Bug Description
hermes auth add openai-codex goes straight to the device code flow (_codex_device_code_login()) without first checking for existing Codex CLI credentials at ~/.codex/auth.json. This blocks users whose org/workspace has device code auth disabled by their admin — they have valid tokens from codex login (browser-based OAuth) but no way to get them into Hermes.
The old hermes login --provider openai-codex command (now removed) had this import step in _login_openai_codex() at auth.py:2823-2840, but it was never carried over to the new auth_add_command() in auth_commands.py:231-251.
Steps to Reproduce
- Be in an OpenAI workspace/org that has device code auth disabled (common in Team/Enterprise workspaces)
- Authenticate via the Codex CLI directly: codex login (this uses browser OAuth on localhost:1455, works fine)
- Verify ~/.codex/auth.json has valid access_token and refresh_token
- Run hermes auth add openai-codex
- Observe: Hermes immediately starts the device code flow, printing a URL and user code
- The device code flow fails or the user cannot complete it because their workspace doesn't support it
Expected Behavior
hermes auth add openai-codex should check ~/.codex/auth.json for existing valid tokens first and offer to import them, only falling back to device code if no CLI tokens are found or the user declines the import. This is exactly what the old hermes login --provider openai-codex did.
Actual Behavior
hermes auth add openai-codex jumps straight to _codex_device_code_login() at auth_commands.py:232 with no import step. Users whose org blocks device code auth are completely locked out even though they have valid credentials sitting in ~/.codex/auth.json.
Root Cause
In hermes_cli/auth_commands.py, the openai-codex branch (line 231) calls auth_mod._codex_device_code_login() directly. The _import_codex_cli_tokens() function and the interactive import prompt from the old _login_openai_codex() in auth.py:2795-2858 were not ported to the new auth commands system.
Affected Component
- Configuration (hermes auth, credential pool)
Operating System
macOS (reproducible on any platform)
Hermes Version
v0.8.0 (current main)
Workaround
Manually import tokens by reading ~/.codex/auth.json and writing the credential pool entry into ~/.hermes/auth.json, or use the runtime migration path which only triggers when Hermes has no stored Codex auth at all.
Fix
PR: https://github.com/ASRagab/hermes-agent/tree/fix/auth-add-codex-import-from-cli
The fix adds the _import_codex_cli_tokens() check before the device code fallback in auth_add_command(), matching the behavior of the old _login_openai_codex(). Includes 3 new tests and a test isolation fix for CODEX_HOME.
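An added sketch of the import-first order described under Expected Behavior; it is not code from Hermes or from the linked PR. The function names are hypothetical, the auth.json layout (tokens at top level or under a "tokens" object) is an assumption, and only token presence is checked, not expiry.

```python
import json
import os
from pathlib import Path


def codex_auth_path(env=None):
    """Locate auth.json, honouring CODEX_HOME and defaulting to ~/.codex."""
    env = os.environ if env is None else env
    home = env.get("CODEX_HOME") or str(Path.home() / ".codex")
    return Path(home) / "auth.json"


def load_cli_tokens(path):
    """Return the two tokens plus a permissions flag, or None if unusable."""
    try:
        st = path.stat()
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):  # missing, unreadable, or not valid JSON
        return None
    if not isinstance(data, dict):
        return None
    # Assumed layout: tokens at top level or nested under "tokens".
    src = data["tokens"] if isinstance(data.get("tokens"), dict) else data
    tokens = {k: src.get(k) for k in ("access_token", "refresh_token")}
    if not all(isinstance(v, str) and v.strip() for v in tokens.values()):
        return None
    # Flag a credential file that group/others can read instead of trusting it silently.
    tokens["loose_permissions"] = os.name == "posix" and bool(st.st_mode & 0o077)
    return tokens


def choose_flow(path, confirm):
    """Import CLI tokens if present and accepted; otherwise use device code."""
    tokens = load_cli_tokens(path)
    # The prompt callback gets the path only, never the token values.
    if tokens is not None and confirm(path):
        return "import", tokens
    return "device_code", None
```

The caller would write the returned tokens into the credential pool on "import" and start the device code flow on "device_code", warning first when loose_permissions is set.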