scripter-x 1.0.31 → 1.0.33

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scripter-x",
-  "version": "1.0.31",
+  "version": "1.0.33",
   "description": "ScripterX — local Flipkart session extractor (runs on your residential IP, syncs to marthunt)",
   "type": "module",
   "bin": {

package/src/commands.js

@@ -552,13 +552,12 @@ function saveBigbasketSession(args, number, sessionKeys) {
 }
 
 export async function bigbasketCmd(io, api, args = {}) {
-  // Only manual exists today; auto is wired after the server contract is known.
-  const mode = args.auto ? 'auto' : 'manual';
-  if (mode === 'auto') {
-    io.print('  ! BigBasket auto mode is not wired yet — coming once the server is set.', 'danger');
-    io.print('  ◉ use manual for now:  scripterx bigbasket --manual', 'accent');
-    return;
-  }
+  const mode = args.manual ? 'manual' : (args.auto ? 'auto' : (args.number ? 'manual' : (await io.select('Choose BigBasket login flow', [
+    { label: 'Auto', value: 'auto', description: 'Auto-rent numbers via TempOTP (hands-off)' },
+    { label: 'Manual', value: 'manual', description: 'Enter phone + type OTP yourself' },
+  ])).value || 'auto'));
+
+  if (mode === 'auto') return bigbasketAuto(io, args);
 
   io.print('  ◉ BigBasket — local OTP → session JSON (Manual)');
   io.print('  ◉ press esc to cancel', 'accent');
@@ -617,6 +616,94 @@ export async function bigbasketCmd(io, api, args = {}) {
   io.print(`  ✓ done — ${done} session(s) saved.`);
 }
 
+// ── BigBasket auto: rent numbers via TempOTP, poll SMS, verify headlessly ─────
+// Mirrors the Zepto auto flow. Local-first: every success is appended to a combined
+// file the instant it lands (so a mid-run stop never loses an account).
+async function bigbasketAuto(io, args = {}) {
+  io.print('  ◉ BigBasket — auto extraction via TempOTP');
+  const cfg = config.load();
+
+  // TempOTP key (reuse the saved-key / add-new pattern from buildProvider).
+  let key = cfg.tempotp_api_key;
+  if (key) {
+    const choice = await io.select(`saved TempOTP key: ${maskSecret(key)}`, [
+      { label: 'use saved', value: 'use', description: maskSecret(key) },
+      { label: 'add new', value: 'new', description: 'enter a different key' }]);
+    if ((choice.value || choice) === 'new') key = null;
+  }
+  let freshlyEntered = false;
+  if (!key) { key = await io.ask('TempOTP API key'); freshlyEntered = true; }
+  const bal = await tp.balance(key);
+  if (bal == null) { io.print('  ✗ TempOTP key invalid or unreachable', 'danger'); return; }
+  io.print(`  ✓ TempOTP balance: ₹${bal}`);
+  if (freshlyEntered && await io.confirm('save this key locally for next time?', true)) config.setMany({ tempotp_api_key: key });
+
+  // BigBasket service picker (only the BB service ids).
+  const svc = args.service || (await io.select('BigBasket service', tp.BIGBASKET_SERVICES.map((id) => ({
+    label: `${id} · ${tp.SERVICE_NAMES[id]}`, value: id, description: `₹${tp.SERVICES[id]}`,
+  })))).value;
+  const provider = new tp.TempOTPProvider(key, svc);
+
+  const count = args.count || Number(await io.ask('how many sessions?', { dflt: '1' }));
+  const concurrency = args.concurrency || Number(await io.ask('concurrency (keep low — 1 recommended)', { dflt: '1' }));
+  const name = args.name || `BigBasket-${Math.floor(Date.now() / 1000)}`;
+  if (!(await io.confirm(`start ${count} BigBasket extraction(s) at concurrency ${concurrency} on service ${svc}?`, true))) return;
+
+  const { BigBasketWorker } = await import('./worker.js');
+  const { RunController } = await import('./controller.js');
+  const controller = new RunController({ name, provider: `tempotp-bigbasket`, requested: count });
+
+  // INCREMENTAL SAVE: append every extracted session to one JSONL the instant it lands.
+  const baseDir = bigbasketBaseDir(args);
+  const stamp = new Date().toISOString().replace(/[:.]/g, '-');
+  const liveFile = join(baseDir, `${name}-${stamp}.jsonl`);
+  const onResult = (res) => {
+    if (res.status !== 'success' || !res.session) return;
+    mkdirSync(baseDir, { recursive: true });
+    appendFileSync(liveFile, JSON.stringify(res.session) + '\n');
+  };
+
+  const worker = new BigBasketWorker(provider, { requested: count, concurrency, onEvent: controller.handleEvent, onResult });
+  controller.stop = () => worker.stop();
+
+  const results = [];
+  const origRecord = worker._record.bind(worker);
+  worker._record = (res) => { results.push(res); origRecord(res); };
+
+  const interactive = !!io.startRun;
+  if (interactive) io.startRun(controller);
+  let onSigint = null;
+  if (!interactive) {
+    let lastSig = 0;
+    onSigint = () => {
+      const now = Date.now();
+      if (now - lastSig < 2000) { worker.stop(); process.exit(0); }
+      lastSig = now; worker.stop();
+      io.print('  ⚠ stopping — press Ctrl+C again to exit');
+    };
+    process.on('SIGINT', onSigint);
+  }
+
+  await worker.run();
+  if (onSigint) process.off('SIGINT', onSigint);
+  if (io.endRun) io.endRun();
+
+  io.print(`  ✓ done — ${worker.stats.succeeded} succeeded · ${worker.stats.failed} failed · ${worker.stats.cancelled} cancelled · ₹${worker.stats.charges} spent`);
+
+  // Also write a combined pretty JSON array of all successes for convenience.
+  const succeeded = results.filter((r) => r.status === 'success' && r.session).map((r) => r.session);
+  if (succeeded.length) {
+    mkdirSync(baseDir, { recursive: true });
+    const combined = join(baseDir, `${name}-${stamp}.json`);
+    writeFileSync(combined, JSON.stringify(succeeded, null, 2) + '\n');
+    io.print(`  ✓ saved ${succeeded.length} session(s):`);
+    io.print(`     ${combined}`, 'accent');
+    io.print(`     (live JSONL: ${liveFile})`, 'accent');
+  } else {
+    io.print('  ◉ no sessions extracted — nothing to save.');
+  }
+}
+
 const TIER_LABEL = { rs100: '🟢 ₹100', rs75: '🟢 ₹75', rs50: '🟢 ₹50', normal: '⚪ normal', unchecked: '❔ unchecked' };
 
 // The directory the per-tier files go in for an auto run.

package/src/index.js

@@ -55,8 +55,10 @@ const HELP = `${paint.bold('scripterx')} — local Flipkart session extractor
        --number <10-digit>  --otp <code>
        (envelope keyed to ZeptoAuthManager cert; override with --cert or $ZAUTH_CERT_SHA)
   scripterx bigbasket [flags]  local BigBasket OTP login → session JSON (alias: bb)
-       --manual             --number <10-digit>  --otp <code>  --out <file|dir>
-       → writes {phone, bbAuthToken, mId, bbVisitorId} per number (auto mode soon)
+       --auto | --manual    --count N  --concurrency N  --out <file|dir>
+       --service <1819|1874|1919|2259>   (auto: TempOTP BigBasket service id)
+       --number <10-digit>  --otp <code> (manual one-shot)
+       → writes {phone, bbAuthToken, mId, bbVisitorId} per session
   scripterx recheck <file>  re-validate Minutes status of a session JSON, locally (your IP)
        → re-splits into corrected -minutes-free / -minutes-used files + stats
   scripterx campaigns | export [name] | balance | creds | stop | delete | whoami | config
@@ -121,6 +123,7 @@ async function main() {
     mode: flags.email ? 'json_email' : flags.mode, // --email or --mode json_email
     target: flags.target, // run: 'flipkart' | 'zepto'
     number: flags.number, otp: flags.otp, cert: flags.cert, // zepto: local OTP login → ZAUTH1 envelope
+    service: flags.service, // bigbasket auto: TempOTP service id (1819/1874/1919/2259)
     auto: flags.auto, manual: flags.manual,
     checkCoupon: flags['check-coupon'] === true ? true : (flags['check-coupon'] === false ? false : null),
     campaign: flags._[0], out: flags.out, action: flags._[0], value: flags._[1],

package/src/providers/bigbasket.js

@@ -113,6 +113,8 @@ export function newSession(number) {
     mId: null,      // base64 member id (server-provided)
     visitorId: null, // base64 visitor id (server-provided)
     user: null,
+    isSignup: false, // true if verify created a brand-new account
+    activated: false, // true once the name/profile step succeeded (or wasn't needed)
   };
 }
 
@@ -146,18 +148,44 @@ export async function sendOtp(session) {
   const refId = r.json && (r.json.refId || r.json.ref_id);
   const ok = r.status === 200 && !!refId;
   if (ok) session.refId = refId;
-  return { ok, status: r.status, msg: ok ? (r.json.message || 'OTP sent') : (r.json?.message || r.text.slice(0, 160)) };
+  // Surface BigBasket's error code so callers can react:
+  //   HU4001 = account does not exist / inactive (often a recycled/dead number) → rotate
+  //   HU4000 = bad request shape
+  const err = r.json?.errors?.[0];
+  const code = err?.code_str || null;
+  return {
+    ok, status: r.status, code,
+    msg: ok ? (r.json.message || 'OTP sent') : (err?.msg || err?.display_msg || r.json?.message || r.text.slice(0, 160)),
+  };
 }
 
+// A default name for brand-new accounts. BigBasket requires a non-empty first_name to
+// activate a fresh signup; override via $BB_SIGNUP_NAME.
+const SIGNUP_NAME = (process.env.BB_SIGNUP_NAME || 'Rohan').trim();
+
 // Step 2 — verify the OTP. On success, fills session.token / mId / visitorId / user.
+// Handles BOTH returning members AND brand-new signups: a new account comes back with
+// is_signup:true and an empty name, then needs a profile/set-name call to activate
+// (otherwise the account is half-created and the session is unusable). See the BigBasket
+// signup flow: send(unified_login) → verify → [if is_signup] profile/set-name.
+async function _doVerify(session, otp, referrer) {
+  const body = { mobile_no: session.mobile, mobile_no_otp: String(otp).trim(), refId: session.refId, source: 'BIGBASKET' };
+  if (referrer) body.referrer = referrer; // signup variant adds referrer:"login_signup"
+  await throttle.wait();
+  return req(session, 'POST', '/member-tdl/v3/member/unified-login/', body,
+    { 'X-Login-Origin': referrer || 'unified_login', 'X-tcp-client-id': 'BIGBASKET-ANDROID-APP' });
+}
+
 export async function verifyOtp(session, otp) {
   if (!session.refId) return { ok: false, status: 0, error: 'no refId — call sendOtp first' };
-  await throttle.wait();
-  const r = await req(session, 'POST', '/member-tdl/v3/member/unified-login/',
-    { mobile_no: session.mobile, mobile_no_otp: String(otp).trim(), refId: session.refId, source: 'BIGBASKET' },
-    { 'X-Login-Origin': 'unified_login', 'X-tcp-client-id': 'BIGBASKET-ANDROID-APP' });
+  // First try the returning-member verify. If the number has no account yet (HU4001),
+  // retry with the signup referrer so a brand-new account is created.
+  let r = await _doVerify(session, otp, null);
+  if (r.status !== 200 && r.json?.errors?.[0]?.code_str === 'HU4001') {
+    r = await _doVerify(session, otp, 'login_signup');
+  }
 
-  // Native unified-login returns { bb_token, m_id, visitor_id }.
+  // Native unified-login returns { bb_token, m_id, visitor_id, is_signup, first_name, ... }.
   const J = r.json || {};
   const token = J.bb_token || J.BBAUTHTOKEN || session.jar.BBAUTHTOKEN || J.token;
   if (r.status === 200 && token) {
@@ -165,11 +193,39 @@ export async function verifyOtp(session, otp) {
     session.mId = J.m_id || session.jar._bb_mid || null;
     session.visitorId = J.visitor_id || session.jar._bb_vid || null;
     session.user = J.member_details || J.user || null;
-    return { ok: true, user: session.user };
+    session.isSignup = !!(J.is_signup || J.isSignup);
+    // A brand-new account (or one with no name) must be activated with a name, else the
+    // session is half-baked. Best-effort: failure here still returns the token we got.
+    const noName = !((J.first_name || J.firstName || '').trim());
+    if (session.isSignup || noName) {
+      session.activated = await setProfile(session, SIGNUP_NAME);
+    } else {
+      session.activated = true;
+    }
+    return { ok: true, user: session.user, isSignup: session.isSignup, activated: session.activated };
+  }
+  // Error codes seen at verify:
+  //   HU4011 = wrong/expired OTP   HU4001 = account does not exist/inactive   HU4000 = bad request
+  const e = J.errors?.[0];
+  const code = e?.code_str || null;
+  const error = e?.msg || e?.display_msg || J.message || r.text.slice(0, 160);
+  return { ok: false, status: r.status, code, error };
+}
+
+// Step 3 (new users only) — set the name to activate the freshly-created account.
+// POST /member-tdl/v3/member/profile/ with the BBAUTHTOKEN we just got. Returns true on
+// success. Never throws — a name-set failure shouldn't discard the token.
+export async function setProfile(session, firstName, lastName = '') {
+  try {
+    if (session.token) session.jar.BBAUTHTOKEN = session.token; // authenticate the call
+    await throttle.wait();
+    const r = await req(session, 'POST', '/member-tdl/v3/member/profile/',
+      { first_name: firstName, last_name: lastName, name: lastName ? `${firstName} ${lastName}` : firstName },
+      { 'X-Login-Origin': 'login_signup', 'X-tcp-client-id': 'BIGBASKET-ANDROID-APP' });
+    return r.status === 200;
+  } catch {
+    return false;
   }
-  // HU4000 / wrong-otp surface here
-  const err = J.errors?.[0]?.msg || J.message || r.text.slice(0, 160);
-  return { ok: false, status: r.status, error: err };
 }
 
 // Build the persisted-session object — the requested {bbAuthToken, mId, bbVisitorId}

package/src/providers/tempotp.js

@@ -3,9 +3,19 @@ import { extractOtp } from '../flipkart.js';
 
 const BASE = 'https://api.tempotp.online';
 // serviceId -> cost (₹). Keep ids as strings (they go straight into the GET params).
-export const SERVICES = { '1040': 10.0, '940': 16.0, '2451': 12.5, '2452': 12.5, '2453': 12.0, '2484': 18.0 };
+export const SERVICES = {
+  '1040': 10.0, '940': 16.0, '2451': 12.5, '2452': 12.5, '2453': 12.0, '2484': 18.0,
+  // BigBasket (SERVER 16 [best-sv-multi])
+  '1819': 12.0, '1874': 12.0, '1919': 14.0, '2259': 14.0,
+};
 // optional friendly names shown in the service picker
-export const SERVICE_NAMES = { '1040': 'Flipkart', '940': 'Flipkart', '2451': 'Shopsy/Flipkart 1 (SERVER 16)', '2452': 'Shopsy/Flipkart 2 (SERVER 16)', '2453': 'Shopsy/Flipkart 3 (SERVER 16)', '2484': 'ALL 6 DIGIT (SERVER 17 [ALL])' };
+export const SERVICE_NAMES = {
+  '1040': 'Flipkart', '940': 'Flipkart', '2451': 'Shopsy/Flipkart 1 (SERVER 16)', '2452': 'Shopsy/Flipkart 2 (SERVER 16)', '2453': 'Shopsy/Flipkart 3 (SERVER 16)', '2484': 'ALL 6 DIGIT (SERVER 17 [ALL])',
+  '1819': 'BigBasket 1.0 (SERVER 16)', '1874': 'BigBasket 2.0 (SERVER 16)', '1919': 'BigBasket 3.0 (SERVER 16)', '2259': 'BigBasket 4.0 (SERVER 16)',
+};
+// BigBasket service ids (for the bigbasket auto picker)
+export const BIGBASKET_SERVICES = ['1819', '1874', '1919', '2259'];
+export const DEFAULT_BIGBASKET_SERVICE = '1819';
 export const DEFAULT_SERVICE = '940';
 const COUNTRY = '22';
 
@@ -51,8 +61,22 @@ export class TempOTPProvider {
 
   startOtp(number) { return new TempStream(this.apiKey, number.txn); }
 
+  // Cancel + refund the rented number. Returns { ok, tooEarly, msg } so the worker's
+  // releaseNumber loop knows whether the cancel landed. TempOTP enforces a ~2-min
+  // no-cancel policy: a too-early attempt is reported back so the caller waits + retries
+  // (rather than treating it as a hard failure or a success).
   async cancel(number) {
-    try { await getJson('/cancelNumber', { apikey: this.apiKey, id: number.txn }); } catch { /* */ }
+    let d;
+    try { d = await getJson('/cancelNumber', { apikey: this.apiKey, id: number.txn }); }
+    catch (e) { return { ok: false, tooEarly: false, msg: e.message }; }
+    // success: API returns status 200 (sometimes with a "cancelled"/"success" message)
+    const msg = (d && (d.message || d.msg)) || '';
+    if (d && (d.status === 200 || /cancel|success|refund/i.test(msg))) {
+      return { ok: true, tooEarly: false, msg: msg || 'cancelled' };
+    }
+    // the 2-min policy / "wait before cancel" → retryable, not a hard fail
+    const tooEarly = /2\s*min|two\s*min|120\s*sec|wait|too early|cannot cancel|not allowed yet|before/i.test(msg);
+    return { ok: false, tooEarly, msg: msg || `cancel rejected (status ${d?.status})` };
   }
 }
 

package/src/worker.js

@@ -6,10 +6,15 @@ import { FlipkartLogin, WrongOTP, BlockedError, TransientError } from './flipkar
 import { CampaignLogger } from './logger.js';
 import * as kuku from './providers/kuku.js';
 import * as zepto from './providers/zepto.js';
+import * as bigbasket from './providers/bigbasket.js';
 
 const OTP_RESEND_AFTER = 60_000;
 const OTPCART_DEADLINE = 120_000;
-const TEMPOTP_DEADLINE = 90_000;   // TempOTP: give up after 90s, cancel + buy a new number
+// TempOTP now enforces a 2-min no-cancel policy on rented numbers (you can't cancel/refund
+// a number before 120s). So wait the FULL 2 min for the OTP — there's no point bailing at
+// 90s when the number can't be released until 120s anyway. The cancel-lock below (also
+// 120s) then fires right at the unlock point, identical to OTPCart's behaviour.
+const TEMPOTP_DEADLINE = 120_000;
 const WRONG_OTP_WAIT = 60_000;
 const NUMBER_CANCEL_LOCK = 120_000;
 const RENT_RETRY_DELAY = 3_000;
@@ -759,3 +764,202 @@ export class ZeptoWorker {
     }
   }
 }
+
+// ── BigBasket auto worker ─────────────────────────────────────────────────────
+// Identical orchestration to ZeptoWorker (rent → SMS poll → verify → save), but the
+// merchant is BigBasket: bigbasket.sendOtp() does its own 3-call bootstrap+send, we
+// poll the OTP provider's SMS stream, then bigbasket.verifyOtp() → session JSON.
+// Designed for TempOTP (poll, no resend) but works with any provider exposing
+// rentOnce/startOtp(poll)/cancel. Local-first: emits res.session for incremental save;
+// server push is layered on top by the caller (onResult) when a backend is configured.
+export class BigBasketWorker {
+  constructor(provider, { requested, concurrency, deadlineMs, onEvent, onResult }) {
+    this.provider = provider;
+    this.requested = requested;
+    this.concurrency = Math.max(1, Math.min(concurrency, requested));
+    this.deadlineMs = deadlineMs || (provider?.name === 'tempotp' ? TEMPOTP_DEADLINE : OTPCART_DEADLINE);
+    this.onEvent = onEvent || (() => {});
+    this.onResult = onResult || null;
+    if (provider && 'onNotice' in provider) provider.onNotice = (msg) => this.onEvent('warn', `⚠ ${msg}`);
+    this.stats = { total: requested, succeeded: 0, failed: 0, cancelled: 0, generated: 0, attempts: 0, charges: 0 };
+    this.slots = {};
+    this.seq = 0;
+    this.stopped = false;
+    this._releases = [];
+  }
+
+  stop() { this.stopped = true; }
+  _nextSeq() { return ++this.seq; }
+
+  _claim() {
+    if (this.stopped) return 0;
+    if (this.stats.succeeded >= this.requested) return 0;
+    const active = this.stats.attempts - (this.stats.succeeded + this.stats.failed + this.stats.cancelled);
+    if (this.stats.succeeded + active >= this.requested) return 0;
+    if (this.stats.attempts >= this.requested * ATTEMPT_CAP_MULT) return 0;
+    return ++this.stats.attempts;
+  }
+
+  _emit(slot, kv) {
+    this.slots[slot] = { slot, ...(this.slots[slot] || {}), ...kv };
+    this.onEvent('slot', this.slots[slot]);
+  }
+
+  _record(res) {
+    if (res.mobile) this.stats.generated++;
+    if (res.status === 'success') { this.stats.succeeded++; this.stats.charges += res.cost || 0; }
+    else if (res.status === 'cancelled') this.stats.cancelled++;
+    else { this.stats.failed++; this.stats.charges += res.cost || 0; }
+    this.onEvent('progress', this.stats);
+    this.onEvent('row', res);
+    if (res.status === 'success' && res.session && this.onResult) {
+      try { this.onResult(res); } catch { /* best-effort; never break the loop */ }
+    }
+  }
+
+  async run() {
+    const loops = Array.from({ length: this.concurrency }, (_, i) => this._loop(i + 1));
+    await Promise.all(loops);
+    if (this._releases.length) {
+      this.onEvent('warn', `finishing up — releasing ${this._releases.length} number(s)…`);
+      await Promise.allSettled(this._releases);
+    }
+    this.onEvent('done', this.stats);
+    return this.stats;
+  }
+
+  _release(number, rentedAt, slot) {
+    const p = releaseNumber(this.provider, number, rentedAt, {
+      log: () => {},
+      warn: (m) => this.onEvent('warn', m),
+      onWait: slot ? (sec) => this._emit(slot, { phase: 'cancelling', detail: 'releasing (cancel-lock)', wait: sec }) : undefined,
+    });
+    this._releases.push(p);
+    return p;
+  }
+
+  async _rent(slot) {
+    let attempt = 0;
+    while (!this.stopped) {
+      attempt++;
+      this._emit(slot, { phase: 'renting', detail: `requesting a number (try ${attempt})` });
+      const { number } = await this.provider.rentOnce();
+      if (number) return number;
+      if (attempt % RENT_COOLDOWN_EVERY === 0) {
+        for (let rem = RENT_COOLDOWN_SECS; rem > 0; rem--) {
+          if (this.stopped) return null;
+          this._emit(slot, { phase: 'rent_wait', detail: 'no numbers — waiting', wait: rem });
+          await sleep(1000);
+        }
+      } else {
+        await sleep(RENT_RETRY_DELAY);
+      }
+    }
+    return null;
+  }
+
+  async _loop(slot) {
+    for (;;) {
+      if (this._claim() === 0) return;
+      const res = await this._process(slot);
+      await this._record(res);
+    }
+  }
+
+  async _process(slot) {
+    const idNo = this._nextSeq();
+    const res = { id_no: idNo, status: 'failed', cost: 0, detail: '' };
+
+    if (this.stats.succeeded >= this.requested) {
+      this._emit(slot, { phase: 'done', detail: 'goal reached' });
+      res.status = 'cancelled'; res.detail = 'goal reached';
+      return res;
+    }
+
+    this._emit(slot, { mobile: '', phase: 'renting', detail: 'requesting a number', wait: 0 });
+    const number = await this._rent(slot);
+    if (!number) { res.status = 'cancelled'; res.detail = 'stopped while renting'; return res; }
+    const rentedAt = Date.now();
+    if (this.stats.succeeded >= this.requested) {
+      this._release(number, rentedAt, slot);
+      this._emit(slot, { phase: 'done', detail: 'goal reached' });
+      res.status = 'cancelled'; res.detail = 'goal reached';
+      return res;
+    }
+    res.mobile = number.mobile;
+    this._emit(slot, { mobile: number.mobile, phase: 'rented', detail: 'got a number' });
+
+    let stream = null;
+    let released = false;
+    const smsArrived = { v: false };
+
+    const releaseOnce = (charged = false, doneDetail = 'done', consumed = false) => {
+      if (released) return;
+      released = true;
+      if (consumed || (charged && !this.stopped)) { this._emit(slot, { phase: 'done', detail: doneDetail }); return; }
+      this._emit(slot, { phase: 'cancelling', detail: 'releasing number' });
+      this._release(number, rentedAt, slot);
+    };
+
+    const fail = (detail, category) => {
+      const charged = smsArrived.v;
+      res.status = charged ? 'failed' : 'cancelled';
+      res.cost = charged ? number.cost : 0;
+      res.detail = detail;
+      res.category = category || (res.status === 'failed' ? 'failed' : 'cancelled');
+      releaseOnce(charged, 'failed');
+      return res;
+    };
+
+    const session = bigbasket.newSession(number.mobile);
+
+    try {
+      this._emit(slot, { phase: 'ws', detail: 'opening OTP channel' });
+      stream = this.provider.startOtp(number);
+      if (typeof stream.ready === 'function') await stream.ready();
+
+      // bigbasket.sendOtp does register/device → header → otp (all on our IP).
+      this._emit(slot, { phase: 'send_otp', detail: 'sending OTP' });
+      const sent = await bigbasket.sendOtp(session);
+      if (!sent.ok) {
+        // HU4001 = the rented number has no BigBasket account / is inactive (recycled).
+        // No SMS will ever come → don't wait; mark as a dead number and rotate to a new one.
+        const dead = sent.code === 'HU4001';
+        return fail(`send: ${sent.msg}`, dead ? 'no_account' : 'send_blocked');
+      }
+
+      // Poll the rented number's SMS stream for the BigBasket OTP.
+      const end = Date.now() + this.deadlineMs;
+      let otp = null;
+      while (Date.now() < end && !this.stopped) {
+        const { otp: o, arrived } = await stream.poll();
+        if (arrived) smsArrived.v = true;
+        if (o) { otp = o; break; }
+        this._emit(slot, { phase: 'await_otp', detail: 'waiting for OTP', wait: Math.floor((end - Date.now()) / 1000) });
+        await sleep(1000);
+      }
+      if (!otp) return fail(`no OTP within ${Math.round(this.deadlineMs / 1000)}s — abandoned`, 'timeout');
+
+      this._emit(slot, { phase: 'verify', detail: 'verifying OTP' });
+      const v = await bigbasket.verifyOtp(session, otp);
+      if (!v.ok) {
+        const wrong = /valid otp|incorrect|invalid|expired/i.test(v.error || '');
+        return fail(`verify: ${v.error}`, wrong ? 'wrong_otp' : 'failed');
+      }
+
+      res.status = 'success';
+      res.cost = number.cost;
+      res.session = bigbasket.toSessionKeys(session); // { phone, bbAuthToken, mId, bbVisitorId }
+      res.category = 'extracted';
+
+      this._emit(slot, { phase: 'saving', detail: 'saving session' });
+      releaseOnce(true, 'extracted', true); // success: OTP consumed → no cancel
+      return res;
+    } catch (e) {
+      return fail(`unexpected: ${e.message}`);
+    } finally {
+      releaseOnce(false);
+      if (stream) try { stream.close(); } catch { /* */ }
+    }
+  }
+}