scripter-x 1.0.17 → 1.0.20

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scripter-x",
-  "version": "1.0.17",
+  "version": "1.0.20",
   "description": "ScripterX — local Flipkart session extractor (runs on your residential IP, syncs to marthunt)",
   "type": "module",
   "bin": {

package/src/commands.js

@@ -10,7 +10,7 @@ import * as kuku from './providers/kuku.js';
 import * as zepto from './providers/zepto.js';
 import { homedir } from 'node:os';
 import { join, dirname } from 'node:path';
-import { mkdirSync, writeFileSync, existsSync } from 'node:fs';
+import { mkdirSync, writeFileSync, readFileSync, existsSync } from 'node:fs';
 import { Worker } from './worker.js';
 import { RunController } from './controller.js';
 import { STATUS } from './theme.js';
@@ -122,14 +122,16 @@ async function buildProvider(io, name) {
   io.print('  ✓ OTPCart connected');
   if (freshlyEntered && await io.confirm('save these creds locally for next time?', true)) config.setMany({ otpcart_email: email, otpcart_password: password });
   const deep = await io.confirm('deep number check?', false);
-  return new oc.OTPCartProvider(jwt, deep);
+  // Pass creds so the provider can transparently re-login if OTPCart's single active
+  // session is taken over by another login mid-run (otherwise the OTP WS goes silent).
+  return new oc.OTPCartProvider(jwt, deep, undefined, { email, password });
 }
 
 export async function run(io, api, args = {}) {
   // TARGET: Flipkart (the backend campaign flow) or Zepto (local OTP → ZAUTH1 envelope).
   const target = args.target || (args.number ? 'zepto' : (await io.select('what to extract?', [
     { label: 'Flipkart', value: 'flipkart', description: 'session JSON via OTP provider (campaign)' },
-    { label: 'Zepto', value: 'zepto', description: 'local OTP login → ZAUTH1 envelope for AuthManager' }])).value);
+    { label: 'Zepto', value: 'zepto', description: 'headless extraction (auto) OR local OTP login (manual)' }])).value);
   if (target === 'zepto') return zeptoCmd(io, api, args);
 
   api = api || await getApi(io);
@@ -219,6 +221,59 @@ export async function run(io, api, args = {}) {
   if (worker.logPath) io.print(`  ◉ log saved to: ${worker.logPath}`);
 }
 
+// ── recheck: re-validate Minutes status of an EXISTING session JSON, locally ──
+// FK blocks server IPs, so the Minutes check must run here (residential IP). Takes
+// a file (array of sessions, OR our {session:{...}} export shape), re-checks each
+// account's live Minutes orders, and re-splits into correct -minutes-free /
+// -minutes-used files with real stats + the actual order ids.
+export async function recheck(io, _api, args = {}) {
+  // one-shot puts the positional path in action/campaign; interactive may pass file/_
+  const src = args.file || args._?.[0] || args.action || args.campaign;
+  if (!src || !existsSync(src)) throw new Error('usage: recheck <sessions.json>');
+  const raw = JSON.parse(readFileSync(src, 'utf8'));
+  const list = Array.isArray(raw) ? raw : (raw.accounts || raw.sessions || [raw]);
+  // normalize each entry to a flat FK session object
+  const sessions = list.map((e) => (e && e.session && typeof e.session === 'object' ? e.session : e)).filter(Boolean);
+  if (!sessions.length) throw new Error('no sessions found in file');
+
+  const { FlipkartLogin } = await import('./flipkart.js');
+  const fk = new FlipkartLogin();
+
+  io.print(`  ◉ re-checking ${sessions.length} account(s) locally (your IP) …`);
+  const free = [], used = [], errored = [];
+  for (let i = 0; i < sessions.length; i++) {
+    const s = sessions[i];
+    const mob = s.mobileNo || s.mobile || `#${i + 1}`;
+    try {
+      const m = await fk.checkMinutes(s);
+      if (m.eligible) { free.push(s); io.print(`  🟢 ${mob} — minutes-free (₹100 coupon)`); }
+      else {
+        used.push(s);
+        io.print(`  🔴 ${mob} — ${m.count} minutes order(s): ${m.orders.map((o) => o.orderId).join(', ')}`, 'danger');
+      }
+    } catch (e) { errored.push(s); io.print(`  ! ${mob} — check failed: ${e.message}`, 'danger'); }
+  }
+
+  // write corrected files next to the source
+  const dir = dirname(src);
+  const stem = src.split(/[/\\]/).pop().replace(/\.json$/i, '').replace(/-minutes-(free|used|unchecked)$/i, '');
+  const write = (suffix, arr) => {
+    if (!arr.length) return null;
+    const dest = join(dir, `${stem}-rechecked${suffix}.json`);
+    writeFileSync(dest, JSON.stringify(arr, null, 2));
+    return dest;
+  };
+  const fFree = write('-minutes-free', free);
+  const fUsed = write('-minutes-used', used);
+  const fErr = write('-errors', errored);
+
+  io.print('');
+  io.print(`  ✓ stats: 🟢 ${free.length} minutes-free · 🔴 ${used.length} minutes-used · ! ${errored.length} errors`);
+  if (fFree) io.print(`     🟢 minutes-free → ${fFree}`, 'accent');
+  if (fUsed) io.print(`     🔴 minutes-used → ${fUsed}`, 'accent');
+  if (fErr) io.print(`     ! errors → ${fErr}`, 'accent');
+}
+
 // ── zepto: local OTP login → extract session to a ZAUTH1 envelope file ──
 // Dead-simple, no backend: enter a number → we SMS an OTP locally → enter the
 // code → we verify, build the ZAUTH1 envelope, and write {phone}-{timestamp}.txt.
@@ -337,7 +392,9 @@ export async function zeptoCmd(io, api, args = {}) {
   if (!(await io.confirm(`start ${count} Zepto auto extractions at concurrency ${concurrency}?`, true))) return;
 
   const ZEPTO_SERVICE_ID = '68b2cf55980e8cf480b28c96';
-  const provider = new oc.OTPCartProvider(jwt, false, ZEPTO_SERVICE_ID);
+  // Pass creds so the provider can transparently re-login if OTPCart invalidates the
+  // session (another login with the same account takes it over → WS stops pushing OTPs).
+  const provider = new oc.OTPCartProvider(jwt, false, ZEPTO_SERVICE_ID, { email, password });
 
   const { ZeptoWorker } = await import('./worker.js');
   const { RunController } = await import('./controller.js');
@@ -545,7 +602,7 @@ export async function configCmd(io, _api, args = {}) {
 }
 
 export function help(io) {
-  io.print('  commands: run · zepto · campaigns · export · balance · creds · stop · delete · whoami · config · update · logout · exit');
+  io.print('  commands: run · zepto · recheck · campaigns · export · balance · creds · stop · delete · whoami · config · update · logout · exit');
 }
 
 export async function update(io) {
@@ -558,6 +615,6 @@ export async function update(io) {
 
 // dispatch table used by the interactive shell
 export const REGISTRY = {
-  run, zepto: zeptoCmd, campaigns, export: exportCmd, balance, creds, stop, delete: del,
+  run, zepto: zeptoCmd, recheck, campaigns, export: exportCmd, balance, creds, stop, delete: del,
   whoami, login, logout, config: configCmd, update, help,
 };

package/src/flipkart.js

@@ -29,6 +29,40 @@ const nativeUa = (vid) =>
   `Mozilla/5.0 (Linux; Android 13; sdk_gphone64_arm64 Build/TE1A.240213.009) ` +
   `FKUA/Retail/3130902/Android/Mobile (Google/sdk_gphone64_arm64/${(vid || '').toLowerCase()})`;
 
+// Parse a MY_ORDER_PAGE response and return ONLY genuine Flipkart-Minutes orders.
+// An order is a slot whose widget is an ORDER CARD (SUPER_WIDGET +
+// ORDER_CARD_SUPER_WIDGET_TRANSFORMER); its id is widget.params.trackingParams.orderId
+// (exactly one per card). It's a MINUTES order iff the card's redirect carries
+// queryParam.hyperlocal === "true" — Grocery/Kilos/memberships are NOT hyperlocal,
+// so they're excluded even in an unfiltered response. (Verified against captured
+// ground-truth: 0-Minutes accounts → 0, 1/2-Minutes accounts → exact match.)
+// Returns [{ orderId, title, status }].
+export function parseMinutesOrders(text) {
+  let env;
+  try { env = JSON.parse(text); } catch { return []; }
+  const resp = (env && env.RESPONSE) || env || {};
+  const slots = Array.isArray(resp.slots) ? resp.slots : [];
+  const seen = new Set();
+  const out = [];
+  for (const s of slots) {
+    const w = (s && s.widget) || {};
+    if (w.type !== 'SUPER_WIDGET' || w.transformerProvider !== 'ORDER_CARD_SUPER_WIDGET_TRANSFORMER') continue;
+    const tp = (w.params && w.params.trackingParams) || {};
+    const orderId = tp.orderId;
+    if (!orderId || seen.has(orderId)) continue;
+    let isMinutes = false, title = '';
+    try {
+      const rc = w.data.subWidgets[0].data.buttons.renderableComponents[0];
+      isMinutes = rc.action.nonWidgetizeRedirection.queryParam.hyperlocal === 'true';
+      title = (rc.value && rc.value.subText) || '';
+    } catch { /* malformed card → not a counted Minutes order */ }
+    if (!isMinutes) continue;
+    seen.add(orderId);
+    out.push({ orderId, title, status: tp.orderStatus || '' });
+  }
+  return out;
+}
+
 // Parse a fetch Response's set-cookie headers into a {name:value} map.
 function parseCookies(res, jar) {
   // Node fetch exposes combined set-cookie via getSetCookie() (undici).
@@ -138,7 +172,9 @@ export class FlipkartLogin {
     };
   }
 
-  async checkMinutes(session) {
+  // One MY_ORDER_PAGE / HYPERLOCAL fetch on a given DC. `withRT` attaches the refresh
+  // token so a 206 "AT expired" can be recovered in-place. Returns { status, text }.
+  async _fetchOrderPage(session, dc, withRT) {
     await throttle.wait();
     const body = {
       requestContext: { type: 'MY_ORDER_PAGE', pageView: '', queryTime: '', cxTenant: 'cs',
@@ -148,19 +184,50 @@ export class FlipkartLogin {
         paginatedFetch: false, pageNumber: 1, fetchAllPages: false, networkSpeed: 0,
         trackingContext: null, fetchSeoData: false },
       locationContext: { pincode: '' } };
-    const res = await fetch(`${NATIVE_HOST}/4/page/fetch`, {
-      method: 'POST', body: JSON.stringify(body),
-      headers: {
-        'User-Agent': 'okhttp/4.9.2', 'X-User-Agent': nativeUa(this.vid),
-        'Content-Type': 'application/json; charset=UTF-8',
-        'x-request-metaInfo': '{"actionType":"LOGIN","pageUri":"questContext"}',
-        at: session.at || '', sn: session.sn || '',
-        secureToken: session.secureToken || '', secureCookie: session.secureCookie || '',
-      },
-    });
-    const text = await res.text();
-    const count = (text.match(/OD\d{15,}/g) || []).length;
-    return count === 0; // no orders ⇒ coupon available
+    const host = `https://${dc}.rome.api.flipkart.net`;
+    const at = session.at || '';
+    const headers = {
+      'User-Agent': 'okhttp/4.9.2', 'X-User-Agent': nativeUa(session.visitId || this.vid),
+      'Content-Type': 'application/json; charset=UTF-8',
+      'x-request-metaInfo': '{"actionType":"LOGIN","pageUri":"questContext"}',
+      at, sn: session.sn || '',
+      secureToken: session.secureToken || '', secureCookie: session.secureCookie || '',
+      Cookie: `ud=${session.ud || ''}`,
+    };
+    if (withRT && session.rt) headers.rt = session.rt;
+    const res = await fetch(`${host}/4/page/fetch`, { method: 'POST', body: JSON.stringify(body), headers });
+    return { status: res.status, text: await res.text() };
+  }
+
+  // Robust FK Minutes check. Handles 206 (AT-expired → resend with rt) and 406
+  // (DC change → retry on home DC), then parses ORDER CARDS (not a blind regex)
+  // and gates each on its per-card `hyperlocal` flag — so non-Minutes orders
+  // (Grocery/Kilos/memberships) and page chrome never count.
+  // Returns { eligible, count, orders:[{orderId,title,status}] }.
+  async checkMinutes(session) {
+    let dc = 2;
+    const triedDC = { 2: true };
+    let r = await this._fetchOrderPage(session, dc, false);
+
+    // 206 "AT expired" → resend with rt on the same DC
+    if (r.status === 206 || /AT expired/i.test(r.text)) {
+      r = await this._fetchOrderPage(session, dc, true);
+      // adopt the refreshed token for any follow-up DC retry
+      try { const e = JSON.parse(r.text); if (e?.SESSION?.at) session = { ...session, at: e.SESSION.at }; } catch { /* */ }
+    }
+    // 406 DC change → {RESPONSE:{id:"<dc>"}} → retry on the home DC
+    if (r.status === 406) {
+      let id = null;
+      try { const e = JSON.parse(r.text); id = parseInt(e?.RESPONSE?.id || e?.id, 10); } catch { /* */ }
+      if (id >= 1 && !triedDC[id]) {
+        dc = id; triedDC[id] = true;
+        r = await this._fetchOrderPage(session, dc, false);
+        if (r.status === 206 || /AT expired/i.test(r.text)) r = await this._fetchOrderPage(session, dc, true);
+      }
+    }
+
+    const orders = parseMinutesOrders(r.text);
+    return { eligible: orders.length === 0, count: orders.length, orders };
   }
 
   // ─── Email attach (FK-5/6/7) — on the EMAIL host (2.rome.api.flipkart.com) ──────

package/src/index.js

@@ -54,6 +54,8 @@ const HELP = `${paint.bold('scripterx')} — local Flipkart session extractor
        --auto | --manual    --count N  --concurrency N  --out <file|dir>  --cert <64hex>
        --number <10-digit>  --otp <code>
        (envelope keyed to ZeptoAuthManager cert; override with --cert or $ZAUTH_CERT_SHA)
+  scripterx recheck <file>  re-validate Minutes status of a session JSON, locally (your IP)
+       → re-splits into corrected -minutes-free / -minutes-used files + stats
   scripterx campaigns | export [name] | balance | creds | stop | delete | whoami | config
   scripterx --version`;
 
@@ -104,7 +106,7 @@ async function main() {
   }
 
   // ── one-shot mode ──
-  const map = { run: 'run', zepto: 'zepto', campaigns: 'campaigns', export: 'export', balance: 'balance',
+  const map = { run: 'run', zepto: 'zepto', recheck: 'recheck', campaigns: 'campaigns', export: 'export', balance: 'balance',
     creds: 'creds', stop: 'stop', delete: 'delete', whoami: 'whoami', login: 'login',
     logout: 'logout', config: 'config', update: 'update', help: 'help' };
   const fnName = map[cmd];

package/src/providers/otpcart.js

@@ -1,13 +1,33 @@
 // OTPCart provider (api.otpcart.xyz) — email/password → JWT, WebSocket OTP push.
+//
+// ⚠️ OTPCart allows only ONE active session per account: a fresh login (anyone,
+// anywhere, with the same email/password) INVALIDATES the previous JWT. When that
+// happens mid-run the symptom is a *silently dead* run — rent/cancel start returning
+// 401 and, worst of all, the OTP WebSocket connects fine but never pushes any
+// `otpMessage`, so OTPs simply never arrive.
+//
+// To survive that, the provider holds the credentials and can transparently
+// re-login (de-duped, one at a time) to mint a fresh JWT, then everything —
+// HTTP calls and NEW WebSocket connections — reads the *current* token. Callers
+// that hit an auth failure trigger relogin() and retry.
 import WebSocket from 'ws';
 
-const BASE = 'https://api.otpcart.xyz';
-const WS_URL = 'wss://api.otpcart.xyz/check-otp';
+// Overridable for tests (defaults to the real hosts).
+const BASE = process.env.OTPCART_BASE || 'https://api.otpcart.xyz';
+const WS_URL = process.env.OTPCART_WS || 'wss://api.otpcart.xyz/check-otp';
 const SERVICE_ID = '68b19097980e8cf480b1df04';
 const OTP_RE = /\b(\d{6})\b/;
 const UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 ' +
   '(KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36';
 
+// Heuristic: does an OTPCart response (status + body message) look like the token
+// was rejected / the session was taken over by another login?
+function isAuthFailure(status, message) {
+  if (status === 401 || status === 403) return true;
+  const m = String(message || '').toLowerCase();
+  return /unauthor|jwt|token|please login|log\s?in again|session expired|invalid signature/.test(m);
+}
+
 export async function login(email, password) {
   const res = await fetch(`${BASE}/users/login`, {
     method: 'POST', headers: { 'Content-Type': 'application/json', Origin: 'https://www.otpcart.xyz', 'User-Agent': UA },
@@ -22,10 +42,19 @@ export async function balance() { return null; }
 
 export class OTPCartProvider {
   name = 'otpcart';
-  constructor(jwt, deepCheck = false, serviceId = SERVICE_ID) {
+
+  // Backward compatible: (jwt, deepCheck, serviceId). Pass creds via the 4th arg
+  // { email, password } to enable transparent re-login when the session is taken
+  // over by another login.
+  constructor(jwt, deepCheck = false, serviceId = SERVICE_ID, creds = null) {
     this.jwt = jwt;
     this.deepCheck = deepCheck;
     this.serviceId = serviceId;
+    this.email = creds?.email || null;
+    this.password = creds?.password || null;
+    this._reloginInflight = null; // shared promise so concurrent slots relogin once
+    this._tokenEpoch = 0;         // bumps on every successful relogin
+    this.onNotice = null;         // optional (msg) => void for UI breadcrumbs
   }
 
   _hdrs() {
@@ -33,15 +62,62 @@ export class OTPCartProvider {
              Origin: 'https://www.otpcart.xyz', 'User-Agent': UA };
   }
 
+  get token() { return this.jwt; }
+  get tokenEpoch() { return this._tokenEpoch; }
+  get canRelogin() { return !!(this.email && this.password); }
+
+  // Re-login to mint a fresh JWT after the session was invalidated. De-duped:
+  // concurrent callers share ONE in-flight login so they don't invalidate each
+  // other in a relogin storm. `seenEpoch` lets a caller say "only relogin if the
+  // token I was using is still the current one" (avoids redundant relogins when
+  // another slot already refreshed it).
+  async relogin(seenEpoch = null) {
+    if (!this.canRelogin) throw new Error('OTPCart session invalidated and no saved credentials to re-login');
+    if (seenEpoch != null && seenEpoch !== this._tokenEpoch) {
+      // Someone already refreshed since this caller's token — use the new one.
+      return this.jwt;
+    }
+    if (this._reloginInflight) return this._reloginInflight;
+    this._reloginInflight = (async () => {
+      try {
+        if (this.onNotice) this.onNotice('OTPCart session was taken over — re-logging in…');
+        const tok = await login(this.email, this.password);
+        this.jwt = tok;
+        this._tokenEpoch++;
+        return tok;
+      } finally {
+        this._reloginInflight = null;
+      }
+    })();
+    return this._reloginInflight;
+  }
+
+  // POST a JSON body to OTPCart, transparently re-logging-in + retrying ONCE on an
+  // auth failure. Returns { status, data }.
+  async _post(path, body, timeoutMs = 15000) {
+    const epoch = this._tokenEpoch;
+    const res = await fetch(`${BASE}${path}`, {
+      method: 'POST', headers: this._hdrs(), body: JSON.stringify(body),
+      signal: AbortSignal.timeout(timeoutMs),
+    });
+    const data = await res.json().catch(() => ({}));
+    if (isAuthFailure(res.status, data?.message) && this.canRelogin) {
+      await this.relogin(epoch);
+      const res2 = await fetch(`${BASE}${path}`, {
+        method: 'POST', headers: this._hdrs(), body: JSON.stringify(body),
+        signal: AbortSignal.timeout(timeoutMs),
+      });
+      const data2 = await res2.json().catch(() => ({}));
+      return { status: res2.status, data: data2 };
+    }
+    return { status: res.status, data };
+  }
+
   async rentOnce() {
-    let d;
+    let status, d;
     try {
-      const res = await fetch(`${BASE}/mobile/generate`, {
-        method: 'POST', headers: this._hdrs(),
-        body: JSON.stringify({ serviceId: this.serviceId, isDeepCheck: this.deepCheck }),
-        signal: AbortSignal.timeout(15000),
-      });
-      d = await res.json();
+      ({ status, data: d } = await this._post('/mobile/generate',
+        { serviceId: this.serviceId, isDeepCheck: this.deepCheck }));
     } catch (e) { return { number: null, msg: e.message, err: e }; }
     if (d.isNumberGenerated && d.mobile?.mobileno) {
       const m = d.mobile;
@@ -50,55 +126,103 @@ export class OTPCartProvider {
     return { number: null, msg: d.message || 'no number available', err: 'err' };
   }
 
-  startOtp(number) { return new OTPCartStream(this.jwt, number.txn, number.extra); }
+  startOtp(number) { return new OTPCartStream(this, number.txn, number.extra); }
 
   async cancel(number) {
     try {
-      await fetch(`${BASE}/otp/cancelOtp`, {
-        method: 'POST', headers: this._hdrs(),
-        body: JSON.stringify({ serialNumber: number.txn, mobileId: number.extra, serviceId: this.serviceId }),
-        signal: AbortSignal.timeout(12000),
-      });
+      await this._post('/otp/cancelOtp',
+        { serialNumber: number.txn, mobileId: number.extra, serviceId: this.serviceId }, 12000);
     } catch { /* */ }
   }
 }
 
+// Grace period after the WS connects with no OTP push before we suspect the token
+// is dead and reconnect with a freshly re-logged-in token. The real SMS usually
+// lands well within this; a *dead-token* socket NEVER pushes, so this is what
+// rescues an otherwise-silent run.
+const WS_SILENT_RELOGIN_MS = 25000;
+
 class OTPCartStream {
-  constructor(jwt, serial, mobileId) {
+  // Takes the PROVIDER (not a frozen jwt) so every (re)connect reads the current
+  // token and can ask the provider to re-login when the session was taken over.
+  constructor(provider, serial, mobileId) {
+    this.provider = provider;
     this.serial = serial;
     this.mobileId = mobileId;
     this.otp = null;
     this.arrived = false;
     this.closed = false;
-    this.jwt = jwt;
-    this._openP = null;     // resolves when the WS is OPEN
+    this._openP = null;        // resolves when the WS is OPEN
+    this._reconnectTimer = null;
+    this._connectedAt = 0;
+    this._silentTimer = null;  // fires if no OTP arrives → relogin + reconnect
+    this._reloggingIn = false;
+    this._silentReloginsLeft = 1; // recover a taken-over session once; don't churn a slow SMS
     this._connect();
   }
 
+  _currentToken() { return this.provider.token; }
+
+  _clearSilentTimer() {
+    if (this._silentTimer) { clearTimeout(this._silentTimer); this._silentTimer = null; }
+  }
+
+  // Schedule the "this socket has gone quiet — maybe the token is dead" check.
+  // Only while we still have a relogin budget (a genuinely slow SMS shouldn't keep
+  // rotating the shared token, which would force every other slot to reconnect).
+  _armSilentTimer() {
+    this._clearSilentTimer();
+    if (this.closed || this.otp || !this.provider.canRelogin || this._silentReloginsLeft <= 0) return;
+    this._silentTimer = setTimeout(() => this._handleSilent(), WS_SILENT_RELOGIN_MS);
+  }
+
+  async _handleSilent() {
+    if (this.closed || this.otp || this._reloggingIn || this._silentReloginsLeft <= 0) return;
+    this._silentReloginsLeft--;
+    this._reloggingIn = true;
+    try {
+      // Re-login (de-duped at the provider) to get a token that the WS will accept,
+      // then reconnect this socket with it. If the token was actually fine, this is
+      // a cheap no-op reconnect that costs nothing but a fresh socket.
+      const epoch = this.provider.tokenEpoch;
+      await this.provider.relogin(epoch);
+    } catch { /* keep the old socket; nothing better to do */ }
+    finally { this._reloggingIn = false; }
+    if (this.closed || this.otp) return;
+    try { if (this.ws) this.ws.terminate(); } catch { /* */ }
+    this._connect(); // reconnect with the (possibly refreshed) current token
+  }
+
   _connect() {
-    this.ws = new WebSocket(`${WS_URL}?token=${this.jwt}`);
+    const token = this._currentToken();
+    this.ws = new WebSocket(`${WS_URL}?token=${token}`);
     this._openP = new Promise((resolve) => {
       this.ws.once('open', resolve);
       this.ws.once('error', resolve); // resolve anyway so ready() never hangs
     });
+    this.ws.on('open', () => {
+      this._connectedAt = Date.now();
+      this._armSilentTimer(); // start the dead-token watchdog
+    });
     this.ws.on('message', (raw) => {
       let msg; try { msg = JSON.parse(raw.toString()); } catch { return; }
       // OTP frame: {message, otpMessage}. Ack frame {serialNumber,mobileId,resend} is ignored.
       if (msg.otpMessage) {
         const m = String(msg.otpMessage).match(OTP_RE);
-        if (m) { this.otp = m[1]; this.arrived = true; }
+        if (m) { this.otp = m[1]; this.arrived = true; this._clearSilentTimer(); }
       }
     });
     this.ws.on('error', () => { /* swallow — poll() returns nothing; we auto-reconnect */ });
     // Auto-reconnect if the socket drops before the OTP arrives (so a dropped WS doesn't
     // silently lose the push — this is the "purchased but never got OTP" symptom).
     this.ws.on('close', () => {
-      if (this.closed || this.otp) return;
-      setTimeout(() => { if (!this.closed && !this.otp) this._connect(); }, 1000);
+      this._clearSilentTimer();
+      if (this.closed || this.otp || this._reloggingIn) return;
+      this._reconnectTimer = setTimeout(() => { if (!this.closed && !this.otp) this._connect(); }, 1000);
     });
   }
 
-  // Wait until the WS is OPEN (so we never send the FK OTP before we can receive the push).
+  // Wait until the WS is OPEN (so we never send the OTP before we can receive the push).
   async ready(timeoutMs = 8000) {
     await Promise.race([this._openP, new Promise((r) => setTimeout(r, timeoutMs))]);
     return this.ws.readyState === WebSocket.OPEN;
@@ -122,5 +246,10 @@ class OTPCartStream {
     return false;
   }
 
-  close() { this.closed = true; try { this.ws.close(); } catch { /* */ } }
+  close() {
+    this.closed = true;
+    this._clearSilentTimer();
+    if (this._reconnectTimer) { clearTimeout(this._reconnectTimer); this._reconnectTimer = null; }
+    try { this.ws.close(); } catch { /* */ }
+  }
 }

package/src/worker.js

@@ -28,6 +28,8 @@ export class Worker {
     this.concurrency = Math.max(1, Math.min(concurrency, requested));
     this.checkMinutes = checkMinutes;
     this.onEvent = onEvent || (() => {});
+    // Surface OTPCart re-logins (session taken over by another login) in the UI.
+    if (provider && 'onNotice' in provider) provider.onNotice = (msg) => this.onEvent('warn', `⚠ ${msg}`);
     // onFailure({mobile, reason}) → Promise<boolean>: true = keep going, false = stop campaign.
     this.onFailure = onFailure || null;
     this.emailMode = !!emailMode;       // also attach a newaddr.com email to each account
@@ -73,6 +75,11 @@ export class Worker {
         fail_reason: res.detail || '', session: res.session,
         minutes_checked: !!res.minutes_checked, coupon_eligible: res.coupon_eligible ?? undefined,
         has_minutes_order: res.has_minutes_order ?? undefined,
+        // pack the local Minutes order count + ids into minutes_note (free-text the
+        // server already stores) so stats/export survive the round-trip.
+        minutes_note: res.minutes_checked
+          ? (res.minutes_order_count ? `${res.minutes_order_count} minutes order(s): ${(res.minutes_orders || []).map((o) => o.orderId).join(',')}` : 'no minutes orders')
+          : undefined,
         linked_email: res.linked_email ?? undefined,
         email_linked: res.email_linked ?? undefined,
         email_reason: res.email_reason ?? undefined,
@@ -214,8 +221,15 @@ export class Worker {
       if (this.checkMinutes) {
         this._emit(slot, { phase: 'minutes', detail: 'checking Minutes' });
         try {
-          const avail = await fk.checkMinutes(session);
-          res.minutes_checked = true; res.coupon_eligible = avail; res.has_minutes_order = !avail;
+          const m = await fk.checkMinutes(session);
+          // checkMinutes now returns { eligible, count, orders }; tolerate an old boolean too.
+          const eligible = typeof m === 'boolean' ? m : m.eligible;
+          res.minutes_checked = true;
+          res.coupon_eligible = eligible;
+          res.has_minutes_order = !eligible;
+          res.minutes_order_count = typeof m === 'boolean' ? (eligible ? 0 : 1) : m.count;
+          res.minutes_orders = typeof m === 'boolean' ? [] : (m.orders || []);
+          this._emit(slot, { phase: 'minutes', detail: eligible ? 'minutes-free (₹100 coupon)' : `has ${res.minutes_order_count} minutes order(s)` });
         } catch { /* non-fatal */ }
       }
 
@@ -466,6 +480,8 @@ export class ZeptoWorker {
     this.concurrency = Math.max(1, Math.min(concurrency, requested));
     this.certSha = certSha;
     this.onEvent = onEvent || (() => {});
+    // Surface OTPCart re-logins (session taken over by another login) in the UI.
+    if (provider && 'onNotice' in provider) provider.onNotice = (msg) => this.onEvent('warn', `⚠ ${msg}`);
     this.stats = { total: requested, succeeded: 0, failed: 0, cancelled: 0, generated: 0, attempts: 0, charges: 0 };
     this.slots = {};
     this.seq = 0;