fix(auth): parse OpenAI nested error shape in Codex token refresh

[j3ffffff]

Summary

• Codex token refresh at hermes_cli/auth.py:refresh_codex_oauth_pure fails to surface the correct error code/message when OpenAI returns a 401 refresh_token_reused — the existing dedicated branch (with actionable re-auth guidance and relogin_required=True) never fires.
• Root cause: OpenAI returns errors as a nested object, not the OAuth spec's flat shape. The parser only understood the flat shape.
• Fix: handle both shapes; downstream code-based branches (refresh_token_reused, invalid_grant, invalid_token, invalid_request) now fire correctly.

Before

User's access token expires, hermes attempts refresh, another Codex client (Codex CLI, VS Code extension) had already consumed the single-use refresh token. User sees:

Provider authentication failed: Codex token refresh failed with status 401.

No indication that re-authentication is required. Every subsequent message fails the same way.

After

Same scenario now surfaces the existing (but previously unreachable) message:

Codex refresh token was already consumed by another client (e.g. Codex CLI or VS Code extension). Run codex in your terminal to generate fresh tokens, then run hermes auth to re-authenticate.

…with relogin_required=True so callers can prompt re-auth instead of silently retrying.

The two error shapes

OpenAI (https://auth.openai.com/oauth/token):

{\"error\": {\"code\": \"refresh_token_reused\", \"message\": \"...\", \"type\": \"invalid_request_error\"}}

OAuth 2.0 spec (what the old parser expected):

{\"error\": \"invalid_grant\", \"error_description\": \"...\"}

Both are now handled. The nested code/type is mapped onto the same code variable so the existing branches at lines ~1253-1262 work without change.

Test plan

• New unit tests in tests/hermes_cli/test_auth_codex_provider.py:
  • nested refresh_token_reused → code, relogin_required=True, actionable message
  • nested generic code (invalid_client) → code + message surfaced
  • flat OAuth-spec invalid_grant → back-compat, still triggers relogin_required=True
  • unparseable body → generic "status 401" fallback, relogin_required=False
• All 19 tests in the file pass locally.

🤖 Generated with Claude Code

[alt-glitch]

Likely superseded by #15104 (merged) which consolidated this fix along with #5948 and #4522. The nested error shape parsing from this PR was included in that salvage PR.

[teknium1]

Thanks for this fix, @j3ffffff! The nested OpenAI error shape parser from this PR has landed on main — this is an automated hermes-sweeper review confirming it's implemented.

The fix was included in the consolidated salvage PR #15104 (fix(codex): consolidated OAuth error parsing + failed-status fallback routing + reauth UX), merged 2026-04-24, which credited your work explicitly.

Evidence:

• hermes_cli/auth.py lines 2204–2209 — nested {"error": {"code": ...}} shape handling present on main
• tests/hermes_cli/test_auth_codex_provider.py lines 231, 258 — your tests (test_refresh_parses_openai_nested_error_shape_*) are in the repo
• Commit f76df30e0 on main — authored by you, cherry-picked via fix(codex): consolidated OAuth error parsing + failed-status fallback routing + reauth UX #15104

Closing as superseded by the merged consolidation. Your contribution is preserved in the commit history.