scripter-x 1.0.15 → 1.0.17

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scripter-x",
-  "version": "1.0.15",
+  "version": "1.0.17",
   "description": "ScripterX — local Flipkart session extractor (runs on your residential IP, syncs to marthunt)",
   "type": "module",
   "bin": {

package/src/commands.js

@@ -224,80 +224,204 @@ export async function run(io, api, args = {}) {
 // code → we verify, build the ZAUTH1 envelope, and write {phone}-{timestamp}.txt.
 // LOOPS: after each one it asks for the next number — keep going until the user
 // presses Esc (or double Ctrl+C). Runs entirely on your IP.
-export async function zeptoCmd(io, _api, args = {}) {
-  io.print('  ◉ Zepto — local OTP → ZAUTH1 envelope');
-  io.print('  ◉ press esc to cancel', 'accent');
-
-  let done = 0;
-  // double-Ctrl+C to exit (only meaningful in one-shot mode; the ink App owns its own Ctrl+C)
-  let lastSig = 0, stopping = false;
-  const onSigint = () => {
-    const now = Date.now();
-    if (now - lastSig < 2000) { stopping = true; process.exit(0); }
-    lastSig = now;
-    io.print('  ⚠ press Ctrl+C again to exit');
-  };
-  const interactive = !!io.startRun; // ink App present → don't grab SIGINT
-  if (!interactive) process.on('SIGINT', onSigint);
-
-  try {
-    for (;;) {
-      // number entry — escapable: Esc stops the whole loop
-      const raw = args.number || await io.ask('zepto phone number', { escapable: true });
-      if (raw === CANCEL) break;
-      const number = String(raw).replace(/\D/g, '').slice(-10);
-      if (number.length !== 10) { io.print('  ! enter a 10-digit number', 'danger'); if (args.number) break; continue; }
-
-      try {
-        const session = zepto.newSession(number);
-        io.print(`  ◉ sending OTP to ${number} …`);
-        const s = await zepto.sendOtp(session);
-        if (!s.ok) { io.print(`  ✗ could not send OTP: ${s.msg || s.status}`, 'danger'); if (args.number) break; continue; }
-        io.print('  ✓ OTP sent');
-
-        // OTP entry — escapable too (Esc abandons this number and loops back)
-        const otpRaw = args.otp || await io.ask('enter the OTP', { escapable: true });
-        if (otpRaw === CANCEL) break;
-        const v = await zepto.verifyOtp(session, String(otpRaw).trim());
-        if (!v.ok) { io.print(`  ✗ OTP verify failed: ${v.error || v.status}`, 'danger'); if (args.number) break; continue; }
-        io.print(`  ✓ logged in${v.user?.fullName ? ` as ${v.user.fullName}` : ''}`);
-
-        // Build the ZAUTH1 envelope — the format the ZeptoAuthManager tool imports.
-        const envelope = zepto.encodeEnvelope(zepto.toSessionKeys(session), args.cert);
-
-        // {phone}-{timestamp}.txt  in the chosen dir (default ~/Downloads/scripterx/zepto)
-        const stamp = new Date().toISOString().replace(/[:.]/g, '-');
-        const fname = `${number}-${stamp}.txt`;
-        let dest;
-        if (args.out) {
-          const expanded = args.out.startsWith('~') ? join(homedir(), args.out.slice(1)) : args.out;
-          dest = /\.(txt|json)$/i.test(expanded) ? expanded : join(expanded, fname);
-        } else {
-          const downloads = join(homedir(), 'Downloads');
-          dest = join(existsSync(downloads) ? downloads : homedir(), 'scripterx', 'zepto', fname);
+export async function zeptoCmd(io, api, args = {}) {
+  const mode = args.manual ? 'manual' : (args.auto ? 'auto' : (await io.select('Choose Zepto login flow', [
+    { label: 'Auto', value: 'auto', description: 'Headless extraction via OTPCart (Recommended)' },
+    { label: 'Manual', value: 'manual', description: 'Enter phone + type OTP manually' }
+  ])).value || 'auto');
+
+  if (mode === 'manual') {
+    io.print('  ◉ Zepto — local OTP → ZAUTH1 envelope (Manual)');
+    io.print('  ◉ press esc to cancel', 'accent');
+
+    let done = 0;
+    // double-Ctrl+C to exit (only meaningful in one-shot mode; the ink App owns its own Ctrl+C)
+    let lastSig = 0, stopping = false;
+    const onSigint = () => {
+      const now = Date.now();
+      if (now - lastSig < 2000) { stopping = true; process.exit(0); }
+      lastSig = now;
+      io.print('  ⚠ press Ctrl+C again to exit');
+    };
+    const interactive = !!io.startRun; // ink App present → don't grab SIGINT
+    if (!interactive) process.on('SIGINT', onSigint);
+
+    try {
+      for (;;) {
+        // number entry — escapable: Esc stops the whole loop
+        const raw = args.number || await io.ask('zepto phone number', { escapable: true });
+        if (raw === CANCEL) break;
+        const number = String(raw).replace(/\D/g, '').slice(-10);
+        if (number.length !== 10) { io.print('  ! enter a 10-digit number', 'danger'); if (args.number) break; continue; }
+
+        try {
+          const session = zepto.newSession(number);
+          io.print(`  ◉ sending OTP to ${number} …`);
+          const s = await zepto.sendOtp(session);
+          if (!s.ok) { io.print(`  ✗ could not send OTP: ${s.msg || s.status}`, 'danger'); if (args.number) break; continue; }
+          io.print('  ✓ OTP sent');
+
+          // OTP entry — escapable too (Esc abandons this number and loops back)
+          const otpRaw = args.otp || await io.ask('enter the OTP', { escapable: true });
+          if (otpRaw === CANCEL) break;
+          const v = await zepto.verifyOtp(session, String(otpRaw).trim());
+          if (!v.ok) { io.print(`  ✗ OTP verify failed: ${v.error || v.status}`, 'danger'); if (args.number) break; continue; }
+          io.print(`  ✓ logged in${v.user?.fullName ? ` as ${v.user.fullName}` : ''}`);
+
+          // Build the ZAUTH1 envelope — the format the ZeptoAuthManager tool imports.
+          const envelope = zepto.encodeEnvelope(zepto.toSessionKeys(session), args.cert);
+
+          // {phone}-{timestamp}.txt  in the chosen dir (default ~/Downloads/scripterx/zepto)
+          const stamp = new Date().toISOString().replace(/[:.]/g, '-');
+          const fname = `${number}-${stamp}.txt`;
+          let dest;
+          if (args.out) {
+            const expanded = args.out.startsWith('~') ? join(homedir(), args.out.slice(1)) : args.out;
+            dest = /\.(txt|json)$/i.test(expanded) ? expanded : join(expanded, fname);
+          } else {
+            const downloads = join(homedir(), 'Downloads');
+            dest = join(existsSync(downloads) ? downloads : homedir(), 'scripterx', 'zepto', fname);
+          }
+          mkdirSync(dirname(dest), { recursive: true });
+          writeFileSync(dest, envelope + '\n');
+          done++;
+          io.print('  ✓ envelope saved to:');
+          io.print(`     ${dest}`, 'accent');
+          io.print('  ◉ paste into ZeptoAuthManager → Import:');
+          io.print(`     ${envelope}`, 'accent');
+        } catch (e) {
+          // never let one bad number kill the loop — surface the real reason and keep going
+          io.print(`  ✗ ${number}: ${e.message}`, 'danger');
+          if (args.number) break;
+          continue;
         }
-        mkdirSync(dirname(dest), { recursive: true });
-        writeFileSync(dest, envelope + '\n');
-        done++;
-        io.print('  ✓ envelope saved to:');
-        io.print(`     ${dest}`, 'accent');
-        io.print('  ◉ paste into ZeptoAuthManager → Import:');
-        io.print(`     ${envelope}`, 'accent');
-      } catch (e) {
-        // never let one bad number kill the loop — surface the real reason and keep going
-        io.print(`  ✗ ${number}: ${e.message}`, 'danger');
+
+        // one-shot (a number was passed on the CLI): do exactly one and stop
         if (args.number) break;
-        continue;
+        io.print('  ◉ next number (esc to finish)', 'accent');
       }
+    } finally {
+      if (!interactive && !stopping) process.off('SIGINT', onSigint);
+    }
+    io.print(`  ✓ done — ${done} envelope(s) saved.`);
+    return;
+  }
+
+  // ── Auto Mode ─────────────────────────────────────────────────────────────
+  io.print('  ◉ Zepto — local OTP → ZAUTH1 envelope (Auto)');
+  const cfg = config.load();
+  let email = cfg.otpcart_email, password = cfg.otpcart_password;
+  if (email && password) {
+    const choice = await io.select(`saved OTPCart: ${email}`, [
+      { label: 'use saved', value: 'use', description: email },
+      { label: 'add new', value: 'new', description: 'enter different creds' }]);
+    if ((choice.value || choice) === 'new') { email = null; password = null; }
+  }
+  let freshlyEntered = false;
+  if (!email || !password) {
+    email = await io.ask('OTPCart email');
+    password = await io.ask('OTPCart password', { mask: true });
+    freshlyEntered = true;
+  }
+  const jwt = await oc.login(email, password);
+  io.print('  ✓ OTPCart connected');
+  if (freshlyEntered && await io.confirm('save these creds locally for next time?', true)) {
+    config.setMany({ otpcart_email: email, otpcart_password: password });
+  }
+
+  const count = args.count || Number(await io.ask('how many sessions?', { dflt: '1' }));
+  const concurrency = args.concurrency || Number(await io.ask('concurrency (keep low — 1 recommended)', { dflt: '1' }));
+  const cert = args.cert || zepto.DEFAULT_CERT_SHA;
+  const name = args.name || `Zepto-${Math.floor(Date.now() / 1000)}`;
+
+  if (!(await io.confirm(`start ${count} Zepto auto extractions at concurrency ${concurrency}?`, true))) return;
 
-      // one-shot (a number was passed on the CLI): do exactly one and stop
-      if (args.number) break;
-      io.print('  ◉ next number (esc to finish)', 'accent');
+  const ZEPTO_SERVICE_ID = '68b2cf55980e8cf480b28c96';
+  const provider = new oc.OTPCartProvider(jwt, false, ZEPTO_SERVICE_ID);
+
+  const { ZeptoWorker } = await import('./worker.js');
+  const { RunController } = await import('./controller.js');
+  const controller = new RunController({ name, provider: 'otpcart-zepto', requested: count });
+  const worker = new ZeptoWorker(provider, {
+    requested: count,
+    concurrency,
+    certSha: cert,
+    onEvent: controller.handleEvent,
+  });
+  controller.stop = () => worker.stop();
+
+  const results = [];
+  const origRecord = worker._record.bind(worker);
+  worker._record = (res) => {
+    results.push(res);
+    origRecord(res);
+  };
+
+  const interactive = !!io.startRun;
+  if (interactive) io.startRun(controller);
+  let onSigint = null;
+  if (!interactive) {
+    let lastSig = 0;
+    onSigint = () => {
+      const now = Date.now();
+      if (now - lastSig < 2000) { worker.stop(); process.exit(0); }
+      lastSig = now;
+      worker.stop();
+      io.print('  ⚠ stopping campaign — press Ctrl+C again to exit');
+    };
+    process.on('SIGINT', onSigint);
+  }
+
+  await worker.run();
+  if (onSigint) process.off('SIGINT', onSigint);
+  if (io.endRun) io.endRun();
+
+  io.print(`  ✓ done — ${worker.stats.succeeded} succeeded · ${worker.stats.failed} failed · ${worker.stats.cancelled} cancelled · ₹${worker.stats.charges} spent`);
+
+  if (worker.stats.succeeded > 0) {
+    const saved = await saveZeptoSessions(results, name, args.out);
+    if (saved) {
+      io.print(`  ✓ saved ${saved.count} session(s) to:`);
+      io.print(`     ${saved.path}`, 'accent');
+      io.print('  ◉ ZAUTH1 envelopes:');
+      for (const r of results) {
+        if (r.status === 'success') {
+          io.print(`     +91${r.mobile}  →  ${r.envelope}`, 'accent');
+        }
+      }
     }
-  } finally {
-    if (!interactive && !stopping) process.off('SIGINT', onSigint);
+  } else {
+    io.print('  ◉ no sessions extracted — nothing to save.');
   }
-  io.print(`  ✓ done — ${done} envelope(s) saved.`);
+}
+
+async function saveZeptoSessions(results, name, out) {
+  const { statSync } = await import('node:fs');
+  const ok = results.filter((r) => r.status === 'success');
+  if (!ok.length) return null;
+
+  const safeName = name.replace(/[^A-Za-z0-9._-]+/g, '-').replace(/^-+|-+$/g, '') || 'Zepto';
+  const fname = `Zepto-${safeName}-${Math.floor(Date.now() / 1000)}.json`;
+  let dest;
+  if (out) {
+    const expanded = out.startsWith('~') ? join(homedir(), out.slice(1)) : out;
+    const isDir = (existsSync(expanded) && statSync(expanded).isDirectory()) || /[/\\]$/.test(out);
+    dest = isDir ? join(expanded, fname) : expanded;
+  } else {
+    const downloads = join(homedir(), 'Downloads');
+    const base = existsSync(downloads) ? downloads : homedir();
+    dest = join(base, 'scripterx', fname);
+  }
+
+  const payload = ok.map((r) => ({
+    mobileNo: r.mobile,
+    zauth1_envelope: r.envelope,
+    session: r.session,
+  }));
+
+  mkdirSync(dirname(dest), { recursive: true });
+  writeFileSync(dest, JSON.stringify(payload, null, 2));
+  return { path: dest, count: payload.length };
 }
 
 export async function campaigns(io, api) {

package/src/flipkart.js

@@ -159,7 +159,7 @@ export class FlipkartLogin {
       },
     });
     const text = await res.text();
-    const count = (text.match(/"orderId"\s*:\s*"(OD\w+)"/g) || []).length;
+    const count = (text.match(/OD\d{15,}/g) || []).length;
     return count === 0; // no orders ⇒ coupon available
   }
 

package/src/index.js

@@ -50,8 +50,9 @@ const HELP = `${paint.bold('scripterx')} — local Flipkart session extractor
   scripterx                 interactive shell (recommended)
   scripterx run [flags]     run an extraction directly
        --provider otpcart|tempotp  --count N  --concurrency N  --name <n>  --check-minutes
-  scripterx zepto [flags]   local Zepto OTP login → {phone}-{timestamp}.txt (ZAUTH1 envelope)
-       --number <10-digit>  --otp <code>  --out <file|dir>  --cert <64hex>
+  scripterx zepto [flags]   local Zepto OTP login → ZAUTH1 envelope (JSON/txt)
+       --auto | --manual    --count N  --concurrency N  --out <file|dir>  --cert <64hex>
+       --number <10-digit>  --otp <code>
        (envelope keyed to ZeptoAuthManager cert; override with --cert or $ZAUTH_CERT_SHA)
   scripterx campaigns | export [name] | balance | creds | stop | delete | whoami | config
   scripterx --version`;
@@ -115,6 +116,7 @@ async function main() {
     mode: flags.email ? 'json_email' : flags.mode, // --email or --mode json_email
     target: flags.target, // run: 'flipkart' | 'zepto'
     number: flags.number, otp: flags.otp, cert: flags.cert, // zepto: local OTP login → ZAUTH1 envelope
+    auto: flags.auto, manual: flags.manual,
     campaign: flags._[0], out: flags.out, action: flags._[0], value: flags._[1],
   };
   try { await REGISTRY[fnName](cliIo, null, args); }

package/src/providers/otpcart.js

@@ -22,7 +22,11 @@ export async function balance() { return null; }
 
 export class OTPCartProvider {
   name = 'otpcart';
-  constructor(jwt, deepCheck = false) { this.jwt = jwt; this.deepCheck = deepCheck; }
+  constructor(jwt, deepCheck = false, serviceId = SERVICE_ID) {
+    this.jwt = jwt;
+    this.deepCheck = deepCheck;
+    this.serviceId = serviceId;
+  }
 
   _hdrs() {
     return { 'Content-Type': 'application/json', Authorization: `Bearer ${this.jwt}`,
@@ -34,7 +38,7 @@ export class OTPCartProvider {
     try {
       const res = await fetch(`${BASE}/mobile/generate`, {
         method: 'POST', headers: this._hdrs(),
-        body: JSON.stringify({ serviceId: SERVICE_ID, isDeepCheck: this.deepCheck }),
+        body: JSON.stringify({ serviceId: this.serviceId, isDeepCheck: this.deepCheck }),
         signal: AbortSignal.timeout(15000),
       });
       d = await res.json();
@@ -52,7 +56,7 @@ export class OTPCartProvider {
     try {
       await fetch(`${BASE}/otp/cancelOtp`, {
         method: 'POST', headers: this._hdrs(),
-        body: JSON.stringify({ serialNumber: number.txn, mobileId: number.extra, serviceId: SERVICE_ID }),
+        body: JSON.stringify({ serialNumber: number.txn, mobileId: number.extra, serviceId: this.serviceId }),
         signal: AbortSignal.timeout(12000),
       });
     } catch { /* */ }

package/src/util.js

@@ -84,11 +84,13 @@ export async function saveSessions(api, cid, { campaignName, out } = {}) {
   const minutesUsed = [];   // coupon_eligible=false → already placed a Minutes order
   const unchecked = [];      // coupon_eligible absent → check wasn't done for this account
 
+  let hasChecked = false;
   for (const a of accounts) {
     const sess = a.session;
     if (!sess) continue;
     const eligible = a.coupon_eligible;
-    if (checkMinutes && eligible !== undefined && eligible !== null) {
+    if (eligible !== undefined && eligible !== null) {
+      hasChecked = true;
       (eligible ? minutesFree : minutesUsed).push(sess);
     } else {
       unchecked.push(sess);
@@ -96,7 +98,7 @@ export async function saveSessions(api, cid, { campaignName, out } = {}) {
   }
 
   const results = [];
-  if (checkMinutes && (minutesFree.length || minutesUsed.length)) {
+  if (hasChecked || (checkMinutes && (minutesFree.length || minutesUsed.length))) {
     const destFree = write('-minutes-free', minutesFree);
     if (destFree) results.push({ label: '🟢 minutes-free (₹100 coupon)', path: destFree, count: minutesFree.length });
 

package/src/worker.js

@@ -5,6 +5,7 @@
 import { FlipkartLogin, WrongOTP, BlockedError, TransientError } from './flipkart.js';
 import { CampaignLogger } from './logger.js';
 import * as kuku from './providers/kuku.js';
+import * as zepto from './providers/zepto.js';
 
 const OTP_RESEND_AFTER = 60_000;
 const OTPCART_DEADLINE = 120_000;
@@ -241,6 +242,9 @@ export class Worker {
 
       this._emit(slot, { phase: 'saving', detail: 'saving session' });
       this.log(`SUCCESS ${number.mobile} — session extracted (₹${number.cost})${res.email_linked ? ` + email ${res.linked_email}` : ''}`);
+      res.status = 'success';
+      res.cost = number.cost;
+      res.session = session;
       const doneDetail = res.email_linked ? `extracted + ${res.linked_email}` : 'extracted';
       this._emit(slot, { phase: 'done', detail: doneDetail });
       releaseOnce(true, doneDetail); // success still releases the number (OTP already consumed)
@@ -454,3 +458,184 @@ export class Worker {
     return p;
   }
 }
+
+export class ZeptoWorker {
+  constructor(provider, { requested, concurrency, certSha, onEvent }) {
+    this.provider = provider;
+    this.requested = requested;
+    this.concurrency = Math.max(1, Math.min(concurrency, requested));
+    this.certSha = certSha;
+    this.onEvent = onEvent || (() => {});
+    this.stats = { total: requested, succeeded: 0, failed: 0, cancelled: 0, generated: 0, attempts: 0, charges: 0 };
+    this.slots = {};
+    this.seq = 0;
+    this.stopped = false;
+    this._releases = [];
+  }
+
+  stop() { this.stopped = true; }
+  _nextSeq() { return ++this.seq; }
+
+  _claim() {
+    if (this.stopped) return 0;
+    if (this.stats.succeeded >= this.requested) return 0;
+    const active = this.stats.attempts - (this.stats.succeeded + this.stats.failed + this.stats.cancelled);
+    if (this.stats.succeeded + active >= this.requested) return 0;
+    if (this.stats.attempts >= this.requested * ATTEMPT_CAP_MULT) return 0;
+    return ++this.stats.attempts;
+  }
+
+  _emit(slot, kv) {
+    this.slots[slot] = { slot, ...(this.slots[slot] || {}), ...kv };
+    this.onEvent('slot', this.slots[slot]);
+  }
+
+  _record(res) {
+    if (res.mobile) this.stats.generated++;
+    if (res.status === 'success') { this.stats.succeeded++; this.stats.charges += res.cost || 0; }
+    else if (res.status === 'cancelled') this.stats.cancelled++;
+    else { this.stats.failed++; this.stats.charges += res.cost || 0; }
+    this.onEvent('progress', this.stats);
+    this.onEvent('row', res);
+  }
+
+  async run() {
+    const loops = Array.from({ length: this.concurrency }, (_, i) => this._loop(i + 1));
+    await Promise.all(loops);
+    if (this._releases.length) {
+      await Promise.allSettled(this._releases);
+    }
+    this.onEvent('done', this.stats);
+    return this.stats;
+  }
+
+  _release(number) {
+    const p = (async () => {
+      for (let attempt = 1; attempt <= 5; attempt++) {
+        try {
+          await this.provider.cancel(number);
+          return;
+        } catch {
+          await sleep(3000);
+        }
+      }
+    })();
+    this._releases.push(p);
+  }
+
+  async _rent(slot) {
+    let attempt = 0;
+    while (!this.stopped) {
+      attempt++;
+      this._emit(slot, { phase: 'renting', detail: `requesting a number (try ${attempt})` });
+      const { number } = await this.provider.rentOnce();
+      if (number) return number;
+      if (attempt % RENT_COOLDOWN_EVERY === 0) {
+        for (let rem = RENT_COOLDOWN_SECS; rem > 0; rem--) {
+          if (this.stopped) return null;
+          this._emit(slot, { phase: 'rent_wait', detail: 'no numbers — waiting', wait: rem });
+          await sleep(1000);
+        }
+      } else {
+        await sleep(RENT_RETRY_DELAY);
+      }
+    }
+    return null;
+  }
+
+  async _loop(slot) {
+    for (;;) {
+      if (this._claim() === 0) return;
+      const res = await this._process(slot);
+      await this._record(res);
+    }
+  }
+
+  async _process(slot) {
+    const idNo = this._nextSeq();
+    const res = { id_no: idNo, status: 'failed', cost: 0, detail: '' };
+
+    if (this.stats.succeeded >= this.requested) {
+      this._emit(slot, { phase: 'done', detail: 'goal reached' });
+      res.status = 'cancelled';
+      res.detail = 'goal reached';
+      return res;
+    }
+
+    this._emit(slot, { mobile: '', phase: 'renting', detail: 'requesting a number', wait: 0 });
+    const number = await this._rent(slot);
+    if (!number) { res.status = 'cancelled'; res.detail = 'stopped while renting'; return res; }
+    if (this.stats.succeeded >= this.requested) {
+      this._release(number);
+      this._emit(slot, { phase: 'done', detail: 'goal reached' });
+      res.status = 'cancelled';
+      res.detail = 'goal reached';
+      return res;
+    }
+    const rentedAt = Date.now();
+    res.mobile = number.mobile;
+    this._emit(slot, { mobile: number.mobile, phase: 'rented', detail: 'got a number' });
+
+    let stream = null;
+    let released = false;
+
+    const releaseOnce = (charged = false, doneDetail = 'done') => {
+      if (released) return;
+      released = true;
+      if (charged) {
+        this._emit(slot, { phase: 'done', detail: doneDetail });
+        return;
+      }
+      this._emit(slot, { phase: 'cancelling', detail: 'releasing number' });
+      this._release(number);
+    };
+
+    const fail = (detail) => {
+      const charged = smsArrived.v;
+      res.status = charged ? 'failed' : 'cancelled';
+      res.cost = charged ? number.cost : 0;
+      res.detail = detail;
+      releaseOnce(charged, 'failed');
+      return res;
+    };
+
+    const smsArrived = { v: false };
+    const session = zepto.newSession(number.mobile);
+
+    try {
+      this._emit(slot, { phase: 'ws', detail: 'opening OTP channel' });
+      stream = this.provider.startOtp(number);
+      if (typeof stream.ready === 'function') await stream.ready();
+
+      this._emit(slot, { phase: 'send_otp', detail: 'sending OTP' });
+      const sent = await zepto.sendOtp(session);
+      if (!sent.ok) return fail(`send: ${sent.msg}`);
+
+      const end = Date.now() + 120000;
+      let otp = null;
+      while (Date.now() < end && !this.stopped) {
+        const { otp: o, arrived } = await stream.poll();
+        if (arrived) smsArrived.v = true;
+        if (o) { otp = o; break; }
+        this._emit(slot, { phase: 'await_otp', detail: 'waiting for OTP', wait: Math.floor((end - Date.now()) / 1000) });
+        await sleep(1000);
+      }
+      if (!otp) return fail('no OTP within 120s — abandoned');
+
+      this._emit(slot, { phase: 'verify', detail: 'verifying OTP' });
+      const v = await zepto.verifyOtp(session, otp);
+      if (!v.ok) return fail(`verify: ${v.error}`);
+
+      const envelope = zepto.encodeEnvelope(zepto.toSessionKeys(session), this.certSha);
+      this._emit(slot, { phase: 'saving', detail: 'encoding envelope' });
+      res.status = 'success'; res.cost = number.cost; res.session = zepto.toSessionKeys(session); res.envelope = envelope;
+      releaseOnce(true, 'extracted');
+      return res;
+    } catch (e) {
+      return fail(`unexpected: ${e.message}`);
+    } finally {
+      releaseOnce(true);
+      if (stream) try { stream.close(); } catch { /* */ }
+    }
+  }
+}