scripter-x 1.0.0

package/src/flipkart.js

@@ -0,0 +1,186 @@
+// The proven headless Flipkart login flow — runs on the user's residential IP.
+//   SEND   1.rome.api.flipkart.com/1/action/view (msite UA) → guest cookies + requestId
+//   VERIFY 2.rome.api.flipkart.net/1/action/view (native UA) → SESSION.isLoggedIn + at/rt
+//   MINUTES 2.rome.api.flipkart.net/4/page/fetch (HYPERLOCAL) → any orderId ⇒ coupon used
+// Every outbound Flipkart call passes through the global 2s throttle.
+import * as throttle from './throttle.js';
+
+const FKUA = 'Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 ' +
+  '(KHTML, like Gecko) Version/18.5 Mobile/15E148 Safari/604.1 FKUA/msite/0.0.3/msite/Mobile channelType/brw';
+const WEB_HOST = 'https://1.rome.api.flipkart.com';
+const NATIVE_HOST = 'https://2.rome.api.flipkart.net';
+
+export class BlockedError extends Error {}
+export class WrongOTP extends Error {}          // genuinely wrong/expired OTP code
+export class TransientError extends Error {}    // 529 / 5xx / network — retryable, NOT the OTP's fault
+
+const OTP_RES = [/(?:otp|code)\D*(\d{6})\b/i, /\b(\d{6})\D*(?:otp|code)/i, /\b(\d{6})\b/];
+
+export function extractOtp(text) {
+  if (!text) return null;
+  const t = text.trim();
+  if (t.length === 6 && /^\d+$/.test(t)) return t;
+  for (const rx of OTP_RES) { const m = text.match(rx); if (m) return m[1]; }
+  return null;
+}
+
+const nativeUa = (vid) =>
+  `Mozilla/5.0 (Linux; Android 13; sdk_gphone64_arm64 Build/TE1A.240213.009) ` +
+  `FKUA/Retail/3130902/Android/Mobile (Google/sdk_gphone64_arm64/${(vid || '').toLowerCase()})`;
+
+// Parse a fetch Response's set-cookie headers into a {name:value} map.
+function parseCookies(res, jar) {
+  // Node fetch exposes combined set-cookie via getSetCookie() (undici).
+  const raw = typeof res.headers.getSetCookie === 'function'
+    ? res.headers.getSetCookie()
+    : (res.headers.get('set-cookie') ? [res.headers.get('set-cookie')] : []);
+  for (const line of raw) {
+    const m = line.match(/^([^=]+)=([^;]+)/);
+    if (m && m[2] && m[2] !== 'deleted') jar[m[1].trim()] = m[2].trim();
+  }
+}
+
+function cookieHeader(jar) {
+  return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
+}
+
+export class FlipkartLogin {
+  constructor() {
+    this.jar = {};
+    this.reqId = null;
+    this.sn = '';
+    this.vid = '';
+  }
+
+  async sendOtp(mobile) {
+    await throttle.wait();
+    const body = { actionRequestContext: {
+      type: 'LOGIN_IDENTITY_VERIFY', loginIdPrefix: '+91', loginId: mobile.slice(-10),
+      clientQueryParamMap: { ret: '/my-account', entryPage: 'DEFAULT' },
+      loginType: 'MOBILE', verificationType: 'OTP', screenName: 'LOGIN_V4_MOBILE',
+      triggerSna: false, sourceContext: 'DEFAULT' } };
+    let res;
+    try {
+      res = await fetch(`${WEB_HOST}/1/action/view`, {
+        method: 'POST', body: JSON.stringify(body),
+        headers: {
+          Accept: '*/*', 'Content-Type': 'application/json',
+          'X-User-Agent': FKUA, 'User-Agent': FKUA,
+          Origin: 'https://www.flipkart.com', Referer: 'https://www.flipkart.com/',
+          'sec-ch-ua-mobile': '?1', 'sec-ch-ua-platform': '"iOS"', 'sec-fetch-site': 'same-site',
+          'x-request-metaInfo': '{"actionType":"LOGIN_IDENTITY_VERIFY","pageUri":"questContext"}',
+        },
+      });
+    } catch (e) { throw new BlockedError(`send failed: ${e.message}`); }
+    parseCookies(res, this.jar);
+    const data = await res.json().catch(() => ({}));
+    const rid = data?.RESPONSE?.actionResponseContext?.requestId;
+    if (!rid) throw new BlockedError('blocked while sending OTP (no requestId)');
+    this.reqId = rid;
+    this.sn = this.jar.SN || '';
+    this.vid = this.sn ? this.sn.split('.')[0] : '';
+    return rid;
+  }
+
+  async verifyOtp(mobile, otp) {
+    await throttle.wait();
+    const secureToken = this.vid ? `${this.vid}:${this.vid}` : '';
+    const body = { actionRequestContext: {
+      type: 'LOGIN', loginIdPrefix: '+91', loginId: mobile.slice(-10), password: null,
+      otp, otpRequestId: this.reqId, remainingAttempts: 5, phoneNumberFormat: 'E164',
+      loginType: 'MOBILE', verificationType: 'OTP', sourceContext: 'GO_LOGIN', churned: false,
+      otpRegex: null, data: null, clientQueryParamMap: null } };
+    const res = await fetch(`${NATIVE_HOST}/1/action/view`, {
+      method: 'POST', body: JSON.stringify(body),
+      headers: {
+        'User-Agent': 'okhttp/4.9.2', 'X-User-Agent': nativeUa(this.vid),
+        'Content-Type': 'application/json; charset=UTF-8',
+        'x-request-metaInfo': '{"actionType":"LOGIN","pageUri":"questContext"}',
+        at: this.jar.at || '', sn: this.sn, secureToken, secureCookie: this.jar.S || '',
+        Cookie: cookieHeader(this.jar),
+      },
+    });
+    const text = await res.text();
+    // 529/5xx = Flipkart overloaded / soft-blocking this IP — NOT the OTP's fault.
+    if (res.status === 429 || res.status === 529 || res.status >= 500) {
+      throw new TransientError(`Flipkart busy (HTTP ${res.status}) — will retry`);
+    }
+    let data;
+    try { data = JSON.parse(text); } catch { throw new TransientError('Flipkart returned a non-JSON response — will retry'); }
+    const env = data.SESSION;
+    if (!env || !env.isLoggedIn) {
+      // pull Flipkart's own human message if present (the real reason)
+      const fkMsg = flipkartErrorMessage(data, text);
+      const low = (fkMsg + ' ' + text).toLowerCase();
+      if (/incorrect|wrong|invalid|expired|otp.*not.*match|verification code/.test(low)) {
+        throw new WrongOTP(fkMsg || 'OTP code rejected by Flipkart');
+      }
+      // not a clear wrong-OTP and not a 5xx → treat as transient (session/IP hiccup), retry
+      throw new TransientError(fkMsg || `verify did not complete (HTTP ${res.status})`);
+    }
+    // vd / refreshed ud from Set-Cookie
+    const fresh = {};
+    parseCookies(res, fresh);
+    const ud = fresh.ud || this.jar.ud || '';
+    const vd = fresh.vd || '';
+    return {
+      accountId: env.accountId || '', at: env.at || '', rt: env.rt || '', sn: env.sn || '',
+      secureToken, secureCookie: this.jar.S || '', ud, vd,
+      visitId: (env.sn || '').split('.')[0], nsid: env.nsid || '',
+      mobileNo: mobile.slice(-10), isLoggedIn: true, rt_expires_at: rtExpiry(env.rt || ''),
+    };
+  }
+
+  async checkMinutes(session) {
+    await throttle.wait();
+    const body = {
+      requestContext: { type: 'MY_ORDER_PAGE', pageView: '', queryTime: '', cxTenant: 'cs',
+        pageName: '', pageNumber: 1, marketplaceFilter: 'HYPERLOCAL', salesAppFilter: 'FLIPKART,SLAP' },
+      pageType: 'MY_ORDER_PAGE', pageUri: '/cx/my_orders',
+      pageContext: { pageHashKey: null, slotContextMap: null, paginationContextMap: null,
+        paginatedFetch: false, pageNumber: 1, fetchAllPages: false, networkSpeed: 0,
+        trackingContext: null, fetchSeoData: false },
+      locationContext: { pincode: '' } };
+    const res = await fetch(`${NATIVE_HOST}/4/page/fetch`, {
+      method: 'POST', body: JSON.stringify(body),
+      headers: {
+        'User-Agent': 'okhttp/4.9.2', 'X-User-Agent': nativeUa(this.vid),
+        'Content-Type': 'application/json; charset=UTF-8',
+        'x-request-metaInfo': '{"actionType":"LOGIN","pageUri":"questContext"}',
+        at: session.at || '', sn: session.sn || '',
+        secureToken: session.secureToken || '', secureCookie: session.secureCookie || '',
+      },
+    });
+    const text = await res.text();
+    const count = (text.match(/"orderId"\s*:\s*"(OD\w+)"/g) || []).length;
+    return count === 0; // no orders ⇒ coupon available
+  }
+}
+
+function rtExpiry(rt) {
+  try {
+    if ((rt.match(/\./g) || []).length >= 1) {
+      const part = rt.split('.')[1];
+      const json = JSON.parse(Buffer.from(part, 'base64').toString('utf8'));
+      if (json.exp) return new Date(json.exp * 1000).toISOString().replace(/\.\d{3}Z$/, 'Z');
+    }
+  } catch { /* */ }
+  return '';
+}
+
+// Dig Flipkart's own human-readable error out of a verify response. Flipkart surfaces it
+// in a few places (errorMessage.message inside a widget, ERROR_MESSAGE, serverErrorMessage).
+function flipkartErrorMessage(data, rawText) {
+  try {
+    if (data) {
+      if (typeof data.ERROR_MESSAGE === 'string' && data.ERROR_MESSAGE) return data.ERROR_MESSAGE;
+      if (typeof data.serverErrorMessage === 'string' && data.serverErrorMessage) return data.serverErrorMessage;
+    }
+  } catch { /* */ }
+  // the OTP-input widget carries: "errorMessage":{"message":{"text":"This Code is incorrect"}}
+  const m = (rawText || '').match(/"errorMessage"\s*:\s*\{[^}]*"text"\s*:\s*"([^"]+)"/);
+  if (m) return m[1];
+  const m2 = (rawText || '').match(/"message"\s*:\s*\{\s*"type"\s*:\s*"RichTextValue"\s*,\s*"text"\s*:\s*"([^"]+)"/);
+  if (m2) return m2[1];
+  return '';
+}

package/src/index.js

@@ -0,0 +1,105 @@
+#!/usr/bin/env node
+// ScripterX CLI (Node). Two modes:
+//   • no subcommand → the interactive Claude-Code-style shell (ink App)
+//   • a subcommand  → one-shot mode (plain stdio prompts), e.g. `scripterx export foo`
+import React from 'react';
+import { render } from 'ink';
+import * as config from './config.js';
+import { ApiClient } from './api.js';
+import { paint } from './util.js';
+import { ask, askSecret, confirm, askChoice } from './prompt.js';
+import { REGISTRY } from './commands.js';
+import { App } from './ui/App.js';
+
+const VERSION = '1.0.0';
+const h = React.createElement;
+
+// ── one-shot io: plain stdio, for `scripterx <cmd>` ──
+const cliIo = {
+  print: (line, color) => {
+    if (color === 'accent') console.log(paint.accent(line));
+    else if (color === 'danger') console.log(paint.err(line));
+    else if (line.includes('✓')) console.log(line.replace('✓', paint.ok('✓')));
+    else if (line.includes('✗')) console.log(line.replace('✗', paint.err('✗')));
+    else if (line.trimStart().startsWith('!')) console.log(line.replace('!', paint.warn('!')));
+    else if (line.includes('◉')) console.log(line.replace('◉', paint.accent('◉')));
+    else console.log(line);
+  },
+  ask: (msg, opts = {}) => (opts.mask ? askSecret(msg) : ask(msg, { dflt: opts.dflt })),
+  confirm: (msg, dflt) => confirm(msg, { dflt }),
+  select: async (msg, items) => {
+    const norm = items.map((it) => (typeof it === 'string' ? { label: it, value: it } : it));
+    const choice = await askChoice(msg, norm.map((n) => n.label), { dflt: norm[0]?.label });
+    return norm.find((n) => n.label === choice) || norm[0];
+  },
+  setUser: () => {},
+  // one-shot run: no live ink view, just let the worker run (events ignored)
+  startRun: () => {}, endRun: () => {},
+};
+
+const HELP = `${paint.bold('scripterx')} — local Flipkart session extractor
+
+  scripterx                 interactive shell (recommended)
+  scripterx run [flags]     run an extraction directly
+       --provider otpcart|tempotp  --count N  --concurrency N  --name <n>  --check-minutes
+  scripterx campaigns | export [name] | balance | creds | stop | delete | whoami | config
+  scripterx --version`;
+
+function parseFlags(args) {
+  const out = { _: [] };
+  for (let i = 0; i < args.length; i++) {
+    const a = args[i];
+    if (a.startsWith('--')) {
+      const key = a.slice(2);
+      if (key.startsWith('no-')) out[key.slice(3)] = false;
+      else if (i + 1 < args.length && !args[i + 1].startsWith('--')) out[key] = args[++i];
+      else out[key] = true;
+    } else out._.push(a);
+  }
+  return out;
+}
+
+async function main() {
+  const argv = process.argv.slice(2);
+  const cmd = argv[0];
+  const flags = parseFlags(argv.slice(1));
+
+  if (flags.version || cmd === '--version') { console.log(`ScripterX ${VERSION}`); return; }
+  if (cmd === '-h' || cmd === '--help') { console.log(HELP); return; }
+
+  // ── interactive shell (default) ──
+  if (!cmd) {
+    const cfg = config.load();
+    let username = cfg.username;
+    // validate token quietly so the banner shows the right user
+    if (cfg.jwt) { try { username = (await new ApiClient().me()).username; } catch { username = null; } }
+    const ctx = {
+      username, server: cfg.server_base_url,
+      dispatch: async (name, io) => {
+        const fn = REGISTRY[name] || REGISTRY[name.split(' ')[0]];
+        if (!fn) { io.print(`  ✗ unknown command: ${name} (type 'help')`); return; }
+        await fn(io, null, {});
+      },
+    };
+    const { waitUntilExit } = render(h(App, { ctx }));
+    await waitUntilExit();
+    return;
+  }
+
+  // ── one-shot mode ──
+  const map = { run: 'run', campaigns: 'campaigns', export: 'export', balance: 'balance',
+    creds: 'creds', stop: 'stop', delete: 'delete', whoami: 'whoami', login: 'login',
+    logout: 'logout', config: 'config', help: 'help' };
+  const fnName = map[cmd];
+  if (!fnName) { cliIo.print(`  ✗ unknown command: ${cmd}`); console.log(HELP); process.exit(1); }
+  const args = {
+    provider: flags.provider, count: flags.count ? +flags.count : null,
+    concurrency: flags.concurrency ? +flags.concurrency : null, name: flags.name,
+    checkMinutes: flags['check-minutes'] === true ? true : (flags['check-minutes'] === false ? false : null),
+    campaign: flags._[0], out: flags.out, action: flags._[0], value: flags._[1],
+  };
+  try { await REGISTRY[fnName](cliIo, null, args); }
+  catch (e) { cliIo.print(`  ✗ ${e.message}`); process.exit(1); }
+}
+
+main();

package/src/prompt.js

@@ -0,0 +1,60 @@
+// Minimal interactive prompts (readline) for the non-ink screens (login, run setup).
+import readline from 'node:readline';
+import { paint } from './util.js';
+
+function makeRl() {
+  return readline.createInterface({ input: process.stdin, output: process.stdout });
+}
+
+export function ask(question, { dflt } = {}) {
+  const rl = makeRl();
+  const suffix = dflt != null ? paint.dim(` (${dflt})`) : '';
+  return new Promise((resolve) => {
+    rl.question(`  ${paint.bold(question)}${suffix}: `, (a) => {
+      rl.close();
+      resolve(a.trim() || (dflt != null ? String(dflt) : ''));
+    });
+  });
+}
+
+export function askChoice(question, choices, { dflt } = {}) {
+  return ask(`${question} ${paint.dim(`[${choices.join('/')}]`)}`, { dflt }).then((a) => {
+    const v = (a || dflt || '').toLowerCase();
+    return choices.includes(v) ? v : (dflt || choices[0]);
+  });
+}
+
+export function askInt(question, { dflt } = {}) {
+  return ask(question, { dflt }).then((a) => {
+    const n = parseInt(a, 10);
+    return Number.isFinite(n) ? n : dflt;
+  });
+}
+
+export function confirm(question, { dflt = true } = {}) {
+  return ask(`${question} ${paint.dim('[y/n]')}`, { dflt: dflt ? 'y' : 'n' })
+    .then((a) => /^y/i.test(a));
+}
+
+// Hidden password input (no echo).
+export function askSecret(question) {
+  return new Promise((resolve) => {
+    const rl = makeRl();
+    const stdin = process.stdin;
+    const onData = (chBuf) => {
+      const ch = chBuf.toString();
+      if (ch === '\n' || ch === '\r' || ch === '') { stdin.removeListener('data', onData); }
+    };
+    rl._writeToOutput = (str) => {
+      // hide everything after the prompt
+      if (rl.line.length === 0) rl.output.write(str);
+      else rl.output.write('');
+    };
+    stdin.on('data', onData);
+    rl.question(`  ${paint.bold(question)}: `, (a) => {
+      rl.close();
+      process.stdout.write('\n');
+      resolve(a.trim());
+    });
+  });
+}

package/src/providers/otpcart.js

@@ -0,0 +1,95 @@
+// OTPCart provider (api.otpcart.xyz) — email/password → JWT, WebSocket OTP push.
+import WebSocket from 'ws';
+
+const BASE = 'https://api.otpcart.xyz';
+const WS_URL = 'wss://api.otpcart.xyz/check-otp';
+const SERVICE_ID = '68b19097980e8cf480b1df04';
+const OTP_RE = /\b(\d{6})\b/;
+const UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 ' +
+  '(KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36';
+
+export async function login(email, password) {
+  const res = await fetch(`${BASE}/users/login`, {
+    method: 'POST', headers: { 'Content-Type': 'application/json', Origin: 'https://www.otpcart.xyz', 'User-Agent': UA },
+    body: JSON.stringify({ email, password }), signal: AbortSignal.timeout(15000),
+  });
+  const tok = (await res.json().catch(() => ({}))).token;
+  if (!tok) throw new Error('OTPCart login failed — check email/password');
+  return tok;
+}
+
+export async function balance() { return null; }
+
+export class OTPCartProvider {
+  name = 'otpcart';
+  constructor(jwt, deepCheck = false) { this.jwt = jwt; this.deepCheck = deepCheck; }
+
+  _hdrs() {
+    return { 'Content-Type': 'application/json', Authorization: `Bearer ${this.jwt}`,
+             Origin: 'https://www.otpcart.xyz', 'User-Agent': UA };
+  }
+
+  async rentOnce() {
+    let d;
+    try {
+      const res = await fetch(`${BASE}/mobile/generate`, {
+        method: 'POST', headers: this._hdrs(),
+        body: JSON.stringify({ serviceId: SERVICE_ID, isDeepCheck: this.deepCheck }),
+        signal: AbortSignal.timeout(15000),
+      });
+      d = await res.json();
+    } catch (e) { return { number: null, msg: e.message, err: e }; }
+    if (d.isNumberGenerated && d.mobile?.mobileno) {
+      const m = d.mobile;
+      return { number: { mobile: m.mobileno, txn: m.serialNumber || '', extra: m._id || '', cost: Number(m.price || 0) }, msg: 'ok', err: null };
+    }
+    return { number: null, msg: d.message || 'no number available', err: 'err' };
+  }
+
+  startOtp(number) { return new OTPCartStream(this.jwt, number.txn, number.extra); }
+
+  async cancel(number) {
+    try {
+      await fetch(`${BASE}/otp/cancelOtp`, {
+        method: 'POST', headers: this._hdrs(),
+        body: JSON.stringify({ serialNumber: number.txn, mobileId: number.extra, serviceId: SERVICE_ID }),
+        signal: AbortSignal.timeout(12000),
+      });
+    } catch { /* */ }
+  }
+}
+
+class OTPCartStream {
+  constructor(jwt, serial, mobileId) {
+    this.serial = serial;
+    this.mobileId = mobileId;
+    this.otp = null;
+    this.arrived = false;
+    this.ws = new WebSocket(`${WS_URL}?token=${jwt}`);
+    this.ws.on('message', (raw) => {
+      let msg; try { msg = JSON.parse(raw.toString()); } catch { return; }
+      if (msg.otpMessage) {
+        const m = String(msg.otpMessage).match(OTP_RE);
+        if (m) { this.otp = m[1]; this.arrived = true; }
+      }
+    });
+    this.ws.on('error', () => { /* swallow — poll() just returns nothing */ });
+  }
+
+  async poll() {
+    if (this.otp) { const o = this.otp; this.otp = null; return { otp: o, arrived: true }; }
+    return { otp: null, arrived: this.arrived };
+  }
+
+  resend() {
+    try {
+      if (this.ws.readyState === WebSocket.OPEN) {
+        this.ws.send(JSON.stringify({ serialNumber: this.serial, mobileId: this.mobileId, resend: true }));
+        return true;
+      }
+    } catch { /* */ }
+    return false;
+  }
+
+  close() { try { this.ws.close(); } catch { /* */ } }
+}

package/src/providers/tempotp.js

@@ -0,0 +1,83 @@
+// TempOTP provider (api.tempotp.online) — GET-based, single API key, HTTP-poll OTP.
+import { extractOtp } from '../flipkart.js';
+
+const BASE = 'https://api.tempotp.online';
+export const SERVICES = { '1040': 10.0, '940': 16.0 };
+export const DEFAULT_SERVICE = '940';
+const COUNTRY = '22';
+
+async function getJson(path, params) {
+  const url = `${BASE}${path}?` + new URLSearchParams(params);
+  const res = await fetch(url, { signal: AbortSignal.timeout(12000) });
+  return res.json();
+}
+
+export async function balance(apiKey) {
+  try {
+    const d = await getJson('/getBalance', { apikey: apiKey });
+    if (d.status === 200) return d.balance ?? 0;
+  } catch { /* */ }
+  return null;
+}
+
+function bought(d) {
+  if (!d || typeof d !== 'object') return null;
+  const tid = d.tid || d.id || d.transaction_id || d.order_id;
+  const num = d.number || d.phone || d.mobile;
+  return tid && num ? { tid: String(tid), number: String(num) } : null;
+}
+
+export class TempOTPProvider {
+  name = 'tempotp';
+  constructor(apiKey, serviceId = DEFAULT_SERVICE) {
+    this.apiKey = apiKey;
+    this.serviceId = SERVICES[serviceId] ? serviceId : DEFAULT_SERVICE;
+    this.cost = SERVICES[this.serviceId];
+  }
+
+  async rentOnce() {
+    let d;
+    try { d = await getJson('/buyNumber', { apikey: this.apiKey, id: this.serviceId, country: COUNTRY }); }
+    catch (e) { return { number: null, msg: e.message, err: e }; }
+    if (d.status === 400 || d.status === 401) return { number: null, msg: d.message, err: 'err' };
+    let got = bought(d) || (typeof d.data === 'object' && !Array.isArray(d.data) ? bought(d.data) : null);
+    if (!got && Array.isArray(d.data) && d.data.length) got = bought(d.data[0]);
+    if (got) return { number: { mobile: got.number, txn: got.tid, extra: '', cost: this.cost }, msg: 'ok', err: null };
+    return { number: null, msg: d.message || 'no number available', err: 'err' };
+  }
+
+  startOtp(number) { return new TempStream(this.apiKey, number.txn); }
+
+  async cancel(number) {
+    try { await getJson('/cancelNumber', { apikey: this.apiKey, id: number.txn }); } catch { /* */ }
+  }
+}
+
+class TempStream {
+  constructor(apiKey, txn) { this.apiKey = apiKey; this.txn = txn; this.last = 0; this.arrived = false; }
+
+  async poll() {
+    if (Date.now() - this.last < 2000) return { otp: null, arrived: this.arrived };
+    this.last = Date.now();
+    let d;
+    try { d = await getJson('/checkSms', { apikey: this.apiKey, id: this.txn }); }
+    catch { return { otp: null, arrived: this.arrived }; }
+    const arr = d.sms;
+    if (Array.isArray(arr) && arr.length) {
+      this.arrived = true;
+      for (const s of arr) {
+        const msg = (s && typeof s === 'object') ? s.msg : s;
+        if (typeof msg === 'string') { const otp = extractOtp(msg); if (otp) return { otp, arrived: true }; }
+      }
+    }
+    if (d.status === 400 && d.message) {
+      this.arrived = true;
+      const otp = extractOtp(d.message);
+      if (otp) return { otp, arrived: true };
+    }
+    return { otp: null, arrived: this.arrived };
+  }
+
+  resend() { return false; }
+  close() { /* no socket */ }
+}

package/src/theme.js

@@ -0,0 +1,59 @@
+// Visual theme — Claude-Code / modern-editor aesthetic for the ink TUI.
+export const COLORS = {
+  accent: '#7dd3fc',   // cyan — primary
+  success: '#86efac',  // green
+  warn: '#fcd34d',     // amber
+  danger: '#fca5a5',   // red
+  muted: 'gray',
+};
+
+export const BRAND_GRAD = ['#7dd3fc', '#a5b4fc', '#c4b5fd']; // cyan→indigo→violet
+
+export const STATUS = {
+  success: { glyph: '✓', color: COLORS.success },
+  failed: { glyph: '✗', color: COLORS.danger },
+  cancelled: { glyph: '⊘', color: COLORS.warn },
+  running: { glyph: '▸', color: COLORS.accent },
+  completed: { glyph: '•', color: COLORS.muted },
+  pending: { glyph: '•', color: COLORS.muted },
+  stopping: { glyph: '◐', color: COLORS.warn },
+};
+
+export const PHASE_LABEL = {
+  renting: 'renting number',
+  rent_retry: 'retrying rent',
+  rent_wait: 'no numbers — waiting',
+  ws: 'opening OTP channel',
+  send_otp: 'sending OTP',
+  await_otp: 'waiting for OTP',
+  otp_resend: 'OTP resent',
+  verify: 'verifying OTP',
+  minutes: 'checking Minutes',
+  saving: 'saving session',
+  done: 'extracted',
+  failed: 'failed',
+  cancelling: 'releasing number',
+  cancelled: 'cancelled',
+  rented: 'got a number',
+};
+
+function hexRgb(h) {
+  h = h.replace('#', '');
+  return [parseInt(h.slice(0, 2), 16), parseInt(h.slice(2, 4), 16), parseInt(h.slice(4, 6), 16)];
+}
+
+// Return an array of {char, color} for a smooth gradient sweep across `colors`.
+export function gradientChars(s, colors = BRAND_GRAD) {
+  const stops = colors.map(hexRgb);
+  const n = Math.max(s.length - 1, 1);
+  return [...s].map((ch, i) => {
+    const pos = (i / n) * (stops.length - 1);
+    const lo = Math.floor(pos);
+    const hi = Math.min(lo + 1, stops.length - 1);
+    const f = pos - lo;
+    const r = Math.round(stops[lo][0] + (stops[hi][0] - stops[lo][0]) * f);
+    const g = Math.round(stops[lo][1] + (stops[hi][1] - stops[lo][1]) * f);
+    const b = Math.round(stops[lo][2] + (stops[hi][2] - stops[lo][2]) * f);
+    return { char: ch, color: `#${r.toString(16).padStart(2, '0')}${g.toString(16).padStart(2, '0')}${b.toString(16).padStart(2, '0')}` };
+  });
+}

package/src/throttle.js

@@ -0,0 +1,23 @@
+// Global 2-second throttle for Flipkart HTTP calls — serializes all FK requests
+// (send/verify/resend/minutes) across workers so a single residential IP never bursts.
+// Provider (OTPCart/TempOTP) and server calls are NOT throttled.
+
+const MIN_GAP = 2000; // ms
+let chain = Promise.resolve();
+let last = 0;
+
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+
+// Acquire the throttle: returns a promise that resolves once it's this caller's turn
+// AND at least MIN_GAP has passed since the previous FK call. Serializes via a chain.
+export function wait() {
+  const turn = chain.then(async () => {
+    const now = Date.now();
+    const gap = now - last;
+    if (gap < MIN_GAP) await sleep(MIN_GAP - gap);
+    last = Date.now();
+  });
+  // keep the chain going but swallow errors so one failure doesn't break the queue
+  chain = turn.catch(() => {});
+  return turn;
+}