From 3fe55cfb09fc5ad796e9097b9883b88089e62ac3 Mon Sep 17 00:00:00 2001 From: Hermes Agent Date: Sun, 10 May 2026 22:37:41 +0800 Subject: [PATCH] docs: compact codex oauth onboarding skill --- skill/codex-oauth-plus-onboarding/SKILL.md | 683 ++++++------------ ...ull-before-low-token-rewrite-2026-05-10.md | 540 ++++++++++++++ 2 files changed, 773 insertions(+), 450 deletions(-) create mode 100644 skill/codex-oauth-plus-onboarding/references/SKILL-full-before-low-token-rewrite-2026-05-10.md diff --git a/skill/codex-oauth-plus-onboarding/SKILL.md b/skill/codex-oauth-plus-onboarding/SKILL.md index 5a32a34..68a6907 100644 --- a/skill/codex-oauth-plus-onboarding/SKILL.md +++ b/skill/codex-oauth-plus-onboarding/SKILL.md @@ -1,540 +1,323 @@ --- name: codex-oauth-plus-onboarding -description: "Use when BOSS asks to register a ChatGPT/Codex OAuth account flow with ClawEmail, optionally open Plus through GoPay/GPC, and authorize the OAuth callback into SUB2API, Codex2API, or CPA using an isolated proxied browser profile." -version: 1.0.0 +description: "Low-token, stable workflow for BOSS's Codex/OpenAI OAuth onboarding: ClawEmail signup, optional 5sim SMS phone verification, and callback import into CPA/Codex2API/SUB2API." +version: 2.0.0 author: Hermes Agent license: MIT metadata: hermes: - tags: [codex, oauth, clawemail, gopay, sub2api, codex2api, cpa, browser-automation] + tags: [codex, oauth, clawemail, 5sim, cpa, codex2api, sub2api, browser-automation] related_skills: [clawemail-operations, browser-extension-storage-audit] --- -# Codex OAuth + Plus Onboarding +# Codex OAuth + CPA/Codex2API Onboarding — low-token runbook -## Overview +Use when BOSS asks to register/login an OpenAI/Codex OAuth account, verify it via ClawEmail and possibly 5sim SMS, then import the OAuth callback into **CPA / CLI Proxy API**, Codex2API, or SUB2API. -This skill describes the safe, repeatable workflow for using the local `codex-oauth-automation-extension` project to run a **single user-authorized onboarding flow**: +Safety: BOSS-owned infra/accounts only. Stop for CAPTCHA/security challenge/payment confirmation unless BOSS explicitly approves the next step. Never reveal API keys, passwords, proxy URLs, full phone numbers, OAuth `code=`, SMS/email codes, admin keys, or tokens; report `[REDACTED]`. -1. Use **ClawEmail** as the registration mailbox. -2. Register/Login through ChatGPT/OpenAI auth. -3. Optionally open ChatGPT Plus through **GoPay / GPC helper**. -4. Complete OAuth authorization. -5. Submit the localhost OAuth callback to exactly one configured target: **SUB2API**, **Codex2API**, or **CPA**. -6. Run the browser in an isolated profile with a dedicated proxy. +## 0. Required companion skill -The skill is for BOSS's own infrastructure and accounts only. Do not use it for spam, credential stuffing, rate-limit evasion, CAPTCHA bypass, unauthorized account creation, or bulk registration. If a page asks for CAPTCHA, security challenge, phone ownership proof, payment confirmation, or another user-visible anti-abuse checkpoint, pause and ask BOSS to complete/approve it manually. +Before ClawEmail work, load: -## When to Use - -Use this skill when BOSS asks for any of these: - -- “用 ClawEmail 注册 Codex / ChatGPT OAuth,然后授权到 SUB2API / Codex2API / CPA” -- “用 GoPay 开 Plus 后把 OAuth 接进去” -- “把 QLHazyCoder/codex-oauth-automation-extension 那套流程跑起来” -- “给这个注册流程做独立代理、无痕/隔离浏览器配置” -- “把这个流程做成可复用配置和操作步骤” - -Also load `clawemail-operations` before any ClawEmail mailbox work. - -## BOSS-specific Operating Defaults - -These are confirmed operating rules for BOSS's environment: - -- Use **Google Chrome stable** at `/Applications/Google Chrome.app/Contents/MacOS/Google Chrome` with a real visible window. -- Do **not** set a default target platform. If `PANEL_MODE` is empty or not one of `cpa|sub2api|codex2api`, stop before launching the run. -- Proxies are supplied as unauthenticated `socks5://host:port` or `http://host:port`; do not expect proxy username/password. -- The new account password is unified through `CUSTOM_PASSWORD`. If it is empty, stop and ask BOSS to fill it, unless BOSS explicitly allows auto-generation for that run. -- ClawEmail creates a fresh mailbox for every run (`CLAWEMAIL_CREATE_PER_RUN=true`). Record every created mailbox locally with outcome classification: pending, success, failed. **Immediately after creation, actively set/verify the mailbox's communication settings before submitting it to OpenAI:** new sub-mailboxes can default to internal-only (`commLevel=1`, `extReceiveType=0`), which blocks OpenAI verification mail. The gate must pass with external receive enabled (`commLevel=2`, `extReceiveType=1`). Do not merely tell BOSS to do this manually: first try the logged-in ClawEmail Dashboard API `POST /api/v1/mailboxes/comm-settings?id=` with `{commLevel:2, extReceiveType:1, extSendType:0}`. If the Dashboard is not logged in, open/login to it and ask BOSS only for the QQ master-mailbox 6-digit login code if the agent cannot read QQ mail. See `clawemail-operations` reference `references/clawemail-dashboard-comm-settings-openai-signup-2026-05-10.md` and this skill's `references/clawemail-external-receive-gate-openai-2026-05-10.md`. -- Phone/SMS platform has no default. Keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless BOSS configures one or approves enabling it after a phone verification appears. -- If phone verification appears and BOSS has configured 5sim, use **SMS activation for `openai`**, not WhatsApp receive channels. The original extension's 5sim provider buys `/v1/user/buy/activation/{country}/{operator}/openai`, polls `/v1/user/check/{activationId}`, and finishes/cancels the activation. **Before buying any 5sim number, pass the identity gate:** the browser must already be confirmed on `auth.openai.com/add-phone` for a usable OpenAI account. If OpenAI returns `account_deactivated`, if ClawEmail cannot create a new sub-mailbox due to quota, or if reused sub-mailboxes only show password mismatch, stop and ask BOSS to free mailbox quota/provide the correct password/approve another mailbox provider. **Country selection priority is `FIVE_SIM_COUNTRY_ORDER` first** (comma-separated list such as `argentina,netherlands,indonesia`), then `FIVE_SIM_COUNTRY_ID`, then the original extension default `vietnam` only if both are empty. For each configured country, rotate numbers up to `PHONE_VERIFICATION_REPLACEMENT_LIMIT`; do **not** silently switch outside the configured order unless BOSS approves. Before buying/submitting a non-USA number, verify the OpenAI visible country selector is already the expected country (for example `阿根廷 (+54)`, `荷兰 (+31)`, `印度尼西亚 (+62)`, or `越南 (+84)`); if it reverted to `美国 (+1)`, fix the selector first or the number will be parsed as invalid. Use visible UI paste/click on `add-phone` when possible because CDP-only input mutation can desync React state and revert the country on submit. If a number is **not immediately rejected**, do not cancel it after one polling timeout: poll 5sim, click OpenAI `重新发送`, poll again, and retry resend at least once before canceling/rotating. If changing proxy (for example `1085` → `1083` or back), expect OpenAI auth session invalidation and restart from a fresh target OAuth URL. Codex2API env URLs may point at `/admin/accounts`; derive the API origin before calling `/api/admin/oauth/generate-auth-url`. If OpenAI returns `account_deactivated` after email verification, stop the current account and start with a new ClawEmail sub-mailbox instead of burning 5sim numbers. See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md`, `references/openai-phone-verification-5sim-sms-2026-05-10.md`, `references/openai-phone-verification-proxy1083-resend-2026-05-10.md`, `references/codex-oauth-token-lite-automation-flow-2026-05-10.md`, and `references/clawemail-quota-identity-gate-before-phone-verify-2026-05-10.md` for observed behavior, resend strategy, proxy-switch recovery, identity-gate checks, and pitfalls. -- If a phone-verification runner is stopped or interrupted, immediately inspect/cancel any active 5sim activation left in `RECEIVED`; killed scripts may not execute cleanup. For a UK `+44` run, use 5sim country slug `england`, OpenAI ISO `GB`, visible selector `英国 (+44)`, and dial prefix `44`. For a Europe broadened run requested as Italy/Poland/Spain/UK, use `italy -> IT -> 意大利 (+39)`, `poland -> PL -> 波兰 (+48)`, `spain -> ES -> 西班牙 (+34)`, and `england -> GB -> 英国 (+44)`. For Chile, use `chile -> CL -> 智利 (+56)` and prefix `56`; 5sim may return HTTP 200 `text/plain` body `no free phones` for `/v1/user/buy/activation/chile/any/openai`, which means no activation was created and no cancellation is needed. When BOSS says to run “10 次” across a country set, treat it as **10 total attempts across the ordered set**, not 10 per country, unless he explicitly says per-country; if BOSS says each region switches after 3 consecutive failures, schedule chunks as `country x3 -> next country`, capped by the global total. **For global budgets larger than one full pass of chunks, cycle the country chunks until the global budget is exhausted** (e.g. 20 attempts with 4 countries and chunk size 3 must continue after UK back to Italy; do not stop at 12). When BOSS asks for free-country exploration, ignore stale `FIVE_SIM_COUNTRY_ORDER`, use a broad OpenAI-supported candidate map, cap each country (for example 2 real activations), and count only successful 5sim buys with activation ids toward the global budget; `no free phones`, country-gate/CDP errors before buying, and OAuth recovery failures are not real attempts. 5sim may return HTTP 200 `text/plain` such as `no free phones` from buy endpoints; classify it as inventory miss, no cancellation needed. For the 2026-05-10 EU4 total-20 run, all 20 real activations ended with zero SMS and WhatsApp resend classification; see `references/openai-add-phone-eu4-total20-real-activations-2026-05-10.md`. For the 2026-05-10 free-country run, Vietnam succeeded with a 5sim `openai` SMS activation, OpenAI phone verification passed, and OAuth consent produced a callback; the remaining blocker was Codex2API server-side token exchange returning `unsupported_country_region_territory` even after setting admin `proxy_url`, so inspect/fix Codex2API outbound proxy use for token exchange before retrying final callback. See `references/openai-phone-free-country-vietnam-sms-success-codex2api-region-block-2026-05-10.md`. For free-country runner policy and 5sim inventory quirks, see `references/openai-add-phone-free-country-runner-policy-2026-05-10.md`. Before buying any 5sim activation, enforce the `add-phone` identity gate: the active OpenAI page must already be a usable `https://auth.openai.com/add-phone`; if recovery lands on password mismatch, `invalid_state`, stale email verification, or `account_deactivated`, stop before buying numbers. One-off country test runners must hardcode/validate their effective country order at startup (e.g. `ORDER=['chile']`) and abort if it still reads a stale env order. Before opening a fresh OAuth recovery tab, close stale `auth.openai.com` / `phone-verification` / localhost callback tabs unless the current tab is already a usable `add-phone` page; this prevents tab pile-up and CDP target ambiguity. Before clicking OpenAI resend, **probe the resend channel without clicking** by reading button `value`/`aria-label`/`title`/text; if it says WhatsApp and BOSS's policy is SMS-only, cancel the SMS activation and rotate/stop instead of clicking. Classify `This page isn’t working` / `HTTP ERROR 500` / `500 Internal Server Error` after resend as `resend_server_error`, cancel the order, and recover to `add-phone`. See `references/openai-add-phone-strict-country-gate-2026-05-10.md`, `references/openai-add-phone-uk44-and-runner-cleanup-2026-05-10.md`, `references/openai-add-phone-eu4-roundrobin-correction-2026-05-10.md`, `references/openai-add-phone-eu4-3fail-switch-results-2026-05-10.md`, `references/openai-phone-country-scheduler-cyclic-chunks-2026-05-10.md`, `references/openai-add-phone-chile-no-free-phones-2026-05-10.md`, `references/openai-login-recovery-gate-before-phone-runs-2026-05-10.md`, `references/openai-oauth-tab-cleanup-before-recovery-2026-05-10.md`, and `references/official-extension-phone-update-2026-05-10.md`. -If Codex2API callback exchange fails with OpenAI `unsupported_country_region_territory`, switch to CPA / CLI Proxy API when BOSS provides `CPA_VPS_URL` and `CPA_VPS_PASSWORD`. Original extension reference: `background/panel-bridge.js` derives the CPA management origin from `new URL(CPA_VPS_URL).origin`, then requests `GET /v0/management/codex-auth-url` with both `Authorization: Bearer ` and `X-Management-Key: `; the management UI may add `?is_webui=true`, which is also acceptable. It extracts OAuth URL from `url|auth_url|authUrl|data.*` and state from response or the URL. For callback submission, `background/steps/platform-verify.js` validates localhost callback contains `code` and `state`, rejects mismatched `cpaOAuthState`, then posts `POST /v0/management/oauth-callback` body `{"provider":"codex","redirect_url":"http://localhost:1455/auth/callback?..."}` with the same two headers. Verify via `GET /v0/management/get-auth-status?state=` and `/v0/management/auth-files`. Do not use root `/api/auth/url` for Codex; it may be an unrelated Amp endpoint returning `amp upstream proxy not available`. See `references/cpa-panel-codex-oauth-success-2026-05-10.md`. -- Plus mode uses -- GoPay WhatsApp OTP uses **方案 A / manual checkpoint**: set `GOPAY_OTP_SOURCE=manual`. The extension detects OTP input and opens a side-panel prompt (`requestGoPayOtpInput` / “输入 GoPay 验证码”); BOSS pastes the WhatsApp code, then the extension fills OTP, fills `GOPAY_PIN`, and continues. -- `GOPAY_OTP` should normally stay empty before the run. It is only a temporary prefill/cache for the current OTP dialog, not a durable secret. -- Do not implement WhatsApp scraping/API automation unless BOSS explicitly requests it later. - -- When BOSS says the environment is normal and asks to start registration testing, treat `socks5://192.168.2.8:1085` as the expected browser proxy unless BOSS overrides it. If `BROWSER_PROXY_SERVER` is empty, patch the local env to this SOCKS5 endpoint and verify it before launching Chrome; do not stop with a question asking whether to use it. -- For ordinary-account test runs, set `PLUS_MODE_ENABLED=false` before launching. Keep `PLUS_PAYMENT_METHOD=gopay` untouched for later Plus runs, but do not enter Plus/payment steps. -- Registration/OAuth tests are step-gated for BOSS: after environment/config prep and mailbox creation, report the created mailbox and wait for explicit “继续” before launching the visible browser flow. - -1. **Explicit target**: BOSS must specify exactly one target mode: `sub2api`, `codex2api`, or `cpa`; there is no default target, and an empty `PANEL_MODE` must stop execution. -2. **Single-run default**: default to one account / one OAuth flow unless BOSS explicitly requests a count. -3. **No CAPTCHA bypass**: if Cloudflare/CAPTCHA/security challenge appears, stop and report the required manual action. -4. **Payment checkpoint**: Plus mode is GoPay for BOSS, but before any GoPay payment or paid operation, confirm that BOSS wants to proceed. -5. **No secret leakage**: never print API keys, admin keys, proxy addresses if sensitive, refresh tokens, card keys, or OAuth callback URLs containing `code=` in final summaries. Redact as `[REDACTED]`. -6. **Config export risk**: the extension’s built-in settings export may contain secrets. Treat exported files as sensitive. -7. **Mailbox records**: every freshly-created ClawEmail mailbox must be recorded locally with run id and final status (`pending`, `success`, or `failed`). - -## Repository and Local Paths - -Known research clone: - -```bash -/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension +```text +clawemail-operations ``` -If missing, clone shallow: +## 1. Low-token operating mode -```bash -mkdir -p /Users/chick/.Hermes/workspace/research -cd /Users/chick/.Hermes/workspace/research -git clone --depth=1 https://github.com/QLHazyCoder/codex-oauth-automation-extension.git +Prefer script-driven runs that emit compact JSONL. Only send screenshots or long logs when a gate fails. + +### Tool/reporting rules + +- Read secrets only from `~/.hermes/env/codex_oauth_onboarding.env`; do not paste them into chat. +- Reports should contain: phase, account email, country slug, activation id, high-level status, HTTP status, and redacted error class. +- Avoid dumping HTML, callback URLs, headers, full 5sim responses, or full phone numbers. +- Save detailed evidence to `references/` or local logs; final response stays concise. + +## 2. Environment constants for BOSS + +```text +env: ~/.hermes/env/codex_oauth_onboarding.env +workspace: /Users/chick/.Hermes/workspace +OAuth Chrome CDP default: 9223 +ClawEmail Dashboard CDP default: 9224 +OAuth profile root: /Users/chick/.Hermes/workspace/browser-profiles/codex-oauth +Dashboard profile: /Users/chick/.Hermes/workspace/browser-profiles/clawemail-dashboard-persistent +Preferred browser proxy when unspecified: socks5://192.168.2.8:1085 +Chrome: /Applications/Google Chrome.app/Contents/MacOS/Google Chrome ``` -Validate tests when modifying or before relying on a changed checkout: +Use visible Google Chrome for OpenAI/Auth pages. Do not use BOSS's personal browser profile. -```bash -cd /Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension -node --test tests/*.test.js +## 3. Hard gates — do not skip + +1. **Target gate**: exactly one target mode: `cpa`, `codex2api`, or `sub2api`. No default if env is empty. +2. **Password gate**: `CUSTOM_PASSWORD` must be set unless BOSS approves generating one. +3. **Proxy gate**: verify proxy TCP and OpenAI reachability before browser flow. +4. **Mailbox gate**: new ClawEmail sub-mailbox must have external receive enabled before OpenAI signup. +5. **OpenAI identity gate before phone**: only buy 5sim if active page is a usable `https://auth.openai.com/add-phone` for a non-deactivated account. +6. **Country gate before phone buy/submit**: OpenAI select value and visible dial code must match target country before buying and again before clicking Continue. +7. **SMS-only gate**: if OpenAI resend channel probes as WhatsApp, do not click it; cancel/rotate under SMS-only policy. +8. **Callback state gate**: callback `state` must match generated OAuth state when known. +9. **Payment gate**: any Plus/GoPay paid action needs explicit BOSS confirmation. + +## 4. Recommended decision tree + +```text +Need OAuth import? + ├─ Target CPA available? → prefer CPA (most reliable after 2026-05-10 success) + ├─ Codex2API requested? → try Codex2API; if token exchange returns unsupported_country_region_territory, switch/fix backend proxy or use CPA + └─ SUB2API requested? → use original extension/content-script path + +Need new OpenAI account? + ├─ Create ClawEmail sub-mailbox with 8 lowercase letters + ├─ Enable external receive via Dashboard API + ├─ Submit email/password, poll ClawEmail code + └─ If phone page appears → 5sim SMS flow + +Already phone-verified account? + └─ Generate fresh target OAuth URL, login/consent, submit callback to target ``` -Observed verification result during initial study: `772` tests passed, `0` failed. +## 5. ClawEmail sub-mailbox gate -## Configuration File +BOSS preference: per-run ClawEmail prefix is **exactly 8 lowercase letters** with no `codex` prefix, e.g. `chickliu.ktqcxzux@claw.163.com`. -Create a dedicated env file instead of typing secrets into chat. A fuller template is stored with this skill at `templates/codex_oauth_onboarding.env.example`. If BOSS has temporarily filled real values into that template, first copy it to the real env file, back up the filled template privately, and sanitize the template again; see `references/env-file-and-5sim-notes.md`. +After creation, enable external receive. Observed Dashboard API base: -```bash -mkdir -p ~/.hermes/env -chmod 700 ~/.hermes/env -cp ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example ~/.hermes/env/codex_oauth_onboarding.env -chmod 600 ~/.hermes/env/codex_oauth_onboarding.env -$EDITOR ~/.hermes/env/codex_oauth_onboarding.env +```text +https://claw.163.com/mailserv-claw-dashboard ``` -High-level required groups: +Required final values: -1. **Local project / browser**: `CODEX_OAUTH_EXTENSION_DIR`, `CHROME_BIN`, `BROWSER_PROFILE_ROOT`, `BROWSER_HEADLESS=false`. -2. **Panel / target mode**: `PANEL_MODE=cpa|sub2api|codex2api` has **no default**; if empty, stop. Fill only the selected target’s auth fields copied from the original side panel (`CPA_VPS_URL`/`CPA_VPS_PASSWORD`, or `SUB2API_*`, or `CODEX2API_*`). -3. **Proxy**: fill `BROWSER_PROXY_SERVER` with BOSS-provided unauthenticated `socks5://host:port` or `http://host:port`; use `IP_PROXY_*` only when using the original extension’s built-in 711proxy/IP proxy panel. -4. **Registration identity and password**: `CLAWEMAIL_CREATE_PER_RUN=true`, `CLAWEMAIL_PREFIX`, `CLAWEMAIL_RECORD_FILE`, `SIGNUP_METHOD=email`, and unified `CUSTOM_PASSWORD`. For BOSS's ClawEmail per-run accounts, use a pure lowercase English **8-letter random create prefix with no base prefix** (example create prefix `abcdefgh`, resulting sub-mailbox shape `chickliu.abcdefgh@claw.163.com`). Live ClawEmail probing showed create prefixes are accepted only up to 11 characters and dots/hyphens are rejected despite docs/help text, so do not use `codex` + 8 letters. Store/observe the policy with `CLAWEMAIL_PREFIX=` (empty), `CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8`, `CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz`, and `CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true` when helper scripts support it; if not, generate the 8-letter prefix in the runner before calling `mail-cli clawemail create --prefix ...`. -5. **Mail provider**: `MAIL_PROVIDER`, `EMAIL_GENERATOR`, and original-provider fields only if not polling ClawEmail from Hermes. -6. **Phone/SMS verification fallback**: no default provider; keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless configured/approved. -7. **Plus/payment**: `PLUS_MODE_ENABLED=true`, `PLUS_PAYMENT_METHOD=gopay`; paid operations still require explicit confirmation. - -Minimal template excerpt: - -```bash -# Required: local extension repo -CODEX_OAUTH_EXTENSION_DIR=/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension -```bash -# Required: ClawEmail mailbox -CLAWEMAIL_UID=chickliu@claw.163.com -# BOSS preference: per-run sub-mailbox create prefix is exactly 8 lowercase English random letters. -# Example create prefix: abcdefgh -> chickliu.abcdefgh@claw.163.com -CLAWEMAIL_PREFIX= -CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8 -CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz -CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true -CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true -``` -# Browser isolation -BROWSER_PROFILE_ROOT=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth -BROWSER_HEADLESS=false -BROWSER_PROXY_SERVER=http://host:port -BROWSER_PROXY_USERNAME= -BROWSER_PROXY_PASSWORD= - -# Target mode: sub2api | codex2api | cpa -OAUTH_TARGET_MODE=sub2api - -# SUB2API settings -SUB2API_URL= -SUB2API_EMAIL= -SUB2API_PASSWORD= -SUB2API_GROUP_NAME=default -SUB2API_ACCOUNT_PRIORITY=1 -SUB2API_DEFAULT_PROXY_NAME= - -# Codex2API settings -CODEX2API_URL= -CODEX2API_ADMIN_KEY= - -# CPA settings -CPA_URL= -CPA_MANAGEMENT_KEY= -CPA_LOCAL_STEP9_MODE=submit - -# Plus / GoPay / GPC helper settings -PLUS_MODE_ENABLED=false -PLUS_PAYMENT_METHOD=gpc-helper -GPC_HELPER_API_URL= -GPC_HELPER_CARD_KEY= -GPC_HELPER_COUNTRY_CODE=+86 -GPC_HELPER_PHONE_NUMBER= -GPC_HELPER_PIN= -GPC_HELPER_OTP_CHANNEL=whatsapp -GPC_HELPER_LOCAL_SMS_ENABLED=false -GPC_HELPER_LOCAL_SMS_URL=http://127.0.0.1:18767 - -# Runtime behavior -RUN_COUNT=1 -AUTO_RUN_SKIP_FAILURES=false -AUTO_STEP_DELAY_SECONDS=2 -OAUTH_FLOW_TIMEOUT_ENABLED=true +```json +{"commLevel":2,"extReceiveType":1,"extSendType":0} ``` -Rules: +Use Dashboard persistent Chrome/profile for master login, not the disposable OAuth profile. If Dashboard login needs a master QQ mailbox code and the agent cannot retrieve it, ask BOSS. -- Keep this file local only; never commit it. -- Use `[REDACTED]` in reports for all secret values. -- If multiple target sections are filled, only the section selected by `OAUTH_TARGET_MODE` should be used. +Key references: -## Browser Isolation and Proxy Strategy +- `references/clawemail-external-receive-gate-openai-2026-05-10.md` +- `references/clawemail-random-suffix-policy-2026-05.md` -This workflow must use a **real visible Chrome/Chromium browser**. Do not use headless browser mode for registration, payment, OAuth consent, or security-sensitive OpenAI/Auth pages. +## 6. OpenAI email/profile flow -Use a **dedicated browser profile** per run or per account. “无痕模式” in Chrome does not normally persist extension state and may not allow side panel/extensions unless explicitly enabled. For this extension, prefer a real visible browser with: +Minimal flow: -- Dedicated clean `user-data-dir` profile. -- Loaded unpacked extension from `CODEX_OAUTH_EXTENSION_DIR`. -- Proxy applied at browser launch or by a verified local proxy wrapper. -- Human-visible UI for CAPTCHA/security/payment checkpoints. -- Profile cleared after success if BOSS wants no local residue. - -Recommended profile naming: - -```bash -RUN_ID=$(date +%Y%m%d-%H%M%S) -PROFILE_DIR="$BROWSER_PROFILE_ROOT/$RUN_ID" -mkdir -p "$PROFILE_DIR" +```text +fresh OAuth URL / signup page +submit ClawEmail sub-mailbox +submit CUSTOM_PASSWORD +poll ClawEmail inbox/spam for OpenAI code +submit code +fill profile/about-you if shown +continue to phone or OAuth consent ``` -Chrome launch pattern: +If OpenAI returns `account_deactivated`, stop that account immediately and do not buy 5sim numbers. -```bash -/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \ - --user-data-dir="$PROFILE_DIR" \ - --disable-extensions-except="$CODEX_OAUTH_EXTENSION_DIR" \ - --load-extension="$CODEX_OAUTH_EXTENSION_DIR" \ - --proxy-server="$BROWSER_PROXY_SERVER" \ - --no-first-run \ - --no-default-browser-check -``` +If login recovery hits `Incorrect email address or password`, `invalid_state`, stale email verification, or tab ambiguity, stop before buying phone numbers; recover account/page first. -If proxy authentication is required and Chrome launch flags do not authenticate reliably, use one of these approaches: +## 7. 5sim SMS phone flow -1. Use an upstream proxy URL that embeds auth only in a local proxy wrapper, not in command history. -2. Start a local forwarding proxy that injects upstream credentials. -3. Configure proxy credentials inside the extension only if the extension supports it and the config file is protected. +Use 5sim **SMS activation** for product/service `openai`; do not use WhatsApp receive. -Do not reuse the normal personal browser profile for this workflow. +Env/API: -## ClawEmail Preparation - -Load `clawemail-operations` and verify: - -```bash -mail-cli auth test --json -mail-cli clawemail list --json -mail-cli clawemail info --uid "$CLAWEMAIL_UID" --json -``` - -Registration email choice: - -- Default: use `CLAWEMAIL_UID` directly. -- If BOSS wants per-run sub-mailboxes, create them with `mail-cli clawemail create --prefix ...` and set the extension’s registration email to the created UID. - -For code retrieval, the extension may interact with mail provider pages or helper logic, but ClawEmail can also be polled by Hermes: - -```bash -mail-cli mail list --fid 1 --limit 20 --json -mail-cli read body --id '' -``` - -Always quote message IDs. - -## Extension Architecture Reference - -The project is a Manifest V3 Chrome extension: - -- `manifest.json`: permissions, host permissions, content scripts, side panel. -- `background.js`: service worker and state orchestration. -- `background/message-router.js`: handles sidepanel messages such as `EXECUTE_STEP`, `AUTO_RUN`, `SAVE_SETTING`, `EXPORT_SETTINGS`, `IMPORT_SETTINGS`. -- `data/step-definitions.js`: step list for normal and Plus modes. -- `background/steps/*.js`: one executor per major step. -- `content/signup-page.js`: OpenAI/Auth page DOM automation. -- `content/*mail*.js`: mail provider automation. -- `sidepanel/sidepanel.js`: UI controls and settings collection. - -Important permissions include `tabs`, `webNavigation`, `webRequest`, `proxy`, `debugger`, `cookies`, `browsingData`, `storage`, `scripting`, `activeTab`, and `` host access. - -## Normal OAuth Flow Steps - -**BOSS correction / manual-flow allowance:** if BOSS asks only to test whether ordinary registration works, do not over-focus on running the original extension as the automation engine. It is acceptable to follow the extension's normal-flow sequence manually through visible Chrome, CDP, and `mail-cli`. The extension should be treated as a process reference unless BOSS explicitly asks to use it. Still keep all checkpoints: stop for CAPTCHA/Cloudflare/security challenge/phone/payment, and do not proceed to OAuth until email verification succeeds. - -Normal mode step definitions: - -1. `open-chatgpt` — clear ChatGPT/OpenAI cookies and open ChatGPT. -2. `submit-signup-email` — enter email or phone registration identity. -3. `fill-password` — generate/use password and submit. -4. `fetch-signup-code` — fetch registration verification code from mailbox/SMS. -5. `fill-profile` — generate and submit name + birthday. -6. `wait-registration-success` — wait for registration to stabilize. -7. `oauth-login` — refresh OAuth URL from selected target and log in. -8. `fetch-login-code` — fetch login verification code if needed. -9. `confirm-oauth` — click OAuth consent / Continue and capture localhost callback. -10. `platform-verify` — submit callback/code/state to SUB2API, Codex2API, or CPA. - -### ClawEmail random suffix policy - -BOSS specifically prefers Codex onboarding sub-mailboxes to use **only an 8-letter lowercase English random create prefix** after the primary mailbox dot, e.g. `chickliu.ktqcxzux@claw.163.com`. Do not use `cod`/`codex` plus 8 letters unless BOSS asks; the live ClawEmail API only accepted create prefixes up to 11 characters and rejected dots/hyphens during probing. See `clawemail-operations` reference `references/clawemail-prefix-probe-2026-05.md` and this skill's `references/clawemail-random-suffix-policy-2026-05.md`. - - -```bash -FIVE_SIM_API_KEY= -FIVE_SIM_BASE_URL=https://5sim.net/v1 -FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia +```text +PHONE_SMS_PROVIDER=5sim FIVE_SIM_OPERATOR=any FIVE_SIM_PRODUCT=openai FIVE_SIM_SERVICE=openai +BUY: /v1/user/buy/activation/{country}/any/openai +CHECK: /v1/user/check/{activation_id} +FINISH: /v1/user/finish/{activation_id} +CANCEL: /v1/user/cancel/{activation_id} ``` -## Plus Flow Steps +Country precedence for configured runs: -When `PLUS_MODE_ENABLED=true`, the extension switches step definitions. - -PayPal Plus path: - -1-5. same registration steps. -6. `plus-checkout-create` — create Plus Checkout. -7. `plus-checkout-billing` — fill billing and submit order. -8. `paypal-approve` — PayPal login/approval. -9. `plus-checkout-return` — confirm return. -10. `oauth-login`. -11. `fetch-login-code`. -12. `confirm-oauth`. -13. `platform-verify`. - -GoPay/GPC helper paths use similar Plus step positions, with payment-specific logic in `background/steps/create-plus-checkout.js`, `fill-plus-checkout.js`, `gopay-*`, and helper API settings. - -## Applying Settings in the Extension - -The sidepanel normally sends settings through `SAVE_SETTING`; the background persists keys in `chrome.storage.local` via `PERSISTED_SETTING_KEYS`. - -Manual UI route: - -1. Open isolated Chrome profile with extension loaded. -2. Open the extension side panel. -3. Set `panelMode` according to `OAUTH_TARGET_MODE`: - - `sub2api` → fill SUB2API URL/email/password/group/proxy/priority. - - `codex2api` → fill Codex2API URL/Admin Key. - - `cpa` → fill CPA URL and management key. -4. Set registration email to ClawEmail mailbox. -5. Enable Plus mode only if requested. -6. Select `gpc-helper` / GoPay settings when using GoPay/GPC. -7. Configure proxy mode if the extension manages proxy; otherwise rely on browser launch proxy. -8. Save settings. -9. Start manual steps or Auto Run with `RUN_COUNT=1`. - -Programmatic route, if writing a helper script: - -- Prefer controlling the sidepanel UI or sending extension runtime messages from the extension context. -- Do not inject secrets into shell command lines where they will remain in history/process listings. -- Keep settings source in `~/.hermes/env/codex_oauth_onboarding.env`. - -## Execution Checklist - -1. Load this skill and `clawemail-operations`. -2. Read `~/.hermes/env/codex_oauth_onboarding.env` locally; validate required fields for the selected target. -3. Confirm payment/Plus intent if `PLUS_MODE_ENABLED=true`. -4. Verify ClawEmail auth and selected mailbox. -5. Confirm extension repo exists and tests pass if the checkout changed. -6. Start a dedicated proxied browser profile with the unpacked extension. -7. Open sidepanel and apply settings. -8. Start one run. -9. Monitor logs for: - - registration email submitted - - signup verification code fetched - - profile completed - - Plus checkout/payment status, if enabled - - OAuth URL refreshed - - login code fetched, if required - - localhost callback captured - - platform verification succeeded -10. If security challenge/CAPTCHA/phone/payment confirmation appears, pause and notify BOSS. -11. After success, verify target platform has the new authorized account/session. -12. Redact secrets and callback codes in the final report. - -## Storage and Export Risk - -The extension stores sensitive configuration in `chrome.storage.local`, including possible: - -- CPA management key / password. -- SUB2API password. -- Codex2API admin key. -- Proxy username/password/API URL. -- Hotmail account passwords, `clientId`, `refreshToken`. -- PayPal account pool credentials. -- 2925 mailbox credentials. -- LuckMail / HeroSMS / 5sim / NexSMS API keys. -- Cloudflare Temp Email auth fields. - -Runtime state goes mostly to `chrome.storage.session`, including generated email, password, codes, OAuth URL, localhost callback, and target session metadata. - -The built-in export function exports `getPersistedSettings()` as JSON; this can include sensitive persistent settings. Treat every export as secret material. - -## Troubleshooting - -### Google Chrome stable may ignore `--load-extension` - -On BOSS's macOS Chrome stable 147, verbose logs showed `--load-extension is not allowed in Google Chrome, ignoring.` In that case, `ps` still shows the flag but the extension card never appears. Do not keep relaunching the same way. Use the visible UI workaround: open `chrome://extensions`, enable Developer Mode, physically click **加载未打包的扩展程序**, choose the repo folder in the macOS picker, then verify the unpacked card is `ENABLED`. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md`. - -### PassWall2/DNS split rules still polluted - -After BOSS updates PassWall2/domain split rules, verify DNS takeover before relaunching the extension. Domain rules alone are not enough if macOS still resolves `chatgpt.com` / `accounts.openai.com` through ISP/local DNS. - -Run: - -```bash -python3 - <<'PY' -import socket -for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']: - print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)})) -PY -scutil --dns | sed -n '1,120p' -curl -I -L --max-time 20 https://chatgpt.com/ +```text +FIVE_SIM_COUNTRY_ORDER > FIVE_SIM_COUNTRY_ID > vietnam fallback only if both empty ``` -If `chatgpt.com` resolves to suspicious non-Cloudflare ranges such as `199.59.150.40` / `202.160.128.16`, or `accounts.openai.com` resolves to `128.121.146.109` / `192.133.77.189` / `2001::80f2:f09b`, treat it as DNS pollution and stop before registration/OAuth. Ask BOSS to fix PassWall2 DNS takeover/remote DNS/fake-ip or redir-host. See `references/openai-chatgpt-browser-probe-2026-05-08.md`, `references/passwall2-openai-dns-pollution-2026-05-08.md`, and `references/openai-lan-proxy-endpoint-probe-2026-05-08.md` for browser/TLS/proxy endpoint failure patterns. +For free-country exploration, ignore stale configured order if BOSS explicitly says unrestricted. Count only real activations with ids toward the budget. `no free phones`, pre-buy country-gate errors, CDP errors, or OAuth recovery failures are not attempts. -When BOSS provides a LAN proxy endpoint such as `socks5://192.168.2.8:1085` or `http://192.168.2.8:1084`, test the endpoint before launching Chrome: +Known mappings: -```bash -ping -c 2 -W 1000 192.168.2.8 || true -nc -vz -w 5 192.168.2.8 1085 || true -curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/ +```text +vietnam -> VN -> 越南 (+84) -> 84 +argentina -> AR -> 阿根廷 (+54) -> 54 +netherlands -> NL -> 荷兰 (+31) -> 31 +indonesia -> ID -> 印度尼西亚 (+62) -> 62 +italy -> IT -> 意大利 (+39) -> 39 +poland -> PL -> 波兰 (+48) -> 48 +spain -> ES -> 西班牙 (+34) -> 34 +england -> GB -> 英国 (+44) -> 44 +chile -> CL -> 智利 (+56) -> 56 +portugal -> PT -> 葡萄牙 (+351) -> 351 +germany -> DE -> 德国 (+49) -> 49 +romania -> RO -> 罗马尼亚 (+40) -> 40 ``` -Use `socks5h://` with `curl` so DNS resolution happens through the SOCKS proxy. If proxy TCP tests fail with `No route to host`, stop: this is a LAN/gateway/proxy reachability problem, not an OpenAI OAuth or extension problem. +Phone handling: -### OpenAI/ChatGPT direct-connect preflight before launching Chrome - -Before opening the visible Chrome registration flow, run a raw DNS/TLS preflight even if the rest of the environment looks healthy: - -```bash -python3 - <<'PY' -import socket -for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']: - try: - print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)})) - except Exception as e: - print(host, 'ERR', e) -PY -curl -I -L --max-time 25 https://chatgpt.com/ | sed -n '1,30p' +```text +OpenAI immediate reject → cancel activation, rotate +No immediate reject → poll 5sim +Before resend → probe channel text/value/aria/title + ├─ WhatsApp → cancel/rotate (SMS-only) + └─ SMS/unknown → click resend, poll again +SMS received → submit code, finish activation, verify page leaves phone-verification +Interrupted runner → inspect/cancel active RECEIVED activations immediately ``` -If `BROWSER_PROXY_SERVER` is empty and DNS/TLS shows known pollution or transport failure, **stop before launching the registration/OAuth flow**. Examples observed during BOSS's Codex2API + GoPay plan-A test: +Known result: free-country run succeeded with Vietnam SMS, activation `1006871765`, status `FINISHED`; OpenAI phone verification passed. See `references/openai-phone-free-country-vietnam-sms-success-codex2api-region-block-2026-05-10.md`. -- `chatgpt.com` resolving to non-Cloudflare/suspicious ranges such as `67.230.169.182` or odd IPv6 entries. -- `accounts.openai.com` resolving to suspicious ranges such as `199.59.149.234` / `2001::...`. -- `curl https://chatgpt.com/` failing with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`. +## 8. CPA / CLI Proxy API — preferred callback target -Treat this as an environment/proxy/DNS problem, not an extension, ClawEmail, Codex2API, or account problem. Ask BOSS to fill a reachable `BROWSER_PROXY_SERVER=socks5://host:port` or `http://host:port`, then re-run proxy TCP/exit-IP/ChatGPT checks before starting Chrome. This avoids burning a registration attempt on a flow that will almost certainly stall on OpenAI auth. +CPA succeeded where Codex2API failed. Use this when `CPA_VPS_URL` and `CPA_VPS_PASSWORD` are configured. +Derive API origin: - -```bash -PROXY='socks5h://192.168.2.8:1085' -nc -vz -w 3 192.168.2.8 1085 || true -curl --proxy "$PROXY" -I -L --max-time 25 https://chatgpt.com/ 2>&1 | sed -n '1,80p' -curl --proxy "$PROXY" --max-time 15 https://api.ipify.org 2>&1 || true -route -n get 192.168.2.8 2>/dev/null || true -arp -n 192.168.2.8 || true -ping -c 3 -W 1000 192.168.2.8 || true +```python +origin = new URL(CPA_VPS_URL).origin +# e.g. http://192.168.2.62:8317/management.html -> http://192.168.2.62:8317 ``` -If the Mac cannot reach the gateway/port (`No route to host`, `Couldn't connect to server`, ping loss), report this as a local gateway/port problem rather than continuing OAuth or extension tests. See `references/passwall2-socks5-gateway-reachability-2026-05-08.md` for the session example. +Headers, matching original extension: -### Extension launch appears successful but `chrome://extensions` is empty +```text +Authorization: Bearer [CPA_VPS_PASSWORD] +X-Management-Key: [CPA_VPS_PASSWORD] +Accept: application/json +Content-Type: application/json +``` -Chrome/CDP can mislead in multi-profile sessions. A process may show `--load-extension`, and CDP may even transiently show a `chrome-extension://.../service_worker.js` target, while the intended unpacked extension is not actually visible or registered in the isolated profile. +Generate OAuth URL: -Before starting OpenAI registration, verify the intended automation extension with stronger evidence: +```text +GET /v0/management/codex-auth-url +# UI also uses: GET /v0/management/codex-auth-url?is_webui=true +``` -- `chrome://extensions/` visibly shows the `codex-oauth-automation-extension` unpacked card; or -- `Default/Preferences` has an `extensions.settings` entry whose manifest/path match the intended repo; or -- the intended extension page/sidepanel opens and renders expected UI; or -- an extension-context runtime call reads the expected manifest/state. +Extract URL from `url|auth_url|authUrl|data.*`; extract state from payload or URL. -If `chrome://extensions` is empty and `extensions.settings` is empty, stop before registration. Report the block as **extension launch/registration failure before signup**, keep the ClawEmail record pending/failed according to whether signup was actually attempted, and avoid burning the mailbox on a manual unsupported flow. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md` for the observed Chrome 147 anomaly and debug checklist. +Submit callback: -### OpenAI verification email does not arrive in ClawEmail +```text +POST /v0/management/oauth-callback +{"provider":"codex","redirect_url":"http://localhost:1455/auth/callback?code=[REDACTED]&state=[REDACTED]"} +``` -A 2026-05-09 ordinary-registration test reached OpenAI's normal `email-verification` page with two fresh ClawEmail sub-mailboxes, but no OpenAI code arrived in inbox or spam even after resend. Both sub-mailboxes passed a self-send receive test, so the block was classified as OpenAI/ClawEmail deliverability rather than browser, proxy, extension, CAPTCHA, or phone-verification failure. See `references/openai-clawemail-verification-nondelivery-2026-05-09.md`. +Verify: -### OpenAI email verification does not arrive +```text +GET /v0/management/get-auth-status?state= -> {"status":"ok"} +GET /v0/management/auth-files -> codex--free.json active +``` -1. Confirm ClawEmail external receive is enabled on the **exact sub-mailbox** used for the run. Newly-created sub-mailboxes default to internal-only communication (`commLevel=1`, `extReceiveType=0`) and will silently miss OpenAI mail. -2. For BOSS's setup, keep ClawEmail Dashboard master-login state in a **dedicated persistent Chrome profile**, not in the disposable Codex OAuth browser profile: - - profile: `/Users/chick/.Hermes/workspace/browser-profiles/clawemail-dashboard-persistent` - - CDP port: `9224` - - URL: `https://claw.163.com/projects/dashboard/#/` - The Codex OAuth Chrome profile/port 9223 may be killed or recreated frequently; do not store Dashboard master login there. -3. After creating a run sub-mailbox, immediately update its communication settings before submitting it to OpenAI: - - call Dashboard API base `https://claw.163.com/mailserv-claw-dashboard` (observed via `performance.getEntriesByType('resource')`, not bare `/api/v1/...`) - - `GET /api/v1/workspaces` to obtain `workspaceId` - - `GET /api/v1/mailboxes?workspaceId=` to find the sub-mailbox `id` - - `POST /api/v1/mailboxes/comm-settings?id=` with JSON body `{"commLevel":2,"extReceiveType":1,"extSendType":0}` - - verify with `mail-cli clawemail info --uid --json` that `commLevel=2` and `extReceiveType=1` -4. Poll the **sub-mailbox profile**, not just the default primary mailbox profile. If the profile was deleted/recreated, fix `~/.config/mail-cli/config.json` or call `mail-cli` with a valid profile/user. -5. Check inbox and spam. -6. Send a self-test email to the sub-mailbox and verify it arrives. -7. If self-test works but OpenAI mail still does not arrive after resend, stop and record `openai_email_verification` failure; try a primary ClawEmail mailbox or another provider next. +Do **not** use root `/codex-auth-url` or `/api/auth/url`; they can 404 or return unrelated `amp upstream proxy not available`. -### Proxy not applied +References: -- Visit an IP-check page in the isolated browser before starting. -- If auth proxy fails, use a local forwarding proxy wrapper. -- Do not put proxy passwords in final answers. +- `references/cpa-original-extension-api-notes-2026-05-10.md` +- `references/cpa-panel-codex-oauth-success-2026-05-10.md` -### ClawEmail code not found +## 9. Codex2API target -- Verify the email address submitted in step 2 matches `CLAWEMAIL_UID` or the created sub-mailbox. -- Use `mail-cli mail list --fid 1 --limit 20 --json` and inspect recent OpenAI messages. -- Check spam/deleted folders if inbox is empty. +Generate URL: -### OAuth callback not captured +```text +POST /api/admin/oauth/generate-auth-url +Header: X-Admin-Key: [CODEX2API_ADMIN_KEY] +Body: {} +``` -- Step `confirm-oauth` listens for localhost callback via webNavigation/tabs updates. -- Re-run the OAuth login/confirm steps only, not the full registration, unless the auth session is invalid. -- Verify target mode settings and state value mismatch errors. +Expected response contains: -### Target verify fails +```json +{"auth_url":"...","session_id":"..."} +``` -- For SUB2API, verify URL/email/password/group/priority/proxy fields. -- For Codex2API, verify URL and admin key. -- For CPA, verify management origin/key and callback endpoint support. -- Do not print callback URL with `code=`; redact. +Exchange callback: -### Plus/GoPay fails +```text +POST /api/admin/oauth/exchange-code +Header: X-Admin-Key: [CODEX2API_ADMIN_KEY] +{"session_id":"...","code":"[REDACTED]","state":"..."} +``` -- Confirm Plus mode and payment method are correct. -- Confirm GPC helper URL/card key/phone/PIN/OTP channel settings. -- Stop before retrying paid operations repeatedly; ask BOSS. +If callback/token exchange returns `unsupported_country_region_territory`, browser-side OAuth is not the issue. The backend token exchange path needs a supported outbound proxy or use CPA. -See `references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md` for the session note covering the macOS TCC screenshot fix, LAN/SOCKS5 verification, and ordinary-registration prep sequence. +## 10. SUB2API target -See `references/openai-clawemail-verification-nondelivery-2026-05-09.md` for the ordinary registration test where OpenAI reached the email-verification page for two ClawEmail submailboxes, but no OpenAI verification email arrived despite submailbox self-test delivery working. +Use original extension/content-script route for SUB2API panel login, group, proxy, priority, and callback exchange. Do not invent direct API endpoints unless re-confirmed from source/UI. -See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md` for the phone-verification continuation where OpenAI `add-phone` required SMS, BOSS corrected that WhatsApp receive channels must not be used, and 5sim `activation/*/openai` orders plus visible country selection were identified as the right class of workflow. +## 11. Browser/CDP hygiene -See `references/openai-phone-verification-5sim-sms-2026-05-10.md` for early detailed retry notes: cancel failed 5sim orders before buying new ones, treat OpenAI `无法向此电话号码发送验证码` as a number/provider rejection, and avoid CDP-only mutations that desync the React country selector back to `美国 (+1)`. **Do not copy the early Vietnam-default assumption when `FIVE_SIM_COUNTRY_ORDER` is set; use the corrected precedence in `references/openai-phone-verification-country-order-account-deactivated-2026-05-10.md`.** +Before fresh OAuth recovery: -See `references/openai-add-phone-1083-vietnam-resend-2026-05-10.md` for the follow-up test requested by BOSS: switch browser proxy to `socks5://192.168.2.8:1083`, regenerate Codex2API OAuth URL from the origin API when the auth session expires, continue with configured-country `vietnam` SMS activation, and for non-rejected numbers poll 5sim then click `重新发送` before canceling/retrying. +```text +close stale auth.openai.com / phone-verification / localhost callback tabs +keep only the current intended target tab +``` -See `references/openai-phone-verification-country-order-account-deactivated-2026-05-10.md` for the correction that `FIVE_SIM_COUNTRY_ORDER` (for example `argentina,netherlands,indonesia`) takes precedence over empty `FIVE_SIM_COUNTRY_ID` and default `vietnam`, plus the recovery rule that `account_deactivated` during email verification ends phone attempts for that mailbox. +Use visible Chrome with isolated profile. Chrome stable may ignore `--load-extension`; verify extension card/sidepanel if using the extension. Manual CDP flow is acceptable when BOSS only wants registration/OAuth tested; still follow all gates. -## Verification Checklist +## 12. Plus / GoPay -- [ ] Config file exists at `~/.hermes/env/codex_oauth_onboarding.env` with mode-specific fields. -- [ ] ClawEmail auth passes. -- [ ] Isolated browser profile is not the normal personal profile. -- [ ] Browser exit IP matches intended proxy. -- [ ] Extension is loaded and sidepanel opens. -- [ ] Only one target mode is active. -- [ ] Plus payment was explicitly approved if enabled. -- [ ] Target platform shows the OAuth account/session after verification. -- [ ] Final report redacts all secrets, callback codes, passwords, API keys, and proxy credentials. +Default ordinary account test: + +```text +PLUS_MODE_ENABLED=false +``` + +If Plus is requested: + +```text +PLUS_PAYMENT_METHOD=gopay +GOPAY_OTP_SOURCE=manual +GOPAY_OTP empty by default +``` + +Stop immediately before paid confirmation and ask BOSS. + +## 13. Verification checklist before final report + +- [ ] New mailbox external receive enabled and recorded. +- [ ] OpenAI email verification completed or classified. +- [ ] If phone appeared: all active 5sim orders are FINISHED or CANCELED. +- [ ] If SMS succeeded: OpenAI left `phone-verification` page. +- [ ] OAuth callback submitted to chosen target. +- [ ] Target has active account/session/auth file. +- [ ] Final report redacts secrets, callback codes, SMS/email codes, full phone numbers, API keys, passwords, proxy strings. +- [ ] If new learning occurred, update this skill or a reference. + +## 14. Evidence and history references + +Full pre-rewrite skill was archived at: + +```text +references/SKILL-full-before-low-token-rewrite-2026-05-10.md +``` + +High-value references: + +```text +references/cpa-original-extension-api-notes-2026-05-10.md +references/cpa-panel-codex-oauth-success-2026-05-10.md +references/openai-phone-free-country-vietnam-sms-success-codex2api-region-block-2026-05-10.md +references/openai-add-phone-strict-country-gate-2026-05-10.md +references/openai-add-phone-free-country-runner-policy-2026-05-10.md +references/openai-login-recovery-gate-before-phone-runs-2026-05-10.md +references/openai-oauth-tab-cleanup-before-recovery-2026-05-10.md +references/openai-phone-country-scheduler-cyclic-chunks-2026-05-10.md +references/clawemail-external-receive-gate-openai-2026-05-10.md +references/openai-add-phone-chile-no-free-phones-2026-05-10.md +references/openai-add-phone-eu4-total20-real-activations-2026-05-10.md +references/official-extension-phone-update-2026-05-10.md +``` diff --git a/skill/codex-oauth-plus-onboarding/references/SKILL-full-before-low-token-rewrite-2026-05-10.md b/skill/codex-oauth-plus-onboarding/references/SKILL-full-before-low-token-rewrite-2026-05-10.md new file mode 100644 index 0000000..5a32a34 --- /dev/null +++ b/skill/codex-oauth-plus-onboarding/references/SKILL-full-before-low-token-rewrite-2026-05-10.md @@ -0,0 +1,540 @@ +--- +name: codex-oauth-plus-onboarding +description: "Use when BOSS asks to register a ChatGPT/Codex OAuth account flow with ClawEmail, optionally open Plus through GoPay/GPC, and authorize the OAuth callback into SUB2API, Codex2API, or CPA using an isolated proxied browser profile." +version: 1.0.0 +author: Hermes Agent +license: MIT +metadata: + hermes: + tags: [codex, oauth, clawemail, gopay, sub2api, codex2api, cpa, browser-automation] + related_skills: [clawemail-operations, browser-extension-storage-audit] +--- + +# Codex OAuth + Plus Onboarding + +## Overview + +This skill describes the safe, repeatable workflow for using the local `codex-oauth-automation-extension` project to run a **single user-authorized onboarding flow**: + +1. Use **ClawEmail** as the registration mailbox. +2. Register/Login through ChatGPT/OpenAI auth. +3. Optionally open ChatGPT Plus through **GoPay / GPC helper**. +4. Complete OAuth authorization. +5. Submit the localhost OAuth callback to exactly one configured target: **SUB2API**, **Codex2API**, or **CPA**. +6. Run the browser in an isolated profile with a dedicated proxy. + +The skill is for BOSS's own infrastructure and accounts only. Do not use it for spam, credential stuffing, rate-limit evasion, CAPTCHA bypass, unauthorized account creation, or bulk registration. If a page asks for CAPTCHA, security challenge, phone ownership proof, payment confirmation, or another user-visible anti-abuse checkpoint, pause and ask BOSS to complete/approve it manually. + +## When to Use + +Use this skill when BOSS asks for any of these: + +- “用 ClawEmail 注册 Codex / ChatGPT OAuth,然后授权到 SUB2API / Codex2API / CPA” +- “用 GoPay 开 Plus 后把 OAuth 接进去” +- “把 QLHazyCoder/codex-oauth-automation-extension 那套流程跑起来” +- “给这个注册流程做独立代理、无痕/隔离浏览器配置” +- “把这个流程做成可复用配置和操作步骤” + +Also load `clawemail-operations` before any ClawEmail mailbox work. + +## BOSS-specific Operating Defaults + +These are confirmed operating rules for BOSS's environment: + +- Use **Google Chrome stable** at `/Applications/Google Chrome.app/Contents/MacOS/Google Chrome` with a real visible window. +- Do **not** set a default target platform. If `PANEL_MODE` is empty or not one of `cpa|sub2api|codex2api`, stop before launching the run. +- Proxies are supplied as unauthenticated `socks5://host:port` or `http://host:port`; do not expect proxy username/password. +- The new account password is unified through `CUSTOM_PASSWORD`. If it is empty, stop and ask BOSS to fill it, unless BOSS explicitly allows auto-generation for that run. +- ClawEmail creates a fresh mailbox for every run (`CLAWEMAIL_CREATE_PER_RUN=true`). Record every created mailbox locally with outcome classification: pending, success, failed. **Immediately after creation, actively set/verify the mailbox's communication settings before submitting it to OpenAI:** new sub-mailboxes can default to internal-only (`commLevel=1`, `extReceiveType=0`), which blocks OpenAI verification mail. The gate must pass with external receive enabled (`commLevel=2`, `extReceiveType=1`). Do not merely tell BOSS to do this manually: first try the logged-in ClawEmail Dashboard API `POST /api/v1/mailboxes/comm-settings?id=` with `{commLevel:2, extReceiveType:1, extSendType:0}`. If the Dashboard is not logged in, open/login to it and ask BOSS only for the QQ master-mailbox 6-digit login code if the agent cannot read QQ mail. See `clawemail-operations` reference `references/clawemail-dashboard-comm-settings-openai-signup-2026-05-10.md` and this skill's `references/clawemail-external-receive-gate-openai-2026-05-10.md`. +- Phone/SMS platform has no default. Keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless BOSS configures one or approves enabling it after a phone verification appears. +- If phone verification appears and BOSS has configured 5sim, use **SMS activation for `openai`**, not WhatsApp receive channels. The original extension's 5sim provider buys `/v1/user/buy/activation/{country}/{operator}/openai`, polls `/v1/user/check/{activationId}`, and finishes/cancels the activation. **Before buying any 5sim number, pass the identity gate:** the browser must already be confirmed on `auth.openai.com/add-phone` for a usable OpenAI account. If OpenAI returns `account_deactivated`, if ClawEmail cannot create a new sub-mailbox due to quota, or if reused sub-mailboxes only show password mismatch, stop and ask BOSS to free mailbox quota/provide the correct password/approve another mailbox provider. **Country selection priority is `FIVE_SIM_COUNTRY_ORDER` first** (comma-separated list such as `argentina,netherlands,indonesia`), then `FIVE_SIM_COUNTRY_ID`, then the original extension default `vietnam` only if both are empty. For each configured country, rotate numbers up to `PHONE_VERIFICATION_REPLACEMENT_LIMIT`; do **not** silently switch outside the configured order unless BOSS approves. Before buying/submitting a non-USA number, verify the OpenAI visible country selector is already the expected country (for example `阿根廷 (+54)`, `荷兰 (+31)`, `印度尼西亚 (+62)`, or `越南 (+84)`); if it reverted to `美国 (+1)`, fix the selector first or the number will be parsed as invalid. Use visible UI paste/click on `add-phone` when possible because CDP-only input mutation can desync React state and revert the country on submit. If a number is **not immediately rejected**, do not cancel it after one polling timeout: poll 5sim, click OpenAI `重新发送`, poll again, and retry resend at least once before canceling/rotating. If changing proxy (for example `1085` → `1083` or back), expect OpenAI auth session invalidation and restart from a fresh target OAuth URL. Codex2API env URLs may point at `/admin/accounts`; derive the API origin before calling `/api/admin/oauth/generate-auth-url`. If OpenAI returns `account_deactivated` after email verification, stop the current account and start with a new ClawEmail sub-mailbox instead of burning 5sim numbers. See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md`, `references/openai-phone-verification-5sim-sms-2026-05-10.md`, `references/openai-phone-verification-proxy1083-resend-2026-05-10.md`, `references/codex-oauth-token-lite-automation-flow-2026-05-10.md`, and `references/clawemail-quota-identity-gate-before-phone-verify-2026-05-10.md` for observed behavior, resend strategy, proxy-switch recovery, identity-gate checks, and pitfalls. +- If a phone-verification runner is stopped or interrupted, immediately inspect/cancel any active 5sim activation left in `RECEIVED`; killed scripts may not execute cleanup. For a UK `+44` run, use 5sim country slug `england`, OpenAI ISO `GB`, visible selector `英国 (+44)`, and dial prefix `44`. For a Europe broadened run requested as Italy/Poland/Spain/UK, use `italy -> IT -> 意大利 (+39)`, `poland -> PL -> 波兰 (+48)`, `spain -> ES -> 西班牙 (+34)`, and `england -> GB -> 英国 (+44)`. For Chile, use `chile -> CL -> 智利 (+56)` and prefix `56`; 5sim may return HTTP 200 `text/plain` body `no free phones` for `/v1/user/buy/activation/chile/any/openai`, which means no activation was created and no cancellation is needed. When BOSS says to run “10 次” across a country set, treat it as **10 total attempts across the ordered set**, not 10 per country, unless he explicitly says per-country; if BOSS says each region switches after 3 consecutive failures, schedule chunks as `country x3 -> next country`, capped by the global total. **For global budgets larger than one full pass of chunks, cycle the country chunks until the global budget is exhausted** (e.g. 20 attempts with 4 countries and chunk size 3 must continue after UK back to Italy; do not stop at 12). When BOSS asks for free-country exploration, ignore stale `FIVE_SIM_COUNTRY_ORDER`, use a broad OpenAI-supported candidate map, cap each country (for example 2 real activations), and count only successful 5sim buys with activation ids toward the global budget; `no free phones`, country-gate/CDP errors before buying, and OAuth recovery failures are not real attempts. 5sim may return HTTP 200 `text/plain` such as `no free phones` from buy endpoints; classify it as inventory miss, no cancellation needed. For the 2026-05-10 EU4 total-20 run, all 20 real activations ended with zero SMS and WhatsApp resend classification; see `references/openai-add-phone-eu4-total20-real-activations-2026-05-10.md`. For the 2026-05-10 free-country run, Vietnam succeeded with a 5sim `openai` SMS activation, OpenAI phone verification passed, and OAuth consent produced a callback; the remaining blocker was Codex2API server-side token exchange returning `unsupported_country_region_territory` even after setting admin `proxy_url`, so inspect/fix Codex2API outbound proxy use for token exchange before retrying final callback. See `references/openai-phone-free-country-vietnam-sms-success-codex2api-region-block-2026-05-10.md`. For free-country runner policy and 5sim inventory quirks, see `references/openai-add-phone-free-country-runner-policy-2026-05-10.md`. Before buying any 5sim activation, enforce the `add-phone` identity gate: the active OpenAI page must already be a usable `https://auth.openai.com/add-phone`; if recovery lands on password mismatch, `invalid_state`, stale email verification, or `account_deactivated`, stop before buying numbers. One-off country test runners must hardcode/validate their effective country order at startup (e.g. `ORDER=['chile']`) and abort if it still reads a stale env order. Before opening a fresh OAuth recovery tab, close stale `auth.openai.com` / `phone-verification` / localhost callback tabs unless the current tab is already a usable `add-phone` page; this prevents tab pile-up and CDP target ambiguity. Before clicking OpenAI resend, **probe the resend channel without clicking** by reading button `value`/`aria-label`/`title`/text; if it says WhatsApp and BOSS's policy is SMS-only, cancel the SMS activation and rotate/stop instead of clicking. Classify `This page isn’t working` / `HTTP ERROR 500` / `500 Internal Server Error` after resend as `resend_server_error`, cancel the order, and recover to `add-phone`. See `references/openai-add-phone-strict-country-gate-2026-05-10.md`, `references/openai-add-phone-uk44-and-runner-cleanup-2026-05-10.md`, `references/openai-add-phone-eu4-roundrobin-correction-2026-05-10.md`, `references/openai-add-phone-eu4-3fail-switch-results-2026-05-10.md`, `references/openai-phone-country-scheduler-cyclic-chunks-2026-05-10.md`, `references/openai-add-phone-chile-no-free-phones-2026-05-10.md`, `references/openai-login-recovery-gate-before-phone-runs-2026-05-10.md`, `references/openai-oauth-tab-cleanup-before-recovery-2026-05-10.md`, and `references/official-extension-phone-update-2026-05-10.md`. +If Codex2API callback exchange fails with OpenAI `unsupported_country_region_territory`, switch to CPA / CLI Proxy API when BOSS provides `CPA_VPS_URL` and `CPA_VPS_PASSWORD`. Original extension reference: `background/panel-bridge.js` derives the CPA management origin from `new URL(CPA_VPS_URL).origin`, then requests `GET /v0/management/codex-auth-url` with both `Authorization: Bearer ` and `X-Management-Key: `; the management UI may add `?is_webui=true`, which is also acceptable. It extracts OAuth URL from `url|auth_url|authUrl|data.*` and state from response or the URL. For callback submission, `background/steps/platform-verify.js` validates localhost callback contains `code` and `state`, rejects mismatched `cpaOAuthState`, then posts `POST /v0/management/oauth-callback` body `{"provider":"codex","redirect_url":"http://localhost:1455/auth/callback?..."}` with the same two headers. Verify via `GET /v0/management/get-auth-status?state=` and `/v0/management/auth-files`. Do not use root `/api/auth/url` for Codex; it may be an unrelated Amp endpoint returning `amp upstream proxy not available`. See `references/cpa-panel-codex-oauth-success-2026-05-10.md`. +- Plus mode uses +- GoPay WhatsApp OTP uses **方案 A / manual checkpoint**: set `GOPAY_OTP_SOURCE=manual`. The extension detects OTP input and opens a side-panel prompt (`requestGoPayOtpInput` / “输入 GoPay 验证码”); BOSS pastes the WhatsApp code, then the extension fills OTP, fills `GOPAY_PIN`, and continues. +- `GOPAY_OTP` should normally stay empty before the run. It is only a temporary prefill/cache for the current OTP dialog, not a durable secret. +- Do not implement WhatsApp scraping/API automation unless BOSS explicitly requests it later. + +- When BOSS says the environment is normal and asks to start registration testing, treat `socks5://192.168.2.8:1085` as the expected browser proxy unless BOSS overrides it. If `BROWSER_PROXY_SERVER` is empty, patch the local env to this SOCKS5 endpoint and verify it before launching Chrome; do not stop with a question asking whether to use it. +- For ordinary-account test runs, set `PLUS_MODE_ENABLED=false` before launching. Keep `PLUS_PAYMENT_METHOD=gopay` untouched for later Plus runs, but do not enter Plus/payment steps. +- Registration/OAuth tests are step-gated for BOSS: after environment/config prep and mailbox creation, report the created mailbox and wait for explicit “继续” before launching the visible browser flow. + +1. **Explicit target**: BOSS must specify exactly one target mode: `sub2api`, `codex2api`, or `cpa`; there is no default target, and an empty `PANEL_MODE` must stop execution. +2. **Single-run default**: default to one account / one OAuth flow unless BOSS explicitly requests a count. +3. **No CAPTCHA bypass**: if Cloudflare/CAPTCHA/security challenge appears, stop and report the required manual action. +4. **Payment checkpoint**: Plus mode is GoPay for BOSS, but before any GoPay payment or paid operation, confirm that BOSS wants to proceed. +5. **No secret leakage**: never print API keys, admin keys, proxy addresses if sensitive, refresh tokens, card keys, or OAuth callback URLs containing `code=` in final summaries. Redact as `[REDACTED]`. +6. **Config export risk**: the extension’s built-in settings export may contain secrets. Treat exported files as sensitive. +7. **Mailbox records**: every freshly-created ClawEmail mailbox must be recorded locally with run id and final status (`pending`, `success`, or `failed`). + +## Repository and Local Paths + +Known research clone: + +```bash +/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension +``` + +If missing, clone shallow: + +```bash +mkdir -p /Users/chick/.Hermes/workspace/research +cd /Users/chick/.Hermes/workspace/research +git clone --depth=1 https://github.com/QLHazyCoder/codex-oauth-automation-extension.git +``` + +Validate tests when modifying or before relying on a changed checkout: + +```bash +cd /Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension +node --test tests/*.test.js +``` + +Observed verification result during initial study: `772` tests passed, `0` failed. + +## Configuration File + +Create a dedicated env file instead of typing secrets into chat. A fuller template is stored with this skill at `templates/codex_oauth_onboarding.env.example`. If BOSS has temporarily filled real values into that template, first copy it to the real env file, back up the filled template privately, and sanitize the template again; see `references/env-file-and-5sim-notes.md`. + +```bash +mkdir -p ~/.hermes/env +chmod 700 ~/.hermes/env +cp ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example ~/.hermes/env/codex_oauth_onboarding.env +chmod 600 ~/.hermes/env/codex_oauth_onboarding.env +$EDITOR ~/.hermes/env/codex_oauth_onboarding.env +``` + +High-level required groups: + +1. **Local project / browser**: `CODEX_OAUTH_EXTENSION_DIR`, `CHROME_BIN`, `BROWSER_PROFILE_ROOT`, `BROWSER_HEADLESS=false`. +2. **Panel / target mode**: `PANEL_MODE=cpa|sub2api|codex2api` has **no default**; if empty, stop. Fill only the selected target’s auth fields copied from the original side panel (`CPA_VPS_URL`/`CPA_VPS_PASSWORD`, or `SUB2API_*`, or `CODEX2API_*`). +3. **Proxy**: fill `BROWSER_PROXY_SERVER` with BOSS-provided unauthenticated `socks5://host:port` or `http://host:port`; use `IP_PROXY_*` only when using the original extension’s built-in 711proxy/IP proxy panel. +4. **Registration identity and password**: `CLAWEMAIL_CREATE_PER_RUN=true`, `CLAWEMAIL_PREFIX`, `CLAWEMAIL_RECORD_FILE`, `SIGNUP_METHOD=email`, and unified `CUSTOM_PASSWORD`. For BOSS's ClawEmail per-run accounts, use a pure lowercase English **8-letter random create prefix with no base prefix** (example create prefix `abcdefgh`, resulting sub-mailbox shape `chickliu.abcdefgh@claw.163.com`). Live ClawEmail probing showed create prefixes are accepted only up to 11 characters and dots/hyphens are rejected despite docs/help text, so do not use `codex` + 8 letters. Store/observe the policy with `CLAWEMAIL_PREFIX=` (empty), `CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8`, `CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz`, and `CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true` when helper scripts support it; if not, generate the 8-letter prefix in the runner before calling `mail-cli clawemail create --prefix ...`. +5. **Mail provider**: `MAIL_PROVIDER`, `EMAIL_GENERATOR`, and original-provider fields only if not polling ClawEmail from Hermes. +6. **Phone/SMS verification fallback**: no default provider; keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless configured/approved. +7. **Plus/payment**: `PLUS_MODE_ENABLED=true`, `PLUS_PAYMENT_METHOD=gopay`; paid operations still require explicit confirmation. + +Minimal template excerpt: + +```bash +# Required: local extension repo +CODEX_OAUTH_EXTENSION_DIR=/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension +```bash +# Required: ClawEmail mailbox +CLAWEMAIL_UID=chickliu@claw.163.com +# BOSS preference: per-run sub-mailbox create prefix is exactly 8 lowercase English random letters. +# Example create prefix: abcdefgh -> chickliu.abcdefgh@claw.163.com +CLAWEMAIL_PREFIX= +CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8 +CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz +CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true +CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true +``` +# Browser isolation +BROWSER_PROFILE_ROOT=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth +BROWSER_HEADLESS=false +BROWSER_PROXY_SERVER=http://host:port +BROWSER_PROXY_USERNAME= +BROWSER_PROXY_PASSWORD= + +# Target mode: sub2api | codex2api | cpa +OAUTH_TARGET_MODE=sub2api + +# SUB2API settings +SUB2API_URL= +SUB2API_EMAIL= +SUB2API_PASSWORD= +SUB2API_GROUP_NAME=default +SUB2API_ACCOUNT_PRIORITY=1 +SUB2API_DEFAULT_PROXY_NAME= + +# Codex2API settings +CODEX2API_URL= +CODEX2API_ADMIN_KEY= + +# CPA settings +CPA_URL= +CPA_MANAGEMENT_KEY= +CPA_LOCAL_STEP9_MODE=submit + +# Plus / GoPay / GPC helper settings +PLUS_MODE_ENABLED=false +PLUS_PAYMENT_METHOD=gpc-helper +GPC_HELPER_API_URL= +GPC_HELPER_CARD_KEY= +GPC_HELPER_COUNTRY_CODE=+86 +GPC_HELPER_PHONE_NUMBER= +GPC_HELPER_PIN= +GPC_HELPER_OTP_CHANNEL=whatsapp +GPC_HELPER_LOCAL_SMS_ENABLED=false +GPC_HELPER_LOCAL_SMS_URL=http://127.0.0.1:18767 + +# Runtime behavior +RUN_COUNT=1 +AUTO_RUN_SKIP_FAILURES=false +AUTO_STEP_DELAY_SECONDS=2 +OAUTH_FLOW_TIMEOUT_ENABLED=true +``` + +Rules: + +- Keep this file local only; never commit it. +- Use `[REDACTED]` in reports for all secret values. +- If multiple target sections are filled, only the section selected by `OAUTH_TARGET_MODE` should be used. + +## Browser Isolation and Proxy Strategy + +This workflow must use a **real visible Chrome/Chromium browser**. Do not use headless browser mode for registration, payment, OAuth consent, or security-sensitive OpenAI/Auth pages. + +Use a **dedicated browser profile** per run or per account. “无痕模式” in Chrome does not normally persist extension state and may not allow side panel/extensions unless explicitly enabled. For this extension, prefer a real visible browser with: + +- Dedicated clean `user-data-dir` profile. +- Loaded unpacked extension from `CODEX_OAUTH_EXTENSION_DIR`. +- Proxy applied at browser launch or by a verified local proxy wrapper. +- Human-visible UI for CAPTCHA/security/payment checkpoints. +- Profile cleared after success if BOSS wants no local residue. + +Recommended profile naming: + +```bash +RUN_ID=$(date +%Y%m%d-%H%M%S) +PROFILE_DIR="$BROWSER_PROFILE_ROOT/$RUN_ID" +mkdir -p "$PROFILE_DIR" +``` + +Chrome launch pattern: + +```bash +/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \ + --user-data-dir="$PROFILE_DIR" \ + --disable-extensions-except="$CODEX_OAUTH_EXTENSION_DIR" \ + --load-extension="$CODEX_OAUTH_EXTENSION_DIR" \ + --proxy-server="$BROWSER_PROXY_SERVER" \ + --no-first-run \ + --no-default-browser-check +``` + +If proxy authentication is required and Chrome launch flags do not authenticate reliably, use one of these approaches: + +1. Use an upstream proxy URL that embeds auth only in a local proxy wrapper, not in command history. +2. Start a local forwarding proxy that injects upstream credentials. +3. Configure proxy credentials inside the extension only if the extension supports it and the config file is protected. + +Do not reuse the normal personal browser profile for this workflow. + +## ClawEmail Preparation + +Load `clawemail-operations` and verify: + +```bash +mail-cli auth test --json +mail-cli clawemail list --json +mail-cli clawemail info --uid "$CLAWEMAIL_UID" --json +``` + +Registration email choice: + +- Default: use `CLAWEMAIL_UID` directly. +- If BOSS wants per-run sub-mailboxes, create them with `mail-cli clawemail create --prefix ...` and set the extension’s registration email to the created UID. + +For code retrieval, the extension may interact with mail provider pages or helper logic, but ClawEmail can also be polled by Hermes: + +```bash +mail-cli mail list --fid 1 --limit 20 --json +mail-cli read body --id '' +``` + +Always quote message IDs. + +## Extension Architecture Reference + +The project is a Manifest V3 Chrome extension: + +- `manifest.json`: permissions, host permissions, content scripts, side panel. +- `background.js`: service worker and state orchestration. +- `background/message-router.js`: handles sidepanel messages such as `EXECUTE_STEP`, `AUTO_RUN`, `SAVE_SETTING`, `EXPORT_SETTINGS`, `IMPORT_SETTINGS`. +- `data/step-definitions.js`: step list for normal and Plus modes. +- `background/steps/*.js`: one executor per major step. +- `content/signup-page.js`: OpenAI/Auth page DOM automation. +- `content/*mail*.js`: mail provider automation. +- `sidepanel/sidepanel.js`: UI controls and settings collection. + +Important permissions include `tabs`, `webNavigation`, `webRequest`, `proxy`, `debugger`, `cookies`, `browsingData`, `storage`, `scripting`, `activeTab`, and `` host access. + +## Normal OAuth Flow Steps + +**BOSS correction / manual-flow allowance:** if BOSS asks only to test whether ordinary registration works, do not over-focus on running the original extension as the automation engine. It is acceptable to follow the extension's normal-flow sequence manually through visible Chrome, CDP, and `mail-cli`. The extension should be treated as a process reference unless BOSS explicitly asks to use it. Still keep all checkpoints: stop for CAPTCHA/Cloudflare/security challenge/phone/payment, and do not proceed to OAuth until email verification succeeds. + +Normal mode step definitions: + +1. `open-chatgpt` — clear ChatGPT/OpenAI cookies and open ChatGPT. +2. `submit-signup-email` — enter email or phone registration identity. +3. `fill-password` — generate/use password and submit. +4. `fetch-signup-code` — fetch registration verification code from mailbox/SMS. +5. `fill-profile` — generate and submit name + birthday. +6. `wait-registration-success` — wait for registration to stabilize. +7. `oauth-login` — refresh OAuth URL from selected target and log in. +8. `fetch-login-code` — fetch login verification code if needed. +9. `confirm-oauth` — click OAuth consent / Continue and capture localhost callback. +10. `platform-verify` — submit callback/code/state to SUB2API, Codex2API, or CPA. + +### ClawEmail random suffix policy + +BOSS specifically prefers Codex onboarding sub-mailboxes to use **only an 8-letter lowercase English random create prefix** after the primary mailbox dot, e.g. `chickliu.ktqcxzux@claw.163.com`. Do not use `cod`/`codex` plus 8 letters unless BOSS asks; the live ClawEmail API only accepted create prefixes up to 11 characters and rejected dots/hyphens during probing. See `clawemail-operations` reference `references/clawemail-prefix-probe-2026-05.md` and this skill's `references/clawemail-random-suffix-policy-2026-05.md`. + + +```bash +FIVE_SIM_API_KEY= +FIVE_SIM_BASE_URL=https://5sim.net/v1 +FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia +FIVE_SIM_OPERATOR=any +FIVE_SIM_PRODUCT=openai +FIVE_SIM_SERVICE=openai +``` + +## Plus Flow Steps + +When `PLUS_MODE_ENABLED=true`, the extension switches step definitions. + +PayPal Plus path: + +1-5. same registration steps. +6. `plus-checkout-create` — create Plus Checkout. +7. `plus-checkout-billing` — fill billing and submit order. +8. `paypal-approve` — PayPal login/approval. +9. `plus-checkout-return` — confirm return. +10. `oauth-login`. +11. `fetch-login-code`. +12. `confirm-oauth`. +13. `platform-verify`. + +GoPay/GPC helper paths use similar Plus step positions, with payment-specific logic in `background/steps/create-plus-checkout.js`, `fill-plus-checkout.js`, `gopay-*`, and helper API settings. + +## Applying Settings in the Extension + +The sidepanel normally sends settings through `SAVE_SETTING`; the background persists keys in `chrome.storage.local` via `PERSISTED_SETTING_KEYS`. + +Manual UI route: + +1. Open isolated Chrome profile with extension loaded. +2. Open the extension side panel. +3. Set `panelMode` according to `OAUTH_TARGET_MODE`: + - `sub2api` → fill SUB2API URL/email/password/group/proxy/priority. + - `codex2api` → fill Codex2API URL/Admin Key. + - `cpa` → fill CPA URL and management key. +4. Set registration email to ClawEmail mailbox. +5. Enable Plus mode only if requested. +6. Select `gpc-helper` / GoPay settings when using GoPay/GPC. +7. Configure proxy mode if the extension manages proxy; otherwise rely on browser launch proxy. +8. Save settings. +9. Start manual steps or Auto Run with `RUN_COUNT=1`. + +Programmatic route, if writing a helper script: + +- Prefer controlling the sidepanel UI or sending extension runtime messages from the extension context. +- Do not inject secrets into shell command lines where they will remain in history/process listings. +- Keep settings source in `~/.hermes/env/codex_oauth_onboarding.env`. + +## Execution Checklist + +1. Load this skill and `clawemail-operations`. +2. Read `~/.hermes/env/codex_oauth_onboarding.env` locally; validate required fields for the selected target. +3. Confirm payment/Plus intent if `PLUS_MODE_ENABLED=true`. +4. Verify ClawEmail auth and selected mailbox. +5. Confirm extension repo exists and tests pass if the checkout changed. +6. Start a dedicated proxied browser profile with the unpacked extension. +7. Open sidepanel and apply settings. +8. Start one run. +9. Monitor logs for: + - registration email submitted + - signup verification code fetched + - profile completed + - Plus checkout/payment status, if enabled + - OAuth URL refreshed + - login code fetched, if required + - localhost callback captured + - platform verification succeeded +10. If security challenge/CAPTCHA/phone/payment confirmation appears, pause and notify BOSS. +11. After success, verify target platform has the new authorized account/session. +12. Redact secrets and callback codes in the final report. + +## Storage and Export Risk + +The extension stores sensitive configuration in `chrome.storage.local`, including possible: + +- CPA management key / password. +- SUB2API password. +- Codex2API admin key. +- Proxy username/password/API URL. +- Hotmail account passwords, `clientId`, `refreshToken`. +- PayPal account pool credentials. +- 2925 mailbox credentials. +- LuckMail / HeroSMS / 5sim / NexSMS API keys. +- Cloudflare Temp Email auth fields. + +Runtime state goes mostly to `chrome.storage.session`, including generated email, password, codes, OAuth URL, localhost callback, and target session metadata. + +The built-in export function exports `getPersistedSettings()` as JSON; this can include sensitive persistent settings. Treat every export as secret material. + +## Troubleshooting + +### Google Chrome stable may ignore `--load-extension` + +On BOSS's macOS Chrome stable 147, verbose logs showed `--load-extension is not allowed in Google Chrome, ignoring.` In that case, `ps` still shows the flag but the extension card never appears. Do not keep relaunching the same way. Use the visible UI workaround: open `chrome://extensions`, enable Developer Mode, physically click **加载未打包的扩展程序**, choose the repo folder in the macOS picker, then verify the unpacked card is `ENABLED`. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md`. + +### PassWall2/DNS split rules still polluted + +After BOSS updates PassWall2/domain split rules, verify DNS takeover before relaunching the extension. Domain rules alone are not enough if macOS still resolves `chatgpt.com` / `accounts.openai.com` through ISP/local DNS. + +Run: + +```bash +python3 - <<'PY' +import socket +for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']: + print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)})) +PY +scutil --dns | sed -n '1,120p' +curl -I -L --max-time 20 https://chatgpt.com/ +``` + +If `chatgpt.com` resolves to suspicious non-Cloudflare ranges such as `199.59.150.40` / `202.160.128.16`, or `accounts.openai.com` resolves to `128.121.146.109` / `192.133.77.189` / `2001::80f2:f09b`, treat it as DNS pollution and stop before registration/OAuth. Ask BOSS to fix PassWall2 DNS takeover/remote DNS/fake-ip or redir-host. See `references/openai-chatgpt-browser-probe-2026-05-08.md`, `references/passwall2-openai-dns-pollution-2026-05-08.md`, and `references/openai-lan-proxy-endpoint-probe-2026-05-08.md` for browser/TLS/proxy endpoint failure patterns. + +When BOSS provides a LAN proxy endpoint such as `socks5://192.168.2.8:1085` or `http://192.168.2.8:1084`, test the endpoint before launching Chrome: + +```bash +ping -c 2 -W 1000 192.168.2.8 || true +nc -vz -w 5 192.168.2.8 1085 || true +curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/ +``` + +Use `socks5h://` with `curl` so DNS resolution happens through the SOCKS proxy. If proxy TCP tests fail with `No route to host`, stop: this is a LAN/gateway/proxy reachability problem, not an OpenAI OAuth or extension problem. + +### OpenAI/ChatGPT direct-connect preflight before launching Chrome + +Before opening the visible Chrome registration flow, run a raw DNS/TLS preflight even if the rest of the environment looks healthy: + +```bash +python3 - <<'PY' +import socket +for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']: + try: + print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)})) + except Exception as e: + print(host, 'ERR', e) +PY +curl -I -L --max-time 25 https://chatgpt.com/ | sed -n '1,30p' +``` + +If `BROWSER_PROXY_SERVER` is empty and DNS/TLS shows known pollution or transport failure, **stop before launching the registration/OAuth flow**. Examples observed during BOSS's Codex2API + GoPay plan-A test: + +- `chatgpt.com` resolving to non-Cloudflare/suspicious ranges such as `67.230.169.182` or odd IPv6 entries. +- `accounts.openai.com` resolving to suspicious ranges such as `199.59.149.234` / `2001::...`. +- `curl https://chatgpt.com/` failing with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`. + +Treat this as an environment/proxy/DNS problem, not an extension, ClawEmail, Codex2API, or account problem. Ask BOSS to fill a reachable `BROWSER_PROXY_SERVER=socks5://host:port` or `http://host:port`, then re-run proxy TCP/exit-IP/ChatGPT checks before starting Chrome. This avoids burning a registration attempt on a flow that will almost certainly stall on OpenAI auth. + + + +```bash +PROXY='socks5h://192.168.2.8:1085' +nc -vz -w 3 192.168.2.8 1085 || true +curl --proxy "$PROXY" -I -L --max-time 25 https://chatgpt.com/ 2>&1 | sed -n '1,80p' +curl --proxy "$PROXY" --max-time 15 https://api.ipify.org 2>&1 || true +route -n get 192.168.2.8 2>/dev/null || true +arp -n 192.168.2.8 || true +ping -c 3 -W 1000 192.168.2.8 || true +``` + +If the Mac cannot reach the gateway/port (`No route to host`, `Couldn't connect to server`, ping loss), report this as a local gateway/port problem rather than continuing OAuth or extension tests. See `references/passwall2-socks5-gateway-reachability-2026-05-08.md` for the session example. + +### Extension launch appears successful but `chrome://extensions` is empty + +Chrome/CDP can mislead in multi-profile sessions. A process may show `--load-extension`, and CDP may even transiently show a `chrome-extension://.../service_worker.js` target, while the intended unpacked extension is not actually visible or registered in the isolated profile. + +Before starting OpenAI registration, verify the intended automation extension with stronger evidence: + +- `chrome://extensions/` visibly shows the `codex-oauth-automation-extension` unpacked card; or +- `Default/Preferences` has an `extensions.settings` entry whose manifest/path match the intended repo; or +- the intended extension page/sidepanel opens and renders expected UI; or +- an extension-context runtime call reads the expected manifest/state. + +If `chrome://extensions` is empty and `extensions.settings` is empty, stop before registration. Report the block as **extension launch/registration failure before signup**, keep the ClawEmail record pending/failed according to whether signup was actually attempted, and avoid burning the mailbox on a manual unsupported flow. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md` for the observed Chrome 147 anomaly and debug checklist. + +### OpenAI verification email does not arrive in ClawEmail + +A 2026-05-09 ordinary-registration test reached OpenAI's normal `email-verification` page with two fresh ClawEmail sub-mailboxes, but no OpenAI code arrived in inbox or spam even after resend. Both sub-mailboxes passed a self-send receive test, so the block was classified as OpenAI/ClawEmail deliverability rather than browser, proxy, extension, CAPTCHA, or phone-verification failure. See `references/openai-clawemail-verification-nondelivery-2026-05-09.md`. + +### OpenAI email verification does not arrive + +1. Confirm ClawEmail external receive is enabled on the **exact sub-mailbox** used for the run. Newly-created sub-mailboxes default to internal-only communication (`commLevel=1`, `extReceiveType=0`) and will silently miss OpenAI mail. +2. For BOSS's setup, keep ClawEmail Dashboard master-login state in a **dedicated persistent Chrome profile**, not in the disposable Codex OAuth browser profile: + - profile: `/Users/chick/.Hermes/workspace/browser-profiles/clawemail-dashboard-persistent` + - CDP port: `9224` + - URL: `https://claw.163.com/projects/dashboard/#/` + The Codex OAuth Chrome profile/port 9223 may be killed or recreated frequently; do not store Dashboard master login there. +3. After creating a run sub-mailbox, immediately update its communication settings before submitting it to OpenAI: + - call Dashboard API base `https://claw.163.com/mailserv-claw-dashboard` (observed via `performance.getEntriesByType('resource')`, not bare `/api/v1/...`) + - `GET /api/v1/workspaces` to obtain `workspaceId` + - `GET /api/v1/mailboxes?workspaceId=` to find the sub-mailbox `id` + - `POST /api/v1/mailboxes/comm-settings?id=` with JSON body `{"commLevel":2,"extReceiveType":1,"extSendType":0}` + - verify with `mail-cli clawemail info --uid --json` that `commLevel=2` and `extReceiveType=1` +4. Poll the **sub-mailbox profile**, not just the default primary mailbox profile. If the profile was deleted/recreated, fix `~/.config/mail-cli/config.json` or call `mail-cli` with a valid profile/user. +5. Check inbox and spam. +6. Send a self-test email to the sub-mailbox and verify it arrives. +7. If self-test works but OpenAI mail still does not arrive after resend, stop and record `openai_email_verification` failure; try a primary ClawEmail mailbox or another provider next. + +### Proxy not applied + +- Visit an IP-check page in the isolated browser before starting. +- If auth proxy fails, use a local forwarding proxy wrapper. +- Do not put proxy passwords in final answers. + +### ClawEmail code not found + +- Verify the email address submitted in step 2 matches `CLAWEMAIL_UID` or the created sub-mailbox. +- Use `mail-cli mail list --fid 1 --limit 20 --json` and inspect recent OpenAI messages. +- Check spam/deleted folders if inbox is empty. + +### OAuth callback not captured + +- Step `confirm-oauth` listens for localhost callback via webNavigation/tabs updates. +- Re-run the OAuth login/confirm steps only, not the full registration, unless the auth session is invalid. +- Verify target mode settings and state value mismatch errors. + +### Target verify fails + +- For SUB2API, verify URL/email/password/group/priority/proxy fields. +- For Codex2API, verify URL and admin key. +- For CPA, verify management origin/key and callback endpoint support. +- Do not print callback URL with `code=`; redact. + +### Plus/GoPay fails + +- Confirm Plus mode and payment method are correct. +- Confirm GPC helper URL/card key/phone/PIN/OTP channel settings. +- Stop before retrying paid operations repeatedly; ask BOSS. + +See `references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md` for the session note covering the macOS TCC screenshot fix, LAN/SOCKS5 verification, and ordinary-registration prep sequence. + +See `references/openai-clawemail-verification-nondelivery-2026-05-09.md` for the ordinary registration test where OpenAI reached the email-verification page for two ClawEmail submailboxes, but no OpenAI verification email arrived despite submailbox self-test delivery working. + +See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md` for the phone-verification continuation where OpenAI `add-phone` required SMS, BOSS corrected that WhatsApp receive channels must not be used, and 5sim `activation/*/openai` orders plus visible country selection were identified as the right class of workflow. + +See `references/openai-phone-verification-5sim-sms-2026-05-10.md` for early detailed retry notes: cancel failed 5sim orders before buying new ones, treat OpenAI `无法向此电话号码发送验证码` as a number/provider rejection, and avoid CDP-only mutations that desync the React country selector back to `美国 (+1)`. **Do not copy the early Vietnam-default assumption when `FIVE_SIM_COUNTRY_ORDER` is set; use the corrected precedence in `references/openai-phone-verification-country-order-account-deactivated-2026-05-10.md`.** + +See `references/openai-add-phone-1083-vietnam-resend-2026-05-10.md` for the follow-up test requested by BOSS: switch browser proxy to `socks5://192.168.2.8:1083`, regenerate Codex2API OAuth URL from the origin API when the auth session expires, continue with configured-country `vietnam` SMS activation, and for non-rejected numbers poll 5sim then click `重新发送` before canceling/retrying. + +See `references/openai-phone-verification-country-order-account-deactivated-2026-05-10.md` for the correction that `FIVE_SIM_COUNTRY_ORDER` (for example `argentina,netherlands,indonesia`) takes precedence over empty `FIVE_SIM_COUNTRY_ID` and default `vietnam`, plus the recovery rule that `account_deactivated` during email verification ends phone attempts for that mailbox. + +## Verification Checklist + +- [ ] Config file exists at `~/.hermes/env/codex_oauth_onboarding.env` with mode-specific fields. +- [ ] ClawEmail auth passes. +- [ ] Isolated browser profile is not the normal personal profile. +- [ ] Browser exit IP matches intended proxy. +- [ ] Extension is loaded and sidepanel opens. +- [ ] Only one target mode is active. +- [ ] Plus payment was explicitly approved if enabled. +- [ ] Target platform shows the OAuth account/session after verification. +- [ ] Final report redacts all secrets, callback codes, passwords, API keys, and proxy credentials.