Files
codex-oauth-plus-onboarding…/skill/codex-oauth-plus-onboarding/references/codex-oauth-token-lite-automation-flow-2026-05-10.md
T

6.3 KiB
Raw Blame History

Codex OAuth onboarding: token-lite automation flow (2026-05-10)

Goal: future runs should be script-driven and low-token. The agent should not paste every browser/5sim/mail intermediate state into chat. Use compact status lines, local logs, screenshots only on blockers, and one final summary.

Core state machine

Use one orchestrator script that owns the flow and writes structured JSONL logs under a run directory, e.g.

~/.Hermes/workspace/runs/codex-oauth/<run_id>/
  run.json
  events.jsonl
  screenshots/
  cdp-targets.json
  fivesim-orders.jsonl

Recommended phases:

  1. preflight
    • Read ~/.hermes/env/codex_oauth_onboarding.env once.
    • Redact secrets in all printed output.
    • Validate selected target mode, Codex2API origin/admin key, ClawEmail profile, browser proxy, and 5sim settings.
    • Verify proxy TCP + exit IP with short timeouts.
  2. browser_start
    • Kill only the dedicated CDP Chrome process for port 9223.
    • Start visible Chrome with a dedicated profile and --proxy-server.
    • Verify CDP /json/version and browser target.
  3. oauth_start
    • Generate a fresh target OAuth URL via target API.
    • For Codex2API, derive API origin if CODEX2API_URL includes /admin/accounts.
    • Open URL through CDP /json/new.
  4. email_login
    • Submit ClawEmail address.
    • Poll mail-cli --profile codex-current mail list --fid 1 --limit 50 --json.
    • Select latest OpenAI code by timestamp, not message-list order.
    • Fill code through CDP with React-safe value setter.
    • If OpenAI returns account_deactivated, stop the current account and mark run failed before buying 5sim numbers.
  5. phone_verify
    • Enter only if URL/text indicates add-phone.
    • Country priority: FIVE_SIM_COUNTRY_ORDER -> FIVE_SIM_COUNTRY_ID -> vietnam fallback only if both empty.
    • For each country, rotate up to PHONE_VERIFICATION_REPLACEMENT_LIMIT numbers.
    • Before buying/submitting, set visible OpenAI country selector to the intended country and verify it.
    • Buy SMS activation: /v1/user/buy/activation/{country}/{operator}/openai.
    • Submit local phone digits by visible paste/click or React-safe setter + visible submit.
    • If direct rejection (无法向此电话号码发送验证码), cancel activation and rotate.
    • If accepted/no direct rejection, poll /v1/user/check/{activationId}; if no SMS, click 重新发送, poll again, retry resend at least once, then cancel/rotate.
  6. oauth_callback
    • After phone/email success, continue consent screen if present.
    • Capture/submit callback to target API.
    • Verify target platform shows account/session.
  7. cleanup/report
    • Cancel any active 5sim order on failure.
    • Save screenshot on blocker.
    • Final response includes: phase, outcome, account email, target session id (safe), current URL class, orders tried (activation IDs + country + outcome), screenshot path if blocker. No secrets/callback codes.

Token-minimizing output rules

  • Do not stream full DOM/body text to chat.
  • Scripts should print compact JSON or single-line events, e.g.
{"phase":"phone_verify","country":"argentina","attempt":1,"activation_id":"100...","result":"direct_reject"}
{"phase":"phone_verify","country":"netherlands","attempt":2,"result":"accepted_no_sms_after_resend"}
{"phase":"email_login","result":"account_deactivated","screenshot":"/tmp/...png"}
  • Store verbose outputs in files and only surface paths.
  • Only send screenshots for blockers or when BOSS asks.
  • Use execute_code or one terminal script for loops; avoid repeated tool calls for each 5sim poll.
  • Avoid browser_snapshot/full DOM dumps unless diagnosing a selector bug.
  • Prefer CDP helper functions that return exact state classes:
    • login_page
    • email_code_page
    • add_phone_page
    • phone_code_page
    • account_deactivated
    • cloudflare_or_challenge
    • unknown

Correct 5sim country handling

Current env can include both:

FIVE_SIM_COUNTRY_ORDER=argentina,netherlands,indonesia
FIVE_SIM_COUNTRY_ID=
PHONE_VERIFICATION_REPLACEMENT_LIMIT=3

Do not ignore FIVE_SIM_COUNTRY_ORDER. Country order should be:

  1. Split non-empty FIVE_SIM_COUNTRY_ORDER by comma and trim.
  2. Else use non-empty FIVE_SIM_COUNTRY_ID.
  3. Else fallback to original extension default vietnam.

Known OpenAI Chinese labels/prefixes used in visible country selector:

argentina      阿根廷 (+54)
netherlands    荷兰 (+31)
indonesia      印度尼西亚 (+62)
vietnam        越南 (+84)
england        英国 (+44)
japan          日本 (+81)
germany        德国 (+49)

Known pitfalls from completed run

  • Proxy switch can invalidate OpenAI auth session; always be ready to regenerate target OAuth URL and redo email login.
  • CODEX2API_URL may be a web admin page; use origin for API calls.
  • CDP-only phone/country changes can desync React state and submit the number under 美国 (+1). Verify visible selector before buying/submitting.
  • A page returning account_deactivated after email-code submit means the current account is no longer usable; do not spend 5sim numbers on it.
  • Clicking/resending on a non-rejected phone may leave the flow at 电子邮件地址已验证; if continuing same account, reopen current OAuth URL and redo login. If account_deactivated, stop.
  • Chrome stable may require visible profile/UI; keep a visible browser for auth pages.

Suggested implementation artifact

Create or maintain a reusable local script, e.g.

/Users/chick/.Hermes/workspace/scripts/codex_oauth_onboarding_runner.py

It should accept flags:

python3 codex_oauth_onboarding_runner.py \
  --env ~/.hermes/env/codex_oauth_onboarding.env \
  --mode codex2api \
  --proxy-from-env \
  --run-once \
  --max-phone-countries-from-env \
  --screenshot-on-blocker

The script should be idempotent enough to resume from email_login or phone_verify if the browser is already open, but should default to a clean profile per run.

Final report template

结果:失败/成功
阶段:email_login / phone_verify / oauth_callback
邮箱:...
代理:socks5://192.168.2.8:1085(出口 IP: ...
目标:Codex2API session_id=...
手机验证:argentina[...], netherlands[...], indonesia[...]
阻塞原因:account_deactivated / no_sms_after_resend / direct_reject_all / challenge
截图:MEDIA:/path/to/screenshot.png
下一步:...