npm - scripter-x - Versions diffs - 1.0.18 → 1.0.21 - Mend

scripter-x 1.0.18 → 1.0.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "scripter-x",
-  "version": "1.0.18",
+  "version": "1.0.21",
   "description": "ScripterX — local Flipkart session extractor (runs on your residential IP, syncs to marthunt)",
   "type": "module",
   "bin": {

package/src/commands.js CHANGED Viewed

@@ -10,7 +10,7 @@ import * as kuku from './providers/kuku.js';
 import * as zepto from './providers/zepto.js';
 import { homedir } from 'node:os';
 import { join, dirname } from 'node:path';
-import { mkdirSync, writeFileSync, existsSync } from 'node:fs';
+import { mkdirSync, writeFileSync, readFileSync, existsSync } from 'node:fs';
 import { Worker } from './worker.js';
 import { RunController } from './controller.js';
 import { STATUS } from './theme.js';
@@ -221,6 +221,59 @@ export async function run(io, api, args = {}) {
   if (worker.logPath) io.print(`  ◉ log saved to: ${worker.logPath}`);
 }
+// ── recheck: re-validate Minutes status of an EXISTING session JSON, locally ──
+// FK blocks server IPs, so the Minutes check must run here (residential IP). Takes
+// a file (array of sessions, OR our {session:{...}} export shape), re-checks each
+// account's live Minutes orders, and re-splits into correct -minutes-free /
+// -minutes-used files with real stats + the actual order ids.
+export async function recheck(io, _api, args = {}) {
+  // one-shot puts the positional path in action/campaign; interactive may pass file/_
+  const src = args.file || args._?.[0] || args.action || args.campaign;
+  if (!src || !existsSync(src)) throw new Error('usage: recheck <sessions.json>');
+  const raw = JSON.parse(readFileSync(src, 'utf8'));
+  const list = Array.isArray(raw) ? raw : (raw.accounts || raw.sessions || [raw]);
+  // normalize each entry to a flat FK session object
+  const sessions = list.map((e) => (e && e.session && typeof e.session === 'object' ? e.session : e)).filter(Boolean);
+  if (!sessions.length) throw new Error('no sessions found in file');
+  const { FlipkartLogin } = await import('./flipkart.js');
+  const fk = new FlipkartLogin();
+  io.print(`  ◉ re-checking ${sessions.length} account(s) locally (your IP) …`);
+  const free = [], used = [], errored = [];
+  for (let i = 0; i < sessions.length; i++) {
+    const s = sessions[i];
+    const mob = s.mobileNo || s.mobile || `#${i + 1}`;
+    try {
+      const m = await fk.checkMinutes(s);
+      if (m.eligible) { free.push(s); io.print(`  🟢 ${mob} — minutes-free (₹100 coupon)`); }
+      else {
+        used.push(s);
+        io.print(`  🔴 ${mob} — ${m.count} minutes order(s): ${m.orders.map((o) => o.orderId).join(', ')}`, 'danger');
+      }
+    } catch (e) { errored.push(s); io.print(`  ! ${mob} — check failed: ${e.message}`, 'danger'); }
+  }
+  // write corrected files next to the source
+  const dir = dirname(src);
+  const stem = src.split(/[/\\]/).pop().replace(/\.json$/i, '').replace(/-minutes-(free|used|unchecked)$/i, '');
+  const write = (suffix, arr) => {
+    if (!arr.length) return null;
+    const dest = join(dir, `${stem}-rechecked${suffix}.json`);
+    writeFileSync(dest, JSON.stringify(arr, null, 2));
+    return dest;
+  };
+  const fFree = write('-minutes-free', free);
+  const fUsed = write('-minutes-used', used);
+  const fErr = write('-errors', errored);
+  io.print('');
+  io.print(`  ✓ stats: 🟢 ${free.length} minutes-free · 🔴 ${used.length} minutes-used · ! ${errored.length} errors`);
+  if (fFree) io.print(`     🟢 minutes-free → ${fFree}`, 'accent');
+  if (fUsed) io.print(`     🔴 minutes-used → ${fUsed}`, 'accent');
+  if (fErr) io.print(`     ! errors → ${fErr}`, 'accent');
+}
 // ── zepto: local OTP login → extract session to a ZAUTH1 envelope file ──
 // Dead-simple, no backend: enter a number → we SMS an OTP locally → enter the
 // code → we verify, build the ZAUTH1 envelope, and write {phone}-{timestamp}.txt.
@@ -549,7 +602,7 @@ export async function configCmd(io, _api, args = {}) {
 }
 export function help(io) {
-  io.print('  commands: run · zepto · campaigns · export · balance · creds · stop · delete · whoami · config · update · logout · exit');
+  io.print('  commands: run · zepto · recheck · campaigns · export · balance · creds · stop · delete · whoami · config · update · logout · exit');
 }
 export async function update(io) {
@@ -562,6 +615,6 @@ export async function update(io) {
 // dispatch table used by the interactive shell
 export const REGISTRY = {
-  run, zepto: zeptoCmd, campaigns, export: exportCmd, balance, creds, stop, delete: del,
+  run, zepto: zeptoCmd, recheck, campaigns, export: exportCmd, balance, creds, stop, delete: del,
   whoami, login, logout, config: configCmd, update, help,
 };

package/src/flipkart.js CHANGED Viewed

@@ -29,6 +29,40 @@ const nativeUa = (vid) =>
   `Mozilla/5.0 (Linux; Android 13; sdk_gphone64_arm64 Build/TE1A.240213.009) ` +
   `FKUA/Retail/3130902/Android/Mobile (Google/sdk_gphone64_arm64/${(vid || '').toLowerCase()})`;
+// Parse a MY_ORDER_PAGE response and return ONLY genuine Flipkart-Minutes orders.
+// An order is a slot whose widget is an ORDER CARD (SUPER_WIDGET +
+// ORDER_CARD_SUPER_WIDGET_TRANSFORMER); its id is widget.params.trackingParams.orderId
+// (exactly one per card). It's a MINUTES order iff the card's redirect carries
+// queryParam.hyperlocal === "true" — Grocery/Kilos/memberships are NOT hyperlocal,
+// so they're excluded even in an unfiltered response. (Verified against captured
+// ground-truth: 0-Minutes accounts → 0, 1/2-Minutes accounts → exact match.)
+// Returns [{ orderId, title, status }].
+export function parseMinutesOrders(text) {
+  let env;
+  try { env = JSON.parse(text); } catch { return []; }
+  const resp = (env && env.RESPONSE) || env || {};
+  const slots = Array.isArray(resp.slots) ? resp.slots : [];
+  const seen = new Set();
+  const out = [];
+  for (const s of slots) {
+    const w = (s && s.widget) || {};
+    if (w.type !== 'SUPER_WIDGET' || w.transformerProvider !== 'ORDER_CARD_SUPER_WIDGET_TRANSFORMER') continue;
+    const tp = (w.params && w.params.trackingParams) || {};
+    const orderId = tp.orderId;
+    if (!orderId || seen.has(orderId)) continue;
+    let isMinutes = false, title = '';
+    try {
+      const rc = w.data.subWidgets[0].data.buttons.renderableComponents[0];
+      isMinutes = rc.action.nonWidgetizeRedirection.queryParam.hyperlocal === 'true';
+      title = (rc.value && rc.value.subText) || '';
+    } catch { /* malformed card → not a counted Minutes order */ }
+    if (!isMinutes) continue;
+    seen.add(orderId);
+    out.push({ orderId, title, status: tp.orderStatus || '' });
+  }
+  return out;
+}
 // Parse a fetch Response's set-cookie headers into a {name:value} map.
 function parseCookies(res, jar) {
   // Node fetch exposes combined set-cookie via getSetCookie() (undici).
@@ -138,7 +172,9 @@ export class FlipkartLogin {
     };
   }
-  async checkMinutes(session) {
+  // One MY_ORDER_PAGE / HYPERLOCAL fetch on a given DC. `withRT` attaches the refresh
+  // token so a 206 "AT expired" can be recovered in-place. Returns { status, text }.
+  async _fetchOrderPage(session, dc, withRT) {
     await throttle.wait();
     const body = {
       requestContext: { type: 'MY_ORDER_PAGE', pageView: '', queryTime: '', cxTenant: 'cs',
@@ -148,19 +184,50 @@ export class FlipkartLogin {
         paginatedFetch: false, pageNumber: 1, fetchAllPages: false, networkSpeed: 0,
         trackingContext: null, fetchSeoData: false },
       locationContext: { pincode: '' } };
-    const res = await fetch(`${NATIVE_HOST}/4/page/fetch`, {
-      method: 'POST', body: JSON.stringify(body),
-      headers: {
-        'User-Agent': 'okhttp/4.9.2', 'X-User-Agent': nativeUa(this.vid),
-        'Content-Type': 'application/json; charset=UTF-8',
-        'x-request-metaInfo': '{"actionType":"LOGIN","pageUri":"questContext"}',
-        at: session.at || '', sn: session.sn || '',
-        secureToken: session.secureToken || '', secureCookie: session.secureCookie || '',
-      },
-    });
-    const text = await res.text();
-    const count = (text.match(/OD\d{15,}/g) || []).length;
-    return count === 0; // no orders ⇒ coupon available
+    const host = `https://${dc}.rome.api.flipkart.net`;
+    const at = session.at || '';
+    const headers = {
+      'User-Agent': 'okhttp/4.9.2', 'X-User-Agent': nativeUa(session.visitId || this.vid),
+      'Content-Type': 'application/json; charset=UTF-8',
+      'x-request-metaInfo': '{"actionType":"LOGIN","pageUri":"questContext"}',
+      at, sn: session.sn || '',
+      secureToken: session.secureToken || '', secureCookie: session.secureCookie || '',
+      Cookie: `ud=${session.ud || ''}`,
+    };
+    if (withRT && session.rt) headers.rt = session.rt;
+    const res = await fetch(`${host}/4/page/fetch`, { method: 'POST', body: JSON.stringify(body), headers });
+    return { status: res.status, text: await res.text() };
+  }
+  // Robust FK Minutes check. Handles 206 (AT-expired → resend with rt) and 406
+  // (DC change → retry on home DC), then parses ORDER CARDS (not a blind regex)
+  // and gates each on its per-card `hyperlocal` flag — so non-Minutes orders
+  // (Grocery/Kilos/memberships) and page chrome never count.
+  // Returns { eligible, count, orders:[{orderId,title,status}] }.
+  async checkMinutes(session) {
+    let dc = 2;
+    const triedDC = { 2: true };
+    let r = await this._fetchOrderPage(session, dc, false);
+    // 206 "AT expired" → resend with rt on the same DC
+    if (r.status === 206 || /AT expired/i.test(r.text)) {
+      r = await this._fetchOrderPage(session, dc, true);
+      // adopt the refreshed token for any follow-up DC retry
+      try { const e = JSON.parse(r.text); if (e?.SESSION?.at) session = { ...session, at: e.SESSION.at }; } catch { /* */ }
+    }
+    // 406 DC change → {RESPONSE:{id:"<dc>"}} → retry on the home DC
+    if (r.status === 406) {
+      let id = null;
+      try { const e = JSON.parse(r.text); id = parseInt(e?.RESPONSE?.id || e?.id, 10); } catch { /* */ }
+      if (id >= 1 && !triedDC[id]) {
+        dc = id; triedDC[id] = true;
+        r = await this._fetchOrderPage(session, dc, false);
+        if (r.status === 206 || /AT expired/i.test(r.text)) r = await this._fetchOrderPage(session, dc, true);
+      }
+    }
+    const orders = parseMinutesOrders(r.text);
+    return { eligible: orders.length === 0, count: orders.length, orders };
   }
   // ─── Email attach (FK-5/6/7) — on the EMAIL host (2.rome.api.flipkart.com) ──────

package/src/index.js CHANGED Viewed

@@ -54,6 +54,8 @@ const HELP = `${paint.bold('scripterx')} — local Flipkart session extractor
        --auto | --manual    --count N  --concurrency N  --out <file|dir>  --cert <64hex>
        --number <10-digit>  --otp <code>
        (envelope keyed to ZeptoAuthManager cert; override with --cert or $ZAUTH_CERT_SHA)
+  scripterx recheck <file>  re-validate Minutes status of a session JSON, locally (your IP)
+       → re-splits into corrected -minutes-free / -minutes-used files + stats
   scripterx campaigns | export [name] | balance | creds | stop | delete | whoami | config
   scripterx --version`;
@@ -104,7 +106,7 @@ async function main() {
   }
   // ── one-shot mode ──
-  const map = { run: 'run', zepto: 'zepto', campaigns: 'campaigns', export: 'export', balance: 'balance',
+  const map = { run: 'run', zepto: 'zepto', recheck: 'recheck', campaigns: 'campaigns', export: 'export', balance: 'balance',
     creds: 'creds', stop: 'stop', delete: 'delete', whoami: 'whoami', login: 'login',
     logout: 'logout', config: 'config', update: 'update', help: 'help' };
   const fnName = map[cmd];

package/src/providers/otpcart.js CHANGED Viewed

@@ -128,11 +128,30 @@ export class OTPCartProvider {
   startOtp(number) { return new OTPCartStream(this, number.txn, number.extra); }
+  // Cancel (release) a rented number. Returns a structured outcome instead of
+  // swallowing everything, so the worker can tell apart:
+  //   { ok: true }                          → number released
+  //   { ok: false, tooEarly: true, ... }    → still inside OTPCart's ~2min cancel lock; retry later
+  //   { ok: false, ... }                    → other error; retry
+  // OTPCart refuses to cancel a number rented < ~2 min ago; the worker must wait
+  // out that lock and keep retrying, otherwise the number stays rented (charged).
   async cancel(number) {
+    let status, d;
     try {
-      await this._post('/otp/cancelOtp',
-        { serialNumber: number.txn, mobileId: number.extra, serviceId: this.serviceId }, 12000);
-    } catch { /* */ }
+      ({ status, data: d } = await this._post('/otp/cancelOtp',
+        { serialNumber: number.txn, mobileId: number.extra, serviceId: this.serviceId }, 12000));
+    } catch (e) {
+      return { ok: false, tooEarly: false, msg: e.message };
+    }
+    const msg = String(d?.message || '');
+    const low = msg.toLowerCase();
+    // success: doc says "Otp canceled successfully!!!"
+    if (status >= 200 && status < 300 && /cancel|success|refund/.test(low)) {
+      return { ok: true, msg };
+    }
+    // the cancel-lock window: messages like "you can cancel after 2 minutes" / "wait".
+    const tooEarly = /(\d+\s*min|after|wait|too soon|not allowed yet|before)/.test(low);
+    return { ok: false, tooEarly, msg: msg || `cancel failed (status ${status})` };
   }
 }
@@ -141,6 +160,8 @@ export class OTPCartProvider {
 // lands well within this; a *dead-token* socket NEVER pushes, so this is what
 // rescues an otherwise-silent run.
 const WS_SILENT_RELOGIN_MS = 25000;
+const WS_PING_MS = 20000;      // keep-alive so an idle socket isn't dropped before the SMS lands
+const WS_DEBUG = process.env.OTPCART_WS_DEBUG === '1';
 class OTPCartStream {
   // Takes the PROVIDER (not a frozen jwt) so every (re)connect reads the current
@@ -156,16 +177,22 @@ class OTPCartStream {
     this._reconnectTimer = null;
     this._connectedAt = 0;
     this._silentTimer = null;  // fires if no OTP arrives → relogin + reconnect
+    this._pingTimer = null;    // keep-alive
     this._reloggingIn = false;
     this._silentReloginsLeft = 1; // recover a taken-over session once; don't churn a slow SMS
+    this._gotServerAck = false;   // server sent the {serialNumber,mobileId} connect frame
     this._connect();
   }
   _currentToken() { return this.provider.token; }
+  _dbg(...a) { if (WS_DEBUG) { try { console.error('[otpcart-ws]', ...a); } catch { /* */ } } }
   _clearSilentTimer() {
     if (this._silentTimer) { clearTimeout(this._silentTimer); this._silentTimer = null; }
   }
+  _clearPingTimer() {
+    if (this._pingTimer) { clearInterval(this._pingTimer); this._pingTimer = null; }
+  }
   // Schedule the "this socket has gone quiet — maybe the token is dead" check.
   // Only while we still have a relogin budget (a genuinely slow SMS shouldn't keep
@@ -180,6 +207,7 @@ class OTPCartStream {
     if (this.closed || this.otp || this._reloggingIn || this._silentReloginsLeft <= 0) return;
     this._silentReloginsLeft--;
     this._reloggingIn = true;
+    this._dbg('silent watchdog fired — relogin + reconnect');
     try {
       // Re-login (de-duped at the provider) to get a token that the WS will accept,
       // then reconnect this socket with it. If the token was actually fine, this is
@@ -193,30 +221,77 @@ class OTPCartStream {
     this._connect(); // reconnect with the (possibly refreshed) current token
   }
+  // The browser sends an Origin (and a UA) on the WS handshake. The `ws` library
+  // sends NEITHER by default — and OTPCart's server appears to only attach the OTP
+  // listener for browser-origin sockets, so a header-less socket connects but never
+  // receives a push. Mirroring the browser handshake is the actual fix for the
+  // "site gets the OTP, the script doesn't" symptom.
+  _wsOptions() {
+    return {
+      headers: {
+        Origin: 'https://www.otpcart.xyz',
+        'User-Agent': UA,
+      },
+      // also keeps proxies from dropping us; ws sends its own pongs automatically
+      handshakeTimeout: 15000,
+    };
+  }
+  _subscribe() {
+    // Echo the ack frame the browser sends back to bind this socket to our number.
+    // Harmless if the server doesn't require it; necessary if it does.
+    try {
+      if (this.ws && this.ws.readyState === WebSocket.OPEN) {
+        this.ws.send(JSON.stringify({ serialNumber: this.serial, mobileId: this.mobileId, resend: false }));
+        this._dbg('sent subscribe', this.serial, this.mobileId);
+      }
+    } catch { /* */ }
+  }
   _connect() {
     const token = this._currentToken();
-    this.ws = new WebSocket(`${WS_URL}?token=${token}`);
+    this._dbg('connecting', WS_URL, 'token', String(token).slice(0, 10) + '…');
+    this.ws = new WebSocket(`${WS_URL}?token=${token}`, this._wsOptions());
+    this._gotServerAck = false;
     this._openP = new Promise((resolve) => {
       this.ws.once('open', resolve);
       this.ws.once('error', resolve); // resolve anyway so ready() never hangs
     });
     this.ws.on('open', () => {
       this._connectedAt = Date.now();
+      this._dbg('open');
+      this._subscribe();      // bind this socket to our number (browser parity)
       this._armSilentTimer(); // start the dead-token watchdog
+      this._clearPingTimer();
+      this._pingTimer = setInterval(() => { try { this.ws.ping(); } catch { /* */ } }, WS_PING_MS);
     });
     this.ws.on('message', (raw) => {
-      let msg; try { msg = JSON.parse(raw.toString()); } catch { return; }
-      // OTP frame: {message, otpMessage}. Ack frame {serialNumber,mobileId,resend} is ignored.
+      const text = raw.toString();
+      this._dbg('recv', text.slice(0, 160));
+      let msg; try { msg = JSON.parse(text); } catch { return; }
+      // OTP frame: {message, otpMessage}.
       if (msg.otpMessage) {
         const m = String(msg.otpMessage).match(OTP_RE);
-        if (m) { this.otp = m[1]; this.arrived = true; this._clearSilentTimer(); }
+        if (m) { this.otp = m[1]; this.arrived = true; this._clearSilentTimer(); this._dbg('OTP', m[1]); }
+        return;
+      }
+      // Ack frame: {serialNumber, mobileId, resend}. Confirms the socket is bound.
+      // Adopt the server's serial/mobileId in case they differ from ours.
+      if (msg.serialNumber || msg.mobileId) {
+        this._gotServerAck = true;
+        if (msg.serialNumber) this.serial = msg.serialNumber;
+        if (msg.mobileId) this.mobileId = msg.mobileId;
+        this._dbg('server ack', this.serial, this.mobileId);
       }
     });
-    this.ws.on('error', () => { /* swallow — poll() returns nothing; we auto-reconnect */ });
+    this.ws.on('pong', () => this._dbg('pong'));
+    this.ws.on('error', (e) => { this._dbg('error', e?.message); /* swallow — poll() returns nothing; we auto-reconnect */ });
     // Auto-reconnect if the socket drops before the OTP arrives (so a dropped WS doesn't
     // silently lose the push — this is the "purchased but never got OTP" symptom).
-    this.ws.on('close', () => {
+    this.ws.on('close', (code) => {
+      this._dbg('close', code);
       this._clearSilentTimer();
+      this._clearPingTimer();
       if (this.closed || this.otp || this._reloggingIn) return;
       this._reconnectTimer = setTimeout(() => { if (!this.closed && !this.otp) this._connect(); }, 1000);
     });
@@ -240,6 +315,7 @@ class OTPCartStream {
     try {
       if (this.ws.readyState === WebSocket.OPEN) {
         this.ws.send(JSON.stringify({ serialNumber: this.serial, mobileId: this.mobileId, resend: true }));
+        this._dbg('sent resend');
         return true;
       }
     } catch { /* */ }
@@ -249,6 +325,7 @@ class OTPCartStream {
   close() {
     this.closed = true;
     this._clearSilentTimer();
+    this._clearPingTimer();
     if (this._reconnectTimer) { clearTimeout(this._reconnectTimer); this._reconnectTimer = null; }
     try { this.ws.close(); } catch { /* */ }
   }

package/src/providers/tempotp.js CHANGED Viewed

@@ -3,9 +3,9 @@ import { extractOtp } from '../flipkart.js';
 const BASE = 'https://api.tempotp.online';
 // serviceId -> cost (₹). Keep ids as strings (they go straight into the GET params).
-export const SERVICES = { '1040': 10.0, '940': 16.0, '2451': 12.5 };
+export const SERVICES = { '1040': 10.0, '940': 16.0, '2451': 12.5, '2484': 18.0 };
 // optional friendly names shown in the service picker
-export const SERVICE_NAMES = { '1040': 'Flipkart', '940': 'Flipkart', '2451': 'Shopsy/Flipkart 1 (SERVER 16)' };
+export const SERVICE_NAMES = { '1040': 'Flipkart', '940': 'Flipkart', '2451': 'Shopsy/Flipkart 1 (SERVER 16)', '2484': 'ALL 6 DIGIT (SERVER 17 [ALL])' };
 export const DEFAULT_SERVICE = '940';
 const COUNTRY = '22';

package/src/worker.js CHANGED Viewed

@@ -75,6 +75,11 @@ export class Worker {
         fail_reason: res.detail || '', session: res.session,
         minutes_checked: !!res.minutes_checked, coupon_eligible: res.coupon_eligible ?? undefined,
         has_minutes_order: res.has_minutes_order ?? undefined,
+        // pack the local Minutes order count + ids into minutes_note (free-text the
+        // server already stores) so stats/export survive the round-trip.
+        minutes_note: res.minutes_checked
+          ? (res.minutes_order_count ? `${res.minutes_order_count} minutes order(s): ${(res.minutes_orders || []).map((o) => o.orderId).join(',')}` : 'no minutes orders')
+          : undefined,
         linked_email: res.linked_email ?? undefined,
         email_linked: res.email_linked ?? undefined,
         email_reason: res.email_reason ?? undefined,
@@ -136,7 +141,7 @@ export class Worker {
     if (!number) { res.status = 'cancelled'; res.detail = 'stopped while renting'; return res; }
     if (this.stats.succeeded >= this.requested) {
       this.log(`goal reached by another slot; releasing ${number.mobile} immediately`);
-      this._release(number, Date.now());
+      this._release(number, Date.now(), slot);
       this._emit(slot, { phase: 'done', detail: 'goal reached' });
       res.status = 'cancelled';
       res.detail = 'goal reached';
@@ -155,15 +160,19 @@ export class Worker {
     // releaseOnce — the single chokepoint that schedules the provider cancel. Called from
     // every terminal path (fail, success, error). Without this a blocked/errored number
     // could stay rented → we'd be charged.
-    const releaseOnce = (charged = false, doneDetail = 'done') => {
+    const releaseOnce = (charged = false, doneDetail = 'done', consumed = false) => {
       if (released) return;
       released = true;
-      if (charged) {
+      // `consumed` = the OTP was actually used (success) → cancelling is pointless.
+      // A charged-but-not-consumed number (SMS arrived, login failed) normally isn't
+      // worth cancelling either (no refund) — EXCEPT on an explicit stop, where we
+      // ALWAYS attempt the cancel so no rented number is left active when the user bails.
+      if (consumed || (charged && !this.stopped)) {
         this._emit(slot, { phase: 'done', detail: doneDetail });
         return;
       }
       this._emit(slot, { phase: 'cancelling', detail: 'releasing number' });
-      this._release(number, rentedAt);
+      this._release(number, rentedAt, slot);
     };
     const fail = (detail) => {
@@ -216,8 +225,15 @@ export class Worker {
       if (this.checkMinutes) {
         this._emit(slot, { phase: 'minutes', detail: 'checking Minutes' });
         try {
-          const avail = await fk.checkMinutes(session);
-          res.minutes_checked = true; res.coupon_eligible = avail; res.has_minutes_order = !avail;
+          const m = await fk.checkMinutes(session);
+          // checkMinutes now returns { eligible, count, orders }; tolerate an old boolean too.
+          const eligible = typeof m === 'boolean' ? m : m.eligible;
+          res.minutes_checked = true;
+          res.coupon_eligible = eligible;
+          res.has_minutes_order = !eligible;
+          res.minutes_order_count = typeof m === 'boolean' ? (eligible ? 0 : 1) : m.count;
+          res.minutes_orders = typeof m === 'boolean' ? [] : (m.orders || []);
+          this._emit(slot, { phase: 'minutes', detail: eligible ? 'minutes-free (₹100 coupon)' : `has ${res.minutes_order_count} minutes order(s)` });
         } catch { /* non-fatal */ }
       }
@@ -249,7 +265,7 @@ export class Worker {
       res.session = session;
       const doneDetail = res.email_linked ? `extracted + ${res.linked_email}` : 'extracted';
       this._emit(slot, { phase: 'done', detail: doneDetail });
-      releaseOnce(true, doneDetail); // success still releases the number (OTP already consumed)
+      releaseOnce(true, doneDetail, true); // success: OTP consumed → no cancel
       return res;
     } catch (e) {
       // ANY unexpected error → still release the number so we're never charged for a leak
@@ -432,35 +448,71 @@ export class Worker {
   }
   // _release — GUARANTEE the rented number is cancelled so we're never charged for a
-  // number that didn't succeed. TempOTP can't be cancelled before its 2-min lock, so we
-  // wait that out first. The cancel is RETRIED up to 5× until it confirms; the outcome is
-  // logged. The returned promise is tracked so the campaign waits for it before finishing.
-  _release(number, rentedAt) {
+  // number that didn't succeed. Both TempOTP and OTPCart enforce a ~2-min cancel lock,
+  // so we wait that out, then RETRY until the provider confirms the cancel. The returned
+  // promise is tracked so the campaign waits for it before finishing (incl. on ESC/stop).
+  _release(number, rentedAt, slot) {
     if (!this._releases) this._releases = [];
-    const p = (async () => {
-      if (this.provider.name === 'tempotp') {
-        const wait = NUMBER_CANCEL_LOCK - (Date.now() - rentedAt);
-        if (wait > 0) await sleep(wait);
-      }
-      for (let attempt = 1; attempt <= 5; attempt++) {
-        try {
-          await this.provider.cancel(number);
-          this.log(`cancelled ${number.mobile} (txn ${number.txn}) — refunded`);
-          return;
-        } catch (e) {
-          this.log(`cancel ${number.mobile} attempt ${attempt}/5 failed: ${e.message}`);
-          await sleep(3000);
-        }
-      }
-      // Could NOT cancel after 5 tries — flag it loudly so the user knows a number may be charged.
-      this.log(`⚠ COULD NOT CANCEL ${number.mobile} (txn ${number.txn}) after 5 tries — may be charged! cancel manually on the provider.`);
-      this.onEvent('warn', `⚠ couldn't cancel ${number.mobile.slice(-10)} — cancel it on the provider to avoid a charge`);
-    })();
+    const p = releaseNumber(this.provider, number, rentedAt, {
+      log: (m) => this.log(m),
+      warn: (m) => this.onEvent('warn', m),
+      onWait: slot ? (sec) => this._emit(slot, { phase: 'cancelling', detail: 'releasing (cancel-lock)', wait: sec }) : undefined,
+    });
     this._releases.push(p);
     return p;
   }
 }
+// Shared release routine for both workers. Waits out the provider's cancel lock,
+// then retries until the cancel is CONFIRMED (the provider returns ok), honouring a
+// `tooEarly` response by waiting and trying again rather than giving up. Never throws.
+async function releaseNumber(provider, number, rentedAt, { log = () => {}, warn = () => {}, onWait = () => {} } = {}) {
+  // OTPCart AND TempOTP both refuse to cancel a number rented < ~2 min ago.
+  const sinceRent = Date.now() - (rentedAt || Date.now());
+  const initialWait = NUMBER_CANCEL_LOCK - sinceRent;
+  if (initialWait > 0) {
+    log(`waiting ${Math.ceil(initialWait / 1000)}s for ${number.mobile} cancel-lock to expire…`);
+    // Tick down a visible countdown so ESC/stop doesn't look frozen during the wait.
+    const until = Date.now() + initialWait;
+    while (Date.now() < until) {
+      onWait(Math.ceil((until - Date.now()) / 1000));
+      await sleep(1000);
+    }
+  }
+  // Retry generously — we MUST land the cancel or the number stays charged. ~3 min of
+  // retries past the lock covers transient errors and a slightly-longer server lock.
+  const deadline = Date.now() + 180_000;
+  let attempt = 0;
+  while (Date.now() < deadline) {
+    attempt++;
+    let r;
+    try {
+      r = await provider.cancel(number);
+    } catch (e) {
+      r = { ok: false, tooEarly: false, msg: e.message };
+    }
+    if (r && r.ok) {
+      log(`cancelled ${number.mobile} (txn ${number.txn}) — refunded`);
+      return true;
+    }
+    const why = r?.msg || 'unknown error';
+    if (r?.tooEarly) {
+      log(`cancel ${number.mobile}: still locked (${why}) — retrying in 15s`);
+      await sleep(15_000);
+    } else {
+      log(`cancel ${number.mobile} attempt ${attempt} failed: ${why} — retrying in 5s`);
+      await sleep(5_000);
+    }
+  }
+  // Could NOT cancel — flag it loudly so the user knows a number may be charged.
+  log(`⚠ COULD NOT CANCEL ${number.mobile} (txn ${number.txn}) — may be charged! cancel manually on the provider.`);
+  warn(`⚠ couldn't cancel ${number.mobile.slice(-10)} — cancel it on the provider to avoid a charge`);
+  return false;
+}
+// Exposed for tests only.
+export const __releaseNumberForTest = releaseNumber;
 export class ZeptoWorker {
   constructor(provider, { requested, concurrency, certSha, onEvent }) {
     this.provider = provider;
@@ -506,25 +558,25 @@ export class ZeptoWorker {
   async run() {
     const loops = Array.from({ length: this.concurrency }, (_, i) => this._loop(i + 1));
     await Promise.all(loops);
+    // Don't report "done" until EVERY rented number is actually cancelled — including
+    // numbers still inside their 2-min cancel lock. This is what makes ESC/stop wait
+    // for the last taken number to be released properly.
     if (this._releases.length) {
+      this.onEvent('warn', `finishing up — releasing ${this._releases.length} number(s)…`);
       await Promise.allSettled(this._releases);
     }
     this.onEvent('done', this.stats);
     return this.stats;
   }
-  _release(number) {
-    const p = (async () => {
-      for (let attempt = 1; attempt <= 5; attempt++) {
-        try {
-          await this.provider.cancel(number);
-          return;
-        } catch {
-          await sleep(3000);
-        }
-      }
-    })();
+  _release(number, rentedAt, slot) {
+    const p = releaseNumber(this.provider, number, rentedAt, {
+      log: () => {},
+      warn: (m) => this.onEvent('warn', m),
+      onWait: slot ? (sec) => this._emit(slot, { phase: 'cancelling', detail: 'releasing (cancel-lock)', wait: sec }) : undefined,
+    });
     this._releases.push(p);
+    return p;
   }
   async _rent(slot) {
@@ -569,29 +621,32 @@ export class ZeptoWorker {
     this._emit(slot, { mobile: '', phase: 'renting', detail: 'requesting a number', wait: 0 });
     const number = await this._rent(slot);
     if (!number) { res.status = 'cancelled'; res.detail = 'stopped while renting'; return res; }
+    const rentedAt = Date.now();
     if (this.stats.succeeded >= this.requested) {
-      this._release(number);
+      this._release(number, rentedAt, slot);
       this._emit(slot, { phase: 'done', detail: 'goal reached' });
       res.status = 'cancelled';
       res.detail = 'goal reached';
       return res;
     }
-    const rentedAt = Date.now();
     res.mobile = number.mobile;
     this._emit(slot, { mobile: number.mobile, phase: 'rented', detail: 'got a number' });
     let stream = null;
     let released = false;
-    const releaseOnce = (charged = false, doneDetail = 'done') => {
+    const releaseOnce = (charged = false, doneDetail = 'done', consumed = false) => {
       if (released) return;
       released = true;
-      if (charged) {
+      // `consumed` = OTP used (success) → no point cancelling. On an explicit stop we
+      // ALWAYS attempt the cancel for a non-consumed number (even if charged) so none
+      // is left active when the user bails.
+      if (consumed || (charged && !this.stopped)) {
         this._emit(slot, { phase: 'done', detail: doneDetail });
         return;
       }
       this._emit(slot, { phase: 'cancelling', detail: 'releasing number' });
-      this._release(number);
+      this._release(number, rentedAt, slot);
     };
     const fail = (detail) => {
@@ -633,12 +688,14 @@ export class ZeptoWorker {
       const envelope = zepto.encodeEnvelope(zepto.toSessionKeys(session), this.certSha);
       this._emit(slot, { phase: 'saving', detail: 'encoding envelope' });
       res.status = 'success'; res.cost = number.cost; res.session = zepto.toSessionKeys(session); res.envelope = envelope;
-      releaseOnce(true, 'extracted');
+      releaseOnce(true, 'extracted', true); // success: OTP consumed → no cancel
       return res;
     } catch (e) {
       return fail(`unexpected: ${e.message}`);
     } finally {
-      releaseOnce(true);
+      // Catch-all: if neither success nor fail released it (shouldn't happen), make sure
+      // the number is cancelled rather than left rented.
+      releaseOnce(false);
       if (stream) try { stream.close(); } catch { /* */ }
     }
   }