scripter-x 1.0.30 → 1.0.32

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scripter-x",
-  "version": "1.0.30",
+  "version": "1.0.32",
   "description": "ScripterX — local Flipkart session extractor (runs on your residential IP, syncs to marthunt)",
   "type": "module",
   "bin": {

package/src/commands.js

@@ -8,6 +8,7 @@ import * as tp from './providers/tempotp.js';
 import * as oc from './providers/otpcart.js';
 import * as kuku from './providers/kuku.js';
 import * as zepto from './providers/zepto.js';
+import * as bigbasket from './providers/bigbasket.js';
 import { checkCouponTier } from './providers/zeptoCoupon.js';
 import { homedir } from 'node:os';
 import { join, dirname } from 'node:path';
@@ -129,11 +130,13 @@ async function buildProvider(io, name) {
 }
 
 export async function run(io, api, args = {}) {
-  // TARGET: Flipkart (the backend campaign flow) or Zepto (local OTP → ZAUTH1 envelope).
-  const target = args.target || (args.number ? 'zepto' : (await io.select('what to extract?', [
+  // TARGET: Flipkart (backend campaign), Zepto, or BigBasket (local OTP → session JSON).
+  const target = args.target || (await io.select('what to extract?', [
     { label: 'Flipkart', value: 'flipkart', description: 'session JSON via OTP provider (campaign)' },
-    { label: 'Zepto', value: 'zepto', description: 'headless extraction (auto) OR local OTP login (manual)' }])).value);
+    { label: 'Zepto', value: 'zepto', description: 'headless extraction (auto) OR local OTP login (manual)' },
+    { label: 'BigBasket', value: 'bigbasket', description: 'local OTP login → session JSON (manual; auto soon)' }])).value;
   if (target === 'zepto') return zeptoCmd(io, api, args);
+  if (target === 'bigbasket') return bigbasketCmd(io, api, args);
 
   api = api || await getApi(io);
 
@@ -441,12 +444,29 @@ export async function zeptoCmd(io, api, args = {}) {
   const { ZeptoWorker } = await import('./worker.js');
   const { RunController } = await import('./controller.js');
   const controller = new RunController({ name, provider: 'otpcart-zepto', requested: count });
+
+  // INCREMENTAL SAVE: append every extracted envelope to its tier file the instant it
+  // succeeds — so a mid-campaign stop / double-Ctrl+C / crash never loses an account.
+  const tierDir = checkCoupon ? zeptoTierDir(args, name) : null;
+  const savedTiers = {}; // tier -> count, for the final summary
+  const onResult = (res) => {
+    if (res.status !== 'success' || !res.envelope) return;
+    if (checkCoupon) {
+      const tier = res.coupon_tier || 'unchecked';
+      mkdirSync(tierDir, { recursive: true });
+      const dest = join(tierDir, `${tier}.txt`);
+      appendFileSync(dest, (existsSync(dest) ? '\n' : '') + res.envelope + '\n');
+      savedTiers[tier] = (savedTiers[tier] || 0) + 1;
+    }
+  };
+
   const worker = new ZeptoWorker(provider, {
     requested: count,
     concurrency,
     certSha: cert,
     checkCoupon,
     onEvent: controller.handleEvent,
+    onResult,
   });
   controller.stop = () => worker.stop();
 
@@ -478,37 +498,207 @@ export async function zeptoCmd(io, api, args = {}) {
 
   io.print(`  ✓ done — ${worker.stats.succeeded} succeeded · ${worker.stats.failed} failed · ${worker.stats.cancelled} cancelled · ₹${worker.stats.charges} spent`);
 
-  if (worker.stats.succeeded > 0) {
+  // Note "stopped" so the summary is honest about a mid-run stop.
+  if (worker.stopped) io.print('  ⚠ campaign stopped — saving everything extracted so far', 'warn');
+
+  const succeeded = results.filter((r) => r.status === 'success' && r.envelope);
+  if (succeeded.length > 0) {
+    // combined full/zauth files (all successes, for convenience)
     const saved = await saveZeptoSessions(results, name, args.out);
     if (saved) {
       io.print(`  ✓ saved ${saved.count} session(s) to 2 files:`);
       io.print(`     full   → ${saved.fullPath}`, 'accent');
       io.print(`     zauth  → ${saved.zauthPath}`, 'accent');
     }
-    // If coupon-tier was checked, ALSO split the envelopes into per-tier files.
     if (checkCoupon) {
-      const tiers = {};
-      for (const r of results) {
-        if (r.status !== 'success') continue;
-        const tier = r.coupon_tier || 'unchecked';
-        (tiers[tier] = tiers[tier] || []).push(r.envelope);
-      }
-      io.print('  ◉ coupon tiers:');
+      // tier files were written INCREMENTALLY during the run (survives any exit).
+      io.print(`  ◉ coupon tiers (saved live in ${tierDir}):`);
       for (const tier of ['rs100', 'rs75', 'rs50', 'normal', 'unchecked']) {
-        if (!tiers[tier]?.length) continue;
-        const dir = zeptoTierDir(args, name);
-        const dest = join(dir, `${tier}.txt`);
-        mkdirSync(dir, { recursive: true });
-        // one envelope per block, separated by a blank line — readable + paste-friendly
-        writeFileSync(dest, tiers[tier].join('\n\n') + '\n');
-        io.print(`     ${TIER_LABEL[tier]} (${tiers[tier].length}) → ${dest}`, 'accent');
+        if (!savedTiers[tier]) continue;
+        io.print(`     ${TIER_LABEL[tier]} (${savedTiers[tier]}) → ${join(tierDir, `${tier}.txt`)}`, 'accent');
       }
     } else {
       io.print('  ◉ ZAUTH1 envelopes:');
-      for (const r of results) {
-        if (r.status === 'success') io.print(`     +91${r.mobile}  →  ${r.envelope}`, 'accent');
+      for (const r of succeeded) io.print(`     +91${r.mobile}  →  ${r.envelope}`, 'accent');
+    }
+  } else {
+    io.print('  ◉ no sessions extracted — nothing to save.');
+  }
+}
+
+// ── BigBasket: local OTP login → session JSON ────────────────────────────────
+// Manual mode (built now): enter a number → SMS an OTP locally → type the code →
+// verify → write {phone}-{timestamp}.json with { phone, bbAuthToken, mId, bbVisitorId }.
+// LOOPS until Esc. Runs entirely on your IP. Auto mode lands once the server is wired.
+
+// Resolve the base dir for BigBasket session output.
+function bigbasketBaseDir(args) {
+  if (args.out) {
+    const expanded = args.out.startsWith('~') ? join(homedir(), args.out.slice(1)) : args.out;
+    return /\.(json|txt)$/i.test(expanded) ? dirname(expanded) : expanded;
+  }
+  const downloads = join(homedir(), 'Downloads');
+  return join(existsSync(downloads) ? downloads : homedir(), 'scripterx', 'bigbasket');
+}
+
+// Save one session as a per-number JSON. Returns the path written.
+function saveBigbasketSession(args, number, sessionKeys) {
+  const baseDir = bigbasketBaseDir(args);
+  mkdirSync(baseDir, { recursive: true });
+  const stamp = new Date().toISOString().replace(/[:.]/g, '-');
+  const dest = join(baseDir, `${number}-${stamp}.json`);
+  writeFileSync(dest, JSON.stringify(sessionKeys, null, 2) + '\n');
+  return dest;
+}
+
+export async function bigbasketCmd(io, api, args = {}) {
+  const mode = args.manual ? 'manual' : (args.auto ? 'auto' : (args.number ? 'manual' : (await io.select('Choose BigBasket login flow', [
+    { label: 'Auto', value: 'auto', description: 'Auto-rent numbers via TempOTP (hands-off)' },
+    { label: 'Manual', value: 'manual', description: 'Enter phone + type OTP yourself' },
+  ])).value || 'auto'));
+
+  if (mode === 'auto') return bigbasketAuto(io, args);
+
+  io.print('  ◉ BigBasket — local OTP → session JSON (Manual)');
+  io.print('  ◉ press esc to cancel', 'accent');
+
+  let done = 0;
+  let lastSig = 0, stopping = false;
+  const onSigint = () => {
+    const now = Date.now();
+    if (now - lastSig < 2000) { stopping = true; process.exit(0); }
+    lastSig = now;
+    io.print('  ⚠ press Ctrl+C again to exit');
+  };
+  const interactive = !!io.startRun; // ink App owns its own Ctrl+C
+  if (!interactive) process.on('SIGINT', onSigint);
+
+  try {
+    for (;;) {
+      // number entry — Esc stops the whole loop
+      const raw = args.number || await io.ask('bigbasket phone number', { escapable: true });
+      if (raw === CANCEL) break;
+      const number = String(raw).replace(/\D/g, '').slice(-10);
+      if (number.length !== 10) { io.print('  ! enter a 10-digit number', 'danger'); if (args.number) break; continue; }
+
+      try {
+        const session = bigbasket.newSession(number);
+        io.print(`  ◉ sending OTP to ${number} …`);
+        const s = await bigbasket.sendOtp(session);
+        if (!s.ok) { io.print(`  ✗ could not send OTP: ${s.msg || s.status}`, 'danger'); if (args.number) break; continue; }
+        io.print('  ✓ OTP sent');
+
+        // OTP entry — Esc abandons this number and loops back
+        const otpRaw = args.otp || await io.ask('enter the OTP', { escapable: true });
+        if (otpRaw === CANCEL) break;
+        const v = await bigbasket.verifyOtp(session, String(otpRaw).trim());
+        if (!v.ok) { io.print(`  ✗ OTP verify failed: ${v.error || v.status}`, 'danger'); if (args.number) break; continue; }
+        io.print(`  ✓ logged in${v.user?.first_name ? ` as ${v.user.first_name}` : ''}`);
+
+        const keys = bigbasket.toSessionKeys(session);
+        const dest = saveBigbasketSession(args, number, keys);
+        done++;
+        io.print('  ✓ session saved to:');
+        io.print(`     ${dest}`, 'accent');
+        io.print(`     bbAuthToken=${(keys.bbAuthToken || '').slice(0, 24)}…  mId=${keys.mId}  bbVisitorId=${keys.bbVisitorId}`, 'accent');
+      } catch (e) {
+        io.print(`  ✗ ${number}: ${e.message}`, 'danger');
+        if (args.number) break;
+        continue;
       }
+
+      if (args.number) break;            // one-shot: do exactly one and stop
+      io.print('  ◉ next number (esc to finish)', 'accent');
     }
+  } finally {
+    if (!interactive && !stopping) process.off('SIGINT', onSigint);
+  }
+  io.print(`  ✓ done — ${done} session(s) saved.`);
+}
+
+// ── BigBasket auto: rent numbers via TempOTP, poll SMS, verify headlessly ─────
+// Mirrors the Zepto auto flow. Local-first: every success is appended to a combined
+// file the instant it lands (so a mid-run stop never loses an account).
+async function bigbasketAuto(io, args = {}) {
+  io.print('  ◉ BigBasket — auto extraction via TempOTP');
+  const cfg = config.load();
+
+  // TempOTP key (reuse the saved-key / add-new pattern from buildProvider).
+  let key = cfg.tempotp_api_key;
+  if (key) {
+    const choice = await io.select(`saved TempOTP key: ${maskSecret(key)}`, [
+      { label: 'use saved', value: 'use', description: maskSecret(key) },
+      { label: 'add new', value: 'new', description: 'enter a different key' }]);
+    if ((choice.value || choice) === 'new') key = null;
+  }
+  let freshlyEntered = false;
+  if (!key) { key = await io.ask('TempOTP API key'); freshlyEntered = true; }
+  const bal = await tp.balance(key);
+  if (bal == null) { io.print('  ✗ TempOTP key invalid or unreachable', 'danger'); return; }
+  io.print(`  ✓ TempOTP balance: ₹${bal}`);
+  if (freshlyEntered && await io.confirm('save this key locally for next time?', true)) config.setMany({ tempotp_api_key: key });
+
+  // BigBasket service picker (only the BB service ids).
+  const svc = args.service || (await io.select('BigBasket service', tp.BIGBASKET_SERVICES.map((id) => ({
+    label: `${id} · ${tp.SERVICE_NAMES[id]}`, value: id, description: `₹${tp.SERVICES[id]}`,
+  })))).value;
+  const provider = new tp.TempOTPProvider(key, svc);
+
+  const count = args.count || Number(await io.ask('how many sessions?', { dflt: '1' }));
+  const concurrency = args.concurrency || Number(await io.ask('concurrency (keep low — 1 recommended)', { dflt: '1' }));
+  const name = args.name || `BigBasket-${Math.floor(Date.now() / 1000)}`;
+  if (!(await io.confirm(`start ${count} BigBasket extraction(s) at concurrency ${concurrency} on service ${svc}?`, true))) return;
+
+  const { BigBasketWorker } = await import('./worker.js');
+  const { RunController } = await import('./controller.js');
+  const controller = new RunController({ name, provider: `tempotp-bigbasket`, requested: count });
+
+  // INCREMENTAL SAVE: append every extracted session to one JSONL the instant it lands.
+  const baseDir = bigbasketBaseDir(args);
+  const stamp = new Date().toISOString().replace(/[:.]/g, '-');
+  const liveFile = join(baseDir, `${name}-${stamp}.jsonl`);
+  const onResult = (res) => {
+    if (res.status !== 'success' || !res.session) return;
+    mkdirSync(baseDir, { recursive: true });
+    appendFileSync(liveFile, JSON.stringify(res.session) + '\n');
+  };
+
+  const worker = new BigBasketWorker(provider, { requested: count, concurrency, onEvent: controller.handleEvent, onResult });
+  controller.stop = () => worker.stop();
+
+  const results = [];
+  const origRecord = worker._record.bind(worker);
+  worker._record = (res) => { results.push(res); origRecord(res); };
+
+  const interactive = !!io.startRun;
+  if (interactive) io.startRun(controller);
+  let onSigint = null;
+  if (!interactive) {
+    let lastSig = 0;
+    onSigint = () => {
+      const now = Date.now();
+      if (now - lastSig < 2000) { worker.stop(); process.exit(0); }
+      lastSig = now; worker.stop();
+      io.print('  ⚠ stopping — press Ctrl+C again to exit');
+    };
+    process.on('SIGINT', onSigint);
+  }
+
+  await worker.run();
+  if (onSigint) process.off('SIGINT', onSigint);
+  if (io.endRun) io.endRun();
+
+  io.print(`  ✓ done — ${worker.stats.succeeded} succeeded · ${worker.stats.failed} failed · ${worker.stats.cancelled} cancelled · ₹${worker.stats.charges} spent`);
+
+  // Also write a combined pretty JSON array of all successes for convenience.
+  const succeeded = results.filter((r) => r.status === 'success' && r.session).map((r) => r.session);
+  if (succeeded.length) {
+    mkdirSync(baseDir, { recursive: true });
+    const combined = join(baseDir, `${name}-${stamp}.json`);
+    writeFileSync(combined, JSON.stringify(succeeded, null, 2) + '\n');
+    io.print(`  ✓ saved ${succeeded.length} session(s):`);
+    io.print(`     ${combined}`, 'accent');
+    io.print(`     (live JSONL: ${liveFile})`, 'accent');
   } else {
     io.print('  ◉ no sessions extracted — nothing to save.');
   }
@@ -695,7 +885,7 @@ export async function configCmd(io, _api, args = {}) {
 }
 
 export function help(io) {
-  io.print('  commands: run · zepto · recheck · campaigns · export · balance · creds · stop · delete · whoami · config · update · logout · exit');
+  io.print('  commands: run · zepto · bigbasket · recheck · campaigns · export · balance · creds · stop · delete · whoami · config · update · logout · exit');
 }
 
 export async function update(io) {
@@ -721,6 +911,6 @@ export async function update(io) {
 
 // dispatch table used by the interactive shell
 export const REGISTRY = {
-  run, zepto: zeptoCmd, recheck, campaigns, export: exportCmd, balance, creds, stop, delete: del,
+  run, zepto: zeptoCmd, bigbasket: bigbasketCmd, recheck, campaigns, export: exportCmd, balance, creds, stop, delete: del,
   whoami, login, logout, config: configCmd, update, help,
 };

package/src/index.js

@@ -54,6 +54,11 @@ const HELP = `${paint.bold('scripterx')} — local Flipkart session extractor
        --auto | --manual    --count N  --concurrency N  --out <file|dir>  --cert <64hex>
        --number <10-digit>  --otp <code>
        (envelope keyed to ZeptoAuthManager cert; override with --cert or $ZAUTH_CERT_SHA)
+  scripterx bigbasket [flags]  local BigBasket OTP login → session JSON (alias: bb)
+       --auto | --manual    --count N  --concurrency N  --out <file|dir>
+       --service <1819|1874|1919|2259>   (auto: TempOTP BigBasket service id)
+       --number <10-digit>  --otp <code> (manual one-shot)
+       → writes {phone, bbAuthToken, mId, bbVisitorId} per session
   scripterx recheck <file>  re-validate Minutes status of a session JSON, locally (your IP)
        → re-splits into corrected -minutes-free / -minutes-used files + stats
   scripterx campaigns | export [name] | balance | creds | stop | delete | whoami | config
@@ -106,7 +111,7 @@ async function main() {
   }
 
   // ── one-shot mode ──
-  const map = { run: 'run', zepto: 'zepto', recheck: 'recheck', campaigns: 'campaigns', export: 'export', balance: 'balance',
+  const map = { run: 'run', zepto: 'zepto', bigbasket: 'bigbasket', bb: 'bigbasket', recheck: 'recheck', campaigns: 'campaigns', export: 'export', balance: 'balance',
     creds: 'creds', stop: 'stop', delete: 'delete', whoami: 'whoami', login: 'login',
     logout: 'logout', config: 'config', update: 'update', help: 'help' };
   const fnName = map[cmd];
@@ -118,6 +123,7 @@ async function main() {
     mode: flags.email ? 'json_email' : flags.mode, // --email or --mode json_email
     target: flags.target, // run: 'flipkart' | 'zepto'
     number: flags.number, otp: flags.otp, cert: flags.cert, // zepto: local OTP login → ZAUTH1 envelope
+    service: flags.service, // bigbasket auto: TempOTP service id (1819/1874/1919/2259)
     auto: flags.auto, manual: flags.manual,
     checkCoupon: flags['check-coupon'] === true ? true : (flags['check-coupon'] === false ? false : null),
     campaign: flags._[0], out: flags.out, action: flags._[0], value: flags._[1],

package/src/providers/bigbasket.js

@@ -0,0 +1,184 @@
+// BigBasket local login provider — send an OTP to a phone number and verify it,
+// straight against BigBasket's native API (runs on YOUR IP, no emulator, no backend).
+//
+// Flow (reverse-engineered from the native app; the login screen is Flutter, so its
+// OTP calls don't show in a proxy — but they're plain native endpoints we can call):
+//   1. sendOtp(session)        -> register device + harvest csrf/csurf, then SMS an OTP.
+//   2. verifyOtp(session, otp) -> unified-login returns { bb_token, m_id, visitor_id }.
+//
+// IMPORTANT: the native /member-tdl/v3/member/otp/ endpoint needs **no reCAPTCHA**.
+// Bootstrap (register/device + ui-svc/header) is what mints the csrftoken + csurftoken
+// the OTP/verify POSTs require. Verify body uses mobile_no + mobile_no_otp + refId +
+// source:"BIGBASKET" (NOT identifier/referrer — that 400s with HU4000).
+//
+// Same shape as providers/zepto.js so the CLI command can mirror zeptoCmd exactly.
+import https from 'node:https';
+import crypto from 'node:crypto';
+import { hostname } from 'node:os';
+import * as throttle from '../throttle.js';
+
+const HOST = 'www.bigbasket.com';
+const APP_VERSION = '8.13.0';
+const BUILD_CODE = '24105210';
+const OS_RELEASE = '13';
+
+const uuid = () => crypto.randomUUID();
+// stable per-machine device id (the app keeps one forever in SharedPreferences)
+function deviceId() {
+  const seed = hostname() + '|scripterx-bb-android';
+  return crypto.createHash('sha1').update(seed).digest('hex').slice(0, 16);
+}
+
+// ── cookie jar (the app quotes some identity cookies) ─────────────────────────
+const QUOTED = new Set(['_bb_source', '_bb_vid', 'BBAUTHTOKEN', '_bb_mid']);
+function cookieHeader(jar) {
+  jar._bb_source = 'app'; // marks the session as the Android app
+  return Object.entries(jar)
+    .filter(([, v]) => v != null && v !== '')
+    .map(([k, v]) => (QUOTED.has(k) ? `${k}="${v}"` : `${k}=${v}`))
+    .join('; ');
+}
+function absorb(jar, setCookie) {
+  (setCookie || []).forEach((c) => {
+    const kv = c.split(';')[0];
+    const i = kv.indexOf('=');
+    if (i > 0) {
+      const name = kv.slice(0, i).trim();
+      const val = kv.slice(i + 1).trim().replace(/^"(.*)"$/, '$1');
+      if (val && val.toLowerCase() !== 'deleted') jar[name] = val;
+    }
+  });
+}
+
+// ── native header builder (mirrors the two OkHttp interceptors) ───────────────
+function headers(session, method, extra = {}) {
+  const h = {
+    Accept: 'application/json, text/plain, */*',
+    'Content-Type': 'application/json',
+    'User-Agent': `BB Android/v${APP_VERSION}/os ${OS_RELEASE}`,
+    'X-Channel': 'BB-Android',
+    'X-Caller': 'Monster-SVC',
+    'X-Tracker': uuid(),
+    'X-Tcp-Platform': 'native',
+    'X-Tcp-Device-Version': `android_${APP_VERSION}_${BUILD_CODE}`,
+    'common-client-static-version': '101',
+    'X-Entry-Context': 'bbnow',
+    'X-Entry-Context-Id': '10',
+    'x-device-id': session.deviceId,
+    'x-device-model': 'Google sdk_gphone64_arm64',
+    'x-is-debug': 'false',
+    'X-Pharma': 'true',
+    Cookie: cookieHeader(session.jar),
+  };
+  // csurftoken/csrftoken only on mutating requests (ApiCallInterceptor.addCsrfToken)
+  const m = method.toUpperCase();
+  if (m === 'POST' || m === 'PUT' || m === 'DELETE' || m === 'PATCH') {
+    if (session.jar.csurftoken) h['x-csurftoken'] = session.jar.csurftoken;
+    if (session.jar.csrftoken) h['x-csrftoken'] = session.jar.csrftoken;
+  }
+  return { ...h, ...extra };
+}
+
+function req(session, method, path, body, extra = {}) {
+  return new Promise((resolve) => {
+    const payload = body == null ? '' : typeof body === 'string' ? body : JSON.stringify(body);
+    const h = { ...headers(session, method, extra), host: HOST };
+    if (payload) h['Content-Length'] = Buffer.byteLength(payload);
+    const r = https.request({ hostname: HOST, port: 443, method, path, headers: h, timeout: 20000 }, (res) => {
+      const ch = [];
+      res.on('data', (c) => ch.push(c));
+      res.on('end', () => {
+        absorb(session.jar, res.headers['set-cookie']);
+        const text = Buffer.concat(ch).toString('utf8');
+        let json = null;
+        try { json = JSON.parse(text); } catch { /* not json */ }
+        resolve({ status: res.statusCode, text, json });
+      });
+    });
+    r.on('error', (e) => resolve({ status: 0, text: 'err:' + e.message, json: null }));
+    r.on('timeout', () => { r.destroy(); resolve({ status: 0, text: 'timeout', json: null }); });
+    if (payload) r.write(payload);
+    r.end();
+  });
+}
+
+// A fresh session = a new cookie jar + a stable device identity.
+export function newSession(number) {
+  return {
+    jar: {},
+    deviceId: deviceId(),
+    refId: null,
+    mobile: String(number).replace(/\D/g, '').slice(-10),
+    token: null,    // bb_token (BBAUTHTOKEN JWT)
+    mId: null,      // base64 member id (server-provided)
+    visitorId: null, // base64 visitor id (server-provided)
+    user: null,
+  };
+}
+
+// Step 1 — bootstrap (register device + header) then request the OTP SMS.
+// Returns { ok, status, msg }. Stores session.refId on success.
+export async function sendOtp(session) {
+  // (a) register device → csrftoken + _bb_vid
+  const form =
+    'imei=02%3A00%3A00%3A00%3A00%3A00&device_id=' + session.deviceId + '&city_id=1&properties=' +
+    encodeURIComponent(JSON.stringify({
+      platform: 'java', os_name: 'android', os_version: OS_RELEASE, app_version: APP_VERSION,
+      device_make: 'Google', device_model: 'sdk_gphone64_arm64', screen_resolution: '1080X2201', screen_dpi: 420,
+    }));
+  await throttle.wait();
+  await req(session, 'POST', '/mapi/v4.2.0/register/device/', form, { 'Content-Type': 'application/x-www-form-urlencoded' });
+
+  // (b) header → csurftoken
+  await throttle.wait();
+  await req(session, 'GET', '/ui-svc/v2/header/?send_door_info=true');
+
+  if (!session.jar.csurftoken) {
+    return { ok: false, status: 0, msg: 'no csurftoken after bootstrap (blocked?)' };
+  }
+
+  // (c) send OTP
+  await throttle.wait();
+  const r = await req(session, 'POST', '/member-tdl/v3/member/otp/',
+    { identifier: session.mobile, referrer: 'unified_login' },
+    { 'X-Login-Origin': 'unified_login' });
+
+  const refId = r.json && (r.json.refId || r.json.ref_id);
+  const ok = r.status === 200 && !!refId;
+  if (ok) session.refId = refId;
+  return { ok, status: r.status, msg: ok ? (r.json.message || 'OTP sent') : (r.json?.message || r.text.slice(0, 160)) };
+}
+
+// Step 2 — verify the OTP. On success, fills session.token / mId / visitorId / user.
+export async function verifyOtp(session, otp) {
+  if (!session.refId) return { ok: false, status: 0, error: 'no refId — call sendOtp first' };
+  await throttle.wait();
+  const r = await req(session, 'POST', '/member-tdl/v3/member/unified-login/',
+    { mobile_no: session.mobile, mobile_no_otp: String(otp).trim(), refId: session.refId, source: 'BIGBASKET' },
+    { 'X-Login-Origin': 'unified_login', 'X-tcp-client-id': 'BIGBASKET-ANDROID-APP' });
+
+  // Native unified-login returns { bb_token, m_id, visitor_id }.
+  const J = r.json || {};
+  const token = J.bb_token || J.BBAUTHTOKEN || session.jar.BBAUTHTOKEN || J.token;
+  if (r.status === 200 && token) {
+    session.token = token;
+    session.mId = J.m_id || session.jar._bb_mid || null;
+    session.visitorId = J.visitor_id || session.jar._bb_vid || null;
+    session.user = J.member_details || J.user || null;
+    return { ok: true, user: session.user };
+  }
+  // HU4000 / wrong-otp surface here
+  const err = J.errors?.[0]?.msg || J.message || r.text.slice(0, 160);
+  return { ok: false, status: r.status, error: err };
+}
+
+// Build the persisted-session object — the requested {bbAuthToken, mId, bbVisitorId}
+// shape, plus phone for traceability.
+export function toSessionKeys(session) {
+  return {
+    phone: session.mobile,
+    bbAuthToken: session.token || '',
+    mId: session.mId || '',
+    bbVisitorId: session.visitorId || '',
+  };
+}

package/src/providers/tempotp.js

@@ -3,9 +3,19 @@ import { extractOtp } from '../flipkart.js';
 
 const BASE = 'https://api.tempotp.online';
 // serviceId -> cost (₹). Keep ids as strings (they go straight into the GET params).
-export const SERVICES = { '1040': 10.0, '940': 16.0, '2451': 12.5, '2452': 12.5, '2453': 12.0, '2484': 18.0 };
+export const SERVICES = {
+  '1040': 10.0, '940': 16.0, '2451': 12.5, '2452': 12.5, '2453': 12.0, '2484': 18.0,
+  // BigBasket (SERVER 16 [best-sv-multi])
+  '1819': 12.0, '1874': 12.0, '1919': 14.0, '2259': 14.0,
+};
 // optional friendly names shown in the service picker
-export const SERVICE_NAMES = { '1040': 'Flipkart', '940': 'Flipkart', '2451': 'Shopsy/Flipkart 1 (SERVER 16)', '2452': 'Shopsy/Flipkart 2 (SERVER 16)', '2453': 'Shopsy/Flipkart 3 (SERVER 16)', '2484': 'ALL 6 DIGIT (SERVER 17 [ALL])' };
+export const SERVICE_NAMES = {
+  '1040': 'Flipkart', '940': 'Flipkart', '2451': 'Shopsy/Flipkart 1 (SERVER 16)', '2452': 'Shopsy/Flipkart 2 (SERVER 16)', '2453': 'Shopsy/Flipkart 3 (SERVER 16)', '2484': 'ALL 6 DIGIT (SERVER 17 [ALL])',
+  '1819': 'BigBasket 1.0 (SERVER 16)', '1874': 'BigBasket 2.0 (SERVER 16)', '1919': 'BigBasket 3.0 (SERVER 16)', '2259': 'BigBasket 4.0 (SERVER 16)',
+};
+// BigBasket service ids (for the bigbasket auto picker)
+export const BIGBASKET_SERVICES = ['1819', '1874', '1919', '2259'];
+export const DEFAULT_BIGBASKET_SERVICE = '1819';
 export const DEFAULT_SERVICE = '940';
 const COUNTRY = '22';
 

package/src/ui/RunView.js

@@ -30,10 +30,28 @@ function SlotRow({ slot, mobile, phase, detail, wait }) {
   );
 }
 
+// Per Zepto coupon tier → a colored note for the live results row.
+function couponNote(tier, label) {
+  const C = COLORS;
+  switch (tier) {
+    case 'rs100': return { note: '₹100 coupon', color: C.success };
+    case 'rs75':  return { note: '₹75 coupon',  color: C.success };
+    case 'rs50':  return { note: '₹50 coupon',  color: C.success };
+    case 'normal': return { note: 'no coupon',  color: C.muted };
+    case 'unchecked': return { note: 'coupon unchecked', color: C.warn };
+    default: return { note: label || 'extracted', color: 'gray' };
+  }
+}
+
 // Map a result to a clean { glyph, label, color, note } for display. Driven by the
 // worker's `category` so every outcome reads consistently (no "successed"/"success" mix).
-function resultDisplay({ status, category, detail }) {
+function resultDisplay({ status, category, detail, couponTier, couponLabel }) {
   const C = COLORS;
+  // Zepto coupon-tier success rows: show the EXACT coupon the account has.
+  if (status === 'success' && couponTier) {
+    const cn = couponNote(couponTier, couponLabel);
+    return { glyph: '✓', label: 'success', color: C.success, note: cn.note, noteColor: cn.color };
+  }
   switch (category) {
     case 'fresh':            return { glyph: '🆕', label: 'fresh account',  color: C.accent,  note: 'new account created' };
     case 'coupon':           return { glyph: '✓',  label: 'success',        color: C.success, note: '₹100 coupon available' };
@@ -52,13 +70,13 @@ function resultDisplay({ status, category, detail }) {
   }
 }
 
-function ResultRow({ status, category, mobile, detail, cost }) {
-  const d = resultDisplay({ status, category, detail });
+function ResultRow({ status, category, mobile, detail, cost, couponTier, couponLabel }) {
+  const d = resultDisplay({ status, category, detail, couponTier, couponLabel });
   const mob = (mobile || '—').slice(-10) || '—';
   return h(Box, null,
     h(Box, { width: 13 }, h(Text, null, mob)),
     h(Box, { width: 14 }, h(Text, { color: d.color }, `${d.glyph} ${d.label}`)),
-    h(Box, { flexGrow: 1 }, h(Text, { color: 'gray' }, d.note)),
+    h(Box, { flexGrow: 1 }, h(Text, { color: d.noteColor || 'gray' }, d.note)),
     h(Box, { width: 7, justifyContent: 'flex-end' }, h(Text, { color: 'gray' }, cost ? `₹${cost}` : '')),
   );
 }
@@ -97,7 +115,7 @@ export function RunView({ controller }) {
       slotList.length ? slotList.map((sl) => h(SlotRow, { key: sl.slot, ...sl }))
         : h(Text, { color: 'gray' }, 'starting…')),
     h(Panel, { title: 'results' },
-      lastRows.length ? lastRows.map((r, i) => h(ResultRow, { key: i, status: r.status, category: r.category, mobile: r.mobile, detail: r.detail, cost: r.cost }))
+      lastRows.length ? lastRows.map((r, i) => h(ResultRow, { key: i, status: r.status, category: r.category, mobile: r.mobile, detail: r.detail, cost: r.cost, couponTier: r.coupon_tier, couponLabel: r.coupon_label }))
         : h(Text, { color: 'gray' }, 'waiting for first result…')),
     h(Box, { borderStyle: 'round', borderColor: COLORS.accent, paddingX: 1 },
       h(Text, { color: COLORS.success }, `✓ ${stats.succeeded}`),

package/src/ui/Shell.js

@@ -13,6 +13,7 @@ const h = React.createElement;
 
 export const COMMANDS = [
   { name: 'run', desc: 'run an extraction' },
+  { name: 'bigbasket', desc: 'local BigBasket OTP login → session JSON' },
   { name: 'campaigns', desc: 'list your campaigns' },
   { name: 'export', desc: "download a campaign's sessions" },
   { name: 'balance', desc: 'check provider balance' },

package/src/worker.js

@@ -6,6 +6,7 @@ import { FlipkartLogin, WrongOTP, BlockedError, TransientError } from './flipkar
 import { CampaignLogger } from './logger.js';
 import * as kuku from './providers/kuku.js';
 import * as zepto from './providers/zepto.js';
+import * as bigbasket from './providers/bigbasket.js';
 
 const OTP_RESEND_AFTER = 60_000;
 const OTPCART_DEADLINE = 120_000;
@@ -555,13 +556,14 @@ async function releaseNumber(provider, number, rentedAt, { log = () => {}, warn
 export const __releaseNumberForTest = releaseNumber;
 
 export class ZeptoWorker {
-  constructor(provider, { requested, concurrency, certSha, onEvent, checkCoupon }) {
+  constructor(provider, { requested, concurrency, certSha, onEvent, onResult, checkCoupon }) {
     this.provider = provider;
     this.requested = requested;
     this.concurrency = Math.max(1, Math.min(concurrency, requested));
     this.certSha = certSha;
     this.checkCoupon = !!checkCoupon; // also classify the ₹50/₹75/₹100 coupon tier
     this.onEvent = onEvent || (() => {});
+    this.onResult = onResult || null; // called per successful result for incremental save
     // Surface OTPCart re-logins (session taken over by another login) in the UI.
     if (provider && 'onNotice' in provider) provider.onNotice = (msg) => this.onEvent('warn', `⚠ ${msg}`);
     this.stats = { total: requested, succeeded: 0, failed: 0, cancelled: 0, generated: 0, attempts: 0, charges: 0 };
@@ -595,6 +597,11 @@ export class ZeptoWorker {
     else { this.stats.failed++; this.stats.charges += res.cost || 0; }
     this.onEvent('progress', this.stats);
     this.onEvent('row', res);
+    // Persist each successful envelope IMMEDIATELY (incremental save) so a mid-run
+    // stop / double-Ctrl+C / crash never loses an already-extracted account.
+    if (res.status === 'success' && res.envelope && this.onResult) {
+      try { this.onResult(res); } catch { /* best-effort; never break the loop */ }
+    }
   }
 
   async run() {
@@ -753,3 +760,197 @@ export class ZeptoWorker {
     }
   }
 }
+
+// ── BigBasket auto worker ─────────────────────────────────────────────────────
+// Identical orchestration to ZeptoWorker (rent → SMS poll → verify → save), but the
+// merchant is BigBasket: bigbasket.sendOtp() does its own 3-call bootstrap+send, we
+// poll the OTP provider's SMS stream, then bigbasket.verifyOtp() → session JSON.
+// Designed for TempOTP (poll, no resend) but works with any provider exposing
+// rentOnce/startOtp(poll)/cancel. Local-first: emits res.session for incremental save;
+// server push is layered on top by the caller (onResult) when a backend is configured.
+export class BigBasketWorker {
+  constructor(provider, { requested, concurrency, deadlineMs, onEvent, onResult }) {
+    this.provider = provider;
+    this.requested = requested;
+    this.concurrency = Math.max(1, Math.min(concurrency, requested));
+    this.deadlineMs = deadlineMs || (provider?.name === 'tempotp' ? TEMPOTP_DEADLINE : OTPCART_DEADLINE);
+    this.onEvent = onEvent || (() => {});
+    this.onResult = onResult || null;
+    if (provider && 'onNotice' in provider) provider.onNotice = (msg) => this.onEvent('warn', `⚠ ${msg}`);
+    this.stats = { total: requested, succeeded: 0, failed: 0, cancelled: 0, generated: 0, attempts: 0, charges: 0 };
+    this.slots = {};
+    this.seq = 0;
+    this.stopped = false;
+    this._releases = [];
+  }
+
+  stop() { this.stopped = true; }
+  _nextSeq() { return ++this.seq; }
+
+  _claim() {
+    if (this.stopped) return 0;
+    if (this.stats.succeeded >= this.requested) return 0;
+    const active = this.stats.attempts - (this.stats.succeeded + this.stats.failed + this.stats.cancelled);
+    if (this.stats.succeeded + active >= this.requested) return 0;
+    if (this.stats.attempts >= this.requested * ATTEMPT_CAP_MULT) return 0;
+    return ++this.stats.attempts;
+  }
+
+  _emit(slot, kv) {
+    this.slots[slot] = { slot, ...(this.slots[slot] || {}), ...kv };
+    this.onEvent('slot', this.slots[slot]);
+  }
+
+  _record(res) {
+    if (res.mobile) this.stats.generated++;
+    if (res.status === 'success') { this.stats.succeeded++; this.stats.charges += res.cost || 0; }
+    else if (res.status === 'cancelled') this.stats.cancelled++;
+    else { this.stats.failed++; this.stats.charges += res.cost || 0; }
+    this.onEvent('progress', this.stats);
+    this.onEvent('row', res);
+    if (res.status === 'success' && res.session && this.onResult) {
+      try { this.onResult(res); } catch { /* best-effort; never break the loop */ }
+    }
+  }
+
+  async run() {
+    const loops = Array.from({ length: this.concurrency }, (_, i) => this._loop(i + 1));
+    await Promise.all(loops);
+    if (this._releases.length) {
+      this.onEvent('warn', `finishing up — releasing ${this._releases.length} number(s)…`);
+      await Promise.allSettled(this._releases);
+    }
+    this.onEvent('done', this.stats);
+    return this.stats;
+  }
+
+  _release(number, rentedAt, slot) {
+    const p = releaseNumber(this.provider, number, rentedAt, {
+      log: () => {},
+      warn: (m) => this.onEvent('warn', m),
+      onWait: slot ? (sec) => this._emit(slot, { phase: 'cancelling', detail: 'releasing (cancel-lock)', wait: sec }) : undefined,
+    });
+    this._releases.push(p);
+    return p;
+  }
+
+  async _rent(slot) {
+    let attempt = 0;
+    while (!this.stopped) {
+      attempt++;
+      this._emit(slot, { phase: 'renting', detail: `requesting a number (try ${attempt})` });
+      const { number } = await this.provider.rentOnce();
+      if (number) return number;
+      if (attempt % RENT_COOLDOWN_EVERY === 0) {
+        for (let rem = RENT_COOLDOWN_SECS; rem > 0; rem--) {
+          if (this.stopped) return null;
+          this._emit(slot, { phase: 'rent_wait', detail: 'no numbers — waiting', wait: rem });
+          await sleep(1000);
+        }
+      } else {
+        await sleep(RENT_RETRY_DELAY);
+      }
+    }
+    return null;
+  }
+
+  async _loop(slot) {
+    for (;;) {
+      if (this._claim() === 0) return;
+      const res = await this._process(slot);
+      await this._record(res);
+    }
+  }
+
+  async _process(slot) {
+    const idNo = this._nextSeq();
+    const res = { id_no: idNo, status: 'failed', cost: 0, detail: '' };
+
+    if (this.stats.succeeded >= this.requested) {
+      this._emit(slot, { phase: 'done', detail: 'goal reached' });
+      res.status = 'cancelled'; res.detail = 'goal reached';
+      return res;
+    }
+
+    this._emit(slot, { mobile: '', phase: 'renting', detail: 'requesting a number', wait: 0 });
+    const number = await this._rent(slot);
+    if (!number) { res.status = 'cancelled'; res.detail = 'stopped while renting'; return res; }
+    const rentedAt = Date.now();
+    if (this.stats.succeeded >= this.requested) {
+      this._release(number, rentedAt, slot);
+      this._emit(slot, { phase: 'done', detail: 'goal reached' });
+      res.status = 'cancelled'; res.detail = 'goal reached';
+      return res;
+    }
+    res.mobile = number.mobile;
+    this._emit(slot, { mobile: number.mobile, phase: 'rented', detail: 'got a number' });
+
+    let stream = null;
+    let released = false;
+    const smsArrived = { v: false };
+
+    const releaseOnce = (charged = false, doneDetail = 'done', consumed = false) => {
+      if (released) return;
+      released = true;
+      if (consumed || (charged && !this.stopped)) { this._emit(slot, { phase: 'done', detail: doneDetail }); return; }
+      this._emit(slot, { phase: 'cancelling', detail: 'releasing number' });
+      this._release(number, rentedAt, slot);
+    };
+
+    const fail = (detail, category) => {
+      const charged = smsArrived.v;
+      res.status = charged ? 'failed' : 'cancelled';
+      res.cost = charged ? number.cost : 0;
+      res.detail = detail;
+      res.category = category || (res.status === 'failed' ? 'failed' : 'cancelled');
+      releaseOnce(charged, 'failed');
+      return res;
+    };
+
+    const session = bigbasket.newSession(number.mobile);
+
+    try {
+      this._emit(slot, { phase: 'ws', detail: 'opening OTP channel' });
+      stream = this.provider.startOtp(number);
+      if (typeof stream.ready === 'function') await stream.ready();
+
+      // bigbasket.sendOtp does register/device → header → otp (all on our IP).
+      this._emit(slot, { phase: 'send_otp', detail: 'sending OTP' });
+      const sent = await bigbasket.sendOtp(session);
+      if (!sent.ok) return fail(`send: ${sent.msg}`, 'send_blocked');
+
+      // Poll the rented number's SMS stream for the BigBasket OTP.
+      const end = Date.now() + this.deadlineMs;
+      let otp = null;
+      while (Date.now() < end && !this.stopped) {
+        const { otp: o, arrived } = await stream.poll();
+        if (arrived) smsArrived.v = true;
+        if (o) { otp = o; break; }
+        this._emit(slot, { phase: 'await_otp', detail: 'waiting for OTP', wait: Math.floor((end - Date.now()) / 1000) });
+        await sleep(1000);
+      }
+      if (!otp) return fail(`no OTP within ${Math.round(this.deadlineMs / 1000)}s — abandoned`, 'timeout');
+
+      this._emit(slot, { phase: 'verify', detail: 'verifying OTP' });
+      const v = await bigbasket.verifyOtp(session, otp);
+      if (!v.ok) {
+        const wrong = /valid otp|incorrect|invalid|expired/i.test(v.error || '');
+        return fail(`verify: ${v.error}`, wrong ? 'wrong_otp' : 'failed');
+      }
+
+      res.status = 'success';
+      res.cost = number.cost;
+      res.session = bigbasket.toSessionKeys(session); // { phone, bbAuthToken, mId, bbVisitorId }
+      res.category = 'extracted';
+
+      this._emit(slot, { phase: 'saving', detail: 'saving session' });
+      releaseOnce(true, 'extracted', true); // success: OTP consumed → no cancel
+      return res;
+    } catch (e) {
+      return fail(`unexpected: ${e.message}`);
+    } finally {
+      releaseOnce(false);
+      if (stream) try { stream.close(); } catch { /* */ }
+    }
+  }
+}