@trusty-squire/mcp 0.9.16 → 0.9.17-rc.2

package/dist/bot/agent.js

@@ -10,6 +10,9 @@
 import { rankAndCapInventory, scoreSignupButton } from "./browser.js";
 import { OAUTH_PROVIDERS, extractOAuthScopes, isGitHubDismissible2faSetup, isGitHubForced2faVerification, GITHUB_DISMISSIBLE_2FA_SKIP_TEXT, } from "./oauth-providers.js";
 import { extractGoogleNumberMatch, scrapeGoogleScopePhrases } from "./google-login.js";
+import { decideOAuthStep } from "./oauth-flow.js";
+import { decideFormFillStep, FORM_FILL_BUDGETS as B_FF, initialFormFillState, } from "./form-fill.js";
+import { accumulateCandidate, hasFullHit, initialExtractionState, resolveExtraction, } from "./extraction.js";
 import { notifyHeightenedAuth } from "./notify-api.js";
 import { sendTelegramHeightenedAuth } from "./telegram-notify.js";
 import { TwoCaptchaSolver } from "./captcha-solver-2captcha.js";
@@ -18,6 +21,7 @@ import { readOperatorOtp, fromDomainFromUrl } from "./read-otp.js";
 import { loggedInProviders, clearProviderLoggedIn, markProviderLoggedIn, } from "./login-state.js";
 import { saveDebugSnapshot } from "./debug.js";
 import { captureOnboardingRound } from "./onboarding-capture.js";
+import { runNavSearch, } from "./nav-search.js";
 import { wasRecentlyPrewarmed, recordPrewarmSuccess } from "./prewarm-cache.js";
 import { pickLLMPair, } from "./llm-client.js";
 import { getDomain } from "tldts";
@@ -55,11 +59,91 @@ const VERIFICATION_EXPECTED_PATTERNS = [
     "almost there",
     "one more step",
 ];
+// A single-use verification link that lands on an "expired / already used /
+// invalid" page. MEASURED on portkey (2026-06-17): a FRESH, seconds-old
+// Firebase mode=verifyEmail oobCode rendered "Email Verification Failed — This
+// link has expired" on the bot's FIRST navigation. A single-use action link is
+// routinely burned by an upstream mail link-scanner (anti-phishing prefetch) —
+// and following a Firebase verifyEmail link COMPLETES the verification
+// server-side. So "expired" almost always means the email is ALREADY verified;
+// the right move is to log in with the signup credentials and proceed, not bail.
+// Exported for unit tests.
+const VERIFY_LINK_FAILED_PATTERNS = [
+    "link has expired",
+    "link is invalid",
+    "link is no longer valid",
+    "invalid or expired",
+    "expired or invalid",
+    "verification failed",
+    "already been used",
+    "already verified", // some apps say so outright → also "go log in"
+];
+export function verificationLinkFailed(pageText) {
+    const t = pageText.toLowerCase();
+    return VERIFY_LINK_FAILED_PATTERNS.some((p) => t.includes(p));
+}
+// Firebase email-action links carry mode=verifyEmail + oobCode + apiKey as
+// query params — even on a custom domain (portkey: app.portkey.ai/auth?…).
+// Extract them so we can confirm the verification via Firebase's REST API
+// directly: far lower latency than a browser SPA navigation (racing a short
+// oobCode TTL) and it issues the single-use code exactly ONCE (no SPA
+// double-submit). Returns null when the link isn't a Firebase verifyEmail
+// action. Exported for unit tests.
+export function parseFirebaseEmailAction(url) {
+    let u;
+    try {
+        u = new URL(url.replace(/&/g, "&"));
+    }
+    catch {
+        return null;
+    }
+    const oobCode = u.searchParams.get("oobCode");
+    const apiKey = u.searchParams.get("apiKey");
+    if (u.searchParams.get("mode") !== "verifyEmail" || oobCode === null || apiKey === null) {
+        return null;
+    }
+    if (!/^AIza[\w-]{20,}$/.test(apiKey))
+        return null; // Firebase web API key shape
+    return { apiKey, oobCode };
+}
+// Apply a Firebase email-verification oobCode via the Identity Toolkit REST API
+// — the same call the emailed link's SPA makes, issued directly so it runs the
+// instant the mail lands and only once. The apiKey is the Firebase WEB api key
+// (public by design). ok=true + the verified email on success; ok=false + the
+// Firebase error (EXPIRED_OOB_CODE / INVALID_OOB_CODE) otherwise — which itself
+// proves whether the code was alive at receipt. Exported for unit tests.
+export async function applyFirebaseEmailVerification(apiKey, oobCode) {
+    try {
+        const resp = await fetch(`https://identitytoolkit.googleapis.com/v1/accounts:update?key=${encodeURIComponent(apiKey)}`, {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({ oobCode }),
+        });
+        const data = (await resp.json().catch(() => ({})));
+        if (resp.ok && (data.emailVerified === true || data.email !== undefined)) {
+            return { ok: true, ...(data.email !== undefined ? { email: data.email } : {}) };
+        }
+        return { ok: false, error: data.error?.message ?? `http_${resp.status}` };
+    }
+    catch (err) {
+        return { ok: false, error: err instanceof Error ? err.message : String(err) };
+    }
+}
 // Short probe when, even after a settle, the post-submit page still never
 // prompted the user to check their email AND no account-created signal
 // appeared. Legitimate verification mail almost always lands inside a
 // minute; this catches the fast case without 300s of dead air.
 const VERIFICATION_PROBE_SECONDS = 45;
+// Give-up ceiling for the "page says check your email" case (mail IS coming).
+// These poll timeouts are pure GIVE-UP BOUNDS: the inbox server long-polls and
+// early-exits the instant mail arrives, so a real email returns at ~its arrival
+// time regardless of the ceiling — the ceiling only costs wall-clock when mail
+// NEVER comes (young-domain withhold). Sized to the ARRIVAL TAIL, not the
+// average: transactional mail lands <30s typically, with a greylist retry tail
+// to ~60s, so 90s covers every real case with margin while failing a withheld
+// mail 90s sooner (was 180). Tail-sized, NOT average-sized — abandoning real
+// mail loses a signup (OF#2). Env-tunable for an A/B.
+const VERIFY_EMAIL_CEILING_SECONDS = Number.parseInt(process.env.BOT_VERIFY_EMAIL_CEILING_S ?? "120", 10);
 // Settle window before the SECOND post-submit page read. SPA signups
 // (Postmark, ElevenLabs, Browserbase, Grafana Cloud, …) swap in their
 // "check your email" confirmation screen a beat AFTER submit. Reading the
@@ -74,9 +158,11 @@ const SUBMIT_SETTLE_SECONDS = 3;
 // fresh send (Postmark, SendGrid) routinely take longer than the 45s
 // probe. Polling 120s here — rather than bailing at 45s — is the
 // difference between catching that mail and a false `verification_not_sent`.
-// Still bounded so a genuinely-silent service doesn't hold the run for the
-// full 180s expected-email timeout.
-const SUBMITTED_PROBE_FLOOR_SECONDS = 120;
+// Still bounded so a genuinely-silent service doesn't hold the run for the full
+// ceiling. Tail-sized to ~90s (arrival tail incl. a greylist retry); since the
+// long-poll early-exits on arrival, this only costs wall-clock when mail never
+// comes — failing an inconclusive no-mail run 30s sooner (was 120). Env-tunable.
+const SUBMITTED_PROBE_FLOOR_SECONDS = Number.parseInt(process.env.BOT_VERIFY_INCONCLUSIVE_CEILING_S ?? "90", 10);
 // Post-submit page text that means the submit was REJECTED, not accepted —
 // no account was created, so no verification mail is coming and even the
 // 45s probe is wasted. Lets the bot bail immediately instead of polling.
@@ -169,6 +255,74 @@ export function isAtPaywall(text) {
     }
     return false;
 }
+// A service can complete the signup form / OAuth handshake and THEN drop the
+// account into a manual-approval gate — a waiting room, a waitlist, a
+// "request access / your account is pending approval / under review" screen —
+// instead of granting a dashboard + API key. Baseten is the field example:
+// the form submits, then a "waiting_room" / account-review screen appears and
+// no key is obtainable autonomously.
+//
+// This is NOT a captcha and NOT an anti-bot block — it's a service-side human
+// gate. Left undetected, the post-verify loop exhausts its budget and the run
+// gets mislabeled (oauth_onboarding_failed / a generic no-credentials miss),
+// which is misleading and can wrongly count toward skill demotion or send us
+// chasing a non-existent code bug. We classify it as `onboarding_blocked` —
+// the same terminal, human-pile, non-demoting status the billing wall uses —
+// so the loop routes it to the manual pile and never advances the demote
+// counter.
+//
+// Tuned for PRECISION over recall: every pattern requires explicit
+// account-review / waitlist / pending-approval phrasing. A marketing tile that
+// merely mentions "early access" as a feature must not trip it, so the verbs
+// are scoped to the gate's own phrasing (you ARE on the list / access IS
+// pending / the account IS under review).
+const ACCOUNT_REVIEW_GATE_PATTERNS = [
+    /\bwaiting\s+room\b/i,
+    /\b(?:join|on|added\s+to)\s+(?:the\s+|our\s+)?waitlist\b/i,
+    /\byou'?re\s+on\s+the\s+(?:list|waitlist)\b/i,
+    /\brequest\s+(?:early\s+)?access\b/i,
+    /\baccess\s+(?:is\s+)?pending\b/i,
+    /\b(?:your\s+)?account\s+is\s+pending\b/i,
+    /\bpending\s+approval\b/i,
+    /\baccount\s+(?:is\s+)?(?:currently\s+)?under\s+review\b/i,
+    /\byour\s+account\s+is\s+being\s+reviewed\b/i,
+    /\bwe'?ll\s+email\s+you\s+when\b/i,
+    /\bawaiting\s+(?:approval|access)\b/i,
+];
+// Exported for unit testing — the post-signup heuristic that distinguishes a
+// service-side manual-approval gate (waiting room / waitlist / pending review)
+// from a normal dashboard, signup form, or captcha page. Pure over page text.
+export function isAtAccountReviewGate(text) {
+    return ACCOUNT_REVIEW_GATE_PATTERNS.some((p) => p.test(text));
+}
+// Decide whether a no-credential form-fill outcome is a manual-review gate.
+// A verification timeout is the AUTHORITATIVE cause and must win: a pending
+// "check your email / we sent a code" page can read as a review gate to
+// isAtAccountReviewGate, so without this guard a verification_not_sent gets
+// mislabeled onboarding_blocked (the anthropic regression). Only when
+// verification did NOT fail is the review-gate text trusted. Pure, testable.
+export function isOnboardingReviewGate(verificationFailed, pageText) {
+    return verificationFailed === undefined && isAtAccountReviewGate(pageText);
+}
+// Closed / invite-only registration: the service does not accept new self-serve
+// signups at all (turbopuffer: "Sign-ups are closed"). Distinct from a review
+// gate (you signed up, awaiting approval) — here NO account can be created, so
+// the run is terminally unservable and the service should be dequeued, not
+// retried or mislabeled oauth_onboarding_failed (which implies a fixable nav
+// bug). Precision-tuned: requires explicit closed/disabled/invite-only phrasing
+// scoped to sign-up/registration, so a normal page mentioning "sign up" or an
+// "invite your team" feature doesn't trip it. Pure over page text.
+const SIGNUPS_CLOSED_PATTERNS = [
+    /\bsign[\s-]?ups?\s+(?:are|is)\s+(?:currently\s+)?(?:closed|disabled|paused|not\s+(?:open|available|being\s+accepted))\b/i,
+    /\b(?:we\s+are|we're)\s+not\s+(?:currently\s+)?accepting\s+(?:new\s+)?(?:sign[\s-]?ups|registrations|users|accounts)\b/i,
+    /\bregistration\s+(?:is\s+)?(?:currently\s+)?(?:closed|disabled)\b/i,
+    /\b(?:sign[\s-]?up|registration|access)\s+is\s+(?:by\s+)?invite[\s-]?only\b/i,
+    /\binvite[\s-]?only\s+(?:beta|access|signup|registration)\b/i,
+    /\brequest\s+an\s+invite\b/i,
+];
+export function isSignupsClosed(text) {
+    return SIGNUPS_CLOSED_PATTERNS.some((p) => p.test(text));
+}
 // S3: does this post-submit page text indicate the service genuinely
 // expects the user to confirm via email? Drives whether the bot polls the
 // full verification timeout or runs only a short probe. Exported so the
@@ -197,8 +351,9 @@ export class OAuthSessionNotPersistedError extends Error {
 // 0.8.2-rc.10 — common dashboard paths that vendors host their
 // per-account API key UI at. Ordered most-specific first so a
 // fallback navigate doesn't land short of the actual page. Returned
-// as an array of path-strings; the caller composes them onto the
-// origin of the currently-stuck URL and skips any already tried.
+// as an array of path-strings; the caller composes them onto the APP
+// origin (the signup/app URL the bot navigated to), NOT the auth/IdP
+// origin it may be stuck on post-OAuth, and skips any already tried.
 //
 // Patterns harvested from Anthropic (settings/keys), Sentry
 // (settings/account/api/auth-tokens), Neon (settings#api-keys),
@@ -418,33 +573,162 @@ export function findCreateKeyAffordance(inventory) {
     candidates.sort((a, b) => b.score - a.score);
     return candidates[0].el;
 }
+// A "name your key" confirm modal frequently labels its submit button
+// generically — "Submit", "Create", "Generate", "Done" — with NO key noun, so
+// findCreateKeyAffordance can't see it (groq: the page-level "Create API Key"
+// opens a dialog whose only affirmative is a bare "Submit"). Worse, the
+// page-level create button is still in the background DOM, so a naive
+// findCreateKeyAffordance re-grabs IT and reopens the modal forever. This finds
+// the modal's affirmative submit instead. Bounded to the modal shape — a text
+// input (the name field) MUST be present — so a page-level Submit on an
+// unrelated form can't be tripped. Excludes the just-clicked create button and
+// any cancel/close control. Pure; exported for unit testing.
+const KEY_MODAL_SUBMIT_AFFIRM = /^\s*(?:submit|create(?:\s+(?:api\s+)?key)?|generate(?:\s+key)?|confirm|done|save|add(?:\s+key)?|ok)\s*$/i;
+const KEY_MODAL_NEGATIVE = /\b(?:cancel|close|back|dismiss|never\s*mind)\b/i;
+export function findKeyModalSubmit(inventory, excludeSelector) {
+    const hasNameInput = inventory.some((el) => el.tag === "input" &&
+        el.visible !== false &&
+        (el.type === null || /^(?:text|search|email)$/i.test(el.type)));
+    if (!hasNameInput)
+        return null;
+    for (const el of inventory) {
+        if (el.selector === excludeSelector)
+            continue;
+        const clickable = el.tag === "button" || el.tag === "a" || el.role === "button" || el.role === "link";
+        if (!clickable || el.visible === false)
+            continue;
+        const label = [el.visibleText, el.ariaLabel, el.title]
+            .filter((s) => s !== null && s !== undefined && s.length > 0)
+            .join(" ")
+            .trim();
+        if (label.length === 0 || label.length > 24)
+            continue;
+        if (KEY_MODAL_NEGATIVE.test(label))
+            continue;
+        if (KEY_MODAL_SUBMIT_AFFIRM.test(label))
+            return el;
+    }
+    return null;
+}
+// The name input inside a "name your key" modal — the first visible text-like
+// input. Some vendors gate the submit on a non-empty name (groq), so the mint
+// flow types one before clicking submit. Pure; exported for unit testing.
+export function findKeyNameInput(inventory) {
+    for (const el of inventory) {
+        if (el.tag !== "input" || el.visible === false)
+            continue;
+        if (el.type !== null && !/^(?:text|search|email)$/i.test(el.type))
+            continue;
+        return el;
+    }
+    return null;
+}
+// An in-DOM nav link/affordance that points AT an API-keys / tokens page.
+// Distinct from findCreateKeyAffordance (the "create key" button): this finds
+// the LINK that navigates TO the keys page, so the bot can click the real
+// target — whose href is the correct path — instead of GUESSING a URL from a
+// fixed convention list (which 404s whenever a service hosts keys at a
+// non-standard path: unify-ai's keys aren't at /keys, /api-keys, or
+// /settings/api-keys, all of which 404). A human clicks the sidebar link; so
+// should the bot. Exported, pure (operates on the inventory shape only).
+const API_KEYS_HREF = /\/(?:api[-_]?keys?|api[-_]?tokens?|access[-_]?tokens?|auth[-_]?tokens?|secret[-_]?keys?|personal[-_]?access[-_]?tokens?|developers?|keys?|tokens?)(?:[/?#]|$)/i;
+const API_KEYS_TEXT = /\b(?:api|access|secret|auth|personal\s+access)\s*(?:keys?|tokens?)\b/i;
+export function findApiKeysNavLink(inventory, alreadyClicked = new Set()) {
+    const candidates = [];
+    for (const el of inventory) {
+        const isClickable = el.tag === "a" ||
+            el.tag === "button" ||
+            el.role === "link" ||
+            el.role === "button";
+        if (!isClickable)
+            continue;
+        if (el.visible === false)
+            continue;
+        if (alreadyClicked.has(el.selector))
+            continue;
+        const href = el.href ?? "";
+        const text = [el.visibleText, el.ariaLabel, el.title, el.labelText, el.iconLabel]
+            .filter((s) => s !== null && s !== undefined)
+            .join(" ")
+            .trim();
+        // The loose href segments (keys?/tokens?/developers?) are only trusted on
+        // an actual anchor href, where they're a structured path, not free text.
+        const hrefHit = href.length > 0 && API_KEYS_HREF.test(href);
+        const textHit = API_KEYS_TEXT.test(text);
+        if (!hrefHit && !textHit)
+            continue;
+        // A "create API key" control is a different affordance (it opens a
+        // create flow / modal, it doesn't navigate to the listing). Skip it here
+        // UNLESS it's a real anchor with a keys href (then it's a nav link that
+        // merely happens to read "New API key").
+        if (CREATE_KEY_PHRASE.test(text) && !(el.tag === "a" && hrefHit))
+            continue;
+        let score = 0;
+        if (hrefHit)
+            score += 4; // a real, navigable target beats a text guess
+        if (/\bapi\s*(?:keys?|tokens?)\b/i.test(text))
+            score += 2;
+        else if (textHit)
+            score += 1;
+        if (el.tag === "a")
+            score += 1; // prefer anchors over role=button
+        if (el.inViewport === true)
+            score += 1;
+        candidates.push({ el, score });
+    }
+    if (candidates.length === 0)
+        return null;
+    candidates.sort((a, b) => b.score - a.score);
+    return candidates[0].el;
+}
 // Pick the next fallback URL to try, keyed against the origin of the
 // currently-stuck URL. The curated SERVICE_KEYS_PATHS for the run's
 // service (when its host matches the stuck origin) are tried FIRST,
 // then the generic STUCK_LOOP_FALLBACK_PATHS. Returns null when every
 // path has already been attempted. Exported for unit tests.
-export function pickStuckLoopFallbackUrl(currentUrl, alreadyTried, service) {
-    let parsed;
+export function pickStuckLoopFallbackUrl(currentUrl, alreadyTried, service, appUrl) {
+    let parsedCurrent;
     try {
-        parsed = new URL(currentUrl);
+        parsedCurrent = new URL(currentUrl);
     }
     catch {
         return null;
     }
+    // Compose key-path guesses onto the APP origin, NOT the origin of the
+    // currently-stuck URL. After OAuth the stuck URL is the identity-provider
+    // subdomain (auth.lumalabs.ai, accounts.<svc>, login.<svc>, the IdP) — which
+    // has no settings/keys pages, so "${authOrigin}/settings/keys" 404s by
+    // construction. The keys live on the app host (lumalabs.ai). `appUrl` is the
+    // signup/app URL the bot actually navigated to (this.resolvedSignupUrl), so
+    // its origin is the right host to guess against. Fall back to the stuck
+    // origin only when no usable app URL is known.
+    let composeBase = parsedCurrent;
+    if (appUrl !== undefined) {
+        try {
+            const parsedApp = new URL(appUrl);
+            if ((parsedApp.protocol === "http:" || parsedApp.protocol === "https:") &&
+                !isGoogleSearchUrl(appUrl)) {
+                composeBase = parsedApp;
+            }
+        }
+        catch {
+            // keep the stuck origin
+        }
+    }
     // about:blank / data: / chrome-error pages have an opaque origin that
     // serializes to the literal string "null" — building "${origin}${path}"
     // then yields an unnavigable "null/settings/keys". Only compose
     // fallbacks against a real http(s) origin.
-    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    if (composeBase.protocol !== "http:" && composeBase.protocol !== "https:") {
         return null;
     }
-    const origin = parsed.origin;
-    // Skip a candidate when the current URL's path ALREADY matches it
-    // (case-insensitive, trailing-slash tolerant). The planner is stuck
-    // ON the page the candidate points to — navigating to the same URL
-    // again won't break the cycle, only a different path will.
-    const currentPath = parsed.pathname.replace(/\/+$/, "").toLowerCase();
-    // Compose curated per-service paths first, but only when the stuck
+    const origin = composeBase.origin;
+    // Skip a candidate when it resolves to the exact URL we're already stuck
+    // on (full origin+path, trailing-slash/case tolerant) — re-navigating
+    // there won't break the cycle. Compared on the full URL now that the
+    // compose origin can differ from the stuck origin.
+    const currentFull = `${parsedCurrent.origin}${parsedCurrent.pathname}`.replace(/\/+$/, "").toLowerCase();
+    // Compose curated per-service paths first, but only when the COMPOSE
     // origin's host actually belongs to the named service. The slug is
     // a substring of the host for the vendors we curate (groq →
     // console.groq.com, launchdarkly → app.launchdarkly.com, …); this
@@ -454,7 +738,7 @@ export function pickStuckLoopFallbackUrl(currentUrl, alreadyTried, service) {
     const slug = service !== undefined ? serviceSlug(service) : "";
     const curated = slug !== "" &&
         SERVICE_KEYS_PATHS[slug] !== undefined &&
-        parsed.hostname.toLowerCase().includes(slug)
+        composeBase.hostname.toLowerCase().includes(slug)
         ? SERVICE_KEYS_PATHS[slug]
         : [];
     // Curated paths lead; the generic list follows. De-dup so a path that
@@ -468,7 +752,7 @@ export function pickStuckLoopFallbackUrl(currentUrl, alreadyTried, service) {
         const candidate = `${origin}${path}`;
         if (alreadyTried.has(candidate))
             continue;
-        if (candidatePath === currentPath)
+        if (`${origin}${path}`.replace(/\/+$/, "").toLowerCase() === currentFull)
             continue;
         return candidate;
     }
@@ -2506,9 +2790,13 @@ export function extractQuotedTokenFromReason(reason, pageText) {
     // `.` is in the class: many tokens are dot-separated (Zerops
     // `LhJbaP.VeODh3ZZ…`, GitLab PATs, JWTs, Slack `xox*`); excluding it
     // dropped every dotted token to null and looped to run_timeout
-    // (MEASURED 2026-06-12: zerops). The verbatim pageText.includes guard
-    // below keeps a sentence's trailing period from matching.
-    const matches = reason.matchAll(/['"`]([A-Za-z0-9_.\-]{10,80})['"`]/g);
+    // (MEASURED 2026-06-12: zerops). `+/=` are in too: some services mint
+    // BASE64-encoded keys (portkey, MEASURED 2026-06-17: `tdCwXd/8kp4…` — the
+    // `/` truncated capture to `tdCwXd` (<10) → null → 24-round loop to
+    // run_timeout despite the key being on the page). The verbatim
+    // pageText.includes guard below keeps a sentence's trailing period — or a
+    // stray path/URL fragment — from matching anything not actually on the page.
+    const matches = reason.matchAll(/['"`]([A-Za-z0-9_.+/=\-]{10,80})['"`]/g);
     for (const m of matches) {
         const candidate = m[1];
         if (candidate === undefined)
@@ -2662,7 +2950,7 @@ export function extractAllLabeledTokensFromReason(reason, pageText) {
     //     credential-shape (mixed alpha+digit, ≥16 chars, OR a known
     //     credential prefix); (2) hard-reject a curated set of common
     //     English status words that look label-like in extract prose.
-    const quotedRe = new RegExp(`\\b(${labelAltLoose})\\b\\s*[=:]\\s*['"\`]([A-Za-z0-9_.\\-]{4,80})['"\`]`, "gi");
+    const quotedRe = new RegExp(`\\b(${labelAltLoose})\\b\\s*[=:]\\s*['"\`]([A-Za-z0-9_.+/=\\-]{4,80})['"\`]`, "gi");
     for (const m of reason.matchAll(quotedRe)) {
         const rawLabel = (m[1] ?? "").toLowerCase().replace(/[-\s]+/g, "_");
         const normalized = rawLabel.replace(/_+/g, "_");
@@ -2710,7 +2998,7 @@ export function extractAllLabeledTokensFromReason(reason, pageText) {
     // Same separator vocab as quoted, plus optional quotes around the
     // value. The credential-shape + blacklist guards run on the
     // captured (possibly-unquoted) value.
-    const proseRe = new RegExp(`\\b(${labelAltLoose})\\b\\s*(?:[=:]|\\b(?:is|are)\\b)\\s*['"\`]?([A-Za-z0-9_.\\-]{4,80})['"\`]?`, "gi");
+    const proseRe = new RegExp(`\\b(${labelAltLoose})\\b\\s*(?:[=:]|\\b(?:is|are)\\b)\\s*['"\`]?([A-Za-z0-9_.+/=\\-]{4,80})['"\`]?`, "gi");
     for (const m of reason.matchAll(proseRe)) {
         const rawLabel = (m[1] ?? "").toLowerCase().replace(/[-\s]+/g, "_");
         const normalized = rawLabel.replace(/_+/g, "_");
@@ -3100,6 +3388,38 @@ export function pickVerificationLinkFromHtml(bodyHtml) {
     }
     return best !== null && best.score > 0 ? best.url : null;
 }
+// Last-resort verification-link pick: a link in the email that points at the
+// SERVICE's OWN domain. MEASURED on arize (2026-06-17): the confirm email says
+// "Click the link in the email", but its confirm link is a click-tracker the
+// keyword scorers miss, and a spurious number in the body got read as a code →
+// the bot entered a code on a page with no code field and stalled. A same-
+// registrable-domain link in a signup email is almost always the confirmation,
+// so follow it when the keyword scorers came up empty. Skips obvious non-confirm
+// links (unsubscribe/preferences/privacy/terms/social). Exported for unit tests.
+export function pickServiceDomainLink(links, serviceHost) {
+    if (serviceHost === null || serviceHost.length === 0)
+        return null;
+    // Compare the last two labels so app.arize.com matches arize.com.
+    const base = (h) => h.toLowerCase().replace(/^www\./, "").split(".").slice(-2).join(".");
+    const target = base(serviceHost);
+    const SKIP = /unsubscribe|preferences|email[_-]?settings|\bmanage\b|privacy|\bterms\b|twitter|linkedin|facebook|instagram|youtube|status\.|\/help\b|\/support\b|\/docs\b/i;
+    for (const raw of links) {
+        let u;
+        try {
+            u = new URL(raw.replace(/&amp;/g, "&"));
+        }
+        catch {
+            continue;
+        }
+        if (u.protocol !== "https:" && u.protocol !== "http:")
+            continue;
+        if (SKIP.test(raw))
+            continue;
+        if (base(u.hostname) === target)
+            return u.href;
+    }
+    return null;
+}
 // Last-resort verification-CODE extraction from an email body, for the
 // passwordless "we emailed you a code" flow (axiom: "Axiom sign-in
 // verification code") when the inbox parser's parsed_codes came back empty.
@@ -3305,6 +3625,50 @@ export function isLoadingShellText(text) {
     // forever, so it is not a signal.
     return /\bconnecting\b|\bloading\b|please wait|getting things ready|initiali[sz]ing/i.test(text);
 }
+// The interactive-element count at/above which a page is "hydrated by
+// definition" — a rendered dashboard/form a user can act on — so a stray
+// "loading"/"please wait" word in its (visible) text is NOT a hydration
+// shell. WHY 5: a genuine loading shell paints zero or a handful of chrome
+// affordances (a logo link, maybe a skip-link); a real authenticated surface
+// (nav + content + an "API Keys"/"Create" affordance) clears 5 trivially.
+// Field evidence: luma-ai/unify-ai/sambanova/fireworks-ai/defang carried
+// 10–95 visible interactive elements yet were flagged a shell EVERY round —
+// any threshold from ~5 up vetoes all of them while still catching the true
+// 0-to-few-element shell (northflank). Reuses the same minElements default as
+// waitForInteractiveDom (5) so the negative gate and the positive readiness
+// wait agree on what "hydrated" means.
+export const SHELL_MAX_ELEMENTS = 5;
+// The authoritative loading-shell decision: a page is a hydration shell only
+// when loading-text is present in its VISIBLE text AND it has fewer than
+// SHELL_MAX_ELEMENTS interactive elements. Splitting the two conditions kills
+// the dominant false positive two ways at once:
+//   1. visibleText (innerText) drops hidden skeleton/RSC "loading" strings a
+//      raw textContent read picked up;
+//   2. the inventory veto makes the gate un-fireable on a hydrated page
+//      regardless of any residual stray "loading" word.
+// Pure + exported for unit tests. The text predicate stays isLoadingShellText
+// (still used where only text is on hand); this is the call-site gate where
+// both signals are available.
+export function isLoadingShell(visibleText, inventoryCount) {
+    if (inventoryCount >= SHELL_MAX_ELEMENTS)
+        return false;
+    return isLoadingShellText(visibleText);
+}
+// Thrown from postVerifyLoop when a post-OAuth/post-verify SPA presents a
+// genuine loading shell that never hydrates within the bounded budget (and a
+// navigate-to-root retry didn't unstick it). Surfaced as the terminal status
+// `spa_never_hydrated`. classifyFailure() (skill-schema failure-taxonomy)
+// has no entry for this kind, so it falls to the deliberate transient default
+// — a non-demoting outcome (a never-hydrating route is environmental/transient,
+// not skill rot), and no new exported skill-schema symbol is needed (avoids
+// the published-dep-skew trap). The leading token before ':' is what
+// classifyFailure keys on, so the message MUST start with the bare kind.
+export class SpaNeverHydratedError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "SpaNeverHydratedError";
+    }
+}
 // Transient "the session is being established RIGHT NOW" copy. MEASURED on
 // groq (Stytch B2B): after the OAuth callback, /authenticate shows
 // "Logging in…" then "Creating your organization…" for ~5-7s of async
@@ -3348,6 +3712,12 @@ export class SignupAgent {
     // backends_used[i] is the .name string of the LLMClient that produced
     // the i-th reply this run.
     backendsUsed = [];
+    // Fix C4 — the model/provider the backend actually served on the most
+    // recent LLM call, captured per round. callLLM stamps these after every
+    // call; the capture sites read them when dumping a round. Undefined
+    // until the first call (or when the backend doesn't report a model).
+    lastResolvedModel;
+    lastResolvedProvider;
     llmPair;
     // Captcha encounter state for the current run. Updated by the
     // pre/post-submit/re-plan captcha gates in signup(); read by the
@@ -3355,6 +3725,21 @@ export class SignupAgent {
     // because a "blocked" outcome is more diagnostic than an earlier
     // "solved" one and we always want the failure mode in the result.
     captchaEncounter = undefined;
+    // Sticky "this run is on the email path" flag. Set when OAuth turns out to be
+    // login-only (a new identity has no account — Clerk's form_identifier_not_found)
+    // and we fall back to email signup. Without it, the dispatch loop re-runs the
+    // OAuth-first scan after the re-route and re-clicks Google → loops forever
+    // (the cartesia oauth_session_not_persisted bug). Honored by
+    // resolveOAuthCandidates; reset at the start of each signup().
+    committedToEmailPath = false;
+    // One-shot guard for the post-OAuth-callback email fallback. When a Clerk-class
+    // app completes the Google handshake but never persists a session (its callback
+    // silently fails for a brand-new identity driven through sign-IN — the cartesia
+    // root cause WITHOUT the explicit "no account" text), the bot recovers by
+    // creating the account via email instead. This flag keeps that to one attempt so
+    // a service that's genuinely OAuth-only (no email form to fall back to) fails
+    // honestly rather than re-trying forever. Reset at the start of each signup().
+    oauthEmailFallbackTried = false;
     // Invisible-captcha presence for the current run. Cloudflare Turnstile
     // and reCAPTCHA-v3 are score-based: a HIGH score passes silently with no
     // visible widget to "solve", so the visible-gate path above records
@@ -3451,6 +3836,42 @@ export class SignupAgent {
                     const minted = await this.browser.triggerInvisibleRecaptcha();
                     steps.push(`${label} captcha: invisible reCAPTCHA v3 — ${minted ? "minted score token via grecaptcha.execute()" : "badge present, token not minted (form may submit it itself)"}`);
                 }
+                else if (this.captchaSolver?.isAvailable() === true) {
+                    // INVISIBLE hCaptcha (huggingface, 2026-06-17): sitekey in the page's
+                    // JS config, NO visible widget, but the form REQUIRES an
+                    // h-captcha-response token to submit (the wired Tier 3 hCaptcha path
+                    // only fires for VISIBLE widgets). Solve via 2Captcha now and inject,
+                    // so the imminent submit carries a token instead of a silent reject.
+                    // HONEST CAVEAT: a sophisticated host (HF may run Enterprise hCaptcha)
+                    // can bind the token to the browser session and reject a solver token
+                    // regardless — in which case this surfaces the real wall instead of a
+                    // misleading "validation error".
+                    const hSitekey = await this.browser.extractHcaptchaSitekey();
+                    if (hSitekey !== null) {
+                        this.invisibleCaptcha = { kind: "hcaptcha", variant: "hcaptcha" };
+                        const pageUrl = (await this.browser.getState().catch(() => null))?.url;
+                        if (pageUrl !== undefined && this.captchaSolver !== undefined) {
+                            steps.push(`${label} captcha: invisible hCaptcha (sitekey ${hSitekey.slice(0, 10)}…) — solving via 2Captcha before submit`);
+                            const solveRes = await this.captchaSolver.solveHcaptcha({
+                                sitekey: hSitekey,
+                                pageUrl,
+                            });
+                            if (solveRes.kind === "ok") {
+                                const injected = await this.browser.injectHcaptchaToken(solveRes.token);
+                                steps.push(injected
+                                    ? `${label} captcha: invisible hCaptcha solved in ${Math.round(solveRes.durationMs / 1000)}s + token injected`
+                                    : `${label} captcha: hCaptcha token arrived but injection failed`);
+                                if (injected) {
+                                    return { found: true, solved: true, blocked: false, kind: "hcaptcha" };
+                                }
+                            }
+                            else {
+                                steps.push(`${label} captcha: invisible hCaptcha 2Captcha ${solveRes.kind}` +
+                                    ("reason" in solveRes ? `: ${solveRes.reason}` : ""));
+                            }
+                        }
+                    }
+                }
             }
             return { found: false, solved: false, blocked: false, kind: "turnstile" };
         }
@@ -3650,6 +4071,18 @@ export class SignupAgent {
     // this the scan would re-pick OAuth and loop right back into the
     // same no-account bounce. One-shot equivalent of committedToEmailPath.
     forceFormFill = false) {
+        // FORM_FILL_ENGINE (default-ON since 2026-06-15, strangler slice 3): route the
+        // whole round through the pure decideFormFillStep reducer. Flipped default-on
+        // after live validation showed the engine reaches the correct terminal on
+        // every fillable form (ipinfo full success; cohere/deepinfra/postmark each
+        // reached submit — their failures were downstream verification/extraction or
+        // already-registered, NOT the form-fill phase). The inline loop below is kept
+        // one cycle as the explicit opt-out fallback (FORM_FILL_ENGINE=0/off) and is
+        // deleted next, once a heal pass confirms no per-service regression
+        // (DESIGN-form-fill-engine.md migration step 4).
+        if (!/^(0|false|off|no)$/i.test(process.env.FORM_FILL_ENGINE ?? "")) {
+            return this.planExecuteViaEngine(task, fillValues, steps, forceFormFill);
+        }
         const MAX_ERROR_REPLANS = 2;
         // 0.8.3-rc.1 — widened from 4 to 6 so submit_disabled re-plans
         // get more attempts to identify the gating control. Mailgun's
@@ -3688,10 +4121,23 @@ export class SignupAgent {
         // F14 — selectors the planner clicked WITHOUT advancing the page.
         // Each no-progress plan records its click selectors here; the next
         // plan that picks ONLY selectors in this set is failed as stuck
-        // instead of looping. Cleared on any progress (fill action). The
-        // Railway run that motivated F14 spun the same footer "Email" link
-        // 5 times before timing out; this loop now bails after 2.
+        // instead of looping. Cleared on ANY real progress between two
+        // clicks of the same selector — a fill/select/check action OR a
+        // page change (inventory/url moved). The Railway run that motivated
+        // F14 spun the same footer "Email" link 5 times before timing out;
+        // this loop now bails after 2.
         let lastNoProgressClickSelectors = new Set();
+        // Page-state fingerprint from the END of the previous round, used to
+        // decide whether the page actually moved between rounds. A
+        // "fill field → submit → (validation error) → fix field → submit
+        // again" cycle is legitimate progress, NOT a loop: kinde's post-OAuth
+        // register form has a globally-unique "domain" field, so the first
+        // guess collides ("taken") and the bot must edit the field and
+        // re-click the SAME "Next" button. Without this, re-clicking the same
+        // selector after a genuine field edit (or any inventory/url change)
+        // false-bailed as planner_loop even though the intervening fill was
+        // real progress. (MEASURED 2026-06-13, kinde, terminal_round 3.)
+        let lastRoundPageSig = null;
         // rc.31 — once the bot has explicitly clicked an email-flow
         // button (e.g. Railway's "Log in using email" two-stage chooser),
         // stay on the email path. Without this, the auto-OAuth-first
@@ -4057,16 +4503,40 @@ export class SignupAgent {
                 steps.push("Form-fill planner described a logged-in product/billing page (not a signup form) — pivoting to post-verify navigation");
                 return { kind: "already_oauth" };
             }
+            // The page moved since the previous round if the URL changed or the
+            // set of interactive selectors changed (a field gained/lost, a
+            // validation message toggled an element, a wizard step advanced).
+            // ANY such change means whatever the planner did last round was real
+            // progress — clear the no-progress memory so a re-click of a
+            // previously-"dead" selector on the now-changed page isn't judged a
+            // loop. This is the unique-value-retry case (kinde domain field):
+            // edit field → page re-renders → re-click "Next" is legitimate.
+            const pageSig = state.url +
+                "§" +
+                inventory
+                    .map((e) => e.selector)
+                    .sort()
+                    .join("|");
+            if (lastRoundPageSig !== null && pageSig !== lastRoundPageSig) {
+                lastNoProgressClickSelectors = new Set();
+            }
+            lastRoundPageSig = pageSig;
             // F14 — stuck-detection: if the plan picks ONLY click selectors
             // we already tried in the previous round without page progress,
             // it's a planner loop. Fail planning_failed with the offending
             // selector(s) so the operator sees what stalled. Doesn't fire
             // when the plan adds at least one new selector (legitimate
-            // exploration). Doesn't fire on fill plans (forward progress).
+            // exploration). Doesn't fire on fill plans (forward progress),
+            // nor on a plan that ALSO edits a field this round (a fill/check
+            // alongside the re-click is real progress — kinde's "tick the
+            // required box + re-click Next" advances the form even though the
+            // Next selector repeats).
             const planClickSelectors = plan.actions
                 .filter((a) => a.kind === "click")
                 .map((a) => a.selector);
-            if (planClickSelectors.length > 0 &&
+            const planEditsAField = plan.actions.some((a) => a.kind === "fill" || a.kind === "check");
+            if (!planEditsAField &&
+                planClickSelectors.length > 0 &&
                 lastNoProgressClickSelectors.size > 0 &&
                 planClickSelectors.every((s) => lastNoProgressClickSelectors.has(s))) {
                 return {
@@ -4120,6 +4590,16 @@ export class SignupAgent {
             // static page won't help, so a second consecutive empty plan is
             // a dead end. (The 0.1.12 loop spun this 4x on Axiom.)
             const hadFill = plan.actions.some((a) => a.kind === "fill");
+            // A check is ALSO a field edit = real progress, even though (unlike
+            // a fill) it doesn't promote the plan to the submit path below.
+            // (The form-fill plan vocabulary is fill/check/click — `select`
+            // belongs to the post-verify loop.) Treat a check as progress for
+            // the no-progress tracker only: a plan that ticked a box advanced
+            // the form, so its click selectors must NOT be recorded as "dead"
+            // (and any prior dead record is cleared). Without this, a "click
+            // Next (no advance) → tick a required box + re-click Next" cycle
+            // false-bailed as a loop even though the check was progress.
+            const hadFieldEdit = plan.actions.some((a) => a.kind === "fill" || a.kind === "check");
             if (!hadFill) {
                 if (plan.actions.length === 0) {
                     emptyPlans += 1;
@@ -4142,8 +4622,12 @@ export class SignupAgent {
                 // F14 — record the click selectors that didn't advance the
                 // page. The next plan's stuck-detection check (above) bails
                 // if it picks the same ones again. Hint also tells the
-                // planner which selectors NOT to re-pick.
-                lastNoProgressClickSelectors = new Set(planClickSelectors);
+                // planner which selectors NOT to re-pick. A plan that ALSO made
+                // a field edit (select/check) made real progress, so clear the
+                // tracker instead of recording its clicks as dead.
+                lastNoProgressClickSelectors = hadFieldEdit
+                    ? new Set()
+                    : new Set(planClickSelectors);
                 const avoidHint = planClickSelectors.length > 0
                     ? ` AVOID these selectors — they were clicked but the page did NOT advance: ${planClickSelectors.map((s) => JSON.stringify(s)).join(", ")}.`
                     : "";
@@ -4268,8 +4752,30 @@ export class SignupAgent {
             // the next planner iteration handles SPA settle.
             await this.browser.wait(2);
             const postGate = await this.runCaptchaGate("Post-submit", steps);
-            if (postGate.blocked)
+            if (postGate.blocked) {
+                // A managed/invisible Turnstile (Clerk's Smart CAPTCHA) resolves
+                // SERVER-SIDE: the submit can succeed — account created, verification
+                // email sent — even though our client-side token poll timed out.
+                // cartesia PROVED this: it emailed a verification code AFTER the bot had
+                // bailed captcha_blocked. The ground truth of "did the submit go
+                // through" is the INBOX, not the client token. So for a POST-submit
+                // Turnstile with an inbox available, don't hard-bail: proceed to the
+                // verification step and let the inbox poll arbitrate — a code arriving
+                // proves the managed Turnstile passed (→ completes); no code surfaces
+                // an honest verification_not_sent rather than a false captcha_blocked.
+                // A genuine pre-submit gate (no inbox, or a non-Turnstile challenge)
+                // still bails captcha_blocked.
+                if (postGate.kind === "turnstile" && task.inbox !== undefined) {
+                    steps.push("Post-submit Turnstile token didn't populate — but a managed Turnstile resolves " +
+                        "server-side, so the submit may have gone through. Proceeding to verification; " +
+                        "the inbox poll arbitrates (a code = submit succeeded).");
+                    // Don't let the recorded block short-circuit later gates / the result.
+                    this.captchaEncounter = undefined;
+                    await this.captureSignupFormRounds(task.service, plan, inventory, fillValues);
+                    return { kind: "submitted" };
+                }
                 return { kind: "captcha_blocked", captchaKind: postGate.kind };
+            }
             if (postGate.found && postGate.solved) {
                 // Re-click submit so the populated token ships with the form.
                 try {
@@ -4304,6 +4810,416 @@ export class SignupAgent {
             return { kind: "submitted" };
         }
     }
+    // FORM_FILL_ENGINE path (strangler slice 3) — the same round as
+    // planExecuteWithRetry, but every DECISION goes through the pure
+    // decideFormFillStep reducer (form-fill.ts); this method owns only the I/O and
+    // the replan-hint CONTENT. Faithful to the inline loop; reuses its helpers.
+    async planExecuteViaEngine(task, fillValues, steps, forceFormFill) {
+        let state = initialFormFillState(forceFormFill);
+        let hint;
+        // Map a reducer terminal outcome to PlanExecOutcome. needs_oauth_provider_session
+        // + oauth carry provider IDs the executor holds in typed form — pass those in.
+        const toPlanExec = (outcome, typed) => {
+            switch (outcome.kind) {
+                case "oauth":
+                    return { kind: "oauth", selector: typed.oauth.selector, provider: typed.oauth.provider };
+                case "needs_oauth_provider_session":
+                    return {
+                        kind: "needs_oauth_provider_session",
+                        missingProviders: typed.missingProviders,
+                        haveSessions: typed.haveSessions,
+                    };
+                default:
+                    return outcome;
+            }
+        };
+        const oauthCandidates = await this.resolveOAuthCandidates(task, steps);
+        for (;;) {
+            await this.browser.waitForFormReady();
+            const dismissed = await this.browser.dismissConsentBanner();
+            if (dismissed !== null)
+                steps.push(`Dismissed cookie consent: "${dismissed}"`);
+            await saveDebugSnapshot(this.browser, "before-fill");
+            const [browserState, inventory] = await Promise.all([
+                this.browser.getState(),
+                this.buildInventory(steps, oauthCandidates),
+            ]);
+            // ── C1 pre_plan: gather the observation, then decide ──
+            const hasFillableInput = inventory.some((e) => e.tag === "input" &&
+                (e.type === "email" || e.type === "text" || e.type === "password" || e.type === null) &&
+                e.visible !== false);
+            const wallAlias = extractVerifyWallAlias(browserState.html);
+            const ourInboxDomain = task.email.slice(task.email.indexOf("@") + 1).toLowerCase();
+            const aliasPollable = wallAlias === null ||
+                wallAlias.slice(wallAlias.indexOf("@") + 1).toLowerCase() === ourInboxDomain;
+            const oauthButtonHitRaw = findFirstOAuthButton(inventory, oauthCandidates);
+            const offersOAuthSignup = oauthCandidates.length > 0 && oauthButtonHitRaw !== null;
+            const verifyWall = !hasFillableInput &&
+                expectsVerificationEmail(browserState.html) &&
+                aliasPollable &&
+                !offersOAuthSignup;
+            const hasCredentialInput = inventory.some((e) => e.tag === "input" && (e.type === "email" || e.type === "password" || e.type === "tel"));
+            // LAZY (parity with inline agent.ts:4823): the loading-shell check calls
+            // extractText() — an I/O read — so only compute it when the OAuth-scan
+            // branch will actually consult it (candidates present, NOT committed, and
+            // no provider button hit yet). Computing it unconditionally would fire a
+            // spurious extractText() every round and diverge from the inline path.
+            const needScanShell = oauthCandidates.length > 0 && !state.committedToEmailPath && oauthButtonHitRaw === null;
+            const oauthScanShell = needScanShell &&
+                (inventory.length <= 1 ||
+                    !hasCredentialInput ||
+                    isLoadingShellText(await this.browser.extractText().catch(() => "")));
+            const signInAdvance = findSignInAdvanceButton(inventory, oauthCandidates);
+            const antiBotVendor = inventory.length < 10 ? detectAntiBotBlock(browserState.html) : null;
+            const oauthOnly = isOauthOnlyChooser(inventory);
+            let missingProviders = [];
+            let haveSessions = [];
+            if (oauthOnly) {
+                const visibleProviders = detectOAuthProvidersInInventory(inventory);
+                haveSessions = await this.effectiveLoggedInProviders();
+                missingProviders = visibleProviders.filter((p) => !haveSessions.includes(p));
+            }
+            const preObs = {
+                checkpoint: "pre_plan",
+                hasFillableInput,
+                verifyWall,
+                codeGate: isVerificationCodeGate(inventory, browserState.html),
+                oauthCandidatesPresent: oauthCandidates.length > 0,
+                oauthButtonHit: oauthButtonHitRaw !== null
+                    ? { selector: oauthButtonHitRaw.button.selector, provider: oauthButtonHitRaw.provider }
+                    : null,
+                oauthScanShell,
+                alreadySignedIn: detectAlreadySignedIn({ inventory, url: browserState.url }),
+                signInAdvancePresent: signInAdvance !== null,
+                antiBotVendor,
+                oauthOnly,
+                oauthOnlyMissingProviders: missingProviders,
+                oauthOnlyHaveSessions: haveSessions,
+            };
+            const pre = decideFormFillStep(state, preObs);
+            state = pre.nextState;
+            const preAct = pre.action;
+            if (preAct.kind === "route_to_verification") {
+                this.pendingVerificationAlias = wallAlias;
+                steps.push(`Form: email-verification wall (no fields to fill${wallAlias !== null ? `, check ${wallAlias}` : ""}) — ` +
+                    `routing to the inbox-poll + verification-link flow.`);
+                const resend = inventory.find((e) => {
+                    if (e.tag !== "button" && e.tag !== "a")
+                        return false;
+                    const t = `${e.visibleText ?? ""} ${e.ariaLabel ?? ""}`.toLowerCase();
+                    return /resend (?:verification )?(?:email|link)|send (?:it )?again/.test(t);
+                });
+                if (resend !== undefined) {
+                    try {
+                        await this.browser.click(resend.selector);
+                        steps.push(`Form: clicked "Resend verification email" to refresh the link.`);
+                        await this.browser.wait(2);
+                    }
+                    catch {
+                        // non-fatal
+                    }
+                }
+                return { kind: "submitted" };
+            }
+            if (preAct.kind === "terminal") {
+                if (preAct.outcome.kind === "oauth" && oauthButtonHitRaw !== null) {
+                    const label = OAUTH_PROVIDERS[oauthButtonHitRaw.provider].label;
+                    steps.push(`OAuth-first: found a ${label} sign-in affordance ` +
+                        `(${JSON.stringify(oauthButtonHitRaw.button.visibleText ?? oauthButtonHitRaw.button.ariaLabel ?? label)}) ` +
+                        `— taking the OAuth path`);
+                }
+                return toPlanExec(preAct.outcome, {
+                    oauth: oauthButtonHitRaw !== null
+                        ? { selector: oauthButtonHitRaw.button.selector, provider: oauthButtonHitRaw.provider }
+                        : undefined,
+                    missingProviders,
+                    haveSessions,
+                });
+            }
+            if (preAct.kind === "oauth_scan_wait") {
+                steps.push(`OAuth-first[engine]: no provider affordance yet — waiting for async render ` +
+                    `(retry ${state.oauthScanRetries}${oauthScanShell ? ", loading shell" : ""})`);
+                await this.browser.wait(3);
+                continue;
+            }
+            if (preAct.kind === "oauth_shell_reload") {
+                steps.push(`OAuth-first[engine]: page stuck as a loading shell — reloading once to unstick the SPA`);
+                try {
+                    await this.browser.goto(this.browser.currentUrl());
+                    await this.browser.waitForFormReady();
+                }
+                catch {
+                    // reload failed — re-loop and let the terminal handling take over
+                }
+                continue;
+            }
+            if (preAct.kind === "sign_in_advance" && signInAdvance !== null) {
+                steps.push(`OAuth-first: no provider affordance, but found a generic ` +
+                    `sign-in affordance (${JSON.stringify(signInAdvance.visibleText ?? signInAdvance.ariaLabel ?? "")}) ` +
+                    `— clicking it to advance to the real login page ` +
+                    `(${state.signInAdvanceClicks}/${B_FF.MAX_SIGN_IN_ADVANCE_CLICKS})`);
+                try {
+                    await this.browser.click(signInAdvance.selector);
+                }
+                catch (err) {
+                    steps.push(`OAuth-first[engine]: sign-in advance click failed (${err instanceof Error ? err.message : String(err)})`);
+                }
+                continue;
+            }
+            // preAct.kind === "run_planner" → fall through to the planner.
+            steps.push("Asking Claude to plan the signup form fill...");
+            let plan;
+            try {
+                plan = await this.planSignupForm({
+                    service: task.service,
+                    url: browserState.url,
+                    inventory,
+                    screenshot: browserState.screenshot,
+                    ...(hint !== undefined ? { hint } : {}),
+                });
+            }
+            catch (err) {
+                // ── C2 plan_error ──
+                const reason = err instanceof Error ? err.message : String(err);
+                const isUpstreamBlip = /\b50[234]\b/.test(reason) ||
+                    /\bupstream_(?:error|unreachable)\b/i.test(reason) ||
+                    /\bnetwork error\b/i.test(reason);
+                const pe = decideFormFillStep(state, { checkpoint: "plan_error", isUpstreamBlip, reason });
+                state = pe.nextState;
+                if (pe.action.kind === "terminal")
+                    return toPlanExec(pe.action.outcome);
+                if (pe.action.kind === "blip_retry") {
+                    steps.push(`⚠ planner request hit a transient upstream blip (${reason}) — retrying`);
+                    await this.browser.wait(2);
+                    continue;
+                }
+                // replan (selector_not_in_inventory)
+                steps.push(`⚠ plan rejected (${reason}) — re-planning`);
+                hint =
+                    "Your previous plan used a selector not in the inventory. Use ONLY selectors copied verbatim from a `selector=` field.";
+                continue;
+            }
+            steps.push(`Plan: ${plan.actions.length} action(s), confidence=${plan.confidence}` +
+                (plan.notes !== undefined ? ` — ${plan.notes}` : ""));
+            // ── C3 post_plan ──
+            const planClickSelectors = plan.actions
+                .filter((a) => a.kind === "click")
+                .map((a) => a.selector);
+            const planEditsAField = plan.actions.some((a) => a.kind === "fill" || a.kind === "check");
+            const pageSig = browserState.url + "§" + inventory.map((e) => e.selector).sort().join("|");
+            const bySelector = new Map(inventory.map((e) => [e.selector, e]));
+            const miss = await this.verifyPlan(plan, bySelector);
+            const post = decideFormFillStep(state, {
+                checkpoint: "post_plan",
+                isDashboard: detectFormFillIsDashboard(plan),
+                pageSig,
+                planClickSelectors,
+                planEditsAField,
+                verifyMiss: miss,
+                verifyMissNotCheckbox: miss !== null && miss.includes("not a checkbox"),
+            });
+            state = post.nextState;
+            if (post.action.kind === "terminal") {
+                if (post.action.outcome.kind === "planning_failed") {
+                    steps.push(`Form[engine]: post-plan → planning_failed (${post.action.outcome.reason})`);
+                }
+                return toPlanExec(post.action.outcome);
+            }
+            if (post.action.kind === "replan") {
+                if (post.action.hintKind === "drop_the_check") {
+                    steps.push(`⚠ planned selectors did not verify (${miss}) — re-planning`);
+                    hint =
+                        `These selectors did not resolve correctly: ${miss}. Pick different inventory entries.` +
+                            " If the inventory has NO input of type=checkbox, OMIT the check" +
+                            " action entirely — do not substitute a link or a button. The" +
+                            " agreement may be implicit or pre-accepted.";
+                }
+                else {
+                    steps.push(`⚠ planned selectors did not verify (${miss}) — re-planning`);
+                    hint = `These selectors did not resolve correctly: ${miss}. Pick different inventory entries.`;
+                }
+                continue;
+            }
+            // post.action.kind === "execute_plan"
+            await this.executePlan(plan, fillValues, steps, bySelector);
+            // ── C4 post_execute ──
+            const hadFill = plan.actions.some((a) => a.kind === "fill");
+            const hadFieldEdit = plan.actions.some((a) => a.kind === "fill" || a.kind === "check");
+            const clickedEmailAffordance = plan.actions.some((a) => a.kind === "click" && /\bemail\b/i.test(a.reason));
+            const wasCommitted = state.committedToEmailPath;
+            const px = decideFormFillStep(state, {
+                checkpoint: "post_execute",
+                clickedEmailAffordance,
+                planClickSelectors,
+                hadFill,
+                hadFieldEdit,
+                planActionCount: plan.actions.length,
+            });
+            state = px.nextState;
+            if (!wasCommitted && state.committedToEmailPath) {
+                steps.push("Committed to email-fill path — auto-OAuth-first scan suppressed for the rest of this signup");
+            }
+            if (px.action.kind === "terminal") {
+                steps.push(`Form[engine]: post-execute → planning_failed`);
+                return toPlanExec(px.action.outcome);
+            }
+            if (px.action.kind === "replan") {
+                const avoidHint = planClickSelectors.length > 0
+                    ? ` AVOID these selectors — they were clicked but the page did NOT advance: ${planClickSelectors.map((s) => JSON.stringify(s)).join(", ")}.`
+                    : "";
+                steps.push(plan.actions.length === 0
+                    ? "Plan found nothing to act on — re-checking once for a late render"
+                    : "Plan only revealed the page — re-planning the now-visible form");
+                hint =
+                    "The previous step revealed or advanced the page. Plan the signup form that should now be visible." +
+                        avoidHint;
+                continue;
+            }
+            // px.action.kind === "submit"
+            const agreementBoxes = await this.browser.checkRequiredAgreementBoxes();
+            if (agreementBoxes.length > 0) {
+                steps.push(`Form: checked required agreement box(es): [${agreementBoxes.join(", ")}]`);
+            }
+            // ── C4 post_submit: gather facts incrementally (the reducer's priority-order
+            // checks make an early-blocking pre-gate correct even with default tails). ──
+            const preGate = await this.runCaptchaGate("Pre-submit", steps);
+            let submitError = null;
+            let submitDisabled = false;
+            let submitTimeout = false;
+            let postGateBlocked = false;
+            let postGateKind = "";
+            let validationFailure = false;
+            if (!preGate.blocked) {
+                steps.push(`Submit → ${plan.submit_selector}`);
+                try {
+                    await this.browser.clickSubmit(plan.submit_selector);
+                }
+                catch (err) {
+                    submitError = err instanceof Error ? err.message : String(err);
+                    submitDisabled = submitError.startsWith("submit_disabled");
+                    submitTimeout = !submitDisabled && isSubmitTimeout(submitError);
+                }
+                if (submitError === null) {
+                    await this.browser.wait(2);
+                    const postGate = await this.runCaptchaGate("Post-submit", steps);
+                    postGateBlocked = postGate.blocked;
+                    postGateKind = postGate.kind;
+                    if (!postGate.blocked && postGate.found && postGate.solved) {
+                        try {
+                            await this.browser.click(plan.submit_selector);
+                            await this.browser.wait(3);
+                        }
+                        catch (err) {
+                            steps.push(`⚠ post-captcha submit retry failed: ${err instanceof Error ? err.message : String(err)}`);
+                        }
+                    }
+                    if (!postGate.blocked) {
+                        const afterText = (await this.browser.extractText()).slice(0, 4000);
+                        validationFailure = this.looksLikeValidationFailure(afterText);
+                        if (validationFailure)
+                            hint = `The previous submit produced validation errors. Visible page text: ${afterText.slice(0, 600)}`;
+                    }
+                }
+            }
+            const ps = decideFormFillStep(state, {
+                checkpoint: "post_submit",
+                preGateBlocked: preGate.blocked,
+                preGateKind: preGate.kind,
+                submitError,
+                submitDisabled,
+                submitTimeout,
+                postGateBlocked,
+                postGateKind,
+                hasInbox: task.inbox !== undefined,
+                validationFailure,
+            });
+            state = ps.nextState;
+            if (ps.action.kind === "replan") {
+                if (ps.action.hintKind === "submit_disabled") {
+                    steps.push(`⚠ ${submitError} — re-planning to satisfy it`);
+                    hint = await this.buildSubmitDisabledHint(steps);
+                }
+                else if (ps.action.hintKind === "submit_went_stale") {
+                    steps.push(`⚠ submit selector went stale — the page likely advanced; re-planning`);
+                    hint =
+                        "The submit button selected last round was no longer present when " +
+                            "we tried to click it — an earlier action probably advanced the page. " +
+                            "Re-read the now-visible form and plan the next step (pick the submit " +
+                            "button that is actually on the current screen).";
+                }
+                else {
+                    steps.push("Post-submit validation errors — re-planning");
+                    // hint already set above from afterText
+                }
+                continue;
+            }
+            if (ps.action.kind === "terminal") {
+                // Match the inline step trail: a genuine (non-disabled, non-timeout)
+                // submit error logs "submit click failed" before failing.
+                if (ps.action.outcome.kind === "submit_failed" &&
+                    submitError !== null &&
+                    !submitDisabled &&
+                    !submitTimeout) {
+                    steps.push(`⚠ submit click failed: ${submitError}`);
+                }
+                if (ps.action.outcome.kind === "submitted" && postGateBlocked && postGateKind === "turnstile") {
+                    // managed-Turnstile + inbox flip: clear the recorded block so it can't
+                    // short-circuit a later gate, and capture the form rounds.
+                    steps.push("Post-submit Turnstile token didn't populate — managed Turnstile resolves server-side; " +
+                        "proceeding to verification (the inbox poll arbitrates).");
+                    this.captchaEncounter = undefined;
+                }
+                if (ps.action.outcome.kind === "submitted") {
+                    await this.captureSignupFormRounds(task.service, plan, inventory, fillValues);
+                }
+                return toPlanExec(ps.action.outcome);
+            }
+        }
+    }
+    // The submit_disabled replan hint CONTENT (review Q2 — the executor owns this;
+    // the reducer only emits the intent). A fresh inventory snapshot lists concrete
+    // unchecked-checkbox + empty-input candidates so the planner picks one
+    // immediately. Best-effort: a snapshot failure falls back to the generic prose.
+    async buildSubmitDisabledHint(steps) {
+        let uncheckedHint = "";
+        let emptyInputHint = "";
+        try {
+            const snapshotInv = await this.buildInventory(steps, undefined, 60);
+            const unchecked = snapshotInv.filter((e) => e.tag === "input" &&
+                (e.type === "checkbox" || e.role === "checkbox") &&
+                e.checked === false &&
+                e.visible === true);
+            if (unchecked.length > 0) {
+                const lines = unchecked.slice(0, 6).map((e) => {
+                    const label = (e.labelText ?? e.ariaLabel ?? e.placeholder ?? e.name ?? "(no label)").toString().slice(0, 60);
+                    return `  - selector ${JSON.stringify(e.selector)} label=${JSON.stringify(label)}`;
+                });
+                uncheckedHint = `\nUnchecked checkboxes visible on the page:\n${lines.join("\n")}`;
+            }
+            const emptyInputs = snapshotInv.filter((e) => e.tag === "input" &&
+                e.type !== "checkbox" &&
+                e.type !== "radio" &&
+                e.type !== "hidden" &&
+                (e.value === null || e.value === "") &&
+                e.visible === true);
+            if (emptyInputs.length > 0) {
+                const lines = emptyInputs.slice(0, 6).map((e) => {
+                    const label = (e.labelText ?? e.placeholder ?? e.ariaLabel ?? e.name ?? "(no label)").toString().slice(0, 60);
+                    return `  - selector ${JSON.stringify(e.selector)} label=${JSON.stringify(label)}`;
+                });
+                emptyInputHint = `\nEmpty visible inputs (any could be the unmet required field):\n${lines.join("\n")}`;
+            }
+        }
+        catch {
+            // best-effort
+        }
+        return ("The submit button is disabled — a required field or an agreement " +
+            "was not satisfied. Issue {\"kind\":\"check\"} on an unchecked " +
+            "agreement/terms checkbox, OR {\"kind\":\"fill\"} on an empty " +
+            "required input. Do NOT click a link." +
+            uncheckedHint +
+            emptyInputHint);
+    }
     // Emit the signup-form-fill rounds (email + password + submit) into the
     // capture chain. Shares this.captureChainRound with the post-verify loop
     // so the two phases form one contiguous 0..N chain. The captured email
@@ -4329,6 +5245,11 @@ export class SignupAgent {
                     state,
                     inventory,
                     observed,
+                    // Fix C4 — the form-plan's backend (planSignupForm ran before
+                    // this synthetic preamble capture, so lastResolved* still reflect
+                    // it). These preamble rounds replay the one plan; one backend.
+                    ...(this.lastResolvedModel !== undefined ? { resolved_model: this.lastResolvedModel } : {}),
+                    ...(this.lastResolvedProvider !== undefined ? { resolved_provider: this.lastResolvedProvider } : {}),
                 });
                 this.captureChainRound += 1;
             };
@@ -4570,8 +5491,10 @@ export class SignupAgent {
         return [...new Set([...fromMarker, ...live])];
     }
     async resolveOAuthCandidates(task, steps) {
-        if (task.forceForm === true) {
-            steps.push("Force-form: OAuth-first scan suppressed — taking the email/password path");
+        if (task.forceForm === true || this.committedToEmailPath) {
+            steps.push(this.committedToEmailPath
+                ? "Committed to email path (OAuth was login-only) — OAuth-first scan suppressed"
+                : "Force-form: OAuth-first scan suppressed — taking the email/password path");
             return [];
         }
         const ordered = orderOAuthCandidates(task.oauthProvider, await this.effectiveLoggedInProviders());
@@ -4735,14 +5658,31 @@ export class SignupAgent {
             // permission scope, 5 short of the API key. Failed calls produce
             // no progress; charging them against the budget is wrong. Behave
             // like a meter: only count consumption that actually delivered.
+            // Text-only planner experiment (BOT_PLANNER_TEXT_ONLY, default-off).
+            // The DOM inventory is the authoritative action space — the planner
+            // may only pick a selector the bot supplied, so the screenshot can
+            // never expand the move set. This strips the screenshot from
+            // NAVIGATION-PLANNER calls (deterministic=true) ONLY, leaving genuine
+            // vision calls (2SV number-read, on-screen key extraction) untouched,
+            // to measure whether the image earns its latency + token cost.
+            const plannerTextOnly = args.deterministic === true &&
+                /^(1|true|on)$/i.test(process.env.BOT_PLANNER_TEXT_ONLY ?? "");
+            const userBlocks = plannerTextOnly
+                ? args.userBlocks.filter((b) => b.kind !== "image")
+                : args.userBlocks;
             const resp = await client.createMessage({
                 system: args.system,
-                user: args.userBlocks,
+                user: userBlocks,
                 max_tokens: args.maxTokens,
                 ...(args.temperature !== undefined ? { temperature: args.temperature } : {}),
+                ...(args.deterministic === true ? { deterministic: true } : {}),
             });
             this.llmCallCount += 1;
             this.backendsUsed.push(resp.backend);
+            // Fix C4 — remember the served model/provider so the capture sites
+            // can stamp this round with what actually produced the plan.
+            this.lastResolvedModel = resp.resolved_model;
+            this.lastResolvedProvider = resp.resolved_provider;
             return resp.text;
         };
         const primaryRaw = await callOne(this.llmPair.primary);
@@ -4825,6 +5765,9 @@ export class SignupAgent {
         // (Google number-match etc.). Without it, the run still works —
         // steps are just only visible in the final result.
         const steps = task.stepsSink ?? [];
+        // Fresh per-run: don't let a prior run's email-path commitment leak.
+        this.committedToEmailPath = false;
+        this.oauthEmailFallbackTried = false;
         // Stash the service name so the diagnostic uploader (called from
         // deep inside postVerifyLoop after a failed extract) can label
         // the snapshot without us threading task through every method.
@@ -5318,6 +6261,10 @@ export class SignupAgent {
                             // /signup form), fill it IN PLACE — re-navigating to task.signupUrl
                             // could bounce back to the demo. Otherwise re-navigate (the
                             // login-only / no-account case left us on a /login page).
+                            // OAuth was login-only (no account for this identity). Commit to the
+                            // email path for the rest of the run so the dispatch loop's
+                            // OAuth-first scan doesn't re-click Google and loop.
+                            this.committedToEmailPath = true;
                             const onSignupFormHtml = (await this.browser.getState().catch(() => null))?.html ?? "";
                             if (classifySignupHtml(onSignupFormHtml) === "signup") {
                                 steps.push(`OAuth recovery already on a signup form ` +
@@ -5484,7 +6431,7 @@ export class SignupAgent {
                     //     created, so transactional mail is plausibly inbound and
                     //     can outlast the 45s probe; bounded below the full timeout).
                     const verificationTimeoutSeconds = expectsEmail
-                        ? (task.verificationTimeoutSeconds ?? 180)
+                        ? (task.verificationTimeoutSeconds ?? VERIFY_EMAIL_CEILING_SECONDS)
                         : submitRejected
                             ? VERIFICATION_PROBE_SECONDS
                             : SUBMITTED_PROBE_FLOOR_SECONDS;
@@ -5500,36 +6447,108 @@ export class SignupAgent {
                             // URL-keyword scorer first; if it can't see past a click-tracker
                             // wrapper, fall back to matching the link's ANCHOR TEXT in the
                             // HTML body (amplitude's SendGrid-wrapped "Activate account").
+                            // The service's own host — for the same-domain link fallback
+                            // below. The current page IS the service (its confirm-email
+                            // wall), so its URL is the most reliable source; task.signupUrl
+                            // backs it up.
+                            let serviceHost = null;
+                            try {
+                                serviceHost = new URL((await this.browser.getState()).url).hostname;
+                            }
+                            catch {
+                                /* fall through to signupUrl */
+                            }
+                            if (serviceHost === null && task.signupUrl !== undefined) {
+                                try {
+                                    serviceHost = new URL(task.signupUrl).hostname;
+                                }
+                                catch {
+                                    /* leave null */
+                                }
+                            }
                             const verifyLink = this.pickVerificationLink(Array.from(email.parsed_links)) ??
-                                pickVerificationLinkFromHtml(email.body_html ?? "");
+                                pickVerificationLinkFromHtml(email.body_html ?? "") ??
+                                pickServiceDomainLink(Array.from(email.parsed_links), serviceHost);
                             if (verifyLink !== null) {
-                                steps.push(`Following verification link: ${verifyLink}`);
-                                await this.browser.goto(verifyLink);
-                                // PERF: a 1s settle is enough for the verify landing
-                                // page to commit cookies + render the post-verify
-                                // dashboard. Previous 3s was over-cautious.
-                                await this.browser.wait(1);
-                                await saveDebugSnapshot(this.browser, "after-verify");
-                                // Verify-link SPA bounce (MEASURED 2026-06-09: amplitude). The
-                                // emailed link is a click-tracker that redirects to
-                                // app.amplitude.com/signup?token=… — the token IS consumed
-                                // server-side, but the single-page app still renders the
-                                // "check your email" wall until the client re-fetches session
-                                // state. The post-verify loop then can't get past it. A single
-                                // reload makes the SPA re-read the now-verified session.
-                                // Bounded + guarded on the wall still showing, so a service
-                                // that verified cleanly pays nothing.
-                                try {
-                                    const afterText = await this.browser.extractText();
-                                    if (expectsVerificationEmail(afterText)) {
-                                        steps.push("Verification link landed but the page still shows the email-verify wall — reloading so the SPA re-reads the verified session.");
-                                        await this.browser.reload();
+                                // Firebase email-action link → verify via the REST API
+                                // IMMEDIATELY (clean ms-latency POST) instead of the browser
+                                // SPA, which (portkey, 2026-06-17) landed on "link expired".
+                                // This races a short oobCode TTL, issues the single-use code
+                                // once, AND diagnoses: an EXPIRED error here proves the code is
+                                // dead at receipt (mail-pipeline latency), not a browser bug.
+                                const fbAction = parseFirebaseEmailAction(verifyLink);
+                                let firebaseVerified = false;
+                                if (fbAction !== null) {
+                                    const r = await applyFirebaseEmailVerification(fbAction.apiKey, fbAction.oobCode);
+                                    firebaseVerified = r.ok;
+                                    steps.push(r.ok
+                                        ? `Verified the email directly via Firebase REST (${r.email ?? "account"} now verified) — bypassing the browser link.`
+                                        : `Firebase REST verify did not succeed (${r.error ?? "unknown"}) — oobCode appears dead at receipt; falling back to the browser link.`);
+                                }
+                                if (firebaseVerified) {
+                                    // Email verified server-side → go to the app and log in
+                                    // (two-stage aware); extraction below then reaches the key.
+                                    try {
+                                        await this.browser.goto(new URL(verifyLink).origin);
+                                        await this.browser.wait(2);
+                                        await this.loginWithCredentials(task.email, password, steps);
                                         await this.browser.wait(2);
                                     }
+                                    catch (err) {
+                                        steps.push(`Post-Firebase-verify login errored (non-fatal): ${err instanceof Error ? err.message : String(err)}`);
+                                    }
                                 }
-                                catch {
-                                    // best-effort — fall through to extraction regardless
-                                }
+                                else {
+                                    steps.push(`Following verification link: ${verifyLink}`);
+                                    await this.browser.goto(verifyLink);
+                                    // PERF: a 1s settle is enough for the verify landing
+                                    // page to commit cookies + render the post-verify
+                                    // dashboard. Previous 3s was over-cautious.
+                                    await this.browser.wait(1);
+                                    await saveDebugSnapshot(this.browser, "after-verify");
+                                    // Verify-link SPA bounce (MEASURED 2026-06-09: amplitude). The
+                                    // emailed link is a click-tracker that redirects to
+                                    // app.amplitude.com/signup?token=… — the token IS consumed
+                                    // server-side, but the single-page app still renders the
+                                    // "check your email" wall until the client re-fetches session
+                                    // state. The post-verify loop then can't get past it. A single
+                                    // reload makes the SPA re-read the now-verified session.
+                                    // Bounded + guarded on the wall still showing, so a service
+                                    // that verified cleanly pays nothing.
+                                    try {
+                                        const afterText = await this.browser.extractText();
+                                        if (expectsVerificationEmail(afterText)) {
+                                            steps.push("Verification link landed but the page still shows the email-verify wall — reloading so the SPA re-reads the verified session.");
+                                            await this.browser.reload();
+                                            await this.browser.wait(2);
+                                        }
+                                    }
+                                    catch {
+                                        // best-effort — fall through to extraction regardless
+                                    }
+                                    // Expired/used single-use verification link (portkey,
+                                    // 2026-06-17). A fresh Firebase oobCode that reads "expired" on
+                                    // first touch was consumed upstream by a mail link-scanner —
+                                    // which ALSO ran the verification server-side, so the email is
+                                    // already verified. Don't fail: log in with the signup
+                                    // credentials (the account is ready) and let the extraction +
+                                    // post-verify loop below reach the key. Generalizes to every
+                                    // single-use verify-link flow (Firebase et al.).
+                                    try {
+                                        const linkText = await this.browser.extractText();
+                                        if (verificationLinkFailed(linkText)) {
+                                            steps.push("Verification link reported expired/used — a single-use link is typically burned by an upstream mail scanner, which also completes verification server-side. Treating the email as verified and logging in with the signup credentials.");
+                                            const origin = new URL(verifyLink).origin;
+                                            await this.browser.goto(origin);
+                                            await this.browser.wait(2);
+                                            await this.loginWithCredentials(task.email, password, steps);
+                                            await this.browser.wait(2);
+                                        }
+                                    }
+                                    catch (err) {
+                                        steps.push(`Post-expiry login attempt errored (non-fatal): ${err instanceof Error ? err.message : String(err)}`);
+                                    }
+                                } // end browser-link fallback (non-Firebase path)
                                 // Try extracting first — many services drop the API key
                                 // straight onto the landing page after verification.
                                 credentials = await this.extractCredentials();
@@ -5562,7 +6581,12 @@ export class SignupAgent {
                                     credentials = await this.enterEmailVerificationCode(bodyCode, task, password, steps);
                                 }
                                 else {
-                                    steps.push("Email had no usable verification link or code.");
+                                    // Diagnostic (arize, 2026-06-17): the email arrived but
+                                    // neither scorer found a usable link and no code parsed —
+                                    // dump the candidate hrefs so the next run shows WHY (e.g. an
+                                    // image-only button, or anchor text the scorer doesn't weight).
+                                    const hrefs = email.parsed_links.slice(0, 8).join(" | ");
+                                    steps.push(`Email had no usable verification link or code. parsed_links(${email.parsed_links.length}): ${hrefs || "(none)"}`);
                                 }
                             }
                         }
@@ -5596,6 +6620,43 @@ export class SignupAgent {
                     ...this.resultTail(),
                 };
             }
+            // Before the generic no-credentials miss: a service that completed the
+            // signup form and then dropped the account into a manual-approval gate
+            // (waiting room / waitlist / pending review). Same terminal, non-demoting
+            // onboarding_blocked status the OAuth path uses — there's no key to reach
+            // until a human approves the account, so don't surface it as a generic
+            // failure (which can wrongly chase a code bug) or punish a skill for it.
+            //
+            // ONLY when verification did NOT time out. A pending email-verification
+            // page ("check your email", "we sent a code") can read as a review gate
+            // to the classifier, but the authoritative cause there is the missing
+            // mail (verification_not_sent) — anthropic mislabeled as onboarding_blocked
+            // exactly this way. If we were waiting on an email that never came, that
+            // is the failure; don't reinterpret it as a manual-review gate.
+            const reviewGateText = verificationFailed === undefined ? await this.browser.extractText().catch(() => "") : "";
+            // Closed / invite-only registration takes precedence over the review-gate
+            // and the generic miss — no account can be created, so it's terminally
+            // unservable (dequeue), not a fixable nav bug. Checked only when
+            // verification didn't time out (same reasoning as the review gate).
+            if (verificationFailed === undefined && isSignupsClosed(reviewGateText)) {
+                return {
+                    success: false,
+                    error: `signups_closed: ${task.service} is not accepting new self-serve sign-ups ` +
+                        `(closed / invite-only registration) — no account can be created. Dequeue or sign up manually once open.`,
+                    steps,
+                    ...this.resultTail(),
+                };
+            }
+            if (isOnboardingReviewGate(verificationFailed, reviewGateText)) {
+                return {
+                    success: false,
+                    error: `onboarding_blocked: ${task.service} put the account into a manual review / ` +
+                        `waitlist gate after signup — no API key is obtainable until a human approves ` +
+                        `the account. Finish the signup manually once access is granted.`,
+                    steps,
+                    ...this.resultTail(),
+                };
+            }
             return {
                 success: false,
                 error: verificationFailed ?? "Could not find credentials on page or via email",
@@ -5888,6 +6949,14 @@ export class SignupAgent {
         // complete first.
         let consentAdvanceWaits = 0;
         const MAX_CONSENT_ADVANCE_WAITS = 3;
+        // OAUTH_ENGINE (default-ON since 2026-06-15): route the CONSENT decision
+        // through the pure reducer (oauth-flow.ts, eng-reviewed) instead of the inline
+        // scope-gate branches below. Flipped after live validation drove a real Google
+        // consent screen both ways — advance_consent (opaque-scope→blind approve, full
+        // ipinfo OAuth signup succeeded) AND the abort-on-login-form safety invariant.
+        // The inline scope-gate block is kept one cycle as the explicit opt-out
+        // (OAUTH_ENGINE=0) and deleted next (DESIGN-oauth-consent-engine.md step 2).
+        const oauthEngineOn = !/^(0|false|off|no)$/i.test(process.env.OAUTH_ENGINE ?? "");
         for (let i = 0; i < MAX_OAUTH_NAV; i++) {
             if (this.browser.oauthPageClosed()) {
                 steps.push(`OAuth: the ${provider.label} window closed — handshake returned to the service`);
@@ -6154,6 +7223,80 @@ export class SignupAgent {
                 return this.oauthAbort("needs_login", `the bot's ${provider.label} session is missing or expired — no consent screen was reached. ` +
                     `Re-run \`${loginCmd}\` to re-establish it, then retry.`, steps);
             }
+            // authState === "consent" — route through the reducer when OAUTH_ENGINE is
+            // on (every path here continues or returns, so the inline block below is
+            // the default-off path). Faithful to the inline ordering; the executor owns
+            // the advance-success flag flip + the consentAdvanceWaits budget.
+            if (oauthEngineOn) {
+                const hasLoginForm = await this.oauthLoginFormPresent();
+                const scopes = extractOAuthScopes(url);
+                const dangerPhrases = provider.id === "google" ? scrapeGoogleScopePhrases(body) : [];
+                const consentDom = scopes === null ? await this.browser.extractText().catch(() => "") : "";
+                const { action } = decideOAuthStep({
+                    providerId: provider.id,
+                    consentAlreadyApproved,
+                    omniauthPostTried,
+                    allowBlindOAuthConsent: task.allowBlindOAuthConsent === true,
+                    allowExtraOAuthScopes: task.allowExtraOAuthScopes ?? [],
+                }, {
+                    isChooser: false,
+                    authState: "consent",
+                    hasLoginForm,
+                    omniAuthPassthru: false,
+                    scopes,
+                    dangerPhrases,
+                    domBasicFromDom: provider.id === "google" && googleConsentIsBasicFromDom(body),
+                    domBasicGis: provider.id === "google" && googleGisConsentIsBasic(consentDom),
+                }, { scopesAreBasic: (s) => provider.scopesAreBasic(s) });
+                steps.push(`OAuth[engine]: scopes=[${scopes === null ? "<unreadable>" : scopes.join(", ")}] → ` +
+                    `${action.kind}${action.kind === "advance_consent" ? `:${action.mode}` : ""}`);
+                // Faithful inline step trail: a readable all-basic approve logs the same
+                // "scopes all basic … auto-approving" line the inline scope-gate emits.
+                if (action.kind === "advance_consent" && action.mode === "approve" && scopes !== null) {
+                    steps.push(`OAuth: consent scopes all basic (${scopes.join(", ")}) — auto-approving`);
+                }
+                if (action.kind === "abort") {
+                    if (action.clearProviderLoggedIn)
+                        clearProviderLoggedIn(provider.id);
+                    const detail = action.reason === "needs_login"
+                        ? `landed on a ${provider.label} sign-in form / no session — re-run \`${loginCmd}\`, then retry. ` +
+                            `The bot will not type into ${provider.label}'s login form.`
+                        : action.unauthorizedScopes !== undefined
+                            ? `${provider.label} consent requests non-basic scopes: [${action.unauthorizedScopes.join(", ")}]. ` +
+                                `All requested: [${(scopes ?? []).join(", ")}]. Re-run provision with allow_extra_oauth_scopes set to proceed.`
+                            : `reached a ${provider.label} consent screen but could not safely auto-approve its scopes — approve it manually.`;
+                    return this.oauthAbort(action.reason, detail, steps);
+                }
+                // A consent observation only ever yields abort | advance_consent; this
+                // narrows the union for TS (and is a defensive no-op if it ever doesn't).
+                if (action.kind !== "advance_consent")
+                    break;
+                // advance_consent — perform the advance; flip the flag only on success.
+                const advanced = await this.browser.advanceOAuthConsent(provider.id);
+                if (advanced) {
+                    consentAlreadyApproved = true;
+                    await this.browser.wait(3);
+                    continue;
+                }
+                if (action.onAdvanceFail === "bounded_wait") {
+                    if (consentAdvanceWaits < MAX_CONSENT_ADVANCE_WAITS) {
+                        consentAdvanceWaits += 1;
+                        steps.push(`OAuth[engine]: approve control not present yet — waiting for hydrate/redirect ` +
+                            `(${consentAdvanceWaits}/${MAX_CONSENT_ADVANCE_WAITS})`);
+                        await this.browser.wait(4);
+                        continue;
+                    }
+                    return this.oauthAbort("oauth_consent_needs_review", `blind-consent approved but no approve control on the ${provider.label} consent page ` +
+                        `after ${consentAdvanceWaits} waits — sign up manually.`, steps);
+                }
+                if (action.onAdvanceFail === "wait_nav") {
+                    steps.push("OAuth[engine]: post-grant page, no approve control — waiting for natural navigation");
+                    await this.browser.wait(3);
+                    continue;
+                }
+                // onAdvanceFail === "abort"
+                return this.oauthAbort("oauth_consent_needs_review", `reached a ${provider.label} consent screen but found no approve control to click — approve it manually.`, steps);
+            }
             // authState === "consent". Backstop the page classifier with a
             // live-DOM check: if the page actually carries a credential
             // field it is a login form (the text classifier can catch a
@@ -6348,16 +7491,36 @@ export class SignupAgent {
         // non-auth path here and is left alone.
         if (isSignupOrLoginRoute(this.browser.currentUrl()) &&
             !isOAuthProviderHost(this.browser.currentUrl())) {
-            const root = originRoot(this.browser.currentUrl());
-            if (root !== null) {
-                steps.push(`OAuth: post-auth landing is a signup/login route (${pathOf(this.browser.currentUrl())}) — ` +
-                    `navigating to the app root (${root}) so the service routes us to the dashboard.`);
-                try {
-                    await this.browser.goto(root);
-                    await this.browser.wait(2);
-                }
-                catch {
-                    // navigation hiccup — the post-verify loop re-reads regardless.
+            // Clerk callback: don't immediately navigate away. On a Clerk combined
+            // sign-in/sign-up flow a new-user OAuth completes the account via a
+            // client-side sign-up transfer that takes a beat AFTER the callback lands;
+            // navigating to root unmounts Clerk's JS and interrupts it (the bug behind
+            // the cartesia/braintrust "oauth_session_not_persisted" cluster — proven
+            // not IP). We can't drive the transfer via window.Clerk (patchright's
+            // isolated world hides it), so instead give Clerk's own JS time and detect
+            // success via cookies (world-agnostic). If a session appears, we're signed
+            // in — skip the navigate-away.
+            const onClerkCallback = /sso-callback|\/sso\b/i.test(this.browser.currentUrl());
+            let clerkSignedIn = false;
+            if (onClerkCallback) {
+                clerkSignedIn = await this.browser.waitForClerkSession(12000).catch(() => false);
+                steps.push(`OAuth: Clerk callback — waited for session establish → ${clerkSignedIn ? "signed in" : "no session (likely login-only OAuth / needs email signup)"}`);
+            }
+            if (clerkSignedIn) {
+                await this.browser.wait(2);
+            }
+            else {
+                const root = originRoot(this.browser.currentUrl());
+                if (root !== null) {
+                    steps.push(`OAuth: post-auth landing is a signup/login route (${pathOf(this.browser.currentUrl())}) — ` +
+                        `navigating to the app root (${root}) so the service routes us to the dashboard.`);
+                    try {
+                        await this.browser.goto(root);
+                        await this.browser.wait(2);
+                    }
+                    catch {
+                        // navigation hiccup — the post-verify loop re-reads regardless.
+                    }
                 }
             }
         }
@@ -6530,6 +7693,9 @@ export class SignupAgent {
             // oauth_session_not_persisted and abort. The account simply needs
             // creating via email, so re-route to form-fill instead of bailing.
             if (detectGoogleNoAccount(gateState.url, gateText)) {
+                // Commit to email for the rest of the run — OAuth is login-only here, so
+                // the OAuth-first scan must not re-fire after the form-fill re-route.
+                this.committedToEmailPath = true;
                 steps.push(`OAuth: ${provider.label} sign-in succeeded but ${task.service} has no account for ` +
                     `this identity (login-only OAuth, ${pathOf(gateState.url)}) — abandoning OAuth and ` +
                     `falling back to email/password signup to create the account.`);
@@ -6690,6 +7856,22 @@ export class SignupAgent {
             // (oauth_session_not_persisted) instead of thrashing into
             // oauth_onboarding_failed.
             if (err instanceof OAuthSessionNotPersistedError) {
+                // The handshake completed but the service never created a session — the
+                // Clerk new-user-via-sign-in bounce, surfacing here as a stuck login page
+                // (no explicit "no account" text, so detectGoogleNoAccount missed it
+                // upstream). If the service also offers email signup, creating the account
+                // that way is the recovery — the SAME OAUTH_FALL_BACK_TO_FORM_FILL path the
+                // explicit-text case uses (runSignup re-navigates to the form and runs the
+                // email path with forceFormFill, which suppresses OAuth so it can't bounce
+                // back here). One-shot: an OAuth-only service with no email form then fails
+                // honestly on the re-run instead of looping. Generalizes the cartesia crack
+                // to the whole silent-callback Clerk cluster (openrouter/groq/northflank/…).
+                if (!this.oauthEmailFallbackTried) {
+                    this.oauthEmailFallbackTried = true;
+                    steps.push(`OAuth callback never persisted a session (Clerk new-user sign-in bounce) — ` +
+                        `falling back to email/password signup to create the account.`);
+                    return OAUTH_FALL_BACK_TO_FORM_FILL;
+                }
                 return { success: false, error: err.message, steps, ...this.resultTail() };
             }
             throw err;
@@ -6720,6 +7902,19 @@ export class SignupAgent {
         const paywallCheckText = this.lastPostVerifyDoneReason !== null
             ? `${finalText}\n${this.lastPostVerifyDoneReason}`
             : finalText;
+        // Closed / invite-only registration — no account can be created at all
+        // (turbopuffer: "Sign-ups are closed"). Terminally unservable; label it
+        // honestly so the operator dequeues rather than seeing a misleading
+        // oauth_onboarding_failed that implies a fixable nav bug.
+        if (isSignupsClosed(paywallCheckText)) {
+            return {
+                success: false,
+                error: `signups_closed: ${task.service} is not accepting new self-serve sign-ups ` +
+                    `(closed / invite-only registration) — no account can be created. Dequeue or sign up manually once open.`,
+                steps,
+                ...this.resultTail(),
+            };
+        }
         if (isAtPaywall(paywallCheckText)) {
             return {
                 success: false,
@@ -6729,6 +7924,22 @@ export class SignupAgent {
                 ...this.resultTail(),
             };
         }
+        // Service-side manual-approval gate (waiting room / waitlist / account
+        // pending review). The OAuth handshake succeeded but the service won't
+        // grant a key until a human approves the account — there is no key to
+        // reach autonomously. Same terminal onboarding_blocked status as the
+        // billing wall so it's a non-demoting human-pile outcome, not a
+        // mislabeled oauth_onboarding_failed that wrongly implies a code bug.
+        if (isAtAccountReviewGate(paywallCheckText)) {
+            return {
+                success: false,
+                error: `onboarding_blocked: ${task.service} put the account into a manual review / ` +
+                    `waitlist gate after signup — no API key is obtainable until a human approves ` +
+                    `the account. Finish the signup manually once access is granted.`,
+                steps,
+                ...this.resultTail(),
+            };
+        }
         // rc.39 — anti-bot interstitial that survived the post-OAuth
         // landing. Turso's GitHub SSO callback runs a Cloudflare check
         // that never clears for our Chromium fingerprint; the planner's
@@ -7009,6 +8220,9 @@ ${formatInventory(input.inventory)}`,
             // Deterministic form-fill picks (same rationale as the post-verify
             // planner — D2). Removes a run-to-run flakiness source.
             temperature: 0,
+            // Fix C — pin a single model + provider + seed on the proxy path.
+            // temperature 0 alone leaves the model/provider lottery in play.
+            deterministic: true,
             parse: (raw) => parseSignupPlan(raw, allowed),
         });
     }
@@ -7345,15 +8559,51 @@ ${formatInventory(input.inventory)}`,
                 steps.push(`Existing-account recovery: create-key click failed (${err instanceof Error ? err.message : String(err)}).`);
                 return null;
             }
-            // Poll for the freshly-minted key — minting is a server
-            // round-trip (Render/Mistral/Mailtrap render the value into a
-            // modal after the POST returns). Reuse the modal-reveal poll
-            // budget the click branch uses elsewhere (~8s), early-exiting the
-            // moment any tier surfaces a credential. A confirmation dialog
-            // ("Name your key" → Create) is common; fire the reveal pass each
-            // round so a modal that needs a second confirm-then-show click is
-            // still harvested.
-            const deadline = Date.now() + 8000;
+            // Forensic: capture the post-click state so a "modal never minted a key"
+            // failure is diagnosable — what does the create-key dialog render (name
+            // field? an in-modal captcha? a disabled submit?), and is it in our
+            // inventory? Off by default; production runs don't pay the snapshot.
+            if (process.env.BOT_DEBUG_MINT_MODAL === "1") {
+                await this.browser.wait(1.2);
+                await saveDebugSnapshot(this.browser, "mint-after-create-click");
+            }
+            // Drive the "name your key" dialog the create-click opened, then poll for
+            // the freshly-minted value (minting is a server round-trip; Render/Mistral
+            // render the value into the modal after the POST returns).
+            //
+            // Two gates commonly hold the dialog's submit DISABLED until satisfied:
+            //   (1) a non-empty NAME (groq's keyName field), and
+            //   (2) a CAPTCHA token — groq embeds a Cloudflare Turnstile INSIDE the
+            //       create-key modal (cf-turnstile-response), and the submit stays
+            //       disabled until the widget issues a token. The captcha gate never
+            //       ran here (it fires during form-fill, not post-verify mint), so the
+            //       modal sat unsolved and every re-click just reopened it. Satisfy
+            //       both up front: type the name, then run the captcha gate (Tier 1
+            //       behavior / Tier 2 click-and-wait, polling for the token), and only
+            //       then start clicking submit.
+            try {
+                const openInv = await this.browser.extractInteractiveElements();
+                const nameInput = findKeyNameInput(openInv);
+                if (nameInput !== null) {
+                    await this.browser.type(nameInput.selector, "trusty-squire").catch(() => { });
+                    steps.push("Existing-account recovery: named the new key.");
+                }
+            }
+            catch {
+                // best-effort name fill
+            }
+            // Solve any captcha gating the modal's submit (groq's in-modal Turnstile).
+            // Best-effort: a no-widget result or a solver miss just falls through to
+            // the submit poll below, which still works for modals with no captcha.
+            const mintGate = await this.runCaptchaGate("Mint-modal", steps);
+            if (mintGate.blocked) {
+                steps.push("Existing-account recovery: the create-key modal's captcha is blocking — cannot mint.");
+            }
+            // Poll: click the modal's affirmative submit (re-clicking is harmless —
+            // it's a no-op while still disabled, and once name+token clear the gate
+            // the click lands), harvesting the minted value each round. No
+            // single-click guard: the gate may enable a beat after we first try.
+            const deadline = Date.now() + 12000;
             while (Date.now() < deadline) {
                 await this.browser.wait(0.5);
                 const minted = await this.harvestVisibleCredentials();
@@ -7361,15 +8611,21 @@ ${formatInventory(input.inventory)}`,
                     steps.push("Existing-account recovery: extracted the freshly-minted key.");
                     return minted;
                 }
-                // A two-step create modal: clicking the page-level "Create key"
-                // opened a "name + confirm" dialog. Click a now-visible confirm
-                // affordance once, then keep polling.
                 try {
                     const modalInv = await this.browser.extractInteractiveElements();
-                    const confirmBtn = findCreateKeyAffordance(modalInv);
-                    if (confirmBtn !== null &&
-                        confirmBtn.selector !== createBtn.selector) {
-                        await this.browser.click(confirmBtn.selector);
+                    // Prefer the modal's generic submit ("Submit"/"Create"/…) over
+                    // findCreateKeyAffordance: the page-level "Create API Key" button is
+                    // still in the background DOM, and re-clicking IT just reopens the
+                    // modal (the pre-fix groq failure loop). Fall back to the affordance
+                    // matcher for modals whose confirm DOES carry a key noun.
+                    let confirmBtn = findKeyModalSubmit(modalInv, createBtn.selector);
+                    if (confirmBtn === null) {
+                        const aff = findCreateKeyAffordance(modalInv);
+                        if (aff !== null && aff.selector !== createBtn.selector)
+                            confirmBtn = aff;
+                    }
+                    if (confirmBtn !== null) {
+                        await this.browser.click(confirmBtn.selector).catch(() => { });
                     }
                 }
                 catch {
@@ -7422,7 +8678,7 @@ ${formatInventory(input.inventory)}`,
             catch {
                 break;
             }
-            const fallback = pickStuckLoopFallbackUrl(currentUrl, visitedKeysUrls);
+            const fallback = pickStuckLoopFallbackUrl(currentUrl, visitedKeysUrls, undefined, this.resolvedSignupUrl);
             if (fallback === null)
                 break;
             visitedKeysUrls.add(fallback);
@@ -7461,6 +8717,144 @@ ${formatInventory(input.inventory)}`,
         }
         return null;
     }
+    // NAV_SEARCH phase (slice 1): drive the post-verify phase with the goal-directed
+    // nav-search engine (nav-search.ts) instead of the greedy planner. Adapts the
+    // BrowserController to the engine's narrow port and wires the extractor, the
+    // capture-chain (sequential rounds → OF#1/auto-promote parity, A2), and the
+    // log. Returns the extracted credentials, or {} (+ a no_self_serve_key done
+    // reason) when the dashboard's navigation has no reachable key surface.
+    async runNavSearchPhase(args, oauth) {
+        const hasRealKey = (c) => Object.keys(c).some((k) => !NON_CREDENTIAL_KEYS.has(k));
+        // Already on a key surface at entry (bot landed there directly).
+        const entry = await this.extractCredentials();
+        if (hasRealKey(entry))
+            return entry;
+        const port = {
+            currentUrl: () => this.browser.currentUrl(),
+            // Visibility-respecting text (innerText) for goal assessment — extractText()
+            // reads textContent, which fuses inline <script> source + display:none nodes
+            // into the page text and poisons every text-based goal/onboarding signal
+            // (the false-shell class). Key extraction still reads RAW text via
+            // extractCredentials() downstream; this is the nav-decision surface only.
+            extractText: () => this.browser.extractVisibleText(),
+            extractInventory: () => this.browser.extractInteractiveElements(),
+            clickSelector: (s) => this.browser.click(s),
+            navigate: (u) => this.browser.goto(u),
+            pressEscape: () => this.browser.pressKey("Escape"),
+            settle: async () => {
+                await this.browser.waitForInteractiveDom(5, 15_000).catch(() => { });
+            },
+            expandLatentNav: () => this.browser.expandLatentNav(),
+        };
+        // Cap nav-search's LLM tiebreak calls so the navigation phase can't starve
+        // the greedy planner's budget when we hand off (DEFAULT-ON hybrid): the
+        // per-signup circuit breaker is shared, so an unbounded tiebreak could leave
+        // the form-fill handoff with no budget. Deterministic ranking is unbounded
+        // (free); only the LLM tiebreak is capped. Past the cap, tiebreak returns
+        // null (deterministic-only), which leads to honest exhaustion → handoff.
+        let tiebreakCalls = 0;
+        const MAX_NAV_TIEBREAKS = Number(process.env.NAV_SEARCH_MAX_TIEBREAKS) || 6;
+        const deps = {
+            extractKey: async () => {
+                const c = await this.extractCredentials();
+                return hasRealKey(c) ? c : null;
+            },
+            // Mint on a create-gated key surface: reuse the proven existing-account
+            // recovery (readable → reveal → click create → drive the name+confirm
+            // modal → poll the create POST → reveal masked-on-first-show). Without
+            // this, nav-search only bare-clicks "Create API Key" and never submits
+            // the resulting modal (groq's virgin /keys flow).
+            mintKey: async () => {
+                const c = await this.attemptMintNewKey(args.steps);
+                return c !== null && hasRealKey(c) ? c : null;
+            },
+            // Capture-chain parity (A2 / OF#1): one sequential round per step, full
+            // state + the real selector, so the synthesizer's chain check (no gaps)
+            // still passes and auto-promote keeps minting skills.
+            captureRound: async (ctx) => {
+                const state = await this.browser.getState().catch(() => null);
+                if (state === null)
+                    return;
+                const observed = ctx.action === "extract"
+                    ? { kind: "extract", reason: "nav-search: extract on key surface" }
+                    : ctx.selector !== undefined
+                        ? { kind: "click", selector: ctx.selector, reason: `nav-search: ${ctx.action}` }
+                        : { kind: "done", reason: `nav-search: ${ctx.action}` };
+                captureOnboardingRound({
+                    service: args.service,
+                    round: this.captureChainRound,
+                    oauth,
+                    state,
+                    inventory: ctx.inventory,
+                    observed,
+                    ...(this.lastResolvedModel !== undefined ? { resolved_model: this.lastResolvedModel } : {}),
+                    ...(this.lastResolvedProvider !== undefined
+                        ? { resolved_provider: this.lastResolvedProvider }
+                        : {}),
+                });
+                this.captureChainRound += 1;
+            },
+            // LLM tiebreak: the deterministic ranker only fires on keys-keyword text /
+            // href. When keys live behind a generically-named affordance (a settings
+            // tab like "Advanced"/"Security", an icon nav), nothing scores and the
+            // ranker can't decide. This is the ONE place the LLM touches the loop —
+            // it picks the single candidate most likely to lead to a key surface, or
+            // null. Cheap (text-only, ≤80 tokens, deterministic) and bounded by the
+            // per-signup LLM budget; a budget/parse failure falls through to null
+            // (honest exhaustion), never throws into the loop.
+            tiebreak: async (candidates) => {
+                if (candidates.length === 0)
+                    return null;
+                if (tiebreakCalls >= MAX_NAV_TIEBREAKS)
+                    return null; // reserve budget for the handoff
+                tiebreakCalls += 1;
+                const here = this.browser.currentUrl();
+                const list = candidates
+                    .map((c, i) => `${i}. "${c.text.slice(0, 60)}"${c.href !== null ? ` (href=${c.href})` : ""}`)
+                    .join("\n");
+                const system = `You navigate a SaaS dashboard after signup. Goal: reach the page that SHOWS or CREATES an API key (or any credential — token, secret, access key).
+You are given a numbered list of the clickable affordances on the current page. Pick the ONE most likely to lead toward an API-keys / tokens / developer-credentials surface.
+Reply with a single JSON object and nothing else: {"index": N} (N = the list number) or {"index": null} if NONE plausibly leads to API keys.
+Prefer items naming keys / tokens / API / developer / secrets; then credentials / advanced / settings / account / security. On a B2B product an API key is frequently scoped to an ORGANIZATION / WORKSPACE / PROJECT / TEAM rather than the personal account — so if no personal "API keys" surface exists, an "Organization", "Workspace", "Project", or "Team" link is a strong candidate (its settings usually hold the keys). NEVER pick log out, billing, invoices, usage, docs, pricing, a link back to the current page, or any destructive action (delete, remove, revoke, deactivate, cancel).`;
+                const userBlocks = [
+                    { kind: "text", text: `Current URL: ${here}\n\nAffordances:\n${list}` },
+                ];
+                try {
+                    return await this.callLLM({
+                        system,
+                        userBlocks,
+                        maxTokens: 80,
+                        temperature: 0,
+                        deterministic: true,
+                        parse: (raw) => {
+                            const m = raw.match(/\{[\s\S]*\}/);
+                            if (m === null)
+                                return null;
+                            const obj = JSON.parse(m[0]);
+                            const idx = typeof obj === "object" && obj !== null && "index" in obj
+                                ? obj.index
+                                : null;
+                            if (typeof idx !== "number")
+                                return null;
+                            return candidates[idx]?.selector ?? null;
+                        },
+                    });
+                }
+                catch {
+                    return null;
+                }
+            },
+            log: (line) => args.steps.push(line),
+            maxSteps: args.maxRounds,
+        };
+        const result = await runNavSearch(port, deps);
+        if (result.kind === "found")
+            return result.credentials;
+        this.lastPostVerifyDoneReason =
+            "no_self_serve_key: nav-search exhausted the dashboard's navigation without " +
+                "reaching an API-key surface";
+        return {};
+    }
     async postVerifyLoop(args) {
         let credentials = await this.extractCredentials();
         // 0.8.2-rc.15 — also seed DOM-proximity at loop entry. If the
@@ -7508,6 +8902,15 @@ ${formatInventory(input.inventory)}`,
         // the dashboard for those; a genuine callback rejection stays on login
         // even after reload, so this never masks a real wall.
         let oauthBounceReloadTried = false;
+        // Consecutive rounds the post-verify page read as a genuine loading shell
+        // (visible loading-text AND a sub-threshold inventory). A real SPA
+        // hydrates within the bounded per-round wait, so a streak means the route
+        // never paints content — burn a navigate-to-root retry, then bail
+        // truthfully rather than re-running the wait every round to run_timeout.
+        // Reset on any non-shell round. Mirrors the consecutiveOauthLoginPageRounds
+        // / oauthBounceReloadTried escape used for the stuck-login case.
+        let shellStreak = 0;
+        let shellRootNavTried = false;
         let planFailures = 0;
         // 0.8.2-rc.6 — separate counter for upstream-blip retries. Doesn't
         // gate planFailures (so a transient 502 won't push us into the
@@ -7519,6 +8922,44 @@ ${formatInventory(input.inventory)}`,
         let upstreamBlipRetries = 0;
         const MAX_UPSTREAM_BLIP_RETRIES = 8;
         const oauth = args.credentials === undefined;
+        // NAV_SEARCH (DEFAULT-ON as of T6): drive the post-verify phase with the
+        // goal-directed nav-search engine, then HAND OFF to the greedy planner if it
+        // couldn't finish. T6 (live, neon) proved the two are complementary:
+        // nav-search is strong at NAVIGATION (it drove through two onboarding wizards
+        // + the dashboard to the exact create-API-key modal, where the greedy planner
+        // often gets lost), but it's nav-only by design — it can't fill+submit a
+        // create-key form. The greedy planner is strong at form-fill but weak at
+        // navigation. So: nav-search navigates to (or near) the key surface; if it
+        // extracts a key, done; if not, we FALL THROUGH to the greedy loop, which
+        // resumes from the current page nav-search reached and completes the local
+        // form-fill + extract. The capture chain continues on the same
+        // this.captureChainRound counter (read below at loop start), so it stays
+        // gap-free for auto-promote.
+        //
+        // Default-on is SAFE because the worst case is the pre-existing behavior: if
+        // nav-search reaches no key, control falls through to the same greedy loop
+        // that was the default before. nav-search only changes outcomes by reaching
+        // key surfaces greedy couldn't — a strict improvement in the cases it helps.
+        // Its LLM tiebreak is budget-capped (MAX_NAV_TIEBREAKS) so the handoff keeps
+        // form-fill budget; the same-site guard keeps it on the app. Opt OUT with
+        // NAV_SEARCH=0/false/off (kept for reversibility — DESIGN A2).
+        if (!/^(0|false|off|no)$/i.test(process.env.NAV_SEARCH ?? "")) {
+            try {
+                const navResult = await this.runNavSearchPhase(args, oauth);
+                if (Object.keys(navResult).some((k) => !NON_CREDENTIAL_KEYS.has(k))) {
+                    return navResult;
+                }
+                args.steps.push("nav-search: no key via navigation alone — handing off to the planner from the current surface");
+            }
+            catch (err) {
+                // Default-on safety: nav-search must NEVER crash a signup. Any unexpected
+                // error (a browser-port method throwing, a bad selector, etc.) falls
+                // through to the greedy planner — the pre-existing default behavior — so
+                // the worst case of enabling nav-search is "no better than before".
+                args.steps.push(`nav-search: errored (${err instanceof Error ? err.message : String(err)}) — falling back to the planner`);
+            }
+            // fall through to the greedy planner loop below
+        }
         // Re-plan hint for the next round — set when an `extract` step
         // found no key, which means the visible key text is masked /
         // truncated (the S3-class trap: the planner sees a key-shaped
@@ -7637,6 +9078,9 @@ ${formatInventory(input.inventory)}`,
         let stuckFiresAtUrl = 0;
         let lastStuckFireUrl = null;
         const triedFallbackUrls = new Set();
+        // Selectors of API-keys nav links already clicked, so the
+        // click-the-real-link escalation doesn't re-click the same link.
+        const clickedKeysLinks = new Set();
         // Premature-done guard budget. When the planner gives up (`done`)
         // with zero credentials captured, we navigate to an unvisited
         // canonical keys URL and re-plan — bounded so a service that
@@ -7872,47 +9316,98 @@ ${formatInventory(input.inventory)}`,
             // SPA hydration guard. A post-OAuth dashboard (northflank's
             // /settings/access-tokens, PostHog) can render a "Connecting"/loading
             // shell while its JS bundle + websocket finish — slow over a
-            // residential tunnel. The shell often carries a stray element or two
-            // (a logo link, the <noscript>), so gating on an EMPTY inventory
-            // misses it; the loading-shell TEXT is the authoritative "not yet
-            // rendered" signal. Wait while that text persists, then proceed with
-            // whatever's there (an honest "still a shell" beats a premature done —
-            // and if the SPA never hydrates, e.g. a blocked websocket, the bound
-            // keeps us from hanging).
+            // residential tunnel. We gate on POSITIVE readiness — the instant the
+            // page has SHELL_MAX_ELEMENTS visible interactive elements it is
+            // hydrated by definition and we proceed — rather than looping on the
+            // negative "text still says loading" signal. waitForInteractiveDom
+            // returns the moment that count is met (or after the budget), so a fast
+            // page costs ~0 and a slow one waits exactly as long as needed. This is
+            // the fix for the dominant false positive: a fully-rendered dashboard
+            // whose DOM merely CONTAINS a hidden "loading…"/"please wait 30
+            // seconds…" string no longer spins the wait every round to run_timeout.
             //
             // Budget = 6x3s = 18s. MEASURED: a dashboard SPA gated on a websocket
             // (northflank's wss://platform.northflank.com/websocket) hydrates in
-            // ~12-15s over the tunnel. A larger budget BACKFIRES on a page that
-            // will NEVER hydrate (e.g. an authed user stranded on /signup): the
-            // wait re-runs every round and burns the 600s run cap. The escape for
-            // a never-hydrating route is navigate-to-root post-OAuth, not a longer
-            // wait here.
+            // ~12-15s over the tunnel.
             //
             // ADAPTIVE exception (MEASURED 2026-06-04, clerk): an OAuth/SSO
             // CALLBACK route does a token exchange that renders even slower than a
             // plain dashboard — clerk's `/sign-in/sso-callback` outlasts 18s and
             // the bot bailed at the edge with `oauth_session_not_persisted`. On a
-            // callback route the SPA IS making progress, so 12x3s = 36s of
-            // patience is warranted; everywhere else the 6-tick budget holds so a
-            // genuinely-stuck route still hits the navigate-to-root escape fast.
-            // Read the URL fresh each round (it may redirect off the callback).
-            const HYDRATION_TICKS = isOAuthCallbackRoute(state.url) ? 12 : 6;
-            for (let hydrationWait = 0; hydrationWait < HYDRATION_TICKS &&
-                isLoadingShellText(await this.browser.extractText().catch(() => "")); hydrationWait++) {
-                args.steps.push(`Post-verify round ${round}: ${pathOf(state.url)} is a loading shell ` +
-                    `(hydration wait ${hydrationWait + 1}/${HYDRATION_TICKS}) — waiting for the SPA to render`);
-                await this.browser.wait(3);
-                try {
-                    [state, inventory] = await Promise.all([
-                        this.browser.getState(),
-                        this.buildInventory(args.steps, undefined, 80),
-                    ]);
+            // callback route the SPA IS making progress, so 36s of patience is
+            // warranted; everywhere else the 18s budget holds so a genuinely-stuck
+            // route reaches the navigate-to-root escape fast. Read the URL fresh
+            // each round (it may redirect off the callback).
+            const onOAuthCallback = isOAuthCallbackRoute(state.url);
+            const HYDRATION_BUDGET_MS = onOAuthCallback ? 36_000 : 18_000;
+            await this.browser
+                .waitForInteractiveDom(SHELL_MAX_ELEMENTS, HYDRATION_BUDGET_MS)
+                .catch(() => undefined);
+            // Re-read after the wait — the page may have hydrated (or redirected).
+            try {
+                [state, inventory] = await Promise.all([
+                    this.browser.getState(),
+                    this.buildInventory(args.steps, undefined, 80),
+                ]);
+            }
+            catch {
+                // mid-navigation read — keep the prior state/inventory; the shell
+                // decision below uses whatever count we have.
+            }
+            // Negative-side decision, now visibility- AND inventory-aware: a shell
+            // requires loading-text in the VISIBLE text AND a sub-threshold
+            // inventory. The OAuth-callback exclusion keeps the navigate-to-root
+            // escape from firing mid-token-exchange (the callback IS making
+            // progress and a navigate-away would abort the session).
+            const stillShell = !onOAuthCallback &&
+                isLoadingShell(await this.browser.extractVisibleText().catch(() => ""), inventory.length);
+            if (stillShell) {
+                shellStreak += 1;
+                // On the 2nd consecutive shell round, do the navigate-to-root the
+                // budgeted wait can't fix — a route stuck mid-hydration (a blocked
+                // websocket, an SPA wedged on a stale path) often paints the real
+                // dashboard from origin root. Once only.
+                if (shellStreak >= 2 && !shellRootNavTried) {
+                    shellRootNavTried = true;
+                    const root = originRoot(state.url);
+                    args.steps.push(`Post-verify round ${round}: ${pathOf(state.url)} read as a loading shell for ` +
+                        `${shellStreak} consecutive rounds — navigating to origin root once before bailing.`);
+                    try {
+                        await this.browser.goto(root ?? state.url);
+                        await this.browser
+                            .waitForInteractiveDom(SHELL_MAX_ELEMENTS, 15_000)
+                            .catch(() => undefined);
+                        [state, inventory] = await Promise.all([
+                            this.browser.getState(),
+                            this.buildInventory(args.steps, undefined, 80),
+                        ]);
+                    }
+                    catch {
+                        // navigate/read failed — the streak check below bails on the
+                        // next shell read.
+                    }
+                    // Re-evaluate after the root nav. If it hydrated, fall through to
+                    // planning; if it's STILL a shell, bail truthfully now rather than
+                    // burning the rest of the round budget to run_timeout.
+                    const recovered = !isLoadingShell(await this.browser.extractVisibleText().catch(() => ""), inventory.length);
+                    if (recovered) {
+                        shellStreak = 0;
+                    }
+                    else {
+                        throw new SpaNeverHydratedError(`spa_never_hydrated: ${args.service}'s post-verify page (${pathOf(state.url)}) ` +
+                            `stayed a loading shell across ${shellStreak} rounds and an origin-root reload — ` +
+                            `the SPA never rendered an actionable surface (blocked websocket / wedged hydration). ` +
+                            `Not a navigation bug; retry or finish the signup manually.`);
+                    }
                 }
-                catch {
-                    // mid-navigation read — keep the prior state/inventory and let
-                    // the next hydration tick (or the planner) retry.
+                else {
+                    args.steps.push(`Post-verify round ${round}: ${pathOf(state.url)} is a loading shell ` +
+                        `(streak ${shellStreak}) — letting the SPA settle one more round`);
                 }
             }
+            else {
+                shellStreak = 0;
+            }
             // Stalled-wizard breaker. Build a content signature (URL + each
             // inventory element's selector + label) and judge whether the
             // PREVIOUS executed action changed the page. If the last few
@@ -8057,11 +9552,13 @@ ${formatInventory(input.inventory)}`,
                 if (consecutiveOauthLoginPageRounds >= 3) {
                     args.steps.push(`Post-verify: OAuth run still on a login page (${pathOf(state.url)}) for ` +
                         `${consecutiveOauthLoginPageRounds} rounds (incl. a reload) — the OAuth callback never persisted; bailing.`);
+                    await this.browser.dumpOAuthDebug(args.service, "callback-not-persisted").catch(() => { });
                     throw new OAuthSessionNotPersistedError(`oauth_session_not_persisted: signed in to ${args.service} via OAuth but the page ` +
                         `still presents a login screen (${pathOf(state.url)}) after ` +
-                        `${consecutiveOauthLoginPageRounds} rounds — the OAuth callback never established a ` +
-                        `session (anti-bot / IP rejection of the callback). Not a navigation bug; needs ` +
-                        `residential egress or manual signup.`);
+                        `${consecutiveOauthLoginPageRounds} rounds — the OAuth callback was rejected at the ` +
+                        `automation/fingerprint layer. NOT an IP issue (FALSIFIED 2026-06-14: a clean ` +
+                        `residential IP fails this callback identically — see STATE.md), so residential ` +
+                        `egress does NOT fix it. Needs a fingerprint/automation fix or manual signup.`);
                 }
             }
             else {
@@ -8199,6 +9696,10 @@ ${formatInventory(input.inventory)}`,
                 state,
                 inventory,
                 observed: nextStep,
+                // Fix C4 — stamp the backend that produced THIS round's plan
+                // (planPostVerifyStep set these via callLLM just above).
+                ...(this.lastResolvedModel !== undefined ? { resolved_model: this.lastResolvedModel } : {}),
+                ...(this.lastResolvedProvider !== undefined ? { resolved_provider: this.lastResolvedProvider } : {}),
             });
             capturedRound += 1;
             // Per-round telemetry upload (rc.11). Mirrors the disk capture
@@ -8555,7 +10056,7 @@ ${formatInventory(input.inventory)}`,
                             hint = undefined;
                             continue;
                         }
-                        const fallback = pickStuckLoopFallbackUrl(state.url, triedFallbackUrls, args.service);
+                        const fallback = pickStuckLoopFallbackUrl(state.url, triedFallbackUrls, args.service, this.resolvedSignupUrl);
                         if (fallback !== null) {
                             triedFallbackUrls.add(fallback);
                             args.steps.push(`Post-verify: stuck-loop detected ${stuckFiresAtUrl}x at ${state.url} — escalating to a hardcoded API-key URL: ${fallback}`);
@@ -8670,7 +10171,30 @@ ${formatInventory(input.inventory)}`,
                 // candidate is exhausted, `done` is honored.
                 const capturedCredCount = Object.keys(credentials).filter((k) => !NON_CREDENTIAL_KEYS.has(k)).length;
                 if (capturedCredCount === 0 && prematureDoneFallbacks < MAX_PREMATURE_DONE_FALLBACKS) {
-                    const fallback = pickStuckLoopFallbackUrl(state.url, triedFallbackUrls, args.service);
+                    // Prefer CLICKING a real API-keys nav link over guessing a URL.
+                    // The dashboard's own sidebar/menu link carries the correct href;
+                    // guessing /keys, /api-keys, /settings/api-keys 404s on services
+                    // that host keys at a non-standard path (unify-ai). Only when no
+                    // such link is in the DOM do we fall through to URL composition.
+                    const keysLink = findApiKeysNavLink(inventory, clickedKeysLinks);
+                    if (keysLink !== null) {
+                        prematureDoneFallbacks += 1;
+                        clickedKeysLinks.add(keysLink.selector);
+                        const label = (keysLink.visibleText ?? keysLink.ariaLabel ?? keysLink.href ?? keysLink.selector) || keysLink.selector;
+                        args.steps.push(`Post-verify: planner emitted done with no credential captured — ` +
+                            `clicking the in-page API-keys link "${label.slice(0, 60)}" ` +
+                            `(${keysLink.href ?? keysLink.selector}) before guessing a URL`);
+                        try {
+                            await this.browser.click(keysLink.selector);
+                            await this.browser.waitForInteractiveDom(5, 15_000);
+                        }
+                        catch (err) {
+                            args.steps.push(`Post-verify: API-keys link click failed (${err instanceof Error ? err.message : String(err)}) — continuing.`);
+                        }
+                        hint = undefined;
+                        continue;
+                    }
+                    const fallback = pickStuckLoopFallbackUrl(state.url, triedFallbackUrls, args.service, this.resolvedSignupUrl);
                     if (fallback !== null) {
                         prematureDoneFallbacks += 1;
                         triedFallbackUrls.add(fallback);
@@ -9178,6 +10702,10 @@ ${formatInventory(input.inventory)}`,
                         state: postState,
                         inventory: postInventory,
                         observed: syntheticExtract,
+                        // Fix C4 — attribute this synthetic round to the planner call
+                        // that drove us here (no LLM ran for this implicit extract).
+                        ...(this.lastResolvedModel !== undefined ? { resolved_model: this.lastResolvedModel } : {}),
+                        ...(this.lastResolvedProvider !== undefined ? { resolved_provider: this.lastResolvedProvider } : {}),
                     });
                     capturedRound += 1;
                     if (this.roundUploader !== undefined) {
@@ -9334,12 +10862,83 @@ ${formatInventory(input.inventory)}`,
     // the F3 inventory by element type. Returns false when the page
     // isn't a login form.
     async loginWithCredentials(email, password, steps) {
-        const inv = await this.buildInventory(steps);
-        const emailEl = inv.find((e) => e.tag === "input" && e.type === "email") ??
-            inv.find((e) => e.tag === "input" && (e.type === "text" || e.type === null));
-        const pwEl = inv.find((e) => e.tag === "input" && e.type === "password");
+        const findLoginFields = (inventory) => {
+            const emailEl = inventory.find((e) => e.tag === "input" && e.type === "email") ??
+                inventory.find((e) => e.tag === "input" && (e.type === "text" || e.type === null));
+            const pwEl = inventory.find((e) => e.tag === "input" && e.type === "password");
+            return { emailEl, pwEl };
+        };
+        let inv = await this.buildInventory(steps);
+        let { emailEl, pwEl } = findLoginFields(inv);
+        // Poll for the form to render after a click. SPA login forms reveal on a
+        // VARIABLE delay — portkey's "Continue with work email" → password form was
+        // a render race where a fixed wait passed one run and missed the next
+        // (stochastic login). Re-reads up to maxAttempts times ~1.2s apart, mutating
+        // inv/emailEl/pwEl, returning as soon as the wanted field(s) appear. Uses a
+        // throwaway steps array so polling doesn't spam the trail.
+        const pollForFields = async (maxAttempts, requirePassword) => {
+            for (let i = 0; i < maxAttempts; i++) {
+                await this.browser.wait(1.2);
+                inv = await this.buildInventory([]);
+                ({ emailEl, pwEl } = findLoginFields(inv));
+                const done = requirePassword
+                    ? pwEl !== undefined
+                    : pwEl !== undefined || emailEl !== undefined;
+                if (done)
+                    return;
+            }
+        };
+        // Two-stage email login: many login pages render only provider buttons
+        // ("Continue with Google / Microsoft / work email", SSO) and reveal the
+        // email+password inputs ONLY after you click the email option. portkey
+        // (MEASURED 2026-06-17): /login is button-only with "Continue with work
+        // email". Click that affordance — NOT Google/Microsoft/SSO — then re-read.
         if (emailEl === undefined || pwEl === undefined) {
-            steps.push("Login: no email/password fields on the page — skipped.");
+            const emailButton = inv.find((e) => {
+                if (e.tag !== "button" && e.type !== "submit")
+                    return false;
+                const t = `${e.visibleText ?? ""} ${e.ariaLabel ?? ""}`.toLowerCase();
+                return (t.includes("email") &&
+                    /\b(continue|log ?in|sign ?in|use|with|password)\b/.test(t) &&
+                    !/google|microsoft|apple|github|\bsso\b|single sign/.test(t));
+            });
+            if (emailButton !== undefined) {
+                // The continue button is frequently DISABLED until a Terms/consent
+                // checkbox is ticked (portkey, MEASURED 2026-06-17: "Continue with
+                // work email" stays inert until the TOS box is checked → the click
+                // silently no-ops and the form never reveals). Tick required agreement
+                // boxes first (skips marketing opt-ins; best-effort, never throws).
+                const agreed = await this.browser.checkRequiredAgreementBoxes();
+                if (agreed.length > 0) {
+                    steps.push(`Login: ticked terms/consent box(es) [${agreed.join(", ")}] to enable the button.`);
+                    await this.browser.wait(1);
+                }
+                steps.push(`Login: two-stage page — clicking "${(emailButton.visibleText ?? "email")
+                    .slice(0, 40)
+                    .trim()}" to reveal the email/password form.`);
+                await this.browser.click(emailButton.selector);
+                // Poll up to ~10s for the form to reveal (render race — see above).
+                await pollForFields(8, false);
+            }
+        }
+        // Progressive (email-first) login: some flows reveal ONLY the email field;
+        // you enter it, click Continue, THEN the password field appears on the next
+        // step. portkey (MEASURED 2026-06-17): "Continue with work email" → email
+        // field → Continue → password. Fill the email, advance, and re-read.
+        if (emailEl !== undefined && pwEl === undefined) {
+            await this.browser.type(emailEl.selector, email).catch(() => undefined);
+            const advance = inv.find((e) => e.type === "submit") ??
+                inv.find((e) => (e.tag === "button" || e.type === "submit") &&
+                    /\b(continue|next|log ?in|sign ?in|submit)\b/i.test(`${e.visibleText ?? ""} ${e.ariaLabel ?? ""}`));
+            if (advance !== undefined) {
+                steps.push("Login: email-first flow — submitted the email, advancing to the password step.");
+                await this.browser.clickSubmit(advance.selector).catch(() => undefined);
+                // Poll up to ~10s for the password step to render (render race).
+                await pollForFields(8, true);
+            }
+        }
+        if (pwEl === undefined) {
+            steps.push("Login: no password field reachable — skipped.");
             return false;
         }
         // Login submit: a submit-typed button, else one whose text reads
@@ -9350,7 +10949,10 @@ ${formatInventory(input.inventory)}`,
             buttons.find((e) => /\b(log ?in|sign ?in|continue|next|submit)\b/i.test(`${e.visibleText ?? ""} ${e.ariaLabel ?? ""}`)) ??
             buttons[0];
         try {
-            await this.browser.type(emailEl.selector, email);
+            // The email may already have been entered on the prior step.
+            if (emailEl !== undefined) {
+                await this.browser.type(emailEl.selector, email);
+            }
             await this.browser.type(pwEl.selector, password);
             steps.push("Login: filled the signup credentials");
             if (submitEl !== undefined) {
@@ -9611,6 +11213,11 @@ ${formatInventory(input.inventory)}${input.hint !== undefined ? `\n\nIMPORTANT
             // navigation-eval.md). The stall-detector + prior-action memory are the
             // escape from a deterministic loop.
             temperature: 0,
+            // Fix C — pin a single model + provider + seed on the proxy path so
+            // the same dashboard yields the same step regardless of which backend
+            // OpenRouter would otherwise route to (the model/provider lottery
+            // survives temperature 0).
+            deterministic: true,
             parse: (raw) => {
                 const step = parsePostVerifyStep(raw, allowed);
                 // A `check` must land on a real checkbox/radio — the planner
@@ -9798,6 +11405,18 @@ ${formatInventory(input.inventory)}${input.hint !== undefined ? `\n\nIMPORTANT
         });
     }
     async extractCredentials() {
+        // EXTRACTION_ENGINE (default-ON since 2026-06-15, strangler slice 4): route the
+        // cross-pass accumulation + resolution through the pure extraction module
+        // (extraction.ts). Flipped after pass-1 live validation (ipinfo → api_key) on
+        // the dominant path; the truncated/clipboard path (pass 2) reuses the IDENTICAL
+        // I/O as inline — only the unit-tested accumulation differs — and its
+        // truncated-modal services (OpenRouter-class) are currently anti-bot-walled, so
+        // its live blast radius is ~zero. The inline 5-pass body below is kept one cycle
+        // as the explicit opt-out (EXTRACTION_ENGINE=0) and deleted next
+        // (DESIGN-extraction-engine.md migration step 4).
+        if (!/^(0|false|off|no)$/i.test(process.env.EXTRACTION_ENGINE ?? "")) {
+            return this.extractCredentialsViaEngine();
+        }
         // IMPORTANT: pull credentials from the *visible* page, not the raw
         // HTML. Reading from HTML matches anti-bot challenge JS (Cloudflare
         // Turnstile, hCaptcha) whose challenge tokens look like API keys to
@@ -9920,6 +11539,84 @@ ${formatInventory(input.inventory)}${input.hint !== undefined ? `\n\nIMPORTANT
             credentials.api_key = apiKey;
         return credentials;
     }
+    // EXTRACTION_ENGINE path (strangler slice 4) — the same five-pass extraction as
+    // extractCredentials, but the cross-pass accumulation (first full wins; first
+    // truncated remembered) + final resolution go through the pure module
+    // (extraction.ts). This method owns only the I/O + the per-candidate regex
+    // classification. Faithful to the inline passes (incl. the subtlety that passes
+    // 3 + 4 accept FULL hits only — they never record a truncated stub).
+    async extractCredentialsViaEngine() {
+        const curUrl = typeof this.browser.currentUrl === "function" ? this.browser.currentUrl() : "";
+        if (typeof curUrl === "string" && isDocumentationUrl(curUrl))
+            return {};
+        let st = initialExtractionState();
+        const classify = (text) => {
+            const hit = extractApiKeyFromText(text);
+            if (hit === null)
+                return { kind: "none" };
+            return isTruncatedCapture(text, hit) ? { kind: "truncated", value: hit } : { kind: "full", value: hit };
+        };
+        // Pass 1 — visible candidates (records truncated hits).
+        for (const candidate of await this.browser.extractCredentialCandidates()) {
+            st = accumulateCandidate(st, classify(candidate));
+            if (hasFullHit(st))
+                return resolveExtraction(st);
+        }
+        // Pass 1b — body text (records truncated hits).
+        if (!hasFullHit(st)) {
+            st = accumulateCandidate(st, classify(await this.browser.extractText()));
+            if (hasFullHit(st))
+                return resolveExtraction(st);
+        }
+        // Pass 2 — copy-button + clipboard recovery, only when a truncated stub was
+        // seen. The copied value is accepted as a full hit directly (inline does the
+        // same — no re-classification).
+        if (!hasFullHit(st) && st.truncatedHit !== null) {
+            const copied = await this.tryCopyButtonExtraction();
+            if (copied !== null) {
+                st = accumulateCandidate(st, { kind: "full", value: copied });
+                if (hasFullHit(st))
+                    return resolveExtraction(st);
+            }
+        }
+        // Pass 3 — hidden-input scan. FULL hits only (inline ignores truncated here).
+        if (!hasFullHit(st)) {
+            try {
+                for (const value of await this.browser.extractAllInputValues()) {
+                    const c = classify(value);
+                    if (c.kind !== "full")
+                        continue;
+                    st = accumulateCandidate(st, c);
+                    if (hasFullHit(st))
+                        return resolveExtraction(st);
+                }
+            }
+            catch {
+                // non-fatal
+            }
+        }
+        // Pass 4 — copy-button colocation. A bare UUID is accepted directly; otherwise
+        // the normal extractor, FULL only (inline records no truncated here).
+        if (!hasFullHit(st)) {
+            try {
+                const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+                for (const candidate of await this.browser.extractCredentialsNearCopyButtons()) {
+                    const c = UUID_RE.test(candidate)
+                        ? { kind: "full", value: candidate }
+                        : classify(candidate);
+                    if (c.kind !== "full")
+                        continue;
+                    st = accumulateCandidate(st, c);
+                    if (hasFullHit(st))
+                        return resolveExtraction(st);
+                }
+            }
+            catch {
+                // non-fatal
+            }
+        }
+        return resolveExtraction(st);
+    }
     // F10: click the page's Copy button (whose label typically reads
     // "Copy", "Copy key", "Copy secret") and extract the secret from
     // `navigator.clipboard.readText()`. Returns null on any failure —