feat(safari): multi-profile support

browser/safari/extract_download.go

@@ -9,20 +9,23 @@ import (
 	"github.com/moond4rk/hackbrowserdata/types"
 )
 
-// safariDownloads mirrors the plist structure of Safari's Downloads.plist.
 type safariDownloads struct {
 	DownloadHistory []safariDownloadEntry `plist:"DownloadHistory"`
 }
 
 type safariDownloadEntry struct {
-	URL                string  `plist:"DownloadEntryURL"`
-	Path               string  `plist:"DownloadEntryPath"`
-	TotalBytes         float64 `plist:"DownloadEntryProgressTotalToLoad"`
-	RemoveWhenDone     bool    `plist:"DownloadEntryRemoveWhenDoneKey"`
-	DownloadIdentifier string  `plist:"DownloadEntryIdentifier"`
+	URL                string `plist:"DownloadEntryURL"`
+	Path               string `plist:"DownloadEntryPath"`
+	TotalBytes         int64  `plist:"DownloadEntryProgressTotalToLoad"`
+	ProfileUUID        string `plist:"DownloadEntryProfileUUIDStringKey"`
+	RemoveWhenDone     bool   `plist:"DownloadEntryRemoveWhenDoneKey"`
+	DownloadIdentifier string `plist:"DownloadEntryIdentifier"`
 }
 
-func extractDownloads(path string) ([]types.DownloadEntry, error) {
+// extractDownloads reads Downloads.plist (shared across Safari profiles) and returns only the entries
+// owned by ownerUUID — either "DefaultProfile" or a named profile's uppercase UUID. Entries written by
+// older Safari (no ProfileUUID field) are attributed to the default profile.
+func extractDownloads(path, ownerUUID string) ([]types.DownloadEntry, error) {
 	f, err := os.Open(path)
 	if err != nil {
 		return nil, fmt.Errorf("open downloads: %w", err)
@@ -36,19 +39,30 @@ func extractDownloads(path string) ([]types.DownloadEntry, error) {
 
 	var downloads []types.DownloadEntry
 	for _, d := range dl.DownloadHistory {
+		if !ownsDownload(d.ProfileUUID, ownerUUID) {
+			continue
+		}
 		downloads = append(downloads, types.DownloadEntry{
 			URL:        d.URL,
 			TargetPath: d.Path,
-			TotalBytes: int64(d.TotalBytes),
+			TotalBytes: d.TotalBytes,
 		})
 	}
 	return downloads, nil
 }
 
-func countDownloads(path string) (int, error) {
-	downloads, err := extractDownloads(path)
+func countDownloads(path, ownerUUID string) (int, error) {
+	downloads, err := extractDownloads(path, ownerUUID)
 	if err != nil {
 		return 0, err
 	}
 	return len(downloads), nil
 }
+
+// ownsDownload treats empty ProfileUUID as DefaultProfile for backward compat with pre-profile Safari.
+func ownsDownload(entryUUID, ownerUUID string) bool {
+	if entryUUID == "" {
+		entryUUID = defaultProfileSentinel
+	}
+	return entryUUID == ownerUUID
+}

browser/safari/extract_download_test.go

@@ -20,46 +20,54 @@ func buildTestDownloadsPlist(t *testing.T, dl safariDownloads) string {
 	return path
 }
 
-func TestExtractDownloads(t *testing.T) {
+func TestExtractDownloads_DefaultProfileOnly(t *testing.T) {
+	// Mixed-owner plist: only entries tagged with DefaultProfile (or untagged, for
+	// pre-profile Safari) should surface for the default profile.
+	const namedUUID = "5604E6F5-02ED-4E40-8249-63DE7BC986C8"
 	dl := safariDownloads{
 		DownloadHistory: []safariDownloadEntry{
-			{
-				URL:        "https://example.com/file.zip",
-				Path:       "/Users/test/Downloads/file.zip",
-				TotalBytes: 1024000,
-			},
-			{
-				URL:        "https://go.dev/dl/go1.20.tar.gz",
-				Path:       "/Users/test/Downloads/go1.20.tar.gz",
-				TotalBytes: 98765432,
-			},
+			{URL: "https://a.com/a.zip", Path: "/tmp/a.zip", TotalBytes: 1024000, ProfileUUID: defaultProfileSentinel},
+			{URL: "https://b.com/b.zip", Path: "/tmp/b.zip", TotalBytes: 98765432, ProfileUUID: namedUUID},
+			{URL: "https://c.com/legacy.zip", Path: "/tmp/legacy.zip", TotalBytes: 500, ProfileUUID: ""}, // pre-profile Safari
 		},
 	}
 
 	path := buildTestDownloadsPlist(t, dl)
-	downloads, err := extractDownloads(path)
+	downloads, err := extractDownloads(path, defaultProfileSentinel)
 	require.NoError(t, err)
 	require.Len(t, downloads, 2)
+	assert.Equal(t, "https://a.com/a.zip", downloads[0].URL)
+	assert.Equal(t, "https://c.com/legacy.zip", downloads[1].URL)
+}
 
-	assert.Equal(t, "https://example.com/file.zip", downloads[0].URL)
-	assert.Equal(t, "/Users/test/Downloads/file.zip", downloads[0].TargetPath)
-	assert.Equal(t, int64(1024000), downloads[0].TotalBytes)
+func TestExtractDownloads_NamedProfileOnly(t *testing.T) {
+	const namedUUID = "5604E6F5-02ED-4E40-8249-63DE7BC986C8"
+	dl := safariDownloads{
+		DownloadHistory: []safariDownloadEntry{
+			{URL: "https://a.com/a.zip", Path: "/tmp/a.zip", TotalBytes: 100, ProfileUUID: defaultProfileSentinel},
+			{URL: "https://b.com/b.zip", Path: "/tmp/b.zip", TotalBytes: 200, ProfileUUID: namedUUID},
+		},
+	}
 
-	assert.Equal(t, "https://go.dev/dl/go1.20.tar.gz", downloads[1].URL)
-	assert.Equal(t, int64(98765432), downloads[1].TotalBytes)
+	path := buildTestDownloadsPlist(t, dl)
+	downloads, err := extractDownloads(path, namedUUID)
+	require.NoError(t, err)
+	require.Len(t, downloads, 1)
+	assert.Equal(t, "https://b.com/b.zip", downloads[0].URL)
+	assert.Equal(t, int64(200), downloads[0].TotalBytes)
 }
 
 func TestCountDownloads(t *testing.T) {
 	dl := safariDownloads{
 		DownloadHistory: []safariDownloadEntry{
-			{URL: "https://a.com/1.zip", Path: "/tmp/1.zip", TotalBytes: 100},
-			{URL: "https://b.com/2.zip", Path: "/tmp/2.zip", TotalBytes: 200},
-			{URL: "https://c.com/3.zip", Path: "/tmp/3.zip", TotalBytes: 300},
+			{URL: "https://a.com/1.zip", Path: "/tmp/1.zip", TotalBytes: 100, ProfileUUID: defaultProfileSentinel},
+			{URL: "https://b.com/2.zip", Path: "/tmp/2.zip", TotalBytes: 200, ProfileUUID: defaultProfileSentinel},
+			{URL: "https://c.com/3.zip", Path: "/tmp/3.zip", TotalBytes: 300, ProfileUUID: defaultProfileSentinel},
 		},
 	}
 
 	path := buildTestDownloadsPlist(t, dl)
-	count, err := countDownloads(path)
+	count, err := countDownloads(path, defaultProfileSentinel)
 	require.NoError(t, err)
 	assert.Equal(t, 3, count)
 }
@@ -68,7 +76,7 @@ func TestExtractDownloads_Empty(t *testing.T) {
 	dl := safariDownloads{}
 	path := buildTestDownloadsPlist(t, dl)
 
-	downloads, err := extractDownloads(path)
+	downloads, err := extractDownloads(path, defaultProfileSentinel)
 	require.NoError(t, err)
 	assert.Empty(t, downloads)
 }

browser/safari/profiles.go

@@ -0,0 +1,175 @@
+package safari
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	_ "modernc.org/sqlite"
+
+	"github.com/moond4rk/hackbrowserdata/log"
+)
+
+// profileContext tracks the uppercase (Safari/Profiles/<UUID>) and lowercase
+// (WebKit/WebsiteDataStore/<uuid>) UUID forms a named profile needs. Both empty ⇒ default profile.
+type profileContext struct {
+	name       string
+	uuidUpper  string
+	uuidLower  string
+	legacyHome string // ~/Library/Safari
+	container  string // ~/Library/Containers/com.apple.Safari/Data/Library
+}
+
+func (p profileContext) isDefault() bool { return p.uuidUpper == "" }
+
+// downloadOwnerUUID is the value Safari writes into DownloadEntryProfileUUIDStringKey
+// for downloads that belong to this profile. The default profile uses the sentinel
+// "DefaultProfile"; named profiles use their uppercase UUID.
+func (p profileContext) downloadOwnerUUID() string {
+	if p.isDefault() {
+		return defaultProfileSentinel
+	}
+	return p.uuidUpper
+}
+
+// SafariTabs.db lists profiles in bookmarks rows with subtype=2. external_uuid "DefaultProfile"
+// is the sentinel for the implicit default, which has no per-UUID directory.
+const (
+	safariTabsDBRelPath    = "Safari/SafariTabs.db"
+	safariProfileSubtype   = 2
+	defaultProfileSentinel = "DefaultProfile"
+)
+
+// Path-unsafe bytes for filenames/CSV values; Unicode letters (CJK etc.) survive.
+var unsafeNameChars = regexp.MustCompile(`[/\\:*?"<>|\x00-\x1f]+`)
+
+// Canonical 8-4-4-4-12 hex UUID — format check only, no semantic parse.
+var uuidPattern = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)
+
+// discoverSafariProfiles always lists the default first, then named profiles from SafariTabs.db
+// (authoritative) with a ReadDir fallback only if the DB itself is unreadable.
+func discoverSafariProfiles(legacyHome string) []profileContext {
+	container := deriveContainerRoot(legacyHome)
+
+	profiles := []profileContext{{
+		name:       "default",
+		legacyHome: legacyHome,
+		container:  container,
+	}}
+
+	named, err := readNamedProfilesFromDB(container)
+	if err != nil {
+		// Empty DB (nil, nil) is authoritative; fall back only when DB itself is unreadable.
+		named = readNamedProfilesFromDir(container)
+	}
+	for _, p := range named {
+		p.legacyHome = legacyHome
+		p.container = container
+		profiles = append(profiles, p)
+	}
+
+	disambiguateNames(profiles)
+	return profiles
+}
+
+func deriveContainerRoot(legacyHome string) string {
+	return filepath.Join(filepath.Dir(legacyHome), "Containers", "com.apple.Safari", "Data", "Library")
+}
+
+// readNamedProfilesFromDB returns (nil, err) when the DB is missing/unreadable so the caller can
+// try the ReadDir fallback; (slice, nil) — possibly empty — is authoritative.
+func readNamedProfilesFromDB(container string) ([]profileContext, error) {
+	// Read-only + immutable so we don't disturb Safari's live WAL.
+	dsn := "file:" + filepath.Join(container, safariTabsDBRelPath) + "?mode=ro&immutable=1"
+	db, err := sql.Open("sqlite", dsn)
+	if err != nil {
+		return nil, fmt.Errorf("open SafariTabs.db: %w", err)
+	}
+	defer db.Close()
+
+	// Ping forces connection; sql.Open is lazy and won't detect a missing file.
+	if err := db.Ping(); err != nil {
+		return nil, fmt.Errorf("ping SafariTabs.db: %w", err)
+	}
+
+	rows, err := db.Query(
+		`SELECT external_uuid, title FROM bookmarks WHERE subtype = ? AND external_uuid != ?`,
+		safariProfileSubtype, defaultProfileSentinel,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("query SafariTabs.db: %w", err)
+	}
+	defer rows.Close()
+
+	var out []profileContext
+	for rows.Next() {
+		var externalUUID, title sql.NullString
+		if err := rows.Scan(&externalUUID, &title); err != nil {
+			log.Debugf("safari profiles: scan row: %v", err)
+			continue
+		}
+		if !isCanonicalUUID(externalUUID.String) {
+			continue
+		}
+		out = append(out, newNamedProfile(externalUUID.String, title.String))
+	}
+	return out, nil
+}
+
+// readNamedProfilesFromDir is the fallback for missing SafariTabs.db. Names are synthesized from UUIDs.
+func readNamedProfilesFromDir(container string) []profileContext {
+	entries, err := os.ReadDir(filepath.Join(container, "Safari", "Profiles"))
+	if err != nil {
+		return nil
+	}
+
+	var out []profileContext
+	for _, e := range entries {
+		if !e.IsDir() || !isCanonicalUUID(e.Name()) {
+			continue
+		}
+		out = append(out, newNamedProfile(e.Name(), ""))
+	}
+	return out
+}
+
+func newNamedProfile(upperUUID, title string) profileContext {
+	return profileContext{
+		name:      resolveProfileName(title, upperUUID),
+		uuidUpper: upperUUID,
+		uuidLower: strings.ToLower(upperUUID),
+	}
+}
+
+func isCanonicalUUID(s string) bool { return uuidPattern.MatchString(s) }
+
+// resolveProfileName prefers the SafariTabs.db title, falling back to "profile-<uuid[:8]>".
+func resolveProfileName(title, upperUUID string) string {
+	if name := sanitizeProfileName(title); name != "" {
+		return name
+	}
+	return "profile-" + strings.ToLower(upperUUID[:8])
+}
+
+func sanitizeProfileName(name string) string {
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return ""
+	}
+	return unsafeNameChars.ReplaceAllString(name, "_")
+}
+
+// disambiguateNames appends "-2", "-3", … to duplicate names, in place.
+func disambiguateNames(profiles []profileContext) {
+	occurrences := make(map[string]int, len(profiles))
+	for i := range profiles {
+		original := profiles[i].name
+		if prior := occurrences[original]; prior > 0 {
+			profiles[i].name = fmt.Sprintf("%s-%d", original, prior+1)
+		}
+		occurrences[original]++
+	}
+}