Files
codex-oauth-plus-onboarding…/skill/codex-oauth-plus-onboarding/references/codex-oauth-current-status-2026-05-10.md
T

8.3 KiB
Raw Blame History

Codex OAuth onboarding status summary (2026-05-10)

This document consolidates the current Hermes-driven Codex2API/OpenAI OAuth onboarding findings, local automation changes, and failed phone-verification attempts. Secrets, full proxy strings, passwords, API keys, full phone numbers, and callback URLs are intentionally omitted.

Current objective

Run a single OpenAI/Codex OAuth registration/onboarding flow through Codex2API using:

  • fresh ClawEmail sub-mailbox;
  • 1085 proxy/browser profile;
  • OpenAI email verification;
  • OpenAI add-phone phone verification;
  • 5sim SMS activation only, not WhatsApp.

Stable environment facts

  • Codex2API OAuth target is configured in ~/.hermes/env/codex_oauth_onboarding.env.
  • 5sim provider is configured for SMS activation:
    • PHONE_SMS_PROVIDER=5sim
    • FIVE_SIM_OPERATOR=any
    • FIVE_SIM_PRODUCT=openai
    • FIVE_SIM_SERVICE=openai
  • The original 5sim activation endpoint shape remains:
    • /v1/user/buy/activation/{country}/any/openai
  • BOSS requested SMS-only. Do not switch to WhatsApp providers unless BOSS explicitly approves.

ClawEmail mailbox and permission flow

Old sub-mailboxes were deleted to clear quota.

Fresh mailbox created:

chickliu.wnjmwncq@claw.163.com

Important ClawEmail discovery:

  • Newly-created sub-mailboxes defaulted to internal-only receive:
    • commLevel=1
    • extReceiveType=0
  • OpenAI verification emails do not arrive until external receive is enabled.

Persistent ClawEmail Dashboard browser profile:

/Users/chick/.Hermes/workspace/browser-profiles/clawemail-dashboard-persistent
CDP port: 9224

Dashboard API base:

https://claw.163.com/mailserv-claw-dashboard

Permission update API:

POST /api/v1/mailboxes/comm-settings?id=<mailboxId>
body: {"commLevel":2,"extReceiveType":1,"extSendType":0}

Verification command:

mail-cli clawemail info --uid <submailbox> --json

Expected values:

commLevel=2
extReceiveType=1

This has been added as a mandatory gate: after creating a ClawEmail sub-mailbox, immediately enable/verify external receive before submitting the mailbox to OpenAI.

OpenAI registration and email verification

The fresh mailbox successfully reached and passed OpenAI email verification after the ClawEmail receive permission was corrected.

The flow can reliably reach:

https://auth.openai.com/add-phone

If OpenAI auth/session becomes broken or phone verification navigation returns a Chrome/OpenAI error page, recovery is to generate a new Codex2API OAuth URL and log in with the same verified email/password; it returns to add-phone.

Strict phone country/area-code gate

A bug occurred where an Indonesia 5sim number was submitted while the OpenAI page selector had silently reverted to 美国 (+1). That invalid attempt was canceled and excluded.

Mandatory gate now implemented:

  1. Before buying a 5sim number, verify:
    • native select.value equals target ISO;
    • visible country text equals expected country/dial code.
  2. After filling the number and immediately before clicking Continue, verify the same two conditions again.
  3. If either check fails:
    • do not click Continue;
    • cancel any just-bought activation;
    • reset selector and retry.

Known mappings:

5sim country OpenAI ISO Visible text Prefix
argentina AR 阿根廷 (+54) 54
netherlands NL 荷兰 (+31) 31
indonesia ID 印度尼西亚 (+62) 62
england GB 英国 (+44) 44

Reliable selector set:

const sel = document.querySelector('select');
sel.focus();
sel.value = 'GB';
sel.dispatchEvent(new Event('input', { bubbles: true }));
sel.dispatchEvent(new Event('change', { bubbles: true }));
await new Promise(r => setTimeout(r, 800));

Gate check:

const visibleCountry = [...document.querySelectorAll('button')]
  .map(b => b.innerText)
  .find(t => /\(\+\d+\)/.test(t));
const selectValue = document.querySelector('select')?.value;

Phone-verification attempts completed

All phone attempts used 5sim SMS activation for openai, not WhatsApp.

Earlier country-order run

Configured order at that time:

argentina -> netherlands -> indonesia

Results:

Country Activation IDs observed Result
Argentina 1006713742, 1006724245 and additional strict-run attempts OpenAI accepted/waited, no SMS after polling/resend; orders canceled.
Netherlands 1006714867, 1006733450 and additional strict-run attempts OpenAI accepted/waited, no SMS after polling/resend; orders canceled.
Indonesia 1006715764, 1006722837 Correct +62 attempt received no SMS after polling/resend; orders canceled.

Invalid/corrected attempt:

  • 1006721757 was bought for Indonesia but page was still 美国 (+1), so it was canceled and excluded.

United Kingdom +44 run

BOSS requested switching to UK +44.

Config was changed to:

FIVE_SIM_COUNTRY_ORDER=england
PHONE_VERIFICATION_REPLACEMENT_LIMIT=10

OpenAI country gate confirmed:

英国 (+44)
selectValue=GB

UK run outcome:

  • Attempts: 10
  • Last activation ID: 1006738454
  • Result: all attempts reached waiting/phone-verification state, but 5sim SMS stayed RECEIVED with sms_count=0 through initial polling and after resend; every order was canceled.
  • Final phase: phone_failed_all

Official extension update learned

Official repo inspected:

https://github.com/QLHazyCoder/codex-oauth-automation-extension
local old: 7dc5cf2
upstream latest inspected: 6bd00db

Relevant changed files:

  • background/phone-verification-flow.js
  • content/phone-auth.js
  • phone-sms/providers/five-sim.js
  • tests/phone-auth-country-match.test.js
  • tests/phone-verification-flow.test.js

Adopted improvements:

  1. Probe resend channel before clicking.
    • Detect whatsapp, sms, or unknown using button value, aria-label, title, innerText, textContent.
    • If WhatsApp is detected and policy is SMS-only, cancel current SMS activation and do not click resend.
  2. Classify HTTP 500/contact-verification pages.
    • Match This page isnt working, currently unable to handle this request, HTTP ERROR 500, 500 Internal Server Error.
    • Cancel current activation and recover back to add-phone.
  3. Broaden direct-delivery-refused detection.
    • Match Chinese/English variants of 无法向此电话号码发送验证码 / cannot send SMS/text/code to this number.
  4. Add UK mapping.
    • 5sim: england; OpenAI: GB, 英国 (+44), prefix 44.
  5. Add stale /email-verification guard.
    • If the phone flow unexpectedly returns to email verification, stop and do not burn more phone activations.
  6. Emit compact waiting/polling JSONL so long waits are visible without dumping DOM.

Local runner patched:

/tmp/phone_verify_strict_gate_10.py

Persistent skill references added:

  • references/openai-add-phone-strict-country-gate-2026-05-10.md
  • references/official-extension-phone-update-2026-05-10.md
  • references/openai-1085-clawemail-permission-phone-results-2026-05-10.md

Current conclusion

The non-phone parts are now repeatable:

Create ClawEmail sub-mailbox
-> enable external receive
-> Codex2API OAuth
-> OpenAI register/login
-> email verification
-> add-phone

Phone verification remains blocked. Tested SMS-only countries/regions all failed to receive SMS through 5sim:

Argentina
Netherlands
Indonesia
United Kingdom +44

Observed common pattern:

OpenAI may accept the phone and show phone-verification/waiting state,
but 5sim SMS activation receives no code even after resend.

Some pages/resend controls may indicate WhatsApp delivery. Under BOSS's SMS-only policy, the runner must not click WhatsApp resend or switch to WhatsApp receiving automatically.

  1. Try a different SMS provider supported by the official extension, such as HeroSMS or NexSMS, while staying SMS-only.
  2. Try countries from the official HeroSMS prefix hints: Thailand +66, Vietnam +84, Japan +81, Germany +49, France +33, USA +1 only if BOSS approves.
  3. Keep the strict country gate and resend-channel probe in all future runs.
  4. If OpenAI explicitly selects WhatsApp delivery and BOSS still requires SMS-only, stop early before buying SMS numbers.