fix: keep skill package layout

This commit is contained in:
2026-05-10 08:45:11 +08:00
parent 828a208bde
commit dc7e952c43
17 changed files with 67 additions and 1188 deletions
-525
View File
@@ -1,525 +0,0 @@
---
name: codex-oauth-plus-onboarding
description: "Use when BOSS asks to register a ChatGPT/Codex OAuth account flow with ClawEmail, optionally open Plus through GoPay/GPC, and authorize the OAuth callback into SUB2API, Codex2API, or CPA using an isolated proxied browser profile."
version: 1.0.0
author: Hermes Agent
license: MIT
metadata:
hermes:
tags: [codex, oauth, clawemail, gopay, sub2api, codex2api, cpa, browser-automation]
related_skills: [clawemail-operations, browser-extension-storage-audit]
---
# Codex OAuth + Plus Onboarding
## Overview
This skill describes the safe, repeatable workflow for using the local `codex-oauth-automation-extension` project to run a **single user-authorized onboarding flow**:
1. Use **ClawEmail** as the registration mailbox.
2. Register/Login through ChatGPT/OpenAI auth.
3. Optionally open ChatGPT Plus through **GoPay / GPC helper**.
4. Complete OAuth authorization.
5. Submit the localhost OAuth callback to exactly one configured target: **SUB2API**, **Codex2API**, or **CPA**.
6. Run the browser in an isolated profile with a dedicated proxy.
The skill is for BOSS's own infrastructure and accounts only. Do not use it for spam, credential stuffing, rate-limit evasion, CAPTCHA bypass, unauthorized account creation, or bulk registration. If a page asks for CAPTCHA, security challenge, phone ownership proof, payment confirmation, or another user-visible anti-abuse checkpoint, pause and ask BOSS to complete/approve it manually.
## When to Use
Use this skill when BOSS asks for any of these:
- “用 ClawEmail 注册 Codex / ChatGPT OAuth,然后授权到 SUB2API / Codex2API / CPA”
- “用 GoPay 开 Plus 后把 OAuth 接进去”
- “把 QLHazyCoder/codex-oauth-automation-extension 那套流程跑起来”
- “给这个注册流程做独立代理、无痕/隔离浏览器配置”
- “把这个流程做成可复用配置和操作步骤”
Also load `clawemail-operations` before any ClawEmail mailbox work.
## BOSS-specific Operating Defaults
These are confirmed operating rules for BOSS's environment:
- Use **Google Chrome stable** at `/Applications/Google Chrome.app/Contents/MacOS/Google Chrome` with a real visible window.
- Do **not** set a default target platform. If `PANEL_MODE` is empty or not one of `cpa|sub2api|codex2api`, stop before launching the run.
- Proxies are supplied as unauthenticated `socks5://host:port` or `http://host:port`; do not expect proxy username/password.
- The new account password is unified through `CUSTOM_PASSWORD`. If it is empty, stop and ask BOSS to fill it, unless BOSS explicitly allows auto-generation for that run.
- ClawEmail creates a fresh mailbox for every run (`CLAWEMAIL_CREATE_PER_RUN=true`). Record every created mailbox locally with outcome classification: pending, success, failed.
- Phone/SMS platform has no default. Keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless BOSS configures one or approves enabling it after a phone verification appears.
- If phone verification appears and BOSS has configured 5sim, use **SMS activation for `openai`**, not WhatsApp receive channels. The original extension's 5sim provider buys `/v1/user/buy/activation/{country}/{operator}/openai`, polls `/v1/user/check/{activationId}`, and finishes/cancels the activation. Follow the configured `FIVE_SIM_COUNTRY_ID` first; if it is empty, the extension default is `vietnam`. Do **not** silently switch countries after a rejected number unless BOSS changes config or approves fallback. Before buying/submitting a non-USA number, verify the OpenAI visible country selector is already the expected country (for example `越南 (+84)`); if it reverted to `美国 (+1)`, fix the selector first or the number will be parsed as invalid. Use visible UI paste/click on `add-phone` when possible because CDP-only input mutation can desync React state and revert the country on submit. If a number is **not immediately rejected**, do not cancel it after one polling timeout: poll 5sim, click OpenAI `重新发送`, poll again, and retry resend at least once before canceling/rotating. If changing proxy (for example `1085``1083`), expect OpenAI auth session invalidation and restart from a fresh target OAuth URL. Codex2API env URLs may point at `/admin/accounts`; derive the API origin before calling `/api/admin/oauth/generate-auth-url`. See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md`, `references/openai-phone-verification-5sim-sms-2026-05-10.md`, and `references/openai-phone-verification-proxy1083-resend-2026-05-10.md` for observed behavior, resend strategy, proxy-switch recovery, and pitfalls.
- Plus mode uses `PLUS_PAYMENT_METHOD=gopay`. Any paid GoPay action still requires explicit confirmation immediately before payment/approval.
- GoPay WhatsApp OTP uses **方案 A / manual checkpoint**: set `GOPAY_OTP_SOURCE=manual`. The extension detects OTP input and opens a side-panel prompt (`requestGoPayOtpInput` / “输入 GoPay 验证码”); BOSS pastes the WhatsApp code, then the extension fills OTP, fills `GOPAY_PIN`, and continues.
- `GOPAY_OTP` should normally stay empty before the run. It is only a temporary prefill/cache for the current OTP dialog, not a durable secret.
- Do not implement WhatsApp scraping/API automation unless BOSS explicitly requests it later.
- When BOSS says the environment is normal and asks to start registration testing, treat `socks5://192.168.2.8:1085` as the expected browser proxy unless BOSS overrides it. If `BROWSER_PROXY_SERVER` is empty, patch the local env to this SOCKS5 endpoint and verify it before launching Chrome; do not stop with a question asking whether to use it.
- For ordinary-account test runs, set `PLUS_MODE_ENABLED=false` before launching. Keep `PLUS_PAYMENT_METHOD=gopay` untouched for later Plus runs, but do not enter Plus/payment steps.
- Registration/OAuth tests are step-gated for BOSS: after environment/config prep and mailbox creation, report the created mailbox and wait for explicit “继续” before launching the visible browser flow.
1. **Explicit target**: BOSS must specify exactly one target mode: `sub2api`, `codex2api`, or `cpa`; there is no default target, and an empty `PANEL_MODE` must stop execution.
2. **Single-run default**: default to one account / one OAuth flow unless BOSS explicitly requests a count.
3. **No CAPTCHA bypass**: if Cloudflare/CAPTCHA/security challenge appears, stop and report the required manual action.
4. **Payment checkpoint**: Plus mode is GoPay for BOSS, but before any GoPay payment or paid operation, confirm that BOSS wants to proceed.
5. **No secret leakage**: never print API keys, admin keys, proxy addresses if sensitive, refresh tokens, card keys, or OAuth callback URLs containing `code=` in final summaries. Redact as `[REDACTED]`.
6. **Config export risk**: the extensions built-in settings export may contain secrets. Treat exported files as sensitive.
7. **Mailbox records**: every freshly-created ClawEmail mailbox must be recorded locally with run id and final status (`pending`, `success`, or `failed`).
## Repository and Local Paths
Known research clone:
```bash
/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
```
If missing, clone shallow:
```bash
mkdir -p /Users/chick/.Hermes/workspace/research
cd /Users/chick/.Hermes/workspace/research
git clone --depth=1 https://github.com/QLHazyCoder/codex-oauth-automation-extension.git
```
Validate tests when modifying or before relying on a changed checkout:
```bash
cd /Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
node --test tests/*.test.js
```
Observed verification result during initial study: `772` tests passed, `0` failed.
## Configuration File
Create a dedicated env file instead of typing secrets into chat. A fuller template is stored with this skill at `templates/codex_oauth_onboarding.env.example`. If BOSS has temporarily filled real values into that template, first copy it to the real env file, back up the filled template privately, and sanitize the template again; see `references/env-file-and-5sim-notes.md`.
```bash
mkdir -p ~/.hermes/env
chmod 700 ~/.hermes/env
cp ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example ~/.hermes/env/codex_oauth_onboarding.env
chmod 600 ~/.hermes/env/codex_oauth_onboarding.env
$EDITOR ~/.hermes/env/codex_oauth_onboarding.env
```
High-level required groups:
1. **Local project / browser**: `CODEX_OAUTH_EXTENSION_DIR`, `CHROME_BIN`, `BROWSER_PROFILE_ROOT`, `BROWSER_HEADLESS=false`.
2. **Panel / target mode**: `PANEL_MODE=cpa|sub2api|codex2api` has **no default**; if empty, stop. Fill only the selected targets auth fields copied from the original side panel (`CPA_VPS_URL`/`CPA_VPS_PASSWORD`, or `SUB2API_*`, or `CODEX2API_*`).
3. **Proxy**: fill `BROWSER_PROXY_SERVER` with BOSS-provided unauthenticated `socks5://host:port` or `http://host:port`; use `IP_PROXY_*` only when using the original extensions built-in 711proxy/IP proxy panel.
4. **Registration identity and password**: `CLAWEMAIL_CREATE_PER_RUN=true`, `CLAWEMAIL_PREFIX`, `CLAWEMAIL_RECORD_FILE`, `SIGNUP_METHOD=email`, and unified `CUSTOM_PASSWORD`. For BOSS's ClawEmail per-run accounts, use a pure lowercase English **8-letter random create prefix with no base prefix** (example create prefix `abcdefgh`, resulting sub-mailbox shape `chickliu.abcdefgh@claw.163.com`). Live ClawEmail probing showed create prefixes are accepted only up to 11 characters and dots/hyphens are rejected despite docs/help text, so do not use `codex` + 8 letters. Store/observe the policy with `CLAWEMAIL_PREFIX=` (empty), `CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8`, `CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz`, and `CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true` when helper scripts support it; if not, generate the 8-letter prefix in the runner before calling `mail-cli clawemail create --prefix ...`.
5. **Mail provider**: `MAIL_PROVIDER`, `EMAIL_GENERATOR`, and original-provider fields only if not polling ClawEmail from Hermes.
6. **Phone/SMS verification fallback**: no default provider; keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless configured/approved.
7. **Plus/payment**: `PLUS_MODE_ENABLED=true`, `PLUS_PAYMENT_METHOD=gopay`; paid operations still require explicit confirmation.
Minimal template excerpt:
```bash
# Required: local extension repo
CODEX_OAUTH_EXTENSION_DIR=/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
```bash
# Required: ClawEmail mailbox
CLAWEMAIL_UID=chickliu@claw.163.com
# BOSS preference: per-run sub-mailbox create prefix is exactly 8 lowercase English random letters.
# Example create prefix: abcdefgh -> chickliu.abcdefgh@claw.163.com
CLAWEMAIL_PREFIX=
CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8
CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
```
# Browser isolation
BROWSER_PROFILE_ROOT=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth
BROWSER_HEADLESS=false
BROWSER_PROXY_SERVER=http://host:port
BROWSER_PROXY_USERNAME=
BROWSER_PROXY_PASSWORD=
# Target mode: sub2api | codex2api | cpa
OAUTH_TARGET_MODE=sub2api
# SUB2API settings
SUB2API_URL=
SUB2API_EMAIL=
SUB2API_PASSWORD=
SUB2API_GROUP_NAME=default
SUB2API_ACCOUNT_PRIORITY=1
SUB2API_DEFAULT_PROXY_NAME=
# Codex2API settings
CODEX2API_URL=
CODEX2API_ADMIN_KEY=
# CPA settings
CPA_URL=
CPA_MANAGEMENT_KEY=
CPA_LOCAL_STEP9_MODE=submit
# Plus / GoPay / GPC helper settings
PLUS_MODE_ENABLED=false
PLUS_PAYMENT_METHOD=gpc-helper
GPC_HELPER_API_URL=
GPC_HELPER_CARD_KEY=
GPC_HELPER_COUNTRY_CODE=+86
GPC_HELPER_PHONE_NUMBER=
GPC_HELPER_PIN=
GPC_HELPER_OTP_CHANNEL=whatsapp
GPC_HELPER_LOCAL_SMS_ENABLED=false
GPC_HELPER_LOCAL_SMS_URL=http://127.0.0.1:18767
# Runtime behavior
RUN_COUNT=1
AUTO_RUN_SKIP_FAILURES=false
AUTO_STEP_DELAY_SECONDS=2
OAUTH_FLOW_TIMEOUT_ENABLED=true
```
Rules:
- Keep this file local only; never commit it.
- Use `[REDACTED]` in reports for all secret values.
- If multiple target sections are filled, only the section selected by `OAUTH_TARGET_MODE` should be used.
## Browser Isolation and Proxy Strategy
This workflow must use a **real visible Chrome/Chromium browser**. Do not use headless browser mode for registration, payment, OAuth consent, or security-sensitive OpenAI/Auth pages.
Use a **dedicated browser profile** per run or per account. “无痕模式” in Chrome does not normally persist extension state and may not allow side panel/extensions unless explicitly enabled. For this extension, prefer a real visible browser with:
- Dedicated clean `user-data-dir` profile.
- Loaded unpacked extension from `CODEX_OAUTH_EXTENSION_DIR`.
- Proxy applied at browser launch or by a verified local proxy wrapper.
- Human-visible UI for CAPTCHA/security/payment checkpoints.
- Profile cleared after success if BOSS wants no local residue.
Recommended profile naming:
```bash
RUN_ID=$(date +%Y%m%d-%H%M%S)
PROFILE_DIR="$BROWSER_PROFILE_ROOT/$RUN_ID"
mkdir -p "$PROFILE_DIR"
```
Chrome launch pattern:
```bash
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
--user-data-dir="$PROFILE_DIR" \
--disable-extensions-except="$CODEX_OAUTH_EXTENSION_DIR" \
--load-extension="$CODEX_OAUTH_EXTENSION_DIR" \
--proxy-server="$BROWSER_PROXY_SERVER" \
--no-first-run \
--no-default-browser-check
```
If proxy authentication is required and Chrome launch flags do not authenticate reliably, use one of these approaches:
1. Use an upstream proxy URL that embeds auth only in a local proxy wrapper, not in command history.
2. Start a local forwarding proxy that injects upstream credentials.
3. Configure proxy credentials inside the extension only if the extension supports it and the config file is protected.
Do not reuse the normal personal browser profile for this workflow.
## ClawEmail Preparation
Load `clawemail-operations` and verify:
```bash
mail-cli auth test --json
mail-cli clawemail list --json
mail-cli clawemail info --uid "$CLAWEMAIL_UID" --json
```
Registration email choice:
- Default: use `CLAWEMAIL_UID` directly.
- If BOSS wants per-run sub-mailboxes, create them with `mail-cli clawemail create --prefix ...` and set the extensions registration email to the created UID.
For code retrieval, the extension may interact with mail provider pages or helper logic, but ClawEmail can also be polled by Hermes:
```bash
mail-cli mail list --fid 1 --limit 20 --json
mail-cli read body --id '<message-id>'
```
Always quote message IDs.
## Extension Architecture Reference
The project is a Manifest V3 Chrome extension:
- `manifest.json`: permissions, host permissions, content scripts, side panel.
- `background.js`: service worker and state orchestration.
- `background/message-router.js`: handles sidepanel messages such as `EXECUTE_STEP`, `AUTO_RUN`, `SAVE_SETTING`, `EXPORT_SETTINGS`, `IMPORT_SETTINGS`.
- `data/step-definitions.js`: step list for normal and Plus modes.
- `background/steps/*.js`: one executor per major step.
- `content/signup-page.js`: OpenAI/Auth page DOM automation.
- `content/*mail*.js`: mail provider automation.
- `sidepanel/sidepanel.js`: UI controls and settings collection.
Important permissions include `tabs`, `webNavigation`, `webRequest`, `proxy`, `debugger`, `cookies`, `browsingData`, `storage`, `scripting`, `activeTab`, and `<all_urls>` host access.
## Normal OAuth Flow Steps
**BOSS correction / manual-flow allowance:** if BOSS asks only to test whether ordinary registration works, do not over-focus on running the original extension as the automation engine. It is acceptable to follow the extension's normal-flow sequence manually through visible Chrome, CDP, and `mail-cli`. The extension should be treated as a process reference unless BOSS explicitly asks to use it. Still keep all checkpoints: stop for CAPTCHA/Cloudflare/security challenge/phone/payment, and do not proceed to OAuth until email verification succeeds.
Normal mode step definitions:
1. `open-chatgpt` — clear ChatGPT/OpenAI cookies and open ChatGPT.
2. `submit-signup-email` — enter email or phone registration identity.
3. `fill-password` — generate/use password and submit.
4. `fetch-signup-code` — fetch registration verification code from mailbox/SMS.
5. `fill-profile` — generate and submit name + birthday.
6. `wait-registration-success` — wait for registration to stabilize.
7. `oauth-login` — refresh OAuth URL from selected target and log in.
8. `fetch-login-code` — fetch login verification code if needed.
9. `confirm-oauth` — click OAuth consent / Continue and capture localhost callback.
10. `platform-verify` — submit callback/code/state to SUB2API, Codex2API, or CPA.
### ClawEmail random suffix policy
BOSS specifically prefers Codex onboarding sub-mailboxes to use **only an 8-letter lowercase English random create prefix** after the primary mailbox dot, e.g. `chickliu.ktqcxzux@claw.163.com`. Do not use `cod`/`codex` plus 8 letters unless BOSS asks; the live ClawEmail API only accepted create prefixes up to 11 characters and rejected dots/hyphens during probing. See `clawemail-operations` reference `references/clawemail-prefix-probe-2026-05.md` and this skill's `references/clawemail-random-suffix-policy-2026-05.md`.
```bash
FIVE_SIM_API_KEY=
FIVE_SIM_BASE_URL=https://5sim.net/v1
FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia
FIVE_SIM_OPERATOR=any
FIVE_SIM_PRODUCT=openai
FIVE_SIM_SERVICE=openai
```
## Plus Flow Steps
When `PLUS_MODE_ENABLED=true`, the extension switches step definitions.
PayPal Plus path:
1-5. same registration steps.
6. `plus-checkout-create` — create Plus Checkout.
7. `plus-checkout-billing` — fill billing and submit order.
8. `paypal-approve` — PayPal login/approval.
9. `plus-checkout-return` — confirm return.
10. `oauth-login`.
11. `fetch-login-code`.
12. `confirm-oauth`.
13. `platform-verify`.
GoPay/GPC helper paths use similar Plus step positions, with payment-specific logic in `background/steps/create-plus-checkout.js`, `fill-plus-checkout.js`, `gopay-*`, and helper API settings.
## Applying Settings in the Extension
The sidepanel normally sends settings through `SAVE_SETTING`; the background persists keys in `chrome.storage.local` via `PERSISTED_SETTING_KEYS`.
Manual UI route:
1. Open isolated Chrome profile with extension loaded.
2. Open the extension side panel.
3. Set `panelMode` according to `OAUTH_TARGET_MODE`:
- `sub2api` → fill SUB2API URL/email/password/group/proxy/priority.
- `codex2api` → fill Codex2API URL/Admin Key.
- `cpa` → fill CPA URL and management key.
4. Set registration email to ClawEmail mailbox.
5. Enable Plus mode only if requested.
6. Select `gpc-helper` / GoPay settings when using GoPay/GPC.
7. Configure proxy mode if the extension manages proxy; otherwise rely on browser launch proxy.
8. Save settings.
9. Start manual steps or Auto Run with `RUN_COUNT=1`.
Programmatic route, if writing a helper script:
- Prefer controlling the sidepanel UI or sending extension runtime messages from the extension context.
- Do not inject secrets into shell command lines where they will remain in history/process listings.
- Keep settings source in `~/.hermes/env/codex_oauth_onboarding.env`.
## Execution Checklist
1. Load this skill and `clawemail-operations`.
2. Read `~/.hermes/env/codex_oauth_onboarding.env` locally; validate required fields for the selected target.
3. Confirm payment/Plus intent if `PLUS_MODE_ENABLED=true`.
4. Verify ClawEmail auth and selected mailbox.
5. Confirm extension repo exists and tests pass if the checkout changed.
6. Start a dedicated proxied browser profile with the unpacked extension.
7. Open sidepanel and apply settings.
8. Start one run.
9. Monitor logs for:
- registration email submitted
- signup verification code fetched
- profile completed
- Plus checkout/payment status, if enabled
- OAuth URL refreshed
- login code fetched, if required
- localhost callback captured
- platform verification succeeded
10. If security challenge/CAPTCHA/phone/payment confirmation appears, pause and notify BOSS.
11. After success, verify target platform has the new authorized account/session.
12. Redact secrets and callback codes in the final report.
## Storage and Export Risk
The extension stores sensitive configuration in `chrome.storage.local`, including possible:
- CPA management key / password.
- SUB2API password.
- Codex2API admin key.
- Proxy username/password/API URL.
- Hotmail account passwords, `clientId`, `refreshToken`.
- PayPal account pool credentials.
- 2925 mailbox credentials.
- LuckMail / HeroSMS / 5sim / NexSMS API keys.
- Cloudflare Temp Email auth fields.
Runtime state goes mostly to `chrome.storage.session`, including generated email, password, codes, OAuth URL, localhost callback, and target session metadata.
The built-in export function exports `getPersistedSettings()` as JSON; this can include sensitive persistent settings. Treat every export as secret material.
## Troubleshooting
### Google Chrome stable may ignore `--load-extension`
On BOSS's macOS Chrome stable 147, verbose logs showed `--load-extension is not allowed in Google Chrome, ignoring.` In that case, `ps` still shows the flag but the extension card never appears. Do not keep relaunching the same way. Use the visible UI workaround: open `chrome://extensions`, enable Developer Mode, physically click **加载未打包的扩展程序**, choose the repo folder in the macOS picker, then verify the unpacked card is `ENABLED`. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md`.
### PassWall2/DNS split rules still polluted
After BOSS updates PassWall2/domain split rules, verify DNS takeover before relaunching the extension. Domain rules alone are not enough if macOS still resolves `chatgpt.com` / `accounts.openai.com` through ISP/local DNS.
Run:
```bash
python3 - <<'PY'
import socket
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
PY
scutil --dns | sed -n '1,120p'
curl -I -L --max-time 20 https://chatgpt.com/
```
If `chatgpt.com` resolves to suspicious non-Cloudflare ranges such as `199.59.150.40` / `202.160.128.16`, or `accounts.openai.com` resolves to `128.121.146.109` / `192.133.77.189` / `2001::80f2:f09b`, treat it as DNS pollution and stop before registration/OAuth. Ask BOSS to fix PassWall2 DNS takeover/remote DNS/fake-ip or redir-host. See `references/openai-chatgpt-browser-probe-2026-05-08.md`, `references/passwall2-openai-dns-pollution-2026-05-08.md`, and `references/openai-lan-proxy-endpoint-probe-2026-05-08.md` for browser/TLS/proxy endpoint failure patterns.
When BOSS provides a LAN proxy endpoint such as `socks5://192.168.2.8:1085` or `http://192.168.2.8:1084`, test the endpoint before launching Chrome:
```bash
ping -c 2 -W 1000 192.168.2.8 || true
nc -vz -w 5 192.168.2.8 1085 || true
curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/
```
Use `socks5h://` with `curl` so DNS resolution happens through the SOCKS proxy. If proxy TCP tests fail with `No route to host`, stop: this is a LAN/gateway/proxy reachability problem, not an OpenAI OAuth or extension problem.
### OpenAI/ChatGPT direct-connect preflight before launching Chrome
Before opening the visible Chrome registration flow, run a raw DNS/TLS preflight even if the rest of the environment looks healthy:
```bash
python3 - <<'PY'
import socket
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
try:
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
except Exception as e:
print(host, 'ERR', e)
PY
curl -I -L --max-time 25 https://chatgpt.com/ | sed -n '1,30p'
```
If `BROWSER_PROXY_SERVER` is empty and DNS/TLS shows known pollution or transport failure, **stop before launching the registration/OAuth flow**. Examples observed during BOSS's Codex2API + GoPay plan-A test:
- `chatgpt.com` resolving to non-Cloudflare/suspicious ranges such as `67.230.169.182` or odd IPv6 entries.
- `accounts.openai.com` resolving to suspicious ranges such as `199.59.149.234` / `2001::...`.
- `curl https://chatgpt.com/` failing with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`.
Treat this as an environment/proxy/DNS problem, not an extension, ClawEmail, Codex2API, or account problem. Ask BOSS to fill a reachable `BROWSER_PROXY_SERVER=socks5://host:port` or `http://host:port`, then re-run proxy TCP/exit-IP/ChatGPT checks before starting Chrome. This avoids burning a registration attempt on a flow that will almost certainly stall on OpenAI auth.
```bash
PROXY='socks5h://192.168.2.8:1085'
nc -vz -w 3 192.168.2.8 1085 || true
curl --proxy "$PROXY" -I -L --max-time 25 https://chatgpt.com/ 2>&1 | sed -n '1,80p'
curl --proxy "$PROXY" --max-time 15 https://api.ipify.org 2>&1 || true
route -n get 192.168.2.8 2>/dev/null || true
arp -n 192.168.2.8 || true
ping -c 3 -W 1000 192.168.2.8 || true
```
If the Mac cannot reach the gateway/port (`No route to host`, `Couldn't connect to server`, ping loss), report this as a local gateway/port problem rather than continuing OAuth or extension tests. See `references/passwall2-socks5-gateway-reachability-2026-05-08.md` for the session example.
### Extension launch appears successful but `chrome://extensions` is empty
Chrome/CDP can mislead in multi-profile sessions. A process may show `--load-extension`, and CDP may even transiently show a `chrome-extension://.../service_worker.js` target, while the intended unpacked extension is not actually visible or registered in the isolated profile.
Before starting OpenAI registration, verify the intended automation extension with stronger evidence:
- `chrome://extensions/` visibly shows the `codex-oauth-automation-extension` unpacked card; or
- `Default/Preferences` has an `extensions.settings` entry whose manifest/path match the intended repo; or
- the intended extension page/sidepanel opens and renders expected UI; or
- an extension-context runtime call reads the expected manifest/state.
If `chrome://extensions` is empty and `extensions.settings` is empty, stop before registration. Report the block as **extension launch/registration failure before signup**, keep the ClawEmail record pending/failed according to whether signup was actually attempted, and avoid burning the mailbox on a manual unsupported flow. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md` for the observed Chrome 147 anomaly and debug checklist.
### OpenAI verification email does not arrive in ClawEmail
A 2026-05-09 ordinary-registration test reached OpenAI's normal `email-verification` page with two fresh ClawEmail sub-mailboxes, but no OpenAI code arrived in inbox or spam even after resend. Both sub-mailboxes passed a self-send receive test, so the block was classified as OpenAI/ClawEmail deliverability rather than browser, proxy, extension, CAPTCHA, or phone-verification failure. See `references/openai-clawemail-verification-nondelivery-2026-05-09.md`.
When this happens:
1. Confirm the exact email in the OpenAI page body via DOM, not OCR only.
2. Poll the **sub-mailbox profile**, not just the default primary mailbox profile.
3. Check inbox and spam.
4. Send a self-test email to the sub-mailbox and verify it arrives.
5. If self-test works but OpenAI mail still does not arrive after resend, stop and record `openai_email_verification` failure; try a primary ClawEmail mailbox or another provider next.
### Proxy not applied
- Visit an IP-check page in the isolated browser before starting.
- If auth proxy fails, use a local forwarding proxy wrapper.
- Do not put proxy passwords in final answers.
### ClawEmail code not found
- Verify the email address submitted in step 2 matches `CLAWEMAIL_UID` or the created sub-mailbox.
- Use `mail-cli mail list --fid 1 --limit 20 --json` and inspect recent OpenAI messages.
- Check spam/deleted folders if inbox is empty.
### OAuth callback not captured
- Step `confirm-oauth` listens for localhost callback via webNavigation/tabs updates.
- Re-run the OAuth login/confirm steps only, not the full registration, unless the auth session is invalid.
- Verify target mode settings and state value mismatch errors.
### Target verify fails
- For SUB2API, verify URL/email/password/group/priority/proxy fields.
- For Codex2API, verify URL and admin key.
- For CPA, verify management origin/key and callback endpoint support.
- Do not print callback URL with `code=`; redact.
### Plus/GoPay fails
- Confirm Plus mode and payment method are correct.
- Confirm GPC helper URL/card key/phone/PIN/OTP channel settings.
- Stop before retrying paid operations repeatedly; ask BOSS.
See `references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md` for the session note covering the macOS TCC screenshot fix, LAN/SOCKS5 verification, and ordinary-registration prep sequence.
See `references/openai-clawemail-verification-nondelivery-2026-05-09.md` for the ordinary registration test where OpenAI reached the email-verification page for two ClawEmail submailboxes, but no OpenAI verification email arrived despite submailbox self-test delivery working.
See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md` for the phone-verification continuation where OpenAI `add-phone` required SMS, BOSS corrected that WhatsApp receive channels must not be used, and 5sim `activation/*/openai` orders plus visible country selection were identified as the right class of workflow.
See `references/openai-phone-verification-5sim-sms-2026-05-10.md` for the later detailed retry notes: follow configured country/default `vietnam`, cancel failed 5sim orders before buying new ones, treat OpenAI `无法向此电话号码发送验证码` as a number/provider rejection, and avoid CDP-only mutations that desync the React country selector back to `美国 (+1)`.
See `references/openai-add-phone-1083-vietnam-resend-2026-05-10.md` for the follow-up test requested by BOSS: switch browser proxy to `socks5://192.168.2.8:1083`, regenerate Codex2API OAuth URL from the origin API when the auth session expires, continue with configured-country `vietnam` SMS activation, and for non-rejected numbers poll 5sim then click `重新发送` before canceling/retrying.
## Verification Checklist
- [ ] Config file exists at `~/.hermes/env/codex_oauth_onboarding.env` with mode-specific fields.
- [ ] ClawEmail auth passes.
- [ ] Isolated browser profile is not the normal personal profile.
- [ ] Browser exit IP matches intended proxy.
- [ ] Extension is loaded and sidepanel opens.
- [ ] Only one target mode is active.
- [ ] Plus payment was explicitly approved if enabled.
- [ ] Target platform shows the OAuth account/session after verification.
- [ ] Final report redacts all secrets, callback codes, passwords, API keys, and proxy credentials.
@@ -1,62 +0,0 @@
# ClawEmail Prefix Probe Notes — 2026-05
Context: During Codex OAuth registration testing for BOSS, we needed fresh ClawEmail sub-mailboxes and discovered live API constraints stricter than public docs.
## Official/public expectation
Docs/help say `mail-cli clawemail create --prefix <prefix> --type sub` accepts 1-64 characters and examples mention `bot1`, `bot.v1`, `my-agent`, `support`.
## Live observed behavior
Using BOSS's primary `chickliu@claw.163.com`, successful sub-mailbox shape is:
```text
chickliu.<prefix>@claw.163.com
```
Probed prefixes were created and immediately deleted when successful.
Accepted examples:
- `a`, `ab`, `abc`, `bot`, `bot1`, `test`, `codex`, `oauth`
- `codexabcdef` (11 chars) accepted
- random lowercase lengths 1-11 accepted
- digit suffix examples like `codex12345` accepted
Rejected examples:
- length 12+ such as `codexabcdefg`, `xxxxxxxxxxxx`
- dot/hyphen examples: `a.b`, `bot.v1`, `my-agent`, `abc.def`
Observed practical rule:
```text
^[A-Za-z0-9]{1,11}$
```
## BOSS preference for Codex/OAuth runs
BOSS corrected the desired mailbox shape: after the dot, use **only 8 lowercase English random letters**, with no `cod`/`codex` fixed prefix.
Example:
```text
chickliu.ktqcxzux@claw.163.com
```
Env policy used locally:
```text
CLAWEMAIL_PREFIX=
CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8
CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
```
When a helper does not support empty base prefix + suffix policy, generate the full 8-letter create prefix yourself and pass it directly:
```bash
mail-cli clawemail create --prefix "$RANDOM_8_LOWERCASE" --type sub --display-name "Codex OAuth $RANDOM_8_LOWERCASE" --json
```
Record every created mailbox in the local JSONL record file with status `pending`, then update to `success`, `failed_*`, or `deleted_replaced`.
@@ -1,49 +0,0 @@
# Codex onboarding ClawEmail random suffix policy — 2026-05-08
BOSS corrected the mailbox policy during a Codex OAuth registration test:
- Use **only 8 lowercase English random letters** as the ClawEmail create prefix.
- Do not prepend `cod`, `codex`, or another business marker unless explicitly requested.
- Desired visible mailbox shape:
```text
chickliu.<8 lowercase random letters>@claw.163.com
```
Example created successfully in-session:
```text
chickliu.ktqcxzux@claw.163.com
```
## Why not `codex` + 8 letters?
The live ClawEmail Open API rejected create prefixes of length 12+ with `OPEN_API_1003 prefix format is invalid`, despite public docs/help saying 1-64 characters. The real accepted maximum observed was 11 characters. Since `codex` + 8 letters is 13 characters, it fails.
A temporary `cod` + 8-letter scheme created `chickliu.coddwrkviby@claw.163.com`, but BOSS clarified they want the dot-suffix itself to be only the 8 random letters. That temporary mailbox was deleted and replaced.
## Env policy
For this workflow, use:
```bash
CLAWEMAIL_PREFIX=
CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8
CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
```
If helper scripts do not support these fields, generate the prefix directly in the runner:
```python
import random, string
prefix = ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
```
Then call:
```bash
mail-cli clawemail create --prefix "$prefix" --type sub --display-name "Codex OAuth $prefix" --json
```
Record created mailboxes in the configured `CLAWEMAIL_RECORD_FILE`, mark them `pending`, and update to `deleted_replaced`, `success`, or `failed` as the run proceeds.
-57
View File
@@ -1,57 +0,0 @@
# Codex OAuth env handling notes
Session-derived operational notes for `codex-oauth-plus-onboarding`.
## Sensitive template cleanup workflow
If BOSS temporarily writes real values into the skill template at:
```text
~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example
```
use this sequence:
1. Copy the current template to the real local env file:
```bash
mkdir -p ~/.hermes/env
chmod 700 ~/.hermes/env
cp -p ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example \
~/.hermes/env/codex_oauth_onboarding.env
chmod 600 ~/.hermes/env/codex_oauth_onboarding.env
```
2. Back up the original filled template to a private workspace backup before sanitizing:
```bash
TS=$(date '+%Y%m%d_%H%M%S')
mkdir -p ~/.Hermes/workspace/codex-oauth/env-backups
cp -p ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example \
~/.Hermes/workspace/codex-oauth/env-backups/codex_oauth_onboarding.env.example.with-values_$TS
chmod 600 ~/.Hermes/workspace/codex-oauth/env-backups/codex_oauth_onboarding.env.example.with-values_$TS
```
3. Sanitize the template back to placeholders/defaults. Remove real target URLs, API keys, passwords, proxy server, phone numbers, ClawEmail UID, and account password. Keep only safe defaults such as Chrome path, browser profile root, booleans/timeouts, record-file paths, and example comments.
4. Verify no obvious sensitive residues remain:
```bash
grep -nE '\*\*\*|\.\.\.|=[0-9]+\||chickliu|135601|192\.168\.2\.|socks5://[^h]|eyJhbGci|admin|password|token|key' \
~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example || true
```
Review matches manually; example comments like `socks5://host:port` are OK.
## 5sim field mapping
When BOSS provides 5sim config in JSON/camelCase form, map it into env keys as:
```bash
fiveSimApiKey -> FIVE_SIM_API_KEY
fiveSimBaseUrl -> FIVE_SIM_BASE_URL
fiveSimCountryOrder -> FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia
fiveSimOperator -> FIVE_SIM_OPERATOR=any
fiveSimProduct -> FIVE_SIM_PRODUCT=openai
```
For compatibility with older extension naming, also set:
```bash
FIVE_SIM_SERVICE=openai
```
Do not echo the full JWT/API key in final replies; show only `[REDACTED]` or a short prefix/suffix if verification needs it.
@@ -1,85 +0,0 @@
# OpenAI/ChatGPT Browser Probe Notes — 2026-05-08
Session-specific learning from testing the Codex OAuth automation browser path on BOSS's Mac.
## Symptoms observed
- `https://openai.com/` loaded successfully in a real visible Chrome profile.
- `https://chatgpt.com/` failed before the registration/auth flow:
- First failure in Chrome: `NET::ERR_CERT_COMMON_NAME_INVALID` / privacy error.
- Relaunching Chrome with `--ignore-certificate-errors` bypassed the cert interstitial, but then failed with `ERR_CONNECTION_CLOSED`.
- Terminal probe also failed: `curl -I -L https://chatgpt.com/` returned `LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to chatgpt.com:443`.
- `https://openai.com/` via curl returned Cloudflare challenge/403 in one probe, while the visible browser still rendered the OpenAI page.
## Interpretation
Treat this as a network/proxy/TLS path issue before treating it as an extension automation bug. If `chatgpt.com` cannot complete TLS/HTTP loading in the same environment, steps that open ChatGPT or OpenAI Auth will fail regardless of sidepanel settings.
## Probe sequence to reuse
1. Launch an isolated Chrome profile with remote debugging and the unpacked extension, but do not start registration yet:
```bash
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
--user-data-dir="$PROFILE_DIR" \
--remote-debugging-port=9228 \
--disable-extensions-except="$CODEX_OAUTH_EXTENSION_DIR" \
--load-extension="$CODEX_OAUTH_EXTENSION_DIR" \
--no-first-run \
--no-default-browser-check \
--new-window https://openai.com/
```
2. Verify CDP is reachable:
```bash
curl -s http://127.0.0.1:9228/json/version
curl -s http://127.0.0.1:9228/json
```
3. Check direct network path before blaming DOM automation:
```bash
curl -I -L --max-time 15 https://chatgpt.com/
curl -I -L --max-time 15 https://openai.com/
```
4. If Chrome shows `NET::ERR_CERT_COMMON_NAME_INVALID` for `chatgpt.com`, pause the OAuth run and fix proxy/TLS/mitm path first. `--ignore-certificate-errors` can be used only as a diagnostic; it is not a real fix because the next failure may still be `ERR_CONNECTION_CLOSED`.
## PassWall2 DNS/prerequisite follow-up
After BOSS updated PassWall2 AI split rules, the browser path was still blocked because DNS was not cleanly taken over by remote/proxied DNS:
- `curl -I -L --max-time 20 https://chatgpt.com/` still failed with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`.
- Visible Chrome still ended on `chrome-error://chromewebdata/` with `ERR_CONNECTION_CLOSED`, and stderr continued to show `ssl_client_socket_impl.cc:924 ... net_error -100`.
- macOS system resolver returned polluted/suspicious answers:
- `chatgpt.com -> 199.59.150.40` plus IPv6 `2a03:2880:...` (Twitter/Facebook-looking ranges, not expected Cloudflare/OpenAI path)
- `accounts.openai.com -> 128.121.146.109` plus IPv6 `2001::80f2:f09b`
- A DoH comparison for `chatgpt.com` via Cloudflare showed expected Cloudflare-style A records such as `104.18.32.47` and `172.64.155.209`, confirming local DNS pollution.
- `scutil --dns` showed local macOS DNS included ISP/public resolvers such as `2400:3200::1`, `2402:4e00::`, `114.114.114.114`, and `8.8.8.8`; do not assume PassWall2 domain split rules alone mean DNS is being intercepted.
Operational rule: if `chatgpt.com` or `accounts.openai.com` resolves to non-Cloudflare/Twitter/Facebook-looking addresses, stop. Ask BOSS to fix PassWall2 DNS takeover / remote DNS / fake-ip or redir-host settings before testing extension automation. Do not proceed to registration/OAuth while Chrome still shows `ERR_CONNECTION_CLOSED`.
Helpful probe snippet:
```bash
python3 - <<'PY'
import socket
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
try:
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
except Exception as e:
print(host, 'ERR', e)
PY
scutil --dns | sed -n '1,120p'
curl -I -L --max-time 20 https://chatgpt.com/
```
Before sending `SAVE_SETTING` / `AUTO_RUN` programmatically, verify:
- `chrome://extensions/` shows `codex-oauth-automation-extension` loaded.
- The target URL/extension ID corresponds to the unpacked repo, not a built-in/other extension.
- The target context exposes the expected Chrome extension APIs and/or the sidepanel route is usable.
If `chrome://extensions/` shows no unpacked extension despite `--load-extension`, relaunch with a fresh profile and inspect Chrome stderr/profile policy before proceeding.
@@ -1,94 +0,0 @@
# OpenAI/ChatGPT Proxy Endpoint Probe Notes — 2026-05-08
## Context
During Codex/OpenAI OAuth prerequisite testing, BOSS asked to verify direct browser access and then explicit LAN proxy endpoints:
- `socks5://192.168.2.8:1085` (tested as `socks5h://` so DNS resolves through proxy)
- `http://192.168.2.8:1084`
The Mac had local IP `192.168.2.69/24`, default route via `192.168.2.8`, and an ARP entry for `192.168.2.8`, but ICMP/TCP to the gateway/proxy endpoint failed.
## Observed failure signatures
System/browser without working proxy:
```text
chatgpt.com -> polluted IPs such as 202.160.128.16 / 199.59.150.40 / 2a03:2880:...
accounts.openai.com -> polluted IPs such as 192.133.77.189 / 128.121.146.109 / 2a03:2880:...
Chrome: ERR_CONNECTION_CLOSED
curl: LibreSSL SSL_connect: SSL_ERROR_SYSCALL
```
Explicit SOCKS5/HTTP proxy endpoint unavailable:
```text
ping 192.168.2.8 -> sendto: No route to host / 100% packet loss
nc -vz -w 5 192.168.2.8 1085 -> No route to host
curl --proxy socks5h://192.168.2.8:1085 https://chatgpt.com/ -> Failed to connect
nc -vz -w 3 192.168.2.8 1084 -> No route to host
curl --proxy http://192.168.2.8:1084 https://chatgpt.com/ -> Failed to connect
```
Route/ARP could still look superficially valid:
```text
default gateway: 192.168.2.8
192.168.2.8 at <mac> on en0 ifscope
local IP: 192.168.2.69
```
Do not mistake this for a ChatGPT/OpenAI auth bug or extension bug. If the LAN proxy endpoint itself is unreachable, browser automation and OAuth should stop.
## Recommended probe order
1. Flush DNS cache only as a low-risk refresh:
```bash
dscacheutil -flushcache || true
killall -HUP mDNSResponder 2>/dev/null || true
```
2. Check current DNS and detect pollution:
```bash
python3 - <<'PY'
import socket
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
try:
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
except Exception as e:
print(host, 'ERR', e)
PY
```
3. Test gateway and proxy endpoint before browser tests:
```bash
ping -c 2 -W 1000 192.168.2.8 || true
nc -vz -w 5 192.168.2.8 1085 || true
nc -vz -w 5 192.168.2.8 1084 || true
```
4. For SOCKS5, use `socks5h://` in curl so DNS is performed through the proxy:
```bash
curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/
curl --proxy socks5h://192.168.2.8:1085 --max-time 20 https://api.ipify.org
```
5. For HTTP proxy:
```bash
curl --proxy http://192.168.2.8:1084 -I -L --max-time 30 https://chatgpt.com/
curl --proxy http://192.168.2.8:1084 --max-time 20 https://api.ipify.org
```
6. Only launch a proxied browser or extension run after at least one proxy endpoint succeeds.
## Interpretation
- `No route to host` to the proxy IP/port means the local Mac cannot reach the LAN proxy service. Fix LAN/gateway/firewall/WiFi/VLAN/router first.
- `Connection refused` means the host is reachable but no service is listening on that port or firewall actively rejects it.
- HTTP 200/30x/403 Cloudflare challenge through the proxy is better than transport failure; browser testing can proceed, but CAPTCHA/security challenge may still require manual action.
- Polluted system DNS may remain even while explicit `socks5h://` works; in that case use browser `--proxy-server=socks5://...` or ensure PassWall2 DNS hijack/remote DNS is correctly applied.
@@ -1,72 +0,0 @@
# OpenAI/ChatGPT DNS Pollution Probe — 2026-05-08
Context: after BOSS updated PassWall2 AI/OpenAI分流规则, browser automation still could not proceed because the local macOS resolver was still returning polluted IPs for key ChatGPT/Auth domains.
## Observed failure pattern
System resolver results:
```text
chatgpt.com -> 199.59.150.40, 2a03:2880:f10c:83:face:b00c:0:25de
accounts.openai.com -> 128.121.146.109, 2001::80f2:f09b
auth.openai.com -> 104.18.41.241, 172.64.146.15, Cloudflare IPv6
openai.com -> 104.18.33.45, 172.64.154.211
```
`chatgpt.com` and `accounts.openai.com` above are polluted / wrong for the flow. Browser and curl failed before automation could start:
```text
curl https://chatgpt.com/ -> LibreSSL SSL_connect: SSL_ERROR_SYSCALL
curl https://accounts.openai.com/ -> LibreSSL SSL_connect: SSL_ERROR_SYSCALL
Chrome -> ERR_CONNECTION_CLOSED / net_error -100
```
Cloudflare DoH comparison showed `chatgpt.com` should resolve to Cloudflare-like IPs such as:
```text
chatgpt.com -> 104.18.32.47, 172.64.155.209
```
## Diagnostic commands
```bash
python3 - <<'PY'
import socket
for h in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
try:
print(h, sorted({x[4][0] for x in socket.getaddrinfo(h,443,proto=socket.IPPROTO_TCP)}))
except Exception as e:
print(h, 'ERR', e)
PY
curl -I -L --max-time 12 https://chatgpt.com/ 2>&1 | sed -n '1,45p'
curl -I -L --max-time 12 https://accounts.openai.com/ 2>&1 | sed -n '1,45p'
scutil --dns 2>/dev/null | sed -n '1,120p'
```
## Interpretation
If `openai.com` or `auth.openai.com` returns HTTP/2 403 Cloudflare challenge but `chatgpt.com` / `accounts.openai.com` still fail TLS or resolve to non-Cloudflare/polluted ranges, do **not** continue registration/OAuth automation. Fix PassWall2 DNS handling first.
For BOSS's PassWall2 setup, ensure these domains use proxy-side/remote DNS, not the local ISP resolver:
```text
chatgpt.com
accounts.openai.com
auth.openai.com
openai.com
```
macOS resolver in the failing run still had public/ISP DNS entries like `2400:3200::1`, `2402:4e00::`, `114.114.114.114`, and `8.8.8.8`; rules alone were insufficient because DNS was not cleanly hijacked/forwarded for these domains.
## Process hygiene
Old Chrome test processes can continue emitting noisy GCM/Crashpad errors. These are usually not the root cause:
```text
Failed to connect to MCS endpoint
ConnectionHandler failed
Crashpad settings.dat: No such file or directory
```
Kill stale test Chrome processes after a failed probe so they do not distract from the DNS/TLS issue.
@@ -1,86 +0,0 @@
# PassWall2 / SOCKS5 Gateway Reachability Probe — 2026-05-08
Session context: after BOSS updated PassWall2 split rules for OpenAI/ChatGPT/Codex OAuth testing, macOS still could not open `chatgpt.com` and Chrome showed `ERR_CONNECTION_CLOSED`.
## Observed commands and results
Low-risk macOS network refresh was performed:
```bash
dscacheutil -flushcache
killall -HUP mDNSResponder 2>/dev/null || true
```
DNS stayed polluted after the cache flush:
```text
chatgpt.com -> 202.160.128.16 / 2a03:2880:f10e:83:face:b00c:0:25de
accounts.openai.com -> 192.133.77.189 / 2a03:2880:f117:83:face:b00c:0:25de
auth.openai.com -> 104.18.41.241 / 172.64.146.15
openai.com -> 104.18.33.45 / 172.64.154.211
```
Testing the intended SOCKS5 gateway:
```bash
nc -vz -w 3 192.168.2.8 1085
curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 25 https://chatgpt.com/
curl --proxy socks5h://192.168.2.8:1085 --max-time 15 https://api.ipify.org
ping -c 3 -W 1000 192.168.2.8
arp -n 192.168.2.8
route -n get 192.168.2.8
```
Results:
```text
nc: connectx to 192.168.2.8 port 1085 (tcp) failed: No route to host
curl: (7) Failed to connect to 192.168.2.8 port 1085: Couldn't connect to server
ping: sendto: No route to host / 100% packet loss
arp: 192.168.2.8 had a MAC entry on en0
route: interface en0, host route present
```
Browser screenshot after refresh still showed:
```text
无法访问此网站
chatgpt.com 意外终止了连接。
ERR_CONNECTION_CLOSED
```
## Reusable lesson
For Codex/OpenAI onboarding tests, distinguish three layers before touching extension automation:
1. **Local DNS pollution**`chatgpt.com` / `accounts.openai.com` resolving to suspicious non-Cloudflare/Facebook-like ranges means domain rules alone are not enough.
2. **Proxy gateway reachability** — even `socks5h://...` cannot help if the Mac cannot reach the gateway/port. Test `nc`, `curl --proxy socks5h://`, `ping`, `arp`, and `route`.
3. **Browser page result** — only after gateway and DNS/proxy are healthy should Chrome/extension/OAuth be tested.
Use `socks5h://` rather than `socks5://` in curl probes when the goal is to force DNS resolution through the SOCKS proxy. If `socks5h` fails to connect to the proxy itself, stop and report gateway/port reachability first.
## Suggested probe block
```bash
PROXY='socks5h://192.168.2.8:1085'
printf '== DNS ==\n'
python3 - <<'PY'
import socket
for h in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
try:
print(h, sorted({x[4][0] for x in socket.getaddrinfo(h,443,proto=socket.IPPROTO_TCP)}))
except Exception as e:
print(h, 'ERR', e)
PY
printf '\n== gateway/port ==\n'
route -n get 192.168.2.8 2>/dev/null || true
arp -n 192.168.2.8 || true
ping -c 3 -W 1000 192.168.2.8 || true
nc -vz -w 3 192.168.2.8 1085 || true
printf '\n== through socks5h ==\n'
curl --proxy "$PROXY" -I -L --max-time 25 https://chatgpt.com/ 2>&1 | sed -n '1,80p'
curl --proxy "$PROXY" --max-time 15 https://api.ipify.org 2>&1 || true
```
+67 -8
View File
@@ -47,12 +47,15 @@ These are confirmed operating rules for BOSS's environment:
- The new account password is unified through `CUSTOM_PASSWORD`. If it is empty, stop and ask BOSS to fill it, unless BOSS explicitly allows auto-generation for that run.
- ClawEmail creates a fresh mailbox for every run (`CLAWEMAIL_CREATE_PER_RUN=true`). Record every created mailbox locally with outcome classification: pending, success, failed.
- Phone/SMS platform has no default. Keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless BOSS configures one or approves enabling it after a phone verification appears.
- If phone verification appears and BOSS has configured 5sim, use **SMS activation for `openai`**, not WhatsApp receive channels. The original extension's 5sim provider buys `/v1/user/buy/activation/{country}/{operator}/openai`, polls `/v1/user/check/{activationId}`, and finishes/cancels the activation. Follow the configured `FIVE_SIM_COUNTRY_ID` first; if it is empty, the extension default is `vietnam`. Do **not** silently switch countries after a rejected number unless BOSS changes config or approves fallback. Before buying/submitting a non-USA number, verify the OpenAI visible country selector is already the expected country (for example `越南 (+84)`); if it reverted to `美国 (+1)`, fix the selector first or the number will be parsed as invalid. Use visible UI paste/click on `add-phone` when possible because CDP-only input mutation can desync React state and revert the country on submit. If a number is **not immediately rejected**, do not cancel it after one polling timeout: poll 5sim, click OpenAI `重新发送`, poll again, and retry resend at least once before canceling/rotating. If changing proxy (for example `1085``1083`), expect OpenAI auth session invalidation and restart from a fresh target OAuth URL. Codex2API env URLs may point at `/admin/accounts`; derive the API origin before calling `/api/admin/oauth/generate-auth-url`. See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md`, `references/openai-phone-verification-5sim-sms-2026-05-10.md`, and `references/openai-phone-verification-proxy1083-resend-2026-05-10.md` for observed behavior, resend strategy, proxy-switch recovery, and pitfalls.
- Plus mode uses `PLUS_PAYMENT_METHOD=gopay`. Any paid GoPay action still requires explicit confirmation immediately before payment/approval.
- GoPay WhatsApp OTP uses **方案 A / manual checkpoint**: set `GOPAY_OTP_SOURCE=manual`. The extension detects OTP input and opens a side-panel prompt (`requestGoPayOtpInput` / “输入 GoPay 验证码”); BOSS pastes the WhatsApp code, then the extension fills OTP, fills `GOPAY_PIN`, and continues.
- `GOPAY_OTP` should normally stay empty before the run. It is only a temporary prefill/cache for the current OTP dialog, not a durable secret.
- Do not implement WhatsApp scraping/API automation unless BOSS explicitly requests it later.
- When BOSS says the environment is normal and asks to start registration testing, treat `socks5://192.168.2.8:1085` as the expected browser proxy unless BOSS overrides it. If `BROWSER_PROXY_SERVER` is empty, patch the local env to this SOCKS5 endpoint and verify it before launching Chrome; do not stop with a question asking whether to use it.
- For ordinary-account test runs, set `PLUS_MODE_ENABLED=false` before launching. Keep `PLUS_PAYMENT_METHOD=gopay` untouched for later Plus runs, but do not enter Plus/payment steps.
- Registration/OAuth tests are step-gated for BOSS: after environment/config prep and mailbox creation, report the created mailbox and wait for explicit “继续” before launching the visible browser flow.
1. **Explicit target**: BOSS must specify exactly one target mode: `sub2api`, `codex2api`, or `cpa`; there is no default target, and an empty `PANEL_MODE` must stop execution.
2. **Single-run default**: default to one account / one OAuth flow unless BOSS explicitly requests a count.
@@ -258,6 +261,8 @@ Important permissions include `tabs`, `webNavigation`, `webRequest`, `proxy`, `d
## Normal OAuth Flow Steps
**BOSS correction / manual-flow allowance:** if BOSS asks only to test whether ordinary registration works, do not over-focus on running the original extension as the automation engine. It is acceptable to follow the extension's normal-flow sequence manually through visible Chrome, CDP, and `mail-cli`. The extension should be treated as a process reference unless BOSS explicitly asks to use it. Still keep all checkpoints: stop for CAPTCHA/Cloudflare/security challenge/phone/payment, and do not proceed to OAuth until email verification succeeds.
Normal mode step definitions:
1. `open-chatgpt` — clear ChatGPT/OpenAI cookies and open ChatGPT.
@@ -371,12 +376,9 @@ The built-in export function exports `getPersistedSettings()` as JSON; this can
## Troubleshooting
### Extension does not appear
### Google Chrome stable may ignore `--load-extension`
- Confirm Chrome was launched with `--load-extension` and `--disable-extensions-except` pointing to the repo directory.
- Confirm `manifest.json` exists and is Manifest V3.
- Use a non-headless browser. Chrome extension side panels are usually not practical in headless mode.
- When using Chrome DevTools Protocol, do not assume the first `/json` `service_worker` target is this automation extension; verify the extension is visible in `chrome://extensions/` and that the target URL/ID corresponds to the unpacked repo before sending `SAVE_SETTING` / `AUTO_RUN`.
On BOSS's macOS Chrome stable 147, verbose logs showed `--load-extension is not allowed in Google Chrome, ignoring.` In that case, `ps` still shows the flag but the extension card never appears. Do not keep relaunching the same way. Use the visible UI workaround: open `chrome://extensions`, enable Developer Mode, physically click **加载未打包的扩展程序**, choose the repo folder in the macOS picker, then verify the unpacked card is `ENABLED`. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md`.
### PassWall2/DNS split rules still polluted
@@ -406,9 +408,31 @@ curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/
Use `socks5h://` with `curl` so DNS resolution happens through the SOCKS proxy. If proxy TCP tests fail with `No route to host`, stop: this is a LAN/gateway/proxy reachability problem, not an OpenAI OAuth or extension problem.
### SOCKS5 gateway not reachable
### OpenAI/ChatGPT direct-connect preflight before launching Chrome
Before opening the visible Chrome registration flow, run a raw DNS/TLS preflight even if the rest of the environment looks healthy:
```bash
python3 - <<'PY'
import socket
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
try:
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
except Exception as e:
print(host, 'ERR', e)
PY
curl -I -L --max-time 25 https://chatgpt.com/ | sed -n '1,30p'
```
If `BROWSER_PROXY_SERVER` is empty and DNS/TLS shows known pollution or transport failure, **stop before launching the registration/OAuth flow**. Examples observed during BOSS's Codex2API + GoPay plan-A test:
- `chatgpt.com` resolving to non-Cloudflare/suspicious ranges such as `67.230.169.182` or odd IPv6 entries.
- `accounts.openai.com` resolving to suspicious ranges such as `199.59.149.234` / `2001::...`.
- `curl https://chatgpt.com/` failing with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`.
Treat this as an environment/proxy/DNS problem, not an extension, ClawEmail, Codex2API, or account problem. Ask BOSS to fill a reachable `BROWSER_PROXY_SERVER=socks5://host:port` or `http://host:port`, then re-run proxy TCP/exit-IP/ChatGPT checks before starting Chrome. This avoids burning a registration attempt on a flow that will almost certainly stall on OpenAI auth.
If BOSS asks to test a specific proxy such as `socks5://192.168.2.8:1085`, test gateway reachability before browser/extension automation. Use `socks5h://` in curl when the intent is to force DNS through the SOCKS proxy:
```bash
PROXY='socks5h://192.168.2.8:1085'
@@ -422,6 +446,31 @@ ping -c 3 -W 1000 192.168.2.8 || true
If the Mac cannot reach the gateway/port (`No route to host`, `Couldn't connect to server`, ping loss), report this as a local gateway/port problem rather than continuing OAuth or extension tests. See `references/passwall2-socks5-gateway-reachability-2026-05-08.md` for the session example.
### Extension launch appears successful but `chrome://extensions` is empty
Chrome/CDP can mislead in multi-profile sessions. A process may show `--load-extension`, and CDP may even transiently show a `chrome-extension://.../service_worker.js` target, while the intended unpacked extension is not actually visible or registered in the isolated profile.
Before starting OpenAI registration, verify the intended automation extension with stronger evidence:
- `chrome://extensions/` visibly shows the `codex-oauth-automation-extension` unpacked card; or
- `Default/Preferences` has an `extensions.settings` entry whose manifest/path match the intended repo; or
- the intended extension page/sidepanel opens and renders expected UI; or
- an extension-context runtime call reads the expected manifest/state.
If `chrome://extensions` is empty and `extensions.settings` is empty, stop before registration. Report the block as **extension launch/registration failure before signup**, keep the ClawEmail record pending/failed according to whether signup was actually attempted, and avoid burning the mailbox on a manual unsupported flow. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md` for the observed Chrome 147 anomaly and debug checklist.
### OpenAI verification email does not arrive in ClawEmail
A 2026-05-09 ordinary-registration test reached OpenAI's normal `email-verification` page with two fresh ClawEmail sub-mailboxes, but no OpenAI code arrived in inbox or spam even after resend. Both sub-mailboxes passed a self-send receive test, so the block was classified as OpenAI/ClawEmail deliverability rather than browser, proxy, extension, CAPTCHA, or phone-verification failure. See `references/openai-clawemail-verification-nondelivery-2026-05-09.md`.
When this happens:
1. Confirm the exact email in the OpenAI page body via DOM, not OCR only.
2. Poll the **sub-mailbox profile**, not just the default primary mailbox profile.
3. Check inbox and spam.
4. Send a self-test email to the sub-mailbox and verify it arrives.
5. If self-test works but OpenAI mail still does not arrive after resend, stop and record `openai_email_verification` failure; try a primary ClawEmail mailbox or another provider next.
### Proxy not applied
- Visit an IP-check page in the isolated browser before starting.
@@ -453,6 +502,16 @@ If the Mac cannot reach the gateway/port (`No route to host`, `Couldn't connect
- Confirm GPC helper URL/card key/phone/PIN/OTP channel settings.
- Stop before retrying paid operations repeatedly; ask BOSS.
See `references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md` for the session note covering the macOS TCC screenshot fix, LAN/SOCKS5 verification, and ordinary-registration prep sequence.
See `references/openai-clawemail-verification-nondelivery-2026-05-09.md` for the ordinary registration test where OpenAI reached the email-verification page for two ClawEmail submailboxes, but no OpenAI verification email arrived despite submailbox self-test delivery working.
See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md` for the phone-verification continuation where OpenAI `add-phone` required SMS, BOSS corrected that WhatsApp receive channels must not be used, and 5sim `activation/*/openai` orders plus visible country selection were identified as the right class of workflow.
See `references/openai-phone-verification-5sim-sms-2026-05-10.md` for the later detailed retry notes: follow configured country/default `vietnam`, cancel failed 5sim orders before buying new ones, treat OpenAI `无法向此电话号码发送验证码` as a number/provider rejection, and avoid CDP-only mutations that desync the React country selector back to `美国 (+1)`.
See `references/openai-add-phone-1083-vietnam-resend-2026-05-10.md` for the follow-up test requested by BOSS: switch browser proxy to `socks5://192.168.2.8:1083`, regenerate Codex2API OAuth URL from the origin API when the auth session expires, continue with configured-country `vietnam` SMS activation, and for non-rejected numbers poll 5sim then click `重新发送` before canceling/retrying.
## Verification Checklist
- [ ] Config file exists at `~/.hermes/env/codex_oauth_onboarding.env` with mode-specific fields.
@@ -1,150 +0,0 @@
# Codex OAuth onboarding env template for real Google Chrome flow
# Copy to ~/.hermes/env/codex_oauth_onboarding.env and chmod 600.
# Do not commit. Do not paste secrets into chat.
# 0) Local project / browser
CODEX_OAUTH_EXTENSION_DIR=
CHROME_BIN=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
BROWSER_PROFILE_ROOT=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth
BROWSER_HEADLESS=false
BROWSER_LANG=zh-CN
RUN_COUNT=1
AUTO_STEP_DELAY_SECONDS=2
AUTO_RUN_SKIP_FAILURES=false
OAUTH_FLOW_TIMEOUT_ENABLED=true
# 1) Panel / target mode. No default: leave empty and the workflow MUST NOT run.
# Must explicitly select exactly one before execution: cpa | sub2api | codex2api
PANEL_MODE=
LOCAL_CPA_STEP9_MODE=submit
# CPA panel fields
CPA_VPS_URL=
CPA_VPS_PASSWORD=
# SUB2API panel fields
SUB2API_URL=
SUB2API_EMAIL=
SUB2API_PASSWORD=
SUB2API_GROUP_NAME=
SUB2API_ACCOUNT_PRIORITY=1
SUB2API_DEFAULT_PROXY_NAME=
# Codex2API panel fields
CODEX2API_URL=
CODEX2API_ADMIN_KEY=
# 2) Browser proxy. BOSS provides SOCKS5 or HTTP proxy without username/password.
# Examples: socks5://host:port or http://host:port
BROWSER_PROXY_SERVER=
BROWSER_PROXY_CHECK_URL=https://api.ipify.org?format=json
# Extension built-in 711proxy/IP proxy fields, only if using original project proxy panel.
IP_PROXY_ENABLED=false
IP_PROXY_SERVICE=
IP_PROXY_MODE=
IP_PROXY_API_URL=
IP_PROXY_ACCOUNT_LIST=
IP_PROXY_ACCOUNT_SESSION_PREFIX=codex
IP_PROXY_ACCOUNT_LIFE_MINUTES=
IP_PROXY_POOL_TARGET_COUNT=20
IP_PROXY_AUTO_SYNC_ENABLED=false
IP_PROXY_AUTO_SYNC_INTERVAL_MINUTES=15
IP_PROXY_HOST=
IP_PROXY_PORT=
IP_PROXY_PROTOCOL=
IP_PROXY_REGION=
# 3) Registration identity and password
# ClawEmail must create a fresh mailbox each run and record it locally with status.
CLAWEMAIL_CREATE_PER_RUN=true
CLAWEMAIL_PREFIX=codex
CLAWEMAIL_UID=
CLAWEMAIL_RECORD_FILE=/Users/chick/.Hermes/workspace/codex-oauth/run-records/clawemail_accounts.jsonl
SIGNUP_METHOD=email
CUSTOM_PASSWORD=
# 4) Mail provider fields from original project, fill only if not using Hermes-side ClawEmail polling.
MAIL_PROVIDER=
EMAIL_GENERATOR=custom
CUSTOM_EMAIL_POOL=
CUSTOM_MAIL_PROVIDER_POOL=
INBUCKET_HOST=
INBUCKET_MAILBOX=
HOTMAIL_SERVICE_MODE=
HOTMAIL_REMOTE_BASE_URL=
HOTMAIL_LOCAL_BASE_URL=
LUCKMAIL_API_KEY=
LUCKMAIL_BASE_URL=
LUCKMAIL_EMAIL_TYPE=
LUCKMAIL_DOMAIN=
CLOUDFLARE_TEMP_EMAIL_BASE_URL=
CLOUDFLARE_TEMP_EMAIL_ADMIN_AUTH=
CLOUDFLARE_TEMP_EMAIL_CUSTOM_AUTH=
CLOUDFLARE_TEMP_EMAIL_RECEIVE_MAILBOX=
CLOUDFLARE_TEMP_EMAIL_USE_RANDOM_SUBDOMAIN=false
CLOUDFLARE_TEMP_EMAIL_DOMAIN=
# 5) Phone/SMS verification fallback. No default provider: leave disabled/empty unless needed.
PHONE_VERIFICATION_ENABLED=false
SIGNUP_PHONE=
PHONE_SMS_PROVIDER=
PHONE_SMS_PROVIDER_ORDER=
VERIFICATION_RESEND_COUNT=0
PHONE_VERIFICATION_REPLACEMENT_LIMIT=3
PHONE_CODE_WAIT_SECONDS=60
PHONE_CODE_TIMEOUT_WINDOWS=2
PHONE_CODE_POLL_INTERVAL_SECONDS=5
PHONE_CODE_POLL_MAX_ROUNDS=12
PHONE_PREFERRED_ACTIVATION=
# HeroSMS
HERO_SMS_API_KEY=
HERO_SMS_REUSE_ENABLED=
HERO_SMS_ACQUIRE_PRIORITY=
HERO_SMS_MAX_PRICE=
HERO_SMS_PREFERRED_PRICE=
HERO_SMS_COUNTRY_ID=
HERO_SMS_COUNTRY_LABEL=
HERO_SMS_COUNTRY_FALLBACK=
# 5sim
FIVE_SIM_API_KEY=
FIVE_SIM_PRODUCT=
FIVE_SIM_COUNTRY_ORDER=
FIVE_SIM_COUNTRY_ID=
FIVE_SIM_COUNTRY_LABEL=
FIVE_SIM_COUNTRY_FALLBACK=
FIVE_SIM_MAX_PRICE=
FIVE_SIM_OPERATOR=any
# NexSMS
NEX_SMS_API_KEY=
NEX_SMS_COUNTRY_ORDER=
NEX_SMS_SERVICE_CODE=
# 6) Plus/payment. BOSS chose GoPay. Paid operation still requires explicit confirmation before execution.
PLUS_MODE_ENABLED=false
PLUS_PAYMENT_METHOD=gopay
GOPAY_COUNTRY_CODE=+86
GOPAY_PHONE=
GOPAY_OTP=
GOPAY_OTP_SOURCE=manual
GOPAY_OTP_MANUAL_TIMEOUT_SECONDS=180
GOPAY_PIN=
# GPC helper fields retained but not used when PLUS_PAYMENT_METHOD=gopay
GPC_HELPER_API_URL=
GPC_HELPER_CARD_KEY=
GPC_HELPER_COUNTRY_CODE=+86
GPC_HELPER_PHONE_NUMBER=
GPC_HELPER_PIN=
GPC_HELPER_OTP_CHANNEL=
GPC_HELPER_LOCAL_SMS_ENABLED=false
GPC_HELPER_LOCAL_SMS_URL=http://127.0.0.1:18767
# 7) Local run records
RUN_RECORD_DIR=/Users/chick/.Hermes/workspace/codex-oauth/run-records
ACCOUNT_SUCCESS_FILE=/Users/chick/.Hermes/workspace/codex-oauth/run-records/success_accounts.jsonl
ACCOUNT_FAILED_FILE=/Users/chick/.Hermes/workspace/codex-oauth/run-records/failed_accounts.jsonl
ACCOUNT_PENDING_FILE=/Users/chick/.Hermes/workspace/codex-oauth/run-records/pending_accounts.jsonl