
+      })
+      await client.testAuth()
+      return { client, accountType: candidate }
+    } catch (error) {
+      lastError = error as Error
+    }
+  }
+  throw lastError ?? new Error('Token validation failed')
+}
+
 function hasValidToken(config: TeamsConfig): boolean {
   const key = TeamsCredentialManager.accountOverride ?? config.current_account
   if (!key) return false

package/src/platforms/teams/token-extractor.test.ts

@@ -30,15 +30,28 @@ describe('TeamsTokenExtractor', () => {
         'EBWebView',
       )
       expect(paths).toEqual([
-        { path: join(darwinEbWebView, 'WV2Profile_tfw', 'Cookies'), accountType: 'work' },
-        { path: join(darwinEbWebView, 'WV2Profile_tfw', 'Network', 'Cookies'), accountType: 'work' },
-        { path: join(darwinEbWebView, 'WV2Profile_tfl', 'Cookies'), accountType: 'personal' },
-        { path: join(darwinEbWebView, 'WV2Profile_tfl', 'Network', 'Cookies'), accountType: 'personal' },
-        { path: join(darwinEbWebView, 'Default', 'Cookies'), accountType: 'work' },
-        { path: join(darwinEbWebView, 'Default', 'Network', 'Cookies'), accountType: 'work' },
+        { path: join(darwinEbWebView, 'WV2Profile_tfw', 'Cookies'), accountType: 'work', accountTypeKnown: true },
+        {
+          path: join(darwinEbWebView, 'WV2Profile_tfw', 'Network', 'Cookies'),
+          accountType: 'work',
+          accountTypeKnown: true,
+        },
+        {
+          path: join(darwinEbWebView, 'WV2Profile_tfl', 'Cookies'),
+          accountType: 'personal',
+          accountTypeKnown: true,
+        },
+        {
+          path: join(darwinEbWebView, 'WV2Profile_tfl', 'Network', 'Cookies'),
+          accountType: 'personal',
+          accountTypeKnown: true,
+        },
+        { path: join(darwinEbWebView, 'Default', 'Cookies'), accountType: 'work', accountTypeKnown: false },
+        { path: join(darwinEbWebView, 'Default', 'Network', 'Cookies'), accountType: 'work', accountTypeKnown: false },
         {
           path: join(homedir(), 'Library', 'Application Support', 'Microsoft', 'Teams', 'Cookies'),
           accountType: 'work',
+          accountTypeKnown: false,
         },
       ])
     })
@@ -51,6 +64,7 @@ describe('TeamsTokenExtractor', () => {
         {
           path: join(homedir(), '.config', 'Microsoft', 'Microsoft Teams', 'Cookies'),
           accountType: 'work',
+          accountTypeKnown: false,
         },
       ])
     })
@@ -71,13 +85,21 @@ describe('TeamsTokenExtractor', () => {
         'EBWebView',
       )
       expect(paths).toEqual([
-        { path: join(winEbWebView, 'WV2Profile_tfw', 'Cookies'), accountType: 'work' },
-        { path: join(winEbWebView, 'WV2Profile_tfw', 'Network', 'Cookies'), accountType: 'work' },
-        { path: join(winEbWebView, 'WV2Profile_tfl', 'Cookies'), accountType: 'personal' },
-        { path: join(winEbWebView, 'WV2Profile_tfl', 'Network', 'Cookies'), accountType: 'personal' },
-        { path: join(winEbWebView, 'Default', 'Cookies'), accountType: 'work' },
-        { path: join(winEbWebView, 'Default', 'Network', 'Cookies'), accountType: 'work' },
-        { path: join(appdata, 'Microsoft', 'Teams', 'Cookies'), accountType: 'work' },
+        { path: join(winEbWebView, 'WV2Profile_tfw', 'Cookies'), accountType: 'work', accountTypeKnown: true },
+        {
+          path: join(winEbWebView, 'WV2Profile_tfw', 'Network', 'Cookies'),
+          accountType: 'work',
+          accountTypeKnown: true,
+        },
+        { path: join(winEbWebView, 'WV2Profile_tfl', 'Cookies'), accountType: 'personal', accountTypeKnown: true },
+        {
+          path: join(winEbWebView, 'WV2Profile_tfl', 'Network', 'Cookies'),
+          accountType: 'personal',
+          accountTypeKnown: true,
+        },
+        { path: join(winEbWebView, 'Default', 'Cookies'), accountType: 'work', accountTypeKnown: false },
+        { path: join(winEbWebView, 'Default', 'Network', 'Cookies'), accountType: 'work', accountTypeKnown: false },
+        { path: join(appdata, 'Microsoft', 'Teams', 'Cookies'), accountType: 'work', accountTypeKnown: false },
       ])
     })
 
@@ -96,10 +118,12 @@ describe('TeamsTokenExtractor', () => {
       expect(paths).toContainEqual({
         path: join(chromeBase, 'Default', 'Cookies'),
         accountType: 'work',
+        accountTypeKnown: false,
       })
       expect(paths).toContainEqual({
         path: join(chromeBase, 'Default', 'Network', 'Cookies'),
         accountType: 'work',
+        accountTypeKnown: false,
       })
     })
 
@@ -111,6 +135,7 @@ describe('TeamsTokenExtractor', () => {
       expect(paths).toContainEqual({
         path: join(chromeBase, 'Default', 'Cookies'),
         accountType: 'work',
+        accountTypeKnown: false,
       })
     })
 
@@ -123,6 +148,7 @@ describe('TeamsTokenExtractor', () => {
       expect(paths).toContainEqual({
         path: join(chromeBase, 'Default', 'Cookies'),
         accountType: 'work',
+        accountTypeKnown: false,
       })
     })
 
@@ -131,10 +157,14 @@ describe('TeamsTokenExtractor', () => {
       expect(unsupportedExtractor.getBrowserCookiesPaths()).toEqual([])
     })
 
-    it('all browser paths have accountType work', () => {
+    // Regression for #163: browser paths must not assert accountType confidently because
+    // Chromium profile paths don't encode work vs personal. Desktop WV2Profile_tfw/_tfl
+    // paths are authoritative; browsers must be probed at validation time.
+    it('browser paths have accountTypeKnown=false so they get probed at validation', () => {
       const darwinExtractor = new TeamsTokenExtractor('darwin')
       const paths = darwinExtractor.getBrowserCookiesPaths()
-      expect(paths.every((p) => p.accountType === 'work')).toBe(true)
+      expect(paths.length).toBeGreaterThan(0)
+      expect(paths.every((p) => p.accountTypeKnown === false)).toBe(true)
     })
   })
 
@@ -166,6 +196,7 @@ describe('TeamsTokenExtractor', () => {
         {
           path: join(homedir(), '.config', 'Microsoft', 'Microsoft Teams', 'Cookies'),
           accountType: 'work',
+          accountTypeKnown: false,
         },
       ])
       expect(paths.length).toBeGreaterThan(desktopPaths.length)
@@ -338,7 +369,7 @@ describe('TeamsTokenExtractor', () => {
 
       const linuxExtractor = new TeamsTokenExtractor('linux')
       const extractFromCookiesDBSpy = spyOn(linuxExtractor as any, 'extractFromCookiesDB').mockResolvedValue([
-        { token: mockToken, accountType: 'work' },
+        { token: mockToken, accountType: 'work', accountTypeKnown: true },
       ])
 
       const result = await linuxExtractor.extract()
@@ -382,8 +413,8 @@ describe('TeamsTokenExtractor', () => {
 
       const winExtractor = new TeamsTokenExtractor('win32')
       const getPathsSpy = spyOn(winExtractor, 'getTeamsCookiesPaths').mockReturnValue([
-        { path: cookiesPath, accountType: 'personal' },
-        { path: networkCookiesPath, accountType: 'personal' },
+        { path: cookiesPath, accountType: 'personal', accountTypeKnown: true },
+        { path: networkCookiesPath, accountType: 'personal', accountTypeKnown: true },
       ])
       const tried: string[] = []
       const copyAndExtractSpy = spyOn(winExtractor as any, 'copyAndExtract').mockImplementation(async (...args) => {
@@ -398,7 +429,7 @@ describe('TeamsTokenExtractor', () => {
       // then: the Cookies path was skipped (never passed to copyAndExtract),
       // the Network/Cookies sibling was tried, and the token was returned.
       expect(tried).toEqual([networkCookiesPath])
-      expect(results).toEqual([{ token: mockToken, accountType: 'personal' }])
+      expect(results).toEqual([{ token: mockToken, accountType: 'personal', accountTypeKnown: true }])
 
       getPathsSpy.mockRestore()
       copyAndExtractSpy.mockRestore()
@@ -419,8 +450,8 @@ describe('TeamsTokenExtractor', () => {
       const firstPath = join(workDir, 'WV2Profile_tfw', 'Cookies')
       const secondPath = join(workDir, 'Default', 'Network', 'Cookies')
       const getPathsSpy = spyOn(winExtractor, 'getTeamsCookiesPaths').mockReturnValue([
-        { path: firstPath, accountType: 'work' },
-        { path: secondPath, accountType: 'work' },
+        { path: firstPath, accountType: 'work', accountTypeKnown: true },
+        { path: secondPath, accountType: 'work', accountTypeKnown: true },
       ])
       mkdirSync(join(workDir, 'WV2Profile_tfw'), { recursive: true })
       mkdirSync(join(workDir, 'Default', 'Network'), { recursive: true })
@@ -436,7 +467,98 @@ describe('TeamsTokenExtractor', () => {
 
       // then: garbage was rejected, loop continued to the real token
       expect(copyAndExtractSpy).toHaveBeenCalledTimes(2)
-      expect(results).toEqual([{ token: realToken, accountType: 'work' }])
+      expect(results).toEqual([{ token: realToken, accountType: 'work', accountTypeKnown: true }])
+
+      getPathsSpy.mockRestore()
+      copyAndExtractSpy.mockRestore()
+      cleanup()
+    })
+
+    // Regression for #163: browser-sourced tokens carry accountTypeKnown=false so that
+    // the auth command can probe both endpoints. The extraction loop must preserve the
+    // flag and must not dedupe an unknown-type browser token by its guessed accountType.
+    it('propagates accountTypeKnown=false for browser-sourced tokens', async () => {
+      // given: a browser Cookies path returning a valid token, guessed as work
+      const browserPath = join(workDir, 'Chrome', 'Default', 'Cookies')
+      mkdirSync(join(workDir, 'Chrome', 'Default'), { recursive: true })
+      writeFileSync(browserPath, '')
+
+      const winExtractor = new TeamsTokenExtractor('win32')
+      const getPathsSpy = spyOn(winExtractor, 'getTeamsCookiesPaths').mockReturnValue([
+        { path: browserPath, accountType: 'work', accountTypeKnown: false },
+      ])
+      const copyAndExtractSpy = spyOn(winExtractor as any, 'copyAndExtract').mockResolvedValue(mockToken)
+
+      // when
+      const results = await (winExtractor as any).extractFromCookiesDB()
+
+      // then: the flag is passed through so callers can probe
+      expect(results).toEqual([{ token: mockToken, accountType: 'work', accountTypeKnown: false }])
+
+      getPathsSpy.mockRestore()
+      copyAndExtractSpy.mockRestore()
+      cleanup()
+    })
+
+    // Regression for #163: when a desktop path (known=true) for 'work' already succeeded,
+    // a subsequent browser path (known=false) guessed as 'work' must still be explored —
+    // it might be a personal account misguessed as work. The dedup only kicks in for
+    // confidently labeled paths.
+    it('does not skip unknown-type path just because a known-type same-label succeeded', async () => {
+      const desktopPath = join(workDir, 'WV2Profile_tfw', 'Network', 'Cookies')
+      const browserPath = join(workDir, 'Chrome', 'Default', 'Cookies')
+      mkdirSync(join(workDir, 'WV2Profile_tfw', 'Network'), { recursive: true })
+      mkdirSync(join(workDir, 'Chrome', 'Default'), { recursive: true })
+      writeFileSync(desktopPath, '')
+      writeFileSync(browserPath, '')
+
+      const desktopToken = mockToken
+      const browserToken = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJicm93c2VyIn0.different_signature_here_abc'
+
+      const winExtractor = new TeamsTokenExtractor('win32')
+      const getPathsSpy = spyOn(winExtractor, 'getTeamsCookiesPaths').mockReturnValue([
+        { path: desktopPath, accountType: 'work', accountTypeKnown: true },
+        { path: browserPath, accountType: 'work', accountTypeKnown: false },
+      ])
+      const copyAndExtractSpy = spyOn(winExtractor as any, 'copyAndExtract')
+        .mockResolvedValueOnce(desktopToken)
+        .mockResolvedValueOnce(browserToken)
+
+      // when
+      const results = await (winExtractor as any).extractFromCookiesDB()
+
+      // then: both tokens returned; browser token keeps accountTypeKnown=false for probing
+      expect(results).toEqual([
+        { token: desktopToken, accountType: 'work', accountTypeKnown: true },
+        { token: browserToken, accountType: 'work', accountTypeKnown: false },
+      ])
+
+      getPathsSpy.mockRestore()
+      copyAndExtractSpy.mockRestore()
+      cleanup()
+    })
+
+    it('dedupes identical tokens extracted from multiple paths', async () => {
+      const path1 = join(workDir, 'Chrome', 'Default', 'Cookies')
+      const path2 = join(workDir, 'Edge', 'Default', 'Cookies')
+      mkdirSync(join(workDir, 'Chrome', 'Default'), { recursive: true })
+      mkdirSync(join(workDir, 'Edge', 'Default'), { recursive: true })
+      writeFileSync(path1, '')
+      writeFileSync(path2, '')
+
+      const winExtractor = new TeamsTokenExtractor('win32')
+      const getPathsSpy = spyOn(winExtractor, 'getTeamsCookiesPaths').mockReturnValue([
+        { path: path1, accountType: 'work', accountTypeKnown: false },
+        { path: path2, accountType: 'work', accountTypeKnown: false },
+      ])
+      const copyAndExtractSpy = spyOn(winExtractor as any, 'copyAndExtract').mockResolvedValue(mockToken)
+
+      // when
+      const results = await (winExtractor as any).extractFromCookiesDB()
+
+      // then: only one result despite two paths returning the same token
+      expect(results).toHaveLength(1)
+      expect(results[0].token).toBe(mockToken)
 
       getPathsSpy.mockRestore()
       copyAndExtractSpy.mockRestore()
@@ -454,8 +576,8 @@ describe('TeamsTokenExtractor', () => {
 
       const winExtractor = new TeamsTokenExtractor('win32')
       const getPathsSpy = spyOn(winExtractor, 'getTeamsCookiesPaths').mockReturnValue([
-        { path: workCookies, accountType: 'work' },
-        { path: workNetworkCookies, accountType: 'work' },
+        { path: workCookies, accountType: 'work', accountTypeKnown: true },
+        { path: workNetworkCookies, accountType: 'work', accountTypeKnown: true },
       ])
       const copyAndExtractSpy = spyOn(winExtractor as any, 'copyAndExtract').mockResolvedValue(mockToken)