docs: sync latest codex oauth onboarding skill

This commit is contained in:
2026-05-08 21:13:53 +08:00
parent 368a5948b2
commit 9102557f8e
9 changed files with 579 additions and 9 deletions
+70 -5
View File
@@ -89,7 +89,7 @@ Observed verification result during initial study: `772` tests passed, `0` faile
## Configuration File
Create a dedicated env file instead of typing secrets into chat. A fuller template is stored with this skill at `templates/codex_oauth_onboarding.env.example`.
Create a dedicated env file instead of typing secrets into chat. A fuller template is stored with this skill at `templates/codex_oauth_onboarding.env.example`. If BOSS has temporarily filled real values into that template, first copy it to the real env file, back up the filled template privately, and sanitize the template again; see `references/env-file-and-5sim-notes.md`.
```bash
mkdir -p ~/.hermes/env
@@ -104,7 +104,7 @@ High-level required groups:
1. **Local project / browser**: `CODEX_OAUTH_EXTENSION_DIR`, `CHROME_BIN`, `BROWSER_PROFILE_ROOT`, `BROWSER_HEADLESS=false`.
2. **Panel / target mode**: `PANEL_MODE=cpa|sub2api|codex2api` has **no default**; if empty, stop. Fill only the selected targets auth fields copied from the original side panel (`CPA_VPS_URL`/`CPA_VPS_PASSWORD`, or `SUB2API_*`, or `CODEX2API_*`).
3. **Proxy**: fill `BROWSER_PROXY_SERVER` with BOSS-provided unauthenticated `socks5://host:port` or `http://host:port`; use `IP_PROXY_*` only when using the original extensions built-in 711proxy/IP proxy panel.
4. **Registration identity and password**: `CLAWEMAIL_CREATE_PER_RUN=true`, `CLAWEMAIL_PREFIX`, `CLAWEMAIL_RECORD_FILE`, `SIGNUP_METHOD=email`, and unified `CUSTOM_PASSWORD`.
4. **Registration identity and password**: `CLAWEMAIL_CREATE_PER_RUN=true`, `CLAWEMAIL_PREFIX`, `CLAWEMAIL_RECORD_FILE`, `SIGNUP_METHOD=email`, and unified `CUSTOM_PASSWORD`. For BOSS's ClawEmail per-run accounts, use a pure lowercase English **8-letter random create prefix with no base prefix** (example create prefix `abcdefgh`, resulting sub-mailbox shape `chickliu.abcdefgh@claw.163.com`). Live ClawEmail probing showed create prefixes are accepted only up to 11 characters and dots/hyphens are rejected despite docs/help text, so do not use `codex` + 8 letters. Store/observe the policy with `CLAWEMAIL_PREFIX=` (empty), `CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8`, `CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz`, and `CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true` when helper scripts support it; if not, generate the 8-letter prefix in the runner before calling `mail-cli clawemail create --prefix ...`.
5. **Mail provider**: `MAIL_PROVIDER`, `EMAIL_GENERATOR`, and original-provider fields only if not polling ClawEmail from Hermes.
6. **Phone/SMS verification fallback**: no default provider; keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless configured/approved.
7. **Plus/payment**: `PLUS_MODE_ENABLED=true`, `PLUS_PAYMENT_METHOD=gopay`; paid operations still require explicit confirmation.
@@ -114,11 +114,17 @@ Minimal template excerpt:
```bash
# Required: local extension repo
CODEX_OAUTH_EXTENSION_DIR=/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
```bash
# Required: ClawEmail mailbox
CLAWEMAIL_UID=chickliu@claw.163.com
CLAWEMAIL_PREFIX=codex
# BOSS preference: per-run sub-mailbox create prefix is exactly 8 lowercase English random letters.
# Example create prefix: abcdefgh -> chickliu.abcdefgh@claw.163.com
CLAWEMAIL_PREFIX=
CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8
CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
```
# Browser isolation
BROWSER_PROFILE_ROOT=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth
BROWSER_HEADLESS=false
@@ -265,6 +271,20 @@ Normal mode step definitions:
9. `confirm-oauth` — click OAuth consent / Continue and capture localhost callback.
10. `platform-verify` — submit callback/code/state to SUB2API, Codex2API, or CPA.
### ClawEmail random suffix policy
BOSS specifically prefers Codex onboarding sub-mailboxes to use **only an 8-letter lowercase English random create prefix** after the primary mailbox dot, e.g. `chickliu.ktqcxzux@claw.163.com`. Do not use `cod`/`codex` plus 8 letters unless BOSS asks; the live ClawEmail API only accepted create prefixes up to 11 characters and rejected dots/hyphens during probing. See `clawemail-operations` reference `references/clawemail-prefix-probe-2026-05.md` and this skill's `references/clawemail-random-suffix-policy-2026-05.md`.
```bash
FIVE_SIM_API_KEY=
FIVE_SIM_BASE_URL=https://5sim.net/v1
FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia
FIVE_SIM_OPERATOR=any
FIVE_SIM_PRODUCT=openai
FIVE_SIM_SERVICE=openai
```
## Plus Flow Steps
When `PLUS_MODE_ENABLED=true`, the extension switches step definitions.
@@ -356,6 +376,51 @@ The built-in export function exports `getPersistedSettings()` as JSON; this can
- Confirm Chrome was launched with `--load-extension` and `--disable-extensions-except` pointing to the repo directory.
- Confirm `manifest.json` exists and is Manifest V3.
- Use a non-headless browser. Chrome extension side panels are usually not practical in headless mode.
- When using Chrome DevTools Protocol, do not assume the first `/json` `service_worker` target is this automation extension; verify the extension is visible in `chrome://extensions/` and that the target URL/ID corresponds to the unpacked repo before sending `SAVE_SETTING` / `AUTO_RUN`.
### PassWall2/DNS split rules still polluted
After BOSS updates PassWall2/domain split rules, verify DNS takeover before relaunching the extension. Domain rules alone are not enough if macOS still resolves `chatgpt.com` / `accounts.openai.com` through ISP/local DNS.
Run:
```bash
python3 - <<'PY'
import socket
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
PY
scutil --dns | sed -n '1,120p'
curl -I -L --max-time 20 https://chatgpt.com/
```
If `chatgpt.com` resolves to suspicious non-Cloudflare ranges such as `199.59.150.40` / `202.160.128.16`, or `accounts.openai.com` resolves to `128.121.146.109` / `192.133.77.189` / `2001::80f2:f09b`, treat it as DNS pollution and stop before registration/OAuth. Ask BOSS to fix PassWall2 DNS takeover/remote DNS/fake-ip or redir-host. See `references/openai-chatgpt-browser-probe-2026-05-08.md`, `references/passwall2-openai-dns-pollution-2026-05-08.md`, and `references/openai-lan-proxy-endpoint-probe-2026-05-08.md` for browser/TLS/proxy endpoint failure patterns.
When BOSS provides a LAN proxy endpoint such as `socks5://192.168.2.8:1085` or `http://192.168.2.8:1084`, test the endpoint before launching Chrome:
```bash
ping -c 2 -W 1000 192.168.2.8 || true
nc -vz -w 5 192.168.2.8 1085 || true
curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/
```
Use `socks5h://` with `curl` so DNS resolution happens through the SOCKS proxy. If proxy TCP tests fail with `No route to host`, stop: this is a LAN/gateway/proxy reachability problem, not an OpenAI OAuth or extension problem.
### SOCKS5 gateway not reachable
If BOSS asks to test a specific proxy such as `socks5://192.168.2.8:1085`, test gateway reachability before browser/extension automation. Use `socks5h://` in curl when the intent is to force DNS through the SOCKS proxy:
```bash
PROXY='socks5h://192.168.2.8:1085'
nc -vz -w 3 192.168.2.8 1085 || true
curl --proxy "$PROXY" -I -L --max-time 25 https://chatgpt.com/ 2>&1 | sed -n '1,80p'
curl --proxy "$PROXY" --max-time 15 https://api.ipify.org 2>&1 || true
route -n get 192.168.2.8 2>/dev/null || true
arp -n 192.168.2.8 || true
ping -c 3 -W 1000 192.168.2.8 || true
```
If the Mac cannot reach the gateway/port (`No route to host`, `Couldn't connect to server`, ping loss), report this as a local gateway/port problem rather than continuing OAuth or extension tests. See `references/passwall2-socks5-gateway-reachability-2026-05-08.md` for the session example.
### Proxy not applied