docs: record 1085 clawemail permission and phone results

This commit is contained in:
2026-05-10 14:33:58 +08:00
parent ba6d673650
commit ca30d4c5cd
6 changed files with 393 additions and 9 deletions
@@ -0,0 +1,75 @@
# ClawEmail external-receive gate for OpenAI verification (2026-05-10)
Context: during a fresh Codex2API/OpenAI OAuth registration run with `socks5://192.168.2.8:1085`, a new ClawEmail sub-mailbox was created successfully:
```text
chickliu.<8letters>@claw.163.com
```
The OpenAI flow reached `https://auth.openai.com/email-verification` after password creation, but no OpenAI verification email arrived. `mail-cli clawemail info --uid ... --json` showed the newly-created sub-mailbox defaults to:
```json
{
"commLevel": 1,
"extReceiveType": 0,
"extSendType": 0
}
```
Meaning: internal communication only. External OpenAI mail is blocked unless communication settings are changed.
## Required gate before submitting a new sub-mailbox to OpenAI
After creating a per-run ClawEmail sub-mailbox and before using it in OpenAI registration:
1. Verify mailbox info:
```bash
mail-cli clawemail info --uid "$NEW_UID" --json
```
2. If it is not already external-receive enabled, stop and set it in ClawEmail Dashboard:
```text
通讯规则 -> 开放外部通信 -> 收信范围:所有人
```
Target state:
```json
{
"commLevel": 2,
"extReceiveType": 1
}
```
3. Only after the gate passes, submit the mailbox to OpenAI / click resend verification.
## Why this matters
If the sub-mailbox remains `commLevel=1`, OpenAI verification mail may never arrive. Repeated resend attempts can also destabilize the OpenAI email-verification page (observed page class: HTTP 500 / `chrome-error://chromewebdata/`) and wastes a registration session.
## mail-cli profile pitfall after cleanup
If old test sub-mailboxes were deleted, named profiles such as `codex-current`, `codex-retry`, or `codex-zlajiqjc` can still point to deleted mailboxes. Polling with a stale profile can return errors like:
```text
JWT_FETCH_FAILED / 资源不存在
```
For new runs, either:
- update/create a profile for the new mailbox before polling, or
- poll through the verified default/master profile only if the API actually exposes the new sub-mailbox's mail there.
Do not treat `JWT_FETCH_FAILED` from a stale profile as an OpenAI non-delivery signal.
## Recommended automation behavior
The low-token runner should include a `clawemail_external_receive_gate` phase:
```json
{"phase":"clawemail_external_receive_gate","uid":"chickliu.<prefix>@claw.163.com","commLevel":1,"extReceiveType":0,"result":"blocked_requires_dashboard"}
```
When blocked, emit a screenshot/instruction and stop before burning the OpenAI auth session or proceeding to 5sim.
@@ -0,0 +1,59 @@
# ClawEmail quota and reusable-account gate before phone verification (2026-05-10)
Context: after the OpenAI/Codex OAuth flow was mostly proven, BOSS asked to continue using `socks5://192.168.2.8:1085` and run the phone-verification part again. The current OpenAI account `chickliu.hykolnqk@claw.163.com` was already returning `account_deactivated`, so the expected path was to create a fresh ClawEmail sub-mailbox and reach `add-phone` again.
## What happened
Creating a fresh 8-letter ClawEmail sub-mailbox failed:
```text
OPEN_API_1004
邮箱数量已达上限
```
The existing sub-mailboxes listed under `chickliu@claw.163.com` were:
```text
chickliu.ktqcxzux@claw.163.com
chickliu.zlajiqjc@claw.163.com
chickliu.gmmpioju@claw.163.com
chickliu.hykolnqk@claw.163.com
```
Known state:
- `chickliu.hykolnqk@claw.163.com`: OpenAI returned `account_deactivated` after email-code submit.
- `chickliu.gmmpioju@claw.163.com`: OpenAI recognized it as an existing account and showed password login; configured `CUSTOM_PASSWORD` returned `Incorrect email address or password`.
- `chickliu.zlajiqjc@claw.163.com`: same password mismatch.
- `chickliu.ktqcxzux@claw.163.com`: same password mismatch.
Result: no usable account reached `add-phone`, so no 5sim numbers were purchased. This avoided wasting SMS activations.
## Operational lesson
Before running the phone-verification phase, add an **identity gate**:
1. Check ClawEmail mailbox quota/list first.
2. If the current account is `account_deactivated`, do not continue it.
3. If a fresh sub-mailbox cannot be created because of quota, do not start 5sim.
4. Existing sub-mailboxes are not automatically reusable. First verify either:
- OpenAI login works with the configured password, or
- the account is genuinely unregistered and can enter signup.
5. If all existing sub-mailboxes are either deactivated or password-mismatch accounts, stop and ask BOSS to free quota/delete old sub-mailboxes, provide the correct password, or approve another mailbox provider.
## Low-token event examples
```json
{"phase":"identity_gate","result":"clawemail_quota_full","code":"OPEN_API_1004"}
{"phase":"identity_gate","email":"chickliu.gmmpioju@claw.163.com","result":"password_mismatch"}
{"phase":"identity_gate","result":"no_usable_mailbox","next":"free_clawemail_quota_or_provide_password"}
```
## Runner impact
The token-lite runner should implement this gate before `phone_verify`:
- `clawemail list` and parse `data.mailbox.subMailboxes`.
- Attempt new sub-mailbox creation only if quota allows.
- Maintain a local status file for each sub-mailbox with outcomes: `deactivated`, `password_mismatch`, `usable`, `unknown`.
- Never buy a 5sim activation until the browser is confirmed to be on `auth.openai.com/add-phone`.
@@ -22,7 +22,14 @@ Recommended phases:
- Redact secrets in all printed output.
- Validate selected target mode, Codex2API origin/admin key, ClawEmail profile, browser proxy, and 5sim settings.
- Verify proxy TCP + exit IP with short timeouts.
2. `browser_start`
- If creating a fresh ClawEmail sub-mailbox, immediately open external receive before OpenAI submission: set/verify `commLevel=2` and `extReceiveType=1` via the logged-in ClawEmail Dashboard API `POST /api/v1/mailboxes/comm-settings?id=<mailboxId>` with `{commLevel:2, extReceiveType:1, extSendType:0}`. If Dashboard login requires QQ master-mailbox OTP and the agent cannot read QQ mail, pause only for that 6-digit code.
2. `identity_gate`
- Before any 5sim purchase, confirm there is a usable OpenAI identity path.
- If creating a fresh ClawEmail sub-mailbox returns `OPEN_API_1004` / quota full, parse `data.mailbox.subMailboxes` and only reuse a mailbox after proving OpenAI login or signup can proceed.
- After creating a fresh ClawEmail sub-mailbox, verify its communication rules before submitting it to OpenAI: target state is `commLevel=2` and `extReceiveType=1`. New sub-mailboxes can default to internal-only (`commLevel=1`, `extReceiveType=0`), which blocks OpenAI verification mail. If internal-only, stop with `blocked_requires_dashboard` and ask BOSS to enable `通讯规则 -> 开放外部通信 -> 收信范围:所有人` in the ClawEmail Dashboard.
- Mark sub-mailbox outcomes locally (`deactivated`, `password_mismatch`, `usable`, `external_receive_blocked`, `unknown`).
- If all candidates are deactivated/password-mismatch and quota is full, stop with `no_usable_mailbox` instead of buying SMS activations.
3. `browser_start`
- Kill only the dedicated CDP Chrome process for port 9223.
- Start visible Chrome with a dedicated profile and `--proxy-server`.
- Verify CDP `/json/version` and browser target.
@@ -0,0 +1,105 @@
# Codex OAuth 1085 full run notes: ClawEmail permission + add-phone SMS/WhatsApp behavior (2026-05-10)
## Summary
This run used proxy `socks5://192.168.2.8:1085`, a fresh ClawEmail sub-mailbox, and a fresh Codex2API OAuth session. The email-registration part is now reproducible. The run reached OpenAI `https://auth.openai.com/add-phone` successfully.
Phone verification did not complete because OpenAI accepted the submitted phone numbers but 5sim SMS activation did not receive any SMS after resend. During some non-US country selections, the OpenAI page text changed to a WhatsApp-specific message, suggesting OpenAI may be trying WhatsApp delivery for those regions rather than SMS.
No full phone numbers or secrets are stored here.
## Working pieces confirmed
1. ClawEmail sub-mailbox can be created after cleaning old sub-mailboxes.
2. Newly-created ClawEmail sub-mailboxes default to internal-only communication:
- `commLevel=1`
- `extReceiveType=0`
- `extSendType=0`
3. External OpenAI mail will not arrive until the sub-mailbox communication setting is changed.
4. A dedicated persistent Dashboard browser should be used for master mailbox login:
- profile: `/Users/chick/.Hermes/workspace/browser-profiles/clawemail-dashboard-persistent`
- CDP port: `9224`
- URL: `https://claw.163.com/projects/dashboard/#/`
5. The ClawEmail Dashboard API base is not bare `/api/v1`; it is:
- `https://claw.163.com/mailserv-claw-dashboard`
6. After Dashboard login, the sub-mailbox permission can be updated through:
- `GET /api/v1/workspaces`
- `GET /api/v1/mailboxes?workspaceId=<workspaceId>`
- `POST /api/v1/mailboxes/comm-settings?id=<mailboxId>`
- body: `{"commLevel":2,"extReceiveType":1,"extSendType":0}`
7. Verification command:
- `mail-cli clawemail info --uid <submailbox> --json`
- expected: `commLevel=2`, `extReceiveType=1`
8. Once external receive is enabled, OpenAI email codes arrive at the sub-mailbox. In this run, OpenAI sent both temporary login-code style messages and email-verification codes; reading the full body is more reliable than scanning list previews.
## OpenAI add-phone page country selection
The country selector is backed by a real hidden/native `select` element with ISO country codes. React Aria click events were unreliable in CDP. The reliable approach was setting the native select directly and dispatching input/change:
```js
const sel = document.querySelector('select');
sel.focus();
sel.value = 'AR'; // AR, NL, ID, VN, etc.
sel.dispatchEvent(new Event('input', {bubbles: true}));
sel.dispatchEvent(new Event('change', {bubbles: true}));
await new Promise(r => setTimeout(r, 800));
```
Then verify the visible button text, e.g.:
```js
[...document.querySelectorAll('button')]
.map(b => b.innerText)
.find(t => /\(\+\d+\)/.test(t))
```
Expected values observed:
- Argentina: `阿根廷 (+54)`
- Netherlands: `荷兰 (+31)`
- Indonesia: `印度尼西亚 (+62)`
## 5sim country-order run results
Configured order:
```text
argentina -> netherlands -> indonesia
```
The run used 5sim SMS activation (`product=openai`, operator `any`), not WhatsApp channels.
Results:
- Argentina: activation `1006713742`, OpenAI did not direct-reject; 5sim status stayed `RECEIVED`, no SMS after initial polling + resend; order canceled.
- Netherlands: activation `1006714867`, OpenAI did not direct-reject; 5sim status stayed `RECEIVED`, no SMS after initial polling + resend; order canceled.
- Indonesia: activation `1006715764`, OpenAI did not direct-reject; 5sim status stayed `RECEIVED`, no SMS after initial polling + resend; order canceled.
## Important behavior observed
For Argentina, after selecting the country, OpenAI page text changed from generic SMS wording:
```text
我们将向该号码发送一次性验证码以进行验证。
```
to WhatsApp wording:
```text
我们会通过 WhatsApp 向该号码发送一次性验证码进行验证。
```
This likely explains why 5sim SMS activation did not receive codes even though OpenAI did not direct-reject the numbers. Future phone tests should detect page wording before buying SMS numbers:
- If page says generic SMS/one-time code, continue 5sim SMS.
- If page explicitly says WhatsApp, either stop before buying SMS or switch to a WhatsApp-capable provider only if BOSS explicitly approves. BOSS previously said OpenAI/Codex接码必须用 SMS, not WhatsApp.
## Automation improvements for next runner
1. After creating ClawEmail sub-mailbox, immediately update Dashboard communication settings.
2. Persist Dashboard master login in profile 9224; never put it in disposable OAuth profile 9223.
3. Read full OpenAI email body to extract code, not only message list preview.
4. Use native select `.value = ISO` for country selection.
5. Before buying 5sim, inspect page text for WhatsApp wording. If WhatsApp wording appears and policy is SMS-only, emit blocker and do not buy.
6. If OpenAI accepted number and navigates to phone-verification but no SMS arrives, resend once, poll again, cancel order, and log compact JSONL.
7. Some OpenAI phone-verification transitions produce `chrome-error://chromewebdata/` HTTP 500 after waiting/resend. Recover by generating a fresh Codex2API OAuth session and logging in with the same email/password; the account returns to add-phone.