### Problem or Use Case
Background / Problem
Currently, Hermes primarily uses the device-code flow for OpenAI Codex authentication. While this works well in many environments, some users (especially those in specific network environments or using shared credentials) may prefer or require a browser-based login flow for better compatibility and credential reuse.
Proposed Improvement
I propose adding an optional browser-based login method to the Codex provider while keeping the device-code flow as the default to ensure backward compatibility.
Key features of this proposal:
- Support `--method browser` flag for `hermes auth add openai-codex`.
- Automatically reuse existing shared Codex credentials if available.
- Interactive prompts in `hermes model` to choose between device-code and browser login when no valid credential is found.
Impact
This change will improve the onboarding experience for users who have trouble with the device-code flow and enable more flexible credential management within Hermes.
I have already implemented these changes and verified them with local tests. If the maintainers are interested, I'd be happy to submit a PR.
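Chinese content (translated to English):
Improvement description: add a browser-compatible Codex login method to Hermes
New feature: while keeping the original device-code login as the default, a new `--method browser` mode has been added.
Improved experience: when running `hermes model`, if a reusable Codex credential already exists locally, the system uses it directly; if there is no credential, the user is guided to choose between "device code" and "browser login".
Stability: the credential refresh and sync logic has been updated accordingly, ensuring runtime credentials stay consistent when switching between multiple models.
Test verification: 22 automated tests targeting Codex Auth have passed, ensuring existing flows are not broken.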
### Proposed Solution
Summary
This PR adds a browser-compatible OpenAI Codex login flow to Hermes while keeping the existing device-code flow as the default.
Hermes now supports:
- `hermes auth add openai-codex`
  - default device-code login
- `hermes auth add openai-codex --method browser`
- `hermes model`
  - if a reusable shared Codex credential already exists, Hermes uses it directly
  - otherwise Hermes prompts the user to choose:
    - device-code login
    - browser login
What Changed
- Kept device-code login as the default Codex auth path
- Added an explicit browser login path for Codex
- Updated Codex credential resolution so Hermes prefers an already-available shared credential
- Updated the interactive model-selection flow so `hermes model` can offer both login methods when needed
- Updated Codex refresh and sync behavior so Hermes keeps runtime credentials consistent
- Updated removal behavior so Hermes does not delete shared Codex credentials by default
User-Facing Behavior
Default login
hermes auth add openai-codex
### Alternatives Considered
_No response_
### Feature Type
Configuration option
### Scope
None
### Contribution
- [x] I'd like to implement this myself and submit a PR
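
The resolution order and removal behavior listed under "What Changed", as an added sketch that is not part of this issue or of Hermes's code. The function names, the JSON fields `access_token` and `expires_at`, the file-permission check, the expiry check, and the choice that a reusable shared credential wins over an explicit method are all assumptions made for illustration.

```python
import json
import stat
import time

METHODS = ("device-code", "browser")  # the two login methods named in the issue

def load_shared_credential(path, now=None):
    """Return the shared credential if reusable, else None.
    The file layout (JSON with access_token / expires_at) is an assumption."""
    now = time.time() if now is None else now
    try:
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:  # assumed hardening: skip token files open to group/other
            return None
        cred = json.loads(path.read_text())
    except (OSError, ValueError):  # missing, unreadable or malformed file
        return None
    if not isinstance(cred, dict) or not cred.get("access_token"):
        return None
    exp = cred.get("expires_at")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # expired or undated: fall through to a fresh login
    return cred

def resolve_login(shared_path, method=None, choose=None, now=None):
    """Return ("shared", cred) or (login_method, None).
    choose is a hypothetical prompt callback for the interactive flow."""
    cred = load_shared_credential(shared_path, now)
    if cred is not None:
        return "shared", cred  # assumption: reuse wins over a requested method
    if method is None and choose is not None:
        method = choose(METHODS)
    method = method or "device-code"  # device-code stays the default
    if method not in METHODS:
        raise ValueError(f"unknown login method: {method!r}")
    return method, None

def remove_credential(own_path, shared_path, include_shared=False):
    """Delete Hermes's own copy; touch the shared file only on explicit request."""
    targets = [own_path] + ([shared_path] if include_shared else [])
    removed = []
    for p in targets:
        if p.exists():
            p.unlink()
            removed.append(p)
    return removed
```

Paths are passed as `pathlib.Path` objects, and the permission check is meaningful on POSIX file systems only.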