diff --git a/SKILL.md b/SKILL.md deleted file mode 100644 index 9b0d618..0000000 --- a/SKILL.md +++ /dev/null @@ -1,525 +0,0 @@ ---- -name: codex-oauth-plus-onboarding -description: "Use when BOSS asks to register a ChatGPT/Codex OAuth account flow with ClawEmail, optionally open Plus through GoPay/GPC, and authorize the OAuth callback into SUB2API, Codex2API, or CPA using an isolated proxied browser profile." -version: 1.0.0 -author: Hermes Agent -license: MIT -metadata: - hermes: - tags: [codex, oauth, clawemail, gopay, sub2api, codex2api, cpa, browser-automation] - related_skills: [clawemail-operations, browser-extension-storage-audit] ---- - -# Codex OAuth + Plus Onboarding - -## Overview - -This skill describes the safe, repeatable workflow for using the local `codex-oauth-automation-extension` project to run a **single user-authorized onboarding flow**: - -1. Use **ClawEmail** as the registration mailbox. -2. Register/Login through ChatGPT/OpenAI auth. -3. Optionally open ChatGPT Plus through **GoPay / GPC helper**. -4. Complete OAuth authorization. -5. Submit the localhost OAuth callback to exactly one configured target: **SUB2API**, **Codex2API**, or **CPA**. -6. Run the browser in an isolated profile with a dedicated proxy. - -The skill is for BOSS's own infrastructure and accounts only. Do not use it for spam, credential stuffing, rate-limit evasion, CAPTCHA bypass, unauthorized account creation, or bulk registration. If a page asks for CAPTCHA, security challenge, phone ownership proof, payment confirmation, or another user-visible anti-abuse checkpoint, pause and ask BOSS to complete/approve it manually. - -## When to Use - -Use this skill when BOSS asks for any of these: - -- “用 ClawEmail 注册 Codex / ChatGPT OAuth,然后授权到 SUB2API / Codex2API / CPA” -- “用 GoPay 开 Plus 后把 OAuth 接进去” -- “把 QLHazyCoder/codex-oauth-automation-extension 那套流程跑起来” -- “给这个注册流程做独立代理、无痕/隔离浏览器配置” -- “把这个流程做成可复用配置和操作步骤” - -Also load `clawemail-operations` before any ClawEmail mailbox work. - -## BOSS-specific Operating Defaults - -These are confirmed operating rules for BOSS's environment: - -- Use **Google Chrome stable** at `/Applications/Google Chrome.app/Contents/MacOS/Google Chrome` with a real visible window. -- Do **not** set a default target platform. If `PANEL_MODE` is empty or not one of `cpa|sub2api|codex2api`, stop before launching the run. -- Proxies are supplied as unauthenticated `socks5://host:port` or `http://host:port`; do not expect proxy username/password. -- The new account password is unified through `CUSTOM_PASSWORD`. If it is empty, stop and ask BOSS to fill it, unless BOSS explicitly allows auto-generation for that run. -- ClawEmail creates a fresh mailbox for every run (`CLAWEMAIL_CREATE_PER_RUN=true`). Record every created mailbox locally with outcome classification: pending, success, failed. -- Phone/SMS platform has no default. Keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless BOSS configures one or approves enabling it after a phone verification appears. -- If phone verification appears and BOSS has configured 5sim, use **SMS activation for `openai`**, not WhatsApp receive channels. The original extension's 5sim provider buys `/v1/user/buy/activation/{country}/{operator}/openai`, polls `/v1/user/check/{activationId}`, and finishes/cancels the activation. Follow the configured `FIVE_SIM_COUNTRY_ID` first; if it is empty, the extension default is `vietnam`. Do **not** silently switch countries after a rejected number unless BOSS changes config or approves fallback. Before buying/submitting a non-USA number, verify the OpenAI visible country selector is already the expected country (for example `越南 (+84)`); if it reverted to `美国 (+1)`, fix the selector first or the number will be parsed as invalid. Use visible UI paste/click on `add-phone` when possible because CDP-only input mutation can desync React state and revert the country on submit. If a number is **not immediately rejected**, do not cancel it after one polling timeout: poll 5sim, click OpenAI `重新发送`, poll again, and retry resend at least once before canceling/rotating. If changing proxy (for example `1085` → `1083`), expect OpenAI auth session invalidation and restart from a fresh target OAuth URL. Codex2API env URLs may point at `/admin/accounts`; derive the API origin before calling `/api/admin/oauth/generate-auth-url`. See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md`, `references/openai-phone-verification-5sim-sms-2026-05-10.md`, and `references/openai-phone-verification-proxy1083-resend-2026-05-10.md` for observed behavior, resend strategy, proxy-switch recovery, and pitfalls. -- Plus mode uses `PLUS_PAYMENT_METHOD=gopay`. Any paid GoPay action still requires explicit confirmation immediately before payment/approval. -- GoPay WhatsApp OTP uses **方案 A / manual checkpoint**: set `GOPAY_OTP_SOURCE=manual`. The extension detects OTP input and opens a side-panel prompt (`requestGoPayOtpInput` / “输入 GoPay 验证码”); BOSS pastes the WhatsApp code, then the extension fills OTP, fills `GOPAY_PIN`, and continues. -- `GOPAY_OTP` should normally stay empty before the run. It is only a temporary prefill/cache for the current OTP dialog, not a durable secret. -- Do not implement WhatsApp scraping/API automation unless BOSS explicitly requests it later. - -- When BOSS says the environment is normal and asks to start registration testing, treat `socks5://192.168.2.8:1085` as the expected browser proxy unless BOSS overrides it. If `BROWSER_PROXY_SERVER` is empty, patch the local env to this SOCKS5 endpoint and verify it before launching Chrome; do not stop with a question asking whether to use it. -- For ordinary-account test runs, set `PLUS_MODE_ENABLED=false` before launching. Keep `PLUS_PAYMENT_METHOD=gopay` untouched for later Plus runs, but do not enter Plus/payment steps. -- Registration/OAuth tests are step-gated for BOSS: after environment/config prep and mailbox creation, report the created mailbox and wait for explicit “继续” before launching the visible browser flow. - -1. **Explicit target**: BOSS must specify exactly one target mode: `sub2api`, `codex2api`, or `cpa`; there is no default target, and an empty `PANEL_MODE` must stop execution. -2. **Single-run default**: default to one account / one OAuth flow unless BOSS explicitly requests a count. -3. **No CAPTCHA bypass**: if Cloudflare/CAPTCHA/security challenge appears, stop and report the required manual action. -4. **Payment checkpoint**: Plus mode is GoPay for BOSS, but before any GoPay payment or paid operation, confirm that BOSS wants to proceed. -5. **No secret leakage**: never print API keys, admin keys, proxy addresses if sensitive, refresh tokens, card keys, or OAuth callback URLs containing `code=` in final summaries. Redact as `[REDACTED]`. -6. **Config export risk**: the extension’s built-in settings export may contain secrets. Treat exported files as sensitive. -7. **Mailbox records**: every freshly-created ClawEmail mailbox must be recorded locally with run id and final status (`pending`, `success`, or `failed`). - -## Repository and Local Paths - -Known research clone: - -```bash -/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension -``` - -If missing, clone shallow: - -```bash -mkdir -p /Users/chick/.Hermes/workspace/research -cd /Users/chick/.Hermes/workspace/research -git clone --depth=1 https://github.com/QLHazyCoder/codex-oauth-automation-extension.git -``` - -Validate tests when modifying or before relying on a changed checkout: - -```bash -cd /Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension -node --test tests/*.test.js -``` - -Observed verification result during initial study: `772` tests passed, `0` failed. - -## Configuration File - -Create a dedicated env file instead of typing secrets into chat. A fuller template is stored with this skill at `templates/codex_oauth_onboarding.env.example`. If BOSS has temporarily filled real values into that template, first copy it to the real env file, back up the filled template privately, and sanitize the template again; see `references/env-file-and-5sim-notes.md`. - -```bash -mkdir -p ~/.hermes/env -chmod 700 ~/.hermes/env -cp ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example ~/.hermes/env/codex_oauth_onboarding.env -chmod 600 ~/.hermes/env/codex_oauth_onboarding.env -$EDITOR ~/.hermes/env/codex_oauth_onboarding.env -``` - -High-level required groups: - -1. **Local project / browser**: `CODEX_OAUTH_EXTENSION_DIR`, `CHROME_BIN`, `BROWSER_PROFILE_ROOT`, `BROWSER_HEADLESS=false`. -2. **Panel / target mode**: `PANEL_MODE=cpa|sub2api|codex2api` has **no default**; if empty, stop. Fill only the selected target’s auth fields copied from the original side panel (`CPA_VPS_URL`/`CPA_VPS_PASSWORD`, or `SUB2API_*`, or `CODEX2API_*`). -3. **Proxy**: fill `BROWSER_PROXY_SERVER` with BOSS-provided unauthenticated `socks5://host:port` or `http://host:port`; use `IP_PROXY_*` only when using the original extension’s built-in 711proxy/IP proxy panel. -4. **Registration identity and password**: `CLAWEMAIL_CREATE_PER_RUN=true`, `CLAWEMAIL_PREFIX`, `CLAWEMAIL_RECORD_FILE`, `SIGNUP_METHOD=email`, and unified `CUSTOM_PASSWORD`. For BOSS's ClawEmail per-run accounts, use a pure lowercase English **8-letter random create prefix with no base prefix** (example create prefix `abcdefgh`, resulting sub-mailbox shape `chickliu.abcdefgh@claw.163.com`). Live ClawEmail probing showed create prefixes are accepted only up to 11 characters and dots/hyphens are rejected despite docs/help text, so do not use `codex` + 8 letters. Store/observe the policy with `CLAWEMAIL_PREFIX=` (empty), `CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8`, `CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz`, and `CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true` when helper scripts support it; if not, generate the 8-letter prefix in the runner before calling `mail-cli clawemail create --prefix ...`. -5. **Mail provider**: `MAIL_PROVIDER`, `EMAIL_GENERATOR`, and original-provider fields only if not polling ClawEmail from Hermes. -6. **Phone/SMS verification fallback**: no default provider; keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless configured/approved. -7. **Plus/payment**: `PLUS_MODE_ENABLED=true`, `PLUS_PAYMENT_METHOD=gopay`; paid operations still require explicit confirmation. - -Minimal template excerpt: - -```bash -# Required: local extension repo -CODEX_OAUTH_EXTENSION_DIR=/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension -```bash -# Required: ClawEmail mailbox -CLAWEMAIL_UID=chickliu@claw.163.com -# BOSS preference: per-run sub-mailbox create prefix is exactly 8 lowercase English random letters. -# Example create prefix: abcdefgh -> chickliu.abcdefgh@claw.163.com -CLAWEMAIL_PREFIX= -CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8 -CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz -CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true -CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true -``` -# Browser isolation -BROWSER_PROFILE_ROOT=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth -BROWSER_HEADLESS=false -BROWSER_PROXY_SERVER=http://host:port -BROWSER_PROXY_USERNAME= -BROWSER_PROXY_PASSWORD= - -# Target mode: sub2api | codex2api | cpa -OAUTH_TARGET_MODE=sub2api - -# SUB2API settings -SUB2API_URL= -SUB2API_EMAIL= -SUB2API_PASSWORD= -SUB2API_GROUP_NAME=default -SUB2API_ACCOUNT_PRIORITY=1 -SUB2API_DEFAULT_PROXY_NAME= - -# Codex2API settings -CODEX2API_URL= -CODEX2API_ADMIN_KEY= - -# CPA settings -CPA_URL= -CPA_MANAGEMENT_KEY= -CPA_LOCAL_STEP9_MODE=submit - -# Plus / GoPay / GPC helper settings -PLUS_MODE_ENABLED=false -PLUS_PAYMENT_METHOD=gpc-helper -GPC_HELPER_API_URL= -GPC_HELPER_CARD_KEY= -GPC_HELPER_COUNTRY_CODE=+86 -GPC_HELPER_PHONE_NUMBER= -GPC_HELPER_PIN= -GPC_HELPER_OTP_CHANNEL=whatsapp -GPC_HELPER_LOCAL_SMS_ENABLED=false -GPC_HELPER_LOCAL_SMS_URL=http://127.0.0.1:18767 - -# Runtime behavior -RUN_COUNT=1 -AUTO_RUN_SKIP_FAILURES=false -AUTO_STEP_DELAY_SECONDS=2 -OAUTH_FLOW_TIMEOUT_ENABLED=true -``` - -Rules: - -- Keep this file local only; never commit it. -- Use `[REDACTED]` in reports for all secret values. -- If multiple target sections are filled, only the section selected by `OAUTH_TARGET_MODE` should be used. - -## Browser Isolation and Proxy Strategy - -This workflow must use a **real visible Chrome/Chromium browser**. Do not use headless browser mode for registration, payment, OAuth consent, or security-sensitive OpenAI/Auth pages. - -Use a **dedicated browser profile** per run or per account. “无痕模式” in Chrome does not normally persist extension state and may not allow side panel/extensions unless explicitly enabled. For this extension, prefer a real visible browser with: - -- Dedicated clean `user-data-dir` profile. -- Loaded unpacked extension from `CODEX_OAUTH_EXTENSION_DIR`. -- Proxy applied at browser launch or by a verified local proxy wrapper. -- Human-visible UI for CAPTCHA/security/payment checkpoints. -- Profile cleared after success if BOSS wants no local residue. - -Recommended profile naming: - -```bash -RUN_ID=$(date +%Y%m%d-%H%M%S) -PROFILE_DIR="$BROWSER_PROFILE_ROOT/$RUN_ID" -mkdir -p "$PROFILE_DIR" -``` - -Chrome launch pattern: - -```bash -/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \ - --user-data-dir="$PROFILE_DIR" \ - --disable-extensions-except="$CODEX_OAUTH_EXTENSION_DIR" \ - --load-extension="$CODEX_OAUTH_EXTENSION_DIR" \ - --proxy-server="$BROWSER_PROXY_SERVER" \ - --no-first-run \ - --no-default-browser-check -``` - -If proxy authentication is required and Chrome launch flags do not authenticate reliably, use one of these approaches: - -1. Use an upstream proxy URL that embeds auth only in a local proxy wrapper, not in command history. -2. Start a local forwarding proxy that injects upstream credentials. -3. Configure proxy credentials inside the extension only if the extension supports it and the config file is protected. - -Do not reuse the normal personal browser profile for this workflow. - -## ClawEmail Preparation - -Load `clawemail-operations` and verify: - -```bash -mail-cli auth test --json -mail-cli clawemail list --json -mail-cli clawemail info --uid "$CLAWEMAIL_UID" --json -``` - -Registration email choice: - -- Default: use `CLAWEMAIL_UID` directly. -- If BOSS wants per-run sub-mailboxes, create them with `mail-cli clawemail create --prefix ...` and set the extension’s registration email to the created UID. - -For code retrieval, the extension may interact with mail provider pages or helper logic, but ClawEmail can also be polled by Hermes: - -```bash -mail-cli mail list --fid 1 --limit 20 --json -mail-cli read body --id '' -``` - -Always quote message IDs. - -## Extension Architecture Reference - -The project is a Manifest V3 Chrome extension: - -- `manifest.json`: permissions, host permissions, content scripts, side panel. -- `background.js`: service worker and state orchestration. -- `background/message-router.js`: handles sidepanel messages such as `EXECUTE_STEP`, `AUTO_RUN`, `SAVE_SETTING`, `EXPORT_SETTINGS`, `IMPORT_SETTINGS`. -- `data/step-definitions.js`: step list for normal and Plus modes. -- `background/steps/*.js`: one executor per major step. -- `content/signup-page.js`: OpenAI/Auth page DOM automation. -- `content/*mail*.js`: mail provider automation. -- `sidepanel/sidepanel.js`: UI controls and settings collection. - -Important permissions include `tabs`, `webNavigation`, `webRequest`, `proxy`, `debugger`, `cookies`, `browsingData`, `storage`, `scripting`, `activeTab`, and `` host access. - -## Normal OAuth Flow Steps - -**BOSS correction / manual-flow allowance:** if BOSS asks only to test whether ordinary registration works, do not over-focus on running the original extension as the automation engine. It is acceptable to follow the extension's normal-flow sequence manually through visible Chrome, CDP, and `mail-cli`. The extension should be treated as a process reference unless BOSS explicitly asks to use it. Still keep all checkpoints: stop for CAPTCHA/Cloudflare/security challenge/phone/payment, and do not proceed to OAuth until email verification succeeds. - -Normal mode step definitions: - -1. `open-chatgpt` — clear ChatGPT/OpenAI cookies and open ChatGPT. -2. `submit-signup-email` — enter email or phone registration identity. -3. `fill-password` — generate/use password and submit. -4. `fetch-signup-code` — fetch registration verification code from mailbox/SMS. -5. `fill-profile` — generate and submit name + birthday. -6. `wait-registration-success` — wait for registration to stabilize. -7. `oauth-login` — refresh OAuth URL from selected target and log in. -8. `fetch-login-code` — fetch login verification code if needed. -9. `confirm-oauth` — click OAuth consent / Continue and capture localhost callback. -10. `platform-verify` — submit callback/code/state to SUB2API, Codex2API, or CPA. - -### ClawEmail random suffix policy - -BOSS specifically prefers Codex onboarding sub-mailboxes to use **only an 8-letter lowercase English random create prefix** after the primary mailbox dot, e.g. `chickliu.ktqcxzux@claw.163.com`. Do not use `cod`/`codex` plus 8 letters unless BOSS asks; the live ClawEmail API only accepted create prefixes up to 11 characters and rejected dots/hyphens during probing. See `clawemail-operations` reference `references/clawemail-prefix-probe-2026-05.md` and this skill's `references/clawemail-random-suffix-policy-2026-05.md`. - - -```bash -FIVE_SIM_API_KEY= -FIVE_SIM_BASE_URL=https://5sim.net/v1 -FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia -FIVE_SIM_OPERATOR=any -FIVE_SIM_PRODUCT=openai -FIVE_SIM_SERVICE=openai -``` - -## Plus Flow Steps - -When `PLUS_MODE_ENABLED=true`, the extension switches step definitions. - -PayPal Plus path: - -1-5. same registration steps. -6. `plus-checkout-create` — create Plus Checkout. -7. `plus-checkout-billing` — fill billing and submit order. -8. `paypal-approve` — PayPal login/approval. -9. `plus-checkout-return` — confirm return. -10. `oauth-login`. -11. `fetch-login-code`. -12. `confirm-oauth`. -13. `platform-verify`. - -GoPay/GPC helper paths use similar Plus step positions, with payment-specific logic in `background/steps/create-plus-checkout.js`, `fill-plus-checkout.js`, `gopay-*`, and helper API settings. - -## Applying Settings in the Extension - -The sidepanel normally sends settings through `SAVE_SETTING`; the background persists keys in `chrome.storage.local` via `PERSISTED_SETTING_KEYS`. - -Manual UI route: - -1. Open isolated Chrome profile with extension loaded. -2. Open the extension side panel. -3. Set `panelMode` according to `OAUTH_TARGET_MODE`: - - `sub2api` → fill SUB2API URL/email/password/group/proxy/priority. - - `codex2api` → fill Codex2API URL/Admin Key. - - `cpa` → fill CPA URL and management key. -4. Set registration email to ClawEmail mailbox. -5. Enable Plus mode only if requested. -6. Select `gpc-helper` / GoPay settings when using GoPay/GPC. -7. Configure proxy mode if the extension manages proxy; otherwise rely on browser launch proxy. -8. Save settings. -9. Start manual steps or Auto Run with `RUN_COUNT=1`. - -Programmatic route, if writing a helper script: - -- Prefer controlling the sidepanel UI or sending extension runtime messages from the extension context. -- Do not inject secrets into shell command lines where they will remain in history/process listings. -- Keep settings source in `~/.hermes/env/codex_oauth_onboarding.env`. - -## Execution Checklist - -1. Load this skill and `clawemail-operations`. -2. Read `~/.hermes/env/codex_oauth_onboarding.env` locally; validate required fields for the selected target. -3. Confirm payment/Plus intent if `PLUS_MODE_ENABLED=true`. -4. Verify ClawEmail auth and selected mailbox. -5. Confirm extension repo exists and tests pass if the checkout changed. -6. Start a dedicated proxied browser profile with the unpacked extension. -7. Open sidepanel and apply settings. -8. Start one run. -9. Monitor logs for: - - registration email submitted - - signup verification code fetched - - profile completed - - Plus checkout/payment status, if enabled - - OAuth URL refreshed - - login code fetched, if required - - localhost callback captured - - platform verification succeeded -10. If security challenge/CAPTCHA/phone/payment confirmation appears, pause and notify BOSS. -11. After success, verify target platform has the new authorized account/session. -12. Redact secrets and callback codes in the final report. - -## Storage and Export Risk - -The extension stores sensitive configuration in `chrome.storage.local`, including possible: - -- CPA management key / password. -- SUB2API password. -- Codex2API admin key. -- Proxy username/password/API URL. -- Hotmail account passwords, `clientId`, `refreshToken`. -- PayPal account pool credentials. -- 2925 mailbox credentials. -- LuckMail / HeroSMS / 5sim / NexSMS API keys. -- Cloudflare Temp Email auth fields. - -Runtime state goes mostly to `chrome.storage.session`, including generated email, password, codes, OAuth URL, localhost callback, and target session metadata. - -The built-in export function exports `getPersistedSettings()` as JSON; this can include sensitive persistent settings. Treat every export as secret material. - -## Troubleshooting - -### Google Chrome stable may ignore `--load-extension` - -On BOSS's macOS Chrome stable 147, verbose logs showed `--load-extension is not allowed in Google Chrome, ignoring.` In that case, `ps` still shows the flag but the extension card never appears. Do not keep relaunching the same way. Use the visible UI workaround: open `chrome://extensions`, enable Developer Mode, physically click **加载未打包的扩展程序**, choose the repo folder in the macOS picker, then verify the unpacked card is `ENABLED`. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md`. - -### PassWall2/DNS split rules still polluted - -After BOSS updates PassWall2/domain split rules, verify DNS takeover before relaunching the extension. Domain rules alone are not enough if macOS still resolves `chatgpt.com` / `accounts.openai.com` through ISP/local DNS. - -Run: - -```bash -python3 - <<'PY' -import socket -for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']: - print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)})) -PY -scutil --dns | sed -n '1,120p' -curl -I -L --max-time 20 https://chatgpt.com/ -``` - -If `chatgpt.com` resolves to suspicious non-Cloudflare ranges such as `199.59.150.40` / `202.160.128.16`, or `accounts.openai.com` resolves to `128.121.146.109` / `192.133.77.189` / `2001::80f2:f09b`, treat it as DNS pollution and stop before registration/OAuth. Ask BOSS to fix PassWall2 DNS takeover/remote DNS/fake-ip or redir-host. See `references/openai-chatgpt-browser-probe-2026-05-08.md`, `references/passwall2-openai-dns-pollution-2026-05-08.md`, and `references/openai-lan-proxy-endpoint-probe-2026-05-08.md` for browser/TLS/proxy endpoint failure patterns. - -When BOSS provides a LAN proxy endpoint such as `socks5://192.168.2.8:1085` or `http://192.168.2.8:1084`, test the endpoint before launching Chrome: - -```bash -ping -c 2 -W 1000 192.168.2.8 || true -nc -vz -w 5 192.168.2.8 1085 || true -curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/ -``` - -Use `socks5h://` with `curl` so DNS resolution happens through the SOCKS proxy. If proxy TCP tests fail with `No route to host`, stop: this is a LAN/gateway/proxy reachability problem, not an OpenAI OAuth or extension problem. - -### OpenAI/ChatGPT direct-connect preflight before launching Chrome - -Before opening the visible Chrome registration flow, run a raw DNS/TLS preflight even if the rest of the environment looks healthy: - -```bash -python3 - <<'PY' -import socket -for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']: - try: - print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)})) - except Exception as e: - print(host, 'ERR', e) -PY -curl -I -L --max-time 25 https://chatgpt.com/ | sed -n '1,30p' -``` - -If `BROWSER_PROXY_SERVER` is empty and DNS/TLS shows known pollution or transport failure, **stop before launching the registration/OAuth flow**. Examples observed during BOSS's Codex2API + GoPay plan-A test: - -- `chatgpt.com` resolving to non-Cloudflare/suspicious ranges such as `67.230.169.182` or odd IPv6 entries. -- `accounts.openai.com` resolving to suspicious ranges such as `199.59.149.234` / `2001::...`. -- `curl https://chatgpt.com/` failing with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`. - -Treat this as an environment/proxy/DNS problem, not an extension, ClawEmail, Codex2API, or account problem. Ask BOSS to fill a reachable `BROWSER_PROXY_SERVER=socks5://host:port` or `http://host:port`, then re-run proxy TCP/exit-IP/ChatGPT checks before starting Chrome. This avoids burning a registration attempt on a flow that will almost certainly stall on OpenAI auth. - - - -```bash -PROXY='socks5h://192.168.2.8:1085' -nc -vz -w 3 192.168.2.8 1085 || true -curl --proxy "$PROXY" -I -L --max-time 25 https://chatgpt.com/ 2>&1 | sed -n '1,80p' -curl --proxy "$PROXY" --max-time 15 https://api.ipify.org 2>&1 || true -route -n get 192.168.2.8 2>/dev/null || true -arp -n 192.168.2.8 || true -ping -c 3 -W 1000 192.168.2.8 || true -``` - -If the Mac cannot reach the gateway/port (`No route to host`, `Couldn't connect to server`, ping loss), report this as a local gateway/port problem rather than continuing OAuth or extension tests. See `references/passwall2-socks5-gateway-reachability-2026-05-08.md` for the session example. - -### Extension launch appears successful but `chrome://extensions` is empty - -Chrome/CDP can mislead in multi-profile sessions. A process may show `--load-extension`, and CDP may even transiently show a `chrome-extension://.../service_worker.js` target, while the intended unpacked extension is not actually visible or registered in the isolated profile. - -Before starting OpenAI registration, verify the intended automation extension with stronger evidence: - -- `chrome://extensions/` visibly shows the `codex-oauth-automation-extension` unpacked card; or -- `Default/Preferences` has an `extensions.settings` entry whose manifest/path match the intended repo; or -- the intended extension page/sidepanel opens and renders expected UI; or -- an extension-context runtime call reads the expected manifest/state. - -If `chrome://extensions` is empty and `extensions.settings` is empty, stop before registration. Report the block as **extension launch/registration failure before signup**, keep the ClawEmail record pending/failed according to whether signup was actually attempted, and avoid burning the mailbox on a manual unsupported flow. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md` for the observed Chrome 147 anomaly and debug checklist. - -### OpenAI verification email does not arrive in ClawEmail - -A 2026-05-09 ordinary-registration test reached OpenAI's normal `email-verification` page with two fresh ClawEmail sub-mailboxes, but no OpenAI code arrived in inbox or spam even after resend. Both sub-mailboxes passed a self-send receive test, so the block was classified as OpenAI/ClawEmail deliverability rather than browser, proxy, extension, CAPTCHA, or phone-verification failure. See `references/openai-clawemail-verification-nondelivery-2026-05-09.md`. - -When this happens: - -1. Confirm the exact email in the OpenAI page body via DOM, not OCR only. -2. Poll the **sub-mailbox profile**, not just the default primary mailbox profile. -3. Check inbox and spam. -4. Send a self-test email to the sub-mailbox and verify it arrives. -5. If self-test works but OpenAI mail still does not arrive after resend, stop and record `openai_email_verification` failure; try a primary ClawEmail mailbox or another provider next. - -### Proxy not applied - -- Visit an IP-check page in the isolated browser before starting. -- If auth proxy fails, use a local forwarding proxy wrapper. -- Do not put proxy passwords in final answers. - -### ClawEmail code not found - -- Verify the email address submitted in step 2 matches `CLAWEMAIL_UID` or the created sub-mailbox. -- Use `mail-cli mail list --fid 1 --limit 20 --json` and inspect recent OpenAI messages. -- Check spam/deleted folders if inbox is empty. - -### OAuth callback not captured - -- Step `confirm-oauth` listens for localhost callback via webNavigation/tabs updates. -- Re-run the OAuth login/confirm steps only, not the full registration, unless the auth session is invalid. -- Verify target mode settings and state value mismatch errors. - -### Target verify fails - -- For SUB2API, verify URL/email/password/group/priority/proxy fields. -- For Codex2API, verify URL and admin key. -- For CPA, verify management origin/key and callback endpoint support. -- Do not print callback URL with `code=`; redact. - -### Plus/GoPay fails - -- Confirm Plus mode and payment method are correct. -- Confirm GPC helper URL/card key/phone/PIN/OTP channel settings. -- Stop before retrying paid operations repeatedly; ask BOSS. - -See `references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md` for the session note covering the macOS TCC screenshot fix, LAN/SOCKS5 verification, and ordinary-registration prep sequence. - -See `references/openai-clawemail-verification-nondelivery-2026-05-09.md` for the ordinary registration test where OpenAI reached the email-verification page for two ClawEmail submailboxes, but no OpenAI verification email arrived despite submailbox self-test delivery working. - -See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md` for the phone-verification continuation where OpenAI `add-phone` required SMS, BOSS corrected that WhatsApp receive channels must not be used, and 5sim `activation/*/openai` orders plus visible country selection were identified as the right class of workflow. - -See `references/openai-phone-verification-5sim-sms-2026-05-10.md` for the later detailed retry notes: follow configured country/default `vietnam`, cancel failed 5sim orders before buying new ones, treat OpenAI `无法向此电话号码发送验证码` as a number/provider rejection, and avoid CDP-only mutations that desync the React country selector back to `美国 (+1)`. - -See `references/openai-add-phone-1083-vietnam-resend-2026-05-10.md` for the follow-up test requested by BOSS: switch browser proxy to `socks5://192.168.2.8:1083`, regenerate Codex2API OAuth URL from the origin API when the auth session expires, continue with configured-country `vietnam` SMS activation, and for non-rejected numbers poll 5sim then click `重新发送` before canceling/retrying. - -## Verification Checklist - -- [ ] Config file exists at `~/.hermes/env/codex_oauth_onboarding.env` with mode-specific fields. -- [ ] ClawEmail auth passes. -- [ ] Isolated browser profile is not the normal personal profile. -- [ ] Browser exit IP matches intended proxy. -- [ ] Extension is loaded and sidepanel opens. -- [ ] Only one target mode is active. -- [ ] Plus payment was explicitly approved if enabled. -- [ ] Target platform shows the OAuth account/session after verification. -- [ ] Final report redacts all secrets, callback codes, passwords, API keys, and proxy credentials. diff --git a/references/clawemail-prefix-probe-2026-05.md b/references/clawemail-prefix-probe-2026-05.md deleted file mode 100644 index 71e67d7..0000000 --- a/references/clawemail-prefix-probe-2026-05.md +++ /dev/null @@ -1,62 +0,0 @@ -# ClawEmail Prefix Probe Notes — 2026-05 - -Context: During Codex OAuth registration testing for BOSS, we needed fresh ClawEmail sub-mailboxes and discovered live API constraints stricter than public docs. - -## Official/public expectation - -Docs/help say `mail-cli clawemail create --prefix --type sub` accepts 1-64 characters and examples mention `bot1`, `bot.v1`, `my-agent`, `support`. - -## Live observed behavior - -Using BOSS's primary `chickliu@claw.163.com`, successful sub-mailbox shape is: - -```text -chickliu.@claw.163.com -``` - -Probed prefixes were created and immediately deleted when successful. - -Accepted examples: - -- `a`, `ab`, `abc`, `bot`, `bot1`, `test`, `codex`, `oauth` -- `codexabcdef` (11 chars) accepted -- random lowercase lengths 1-11 accepted -- digit suffix examples like `codex12345` accepted - -Rejected examples: - -- length 12+ such as `codexabcdefg`, `xxxxxxxxxxxx` -- dot/hyphen examples: `a.b`, `bot.v1`, `my-agent`, `abc.def` - -Observed practical rule: - -```text -^[A-Za-z0-9]{1,11}$ -``` - -## BOSS preference for Codex/OAuth runs - -BOSS corrected the desired mailbox shape: after the dot, use **only 8 lowercase English random letters**, with no `cod`/`codex` fixed prefix. - -Example: - -```text -chickliu.ktqcxzux@claw.163.com -``` - -Env policy used locally: - -```text -CLAWEMAIL_PREFIX= -CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8 -CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz -CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true -``` - -When a helper does not support empty base prefix + suffix policy, generate the full 8-letter create prefix yourself and pass it directly: - -```bash -mail-cli clawemail create --prefix "$RANDOM_8_LOWERCASE" --type sub --display-name "Codex OAuth $RANDOM_8_LOWERCASE" --json -``` - -Record every created mailbox in the local JSONL record file with status `pending`, then update to `success`, `failed_*`, or `deleted_replaced`. diff --git a/references/clawemail-random-suffix-policy-2026-05.md b/references/clawemail-random-suffix-policy-2026-05.md deleted file mode 100644 index 3ca2f4b..0000000 --- a/references/clawemail-random-suffix-policy-2026-05.md +++ /dev/null @@ -1,49 +0,0 @@ -# Codex onboarding ClawEmail random suffix policy — 2026-05-08 - -BOSS corrected the mailbox policy during a Codex OAuth registration test: - -- Use **only 8 lowercase English random letters** as the ClawEmail create prefix. -- Do not prepend `cod`, `codex`, or another business marker unless explicitly requested. -- Desired visible mailbox shape: - -```text -chickliu.<8 lowercase random letters>@claw.163.com -``` - -Example created successfully in-session: - -```text -chickliu.ktqcxzux@claw.163.com -``` - -## Why not `codex` + 8 letters? - -The live ClawEmail Open API rejected create prefixes of length 12+ with `OPEN_API_1003 prefix format is invalid`, despite public docs/help saying 1-64 characters. The real accepted maximum observed was 11 characters. Since `codex` + 8 letters is 13 characters, it fails. - -A temporary `cod` + 8-letter scheme created `chickliu.coddwrkviby@claw.163.com`, but BOSS clarified they want the dot-suffix itself to be only the 8 random letters. That temporary mailbox was deleted and replaced. - -## Env policy - -For this workflow, use: - -```bash -CLAWEMAIL_PREFIX= -CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8 -CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz -CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true -``` - -If helper scripts do not support these fields, generate the prefix directly in the runner: - -```python -import random, string -prefix = ''.join(random.choice(string.ascii_lowercase) for _ in range(8)) -``` - -Then call: - -```bash -mail-cli clawemail create --prefix "$prefix" --type sub --display-name "Codex OAuth $prefix" --json -``` - -Record created mailboxes in the configured `CLAWEMAIL_RECORD_FILE`, mark them `pending`, and update to `deleted_replaced`, `success`, or `failed` as the run proceeds. diff --git a/references/env-file-and-5sim-notes.md b/references/env-file-and-5sim-notes.md deleted file mode 100644 index eb20786..0000000 --- a/references/env-file-and-5sim-notes.md +++ /dev/null @@ -1,57 +0,0 @@ -# Codex OAuth env handling notes - -Session-derived operational notes for `codex-oauth-plus-onboarding`. - -## Sensitive template cleanup workflow - -If BOSS temporarily writes real values into the skill template at: - -```text -~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example -``` - -use this sequence: - -1. Copy the current template to the real local env file: - ```bash - mkdir -p ~/.hermes/env - chmod 700 ~/.hermes/env - cp -p ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example \ - ~/.hermes/env/codex_oauth_onboarding.env - chmod 600 ~/.hermes/env/codex_oauth_onboarding.env - ``` -2. Back up the original filled template to a private workspace backup before sanitizing: - ```bash - TS=$(date '+%Y%m%d_%H%M%S') - mkdir -p ~/.Hermes/workspace/codex-oauth/env-backups - cp -p ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example \ - ~/.Hermes/workspace/codex-oauth/env-backups/codex_oauth_onboarding.env.example.with-values_$TS - chmod 600 ~/.Hermes/workspace/codex-oauth/env-backups/codex_oauth_onboarding.env.example.with-values_$TS - ``` -3. Sanitize the template back to placeholders/defaults. Remove real target URLs, API keys, passwords, proxy server, phone numbers, ClawEmail UID, and account password. Keep only safe defaults such as Chrome path, browser profile root, booleans/timeouts, record-file paths, and example comments. -4. Verify no obvious sensitive residues remain: - ```bash - grep -nE '\*\*\*|\.\.\.|=[0-9]+\||chickliu|135601|192\.168\.2\.|socks5://[^h]|eyJhbGci|admin|password|token|key' \ - ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example || true - ``` - Review matches manually; example comments like `socks5://host:port` are OK. - -## 5sim field mapping - -When BOSS provides 5sim config in JSON/camelCase form, map it into env keys as: - -```bash -fiveSimApiKey -> FIVE_SIM_API_KEY -fiveSimBaseUrl -> FIVE_SIM_BASE_URL -fiveSimCountryOrder -> FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia -fiveSimOperator -> FIVE_SIM_OPERATOR=any -fiveSimProduct -> FIVE_SIM_PRODUCT=openai -``` - -For compatibility with older extension naming, also set: - -```bash -FIVE_SIM_SERVICE=openai -``` - -Do not echo the full JWT/API key in final replies; show only `[REDACTED]` or a short prefix/suffix if verification needs it. diff --git a/references/openai-chatgpt-browser-probe-2026-05-08.md b/references/openai-chatgpt-browser-probe-2026-05-08.md deleted file mode 100644 index 17a9376..0000000 --- a/references/openai-chatgpt-browser-probe-2026-05-08.md +++ /dev/null @@ -1,85 +0,0 @@ -# OpenAI/ChatGPT Browser Probe Notes — 2026-05-08 - -Session-specific learning from testing the Codex OAuth automation browser path on BOSS's Mac. - -## Symptoms observed - -- `https://openai.com/` loaded successfully in a real visible Chrome profile. -- `https://chatgpt.com/` failed before the registration/auth flow: - - First failure in Chrome: `NET::ERR_CERT_COMMON_NAME_INVALID` / privacy error. - - Relaunching Chrome with `--ignore-certificate-errors` bypassed the cert interstitial, but then failed with `ERR_CONNECTION_CLOSED`. - - Terminal probe also failed: `curl -I -L https://chatgpt.com/` returned `LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to chatgpt.com:443`. -- `https://openai.com/` via curl returned Cloudflare challenge/403 in one probe, while the visible browser still rendered the OpenAI page. - -## Interpretation - -Treat this as a network/proxy/TLS path issue before treating it as an extension automation bug. If `chatgpt.com` cannot complete TLS/HTTP loading in the same environment, steps that open ChatGPT or OpenAI Auth will fail regardless of sidepanel settings. - -## Probe sequence to reuse - -1. Launch an isolated Chrome profile with remote debugging and the unpacked extension, but do not start registration yet: - -```bash -/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \ - --user-data-dir="$PROFILE_DIR" \ - --remote-debugging-port=9228 \ - --disable-extensions-except="$CODEX_OAUTH_EXTENSION_DIR" \ - --load-extension="$CODEX_OAUTH_EXTENSION_DIR" \ - --no-first-run \ - --no-default-browser-check \ - --new-window https://openai.com/ -``` - -2. Verify CDP is reachable: - -```bash -curl -s http://127.0.0.1:9228/json/version -curl -s http://127.0.0.1:9228/json -``` - -3. Check direct network path before blaming DOM automation: - -```bash -curl -I -L --max-time 15 https://chatgpt.com/ -curl -I -L --max-time 15 https://openai.com/ -``` - -4. If Chrome shows `NET::ERR_CERT_COMMON_NAME_INVALID` for `chatgpt.com`, pause the OAuth run and fix proxy/TLS/mitm path first. `--ignore-certificate-errors` can be used only as a diagnostic; it is not a real fix because the next failure may still be `ERR_CONNECTION_CLOSED`. - -## PassWall2 DNS/prerequisite follow-up - -After BOSS updated PassWall2 AI split rules, the browser path was still blocked because DNS was not cleanly taken over by remote/proxied DNS: - -- `curl -I -L --max-time 20 https://chatgpt.com/` still failed with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`. -- Visible Chrome still ended on `chrome-error://chromewebdata/` with `ERR_CONNECTION_CLOSED`, and stderr continued to show `ssl_client_socket_impl.cc:924 ... net_error -100`. -- macOS system resolver returned polluted/suspicious answers: - - `chatgpt.com -> 199.59.150.40` plus IPv6 `2a03:2880:...` (Twitter/Facebook-looking ranges, not expected Cloudflare/OpenAI path) - - `accounts.openai.com -> 128.121.146.109` plus IPv6 `2001::80f2:f09b` -- A DoH comparison for `chatgpt.com` via Cloudflare showed expected Cloudflare-style A records such as `104.18.32.47` and `172.64.155.209`, confirming local DNS pollution. -- `scutil --dns` showed local macOS DNS included ISP/public resolvers such as `2400:3200::1`, `2402:4e00::`, `114.114.114.114`, and `8.8.8.8`; do not assume PassWall2 domain split rules alone mean DNS is being intercepted. - -Operational rule: if `chatgpt.com` or `accounts.openai.com` resolves to non-Cloudflare/Twitter/Facebook-looking addresses, stop. Ask BOSS to fix PassWall2 DNS takeover / remote DNS / fake-ip or redir-host settings before testing extension automation. Do not proceed to registration/OAuth while Chrome still shows `ERR_CONNECTION_CLOSED`. - -Helpful probe snippet: - -```bash -python3 - <<'PY' -import socket -for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']: - try: - print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)})) - except Exception as e: - print(host, 'ERR', e) -PY -scutil --dns | sed -n '1,120p' -curl -I -L --max-time 20 https://chatgpt.com/ -``` - - -Before sending `SAVE_SETTING` / `AUTO_RUN` programmatically, verify: - -- `chrome://extensions/` shows `codex-oauth-automation-extension` loaded. -- The target URL/extension ID corresponds to the unpacked repo, not a built-in/other extension. -- The target context exposes the expected Chrome extension APIs and/or the sidepanel route is usable. - -If `chrome://extensions/` shows no unpacked extension despite `--load-extension`, relaunch with a fresh profile and inspect Chrome stderr/profile policy before proceeding. \ No newline at end of file diff --git a/references/openai-lan-proxy-endpoint-probe-2026-05-08.md b/references/openai-lan-proxy-endpoint-probe-2026-05-08.md deleted file mode 100644 index 5e11ec9..0000000 --- a/references/openai-lan-proxy-endpoint-probe-2026-05-08.md +++ /dev/null @@ -1,94 +0,0 @@ -# OpenAI/ChatGPT Proxy Endpoint Probe Notes — 2026-05-08 - -## Context - -During Codex/OpenAI OAuth prerequisite testing, BOSS asked to verify direct browser access and then explicit LAN proxy endpoints: - -- `socks5://192.168.2.8:1085` (tested as `socks5h://` so DNS resolves through proxy) -- `http://192.168.2.8:1084` - -The Mac had local IP `192.168.2.69/24`, default route via `192.168.2.8`, and an ARP entry for `192.168.2.8`, but ICMP/TCP to the gateway/proxy endpoint failed. - -## Observed failure signatures - -System/browser without working proxy: - -```text -chatgpt.com -> polluted IPs such as 202.160.128.16 / 199.59.150.40 / 2a03:2880:... -accounts.openai.com -> polluted IPs such as 192.133.77.189 / 128.121.146.109 / 2a03:2880:... -Chrome: ERR_CONNECTION_CLOSED -curl: LibreSSL SSL_connect: SSL_ERROR_SYSCALL -``` - -Explicit SOCKS5/HTTP proxy endpoint unavailable: - -```text -ping 192.168.2.8 -> sendto: No route to host / 100% packet loss -nc -vz -w 5 192.168.2.8 1085 -> No route to host -curl --proxy socks5h://192.168.2.8:1085 https://chatgpt.com/ -> Failed to connect -nc -vz -w 3 192.168.2.8 1084 -> No route to host -curl --proxy http://192.168.2.8:1084 https://chatgpt.com/ -> Failed to connect -``` - -Route/ARP could still look superficially valid: - -```text -default gateway: 192.168.2.8 -192.168.2.8 at on en0 ifscope -local IP: 192.168.2.69 -``` - -Do not mistake this for a ChatGPT/OpenAI auth bug or extension bug. If the LAN proxy endpoint itself is unreachable, browser automation and OAuth should stop. - -## Recommended probe order - -1. Flush DNS cache only as a low-risk refresh: - -```bash -dscacheutil -flushcache || true -killall -HUP mDNSResponder 2>/dev/null || true -``` - -2. Check current DNS and detect pollution: - -```bash -python3 - <<'PY' -import socket -for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']: - try: - print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)})) - except Exception as e: - print(host, 'ERR', e) -PY -``` - -3. Test gateway and proxy endpoint before browser tests: - -```bash -ping -c 2 -W 1000 192.168.2.8 || true -nc -vz -w 5 192.168.2.8 1085 || true -nc -vz -w 5 192.168.2.8 1084 || true -``` - -4. For SOCKS5, use `socks5h://` in curl so DNS is performed through the proxy: - -```bash -curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/ -curl --proxy socks5h://192.168.2.8:1085 --max-time 20 https://api.ipify.org -``` - -5. For HTTP proxy: - -```bash -curl --proxy http://192.168.2.8:1084 -I -L --max-time 30 https://chatgpt.com/ -curl --proxy http://192.168.2.8:1084 --max-time 20 https://api.ipify.org -``` - -6. Only launch a proxied browser or extension run after at least one proxy endpoint succeeds. - -## Interpretation - -- `No route to host` to the proxy IP/port means the local Mac cannot reach the LAN proxy service. Fix LAN/gateway/firewall/Wi‑Fi/VLAN/router first. -- `Connection refused` means the host is reachable but no service is listening on that port or firewall actively rejects it. -- HTTP 200/30x/403 Cloudflare challenge through the proxy is better than transport failure; browser testing can proceed, but CAPTCHA/security challenge may still require manual action. -- Polluted system DNS may remain even while explicit `socks5h://` works; in that case use browser `--proxy-server=socks5://...` or ensure PassWall2 DNS hijack/remote DNS is correctly applied. diff --git a/references/passwall2-openai-dns-pollution-2026-05-08.md b/references/passwall2-openai-dns-pollution-2026-05-08.md deleted file mode 100644 index 6bfdbc0..0000000 --- a/references/passwall2-openai-dns-pollution-2026-05-08.md +++ /dev/null @@ -1,72 +0,0 @@ -# OpenAI/ChatGPT DNS Pollution Probe — 2026-05-08 - -Context: after BOSS updated PassWall2 AI/OpenAI分流规则, browser automation still could not proceed because the local macOS resolver was still returning polluted IPs for key ChatGPT/Auth domains. - -## Observed failure pattern - -System resolver results: - -```text -chatgpt.com -> 199.59.150.40, 2a03:2880:f10c:83:face:b00c:0:25de -accounts.openai.com -> 128.121.146.109, 2001::80f2:f09b -auth.openai.com -> 104.18.41.241, 172.64.146.15, Cloudflare IPv6 -openai.com -> 104.18.33.45, 172.64.154.211 -``` - -`chatgpt.com` and `accounts.openai.com` above are polluted / wrong for the flow. Browser and curl failed before automation could start: - -```text -curl https://chatgpt.com/ -> LibreSSL SSL_connect: SSL_ERROR_SYSCALL -curl https://accounts.openai.com/ -> LibreSSL SSL_connect: SSL_ERROR_SYSCALL -Chrome -> ERR_CONNECTION_CLOSED / net_error -100 -``` - -Cloudflare DoH comparison showed `chatgpt.com` should resolve to Cloudflare-like IPs such as: - -```text -chatgpt.com -> 104.18.32.47, 172.64.155.209 -``` - -## Diagnostic commands - -```bash -python3 - <<'PY' -import socket -for h in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']: - try: - print(h, sorted({x[4][0] for x in socket.getaddrinfo(h,443,proto=socket.IPPROTO_TCP)})) - except Exception as e: - print(h, 'ERR', e) -PY - -curl -I -L --max-time 12 https://chatgpt.com/ 2>&1 | sed -n '1,45p' -curl -I -L --max-time 12 https://accounts.openai.com/ 2>&1 | sed -n '1,45p' -scutil --dns 2>/dev/null | sed -n '1,120p' -``` - -## Interpretation - -If `openai.com` or `auth.openai.com` returns HTTP/2 403 Cloudflare challenge but `chatgpt.com` / `accounts.openai.com` still fail TLS or resolve to non-Cloudflare/polluted ranges, do **not** continue registration/OAuth automation. Fix PassWall2 DNS handling first. - -For BOSS's PassWall2 setup, ensure these domains use proxy-side/remote DNS, not the local ISP resolver: - -```text -chatgpt.com -accounts.openai.com -auth.openai.com -openai.com -``` - -macOS resolver in the failing run still had public/ISP DNS entries like `2400:3200::1`, `2402:4e00::`, `114.114.114.114`, and `8.8.8.8`; rules alone were insufficient because DNS was not cleanly hijacked/forwarded for these domains. - -## Process hygiene - -Old Chrome test processes can continue emitting noisy GCM/Crashpad errors. These are usually not the root cause: - -```text -Failed to connect to MCS endpoint -ConnectionHandler failed -Crashpad settings.dat: No such file or directory -``` - -Kill stale test Chrome processes after a failed probe so they do not distract from the DNS/TLS issue. diff --git a/references/passwall2-socks5-gateway-reachability-2026-05-08.md b/references/passwall2-socks5-gateway-reachability-2026-05-08.md deleted file mode 100644 index 4962e5a..0000000 --- a/references/passwall2-socks5-gateway-reachability-2026-05-08.md +++ /dev/null @@ -1,86 +0,0 @@ -# PassWall2 / SOCKS5 Gateway Reachability Probe — 2026-05-08 - -Session context: after BOSS updated PassWall2 split rules for OpenAI/ChatGPT/Codex OAuth testing, macOS still could not open `chatgpt.com` and Chrome showed `ERR_CONNECTION_CLOSED`. - -## Observed commands and results - -Low-risk macOS network refresh was performed: - -```bash -dscacheutil -flushcache -killall -HUP mDNSResponder 2>/dev/null || true -``` - -DNS stayed polluted after the cache flush: - -```text -chatgpt.com -> 202.160.128.16 / 2a03:2880:f10e:83:face:b00c:0:25de -accounts.openai.com -> 192.133.77.189 / 2a03:2880:f117:83:face:b00c:0:25de -auth.openai.com -> 104.18.41.241 / 172.64.146.15 -openai.com -> 104.18.33.45 / 172.64.154.211 -``` - -Testing the intended SOCKS5 gateway: - -```bash -nc -vz -w 3 192.168.2.8 1085 -curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 25 https://chatgpt.com/ -curl --proxy socks5h://192.168.2.8:1085 --max-time 15 https://api.ipify.org -ping -c 3 -W 1000 192.168.2.8 -arp -n 192.168.2.8 -route -n get 192.168.2.8 -``` - -Results: - -```text -nc: connectx to 192.168.2.8 port 1085 (tcp) failed: No route to host -curl: (7) Failed to connect to 192.168.2.8 port 1085: Couldn't connect to server -ping: sendto: No route to host / 100% packet loss -arp: 192.168.2.8 had a MAC entry on en0 -route: interface en0, host route present -``` - -Browser screenshot after refresh still showed: - -```text -无法访问此网站 -chatgpt.com 意外终止了连接。 -ERR_CONNECTION_CLOSED -``` - -## Reusable lesson - -For Codex/OpenAI onboarding tests, distinguish three layers before touching extension automation: - -1. **Local DNS pollution** — `chatgpt.com` / `accounts.openai.com` resolving to suspicious non-Cloudflare/Facebook-like ranges means domain rules alone are not enough. -2. **Proxy gateway reachability** — even `socks5h://...` cannot help if the Mac cannot reach the gateway/port. Test `nc`, `curl --proxy socks5h://`, `ping`, `arp`, and `route`. -3. **Browser page result** — only after gateway and DNS/proxy are healthy should Chrome/extension/OAuth be tested. - -Use `socks5h://` rather than `socks5://` in curl probes when the goal is to force DNS resolution through the SOCKS proxy. If `socks5h` fails to connect to the proxy itself, stop and report gateway/port reachability first. - -## Suggested probe block - -```bash -PROXY='socks5h://192.168.2.8:1085' - -printf '== DNS ==\n' -python3 - <<'PY' -import socket -for h in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']: - try: - print(h, sorted({x[4][0] for x in socket.getaddrinfo(h,443,proto=socket.IPPROTO_TCP)})) - except Exception as e: - print(h, 'ERR', e) -PY - -printf '\n== gateway/port ==\n' -route -n get 192.168.2.8 2>/dev/null || true -arp -n 192.168.2.8 || true -ping -c 3 -W 1000 192.168.2.8 || true -nc -vz -w 3 192.168.2.8 1085 || true - -printf '\n== through socks5h ==\n' -curl --proxy "$PROXY" -I -L --max-time 25 https://chatgpt.com/ 2>&1 | sed -n '1,80p' -curl --proxy "$PROXY" --max-time 15 https://api.ipify.org 2>&1 || true -``` diff --git a/skill/codex-oauth-plus-onboarding/SKILL.md b/skill/codex-oauth-plus-onboarding/SKILL.md index dcb8e05..9b0d618 100644 --- a/skill/codex-oauth-plus-onboarding/SKILL.md +++ b/skill/codex-oauth-plus-onboarding/SKILL.md @@ -47,12 +47,15 @@ These are confirmed operating rules for BOSS's environment: - The new account password is unified through `CUSTOM_PASSWORD`. If it is empty, stop and ask BOSS to fill it, unless BOSS explicitly allows auto-generation for that run. - ClawEmail creates a fresh mailbox for every run (`CLAWEMAIL_CREATE_PER_RUN=true`). Record every created mailbox locally with outcome classification: pending, success, failed. - Phone/SMS platform has no default. Keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless BOSS configures one or approves enabling it after a phone verification appears. +- If phone verification appears and BOSS has configured 5sim, use **SMS activation for `openai`**, not WhatsApp receive channels. The original extension's 5sim provider buys `/v1/user/buy/activation/{country}/{operator}/openai`, polls `/v1/user/check/{activationId}`, and finishes/cancels the activation. Follow the configured `FIVE_SIM_COUNTRY_ID` first; if it is empty, the extension default is `vietnam`. Do **not** silently switch countries after a rejected number unless BOSS changes config or approves fallback. Before buying/submitting a non-USA number, verify the OpenAI visible country selector is already the expected country (for example `越南 (+84)`); if it reverted to `美国 (+1)`, fix the selector first or the number will be parsed as invalid. Use visible UI paste/click on `add-phone` when possible because CDP-only input mutation can desync React state and revert the country on submit. If a number is **not immediately rejected**, do not cancel it after one polling timeout: poll 5sim, click OpenAI `重新发送`, poll again, and retry resend at least once before canceling/rotating. If changing proxy (for example `1085` → `1083`), expect OpenAI auth session invalidation and restart from a fresh target OAuth URL. Codex2API env URLs may point at `/admin/accounts`; derive the API origin before calling `/api/admin/oauth/generate-auth-url`. See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md`, `references/openai-phone-verification-5sim-sms-2026-05-10.md`, and `references/openai-phone-verification-proxy1083-resend-2026-05-10.md` for observed behavior, resend strategy, proxy-switch recovery, and pitfalls. - Plus mode uses `PLUS_PAYMENT_METHOD=gopay`. Any paid GoPay action still requires explicit confirmation immediately before payment/approval. - GoPay WhatsApp OTP uses **方案 A / manual checkpoint**: set `GOPAY_OTP_SOURCE=manual`. The extension detects OTP input and opens a side-panel prompt (`requestGoPayOtpInput` / “输入 GoPay 验证码”); BOSS pastes the WhatsApp code, then the extension fills OTP, fills `GOPAY_PIN`, and continues. - `GOPAY_OTP` should normally stay empty before the run. It is only a temporary prefill/cache for the current OTP dialog, not a durable secret. - Do not implement WhatsApp scraping/API automation unless BOSS explicitly requests it later. - +- When BOSS says the environment is normal and asks to start registration testing, treat `socks5://192.168.2.8:1085` as the expected browser proxy unless BOSS overrides it. If `BROWSER_PROXY_SERVER` is empty, patch the local env to this SOCKS5 endpoint and verify it before launching Chrome; do not stop with a question asking whether to use it. +- For ordinary-account test runs, set `PLUS_MODE_ENABLED=false` before launching. Keep `PLUS_PAYMENT_METHOD=gopay` untouched for later Plus runs, but do not enter Plus/payment steps. +- Registration/OAuth tests are step-gated for BOSS: after environment/config prep and mailbox creation, report the created mailbox and wait for explicit “继续” before launching the visible browser flow. 1. **Explicit target**: BOSS must specify exactly one target mode: `sub2api`, `codex2api`, or `cpa`; there is no default target, and an empty `PANEL_MODE` must stop execution. 2. **Single-run default**: default to one account / one OAuth flow unless BOSS explicitly requests a count. @@ -258,6 +261,8 @@ Important permissions include `tabs`, `webNavigation`, `webRequest`, `proxy`, `d ## Normal OAuth Flow Steps +**BOSS correction / manual-flow allowance:** if BOSS asks only to test whether ordinary registration works, do not over-focus on running the original extension as the automation engine. It is acceptable to follow the extension's normal-flow sequence manually through visible Chrome, CDP, and `mail-cli`. The extension should be treated as a process reference unless BOSS explicitly asks to use it. Still keep all checkpoints: stop for CAPTCHA/Cloudflare/security challenge/phone/payment, and do not proceed to OAuth until email verification succeeds. + Normal mode step definitions: 1. `open-chatgpt` — clear ChatGPT/OpenAI cookies and open ChatGPT. @@ -371,12 +376,9 @@ The built-in export function exports `getPersistedSettings()` as JSON; this can ## Troubleshooting -### Extension does not appear +### Google Chrome stable may ignore `--load-extension` -- Confirm Chrome was launched with `--load-extension` and `--disable-extensions-except` pointing to the repo directory. -- Confirm `manifest.json` exists and is Manifest V3. -- Use a non-headless browser. Chrome extension side panels are usually not practical in headless mode. -- When using Chrome DevTools Protocol, do not assume the first `/json` `service_worker` target is this automation extension; verify the extension is visible in `chrome://extensions/` and that the target URL/ID corresponds to the unpacked repo before sending `SAVE_SETTING` / `AUTO_RUN`. +On BOSS's macOS Chrome stable 147, verbose logs showed `--load-extension is not allowed in Google Chrome, ignoring.` In that case, `ps` still shows the flag but the extension card never appears. Do not keep relaunching the same way. Use the visible UI workaround: open `chrome://extensions`, enable Developer Mode, physically click **加载未打包的扩展程序**, choose the repo folder in the macOS picker, then verify the unpacked card is `ENABLED`. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md`. ### PassWall2/DNS split rules still polluted @@ -406,9 +408,31 @@ curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/ Use `socks5h://` with `curl` so DNS resolution happens through the SOCKS proxy. If proxy TCP tests fail with `No route to host`, stop: this is a LAN/gateway/proxy reachability problem, not an OpenAI OAuth or extension problem. -### SOCKS5 gateway not reachable +### OpenAI/ChatGPT direct-connect preflight before launching Chrome + +Before opening the visible Chrome registration flow, run a raw DNS/TLS preflight even if the rest of the environment looks healthy: + +```bash +python3 - <<'PY' +import socket +for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']: + try: + print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)})) + except Exception as e: + print(host, 'ERR', e) +PY +curl -I -L --max-time 25 https://chatgpt.com/ | sed -n '1,30p' +``` + +If `BROWSER_PROXY_SERVER` is empty and DNS/TLS shows known pollution or transport failure, **stop before launching the registration/OAuth flow**. Examples observed during BOSS's Codex2API + GoPay plan-A test: + +- `chatgpt.com` resolving to non-Cloudflare/suspicious ranges such as `67.230.169.182` or odd IPv6 entries. +- `accounts.openai.com` resolving to suspicious ranges such as `199.59.149.234` / `2001::...`. +- `curl https://chatgpt.com/` failing with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`. + +Treat this as an environment/proxy/DNS problem, not an extension, ClawEmail, Codex2API, or account problem. Ask BOSS to fill a reachable `BROWSER_PROXY_SERVER=socks5://host:port` or `http://host:port`, then re-run proxy TCP/exit-IP/ChatGPT checks before starting Chrome. This avoids burning a registration attempt on a flow that will almost certainly stall on OpenAI auth. + -If BOSS asks to test a specific proxy such as `socks5://192.168.2.8:1085`, test gateway reachability before browser/extension automation. Use `socks5h://` in curl when the intent is to force DNS through the SOCKS proxy: ```bash PROXY='socks5h://192.168.2.8:1085' @@ -422,6 +446,31 @@ ping -c 3 -W 1000 192.168.2.8 || true If the Mac cannot reach the gateway/port (`No route to host`, `Couldn't connect to server`, ping loss), report this as a local gateway/port problem rather than continuing OAuth or extension tests. See `references/passwall2-socks5-gateway-reachability-2026-05-08.md` for the session example. +### Extension launch appears successful but `chrome://extensions` is empty + +Chrome/CDP can mislead in multi-profile sessions. A process may show `--load-extension`, and CDP may even transiently show a `chrome-extension://.../service_worker.js` target, while the intended unpacked extension is not actually visible or registered in the isolated profile. + +Before starting OpenAI registration, verify the intended automation extension with stronger evidence: + +- `chrome://extensions/` visibly shows the `codex-oauth-automation-extension` unpacked card; or +- `Default/Preferences` has an `extensions.settings` entry whose manifest/path match the intended repo; or +- the intended extension page/sidepanel opens and renders expected UI; or +- an extension-context runtime call reads the expected manifest/state. + +If `chrome://extensions` is empty and `extensions.settings` is empty, stop before registration. Report the block as **extension launch/registration failure before signup**, keep the ClawEmail record pending/failed according to whether signup was actually attempted, and avoid burning the mailbox on a manual unsupported flow. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md` for the observed Chrome 147 anomaly and debug checklist. + +### OpenAI verification email does not arrive in ClawEmail + +A 2026-05-09 ordinary-registration test reached OpenAI's normal `email-verification` page with two fresh ClawEmail sub-mailboxes, but no OpenAI code arrived in inbox or spam even after resend. Both sub-mailboxes passed a self-send receive test, so the block was classified as OpenAI/ClawEmail deliverability rather than browser, proxy, extension, CAPTCHA, or phone-verification failure. See `references/openai-clawemail-verification-nondelivery-2026-05-09.md`. + +When this happens: + +1. Confirm the exact email in the OpenAI page body via DOM, not OCR only. +2. Poll the **sub-mailbox profile**, not just the default primary mailbox profile. +3. Check inbox and spam. +4. Send a self-test email to the sub-mailbox and verify it arrives. +5. If self-test works but OpenAI mail still does not arrive after resend, stop and record `openai_email_verification` failure; try a primary ClawEmail mailbox or another provider next. + ### Proxy not applied - Visit an IP-check page in the isolated browser before starting. @@ -453,6 +502,16 @@ If the Mac cannot reach the gateway/port (`No route to host`, `Couldn't connect - Confirm GPC helper URL/card key/phone/PIN/OTP channel settings. - Stop before retrying paid operations repeatedly; ask BOSS. +See `references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md` for the session note covering the macOS TCC screenshot fix, LAN/SOCKS5 verification, and ordinary-registration prep sequence. + +See `references/openai-clawemail-verification-nondelivery-2026-05-09.md` for the ordinary registration test where OpenAI reached the email-verification page for two ClawEmail submailboxes, but no OpenAI verification email arrived despite submailbox self-test delivery working. + +See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md` for the phone-verification continuation where OpenAI `add-phone` required SMS, BOSS corrected that WhatsApp receive channels must not be used, and 5sim `activation/*/openai` orders plus visible country selection were identified as the right class of workflow. + +See `references/openai-phone-verification-5sim-sms-2026-05-10.md` for the later detailed retry notes: follow configured country/default `vietnam`, cancel failed 5sim orders before buying new ones, treat OpenAI `无法向此电话号码发送验证码` as a number/provider rejection, and avoid CDP-only mutations that desync the React country selector back to `美国 (+1)`. + +See `references/openai-add-phone-1083-vietnam-resend-2026-05-10.md` for the follow-up test requested by BOSS: switch browser proxy to `socks5://192.168.2.8:1083`, regenerate Codex2API OAuth URL from the origin API when the auth session expires, continue with configured-country `vietnam` SMS activation, and for non-rejected numbers poll 5sim then click `重新发送` before canceling/retrying. + ## Verification Checklist - [ ] Config file exists at `~/.hermes/env/codex_oauth_onboarding.env` with mode-specific fields. diff --git a/references/chrome-147-unpacked-extension-loading-2026-05-09.md b/skill/codex-oauth-plus-onboarding/references/chrome-147-unpacked-extension-loading-2026-05-09.md similarity index 100% rename from references/chrome-147-unpacked-extension-loading-2026-05-09.md rename to skill/codex-oauth-plus-onboarding/references/chrome-147-unpacked-extension-loading-2026-05-09.md diff --git a/references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md b/skill/codex-oauth-plus-onboarding/references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md similarity index 100% rename from references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md rename to skill/codex-oauth-plus-onboarding/references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md diff --git a/references/openai-add-phone-1083-vietnam-resend-2026-05-10.md b/skill/codex-oauth-plus-onboarding/references/openai-add-phone-1083-vietnam-resend-2026-05-10.md similarity index 100% rename from references/openai-add-phone-1083-vietnam-resend-2026-05-10.md rename to skill/codex-oauth-plus-onboarding/references/openai-add-phone-1083-vietnam-resend-2026-05-10.md diff --git a/references/openai-add-phone-5sim-sms-activation-2026-05-10.md b/skill/codex-oauth-plus-onboarding/references/openai-add-phone-5sim-sms-activation-2026-05-10.md similarity index 100% rename from references/openai-add-phone-5sim-sms-activation-2026-05-10.md rename to skill/codex-oauth-plus-onboarding/references/openai-add-phone-5sim-sms-activation-2026-05-10.md diff --git a/references/openai-clawemail-verification-nondelivery-2026-05-09.md b/skill/codex-oauth-plus-onboarding/references/openai-clawemail-verification-nondelivery-2026-05-09.md similarity index 100% rename from references/openai-clawemail-verification-nondelivery-2026-05-09.md rename to skill/codex-oauth-plus-onboarding/references/openai-clawemail-verification-nondelivery-2026-05-09.md diff --git a/references/openai-phone-verification-5sim-sms-2026-05-10.md b/skill/codex-oauth-plus-onboarding/references/openai-phone-verification-5sim-sms-2026-05-10.md similarity index 100% rename from references/openai-phone-verification-5sim-sms-2026-05-10.md rename to skill/codex-oauth-plus-onboarding/references/openai-phone-verification-5sim-sms-2026-05-10.md diff --git a/references/openai-phone-verification-proxy1083-resend-2026-05-10.md b/skill/codex-oauth-plus-onboarding/references/openai-phone-verification-proxy1083-resend-2026-05-10.md similarity index 100% rename from references/openai-phone-verification-proxy1083-resend-2026-05-10.md rename to skill/codex-oauth-plus-onboarding/references/openai-phone-verification-proxy1083-resend-2026-05-10.md diff --git a/templates/codex_oauth_onboarding.env.example b/templates/codex_oauth_onboarding.env.example deleted file mode 100644 index b704385..0000000 --- a/templates/codex_oauth_onboarding.env.example +++ /dev/null @@ -1,150 +0,0 @@ -# Codex OAuth onboarding env template for real Google Chrome flow -# Copy to ~/.hermes/env/codex_oauth_onboarding.env and chmod 600. -# Do not commit. Do not paste secrets into chat. - -# 0) Local project / browser -CODEX_OAUTH_EXTENSION_DIR= -CHROME_BIN=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome -BROWSER_PROFILE_ROOT=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth -BROWSER_HEADLESS=false -BROWSER_LANG=zh-CN -RUN_COUNT=1 -AUTO_STEP_DELAY_SECONDS=2 -AUTO_RUN_SKIP_FAILURES=false -OAUTH_FLOW_TIMEOUT_ENABLED=true - -# 1) Panel / target mode. No default: leave empty and the workflow MUST NOT run. -# Must explicitly select exactly one before execution: cpa | sub2api | codex2api -PANEL_MODE= -LOCAL_CPA_STEP9_MODE=submit - -# CPA panel fields -CPA_VPS_URL= -CPA_VPS_PASSWORD= - -# SUB2API panel fields -SUB2API_URL= -SUB2API_EMAIL= -SUB2API_PASSWORD= -SUB2API_GROUP_NAME= -SUB2API_ACCOUNT_PRIORITY=1 -SUB2API_DEFAULT_PROXY_NAME= - -# Codex2API panel fields -CODEX2API_URL= -CODEX2API_ADMIN_KEY= - -# 2) Browser proxy. BOSS provides SOCKS5 or HTTP proxy without username/password. -# Examples: socks5://host:port or http://host:port -BROWSER_PROXY_SERVER= -BROWSER_PROXY_CHECK_URL=https://api.ipify.org?format=json - -# Extension built-in 711proxy/IP proxy fields, only if using original project proxy panel. -IP_PROXY_ENABLED=false -IP_PROXY_SERVICE= -IP_PROXY_MODE= -IP_PROXY_API_URL= -IP_PROXY_ACCOUNT_LIST= -IP_PROXY_ACCOUNT_SESSION_PREFIX=codex -IP_PROXY_ACCOUNT_LIFE_MINUTES= -IP_PROXY_POOL_TARGET_COUNT=20 -IP_PROXY_AUTO_SYNC_ENABLED=false -IP_PROXY_AUTO_SYNC_INTERVAL_MINUTES=15 -IP_PROXY_HOST= -IP_PROXY_PORT= -IP_PROXY_PROTOCOL= -IP_PROXY_REGION= - -# 3) Registration identity and password -# ClawEmail must create a fresh mailbox each run and record it locally with status. -CLAWEMAIL_CREATE_PER_RUN=true -CLAWEMAIL_PREFIX=codex -CLAWEMAIL_UID= -CLAWEMAIL_RECORD_FILE=/Users/chick/.Hermes/workspace/codex-oauth/run-records/clawemail_accounts.jsonl -SIGNUP_METHOD=email -CUSTOM_PASSWORD= - -# 4) Mail provider fields from original project, fill only if not using Hermes-side ClawEmail polling. -MAIL_PROVIDER= -EMAIL_GENERATOR=custom -CUSTOM_EMAIL_POOL= -CUSTOM_MAIL_PROVIDER_POOL= -INBUCKET_HOST= -INBUCKET_MAILBOX= -HOTMAIL_SERVICE_MODE= -HOTMAIL_REMOTE_BASE_URL= -HOTMAIL_LOCAL_BASE_URL= -LUCKMAIL_API_KEY= -LUCKMAIL_BASE_URL= -LUCKMAIL_EMAIL_TYPE= -LUCKMAIL_DOMAIN= -CLOUDFLARE_TEMP_EMAIL_BASE_URL= -CLOUDFLARE_TEMP_EMAIL_ADMIN_AUTH= -CLOUDFLARE_TEMP_EMAIL_CUSTOM_AUTH= -CLOUDFLARE_TEMP_EMAIL_RECEIVE_MAILBOX= -CLOUDFLARE_TEMP_EMAIL_USE_RANDOM_SUBDOMAIN=false -CLOUDFLARE_TEMP_EMAIL_DOMAIN= - -# 5) Phone/SMS verification fallback. No default provider: leave disabled/empty unless needed. -PHONE_VERIFICATION_ENABLED=false -SIGNUP_PHONE= -PHONE_SMS_PROVIDER= -PHONE_SMS_PROVIDER_ORDER= -VERIFICATION_RESEND_COUNT=0 -PHONE_VERIFICATION_REPLACEMENT_LIMIT=3 -PHONE_CODE_WAIT_SECONDS=60 -PHONE_CODE_TIMEOUT_WINDOWS=2 -PHONE_CODE_POLL_INTERVAL_SECONDS=5 -PHONE_CODE_POLL_MAX_ROUNDS=12 -PHONE_PREFERRED_ACTIVATION= - -# HeroSMS -HERO_SMS_API_KEY= -HERO_SMS_REUSE_ENABLED= -HERO_SMS_ACQUIRE_PRIORITY= -HERO_SMS_MAX_PRICE= -HERO_SMS_PREFERRED_PRICE= -HERO_SMS_COUNTRY_ID= -HERO_SMS_COUNTRY_LABEL= -HERO_SMS_COUNTRY_FALLBACK= - -# 5sim -FIVE_SIM_API_KEY= -FIVE_SIM_PRODUCT= -FIVE_SIM_COUNTRY_ORDER= -FIVE_SIM_COUNTRY_ID= -FIVE_SIM_COUNTRY_LABEL= -FIVE_SIM_COUNTRY_FALLBACK= -FIVE_SIM_MAX_PRICE= -FIVE_SIM_OPERATOR=any - -# NexSMS -NEX_SMS_API_KEY= -NEX_SMS_COUNTRY_ORDER= -NEX_SMS_SERVICE_CODE= - -# 6) Plus/payment. BOSS chose GoPay. Paid operation still requires explicit confirmation before execution. -PLUS_MODE_ENABLED=false -PLUS_PAYMENT_METHOD=gopay -GOPAY_COUNTRY_CODE=+86 -GOPAY_PHONE= -GOPAY_OTP= -GOPAY_OTP_SOURCE=manual -GOPAY_OTP_MANUAL_TIMEOUT_SECONDS=180 -GOPAY_PIN= - -# GPC helper fields retained but not used when PLUS_PAYMENT_METHOD=gopay -GPC_HELPER_API_URL= -GPC_HELPER_CARD_KEY= -GPC_HELPER_COUNTRY_CODE=+86 -GPC_HELPER_PHONE_NUMBER= -GPC_HELPER_PIN= -GPC_HELPER_OTP_CHANNEL= -GPC_HELPER_LOCAL_SMS_ENABLED=false -GPC_HELPER_LOCAL_SMS_URL=http://127.0.0.1:18767 - -# 7) Local run records -RUN_RECORD_DIR=/Users/chick/.Hermes/workspace/codex-oauth/run-records -ACCOUNT_SUCCESS_FILE=/Users/chick/.Hermes/workspace/codex-oauth/run-records/success_accounts.jsonl -ACCOUNT_FAILED_FILE=/Users/chick/.Hermes/workspace/codex-oauth/run-records/failed_accounts.jsonl -ACCOUNT_PENDING_FILE=/Users/chick/.Hermes/workspace/codex-oauth/run-records/pending_accounts.jsonl