docs: update OpenAI phone verification retry notes
This commit is contained in:
@@ -0,0 +1,525 @@
|
||||
---
|
||||
name: codex-oauth-plus-onboarding
|
||||
description: "Use when BOSS asks to register a ChatGPT/Codex OAuth account flow with ClawEmail, optionally open Plus through GoPay/GPC, and authorize the OAuth callback into SUB2API, Codex2API, or CPA using an isolated proxied browser profile."
|
||||
version: 1.0.0
|
||||
author: Hermes Agent
|
||||
license: MIT
|
||||
metadata:
|
||||
hermes:
|
||||
tags: [codex, oauth, clawemail, gopay, sub2api, codex2api, cpa, browser-automation]
|
||||
related_skills: [clawemail-operations, browser-extension-storage-audit]
|
||||
---
|
||||
|
||||
# Codex OAuth + Plus Onboarding
|
||||
|
||||
## Overview
|
||||
|
||||
This skill describes the safe, repeatable workflow for using the local `codex-oauth-automation-extension` project to run a **single user-authorized onboarding flow**:
|
||||
|
||||
1. Use **ClawEmail** as the registration mailbox.
|
||||
2. Register/Login through ChatGPT/OpenAI auth.
|
||||
3. Optionally open ChatGPT Plus through **GoPay / GPC helper**.
|
||||
4. Complete OAuth authorization.
|
||||
5. Submit the localhost OAuth callback to exactly one configured target: **SUB2API**, **Codex2API**, or **CPA**.
|
||||
6. Run the browser in an isolated profile with a dedicated proxy.
|
||||
|
||||
The skill is for BOSS's own infrastructure and accounts only. Do not use it for spam, credential stuffing, rate-limit evasion, CAPTCHA bypass, unauthorized account creation, or bulk registration. If a page asks for CAPTCHA, security challenge, phone ownership proof, payment confirmation, or another user-visible anti-abuse checkpoint, pause and ask BOSS to complete/approve it manually.
|
||||
|
||||
## When to Use
|
||||
|
||||
Use this skill when BOSS asks for any of these:
|
||||
|
||||
- “用 ClawEmail 注册 Codex / ChatGPT OAuth,然后授权到 SUB2API / Codex2API / CPA”
|
||||
- “用 GoPay 开 Plus 后把 OAuth 接进去”
|
||||
- “把 QLHazyCoder/codex-oauth-automation-extension 那套流程跑起来”
|
||||
- “给这个注册流程做独立代理、无痕/隔离浏览器配置”
|
||||
- “把这个流程做成可复用配置和操作步骤”
|
||||
|
||||
Also load `clawemail-operations` before any ClawEmail mailbox work.
|
||||
|
||||
## BOSS-specific Operating Defaults
|
||||
|
||||
These are confirmed operating rules for BOSS's environment:
|
||||
|
||||
- Use **Google Chrome stable** at `/Applications/Google Chrome.app/Contents/MacOS/Google Chrome` with a real visible window.
|
||||
- Do **not** set a default target platform. If `PANEL_MODE` is empty or not one of `cpa|sub2api|codex2api`, stop before launching the run.
|
||||
- Proxies are supplied as unauthenticated `socks5://host:port` or `http://host:port`; do not expect proxy username/password.
|
||||
- The new account password is unified through `CUSTOM_PASSWORD`. If it is empty, stop and ask BOSS to fill it, unless BOSS explicitly allows auto-generation for that run.
|
||||
- ClawEmail creates a fresh mailbox for every run (`CLAWEMAIL_CREATE_PER_RUN=true`). Record every created mailbox locally with outcome classification: pending, success, failed.
|
||||
- Phone/SMS platform has no default. Keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless BOSS configures one or approves enabling it after a phone verification appears.
|
||||
- If phone verification appears and BOSS has configured 5sim, use **SMS activation for `openai`**, not WhatsApp receive channels. The original extension's 5sim provider buys `/v1/user/buy/activation/{country}/{operator}/openai`, polls `/v1/user/check/{activationId}`, and finishes/cancels the activation. Follow the configured `FIVE_SIM_COUNTRY_ID` first; if it is empty, the extension default is `vietnam`. Do **not** silently switch countries after a rejected number unless BOSS changes config or approves fallback. Before buying/submitting a non-USA number, verify the OpenAI visible country selector is already the expected country (for example `越南 (+84)`); if it reverted to `美国 (+1)`, fix the selector first or the number will be parsed as invalid. Use visible UI paste/click on `add-phone` when possible because CDP-only input mutation can desync React state and revert the country on submit. If a number is **not immediately rejected**, do not cancel it after one polling timeout: poll 5sim, click OpenAI `重新发送`, poll again, and retry resend at least once before canceling/rotating. If changing proxy (for example `1085` → `1083`), expect OpenAI auth session invalidation and restart from a fresh target OAuth URL. Codex2API env URLs may point at `/admin/accounts`; derive the API origin before calling `/api/admin/oauth/generate-auth-url`. See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md`, `references/openai-phone-verification-5sim-sms-2026-05-10.md`, and `references/openai-phone-verification-proxy1083-resend-2026-05-10.md` for observed behavior, resend strategy, proxy-switch recovery, and pitfalls.
|
||||
- Plus mode uses `PLUS_PAYMENT_METHOD=gopay`. Any paid GoPay action still requires explicit confirmation immediately before payment/approval.
|
||||
- GoPay WhatsApp OTP uses **方案 A / manual checkpoint**: set `GOPAY_OTP_SOURCE=manual`. The extension detects OTP input and opens a side-panel prompt (`requestGoPayOtpInput` / “输入 GoPay 验证码”); BOSS pastes the WhatsApp code, then the extension fills OTP, fills `GOPAY_PIN`, and continues.
|
||||
- `GOPAY_OTP` should normally stay empty before the run. It is only a temporary prefill/cache for the current OTP dialog, not a durable secret.
|
||||
- Do not implement WhatsApp scraping/API automation unless BOSS explicitly requests it later.
|
||||
|
||||
- When BOSS says the environment is normal and asks to start registration testing, treat `socks5://192.168.2.8:1085` as the expected browser proxy unless BOSS overrides it. If `BROWSER_PROXY_SERVER` is empty, patch the local env to this SOCKS5 endpoint and verify it before launching Chrome; do not stop with a question asking whether to use it.
|
||||
- For ordinary-account test runs, set `PLUS_MODE_ENABLED=false` before launching. Keep `PLUS_PAYMENT_METHOD=gopay` untouched for later Plus runs, but do not enter Plus/payment steps.
|
||||
- Registration/OAuth tests are step-gated for BOSS: after environment/config prep and mailbox creation, report the created mailbox and wait for explicit “继续” before launching the visible browser flow.
|
||||
|
||||
1. **Explicit target**: BOSS must specify exactly one target mode: `sub2api`, `codex2api`, or `cpa`; there is no default target, and an empty `PANEL_MODE` must stop execution.
|
||||
2. **Single-run default**: default to one account / one OAuth flow unless BOSS explicitly requests a count.
|
||||
3. **No CAPTCHA bypass**: if Cloudflare/CAPTCHA/security challenge appears, stop and report the required manual action.
|
||||
4. **Payment checkpoint**: Plus mode is GoPay for BOSS, but before any GoPay payment or paid operation, confirm that BOSS wants to proceed.
|
||||
5. **No secret leakage**: never print API keys, admin keys, proxy addresses if sensitive, refresh tokens, card keys, or OAuth callback URLs containing `code=` in final summaries. Redact as `[REDACTED]`.
|
||||
6. **Config export risk**: the extension’s built-in settings export may contain secrets. Treat exported files as sensitive.
|
||||
7. **Mailbox records**: every freshly-created ClawEmail mailbox must be recorded locally with run id and final status (`pending`, `success`, or `failed`).
|
||||
|
||||
## Repository and Local Paths
|
||||
|
||||
Known research clone:
|
||||
|
||||
```bash
|
||||
/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
|
||||
```
|
||||
|
||||
If missing, clone shallow:
|
||||
|
||||
```bash
|
||||
mkdir -p /Users/chick/.Hermes/workspace/research
|
||||
cd /Users/chick/.Hermes/workspace/research
|
||||
git clone --depth=1 https://github.com/QLHazyCoder/codex-oauth-automation-extension.git
|
||||
```
|
||||
|
||||
Validate tests when modifying or before relying on a changed checkout:
|
||||
|
||||
```bash
|
||||
cd /Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
|
||||
node --test tests/*.test.js
|
||||
```
|
||||
|
||||
Observed verification result during initial study: `772` tests passed, `0` failed.
|
||||
|
||||
## Configuration File
|
||||
|
||||
Create a dedicated env file instead of typing secrets into chat. A fuller template is stored with this skill at `templates/codex_oauth_onboarding.env.example`. If BOSS has temporarily filled real values into that template, first copy it to the real env file, back up the filled template privately, and sanitize the template again; see `references/env-file-and-5sim-notes.md`.
|
||||
|
||||
```bash
|
||||
mkdir -p ~/.hermes/env
|
||||
chmod 700 ~/.hermes/env
|
||||
cp ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example ~/.hermes/env/codex_oauth_onboarding.env
|
||||
chmod 600 ~/.hermes/env/codex_oauth_onboarding.env
|
||||
$EDITOR ~/.hermes/env/codex_oauth_onboarding.env
|
||||
```
|
||||
|
||||
High-level required groups:
|
||||
|
||||
1. **Local project / browser**: `CODEX_OAUTH_EXTENSION_DIR`, `CHROME_BIN`, `BROWSER_PROFILE_ROOT`, `BROWSER_HEADLESS=false`.
|
||||
2. **Panel / target mode**: `PANEL_MODE=cpa|sub2api|codex2api` has **no default**; if empty, stop. Fill only the selected target’s auth fields copied from the original side panel (`CPA_VPS_URL`/`CPA_VPS_PASSWORD`, or `SUB2API_*`, or `CODEX2API_*`).
|
||||
3. **Proxy**: fill `BROWSER_PROXY_SERVER` with BOSS-provided unauthenticated `socks5://host:port` or `http://host:port`; use `IP_PROXY_*` only when using the original extension’s built-in 711proxy/IP proxy panel.
|
||||
4. **Registration identity and password**: `CLAWEMAIL_CREATE_PER_RUN=true`, `CLAWEMAIL_PREFIX`, `CLAWEMAIL_RECORD_FILE`, `SIGNUP_METHOD=email`, and unified `CUSTOM_PASSWORD`. For BOSS's ClawEmail per-run accounts, use a pure lowercase English **8-letter random create prefix with no base prefix** (example create prefix `abcdefgh`, resulting sub-mailbox shape `chickliu.abcdefgh@claw.163.com`). Live ClawEmail probing showed create prefixes are accepted only up to 11 characters and dots/hyphens are rejected despite docs/help text, so do not use `codex` + 8 letters. Store/observe the policy with `CLAWEMAIL_PREFIX=` (empty), `CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8`, `CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz`, and `CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true` when helper scripts support it; if not, generate the 8-letter prefix in the runner before calling `mail-cli clawemail create --prefix ...`.
|
||||
5. **Mail provider**: `MAIL_PROVIDER`, `EMAIL_GENERATOR`, and original-provider fields only if not polling ClawEmail from Hermes.
|
||||
6. **Phone/SMS verification fallback**: no default provider; keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless configured/approved.
|
||||
7. **Plus/payment**: `PLUS_MODE_ENABLED=true`, `PLUS_PAYMENT_METHOD=gopay`; paid operations still require explicit confirmation.
|
||||
|
||||
Minimal template excerpt:
|
||||
|
||||
```bash
|
||||
# Required: local extension repo
|
||||
CODEX_OAUTH_EXTENSION_DIR=/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
|
||||
```bash
|
||||
# Required: ClawEmail mailbox
|
||||
CLAWEMAIL_UID=chickliu@claw.163.com
|
||||
# BOSS preference: per-run sub-mailbox create prefix is exactly 8 lowercase English random letters.
|
||||
# Example create prefix: abcdefgh -> chickliu.abcdefgh@claw.163.com
|
||||
CLAWEMAIL_PREFIX=
|
||||
CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8
|
||||
CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz
|
||||
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
|
||||
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
|
||||
```
|
||||
# Browser isolation
|
||||
BROWSER_PROFILE_ROOT=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth
|
||||
BROWSER_HEADLESS=false
|
||||
BROWSER_PROXY_SERVER=http://host:port
|
||||
BROWSER_PROXY_USERNAME=
|
||||
BROWSER_PROXY_PASSWORD=
|
||||
|
||||
# Target mode: sub2api | codex2api | cpa
|
||||
OAUTH_TARGET_MODE=sub2api
|
||||
|
||||
# SUB2API settings
|
||||
SUB2API_URL=
|
||||
SUB2API_EMAIL=
|
||||
SUB2API_PASSWORD=
|
||||
SUB2API_GROUP_NAME=default
|
||||
SUB2API_ACCOUNT_PRIORITY=1
|
||||
SUB2API_DEFAULT_PROXY_NAME=
|
||||
|
||||
# Codex2API settings
|
||||
CODEX2API_URL=
|
||||
CODEX2API_ADMIN_KEY=
|
||||
|
||||
# CPA settings
|
||||
CPA_URL=
|
||||
CPA_MANAGEMENT_KEY=
|
||||
CPA_LOCAL_STEP9_MODE=submit
|
||||
|
||||
# Plus / GoPay / GPC helper settings
|
||||
PLUS_MODE_ENABLED=false
|
||||
PLUS_PAYMENT_METHOD=gpc-helper
|
||||
GPC_HELPER_API_URL=
|
||||
GPC_HELPER_CARD_KEY=
|
||||
GPC_HELPER_COUNTRY_CODE=+86
|
||||
GPC_HELPER_PHONE_NUMBER=
|
||||
GPC_HELPER_PIN=
|
||||
GPC_HELPER_OTP_CHANNEL=whatsapp
|
||||
GPC_HELPER_LOCAL_SMS_ENABLED=false
|
||||
GPC_HELPER_LOCAL_SMS_URL=http://127.0.0.1:18767
|
||||
|
||||
# Runtime behavior
|
||||
RUN_COUNT=1
|
||||
AUTO_RUN_SKIP_FAILURES=false
|
||||
AUTO_STEP_DELAY_SECONDS=2
|
||||
OAUTH_FLOW_TIMEOUT_ENABLED=true
|
||||
```
|
||||
|
||||
Rules:
|
||||
|
||||
- Keep this file local only; never commit it.
|
||||
- Use `[REDACTED]` in reports for all secret values.
|
||||
- If multiple target sections are filled, only the section selected by `OAUTH_TARGET_MODE` should be used.
|
||||
|
||||
## Browser Isolation and Proxy Strategy
|
||||
|
||||
This workflow must use a **real visible Chrome/Chromium browser**. Do not use headless browser mode for registration, payment, OAuth consent, or security-sensitive OpenAI/Auth pages.
|
||||
|
||||
Use a **dedicated browser profile** per run or per account. “无痕模式” in Chrome does not normally persist extension state and may not allow side panel/extensions unless explicitly enabled. For this extension, prefer a real visible browser with:
|
||||
|
||||
- Dedicated clean `user-data-dir` profile.
|
||||
- Loaded unpacked extension from `CODEX_OAUTH_EXTENSION_DIR`.
|
||||
- Proxy applied at browser launch or by a verified local proxy wrapper.
|
||||
- Human-visible UI for CAPTCHA/security/payment checkpoints.
|
||||
- Profile cleared after success if BOSS wants no local residue.
|
||||
|
||||
Recommended profile naming:
|
||||
|
||||
```bash
|
||||
RUN_ID=$(date +%Y%m%d-%H%M%S)
|
||||
PROFILE_DIR="$BROWSER_PROFILE_ROOT/$RUN_ID"
|
||||
mkdir -p "$PROFILE_DIR"
|
||||
```
|
||||
|
||||
Chrome launch pattern:
|
||||
|
||||
```bash
|
||||
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
|
||||
--user-data-dir="$PROFILE_DIR" \
|
||||
--disable-extensions-except="$CODEX_OAUTH_EXTENSION_DIR" \
|
||||
--load-extension="$CODEX_OAUTH_EXTENSION_DIR" \
|
||||
--proxy-server="$BROWSER_PROXY_SERVER" \
|
||||
--no-first-run \
|
||||
--no-default-browser-check
|
||||
```
|
||||
|
||||
If proxy authentication is required and Chrome launch flags do not authenticate reliably, use one of these approaches:
|
||||
|
||||
1. Use an upstream proxy URL that embeds auth only in a local proxy wrapper, not in command history.
|
||||
2. Start a local forwarding proxy that injects upstream credentials.
|
||||
3. Configure proxy credentials inside the extension only if the extension supports it and the config file is protected.
|
||||
|
||||
Do not reuse the normal personal browser profile for this workflow.
|
||||
|
||||
## ClawEmail Preparation
|
||||
|
||||
Load `clawemail-operations` and verify:
|
||||
|
||||
```bash
|
||||
mail-cli auth test --json
|
||||
mail-cli clawemail list --json
|
||||
mail-cli clawemail info --uid "$CLAWEMAIL_UID" --json
|
||||
```
|
||||
|
||||
Registration email choice:
|
||||
|
||||
- Default: use `CLAWEMAIL_UID` directly.
|
||||
- If BOSS wants per-run sub-mailboxes, create them with `mail-cli clawemail create --prefix ...` and set the extension’s registration email to the created UID.
|
||||
|
||||
For code retrieval, the extension may interact with mail provider pages or helper logic, but ClawEmail can also be polled by Hermes:
|
||||
|
||||
```bash
|
||||
mail-cli mail list --fid 1 --limit 20 --json
|
||||
mail-cli read body --id '<message-id>'
|
||||
```
|
||||
|
||||
Always quote message IDs.
|
||||
|
||||
## Extension Architecture Reference
|
||||
|
||||
The project is a Manifest V3 Chrome extension:
|
||||
|
||||
- `manifest.json`: permissions, host permissions, content scripts, side panel.
|
||||
- `background.js`: service worker and state orchestration.
|
||||
- `background/message-router.js`: handles sidepanel messages such as `EXECUTE_STEP`, `AUTO_RUN`, `SAVE_SETTING`, `EXPORT_SETTINGS`, `IMPORT_SETTINGS`.
|
||||
- `data/step-definitions.js`: step list for normal and Plus modes.
|
||||
- `background/steps/*.js`: one executor per major step.
|
||||
- `content/signup-page.js`: OpenAI/Auth page DOM automation.
|
||||
- `content/*mail*.js`: mail provider automation.
|
||||
- `sidepanel/sidepanel.js`: UI controls and settings collection.
|
||||
|
||||
Important permissions include `tabs`, `webNavigation`, `webRequest`, `proxy`, `debugger`, `cookies`, `browsingData`, `storage`, `scripting`, `activeTab`, and `<all_urls>` host access.
|
||||
|
||||
## Normal OAuth Flow Steps
|
||||
|
||||
**BOSS correction / manual-flow allowance:** if BOSS asks only to test whether ordinary registration works, do not over-focus on running the original extension as the automation engine. It is acceptable to follow the extension's normal-flow sequence manually through visible Chrome, CDP, and `mail-cli`. The extension should be treated as a process reference unless BOSS explicitly asks to use it. Still keep all checkpoints: stop for CAPTCHA/Cloudflare/security challenge/phone/payment, and do not proceed to OAuth until email verification succeeds.
|
||||
|
||||
Normal mode step definitions:
|
||||
|
||||
1. `open-chatgpt` — clear ChatGPT/OpenAI cookies and open ChatGPT.
|
||||
2. `submit-signup-email` — enter email or phone registration identity.
|
||||
3. `fill-password` — generate/use password and submit.
|
||||
4. `fetch-signup-code` — fetch registration verification code from mailbox/SMS.
|
||||
5. `fill-profile` — generate and submit name + birthday.
|
||||
6. `wait-registration-success` — wait for registration to stabilize.
|
||||
7. `oauth-login` — refresh OAuth URL from selected target and log in.
|
||||
8. `fetch-login-code` — fetch login verification code if needed.
|
||||
9. `confirm-oauth` — click OAuth consent / Continue and capture localhost callback.
|
||||
10. `platform-verify` — submit callback/code/state to SUB2API, Codex2API, or CPA.
|
||||
|
||||
### ClawEmail random suffix policy
|
||||
|
||||
BOSS specifically prefers Codex onboarding sub-mailboxes to use **only an 8-letter lowercase English random create prefix** after the primary mailbox dot, e.g. `chickliu.ktqcxzux@claw.163.com`. Do not use `cod`/`codex` plus 8 letters unless BOSS asks; the live ClawEmail API only accepted create prefixes up to 11 characters and rejected dots/hyphens during probing. See `clawemail-operations` reference `references/clawemail-prefix-probe-2026-05.md` and this skill's `references/clawemail-random-suffix-policy-2026-05.md`.
|
||||
|
||||
|
||||
```bash
|
||||
FIVE_SIM_API_KEY=
|
||||
FIVE_SIM_BASE_URL=https://5sim.net/v1
|
||||
FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia
|
||||
FIVE_SIM_OPERATOR=any
|
||||
FIVE_SIM_PRODUCT=openai
|
||||
FIVE_SIM_SERVICE=openai
|
||||
```
|
||||
|
||||
## Plus Flow Steps
|
||||
|
||||
When `PLUS_MODE_ENABLED=true`, the extension switches step definitions.
|
||||
|
||||
PayPal Plus path:
|
||||
|
||||
1-5. same registration steps.
|
||||
6. `plus-checkout-create` — create Plus Checkout.
|
||||
7. `plus-checkout-billing` — fill billing and submit order.
|
||||
8. `paypal-approve` — PayPal login/approval.
|
||||
9. `plus-checkout-return` — confirm return.
|
||||
10. `oauth-login`.
|
||||
11. `fetch-login-code`.
|
||||
12. `confirm-oauth`.
|
||||
13. `platform-verify`.
|
||||
|
||||
GoPay/GPC helper paths use similar Plus step positions, with payment-specific logic in `background/steps/create-plus-checkout.js`, `fill-plus-checkout.js`, `gopay-*`, and helper API settings.
|
||||
|
||||
## Applying Settings in the Extension
|
||||
|
||||
The sidepanel normally sends settings through `SAVE_SETTING`; the background persists keys in `chrome.storage.local` via `PERSISTED_SETTING_KEYS`.
|
||||
|
||||
Manual UI route:
|
||||
|
||||
1. Open isolated Chrome profile with extension loaded.
|
||||
2. Open the extension side panel.
|
||||
3. Set `panelMode` according to `OAUTH_TARGET_MODE`:
|
||||
- `sub2api` → fill SUB2API URL/email/password/group/proxy/priority.
|
||||
- `codex2api` → fill Codex2API URL/Admin Key.
|
||||
- `cpa` → fill CPA URL and management key.
|
||||
4. Set registration email to ClawEmail mailbox.
|
||||
5. Enable Plus mode only if requested.
|
||||
6. Select `gpc-helper` / GoPay settings when using GoPay/GPC.
|
||||
7. Configure proxy mode if the extension manages proxy; otherwise rely on browser launch proxy.
|
||||
8. Save settings.
|
||||
9. Start manual steps or Auto Run with `RUN_COUNT=1`.
|
||||
|
||||
Programmatic route, if writing a helper script:
|
||||
|
||||
- Prefer controlling the sidepanel UI or sending extension runtime messages from the extension context.
|
||||
- Do not inject secrets into shell command lines where they will remain in history/process listings.
|
||||
- Keep settings source in `~/.hermes/env/codex_oauth_onboarding.env`.
|
||||
|
||||
## Execution Checklist
|
||||
|
||||
1. Load this skill and `clawemail-operations`.
|
||||
2. Read `~/.hermes/env/codex_oauth_onboarding.env` locally; validate required fields for the selected target.
|
||||
3. Confirm payment/Plus intent if `PLUS_MODE_ENABLED=true`.
|
||||
4. Verify ClawEmail auth and selected mailbox.
|
||||
5. Confirm extension repo exists and tests pass if the checkout changed.
|
||||
6. Start a dedicated proxied browser profile with the unpacked extension.
|
||||
7. Open sidepanel and apply settings.
|
||||
8. Start one run.
|
||||
9. Monitor logs for:
|
||||
- registration email submitted
|
||||
- signup verification code fetched
|
||||
- profile completed
|
||||
- Plus checkout/payment status, if enabled
|
||||
- OAuth URL refreshed
|
||||
- login code fetched, if required
|
||||
- localhost callback captured
|
||||
- platform verification succeeded
|
||||
10. If security challenge/CAPTCHA/phone/payment confirmation appears, pause and notify BOSS.
|
||||
11. After success, verify target platform has the new authorized account/session.
|
||||
12. Redact secrets and callback codes in the final report.
|
||||
|
||||
## Storage and Export Risk
|
||||
|
||||
The extension stores sensitive configuration in `chrome.storage.local`, including possible:
|
||||
|
||||
- CPA management key / password.
|
||||
- SUB2API password.
|
||||
- Codex2API admin key.
|
||||
- Proxy username/password/API URL.
|
||||
- Hotmail account passwords, `clientId`, `refreshToken`.
|
||||
- PayPal account pool credentials.
|
||||
- 2925 mailbox credentials.
|
||||
- LuckMail / HeroSMS / 5sim / NexSMS API keys.
|
||||
- Cloudflare Temp Email auth fields.
|
||||
|
||||
Runtime state goes mostly to `chrome.storage.session`, including generated email, password, codes, OAuth URL, localhost callback, and target session metadata.
|
||||
|
||||
The built-in export function exports `getPersistedSettings()` as JSON; this can include sensitive persistent settings. Treat every export as secret material.
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### Google Chrome stable may ignore `--load-extension`
|
||||
|
||||
On BOSS's macOS Chrome stable 147, verbose logs showed `--load-extension is not allowed in Google Chrome, ignoring.` In that case, `ps` still shows the flag but the extension card never appears. Do not keep relaunching the same way. Use the visible UI workaround: open `chrome://extensions`, enable Developer Mode, physically click **加载未打包的扩展程序**, choose the repo folder in the macOS picker, then verify the unpacked card is `ENABLED`. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md`.
|
||||
|
||||
### PassWall2/DNS split rules still polluted
|
||||
|
||||
After BOSS updates PassWall2/domain split rules, verify DNS takeover before relaunching the extension. Domain rules alone are not enough if macOS still resolves `chatgpt.com` / `accounts.openai.com` through ISP/local DNS.
|
||||
|
||||
Run:
|
||||
|
||||
```bash
|
||||
python3 - <<'PY'
|
||||
import socket
|
||||
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
|
||||
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
|
||||
PY
|
||||
scutil --dns | sed -n '1,120p'
|
||||
curl -I -L --max-time 20 https://chatgpt.com/
|
||||
```
|
||||
|
||||
If `chatgpt.com` resolves to suspicious non-Cloudflare ranges such as `199.59.150.40` / `202.160.128.16`, or `accounts.openai.com` resolves to `128.121.146.109` / `192.133.77.189` / `2001::80f2:f09b`, treat it as DNS pollution and stop before registration/OAuth. Ask BOSS to fix PassWall2 DNS takeover/remote DNS/fake-ip or redir-host. See `references/openai-chatgpt-browser-probe-2026-05-08.md`, `references/passwall2-openai-dns-pollution-2026-05-08.md`, and `references/openai-lan-proxy-endpoint-probe-2026-05-08.md` for browser/TLS/proxy endpoint failure patterns.
|
||||
|
||||
When BOSS provides a LAN proxy endpoint such as `socks5://192.168.2.8:1085` or `http://192.168.2.8:1084`, test the endpoint before launching Chrome:
|
||||
|
||||
```bash
|
||||
ping -c 2 -W 1000 192.168.2.8 || true
|
||||
nc -vz -w 5 192.168.2.8 1085 || true
|
||||
curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/
|
||||
```
|
||||
|
||||
Use `socks5h://` with `curl` so DNS resolution happens through the SOCKS proxy. If proxy TCP tests fail with `No route to host`, stop: this is a LAN/gateway/proxy reachability problem, not an OpenAI OAuth or extension problem.
|
||||
|
||||
### OpenAI/ChatGPT direct-connect preflight before launching Chrome
|
||||
|
||||
Before opening the visible Chrome registration flow, run a raw DNS/TLS preflight even if the rest of the environment looks healthy:
|
||||
|
||||
```bash
|
||||
python3 - <<'PY'
|
||||
import socket
|
||||
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
|
||||
try:
|
||||
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
|
||||
except Exception as e:
|
||||
print(host, 'ERR', e)
|
||||
PY
|
||||
curl -I -L --max-time 25 https://chatgpt.com/ | sed -n '1,30p'
|
||||
```
|
||||
|
||||
If `BROWSER_PROXY_SERVER` is empty and DNS/TLS shows known pollution or transport failure, **stop before launching the registration/OAuth flow**. Examples observed during BOSS's Codex2API + GoPay plan-A test:
|
||||
|
||||
- `chatgpt.com` resolving to non-Cloudflare/suspicious ranges such as `67.230.169.182` or odd IPv6 entries.
|
||||
- `accounts.openai.com` resolving to suspicious ranges such as `199.59.149.234` / `2001::...`.
|
||||
- `curl https://chatgpt.com/` failing with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`.
|
||||
|
||||
Treat this as an environment/proxy/DNS problem, not an extension, ClawEmail, Codex2API, or account problem. Ask BOSS to fill a reachable `BROWSER_PROXY_SERVER=socks5://host:port` or `http://host:port`, then re-run proxy TCP/exit-IP/ChatGPT checks before starting Chrome. This avoids burning a registration attempt on a flow that will almost certainly stall on OpenAI auth.
|
||||
|
||||
|
||||
|
||||
```bash
|
||||
PROXY='socks5h://192.168.2.8:1085'
|
||||
nc -vz -w 3 192.168.2.8 1085 || true
|
||||
curl --proxy "$PROXY" -I -L --max-time 25 https://chatgpt.com/ 2>&1 | sed -n '1,80p'
|
||||
curl --proxy "$PROXY" --max-time 15 https://api.ipify.org 2>&1 || true
|
||||
route -n get 192.168.2.8 2>/dev/null || true
|
||||
arp -n 192.168.2.8 || true
|
||||
ping -c 3 -W 1000 192.168.2.8 || true
|
||||
```
|
||||
|
||||
If the Mac cannot reach the gateway/port (`No route to host`, `Couldn't connect to server`, ping loss), report this as a local gateway/port problem rather than continuing OAuth or extension tests. See `references/passwall2-socks5-gateway-reachability-2026-05-08.md` for the session example.
|
||||
|
||||
### Extension launch appears successful but `chrome://extensions` is empty
|
||||
|
||||
Chrome/CDP can mislead in multi-profile sessions. A process may show `--load-extension`, and CDP may even transiently show a `chrome-extension://.../service_worker.js` target, while the intended unpacked extension is not actually visible or registered in the isolated profile.
|
||||
|
||||
Before starting OpenAI registration, verify the intended automation extension with stronger evidence:
|
||||
|
||||
- `chrome://extensions/` visibly shows the `codex-oauth-automation-extension` unpacked card; or
|
||||
- `Default/Preferences` has an `extensions.settings` entry whose manifest/path match the intended repo; or
|
||||
- the intended extension page/sidepanel opens and renders expected UI; or
|
||||
- an extension-context runtime call reads the expected manifest/state.
|
||||
|
||||
If `chrome://extensions` is empty and `extensions.settings` is empty, stop before registration. Report the block as **extension launch/registration failure before signup**, keep the ClawEmail record pending/failed according to whether signup was actually attempted, and avoid burning the mailbox on a manual unsupported flow. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md` for the observed Chrome 147 anomaly and debug checklist.
|
||||
|
||||
### OpenAI verification email does not arrive in ClawEmail
|
||||
|
||||
A 2026-05-09 ordinary-registration test reached OpenAI's normal `email-verification` page with two fresh ClawEmail sub-mailboxes, but no OpenAI code arrived in inbox or spam even after resend. Both sub-mailboxes passed a self-send receive test, so the block was classified as OpenAI/ClawEmail deliverability rather than browser, proxy, extension, CAPTCHA, or phone-verification failure. See `references/openai-clawemail-verification-nondelivery-2026-05-09.md`.
|
||||
|
||||
When this happens:
|
||||
|
||||
1. Confirm the exact email in the OpenAI page body via DOM, not OCR only.
|
||||
2. Poll the **sub-mailbox profile**, not just the default primary mailbox profile.
|
||||
3. Check inbox and spam.
|
||||
4. Send a self-test email to the sub-mailbox and verify it arrives.
|
||||
5. If self-test works but OpenAI mail still does not arrive after resend, stop and record `openai_email_verification` failure; try a primary ClawEmail mailbox or another provider next.
|
||||
|
||||
### Proxy not applied
|
||||
|
||||
- Visit an IP-check page in the isolated browser before starting.
|
||||
- If auth proxy fails, use a local forwarding proxy wrapper.
|
||||
- Do not put proxy passwords in final answers.
|
||||
|
||||
### ClawEmail code not found
|
||||
|
||||
- Verify the email address submitted in step 2 matches `CLAWEMAIL_UID` or the created sub-mailbox.
|
||||
- Use `mail-cli mail list --fid 1 --limit 20 --json` and inspect recent OpenAI messages.
|
||||
- Check spam/deleted folders if inbox is empty.
|
||||
|
||||
### OAuth callback not captured
|
||||
|
||||
- Step `confirm-oauth` listens for localhost callback via webNavigation/tabs updates.
|
||||
- Re-run the OAuth login/confirm steps only, not the full registration, unless the auth session is invalid.
|
||||
- Verify target mode settings and state value mismatch errors.
|
||||
|
||||
### Target verify fails
|
||||
|
||||
- For SUB2API, verify URL/email/password/group/priority/proxy fields.
|
||||
- For Codex2API, verify URL and admin key.
|
||||
- For CPA, verify management origin/key and callback endpoint support.
|
||||
- Do not print callback URL with `code=`; redact.
|
||||
|
||||
### Plus/GoPay fails
|
||||
|
||||
- Confirm Plus mode and payment method are correct.
|
||||
- Confirm GPC helper URL/card key/phone/PIN/OTP channel settings.
|
||||
- Stop before retrying paid operations repeatedly; ask BOSS.
|
||||
|
||||
See `references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md` for the session note covering the macOS TCC screenshot fix, LAN/SOCKS5 verification, and ordinary-registration prep sequence.
|
||||
|
||||
See `references/openai-clawemail-verification-nondelivery-2026-05-09.md` for the ordinary registration test where OpenAI reached the email-verification page for two ClawEmail submailboxes, but no OpenAI verification email arrived despite submailbox self-test delivery working.
|
||||
|
||||
See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md` for the phone-verification continuation where OpenAI `add-phone` required SMS, BOSS corrected that WhatsApp receive channels must not be used, and 5sim `activation/*/openai` orders plus visible country selection were identified as the right class of workflow.
|
||||
|
||||
See `references/openai-phone-verification-5sim-sms-2026-05-10.md` for the later detailed retry notes: follow configured country/default `vietnam`, cancel failed 5sim orders before buying new ones, treat OpenAI `无法向此电话号码发送验证码` as a number/provider rejection, and avoid CDP-only mutations that desync the React country selector back to `美国 (+1)`.
|
||||
|
||||
See `references/openai-add-phone-1083-vietnam-resend-2026-05-10.md` for the follow-up test requested by BOSS: switch browser proxy to `socks5://192.168.2.8:1083`, regenerate Codex2API OAuth URL from the origin API when the auth session expires, continue with configured-country `vietnam` SMS activation, and for non-rejected numbers poll 5sim then click `重新发送` before canceling/retrying.
|
||||
|
||||
## Verification Checklist
|
||||
|
||||
- [ ] Config file exists at `~/.hermes/env/codex_oauth_onboarding.env` with mode-specific fields.
|
||||
- [ ] ClawEmail auth passes.
|
||||
- [ ] Isolated browser profile is not the normal personal profile.
|
||||
- [ ] Browser exit IP matches intended proxy.
|
||||
- [ ] Extension is loaded and sidepanel opens.
|
||||
- [ ] Only one target mode is active.
|
||||
- [ ] Plus payment was explicitly approved if enabled.
|
||||
- [ ] Target platform shows the OAuth account/session after verification.
|
||||
- [ ] Final report redacts all secrets, callback codes, passwords, API keys, and proxy credentials.
|
||||
@@ -0,0 +1,128 @@
|
||||
# Chrome 147 unpacked extension loading anomaly (2026-05-09)
|
||||
|
||||
## Context
|
||||
|
||||
During a Codex OAuth ordinary-account test run, the flow stopped before registration because the isolated visible Google Chrome profile did not reliably expose the unpacked automation extension.
|
||||
|
||||
Environment observed:
|
||||
|
||||
- Chrome stable: `Chrome/147.0.7727.139`
|
||||
- Browser binary: `/Applications/Google Chrome.app/Contents/MacOS/Google Chrome`
|
||||
- Isolated profile root: `/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth`
|
||||
- Remote debugging: `127.0.0.1:9223` / test `9224`
|
||||
- Automation extension repo: `/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension`
|
||||
- Browser proxy used for the actual run: `socks5://192.168.2.8:1085`
|
||||
|
||||
Launch flags used for the working profile included:
|
||||
|
||||
```bash
|
||||
--user-data-dir=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth/20260509-192515-working
|
||||
--remote-debugging-port=9223
|
||||
--enable-extensions
|
||||
--disable-extensions-except=/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
|
||||
--load-extension=/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
|
||||
--proxy-server=socks5://192.168.2.8:1085
|
||||
--no-first-run
|
||||
--no-default-browser-check
|
||||
--new-window https://api.ipify.org?format=json
|
||||
```
|
||||
|
||||
## Symptoms
|
||||
|
||||
- Chrome process and CDP port started correctly.
|
||||
- Process args showed `--load-extension` and `--disable-extensions-except` exactly as expected.
|
||||
- CDP `/json/version` worked.
|
||||
- CDP `/json` only showed regular pages such as `https://api.ipify.org/?format=json`.
|
||||
- Opening `chrome://extensions/` via CDP `PUT /json/new?...` worked, but the page was empty.
|
||||
- `Default/Preferences` existed, but `extensions.settings` was `{}` / empty.
|
||||
- Visual screenshot confirmed `chrome://extensions` displayed no `codex-oauth-automation-extension` card and no visible extension error.
|
||||
- Chrome stderr had updater/GCM/GPU noise but no clear manifest error.
|
||||
|
||||
A retry/minimal-extension probe showed confusing behavior:
|
||||
|
||||
- A trivial unpacked MV3 extension under `/tmp/hermes-test-extension` was launched with the same style of `--load-extension` flags on port `9224`.
|
||||
- CDP at one point listed `service_worker | chrome-extension://fignfifoniblkonapihmkfakmlgkbkcf/service_worker.js`, matching the prior automation extension ID, even when the current test was a different minimal extension.
|
||||
- `chrome://extensions/` still displayed no extension cards.
|
||||
- `Default/Preferences` `extensions.settings` could still be empty even while transient extension-related targets appeared.
|
||||
|
||||
## Confirmed root cause: Google Chrome stable blocks the flag
|
||||
|
||||
Verbose Chrome logging later produced the decisive line:
|
||||
|
||||
```text
|
||||
--load-extension is not allowed in Google Chrome, ignoring.
|
||||
```
|
||||
|
||||
This means that on this BOSS macOS setup, Chrome stable 147 can show the `--load-extension` argument in `ps`, but still intentionally ignore it. This affected both the real automation extension and a minimal MV3 test extension, proving it was not a manifest/repo problem.
|
||||
|
||||
### Working workaround: visible UI load-unpacked
|
||||
|
||||
Use the real visible Chrome UI instead of the command-line flag:
|
||||
|
||||
1. Launch the isolated proxied Chrome profile **without relying on** `--load-extension`:
|
||||
|
||||
```bash
|
||||
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
|
||||
--user-data-dir="$PROFILE_DIR" \
|
||||
--remote-debugging-port=9223 \
|
||||
--proxy-server="$BROWSER_PROXY_SERVER" \
|
||||
--no-first-run \
|
||||
--no-default-browser-check \
|
||||
--new-window chrome://extensions/
|
||||
```
|
||||
|
||||
2. Open `chrome://extensions/` via visible UI or CDP `PUT /json/new?chrome%3A%2F%2Fextensions%2F` if Chrome landed on a new-tab page.
|
||||
3. Enable Developer Mode. CDP from the `chrome://extensions` page can do this:
|
||||
|
||||
```js
|
||||
chrome.developerPrivate.updateProfileConfiguration({ inDeveloperMode: true })
|
||||
```
|
||||
|
||||
4. Physically click **加载未打包的扩展程序** in the visible Chrome window. A DOM `btn.click()` may not open the native file picker; `cliclick` physical coordinates did.
|
||||
5. In the macOS “选择扩展程序目录” dialog, use `Cmd+Shift+G`, paste the extension repo path, press Enter, then press Enter/选择.
|
||||
6. Verify `chrome://extensions` shows the card:
|
||||
- name `codex-oauth-automation-extension`
|
||||
- location `UNPACKED`
|
||||
- state `ENABLED`
|
||||
- service worker `chrome-extension://<id>/background.js`
|
||||
- no manifest/runtime errors
|
||||
|
||||
Observed successful extension ID for the 2026-05-09 run: `inebnmemmodcfoejiofegbeckbmjdlil`.
|
||||
|
||||
## Suggested next debug steps
|
||||
|
||||
1. Confirm no old profile owns the CDP port:
|
||||
|
||||
```bash
|
||||
lsof -nP -iTCP:9223 -sTCP:LISTEN || true
|
||||
ps auxww | grep -F '/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth/' | grep -v grep || true
|
||||
```
|
||||
|
||||
2. Kill only exact isolated profile processes; do not kill BOSS's normal Chrome unless explicitly approved.
|
||||
|
||||
```bash
|
||||
pkill -f '/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth/<profile-name>' || true
|
||||
```
|
||||
|
||||
3. Launch a clean profile and verify with all three channels: CDP targets, Preferences, and screenshot of `chrome://extensions/`.
|
||||
|
||||
4. If Chrome stable continues hiding/ignoring unpacked extensions, check for policy restrictions and extension developer-mode behavior:
|
||||
|
||||
```bash
|
||||
chrome://policy
|
||||
# or inspect policy files / managed preferences if present
|
||||
```
|
||||
|
||||
5. Consider a controlled comparison with another local Chrome/Chromium build only after preserving the requirement that the registration itself runs in a real visible browser and with the intended proxy.
|
||||
|
||||
## User-facing reporting guidance
|
||||
|
||||
When this happens, report clearly that the run is blocked **before registration**, not on OpenAI signup itself. Include:
|
||||
|
||||
- browser/profile launched: yes/no
|
||||
- proxy applied: yes/no
|
||||
- extension visible/registered: yes/no
|
||||
- registration started: no
|
||||
- mailbox status remains pending unless a signup was actually attempted
|
||||
|
||||
Avoid overclaiming that the extension loaded based only on a sleeping/transient service worker target.
|
||||
@@ -0,0 +1,62 @@
|
||||
# ClawEmail Prefix Probe Notes — 2026-05
|
||||
|
||||
Context: During Codex OAuth registration testing for BOSS, we needed fresh ClawEmail sub-mailboxes and discovered live API constraints stricter than public docs.
|
||||
|
||||
## Official/public expectation
|
||||
|
||||
Docs/help say `mail-cli clawemail create --prefix <prefix> --type sub` accepts 1-64 characters and examples mention `bot1`, `bot.v1`, `my-agent`, `support`.
|
||||
|
||||
## Live observed behavior
|
||||
|
||||
Using BOSS's primary `chickliu@claw.163.com`, successful sub-mailbox shape is:
|
||||
|
||||
```text
|
||||
chickliu.<prefix>@claw.163.com
|
||||
```
|
||||
|
||||
Probed prefixes were created and immediately deleted when successful.
|
||||
|
||||
Accepted examples:
|
||||
|
||||
- `a`, `ab`, `abc`, `bot`, `bot1`, `test`, `codex`, `oauth`
|
||||
- `codexabcdef` (11 chars) accepted
|
||||
- random lowercase lengths 1-11 accepted
|
||||
- digit suffix examples like `codex12345` accepted
|
||||
|
||||
Rejected examples:
|
||||
|
||||
- length 12+ such as `codexabcdefg`, `xxxxxxxxxxxx`
|
||||
- dot/hyphen examples: `a.b`, `bot.v1`, `my-agent`, `abc.def`
|
||||
|
||||
Observed practical rule:
|
||||
|
||||
```text
|
||||
^[A-Za-z0-9]{1,11}$
|
||||
```
|
||||
|
||||
## BOSS preference for Codex/OAuth runs
|
||||
|
||||
BOSS corrected the desired mailbox shape: after the dot, use **only 8 lowercase English random letters**, with no `cod`/`codex` fixed prefix.
|
||||
|
||||
Example:
|
||||
|
||||
```text
|
||||
chickliu.ktqcxzux@claw.163.com
|
||||
```
|
||||
|
||||
Env policy used locally:
|
||||
|
||||
```text
|
||||
CLAWEMAIL_PREFIX=
|
||||
CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8
|
||||
CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz
|
||||
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
|
||||
```
|
||||
|
||||
When a helper does not support empty base prefix + suffix policy, generate the full 8-letter create prefix yourself and pass it directly:
|
||||
|
||||
```bash
|
||||
mail-cli clawemail create --prefix "$RANDOM_8_LOWERCASE" --type sub --display-name "Codex OAuth $RANDOM_8_LOWERCASE" --json
|
||||
```
|
||||
|
||||
Record every created mailbox in the local JSONL record file with status `pending`, then update to `success`, `failed_*`, or `deleted_replaced`.
|
||||
@@ -0,0 +1,49 @@
|
||||
# Codex onboarding ClawEmail random suffix policy — 2026-05-08
|
||||
|
||||
BOSS corrected the mailbox policy during a Codex OAuth registration test:
|
||||
|
||||
- Use **only 8 lowercase English random letters** as the ClawEmail create prefix.
|
||||
- Do not prepend `cod`, `codex`, or another business marker unless explicitly requested.
|
||||
- Desired visible mailbox shape:
|
||||
|
||||
```text
|
||||
chickliu.<8 lowercase random letters>@claw.163.com
|
||||
```
|
||||
|
||||
Example created successfully in-session:
|
||||
|
||||
```text
|
||||
chickliu.ktqcxzux@claw.163.com
|
||||
```
|
||||
|
||||
## Why not `codex` + 8 letters?
|
||||
|
||||
The live ClawEmail Open API rejected create prefixes of length 12+ with `OPEN_API_1003 prefix format is invalid`, despite public docs/help saying 1-64 characters. The real accepted maximum observed was 11 characters. Since `codex` + 8 letters is 13 characters, it fails.
|
||||
|
||||
A temporary `cod` + 8-letter scheme created `chickliu.coddwrkviby@claw.163.com`, but BOSS clarified they want the dot-suffix itself to be only the 8 random letters. That temporary mailbox was deleted and replaced.
|
||||
|
||||
## Env policy
|
||||
|
||||
For this workflow, use:
|
||||
|
||||
```bash
|
||||
CLAWEMAIL_PREFIX=
|
||||
CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8
|
||||
CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz
|
||||
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
|
||||
```
|
||||
|
||||
If helper scripts do not support these fields, generate the prefix directly in the runner:
|
||||
|
||||
```python
|
||||
import random, string
|
||||
prefix = ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
|
||||
```
|
||||
|
||||
Then call:
|
||||
|
||||
```bash
|
||||
mail-cli clawemail create --prefix "$prefix" --type sub --display-name "Codex OAuth $prefix" --json
|
||||
```
|
||||
|
||||
Record created mailboxes in the configured `CLAWEMAIL_RECORD_FILE`, mark them `pending`, and update to `deleted_replaced`, `success`, or `failed` as the run proceeds.
|
||||
@@ -0,0 +1,57 @@
|
||||
# Codex OAuth env handling notes
|
||||
|
||||
Session-derived operational notes for `codex-oauth-plus-onboarding`.
|
||||
|
||||
## Sensitive template cleanup workflow
|
||||
|
||||
If BOSS temporarily writes real values into the skill template at:
|
||||
|
||||
```text
|
||||
~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example
|
||||
```
|
||||
|
||||
use this sequence:
|
||||
|
||||
1. Copy the current template to the real local env file:
|
||||
```bash
|
||||
mkdir -p ~/.hermes/env
|
||||
chmod 700 ~/.hermes/env
|
||||
cp -p ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example \
|
||||
~/.hermes/env/codex_oauth_onboarding.env
|
||||
chmod 600 ~/.hermes/env/codex_oauth_onboarding.env
|
||||
```
|
||||
2. Back up the original filled template to a private workspace backup before sanitizing:
|
||||
```bash
|
||||
TS=$(date '+%Y%m%d_%H%M%S')
|
||||
mkdir -p ~/.Hermes/workspace/codex-oauth/env-backups
|
||||
cp -p ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example \
|
||||
~/.Hermes/workspace/codex-oauth/env-backups/codex_oauth_onboarding.env.example.with-values_$TS
|
||||
chmod 600 ~/.Hermes/workspace/codex-oauth/env-backups/codex_oauth_onboarding.env.example.with-values_$TS
|
||||
```
|
||||
3. Sanitize the template back to placeholders/defaults. Remove real target URLs, API keys, passwords, proxy server, phone numbers, ClawEmail UID, and account password. Keep only safe defaults such as Chrome path, browser profile root, booleans/timeouts, record-file paths, and example comments.
|
||||
4. Verify no obvious sensitive residues remain:
|
||||
```bash
|
||||
grep -nE '\*\*\*|\.\.\.|=[0-9]+\||chickliu|135601|192\.168\.2\.|socks5://[^h]|eyJhbGci|admin|password|token|key' \
|
||||
~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example || true
|
||||
```
|
||||
Review matches manually; example comments like `socks5://host:port` are OK.
|
||||
|
||||
## 5sim field mapping
|
||||
|
||||
When BOSS provides 5sim config in JSON/camelCase form, map it into env keys as:
|
||||
|
||||
```bash
|
||||
fiveSimApiKey -> FIVE_SIM_API_KEY
|
||||
fiveSimBaseUrl -> FIVE_SIM_BASE_URL
|
||||
fiveSimCountryOrder -> FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia
|
||||
fiveSimOperator -> FIVE_SIM_OPERATOR=any
|
||||
fiveSimProduct -> FIVE_SIM_PRODUCT=openai
|
||||
```
|
||||
|
||||
For compatibility with older extension naming, also set:
|
||||
|
||||
```bash
|
||||
FIVE_SIM_SERVICE=openai
|
||||
```
|
||||
|
||||
Do not echo the full JWT/API key in final replies; show only `[REDACTED]` or a short prefix/suffix if verification needs it.
|
||||
@@ -0,0 +1,66 @@
|
||||
# 2026-05-09 macOS screenshot and registration-test notes
|
||||
|
||||
## Visible-window screenshot fix
|
||||
|
||||
During a Screen Sharing / screenshot debugging session, `screencapture` initially produced valid PNG files that contained only wallpaper and the menu bar even though Chrome was frontmost. `stat -f '%Su' /dev/console` returned `root`, but `scutil <<< 'show State:/Users/ConsoleUser'` showed the real GUI session was `chick` and on-console.
|
||||
|
||||
Useful diagnostic sequence:
|
||||
|
||||
```bash
|
||||
stat -f '%Su' /dev/console 2>/dev/null || true
|
||||
scutil <<< 'show State:/Users/ConsoleUser' 2>/dev/null | sed -n '1,40p' || true
|
||||
osascript -e 'tell application "System Events" to get name of first application process whose frontmost is true' 2>&1 || true
|
||||
osascript -e 'tell application "System Events" to get name of every application process whose visible is true' 2>&1 || true
|
||||
log show --last 5m --style compact \
|
||||
--predicate 'process == "tccd" AND (eventMessage CONTAINS[c] "Accessibility" OR eventMessage CONTAINS[c] "ScreenCapture" OR eventMessage CONTAINS[c] "osascript" OR eventMessage CONTAINS[c] "python")' \
|
||||
2>/dev/null | tail -120
|
||||
```
|
||||
|
||||
Key log signal: TCC attributed denied Accessibility/ScreenCapture requests to Hermes gateway's responsible Homebrew Python, not just Terminal or osascript:
|
||||
|
||||
```text
|
||||
/Users/chick/homebrew/Cellar/python@3.11/3.11.15/Frameworks/Python.framework/Versions/3.11/bin/python3.11
|
||||
/Users/chick/homebrew/Cellar/python@3.11/3.11.15/Frameworks/Python.framework/Versions/3.11/Resources/Python.app
|
||||
```
|
||||
|
||||
Grant **Accessibility** and **Screen Recording / 录屏与系统录音** to those paths. After grant, validation showed:
|
||||
|
||||
```text
|
||||
System Settings
|
||||
Terminal windows=0
|
||||
Finder windows=0
|
||||
Google Chrome windows=1
|
||||
System Settings windows=1
|
||||
```
|
||||
|
||||
A full `screencapture` then included Chrome, System Settings, Dock, menu bar, and notifications. A cropped window capture using AppleScript bounds also worked.
|
||||
|
||||
## LAN and SOCKS5 checks before registration
|
||||
|
||||
After Screen Sharing reset and permissions fix, these checks passed:
|
||||
|
||||
- `192.168.2.1`: ping OK; ports 80/443 open; visible Chrome loaded iKuai login page at `192.168.2.1/login#/login`.
|
||||
- `socks5://192.168.2.8:1085`: ping/TCP OK; `curl -x socks5h://192.168.2.8:1085 https://www.google.com/generate_204` returned HTTP 204; proxy exit IP was `54.65.165.232`.
|
||||
|
||||
For BOSS's Codex OAuth registration tests, if the env proxy field is empty after this check, set:
|
||||
|
||||
```bash
|
||||
BROWSER_PROXY_SERVER=socks5://192.168.2.8:1085
|
||||
```
|
||||
|
||||
Then verify with:
|
||||
|
||||
```bash
|
||||
curl -x socks5h://192.168.2.8:1085 -sS --connect-timeout 8 --max-time 15 https://api.ipify.org
|
||||
```
|
||||
|
||||
## Ordinary registration test setup
|
||||
|
||||
When BOSS asked to skip Plus and register a normal account:
|
||||
|
||||
- Set `PLUS_MODE_ENABLED=false`.
|
||||
- Keep target `PANEL_MODE=codex2api`.
|
||||
- Verify target `http://192.168.2.62:7878/admin/accounts` returned HTTP 200.
|
||||
- Create ClawEmail sub-mailbox using exactly 8 lowercase letters, e.g. `chickliu.zlajiqjc@claw.163.com`.
|
||||
- Append a `pending` record to `/Users/chick/.Hermes/workspace/codex-oauth/run-records/clawemail_accounts.jsonl`.
|
||||
- Stop and wait for BOSS to say “继续” before launching the visible browser flow.
|
||||
@@ -0,0 +1,67 @@
|
||||
# OpenAI add-phone: 1083 proxy + 5sim Vietnam SMS retry/resend notes (2026-05-10)
|
||||
|
||||
Context: during Codex2API OAuth for a freshly registered ClawEmail-backed ChatGPT account, OpenAI required `add-phone`. BOSS suggested switching browser proxy from `socks5://192.168.2.8:1085` to `socks5://192.168.2.8:1083` because phone rejection might be proxy-node related.
|
||||
|
||||
## Proxy switch observations
|
||||
|
||||
- Updated local env `BROWSER_PROXY_SERVER=socks5://192.168.2.8:1083`.
|
||||
- `1083` TCP was reachable and `curl --proxy socks5h://192.168.2.8:1083 https://api.ipify.org` showed exit IP `43.207.194.18`.
|
||||
- `curl` to ChatGPT via `1083` returned Cloudflare `HTTP 403` with `cf-mitigated: challenge`, but visible Chrome did not show a challenge during the tested OAuth flow.
|
||||
- Restarting the isolated Chrome profile with `1083` invalidated the OpenAI auth session (`你的会话已结束`). Re-open the Codex2API OAuth URL and repeat email login rather than trying to continue the old `add-phone` URL.
|
||||
- If `CODEX2API_URL` points at an admin page such as `/admin/accounts`, strip it to origin before API calls. Correct URL pattern observed:
|
||||
- `POST http://192.168.2.62:7878/api/admin/oauth/generate-auth-url`
|
||||
- header: `X-Admin-Key: [REDACTED]`
|
||||
- returns `auth_url` and `session_id`.
|
||||
|
||||
## Email re-login after proxy switch
|
||||
|
||||
After reopening OAuth under `1083`, OpenAI showed `auth.openai.com/log-in`. Submit the current ClawEmail sub-mailbox, poll `mail-cli --profile codex-current mail list --fid 1 --limit 30 --json`, choose the newest OpenAI code by date (not list order), and fill it. This returned to `https://auth.openai.com/add-phone`.
|
||||
|
||||
## 5sim country/provider rules confirmed
|
||||
|
||||
- Use SMS activation, not WhatsApp:
|
||||
- `/v1/user/buy/activation/{country}/{operator}/openai`
|
||||
- `/v1/user/check/{activationId}`
|
||||
- Follow configured `FIVE_SIM_COUNTRY_ID` first. If empty, original extension default is `vietnam`.
|
||||
- Current config had `FIVE_SIM_COUNTRY_ID=` empty, so all retries used `vietnam` with `operator=any`.
|
||||
- Before every purchase/submission, verify OpenAI country selector is visibly `越南 (+84)`. If it is `美国 (+1)`, select Vietnam through the visible dropdown first. CDP-only input/country mutations can desync React state and cause invalid parsing.
|
||||
|
||||
## Retry policy learned
|
||||
|
||||
Use two distinct branches:
|
||||
|
||||
1. If OpenAI returns `无法向此电话号码发送验证码。请稍后重试或使用其他号码。` immediately:
|
||||
- Treat as provider/number rejection.
|
||||
- Cancel the 5sim activation.
|
||||
- Buy a new number in the configured country.
|
||||
2. If the number is not immediately rejected:
|
||||
- Keep the activation.
|
||||
- Poll 5sim for SMS.
|
||||
- If no SMS arrives, try page `重新发送` before canceling.
|
||||
- Poll again after resend. BOSS explicitly requested using resend for non-rejected numbers.
|
||||
|
||||
Observed on `1083` + Vietnam:
|
||||
|
||||
- Multiple Vietnam numbers were directly rejected.
|
||||
- Some numbers were not immediately rejected, but no SMS arrived in 5sim after repeated polling and attempted resend.
|
||||
- After canceling a non-rejected activation, OpenAI may navigate/settle to `电子邮件地址已验证` at `auth.openai.com/email-verification`. To continue, re-open the current Codex2API OAuth URL and repeat email login to get back to `add-phone`.
|
||||
|
||||
## Practical implementation notes
|
||||
|
||||
- Cancel any active/rejected 5sim order before buying the next number to avoid cost leakage.
|
||||
- Use visible Chrome/UI clicks for country selection and phone submission; do not rely solely on DOM mutation.
|
||||
- Button coordinates from the tested macOS/Chrome layout:
|
||||
- country dropdown around `(622,496)`
|
||||
- phone input around `(622,561)`
|
||||
- continue button around `(622,636)`
|
||||
- Vietnam row after paging down around `(620,1173)`
|
||||
- After direct submit, inspect page text for:
|
||||
- direct rejection string: `无法向此电话号码发送验证码`
|
||||
- invalid country/number parsing: `电话号码无效`
|
||||
- SMS wait/code page or absence of rejection.
|
||||
- The previous automation tried 5 configured-country numbers before resend logic and then additional numbers with resend logic. Vietnam pool remained unreliable.
|
||||
|
||||
## Safety / reporting
|
||||
|
||||
- Redact phone numbers, 5sim API key, Codex2API admin key, OAuth callback URL/code, and account password.
|
||||
- It is OK to report activation IDs and masked phone prefixes/suffixes if useful for debugging.
|
||||
@@ -0,0 +1,53 @@
|
||||
# OpenAI add-phone with 5sim SMS activation — 2026-05-10
|
||||
|
||||
## Context
|
||||
During a manual ChatGPT/Codex OAuth onboarding run, ClawEmail verification succeeded and the OpenAI/Codex OAuth flow reached `https://auth.openai.com/add-phone`.
|
||||
|
||||
Important correction from BOSS: **phone verification must use SMS activation, not WhatsApp receive channels**.
|
||||
|
||||
## Original extension behavior confirmed
|
||||
The repo's provider `phone-sms/providers/five-sim.js` uses 5sim **activation** orders:
|
||||
|
||||
- Provider: `5sim`
|
||||
- Product/service: `openai`
|
||||
- Operator: `any` by default
|
||||
- Default country: `vietnam`
|
||||
- API pattern:
|
||||
- Buy: `/v1/user/buy/activation/{country}/{operator}/openai`
|
||||
- Poll: `/v1/user/check/{activationId}`
|
||||
- Finish: `/v1/user/finish/{activationId}`
|
||||
- Cancel: `/v1/user/cancel/{activationId}`
|
||||
- Ban: `/v1/user/ban/{activationId}`
|
||||
- Extract SMS code from latest `sms[].code` or digits in `sms[].text`.
|
||||
|
||||
This is a normal SMS OTP workflow, not WhatsApp.
|
||||
|
||||
## Observed OpenAI behavior
|
||||
OpenAI add-phone page may reject some 5sim SMS numbers immediately after submission:
|
||||
|
||||
- Vietnam `+84` 5sim `openai` activation: OpenAI displayed `无法向此电话号码发送验证码。请稍后重试或使用其他号码。`
|
||||
- USA `+1` 5sim `openai` activation: same rejection.
|
||||
- Indonesia `+62` activation: DOM-level country selection was reverted by the page back to USA, so the number was parsed as `+1` and became invalid.
|
||||
|
||||
## Automation pitfall
|
||||
The OpenAI country selector on `add-phone` can appear as a `select`, but setting it via JS/CDP may be reverted by the app state. For non-default countries, prefer **visible UI automation** (click dropdown/search/select country) rather than just `select.value=...`.
|
||||
|
||||
If the page defaults to USA `+1`, using a USA activation avoids country-selector mismatch, but OpenAI may still reject the virtual number.
|
||||
|
||||
## Recommended retry strategy
|
||||
1. Follow the configured 5sim country first. If `FIVE_SIM_COUNTRY_ID` is empty, the original extension default is `vietnam`; do **not** silently switch countries just because some numbers are rejected.
|
||||
2. Before buying or submitting another non-USA number, stabilize and verify the OpenAI page country selector first. Use visible UI automation to select the country and then confirm via CDP that the visible country button is the expected country (for example `越南 (+84)`). If the page has reverted to `美国 (+1)`, do not buy/submit a Vietnam number; fix the selector first to avoid wasting activations.
|
||||
3. Submit the local number without the country code only after the page country is verified.
|
||||
4. If OpenAI rejects the number before SMS is sent (`无法向此电话号码发送验证码` / invalid phone), cancel the activation immediately via `/v1/user/cancel/{activationId}` and retry with a **new number in the same configured country**.
|
||||
5. Only switch countries when BOSS changes the config or explicitly approves a fallback-country attempt. Good fallback candidates from the original extension support matrix are `england`, `japan`, `germany`, and `thailand`; avoid changing to these automatically.
|
||||
6. Once OpenAI accepts and sends SMS, poll `/v1/user/check/{activationId}` until a 4–8 digit code appears.
|
||||
7. After successful verification, call `/v1/user/finish/{activationId}`.
|
||||
8. If timeout or wrong/rejected number, call `/v1/user/cancel/{activationId}` and continue according to the same configured-country policy.
|
||||
|
||||
## Session-specific pitfalls observed later
|
||||
- A batch retry script accidentally bought and submitted another Vietnam number after the page country had reverted to USA. The result was `电话号码无效` because the Vietnam number was parsed as `+1`, not because the Vietnam number had been genuinely tested. Future retries must check `country == expected` immediately before buying/submitting.
|
||||
- CDP `Runtime.evaluate` may time out after clicking submit while the page/network is busy; always re-query page state afterward before deciding whether the page advanced, rejected, or simply did not submit.
|
||||
- 5sim cancel can return HTTP 400 when the order is already non-cancellable or state changed; treat it as a status to report/check, not as proof a new SMS should be bought immediately.
|
||||
|
||||
## Sensitive handling
|
||||
Do not print or paste 5sim API keys, full phone numbers, OpenAI OAuth callback codes, Codex2API admin keys, or passwords. Mask phone numbers in logs/replies.
|
||||
@@ -0,0 +1,85 @@
|
||||
# OpenAI/ChatGPT Browser Probe Notes — 2026-05-08
|
||||
|
||||
Session-specific learning from testing the Codex OAuth automation browser path on BOSS's Mac.
|
||||
|
||||
## Symptoms observed
|
||||
|
||||
- `https://openai.com/` loaded successfully in a real visible Chrome profile.
|
||||
- `https://chatgpt.com/` failed before the registration/auth flow:
|
||||
- First failure in Chrome: `NET::ERR_CERT_COMMON_NAME_INVALID` / privacy error.
|
||||
- Relaunching Chrome with `--ignore-certificate-errors` bypassed the cert interstitial, but then failed with `ERR_CONNECTION_CLOSED`.
|
||||
- Terminal probe also failed: `curl -I -L https://chatgpt.com/` returned `LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to chatgpt.com:443`.
|
||||
- `https://openai.com/` via curl returned Cloudflare challenge/403 in one probe, while the visible browser still rendered the OpenAI page.
|
||||
|
||||
## Interpretation
|
||||
|
||||
Treat this as a network/proxy/TLS path issue before treating it as an extension automation bug. If `chatgpt.com` cannot complete TLS/HTTP loading in the same environment, steps that open ChatGPT or OpenAI Auth will fail regardless of sidepanel settings.
|
||||
|
||||
## Probe sequence to reuse
|
||||
|
||||
1. Launch an isolated Chrome profile with remote debugging and the unpacked extension, but do not start registration yet:
|
||||
|
||||
```bash
|
||||
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
|
||||
--user-data-dir="$PROFILE_DIR" \
|
||||
--remote-debugging-port=9228 \
|
||||
--disable-extensions-except="$CODEX_OAUTH_EXTENSION_DIR" \
|
||||
--load-extension="$CODEX_OAUTH_EXTENSION_DIR" \
|
||||
--no-first-run \
|
||||
--no-default-browser-check \
|
||||
--new-window https://openai.com/
|
||||
```
|
||||
|
||||
2. Verify CDP is reachable:
|
||||
|
||||
```bash
|
||||
curl -s http://127.0.0.1:9228/json/version
|
||||
curl -s http://127.0.0.1:9228/json
|
||||
```
|
||||
|
||||
3. Check direct network path before blaming DOM automation:
|
||||
|
||||
```bash
|
||||
curl -I -L --max-time 15 https://chatgpt.com/
|
||||
curl -I -L --max-time 15 https://openai.com/
|
||||
```
|
||||
|
||||
4. If Chrome shows `NET::ERR_CERT_COMMON_NAME_INVALID` for `chatgpt.com`, pause the OAuth run and fix proxy/TLS/mitm path first. `--ignore-certificate-errors` can be used only as a diagnostic; it is not a real fix because the next failure may still be `ERR_CONNECTION_CLOSED`.
|
||||
|
||||
## PassWall2 DNS/prerequisite follow-up
|
||||
|
||||
After BOSS updated PassWall2 AI split rules, the browser path was still blocked because DNS was not cleanly taken over by remote/proxied DNS:
|
||||
|
||||
- `curl -I -L --max-time 20 https://chatgpt.com/` still failed with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`.
|
||||
- Visible Chrome still ended on `chrome-error://chromewebdata/` with `ERR_CONNECTION_CLOSED`, and stderr continued to show `ssl_client_socket_impl.cc:924 ... net_error -100`.
|
||||
- macOS system resolver returned polluted/suspicious answers:
|
||||
- `chatgpt.com -> 199.59.150.40` plus IPv6 `2a03:2880:...` (Twitter/Facebook-looking ranges, not expected Cloudflare/OpenAI path)
|
||||
- `accounts.openai.com -> 128.121.146.109` plus IPv6 `2001::80f2:f09b`
|
||||
- A DoH comparison for `chatgpt.com` via Cloudflare showed expected Cloudflare-style A records such as `104.18.32.47` and `172.64.155.209`, confirming local DNS pollution.
|
||||
- `scutil --dns` showed local macOS DNS included ISP/public resolvers such as `2400:3200::1`, `2402:4e00::`, `114.114.114.114`, and `8.8.8.8`; do not assume PassWall2 domain split rules alone mean DNS is being intercepted.
|
||||
|
||||
Operational rule: if `chatgpt.com` or `accounts.openai.com` resolves to non-Cloudflare/Twitter/Facebook-looking addresses, stop. Ask BOSS to fix PassWall2 DNS takeover / remote DNS / fake-ip or redir-host settings before testing extension automation. Do not proceed to registration/OAuth while Chrome still shows `ERR_CONNECTION_CLOSED`.
|
||||
|
||||
Helpful probe snippet:
|
||||
|
||||
```bash
|
||||
python3 - <<'PY'
|
||||
import socket
|
||||
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
|
||||
try:
|
||||
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
|
||||
except Exception as e:
|
||||
print(host, 'ERR', e)
|
||||
PY
|
||||
scutil --dns | sed -n '1,120p'
|
||||
curl -I -L --max-time 20 https://chatgpt.com/
|
||||
```
|
||||
|
||||
|
||||
Before sending `SAVE_SETTING` / `AUTO_RUN` programmatically, verify:
|
||||
|
||||
- `chrome://extensions/` shows `codex-oauth-automation-extension` loaded.
|
||||
- The target URL/extension ID corresponds to the unpacked repo, not a built-in/other extension.
|
||||
- The target context exposes the expected Chrome extension APIs and/or the sidepanel route is usable.
|
||||
|
||||
If `chrome://extensions/` shows no unpacked extension despite `--load-extension`, relaunch with a fresh profile and inspect Chrome stderr/profile policy before proceeding.
|
||||
@@ -0,0 +1,103 @@
|
||||
# OpenAI 验证码未投递到 ClawEmail 子邮箱(2026-05-09)
|
||||
|
||||
## 场景
|
||||
|
||||
BOSS 要求不依赖 `codex-oauth-automation-extension` 自动化,只参照其流程手动/CDP 驱动普通 ChatGPT/OpenAI 账号注册,并跳过 Plus/GoPay。
|
||||
|
||||
环境:
|
||||
|
||||
- 真实可见 Google Chrome stable 147
|
||||
- 隔离 profile
|
||||
- 代理:`socks5://192.168.2.8:1085`
|
||||
- 目标:后续 OAuth 到 Codex2API
|
||||
- 邮箱:ClawEmail 子邮箱
|
||||
|
||||
## 测试邮箱
|
||||
|
||||
第一次:
|
||||
|
||||
```text
|
||||
chickliu.zlajiqjc@claw.163.com
|
||||
```
|
||||
|
||||
第二次全新 profile + 全新子邮箱:
|
||||
|
||||
```text
|
||||
chickliu.gmmpioju@claw.163.com
|
||||
```
|
||||
|
||||
## 观察结果
|
||||
|
||||
两次都能进入 OpenAI 邮箱验证码页,页面显示类似:
|
||||
|
||||
```text
|
||||
检查你的收件箱
|
||||
输入我们刚刚向 <clawemail-submailbox> 发送的验证码
|
||||
```
|
||||
|
||||
未出现:
|
||||
|
||||
- CAPTCHA / Cloudflare
|
||||
- 手机号验证
|
||||
- Plus / 付款页
|
||||
|
||||
但 OpenAI 验证码邮件没有到达 ClawEmail 子邮箱:
|
||||
|
||||
- 收件箱为空
|
||||
- 垃圾箱为空
|
||||
- 点击“重新发送电子邮件”后仍未到达
|
||||
- 等待约 2 分钟仍无投递
|
||||
|
||||
## 排除项
|
||||
|
||||
已确认不是子邮箱基础收信问题:
|
||||
|
||||
- 给 `chickliu.zlajiqjc@claw.163.com` 自发测试邮件,能收到。
|
||||
- 给 `chickliu.gmmpioju@claw.163.com` 自发测试邮件,能收到。
|
||||
|
||||
已确认不是邮箱填错:
|
||||
|
||||
- 通过页面 DOM 读取验证码页提示文本,确认显示的邮箱与创建的 ClawEmail 子邮箱一致。
|
||||
|
||||
已确认不是只查了主邮箱:
|
||||
|
||||
- 为子邮箱创建/使用独立 `mail-cli --profile` 查询。
|
||||
- 分别查收件箱和垃圾箱。
|
||||
|
||||
## 额外异常
|
||||
|
||||
第一次邮箱流程中,OpenAI `/email-verification` 页面曾刷新后返回:
|
||||
|
||||
```text
|
||||
HTTP ERROR 500
|
||||
```
|
||||
|
||||
重新提交同一邮箱后验证码页恢复,但邮件仍未投递。
|
||||
|
||||
## 结论
|
||||
|
||||
普通注册流程可以走到 OpenAI 邮箱验证码页,但 `@claw.163.com` 子邮箱未收到 OpenAI 验证码邮件。当前阻塞不是浏览器、代理、扩展、验证码挑战或手机号验证,而是 OpenAI/Auth 邮件投递到 ClawEmail 子邮箱失败或延迟。
|
||||
|
||||
## 下次继续测试建议
|
||||
|
||||
1. BOSS 先检查 ClawEmail 邮箱设置/后台投递策略/拦截日志。
|
||||
2. 继续前先再次测试子邮箱自发/外部普通邮件可收。
|
||||
3. 若仍不收 OpenAI 验证码,尝试:
|
||||
- 直接用 ClawEmail 主邮箱 `chickliu@claw.163.com` 测一次;
|
||||
- 换其他真实邮箱/临时邮箱服务;
|
||||
- 检查 OpenAI/Auth0 是否对 `@claw.163.com` 或其子邮箱形态做投递抑制。
|
||||
4. 若继续用子邮箱,务必用 `mail-cli --profile <sub-profile>` 查询对应子邮箱,不要只查默认主邮箱。
|
||||
|
||||
## 记录文件
|
||||
|
||||
失败记录已追加到:
|
||||
|
||||
```text
|
||||
/Users/chick/.Hermes/workspace/codex-oauth/run-records/clawemail_accounts.jsonl
|
||||
```
|
||||
|
||||
失败阶段:
|
||||
|
||||
```text
|
||||
openai_email_verification
|
||||
```
|
||||
@@ -0,0 +1,94 @@
|
||||
# OpenAI/ChatGPT Proxy Endpoint Probe Notes — 2026-05-08
|
||||
|
||||
## Context
|
||||
|
||||
During Codex/OpenAI OAuth prerequisite testing, BOSS asked to verify direct browser access and then explicit LAN proxy endpoints:
|
||||
|
||||
- `socks5://192.168.2.8:1085` (tested as `socks5h://` so DNS resolves through proxy)
|
||||
- `http://192.168.2.8:1084`
|
||||
|
||||
The Mac had local IP `192.168.2.69/24`, default route via `192.168.2.8`, and an ARP entry for `192.168.2.8`, but ICMP/TCP to the gateway/proxy endpoint failed.
|
||||
|
||||
## Observed failure signatures
|
||||
|
||||
System/browser without working proxy:
|
||||
|
||||
```text
|
||||
chatgpt.com -> polluted IPs such as 202.160.128.16 / 199.59.150.40 / 2a03:2880:...
|
||||
accounts.openai.com -> polluted IPs such as 192.133.77.189 / 128.121.146.109 / 2a03:2880:...
|
||||
Chrome: ERR_CONNECTION_CLOSED
|
||||
curl: LibreSSL SSL_connect: SSL_ERROR_SYSCALL
|
||||
```
|
||||
|
||||
Explicit SOCKS5/HTTP proxy endpoint unavailable:
|
||||
|
||||
```text
|
||||
ping 192.168.2.8 -> sendto: No route to host / 100% packet loss
|
||||
nc -vz -w 5 192.168.2.8 1085 -> No route to host
|
||||
curl --proxy socks5h://192.168.2.8:1085 https://chatgpt.com/ -> Failed to connect
|
||||
nc -vz -w 3 192.168.2.8 1084 -> No route to host
|
||||
curl --proxy http://192.168.2.8:1084 https://chatgpt.com/ -> Failed to connect
|
||||
```
|
||||
|
||||
Route/ARP could still look superficially valid:
|
||||
|
||||
```text
|
||||
default gateway: 192.168.2.8
|
||||
192.168.2.8 at <mac> on en0 ifscope
|
||||
local IP: 192.168.2.69
|
||||
```
|
||||
|
||||
Do not mistake this for a ChatGPT/OpenAI auth bug or extension bug. If the LAN proxy endpoint itself is unreachable, browser automation and OAuth should stop.
|
||||
|
||||
## Recommended probe order
|
||||
|
||||
1. Flush DNS cache only as a low-risk refresh:
|
||||
|
||||
```bash
|
||||
dscacheutil -flushcache || true
|
||||
killall -HUP mDNSResponder 2>/dev/null || true
|
||||
```
|
||||
|
||||
2. Check current DNS and detect pollution:
|
||||
|
||||
```bash
|
||||
python3 - <<'PY'
|
||||
import socket
|
||||
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
|
||||
try:
|
||||
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
|
||||
except Exception as e:
|
||||
print(host, 'ERR', e)
|
||||
PY
|
||||
```
|
||||
|
||||
3. Test gateway and proxy endpoint before browser tests:
|
||||
|
||||
```bash
|
||||
ping -c 2 -W 1000 192.168.2.8 || true
|
||||
nc -vz -w 5 192.168.2.8 1085 || true
|
||||
nc -vz -w 5 192.168.2.8 1084 || true
|
||||
```
|
||||
|
||||
4. For SOCKS5, use `socks5h://` in curl so DNS is performed through the proxy:
|
||||
|
||||
```bash
|
||||
curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/
|
||||
curl --proxy socks5h://192.168.2.8:1085 --max-time 20 https://api.ipify.org
|
||||
```
|
||||
|
||||
5. For HTTP proxy:
|
||||
|
||||
```bash
|
||||
curl --proxy http://192.168.2.8:1084 -I -L --max-time 30 https://chatgpt.com/
|
||||
curl --proxy http://192.168.2.8:1084 --max-time 20 https://api.ipify.org
|
||||
```
|
||||
|
||||
6. Only launch a proxied browser or extension run after at least one proxy endpoint succeeds.
|
||||
|
||||
## Interpretation
|
||||
|
||||
- `No route to host` to the proxy IP/port means the local Mac cannot reach the LAN proxy service. Fix LAN/gateway/firewall/Wi‑Fi/VLAN/router first.
|
||||
- `Connection refused` means the host is reachable but no service is listening on that port or firewall actively rejects it.
|
||||
- HTTP 200/30x/403 Cloudflare challenge through the proxy is better than transport failure; browser testing can proceed, but CAPTCHA/security challenge may still require manual action.
|
||||
- Polluted system DNS may remain even while explicit `socks5h://` works; in that case use browser `--proxy-server=socks5://...` or ensure PassWall2 DNS hijack/remote DNS is correctly applied.
|
||||
@@ -0,0 +1,52 @@
|
||||
# OpenAI phone verification with 5sim SMS activation — 2026-05-10
|
||||
|
||||
## Context
|
||||
|
||||
During a Codex2API OAuth onboarding run for BOSS, OpenAI registration/login reached `https://auth.openai.com/add-phone` after email verification. BOSS corrected that phone verification must use **SMS** receive channels, not WhatsApp. The original `codex-oauth-automation-extension` provider confirmed the right 5sim API shape:
|
||||
|
||||
```text
|
||||
GET https://5sim.net/v1/user/buy/activation/{country}/{operator}/openai
|
||||
GET https://5sim.net/v1/user/check/{activationId}
|
||||
GET https://5sim.net/v1/user/cancel/{activationId}
|
||||
GET https://5sim.net/v1/user/finish/{activationId}
|
||||
```
|
||||
|
||||
Use `product=openai`, `operator=any` unless configured otherwise. If `FIVE_SIM_COUNTRY_ID` is empty, the extension default is `vietnam`.
|
||||
|
||||
## Learned workflow
|
||||
|
||||
1. Cancel any current 5sim activation before switching proxy, country, or retry strategy.
|
||||
2. Follow configured country first; do not silently fall back to other countries unless BOSS approves or config changes.
|
||||
3. For non-USA numbers, select the OpenAI country selector with visible UI and verify DOM shows the expected country before buying/submitting a number.
|
||||
4. Prefer real UI paste/click for the phone page. CDP-only mutation of `input[type=tel]` can desync React state: the visible country may later revert from `越南 (+84)` to `美国 (+1)` on submit.
|
||||
5. If OpenAI returns `无法向此电话号码发送验证码。请稍后重试或使用其他号码。`, classify it as a number/provider rejection. Cancel the activation and buy a new number in the same configured region.
|
||||
6. If the page shows `电话号码无效。` after non-USA submission, first verify the country selector did not revert to `美国 (+1)`; this may be a selector-state problem, not a bad number.
|
||||
7. When changing browser proxy, expect OpenAI auth session invalidation. Re-open OAuth from the target panel, then redo email login/code before returning to `add-phone`.
|
||||
8. Codex2API admin page URL may be stored as `/admin/accounts`; derive API origin from the URL before calling `/api/admin/oauth/generate-auth-url`.
|
||||
|
||||
## Observed proxy behavior
|
||||
|
||||
- `socks5://192.168.2.8:1085`: OpenAI `add-phone` reached; multiple Vietnam 5sim numbers rejected with `无法向此电话号码发送验证码...`.
|
||||
- `socks5://192.168.2.8:1083`: TCP and exit IP worked; raw curl to ChatGPT returned Cloudflare challenge 403, but real Chrome loaded OpenAI login. Session changed to `你的会话已结束`, requiring a fresh Codex2API OAuth URL and email code. A fresh Vietnam 5sim number was still rejected.
|
||||
|
||||
## Practical checks
|
||||
|
||||
```bash
|
||||
# Probe proxy with remote DNS
|
||||
nc -vz -w 3 192.168.2.8 1083
|
||||
curl --proxy socks5h://192.168.2.8:1083 --max-time 20 https://api.ipify.org
|
||||
curl --proxy socks5h://192.168.2.8:1083 -I -L --max-time 30 https://chatgpt.com/ | sed -n '1,30p'
|
||||
```
|
||||
|
||||
```python
|
||||
# Derive Codex2API API origin from env URL that may point at /admin/accounts
|
||||
from urllib.parse import urlsplit
|
||||
raw = CODEX2API_URL
|
||||
u = urlsplit(raw)
|
||||
origin = f'{u.scheme}://{u.netloc}' if u.scheme and u.netloc else raw.rstrip('/')
|
||||
endpoint = origin + '/api/admin/oauth/generate-auth-url'
|
||||
```
|
||||
|
||||
## Do not leak
|
||||
|
||||
Do not print API keys, 5sim token, phone number, OAuth callback URL/code, account password, or admin key in final reports. Mask phone numbers and IDs if not needed.
|
||||
@@ -0,0 +1,99 @@
|
||||
# OpenAI phone verification with 5sim SMS: proxy switch + resend-on-accepted-number notes (2026-05-10)
|
||||
|
||||
## Context
|
||||
|
||||
During a Codex2API OAuth onboarding run, OpenAI registration/login reached `https://auth.openai.com/add-phone`. BOSS suspected the previous proxy node influenced SMS delivery and asked to switch the visible Chrome browser proxy from `socks5://192.168.2.8:1085` to `socks5://192.168.2.8:1083`.
|
||||
|
||||
Important operating constraints from the run:
|
||||
|
||||
- Use visible Google Chrome stable with CDP on `127.0.0.1:9223`.
|
||||
- Phone verification must use **5sim SMS activation** for product `openai`, not WhatsApp.
|
||||
- Follow configured `FIVE_SIM_COUNTRY_ID`; if empty, use the original extension default `vietnam`.
|
||||
- For non-USA numbers, verify the visible OpenAI country selector before buying/submitting the number.
|
||||
- Do not leak phone numbers, API keys, OAuth URLs with codes, callback URLs, or admin keys.
|
||||
|
||||
## Proxy switch behavior
|
||||
|
||||
`1083` probe result in this session:
|
||||
|
||||
```text
|
||||
nc 192.168.2.8 1083 -> TCP succeeded
|
||||
curl --proxy socks5h://192.168.2.8:1083 https://api.ipify.org -> 43.207.194.18
|
||||
curl --proxy socks5h://192.168.2.8:1083 -I https://chatgpt.com -> HTTP/2 403, cf-mitigated: challenge
|
||||
```
|
||||
|
||||
Visible Chrome did not show a Cloudflare challenge, but switching proxy caused the OpenAI auth session to become invalid:
|
||||
|
||||
```text
|
||||
https://auth.openai.com/add-phone -> title: 你的会话已结束 - OpenAI
|
||||
```
|
||||
|
||||
Recovery pattern:
|
||||
|
||||
1. Cancel any active 5sim order before changing proxy.
|
||||
2. Update `BROWSER_PROXY_SERVER` in `~/.hermes/env/codex_oauth_onboarding.env`.
|
||||
3. Kill/relaunch only the isolated Chrome process using `--remote-debugging-port=9223 --proxy-server=<new proxy>`.
|
||||
4. Regenerate a Codex2API OAuth URL from the **origin**, not from an admin page path:
|
||||
- If `CODEX2API_URL=http://host:port/admin/accounts`, strip to `http://host:port`.
|
||||
- Correct endpoint observed: `POST /api/admin/oauth/generate-auth-url` with `X-Admin-Key`.
|
||||
5. Re-open the auth URL in the visible Chrome profile.
|
||||
6. Re-login via email and poll ClawEmail for the latest OpenAI code.
|
||||
7. Continue to `add-phone`.
|
||||
|
||||
Pitfall: using `CODEX2API_URL` directly when it contains `/admin/accounts` leads to wrong paths like `/admin/accounts/api/...` and 404. Always parse origin first.
|
||||
|
||||
## Country selector pitfall
|
||||
|
||||
OpenAI's country selector is React-controlled. CDP-only mutation of `input[type=tel]` can desync country state or let the selector revert to `美国 (+1)`. Future runs should prefer visible UI selection and paste:
|
||||
|
||||
1. Clear phone field.
|
||||
2. Open country dropdown.
|
||||
3. PageDown/scroll to the configured country.
|
||||
4. Click the visible country row (Vietnam observed around screen coordinate `(620,1173)` on a 2560x1600 screenshot, but re-check with screenshot/OCR).
|
||||
5. Verify DOM/body text includes the expected visible selector, e.g. `越南 (+84)`.
|
||||
6. Buy 5sim activation only after the selector is stable.
|
||||
7. Paste the local part of the phone via clipboard/UI, not CDP-only assignment.
|
||||
8. Click the actual visible `继续` button; button center may differ by layout, verify screenshot if needed.
|
||||
|
||||
## Resend strategy correction from BOSS
|
||||
|
||||
BOSS corrected the workflow: when OpenAI does **not** immediately reject a phone number, do **not** cancel it after the first 5sim polling timeout. Treat it as an accepted/pending number:
|
||||
|
||||
1. Poll `/v1/user/check/{activationId}` for SMS.
|
||||
2. If no SMS arrives, click OpenAI's visible/DOM `重新发送` control.
|
||||
3. Poll again.
|
||||
4. Repeat at least one more resend/poll cycle before canceling.
|
||||
5. Only cancel and rotate when:
|
||||
- OpenAI explicitly says `无法向此电话号码发送验证码`; or
|
||||
- the number remains pending after resend attempts and no SMS arrives.
|
||||
|
||||
This matters because in this session some Vietnam numbers were not rejected immediately but never delivered SMS on 5sim. Those should be given resend attempts before cancellation.
|
||||
|
||||
## Observed results on 1083 + Vietnam
|
||||
|
||||
After switching to `socks5://192.168.2.8:1083`, multiple `vietnam/any/openai` SMS activation attempts were made. Outcomes:
|
||||
|
||||
- Several numbers were directly rejected by OpenAI with:
|
||||
```text
|
||||
无法向此电话号码发送验证码。请稍后重试或使用其他号码。
|
||||
```
|
||||
- Some numbers were not immediately rejected, but repeated 5sim checks returned `RECEIVED` with `sms=[]`.
|
||||
- Applying the resend strategy still produced no SMS for the accepted/pending numbers in this run.
|
||||
- Therefore, the current evidence points to poor availability/deliverability of the 5sim Vietnam OpenAI pool under both `1085` and `1083`, not a WhatsApp-vs-SMS mistake.
|
||||
|
||||
## Minimal reusable script pattern
|
||||
|
||||
For future automation, encapsulate this loop:
|
||||
|
||||
```text
|
||||
cancel active order
|
||||
ensure OpenAI add-phone page
|
||||
ensure visible country selector == configured country
|
||||
buy /v1/user/buy/activation/{country}/{operator}/openai
|
||||
paste local phone via UI
|
||||
click continue
|
||||
if explicit reject: cancel + rotate
|
||||
else: poll 5sim; click resend; poll; click resend; poll; then cancel + rotate if still no SMS
|
||||
```
|
||||
|
||||
Do not hard-code `vietnam` unless `FIVE_SIM_COUNTRY_ID` is empty or BOSS explicitly requests it. If BOSS changes config to `england`, `japan`, etc., use that value and update the visible-country selection accordingly.
|
||||
@@ -0,0 +1,72 @@
|
||||
# OpenAI/ChatGPT DNS Pollution Probe — 2026-05-08
|
||||
|
||||
Context: after BOSS updated PassWall2 AI/OpenAI分流规则, browser automation still could not proceed because the local macOS resolver was still returning polluted IPs for key ChatGPT/Auth domains.
|
||||
|
||||
## Observed failure pattern
|
||||
|
||||
System resolver results:
|
||||
|
||||
```text
|
||||
chatgpt.com -> 199.59.150.40, 2a03:2880:f10c:83:face:b00c:0:25de
|
||||
accounts.openai.com -> 128.121.146.109, 2001::80f2:f09b
|
||||
auth.openai.com -> 104.18.41.241, 172.64.146.15, Cloudflare IPv6
|
||||
openai.com -> 104.18.33.45, 172.64.154.211
|
||||
```
|
||||
|
||||
`chatgpt.com` and `accounts.openai.com` above are polluted / wrong for the flow. Browser and curl failed before automation could start:
|
||||
|
||||
```text
|
||||
curl https://chatgpt.com/ -> LibreSSL SSL_connect: SSL_ERROR_SYSCALL
|
||||
curl https://accounts.openai.com/ -> LibreSSL SSL_connect: SSL_ERROR_SYSCALL
|
||||
Chrome -> ERR_CONNECTION_CLOSED / net_error -100
|
||||
```
|
||||
|
||||
Cloudflare DoH comparison showed `chatgpt.com` should resolve to Cloudflare-like IPs such as:
|
||||
|
||||
```text
|
||||
chatgpt.com -> 104.18.32.47, 172.64.155.209
|
||||
```
|
||||
|
||||
## Diagnostic commands
|
||||
|
||||
```bash
|
||||
python3 - <<'PY'
|
||||
import socket
|
||||
for h in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
|
||||
try:
|
||||
print(h, sorted({x[4][0] for x in socket.getaddrinfo(h,443,proto=socket.IPPROTO_TCP)}))
|
||||
except Exception as e:
|
||||
print(h, 'ERR', e)
|
||||
PY
|
||||
|
||||
curl -I -L --max-time 12 https://chatgpt.com/ 2>&1 | sed -n '1,45p'
|
||||
curl -I -L --max-time 12 https://accounts.openai.com/ 2>&1 | sed -n '1,45p'
|
||||
scutil --dns 2>/dev/null | sed -n '1,120p'
|
||||
```
|
||||
|
||||
## Interpretation
|
||||
|
||||
If `openai.com` or `auth.openai.com` returns HTTP/2 403 Cloudflare challenge but `chatgpt.com` / `accounts.openai.com` still fail TLS or resolve to non-Cloudflare/polluted ranges, do **not** continue registration/OAuth automation. Fix PassWall2 DNS handling first.
|
||||
|
||||
For BOSS's PassWall2 setup, ensure these domains use proxy-side/remote DNS, not the local ISP resolver:
|
||||
|
||||
```text
|
||||
chatgpt.com
|
||||
accounts.openai.com
|
||||
auth.openai.com
|
||||
openai.com
|
||||
```
|
||||
|
||||
macOS resolver in the failing run still had public/ISP DNS entries like `2400:3200::1`, `2402:4e00::`, `114.114.114.114`, and `8.8.8.8`; rules alone were insufficient because DNS was not cleanly hijacked/forwarded for these domains.
|
||||
|
||||
## Process hygiene
|
||||
|
||||
Old Chrome test processes can continue emitting noisy GCM/Crashpad errors. These are usually not the root cause:
|
||||
|
||||
```text
|
||||
Failed to connect to MCS endpoint
|
||||
ConnectionHandler failed
|
||||
Crashpad settings.dat: No such file or directory
|
||||
```
|
||||
|
||||
Kill stale test Chrome processes after a failed probe so they do not distract from the DNS/TLS issue.
|
||||
@@ -0,0 +1,86 @@
|
||||
# PassWall2 / SOCKS5 Gateway Reachability Probe — 2026-05-08
|
||||
|
||||
Session context: after BOSS updated PassWall2 split rules for OpenAI/ChatGPT/Codex OAuth testing, macOS still could not open `chatgpt.com` and Chrome showed `ERR_CONNECTION_CLOSED`.
|
||||
|
||||
## Observed commands and results
|
||||
|
||||
Low-risk macOS network refresh was performed:
|
||||
|
||||
```bash
|
||||
dscacheutil -flushcache
|
||||
killall -HUP mDNSResponder 2>/dev/null || true
|
||||
```
|
||||
|
||||
DNS stayed polluted after the cache flush:
|
||||
|
||||
```text
|
||||
chatgpt.com -> 202.160.128.16 / 2a03:2880:f10e:83:face:b00c:0:25de
|
||||
accounts.openai.com -> 192.133.77.189 / 2a03:2880:f117:83:face:b00c:0:25de
|
||||
auth.openai.com -> 104.18.41.241 / 172.64.146.15
|
||||
openai.com -> 104.18.33.45 / 172.64.154.211
|
||||
```
|
||||
|
||||
Testing the intended SOCKS5 gateway:
|
||||
|
||||
```bash
|
||||
nc -vz -w 3 192.168.2.8 1085
|
||||
curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 25 https://chatgpt.com/
|
||||
curl --proxy socks5h://192.168.2.8:1085 --max-time 15 https://api.ipify.org
|
||||
ping -c 3 -W 1000 192.168.2.8
|
||||
arp -n 192.168.2.8
|
||||
route -n get 192.168.2.8
|
||||
```
|
||||
|
||||
Results:
|
||||
|
||||
```text
|
||||
nc: connectx to 192.168.2.8 port 1085 (tcp) failed: No route to host
|
||||
curl: (7) Failed to connect to 192.168.2.8 port 1085: Couldn't connect to server
|
||||
ping: sendto: No route to host / 100% packet loss
|
||||
arp: 192.168.2.8 had a MAC entry on en0
|
||||
route: interface en0, host route present
|
||||
```
|
||||
|
||||
Browser screenshot after refresh still showed:
|
||||
|
||||
```text
|
||||
无法访问此网站
|
||||
chatgpt.com 意外终止了连接。
|
||||
ERR_CONNECTION_CLOSED
|
||||
```
|
||||
|
||||
## Reusable lesson
|
||||
|
||||
For Codex/OpenAI onboarding tests, distinguish three layers before touching extension automation:
|
||||
|
||||
1. **Local DNS pollution** — `chatgpt.com` / `accounts.openai.com` resolving to suspicious non-Cloudflare/Facebook-like ranges means domain rules alone are not enough.
|
||||
2. **Proxy gateway reachability** — even `socks5h://...` cannot help if the Mac cannot reach the gateway/port. Test `nc`, `curl --proxy socks5h://`, `ping`, `arp`, and `route`.
|
||||
3. **Browser page result** — only after gateway and DNS/proxy are healthy should Chrome/extension/OAuth be tested.
|
||||
|
||||
Use `socks5h://` rather than `socks5://` in curl probes when the goal is to force DNS resolution through the SOCKS proxy. If `socks5h` fails to connect to the proxy itself, stop and report gateway/port reachability first.
|
||||
|
||||
## Suggested probe block
|
||||
|
||||
```bash
|
||||
PROXY='socks5h://192.168.2.8:1085'
|
||||
|
||||
printf '== DNS ==\n'
|
||||
python3 - <<'PY'
|
||||
import socket
|
||||
for h in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
|
||||
try:
|
||||
print(h, sorted({x[4][0] for x in socket.getaddrinfo(h,443,proto=socket.IPPROTO_TCP)}))
|
||||
except Exception as e:
|
||||
print(h, 'ERR', e)
|
||||
PY
|
||||
|
||||
printf '\n== gateway/port ==\n'
|
||||
route -n get 192.168.2.8 2>/dev/null || true
|
||||
arp -n 192.168.2.8 || true
|
||||
ping -c 3 -W 1000 192.168.2.8 || true
|
||||
nc -vz -w 3 192.168.2.8 1085 || true
|
||||
|
||||
printf '\n== through socks5h ==\n'
|
||||
curl --proxy "$PROXY" -I -L --max-time 25 https://chatgpt.com/ 2>&1 | sed -n '1,80p'
|
||||
curl --proxy "$PROXY" --max-time 15 https://api.ipify.org 2>&1 || true
|
||||
```
|
||||
@@ -0,0 +1,150 @@
|
||||
# Codex OAuth onboarding env template for real Google Chrome flow
|
||||
# Copy to ~/.hermes/env/codex_oauth_onboarding.env and chmod 600.
|
||||
# Do not commit. Do not paste secrets into chat.
|
||||
|
||||
# 0) Local project / browser
|
||||
CODEX_OAUTH_EXTENSION_DIR=
|
||||
CHROME_BIN=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
|
||||
BROWSER_PROFILE_ROOT=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth
|
||||
BROWSER_HEADLESS=false
|
||||
BROWSER_LANG=zh-CN
|
||||
RUN_COUNT=1
|
||||
AUTO_STEP_DELAY_SECONDS=2
|
||||
AUTO_RUN_SKIP_FAILURES=false
|
||||
OAUTH_FLOW_TIMEOUT_ENABLED=true
|
||||
|
||||
# 1) Panel / target mode. No default: leave empty and the workflow MUST NOT run.
|
||||
# Must explicitly select exactly one before execution: cpa | sub2api | codex2api
|
||||
PANEL_MODE=
|
||||
LOCAL_CPA_STEP9_MODE=submit
|
||||
|
||||
# CPA panel fields
|
||||
CPA_VPS_URL=
|
||||
CPA_VPS_PASSWORD=
|
||||
|
||||
# SUB2API panel fields
|
||||
SUB2API_URL=
|
||||
SUB2API_EMAIL=
|
||||
SUB2API_PASSWORD=
|
||||
SUB2API_GROUP_NAME=
|
||||
SUB2API_ACCOUNT_PRIORITY=1
|
||||
SUB2API_DEFAULT_PROXY_NAME=
|
||||
|
||||
# Codex2API panel fields
|
||||
CODEX2API_URL=
|
||||
CODEX2API_ADMIN_KEY=
|
||||
|
||||
# 2) Browser proxy. BOSS provides SOCKS5 or HTTP proxy without username/password.
|
||||
# Examples: socks5://host:port or http://host:port
|
||||
BROWSER_PROXY_SERVER=
|
||||
BROWSER_PROXY_CHECK_URL=https://api.ipify.org?format=json
|
||||
|
||||
# Extension built-in 711proxy/IP proxy fields, only if using original project proxy panel.
|
||||
IP_PROXY_ENABLED=false
|
||||
IP_PROXY_SERVICE=
|
||||
IP_PROXY_MODE=
|
||||
IP_PROXY_API_URL=
|
||||
IP_PROXY_ACCOUNT_LIST=
|
||||
IP_PROXY_ACCOUNT_SESSION_PREFIX=codex
|
||||
IP_PROXY_ACCOUNT_LIFE_MINUTES=
|
||||
IP_PROXY_POOL_TARGET_COUNT=20
|
||||
IP_PROXY_AUTO_SYNC_ENABLED=false
|
||||
IP_PROXY_AUTO_SYNC_INTERVAL_MINUTES=15
|
||||
IP_PROXY_HOST=
|
||||
IP_PROXY_PORT=
|
||||
IP_PROXY_PROTOCOL=
|
||||
IP_PROXY_REGION=
|
||||
|
||||
# 3) Registration identity and password
|
||||
# ClawEmail must create a fresh mailbox each run and record it locally with status.
|
||||
CLAWEMAIL_CREATE_PER_RUN=true
|
||||
CLAWEMAIL_PREFIX=codex
|
||||
CLAWEMAIL_UID=
|
||||
CLAWEMAIL_RECORD_FILE=/Users/chick/.Hermes/workspace/codex-oauth/run-records/clawemail_accounts.jsonl
|
||||
SIGNUP_METHOD=email
|
||||
CUSTOM_PASSWORD=
|
||||
|
||||
# 4) Mail provider fields from original project, fill only if not using Hermes-side ClawEmail polling.
|
||||
MAIL_PROVIDER=
|
||||
EMAIL_GENERATOR=custom
|
||||
CUSTOM_EMAIL_POOL=
|
||||
CUSTOM_MAIL_PROVIDER_POOL=
|
||||
INBUCKET_HOST=
|
||||
INBUCKET_MAILBOX=
|
||||
HOTMAIL_SERVICE_MODE=
|
||||
HOTMAIL_REMOTE_BASE_URL=
|
||||
HOTMAIL_LOCAL_BASE_URL=
|
||||
LUCKMAIL_API_KEY=
|
||||
LUCKMAIL_BASE_URL=
|
||||
LUCKMAIL_EMAIL_TYPE=
|
||||
LUCKMAIL_DOMAIN=
|
||||
CLOUDFLARE_TEMP_EMAIL_BASE_URL=
|
||||
CLOUDFLARE_TEMP_EMAIL_ADMIN_AUTH=
|
||||
CLOUDFLARE_TEMP_EMAIL_CUSTOM_AUTH=
|
||||
CLOUDFLARE_TEMP_EMAIL_RECEIVE_MAILBOX=
|
||||
CLOUDFLARE_TEMP_EMAIL_USE_RANDOM_SUBDOMAIN=false
|
||||
CLOUDFLARE_TEMP_EMAIL_DOMAIN=
|
||||
|
||||
# 5) Phone/SMS verification fallback. No default provider: leave disabled/empty unless needed.
|
||||
PHONE_VERIFICATION_ENABLED=false
|
||||
SIGNUP_PHONE=
|
||||
PHONE_SMS_PROVIDER=
|
||||
PHONE_SMS_PROVIDER_ORDER=
|
||||
VERIFICATION_RESEND_COUNT=0
|
||||
PHONE_VERIFICATION_REPLACEMENT_LIMIT=3
|
||||
PHONE_CODE_WAIT_SECONDS=60
|
||||
PHONE_CODE_TIMEOUT_WINDOWS=2
|
||||
PHONE_CODE_POLL_INTERVAL_SECONDS=5
|
||||
PHONE_CODE_POLL_MAX_ROUNDS=12
|
||||
PHONE_PREFERRED_ACTIVATION=
|
||||
|
||||
# HeroSMS
|
||||
HERO_SMS_API_KEY=
|
||||
HERO_SMS_REUSE_ENABLED=
|
||||
HERO_SMS_ACQUIRE_PRIORITY=
|
||||
HERO_SMS_MAX_PRICE=
|
||||
HERO_SMS_PREFERRED_PRICE=
|
||||
HERO_SMS_COUNTRY_ID=
|
||||
HERO_SMS_COUNTRY_LABEL=
|
||||
HERO_SMS_COUNTRY_FALLBACK=
|
||||
|
||||
# 5sim
|
||||
FIVE_SIM_API_KEY=
|
||||
FIVE_SIM_PRODUCT=
|
||||
FIVE_SIM_COUNTRY_ORDER=
|
||||
FIVE_SIM_COUNTRY_ID=
|
||||
FIVE_SIM_COUNTRY_LABEL=
|
||||
FIVE_SIM_COUNTRY_FALLBACK=
|
||||
FIVE_SIM_MAX_PRICE=
|
||||
FIVE_SIM_OPERATOR=any
|
||||
|
||||
# NexSMS
|
||||
NEX_SMS_API_KEY=
|
||||
NEX_SMS_COUNTRY_ORDER=
|
||||
NEX_SMS_SERVICE_CODE=
|
||||
|
||||
# 6) Plus/payment. BOSS chose GoPay. Paid operation still requires explicit confirmation before execution.
|
||||
PLUS_MODE_ENABLED=false
|
||||
PLUS_PAYMENT_METHOD=gopay
|
||||
GOPAY_COUNTRY_CODE=+86
|
||||
GOPAY_PHONE=
|
||||
GOPAY_OTP=
|
||||
GOPAY_OTP_SOURCE=manual
|
||||
GOPAY_OTP_MANUAL_TIMEOUT_SECONDS=180
|
||||
GOPAY_PIN=
|
||||
|
||||
# GPC helper fields retained but not used when PLUS_PAYMENT_METHOD=gopay
|
||||
GPC_HELPER_API_URL=
|
||||
GPC_HELPER_CARD_KEY=
|
||||
GPC_HELPER_COUNTRY_CODE=+86
|
||||
GPC_HELPER_PHONE_NUMBER=
|
||||
GPC_HELPER_PIN=
|
||||
GPC_HELPER_OTP_CHANNEL=
|
||||
GPC_HELPER_LOCAL_SMS_ENABLED=false
|
||||
GPC_HELPER_LOCAL_SMS_URL=http://127.0.0.1:18767
|
||||
|
||||
# 7) Local run records
|
||||
RUN_RECORD_DIR=/Users/chick/.Hermes/workspace/codex-oauth/run-records
|
||||
ACCOUNT_SUCCESS_FILE=/Users/chick/.Hermes/workspace/codex-oauth/run-records/success_accounts.jsonl
|
||||
ACCOUNT_FAILED_FILE=/Users/chick/.Hermes/workspace/codex-oauth/run-records/failed_accounts.jsonl
|
||||
ACCOUNT_PENDING_FILE=/Users/chick/.Hermes/workspace/codex-oauth/run-records/pending_accounts.jsonl
|
||||
Reference in New Issue
Block a user