@trusty-squire/mcp 0.6.15-rc.9 → 0.7.1

package/dist/bot/agent.js

@@ -11,6 +11,10 @@ import { rankAndCapInventory, scoreSignupButton } from "./browser.js";
 import { OAUTH_PROVIDERS, extractOAuthScopes, isGitHubDismissible2faSetup, GITHUB_DISMISSIBLE_2FA_SKIP_TEXT, } from "./oauth-providers.js";
 import { extractGoogleNumberMatch, scrapeGoogleScopePhrases } from "./google-login.js";
 import { notifyHeightenedAuth } from "./notify-api.js";
+import { sendTelegramHeightenedAuth } from "./telegram-notify.js";
+import { TwoCaptchaSolver } from "./captcha-solver-2captcha.js";
+import { redactCredentials } from "./redact.js";
+import { readOperatorOtp, fromDomainFromUrl } from "./read-otp.js";
 import { loggedInProviders, clearProviderLoggedIn } from "./login-state.js";
 import { saveDebugSnapshot } from "./debug.js";
 import { captureOnboardingRound } from "./onboarding-capture.js";
@@ -75,8 +79,20 @@ const ONBOARDING_PAYWALL_PATTERNS = [
     /\benter\s+your\s+card\b/i,
     /\benter\s+your\s+payment\b/i,
     /\benter\s+payment\s+details\b/i,
+    /\bconnect\s+a(?:\s+valid)?\s+payment\s+method\b/i,
+    /\byour\s+(?:free\s+)?trial\s+(?:is\s+)?ending\b/i,
     /\bupgrade\s+your\s+plan\s+to\b/i,
     /\bstart\s+your\s+paid\s+plan\b/i,
+    // rc.39 — Koyeb-class. Cover the variants the post-verify planner
+    // produces in its `done` reason when it gives up on a billing wall:
+    // "requires credit card payment", "credit card verification wall",
+    // "payment wall", "Pro plan payment required", "complete billing".
+    /\brequir(?:es?|ing)\s+(?:a\s+)?credit\s+card\b/i,
+    /\b(?:credit\s+card|payment)\s+wall\b/i,
+    /\bcredit\s+card\s+verification\b/i,
+    /\b(?:plan\s+|account\s+)?payment\s+required\b/i,
+    /\bcomplet(?:e|ing)\s+(?:billing|payment)\b/i,
+    /\bbilling\s+setup\s+(?:is\s+)?required\b/i,
 ];
 // Negators that, if they appear in the ~30 characters immediately
 // before a paywall pattern match, flip its meaning from a demand
@@ -206,13 +222,22 @@ function extractJsonObject(raw) {
     // Tolerate models that wrap their reply in markdown fences.
     const fenced = trimmed.match(/```(?:json)?\s*([\s\S]+?)\s*```/);
     const candidate = fenced !== null && fenced[1] !== undefined ? fenced[1] : trimmed;
-    const match = candidate.match(/\{[\s\S]*\}/);
-    if (match === null) {
+    // F7 / 0.6.15-rc.11 — stack-based first-balanced-object extraction.
+    // The previous regex `\{[\s\S]*\}` was greedy and matched from the
+    // first `{` to the LAST `}` in the string. When an LLM emitted
+    // multiple JSON objects (e.g. {"kind":"fill",…}\n{"kind":"click",…}),
+    // the greedy match spanned both and JSON.parse failed with
+    // "Unexpected non-whitespace character after JSON at position N".
+    // The stack walker finds the first balanced `{…}` block respecting
+    // string-literal boundaries, so a single object always parses cleanly
+    // even when the model appends trailing prose or extra objects.
+    const objText = extractFirstBalancedObject(candidate);
+    if (objText === null) {
         throw new Error(`no JSON object in reply: ${raw.slice(0, 200)}`);
     }
     let parsed;
     try {
-        parsed = JSON.parse(match[0]);
+        parsed = JSON.parse(objText);
     }
     catch (err) {
         throw new Error(`JSON.parse failed: ${err instanceof Error ? err.message : String(err)}`);
@@ -228,6 +253,47 @@ function extractJsonObject(raw) {
         obj[k] = v;
     return obj;
 }
+// Find the first balanced `{ … }` block in `s`, respecting string
+// literals and escapes. Returns the substring (inclusive of braces) or
+// null when no balanced block exists. Tolerates trailing text after
+// the closing brace (which is the whole reason we need it — the
+// previous greedy regex couldn't).
+function extractFirstBalancedObject(s) {
+    const open = s.indexOf("{");
+    if (open < 0)
+        return null;
+    let depth = 0;
+    let inString = false;
+    let escape = false;
+    for (let i = open; i < s.length; i++) {
+        const c = s[i];
+        if (escape) {
+            escape = false;
+            continue;
+        }
+        if (inString) {
+            if (c === "\\") {
+                escape = true;
+                continue;
+            }
+            if (c === '"')
+                inString = false;
+            continue;
+        }
+        if (c === '"') {
+            inString = true;
+            continue;
+        }
+        if (c === "{")
+            depth++;
+        else if (c === "}") {
+            depth--;
+            if (depth === 0)
+                return s.slice(open, i + 1);
+        }
+    }
+    return null;
+}
 // Narrow `unknown` to a non-null object map.
 function asObject(value, context) {
     if (typeof value !== "object" || value === null || Array.isArray(value)) {
@@ -335,6 +401,31 @@ export function parseSignupPlan(raw, allowedSelectors) {
 // with "Email" both in the body CTA and the footer made the planner
 // pick the wrong one and loop. Single-occurrence text is rendered
 // without the landmark tag to keep the inventory terse.
+//
+// rc.17 — split keyboard-shortcut suffixes out of button labels.
+// Resend / Linear / Notion-style buttons render the shortcut hint
+// glued to the label without a separator: "AddCtrl↩", "CancelEsc",
+// "Save⌘↩". The planner reads "AddCtrl↩" and gets confused — the
+// Resend trace showed the planner clicking "All domains" thinking
+// it was the Add button (because "AddCtrl↩" didn't pattern-match
+// "Add" cleanly). Exported for unit testing.
+export function splitKeyboardShortcut(text) {
+    // Trailing keyboard hint = optional modifier (Ctrl/⌘/Cmd/Shift/Alt/
+    // Opt/Option/Meta), optional `+`, then one of: arrow-return symbols,
+    // named keys (Enter/Esc/Tab/Space/Return), or a single letter / Fn key.
+    // The suffix MUST start at a word boundary OR a transition from
+    // lowercase to uppercase ("AddCtrl" — Add↑↓Ctrl). Anchored to end-
+    // of-string.
+    const re = /(?<=[a-z])(Ctrl|⌘|Cmd|Shift|Alt|Opt(?:ion)?|Meta)?\+?(?:[↩⏎⌫⌦⇧⌘⎋]|Enter|Esc|Tab|Space|Return|F\d{1,2})$/;
+    const m = re.exec(text);
+    if (m === null)
+        return { label: text, shortcut: null };
+    const label = text.slice(0, m.index).trim();
+    if (label.length < 2)
+        return { label: text, shortcut: null };
+    const shortcut = m[0];
+    return { label, shortcut };
+}
 export function formatInventory(inventory) {
     if (inventory.length === 0)
         return "(no interactive elements found on the page)";
@@ -411,7 +502,10 @@ export function formatInventory(inventory) {
             e.tag !== "textarea" &&
             e.tag !== "select" &&
             e.visibleText !== null) {
-            bits.push(`text=${JSON.stringify(e.visibleText)}`);
+            const { label, shortcut } = splitKeyboardShortcut(e.visibleText);
+            bits.push(`text=${JSON.stringify(label)}`);
+            if (shortcut !== null)
+                bits.push(`shortcut=${JSON.stringify(shortcut)}`);
         }
         if (e.inConsentWidget)
             bits.push("[cookie-consent — avoid]");
@@ -618,14 +712,28 @@ export function detectAlreadySignedIn(args) {
     let dashboardyPath = false;
     try {
         const parsed = new URL(url);
+        // rc.37 — widened the dashboard-path allowlist after the rc.35
+        // sweep showed Upstash's post-OAuth landing was /redis (the
+        // product-segment route, not a generic /dashboard). Added
+        // /redis, /kafka, /vector, /cluster, /databases?, /instances?,
+        // /apps?, /deployments?, /services? — all common product-name
+        // routes that almost always indicate authenticated state.
         dashboardyPath =
-            /\/(?:new|dashboard|projects?|account|settings|workspace|home)(?:\/|$)/i.test(parsed.pathname) && !/\/(?:signup|sign-up|register|login|sign-in|signin)/i.test(parsed.pathname);
+            /\/(?:new|dashboard|projects?|account|settings|workspace|home|redis|kafka|vector|cluster|databases?|instances?|apps?|deployments?|services?)(?:\/|$)/i.test(parsed.pathname) && !/\/(?:signup|sign-up|register|login|sign-in|signin)/i.test(parsed.pathname);
     }
     catch {
         // Malformed URL — skip URL signal.
     }
     if (dashboardyPath) {
-        const CREATION_CTA = /^\s*(?:\+\s*)?(?:new\s+(?:project|workspace|team|app|site|deployment|api\s*key)|create(?:\s+(?:new|a|project|workspace))?)/i;
+        // rc.37 — widened the creation-CTA vocabulary to include the
+        // dashboard-y "Create <product-noun>" pattern. Upstash's
+        // dashboard CTA reads "Create Database"; Convex / Neon /
+        // PlanetScale / similar all use this shape ("Create cluster",
+        // "Create instance", "Create deployment"). Without this the
+        // bot's F17 already-signed-in path fell through to form-fill
+        // and the planner clicked the CTA thinking it was a signup
+        // submit button.
+        const CREATION_CTA = /^\s*(?:\+\s*)?(?:new\s+(?:project|workspace|team|app|site|deployment|api\s*key|database|cluster|instance|service)|create(?:\s+(?:new|a|project|workspace|database|cluster|instance|deployment|app|service|index|environment))?)/i;
         if (inventory.some((e) => {
             const t = e.visibleText ?? e.ariaLabel ?? "";
             return CREATION_CTA.test(t.trim());
@@ -635,6 +743,46 @@ export function detectAlreadySignedIn(args) {
     }
     return false;
 }
+// rc.39 — companion to detectAlreadySignedIn for the form-fill stage.
+// The URL-based dashboard check above conservatively excludes /sign-up,
+// /signup, /register paths — but services like PlanetScale and Turso
+// serve a logged-in create-database / billing-wall form at /sign-up
+// when the user has an active session. The form-fill planner reliably
+// describes what it sees: "create the database on this PS-5 plan",
+// "Add credit card", "database name". Match those phrases in the
+// planner's notes and action reasons to pivot to post-verify instead
+// of fooling the form-fill loop into clicking a "create database"
+// button it mistakes for a signup submit.
+//
+// Patterns are intentionally conservative — they must mention an
+// authenticated-state product/billing noun, not just any verb. A
+// regular signup form's planner output ("name field", "submit
+// button") shouldn't match.
+export function detectFormFillIsDashboard(plan) {
+    const haystack = [
+        plan.notes ?? "",
+        ...plan.actions.map((a) => a.reason ?? ""),
+    ]
+        .join(" ")
+        .toLowerCase();
+    // Billing / payment wall — the planner sees a credit-card / billing
+    // form, which is never a signup form.
+    const BILLING_WALL = /\b(?:add (?:a )?(?:credit card|payment method)|enter (?:your )?(?:credit card|payment)|billing (?:information|details)|payment information required)\b/;
+    if (BILLING_WALL.test(haystack))
+        return true;
+    // Product-creation form — the planner describes creating a
+    // database / cluster / instance / deployment / app / project /
+    // workspace / service, which is post-signup territory.
+    const PRODUCT_CREATION = /\b(?:create(?:s|d)?|creating|provision(?:s|ed|ing)?)\s+(?:(?:the|a|an|new|your|this)\s+){0,3}(?:database|cluster|instance|deployment|app|service|project|workspace|index|environment|tenant)\b/;
+    if (PRODUCT_CREATION.test(haystack))
+        return true;
+    // Explicit "not a signup" / "logged in" / "dashboard" statements
+    // from the planner.
+    const EXPLICIT = /\b(?:not\s+(?:a\s+)?(?:sign-?up|signup)|already\s+(?:signed[\s-]?in|logged[\s-]?in|authenticated)|logged[\s-]?in (?:dashboard|user))\b/;
+    if (EXPLICIT.test(haystack))
+        return true;
+    return false;
+}
 // True when the page has no fillable text input AND no button that
 // reads as an email-signup option — a genuinely OAuth/SSO-only
 // service with no form to automate (F3 Issue 4).
@@ -686,6 +834,19 @@ export function isOauthOnlyChooser(inventory) {
 //      or "Google's Privacy Policy" out.
 // Returns null when the page has no such affordance — the planner then
 // falls back to form-fill. Exported for unit testing.
+//
+// rc.12 — sanity-cap the element's own visible text. A real sign-in
+// button is short ("Continue with Google" = 19 chars, "Sign in with
+// GitHub" = 19). When the element's visibleText runs longer than the
+// cap below, it is wrapping unrelated content — typically a marketing
+// card with a small provider logo nested inside. The OpenRouter case:
+// an <a> wrapping a model card whose textContent reads "anthropic/
+// claude-opus-4.7Model routing visualization…" and whose descendant
+// tree contains an <img alt="Google"> for a tiny G icon. The iconLabel
+// path then fired against the wrong element. Capping at 60 chars also
+// gates path 2 to truly icon-only elements (no own visible text) so a
+// card wrapper with one stray <img alt> can never match.
+const MAX_OAUTH_BUTTON_TEXT_CHARS = 60;
 export function findOAuthButton(inventory, provider) {
     const keyword = OAUTH_PROVIDERS[provider].buttonKeyword;
     const keywordRe = new RegExp(`\\b${keyword}\\b`);
@@ -699,17 +860,26 @@ export function findOAuthButton(inventory, provider) {
             e.type === "button";
         if (!isButtonish)
             continue;
+        const visibleText = (e.visibleText ?? "").trim();
+        if (visibleText.length > MAX_OAUTH_BUTTON_TEXT_CHARS)
+            continue;
         // 1. An <a> whose href routes through the provider's OAuth endpoint.
         const href = (e.href ?? "").toLowerCase();
         if (href.length > 0 && hrefRe.test(href))
             return e;
-        // 2. Icon-only button — named only by a descendant img/svg.
-        if (keywordRe.test((e.iconLabel ?? "").toLowerCase()))
+        // 2. Icon-only button — named only by a descendant img/svg. Require
+        //    the element to be truly icon-only (no own visible text); a
+        //    populated visibleText means the iconLabel signal is redundant
+        //    with path 3 below, and accepting it here lets a card wrapper
+        //    with a stray <img alt="Google"> inside match.
+        if (visibleText.length === 0 &&
+            keywordRe.test((e.iconLabel ?? "").toLowerCase())) {
             return e;
+        }
         // 3. Visible text / accessible label naming the provider + an
         //    auth verb. The auth verb requirement rejects nav and policy
         //    links that merely mention the provider.
-        const text = `${e.visibleText ?? ""} ${e.ariaLabel ?? ""} ${e.labelText ?? ""}`
+        const text = `${visibleText} ${e.ariaLabel ?? ""} ${e.labelText ?? ""}`
             .toLowerCase()
             .replace(/\s+/g, " ")
             .trim();
@@ -718,9 +888,140 @@ export function findOAuthButton(inventory, provider) {
         if (/\b(sign|signup|signin|continue|log ?in|connect|auth)\b/.test(text)) {
             return e;
         }
+        // rc.39 — minimal-label OAuth buttons. Some auth UIs render the
+        // provider as a bare keyword button: just "GitHub" or just "Google"
+        // (Turso, several Stytch / Clerk / Auth0 templates). When the
+        // VISIBLE text is essentially nothing but the provider keyword,
+        // accept it — no auth-verb required. The keyword regex already
+        // ensured the provider name is present; the length cap MAX_OAUTH_
+        // BUTTON_TEXT_CHARS (60) ensures it's still buttonish, not a
+        // paragraph that happens to mention the provider.
+        const stripped = visibleText.toLowerCase().replace(/[^a-z0-9]+/g, " ").trim();
+        if (stripped === keyword || stripped === `with ${keyword}`) {
+            return e;
+        }
     }
     return null;
 }
+// rc.20 — true when the post-OAuth landing page LOOKS like the same
+// login/auth UI the bot just OAuth'd from AND still surfaces an OAuth
+// affordance for the same provider. Services like Groq complete the
+// Google handshake server-side but bounce the user back to a
+// /authenticate page that requires one more click of the provider
+// button to actually finalize the session. Returns the OAuth button
+// to click (so the caller can pass it to startOAuth) or null when the
+// page is past that gate.
+//
+// Login-shaped path patterns: /login, /signin, /sign-in, /signup,
+// /sign-up, /auth, /authenticate, /authorize. Excludes /callback
+// (genuinely transient) and dashboard-shaped paths.
+export function isLoginLoopState(url, inventory, provider) {
+    let path;
+    try {
+        path = new URL(url).pathname.toLowerCase();
+    }
+    catch {
+        return null;
+    }
+    const loginPath = /\/(?:login|signin|sign-in|signup|sign-up|auth|authenticate|authorize)(?:\/|$)/.test(path);
+    if (!loginPath)
+        return null;
+    // Defense in depth: if the page also shows authenticated-state
+    // markers (Sign out / Dashboard / billing widget) it isn't really
+    // a login loop — the OAuth-buttons are decoration. detectAlreadySignedIn
+    // returns false when ANY credential input is visible, but here we're
+    // checking the inverse — markers despite the login path.
+    if (detectAlreadySignedIn({ inventory, url }))
+        return null;
+    return findOAuthButton(inventory, provider);
+}
+// Path-only formatter for step trail entries. Same parse semantics as
+// isLoginLoopState — best-effort, returns "(unparseable)" on failure.
+export function pathOf(url) {
+    try {
+        return new URL(url).pathname;
+    }
+    catch {
+        return "(unparseable)";
+    }
+}
+// (a) Manual-login fallback. DigitalOcean + Hyperbolic completed the
+// Google OAuth handshake on Google's side but the service didn't
+// honour the callback — the bot lands back on a manual /login page
+// with email + password inputs. Distinct from the rc.20 login-loop
+// (which assumes the page still surfaces OAuth provider buttons).
+export function detectManualLoginFallback(url, inventory) {
+    let path;
+    try {
+        path = new URL(url).pathname.toLowerCase();
+    }
+    catch {
+        return false;
+    }
+    const loginPath = /\/(?:login|signin|sign-in|signup|sign-up|authenticate)(?:\/|$)/.test(path);
+    if (!loginPath)
+        return false;
+    // Manual-login signal: email + password input pair on the page.
+    const hasEmail = inventory.some((e) => e.tag === "input" && e.type === "email");
+    const hasPassword = inventory.some((e) => e.tag === "input" && e.type === "password");
+    return hasEmail && hasPassword;
+}
+// (b) Email-OTP wall. Porter, Koyeb (both WorkOS-backed) send a 6-
+// or 8-digit code to the operator's email and gate further access
+// behind it. Signal: URL path or title literal "email-verification"
+// + a single short-numeric input in the inventory.
+export function detectEmailOtpGate(url, title, pageText) {
+    let path;
+    try {
+        path = new URL(url).pathname.toLowerCase();
+    }
+    catch {
+        path = "";
+    }
+    if (/email[-_]verification|verify[-_]email|email[-_]code|otp/.test(path)) {
+        return true;
+    }
+    const titleLower = title.toLowerCase();
+    if (titleLower.includes("verify your email") ||
+        titleLower.includes("email verification")) {
+        return true;
+    }
+    // Page-text fallback for services that route OTP gates through
+    // generic URLs (the bot has the rendered body anyway). Conservative
+    // phrasing — must include a "we sent … code … to" or "enter …
+    // code … sent" shape with a bounded gap.
+    const lower = pageText.toLowerCase();
+    return (/we sent[^.]{0,60}\bcode\b[^.]{0,40}to\b/.test(lower) ||
+        /enter[^.]{0,40}\bcode\b[^.]{0,40}\b(?:sent|email)/.test(lower));
+}
+// (c) SSO restriction (Fly.io class). Service rejects token-creation
+// for accounts whose org enforces SSO/SAML. Signal: phrase fragments
+// that explicitly name SSO/SAML/Single Sign-On as the blocker.
+export function detectSsoRestriction(pageText) {
+    const lower = pageText.toLowerCase();
+    // Common phrasings observed: "managed via SSO", "SSO-managed",
+    // "Single Sign-On is required", "SSO organization membership".
+    return /(?:managed\s+via\s+(?:sso|single\s+sign-?on)|sso[\s-]?managed|sso\s+organization|single\s+sign-?on\s+is\s+required|enforced\s+by\s+(?:sso|saml))/.test(lower);
+}
+// (d) Stuck-on-Google-OAuth-screens (Upstash class). After
+// settleAfterOAuth the URL is STILL on accounts.google.com — the
+// handshake didn't redirect through to the service. Most common
+// shape: Clerk-mediated OAuth (Upstash's auth.upstash.com → Google
+// account chooser) where the chooser uses a clickable card the
+// post-verify planner can't reliably target, and the bot loops
+// trying. Defining trait: hostname accounts.google.com (or
+// accounts.googleusercontent.com) at the post-OAuth gate.
+export function detectStuckOnGoogleOAuth(url) {
+    try {
+        const h = new URL(url).hostname.toLowerCase();
+        return (h === "accounts.google.com" ||
+            h === "accounts.googleusercontent.com" ||
+            h.endsWith(".accounts.google.com"));
+    }
+    catch {
+        return false;
+    }
+}
 // Scan the inventory for the first OAuth affordance among `providers`,
 // in order — the auto-prefer decision passes every provider the
 // profile has a session for. Returns the matched provider + element.
@@ -917,8 +1218,187 @@ export function extractQuotedTokenFromReason(reason, pageText) {
         if (pageText.includes(candidate))
             return candidate;
     }
+    // rc.36 — unquoted UUID fallback. Upstash's API key dialog shows a
+    // bare UUID (`b7dd0ff0-2497-4dc8-a793-8261a38e0339`) and the
+    // planner quotes it WITHOUT surrounding quote marks ("The full API
+    // key b7dd0ff0-… is visible"). The verbatim-in-page check is the
+    // safety net — random UUIDs sprinkled across dashboards (trace IDs,
+    // project IDs) only false-positive if the SAME UUID appears in the
+    // planner's reason. Keyword guard ('api key' / 'token' / 'secret'
+    // / 'credential' within 50 chars of the UUID) keeps unrelated
+    // UUIDs (project IDs, member IDs in a sidebar) from matching.
+    const uuidRe = /\b([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b/gi;
+    const keywordRe = /\b(?:api[\s_-]?(?:key|token)|access[\s_-]?token|secret|credential)\b/i;
+    for (const m of reason.matchAll(uuidRe)) {
+        const candidate = m[1] ?? m[0];
+        if (!pageText.includes(candidate))
+            continue;
+        const start = Math.max(0, m.index - 50);
+        const end = Math.min(reason.length, m.index + candidate.length + 50);
+        const window = reason.slice(start, end);
+        if (keywordRe.test(window))
+            return candidate;
+    }
     return null;
 }
+// Phase E — multi-credential planner-prose parser. When a service
+// exposes several distinct credentials on the same page (Cloudinary:
+// cloud_name + api_key + api_secret; Algolia: application_id +
+// admin_api_key + search_api_key; Twilio: account_sid + auth_token;
+// Stripe: publishable_key + secret_key), the post-verify planner is
+// instructed (Phase E prompt update) to label each value explicitly
+// in its extract reason. This parser pulls those labels + values out
+// and returns them as { [label]: value }.
+//
+// The label vocabulary is whitelisted to known credential-shaped
+// names so the parser doesn't false-match prose like "the
+// dashboard_url is …" or "the project_name is …". Anything outside
+// the whitelist is dropped to keep credentials objects clean.
+//
+// Returns empty record when nothing parsed. Caller folds the result
+// into the credentials dict; falls back to single-cred extraction
+// when this returns empty.
+export function extractAllLabeledTokensFromReason(reason, pageText) {
+    // Whitelist of credential labels we recognize. Snake_case canonical;
+    // the matcher tolerates the LLM emitting hyphenated or PascalCase
+    // variants. Each entry maps a normalized form back to the canonical
+    // snake_case used in the credentials Record.
+    const LABEL_ALIASES = {
+        api_key: "api_key",
+        apikey: "api_key",
+        api_token: "api_key",
+        apitoken: "api_key",
+        access_token: "access_token",
+        accesstoken: "access_token",
+        api_secret: "api_secret",
+        apisecret: "api_secret",
+        secret_key: "secret_key",
+        secretkey: "secret_key",
+        publishable_key: "publishable_key",
+        publishablekey: "publishable_key",
+        client_id: "client_id",
+        clientid: "client_id",
+        client_secret: "client_secret",
+        clientsecret: "client_secret",
+        cloud_name: "cloud_name",
+        cloudname: "cloud_name",
+        application_id: "application_id",
+        applicationid: "application_id",
+        app_id: "application_id",
+        appid: "application_id",
+        admin_api_key: "admin_api_key",
+        adminapikey: "admin_api_key",
+        search_api_key: "search_api_key",
+        searchapikey: "search_api_key",
+        monitoring_api_key: "monitoring_api_key",
+        account_sid: "account_sid",
+        accountsid: "account_sid",
+        auth_token: "auth_token",
+        authtoken: "auth_token",
+        sandbox_secret: "sandbox_secret",
+        sandboxsecret: "sandbox_secret",
+        org_id: "org_id",
+        orgid: "org_id",
+        organization_id: "org_id",
+        consumer_key: "consumer_key",
+        consumer_secret: "consumer_secret",
+        access_token_secret: "access_token_secret",
+        project_api_key: "project_api_key",
+        personal_api_key: "personal_api_key",
+        app_key: "app_key",
+        appkey: "app_key",
+    };
+    const out = {};
+    // Build the label-alternation from the whitelist keys. Restricting
+    // the regex to KNOWN labels avoids the greedy-match-eats-real-label
+    // bug (without this, "shows: application_id" would match as
+    // label='shows' / value='application_id' and consume the real
+    // 'application_id' that follows). Longer aliases first so the
+    // regex prefers `admin_api_key` over `api_key` at the same start.
+    const labelKeys = Object.keys(LABEL_ALIASES).sort((a, b) => b.length - a.length);
+    const labelAlt = labelKeys.map(escapeRegex).join("|");
+    // Hyphen variants — the LLM sometimes emits `cloud-name` instead of
+    // `cloud_name`. Replace _ with [-_] inside each alternative.
+    const labelAltLoose = labelAlt.replace(/_/g, "[-_]");
+    // Two patterns:
+    //
+    // (A) Strict QUOTED form — `label='value'` / `label="value"` /
+    //     `label:'value'` etc. Trusts the value as credential-shape
+    //     because the planner was instructed (Phase E prompt) to quote.
+    //
+    // (B) Prose `label is value` form — required for natural-language
+    //     extracts but DANGEROUS. The Cloudinary trace produced
+    //     "api_secret is hidden behind asterisks" — the prose-pattern
+    //     greedily captured `hidden` as the value, then the
+    //     anti-hallucination check passed (the word "hidden" was in
+    //     pageText/reason). Mitigations: (1) require the value to LOOK
+    //     credential-shape (mixed alpha+digit, ≥16 chars, OR a known
+    //     credential prefix); (2) hard-reject a curated set of common
+    //     English status words that look label-like in extract prose.
+    const quotedRe = new RegExp(`\\b(${labelAltLoose})\\b\\s*[=:]\\s*['"\`]([A-Za-z0-9_\\-]{4,80})['"\`]`, "gi");
+    for (const m of reason.matchAll(quotedRe)) {
+        const rawLabel = (m[1] ?? "").toLowerCase().replace(/-/g, "_");
+        const normalized = rawLabel.replace(/_+/g, "_");
+        const canonical = LABEL_ALIASES[normalized];
+        const value = m[2];
+        if (canonical === undefined || value === undefined)
+            continue;
+        if (!pageText.includes(value))
+            continue;
+        if (out[canonical] === undefined)
+            out[canonical] = value;
+    }
+    // English status words that show up in planner prose alongside
+    // a credential label but are NEVER the credential value itself.
+    // Each is a literal lowercase comparison after value-lowercase.
+    const PROSE_BLACKLIST = new Set([
+        "hidden", "masked", "shown", "visible", "available", "missing",
+        "unavailable", "redacted", "obscured", "concealed", "secret",
+        "true", "false", "null", "none", "empty", "unset", "undefined",
+        "displayed", "revealed", "asterisks", "bullets", "dots", "stars",
+        "blurred", "encrypted",
+    ]);
+    const looksCredentialShape = (v) => {
+        if (v.length >= 16)
+            return true; // long-enough tokens are presumed real
+        if (/^[A-Za-z]+$/.test(v))
+            return false; // pure word → suspect
+        if (/^\d{10,}$/.test(v))
+            return true; // long all-digit (Cloudinary api_key)
+        if (/[_\-]/.test(v) && /[a-z]/i.test(v) && /\d/.test(v))
+            return true; // mixed
+        if (/^[a-z]+_[A-Za-z0-9]/i.test(v))
+            return true; // prefix_ style (sk_…, npm_…)
+        if (/\d/.test(v) && /[A-Za-z]/.test(v))
+            return true; // alphanumeric mix
+        return false; // pure short word → reject as suspect
+    };
+    // Same separator vocab as quoted, plus optional quotes around the
+    // value. The credential-shape + blacklist guards run on the
+    // captured (possibly-unquoted) value.
+    const proseRe = new RegExp(`\\b(${labelAltLoose})\\b\\s*(?:[=:]|\\b(?:is|are)\\b)\\s*['"\`]?([A-Za-z0-9_\\-]{4,80})['"\`]?`, "gi");
+    for (const m of reason.matchAll(proseRe)) {
+        const rawLabel = (m[1] ?? "").toLowerCase().replace(/-/g, "_");
+        const normalized = rawLabel.replace(/_+/g, "_");
+        const canonical = LABEL_ALIASES[normalized];
+        const value = m[2];
+        if (canonical === undefined || value === undefined)
+            continue;
+        if (out[canonical] !== undefined)
+            continue; // quoted-form already won
+        if (PROSE_BLACKLIST.has(value.toLowerCase()))
+            continue;
+        if (!looksCredentialShape(value))
+            continue;
+        if (!pageText.includes(value))
+            continue;
+        out[canonical] = value;
+    }
+    return out;
+}
+function escapeRegex(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 export function extractApiKeyFromText(text) {
     const prefixed = [
         /\bre_[a-zA-Z0-9_]{20,}\b/, // Resend (key body contains underscores)
@@ -934,6 +1414,57 @@ export function extractApiKeyFromText(text) {
         /\bSG\.[a-zA-Z0-9_\-]{20,}\.[a-zA-Z0-9_\-]{20,}\b/, // SendGrid
         /\brnd_[a-zA-Z0-9]{20,}\b/, // Render
         /\bsntry[su]_[A-Za-z0-9_=\-]{20,}/, // Sentry org/user auth token
+        // Neon serverless Postgres. Modal renders `napi_<48-char-alnum>` and
+        // also shows a truncated `napi_xxx…` in the visible text below the
+        // input field. Without the prefix here, the bot saw the truncated
+        // display, isTruncatedCapture rejected the partial value, every
+        // pass returned null, and the planner gave up despite the full key
+        // being in the input field's `value` attribute. rc.14 — surfaced
+        // during the harvester rc.13 pass on Neon.
+        /\bnapi_[a-zA-Z0-9]{30,80}\b/, // Neon
+        // Replicate API tokens. `r8_<40-char alnum>` per their docs. Shown
+        // in the table row after Create. The post-verify loop iterates,
+        // adds rows, but extractCredentials returned null every round
+        // until rc.20 because no regex matched. Added defensively after
+        // the rc.13 verification pass showed Replicate burning the full
+        // 12-round budget filling-creating tokens nobody could extract.
+        /\br8_[a-zA-Z0-9]{30,60}\b/, // Replicate
+        // rc.23 — added after the post-rc.22 registry-snapshot review of
+        // 200 failed signups. Each pattern matches a token shape the
+        // bot's planner had already QUOTED in its `reason` field (i.e.
+        // the credential was visible on the page, just not in a shape
+        // any prior regex recognised). The redact.{ts,mjs} pattern set
+        // stays in lockstep with these.
+        /\bpscale_tkn_[A-Za-z0-9]{30,60}\b/, // PlanetScale Service Token
+        /\bsbp_[a-zA-Z0-9]{30,80}\b/, // Supabase Personal Access Token
+        // Baseten: `<6-12 alnum>.<30+ alnum>`. The dot separator + length
+        // bounds on both sides distinguish it from version strings (too
+        // short on either side). rc.35 — relaxed the prefix to mixed-case
+        // after the rc.33 broad sweep showed a Baseten key whose prefix
+        // had uppercase letters: `HP9tFTtm.txDl4vv7ayYsTwx9dQea47ylRdN4Brk3`.
+        /\b[A-Za-z0-9]{6,12}\.[A-Za-z0-9]{30,50}\b/, // Baseten
+        // Qdrant Cloud: `<UUID>|<55-char opaque>` — a literal pipe between
+        // a key id and the secret body. Unique enough that no false-
+        // positive guard is needed.
+        //
+        // rc.34/rc.36 — extended the secret-body character class to
+        // include underscore + hyphen. rc.35 broad sweep surfaced
+        // another Qdrant shape with mid-body hyphens:
+        // `<UUID>|e8L7oyi-5fHa327u7x-IQN6WivtPlpIVjT-giIsrXDZW7P-8i2G9Pw`.
+        // [A-Za-z0-9_-] covers both observed shapes; the {30,80} length
+        // bound + UUID prefix keep false-positive risk near zero.
+        /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\|[A-Za-z0-9_\-]{30,80}\b/i, // Qdrant
+        // JWT (eyJ...eyJ...sig) — Convex's API "token" is a JWT. Other
+        // services may emit JWTs as bearer secrets too. Three-segment
+        // base64url with literal dots. Conservative bounds — under 20
+        // chars per segment is almost never a real JWT.
+        /\beyJ[A-Za-z0-9_\-]{20,}\.eyJ[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{20,}\b/, // JWT
+        // Zeabur's API key — `sk-<28-40 lowercase alnum>`. Shorter than
+        // OpenAI legacy (which is 40+ mixed-case). The lowercase-only
+        // character class differentiates from OpenAI legacy so this
+        // pattern only fires on Zeabur-style keys. Surfaced from the
+        // rc.23 snapshot review.
+        /\bsk-[a-z0-9]{28,38}\b/, // Zeabur
         // OpenRouter, Anthropic, OpenAI — these are the dominant
         // OAuth-completed-then-copy-needed services. Specific-prefix
         // patterns first so a labeled-pattern fallback isn't load-
@@ -1072,11 +1603,49 @@ export class SignupAgent {
             steps.push(`${label} captcha gate skipped — session already captcha-blocked (${kind}).`);
             return { found: true, solved: false, blocked: true, kind };
         }
-        const result = await this.browser.solveVisibleCaptcha();
+        let result = await this.browser.solveVisibleCaptcha();
         if (!result.found) {
             return { found: false, solved: false, blocked: false, kind: "turnstile" };
         }
         steps.push(`${label} captcha (${result.kind}): ${result.solved ? "solved" : "NOT solved (timeout)"}`);
+        // Tier 3 — when Tier 2 click-and-wait times out on a reCAPTCHA v2
+        // image challenge AND TWOCAPTCHA_API_KEY is configured, fall
+        // through to the third-party solver. Reads sitekey from the
+        // page, submits to 2Captcha, polls for the token (~30-90s),
+        // injects into the hidden g-recaptcha-response textarea + fires
+        // the widget's onSuccess callback. Turnstile is intentionally
+        // skipped — Cloudflare's challenge scores at the IP layer; a
+        // solver-issued token gets rejected anyway.
+        if (!result.solved &&
+            result.kind === "recaptcha" &&
+            this.captchaSolver?.isAvailable() === true) {
+            const sitekey = await this.browser.extractRecaptchaSitekey();
+            if (sitekey !== null) {
+                const pageUrl = (await this.browser.getState().catch(() => null))?.url;
+                if (pageUrl !== undefined) {
+                    steps.push(`${label} captcha: Tier 3 — submitting sitekey to 2Captcha (${sitekey.slice(0, 10)}…)`);
+                    const solveRes = await this.captchaSolver.solveRecaptchaV2({
+                        sitekey,
+                        pageUrl,
+                    });
+                    if (solveRes.kind === "ok") {
+                        const injected = await this.browser.injectRecaptchaToken(solveRes.token);
+                        if (injected) {
+                            steps.push(`${label} captcha: Tier 3 solved in ${Math.round(solveRes.durationMs / 1000)}s via 2Captcha`);
+                            result = { ...result, solved: true };
+                        }
+                        else {
+                            steps.push(`${label} captcha: Tier 3 token arrived but page injection failed — captcha stays blocked`);
+                        }
+                    }
+                    else {
+                        steps.push(`${label} captcha: Tier 3 ${solveRes.kind}` +
+                            ("reason" in solveRes ? `: ${solveRes.reason}` : "") +
+                            ("durationMs" in solveRes ? ` (${Math.round(solveRes.durationMs / 1000)}s)` : ""));
+                    }
+                }
+            }
+        }
         // rc.32 — forensic snapshot after the captcha attempt. Without
         // this, the only snapshot near the captcha is the pre-fill one
         // taken BEFORE the click, so when a Turnstile fails to solve we
@@ -1329,6 +1898,19 @@ export class SignupAgent {
             }
             steps.push(`Plan: ${plan.actions.length} action(s), confidence=${plan.confidence}` +
                 (plan.notes !== undefined ? ` — ${plan.notes}` : ""));
+            // rc.39 — PlanetScale-class detection. The form-fill planner
+            // sometimes lands on a logged-in product page (PlanetScale's
+            // /sign-up redirects authenticated users to a create-database
+            // form; similar for Turso, Cockroach, etc.). detectAlreadySignedIn
+            // missed the URL signal because the path is /sign-up. But the
+            // planner's notes / action reasons describe the page accurately:
+            // "create the database on this PS-5 plan", "Add credit card",
+            // "database name field". Pivot to post-verify navigation rather
+            // than blindly filling the create-product form.
+            if (detectFormFillIsDashboard(plan)) {
+                steps.push("Form-fill planner described a logged-in product/billing page (not a signup form) — pivoting to post-verify navigation");
+                return { kind: "already_oauth" };
+            }
             // F14 — stuck-detection: if the plan picks ONLY click selectors
             // we already tried in the previous round without page progress,
             // it's a planner loop. Fail planning_failed with the offending
@@ -1561,6 +2143,45 @@ export class SignupAgent {
     // clear `needs_login` the host agent can act on, vs. a silent 45-second
     // form-fill timeout. Better failure mode wins; the original gate was
     // protecting the bot from the wrong loss.
+    // rc.28 — click the first plausible account card on a Google
+    // account-chooser page. Returns true on a successful click, false
+    // when no card was identified. Used by the rc.25 stuck-on-chooser
+    // post-OAuth gate to forward the flow off accounts.google.com
+    // instead of immediately aborting.
+    //
+    // Google's chooser markup is consistent across surfaces: each
+    // account renders as a clickable container with a data-identifier
+    // attribute equal to the account's email, plus role="link" or
+    // jsaction. The fallback is any element whose visible text
+    // contains an @ — accounts always show their email.
+    async tryClickGoogleChooserCard() {
+        try {
+            const page = this.browser.page;
+            if (page === null || page === undefined)
+                return false;
+            // First-choice selector: data-identifier on an interactive element.
+            const candidates = [
+                '[data-identifier]:visible',
+                '[role="link"]:has-text("@")',
+                'div[jsaction]:has-text("@")',
+            ];
+            for (const sel of candidates) {
+                const loc = page.locator(sel).first();
+                try {
+                    await loc.waitFor({ state: "visible", timeout: 2_000 });
+                    await loc.click({ timeout: 3_000 });
+                    return true;
+                }
+                catch {
+                    continue;
+                }
+            }
+            return false;
+        }
+        catch {
+            return false;
+        }
+    }
     async resolveOAuthCandidates(task, steps) {
         if (task.oauthProvider !== undefined) {
             return [task.oauthProvider];
@@ -1637,6 +2258,36 @@ export class SignupAgent {
     // Set per-task in signup(). Lets the uploader know which service
     // was being provisioned without threading it through every call.
     currentService = "";
+    // rc.27 — set when the email_otp_required gate handler successfully
+    // fetched a code from the operator's gmail. Consumed by the next
+    // post-verify round's planner prompt as a hint so the planner can
+    // fill the verification input without burning rounds discovering
+    // it. Cleared once the loop emits a step that targets the OTP
+    // input, so the hint doesn't echo into later unrelated rounds.
+    pendingOtpCode = null;
+    // rc.39 — when postVerifyLoop exits because the planner returned
+    // `done`, capture the planner's stated reason so the caller can
+    // factor it into paywall classification. Koyeb (and similar)
+    // shows a billing wall whose page text doesn't match the
+    // ONBOARDING_PAYWALL_PATTERNS regex set, but the planner accurately
+    // reasons about it in the done reason ("requires credit card payment
+    // to access the platform"). Mixing that into the paywall check
+    // upgrades these from oauth_onboarding_failed → onboarding_blocked.
+    lastPostVerifyDoneReason = null;
+    // Stashed at signup() entry so deep postVerifyLoop code (the
+    // heightened-auth detector below) can fire notifyHeightenedAuth
+    // without threading task through every method. Mirrors the
+    // currentService pattern.
+    currentMachineToken = undefined;
+    currentApiBase = undefined;
+    // Once per signup — fire the heightened-auth notifier at most one
+    // time even if the planner returns done with a challenge phrasing
+    // multiple times before the loop fully exits.
+    heightenedAuthFired = false;
+    // Tier 3 captcha solver (2Captcha). Constructed eagerly so the
+    // isAvailable() check in runCaptchaGate is cheap; opt-in via the
+    // TWOCAPTCHA_API_KEY env var read at construction.
+    captchaSolver;
     constructor(browser, llm, opts = {}) {
         this.browser = browser;
         if (llm === undefined) {
@@ -1658,6 +2309,7 @@ export class SignupAgent {
         if (opts.roundUploader !== undefined) {
             this.roundUploader = opts.roundUploader;
         }
+        this.captchaSolver = opts.captchaSolver ?? new TwoCaptchaSolver();
     }
     // Read-only view of how many calls landed on which backend. Exported
     // through SignupResult.llm_backends so tests and ops can verify the
@@ -1773,6 +2425,14 @@ export class SignupAgent {
         // deep inside postVerifyLoop after a failed extract) can label
         // the snapshot without us threading task through every method.
         this.currentService = task.service;
+        this.lastPostVerifyDoneReason = null;
+        // Stash for the post-verify heightened-auth notifier — the
+        // detection point is deep inside postVerifyLoop where it sees
+        // the planner's `done` reason naming a Google challenge. Same
+        // path runOAuthFlow uses for the in-handshake case.
+        this.currentMachineToken = task.machineToken;
+        this.currentApiBase = task.apiBase;
+        this.heightenedAuthFired = false;
         const rawTimeout = Number(process.env.UNIVERSAL_BOT_RUN_TIMEOUT_MS);
         const timeoutMs = Number.isFinite(rawTimeout) && rawTimeout > 0 ? rawTimeout : 600_000;
         let timer;
@@ -2232,6 +2892,16 @@ export class SignupAgent {
                             service: task.service,
                             digit: String(matchNum),
                             windowSeconds: 120,
+                            machineToken: task.machineToken,
+                            apiBase: task.apiBase,
+                        });
+                        // rc.18 — opt-in Telegram fallback. Bypasses the email
+                        // path (which collapses to Sent only when GMAIL_USER ==
+                        // account.email). No-op without TELEGRAM_BOT_TOKEN env.
+                        void sendTelegramHeightenedAuth({
+                            service: task.service,
+                            digit: String(matchNum),
+                            windowSeconds: 120,
                         });
                     }
                     else {
@@ -2247,6 +2917,13 @@ export class SignupAgent {
                             service: task.service,
                             digit: null,
                             windowSeconds: 120,
+                            machineToken: task.machineToken,
+                            apiBase: task.apiBase,
+                        });
+                        void sendTelegramHeightenedAuth({
+                            service: task.service,
+                            digit: null,
+                            windowSeconds: 120,
                         });
                     }
                     // Either way (number found or not), the user can still
@@ -2404,6 +3081,190 @@ export class SignupAgent {
         await this.browser.wait(2);
         await saveDebugSnapshot(this.browser, "oauth-post-consent");
         steps.push(`OAuth: signed in via ${provider.label} — driving post-OAuth onboarding to the API key`);
+        // rc.20 — login-loop detection. Services like Groq complete the
+        // Google OAuth handshake server-side but redirect back to a
+        // login-looking page (/authenticate) where the user has to click
+        // "Continue with Google" ONE MORE TIME to actually finalize the
+        // session. The post-verify planner sees the same OAuth buttons it
+        // saw on the original signup page, picks `click` on the provider
+        // affordance, and the click triggers a popup-based re-OAuth that
+        // the planner-driven post-verify loop doesn't follow — so each
+        // iteration sees the same page text and the bot burns the round
+        // budget.
+        //
+        // Detect: post-OAuth URL path matches a known login-shaped pattern
+        // (/login, /signin, /authenticate, ...) AND the inventory still
+        // carries an OAuth affordance for the SAME provider we just used.
+        // Recovery: re-invoke runOAuthFlow ONCE with the new selector —
+        // the second handshake completes the session and lands on the
+        // dashboard. Bounded to one retry so a service that genuinely
+        // never finalizes can't trap us in a loop.
+        const postOAuthState = await this.browser.getState();
+        const postOAuthInv = await this.buildInventory(steps, [provider.id]);
+        const loopBtn = isLoginLoopState(postOAuthState.url, postOAuthInv, provider.id);
+        if (loopBtn !== null) {
+            steps.push(`Post-OAuth: landed on a login-like page (${pathOf(postOAuthState.url)}) ` +
+                `with a ${provider.label} sign-in button still visible — service requires a ` +
+                `second click to finalize the session. Re-triggering OAuth once.`);
+            try {
+                await this.browser.startOAuth(loopBtn.selector);
+                await this.browser.wait(3);
+                await saveDebugSnapshot(this.browser, "oauth-loop-retry");
+                await this.browser.settleAfterOAuth();
+                await this.browser.wait(2);
+                steps.push(`Post-OAuth: re-OAuth completed (url=${pathOf(this.browser.currentUrl())}).`);
+            }
+            catch (err) {
+                steps.push(`Post-OAuth: re-OAuth retry threw (${err instanceof Error ? err.message : String(err)}) — ` +
+                    `continuing to post-verify loop anyway.`);
+            }
+            // After the retry, if we're STILL on a login-like page with the
+            // same provider button visible, the service has trapped us. Abort
+            // with a specific error rather than re-running the loop.
+            const retryState = await this.browser.getState();
+            const retryInv = await this.browser.extractInteractiveElements();
+            if (isLoginLoopState(retryState.url, retryInv, provider.id) !== null) {
+                return {
+                    success: false,
+                    error: `oauth_loop_detected: signed in via ${provider.label} twice but ${task.service} ` +
+                        `keeps redirecting to a login page (${pathOf(retryState.url)}). The service may ` +
+                        `require manual completion of an onboarding step before its OAuth session ` +
+                        `finalizes — finish the signup manually.`,
+                    steps,
+                    ...this.resultTail(),
+                };
+            }
+        }
+        // rc.24 — three additional post-OAuth gates surfaced from the
+        // registry-snapshot review. Each is a state the bot definitively
+        // cannot pass; emit a precise terminal error rather than burn the
+        // post-verify budget.
+        {
+            const gateState = await this.browser.getState();
+            const gateText = await this.browser.extractText().catch(() => "");
+            const gateInv = postOAuthInv;
+            // (a) Manual-login fallback (DigitalOcean, Hyperbolic). Service
+            // dropped the OAuth session and rendered a /login form with
+            // email + password inputs. Bot can't manually log in.
+            if (detectManualLoginFallback(gateState.url, gateInv)) {
+                return {
+                    success: false,
+                    error: `oauth_session_not_persisted: signed in via ${provider.label} but ${task.service} ` +
+                        `dropped the OAuth callback and rendered a manual /login form (${pathOf(gateState.url)}). ` +
+                        `Finish the signup manually — this typically indicates anti-bot rejection of the ` +
+                        `OAuth callback or a service-side session-storage issue.`,
+                    steps,
+                    ...this.resultTail(),
+                };
+            }
+            // (b) Email-OTP wall (Porter, Koyeb / WorkOS-backed). Code went
+            // to the operator's gmail. rc.27 — instead of immediately
+            // aborting, try reading the OTP from the operator's inbox via
+            // POST /v1/inbox/poll-operator-otp. If a code arrives, push a
+            // step trail hint and continue to the post-verify loop —
+            // the planner sees the hint and fills the input.
+            if (detectEmailOtpGate(gateState.url, gateState.title, gateText)) {
+                const domain = fromDomainFromUrl(gateState.url);
+                const machineToken = task.machineToken;
+                let otpResult;
+                if (machineToken === undefined ||
+                    machineToken.length === 0) {
+                    otpResult = { code: null, reason: "no_machine_token" };
+                }
+                else {
+                    steps.push(`Email-OTP gate detected (${pathOf(gateState.url)}) — polling operator gmail for the code` +
+                        (domain !== null ? ` (from_domain=${domain})` : ""));
+                    otpResult = await readOperatorOtp({
+                        machineToken,
+                        ...(task.apiBase !== undefined ? { apiBase: task.apiBase } : {}),
+                        ...(domain !== null ? { fromDomain: domain } : {}),
+                        maxWaitSeconds: 90,
+                    });
+                }
+                if (otpResult.code !== null) {
+                    // rc.27 — log the code's existence + length but never the
+                    // digits. The planner gets the digits via a system-prompt
+                    // hint passed through scopeHint-style on the next round.
+                    steps.push(`Email-OTP retrieved (${otpResult.code.length} digits, ending …${otpResult.code.slice(-2)}) — continuing into post-verify so the planner can fill the verification input.`);
+                    this.pendingOtpCode = otpResult.code;
+                    // Fall through to extract + postVerifyLoop normally.
+                }
+                else {
+                    return {
+                        success: false,
+                        error: `email_otp_required: ${task.service} sent a verification code but the bot ` +
+                            `couldn't fetch it from the operator's gmail (reason=${otpResult.reason}). ` +
+                            `Finish the signup manually by entering the OTP from the email.`,
+                        steps,
+                        ...this.resultTail(),
+                    };
+                }
+            }
+            // (c) SSO restriction (Fly.io). Org SSO blocks programmatic
+            // token creation — the page explicitly says so.
+            if (detectSsoRestriction(gateText)) {
+                return {
+                    success: false,
+                    error: `sso_restricted: ${task.service} requires SSO/SAML for token creation. The bot ` +
+                        `cannot complete an SSO handshake. Finish via your organization's SSO portal.`,
+                    steps,
+                    ...this.resultTail(),
+                };
+            }
+            // (d) Stuck on Google OAuth screens (Upstash class). Bot
+            // signed in via Google but the OAuth flow didn't redirect off
+            // accounts.google.com — usually a Clerk-mediated chooser the
+            // post-verify planner can't navigate.
+            //
+            // rc.27 → rc.28 — instead of aborting immediately, try to
+            // click an account card on the chooser. Google's chooser
+            // renders each account as `<div data-identifier="email@…"
+            // role="link" jsaction="…">` (or similar accountchooser shape).
+            // Picking the first visible card forwards the flow off the
+            // chooser. If the click doesn't move us off accounts.google.com
+            // within a few seconds, abort with oauth_stuck_on_chooser.
+            if (detectStuckOnGoogleOAuth(gateState.url)) {
+                steps.push(`Post-OAuth: stuck on Google account chooser (${pathOf(gateState.url)}). ` +
+                    `Trying to click an account card.`);
+                const clicked = await this.tryClickGoogleChooserCard();
+                if (clicked) {
+                    await this.browser.wait(3);
+                    await saveDebugSnapshot(this.browser, "oauth-chooser-click");
+                    const afterUrl = this.browser.currentUrl();
+                    steps.push(`Post-OAuth: chooser card clicked — now at ${pathOf(afterUrl)} ` +
+                        `(host=${(() => { try {
+                            return new URL(afterUrl).hostname;
+                        }
+                        catch {
+                            return "?";
+                        } })()})`);
+                    // If the click moved us off accounts.google.com, fall
+                    // through to the post-verify loop normally.
+                    if (!detectStuckOnGoogleOAuth(afterUrl)) {
+                        // continue to extract + postVerifyLoop
+                    }
+                    else {
+                        return {
+                            success: false,
+                            error: `oauth_stuck_on_chooser: clicked an account card on the chooser but the URL ` +
+                                `stayed on accounts.google.com (${pathOf(afterUrl)}). Finish the signup manually.`,
+                            steps,
+                            ...this.resultTail(),
+                        };
+                    }
+                }
+                else {
+                    return {
+                        success: false,
+                        error: `oauth_stuck_on_chooser: ${task.service}'s Google OAuth flow did not redirect off ` +
+                            `accounts.google.com (${pathOf(gateState.url)}) and no clickable account card was ` +
+                            `found on the chooser. Finish the signup manually.`,
+                        steps,
+                        ...this.resultTail(),
+                    };
+                }
+            }
+        }
         let credentials = await this.extractCredentials();
         if (credentials.api_key === undefined) {
             credentials = await this.postVerifyLoop({
@@ -2423,8 +3284,15 @@ export class SignupAgent {
         }
         // No API key. Distinguish a billing/card wall (onboarding_blocked)
         // from a generic navigation miss — never grep-loop a paid wall.
+        // rc.39 — fold the planner's `done` reason into the text we
+        // grep. Some services (Koyeb) gate API issuance on a billing
+        // confirmation whose visible text doesn't match the regex set
+        // but whose planner reason clearly describes the wall.
         const finalText = await this.browser.extractText().catch(() => "");
-        if (isAtPaywall(finalText)) {
+        const paywallCheckText = this.lastPostVerifyDoneReason !== null
+            ? `${finalText}\n${this.lastPostVerifyDoneReason}`
+            : finalText;
+        if (isAtPaywall(paywallCheckText)) {
             return {
                 success: false,
                 error: `onboarding_blocked: ${task.service}'s API key sits behind a billing or ` +
@@ -2433,6 +3301,24 @@ export class SignupAgent {
                 ...this.resultTail(),
             };
         }
+        // rc.39 — anti-bot interstitial that survived the post-OAuth
+        // landing. Turso's GitHub SSO callback runs a Cloudflare check
+        // that never clears for our Chromium fingerprint; the planner's
+        // done reason / wait reasons name the vendor explicitly. Classify
+        // as anti_bot_blocked so the operator sees an accurate status
+        // (and the harvester routes it the same way as the form-fill-
+        // phase anti-bot detector does).
+        const ANTI_BOT_REASON = /\b(?:cloudflare\b.*?(?:verification|challenge|check)|just\s+a\s+moment|verifying\s+you\s+are\s+human|0\s+interactive\s+elements)/i;
+        if (this.lastPostVerifyDoneReason !== null &&
+            ANTI_BOT_REASON.test(this.lastPostVerifyDoneReason)) {
+            return {
+                success: false,
+                error: `anti_bot_blocked: ${task.service}'s post-OAuth landing is gated by an anti-bot ` +
+                    `interstitial (Cloudflare or similar) the bot cannot clear — finish the signup manually.`,
+                steps,
+                ...this.resultTail(),
+            };
+        }
         return {
             success: false,
             error: `oauth_onboarding_failed: signed in to ${task.service} via ${provider.label} but ` +
@@ -2595,6 +3481,42 @@ ${formatInventory(input.inventory)}`,
     // Drive the browser toward the API key after the account exists —
     // used by BOTH the email-verification path and the OAuth path (T9).
     // Each round asks Claude what to do next given the current page; we
+    // Heightened-auth detector for the POST-VERIFY path. runOAuthFlow
+    // catches Google's device-verification challenge during the OAuth
+    // handshake itself; this catches the case where the planner
+    // bumped into the same challenge mid-post-verify (Algolia, etc.).
+    // Patterns match the planner's natural-language done-reason; the
+    // number-match is extracted with the same shape the bot's
+    // existing extractGoogleNumberMatch expects ("tap 71", "number 42").
+    // Fire-and-forget; idempotent per-signup via heightenedAuthFired.
+    maybeFirePostVerifyHeightenedAuth(reason, service, steps) {
+        if (this.heightenedAuthFired)
+            return false;
+        const CHALLENGE_PATTERNS = /\b(?:device verification|security challenge|2[- ]?step|2fa|number(?: match)?(?: on (?:your |the )?(?:phone|screen|device))?|tap \d+|tap the number|confirm.{0,15}sign[- ]?in|verify it'?s you)\b/i;
+        if (!CHALLENGE_PATTERNS.test(reason))
+            return false;
+        const digitMatch = reason.match(/\btap (\d{1,3})\b|\bnumber (\d{1,3})\b/i);
+        const digit = digitMatch !== null ? (digitMatch[1] ?? digitMatch[2] ?? null) : null;
+        this.heightenedAuthFired = true;
+        const msg = digit !== null
+            ? `Google challenge detected mid-post-verify: tap ${digit} on your phone — 2 minute window`
+            : `Google challenge detected mid-post-verify (number extractor missed it — read the planner reason): ${reason.slice(0, 200)}`;
+        console.error(`[universal-bot] ${msg}`);
+        steps.push(`Post-verify: ${msg}`);
+        void notifyHeightenedAuth({
+            service,
+            digit,
+            windowSeconds: 120,
+            machineToken: this.currentMachineToken,
+            apiBase: this.currentApiBase,
+        });
+        void sendTelegramHeightenedAuth({
+            service,
+            digit,
+            windowSeconds: 120,
+        });
+        return true;
+    }
     // stop when Claude says "done" or when we extract a credential.
     // Bounded by maxRounds so a confused agent can't burn the context.
     //
@@ -2603,6 +3525,76 @@ ${formatInventory(input.inventory)}`,
     // with the just-created account (SendPulse). On the OAuth path it is
     // absent: there is no password, and the Google session already
     // authenticated the user — a `login` step is then a no-op.
+    // Tier 4 — DOM-proximity labeled extraction. Walks the page's
+    // visible DOM via the BrowserController helper, pairs each
+    // credential-shape string with the nearest credential-label text,
+    // returns the canonical-key → value map. Used as a fallback after
+    // the Phase E planner-quoted path when the planner mentioned only
+    // one of several visible credentials.
+    async extractFromDomProximity() {
+        // Vocabulary matches the LABEL_ALIASES used by Phase E so the
+        // canonical keys stay consistent across paths.
+        const LABEL_TO_KEY = {
+            "api key": "api_key",
+            "api token": "api_key",
+            "api secret": "api_secret",
+            "secret key": "secret_key",
+            "publishable key": "publishable_key",
+            "access key": "access_key_id",
+            "access key id": "access_key_id",
+            "access token": "access_token",
+            "bearer token": "access_token",
+            "personal access token": "access_token",
+            "auth token": "auth_token",
+            "client id": "client_id",
+            "client secret": "client_secret",
+            "client key": "client_id",
+            "cloud name": "cloud_name",
+            "cloudname": "cloud_name",
+            "application id": "application_id",
+            "app id": "application_id",
+            "admin api key": "admin_api_key",
+            "search api key": "search_api_key",
+            "search-only api key": "search_api_key",
+            "monitoring api key": "monitoring_api_key",
+            "account sid": "account_sid",
+            "secret access key": "secret_access_key",
+            "consumer key": "consumer_key",
+            "consumer secret": "consumer_secret",
+            "access token secret": "access_token_secret",
+            "project api key": "project_api_key",
+            "personal api key": "personal_api_key",
+            "organization id": "org_id",
+            "org id": "org_id",
+            "app key": "app_key",
+            "app secret": "app_secret",
+        };
+        let labeled = [];
+        try {
+            labeled = await this.browser.extractLabeledCredentialCandidates();
+        }
+        catch {
+            return {};
+        }
+        const out = {};
+        for (const c of labeled) {
+            // Skip masked values — even if we have a label, the on-DOM
+            // string is bullets, not the real credential. The reveal pass
+            // ran before this so anything still masked is genuinely
+            // unreachable.
+            if (c.isMasked)
+                continue;
+            if (c.label === null)
+                continue;
+            const canonical = LABEL_TO_KEY[c.label];
+            if (canonical === undefined)
+                continue;
+            if (out[canonical] !== undefined)
+                continue; // first-wins
+            out[canonical] = c.value;
+        }
+        return out;
+    }
     async postVerifyLoop(args) {
         let credentials = await this.extractCredentials();
         let loginAttempts = 0;
@@ -2614,6 +3606,20 @@ ${formatInventory(input.inventory)}`,
         // string and keeps asking to extract it forever), or when the
         // planner's last step was rejected.
         let hint;
+        // rc.27 — when the email_otp gate handler retrieved a code from
+        // the operator's gmail, seed the FIRST round's hint with the
+        // code + explicit fill+submit instructions. Cleared after one
+        // round so it doesn't echo into unrelated downstream rounds.
+        if (this.pendingOtpCode !== null) {
+            hint =
+                `Operator email-OTP retrieved from gmail: code is "${this.pendingOtpCode}". ` +
+                    `The current page is an email-verification gate. Find the SINGLE visible OTP/code input ` +
+                    `on this page (it usually has placeholder text like "Code", "Verification code", or a ` +
+                    `numeric placeholder; some sites render 6 individual digit inputs — in that case fill the ` +
+                    `FIRST one and the browser auto-distributes). Issue {"kind":"fill", "selector":"…", ` +
+                    `"value":"${this.pendingOtpCode}"} on it. NEXT round, click the Verify/Continue/Submit button.`;
+            this.pendingOtpCode = null;
+        }
         // Failed-extract counter. The stuck-loop detector below exempts
         // `extract` on the theory that "extract is its own progress signal"
         // — true when extract succeeds, FALSE when it returns no key. A
@@ -2634,6 +3640,24 @@ ${formatInventory(input.inventory)}`,
         // and inject a forced "no-progress" hint on the second repeat.
         let prevSignature = null;
         let prevInventorySize = -1;
+        // rc.39 — wait-loop tracker. Turso's GitHub OAuth handshake
+        // succeeds, then the SSO-callback page stays empty (0 elements)
+        // while a Cloudflare verification widget runs that never clears
+        // for this Chromium fingerprint. The planner kept emitting wait
+        // for all 12 rounds; the run timed out as oauth_onboarding_failed.
+        // Better classification: anti-bot block. Track consecutive wait
+        // rounds with no inventory change and break out with the proper
+        // status before burning the post-verify budget.
+        let consecutiveWaits = 0;
+        // rc.39 — navigate-loop tracker. Perplexity / Koyeb / Porter all
+        // had post-verify loops where the planner emitted `navigate`
+        // 5-6 rounds in a row and the URL never changed — the service
+        // silently redirected each attempt back to the same onboarding
+        // page. Track the URL state observed BEFORE each navigate; if
+        // two consecutive navigates fire from the same URL, the previous
+        // navigate produced no progress. Inject a hint forcing a CLICK
+        // on something visible in the current inventory.
+        let prevNavigateFromUrl = null;
         for (let round = 0; round < args.maxRounds; round++) {
             if (credentials.api_key !== undefined || credentials.username !== undefined) {
                 args.steps.push(`Post-verify: credentials found on round ${round}.`);
@@ -2699,7 +3723,13 @@ ${formatInventory(input.inventory)}`,
                         "and never the whole line.";
                 continue;
             }
-            args.steps.push(`Post-verify ${round + 1}/${args.maxRounds}: ${nextStep.kind} — ${nextStep.reason}`);
+            // rc.22 — redact tokens before pushing to the step trail.
+            // The planner's reason field sometimes quotes the actual API
+            // value it just observed ("The full API token 'sbp_xxx' is
+            // visible…"); the harvester then posts step trails to a public
+            // GitHub issue, leaking the credential. Redactor patterns mirror
+            // tools/archived-harvester/redact.mjs — defense in depth.
+            args.steps.push(`Post-verify ${round + 1}/${args.maxRounds}: ${nextStep.kind} — ${redactCredentials(nextStep.reason)}`);
             // Dump this round's real page state + inventory in the E1
             // eval-corpus format so onboarding adapters can be iterated
             // offline without re-running the rate-limited OAuth handshake.
@@ -2742,6 +3772,44 @@ ${formatInventory(input.inventory)}`,
                     }
                 })();
             }
+            // rc.39 — navigate-loop detector. Perplexity/Koyeb/Porter spun
+            // 5+ rounds of `navigate` because each navigate landed back at
+            // the same URL — the service redirected past the requested URL.
+            // If THIS plan is also navigate and the URL we're observing now
+            // is the same one we navigated FROM last round, the previous
+            // navigate produced no progress. Inject a hint forcing a click.
+            if (nextStep.kind === "navigate" && prevNavigateFromUrl === state.url) {
+                const candidateClicks = inventory
+                    .filter((e) => (e.tag === "button" ||
+                    e.tag === "a" ||
+                    e.role === "button" ||
+                    e.role === "link") &&
+                    e.interactedThisRun !== true)
+                    .slice(0, 8)
+                    .map((e) => {
+                    const label = e.visibleText ?? e.ariaLabel ?? e.labelText ?? "(no label)";
+                    return `  - ${JSON.stringify(label)} → selector=${e.selector}`;
+                });
+                args.steps.push(`Post-verify: navigate did not advance the page (URL still ${state.url}) — forcing a click on an inventory element.`);
+                hint =
+                    `Your last 'navigate' to a guessed URL did NOT advance the page — the service ` +
+                        `redirected you back to ${state.url}. STOP navigating and CLICK an element ` +
+                        `from the current inventory below. The page is gating you behind an onboarding ` +
+                        `CTA (e.g. "Get started", "Continue", "Activate") or a setup step that must be ` +
+                        `clicked before the API console becomes reachable.` +
+                        (candidateClicks.length > 0
+                            ? `\n\nClickable elements you haven't tried:\n${candidateClicks.join("\n")}`
+                            : "");
+                // Don't execute this navigate — re-plan with the hint.
+                prevNavigateFromUrl = null;
+                continue;
+            }
+            if (nextStep.kind === "navigate") {
+                prevNavigateFromUrl = state.url;
+            }
+            else {
+                prevNavigateFromUrl = null;
+            }
             // Stuck-loop detector. Re-planning steps (done/extract/login/
             // wait/navigate) are exempt: extract is its own progress signal,
             // navigate intentionally changes the URL not the current DOM,
@@ -2815,6 +3883,47 @@ ${formatInventory(input.inventory)}`,
                     const defaultedSelectHint = defaultedSelects.length > 0
                         ? `\n\nVisible DEFAULTED dropdowns on this page (value="" — React form-state likely treats these as UNTOUCHED, which silently fails submit):\n${defaultedSelects.join("\n")}\n\nIssue {"kind":"select", "option_text":"…"} to commit a choice. Even if the default visible label ("No workspace", "None") is what you want, you MUST emit the select step to register it with the form's state.`
                         : "";
+                    // rc.20 — also enumerate custom combobox triggers (Cohere's
+                    // role picker, Fireworks's survey, similar). These render as
+                    // <button role="combobox"> or as <button> with placeholder-
+                    // shaped text ("Select your role", "Choose a country") and
+                    // gate a submit-disabled state that the planner can't see.
+                    // Surface them so the planner emits `select` instead of
+                    // re-clicking the dead submit. Tightly scoped: must be a
+                    // button-shaped element with role=combobox OR placeholder-
+                    // shaped visible text, and NOT touched this run.
+                    const SELECT_PROMPT_TEXT = /^(?:select|choose|pick)\b|^select an?\b|\bselect\.{3}|\bchoose\.{3}/i;
+                    const customComboboxes = inventory
+                        .filter((e) => (e.role === "combobox" ||
+                        (e.tag === "button" &&
+                            SELECT_PROMPT_TEXT.test((e.visibleText ?? "").trim()))) &&
+                        e.interactedThisRun !== true)
+                        .slice(0, 5)
+                        .map((e) => {
+                        const label = e.labelText ?? e.ariaLabel ?? e.name ?? e.visibleText ?? "(no label)";
+                        return `  - ${JSON.stringify(label)} → selector=${e.selector}`;
+                    });
+                    const customComboboxHint = customComboboxes.length > 0
+                        ? `\n\nVisible custom comboboxes / placeholder-state pickers that you haven't touched yet:\n${customComboboxes.join("\n")}\n\nIssue {"kind":"select", "option_text":"…"} with a sensible option_text — these are commonly the gate on a submit-disabled state.`
+                        : "";
+                    // rc.20 — and enumerate unchecked agreement checkboxes.
+                    // Mistral's TOS, GitHub-app sign-up, many onboarding forms
+                    // gate submit on a checkbox that isn't yet ticked.
+                    const uncheckedBoxes = inventory
+                        .filter((e) => e.tag === "input" &&
+                        e.type === "checkbox" &&
+                        // We can't read the actual `checked` from the inventory
+                        // shape, but interactedThisRun is set after a successful
+                        // `check` step. Show checkboxes the bot hasn't touched.
+                        e.interactedThisRun !== true)
+                        .slice(0, 5)
+                        .map((e) => {
+                        const label = e.labelText ?? e.ariaLabel ?? e.name ?? e.placeholder ?? "(no label)";
+                        return `  - ${JSON.stringify(label)} → selector=${e.selector}`;
+                    });
+                    const uncheckedBoxHint = uncheckedBoxes.length > 0
+                        ? `\n\nVisible checkboxes you haven't ticked yet (often a TOS / agreement gate):\n${uncheckedBoxes.join("\n")}\n\nIssue {"kind":"check"} on any that look like agreements / required confirmations.`
+                        : "";
                     args.steps.push(sameSelector
                         ? `Post-verify: no-progress detected — same ${nextStep.kind} on same selector, inventory unchanged. Re-planning instead of re-running.`
                         : `Post-verify: no-progress detected — successive click steps with no inventory change. Forcing a non-click action.`);
@@ -2827,7 +3936,9 @@ ${formatInventory(input.inventory)}`,
                             `any unticked checkbox, {"kind":"select"} on any unselected dropdown, or ` +
                             `{"kind":"done"} if there is genuinely nothing to do.` +
                             emptyInputHint +
-                            defaultedSelectHint;
+                            defaultedSelectHint +
+                            customComboboxHint +
+                            uncheckedBoxHint;
                     prevSignature = signature;
                     prevInventorySize = inventory.length;
                     continue;
@@ -2842,8 +3953,43 @@ ${formatInventory(input.inventory)}`,
                 prevSignature = null;
                 prevInventorySize = inventory.length;
             }
-            if (nextStep.kind === "done")
+            if (nextStep.kind === "done") {
+                // When the planner bails because it encountered Google's
+                // device-verification challenge mid-post-verify (Algolia +
+                // similar redirect their `signup_url` to a sign-in page,
+                // OAuth handoff happens AFTER runOAuthFlow already exited),
+                // fire the heightened-auth notifier AND wait the 2-minute
+                // window for the operator to tap their phone. After the
+                // wait, re-read the page state and continue post-verify —
+                // Google's challenge typically clears within seconds of the
+                // tap and the dashboard becomes accessible.
+                if (this.maybeFirePostVerifyHeightenedAuth(nextStep.reason, args.service, args.steps)) {
+                    args.steps.push("Post-verify: waiting 120s for the operator to clear Google's device challenge");
+                    await this.browser.wait(120);
+                    // Re-loop — next iteration's waitForFormReady + inventory
+                    // read see the post-challenge dashboard.
+                    continue;
+                }
+                this.lastPostVerifyDoneReason = nextStep.reason;
                 break;
+            }
+            // rc.39 — wait-loop break. The planner is asking us to wait
+            // round after round on an empty page (Turso's Cloudflare SSO
+            // callback). Cap at three consecutive waits with zero inventory
+            // and surface the empty-page reason so the caller can classify.
+            if (nextStep.kind === "wait" && inventory.length === 0) {
+                consecutiveWaits += 1;
+                if (consecutiveWaits >= 3) {
+                    this.lastPostVerifyDoneReason =
+                        `post-OAuth landing rendered 0 interactive elements for ${consecutiveWaits} rounds — ` +
+                            `most recent planner reason: ${nextStep.reason}`;
+                    args.steps.push(`Post-verify: wait-loop on an empty page (${consecutiveWaits} consecutive rounds, 0 elements) — breaking out.`);
+                    break;
+                }
+            }
+            else {
+                consecutiveWaits = 0;
+            }
             hint = undefined;
             try {
                 if (nextStep.kind === "extract") {
@@ -2855,10 +4001,82 @@ ${formatInventory(input.inventory)}`,
                         // quotes the value. Accept it IF it's also present
                         // verbatim in the visible page text — that's the
                         // anti-hallucination guardrail.
-                        const pageText = await this.browser
-                            .extractText()
-                            .catch(() => "");
-                        const quoted = extractQuotedTokenFromReason(nextStep.reason, pageText);
+                        // rc.38 — verify the planner-quoted value against both
+                        // visible text AND every input's `value` attribute. The
+                        // rc.37 Upstash retest showed the bot quoting a bare UUID
+                        // it observed in a create-key modal whose UUID lived in
+                        // an <input readonly value="…"> — textContent doesn't
+                        // include input values, so the verbatim-in-page check
+                        // rejected a real credential. Concatenating input values
+                        // closes the gap without weakening the anti-hallucination
+                        // guarantee (the candidate still has to appear SOMEWHERE
+                        // verifiable on the page).
+                        const [pageText, inputValues] = await Promise.all([
+                            this.browser.extractText().catch(() => ""),
+                            this.browser.extractAllInputValues().catch(() => []),
+                        ]);
+                        const verifySource = pageText + "\n" + inputValues.join("\n");
+                        // Phase E — multi-cred-aware extraction. Try the labeled
+                        // multi-credential parser FIRST. If the planner labeled
+                        // 2+ distinct credentials in its reason, fold them all
+                        // into the credentials Record. If the parser found at
+                        // least one new value (cloud_name, api_secret, etc. —
+                        // anything beyond the single api_key the legacy path
+                        // captures), prefer this. Falls through to the single-
+                        // value extractQuotedTokenFromReason when no labeled
+                        // tokens parsed (single-cred services, ad-hoc planner
+                        // prose without explicit labels).
+                        const labeled = extractAllLabeledTokensFromReason(nextStep.reason, verifySource);
+                        const labeledKeys = Object.keys(labeled);
+                        if (labeledKeys.length >= 2 || (labeledKeys.length === 1 && labeled["api_key"] === undefined)) {
+                            credentials = { ...credentials, ...labeled };
+                            const summary = labeledKeys
+                                .map((k) => `${k}=${labeled[k].slice(0, 4)}…${labeled[k].slice(-4)}`)
+                                .join(", ");
+                            args.steps.push(`Post-verify ${round + 1}/${args.maxRounds}: extracted ${labeledKeys.length} labeled credential(s) ` +
+                                `via Phase E parser (${summary})`);
+                            // When the planner's reason explicitly flags a masked
+                            // credential ("api_secret is masked", "hidden behind
+                            // asterisks", "click Reveal to show"), Phase E only
+                            // captured the visible values — try to reveal + extract
+                            // the rest on the same round before continuing. Without
+                            // this, the loop returns success with a partial bundle
+                            // and never tries the reveal click.
+                            const MASKED_HINT = /\b(?:masked|hidden|bullets?|asterisks?|••+|\*{3,}|reveal|unmask)\b/i;
+                            if (MASKED_HINT.test(nextStep.reason)) {
+                                try {
+                                    const revealRes = await this.browser.revealMaskedCredentials();
+                                    args.steps.push(`Post-verify ${round + 1}/${args.maxRounds}: reveal pass clicked=${revealRes.clicked} diagnostic=[${revealRes.diagnostic.join("; ")}]`);
+                                    if (revealRes.clicked > 0) {
+                                        const labeledAfter = await this.extractFromDomProximity();
+                                        const newKeys = Object.keys(labeledAfter).filter((k) => credentials[k] === undefined);
+                                        if (newKeys.length > 0) {
+                                            for (const k of newKeys)
+                                                credentials[k] = labeledAfter[k];
+                                            args.steps.push(`Post-verify ${round + 1}/${args.maxRounds}: post-reveal DOM-proximity extracted ${newKeys.length} more (${newKeys.join(", ")})`);
+                                        }
+                                        else {
+                                            // Surface ALL labeled candidates we found, so
+                                            // we can see whether the value is on-page but
+                                            // mislabeled vs. genuinely not surfaced.
+                                            const allLabeled = await this.browser.extractLabeledCredentialCandidates();
+                                            const summary = allLabeled
+                                                .filter((c) => !c.isMasked)
+                                                .slice(0, 8)
+                                                .map((c) => `${c.value.slice(0, 6)}…(${c.value.length}ch)/${c.label ?? "no-label"}`)
+                                                .join(", ");
+                                            args.steps.push(`Post-verify ${round + 1}/${args.maxRounds}: post-reveal had ${allLabeled.length} candidates; visible: ${summary}`);
+                                        }
+                                    }
+                                }
+                                catch (err) {
+                                    args.steps.push(`Post-verify ${round + 1}/${args.maxRounds}: reveal pass error (${err instanceof Error ? err.message : String(err)})`);
+                                }
+                            }
+                            consecutiveFailedExtracts = 0;
+                            continue;
+                        }
+                        const quoted = extractQuotedTokenFromReason(nextStep.reason, verifySource);
                         if (quoted !== null) {
                             credentials = { ...credentials, api_key: quoted };
                             args.steps.push(`Post-verify ${round + 1}/${args.maxRounds}: extracted token via ` +
@@ -2866,6 +4084,38 @@ ${formatInventory(input.inventory)}`,
                             consecutiveFailedExtracts = 0;
                             continue;
                         }
+                        // Tier 4 — DOM-proximity labeled credential extraction.
+                        // Run BEFORE bailing the extract. Walks the visible DOM,
+                        // finds credential-shape strings, pairs each with its
+                        // nearest credential-label text by Euclidean center
+                        // distance. Catches multi-cred pages where the planner
+                        // mentioned ONE value but the DOM shows several (the
+                        // planner's narrative-style extract reason missed the
+                        // sibling labels). Also tries to unmask hidden secrets
+                        // first by clicking visible Reveal/Eye/Copy buttons.
+                        try {
+                            await this.browser.revealMaskedCredentials();
+                        }
+                        catch {
+                            // Best-effort; never block the extract pass on a
+                            // reveal-click failure.
+                        }
+                        const labeledFromDom = await this.extractFromDomProximity();
+                        const newKeys = Object.keys(labeledFromDom).filter((k) => credentials[k] === undefined);
+                        if (newKeys.length > 0) {
+                            for (const k of newKeys)
+                                credentials[k] = labeledFromDom[k];
+                            const summary = newKeys
+                                .map((k) => {
+                                const v = labeledFromDom[k];
+                                return `${k}=${v.slice(0, 4)}…${v.slice(-4)}`;
+                            })
+                                .join(", ");
+                            args.steps.push(`Post-verify ${round + 1}/${args.maxRounds}: extracted ${newKeys.length} labeled credential(s) ` +
+                                `via DOM-proximity fallback (${summary})`);
+                            consecutiveFailedExtracts = 0;
+                            continue;
+                        }
                         consecutiveFailedExtracts += 1;
                         // Best-effort diagnostic upload: when extract returns
                         // null despite the planner asserting a credential is
@@ -2936,7 +4186,31 @@ ${formatInventory(input.inventory)}`,
                 }
                 else if (nextStep.kind === "click") {
                     await this.browser.click(nextStep.selector);
-                    await this.browser.wait(2);
+                    // F7 / 0.6.15-rc.11 — Modal-based credential reveals
+                    // (OpenRouter, Anthropic, OpenAI Create-Key flows) render
+                    // the new key into a modal AFTER a server round-trip — the
+                    // prior blind 2s wait was racing the API response. The
+                    // implicit-extract that follows this branch then found
+                    // nothing, the round ended, and by the next round the modal
+                    // had auto-closed. Poll up to 8s for the key to appear in
+                    // the post-action DOM. Early-exit as soon as
+                    // extractCredentials returns one — typical happy path on
+                    // services without modal-delay returns in <1s. Saves both
+                    // time (no overshoot wait) and correctness (catches the
+                    // modal-render race).
+                    const credentialDeadline = Date.now() + 8000;
+                    let pollExtract = {};
+                    while (Date.now() < credentialDeadline) {
+                        await this.browser.wait(0.5);
+                        try {
+                            pollExtract = await this.extractCredentials();
+                            if (pollExtract.api_key !== undefined)
+                                break;
+                        }
+                        catch {
+                            // Page mid-render — keep polling; next tick may settle.
+                        }
+                    }
                 }
                 else if (nextStep.kind === "fill") {
                     await this.browser.type(nextStep.selector, nextStep.value);
@@ -2979,7 +4253,15 @@ ${formatInventory(input.inventory)}`,
                 }
                 else if (nextStep.kind === "navigate") {
                     await this.browser.goto(nextStep.url);
-                    // PERF: next round opens with waitForFormReady; no blind dwell.
+                    // rc.33 — wait for the SPA to actually render before the
+                    // next round reads inventory. waitForFormReady (called at
+                    // the top of the next round) handles the basic "DOM
+                    // parsed" signal, but Porter / Koyeb's API-tokens pages
+                    // load over 5-15 seconds — the planner-driven post-verify
+                    // loop was running on the empty initial shell and burning
+                    // rounds clicking nothing. Wait for at least 5 interactive
+                    // elements (Porter's tokens page has 20+ once rendered).
+                    await this.browser.waitForInteractiveDom(5, 20_000);
                 }
                 else if (nextStep.kind === "wait") {
                     await this.browser.wait(Math.min(nextStep.seconds, 15));
@@ -3150,14 +4432,53 @@ Schema:
 
 Strategy:
 - If a FULL, untruncated API key is visible, return {"kind":"extract"}.
+- **MULTI-CREDENTIAL SERVICES** — when the page shows TWO OR MORE
+  DISTINCT labeled credentials (e.g. Cloudinary shows cloud_name +
+  api_key + api_secret; Algolia shows application_id + admin_api_key +
+  search_api_key; Twilio shows account_sid + auth_token; Stripe shows
+  publishable_key + secret_key; AWS shows access_key_id +
+  secret_access_key) — return ONE {"kind":"extract"} step whose reason
+  labels EVERY visible credential in the format
+  \`<canonical_label>='<value>'\` (use SINGLE quotes around values).
+  The bot's labeled-extractor will pull EACH labeled value into the
+  credentials object. Example reason:
+  "The Cloudinary API Keys page shows cloud_name='dlq4xgrca' and
+  api_key='491741466469613' in the table; api_secret is hidden behind
+  a Reveal button."
+  Use the standard canonical labels: api_key, api_secret, secret_key,
+  publishable_key, access_token, client_id, client_secret, cloud_name,
+  application_id, admin_api_key, search_api_key, account_sid,
+  auth_token, app_key, org_id, consumer_key, consumer_secret,
+  access_token_secret, project_api_key, personal_api_key.
+  If only ONE credential is visible, omit the labels and quote the
+  value as before — the single-cred fallback handles that path.
 - A key shown masked or truncated (with "...", dots, or "•") is NOT
   extractable — its full value is shown only once, at creation. Do NOT
   return "extract" for a masked key, and do not return "extract" twice
   in a row. Instead click "Create API Key" / "New API Key" / "Generate"
   to make a fresh key, then extract its full value.
+- **REVEAL-CLICK BEFORE EXTRACT** — when a credential is shown masked
+  (•••••, asterisks, dots) AND there is a VISIBLE "Show", "Reveal",
+  "Eye", or eye-icon button NEXT TO IT (typically same row in a
+  credentials table — Cloudinary, Twilio, Stripe all follow this
+  pattern for api_secret / auth_token / secret_key), emit a CLICK
+  on that show/reveal button FIRST. Do NOT return extract on the same
+  round as the masked display — the masked text would be parsed as
+  the value. Next round the value will be visible and your extract
+  step can quote it. The bot's reveal-pass is a fallback; explicit
+  clicks via the planner are more reliable because you can see the
+  exact button in the screenshot.
 - To reach API keys, prefer a {"kind":"navigate"} straight to the
   service's API-keys settings URL — note these usually live under the
   user/ACCOUNT settings, not a project or workspace's settings.
+- **EXCEPT** when the page has a very small inventory (5 or fewer elements)
+  and one of them is an onboarding CTA — patterns like "Get started",
+  "Continue", "Activate", "Enable API", "Start free trial", "Set up".
+  These are gating CTAs that unlock the API console; CLICKING them
+  is required, navigate will just redirect you back. If you've already
+  emitted a navigate once on this URL and the URL did not change on the
+  next round, that is the signal — the service is gating the route. Click
+  the visible CTA instead.
 - Otherwise click a dashboard menu link like "API Keys" / "Tokens" /
   "Developer" / "Settings" — using its inventory selector.
 - If there's an onboarding modal or a "Skip" link blocking, dismiss it.