docs: compact codex oauth onboarding skill

This commit is contained in:
2026-05-10 22:37:41 +08:00
parent 432eebb55e
commit 3fe55cfb09
2 changed files with 773 additions and 450 deletions
+233 -450
View File
@@ -1,540 +1,323 @@
---
name: codex-oauth-plus-onboarding
description: "Use when BOSS asks to register a ChatGPT/Codex OAuth account flow with ClawEmail, optionally open Plus through GoPay/GPC, and authorize the OAuth callback into SUB2API, Codex2API, or CPA using an isolated proxied browser profile."
version: 1.0.0
description: "Low-token, stable workflow for BOSS's Codex/OpenAI OAuth onboarding: ClawEmail signup, optional 5sim SMS phone verification, and callback import into CPA/Codex2API/SUB2API."
version: 2.0.0
author: Hermes Agent
license: MIT
metadata:
hermes:
tags: [codex, oauth, clawemail, gopay, sub2api, codex2api, cpa, browser-automation]
tags: [codex, oauth, clawemail, 5sim, cpa, codex2api, sub2api, browser-automation]
related_skills: [clawemail-operations, browser-extension-storage-audit]
---
# Codex OAuth + Plus Onboarding
# Codex OAuth + CPA/Codex2API Onboarding — low-token runbook
## Overview
Use when BOSS asks to register/login an OpenAI/Codex OAuth account, verify it via ClawEmail and possibly 5sim SMS, then import the OAuth callback into **CPA / CLI Proxy API**, Codex2API, or SUB2API.
This skill describes the safe, repeatable workflow for using the local `codex-oauth-automation-extension` project to run a **single user-authorized onboarding flow**:
Safety: BOSS-owned infra/accounts only. Stop for CAPTCHA/security challenge/payment confirmation unless BOSS explicitly approves the next step. Never reveal API keys, passwords, proxy URLs, full phone numbers, OAuth `code=`, SMS/email codes, admin keys, or tokens; report `[REDACTED]`.
1. Use **ClawEmail** as the registration mailbox.
2. Register/Login through ChatGPT/OpenAI auth.
3. Optionally open ChatGPT Plus through **GoPay / GPC helper**.
4. Complete OAuth authorization.
5. Submit the localhost OAuth callback to exactly one configured target: **SUB2API**, **Codex2API**, or **CPA**.
6. Run the browser in an isolated profile with a dedicated proxy.
## 0. Required companion skill
The skill is for BOSS's own infrastructure and accounts only. Do not use it for spam, credential stuffing, rate-limit evasion, CAPTCHA bypass, unauthorized account creation, or bulk registration. If a page asks for CAPTCHA, security challenge, phone ownership proof, payment confirmation, or another user-visible anti-abuse checkpoint, pause and ask BOSS to complete/approve it manually.
Before ClawEmail work, load:
## When to Use
Use this skill when BOSS asks for any of these:
- “用 ClawEmail 注册 Codex / ChatGPT OAuth,然后授权到 SUB2API / Codex2API / CPA”
- “用 GoPay 开 Plus 后把 OAuth 接进去”
- “把 QLHazyCoder/codex-oauth-automation-extension 那套流程跑起来”
- “给这个注册流程做独立代理、无痕/隔离浏览器配置”
- “把这个流程做成可复用配置和操作步骤”
Also load `clawemail-operations` before any ClawEmail mailbox work.
## BOSS-specific Operating Defaults
These are confirmed operating rules for BOSS's environment:
- Use **Google Chrome stable** at `/Applications/Google Chrome.app/Contents/MacOS/Google Chrome` with a real visible window.
- Do **not** set a default target platform. If `PANEL_MODE` is empty or not one of `cpa|sub2api|codex2api`, stop before launching the run.
- Proxies are supplied as unauthenticated `socks5://host:port` or `http://host:port`; do not expect proxy username/password.
- The new account password is unified through `CUSTOM_PASSWORD`. If it is empty, stop and ask BOSS to fill it, unless BOSS explicitly allows auto-generation for that run.
- ClawEmail creates a fresh mailbox for every run (`CLAWEMAIL_CREATE_PER_RUN=true`). Record every created mailbox locally with outcome classification: pending, success, failed. **Immediately after creation, actively set/verify the mailbox's communication settings before submitting it to OpenAI:** new sub-mailboxes can default to internal-only (`commLevel=1`, `extReceiveType=0`), which blocks OpenAI verification mail. The gate must pass with external receive enabled (`commLevel=2`, `extReceiveType=1`). Do not merely tell BOSS to do this manually: first try the logged-in ClawEmail Dashboard API `POST /api/v1/mailboxes/comm-settings?id=<mailboxId>` with `{commLevel:2, extReceiveType:1, extSendType:0}`. If the Dashboard is not logged in, open/login to it and ask BOSS only for the QQ master-mailbox 6-digit login code if the agent cannot read QQ mail. See `clawemail-operations` reference `references/clawemail-dashboard-comm-settings-openai-signup-2026-05-10.md` and this skill's `references/clawemail-external-receive-gate-openai-2026-05-10.md`.
- Phone/SMS platform has no default. Keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless BOSS configures one or approves enabling it after a phone verification appears.
- If phone verification appears and BOSS has configured 5sim, use **SMS activation for `openai`**, not WhatsApp receive channels. The original extension's 5sim provider buys `/v1/user/buy/activation/{country}/{operator}/openai`, polls `/v1/user/check/{activationId}`, and finishes/cancels the activation. **Before buying any 5sim number, pass the identity gate:** the browser must already be confirmed on `auth.openai.com/add-phone` for a usable OpenAI account. If OpenAI returns `account_deactivated`, if ClawEmail cannot create a new sub-mailbox due to quota, or if reused sub-mailboxes only show password mismatch, stop and ask BOSS to free mailbox quota/provide the correct password/approve another mailbox provider. **Country selection priority is `FIVE_SIM_COUNTRY_ORDER` first** (comma-separated list such as `argentina,netherlands,indonesia`), then `FIVE_SIM_COUNTRY_ID`, then the original extension default `vietnam` only if both are empty. For each configured country, rotate numbers up to `PHONE_VERIFICATION_REPLACEMENT_LIMIT`; do **not** silently switch outside the configured order unless BOSS approves. Before buying/submitting a non-USA number, verify the OpenAI visible country selector is already the expected country (for example `阿根廷 (+54)`, `荷兰 (+31)`, `印度尼西亚 (+62)`, or `越南 (+84)`); if it reverted to `美国 (+1)`, fix the selector first or the number will be parsed as invalid. Use visible UI paste/click on `add-phone` when possible because CDP-only input mutation can desync React state and revert the country on submit. If a number is **not immediately rejected**, do not cancel it after one polling timeout: poll 5sim, click OpenAI `重新发送`, poll again, and retry resend at least once before canceling/rotating. If changing proxy (for example `1085``1083` or back), expect OpenAI auth session invalidation and restart from a fresh target OAuth URL. Codex2API env URLs may point at `/admin/accounts`; derive the API origin before calling `/api/admin/oauth/generate-auth-url`. If OpenAI returns `account_deactivated` after email verification, stop the current account and start with a new ClawEmail sub-mailbox instead of burning 5sim numbers. See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md`, `references/openai-phone-verification-5sim-sms-2026-05-10.md`, `references/openai-phone-verification-proxy1083-resend-2026-05-10.md`, `references/codex-oauth-token-lite-automation-flow-2026-05-10.md`, and `references/clawemail-quota-identity-gate-before-phone-verify-2026-05-10.md` for observed behavior, resend strategy, proxy-switch recovery, identity-gate checks, and pitfalls.
- If a phone-verification runner is stopped or interrupted, immediately inspect/cancel any active 5sim activation left in `RECEIVED`; killed scripts may not execute cleanup. For a UK `+44` run, use 5sim country slug `england`, OpenAI ISO `GB`, visible selector `英国 (+44)`, and dial prefix `44`. For a Europe broadened run requested as Italy/Poland/Spain/UK, use `italy -> IT -> 意大利 (+39)`, `poland -> PL -> 波兰 (+48)`, `spain -> ES -> 西班牙 (+34)`, and `england -> GB -> 英国 (+44)`. For Chile, use `chile -> CL -> 智利 (+56)` and prefix `56`; 5sim may return HTTP 200 `text/plain` body `no free phones` for `/v1/user/buy/activation/chile/any/openai`, which means no activation was created and no cancellation is needed. When BOSS says to run “10 次” across a country set, treat it as **10 total attempts across the ordered set**, not 10 per country, unless he explicitly says per-country; if BOSS says each region switches after 3 consecutive failures, schedule chunks as `country x3 -> next country`, capped by the global total. **For global budgets larger than one full pass of chunks, cycle the country chunks until the global budget is exhausted** (e.g. 20 attempts with 4 countries and chunk size 3 must continue after UK back to Italy; do not stop at 12). When BOSS asks for free-country exploration, ignore stale `FIVE_SIM_COUNTRY_ORDER`, use a broad OpenAI-supported candidate map, cap each country (for example 2 real activations), and count only successful 5sim buys with activation ids toward the global budget; `no free phones`, country-gate/CDP errors before buying, and OAuth recovery failures are not real attempts. 5sim may return HTTP 200 `text/plain` such as `no free phones` from buy endpoints; classify it as inventory miss, no cancellation needed. For the 2026-05-10 EU4 total-20 run, all 20 real activations ended with zero SMS and WhatsApp resend classification; see `references/openai-add-phone-eu4-total20-real-activations-2026-05-10.md`. For the 2026-05-10 free-country run, Vietnam succeeded with a 5sim `openai` SMS activation, OpenAI phone verification passed, and OAuth consent produced a callback; the remaining blocker was Codex2API server-side token exchange returning `unsupported_country_region_territory` even after setting admin `proxy_url`, so inspect/fix Codex2API outbound proxy use for token exchange before retrying final callback. See `references/openai-phone-free-country-vietnam-sms-success-codex2api-region-block-2026-05-10.md`. For free-country runner policy and 5sim inventory quirks, see `references/openai-add-phone-free-country-runner-policy-2026-05-10.md`. Before buying any 5sim activation, enforce the `add-phone` identity gate: the active OpenAI page must already be a usable `https://auth.openai.com/add-phone`; if recovery lands on password mismatch, `invalid_state`, stale email verification, or `account_deactivated`, stop before buying numbers. One-off country test runners must hardcode/validate their effective country order at startup (e.g. `ORDER=['chile']`) and abort if it still reads a stale env order. Before opening a fresh OAuth recovery tab, close stale `auth.openai.com` / `phone-verification` / localhost callback tabs unless the current tab is already a usable `add-phone` page; this prevents tab pile-up and CDP target ambiguity. Before clicking OpenAI resend, **probe the resend channel without clicking** by reading button `value`/`aria-label`/`title`/text; if it says WhatsApp and BOSS's policy is SMS-only, cancel the SMS activation and rotate/stop instead of clicking. Classify `This page isnt working` / `HTTP ERROR 500` / `500 Internal Server Error` after resend as `resend_server_error`, cancel the order, and recover to `add-phone`. See `references/openai-add-phone-strict-country-gate-2026-05-10.md`, `references/openai-add-phone-uk44-and-runner-cleanup-2026-05-10.md`, `references/openai-add-phone-eu4-roundrobin-correction-2026-05-10.md`, `references/openai-add-phone-eu4-3fail-switch-results-2026-05-10.md`, `references/openai-phone-country-scheduler-cyclic-chunks-2026-05-10.md`, `references/openai-add-phone-chile-no-free-phones-2026-05-10.md`, `references/openai-login-recovery-gate-before-phone-runs-2026-05-10.md`, `references/openai-oauth-tab-cleanup-before-recovery-2026-05-10.md`, and `references/official-extension-phone-update-2026-05-10.md`.
If Codex2API callback exchange fails with OpenAI `unsupported_country_region_territory`, switch to CPA / CLI Proxy API when BOSS provides `CPA_VPS_URL` and `CPA_VPS_PASSWORD`. Original extension reference: `background/panel-bridge.js` derives the CPA management origin from `new URL(CPA_VPS_URL).origin`, then requests `GET <origin>/v0/management/codex-auth-url` with both `Authorization: Bearer <CPA_VPS_PASSWORD>` and `X-Management-Key: <CPA_VPS_PASSWORD>`; the management UI may add `?is_webui=true`, which is also acceptable. It extracts OAuth URL from `url|auth_url|authUrl|data.*` and state from response or the URL. For callback submission, `background/steps/platform-verify.js` validates localhost callback contains `code` and `state`, rejects mismatched `cpaOAuthState`, then posts `POST <origin>/v0/management/oauth-callback` body `{"provider":"codex","redirect_url":"http://localhost:1455/auth/callback?..."}` with the same two headers. Verify via `GET <origin>/v0/management/get-auth-status?state=<state>` and `<origin>/v0/management/auth-files`. Do not use root `/api/auth/url` for Codex; it may be an unrelated Amp endpoint returning `amp upstream proxy not available`. See `references/cpa-panel-codex-oauth-success-2026-05-10.md`.
- Plus mode uses
- GoPay WhatsApp OTP uses **方案 A / manual checkpoint**: set `GOPAY_OTP_SOURCE=manual`. The extension detects OTP input and opens a side-panel prompt (`requestGoPayOtpInput` / “输入 GoPay 验证码”); BOSS pastes the WhatsApp code, then the extension fills OTP, fills `GOPAY_PIN`, and continues.
- `GOPAY_OTP` should normally stay empty before the run. It is only a temporary prefill/cache for the current OTP dialog, not a durable secret.
- Do not implement WhatsApp scraping/API automation unless BOSS explicitly requests it later.
- When BOSS says the environment is normal and asks to start registration testing, treat `socks5://192.168.2.8:1085` as the expected browser proxy unless BOSS overrides it. If `BROWSER_PROXY_SERVER` is empty, patch the local env to this SOCKS5 endpoint and verify it before launching Chrome; do not stop with a question asking whether to use it.
- For ordinary-account test runs, set `PLUS_MODE_ENABLED=false` before launching. Keep `PLUS_PAYMENT_METHOD=gopay` untouched for later Plus runs, but do not enter Plus/payment steps.
- Registration/OAuth tests are step-gated for BOSS: after environment/config prep and mailbox creation, report the created mailbox and wait for explicit “继续” before launching the visible browser flow.
1. **Explicit target**: BOSS must specify exactly one target mode: `sub2api`, `codex2api`, or `cpa`; there is no default target, and an empty `PANEL_MODE` must stop execution.
2. **Single-run default**: default to one account / one OAuth flow unless BOSS explicitly requests a count.
3. **No CAPTCHA bypass**: if Cloudflare/CAPTCHA/security challenge appears, stop and report the required manual action.
4. **Payment checkpoint**: Plus mode is GoPay for BOSS, but before any GoPay payment or paid operation, confirm that BOSS wants to proceed.
5. **No secret leakage**: never print API keys, admin keys, proxy addresses if sensitive, refresh tokens, card keys, or OAuth callback URLs containing `code=` in final summaries. Redact as `[REDACTED]`.
6. **Config export risk**: the extensions built-in settings export may contain secrets. Treat exported files as sensitive.
7. **Mailbox records**: every freshly-created ClawEmail mailbox must be recorded locally with run id and final status (`pending`, `success`, or `failed`).
## Repository and Local Paths
Known research clone:
```bash
/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
```text
clawemail-operations
```
If missing, clone shallow:
## 1. Low-token operating mode
```bash
mkdir -p /Users/chick/.Hermes/workspace/research
cd /Users/chick/.Hermes/workspace/research
git clone --depth=1 https://github.com/QLHazyCoder/codex-oauth-automation-extension.git
Prefer script-driven runs that emit compact JSONL. Only send screenshots or long logs when a gate fails.
### Tool/reporting rules
- Read secrets only from `~/.hermes/env/codex_oauth_onboarding.env`; do not paste them into chat.
- Reports should contain: phase, account email, country slug, activation id, high-level status, HTTP status, and redacted error class.
- Avoid dumping HTML, callback URLs, headers, full 5sim responses, or full phone numbers.
- Save detailed evidence to `references/` or local logs; final response stays concise.
## 2. Environment constants for BOSS
```text
env: ~/.hermes/env/codex_oauth_onboarding.env
workspace: /Users/chick/.Hermes/workspace
OAuth Chrome CDP default: 9223
ClawEmail Dashboard CDP default: 9224
OAuth profile root: /Users/chick/.Hermes/workspace/browser-profiles/codex-oauth
Dashboard profile: /Users/chick/.Hermes/workspace/browser-profiles/clawemail-dashboard-persistent
Preferred browser proxy when unspecified: socks5://192.168.2.8:1085
Chrome: /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
```
Validate tests when modifying or before relying on a changed checkout:
Use visible Google Chrome for OpenAI/Auth pages. Do not use BOSS's personal browser profile.
```bash
cd /Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
node --test tests/*.test.js
## 3. Hard gates — do not skip
1. **Target gate**: exactly one target mode: `cpa`, `codex2api`, or `sub2api`. No default if env is empty.
2. **Password gate**: `CUSTOM_PASSWORD` must be set unless BOSS approves generating one.
3. **Proxy gate**: verify proxy TCP and OpenAI reachability before browser flow.
4. **Mailbox gate**: new ClawEmail sub-mailbox must have external receive enabled before OpenAI signup.
5. **OpenAI identity gate before phone**: only buy 5sim if active page is a usable `https://auth.openai.com/add-phone` for a non-deactivated account.
6. **Country gate before phone buy/submit**: OpenAI select value and visible dial code must match target country before buying and again before clicking Continue.
7. **SMS-only gate**: if OpenAI resend channel probes as WhatsApp, do not click it; cancel/rotate under SMS-only policy.
8. **Callback state gate**: callback `state` must match generated OAuth state when known.
9. **Payment gate**: any Plus/GoPay paid action needs explicit BOSS confirmation.
## 4. Recommended decision tree
```text
Need OAuth import?
├─ Target CPA available? → prefer CPA (most reliable after 2026-05-10 success)
├─ Codex2API requested? → try Codex2API; if token exchange returns unsupported_country_region_territory, switch/fix backend proxy or use CPA
└─ SUB2API requested? → use original extension/content-script path
Need new OpenAI account?
├─ Create ClawEmail sub-mailbox with 8 lowercase letters
├─ Enable external receive via Dashboard API
├─ Submit email/password, poll ClawEmail code
└─ If phone page appears → 5sim SMS flow
Already phone-verified account?
└─ Generate fresh target OAuth URL, login/consent, submit callback to target
```
Observed verification result during initial study: `772` tests passed, `0` failed.
## 5. ClawEmail sub-mailbox gate
## Configuration File
BOSS preference: per-run ClawEmail prefix is **exactly 8 lowercase letters** with no `codex` prefix, e.g. `chickliu.ktqcxzux@claw.163.com`.
Create a dedicated env file instead of typing secrets into chat. A fuller template is stored with this skill at `templates/codex_oauth_onboarding.env.example`. If BOSS has temporarily filled real values into that template, first copy it to the real env file, back up the filled template privately, and sanitize the template again; see `references/env-file-and-5sim-notes.md`.
After creation, enable external receive. Observed Dashboard API base:
```bash
mkdir -p ~/.hermes/env
chmod 700 ~/.hermes/env
cp ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example ~/.hermes/env/codex_oauth_onboarding.env
chmod 600 ~/.hermes/env/codex_oauth_onboarding.env
$EDITOR ~/.hermes/env/codex_oauth_onboarding.env
```text
https://claw.163.com/mailserv-claw-dashboard
```
High-level required groups:
Required final values:
1. **Local project / browser**: `CODEX_OAUTH_EXTENSION_DIR`, `CHROME_BIN`, `BROWSER_PROFILE_ROOT`, `BROWSER_HEADLESS=false`.
2. **Panel / target mode**: `PANEL_MODE=cpa|sub2api|codex2api` has **no default**; if empty, stop. Fill only the selected targets auth fields copied from the original side panel (`CPA_VPS_URL`/`CPA_VPS_PASSWORD`, or `SUB2API_*`, or `CODEX2API_*`).
3. **Proxy**: fill `BROWSER_PROXY_SERVER` with BOSS-provided unauthenticated `socks5://host:port` or `http://host:port`; use `IP_PROXY_*` only when using the original extensions built-in 711proxy/IP proxy panel.
4. **Registration identity and password**: `CLAWEMAIL_CREATE_PER_RUN=true`, `CLAWEMAIL_PREFIX`, `CLAWEMAIL_RECORD_FILE`, `SIGNUP_METHOD=email`, and unified `CUSTOM_PASSWORD`. For BOSS's ClawEmail per-run accounts, use a pure lowercase English **8-letter random create prefix with no base prefix** (example create prefix `abcdefgh`, resulting sub-mailbox shape `chickliu.abcdefgh@claw.163.com`). Live ClawEmail probing showed create prefixes are accepted only up to 11 characters and dots/hyphens are rejected despite docs/help text, so do not use `codex` + 8 letters. Store/observe the policy with `CLAWEMAIL_PREFIX=` (empty), `CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8`, `CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz`, and `CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true` when helper scripts support it; if not, generate the 8-letter prefix in the runner before calling `mail-cli clawemail create --prefix ...`.
5. **Mail provider**: `MAIL_PROVIDER`, `EMAIL_GENERATOR`, and original-provider fields only if not polling ClawEmail from Hermes.
6. **Phone/SMS verification fallback**: no default provider; keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless configured/approved.
7. **Plus/payment**: `PLUS_MODE_ENABLED=true`, `PLUS_PAYMENT_METHOD=gopay`; paid operations still require explicit confirmation.
Minimal template excerpt:
```bash
# Required: local extension repo
CODEX_OAUTH_EXTENSION_DIR=/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
```bash
# Required: ClawEmail mailbox
CLAWEMAIL_UID=chickliu@claw.163.com
# BOSS preference: per-run sub-mailbox create prefix is exactly 8 lowercase English random letters.
# Example create prefix: abcdefgh -> chickliu.abcdefgh@claw.163.com
CLAWEMAIL_PREFIX=
CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8
CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
```
# Browser isolation
BROWSER_PROFILE_ROOT=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth
BROWSER_HEADLESS=false
BROWSER_PROXY_SERVER=http://host:port
BROWSER_PROXY_USERNAME=
BROWSER_PROXY_PASSWORD=
# Target mode: sub2api | codex2api | cpa
OAUTH_TARGET_MODE=sub2api
# SUB2API settings
SUB2API_URL=
SUB2API_EMAIL=
SUB2API_PASSWORD=
SUB2API_GROUP_NAME=default
SUB2API_ACCOUNT_PRIORITY=1
SUB2API_DEFAULT_PROXY_NAME=
# Codex2API settings
CODEX2API_URL=
CODEX2API_ADMIN_KEY=
# CPA settings
CPA_URL=
CPA_MANAGEMENT_KEY=
CPA_LOCAL_STEP9_MODE=submit
# Plus / GoPay / GPC helper settings
PLUS_MODE_ENABLED=false
PLUS_PAYMENT_METHOD=gpc-helper
GPC_HELPER_API_URL=
GPC_HELPER_CARD_KEY=
GPC_HELPER_COUNTRY_CODE=+86
GPC_HELPER_PHONE_NUMBER=
GPC_HELPER_PIN=
GPC_HELPER_OTP_CHANNEL=whatsapp
GPC_HELPER_LOCAL_SMS_ENABLED=false
GPC_HELPER_LOCAL_SMS_URL=http://127.0.0.1:18767
# Runtime behavior
RUN_COUNT=1
AUTO_RUN_SKIP_FAILURES=false
AUTO_STEP_DELAY_SECONDS=2
OAUTH_FLOW_TIMEOUT_ENABLED=true
```json
{"commLevel":2,"extReceiveType":1,"extSendType":0}
```
Rules:
Use Dashboard persistent Chrome/profile for master login, not the disposable OAuth profile. If Dashboard login needs a master QQ mailbox code and the agent cannot retrieve it, ask BOSS.
- Keep this file local only; never commit it.
- Use `[REDACTED]` in reports for all secret values.
- If multiple target sections are filled, only the section selected by `OAUTH_TARGET_MODE` should be used.
Key references:
## Browser Isolation and Proxy Strategy
- `references/clawemail-external-receive-gate-openai-2026-05-10.md`
- `references/clawemail-random-suffix-policy-2026-05.md`
This workflow must use a **real visible Chrome/Chromium browser**. Do not use headless browser mode for registration, payment, OAuth consent, or security-sensitive OpenAI/Auth pages.
## 6. OpenAI email/profile flow
Use a **dedicated browser profile** per run or per account. “无痕模式” in Chrome does not normally persist extension state and may not allow side panel/extensions unless explicitly enabled. For this extension, prefer a real visible browser with:
Minimal flow:
- Dedicated clean `user-data-dir` profile.
- Loaded unpacked extension from `CODEX_OAUTH_EXTENSION_DIR`.
- Proxy applied at browser launch or by a verified local proxy wrapper.
- Human-visible UI for CAPTCHA/security/payment checkpoints.
- Profile cleared after success if BOSS wants no local residue.
Recommended profile naming:
```bash
RUN_ID=$(date +%Y%m%d-%H%M%S)
PROFILE_DIR="$BROWSER_PROFILE_ROOT/$RUN_ID"
mkdir -p "$PROFILE_DIR"
```text
fresh OAuth URL / signup page
submit ClawEmail sub-mailbox
submit CUSTOM_PASSWORD
poll ClawEmail inbox/spam for OpenAI code
submit code
fill profile/about-you if shown
continue to phone or OAuth consent
```
Chrome launch pattern:
If OpenAI returns `account_deactivated`, stop that account immediately and do not buy 5sim numbers.
```bash
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
--user-data-dir="$PROFILE_DIR" \
--disable-extensions-except="$CODEX_OAUTH_EXTENSION_DIR" \
--load-extension="$CODEX_OAUTH_EXTENSION_DIR" \
--proxy-server="$BROWSER_PROXY_SERVER" \
--no-first-run \
--no-default-browser-check
```
If login recovery hits `Incorrect email address or password`, `invalid_state`, stale email verification, or tab ambiguity, stop before buying phone numbers; recover account/page first.
If proxy authentication is required and Chrome launch flags do not authenticate reliably, use one of these approaches:
## 7. 5sim SMS phone flow
1. Use an upstream proxy URL that embeds auth only in a local proxy wrapper, not in command history.
2. Start a local forwarding proxy that injects upstream credentials.
3. Configure proxy credentials inside the extension only if the extension supports it and the config file is protected.
Use 5sim **SMS activation** for product/service `openai`; do not use WhatsApp receive.
Do not reuse the normal personal browser profile for this workflow.
Env/API:
## ClawEmail Preparation
Load `clawemail-operations` and verify:
```bash
mail-cli auth test --json
mail-cli clawemail list --json
mail-cli clawemail info --uid "$CLAWEMAIL_UID" --json
```
Registration email choice:
- Default: use `CLAWEMAIL_UID` directly.
- If BOSS wants per-run sub-mailboxes, create them with `mail-cli clawemail create --prefix ...` and set the extensions registration email to the created UID.
For code retrieval, the extension may interact with mail provider pages or helper logic, but ClawEmail can also be polled by Hermes:
```bash
mail-cli mail list --fid 1 --limit 20 --json
mail-cli read body --id '<message-id>'
```
Always quote message IDs.
## Extension Architecture Reference
The project is a Manifest V3 Chrome extension:
- `manifest.json`: permissions, host permissions, content scripts, side panel.
- `background.js`: service worker and state orchestration.
- `background/message-router.js`: handles sidepanel messages such as `EXECUTE_STEP`, `AUTO_RUN`, `SAVE_SETTING`, `EXPORT_SETTINGS`, `IMPORT_SETTINGS`.
- `data/step-definitions.js`: step list for normal and Plus modes.
- `background/steps/*.js`: one executor per major step.
- `content/signup-page.js`: OpenAI/Auth page DOM automation.
- `content/*mail*.js`: mail provider automation.
- `sidepanel/sidepanel.js`: UI controls and settings collection.
Important permissions include `tabs`, `webNavigation`, `webRequest`, `proxy`, `debugger`, `cookies`, `browsingData`, `storage`, `scripting`, `activeTab`, and `<all_urls>` host access.
## Normal OAuth Flow Steps
**BOSS correction / manual-flow allowance:** if BOSS asks only to test whether ordinary registration works, do not over-focus on running the original extension as the automation engine. It is acceptable to follow the extension's normal-flow sequence manually through visible Chrome, CDP, and `mail-cli`. The extension should be treated as a process reference unless BOSS explicitly asks to use it. Still keep all checkpoints: stop for CAPTCHA/Cloudflare/security challenge/phone/payment, and do not proceed to OAuth until email verification succeeds.
Normal mode step definitions:
1. `open-chatgpt` — clear ChatGPT/OpenAI cookies and open ChatGPT.
2. `submit-signup-email` — enter email or phone registration identity.
3. `fill-password` — generate/use password and submit.
4. `fetch-signup-code` — fetch registration verification code from mailbox/SMS.
5. `fill-profile` — generate and submit name + birthday.
6. `wait-registration-success` — wait for registration to stabilize.
7. `oauth-login` — refresh OAuth URL from selected target and log in.
8. `fetch-login-code` — fetch login verification code if needed.
9. `confirm-oauth` — click OAuth consent / Continue and capture localhost callback.
10. `platform-verify` — submit callback/code/state to SUB2API, Codex2API, or CPA.
### ClawEmail random suffix policy
BOSS specifically prefers Codex onboarding sub-mailboxes to use **only an 8-letter lowercase English random create prefix** after the primary mailbox dot, e.g. `chickliu.ktqcxzux@claw.163.com`. Do not use `cod`/`codex` plus 8 letters unless BOSS asks; the live ClawEmail API only accepted create prefixes up to 11 characters and rejected dots/hyphens during probing. See `clawemail-operations` reference `references/clawemail-prefix-probe-2026-05.md` and this skill's `references/clawemail-random-suffix-policy-2026-05.md`.
```bash
FIVE_SIM_API_KEY=
FIVE_SIM_BASE_URL=https://5sim.net/v1
FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia
```text
PHONE_SMS_PROVIDER=5sim
FIVE_SIM_OPERATOR=any
FIVE_SIM_PRODUCT=openai
FIVE_SIM_SERVICE=openai
BUY: /v1/user/buy/activation/{country}/any/openai
CHECK: /v1/user/check/{activation_id}
FINISH: /v1/user/finish/{activation_id}
CANCEL: /v1/user/cancel/{activation_id}
```
## Plus Flow Steps
Country precedence for configured runs:
When `PLUS_MODE_ENABLED=true`, the extension switches step definitions.
PayPal Plus path:
1-5. same registration steps.
6. `plus-checkout-create` — create Plus Checkout.
7. `plus-checkout-billing` — fill billing and submit order.
8. `paypal-approve` — PayPal login/approval.
9. `plus-checkout-return` — confirm return.
10. `oauth-login`.
11. `fetch-login-code`.
12. `confirm-oauth`.
13. `platform-verify`.
GoPay/GPC helper paths use similar Plus step positions, with payment-specific logic in `background/steps/create-plus-checkout.js`, `fill-plus-checkout.js`, `gopay-*`, and helper API settings.
## Applying Settings in the Extension
The sidepanel normally sends settings through `SAVE_SETTING`; the background persists keys in `chrome.storage.local` via `PERSISTED_SETTING_KEYS`.
Manual UI route:
1. Open isolated Chrome profile with extension loaded.
2. Open the extension side panel.
3. Set `panelMode` according to `OAUTH_TARGET_MODE`:
- `sub2api` → fill SUB2API URL/email/password/group/proxy/priority.
- `codex2api` → fill Codex2API URL/Admin Key.
- `cpa` → fill CPA URL and management key.
4. Set registration email to ClawEmail mailbox.
5. Enable Plus mode only if requested.
6. Select `gpc-helper` / GoPay settings when using GoPay/GPC.
7. Configure proxy mode if the extension manages proxy; otherwise rely on browser launch proxy.
8. Save settings.
9. Start manual steps or Auto Run with `RUN_COUNT=1`.
Programmatic route, if writing a helper script:
- Prefer controlling the sidepanel UI or sending extension runtime messages from the extension context.
- Do not inject secrets into shell command lines where they will remain in history/process listings.
- Keep settings source in `~/.hermes/env/codex_oauth_onboarding.env`.
## Execution Checklist
1. Load this skill and `clawemail-operations`.
2. Read `~/.hermes/env/codex_oauth_onboarding.env` locally; validate required fields for the selected target.
3. Confirm payment/Plus intent if `PLUS_MODE_ENABLED=true`.
4. Verify ClawEmail auth and selected mailbox.
5. Confirm extension repo exists and tests pass if the checkout changed.
6. Start a dedicated proxied browser profile with the unpacked extension.
7. Open sidepanel and apply settings.
8. Start one run.
9. Monitor logs for:
- registration email submitted
- signup verification code fetched
- profile completed
- Plus checkout/payment status, if enabled
- OAuth URL refreshed
- login code fetched, if required
- localhost callback captured
- platform verification succeeded
10. If security challenge/CAPTCHA/phone/payment confirmation appears, pause and notify BOSS.
11. After success, verify target platform has the new authorized account/session.
12. Redact secrets and callback codes in the final report.
## Storage and Export Risk
The extension stores sensitive configuration in `chrome.storage.local`, including possible:
- CPA management key / password.
- SUB2API password.
- Codex2API admin key.
- Proxy username/password/API URL.
- Hotmail account passwords, `clientId`, `refreshToken`.
- PayPal account pool credentials.
- 2925 mailbox credentials.
- LuckMail / HeroSMS / 5sim / NexSMS API keys.
- Cloudflare Temp Email auth fields.
Runtime state goes mostly to `chrome.storage.session`, including generated email, password, codes, OAuth URL, localhost callback, and target session metadata.
The built-in export function exports `getPersistedSettings()` as JSON; this can include sensitive persistent settings. Treat every export as secret material.
## Troubleshooting
### Google Chrome stable may ignore `--load-extension`
On BOSS's macOS Chrome stable 147, verbose logs showed `--load-extension is not allowed in Google Chrome, ignoring.` In that case, `ps` still shows the flag but the extension card never appears. Do not keep relaunching the same way. Use the visible UI workaround: open `chrome://extensions`, enable Developer Mode, physically click **加载未打包的扩展程序**, choose the repo folder in the macOS picker, then verify the unpacked card is `ENABLED`. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md`.
### PassWall2/DNS split rules still polluted
After BOSS updates PassWall2/domain split rules, verify DNS takeover before relaunching the extension. Domain rules alone are not enough if macOS still resolves `chatgpt.com` / `accounts.openai.com` through ISP/local DNS.
Run:
```bash
python3 - <<'PY'
import socket
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
PY
scutil --dns | sed -n '1,120p'
curl -I -L --max-time 20 https://chatgpt.com/
```text
FIVE_SIM_COUNTRY_ORDER > FIVE_SIM_COUNTRY_ID > vietnam fallback only if both empty
```
If `chatgpt.com` resolves to suspicious non-Cloudflare ranges such as `199.59.150.40` / `202.160.128.16`, or `accounts.openai.com` resolves to `128.121.146.109` / `192.133.77.189` / `2001::80f2:f09b`, treat it as DNS pollution and stop before registration/OAuth. Ask BOSS to fix PassWall2 DNS takeover/remote DNS/fake-ip or redir-host. See `references/openai-chatgpt-browser-probe-2026-05-08.md`, `references/passwall2-openai-dns-pollution-2026-05-08.md`, and `references/openai-lan-proxy-endpoint-probe-2026-05-08.md` for browser/TLS/proxy endpoint failure patterns.
For free-country exploration, ignore stale configured order if BOSS explicitly says unrestricted. Count only real activations with ids toward the budget. `no free phones`, pre-buy country-gate errors, CDP errors, or OAuth recovery failures are not attempts.
When BOSS provides a LAN proxy endpoint such as `socks5://192.168.2.8:1085` or `http://192.168.2.8:1084`, test the endpoint before launching Chrome:
Known mappings:
```bash
ping -c 2 -W 1000 192.168.2.8 || true
nc -vz -w 5 192.168.2.8 1085 || true
curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/
```text
vietnam -> VN -> 越南 (+84) -> 84
argentina -> AR -> 阿根廷 (+54) -> 54
netherlands -> NL -> 荷兰 (+31) -> 31
indonesia -> ID -> 印度尼西亚 (+62) -> 62
italy -> IT -> 意大利 (+39) -> 39
poland -> PL -> 波兰 (+48) -> 48
spain -> ES -> 西班牙 (+34) -> 34
england -> GB -> 英国 (+44) -> 44
chile -> CL -> 智利 (+56) -> 56
portugal -> PT -> 葡萄牙 (+351) -> 351
germany -> DE -> 德国 (+49) -> 49
romania -> RO -> 罗马尼亚 (+40) -> 40
```
Use `socks5h://` with `curl` so DNS resolution happens through the SOCKS proxy. If proxy TCP tests fail with `No route to host`, stop: this is a LAN/gateway/proxy reachability problem, not an OpenAI OAuth or extension problem.
Phone handling:
### OpenAI/ChatGPT direct-connect preflight before launching Chrome
Before opening the visible Chrome registration flow, run a raw DNS/TLS preflight even if the rest of the environment looks healthy:
```bash
python3 - <<'PY'
import socket
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
try:
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
except Exception as e:
print(host, 'ERR', e)
PY
curl -I -L --max-time 25 https://chatgpt.com/ | sed -n '1,30p'
```text
OpenAI immediate reject → cancel activation, rotate
No immediate reject → poll 5sim
Before resend → probe channel text/value/aria/title
├─ WhatsApp → cancel/rotate (SMS-only)
└─ SMS/unknown → click resend, poll again
SMS received → submit code, finish activation, verify page leaves phone-verification
Interrupted runner → inspect/cancel active RECEIVED activations immediately
```
If `BROWSER_PROXY_SERVER` is empty and DNS/TLS shows known pollution or transport failure, **stop before launching the registration/OAuth flow**. Examples observed during BOSS's Codex2API + GoPay plan-A test:
Known result: free-country run succeeded with Vietnam SMS, activation `1006871765`, status `FINISHED`; OpenAI phone verification passed. See `references/openai-phone-free-country-vietnam-sms-success-codex2api-region-block-2026-05-10.md`.
- `chatgpt.com` resolving to non-Cloudflare/suspicious ranges such as `67.230.169.182` or odd IPv6 entries.
- `accounts.openai.com` resolving to suspicious ranges such as `199.59.149.234` / `2001::...`.
- `curl https://chatgpt.com/` failing with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`.
## 8. CPA / CLI Proxy API — preferred callback target
Treat this as an environment/proxy/DNS problem, not an extension, ClawEmail, Codex2API, or account problem. Ask BOSS to fill a reachable `BROWSER_PROXY_SERVER=socks5://host:port` or `http://host:port`, then re-run proxy TCP/exit-IP/ChatGPT checks before starting Chrome. This avoids burning a registration attempt on a flow that will almost certainly stall on OpenAI auth.
CPA succeeded where Codex2API failed. Use this when `CPA_VPS_URL` and `CPA_VPS_PASSWORD` are configured.
Derive API origin:
```bash
PROXY='socks5h://192.168.2.8:1085'
nc -vz -w 3 192.168.2.8 1085 || true
curl --proxy "$PROXY" -I -L --max-time 25 https://chatgpt.com/ 2>&1 | sed -n '1,80p'
curl --proxy "$PROXY" --max-time 15 https://api.ipify.org 2>&1 || true
route -n get 192.168.2.8 2>/dev/null || true
arp -n 192.168.2.8 || true
ping -c 3 -W 1000 192.168.2.8 || true
```python
origin = new URL(CPA_VPS_URL).origin
# e.g. http://192.168.2.62:8317/management.html -> http://192.168.2.62:8317
```
If the Mac cannot reach the gateway/port (`No route to host`, `Couldn't connect to server`, ping loss), report this as a local gateway/port problem rather than continuing OAuth or extension tests. See `references/passwall2-socks5-gateway-reachability-2026-05-08.md` for the session example.
Headers, matching original extension:
### Extension launch appears successful but `chrome://extensions` is empty
```text
Authorization: Bearer [CPA_VPS_PASSWORD]
X-Management-Key: [CPA_VPS_PASSWORD]
Accept: application/json
Content-Type: application/json
```
Chrome/CDP can mislead in multi-profile sessions. A process may show `--load-extension`, and CDP may even transiently show a `chrome-extension://.../service_worker.js` target, while the intended unpacked extension is not actually visible or registered in the isolated profile.
Generate OAuth URL:
Before starting OpenAI registration, verify the intended automation extension with stronger evidence:
```text
GET <origin>/v0/management/codex-auth-url
# UI also uses: GET <origin>/v0/management/codex-auth-url?is_webui=true
```
- `chrome://extensions/` visibly shows the `codex-oauth-automation-extension` unpacked card; or
- `Default/Preferences` has an `extensions.settings` entry whose manifest/path match the intended repo; or
- the intended extension page/sidepanel opens and renders expected UI; or
- an extension-context runtime call reads the expected manifest/state.
Extract URL from `url|auth_url|authUrl|data.*`; extract state from payload or URL.
If `chrome://extensions` is empty and `extensions.settings` is empty, stop before registration. Report the block as **extension launch/registration failure before signup**, keep the ClawEmail record pending/failed according to whether signup was actually attempted, and avoid burning the mailbox on a manual unsupported flow. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md` for the observed Chrome 147 anomaly and debug checklist.
Submit callback:
### OpenAI verification email does not arrive in ClawEmail
```text
POST <origin>/v0/management/oauth-callback
{"provider":"codex","redirect_url":"http://localhost:1455/auth/callback?code=[REDACTED]&state=[REDACTED]"}
```
A 2026-05-09 ordinary-registration test reached OpenAI's normal `email-verification` page with two fresh ClawEmail sub-mailboxes, but no OpenAI code arrived in inbox or spam even after resend. Both sub-mailboxes passed a self-send receive test, so the block was classified as OpenAI/ClawEmail deliverability rather than browser, proxy, extension, CAPTCHA, or phone-verification failure. See `references/openai-clawemail-verification-nondelivery-2026-05-09.md`.
Verify:
### OpenAI email verification does not arrive
```text
GET <origin>/v0/management/get-auth-status?state=<state> -> {"status":"ok"}
GET <origin>/v0/management/auth-files -> codex-<email>-free.json active
```
1. Confirm ClawEmail external receive is enabled on the **exact sub-mailbox** used for the run. Newly-created sub-mailboxes default to internal-only communication (`commLevel=1`, `extReceiveType=0`) and will silently miss OpenAI mail.
2. For BOSS's setup, keep ClawEmail Dashboard master-login state in a **dedicated persistent Chrome profile**, not in the disposable Codex OAuth browser profile:
- profile: `/Users/chick/.Hermes/workspace/browser-profiles/clawemail-dashboard-persistent`
- CDP port: `9224`
- URL: `https://claw.163.com/projects/dashboard/#/`
The Codex OAuth Chrome profile/port 9223 may be killed or recreated frequently; do not store Dashboard master login there.
3. After creating a run sub-mailbox, immediately update its communication settings before submitting it to OpenAI:
- call Dashboard API base `https://claw.163.com/mailserv-claw-dashboard` (observed via `performance.getEntriesByType('resource')`, not bare `/api/v1/...`)
- `GET /api/v1/workspaces` to obtain `workspaceId`
- `GET /api/v1/mailboxes?workspaceId=<workspaceId>` to find the sub-mailbox `id`
- `POST /api/v1/mailboxes/comm-settings?id=<mailboxId>` with JSON body `{"commLevel":2,"extReceiveType":1,"extSendType":0}`
- verify with `mail-cli clawemail info --uid <submailbox> --json` that `commLevel=2` and `extReceiveType=1`
4. Poll the **sub-mailbox profile**, not just the default primary mailbox profile. If the profile was deleted/recreated, fix `~/.config/mail-cli/config.json` or call `mail-cli` with a valid profile/user.
5. Check inbox and spam.
6. Send a self-test email to the sub-mailbox and verify it arrives.
7. If self-test works but OpenAI mail still does not arrive after resend, stop and record `openai_email_verification` failure; try a primary ClawEmail mailbox or another provider next.
Do **not** use root `/codex-auth-url` or `/api/auth/url`; they can 404 or return unrelated `amp upstream proxy not available`.
### Proxy not applied
References:
- Visit an IP-check page in the isolated browser before starting.
- If auth proxy fails, use a local forwarding proxy wrapper.
- Do not put proxy passwords in final answers.
- `references/cpa-original-extension-api-notes-2026-05-10.md`
- `references/cpa-panel-codex-oauth-success-2026-05-10.md`
### ClawEmail code not found
## 9. Codex2API target
- Verify the email address submitted in step 2 matches `CLAWEMAIL_UID` or the created sub-mailbox.
- Use `mail-cli mail list --fid 1 --limit 20 --json` and inspect recent OpenAI messages.
- Check spam/deleted folders if inbox is empty.
Generate URL:
### OAuth callback not captured
```text
POST <origin>/api/admin/oauth/generate-auth-url
Header: X-Admin-Key: [CODEX2API_ADMIN_KEY]
Body: {}
```
- Step `confirm-oauth` listens for localhost callback via webNavigation/tabs updates.
- Re-run the OAuth login/confirm steps only, not the full registration, unless the auth session is invalid.
- Verify target mode settings and state value mismatch errors.
Expected response contains:
### Target verify fails
```json
{"auth_url":"...","session_id":"..."}
```
- For SUB2API, verify URL/email/password/group/priority/proxy fields.
- For Codex2API, verify URL and admin key.
- For CPA, verify management origin/key and callback endpoint support.
- Do not print callback URL with `code=`; redact.
Exchange callback:
### Plus/GoPay fails
```text
POST <origin>/api/admin/oauth/exchange-code
Header: X-Admin-Key: [CODEX2API_ADMIN_KEY]
{"session_id":"...","code":"[REDACTED]","state":"..."}
```
- Confirm Plus mode and payment method are correct.
- Confirm GPC helper URL/card key/phone/PIN/OTP channel settings.
- Stop before retrying paid operations repeatedly; ask BOSS.
If callback/token exchange returns `unsupported_country_region_territory`, browser-side OAuth is not the issue. The backend token exchange path needs a supported outbound proxy or use CPA.
See `references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md` for the session note covering the macOS TCC screenshot fix, LAN/SOCKS5 verification, and ordinary-registration prep sequence.
## 10. SUB2API target
See `references/openai-clawemail-verification-nondelivery-2026-05-09.md` for the ordinary registration test where OpenAI reached the email-verification page for two ClawEmail submailboxes, but no OpenAI verification email arrived despite submailbox self-test delivery working.
Use original extension/content-script route for SUB2API panel login, group, proxy, priority, and callback exchange. Do not invent direct API endpoints unless re-confirmed from source/UI.
See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md` for the phone-verification continuation where OpenAI `add-phone` required SMS, BOSS corrected that WhatsApp receive channels must not be used, and 5sim `activation/*/openai` orders plus visible country selection were identified as the right class of workflow.
## 11. Browser/CDP hygiene
See `references/openai-phone-verification-5sim-sms-2026-05-10.md` for early detailed retry notes: cancel failed 5sim orders before buying new ones, treat OpenAI `无法向此电话号码发送验证码` as a number/provider rejection, and avoid CDP-only mutations that desync the React country selector back to `美国 (+1)`. **Do not copy the early Vietnam-default assumption when `FIVE_SIM_COUNTRY_ORDER` is set; use the corrected precedence in `references/openai-phone-verification-country-order-account-deactivated-2026-05-10.md`.**
Before fresh OAuth recovery:
See `references/openai-add-phone-1083-vietnam-resend-2026-05-10.md` for the follow-up test requested by BOSS: switch browser proxy to `socks5://192.168.2.8:1083`, regenerate Codex2API OAuth URL from the origin API when the auth session expires, continue with configured-country `vietnam` SMS activation, and for non-rejected numbers poll 5sim then click `重新发送` before canceling/retrying.
```text
close stale auth.openai.com / phone-verification / localhost callback tabs
keep only the current intended target tab
```
See `references/openai-phone-verification-country-order-account-deactivated-2026-05-10.md` for the correction that `FIVE_SIM_COUNTRY_ORDER` (for example `argentina,netherlands,indonesia`) takes precedence over empty `FIVE_SIM_COUNTRY_ID` and default `vietnam`, plus the recovery rule that `account_deactivated` during email verification ends phone attempts for that mailbox.
Use visible Chrome with isolated profile. Chrome stable may ignore `--load-extension`; verify extension card/sidepanel if using the extension. Manual CDP flow is acceptable when BOSS only wants registration/OAuth tested; still follow all gates.
## Verification Checklist
## 12. Plus / GoPay
- [ ] Config file exists at `~/.hermes/env/codex_oauth_onboarding.env` with mode-specific fields.
- [ ] ClawEmail auth passes.
- [ ] Isolated browser profile is not the normal personal profile.
- [ ] Browser exit IP matches intended proxy.
- [ ] Extension is loaded and sidepanel opens.
- [ ] Only one target mode is active.
- [ ] Plus payment was explicitly approved if enabled.
- [ ] Target platform shows the OAuth account/session after verification.
- [ ] Final report redacts all secrets, callback codes, passwords, API keys, and proxy credentials.
Default ordinary account test:
```text
PLUS_MODE_ENABLED=false
```
If Plus is requested:
```text
PLUS_PAYMENT_METHOD=gopay
GOPAY_OTP_SOURCE=manual
GOPAY_OTP empty by default
```
Stop immediately before paid confirmation and ask BOSS.
## 13. Verification checklist before final report
- [ ] New mailbox external receive enabled and recorded.
- [ ] OpenAI email verification completed or classified.
- [ ] If phone appeared: all active 5sim orders are FINISHED or CANCELED.
- [ ] If SMS succeeded: OpenAI left `phone-verification` page.
- [ ] OAuth callback submitted to chosen target.
- [ ] Target has active account/session/auth file.
- [ ] Final report redacts secrets, callback codes, SMS/email codes, full phone numbers, API keys, passwords, proxy strings.
- [ ] If new learning occurred, update this skill or a reference.
## 14. Evidence and history references
Full pre-rewrite skill was archived at:
```text
references/SKILL-full-before-low-token-rewrite-2026-05-10.md
```
High-value references:
```text
references/cpa-original-extension-api-notes-2026-05-10.md
references/cpa-panel-codex-oauth-success-2026-05-10.md
references/openai-phone-free-country-vietnam-sms-success-codex2api-region-block-2026-05-10.md
references/openai-add-phone-strict-country-gate-2026-05-10.md
references/openai-add-phone-free-country-runner-policy-2026-05-10.md
references/openai-login-recovery-gate-before-phone-runs-2026-05-10.md
references/openai-oauth-tab-cleanup-before-recovery-2026-05-10.md
references/openai-phone-country-scheduler-cyclic-chunks-2026-05-10.md
references/clawemail-external-receive-gate-openai-2026-05-10.md
references/openai-add-phone-chile-no-free-phones-2026-05-10.md
references/openai-add-phone-eu4-total20-real-activations-2026-05-10.md
references/official-extension-phone-update-2026-05-10.md
```
@@ -0,0 +1,540 @@
---
name: codex-oauth-plus-onboarding
description: "Use when BOSS asks to register a ChatGPT/Codex OAuth account flow with ClawEmail, optionally open Plus through GoPay/GPC, and authorize the OAuth callback into SUB2API, Codex2API, or CPA using an isolated proxied browser profile."
version: 1.0.0
author: Hermes Agent
license: MIT
metadata:
hermes:
tags: [codex, oauth, clawemail, gopay, sub2api, codex2api, cpa, browser-automation]
related_skills: [clawemail-operations, browser-extension-storage-audit]
---
# Codex OAuth + Plus Onboarding
## Overview
This skill describes the safe, repeatable workflow for using the local `codex-oauth-automation-extension` project to run a **single user-authorized onboarding flow**:
1. Use **ClawEmail** as the registration mailbox.
2. Register/Login through ChatGPT/OpenAI auth.
3. Optionally open ChatGPT Plus through **GoPay / GPC helper**.
4. Complete OAuth authorization.
5. Submit the localhost OAuth callback to exactly one configured target: **SUB2API**, **Codex2API**, or **CPA**.
6. Run the browser in an isolated profile with a dedicated proxy.
The skill is for BOSS's own infrastructure and accounts only. Do not use it for spam, credential stuffing, rate-limit evasion, CAPTCHA bypass, unauthorized account creation, or bulk registration. If a page asks for CAPTCHA, security challenge, phone ownership proof, payment confirmation, or another user-visible anti-abuse checkpoint, pause and ask BOSS to complete/approve it manually.
## When to Use
Use this skill when BOSS asks for any of these:
- “用 ClawEmail 注册 Codex / ChatGPT OAuth,然后授权到 SUB2API / Codex2API / CPA”
- “用 GoPay 开 Plus 后把 OAuth 接进去”
- “把 QLHazyCoder/codex-oauth-automation-extension 那套流程跑起来”
- “给这个注册流程做独立代理、无痕/隔离浏览器配置”
- “把这个流程做成可复用配置和操作步骤”
Also load `clawemail-operations` before any ClawEmail mailbox work.
## BOSS-specific Operating Defaults
These are confirmed operating rules for BOSS's environment:
- Use **Google Chrome stable** at `/Applications/Google Chrome.app/Contents/MacOS/Google Chrome` with a real visible window.
- Do **not** set a default target platform. If `PANEL_MODE` is empty or not one of `cpa|sub2api|codex2api`, stop before launching the run.
- Proxies are supplied as unauthenticated `socks5://host:port` or `http://host:port`; do not expect proxy username/password.
- The new account password is unified through `CUSTOM_PASSWORD`. If it is empty, stop and ask BOSS to fill it, unless BOSS explicitly allows auto-generation for that run.
- ClawEmail creates a fresh mailbox for every run (`CLAWEMAIL_CREATE_PER_RUN=true`). Record every created mailbox locally with outcome classification: pending, success, failed. **Immediately after creation, actively set/verify the mailbox's communication settings before submitting it to OpenAI:** new sub-mailboxes can default to internal-only (`commLevel=1`, `extReceiveType=0`), which blocks OpenAI verification mail. The gate must pass with external receive enabled (`commLevel=2`, `extReceiveType=1`). Do not merely tell BOSS to do this manually: first try the logged-in ClawEmail Dashboard API `POST /api/v1/mailboxes/comm-settings?id=<mailboxId>` with `{commLevel:2, extReceiveType:1, extSendType:0}`. If the Dashboard is not logged in, open/login to it and ask BOSS only for the QQ master-mailbox 6-digit login code if the agent cannot read QQ mail. See `clawemail-operations` reference `references/clawemail-dashboard-comm-settings-openai-signup-2026-05-10.md` and this skill's `references/clawemail-external-receive-gate-openai-2026-05-10.md`.
- Phone/SMS platform has no default. Keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless BOSS configures one or approves enabling it after a phone verification appears.
- If phone verification appears and BOSS has configured 5sim, use **SMS activation for `openai`**, not WhatsApp receive channels. The original extension's 5sim provider buys `/v1/user/buy/activation/{country}/{operator}/openai`, polls `/v1/user/check/{activationId}`, and finishes/cancels the activation. **Before buying any 5sim number, pass the identity gate:** the browser must already be confirmed on `auth.openai.com/add-phone` for a usable OpenAI account. If OpenAI returns `account_deactivated`, if ClawEmail cannot create a new sub-mailbox due to quota, or if reused sub-mailboxes only show password mismatch, stop and ask BOSS to free mailbox quota/provide the correct password/approve another mailbox provider. **Country selection priority is `FIVE_SIM_COUNTRY_ORDER` first** (comma-separated list such as `argentina,netherlands,indonesia`), then `FIVE_SIM_COUNTRY_ID`, then the original extension default `vietnam` only if both are empty. For each configured country, rotate numbers up to `PHONE_VERIFICATION_REPLACEMENT_LIMIT`; do **not** silently switch outside the configured order unless BOSS approves. Before buying/submitting a non-USA number, verify the OpenAI visible country selector is already the expected country (for example `阿根廷 (+54)`, `荷兰 (+31)`, `印度尼西亚 (+62)`, or `越南 (+84)`); if it reverted to `美国 (+1)`, fix the selector first or the number will be parsed as invalid. Use visible UI paste/click on `add-phone` when possible because CDP-only input mutation can desync React state and revert the country on submit. If a number is **not immediately rejected**, do not cancel it after one polling timeout: poll 5sim, click OpenAI `重新发送`, poll again, and retry resend at least once before canceling/rotating. If changing proxy (for example `1085``1083` or back), expect OpenAI auth session invalidation and restart from a fresh target OAuth URL. Codex2API env URLs may point at `/admin/accounts`; derive the API origin before calling `/api/admin/oauth/generate-auth-url`. If OpenAI returns `account_deactivated` after email verification, stop the current account and start with a new ClawEmail sub-mailbox instead of burning 5sim numbers. See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md`, `references/openai-phone-verification-5sim-sms-2026-05-10.md`, `references/openai-phone-verification-proxy1083-resend-2026-05-10.md`, `references/codex-oauth-token-lite-automation-flow-2026-05-10.md`, and `references/clawemail-quota-identity-gate-before-phone-verify-2026-05-10.md` for observed behavior, resend strategy, proxy-switch recovery, identity-gate checks, and pitfalls.
- If a phone-verification runner is stopped or interrupted, immediately inspect/cancel any active 5sim activation left in `RECEIVED`; killed scripts may not execute cleanup. For a UK `+44` run, use 5sim country slug `england`, OpenAI ISO `GB`, visible selector `英国 (+44)`, and dial prefix `44`. For a Europe broadened run requested as Italy/Poland/Spain/UK, use `italy -> IT -> 意大利 (+39)`, `poland -> PL -> 波兰 (+48)`, `spain -> ES -> 西班牙 (+34)`, and `england -> GB -> 英国 (+44)`. For Chile, use `chile -> CL -> 智利 (+56)` and prefix `56`; 5sim may return HTTP 200 `text/plain` body `no free phones` for `/v1/user/buy/activation/chile/any/openai`, which means no activation was created and no cancellation is needed. When BOSS says to run “10 次” across a country set, treat it as **10 total attempts across the ordered set**, not 10 per country, unless he explicitly says per-country; if BOSS says each region switches after 3 consecutive failures, schedule chunks as `country x3 -> next country`, capped by the global total. **For global budgets larger than one full pass of chunks, cycle the country chunks until the global budget is exhausted** (e.g. 20 attempts with 4 countries and chunk size 3 must continue after UK back to Italy; do not stop at 12). When BOSS asks for free-country exploration, ignore stale `FIVE_SIM_COUNTRY_ORDER`, use a broad OpenAI-supported candidate map, cap each country (for example 2 real activations), and count only successful 5sim buys with activation ids toward the global budget; `no free phones`, country-gate/CDP errors before buying, and OAuth recovery failures are not real attempts. 5sim may return HTTP 200 `text/plain` such as `no free phones` from buy endpoints; classify it as inventory miss, no cancellation needed. For the 2026-05-10 EU4 total-20 run, all 20 real activations ended with zero SMS and WhatsApp resend classification; see `references/openai-add-phone-eu4-total20-real-activations-2026-05-10.md`. For the 2026-05-10 free-country run, Vietnam succeeded with a 5sim `openai` SMS activation, OpenAI phone verification passed, and OAuth consent produced a callback; the remaining blocker was Codex2API server-side token exchange returning `unsupported_country_region_territory` even after setting admin `proxy_url`, so inspect/fix Codex2API outbound proxy use for token exchange before retrying final callback. See `references/openai-phone-free-country-vietnam-sms-success-codex2api-region-block-2026-05-10.md`. For free-country runner policy and 5sim inventory quirks, see `references/openai-add-phone-free-country-runner-policy-2026-05-10.md`. Before buying any 5sim activation, enforce the `add-phone` identity gate: the active OpenAI page must already be a usable `https://auth.openai.com/add-phone`; if recovery lands on password mismatch, `invalid_state`, stale email verification, or `account_deactivated`, stop before buying numbers. One-off country test runners must hardcode/validate their effective country order at startup (e.g. `ORDER=['chile']`) and abort if it still reads a stale env order. Before opening a fresh OAuth recovery tab, close stale `auth.openai.com` / `phone-verification` / localhost callback tabs unless the current tab is already a usable `add-phone` page; this prevents tab pile-up and CDP target ambiguity. Before clicking OpenAI resend, **probe the resend channel without clicking** by reading button `value`/`aria-label`/`title`/text; if it says WhatsApp and BOSS's policy is SMS-only, cancel the SMS activation and rotate/stop instead of clicking. Classify `This page isnt working` / `HTTP ERROR 500` / `500 Internal Server Error` after resend as `resend_server_error`, cancel the order, and recover to `add-phone`. See `references/openai-add-phone-strict-country-gate-2026-05-10.md`, `references/openai-add-phone-uk44-and-runner-cleanup-2026-05-10.md`, `references/openai-add-phone-eu4-roundrobin-correction-2026-05-10.md`, `references/openai-add-phone-eu4-3fail-switch-results-2026-05-10.md`, `references/openai-phone-country-scheduler-cyclic-chunks-2026-05-10.md`, `references/openai-add-phone-chile-no-free-phones-2026-05-10.md`, `references/openai-login-recovery-gate-before-phone-runs-2026-05-10.md`, `references/openai-oauth-tab-cleanup-before-recovery-2026-05-10.md`, and `references/official-extension-phone-update-2026-05-10.md`.
If Codex2API callback exchange fails with OpenAI `unsupported_country_region_territory`, switch to CPA / CLI Proxy API when BOSS provides `CPA_VPS_URL` and `CPA_VPS_PASSWORD`. Original extension reference: `background/panel-bridge.js` derives the CPA management origin from `new URL(CPA_VPS_URL).origin`, then requests `GET <origin>/v0/management/codex-auth-url` with both `Authorization: Bearer <CPA_VPS_PASSWORD>` and `X-Management-Key: <CPA_VPS_PASSWORD>`; the management UI may add `?is_webui=true`, which is also acceptable. It extracts OAuth URL from `url|auth_url|authUrl|data.*` and state from response or the URL. For callback submission, `background/steps/platform-verify.js` validates localhost callback contains `code` and `state`, rejects mismatched `cpaOAuthState`, then posts `POST <origin>/v0/management/oauth-callback` body `{"provider":"codex","redirect_url":"http://localhost:1455/auth/callback?..."}` with the same two headers. Verify via `GET <origin>/v0/management/get-auth-status?state=<state>` and `<origin>/v0/management/auth-files`. Do not use root `/api/auth/url` for Codex; it may be an unrelated Amp endpoint returning `amp upstream proxy not available`. See `references/cpa-panel-codex-oauth-success-2026-05-10.md`.
- Plus mode uses
- GoPay WhatsApp OTP uses **方案 A / manual checkpoint**: set `GOPAY_OTP_SOURCE=manual`. The extension detects OTP input and opens a side-panel prompt (`requestGoPayOtpInput` / “输入 GoPay 验证码”); BOSS pastes the WhatsApp code, then the extension fills OTP, fills `GOPAY_PIN`, and continues.
- `GOPAY_OTP` should normally stay empty before the run. It is only a temporary prefill/cache for the current OTP dialog, not a durable secret.
- Do not implement WhatsApp scraping/API automation unless BOSS explicitly requests it later.
- When BOSS says the environment is normal and asks to start registration testing, treat `socks5://192.168.2.8:1085` as the expected browser proxy unless BOSS overrides it. If `BROWSER_PROXY_SERVER` is empty, patch the local env to this SOCKS5 endpoint and verify it before launching Chrome; do not stop with a question asking whether to use it.
- For ordinary-account test runs, set `PLUS_MODE_ENABLED=false` before launching. Keep `PLUS_PAYMENT_METHOD=gopay` untouched for later Plus runs, but do not enter Plus/payment steps.
- Registration/OAuth tests are step-gated for BOSS: after environment/config prep and mailbox creation, report the created mailbox and wait for explicit “继续” before launching the visible browser flow.
1. **Explicit target**: BOSS must specify exactly one target mode: `sub2api`, `codex2api`, or `cpa`; there is no default target, and an empty `PANEL_MODE` must stop execution.
2. **Single-run default**: default to one account / one OAuth flow unless BOSS explicitly requests a count.
3. **No CAPTCHA bypass**: if Cloudflare/CAPTCHA/security challenge appears, stop and report the required manual action.
4. **Payment checkpoint**: Plus mode is GoPay for BOSS, but before any GoPay payment or paid operation, confirm that BOSS wants to proceed.
5. **No secret leakage**: never print API keys, admin keys, proxy addresses if sensitive, refresh tokens, card keys, or OAuth callback URLs containing `code=` in final summaries. Redact as `[REDACTED]`.
6. **Config export risk**: the extensions built-in settings export may contain secrets. Treat exported files as sensitive.
7. **Mailbox records**: every freshly-created ClawEmail mailbox must be recorded locally with run id and final status (`pending`, `success`, or `failed`).
## Repository and Local Paths
Known research clone:
```bash
/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
```
If missing, clone shallow:
```bash
mkdir -p /Users/chick/.Hermes/workspace/research
cd /Users/chick/.Hermes/workspace/research
git clone --depth=1 https://github.com/QLHazyCoder/codex-oauth-automation-extension.git
```
Validate tests when modifying or before relying on a changed checkout:
```bash
cd /Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
node --test tests/*.test.js
```
Observed verification result during initial study: `772` tests passed, `0` failed.
## Configuration File
Create a dedicated env file instead of typing secrets into chat. A fuller template is stored with this skill at `templates/codex_oauth_onboarding.env.example`. If BOSS has temporarily filled real values into that template, first copy it to the real env file, back up the filled template privately, and sanitize the template again; see `references/env-file-and-5sim-notes.md`.
```bash
mkdir -p ~/.hermes/env
chmod 700 ~/.hermes/env
cp ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example ~/.hermes/env/codex_oauth_onboarding.env
chmod 600 ~/.hermes/env/codex_oauth_onboarding.env
$EDITOR ~/.hermes/env/codex_oauth_onboarding.env
```
High-level required groups:
1. **Local project / browser**: `CODEX_OAUTH_EXTENSION_DIR`, `CHROME_BIN`, `BROWSER_PROFILE_ROOT`, `BROWSER_HEADLESS=false`.
2. **Panel / target mode**: `PANEL_MODE=cpa|sub2api|codex2api` has **no default**; if empty, stop. Fill only the selected targets auth fields copied from the original side panel (`CPA_VPS_URL`/`CPA_VPS_PASSWORD`, or `SUB2API_*`, or `CODEX2API_*`).
3. **Proxy**: fill `BROWSER_PROXY_SERVER` with BOSS-provided unauthenticated `socks5://host:port` or `http://host:port`; use `IP_PROXY_*` only when using the original extensions built-in 711proxy/IP proxy panel.
4. **Registration identity and password**: `CLAWEMAIL_CREATE_PER_RUN=true`, `CLAWEMAIL_PREFIX`, `CLAWEMAIL_RECORD_FILE`, `SIGNUP_METHOD=email`, and unified `CUSTOM_PASSWORD`. For BOSS's ClawEmail per-run accounts, use a pure lowercase English **8-letter random create prefix with no base prefix** (example create prefix `abcdefgh`, resulting sub-mailbox shape `chickliu.abcdefgh@claw.163.com`). Live ClawEmail probing showed create prefixes are accepted only up to 11 characters and dots/hyphens are rejected despite docs/help text, so do not use `codex` + 8 letters. Store/observe the policy with `CLAWEMAIL_PREFIX=` (empty), `CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8`, `CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz`, and `CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true` when helper scripts support it; if not, generate the 8-letter prefix in the runner before calling `mail-cli clawemail create --prefix ...`.
5. **Mail provider**: `MAIL_PROVIDER`, `EMAIL_GENERATOR`, and original-provider fields only if not polling ClawEmail from Hermes.
6. **Phone/SMS verification fallback**: no default provider; keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless configured/approved.
7. **Plus/payment**: `PLUS_MODE_ENABLED=true`, `PLUS_PAYMENT_METHOD=gopay`; paid operations still require explicit confirmation.
Minimal template excerpt:
```bash
# Required: local extension repo
CODEX_OAUTH_EXTENSION_DIR=/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
```bash
# Required: ClawEmail mailbox
CLAWEMAIL_UID=chickliu@claw.163.com
# BOSS preference: per-run sub-mailbox create prefix is exactly 8 lowercase English random letters.
# Example create prefix: abcdefgh -> chickliu.abcdefgh@claw.163.com
CLAWEMAIL_PREFIX=
CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8
CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
```
# Browser isolation
BROWSER_PROFILE_ROOT=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth
BROWSER_HEADLESS=false
BROWSER_PROXY_SERVER=http://host:port
BROWSER_PROXY_USERNAME=
BROWSER_PROXY_PASSWORD=
# Target mode: sub2api | codex2api | cpa
OAUTH_TARGET_MODE=sub2api
# SUB2API settings
SUB2API_URL=
SUB2API_EMAIL=
SUB2API_PASSWORD=
SUB2API_GROUP_NAME=default
SUB2API_ACCOUNT_PRIORITY=1
SUB2API_DEFAULT_PROXY_NAME=
# Codex2API settings
CODEX2API_URL=
CODEX2API_ADMIN_KEY=
# CPA settings
CPA_URL=
CPA_MANAGEMENT_KEY=
CPA_LOCAL_STEP9_MODE=submit
# Plus / GoPay / GPC helper settings
PLUS_MODE_ENABLED=false
PLUS_PAYMENT_METHOD=gpc-helper
GPC_HELPER_API_URL=
GPC_HELPER_CARD_KEY=
GPC_HELPER_COUNTRY_CODE=+86
GPC_HELPER_PHONE_NUMBER=
GPC_HELPER_PIN=
GPC_HELPER_OTP_CHANNEL=whatsapp
GPC_HELPER_LOCAL_SMS_ENABLED=false
GPC_HELPER_LOCAL_SMS_URL=http://127.0.0.1:18767
# Runtime behavior
RUN_COUNT=1
AUTO_RUN_SKIP_FAILURES=false
AUTO_STEP_DELAY_SECONDS=2
OAUTH_FLOW_TIMEOUT_ENABLED=true
```
Rules:
- Keep this file local only; never commit it.
- Use `[REDACTED]` in reports for all secret values.
- If multiple target sections are filled, only the section selected by `OAUTH_TARGET_MODE` should be used.
## Browser Isolation and Proxy Strategy
This workflow must use a **real visible Chrome/Chromium browser**. Do not use headless browser mode for registration, payment, OAuth consent, or security-sensitive OpenAI/Auth pages.
Use a **dedicated browser profile** per run or per account. “无痕模式” in Chrome does not normally persist extension state and may not allow side panel/extensions unless explicitly enabled. For this extension, prefer a real visible browser with:
- Dedicated clean `user-data-dir` profile.
- Loaded unpacked extension from `CODEX_OAUTH_EXTENSION_DIR`.
- Proxy applied at browser launch or by a verified local proxy wrapper.
- Human-visible UI for CAPTCHA/security/payment checkpoints.
- Profile cleared after success if BOSS wants no local residue.
Recommended profile naming:
```bash
RUN_ID=$(date +%Y%m%d-%H%M%S)
PROFILE_DIR="$BROWSER_PROFILE_ROOT/$RUN_ID"
mkdir -p "$PROFILE_DIR"
```
Chrome launch pattern:
```bash
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
--user-data-dir="$PROFILE_DIR" \
--disable-extensions-except="$CODEX_OAUTH_EXTENSION_DIR" \
--load-extension="$CODEX_OAUTH_EXTENSION_DIR" \
--proxy-server="$BROWSER_PROXY_SERVER" \
--no-first-run \
--no-default-browser-check
```
If proxy authentication is required and Chrome launch flags do not authenticate reliably, use one of these approaches:
1. Use an upstream proxy URL that embeds auth only in a local proxy wrapper, not in command history.
2. Start a local forwarding proxy that injects upstream credentials.
3. Configure proxy credentials inside the extension only if the extension supports it and the config file is protected.
Do not reuse the normal personal browser profile for this workflow.
## ClawEmail Preparation
Load `clawemail-operations` and verify:
```bash
mail-cli auth test --json
mail-cli clawemail list --json
mail-cli clawemail info --uid "$CLAWEMAIL_UID" --json
```
Registration email choice:
- Default: use `CLAWEMAIL_UID` directly.
- If BOSS wants per-run sub-mailboxes, create them with `mail-cli clawemail create --prefix ...` and set the extensions registration email to the created UID.
For code retrieval, the extension may interact with mail provider pages or helper logic, but ClawEmail can also be polled by Hermes:
```bash
mail-cli mail list --fid 1 --limit 20 --json
mail-cli read body --id '<message-id>'
```
Always quote message IDs.
## Extension Architecture Reference
The project is a Manifest V3 Chrome extension:
- `manifest.json`: permissions, host permissions, content scripts, side panel.
- `background.js`: service worker and state orchestration.
- `background/message-router.js`: handles sidepanel messages such as `EXECUTE_STEP`, `AUTO_RUN`, `SAVE_SETTING`, `EXPORT_SETTINGS`, `IMPORT_SETTINGS`.
- `data/step-definitions.js`: step list for normal and Plus modes.
- `background/steps/*.js`: one executor per major step.
- `content/signup-page.js`: OpenAI/Auth page DOM automation.
- `content/*mail*.js`: mail provider automation.
- `sidepanel/sidepanel.js`: UI controls and settings collection.
Important permissions include `tabs`, `webNavigation`, `webRequest`, `proxy`, `debugger`, `cookies`, `browsingData`, `storage`, `scripting`, `activeTab`, and `<all_urls>` host access.
## Normal OAuth Flow Steps
**BOSS correction / manual-flow allowance:** if BOSS asks only to test whether ordinary registration works, do not over-focus on running the original extension as the automation engine. It is acceptable to follow the extension's normal-flow sequence manually through visible Chrome, CDP, and `mail-cli`. The extension should be treated as a process reference unless BOSS explicitly asks to use it. Still keep all checkpoints: stop for CAPTCHA/Cloudflare/security challenge/phone/payment, and do not proceed to OAuth until email verification succeeds.
Normal mode step definitions:
1. `open-chatgpt` — clear ChatGPT/OpenAI cookies and open ChatGPT.
2. `submit-signup-email` — enter email or phone registration identity.
3. `fill-password` — generate/use password and submit.
4. `fetch-signup-code` — fetch registration verification code from mailbox/SMS.
5. `fill-profile` — generate and submit name + birthday.
6. `wait-registration-success` — wait for registration to stabilize.
7. `oauth-login` — refresh OAuth URL from selected target and log in.
8. `fetch-login-code` — fetch login verification code if needed.
9. `confirm-oauth` — click OAuth consent / Continue and capture localhost callback.
10. `platform-verify` — submit callback/code/state to SUB2API, Codex2API, or CPA.
### ClawEmail random suffix policy
BOSS specifically prefers Codex onboarding sub-mailboxes to use **only an 8-letter lowercase English random create prefix** after the primary mailbox dot, e.g. `chickliu.ktqcxzux@claw.163.com`. Do not use `cod`/`codex` plus 8 letters unless BOSS asks; the live ClawEmail API only accepted create prefixes up to 11 characters and rejected dots/hyphens during probing. See `clawemail-operations` reference `references/clawemail-prefix-probe-2026-05.md` and this skill's `references/clawemail-random-suffix-policy-2026-05.md`.
```bash
FIVE_SIM_API_KEY=
FIVE_SIM_BASE_URL=https://5sim.net/v1
FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia
FIVE_SIM_OPERATOR=any
FIVE_SIM_PRODUCT=openai
FIVE_SIM_SERVICE=openai
```
## Plus Flow Steps
When `PLUS_MODE_ENABLED=true`, the extension switches step definitions.
PayPal Plus path:
1-5. same registration steps.
6. `plus-checkout-create` — create Plus Checkout.
7. `plus-checkout-billing` — fill billing and submit order.
8. `paypal-approve` — PayPal login/approval.
9. `plus-checkout-return` — confirm return.
10. `oauth-login`.
11. `fetch-login-code`.
12. `confirm-oauth`.
13. `platform-verify`.
GoPay/GPC helper paths use similar Plus step positions, with payment-specific logic in `background/steps/create-plus-checkout.js`, `fill-plus-checkout.js`, `gopay-*`, and helper API settings.
## Applying Settings in the Extension
The sidepanel normally sends settings through `SAVE_SETTING`; the background persists keys in `chrome.storage.local` via `PERSISTED_SETTING_KEYS`.
Manual UI route:
1. Open isolated Chrome profile with extension loaded.
2. Open the extension side panel.
3. Set `panelMode` according to `OAUTH_TARGET_MODE`:
- `sub2api` → fill SUB2API URL/email/password/group/proxy/priority.
- `codex2api` → fill Codex2API URL/Admin Key.
- `cpa` → fill CPA URL and management key.
4. Set registration email to ClawEmail mailbox.
5. Enable Plus mode only if requested.
6. Select `gpc-helper` / GoPay settings when using GoPay/GPC.
7. Configure proxy mode if the extension manages proxy; otherwise rely on browser launch proxy.
8. Save settings.
9. Start manual steps or Auto Run with `RUN_COUNT=1`.
Programmatic route, if writing a helper script:
- Prefer controlling the sidepanel UI or sending extension runtime messages from the extension context.
- Do not inject secrets into shell command lines where they will remain in history/process listings.
- Keep settings source in `~/.hermes/env/codex_oauth_onboarding.env`.
## Execution Checklist
1. Load this skill and `clawemail-operations`.
2. Read `~/.hermes/env/codex_oauth_onboarding.env` locally; validate required fields for the selected target.
3. Confirm payment/Plus intent if `PLUS_MODE_ENABLED=true`.
4. Verify ClawEmail auth and selected mailbox.
5. Confirm extension repo exists and tests pass if the checkout changed.
6. Start a dedicated proxied browser profile with the unpacked extension.
7. Open sidepanel and apply settings.
8. Start one run.
9. Monitor logs for:
- registration email submitted
- signup verification code fetched
- profile completed
- Plus checkout/payment status, if enabled
- OAuth URL refreshed
- login code fetched, if required
- localhost callback captured
- platform verification succeeded
10. If security challenge/CAPTCHA/phone/payment confirmation appears, pause and notify BOSS.
11. After success, verify target platform has the new authorized account/session.
12. Redact secrets and callback codes in the final report.
## Storage and Export Risk
The extension stores sensitive configuration in `chrome.storage.local`, including possible:
- CPA management key / password.
- SUB2API password.
- Codex2API admin key.
- Proxy username/password/API URL.
- Hotmail account passwords, `clientId`, `refreshToken`.
- PayPal account pool credentials.
- 2925 mailbox credentials.
- LuckMail / HeroSMS / 5sim / NexSMS API keys.
- Cloudflare Temp Email auth fields.
Runtime state goes mostly to `chrome.storage.session`, including generated email, password, codes, OAuth URL, localhost callback, and target session metadata.
The built-in export function exports `getPersistedSettings()` as JSON; this can include sensitive persistent settings. Treat every export as secret material.
## Troubleshooting
### Google Chrome stable may ignore `--load-extension`
On BOSS's macOS Chrome stable 147, verbose logs showed `--load-extension is not allowed in Google Chrome, ignoring.` In that case, `ps` still shows the flag but the extension card never appears. Do not keep relaunching the same way. Use the visible UI workaround: open `chrome://extensions`, enable Developer Mode, physically click **加载未打包的扩展程序**, choose the repo folder in the macOS picker, then verify the unpacked card is `ENABLED`. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md`.
### PassWall2/DNS split rules still polluted
After BOSS updates PassWall2/domain split rules, verify DNS takeover before relaunching the extension. Domain rules alone are not enough if macOS still resolves `chatgpt.com` / `accounts.openai.com` through ISP/local DNS.
Run:
```bash
python3 - <<'PY'
import socket
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
PY
scutil --dns | sed -n '1,120p'
curl -I -L --max-time 20 https://chatgpt.com/
```
If `chatgpt.com` resolves to suspicious non-Cloudflare ranges such as `199.59.150.40` / `202.160.128.16`, or `accounts.openai.com` resolves to `128.121.146.109` / `192.133.77.189` / `2001::80f2:f09b`, treat it as DNS pollution and stop before registration/OAuth. Ask BOSS to fix PassWall2 DNS takeover/remote DNS/fake-ip or redir-host. See `references/openai-chatgpt-browser-probe-2026-05-08.md`, `references/passwall2-openai-dns-pollution-2026-05-08.md`, and `references/openai-lan-proxy-endpoint-probe-2026-05-08.md` for browser/TLS/proxy endpoint failure patterns.
When BOSS provides a LAN proxy endpoint such as `socks5://192.168.2.8:1085` or `http://192.168.2.8:1084`, test the endpoint before launching Chrome:
```bash
ping -c 2 -W 1000 192.168.2.8 || true
nc -vz -w 5 192.168.2.8 1085 || true
curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/
```
Use `socks5h://` with `curl` so DNS resolution happens through the SOCKS proxy. If proxy TCP tests fail with `No route to host`, stop: this is a LAN/gateway/proxy reachability problem, not an OpenAI OAuth or extension problem.
### OpenAI/ChatGPT direct-connect preflight before launching Chrome
Before opening the visible Chrome registration flow, run a raw DNS/TLS preflight even if the rest of the environment looks healthy:
```bash
python3 - <<'PY'
import socket
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
try:
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
except Exception as e:
print(host, 'ERR', e)
PY
curl -I -L --max-time 25 https://chatgpt.com/ | sed -n '1,30p'
```
If `BROWSER_PROXY_SERVER` is empty and DNS/TLS shows known pollution or transport failure, **stop before launching the registration/OAuth flow**. Examples observed during BOSS's Codex2API + GoPay plan-A test:
- `chatgpt.com` resolving to non-Cloudflare/suspicious ranges such as `67.230.169.182` or odd IPv6 entries.
- `accounts.openai.com` resolving to suspicious ranges such as `199.59.149.234` / `2001::...`.
- `curl https://chatgpt.com/` failing with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`.
Treat this as an environment/proxy/DNS problem, not an extension, ClawEmail, Codex2API, or account problem. Ask BOSS to fill a reachable `BROWSER_PROXY_SERVER=socks5://host:port` or `http://host:port`, then re-run proxy TCP/exit-IP/ChatGPT checks before starting Chrome. This avoids burning a registration attempt on a flow that will almost certainly stall on OpenAI auth.
```bash
PROXY='socks5h://192.168.2.8:1085'
nc -vz -w 3 192.168.2.8 1085 || true
curl --proxy "$PROXY" -I -L --max-time 25 https://chatgpt.com/ 2>&1 | sed -n '1,80p'
curl --proxy "$PROXY" --max-time 15 https://api.ipify.org 2>&1 || true
route -n get 192.168.2.8 2>/dev/null || true
arp -n 192.168.2.8 || true
ping -c 3 -W 1000 192.168.2.8 || true
```
If the Mac cannot reach the gateway/port (`No route to host`, `Couldn't connect to server`, ping loss), report this as a local gateway/port problem rather than continuing OAuth or extension tests. See `references/passwall2-socks5-gateway-reachability-2026-05-08.md` for the session example.
### Extension launch appears successful but `chrome://extensions` is empty
Chrome/CDP can mislead in multi-profile sessions. A process may show `--load-extension`, and CDP may even transiently show a `chrome-extension://.../service_worker.js` target, while the intended unpacked extension is not actually visible or registered in the isolated profile.
Before starting OpenAI registration, verify the intended automation extension with stronger evidence:
- `chrome://extensions/` visibly shows the `codex-oauth-automation-extension` unpacked card; or
- `Default/Preferences` has an `extensions.settings` entry whose manifest/path match the intended repo; or
- the intended extension page/sidepanel opens and renders expected UI; or
- an extension-context runtime call reads the expected manifest/state.
If `chrome://extensions` is empty and `extensions.settings` is empty, stop before registration. Report the block as **extension launch/registration failure before signup**, keep the ClawEmail record pending/failed according to whether signup was actually attempted, and avoid burning the mailbox on a manual unsupported flow. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md` for the observed Chrome 147 anomaly and debug checklist.
### OpenAI verification email does not arrive in ClawEmail
A 2026-05-09 ordinary-registration test reached OpenAI's normal `email-verification` page with two fresh ClawEmail sub-mailboxes, but no OpenAI code arrived in inbox or spam even after resend. Both sub-mailboxes passed a self-send receive test, so the block was classified as OpenAI/ClawEmail deliverability rather than browser, proxy, extension, CAPTCHA, or phone-verification failure. See `references/openai-clawemail-verification-nondelivery-2026-05-09.md`.
### OpenAI email verification does not arrive
1. Confirm ClawEmail external receive is enabled on the **exact sub-mailbox** used for the run. Newly-created sub-mailboxes default to internal-only communication (`commLevel=1`, `extReceiveType=0`) and will silently miss OpenAI mail.
2. For BOSS's setup, keep ClawEmail Dashboard master-login state in a **dedicated persistent Chrome profile**, not in the disposable Codex OAuth browser profile:
- profile: `/Users/chick/.Hermes/workspace/browser-profiles/clawemail-dashboard-persistent`
- CDP port: `9224`
- URL: `https://claw.163.com/projects/dashboard/#/`
The Codex OAuth Chrome profile/port 9223 may be killed or recreated frequently; do not store Dashboard master login there.
3. After creating a run sub-mailbox, immediately update its communication settings before submitting it to OpenAI:
- call Dashboard API base `https://claw.163.com/mailserv-claw-dashboard` (observed via `performance.getEntriesByType('resource')`, not bare `/api/v1/...`)
- `GET /api/v1/workspaces` to obtain `workspaceId`
- `GET /api/v1/mailboxes?workspaceId=<workspaceId>` to find the sub-mailbox `id`
- `POST /api/v1/mailboxes/comm-settings?id=<mailboxId>` with JSON body `{"commLevel":2,"extReceiveType":1,"extSendType":0}`
- verify with `mail-cli clawemail info --uid <submailbox> --json` that `commLevel=2` and `extReceiveType=1`
4. Poll the **sub-mailbox profile**, not just the default primary mailbox profile. If the profile was deleted/recreated, fix `~/.config/mail-cli/config.json` or call `mail-cli` with a valid profile/user.
5. Check inbox and spam.
6. Send a self-test email to the sub-mailbox and verify it arrives.
7. If self-test works but OpenAI mail still does not arrive after resend, stop and record `openai_email_verification` failure; try a primary ClawEmail mailbox or another provider next.
### Proxy not applied
- Visit an IP-check page in the isolated browser before starting.
- If auth proxy fails, use a local forwarding proxy wrapper.
- Do not put proxy passwords in final answers.
### ClawEmail code not found
- Verify the email address submitted in step 2 matches `CLAWEMAIL_UID` or the created sub-mailbox.
- Use `mail-cli mail list --fid 1 --limit 20 --json` and inspect recent OpenAI messages.
- Check spam/deleted folders if inbox is empty.
### OAuth callback not captured
- Step `confirm-oauth` listens for localhost callback via webNavigation/tabs updates.
- Re-run the OAuth login/confirm steps only, not the full registration, unless the auth session is invalid.
- Verify target mode settings and state value mismatch errors.
### Target verify fails
- For SUB2API, verify URL/email/password/group/priority/proxy fields.
- For Codex2API, verify URL and admin key.
- For CPA, verify management origin/key and callback endpoint support.
- Do not print callback URL with `code=`; redact.
### Plus/GoPay fails
- Confirm Plus mode and payment method are correct.
- Confirm GPC helper URL/card key/phone/PIN/OTP channel settings.
- Stop before retrying paid operations repeatedly; ask BOSS.
See `references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md` for the session note covering the macOS TCC screenshot fix, LAN/SOCKS5 verification, and ordinary-registration prep sequence.
See `references/openai-clawemail-verification-nondelivery-2026-05-09.md` for the ordinary registration test where OpenAI reached the email-verification page for two ClawEmail submailboxes, but no OpenAI verification email arrived despite submailbox self-test delivery working.
See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md` for the phone-verification continuation where OpenAI `add-phone` required SMS, BOSS corrected that WhatsApp receive channels must not be used, and 5sim `activation/*/openai` orders plus visible country selection were identified as the right class of workflow.
See `references/openai-phone-verification-5sim-sms-2026-05-10.md` for early detailed retry notes: cancel failed 5sim orders before buying new ones, treat OpenAI `无法向此电话号码发送验证码` as a number/provider rejection, and avoid CDP-only mutations that desync the React country selector back to `美国 (+1)`. **Do not copy the early Vietnam-default assumption when `FIVE_SIM_COUNTRY_ORDER` is set; use the corrected precedence in `references/openai-phone-verification-country-order-account-deactivated-2026-05-10.md`.**
See `references/openai-add-phone-1083-vietnam-resend-2026-05-10.md` for the follow-up test requested by BOSS: switch browser proxy to `socks5://192.168.2.8:1083`, regenerate Codex2API OAuth URL from the origin API when the auth session expires, continue with configured-country `vietnam` SMS activation, and for non-rejected numbers poll 5sim then click `重新发送` before canceling/retrying.
See `references/openai-phone-verification-country-order-account-deactivated-2026-05-10.md` for the correction that `FIVE_SIM_COUNTRY_ORDER` (for example `argentina,netherlands,indonesia`) takes precedence over empty `FIVE_SIM_COUNTRY_ID` and default `vietnam`, plus the recovery rule that `account_deactivated` during email verification ends phone attempts for that mailbox.
## Verification Checklist
- [ ] Config file exists at `~/.hermes/env/codex_oauth_onboarding.env` with mode-specific fields.
- [ ] ClawEmail auth passes.
- [ ] Isolated browser profile is not the normal personal profile.
- [ ] Browser exit IP matches intended proxy.
- [ ] Extension is loaded and sidepanel opens.
- [ ] Only one target mode is active.
- [ ] Plus payment was explicitly approved if enabled.
- [ ] Target platform shows the OAuth account/session after verification.
- [ ] Final report redacts all secrets, callback codes, passwords, API keys, and proxy credentials.