# Codex OAuth onboarding status summary (2026-05-10) This document consolidates the current Hermes-driven Codex2API/OpenAI OAuth onboarding findings, local automation changes, and failed phone-verification attempts. Secrets, full proxy strings, passwords, API keys, full phone numbers, and callback URLs are intentionally omitted. ## Current objective Run a single OpenAI/Codex OAuth registration/onboarding flow through Codex2API using: - fresh ClawEmail sub-mailbox; - 1085 proxy/browser profile; - OpenAI email verification; - OpenAI add-phone phone verification; - 5sim SMS activation only, not WhatsApp. ## Stable environment facts - Codex2API OAuth target is configured in `~/.hermes/env/codex_oauth_onboarding.env`. - 5sim provider is configured for SMS activation: - `PHONE_SMS_PROVIDER=5sim` - `FIVE_SIM_OPERATOR=any` - `FIVE_SIM_PRODUCT=openai` - `FIVE_SIM_SERVICE=openai` - The original 5sim activation endpoint shape remains: - `/v1/user/buy/activation/{country}/any/openai` - BOSS requested SMS-only. Do not switch to WhatsApp providers unless BOSS explicitly approves. ## ClawEmail mailbox and permission flow Old sub-mailboxes were deleted to clear quota. Fresh mailbox created: ```text chickliu.wnjmwncq@claw.163.com ``` Important ClawEmail discovery: - Newly-created sub-mailboxes defaulted to internal-only receive: - `commLevel=1` - `extReceiveType=0` - OpenAI verification emails do not arrive until external receive is enabled. Persistent ClawEmail Dashboard browser profile: ```text /Users/chick/.Hermes/workspace/browser-profiles/clawemail-dashboard-persistent CDP port: 9224 ``` Dashboard API base: ```text https://claw.163.com/mailserv-claw-dashboard ``` Permission update API: ```text POST /api/v1/mailboxes/comm-settings?id= body: {"commLevel":2,"extReceiveType":1,"extSendType":0} ``` Verification command: ```bash mail-cli clawemail info --uid --json ``` Expected values: ```text commLevel=2 extReceiveType=1 ``` This has been added as a mandatory gate: after creating a ClawEmail sub-mailbox, immediately enable/verify external receive before submitting the mailbox to OpenAI. ## OpenAI registration and email verification The fresh mailbox successfully reached and passed OpenAI email verification after the ClawEmail receive permission was corrected. The flow can reliably reach: ```text https://auth.openai.com/add-phone ``` If OpenAI auth/session becomes broken or phone verification navigation returns a Chrome/OpenAI error page, recovery is to generate a new Codex2API OAuth URL and log in with the same verified email/password; it returns to `add-phone`. ## Strict phone country/area-code gate A bug occurred where an Indonesia 5sim number was submitted while the OpenAI page selector had silently reverted to `美国 (+1)`. That invalid attempt was canceled and excluded. Mandatory gate now implemented: 1. Before buying a 5sim number, verify: - native `select.value` equals target ISO; - visible country text equals expected country/dial code. 2. After filling the number and immediately before clicking Continue, verify the same two conditions again. 3. If either check fails: - do not click Continue; - cancel any just-bought activation; - reset selector and retry. Known mappings: | 5sim country | OpenAI ISO | Visible text | Prefix | | --- | --- | --- | --- | | `argentina` | `AR` | `阿根廷 (+54)` | `54` | | `netherlands` | `NL` | `荷兰 (+31)` | `31` | | `indonesia` | `ID` | `印度尼西亚 (+62)` | `62` | | `england` | `GB` | `英国 (+44)` | `44` | Reliable selector set: ```js const sel = document.querySelector('select'); sel.focus(); sel.value = 'GB'; sel.dispatchEvent(new Event('input', { bubbles: true })); sel.dispatchEvent(new Event('change', { bubbles: true })); await new Promise(r => setTimeout(r, 800)); ``` Gate check: ```js const visibleCountry = [...document.querySelectorAll('button')] .map(b => b.innerText) .find(t => /\(\+\d+\)/.test(t)); const selectValue = document.querySelector('select')?.value; ``` ## Phone-verification attempts completed All phone attempts used 5sim SMS activation for `openai`, not WhatsApp. ### Earlier country-order run Configured order at that time: ```text argentina -> netherlands -> indonesia ``` Results: | Country | Activation IDs observed | Result | | --- | --- | --- | | Argentina | `1006713742`, `1006724245` and additional strict-run attempts | OpenAI accepted/waited, no SMS after polling/resend; orders canceled. | | Netherlands | `1006714867`, `1006733450` and additional strict-run attempts | OpenAI accepted/waited, no SMS after polling/resend; orders canceled. | | Indonesia | `1006715764`, `1006722837` | Correct `+62` attempt received no SMS after polling/resend; orders canceled. | Invalid/corrected attempt: - `1006721757` was bought for Indonesia but page was still `美国 (+1)`, so it was canceled and excluded. ### United Kingdom +44 run BOSS requested switching to UK +44. Config was changed to: ```text FIVE_SIM_COUNTRY_ORDER=england PHONE_VERIFICATION_REPLACEMENT_LIMIT=10 ``` OpenAI country gate confirmed: ```text 英国 (+44) selectValue=GB ``` UK run outcome: - Attempts: 10 - Last activation ID: `1006738454` - Result: all attempts reached waiting/phone-verification state, but 5sim SMS stayed `RECEIVED` with `sms_count=0` through initial polling and after resend; every order was canceled. - Final phase: `phone_failed_all` ## Official extension update learned Official repo inspected: ```text https://github.com/QLHazyCoder/codex-oauth-automation-extension local old: 7dc5cf2 upstream latest inspected: 6bd00db ``` Relevant changed files: - `background/phone-verification-flow.js` - `content/phone-auth.js` - `phone-sms/providers/five-sim.js` - `tests/phone-auth-country-match.test.js` - `tests/phone-verification-flow.test.js` Adopted improvements: 1. Probe resend channel before clicking. - Detect `whatsapp`, `sms`, or `unknown` using button `value`, `aria-label`, `title`, `innerText`, `textContent`. - If WhatsApp is detected and policy is SMS-only, cancel current SMS activation and do not click resend. 2. Classify HTTP 500/contact-verification pages. - Match `This page isn’t working`, `currently unable to handle this request`, `HTTP ERROR 500`, `500 Internal Server Error`. - Cancel current activation and recover back to `add-phone`. 3. Broaden direct-delivery-refused detection. - Match Chinese/English variants of `无法向此电话号码发送验证码` / cannot send SMS/text/code to this number. 4. Add UK mapping. - 5sim: `england`; OpenAI: `GB`, `英国 (+44)`, prefix `44`. 5. Add stale `/email-verification` guard. - If the phone flow unexpectedly returns to email verification, stop and do not burn more phone activations. 6. Emit compact waiting/polling JSONL so long waits are visible without dumping DOM. Local runner patched: ```text /tmp/phone_verify_strict_gate_10.py ``` Persistent skill references added: - `references/openai-add-phone-strict-country-gate-2026-05-10.md` - `references/official-extension-phone-update-2026-05-10.md` - `references/openai-1085-clawemail-permission-phone-results-2026-05-10.md` ## Current conclusion The non-phone parts are now repeatable: ```text Create ClawEmail sub-mailbox -> enable external receive -> Codex2API OAuth -> OpenAI register/login -> email verification -> add-phone ``` Phone verification remains blocked. Tested SMS-only countries/regions all failed to receive SMS through 5sim: ```text Argentina Netherlands Indonesia United Kingdom +44 ``` Observed common pattern: ```text OpenAI may accept the phone and show phone-verification/waiting state, but 5sim SMS activation receives no code even after resend. ``` Some pages/resend controls may indicate WhatsApp delivery. Under BOSS's SMS-only policy, the runner must not click WhatsApp resend or switch to WhatsApp receiving automatically. ## Recommended next experiments 1. Try a different SMS provider supported by the official extension, such as HeroSMS or NexSMS, while staying SMS-only. 2. Try countries from the official HeroSMS prefix hints: Thailand `+66`, Vietnam `+84`, Japan `+81`, Germany `+49`, France `+33`, USA `+1` only if BOSS approves. 3. Keep the strict country gate and resend-channel probe in all future runs. 4. If OpenAI explicitly selects WhatsApp delivery and BOSS still requires SMS-only, stop early before buying SMS numbers.