30 KiB
name, description, version, author, license, metadata
| name | description | version | author | license | metadata | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| codex-oauth-plus-onboarding | Use when BOSS asks to register a ChatGPT/Codex OAuth account flow with ClawEmail, optionally open Plus through GoPay/GPC, and authorize the OAuth callback into SUB2API, Codex2API, or CPA using an isolated proxied browser profile. | 1.0.0 | Hermes Agent | MIT |
|
Codex OAuth + Plus Onboarding
Overview
This skill describes the safe, repeatable workflow for using the local codex-oauth-automation-extension project to run a single user-authorized onboarding flow:
- Use ClawEmail as the registration mailbox.
- Register/Login through ChatGPT/OpenAI auth.
- Optionally open ChatGPT Plus through GoPay / GPC helper.
- Complete OAuth authorization.
- Submit the localhost OAuth callback to exactly one configured target: SUB2API, Codex2API, or CPA.
- Run the browser in an isolated profile with a dedicated proxy.
The skill is for BOSS's own infrastructure and accounts only. Do not use it for spam, credential stuffing, rate-limit evasion, CAPTCHA bypass, unauthorized account creation, or bulk registration. If a page asks for CAPTCHA, security challenge, phone ownership proof, payment confirmation, or another user-visible anti-abuse checkpoint, pause and ask BOSS to complete/approve it manually.
When to Use
Use this skill when BOSS asks for any of these:
- “用 ClawEmail 注册 Codex / ChatGPT OAuth,然后授权到 SUB2API / Codex2API / CPA”
- “用 GoPay 开 Plus 后把 OAuth 接进去”
- “把 QLHazyCoder/codex-oauth-automation-extension 那套流程跑起来”
- “给这个注册流程做独立代理、无痕/隔离浏览器配置”
- “把这个流程做成可复用配置和操作步骤”
Also load clawemail-operations before any ClawEmail mailbox work.
BOSS-specific Operating Defaults
These are confirmed operating rules for BOSS's environment:
-
Use Google Chrome stable at
/Applications/Google Chrome.app/Contents/MacOS/Google Chromewith a real visible window. -
Do not set a default target platform. If
PANEL_MODEis empty or not one ofcpa|sub2api|codex2api, stop before launching the run. -
Proxies are supplied as unauthenticated
socks5://host:portorhttp://host:port; do not expect proxy username/password. -
The new account password is unified through
CUSTOM_PASSWORD. If it is empty, stop and ask BOSS to fill it, unless BOSS explicitly allows auto-generation for that run. -
ClawEmail creates a fresh mailbox for every run (
CLAWEMAIL_CREATE_PER_RUN=true). Record every created mailbox locally with outcome classification: pending, success, failed. -
Phone/SMS platform has no default. Keep
PHONE_VERIFICATION_ENABLED=falseandPHONE_SMS_PROVIDERempty unless BOSS configures one or approves enabling it after a phone verification appears. -
If phone verification appears and BOSS has configured 5sim, use SMS activation for
openai, not WhatsApp receive channels. The original extension's 5sim provider buys/v1/user/buy/activation/{country}/{operator}/openai, polls/v1/user/check/{activationId}, and finishes/cancels the activation. Follow the configuredFIVE_SIM_COUNTRY_IDfirst; if it is empty, the extension default isvietnam. Do not silently switch countries after a rejected number unless BOSS changes config or approves fallback. Before buying/submitting a non-USA number, verify the OpenAI visible country selector is already the expected country (for example越南 (+84)); if it reverted to美国 (+1), fix the selector first or the number will be parsed as invalid. Use visible UI paste/click onadd-phonewhen possible because CDP-only input mutation can desync React state and revert the country on submit. If a number is not immediately rejected, do not cancel it after one polling timeout: poll 5sim, click OpenAI重新发送, poll again, and retry resend at least once before canceling/rotating. If changing proxy (for example1085→1083), expect OpenAI auth session invalidation and restart from a fresh target OAuth URL. Codex2API env URLs may point at/admin/accounts; derive the API origin before calling/api/admin/oauth/generate-auth-url. Seereferences/openai-add-phone-5sim-sms-activation-2026-05-10.md,references/openai-phone-verification-5sim-sms-2026-05-10.md, andreferences/openai-phone-verification-proxy1083-resend-2026-05-10.mdfor observed behavior, resend strategy, proxy-switch recovery, and pitfalls. -
Plus mode uses
PLUS_PAYMENT_METHOD=gopay. Any paid GoPay action still requires explicit confirmation immediately before payment/approval. -
GoPay WhatsApp OTP uses 方案 A / manual checkpoint: set
GOPAY_OTP_SOURCE=manual. The extension detects OTP input and opens a side-panel prompt (requestGoPayOtpInput/ “输入 GoPay 验证码”); BOSS pastes the WhatsApp code, then the extension fills OTP, fillsGOPAY_PIN, and continues. -
GOPAY_OTPshould normally stay empty before the run. It is only a temporary prefill/cache for the current OTP dialog, not a durable secret. -
Do not implement WhatsApp scraping/API automation unless BOSS explicitly requests it later.
-
When BOSS says the environment is normal and asks to start registration testing, treat
socks5://192.168.2.8:1085as the expected browser proxy unless BOSS overrides it. IfBROWSER_PROXY_SERVERis empty, patch the local env to this SOCKS5 endpoint and verify it before launching Chrome; do not stop with a question asking whether to use it. -
For ordinary-account test runs, set
PLUS_MODE_ENABLED=falsebefore launching. KeepPLUS_PAYMENT_METHOD=gopayuntouched for later Plus runs, but do not enter Plus/payment steps. -
Registration/OAuth tests are step-gated for BOSS: after environment/config prep and mailbox creation, report the created mailbox and wait for explicit “继续” before launching the visible browser flow.
- Explicit target: BOSS must specify exactly one target mode:
sub2api,codex2api, orcpa; there is no default target, and an emptyPANEL_MODEmust stop execution. - Single-run default: default to one account / one OAuth flow unless BOSS explicitly requests a count.
- No CAPTCHA bypass: if Cloudflare/CAPTCHA/security challenge appears, stop and report the required manual action.
- Payment checkpoint: Plus mode is GoPay for BOSS, but before any GoPay payment or paid operation, confirm that BOSS wants to proceed.
- No secret leakage: never print API keys, admin keys, proxy addresses if sensitive, refresh tokens, card keys, or OAuth callback URLs containing
code=in final summaries. Redact as[REDACTED]. - Config export risk: the extension’s built-in settings export may contain secrets. Treat exported files as sensitive.
- Mailbox records: every freshly-created ClawEmail mailbox must be recorded locally with run id and final status (
pending,success, orfailed).
Repository and Local Paths
Known research clone:
/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
If missing, clone shallow:
mkdir -p /Users/chick/.Hermes/workspace/research
cd /Users/chick/.Hermes/workspace/research
git clone --depth=1 https://github.com/QLHazyCoder/codex-oauth-automation-extension.git
Validate tests when modifying or before relying on a changed checkout:
cd /Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
node --test tests/*.test.js
Observed verification result during initial study: 772 tests passed, 0 failed.
Configuration File
Create a dedicated env file instead of typing secrets into chat. A fuller template is stored with this skill at templates/codex_oauth_onboarding.env.example. If BOSS has temporarily filled real values into that template, first copy it to the real env file, back up the filled template privately, and sanitize the template again; see references/env-file-and-5sim-notes.md.
mkdir -p ~/.hermes/env
chmod 700 ~/.hermes/env
cp ~/.hermes/skills/software-development/codex-oauth-plus-onboarding/templates/codex_oauth_onboarding.env.example ~/.hermes/env/codex_oauth_onboarding.env
chmod 600 ~/.hermes/env/codex_oauth_onboarding.env
$EDITOR ~/.hermes/env/codex_oauth_onboarding.env
High-level required groups:
- Local project / browser:
CODEX_OAUTH_EXTENSION_DIR,CHROME_BIN,BROWSER_PROFILE_ROOT,BROWSER_HEADLESS=false. - Panel / target mode:
PANEL_MODE=cpa|sub2api|codex2apihas no default; if empty, stop. Fill only the selected target’s auth fields copied from the original side panel (CPA_VPS_URL/CPA_VPS_PASSWORD, orSUB2API_*, orCODEX2API_*). - Proxy: fill
BROWSER_PROXY_SERVERwith BOSS-provided unauthenticatedsocks5://host:portorhttp://host:port; useIP_PROXY_*only when using the original extension’s built-in 711proxy/IP proxy panel. - Registration identity and password:
CLAWEMAIL_CREATE_PER_RUN=true,CLAWEMAIL_PREFIX,CLAWEMAIL_RECORD_FILE,SIGNUP_METHOD=email, and unifiedCUSTOM_PASSWORD. For BOSS's ClawEmail per-run accounts, use a pure lowercase English 8-letter random create prefix with no base prefix (example create prefixabcdefgh, resulting sub-mailbox shapechickliu.abcdefgh@claw.163.com). Live ClawEmail probing showed create prefixes are accepted only up to 11 characters and dots/hyphens are rejected despite docs/help text, so do not usecodex+ 8 letters. Store/observe the policy withCLAWEMAIL_PREFIX=(empty),CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8,CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz, andCLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=truewhen helper scripts support it; if not, generate the 8-letter prefix in the runner before callingmail-cli clawemail create --prefix .... - Mail provider:
MAIL_PROVIDER,EMAIL_GENERATOR, and original-provider fields only if not polling ClawEmail from Hermes. - Phone/SMS verification fallback: no default provider; keep
PHONE_VERIFICATION_ENABLED=falseandPHONE_SMS_PROVIDERempty unless configured/approved. - Plus/payment:
PLUS_MODE_ENABLED=true,PLUS_PAYMENT_METHOD=gopay; paid operations still require explicit confirmation.
Minimal template excerpt:
# Required: local extension repo
CODEX_OAUTH_EXTENSION_DIR=/Users/chick/.Hermes/workspace/research/codex-oauth-automation-extension
```bash
# Required: ClawEmail mailbox
CLAWEMAIL_UID=chickliu@claw.163.com
# BOSS preference: per-run sub-mailbox create prefix is exactly 8 lowercase English random letters.
# Example create prefix: abcdefgh -> chickliu.abcdefgh@claw.163.com
CLAWEMAIL_PREFIX=
CLAWEMAIL_RANDOM_SUFFIX_LENGTH=8
CLAWEMAIL_RANDOM_SUFFIX_CHARSET=abcdefghijklmnopqrstuvwxyz
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
CLAWEMAIL_PREFIX_WITH_RANDOM_SUFFIX=true
Browser isolation
BROWSER_PROFILE_ROOT=/Users/chick/.Hermes/workspace/browser-profiles/codex-oauth BROWSER_HEADLESS=false BROWSER_PROXY_SERVER=http://host:port BROWSER_PROXY_USERNAME= BROWSER_PROXY_PASSWORD=
Target mode: sub2api | codex2api | cpa
OAUTH_TARGET_MODE=sub2api
SUB2API settings
SUB2API_URL= SUB2API_EMAIL= SUB2API_PASSWORD= SUB2API_GROUP_NAME=default SUB2API_ACCOUNT_PRIORITY=1 SUB2API_DEFAULT_PROXY_NAME=
Codex2API settings
CODEX2API_URL= CODEX2API_ADMIN_KEY=
CPA settings
CPA_URL= CPA_MANAGEMENT_KEY= CPA_LOCAL_STEP9_MODE=submit
Plus / GoPay / GPC helper settings
PLUS_MODE_ENABLED=false PLUS_PAYMENT_METHOD=gpc-helper GPC_HELPER_API_URL= GPC_HELPER_CARD_KEY= GPC_HELPER_COUNTRY_CODE=+86 GPC_HELPER_PHONE_NUMBER= GPC_HELPER_PIN= GPC_HELPER_OTP_CHANNEL=whatsapp GPC_HELPER_LOCAL_SMS_ENABLED=false GPC_HELPER_LOCAL_SMS_URL=http://127.0.0.1:18767
Runtime behavior
RUN_COUNT=1 AUTO_RUN_SKIP_FAILURES=false AUTO_STEP_DELAY_SECONDS=2 OAUTH_FLOW_TIMEOUT_ENABLED=true
Rules:
- Keep this file local only; never commit it.
- Use `[REDACTED]` in reports for all secret values.
- If multiple target sections are filled, only the section selected by `OAUTH_TARGET_MODE` should be used.
## Browser Isolation and Proxy Strategy
This workflow must use a **real visible Chrome/Chromium browser**. Do not use headless browser mode for registration, payment, OAuth consent, or security-sensitive OpenAI/Auth pages.
Use a **dedicated browser profile** per run or per account. “无痕模式” in Chrome does not normally persist extension state and may not allow side panel/extensions unless explicitly enabled. For this extension, prefer a real visible browser with:
- Dedicated clean `user-data-dir` profile.
- Loaded unpacked extension from `CODEX_OAUTH_EXTENSION_DIR`.
- Proxy applied at browser launch or by a verified local proxy wrapper.
- Human-visible UI for CAPTCHA/security/payment checkpoints.
- Profile cleared after success if BOSS wants no local residue.
Recommended profile naming:
```bash
RUN_ID=$(date +%Y%m%d-%H%M%S)
PROFILE_DIR="$BROWSER_PROFILE_ROOT/$RUN_ID"
mkdir -p "$PROFILE_DIR"
Chrome launch pattern:
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
--user-data-dir="$PROFILE_DIR" \
--disable-extensions-except="$CODEX_OAUTH_EXTENSION_DIR" \
--load-extension="$CODEX_OAUTH_EXTENSION_DIR" \
--proxy-server="$BROWSER_PROXY_SERVER" \
--no-first-run \
--no-default-browser-check
If proxy authentication is required and Chrome launch flags do not authenticate reliably, use one of these approaches:
- Use an upstream proxy URL that embeds auth only in a local proxy wrapper, not in command history.
- Start a local forwarding proxy that injects upstream credentials.
- Configure proxy credentials inside the extension only if the extension supports it and the config file is protected.
Do not reuse the normal personal browser profile for this workflow.
ClawEmail Preparation
Load clawemail-operations and verify:
mail-cli auth test --json
mail-cli clawemail list --json
mail-cli clawemail info --uid "$CLAWEMAIL_UID" --json
Registration email choice:
- Default: use
CLAWEMAIL_UIDdirectly. - If BOSS wants per-run sub-mailboxes, create them with
mail-cli clawemail create --prefix ...and set the extension’s registration email to the created UID.
For code retrieval, the extension may interact with mail provider pages or helper logic, but ClawEmail can also be polled by Hermes:
mail-cli mail list --fid 1 --limit 20 --json
mail-cli read body --id '<message-id>'
Always quote message IDs.
Extension Architecture Reference
The project is a Manifest V3 Chrome extension:
manifest.json: permissions, host permissions, content scripts, side panel.background.js: service worker and state orchestration.background/message-router.js: handles sidepanel messages such asEXECUTE_STEP,AUTO_RUN,SAVE_SETTING,EXPORT_SETTINGS,IMPORT_SETTINGS.data/step-definitions.js: step list for normal and Plus modes.background/steps/*.js: one executor per major step.content/signup-page.js: OpenAI/Auth page DOM automation.content/*mail*.js: mail provider automation.sidepanel/sidepanel.js: UI controls and settings collection.
Important permissions include tabs, webNavigation, webRequest, proxy, debugger, cookies, browsingData, storage, scripting, activeTab, and <all_urls> host access.
Normal OAuth Flow Steps
BOSS correction / manual-flow allowance: if BOSS asks only to test whether ordinary registration works, do not over-focus on running the original extension as the automation engine. It is acceptable to follow the extension's normal-flow sequence manually through visible Chrome, CDP, and mail-cli. The extension should be treated as a process reference unless BOSS explicitly asks to use it. Still keep all checkpoints: stop for CAPTCHA/Cloudflare/security challenge/phone/payment, and do not proceed to OAuth until email verification succeeds.
Normal mode step definitions:
open-chatgpt— clear ChatGPT/OpenAI cookies and open ChatGPT.submit-signup-email— enter email or phone registration identity.fill-password— generate/use password and submit.fetch-signup-code— fetch registration verification code from mailbox/SMS.fill-profile— generate and submit name + birthday.wait-registration-success— wait for registration to stabilize.oauth-login— refresh OAuth URL from selected target and log in.fetch-login-code— fetch login verification code if needed.confirm-oauth— click OAuth consent / Continue and capture localhost callback.platform-verify— submit callback/code/state to SUB2API, Codex2API, or CPA.
ClawEmail random suffix policy
BOSS specifically prefers Codex onboarding sub-mailboxes to use only an 8-letter lowercase English random create prefix after the primary mailbox dot, e.g. chickliu.ktqcxzux@claw.163.com. Do not use cod/codex plus 8 letters unless BOSS asks; the live ClawEmail API only accepted create prefixes up to 11 characters and rejected dots/hyphens during probing. See clawemail-operations reference references/clawemail-prefix-probe-2026-05.md and this skill's references/clawemail-random-suffix-policy-2026-05.md.
FIVE_SIM_API_KEY=
FIVE_SIM_BASE_URL=https://5sim.net/v1
FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia
FIVE_SIM_OPERATOR=any
FIVE_SIM_PRODUCT=openai
FIVE_SIM_SERVICE=openai
Plus Flow Steps
When PLUS_MODE_ENABLED=true, the extension switches step definitions.
PayPal Plus path:
1-5. same registration steps.
6. plus-checkout-create — create Plus Checkout.
7. plus-checkout-billing — fill billing and submit order.
8. paypal-approve — PayPal login/approval.
9. plus-checkout-return — confirm return.
10. oauth-login.
11. fetch-login-code.
12. confirm-oauth.
13. platform-verify.
GoPay/GPC helper paths use similar Plus step positions, with payment-specific logic in background/steps/create-plus-checkout.js, fill-plus-checkout.js, gopay-*, and helper API settings.
Applying Settings in the Extension
The sidepanel normally sends settings through SAVE_SETTING; the background persists keys in chrome.storage.local via PERSISTED_SETTING_KEYS.
Manual UI route:
- Open isolated Chrome profile with extension loaded.
- Open the extension side panel.
- Set
panelModeaccording toOAUTH_TARGET_MODE:sub2api→ fill SUB2API URL/email/password/group/proxy/priority.codex2api→ fill Codex2API URL/Admin Key.cpa→ fill CPA URL and management key.
- Set registration email to ClawEmail mailbox.
- Enable Plus mode only if requested.
- Select
gpc-helper/ GoPay settings when using GoPay/GPC. - Configure proxy mode if the extension manages proxy; otherwise rely on browser launch proxy.
- Save settings.
- Start manual steps or Auto Run with
RUN_COUNT=1.
Programmatic route, if writing a helper script:
- Prefer controlling the sidepanel UI or sending extension runtime messages from the extension context.
- Do not inject secrets into shell command lines where they will remain in history/process listings.
- Keep settings source in
~/.hermes/env/codex_oauth_onboarding.env.
Execution Checklist
- Load this skill and
clawemail-operations. - Read
~/.hermes/env/codex_oauth_onboarding.envlocally; validate required fields for the selected target. - Confirm payment/Plus intent if
PLUS_MODE_ENABLED=true. - Verify ClawEmail auth and selected mailbox.
- Confirm extension repo exists and tests pass if the checkout changed.
- Start a dedicated proxied browser profile with the unpacked extension.
- Open sidepanel and apply settings.
- Start one run.
- Monitor logs for:
- registration email submitted
- signup verification code fetched
- profile completed
- Plus checkout/payment status, if enabled
- OAuth URL refreshed
- login code fetched, if required
- localhost callback captured
- platform verification succeeded
- If security challenge/CAPTCHA/phone/payment confirmation appears, pause and notify BOSS.
- After success, verify target platform has the new authorized account/session.
- Redact secrets and callback codes in the final report.
Storage and Export Risk
The extension stores sensitive configuration in chrome.storage.local, including possible:
- CPA management key / password.
- SUB2API password.
- Codex2API admin key.
- Proxy username/password/API URL.
- Hotmail account passwords,
clientId,refreshToken. - PayPal account pool credentials.
- 2925 mailbox credentials.
- LuckMail / HeroSMS / 5sim / NexSMS API keys.
- Cloudflare Temp Email auth fields.
Runtime state goes mostly to chrome.storage.session, including generated email, password, codes, OAuth URL, localhost callback, and target session metadata.
The built-in export function exports getPersistedSettings() as JSON; this can include sensitive persistent settings. Treat every export as secret material.
Troubleshooting
Google Chrome stable may ignore --load-extension
On BOSS's macOS Chrome stable 147, verbose logs showed --load-extension is not allowed in Google Chrome, ignoring. In that case, ps still shows the flag but the extension card never appears. Do not keep relaunching the same way. Use the visible UI workaround: open chrome://extensions, enable Developer Mode, physically click 加载未打包的扩展程序, choose the repo folder in the macOS picker, then verify the unpacked card is ENABLED. See references/chrome-147-unpacked-extension-loading-2026-05-09.md.
PassWall2/DNS split rules still polluted
After BOSS updates PassWall2/domain split rules, verify DNS takeover before relaunching the extension. Domain rules alone are not enough if macOS still resolves chatgpt.com / accounts.openai.com through ISP/local DNS.
Run:
python3 - <<'PY'
import socket
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
PY
scutil --dns | sed -n '1,120p'
curl -I -L --max-time 20 https://chatgpt.com/
If chatgpt.com resolves to suspicious non-Cloudflare ranges such as 199.59.150.40 / 202.160.128.16, or accounts.openai.com resolves to 128.121.146.109 / 192.133.77.189 / 2001::80f2:f09b, treat it as DNS pollution and stop before registration/OAuth. Ask BOSS to fix PassWall2 DNS takeover/remote DNS/fake-ip or redir-host. See references/openai-chatgpt-browser-probe-2026-05-08.md, references/passwall2-openai-dns-pollution-2026-05-08.md, and references/openai-lan-proxy-endpoint-probe-2026-05-08.md for browser/TLS/proxy endpoint failure patterns.
When BOSS provides a LAN proxy endpoint such as socks5://192.168.2.8:1085 or http://192.168.2.8:1084, test the endpoint before launching Chrome:
ping -c 2 -W 1000 192.168.2.8 || true
nc -vz -w 5 192.168.2.8 1085 || true
curl --proxy socks5h://192.168.2.8:1085 -I -L --max-time 30 https://chatgpt.com/
Use socks5h:// with curl so DNS resolution happens through the SOCKS proxy. If proxy TCP tests fail with No route to host, stop: this is a LAN/gateway/proxy reachability problem, not an OpenAI OAuth or extension problem.
OpenAI/ChatGPT direct-connect preflight before launching Chrome
Before opening the visible Chrome registration flow, run a raw DNS/TLS preflight even if the rest of the environment looks healthy:
python3 - <<'PY'
import socket
for host in ['chatgpt.com','accounts.openai.com','auth.openai.com','openai.com']:
try:
print(host, sorted({x[4][0] for x in socket.getaddrinfo(host,443,proto=socket.IPPROTO_TCP)}))
except Exception as e:
print(host, 'ERR', e)
PY
curl -I -L --max-time 25 https://chatgpt.com/ | sed -n '1,30p'
If BROWSER_PROXY_SERVER is empty and DNS/TLS shows known pollution or transport failure, stop before launching the registration/OAuth flow. Examples observed during BOSS's Codex2API + GoPay plan-A test:
chatgpt.comresolving to non-Cloudflare/suspicious ranges such as67.230.169.182or odd IPv6 entries.accounts.openai.comresolving to suspicious ranges such as199.59.149.234/2001::....curl https://chatgpt.com/failing withLibreSSL SSL_connect: SSL_ERROR_SYSCALL.
Treat this as an environment/proxy/DNS problem, not an extension, ClawEmail, Codex2API, or account problem. Ask BOSS to fill a reachable BROWSER_PROXY_SERVER=socks5://host:port or http://host:port, then re-run proxy TCP/exit-IP/ChatGPT checks before starting Chrome. This avoids burning a registration attempt on a flow that will almost certainly stall on OpenAI auth.
PROXY='socks5h://192.168.2.8:1085'
nc -vz -w 3 192.168.2.8 1085 || true
curl --proxy "$PROXY" -I -L --max-time 25 https://chatgpt.com/ 2>&1 | sed -n '1,80p'
curl --proxy "$PROXY" --max-time 15 https://api.ipify.org 2>&1 || true
route -n get 192.168.2.8 2>/dev/null || true
arp -n 192.168.2.8 || true
ping -c 3 -W 1000 192.168.2.8 || true
If the Mac cannot reach the gateway/port (No route to host, Couldn't connect to server, ping loss), report this as a local gateway/port problem rather than continuing OAuth or extension tests. See references/passwall2-socks5-gateway-reachability-2026-05-08.md for the session example.
Extension launch appears successful but chrome://extensions is empty
Chrome/CDP can mislead in multi-profile sessions. A process may show --load-extension, and CDP may even transiently show a chrome-extension://.../service_worker.js target, while the intended unpacked extension is not actually visible or registered in the isolated profile.
Before starting OpenAI registration, verify the intended automation extension with stronger evidence:
chrome://extensions/visibly shows thecodex-oauth-automation-extensionunpacked card; orDefault/Preferenceshas anextensions.settingsentry whose manifest/path match the intended repo; or- the intended extension page/sidepanel opens and renders expected UI; or
- an extension-context runtime call reads the expected manifest/state.
If chrome://extensions is empty and extensions.settings is empty, stop before registration. Report the block as extension launch/registration failure before signup, keep the ClawEmail record pending/failed according to whether signup was actually attempted, and avoid burning the mailbox on a manual unsupported flow. See references/chrome-147-unpacked-extension-loading-2026-05-09.md for the observed Chrome 147 anomaly and debug checklist.
OpenAI verification email does not arrive in ClawEmail
A 2026-05-09 ordinary-registration test reached OpenAI's normal email-verification page with two fresh ClawEmail sub-mailboxes, but no OpenAI code arrived in inbox or spam even after resend. Both sub-mailboxes passed a self-send receive test, so the block was classified as OpenAI/ClawEmail deliverability rather than browser, proxy, extension, CAPTCHA, or phone-verification failure. See references/openai-clawemail-verification-nondelivery-2026-05-09.md.
When this happens:
- Confirm the exact email in the OpenAI page body via DOM, not OCR only.
- Poll the sub-mailbox profile, not just the default primary mailbox profile.
- Check inbox and spam.
- Send a self-test email to the sub-mailbox and verify it arrives.
- If self-test works but OpenAI mail still does not arrive after resend, stop and record
openai_email_verificationfailure; try a primary ClawEmail mailbox or another provider next.
Proxy not applied
- Visit an IP-check page in the isolated browser before starting.
- If auth proxy fails, use a local forwarding proxy wrapper.
- Do not put proxy passwords in final answers.
ClawEmail code not found
- Verify the email address submitted in step 2 matches
CLAWEMAIL_UIDor the created sub-mailbox. - Use
mail-cli mail list --fid 1 --limit 20 --jsonand inspect recent OpenAI messages. - Check spam/deleted folders if inbox is empty.
OAuth callback not captured
- Step
confirm-oauthlistens for localhost callback via webNavigation/tabs updates. - Re-run the OAuth login/confirm steps only, not the full registration, unless the auth session is invalid.
- Verify target mode settings and state value mismatch errors.
Target verify fails
- For SUB2API, verify URL/email/password/group/priority/proxy fields.
- For Codex2API, verify URL and admin key.
- For CPA, verify management origin/key and callback endpoint support.
- Do not print callback URL with
code=; redact.
Plus/GoPay fails
- Confirm Plus mode and payment method are correct.
- Confirm GPC helper URL/card key/phone/PIN/OTP channel settings.
- Stop before retrying paid operations repeatedly; ask BOSS.
See references/macos-screenshot-proxy-and-registration-prep-2026-05-09.md for the session note covering the macOS TCC screenshot fix, LAN/SOCKS5 verification, and ordinary-registration prep sequence.
See references/openai-clawemail-verification-nondelivery-2026-05-09.md for the ordinary registration test where OpenAI reached the email-verification page for two ClawEmail submailboxes, but no OpenAI verification email arrived despite submailbox self-test delivery working.
See references/openai-add-phone-5sim-sms-activation-2026-05-10.md for the phone-verification continuation where OpenAI add-phone required SMS, BOSS corrected that WhatsApp receive channels must not be used, and 5sim activation/*/openai orders plus visible country selection were identified as the right class of workflow.
See references/openai-phone-verification-5sim-sms-2026-05-10.md for the later detailed retry notes: follow configured country/default vietnam, cancel failed 5sim orders before buying new ones, treat OpenAI 无法向此电话号码发送验证码 as a number/provider rejection, and avoid CDP-only mutations that desync the React country selector back to 美国 (+1).
See references/openai-add-phone-1083-vietnam-resend-2026-05-10.md for the follow-up test requested by BOSS: switch browser proxy to socks5://192.168.2.8:1083, regenerate Codex2API OAuth URL from the origin API when the auth session expires, continue with configured-country vietnam SMS activation, and for non-rejected numbers poll 5sim then click 重新发送 before canceling/retrying.
Verification Checklist
- Config file exists at
~/.hermes/env/codex_oauth_onboarding.envwith mode-specific fields. - ClawEmail auth passes.
- Isolated browser profile is not the normal personal profile.
- Browser exit IP matches intended proxy.
- Extension is loaded and sidepanel opens.
- Only one target mode is active.
- Plus payment was explicitly approved if enabled.
- Target platform shows the OAuth account/session after verification.
- Final report redacts all secrets, callback codes, passwords, API keys, and proxy credentials.