feat: v0.3 — refresh against live X, add browser cookie auto-import

Live testing against a real logged-in x.com session (via Chrome MCP)
surfaced four breaking changes vs v0.2 and one major DX gap. All five
fixed in this commit.

## Live API rotation (v0.2 was stale)

Every GraphQL query ID rotated, the response shape moved fields out of
`legacy` into a new `core` block, the timeline path lost its `_v2`
suffix, and the legacy `verify_credentials.json` REST endpoint is now a
404. Refreshed `endpoints.yaml` with the live IDs captured from the
April 2026 web client and made the parsers defensive across both shapes.

endpoints.yaml — query IDs captured from the live web client:
  UserByScreenName  IGgvgiOx4QZndDHuD3x9TQ  (was NimuplG1OB7Fd2btCLdBOw)
  UserByRestId      VQfQ9wwYdk6j_u2O4vt64Q  (was tD8zKvQzwY3kdx5yz6YmOw)
  UserTweets        x3B_xLqC0yZawOB7WQhaVQ  (was QWF3SzpHmykQHsQMixG0cg)
  TweetDetail       rU08O-YiXdr0IZfE7qaUMg  (was U0HTv-bAWTBYylwEMT7x5A)
  SearchTimeline    pCd62NDD9dlCDgEGgEVHMg  (was flaR-PUMshxFWZWPNpq4zA)
  Following         vWCjN9gcTJiXzzMPR5Oxzw  (was 2vUj-_Ek-UmBVDNtd8OnQA)
  BlueVerifiedFollowers  wlnE16ojgADYiHEqMzR3sw  (new: separate op)

  + refreshed features blob with the modern keys
    (hidden_profile_subscriptions_enabled, profile_label_improvements_*,
    responsive_web_grok_*, premium_content_api_read_enabled, ...)
  + variables: UserByScreenName now wants withGrokTranslatedBio instead
    of withSafetyModeUserFields; UserTweets dropped withV2Timeline

api/extract.go — defensive projection helpers
  firstString / firstInt / firstBool walk a list of paths and return
  the first non-empty match. Used everywhere a field has migrated
  between `core/*` and `legacy/*`. splitPath helper for slash-delimited
  paths.

api/profile.go — extractProfile now reads
  core/screen_name → legacy/screen_name
  core/name → legacy/name
  core/created_at → legacy/created_at
  avatar/image_url → legacy/profile_image_url_https
  privacy/protected → legacy/protected
  Plus a new GetProfileByID(userId) for the auth liveness check.

api/tweets.go — ParseTweet author projection same defensive shape.
  scrapeUserTimeline now tries data.user.result.timeline.timeline
  first, falls back to timeline_v2.timeline. Variable maps stripped
  of withV2Timeline.

api/relationships.go — ParseUserSummary same defensive shape, avatar
  bumped from _normal to _400x400 only when it points at the legacy
  URL pattern.

api/auth.go — VerifyCredentials no longer hits the dead
  /1.1/account/verify_credentials.json. Parses the user id out of the
  `twid` cookie (u%3D<id>), calls UserByRestId, returns the live user
  identity. Falls back to a UserByScreenName "twitter" probe when twid
  is missing. New parseTwidUserID + normaliseAuthError helpers.

## Browser cookie auto-import (the DX gap)

Until this commit, `x auth import` required a manual paste from
DevTools. This is exactly what Python's `browser_cookie3` and `rookiepy`
solve by reading the browser's cookie SQLite store directly from disk
and decrypting the values with the OS-specific Safe Storage key. Go has
the same primitive — `github.com/browserutils/kooky` — and now x-cli
uses it.

internal/browsercookies/ — wraps kooky in a small typed API:
  Load(ctx, browser, domain) → (*Result, error)
  FormatCookieHeader(cookies, wanted) → string
  Supports chrome | firefox | brave | edge | chromium

cmd/auth.go — three import modes:
  x auth import --from-browser chrome   # auto-decrypt from disk
  x auth import --cookie '...'          # one-shot for scripted setups
  x auth import                         # interactive paste (default)

Storage path is unchanged — keychain primary, AES-GCM file fallback,
never plaintext. The new modes are read paths, not write paths.

Per-OS notes (also in skills/x-cli/references/auth.md):
  - macOS Chrome: must be CLOSED (cookie file is locked while running).
    First run prompts for Keychain access to read the Safe Storage AES
    key. macOS Firefox: works while running.
  - Linux Chrome: needs libsecret or kwallet running, falls back to a
    hardcoded `peanuts` salt on truly headless hosts.
  - Windows: DPAPI; works while the browser is running.

## Live regression fixtures

api/testdata/userbyscreenname_jack_2026_04.json
api/testdata/usertweets_jack_2026_04.json
  Captured from the real x.com response on 2026-04-13 via Chrome MCP.
  Two new tests run the parser against them:
    TestExtractProfileLiveJackFixture
    TestParseLiveUserTweetsFixture
  These catch the next rotation early — if any field migrates again
  the test breaks with a precise error pointing at which path is dead.

## Misc

cmd/doctor.go — printf-vet fixes (Warn/Success now use %s for the
egress line so `go vet` on Go 1.24 stays clean).

.github/workflows/ci.yml — Go bumped from 1.23 to 1.24 (kooky's go.mod
requires it).

skills/x-cli/SKILL.md and references/auth.md updated with the new
flags and the modern auth flow. README updated to lead with
--from-browser. docs/comparison-xactions.md — no change needed (the
comparison was about XActions vs x-cli, which still holds).

## Tests

70+ tests, race-clean, api/ 70.9% coverage, internal/store/ 62.8%,
internal/browsercookies/ ~50% (the rest needs real browser cookie
files; FormatCookieHeader and the no-browsers error path are tested).

Author: lroolle

.github/workflows/ci.yml

@@ -26,7 +26,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.23'
+          go-version: '1.24'
           cache: true
 
       - name: Module tidy check
@@ -71,7 +71,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.23'
+          go-version: '1.24'
           cache: true
 
       - name: Build ${{ matrix.goos }}/${{ matrix.goarch }}

README.md

@@ -41,14 +41,42 @@ make build
 
 ## Auth
 
-Log into x.com in your real browser, DevTools → Application → Cookies, copy
+Three ways to import the session:
+
+**1. Auto from a local browser (recommended)**
+
+```
+x auth import --from-browser chrome
+x auth import --from-browser firefox
+x auth import --from-browser brave
+x auth import --from-browser edge
+```
+
+x-cli reads the browser's cookie SQLite store on disk and decrypts
+the values using the per-OS Safe Storage key (macOS Keychain on Mac,
+libsecret/kwallet on Linux, DPAPI on Windows). Same mechanism Python's
+`browser_cookie3` and `rookiepy` use. Chrome must be **closed** on macOS
+because it locks the cookie file; Firefox and Linux Chrome usually work
+while open. macOS will prompt once for Keychain access on the first run.
+
+**2. Manual paste**
+
+Open x.com in your real browser, DevTools → Application → Cookies, copy
 `auth_token` and `ct0`, then:
 
 ```
 x auth import
 # paste: auth_token=...; ct0=...; twid=u%3D...
 ```
 
+**3. Scripted (CI / setup scripts)**
+
+```
+x auth import --cookie 'auth_token=...; ct0=...; twid=u%3D...'
+```
+
+(Visible in shell history — prefer `--from-browser` for normal use.)
+
 **Where the cookie lives.** x-cli tries the OS keychain first (`go-keyring`:
 Keychain on macOS, libsecret on Linux, Credential Manager on Windows). If the
 keychain is unavailable — headless boxes, containers, CI, Linux without a

api/auth.go

@@ -2,8 +2,7 @@ package api
 
 import (
 	"context"
-	"encoding/json"
-	"net/http"
+	"net/url"
 	"strings"
 )
 
@@ -60,32 +59,89 @@ func RequireAuthCookies(cookies map[string]string) error {
 	return nil
 }
 
-// VerifyCredentials hits /1.1/account/verify_credentials.json and returns the
-// user if the session is alive, or an AuthError otherwise.
+// VerifyCredentials confirms the imported session is alive and returns
+// the logged-in user.
+//
+// X removed the legacy /1.1/account/verify_credentials.json endpoint
+// (returns 404 as of April 2026). x-cli reads the `twid` cookie that
+// the user pasted, parses the numeric user id out of it, and calls
+// UserByRestId to confirm the session is alive AND fetch identity in
+// one round trip. Falls back to a UserByScreenName "twitter" probe if
+// `twid` is missing — that's the cheapest "is this cookie usable at
+// all" sanity check we have without it.
 func (c *Client) VerifyCredentials(ctx context.Context) (*User, error) {
-	url := c.endpoints.Bases.REST + "/1.1/account/verify_credentials.json"
-	resp, err := c.request(ctx, "GET", url, nil, requestOpts{authenticated: true, endpointName: "verifyCredentials"})
-	if err != nil {
-		return nil, err
+	c.sessionMu.RLock()
+	cookies := c.session.Cookies
+	twidRaw := ""
+	if cookies != nil {
+		twidRaw = cookies["twid"]
+	}
+	c.sessionMu.RUnlock()
+
+	if userID := parseTwidUserID(twidRaw); userID != "" {
+		p, err := c.GetProfileByID(ctx, userID)
+		if err != nil {
+			return nil, normaliseAuthError(err)
+		}
+		u := &User{
+			ID:       p.RestID,
+			Username: p.ScreenName,
+			Name:     p.Name,
+		}
+		c.sessionMu.Lock()
+		c.session.User = u
+		c.sessionMu.Unlock()
+		return u, nil
+	}
+
+	// No twid: probe with a known account so we still detect a dead
+	// cookie, but we cannot return identity in this branch.
+	if _, err := c.GetProfile(ctx, "twitter"); err != nil {
+		return nil, normaliseAuthError(err)
 	}
-	defer resp.Body.Close()
+	return nil, &AuthError{Msg: "session is alive but `twid` cookie missing — re-import a complete cookie string"}
+}
 
-	if resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden {
-		return nil, &AuthError{Msg: "session invalid or expired", Status: resp.StatusCode}
+// parseTwidUserID extracts the numeric user ID from a `twid` cookie value.
+// Twitter encodes it as `u%3D<NNN>` (URL-encoded `u=NNN`).
+//
+// Examples:
+//
+//	"u%3D2017830703355072513" → "2017830703355072513"
+//	"u=2017830703355072513"   → "2017830703355072513"
+//	""                        → ""
+func parseTwidUserID(raw string) string {
+	if raw == "" {
+		return ""
+	}
+	decoded, err := url.QueryUnescape(raw)
+	if err != nil {
+		decoded = raw
+	}
+	if !strings.HasPrefix(decoded, "u=") {
+		return ""
 	}
-	if resp.StatusCode >= 400 {
-		return nil, &APIError{Endpoint: "verifyCredentials", Status: resp.StatusCode}
+	id := decoded[2:]
+	for _, r := range id {
+		if r < '0' || r > '9' {
+			return ""
+		}
 	}
+	return id
+}
 
-	var u User
-	if err := json.NewDecoder(resp.Body).Decode(&u); err != nil {
-		return nil, err
+// normaliseAuthError maps domain errors to AuthError when the underlying
+// failure looks like a session problem. NotFoundError on a self-lookup
+// almost always means the session id is no longer valid.
+func normaliseAuthError(err error) error {
+	if err == nil {
+		return nil
 	}
-	if u.ID == "" {
-		return nil, &AuthError{Msg: "verify_credentials returned empty user"}
+	switch e := err.(type) {
+	case *AuthError:
+		return e
+	case *NotFoundError:
+		return &AuthError{Msg: "session invalid or expired (self-lookup not found)"}
 	}
-	c.sessionMu.Lock()
-	c.session.User = &u
-	c.sessionMu.Unlock()
-	return &u, nil
+	return err
 }

api/client_test.go

@@ -329,16 +329,21 @@ func TestRateLimit429WithReset(t *testing.T) {
 }
 
 func TestVerifyCredentialsSuccess(t *testing.T) {
+	// Modern path: VerifyCredentials reads the `twid` cookie, parses
+	// the user ID, and calls UserByRestId. The fake server responds
+	// with a modern-shape user (core.screen_name + core.name).
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.URL.Path != "/1.1/account/verify_credentials.json" {
-			t.Errorf("path = %q", r.URL.Path)
+		if !strings.Contains(r.URL.Path, "/uid_qid/UserByRestId") {
+			t.Errorf("unexpected path %q", r.URL.Path)
 		}
 		w.Header().Set("Content-Type", "application/json")
-		_, _ = w.Write([]byte(`{"id_str":"123","screen_name":"jack","name":"Jack Dorsey"}`))
+		_, _ = w.Write([]byte(`{"data":{"user":{"result":{"__typename":"User","rest_id":"123","is_blue_verified":true,"core":{"screen_name":"jack","name":"Jack Dorsey","created_at":"Tue Mar 21 20:50:14 +0000 2006"},"legacy":{"description":"hi","followers_count":7000000}}}}}`))
 	}))
 	defer srv.Close()
 
-	c := newTestClient(t, srv.URL, nil, map[string]string{"auth_token": "x", "ct0": "y"})
+	c := newTestClient(t, srv.URL, map[string]GraphQLEndpoint{
+		"UserByRestId": {QueryID: "uid_qid", OperationName: "UserByRestId", Kind: "read", RPS: 100, Burst: 10},
+	}, map[string]string{"auth_token": "x", "ct0": "y", "twid": "u%3D123"})
 
 	u, err := c.VerifyCredentials(context.Background())
 	if err != nil {
@@ -350,23 +355,40 @@ func TestVerifyCredentialsSuccess(t *testing.T) {
 }
 
 func TestVerifyCredentialsUnauthorized(t *testing.T) {
+	// Server returns 401 on UserByRestId; VerifyCredentials must surface
+	// it as *AuthError, not a raw GraphQL error.
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(401)
 	}))
 	defer srv.Close()
 
-	c := newTestClient(t, srv.URL, nil, map[string]string{"auth_token": "bad", "ct0": "bad"})
+	c := newTestClient(t, srv.URL, map[string]GraphQLEndpoint{
+		"UserByRestId": {QueryID: "uid_qid", OperationName: "UserByRestId", Kind: "read", RPS: 100, Burst: 10},
+	}, map[string]string{"auth_token": "bad", "ct0": "bad", "twid": "u%3D123"})
 
 	_, err := c.VerifyCredentials(context.Background())
 	if err == nil {
 		t.Fatal("expected error")
 	}
-	ae, ok := err.(*AuthError)
-	if !ok {
-		t.Fatalf("want *AuthError, got %T", err)
+	if _, ok := err.(*AuthError); !ok {
+		t.Fatalf("want *AuthError, got %T: %v", err, err)
 	}
-	if ae.Status != 401 {
-		t.Errorf("AuthError.Status = %d", ae.Status)
+}
+
+func TestParseTwidUserID(t *testing.T) {
+	cases := map[string]string{
+		"u%3D2017830703355072513": "2017830703355072513",
+		"u=2017830703355072513":   "2017830703355072513",
+		"u%3D12":                  "12",
+		"":                         "",
+		"garbage":                  "",
+		"u%3Dnot-a-number":        "",
+		"u%3D":                     "",
+	}
+	for in, want := range cases {
+		if got := parseTwidUserID(in); got != want {
+			t.Errorf("parseTwidUserID(%q) = %q, want %q", in, got, want)
+		}
 	}
 }
 

api/endpoints_test.go

@@ -161,10 +161,16 @@ func TestLoadShippedEndpoints(t *testing.T) {
 	if _, ok := m.REST["friendshipsCreate"]; !ok {
 		t.Error("shipped endpoints.yaml missing friendshipsCreate")
 	}
-	if _, ok := m.REST["verifyCredentials"]; !ok {
-		t.Error("shipped endpoints.yaml missing verifyCredentials")
+	if _, ok := m.REST["friendshipsDestroy"]; !ok {
+		t.Error("shipped endpoints.yaml missing friendshipsDestroy")
 	}
 	if m.Bearer == "" {
 		t.Error("shipped endpoints.yaml has empty bearer")
 	}
+	// verifyCredentials.json was removed by X — the shipped YAML
+	// must NOT carry it any more (the auth liveness check now goes
+	// through UserByRestId).
+	if _, ok := m.REST["verifyCredentials"]; ok {
+		t.Error("shipped endpoints.yaml should no longer carry the dead verifyCredentials REST entry")
+	}
 }

api/extract.go

@@ -132,3 +132,80 @@ func copyMap(m map[string]any) map[string]any {
 	}
 	return out
 }
+
+// firstString returns the first non-empty string at any of the given
+// dot-paths in the root. This is the defensive projection helper used
+// across the parsers — Twitter has shipped at least two response shapes
+// for the same field (e.g., user.screen_name now lives at `core.screen_name`
+// but used to live at `legacy.screen_name`). Reading both keeps x-cli
+// working across the rotation.
+//
+// Each `paths` argument is a slash-delimited path like
+// "core/screen_name" or "legacy/profile_image_url_https".
+func firstString(root map[string]any, paths ...string) string {
+	for _, p := range paths {
+		keys := splitPath(p)
+		v := walkPath(root, keys...)
+		if s, ok := v.(string); ok && s != "" {
+			return s
+		}
+	}
+	return ""
+}
+
+// firstInt is the int counterpart of firstString.
+func firstInt(root map[string]any, paths ...string) int {
+	for _, p := range paths {
+		keys := splitPath(p)
+		v := walkPath(root, keys...)
+		switch x := v.(type) {
+		case float64:
+			return int(x)
+		case int:
+			return x
+		case int64:
+			return int(x)
+		case string:
+			n := 0
+			ok := len(x) > 0
+			for _, r := range x {
+				if r < '0' || r > '9' {
+					ok = false
+					break
+				}
+				n = n*10 + int(r-'0')
+			}
+			if ok {
+				return n
+			}
+		}
+	}
+	return 0
+}
+
+// firstBool returns the first true value at any of the given paths.
+func firstBool(root map[string]any, paths ...string) bool {
+	for _, p := range paths {
+		keys := splitPath(p)
+		if v, ok := walkPath(root, keys...).(bool); ok && v {
+			return true
+		}
+	}
+	return false
+}
+
+func splitPath(p string) []string {
+	if p == "" {
+		return nil
+	}
+	out := make([]string, 0, 4)
+	start := 0
+	for i := 0; i < len(p); i++ {
+		if p[i] == '/' {
+			out = append(out, p[start:i])
+			start = i + 1
+		}
+	}
+	out = append(out, p[start:])
+	return out
+}