docs: consolidate codex oauth current status

This commit is contained in:
2026-05-10 15:50:41 +08:00
parent 02121412e3
commit eeacb3b6a3
@@ -0,0 +1,266 @@
# Codex OAuth onboarding status summary (2026-05-10)
This document consolidates the current Hermes-driven Codex2API/OpenAI OAuth onboarding findings, local automation changes, and failed phone-verification attempts. Secrets, full proxy strings, passwords, API keys, full phone numbers, and callback URLs are intentionally omitted.
## Current objective
Run a single OpenAI/Codex OAuth registration/onboarding flow through Codex2API using:
- fresh ClawEmail sub-mailbox;
- 1085 proxy/browser profile;
- OpenAI email verification;
- OpenAI add-phone phone verification;
- 5sim SMS activation only, not WhatsApp.
## Stable environment facts
- Codex2API OAuth target is configured in `~/.hermes/env/codex_oauth_onboarding.env`.
- 5sim provider is configured for SMS activation:
- `PHONE_SMS_PROVIDER=5sim`
- `FIVE_SIM_OPERATOR=any`
- `FIVE_SIM_PRODUCT=openai`
- `FIVE_SIM_SERVICE=openai`
- The original 5sim activation endpoint shape remains:
- `/v1/user/buy/activation/{country}/any/openai`
- BOSS requested SMS-only. Do not switch to WhatsApp providers unless BOSS explicitly approves.
## ClawEmail mailbox and permission flow
Old sub-mailboxes were deleted to clear quota.
Fresh mailbox created:
```text
chickliu.wnjmwncq@claw.163.com
```
Important ClawEmail discovery:
- Newly-created sub-mailboxes defaulted to internal-only receive:
- `commLevel=1`
- `extReceiveType=0`
- OpenAI verification emails do not arrive until external receive is enabled.
Persistent ClawEmail Dashboard browser profile:
```text
/Users/chick/.Hermes/workspace/browser-profiles/clawemail-dashboard-persistent
CDP port: 9224
```
Dashboard API base:
```text
https://claw.163.com/mailserv-claw-dashboard
```
Permission update API:
```text
POST /api/v1/mailboxes/comm-settings?id=<mailboxId>
body: {"commLevel":2,"extReceiveType":1,"extSendType":0}
```
Verification command:
```bash
mail-cli clawemail info --uid <submailbox> --json
```
Expected values:
```text
commLevel=2
extReceiveType=1
```
This has been added as a mandatory gate: after creating a ClawEmail sub-mailbox, immediately enable/verify external receive before submitting the mailbox to OpenAI.
## OpenAI registration and email verification
The fresh mailbox successfully reached and passed OpenAI email verification after the ClawEmail receive permission was corrected.
The flow can reliably reach:
```text
https://auth.openai.com/add-phone
```
If OpenAI auth/session becomes broken or phone verification navigation returns a Chrome/OpenAI error page, recovery is to generate a new Codex2API OAuth URL and log in with the same verified email/password; it returns to `add-phone`.
## Strict phone country/area-code gate
A bug occurred where an Indonesia 5sim number was submitted while the OpenAI page selector had silently reverted to `美国 (+1)`. That invalid attempt was canceled and excluded.
Mandatory gate now implemented:
1. Before buying a 5sim number, verify:
- native `select.value` equals target ISO;
- visible country text equals expected country/dial code.
2. After filling the number and immediately before clicking Continue, verify the same two conditions again.
3. If either check fails:
- do not click Continue;
- cancel any just-bought activation;
- reset selector and retry.
Known mappings:
| 5sim country | OpenAI ISO | Visible text | Prefix |
| --- | --- | --- | --- |
| `argentina` | `AR` | `阿根廷 (+54)` | `54` |
| `netherlands` | `NL` | `荷兰 (+31)` | `31` |
| `indonesia` | `ID` | `印度尼西亚 (+62)` | `62` |
| `england` | `GB` | `英国 (+44)` | `44` |
Reliable selector set:
```js
const sel = document.querySelector('select');
sel.focus();
sel.value = 'GB';
sel.dispatchEvent(new Event('input', { bubbles: true }));
sel.dispatchEvent(new Event('change', { bubbles: true }));
await new Promise(r => setTimeout(r, 800));
```
Gate check:
```js
const visibleCountry = [...document.querySelectorAll('button')]
.map(b => b.innerText)
.find(t => /\(\+\d+\)/.test(t));
const selectValue = document.querySelector('select')?.value;
```
## Phone-verification attempts completed
All phone attempts used 5sim SMS activation for `openai`, not WhatsApp.
### Earlier country-order run
Configured order at that time:
```text
argentina -> netherlands -> indonesia
```
Results:
| Country | Activation IDs observed | Result |
| --- | --- | --- |
| Argentina | `1006713742`, `1006724245` and additional strict-run attempts | OpenAI accepted/waited, no SMS after polling/resend; orders canceled. |
| Netherlands | `1006714867`, `1006733450` and additional strict-run attempts | OpenAI accepted/waited, no SMS after polling/resend; orders canceled. |
| Indonesia | `1006715764`, `1006722837` | Correct `+62` attempt received no SMS after polling/resend; orders canceled. |
Invalid/corrected attempt:
- `1006721757` was bought for Indonesia but page was still `美国 (+1)`, so it was canceled and excluded.
### United Kingdom +44 run
BOSS requested switching to UK +44.
Config was changed to:
```text
FIVE_SIM_COUNTRY_ORDER=england
PHONE_VERIFICATION_REPLACEMENT_LIMIT=10
```
OpenAI country gate confirmed:
```text
英国 (+44)
selectValue=GB
```
UK run outcome:
- Attempts: 10
- Last activation ID: `1006738454`
- Result: all attempts reached waiting/phone-verification state, but 5sim SMS stayed `RECEIVED` with `sms_count=0` through initial polling and after resend; every order was canceled.
- Final phase: `phone_failed_all`
## Official extension update learned
Official repo inspected:
```text
https://github.com/QLHazyCoder/codex-oauth-automation-extension
local old: 7dc5cf2
upstream latest inspected: 6bd00db
```
Relevant changed files:
- `background/phone-verification-flow.js`
- `content/phone-auth.js`
- `phone-sms/providers/five-sim.js`
- `tests/phone-auth-country-match.test.js`
- `tests/phone-verification-flow.test.js`
Adopted improvements:
1. Probe resend channel before clicking.
- Detect `whatsapp`, `sms`, or `unknown` using button `value`, `aria-label`, `title`, `innerText`, `textContent`.
- If WhatsApp is detected and policy is SMS-only, cancel current SMS activation and do not click resend.
2. Classify HTTP 500/contact-verification pages.
- Match `This page isnt working`, `currently unable to handle this request`, `HTTP ERROR 500`, `500 Internal Server Error`.
- Cancel current activation and recover back to `add-phone`.
3. Broaden direct-delivery-refused detection.
- Match Chinese/English variants of `无法向此电话号码发送验证码` / cannot send SMS/text/code to this number.
4. Add UK mapping.
- 5sim: `england`; OpenAI: `GB`, `英国 (+44)`, prefix `44`.
5. Add stale `/email-verification` guard.
- If the phone flow unexpectedly returns to email verification, stop and do not burn more phone activations.
6. Emit compact waiting/polling JSONL so long waits are visible without dumping DOM.
Local runner patched:
```text
/tmp/phone_verify_strict_gate_10.py
```
Persistent skill references added:
- `references/openai-add-phone-strict-country-gate-2026-05-10.md`
- `references/official-extension-phone-update-2026-05-10.md`
- `references/openai-1085-clawemail-permission-phone-results-2026-05-10.md`
## Current conclusion
The non-phone parts are now repeatable:
```text
Create ClawEmail sub-mailbox
-> enable external receive
-> Codex2API OAuth
-> OpenAI register/login
-> email verification
-> add-phone
```
Phone verification remains blocked. Tested SMS-only countries/regions all failed to receive SMS through 5sim:
```text
Argentina
Netherlands
Indonesia
United Kingdom +44
```
Observed common pattern:
```text
OpenAI may accept the phone and show phone-verification/waiting state,
but 5sim SMS activation receives no code even after resend.
```
Some pages/resend controls may indicate WhatsApp delivery. Under BOSS's SMS-only policy, the runner must not click WhatsApp resend or switch to WhatsApp receiving automatically.
## Recommended next experiments
1. Try a different SMS provider supported by the official extension, such as HeroSMS or NexSMS, while staying SMS-only.
2. Try countries from the official HeroSMS prefix hints: Thailand `+66`, Vietnam `+84`, Japan `+81`, Germany `+49`, France `+33`, USA `+1` only if BOSS approves.
3. Keep the strict country gate and resend-channel probe in all future runs.
4. If OpenAI explicitly selects WhatsApp delivery and BOSS still requires SMS-only, stop early before buying SMS numbers.