Files
codex-oauth-plus-onboarding…/skill/codex-oauth-plus-onboarding/references/codex-oauth-current-status-2026-05-10.md
T

267 lines
8.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Codex OAuth onboarding status summary (2026-05-10)
This document consolidates the current Hermes-driven Codex2API/OpenAI OAuth onboarding findings, local automation changes, and failed phone-verification attempts. Secrets, full proxy strings, passwords, API keys, full phone numbers, and callback URLs are intentionally omitted.
## Current objective
Run a single OpenAI/Codex OAuth registration/onboarding flow through Codex2API using:
- fresh ClawEmail sub-mailbox;
- 1085 proxy/browser profile;
- OpenAI email verification;
- OpenAI add-phone phone verification;
- 5sim SMS activation only, not WhatsApp.
## Stable environment facts
- Codex2API OAuth target is configured in `~/.hermes/env/codex_oauth_onboarding.env`.
- 5sim provider is configured for SMS activation:
- `PHONE_SMS_PROVIDER=5sim`
- `FIVE_SIM_OPERATOR=any`
- `FIVE_SIM_PRODUCT=openai`
- `FIVE_SIM_SERVICE=openai`
- The original 5sim activation endpoint shape remains:
- `/v1/user/buy/activation/{country}/any/openai`
- BOSS requested SMS-only. Do not switch to WhatsApp providers unless BOSS explicitly approves.
## ClawEmail mailbox and permission flow
Old sub-mailboxes were deleted to clear quota.
Fresh mailbox created:
```text
chickliu.wnjmwncq@claw.163.com
```
Important ClawEmail discovery:
- Newly-created sub-mailboxes defaulted to internal-only receive:
- `commLevel=1`
- `extReceiveType=0`
- OpenAI verification emails do not arrive until external receive is enabled.
Persistent ClawEmail Dashboard browser profile:
```text
/Users/chick/.Hermes/workspace/browser-profiles/clawemail-dashboard-persistent
CDP port: 9224
```
Dashboard API base:
```text
https://claw.163.com/mailserv-claw-dashboard
```
Permission update API:
```text
POST /api/v1/mailboxes/comm-settings?id=<mailboxId>
body: {"commLevel":2,"extReceiveType":1,"extSendType":0}
```
Verification command:
```bash
mail-cli clawemail info --uid <submailbox> --json
```
Expected values:
```text
commLevel=2
extReceiveType=1
```
This has been added as a mandatory gate: after creating a ClawEmail sub-mailbox, immediately enable/verify external receive before submitting the mailbox to OpenAI.
## OpenAI registration and email verification
The fresh mailbox successfully reached and passed OpenAI email verification after the ClawEmail receive permission was corrected.
The flow can reliably reach:
```text
https://auth.openai.com/add-phone
```
If OpenAI auth/session becomes broken or phone verification navigation returns a Chrome/OpenAI error page, recovery is to generate a new Codex2API OAuth URL and log in with the same verified email/password; it returns to `add-phone`.
## Strict phone country/area-code gate
A bug occurred where an Indonesia 5sim number was submitted while the OpenAI page selector had silently reverted to `美国 (+1)`. That invalid attempt was canceled and excluded.
Mandatory gate now implemented:
1. Before buying a 5sim number, verify:
- native `select.value` equals target ISO;
- visible country text equals expected country/dial code.
2. After filling the number and immediately before clicking Continue, verify the same two conditions again.
3. If either check fails:
- do not click Continue;
- cancel any just-bought activation;
- reset selector and retry.
Known mappings:
| 5sim country | OpenAI ISO | Visible text | Prefix |
| --- | --- | --- | --- |
| `argentina` | `AR` | `阿根廷 (+54)` | `54` |
| `netherlands` | `NL` | `荷兰 (+31)` | `31` |
| `indonesia` | `ID` | `印度尼西亚 (+62)` | `62` |
| `england` | `GB` | `英国 (+44)` | `44` |
Reliable selector set:
```js
const sel = document.querySelector('select');
sel.focus();
sel.value = 'GB';
sel.dispatchEvent(new Event('input', { bubbles: true }));
sel.dispatchEvent(new Event('change', { bubbles: true }));
await new Promise(r => setTimeout(r, 800));
```
Gate check:
```js
const visibleCountry = [...document.querySelectorAll('button')]
.map(b => b.innerText)
.find(t => /\(\+\d+\)/.test(t));
const selectValue = document.querySelector('select')?.value;
```
## Phone-verification attempts completed
All phone attempts used 5sim SMS activation for `openai`, not WhatsApp.
### Earlier country-order run
Configured order at that time:
```text
argentina -> netherlands -> indonesia
```
Results:
| Country | Activation IDs observed | Result |
| --- | --- | --- |
| Argentina | `1006713742`, `1006724245` and additional strict-run attempts | OpenAI accepted/waited, no SMS after polling/resend; orders canceled. |
| Netherlands | `1006714867`, `1006733450` and additional strict-run attempts | OpenAI accepted/waited, no SMS after polling/resend; orders canceled. |
| Indonesia | `1006715764`, `1006722837` | Correct `+62` attempt received no SMS after polling/resend; orders canceled. |
Invalid/corrected attempt:
- `1006721757` was bought for Indonesia but page was still `美国 (+1)`, so it was canceled and excluded.
### United Kingdom +44 run
BOSS requested switching to UK +44.
Config was changed to:
```text
FIVE_SIM_COUNTRY_ORDER=england
PHONE_VERIFICATION_REPLACEMENT_LIMIT=10
```
OpenAI country gate confirmed:
```text
英国 (+44)
selectValue=GB
```
UK run outcome:
- Attempts: 10
- Last activation ID: `1006738454`
- Result: all attempts reached waiting/phone-verification state, but 5sim SMS stayed `RECEIVED` with `sms_count=0` through initial polling and after resend; every order was canceled.
- Final phase: `phone_failed_all`
## Official extension update learned
Official repo inspected:
```text
https://github.com/QLHazyCoder/codex-oauth-automation-extension
local old: 7dc5cf2
upstream latest inspected: 6bd00db
```
Relevant changed files:
- `background/phone-verification-flow.js`
- `content/phone-auth.js`
- `phone-sms/providers/five-sim.js`
- `tests/phone-auth-country-match.test.js`
- `tests/phone-verification-flow.test.js`
Adopted improvements:
1. Probe resend channel before clicking.
- Detect `whatsapp`, `sms`, or `unknown` using button `value`, `aria-label`, `title`, `innerText`, `textContent`.
- If WhatsApp is detected and policy is SMS-only, cancel current SMS activation and do not click resend.
2. Classify HTTP 500/contact-verification pages.
- Match `This page isnt working`, `currently unable to handle this request`, `HTTP ERROR 500`, `500 Internal Server Error`.
- Cancel current activation and recover back to `add-phone`.
3. Broaden direct-delivery-refused detection.
- Match Chinese/English variants of `无法向此电话号码发送验证码` / cannot send SMS/text/code to this number.
4. Add UK mapping.
- 5sim: `england`; OpenAI: `GB`, `英国 (+44)`, prefix `44`.
5. Add stale `/email-verification` guard.
- If the phone flow unexpectedly returns to email verification, stop and do not burn more phone activations.
6. Emit compact waiting/polling JSONL so long waits are visible without dumping DOM.
Local runner patched:
```text
/tmp/phone_verify_strict_gate_10.py
```
Persistent skill references added:
- `references/openai-add-phone-strict-country-gate-2026-05-10.md`
- `references/official-extension-phone-update-2026-05-10.md`
- `references/openai-1085-clawemail-permission-phone-results-2026-05-10.md`
## Current conclusion
The non-phone parts are now repeatable:
```text
Create ClawEmail sub-mailbox
-> enable external receive
-> Codex2API OAuth
-> OpenAI register/login
-> email verification
-> add-phone
```
Phone verification remains blocked. Tested SMS-only countries/regions all failed to receive SMS through 5sim:
```text
Argentina
Netherlands
Indonesia
United Kingdom +44
```
Observed common pattern:
```text
OpenAI may accept the phone and show phone-verification/waiting state,
but 5sim SMS activation receives no code even after resend.
```
Some pages/resend controls may indicate WhatsApp delivery. Under BOSS's SMS-only policy, the runner must not click WhatsApp resend or switch to WhatsApp receiving automatically.
## Recommended next experiments
1. Try a different SMS provider supported by the official extension, such as HeroSMS or NexSMS, while staying SMS-only.
2. Try countries from the official HeroSMS prefix hints: Thailand `+66`, Vietnam `+84`, Japan `+81`, Germany `+49`, France `+33`, USA `+1` only if BOSS approves.
3. Keep the strict country gate and resend-channel probe in all future runs.
4. If OpenAI explicitly selects WhatsApp delivery and BOSS still requires SMS-only, stop early before buying SMS numbers.