agent-messenger 2.24.0 → 2.24.1

package/skills/agent-webexbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-webexbot
 description: Interact with Cisco Webex using bot tokens - send messages, reply in threads, upload and download files, look up people, read spaces, manage memberships, stream real-time events
-version: 2.24.0
+version: 2.24.1
 allowed-tools: Bash(agent-webexbot:*)
 metadata:
   openclaw:

package/skills/agent-wechatbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-wechatbot
 description: Interact with WeChat Official Account using API credentials - send messages, manage templates, list followers
-version: 2.24.0
+version: 2.24.1
 allowed-tools: Bash(agent-wechatbot:*)
 metadata:
   openclaw:

package/skills/agent-whatsapp/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsapp
 description: Interact with WhatsApp - send messages, read chats, manage conversations
-version: 2.24.0
+version: 2.24.1
 allowed-tools: Bash(agent-whatsapp:*)
 metadata:
   openclaw:

package/skills/agent-whatsappbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsappbot
 description: Interact with WhatsApp using Cloud API credentials - send messages, manage templates
-version: 2.24.0
+version: 2.24.1
 allowed-tools: Bash(agent-whatsappbot:*)
 metadata:
   openclaw:

package/src/platforms/channeltalk/token-extractor.test.ts

@@ -457,8 +457,8 @@ async function createCookieDatabase(
 
   const { createRequire } = await import('node:module')
   const req = createRequire(import.meta.url)
-  const Database = req('better-sqlite3')
-  const db = new Database(dbPath)
+  const { DatabaseSync } = req('node:sqlite')
+  const db = new DatabaseSync(dbPath)
   db.exec('CREATE TABLE cookies (name TEXT, value TEXT, encrypted_value BLOB, host_key TEXT)')
   const statement = db.prepare('INSERT INTO cookies (name, value, encrypted_value, host_key) VALUES (?, ?, ?, ?)')
   for (const row of rows) {

package/src/platforms/kakaotalk/token-extractor.ts

@@ -1,12 +1,11 @@
 import { execSync } from 'node:child_process'
 import { copyFileSync, existsSync, readFileSync, rmSync } from 'node:fs'
-import { createRequire } from 'node:module'
 import { homedir, tmpdir } from 'node:os'
 import { join } from 'node:path'
 
-import type { ExtractedKakaoToken } from './types'
+import { openReadonlyDatabase } from '@/shared/sqlite'
 
-const require = createRequire(import.meta.url)
+import type { ExtractedKakaoToken } from './types'
 
 export class KakaoTokenExtractor {
   private platform: NodeJS.Platform
@@ -106,23 +105,12 @@ export class KakaoTokenExtractor {
       time_stamp: number
     }
 
+    const db = openReadonlyDatabase(dbPath)
     let rows: CacheRow[]
-    if (typeof globalThis.Bun !== 'undefined') {
-      const { Database } = require('bun:sqlite')
-      const db = new Database(dbPath, { readonly: true })
-      try {
-        rows = db.query(sql).all() as CacheRow[]
-      } finally {
-        db.close()
-      }
-    } else {
-      const Database = require('better-sqlite3')
-      const db = new Database(dbPath, { readonly: true })
-      try {
-        rows = db.prepare(sql).all() as CacheRow[]
-      } finally {
-        db.close()
-      }
+    try {
+      rows = db.prepare(sql).all() as CacheRow[]
+    } finally {
+      db.close()
     }
 
     this.debug(`Found ${rows.length} cached request(s) to kakao.com`)
@@ -166,24 +154,13 @@ export class KakaoTokenExtractor {
     `
 
     type CacheRow = { request_object: Uint8Array | Buffer | null; request_key: string }
-    let authRows: CacheRow[]
 
-    if (typeof globalThis.Bun !== 'undefined') {
-      const { Database } = require('bun:sqlite')
-      const db = new Database(dbPath, { readonly: true })
-      try {
-        authRows = db.query(sql).all() as CacheRow[]
-      } finally {
-        db.close()
-      }
-    } else {
-      const Database = require('better-sqlite3')
-      const db = new Database(dbPath, { readonly: true })
-      try {
-        authRows = db.prepare(sql).all() as CacheRow[]
-      } finally {
-        db.close()
-      }
+    const db = openReadonlyDatabase(dbPath)
+    let authRows: CacheRow[]
+    try {
+      authRows = db.prepare(sql).all() as CacheRow[]
+    } finally {
+      db.close()
     }
 
     for (const row of authRows) {

package/src/platforms/slack/commands/auth.ts

@@ -8,7 +8,8 @@ import { debug } from '@/shared/utils/stderr'
 
 import { SlackClient, SlackError } from '../client'
 import { CredentialManager } from '../credential-manager'
-import { refreshCookie, tryWebTokenRefresh } from '../ensure-auth'
+import { refreshCookie, refreshKnownWorkspaceDomains, tryWebTokenRefresh } from '../ensure-auth'
+import type { RefreshResult } from '../ensure-auth'
 import { loginWithQr } from '../qr-http-login'
 import { type ExtractedWorkspace, TokenExtractor } from '../token-extractor'
 
@@ -80,6 +81,8 @@ async function extractAction(options: {
 
     const validWorkspaces = []
     const failureReasons: string[] = []
+    const resolvedTeamIds = new Set<string>()
+    const refreshCache = new Map<string, RefreshResult | null>()
     for (const ws of workspaces) {
       if (options.debug) {
         debug(`[debug] Testing credentials for ${ws.workspace_id}...`)
@@ -88,10 +91,14 @@ async function extractAction(options: {
       try {
         const client = await new SlackClient().login({ token: ws.token, cookie: ws.cookie })
         const authInfo = await client.testAuth()
+        if (!authInfo.team_id) throw new SlackError('testAuth returned empty team_id', 'invalid_auth')
         ws.workspace_id = authInfo.team_id
         ws.workspace_name = authInfo.team || ws.workspace_name
-        validWorkspaces.push(ws)
-        await credManager.setWorkspace(ws)
+        if (!resolvedTeamIds.has(ws.workspace_id)) {
+          resolvedTeamIds.add(ws.workspace_id)
+          validWorkspaces.push(ws)
+          await credManager.setWorkspace(ws)
+        }
 
         if (options.debug) {
           debug(`[debug] ✓ Valid: ${authInfo.team} (${authInfo.user})`)
@@ -112,11 +119,12 @@ async function extractAction(options: {
             : `${ws.workspace_id} (trying all known domains)`
           debug(`[debug] Attempting web token refresh for ${target}...`)
         }
-        const refreshed = await tryWebTokenRefresh(ws, workspaceDomains)
-        if (refreshed) {
+        const refreshed = await tryWebTokenRefresh(ws, workspaceDomains, { resolvedTeamIds, refreshCache })
+        if (refreshed && !resolvedTeamIds.has(refreshed.workspace_id)) {
           ws.token = refreshed.token
           ws.workspace_id = refreshed.workspace_id
           ws.workspace_name = refreshed.workspace_name
+          resolvedTeamIds.add(ws.workspace_id)
           validWorkspaces.push(ws)
           await credManager.setWorkspace(ws)
 
@@ -129,6 +137,26 @@ async function extractAction(options: {
       }
     }
 
+    for (const cookie of new Set(workspaces.map((ws) => ws.cookie).filter(Boolean))) {
+      const enumerated = await refreshKnownWorkspaceDomains(cookie, workspaceDomains, {
+        resolvedTeamIds,
+        refreshCache,
+      })
+      for (const result of enumerated) {
+        const ws: ExtractedWorkspace = {
+          workspace_id: result.workspace_id,
+          workspace_name: result.workspace_name,
+          token: result.token,
+          cookie,
+        }
+        validWorkspaces.push(ws)
+        await credManager.setWorkspace(ws)
+        if (options.debug) {
+          debug(`[debug] ✓ Recovered via domain enumeration: ${result.workspace_id}/${result.workspace_name}`)
+        }
+      }
+    }
+
     if (validWorkspaces.length === 0) {
       const errorMessage = getExtractionErrorMessage(failureReasons)
       console.log(

package/src/platforms/slack/ensure-auth.test.ts

@@ -2,7 +2,7 @@ import { afterEach, beforeEach, describe, expect, spyOn, it } from 'bun:test'
 
 import { SlackClient } from './client'
 import { CredentialManager } from './credential-manager'
-import { ensureSlackAuth, refreshTokenFromWeb } from './ensure-auth'
+import { ensureSlackAuth, refreshKnownWorkspaceDomains, refreshTokenFromWeb, tryWebTokenRefresh } from './ensure-auth'
 import { TokenExtractor } from './token-extractor'
 
 let getWorkspaceSpy: ReturnType<typeof spyOn>
@@ -358,8 +358,8 @@ describe('ensureSlackAuth', () => {
     )
   })
 
-  it('stops trying domains once a refresh+verify succeeds', async () => {
-    // given — exact-match domain succeeds on first attempt; the fallback domain must not be fetched
+  it('enumerates all known domains to recover every authenticatable workspace', async () => {
+    // given — one stale extracted token, but the cookie is valid for two workspaces
     extractSpy.mockResolvedValue([
       { workspace_id: 'T_TARGET', workspace_name: 'target', token: 'xoxc-stale', cookie: 'xoxd-valid' },
     ])
@@ -368,21 +368,27 @@ describe('ensureSlackAuth', () => {
       T_OTHER: 'other-domain',
     })
 
-    fetchSpy.mockResolvedValue(new Response('<html>"api_token":"xoxc-fresh"</html>', { status: 200 }))
+    fetchSpy.mockImplementation((url: string) => {
+      if (url.startsWith('https://target-domain.slack.com/')) {
+        return Promise.resolve(new Response('<html>"api_token":"xoxc-fresh-target"</html>', { status: 200 }))
+      }
+      if (url.startsWith('https://other-domain.slack.com/')) {
+        return Promise.resolve(new Response('<html>"api_token":"xoxc-fresh-other"</html>', { status: 200 }))
+      }
+      return Promise.resolve(new Response('', { status: 500 }))
+    })
 
     authResponseByToken({
-      'xoxc-fresh': { team_id: 'T_TARGET', team: 'Target' },
+      'xoxc-fresh-target': { team_id: 'T_TARGET', team: 'Target' },
+      'xoxc-fresh-other': { team_id: 'T_OTHER', team: 'Other' },
     })
 
     // when
     await ensureSlackAuth()
 
-    // then — the exact-match domain is tried, fallback domain is not
-    expect(fetchSpy).toHaveBeenCalledWith(
-      'https://target-domain.slack.com/ssb/redirect',
-      expect.objectContaining({ headers: { Cookie: 'd=xoxd-valid' } }),
-    )
-    expect(fetchSpy).not.toHaveBeenCalledWith('https://other-domain.slack.com/ssb/redirect', expect.anything())
+    // then — both workspaces are recovered from the single cookie, each saved once
+    const savedIds = setWorkspaceSpy.mock.calls.map((c) => (c[0] as { workspace_id: string }).workspace_id)
+    expect(savedIds.sort()).toEqual(['T_OTHER', 'T_TARGET'])
   })
 
   it('returns failure when no known domain validates the cookie', async () => {
@@ -496,26 +502,131 @@ describe('ensureSlackAuth', () => {
     expect(refreshCalls.length).toBe(2)
   })
 
-  it('caps domain attempts at MAX_DOMAIN_ATTEMPTS', async () => {
-    // given — 20 candidate domains; only the first 16 should be attempted
-    extractSpy.mockResolvedValue([
-      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-stale', cookie: 'xoxd-valid' },
-    ])
+  it('caps single-candidate fallback at MAX_DOMAIN_ATTEMPTS', async () => {
+    // given — 20 candidate domains; the per-token fallback only probes the first 16
     const manyDomains: Record<string, string> = {}
     for (let i = 0; i < 20; i++) manyDomains[`T_${i}`] = `dom${i}`
-    getWorkspaceDomainsSpy.mockReturnValue(manyDomains)
-
     fetchSpy.mockResolvedValue(new Response('', { status: 500 }))
     testAuthSpy.mockRejectedValue(new Error('invalid_auth'))
 
     // when
-    await ensureSlackAuth()
+    await tryWebTokenRefresh(
+      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-stale', cookie: 'xoxd-valid' },
+      manyDomains,
+    )
 
     // then — exactly 16 refresh attempts
     const refreshCalls = fetchSpy.mock.calls.filter((c) => String(c[0]).includes('/ssb/redirect'))
     expect(refreshCalls.length).toBe(16)
   })
 
+  it('enumerates ALL known domains without the MAX_DOMAIN_ATTEMPTS cap', async () => {
+    // given — 20 candidate domains; enumeration must probe every one
+    const manyDomains: Record<string, string> = {}
+    for (let i = 0; i < 20; i++) manyDomains[`T_${i}`] = `dom${i}`
+    fetchSpy.mockResolvedValue(new Response('', { status: 500 }))
+    testAuthSpy.mockRejectedValue(new Error('invalid_auth'))
+
+    // when
+    await refreshKnownWorkspaceDomains('xoxd-valid', manyDomains)
+
+    // then — all 20 domains attempted
+    const refreshCalls = fetchSpy.mock.calls.filter((c) => String(c[0]).includes('/ssb/redirect'))
+    expect(refreshCalls.length).toBe(20)
+  })
+
+  it('dedupes by verified team_id even when no context is supplied', async () => {
+    // given — two domains whose cookie verifies to the same team_id, called without a context set
+    getWorkspaceDomainsSpy.mockReturnValue({})
+    fetchSpy.mockImplementation((url: string) => {
+      if (url.startsWith('https://primary.slack.com/')) {
+        return Promise.resolve(new Response('<html>"api_token":"xoxc-fresh-primary"</html>', { status: 200 }))
+      }
+      if (url.startsWith('https://alias.slack.com/')) {
+        return Promise.resolve(new Response('<html>"api_token":"xoxc-fresh-alias"</html>', { status: 200 }))
+      }
+      return Promise.resolve(new Response('', { status: 500 }))
+    })
+    authResponseByToken({
+      'xoxc-fresh-primary': { team_id: 'T_SAME', team: 'Same' },
+      'xoxc-fresh-alias': { team_id: 'T_SAME', team: 'Same' },
+    })
+
+    // when
+    const results = await refreshKnownWorkspaceDomains('xoxd-valid', { T_A: 'primary', T_B: 'alias' })
+
+    // then — the duplicate team is returned only once
+    expect(results.map((r) => r.workspace_id)).toEqual(['T_SAME'])
+  })
+
+  it('recovers all workspaces from one cookie when only one token is extracted', async () => {
+    // given — extractor yields one token deduped into two entries (one with a team id, one unknown),
+    // both sharing a single cookie that is valid for five workspaces
+    extractSpy.mockResolvedValue([
+      { workspace_id: 'T1', workspace_name: 'unknown', token: 'xoxc-shared', cookie: 'xoxd-valid' },
+      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-shared', cookie: 'xoxd-valid' },
+    ])
+    getWorkspaceDomainsSpy.mockReturnValue({
+      T1: 'one',
+      T2: 'two',
+      T3: 'three',
+      T4: 'four',
+      T5: 'five',
+    })
+
+    const domainToToken: Record<string, string> = {
+      one: 'xoxc-fresh-1',
+      two: 'xoxc-fresh-2',
+      three: 'xoxc-fresh-3',
+      four: 'xoxc-fresh-4',
+      five: 'xoxc-fresh-5',
+    }
+    fetchSpy.mockImplementation((url: string) => {
+      const domain = String(url).match(/https:\/\/([^.]+)\.slack\.com/)?.[1] ?? ''
+      const token = domainToToken[domain]
+      return Promise.resolve(
+        token
+          ? new Response(`<html>"api_token":"${token}"</html>`, { status: 200 })
+          : new Response('', { status: 500 }),
+      )
+    })
+    authResponseByToken({
+      'xoxc-shared': new Error('invalid_auth'),
+      'xoxc-fresh-1': { team_id: 'T1', team: 'one' },
+      'xoxc-fresh-2': { team_id: 'T2', team: 'two' },
+      'xoxc-fresh-3': { team_id: 'T3', team: 'three' },
+      'xoxc-fresh-4': { team_id: 'T4', team: 'four' },
+      'xoxc-fresh-5': { team_id: 'T5', team: 'five' },
+    })
+
+    // when
+    await ensureSlackAuth()
+
+    // then — all five teams recovered, each saved exactly once
+    const savedIds = setWorkspaceSpy.mock.calls.map((c) => (c[0] as { workspace_id: string }).workspace_id)
+    expect(savedIds.sort()).toEqual(['T1', 'T2', 'T3', 'T4', 'T5'])
+  })
+
+  it('keeps a valid extracted token without overwriting it via enumeration', async () => {
+    // given — a single extracted token that authenticates directly
+    extractSpy.mockResolvedValue([
+      { workspace_id: 'T1', workspace_name: 'ws1', token: 'xoxc-good', cookie: 'xoxd-valid' },
+    ])
+    getWorkspaceDomainsSpy.mockReturnValue({ T1: 'one' })
+    authResponseByToken({
+      'xoxc-good': { team_id: 'T1', team: 'ws1' },
+      'xoxc-fresh-1': { team_id: 'T1', team: 'ws1' },
+    })
+    fetchSpy.mockResolvedValue(new Response('<html>"api_token":"xoxc-fresh-1"</html>', { status: 200 }))
+
+    // when
+    await ensureSlackAuth()
+
+    // then — saved once with the original valid token, not the web-refreshed one
+    expect(setWorkspaceSpy).toHaveBeenCalledTimes(1)
+    expect(setWorkspaceSpy).toHaveBeenCalledWith(expect.objectContaining({ workspace_id: 'T1', token: 'xoxc-good' }))
+  })
+
   it('skips web refresh when workspace has no cookie', async () => {
     // given — cookie is empty
     extractSpy.mockResolvedValue([

package/src/platforms/slack/ensure-auth.ts

@@ -50,6 +50,23 @@ export async function ensureSlackAuth(): Promise<void> {
       }
     }
 
+    for (const cookie of new Set(workspaces.map((ws) => ws.cookie).filter(Boolean))) {
+      const enumerated = await refreshKnownWorkspaceDomains(cookie, workspaceDomains, {
+        resolvedTeamIds,
+        refreshCache,
+      })
+      for (const result of enumerated) {
+        const ws: ExtractedWorkspace = {
+          workspace_id: result.workspace_id,
+          workspace_name: result.workspace_name,
+          token: result.token,
+          cookie,
+        }
+        await credManager.setWorkspace(ws)
+        validWorkspaces.push(ws)
+      }
+    }
+
     const config = await credManager.load()
     if (!config.current_workspace && validWorkspaces.length > 0) {
       await credManager.setCurrentWorkspace(validWorkspaces[0].workspace_id)
@@ -78,6 +95,40 @@ export type RefreshContext = {
   refreshCache?: Map<string, RefreshResult | null>
 }
 
+// A single valid Slack `d` cookie can authenticate every workspace the user is signed into.
+// Given the workspace->domain map from root-state.json, enumerate ALL known domains via web
+// refresh so that workspaces without their own extracted xoxc token are still recovered. The
+// number of recoverable workspaces must not be bounded by the number of extracted token blobs.
+export async function refreshKnownWorkspaceDomains(
+  cookie: string,
+  workspaceDomains: Record<string, string>,
+  context: RefreshContext = {},
+): Promise<RefreshResult[]> {
+  if (!cookie) return []
+
+  const resolvedTeamIds = context.resolvedTeamIds ?? new Set<string>()
+  const results: RefreshResult[] = []
+  for (const domain of Object.values(workspaceDomains)) {
+    if (!SLACK_DOMAIN_REGEX.test(domain)) continue
+
+    const cacheKey = `${cookie}\u0000${domain}`
+    let result: RefreshResult | null
+    const cached = context.refreshCache?.get(cacheKey)
+    if (cached !== undefined) {
+      result = cached
+    } else {
+      result = await refreshAndVerify(cookie, domain, domain)
+      context.refreshCache?.set(cacheKey, result)
+    }
+
+    if (!result) continue
+    if (resolvedTeamIds.has(result.workspace_id)) continue
+    resolvedTeamIds.add(result.workspace_id)
+    results.push(result)
+  }
+  return results
+}
+
 export async function tryWebTokenRefresh(
   ws: ExtractedWorkspace,
   workspaceDomains: Record<string, string>,

package/src/platforms/slack/token-extractor-node-test.ts

@@ -1,11 +1,13 @@
 import { mkdirSync, mkdtempSync, rmSync } from 'node:fs'
+import { createRequire } from 'node:module'
 import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 
-import Database from 'better-sqlite3'
-
 import { TokenExtractor } from './token-extractor'
 
+const require = createRequire(import.meta.url)
+const { DatabaseSync } = require('node:sqlite')
+
 const tempDir = mkdtempSync(join(tmpdir(), 'token-extractor-test-'))
 const slackDir = join(tempDir, 'Slack')
 mkdirSync(slackDir)
@@ -13,7 +15,7 @@ mkdirSync(slackDir)
 const dbPath = join(slackDir, 'Cookies')
 
 try {
-  const db = new Database(dbPath)
+  const db = new DatabaseSync(dbPath)
   db.exec(`
     CREATE TABLE cookies (
       name TEXT,

package/src/platforms/slack/token-extractor.ts

@@ -1,7 +1,6 @@
 import { execSync } from 'node:child_process'
 import { createDecipheriv, pbkdf2Sync } from 'node:crypto'
 import { copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, rmSync, statSync } from 'node:fs'
-import { createRequire } from 'node:module'
 import { homedir, tmpdir } from 'node:os'
 import { join } from 'node:path'
 
@@ -16,11 +15,10 @@ import {
   getBrowserBasePath,
   getAgentBrowserProfileDirs,
 } from '@/shared/chromium'
+import { openReadonlyDatabase } from '@/shared/sqlite'
 import { DerivedKeyCache } from '@/shared/utils/derived-key-cache'
 import { lookupLinuxKeyringPassword } from '@/shared/utils/linux-keyring'
 
-const require = createRequire(import.meta.url)
-
 export interface ExtractedWorkspace {
   workspace_id: string
   workspace_name: string
@@ -872,16 +870,11 @@ export class TokenExtractor {
         encrypted_value?: Uint8Array | Buffer
       } | null
 
+      const db = openReadonlyDatabase(tempDbPath)
       let row: CookieRow
-      if (typeof globalThis.Bun !== 'undefined') {
-        const { Database } = require('bun:sqlite')
-        const db = new Database(tempDbPath, { readonly: true })
-        row = db.query(sql).get() as CookieRow
-        db.close()
-      } else {
-        const Database = require('better-sqlite3')
-        const db = new Database(tempDbPath, { readonly: true })
+      try {
         row = db.prepare(sql).get() as CookieRow
+      } finally {
         db.close()
       }
 

package/src/shared/chromium/cookie-reader-node-test.ts

@@ -0,0 +1,70 @@
+import { mkdtempSync, rmSync } from 'node:fs'
+import { createRequire } from 'node:module'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+
+import { ChromiumCookieReader } from '@/shared/chromium'
+
+const require = createRequire(import.meta.url)
+const { DatabaseSync } = require('node:sqlite')
+
+function fail(message: string): never {
+  console.error(message)
+  process.exit(1)
+}
+
+const tempDir = mkdtempSync(join(tmpdir(), 'cookie-reader-node-test-'))
+const dbPath = join(tempDir, 'Cookies')
+
+try {
+  const db = new DatabaseSync(dbPath)
+  db.exec('CREATE TABLE cookies (name TEXT, value TEXT, encrypted_value BLOB, host_key TEXT, last_access_utc INTEGER)')
+  const insert = db.prepare(
+    'INSERT INTO cookies (name, value, encrypted_value, host_key, last_access_utc) VALUES (?, ?, ?, ?, ?)',
+  )
+  // Chromium *_utc columns are microseconds since 1601; real values exceed
+  // Number.MAX_SAFE_INTEGER, which node:sqlite throws on when SELECTed.
+  insert.run('d', 'xoxd-newer', null, '.slack.com', 13380000000000200n)
+  insert.run('d', 'xoxd-older', null, '.slack.com', 13380000000000100n)
+  insert.run('other', 'ignored', null, '.example.com', 13380000000000300n)
+  insert.run('enc', '', Buffer.from('v10-secret-bytes'), '.slack.com', 13380000000000100n)
+  db.close()
+
+  if (typeof (globalThis as { Bun?: unknown }).Bun !== 'undefined') {
+    fail('Expected Node.js runtime (node:sqlite), but Bun was detected')
+  }
+
+  const reader = new ChromiumCookieReader()
+
+  const first = await reader.queryFirst<{ value: string }>(
+    dbPath,
+    "SELECT value FROM cookies WHERE name = 'd' AND host_key LIKE ? ORDER BY last_access_utc DESC LIMIT 1",
+    ['%slack.com%'],
+  )
+  if (first?.value !== 'xoxd-newer') fail(`queryFirst expected xoxd-newer, got ${String(first?.value)}`)
+
+  const all = await reader.queryAll<{ value: string }>(
+    dbPath,
+    "SELECT value FROM cookies WHERE name = 'd' ORDER BY last_access_utc DESC",
+  )
+  if (all.length !== 2) fail(`queryAll expected 2 rows, got ${all.length}`)
+  if (all[0]?.value !== 'xoxd-newer') fail('queryAll expected newest-first ordering')
+
+  const none = await reader.queryFirst(dbPath, "SELECT value FROM cookies WHERE host_key = 'no.match'")
+  if (none !== null) fail(`no-row queryFirst expected null, got ${String(none)}`)
+
+  // node:sqlite returns BLOBs as Uint8Array (not Buffer); Buffer.from must
+  // preserve the bytes so cookie decryption keeps working
+  const encrypted = await reader.queryFirst<{ encrypted_value?: Uint8Array }>(
+    dbPath,
+    "SELECT encrypted_value FROM cookies WHERE name = 'enc' LIMIT 1",
+  )
+  if (!(encrypted?.encrypted_value instanceof Uint8Array)) fail('encrypted_value expected Uint8Array')
+  if (Buffer.from(encrypted.encrypted_value).toString('utf8') !== 'v10-secret-bytes') {
+    fail('Buffer.from(BLOB) did not round-trip the original bytes')
+  }
+
+  console.log('ok')
+} finally {
+  rmSync(tempDir, { recursive: true })
+}

package/src/shared/chromium/cookie-reader-node.test.ts

@@ -0,0 +1,10 @@
+import { expect, it } from 'bun:test'
+import { execSync } from 'node:child_process'
+
+it('ChromiumCookieReader works in Node.js (node:sqlite)', () => {
+  const result = execSync('bun tsx src/shared/chromium/cookie-reader-node-test.ts', {
+    cwd: process.cwd(),
+    encoding: 'utf-8',
+  })
+  expect(result.trim()).toBe('ok')
+})

package/src/shared/chromium/cookie-reader.ts

@@ -1,9 +1,8 @@
 import { copyFileSync, existsSync, rmSync } from 'node:fs'
-import { createRequire } from 'node:module'
 import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 
-const require = createRequire(import.meta.url)
+import { openReadonlyDatabase } from '@/shared/sqlite'
 
 /**
  * Reads Chromium SQLite cookie databases with Bun/Node dual-runtime support.
@@ -70,24 +69,7 @@ export class ChromiumCookieReader {
     params: unknown[] | undefined,
     mode: 'all' | 'first',
   ): T[] | T | null {
-    if (typeof globalThis.Bun !== 'undefined') {
-      const { Database } = require('bun:sqlite')
-      const db = new Database(tempPath, { readonly: true })
-
-      try {
-        const stmt = db.query(sql)
-        if (mode === 'all') {
-          return (params ? stmt.all(...params) : stmt.all()) as T[]
-        }
-
-        return (params ? stmt.get(...params) : stmt.get()) as T | null
-      } finally {
-        db.close()
-      }
-    }
-
-    const Database = require('better-sqlite3')
-    const db = new Database(tempPath, { readonly: true })
+    const db = openReadonlyDatabase(tempPath)
 
     try {
       const stmt = db.prepare(sql)
@@ -95,7 +77,8 @@ export class ChromiumCookieReader {
         return (params ? stmt.all(...params) : stmt.all()) as T[]
       }
 
-      return (params ? stmt.get(...params) : stmt.get()) as T | null
+      const row = params ? stmt.get(...params) : stmt.get()
+      return (row ?? null) as T | null
     } finally {
       db.close()
     }