scripter-x 1.0.21 → 1.0.23

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scripter-x",
-  "version": "1.0.21",
+  "version": "1.0.23",
   "description": "ScripterX — local Flipkart session extractor (runs on your residential IP, syncs to marthunt)",
   "type": "module",
   "bin": {

package/src/commands.js

@@ -438,8 +438,9 @@ export async function zeptoCmd(io, api, args = {}) {
   if (worker.stats.succeeded > 0) {
     const saved = await saveZeptoSessions(results, name, args.out);
     if (saved) {
-      io.print(`  ✓ saved ${saved.count} session(s) to:`);
-      io.print(`     ${saved.path}`, 'accent');
+      io.print(`  ✓ saved ${saved.count} session(s) to 2 files:`);
+      io.print(`     full   → ${saved.fullPath}`, 'accent');
+      io.print(`     zauth  → ${saved.zauthPath}`, 'accent');
       io.print('  ◉ ZAUTH1 envelopes:');
       for (const r of results) {
         if (r.status === 'success') {
@@ -457,30 +458,46 @@ async function saveZeptoSessions(results, name, out) {
   const ok = results.filter((r) => r.status === 'success');
   if (!ok.length) return null;
 
-  const safeName = name.replace(/[^A-Za-z0-9._-]+/g, '-').replace(/^-+|-+$/g, '') || 'Zepto';
-  const fname = `Zepto-${safeName}-${Math.floor(Date.now() / 1000)}.json`;
-  let dest;
+  const count = ok.length;            // number of sessions extracted
+  const ts = Math.floor(Date.now() / 1000);
+  const fullName = `zepto-${count}-fullsession-${ts}.json`;
+  const zauthName = `zepto-${count}-zauth-${ts}.json`;
+
+  // Resolve the output directory. `out` may be a directory or an explicit file path;
+  // when it's a file path we still write BOTH files alongside it (using its directory)
+  // so each file gets its own correct name.
+  let dir;
   if (out) {
     const expanded = out.startsWith('~') ? join(homedir(), out.slice(1)) : out;
     const isDir = (existsSync(expanded) && statSync(expanded).isDirectory()) || /[/\\]$/.test(out);
-    dest = isDir ? join(expanded, fname) : expanded;
+    dir = isDir ? expanded : dirname(expanded);
   } else {
     const downloads = join(homedir(), 'Downloads');
     const base = existsSync(downloads) ? downloads : homedir();
-    dest = join(base, 'scripterx', fname);
+    dir = join(base, 'scripterx');
   }
+  mkdirSync(dir, { recursive: true });
 
-  const payload = ok.map((r) => ({
+  // 1. Full session details — everything we have per extracted account.
+  const fullPath = join(dir, fullName);
+  const fullPayload = ok.map((r) => ({
     mobileNo: r.mobile,
     zauth1_envelope: r.envelope,
     session: r.session,
   }));
+  writeFileSync(fullPath, JSON.stringify(fullPayload, null, 2));
+
+  // 2. ZAUTH1-only — just the envelope strings, nothing else.
+  const zauthPath = join(dir, zauthName);
+  const zauthPayload = ok.map((r) => r.envelope);
+  writeFileSync(zauthPath, JSON.stringify(zauthPayload, null, 2));
 
-  mkdirSync(dirname(dest), { recursive: true });
-  writeFileSync(dest, JSON.stringify(payload, null, 2));
-  return { path: dest, count: payload.length };
+  return { fullPath, zauthPath, count };
 }
 
+// Exposed for tests only.
+export const __saveZeptoSessionsForTest = saveZeptoSessions;
+
 export async function campaigns(io, api) {
   api = api || await getApi(io);
   const camps = await api.listCampaigns();
@@ -607,10 +624,23 @@ export function help(io) {
 
 export async function update(io) {
   io.print('  ◉ updating ScripterX to the latest version…');
-  const { runUpdate } = await import('./update.js');
+  const { runUpdate, restartCli } = await import('./update.js');
   const r = await runUpdate();
-  if (r.ok) io.print('  ✓ updated! restart `scripterx` to use the new version.');
-  else io.print(`  ✗ update failed: ${r.output.split('\n')[0]} — try: npm install -g scripter-x@latest`);
+  if (!r.ok) {
+    io.print(`  ✗ update failed: ${r.output.split('\n')[0]} — try: npm install -g scripter-x@latest`);
+    return;
+  }
+  io.print('  ✓ updated! restarting to load the new version…');
+  // Tear down the interactive ink UI first (restores the terminal) so the relaunched
+  // process paints onto a clean screen. exitApp exists only in the interactive shell;
+  // in one-shot mode there's nothing to tear down.
+  if (typeof io.exitApp === 'function') {
+    try { io.exitApp(); } catch { /* */ }
+  }
+  // Give ink a beat to unmount + the alt-screen restore to flush, then re-exec.
+  await new Promise((res) => setTimeout(res, 250));
+  const ok = restartCli();
+  if (!ok) io.print('  ◉ could not auto-restart — please run `scripter-x` again.');
 }
 
 // dispatch table used by the interactive shell

package/src/providers/otpcart.js

@@ -155,12 +155,15 @@ export class OTPCartProvider {
   }
 }
 
-// Grace period after the WS connects with no OTP push before we suspect the token
-// is dead and reconnect with a freshly re-logged-in token. The real SMS usually
-// lands well within this; a *dead-token* socket NEVER pushes, so this is what
-// rescues an otherwise-silent run.
-const WS_SILENT_RELOGIN_MS = 25000;
-const WS_PING_MS = 20000;      // keep-alive so an idle socket isn't dropped before the SMS lands
+// Concurrency note: OTPCart happily serves MANY concurrent WS connections on ONE valid
+// session — each rented number gets its own socket and its own OTP push. The hazard is
+// NOT the parallel sockets; it's rotating the shared JWT. So the watchdog below must
+// NEVER relogin just because a socket is *quiet* (a slow SMS would then rotate the token
+// and knock out every other concurrent slot's open socket — a relogin storm). We only
+// relogin on hard evidence the token is dead: the HANDSHAKE itself fails (close/error
+// before we ever bound the socket). A connected-but-silent socket just re-subscribes.
+const WS_RESUBSCRIBE_MS = 20000;  // periodically re-send the bind frame on a quiet socket
+const WS_PING_MS = 20000;         // keep-alive so an idle socket isn't dropped before the SMS lands
 const WS_DEBUG = process.env.OTPCART_WS_DEBUG === '1';
 
 class OTPCartStream {
@@ -176,10 +179,11 @@ class OTPCartStream {
     this._openP = null;        // resolves when the WS is OPEN
     this._reconnectTimer = null;
     this._connectedAt = 0;
-    this._silentTimer = null;  // fires if no OTP arrives → relogin + reconnect
+    this._everOpened = false;  // did this socket ever reach OPEN?
+    this._resubTimer = null;   // re-subscribe on a quiet socket (no token rotation)
     this._pingTimer = null;    // keep-alive
     this._reloggingIn = false;
-    this._silentReloginsLeft = 1; // recover a taken-over session once; don't churn a slow SMS
+    this._handshakeReloginsLeft = 1; // recover a taken-over session once on a bad handshake
     this._gotServerAck = false;   // server sent the {serialNumber,mobileId} connect frame
     this._connect();
   }
@@ -187,38 +191,34 @@ class OTPCartStream {
   _currentToken() { return this.provider.token; }
   _dbg(...a) { if (WS_DEBUG) { try { console.error('[otpcart-ws]', ...a); } catch { /* */ } } }
 
-  _clearSilentTimer() {
-    if (this._silentTimer) { clearTimeout(this._silentTimer); this._silentTimer = null; }
+  _clearResubTimer() {
+    if (this._resubTimer) { clearInterval(this._resubTimer); this._resubTimer = null; }
   }
   _clearPingTimer() {
     if (this._pingTimer) { clearInterval(this._pingTimer); this._pingTimer = null; }
   }
 
-  // Schedule the "this socket has gone quiet — maybe the token is dead" check.
-  // Only while we still have a relogin budget (a genuinely slow SMS shouldn't keep
-  // rotating the shared token, which would force every other slot to reconnect).
-  _armSilentTimer() {
-    this._clearSilentTimer();
-    if (this.closed || this.otp || !this.provider.canRelogin || this._silentReloginsLeft <= 0) return;
-    this._silentTimer = setTimeout(() => this._handleSilent(), WS_SILENT_RELOGIN_MS);
-  }
-
-  async _handleSilent() {
-    if (this.closed || this.otp || this._reloggingIn || this._silentReloginsLeft <= 0) return;
-    this._silentReloginsLeft--;
+  // A socket that errored/closed WITHOUT ever opening is the dead-token signal: the
+  // server rejected the handshake. Relogin (de-duped + epoch-guarded so concurrent
+  // slots don't storm) and reconnect with the fresh token. A socket that DID open is
+  // a valid session — we never relogin it, so other concurrent sockets stay intact.
+  async _handleHandshakeFailure() {
+    if (this.closed || this.otp || this._reloggingIn) return;
+    if (!this.provider.canRelogin || this._handshakeReloginsLeft <= 0) {
+      // No creds (or budget spent) — just retry the socket with the current token.
+      if (!this.closed && !this.otp) this._reconnectTimer = setTimeout(() => this._connect(), 1000);
+      return;
+    }
+    this._handshakeReloginsLeft--;
     this._reloggingIn = true;
-    this._dbg('silent watchdog fired — relogin + reconnect');
+    this._dbg('handshake failed before open — relogin + reconnect');
     try {
-      // Re-login (de-duped at the provider) to get a token that the WS will accept,
-      // then reconnect this socket with it. If the token was actually fine, this is
-      // a cheap no-op reconnect that costs nothing but a fresh socket.
       const epoch = this.provider.tokenEpoch;
       await this.provider.relogin(epoch);
-    } catch { /* keep the old socket; nothing better to do */ }
+    } catch { /* nothing better to do */ }
     finally { this._reloggingIn = false; }
     if (this.closed || this.otp) return;
-    try { if (this.ws) this.ws.terminate(); } catch { /* */ }
-    this._connect(); // reconnect with the (possibly refreshed) current token
+    this._connect();
   }
 
   // The browser sends an Origin (and a UA) on the WS handshake. The `ws` library
@@ -253,15 +253,21 @@ class OTPCartStream {
     this._dbg('connecting', WS_URL, 'token', String(token).slice(0, 10) + '…');
     this.ws = new WebSocket(`${WS_URL}?token=${token}`, this._wsOptions());
     this._gotServerAck = false;
+    let openedThisSocket = false; // did THIS socket reach OPEN (vs. fail the handshake)?
     this._openP = new Promise((resolve) => {
       this.ws.once('open', resolve);
       this.ws.once('error', resolve); // resolve anyway so ready() never hangs
     });
     this.ws.on('open', () => {
       this._connectedAt = Date.now();
+      this._everOpened = true;
+      openedThisSocket = true;
       this._dbg('open');
       this._subscribe();      // bind this socket to our number (browser parity)
-      this._armSilentTimer(); // start the dead-token watchdog
+      // Quiet-socket handling = RE-SUBSCRIBE only (NEVER relogin). This keeps concurrency
+      // safe: a slow SMS on one slot won't rotate the shared token and break other slots.
+      this._clearResubTimer();
+      this._resubTimer = setInterval(() => { if (!this.otp && !this.closed) this._subscribe(); }, WS_RESUBSCRIBE_MS);
       this._clearPingTimer();
       this._pingTimer = setInterval(() => { try { this.ws.ping(); } catch { /* */ } }, WS_PING_MS);
     });
@@ -272,7 +278,7 @@ class OTPCartStream {
       // OTP frame: {message, otpMessage}.
       if (msg.otpMessage) {
         const m = String(msg.otpMessage).match(OTP_RE);
-        if (m) { this.otp = m[1]; this.arrived = true; this._clearSilentTimer(); this._dbg('OTP', m[1]); }
+        if (m) { this.otp = m[1]; this.arrived = true; this._clearResubTimer(); this._dbg('OTP', m[1]); }
         return;
       }
       // Ack frame: {serialNumber, mobileId, resend}. Confirms the socket is bound.
@@ -285,14 +291,20 @@ class OTPCartStream {
       }
     });
     this.ws.on('pong', () => this._dbg('pong'));
-    this.ws.on('error', (e) => { this._dbg('error', e?.message); /* swallow — poll() returns nothing; we auto-reconnect */ });
-    // Auto-reconnect if the socket drops before the OTP arrives (so a dropped WS doesn't
-    // silently lose the push — this is the "purchased but never got OTP" symptom).
+    this.ws.on('error', (e) => { this._dbg('error', e?.message); /* swallow — handled in close */ });
     this.ws.on('close', (code) => {
-      this._dbg('close', code);
-      this._clearSilentTimer();
+      this._dbg('close', code, 'opened=' + openedThisSocket);
+      this._clearResubTimer();
       this._clearPingTimer();
       if (this.closed || this.otp || this._reloggingIn) return;
+      if (!openedThisSocket) {
+        // Never reached OPEN → the handshake was rejected → likely a dead token.
+        // Relogin (epoch-guarded, capped) then reconnect — this is the ONLY relogin path.
+        this._handleHandshakeFailure();
+        return;
+      }
+      // Was a healthy socket that dropped before the OTP — just reconnect with the SAME
+      // token (no relogin, so we don't disturb other concurrent slots).
       this._reconnectTimer = setTimeout(() => { if (!this.closed && !this.otp) this._connect(); }, 1000);
     });
   }
@@ -324,7 +336,7 @@ class OTPCartStream {
 
   close() {
     this.closed = true;
-    this._clearSilentTimer();
+    this._clearResubTimer();
     this._clearPingTimer();
     if (this._reconnectTimer) { clearTimeout(this._reconnectTimer); this._reconnectTimer = null; }
     try { this.ws.close(); } catch { /* */ }

package/src/update.js

@@ -2,8 +2,10 @@
 //   • checkForUpdate() — quietly asks the npm registry for the latest version (cached 6h),
 //     returns the newer version string or null. Used to show a notice on launch.
 //   • runUpdate() — runs `npm install -g scripter-x@latest`.
-import { execFile } from 'node:child_process';
+//   • restartCli() — re-exec the freshly-installed CLI so the new version takes over.
+import { execFile, spawn } from 'node:child_process';
 import { promisify } from 'node:util';
+import process from 'node:process';
 import * as config from './config.js';
 
 const execFileP = promisify(execFile);
@@ -45,3 +47,48 @@ export async function runUpdate() {
     return { ok: false, output: e.message };
   }
 }
+
+// Re-exec the CLI so the just-installed version takes over. Spawns a fresh, DETACHED
+// process that inherits this terminal, then exits the current one. The caller MUST have
+// already torn down the ink/alt-screen UI (so the terminal is restored) before calling
+// this — otherwise the child renders over a dirty screen.
+//
+// We re-run the CURRENT entry file with node (`process.argv[1]`): after `npm install -g`,
+// the global bin symlink points at the new version, so this loads the updated code. If
+// that entry path is somehow missing, we fall back to the `scripterx` bin on PATH.
+//
+// NOTE: on success it exits the process and never returns. Returns false only if BOTH
+// spawn attempts throw synchronously, so the caller can show "restart manually".
+export function restartCli({ binName = 'scripterx', delayMs = 150 } = {}) {
+  // Re-run with the SAME args the user launched with (drop node + the script path), so
+  // `scripterx` → interactive shell, `scripterx zepto` → zepto, etc.
+  const argv = process.argv.slice(2);
+  const entry = process.argv[1];
+
+  const trySpawn = (cmd, args) => {
+    const child = spawn(cmd, args, { stdio: 'inherit', detached: true, shell: false });
+    child.unref();
+    return child;
+  };
+
+  try {
+    const primary = trySpawn(process.execPath, [entry, ...argv]);
+    // If the entry re-exec fails to even start, fall back to the named bin on PATH.
+    primary.on('error', () => {
+      try { trySpawn(binName, argv); } catch { /* nothing more we can do */ }
+    });
+    // Exit the old process; its `process.on('exit', restore)` cleans the terminal and the
+    // detached child takes over the same TTY running the new version.
+    setTimeout(() => process.exit(0), delayMs);
+    return true;
+  } catch {
+    // process.execPath spawn threw synchronously — try the named bin directly.
+    try {
+      trySpawn(binName, argv);
+      setTimeout(() => process.exit(0), delayMs);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+}