docs: record CPA Codex OAuth success

This commit is contained in:
2026-05-10 22:23:52 +08:00
parent 07c86717c1
commit 7fc10a2a46
2 changed files with 97 additions and 0 deletions
@@ -49,6 +49,7 @@ These are confirmed operating rules for BOSS's environment:
- Phone/SMS platform has no default. Keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless BOSS configures one or approves enabling it after a phone verification appears.
- If phone verification appears and BOSS has configured 5sim, use **SMS activation for `openai`**, not WhatsApp receive channels. The original extension's 5sim provider buys `/v1/user/buy/activation/{country}/{operator}/openai`, polls `/v1/user/check/{activationId}`, and finishes/cancels the activation. **Before buying any 5sim number, pass the identity gate:** the browser must already be confirmed on `auth.openai.com/add-phone` for a usable OpenAI account. If OpenAI returns `account_deactivated`, if ClawEmail cannot create a new sub-mailbox due to quota, or if reused sub-mailboxes only show password mismatch, stop and ask BOSS to free mailbox quota/provide the correct password/approve another mailbox provider. **Country selection priority is `FIVE_SIM_COUNTRY_ORDER` first** (comma-separated list such as `argentina,netherlands,indonesia`), then `FIVE_SIM_COUNTRY_ID`, then the original extension default `vietnam` only if both are empty. For each configured country, rotate numbers up to `PHONE_VERIFICATION_REPLACEMENT_LIMIT`; do **not** silently switch outside the configured order unless BOSS approves. Before buying/submitting a non-USA number, verify the OpenAI visible country selector is already the expected country (for example `阿根廷 (+54)`, `荷兰 (+31)`, `印度尼西亚 (+62)`, or `越南 (+84)`); if it reverted to `美国 (+1)`, fix the selector first or the number will be parsed as invalid. Use visible UI paste/click on `add-phone` when possible because CDP-only input mutation can desync React state and revert the country on submit. If a number is **not immediately rejected**, do not cancel it after one polling timeout: poll 5sim, click OpenAI `重新发送`, poll again, and retry resend at least once before canceling/rotating. If changing proxy (for example `1085``1083` or back), expect OpenAI auth session invalidation and restart from a fresh target OAuth URL. Codex2API env URLs may point at `/admin/accounts`; derive the API origin before calling `/api/admin/oauth/generate-auth-url`. If OpenAI returns `account_deactivated` after email verification, stop the current account and start with a new ClawEmail sub-mailbox instead of burning 5sim numbers. See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md`, `references/openai-phone-verification-5sim-sms-2026-05-10.md`, `references/openai-phone-verification-proxy1083-resend-2026-05-10.md`, `references/codex-oauth-token-lite-automation-flow-2026-05-10.md`, and `references/clawemail-quota-identity-gate-before-phone-verify-2026-05-10.md` for observed behavior, resend strategy, proxy-switch recovery, identity-gate checks, and pitfalls.
- If a phone-verification runner is stopped or interrupted, immediately inspect/cancel any active 5sim activation left in `RECEIVED`; killed scripts may not execute cleanup. For a UK `+44` run, use 5sim country slug `england`, OpenAI ISO `GB`, visible selector `英国 (+44)`, and dial prefix `44`. For a Europe broadened run requested as Italy/Poland/Spain/UK, use `italy -> IT -> 意大利 (+39)`, `poland -> PL -> 波兰 (+48)`, `spain -> ES -> 西班牙 (+34)`, and `england -> GB -> 英国 (+44)`. For Chile, use `chile -> CL -> 智利 (+56)` and prefix `56`; 5sim may return HTTP 200 `text/plain` body `no free phones` for `/v1/user/buy/activation/chile/any/openai`, which means no activation was created and no cancellation is needed. When BOSS says to run “10 次” across a country set, treat it as **10 total attempts across the ordered set**, not 10 per country, unless he explicitly says per-country; if BOSS says each region switches after 3 consecutive failures, schedule chunks as `country x3 -> next country`, capped by the global total. **For global budgets larger than one full pass of chunks, cycle the country chunks until the global budget is exhausted** (e.g. 20 attempts with 4 countries and chunk size 3 must continue after UK back to Italy; do not stop at 12). When BOSS asks for free-country exploration, ignore stale `FIVE_SIM_COUNTRY_ORDER`, use a broad OpenAI-supported candidate map, cap each country (for example 2 real activations), and count only successful 5sim buys with activation ids toward the global budget; `no free phones`, country-gate/CDP errors before buying, and OAuth recovery failures are not real attempts. 5sim may return HTTP 200 `text/plain` such as `no free phones` from buy endpoints; classify it as inventory miss, no cancellation needed. For the 2026-05-10 EU4 total-20 run, all 20 real activations ended with zero SMS and WhatsApp resend classification; see `references/openai-add-phone-eu4-total20-real-activations-2026-05-10.md`. For the 2026-05-10 free-country run, Vietnam succeeded with a 5sim `openai` SMS activation, OpenAI phone verification passed, and OAuth consent produced a callback; the remaining blocker was Codex2API server-side token exchange returning `unsupported_country_region_territory` even after setting admin `proxy_url`, so inspect/fix Codex2API outbound proxy use for token exchange before retrying final callback. See `references/openai-phone-free-country-vietnam-sms-success-codex2api-region-block-2026-05-10.md`. For free-country runner policy and 5sim inventory quirks, see `references/openai-add-phone-free-country-runner-policy-2026-05-10.md`. Before buying any 5sim activation, enforce the `add-phone` identity gate: the active OpenAI page must already be a usable `https://auth.openai.com/add-phone`; if recovery lands on password mismatch, `invalid_state`, stale email verification, or `account_deactivated`, stop before buying numbers. One-off country test runners must hardcode/validate their effective country order at startup (e.g. `ORDER=['chile']`) and abort if it still reads a stale env order. Before opening a fresh OAuth recovery tab, close stale `auth.openai.com` / `phone-verification` / localhost callback tabs unless the current tab is already a usable `add-phone` page; this prevents tab pile-up and CDP target ambiguity. Before clicking OpenAI resend, **probe the resend channel without clicking** by reading button `value`/`aria-label`/`title`/text; if it says WhatsApp and BOSS's policy is SMS-only, cancel the SMS activation and rotate/stop instead of clicking. Classify `This page isnt working` / `HTTP ERROR 500` / `500 Internal Server Error` after resend as `resend_server_error`, cancel the order, and recover to `add-phone`. See `references/openai-add-phone-strict-country-gate-2026-05-10.md`, `references/openai-add-phone-uk44-and-runner-cleanup-2026-05-10.md`, `references/openai-add-phone-eu4-roundrobin-correction-2026-05-10.md`, `references/openai-add-phone-eu4-3fail-switch-results-2026-05-10.md`, `references/openai-phone-country-scheduler-cyclic-chunks-2026-05-10.md`, `references/openai-add-phone-chile-no-free-phones-2026-05-10.md`, `references/openai-login-recovery-gate-before-phone-runs-2026-05-10.md`, `references/openai-oauth-tab-cleanup-before-recovery-2026-05-10.md`, and `references/official-extension-phone-update-2026-05-10.md`.
If Codex2API callback exchange fails with OpenAI `unsupported_country_region_territory`, switch to CPA / CLI Proxy API when BOSS provides `CPA_VPS_URL` and `CPA_VPS_PASSWORD`: log in to `management.html`, use actual management endpoints under `/v0/management`, generate with `GET /v0/management/codex-auth-url?is_webui=true`, submit `POST /v0/management/oauth-callback` body `{"provider":"codex","redirect_url":"http://localhost:1455/auth/callback?..."}` with `Authorization: Bearer [CPA_VPS_PASSWORD]`, then verify `GET /v0/management/get-auth-status?state=<state>` and `/v0/management/auth-files`. Do not use root `/api/auth/url` for Codex; it may be an unrelated Amp endpoint returning `amp upstream proxy not available`. See `references/cpa-panel-codex-oauth-success-2026-05-10.md`.
- Plus mode uses `PLUS_PAYMENT_METHOD=gopay`. Any paid GoPay action still requires explicit confirmation immediately before payment/approval.
- GoPay WhatsApp OTP uses **方案 A / manual checkpoint**: set `GOPAY_OTP_SOURCE=manual`. The extension detects OTP input and opens a side-panel prompt (`requestGoPayOtpInput` / “输入 GoPay 验证码”); BOSS pastes the WhatsApp code, then the extension fills OTP, fills `GOPAY_PIN`, and continues.
- `GOPAY_OTP` should normally stay empty before the run. It is only a temporary prefill/cache for the current OTP dialog, not a durable secret.
@@ -0,0 +1,96 @@
# CPA panel OAuth callback success (2026-05-10)
## Context
After a successful OpenAI phone verification with the free-country runner, Codex2API callback exchange kept failing with:
```text
unsupported_country_region_territory
```
BOSS switched the target panel to CPA / CLI Proxy API and said the env was configured.
## CPA panel
Env keys used:
```text
CPA_VPS_URL=http://192.168.2.62:8317/management.html
CPA_VPS_PASSWORD=[REDACTED]
```
The panel is CLI Proxy API Management Center v6.9.38.
Important API base discovered from the management UI bundle/network:
```text
/v0/management
```
Actual endpoints:
```text
GET /v0/management/codex-auth-url?is_webui=true
GET /v0/management/get-auth-status?state=<state>
POST /v0/management/oauth-callback
```
Callback submission body:
```json
{
"provider": "codex",
"redirect_url": "http://localhost:1455/auth/callback?code=[REDACTED]&state=[REDACTED]"
}
```
Auth header:
```text
Authorization: Bearer [CPA_VPS_PASSWORD]
```
## Result
CPA generated a Codex OAuth URL. The already phone-verified account was used:
```text
chickliu.apwkwesb@claw.163.com
```
OpenAI consent produced a localhost callback. Submitting it to CPA returned:
```json
{"status":"ok"}
```
Polling auth status returned:
```json
{"status":"ok"}
```
CPA auth files confirmed the new Codex credential:
```json
{
"name": "codex-chickliu.apwkwesb@claw.163.com-free.json",
"provider": "codex",
"status": "active",
"account_type": "oauth",
"plan_type": "free"
}
```
Credential path on CPA host:
```text
/root/.cli-proxy-api/codex-chickliu.apwkwesb@claw.163.com-free.json
```
## Notes
- The CPA root `/api/auth/url` route returned `amp upstream proxy not available`; it is not the Codex OAuth endpoint.
- Do not guess root endpoints. Use `/v0/management/*` for management OAuth.
- If direct curl guesses fail with 404, open `management.html`, log in, and inspect network calls. The UI calls `/v0/management/codex-auth-url?is_webui=true`.
- The panel dashboard showed proxy URL `http://192.168.2.8:1082`; token exchange succeeded through CPA, unlike Codex2API.