theclawbay 0.1.13 → 0.1.15

package/dist/commands/agent.js

@@ -231,9 +231,13 @@ class AgentCommand extends base_command_1.BaseCommand {
                 const filePath = node_path_1.default.join(paths_1.accountsDir, `${account.name}.json`);
                 try {
                     const verification = (0, sync_accounts_1.buildVerificationRequestConfig)(managed, account);
+                    const requiresLocalOtp = verification === null;
+                    if (requiresLocalOtp) {
+                        this.log(`Banned-signal check for "${accountName}" will use local browser OTP flow (Outlook mailbox detected).`);
+                    }
                     await (0, account_login_1.createAuthSnapshotForAccount)(account, filePath, {
-                        oauthShowBrowser: flags.showBrowser,
-                        verification,
+                        oauthShowBrowser: flags.showBrowser || requiresLocalOtp,
+                        verification: verification !== null && verification !== void 0 ? verification : undefined,
                         log: (message) => this.log(message),
                     });
                     banVerificationState.set(accountName, { checkedAtMs: nowMs, confirmed: false });

package/dist/lib/agent/account-login.js

@@ -16,6 +16,7 @@ const ZENDRIVER_IMPORT_ERROR_TOKEN = "THECLAWBAY_ZENDRIVER_IMPORT_ERROR";
 const ZENDRIVER_ERROR_TOKEN = "THECLAWBAY_ZENDRIVER_ERROR";
 const ZENDRIVER_LAUNCH_TIMEOUT_MS = 15000;
 const ACCOUNT_DEACTIVATED_ERROR_MARKER = "THECLAWBAY_ACCOUNT_DEACTIVATED";
+const CAPTCHA_CHALLENGE_ERROR_MARKER = "THECLAWBAY_CAPTCHA_CHALLENGE";
 const DEFAULT_WIN_PATH_EXTENSIONS = [".EXE", ".CMD", ".BAT", ".COM"];
 function trimWrappingQuotes(value) {
     const trimmed = value.trim();
@@ -229,6 +230,8 @@ LOG_TOKEN = "THECLAWBAY_ZENDRIVER_LOG"
 IMPORT_ERROR_TOKEN = "THECLAWBAY_ZENDRIVER_IMPORT_ERROR"
 ERROR_TOKEN = "${ZENDRIVER_ERROR_TOKEN}"
 ACCOUNT_DEACTIVATED_TOKEN = "${ACCOUNT_DEACTIVATED_ERROR_MARKER}"
+CAPTCHA_CHALLENGE_TOKEN = "${CAPTCHA_CHALLENGE_ERROR_MARKER}"
+ALLOW_MANUAL_OTP = os.environ.get("THECLAWBAY_ALLOW_MANUAL_OTP", "").strip() == "1"
 
 try:
     import zendriver as zd
@@ -297,6 +300,15 @@ OTP_PROMPT_SNIPPETS = [
     "código de verificação",
     "código de confirmação",
 ]
+CAPTCHA_PROMPT_SNIPPETS = [
+    "captcha",
+    "verify you are human",
+    "prove you're human",
+    "human verification",
+    "security challenge",
+    "security check",
+    "i'm not a robot",
+]
 CONSENT_PROMPT_SNIPPETS = [
     "allow access",
     "authorize",
@@ -316,6 +328,32 @@ ACCOUNT_DEACTIVATED_SNIPPETS = [
 ]
 
 
+def _extract_email_domain(email):
+    value = str(email or "").strip().lower()
+    at = value.rfind("@")
+    if at < 0 or at == len(value) - 1:
+        return ""
+    return value[at + 1 :]
+
+
+def _is_outlook_domain(domain):
+    if not domain:
+        return False
+    if domain in ("outlook.com", "hotmail.com", "live.com", "msn.com"):
+        return True
+    return (
+        domain.startswith("outlook.")
+        or domain.startswith("hotmail.")
+        or domain.startswith("live.")
+        or domain.startswith("msn.")
+    )
+
+
+PREFER_OUTLOOK_LOCAL = _is_outlook_domain(
+    _extract_email_domain(VERIFICATION_ACCOUNT_EMAIL or LOGIN_EMAIL)
+)
+
+
 def _log(message):
     print(LOG_TOKEN + ":" + str(message), flush=True)
 
@@ -554,6 +592,14 @@ async def _fill_otp(tab, code):
         return "missing"
 
 
+async def _open_outlook_mail_tab(tab):
+    try:
+        opened = await tab.evaluate("(() => { window.open('https://outlook.live.com/mail/0/', '_blank'); return true; })()")
+        return bool(opened)
+    except Exception:
+        return False
+
+
 def _contains_snippet(html, snippets):
     return any(snippet in html for snippet in snippets)
 
@@ -574,6 +620,10 @@ def _is_account_deactivated_state(html):
     return _contains_snippet(html, ACCOUNT_DEACTIVATED_SNIPPETS)
 
 
+def _is_captcha_state(html):
+    return _contains_snippet(html, CAPTCHA_PROMPT_SNIPPETS)
+
+
 def _request_verification_code_sync():
     if not VERIFICATION_ENDPOINT or not VERIFICATION_AUTH:
         raise RuntimeError("verification endpoint/auth missing for OTP retrieval")
@@ -660,6 +710,8 @@ async def _automation_loop(tab):
     otp_submit_attempts = 0
     otp_total_submit_attempts = 0
     otp_needs_submit = False
+    manual_otp_mode = False
+    outlook_tab_opened = False
     transient_error_hits = 0
     success_seen_at = 0.0
 
@@ -673,6 +725,15 @@ async def _automation_loop(tab):
                 ACCOUNT_DEACTIVATED_TOKEN + ": OpenAI reported this account is deleted or deactivated."
             )
 
+        if _is_captcha_state(html):
+            if show:
+                _log("captcha/security challenge detected; complete it manually in this browser")
+                await asyncio.sleep(0.9)
+                continue
+            raise RuntimeError(
+                CAPTCHA_CHALLENGE_TOKEN + ": captcha/security challenge detected and browser is headless"
+            )
+
         if _is_success_state(html, current_url):
             if success_seen_at <= 0.0:
                 success_seen_at = now
@@ -740,9 +801,41 @@ async def _automation_loop(tab):
                 continue
 
         if _contains_snippet(html, OTP_PROMPT_SNIPPETS):
+            if manual_otp_mode:
+                await asyncio.sleep(0.9)
+                continue
             if not otp_code:
+                if not VERIFICATION_ENDPOINT or not VERIFICATION_AUTH:
+                    if show and ALLOW_MANUAL_OTP:
+                        manual_otp_mode = True
+                        if PREFER_OUTLOOK_LOCAL and not outlook_tab_opened:
+                            outlook_tab_opened = await _open_outlook_mail_tab(tab)
+                            if outlook_tab_opened:
+                                _log("opened Outlook mailbox tab for local OTP retrieval")
+                        _log("backend OTP API disabled for this account; enter OTP manually in this browser to continue")
+                        await asyncio.sleep(0.9)
+                        continue
+                    raise RuntimeError("verification endpoint/auth missing for OTP retrieval")
+
                 _log("requesting OTP code from backend")
-                otp_code = await asyncio.to_thread(_request_verification_code_sync)
+                try:
+                    otp_code = await asyncio.to_thread(_request_verification_code_sync)
+                except Exception as exc:
+                    reason = _compact_error_text(exc)
+                    if show and ALLOW_MANUAL_OTP:
+                        manual_otp_mode = True
+                        if PREFER_OUTLOOK_LOCAL and not outlook_tab_opened:
+                            outlook_tab_opened = await _open_outlook_mail_tab(tab)
+                            if outlook_tab_opened:
+                                _log("opened Outlook mailbox tab for local OTP retrieval")
+                        _log(
+                            "backend OTP retrieval failed"
+                            + (f" ({reason})" if reason else "")
+                            + "; enter OTP manually in this browser to continue"
+                        )
+                        await asyncio.sleep(0.9)
+                        continue
+                    raise
                 _log("received OTP code from backend")
                 otp_submit_attempts = 0
                 otp_needs_submit = True
@@ -883,6 +976,21 @@ function extractZendriverFailureReason(output) {
         return summarizeErrorDetails(runtimeError, 700);
     return null;
 }
+function isCaptchaChallengeAuthError(error) {
+    if (!(error instanceof Error))
+        return false;
+    const message = error.message.toLowerCase();
+    return (message.includes(CAPTCHA_CHALLENGE_ERROR_MARKER.toLowerCase()) ||
+        message.includes("captcha/security challenge detected"));
+}
+function isBackendOtpRetrievalAuthError(error) {
+    if (!(error instanceof Error))
+        return false;
+    const message = error.message.toLowerCase();
+    return (message.includes("backend verification job failed") ||
+        message.includes("backend verification request failed") ||
+        message.includes("timed out waiting for verification code"));
+}
 function extractOauthAuthorizeUrl(output) {
     var _a, _b, _c;
     const cleaned = stripAnsi(output);
@@ -922,6 +1030,7 @@ async function launchWithZendriverPython(pythonBin, oauthUrl, showBrowser, autom
             THECLAWBAY_VERIFICATION_AUTH: (_d = (_c = automation.verification) === null || _c === void 0 ? void 0 : _c.authorization) !== null && _d !== void 0 ? _d : "",
             THECLAWBAY_VERIFICATION_ACCOUNT_EMAIL: (_f = (_e = automation.verification) === null || _e === void 0 ? void 0 : _e.accountEmail) !== null && _f !== void 0 ? _f : automation.loginEmail,
             THECLAWBAY_VERIFICATION_ACCOUNT_NAME: (_h = (_g = automation.verification) === null || _g === void 0 ? void 0 : _g.accountName) !== null && _h !== void 0 ? _h : "",
+            THECLAWBAY_ALLOW_MANUAL_OTP: automation.allowManualOtpFallback ? "1" : "",
         },
     });
     return new Promise((resolve) => {
@@ -1090,7 +1199,10 @@ async function runCodexBrowserOAuth(codexHome, codexSpawnPlan, timeoutMs, automa
         if (!oauthUrl)
             return;
         oauthUrlDiscovered = true;
-        browserSessionTask = launchOauthUrlInZendriver(oauthUrl, options.showBrowser === true, automation, options.log)
+        browserSessionTask = launchOauthUrlInZendriver(oauthUrl, options.showBrowser === true, {
+            ...automation,
+            allowManualOtpFallback: options.allowManualOtpFallback === true,
+        }, options.log)
             .then((session) => {
             oauthBrowserStarted = true;
             const runtimeTask = session
@@ -1240,15 +1352,41 @@ async function createAuthSnapshotForAccount(account, destinationPath, options) {
     const authPath = node_path_1.default.join(tempCodexHome, "auth.json");
     try {
         log === null || log === void 0 ? void 0 : log(`[${account.name}] starting Codex OAuth login flow`);
-        await runCodexBrowserOAuth(tempCodexHome, codexSpawnPlan, timeoutMs, {
-            accountName: account.name,
-            loginEmail: account.loginEmail,
-            loginPassword: account.loginPassword,
-            verification: options.verification,
-        }, {
-            log,
-            showBrowser: oauthShowBrowser,
-        });
+        try {
+            await runCodexBrowserOAuth(tempCodexHome, codexSpawnPlan, timeoutMs, {
+                accountName: account.name,
+                loginEmail: account.loginEmail,
+                loginPassword: account.loginPassword,
+                verification: options.verification,
+            }, {
+                log,
+                showBrowser: oauthShowBrowser,
+                allowManualOtpFallback: oauthShowBrowser,
+            });
+        }
+        catch (error) {
+            const shouldRetryInVisibleBrowser = !oauthShowBrowser &&
+                (isCaptchaChallengeAuthError(error) || isBackendOtpRetrievalAuthError(error));
+            if (!shouldRetryInVisibleBrowser) {
+                throw error;
+            }
+            if (isCaptchaChallengeAuthError(error)) {
+                log === null || log === void 0 ? void 0 : log(`[${account.name}] captcha/security challenge detected; reopening visible browser for manual completion`);
+            }
+            else {
+                log === null || log === void 0 ? void 0 : log(`[${account.name}] backend OTP fetch failed; reopening visible browser so OTP can be completed manually`);
+            }
+            await runCodexBrowserOAuth(tempCodexHome, codexSpawnPlan, timeoutMs, {
+                accountName: account.name,
+                loginEmail: account.loginEmail,
+                loginPassword: account.loginPassword,
+                verification: options.verification,
+            }, {
+                log,
+                showBrowser: true,
+                allowManualOtpFallback: true,
+            });
+        }
         const authReady = await waitForFile(authPath, 2500);
         if (!authReady) {
             throw new Error("Codex OAuth login finished without auth.json (login not completed).");

package/dist/lib/agent/sync-accounts.d.ts

@@ -6,7 +6,8 @@ export type ManagedAccountPayload = {
     loginPassword?: string | null;
 };
 export declare function normalizeManagedCredentialAccount(item: ManagedAccountPayload): ManagedCredentialAccount | null;
-export declare function buildVerificationRequestConfig(managedConfig: ManagedConfig, account: ManagedCredentialAccount): VerificationRequestConfig;
+export declare function requiresLocalOtpAutomation(account: ManagedCredentialAccount): boolean;
+export declare function buildVerificationRequestConfig(managedConfig: ManagedConfig, account: ManagedCredentialAccount): VerificationRequestConfig | null;
 export declare function syncManagedAccounts(accounts: ManagedAccountPayload[], options: {
     managedConfig: ManagedConfig;
     log?: (message: string) => void;

package/dist/lib/agent/sync-accounts.js

@@ -4,6 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.normalizeManagedCredentialAccount = normalizeManagedCredentialAccount;
+exports.requiresLocalOtpAutomation = requiresLocalOtpAutomation;
 exports.buildVerificationRequestConfig = buildVerificationRequestConfig;
 exports.syncManagedAccounts = syncManagedAccounts;
 const node_crypto_1 = require("node:crypto");
@@ -13,6 +14,8 @@ const account_service_1 = require("../accounts/account-service");
 const paths_1 = require("../config/paths");
 const account_login_1 = require("./account-login");
 const ACCOUNT_NAME_PATTERN = /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/;
+const OUTLOOK_EXACT_DOMAINS = new Set(["outlook.com", "hotmail.com", "live.com", "msn.com"]);
+const OUTLOOK_DOMAIN_PREFIXES = ["outlook.", "hotmail.", "live.", "msn."];
 const EMPTY_STATE = {
     version: 1,
     accounts: {},
@@ -45,8 +48,32 @@ function joinUrl(base, pathname) {
     url.pathname = `${url.pathname.replace(/\/+$/g, "")}${pathname.startsWith("/") ? "" : "/"}${pathname}`;
     return url.toString();
 }
+function extractEmailDomain(email) {
+    const normalized = email.trim().toLowerCase();
+    const atIndex = normalized.lastIndexOf("@");
+    if (atIndex < 0 || atIndex === normalized.length - 1)
+        return "";
+    return normalized.slice(atIndex + 1);
+}
+function isOutlookDomain(domain) {
+    if (!domain)
+        return false;
+    if (OUTLOOK_EXACT_DOMAINS.has(domain))
+        return true;
+    for (const prefix of OUTLOOK_DOMAIN_PREFIXES) {
+        if (domain.startsWith(prefix))
+            return true;
+    }
+    return false;
+}
+function requiresLocalOtpAutomation(account) {
+    return isOutlookDomain(extractEmailDomain(account.loginEmail));
+}
 function buildVerificationRequestConfig(managedConfig, account) {
     var _a, _b, _c;
+    if (requiresLocalOtpAutomation(account)) {
+        return null;
+    }
     if (managedConfig.authType === "apiKey") {
         return {
             endpoint: joinUrl(managedConfig.backendUrl, "/api/codex-auth/v1/verification-code"),
@@ -129,10 +156,14 @@ async function syncManagedAccounts(accounts, options) {
             log === null || log === void 0 ? void 0 : log(`[${account.name}] refreshing account session via Codex OAuth login`);
             try {
                 const verification = buildVerificationRequestConfig(options.managedConfig, account);
+                const requiresLocalOtp = verification === null;
+                if (requiresLocalOtp) {
+                    log === null || log === void 0 ? void 0 : log(`[${account.name}] outlook mailbox detected; skipping backend OTP API and using local browser OTP flow`);
+                }
                 await (0, account_login_1.createAuthSnapshotForAccount)(account, filePath, {
                     log,
-                    oauthShowBrowser: options.oauthShowBrowser,
-                    verification,
+                    oauthShowBrowser: options.oauthShowBrowser || requiresLocalOtp,
+                    verification: verification !== null && verification !== void 0 ? verification : undefined,
                 });
                 log === null || log === void 0 ? void 0 : log(`[${account.name}] account session refreshed`);
             }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "theclawbay",
-  "version": "0.1.13",
+  "version": "0.1.15",
   "description": "The Claw Bay CLI: manage and auto-switch between Codex accounts.",
   "license": "MIT",
   "bin": {