diff --git a/skill/codex-oauth-plus-onboarding/SKILL.md b/skill/codex-oauth-plus-onboarding/SKILL.md index 9ce16ad..5a32a34 100644 --- a/skill/codex-oauth-plus-onboarding/SKILL.md +++ b/skill/codex-oauth-plus-onboarding/SKILL.md @@ -49,8 +49,8 @@ These are confirmed operating rules for BOSS's environment: - Phone/SMS platform has no default. Keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless BOSS configures one or approves enabling it after a phone verification appears. - If phone verification appears and BOSS has configured 5sim, use **SMS activation for `openai`**, not WhatsApp receive channels. The original extension's 5sim provider buys `/v1/user/buy/activation/{country}/{operator}/openai`, polls `/v1/user/check/{activationId}`, and finishes/cancels the activation. **Before buying any 5sim number, pass the identity gate:** the browser must already be confirmed on `auth.openai.com/add-phone` for a usable OpenAI account. If OpenAI returns `account_deactivated`, if ClawEmail cannot create a new sub-mailbox due to quota, or if reused sub-mailboxes only show password mismatch, stop and ask BOSS to free mailbox quota/provide the correct password/approve another mailbox provider. **Country selection priority is `FIVE_SIM_COUNTRY_ORDER` first** (comma-separated list such as `argentina,netherlands,indonesia`), then `FIVE_SIM_COUNTRY_ID`, then the original extension default `vietnam` only if both are empty. For each configured country, rotate numbers up to `PHONE_VERIFICATION_REPLACEMENT_LIMIT`; do **not** silently switch outside the configured order unless BOSS approves. Before buying/submitting a non-USA number, verify the OpenAI visible country selector is already the expected country (for example `阿根廷 (+54)`, `荷兰 (+31)`, `印度尼西亚 (+62)`, or `越南 (+84)`); if it reverted to `美国 (+1)`, fix the selector first or the number will be parsed as invalid. Use visible UI paste/click on `add-phone` when possible because CDP-only input mutation can desync React state and revert the country on submit. If a number is **not immediately rejected**, do not cancel it after one polling timeout: poll 5sim, click OpenAI `重新发送`, poll again, and retry resend at least once before canceling/rotating. If changing proxy (for example `1085` → `1083` or back), expect OpenAI auth session invalidation and restart from a fresh target OAuth URL. Codex2API env URLs may point at `/admin/accounts`; derive the API origin before calling `/api/admin/oauth/generate-auth-url`. If OpenAI returns `account_deactivated` after email verification, stop the current account and start with a new ClawEmail sub-mailbox instead of burning 5sim numbers. See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md`, `references/openai-phone-verification-5sim-sms-2026-05-10.md`, `references/openai-phone-verification-proxy1083-resend-2026-05-10.md`, `references/codex-oauth-token-lite-automation-flow-2026-05-10.md`, and `references/clawemail-quota-identity-gate-before-phone-verify-2026-05-10.md` for observed behavior, resend strategy, proxy-switch recovery, identity-gate checks, and pitfalls. - If a phone-verification runner is stopped or interrupted, immediately inspect/cancel any active 5sim activation left in `RECEIVED`; killed scripts may not execute cleanup. For a UK `+44` run, use 5sim country slug `england`, OpenAI ISO `GB`, visible selector `英国 (+44)`, and dial prefix `44`. For a Europe broadened run requested as Italy/Poland/Spain/UK, use `italy -> IT -> 意大利 (+39)`, `poland -> PL -> 波兰 (+48)`, `spain -> ES -> 西班牙 (+34)`, and `england -> GB -> 英国 (+44)`. For Chile, use `chile -> CL -> 智利 (+56)` and prefix `56`; 5sim may return HTTP 200 `text/plain` body `no free phones` for `/v1/user/buy/activation/chile/any/openai`, which means no activation was created and no cancellation is needed. When BOSS says to run “10 次” across a country set, treat it as **10 total attempts across the ordered set**, not 10 per country, unless he explicitly says per-country; if BOSS says each region switches after 3 consecutive failures, schedule chunks as `country x3 -> next country`, capped by the global total. **For global budgets larger than one full pass of chunks, cycle the country chunks until the global budget is exhausted** (e.g. 20 attempts with 4 countries and chunk size 3 must continue after UK back to Italy; do not stop at 12). When BOSS asks for free-country exploration, ignore stale `FIVE_SIM_COUNTRY_ORDER`, use a broad OpenAI-supported candidate map, cap each country (for example 2 real activations), and count only successful 5sim buys with activation ids toward the global budget; `no free phones`, country-gate/CDP errors before buying, and OAuth recovery failures are not real attempts. 5sim may return HTTP 200 `text/plain` such as `no free phones` from buy endpoints; classify it as inventory miss, no cancellation needed. For the 2026-05-10 EU4 total-20 run, all 20 real activations ended with zero SMS and WhatsApp resend classification; see `references/openai-add-phone-eu4-total20-real-activations-2026-05-10.md`. For the 2026-05-10 free-country run, Vietnam succeeded with a 5sim `openai` SMS activation, OpenAI phone verification passed, and OAuth consent produced a callback; the remaining blocker was Codex2API server-side token exchange returning `unsupported_country_region_territory` even after setting admin `proxy_url`, so inspect/fix Codex2API outbound proxy use for token exchange before retrying final callback. See `references/openai-phone-free-country-vietnam-sms-success-codex2api-region-block-2026-05-10.md`. For free-country runner policy and 5sim inventory quirks, see `references/openai-add-phone-free-country-runner-policy-2026-05-10.md`. Before buying any 5sim activation, enforce the `add-phone` identity gate: the active OpenAI page must already be a usable `https://auth.openai.com/add-phone`; if recovery lands on password mismatch, `invalid_state`, stale email verification, or `account_deactivated`, stop before buying numbers. One-off country test runners must hardcode/validate their effective country order at startup (e.g. `ORDER=['chile']`) and abort if it still reads a stale env order. Before opening a fresh OAuth recovery tab, close stale `auth.openai.com` / `phone-verification` / localhost callback tabs unless the current tab is already a usable `add-phone` page; this prevents tab pile-up and CDP target ambiguity. Before clicking OpenAI resend, **probe the resend channel without clicking** by reading button `value`/`aria-label`/`title`/text; if it says WhatsApp and BOSS's policy is SMS-only, cancel the SMS activation and rotate/stop instead of clicking. Classify `This page isn’t working` / `HTTP ERROR 500` / `500 Internal Server Error` after resend as `resend_server_error`, cancel the order, and recover to `add-phone`. See `references/openai-add-phone-strict-country-gate-2026-05-10.md`, `references/openai-add-phone-uk44-and-runner-cleanup-2026-05-10.md`, `references/openai-add-phone-eu4-roundrobin-correction-2026-05-10.md`, `references/openai-add-phone-eu4-3fail-switch-results-2026-05-10.md`, `references/openai-phone-country-scheduler-cyclic-chunks-2026-05-10.md`, `references/openai-add-phone-chile-no-free-phones-2026-05-10.md`, `references/openai-login-recovery-gate-before-phone-runs-2026-05-10.md`, `references/openai-oauth-tab-cleanup-before-recovery-2026-05-10.md`, and `references/official-extension-phone-update-2026-05-10.md`. -If Codex2API callback exchange fails with OpenAI `unsupported_country_region_territory`, switch to CPA / CLI Proxy API when BOSS provides `CPA_VPS_URL` and `CPA_VPS_PASSWORD`: log in to `management.html`, use actual management endpoints under `/v0/management`, generate with `GET /v0/management/codex-auth-url?is_webui=true`, submit `POST /v0/management/oauth-callback` body `{"provider":"codex","redirect_url":"http://localhost:1455/auth/callback?..."}` with `Authorization: Bearer [CPA_VPS_PASSWORD]`, then verify `GET /v0/management/get-auth-status?state=` and `/v0/management/auth-files`. Do not use root `/api/auth/url` for Codex; it may be an unrelated Amp endpoint returning `amp upstream proxy not available`. See `references/cpa-panel-codex-oauth-success-2026-05-10.md`. -- Plus mode uses `PLUS_PAYMENT_METHOD=gopay`. Any paid GoPay action still requires explicit confirmation immediately before payment/approval. +If Codex2API callback exchange fails with OpenAI `unsupported_country_region_territory`, switch to CPA / CLI Proxy API when BOSS provides `CPA_VPS_URL` and `CPA_VPS_PASSWORD`. Original extension reference: `background/panel-bridge.js` derives the CPA management origin from `new URL(CPA_VPS_URL).origin`, then requests `GET /v0/management/codex-auth-url` with both `Authorization: Bearer ` and `X-Management-Key: `; the management UI may add `?is_webui=true`, which is also acceptable. It extracts OAuth URL from `url|auth_url|authUrl|data.*` and state from response or the URL. For callback submission, `background/steps/platform-verify.js` validates localhost callback contains `code` and `state`, rejects mismatched `cpaOAuthState`, then posts `POST /v0/management/oauth-callback` body `{"provider":"codex","redirect_url":"http://localhost:1455/auth/callback?..."}` with the same two headers. Verify via `GET /v0/management/get-auth-status?state=` and `/v0/management/auth-files`. Do not use root `/api/auth/url` for Codex; it may be an unrelated Amp endpoint returning `amp upstream proxy not available`. See `references/cpa-panel-codex-oauth-success-2026-05-10.md`. +- Plus mode uses - GoPay WhatsApp OTP uses **方案 A / manual checkpoint**: set `GOPAY_OTP_SOURCE=manual`. The extension detects OTP input and opens a side-panel prompt (`requestGoPayOtpInput` / “输入 GoPay 验证码”); BOSS pastes the WhatsApp code, then the extension fills OTP, fills `GOPAY_PIN`, and continues. - `GOPAY_OTP` should normally stay empty before the run. It is only a temporary prefill/cache for the current OTP dialog, not a durable secret. - Do not implement WhatsApp scraping/API automation unless BOSS explicitly requests it later. diff --git a/skill/codex-oauth-plus-onboarding/references/cpa-original-extension-api-notes-2026-05-10.md b/skill/codex-oauth-plus-onboarding/references/cpa-original-extension-api-notes-2026-05-10.md new file mode 100644 index 0000000..e0b2d65 --- /dev/null +++ b/skill/codex-oauth-plus-onboarding/references/cpa-original-extension-api-notes-2026-05-10.md @@ -0,0 +1,162 @@ +# CPA / CLI Proxy API details learned from original extension + +Source repository checked: + +```text +https://github.com/QLHazyCoder/codex-oauth-automation-extension +commit d058676f9579825f74a02e9d8264868eb7d7e896 +``` + +Relevant source files: + +```text +background/panel-bridge.js +tests/background-panel-bridge-module.test.js +background/steps/platform-verify.js +tests/background-platform-verify-cpa-api.test.js +``` + +## Management origin + +The extension does **not** use the full `CPA_VPS_URL` path as the API base. It derives the origin: + +```js +const origin = new URL(CPA_VPS_URL).origin; +``` + +Example: + +```text +CPA_VPS_URL=http://192.168.2.62:8317/management.html +origin=http://192.168.2.62:8317 +``` + +## Auth headers + +For CPA management API calls, the original extension sends both headers: + +```text +Authorization: Bearer [CPA_VPS_PASSWORD] +X-Management-Key: [CPA_VPS_PASSWORD] +Accept: application/json +Content-Type: application/json +``` + +During the successful Hermes run, `Authorization: Bearer ...` alone worked, but the reusable workflow should include both headers to match the extension and tests. + +## Generate Codex OAuth URL + +Original extension endpoint: + +```text +GET /v0/management/codex-auth-url +``` + +The CPA management UI also calls: + +```text +GET /v0/management/codex-auth-url?is_webui=true +``` + +Both shapes are valid enough to try. Prefer the original extension endpoint first; if the UI is already open or remote-browser mode is expected, `?is_webui=true` is acceptable. + +The extension extracts the OAuth URL from any of: + +```text +url +auth_url +authUrl +data.url +data.auth_url +data.authUrl +``` + +It extracts the OAuth state from any of: + +```text +state +auth_state +authState +data.state +data.auth_state +data.authState +``` + +If the API payload has no explicit state, parse `state` from the returned OAuth URL. + +## Submit localhost callback + +Before submission, validate: + +```text +callback URL parses as URL +callback query has code +callback query has state +if expected cpaOAuthState is known, it must equal callback.state +``` + +Endpoint: + +```text +POST /v0/management/oauth-callback +``` + +Body: + +```json +{ + "provider": "codex", + "redirect_url": "http://localhost:1455/auth/callback?code=[REDACTED]&state=[REDACTED]" +} +``` + +Success can be: + +```json +{"status":"ok"} +``` + +or a message field such as: + +```json +{"message":"CPA API 回调提交成功"} +``` + +## Verify + +Status: + +```text +GET /v0/management/get-auth-status?state= +``` + +Expected: + +```json +{"status":"ok"} +``` + +Auth files: + +```text +GET /v0/management/auth-files +``` + +Look for a Codex file such as: + +```json +{ + "provider": "codex", + "status": "active", + "account_type": "oauth", + "name": "codex--free.json" +} +``` + +## Pitfalls + +- Do not call root `/codex-auth-url`; it returns 404. +- Do not call root `/api/auth/url` for Codex. On the tested CPA instance it returned `amp upstream proxy not available`, which is unrelated to Codex OAuth. +- Do not submit a callback if its `state` does not match the generated CPA OAuth state; original extension fails fast before any API call. +- If `CPA_VPS_PASSWORD` is empty, stop before API calls; original extension requires the management key. +- If direct API discovery fails, open `management.html`, log in, click “OAuth 登录 → 开始 Codex 登录”, and inspect requests. The UI network calls reveal `/v0/management/codex-auth-url?is_webui=true` and polling `/v0/management/get-auth-status`.