fix: keep skill package layout
This commit is contained in:
@@ -1,525 +0,0 @@
|
||||
---
|
||||
name: codex-oauth-plus-onboarding
|
||||
description: "Use when BOSS asks to register a ChatGPT/Codex OAuth account flow with ClawEmail, optionally open Plus through GoPay/GPC, and authorize the OAuth callback into SUB2API, Codex2API, or CPA using an isolated proxied browser profile."
|
||||
version: 1.0.0
|
||||
author: Hermes Agent
|
||||
license: MIT
|
||||
metadata:
|
||||
hermes:
|
||||
tags: [codex, oauth, clawemail, gopay, sub2api, codex2api, cpa, browser-automation]
|
||||
related_skills: [clawemail-operations, browser-extension-storage-audit]
|
||||
---
|
||||
|
||||
# Codex OAuth + Plus Onboarding
|
||||
|
||||
## Overview
|
||||
|
||||
This skill describes the safe, repeatable workflow for using the local `codex-oauth-automation-extension` project to run a **single user-authorized onboarding flow**:
|
||||
|
||||
1. Use **ClawEmail** as the registration mailbox.
|
||||
2. Register/Login through ChatGPT/OpenAI auth.
|
||||
3. Optionally open ChatGPT Plus through **GoPay / GPC helper**.
|
||||
4. Complete OAuth authorization.
|
||||
5. Submit the localhost OAuth callback to exactly one configured target: **SUB2API**, **Codex2API**, or **CPA**.
|
||||
6. Run the browser in an isolated profile with a dedicated proxy.
|
||||
|
||||
The skill is for BOSS's own infrastructure and accounts only. Do not use it for spam, credential stuffing, rate-limit evasion, CAPTCHA bypass, unauthorized account creation, or bulk registration. If a page asks for CAPTCHA, security challenge, phone ownership proof, payment confirmation, or another user-visible anti-abuse checkpoint, pause and ask BOSS to complete/approve it manually.
|
||||
|
||||
## When to Use
|
||||
|
||||
Use this skill when BOSS asks for any of these:
|
||||
|
||||
- “用 ClawEmail 注册 Codex / ChatGPT OAuth,然后授权到 SUB2API / Codex2API / CPA”
|
||||
- “用 GoPay 开 Plus 后把 OAuth 接进去”
|
||||
- “把 QLHazyCoder/codex-oauth-automation-extension 那套流程跑起来”
|
||||
- “给这个注册流程做独立代理、无痕/隔离浏览器配置”
|
||||
- “把这个流程做成可复用配置和操作步骤”
|
||||
|
||||
Also load `clawemail-operations` before any ClawEmail mailbox work.
|
||||
|
||||
## BOSS-specific Operating Defaults
|
||||
|
||||
These are confirmed operating rules for BOSS's environment:
|
||||
|
||||
- Use **Google Chrome stable** at `/Applications/Google Chrome.app/Contents/MacOS/Google Chrome` with a real visible window.
|
||||
- Do **not** set a default target platform. If `PANEL_MODE` is empty or not one of `cpa|sub2api|codex2api`, stop before launching the run.
|
||||
- Proxies are supplied as unauthenticated `socks5://host:port` or `http://host:port`; do not expect proxy username/password.
|
||||
- The new account password is unified through `CUSTOM_PASSWORD`. If it is empty, stop and ask BOSS to fill it, unless BOSS explicitly allows auto-generation for that run.
|
||||
- ClawEmail creates a fresh mailbox for every run (`CLAWEMAIL_CREATE_PER_RUN=true`). Record every created mailbox locally with outcome classification: pending, success, failed.
|
||||
- Phone/SMS platform has no default. Keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless BOSS configures one or approves enabling it after a phone verification appears.
|
||||
- If phone verification appears and BOSS has configured 5sim, use **SMS activation for `openai`**, not WhatsApp receive channels. The original extension's 5sim provider buys `/v1/user/buy/activation/{country}/{operator}/openai`, polls `/v1/user/check/{activationId}`, and finishes/cancels the activation. Follow the configured `FIVE_SIM_COUNTRY_ID` first; if it is empty, the extension default is `vietnam`. Do **not** silently switch countries after a rejected number unless BOSS changes config or approves fallback. Before buying/submitting a non-USA number, verify the OpenAI visible country selector is already the expected country (for example `越南 (+84)`); if it reverted to `美国 (+1)`, fix the selector first or the number will be parsed as invalid. Use visible UI paste/click on `add-phone` when possible because CDP-only input mutation can desync React state and revert the country on submit. If a number is **not immediately rejected**, do not cancel it after one polling timeout: poll 5sim, click OpenAI `重新发送`, poll again, and retry resend at least once before canceling/rotating. If changing proxy (for example `1085` → `1083`), expect OpenAI auth session invalidation and restart from a fresh target OAuth URL. Codex2API env URLs may point at `/admin/accounts`; derive the API origin before calling `/api/admin/oauth/generate-auth-url`. See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md`, `references/openai-phone-verification-5sim-sms-2026-05-10.md`, and `references/openai-phone-verification-proxy1083-resend-2026-05-10.md` for observed behavior, resend strategy, proxy-switch recovery, and pitfalls.
|
||||
- Plus mode uses `PLUS_PAYMENT_METHOD=gopay`. Any paid GoPay action still requires explicit confirmation immediately before payment/approval.
|
||||
- GoPay WhatsApp OTP uses **方案 A / manual checkpoint**: set `GOPAY_OTP_SOURCE=manual`. The extension detects OTP input and opens a side-panel prompt (`requestGoPayOtpInput` / “输入 GoPay 验证码”); BOSS pastes the WhatsApp code, then the extension fills OTP, fills `GOPAY_PIN`, and continues.
|
||||
- `GOPAY_OTP` should normally stay empty before the run. It is only a temporary prefill/cache for the current OTP dialog, not a durable secret.
|
||||
- Do not implement WhatsApp scraping/API automation unless BOSS explicitly requests it later.
|
||||
|
||||
- When BOSS says the environment is normal and asks to start registration testing, treat `socks5://192.168.2.8:1085` as the expected browser proxy unless BOSS overrides it. If `BROWSER_PROXY_SERVER` is empty, patch the local env to this SOCKS5 endpoint and verify it before launching Chrome; do not stop with a question asking whether to use it.
|
||||
- For ordinary-account test runs, set `PLUS_MODE_ENABLED=false` before launching. Keep `PLUS_PAYMENT_METHOD=gopay` untouched for later Plus runs, but do not enter Plus/payment steps.
|
||||
- Registration/OAuth tests are step-gated for BOSS: after environment/config prep and mailbox creation, report the created mailbox and wait for explicit “继续” before launching the visible browser flow.
|
||||
|
||||
1. **Explicit target**: BOSS must specify exactly one target mode: `sub2api`, `codex2api`, or `cpa`; there is no default target, and an empty `PANEL_MODE` must stop execution.
|
||||
2. **Single-run default**: default to one account / one OAuth flow unless BOSS explicitly requests a count.
|
||||
3. **No CAPTCHA bypass**: if Cloudflare/CAPTCHA/security challenge appears, stop and report the required manual action.
|
||||
4. **Payment checkpoint**: Plus mode is GoPay for BOSS, but before any GoPay payment or paid operation, confirm that BOSS wants to proceed.
|
||||
5. **No secret leakage**: never print API keys, admin keys, proxy addresses if sensitive, refresh tokens, card keys, or OAuth callback URLs containing `code=` in final summaries. Redact as `[REDACTED]`.
|
||||
6. **Config export risk**: the extension’s built-in settings export may contain secrets. Treat exported files as sensitive.
|
||||
7. **Mailbox records**: every freshly-created ClawEmail mailbox must be recorded locally with run id and final status (`pending`, `success`, or `failed`).
|
||||
|
||||
## Repository and Local Paths
|
||||
|
||||
Known research clone:
|
||||
|
||||
```bash
|
||||
/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
|
||||
```
|
||||
|
||||
If missing, clone shallow:
|
||||
|
||||
```bash
|
||||
mkdir -p /Users/chick/.Hermes/workspace/research
|
||||
cd /Users/chick/.Hermes/workspace/research
|
||||
git clone --depth=1 https://github.com/QLHazyCoder/codex-oauth-automation-extension.git
|
||||
```
|
||||
|
||||
Validate tests when modifying or before relying on a changed checkout:
|
||||
|
||||
```bash
|
||||
cd /Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
|
||||
node --test tests/*.test.js
|
||||
```
|
||||
|
||||
Observed verification result during initial study: `772` tests passed, `0` failed.
|
||||
|
||||
## Configuration File
|
||||
|
||||
Create a dedicated env file instead of typing secrets into chat. A fuller template is stored with this skill at `templates/codex_oauth_onboarding.env.example`. If BOSS has temporarily filled real values into that template, first copy it to the real env file, back up the filled template privately, and sanitize the template again; see `references/env-file-and-5sim-notes.md`.
|
||||
|
||||
```bash
|
||||
mkdir -p ~/.hermes/env
|
||||
chmod 700 ~/.hermes/env
|
||||
cp ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example ~/.hermes/env/codex_oauth_onboarding.env
|
||||
chmod 600 ~/.hermes/env/codex_oauth_onboarding.env
|
||||
$EDITOR ~/.hermes/env/codex_oauth_onboarding.env
|
||||
```
|
||||
|
||||
High-level required groups:
|
||||
|
||||
1. **Local project / browser**: `CODEX_OAUTH_EXTENSION_DIR`, `CHROME_BIN`, `BROWSER_PROFILE_ROOT`, `BROWSER_HEADLESS=false`.
|
||||
2. **Panel / target mode**: `PANEL_MODE=cpa|sub2api|codex2api` has **no default**; if empty, stop. Fill only the selected target’s auth fields copied from the original side panel (`CPA_VPS_URL`/`CPA_VPS_PASSWORD`, or `SUB2API_*`, or `CODEX2API_*`).
|
||||
3. **Proxy**: fill `BROWSER_PROXY_SERVER` with BOSS-provided unauthenticated `socks5://host:port` or `http://host:port`; use `IP_PROXY_*` only when using the original extension’s built-in 711proxy/IP proxy panel.
|
||||
4. **Registration identity and password**: `CLAWEMAIL_CREATE_PER_RUN=true`, `CLAWEMAIL_PREFIX`, `CLAWEMAIL_RECORD_FILE`, `SIGNUP_METHOD=email`, and unified `CUSTOM_PASSWORD`. For BOSS's ClawEmail per-run accounts, use a pure lowercase English **8-letter random create prefix with no base prefix** (example create prefix `abcdefgh`, resulting sub-mailbox shape `chickliu.abcdefgh@claw.163.com`). Live ClawEmail probing showed create prefixes are accepted only up to 11 characters and dots/hyphens are rejected despite docs/help text, so do not use `codex` + 8 letters. Store/observe the policy with `CLAWEMAIL_PREFIX=` (empty), `CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8`, `CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz`, and `CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true` when helper scripts support it; if not, generate the 8-letter prefix in the runner before calling `mail-cli clawemail create --prefix ...`.
|
||||
5. **Mail provider**: `MAIL_PROVIDER`, `EMAIL_GENERATOR`, and original-provider fields only if not polling ClawEmail from Hermes.
|
||||
6. **Phone/SMS verification fallback**: no default provider; keep `PHONE_VERIFICATION_ENABLED=false` and `PHONE_SMS_PROVIDER` empty unless configured/approved.
|
||||
7. **Plus/payment**: `PLUS_MODE_ENABLED=true`, `PLUS_PAYMENT_METHOD=gopay`; paid operations still require explicit confirmation.
|
||||
|
||||
Minimal template excerpt:
|
||||
|
||||
```bash
|
||||
# Required: local extension repo
|
||||
CODEX_OAUTH_EXTENSION_DIR=/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
|
||||
```bash
|
||||
# Required: ClawEmail mailbox
|
||||
CLAWEMAIL_UID=chickliu@claw.163.com
|
||||
# BOSS preference: per-run sub-mailbox create prefix is exactly 8 lowercase English random letters.
|
||||
# Example create prefix: abcdefgh -> chickliu.abcdefgh@claw.163.com
|
||||
CLAWEMAIL_PREFIX=
|
||||
CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8
|
||||
CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz
|
||||
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
|
||||
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
|
||||
```
|
||||
# Browser isolation
|
||||
BROWSER_PROFILE_ROOT=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth
|
||||
BROWSER_HEADLESS=false
|
||||
BROWSER_PROXY_SERVER=http://host:port
|
||||
BROWSER_PROXY_USERNAME=
|
||||
BROWSER_PROXY_PASSWORD=
|
||||
|
||||
# Target mode: sub2api | codex2api | cpa
|
||||
OAUTH_TARGET_MODE=sub2api
|
||||
|
||||
# SUB2API settings
|
||||
SUB2API_URL=
|
||||
SUB2API_EMAIL=
|
||||
SUB2API_PASSWORD=
|
||||
SUB2API_GROUP_NAME=default
|
||||
SUB2API_ACCOUNT_PRIORITY=1
|
||||
SUB2API_DEFAULT_PROXY_NAME=
|
||||
|
||||
# Codex2API settings
|
||||
CODEX2API_URL=
|
||||
CODEX2API_ADMIN_KEY=
|
||||
|
||||
# CPA settings
|
||||
CPA_URL=
|
||||
CPA_MANAGEMENT_KEY=
|
||||
CPA_LOCAL_STEP9_MODE=submit
|
||||
|
||||
# Plus / GoPay / GPC helper settings
|
||||
PLUS_MODE_ENABLED=false
|
||||
PLUS_PAYMENT_METHOD=gpc-helper
|
||||
GPC_HELPER_API_URL=
|
||||
GPC_HELPER_CARD_KEY=
|
||||
GPC_HELPER_COUNTRY_CODE=+86
|
||||
GPC_HELPER_PHONE_NUMBER=
|
||||
GPC_HELPER_PIN=
|
||||
GPC_HELPER_OTP_CHANNEL=whatsapp
|
||||
GPC_HELPER_LOCAL_SMS_ENABLED=false
|
||||
GPC_HELPER_LOCAL_SMS_URL=http://127.0.0.1:18767
|
||||
|
||||
# Runtime behavior
|
||||
RUN_COUNT=1
|
||||
AUTO_RUN_SKIP_FAILURES=false
|
||||
AUTO_STEP_DELAY_SECONDS=2
|
||||
OAUTH_FLOW_TIMEOUT_ENABLED=true
|
||||
```
|
||||
|
||||
Rules:
|
||||
|
||||
- Keep this file local only; never commit it.
|
||||
- Use `[REDACTED]` in reports for all secret values.
|
||||
- If multiple target sections are filled, only the section selected by `OAUTH_TARGET_MODE` should be used.
|
||||
|
||||
## Browser Isolation and Proxy Strategy
|
||||
|
||||
This workflow must use a **real visible Chrome/Chromium browser**. Do not use headless browser mode for registration, payment, OAuth consent, or security-sensitive OpenAI/Auth pages.
|
||||
|
||||
Use a **dedicated browser profile** per run or per account. “无痕模式” in Chrome does not normally persist extension state and may not allow side panel/extensions unless explicitly enabled. For this extension, prefer a real visible browser with:
|
||||
|
||||
- Dedicated clean `user-data-dir` profile.
|
||||
- Loaded unpacked extension from `CODEX_OAUTH_EXTENSION_DIR`.
|
||||
- Proxy applied at browser launch or by a verified local proxy wrapper.
|
||||
- Human-visible UI for CAPTCHA/security/payment checkpoints.
|
||||
- Profile cleared after success if BOSS wants no local residue.
|
||||
|
||||
Recommended profile naming:
|
||||
|
||||
```bash
|
||||
RUN_ID=$(date +%Y%m%d-%H%M%S)
|
||||
PROFILE_DIR="$BROWSER_PROFILE_ROOT/$RUN_ID"
|
||||
mkdir -p "$PROFILE_DIR"
|
||||
```
|
||||
|
||||
Chrome launch pattern:
|
||||
|
||||
```bash
|
||||
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
|
||||
--user-data-dir="$PROFILE_DIR" \
|
||||
--disable-extensions-except="$CODEX_OAUTH_EXTENSION_DIR" \
|
||||
--load-extension="$CODEX_OAUTH_EXTENSION_DIR" \
|
||||
--proxy-server="$BROWSER_PROXY_SERVER" \
|
||||
--no-first-run \
|
||||
--no-default-browser-check
|
||||
```
|
||||
|
||||
If proxy authentication is required and Chrome launch flags do not authenticate reliably, use one of these approaches:
|
||||
|
||||
1. Use an upstream proxy URL that embeds auth only in a local proxy wrapper, not in command history.
|
||||
2. Start a local forwarding proxy that injects upstream credentials.
|
||||
3. Configure proxy credentials inside the extension only if the extension supports it and the config file is protected.
|
||||
|
||||
Do not reuse the normal personal browser profile for this workflow.
|
||||
|
||||
## ClawEmail Preparation
|
||||
|
||||
Load `clawemail-operations` and verify:
|
||||
|
||||
```bash
|
||||
mail-cli auth test --json
|
||||
mail-cli clawemail list --json
|
||||
mail-cli clawemail info --uid "$CLAWEMAIL_UID" --json
|
||||
```
|
||||
|
||||
Registration email choice:
|
||||
|
||||
- Default: use `CLAWEMAIL_UID` directly.
|
||||
- If BOSS wants per-run sub-mailboxes, create them with `mail-cli clawemail create --prefix ...` and set the extension’s registration email to the created UID.
|
||||
|
||||
For code retrieval, the extension may interact with mail provider pages or helper logic, but ClawEmail can also be polled by Hermes:
|
||||
|
||||
```bash
|
||||
mail-cli mail list --fid 1 --limit 20 --json
|
||||
mail-cli read body --id '<message-id>'
|
||||
```
|
||||
|
||||
Always quote message IDs.
|
||||
|
||||
## Extension Architecture Reference
|
||||
|
||||
The project is a Manifest V3 Chrome extension:
|
||||
|
||||
- `manifest.json`: permissions, host permissions, content scripts, side panel.
|
||||
- `background.js`: service worker and state orchestration.
|
||||
- `background/message-router.js`: handles sidepanel messages such as `EXECUTE_STEP`, `AUTO_RUN`, `SAVE_SETTING`, `EXPORT_SETTINGS`, `IMPORT_SETTINGS`.
|
||||
- `data/step-definitions.js`: step list for normal and Plus modes.
|
||||
- `background/steps/*.js`: one executor per major step.
|
||||
- `content/signup-page.js`: OpenAI/Auth page DOM automation.
|
||||
- `content/*mail*.js`: mail provider automation.
|
||||
- `sidepanel/sidepanel.js`: UI controls and settings collection.
|
||||
|
||||
Important permissions include `tabs`, `webNavigation`, `webRequest`, `proxy`, `debugger`, `cookies`, `browsingData`, `storage`, `scripting`, `activeTab`, and `<all_urls>` host access.
|
||||
|
||||
## Normal OAuth Flow Steps
|
||||
|
||||
**BOSS correction / manual-flow allowance:** if BOSS asks only to test whether ordinary registration works, do not over-focus on running the original extension as the automation engine. It is acceptable to follow the extension's normal-flow sequence manually through visible Chrome, CDP, and `mail-cli`. The extension should be treated as a process reference unless BOSS explicitly asks to use it. Still keep all checkpoints: stop for CAPTCHA/Cloudflare/security challenge/phone/payment, and do not proceed to OAuth until email verification succeeds.
|
||||
|
||||
Normal mode step definitions:
|
||||
|
||||
1. `open-chatgpt` — clear ChatGPT/OpenAI cookies and open ChatGPT.
|
||||
2. `submit-signup-email` — enter email or phone registration identity.
|
||||
3. `fill-password` — generate/use password and submit.
|
||||
4. `fetch-signup-code` — fetch registration verification code from mailbox/SMS.
|
||||
5. `fill-profile` — generate and submit name + birthday.
|
||||
6. `wait-registration-success` — wait for registration to stabilize.
|
||||
7. `oauth-login` — refresh OAuth URL from selected target and log in.
|
||||
8. `fetch-login-code` — fetch login verification code if needed.
|
||||
9. `confirm-oauth` — click OAuth consent / Continue and capture localhost callback.
|
||||
10. `platform-verify` — submit callback/code/state to SUB2API, Codex2API, or CPA.
|
||||
|
||||
### ClawEmail random suffix policy
|
||||
|
||||
BOSS specifically prefers Codex onboarding sub-mailboxes to use **only an 8-letter lowercase English random create prefix** after the primary mailbox dot, e.g. `chickliu.ktqcxzux@claw.163.com`. Do not use `cod`/`codex` plus 8 letters unless BOSS asks; the live ClawEmail API only accepted create prefixes up to 11 characters and rejected dots/hyphens during probing. See `clawemail-operations` reference `references/clawemail-prefix-probe-2026-05.md` and this skill's `references/clawemail-random-suffix-policy-2026-05.md`.
|
||||
|
||||
|
||||
```bash
|
||||
FIVE_SIM_API_KEY=
|
||||
FIVE_SIM_BASE_URL=https://5sim.net/v1
|
||||
FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia
|
||||
FIVE_SIM_OPERATOR=any
|
||||
FIVE_SIM_PRODUCT=openai
|
||||
FIVE_SIM_SERVICE=openai
|
||||
```
|
||||
|
||||
## Plus Flow Steps
|
||||
|
||||
When `PLUS_MODE_ENABLED=true`, the extension switches step definitions.
|
||||
|
||||
PayPal Plus path:
|
||||
|
||||
1-5. same registration steps.
|
||||
6. `plus-checkout-create` — create Plus Checkout.
|
||||
7. `plus-checkout-billing` — fill billing and submit order.
|
||||
8. `paypal-approve` — PayPal login/approval.
|
||||
9. `plus-checkout-return` — confirm return.
|
||||
10. `oauth-login`.
|
||||
11. `fetch-login-code`.
|
||||
12. `confirm-oauth`.
|
||||
13. `platform-verify`.
|
||||
|
||||
GoPay/GPC helper paths use similar Plus step positions, with payment-specific logic in `background/steps/create-plus-checkout.js`, `fill-plus-checkout.js`, `gopay-*`, and helper API settings.
|
||||
|
||||
## Applying Settings in the Extension
|
||||
|
||||
The sidepanel normally sends settings through `SAVE_SETTING`; the background persists keys in `chrome.storage.local` via `PERSISTED_SETTING_KEYS`.
|
||||
|
||||
Manual UI route:
|
||||
|
||||
1. Open isolated Chrome profile with extension loaded.
|
||||
2. Open the extension side panel.
|
||||
3. Set `panelMode` according to `OAUTH_TARGET_MODE`:
|
||||
- `sub2api` → fill SUB2API URL/email/password/group/proxy/priority.
|
||||
- `codex2api` → fill Codex2API URL/Admin Key.
|
||||
- `cpa` → fill CPA URL and management key.
|
||||
4. Set registration email to ClawEmail mailbox.
|
||||
5. Enable Plus mode only if requested.
|
||||
6. Select `gpc-helper` / GoPay settings when using GoPay/GPC.
|
||||
7. Configure proxy mode if the extension manages proxy; otherwise rely on browser launch proxy.
|
||||
8. Save settings.
|
||||
9. Start manual steps or Auto Run with `RUN_COUNT=1`.
|
||||
|
||||
Programmatic route, if writing a helper script:
|
||||
|
||||
- Prefer controlling the sidepanel UI or sending extension runtime messages from the extension context.
|
||||
- Do not inject secrets into shell command lines where they will remain in history/process listings.
|
||||
- Keep settings source in `~/.hermes/env/codex_oauth_onboarding.env`.
|
||||
|
||||
## Execution Checklist
|
||||
|
||||
1. Load this skill and `clawemail-operations`.
|
||||
2. Read `~/.hermes/env/codex_oauth_onboarding.env` locally; validate required fields for the selected target.
|
||||
3. Confirm payment/Plus intent if `PLUS_MODE_ENABLED=true`.
|
||||
4. Verify ClawEmail auth and selected mailbox.
|
||||
5. Confirm extension repo exists and tests pass if the checkout changed.
|
||||
6. Start a dedicated proxied browser profile with the unpacked extension.
|
||||
7. Open sidepanel and apply settings.
|
||||
8. Start one run.
|
||||
9. Monitor logs for:
|
||||
- registration email submitted
|
||||
- signup verification code fetched
|
||||
- profile completed
|
||||
- Plus checkout/payment status, if enabled
|
||||
- OAuth URL refreshed
|
||||
- login code fetched, if required
|
||||
- localhost callback captured
|
||||
- platform verification succeeded
|
||||
10. If security challenge/CAPTCHA/phone/payment confirmation appears, pause and notify BOSS.
|
||||
11. After success, verify target platform has the new authorized account/session.
|
||||
12. Redact secrets and callback codes in the final report.
|
||||
|
||||
## Storage and Export Risk
|
||||
|
||||
The extension stores sensitive configuration in `chrome.storage.local`, including possible:
|
||||
|
||||
- CPA management key / password.
|
||||
- SUB2API password.
|
||||
- Codex2API admin key.
|
||||
- Proxy username/password/API URL.
|
||||
- Hotmail account passwords, `clientId`, `refreshToken`.
|
||||
- PayPal account pool credentials.
|
||||
- 2925 mailbox credentials.
|
||||
- LuckMail / HeroSMS / 5sim / NexSMS API keys.
|
||||
- Cloudflare Temp Email auth fields.
|
||||
|
||||
Runtime state goes mostly to `chrome.storage.session`, including generated email, password, codes, OAuth URL, localhost callback, and target session metadata.
|
||||
|
||||
The built-in export function exports `getPersistedSettings()` as JSON; this can include sensitive persistent settings. Treat every export as secret material.
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### Google Chrome stable may ignore `--load-extension`
|
||||
|
||||
On BOSS's macOS Chrome stable 147, verbose logs showed `--load-extension is not allowed in Google Chrome, ignoring.` In that case, `ps` still shows the flag but the extension card never appears. Do not keep relaunching the same way. Use the visible UI workaround: open `chrome://extensions`, enable Developer Mode, physically click **加载未打包的扩展程序**, choose the repo folder in the macOS picker, then verify the unpacked card is `ENABLED`. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md`.
|
||||
|
||||
### PassWall2/DNS split rules still polluted
|
||||
|
||||
After BOSS updates PassWall2/domain split rules, verify DNS takeover before relaunching the extension. Domain rules alone are not enough if macOS still resolves `chatgpt.com` / `accounts.openai.com` through ISP/local DNS.
|
||||
|
||||
Run:
|
||||
|
||||
```bash
|
||||
python3 - <<'PY'
|
||||
import socket
|
||||
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
|
||||
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
|
||||
PY
|
||||
scutil --dns | sed -n '1,120p'
|
||||
curl -I -L --max-time 20 https://chatgpt.com/
|
||||
```
|
||||
|
||||
If `chatgpt.com` resolves to suspicious non-Cloudflare ranges such as `199.59.150.40` / `202.160.128.16`, or `accounts.openai.com` resolves to `128.121.146.109` / `192.133.77.189` / `2001::80f2:f09b`, treat it as DNS pollution and stop before registration/OAuth. Ask BOSS to fix PassWall2 DNS takeover/remote DNS/fake-ip or redir-host. See `references/openai-chatgpt-browser-probe-2026-05-08.md`, `references/passwall2-openai-dns-pollution-2026-05-08.md`, and `references/openai-lan-proxy-endpoint-probe-2026-05-08.md` for browser/TLS/proxy endpoint failure patterns.
|
||||
|
||||
When BOSS provides a LAN proxy endpoint such as `socks5://192.168.2.8:1085` or `http://192.168.2.8:1084`, test the endpoint before launching Chrome:
|
||||
|
||||
```bash
|
||||
ping -c 2 -W 1000 192.168.2.8 || true
|
||||
nc -vz -w 5 192.168.2.8 1085 || true
|
||||
curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/
|
||||
```
|
||||
|
||||
Use `socks5h://` with `curl` so DNS resolution happens through the SOCKS proxy. If proxy TCP tests fail with `No route to host`, stop: this is a LAN/gateway/proxy reachability problem, not an OpenAI OAuth or extension problem.
|
||||
|
||||
### OpenAI/ChatGPT direct-connect preflight before launching Chrome
|
||||
|
||||
Before opening the visible Chrome registration flow, run a raw DNS/TLS preflight even if the rest of the environment looks healthy:
|
||||
|
||||
```bash
|
||||
python3 - <<'PY'
|
||||
import socket
|
||||
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
|
||||
try:
|
||||
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
|
||||
except Exception as e:
|
||||
print(host, 'ERR', e)
|
||||
PY
|
||||
curl -I -L --max-time 25 https://chatgpt.com/ | sed -n '1,30p'
|
||||
```
|
||||
|
||||
If `BROWSER_PROXY_SERVER` is empty and DNS/TLS shows known pollution or transport failure, **stop before launching the registration/OAuth flow**. Examples observed during BOSS's Codex2API + GoPay plan-A test:
|
||||
|
||||
- `chatgpt.com` resolving to non-Cloudflare/suspicious ranges such as `67.230.169.182` or odd IPv6 entries.
|
||||
- `accounts.openai.com` resolving to suspicious ranges such as `199.59.149.234` / `2001::...`.
|
||||
- `curl https://chatgpt.com/` failing with `LibreSSL SSL_connect: SSL_ERROR_SYSCALL`.
|
||||
|
||||
Treat this as an environment/proxy/DNS problem, not an extension, ClawEmail, Codex2API, or account problem. Ask BOSS to fill a reachable `BROWSER_PROXY_SERVER=socks5://host:port` or `http://host:port`, then re-run proxy TCP/exit-IP/ChatGPT checks before starting Chrome. This avoids burning a registration attempt on a flow that will almost certainly stall on OpenAI auth.
|
||||
|
||||
|
||||
|
||||
```bash
|
||||
PROXY='socks5h://192.168.2.8:1085'
|
||||
nc -vz -w 3 192.168.2.8 1085 || true
|
||||
curl --proxy "$PROXY" -I -L --max-time 25 https://chatgpt.com/ 2>&1 | sed -n '1,80p'
|
||||
curl --proxy "$PROXY" --max-time 15 https://api.ipify.org 2>&1 || true
|
||||
route -n get 192.168.2.8 2>/dev/null || true
|
||||
arp -n 192.168.2.8 || true
|
||||
ping -c 3 -W 1000 192.168.2.8 || true
|
||||
```
|
||||
|
||||
If the Mac cannot reach the gateway/port (`No route to host`, `Couldn't connect to server`, ping loss), report this as a local gateway/port problem rather than continuing OAuth or extension tests. See `references/passwall2-socks5-gateway-reachability-2026-05-08.md` for the session example.
|
||||
|
||||
### Extension launch appears successful but `chrome://extensions` is empty
|
||||
|
||||
Chrome/CDP can mislead in multi-profile sessions. A process may show `--load-extension`, and CDP may even transiently show a `chrome-extension://.../service_worker.js` target, while the intended unpacked extension is not actually visible or registered in the isolated profile.
|
||||
|
||||
Before starting OpenAI registration, verify the intended automation extension with stronger evidence:
|
||||
|
||||
- `chrome://extensions/` visibly shows the `codex-oauth-automation-extension` unpacked card; or
|
||||
- `Default/Preferences` has an `extensions.settings` entry whose manifest/path match the intended repo; or
|
||||
- the intended extension page/sidepanel opens and renders expected UI; or
|
||||
- an extension-context runtime call reads the expected manifest/state.
|
||||
|
||||
If `chrome://extensions` is empty and `extensions.settings` is empty, stop before registration. Report the block as **extension launch/registration failure before signup**, keep the ClawEmail record pending/failed according to whether signup was actually attempted, and avoid burning the mailbox on a manual unsupported flow. See `references/chrome-147-unpacked-extension-loading-2026-05-09.md` for the observed Chrome 147 anomaly and debug checklist.
|
||||
|
||||
### OpenAI verification email does not arrive in ClawEmail
|
||||
|
||||
A 2026-05-09 ordinary-registration test reached OpenAI's normal `email-verification` page with two fresh ClawEmail sub-mailboxes, but no OpenAI code arrived in inbox or spam even after resend. Both sub-mailboxes passed a self-send receive test, so the block was classified as OpenAI/ClawEmail deliverability rather than browser, proxy, extension, CAPTCHA, or phone-verification failure. See `references/openai-clawemail-verification-nondelivery-2026-05-09.md`.
|
||||
|
||||
When this happens:
|
||||
|
||||
1. Confirm the exact email in the OpenAI page body via DOM, not OCR only.
|
||||
2. Poll the **sub-mailbox profile**, not just the default primary mailbox profile.
|
||||
3. Check inbox and spam.
|
||||
4. Send a self-test email to the sub-mailbox and verify it arrives.
|
||||
5. If self-test works but OpenAI mail still does not arrive after resend, stop and record `openai_email_verification` failure; try a primary ClawEmail mailbox or another provider next.
|
||||
|
||||
### Proxy not applied
|
||||
|
||||
- Visit an IP-check page in the isolated browser before starting.
|
||||
- If auth proxy fails, use a local forwarding proxy wrapper.
|
||||
- Do not put proxy passwords in final answers.
|
||||
|
||||
### ClawEmail code not found
|
||||
|
||||
- Verify the email address submitted in step 2 matches `CLAWEMAIL_UID` or the created sub-mailbox.
|
||||
- Use `mail-cli mail list --fid 1 --limit 20 --json` and inspect recent OpenAI messages.
|
||||
- Check spam/deleted folders if inbox is empty.
|
||||
|
||||
### OAuth callback not captured
|
||||
|
||||
- Step `confirm-oauth` listens for localhost callback via webNavigation/tabs updates.
|
||||
- Re-run the OAuth login/confirm steps only, not the full registration, unless the auth session is invalid.
|
||||
- Verify target mode settings and state value mismatch errors.
|
||||
|
||||
### Target verify fails
|
||||
|
||||
- For SUB2API, verify URL/email/password/group/priority/proxy fields.
|
||||
- For Codex2API, verify URL and admin key.
|
||||
- For CPA, verify management origin/key and callback endpoint support.
|
||||
- Do not print callback URL with `code=`; redact.
|
||||
|
||||
### Plus/GoPay fails
|
||||
|
||||
- Confirm Plus mode and payment method are correct.
|
||||
- Confirm GPC helper URL/card key/phone/PIN/OTP channel settings.
|
||||
- Stop before retrying paid operations repeatedly; ask BOSS.
|
||||
|
||||
See `references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md` for the session note covering the macOS TCC screenshot fix, LAN/SOCKS5 verification, and ordinary-registration prep sequence.
|
||||
|
||||
See `references/openai-clawemail-verification-nondelivery-2026-05-09.md` for the ordinary registration test where OpenAI reached the email-verification page for two ClawEmail submailboxes, but no OpenAI verification email arrived despite submailbox self-test delivery working.
|
||||
|
||||
See `references/openai-add-phone-5sim-sms-activation-2026-05-10.md` for the phone-verification continuation where OpenAI `add-phone` required SMS, BOSS corrected that WhatsApp receive channels must not be used, and 5sim `activation/*/openai` orders plus visible country selection were identified as the right class of workflow.
|
||||
|
||||
See `references/openai-phone-verification-5sim-sms-2026-05-10.md` for the later detailed retry notes: follow configured country/default `vietnam`, cancel failed 5sim orders before buying new ones, treat OpenAI `无法向此电话号码发送验证码` as a number/provider rejection, and avoid CDP-only mutations that desync the React country selector back to `美国 (+1)`.
|
||||
|
||||
See `references/openai-add-phone-1083-vietnam-resend-2026-05-10.md` for the follow-up test requested by BOSS: switch browser proxy to `socks5://192.168.2.8:1083`, regenerate Codex2API OAuth URL from the origin API when the auth session expires, continue with configured-country `vietnam` SMS activation, and for non-rejected numbers poll 5sim then click `重新发送` before canceling/retrying.
|
||||
|
||||
## Verification Checklist
|
||||
|
||||
- [ ] Config file exists at `~/.hermes/env/codex_oauth_onboarding.env` with mode-specific fields.
|
||||
- [ ] ClawEmail auth passes.
|
||||
- [ ] Isolated browser profile is not the normal personal profile.
|
||||
- [ ] Browser exit IP matches intended proxy.
|
||||
- [ ] Extension is loaded and sidepanel opens.
|
||||
- [ ] Only one target mode is active.
|
||||
- [ ] Plus payment was explicitly approved if enabled.
|
||||
- [ ] Target platform shows the OAuth account/session after verification.
|
||||
- [ ] Final report redacts all secrets, callback codes, passwords, API keys, and proxy credentials.
|
||||
Reference in New Issue
Block a user