Hermes openai-codex fails on same machine/network where official Codex CLI still works

[army-u8]

Hermes openai-codex fails on same machine/network where official Codex CLI still works

Summary

On the same macOS machine and same network:

• official codex CLI is logged in with ChatGPT and can still complete core model responses
• Hermes Agent configured with openai-codex repeatedly fails in gateway/chat usage with:
  • APIConnectionError
  • APITimeoutError
  • final user-visible message: API failed after 3 retries — Connection error.

This suggests Hermes' openai-codex compatibility path is not equivalent to the official Codex CLI transport on this environment, even though both target ChatGPT/Codex-backed auth.

Environment

• OS: macOS 15.6 (arm64)
• Hermes: main branch around tag v2026.4.16
• Hermes provider: openai-codex
• Hermes base URL: https://chatgpt.com/backend-api/codex
• Official Codex CLI: codex-cli 0.120.0

What happens in Hermes

Hermes gateway/chat receives the inbound message, but model calls fail repeatedly.

Observed Hermes logs:

API call failed (attempt 1/3): APIConnectionError
Provider: openai-codex  Model: gpt-5.4
Endpoint: https://chatgpt.com/backend-api/codex
Error: Connection error.

API call failed (attempt 1/3): APITimeoutError
Provider: openai-codex  Model: gpt-5.4
Endpoint: https://chatgpt.com/backend-api/codex
Error: Request timed out.

Max retries (3) exhausted — trying fallback...
API failed after 3 retries — Connection error.

hermes status shows:

• OpenAI Codex auth: logged in
• Gateway service: running

So this does not appear to be a basic login/config/service-startup failure.

Direct endpoint behavior from shell

A simple curl to the Codex backend shows Cloudflare mitigation on this machine/network:

HTTP/2 403
cf-mitigated: challenge

This is consistent with Hermes source comments in agent/auxiliary_client.py noting that chatgpt.com/backend-api/codex is behind Cloudflare and may reject requests with 403 / cf-mitigated: challenge.

What happens in official Codex CLI on the same machine/network

Official Codex CLI is logged in successfully:

$ codex login status
Logged in using ChatGPT

Official Codex CLI local logs show successful core response flow on this same machine:

• codex_api::endpoint::responses_websocket
• codex_api::sse::responses
• response.created
• response.in_progress
• response.completed

So the official CLI is still able to complete at least the main response path here.

Important nuance

Official Codex CLI is not completely free of 403s on this machine. Its logs also show 403s for some auxiliary endpoints, e.g.:

• https://chatgpt.com/backend-api/plugins/featured
• analytics/events-related calls
• discoverable tool/apps list calls

However, despite those 403s, the official CLI can still complete core model responses.

Hermes, by contrast, fails on the main Codex request path with timeouts / connection errors.

Why this looks like a Hermes compatibility gap

From source inspection:

• Hermes openai-codex uses https://chatgpt.com/backend-api/codex
• Hermes sets _codex_cloudflare_headers(...) to mimic approved originators
• Hermes appears to use an OpenAI-compatible client + custom wrapping (codex_responses mode)
• Official Codex CLI appears to use a more native transport path involving websocket/SSE response handling

So on this environment, Hermes may be close to the official client but not close enough to pass whatever backend expectations/mitigations affect the main response path.

Expected behavior

If official Codex CLI can successfully complete core responses on the same machine/network with the same login family, Hermes openai-codex should ideally also be able to complete core responses, or at least degrade in a way that matches the official transport path more closely.

Actual behavior

Hermes repeatedly times out / connection-fails on the main Codex path and becomes unusable in gateway/chat flows.

Repro outline

1. Log in to official Codex CLI with ChatGPT
2. Confirm codex login status succeeds
3. Confirm official Codex CLI can still complete at least one normal prompt on the same machine/network
4. Configure Hermes to use openai-codex
5. Send a message through Hermes gateway or Hermes chat
6. Observe repeated APIConnectionError / APITimeoutError against https://chatgpt.com/backend-api/codex

Questions

1. Is Hermes' openai-codex path known to differ materially from the official Codex CLI transport in ways that could explain this?
2. Is there a known issue where official Codex CLI still works but Hermes openai-codex fails on the same machine/network?
3. Should Hermes be reusing a more native Codex transport path for the primary response flow instead of an OpenAI-compatible compatibility layer?
4. Are there additional headers / handshake / websocket behaviors the official client uses that Hermes does not yet mirror?

Relevant local observations

• Hermes source explicitly comments that Cloudflare can reject Codex backend calls
• Official Codex CLI shows successful responses_websocket / sse activity locally
• Hermes fails on the primary model request path, not just plugin/analytics side endpoints

If useful, I can provide

• sanitized Hermes logs
• sanitized codex local log excerpts
• exact Hermes config fields for provider/model/api_mode

[army-u8]

Additional datapoint: OpenClaw using openai-codex works normally in this environment.

On the same machine, same network, and same Codex/ChatGPT login family:

• official Codex CLI works
• OpenClaw with openai-codex works
• Hermes with openai-codex fails on the primary request path

That makes this look even more like a Hermes-specific compatibility/transport gap rather than a general Codex login or network issue.

[pinion05]

Related narrower repro: #22207

This looks related to the broader Codex/Cloudflare transport gap here, but #22207 is a more specific case:

• main Hermes text chat works
• Codex token is present
• only the auxiliary vision path fails
• even task="vision" text-only calls fail with the same Cloudflare HTML (Enable JavaScript and cookies to continue)
• a minimal keepalive/proxy-aware auxiliary client patch did not change the outcome

So the failure scope in #22207 appears narrower than “all openai-codex requests fail” and may help isolate the auxiliary vision / Responses path specifically.

[dracossan]

same here

 No first byte from provider in 45s (codex stream, model: gpt-5.5). Reconnecting.
⚠️  API call failed (attempt 1/3): APIConnectionError
   🔌 Provider: openai-codex  Model: gpt-5.5
   🌐 Endpoint: https://chatgpt.com/backend-api/codex
   📝 Error: Connection error.
⏳ Retrying in 2.3s (attempt 1/3)...
  ┊ 📚 skill     subagent-driven-development  0.0s
  ┊ 📚 skill     test-driven-development  0.0s
⚠️ No first byte from provider in 45s (codex stream, model: gpt-5.5). Reconnecting.
⚠️  API call failed (attempt 1/3): APIConnectionError
   🔌 Provider: openai-codex  Model: gpt-5.5
   🌐 Endpoint: https://chatgpt.com/backend-api/codex
   📝 Error: Connection error.
⏳ Retrying in 2.5s (attempt 1/3)...
  tests.md  0.0s
⚠️ No first byte from provider in 45s (codex stream, model: gpt-5.5). Reconnecting.
⚠️  API call failed (attempt 1/3): APIConnectionError
   🔌 Provider: openai-codex  Model: gpt-5.5
   🌐 Endpoint: https://chatgpt.com/backend-api/codex
   📝 Error: Connection error.
⏳ Retrying in 2.7s (attempt 1/3)...
  ┊ 📋 plan      7 task(s)  0.0s
⚠️ No first byte from provider in 45s (codex stream, model: gpt-5.5). Reconnecting.
⚠️  API call failed (attempt 1/3): APIConnectionError
   🔌 Provider: openai-codex  Model: gpt-5.5
   🌐 Endpoint: https://chatgpt.com/backend-api/codex
   📝 Error: Connection error.
⏳ Retrying in 2.5s (attempt 1/3)...
[subagent-0] ⚠️ No first byte from provider in 45s (codex stream, model: gpt-5.5). Reconnecting.
[subagent-0] ⚠️  API call failed (attempt 1/3): APIConnectionError
[subagent-0]    🔌 Provider: openai-codex  Model: gpt-5.5
[subagent-0]    🌐 Endpoint: https://chatgpt.com/backend-api/codex
[subagent-0]    📝 Error: Connection error.
[subagent-0]    ⏱️  Elapsed: 45.01s  Context: 2 msgs, ~2,228 tokens
[subagent-0] ⏳ Retrying in 2.1s (attempt 1/3)...

[EggsBlue]

same here.

I use main branch, but still get the same error.

2026-05-27 05:47:44,008 WARNING [20260527_054604_567e03c2] agent.chat_completion_helpers: Codex stream produced no bytes within TTFB cutoff (45s > 45s, model=gpt-5.5). Backend accepted the connection but sent no stream events. Killing connection so the retry loop can reconnect.
2026-05-27 05:47:44,009 INFO [20260527_054604_567e03c2] run_agent: OpenAI client aborted (codex_ttfb_kill, shared=False, tcp_force_closed=1, deferred_close=stranger_thread) thread=asyncio_2:139969115612864 provider=openai-codex base_url=https://chatgpt.com/backend-api/codex model=gpt-5.5
2026-05-27 05:47:44,010 INFO run_agent: OpenAI client closed (request_complete, shared=False, tcp_force_closed=0) thread=Thread-9 (_call):139968876902080 provider=openai-codex base_url=https://chatgpt.com/backend-api/codex model=gpt-5.5
2026-05-27 05:47:44,013 WARNING [20260527_054604_567e03c2] agent.conversation_loop: API call failed (attempt 1/3) error_type=APIConnectionError thread=asyncio_2:139969115612864 provider=openai-codex base_url=https://chatgpt.com/backend-api/codex model=gpt-5.5 summary=Connection error.
2026-05-27 05:47:44,014 WARNING [20260527_054604_567e03c2] agent.conversation_loop: Retrying API call in 2.2362703976285867s (attempt 1/3) thread=asyncio_2:139969115612864 provider=openai-codex base_url=https://chatgpt.com/backend-api/codex model=gpt-5.5 error=Connection error.

[HenryQW]

#33042 appears to be addressing this issue.

[pskirde]

Same issue here since this morning.

[aditsrivastava4]

I am facing same issue today

[yangguangjin]

update last verision , this problem has deal

[aditsrivastava4]

update last verision , this problem has deal

I am still facing the same issue, have update to the latest.