weread/book: AUTH_REQUIRED due to using i.weread.qq.com private API instead of same-origin web API

[lw-yang]

Problem

opencli weread book <bookId> always fails with AUTH_REQUIRED even when the user is logged in to weread.qq.com in Chrome.

$ opencli weread book 855812
ok: false
error:
  code: AUTH_REQUIRED
  message: Not logged in to WeRead
  help: Please log in to weread.qq.com in Chrome first

Root Cause

book.js calls fetchPrivateApi(page, '/book/info', { bookId }) which sends the request to https://i.weread.qq.com/book/info. However, WeRead's auth cookie (wr_skey) is a host-only cookie bound to weread.qq.com — it is NOT sent to the subdomain i.weread.qq.com.

Verified by testing directly in the browser:

// Same-origin — works ✓
fetch('https://weread.qq.com/web/book/info?bookId=855812', {credentials:'include'})
// → {title: "人类简史：从动物到上帝", author: "尤瓦尔·赫拉利", ...}

// Cross-origin private API — fails ✗
fetch('https://i.weread.qq.com/book/info?bookId=855812', {credentials:'include'})
// → {errcode: -2012}

This confirms the issue is not with the Browser Bridge extension's cookie extraction — the browser itself cannot authenticate to i.weread.qq.com with the web login session.

Why ai-outline works

ai-outline.js uses postWebApiWithCookies(page, '/book/chapterInfos', ...) which hits the same-origin https://weread.qq.com/web/book/chapterInfos endpoint — this correctly receives the auth cookies.

Fix

Replace fetchPrivateApi calls with same-origin web API equivalents (https://weread.qq.com/web/book/info). The same endpoint exists at both domains and returns identical data.

Affected commands

Any command using fetchPrivateApi will have this issue:

• weread/book
• weread/highlights
• weread/notes
• weread/shelf (partially — falls back to localStorage cache)

Environment

• opencli: v1.8.0
• Browser Bridge extension: v1.0.15
• Chrome: 147
• macOS