
fix: openai-codex credential rotation — sync guard + 429 token refresh #11727

Closed
Nicolas-Formenton wants to merge 1 commit into NousResearch:main from Nicolas-Formenton:fix/codex-credential-rotation

@Nicolas-Formenton

Two fixes for openai-codex multi-account credential rotation:

1. credential_pool.py: _sync_codex_entry_from_cli now only syncs the singleton entry (source="device_code"). Previously it synced ALL exhausted entries, overwriting manual entries' unique tokens with the singleton token from ~/.codex/auth.json. This caused the pool to become N copies of the same account, defeating rotation.

2. run_agent.py: On HTTP 429 for openai-codex, attempt _try_refresh_codex_client_credentials before aborting. This detects token changes made externally (e.g. via hermes-switch) and rebuilds the OpenAI client mid-session, enabling manual credential rotation without restarting the agent.

Fixes #11364
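The pool collapse described in fix 1, as an added example that is not code from this PR or from the project. `Entry`, `sync_unguarded`, `sync_guarded` and `distinct_accounts` are hypothetical names, the tokens are constructed placeholders, and resetting the `exhausted` flag on sync is an assumption.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Entry:                      # hypothetical pool entry, not the project's class
    label: str
    source: str                   # "device_code" (singleton) or "manual"
    token: str
    exhausted: bool = False

def sync_unguarded(pool, cli_token):
    """Pre-fix behaviour as the PR describes it: every exhausted entry is overwritten."""
    return [replace(e, token=cli_token, exhausted=False) if e.exhausted else e
            for e in pool]

def sync_guarded(pool, cli_token):
    """Guarded behaviour: only the singleton device_code entry takes the CLI token."""
    return [replace(e, token=cli_token, exhausted=False)
            if e.exhausted and e.source == "device_code" else e
            for e in pool]

def distinct_accounts(pool):
    """Rotation only helps while this stays equal to len(pool)."""
    return len({e.token for e in pool})

def constructed_pool():
    # Constructed sample: three accounts, all rate-limited at the same time.
    return [
        Entry("cli", "device_code", "tok-A-old", exhausted=True),
        Entry("work", "manual", "tok-B", exhausted=True),
        Entry("personal", "manual", "tok-C", exhausted=True),
    ]

if __name__ == "__main__":
    cli_token = "tok-A-new"       # constructed stand-in for the token in ~/.codex/auth.json
    for name, sync in (("unguarded", sync_unguarded), ("guarded", sync_guarded)):
        after = sync(constructed_pool(), cli_token)
        print(name, distinct_accounts(after),
              [(e.label, e.token, e.exhausted) for e in after])
```

A distinct-token count lower than the pool size is a cheap invariant to assert after any sync step, since it catches this class of overwrite regardless of which code path caused it.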

@Nicolas-Formenton Nicolas-Formenton force-pushed the fix/codex-credential-rotation branch from 90a7a4a to 3aecdcf Compare April 17, 2026 18:12
@alt-glitch alt-glitch added type/bug Something isn't working P2 Medium — degraded but workaround exists comp/agent Core agent loop, run_agent.py, prompt builder area/auth Authentication, OAuth, credential pools provider/copilot GitHub Copilot (ACP + Chat) labels Apr 24, 2026
@teknium1
Contributor

Thanks for the detailed report and fix, @Nicolas-Formenton! This automated hermes-sweeper review found that both changes in this PR are superseded by work already merged to main.

Fix 1 (credential_pool.py — sync guard): The _sync_codex_entry_from_cli method this PR patches was deleted entirely in PR #12360 (merged 2026-04-18, one day after this PR was opened). That PR took the nuclear approach (Option C from your own issue analysis) and removed the auto-sync path completely — Hermes Codex auth now lives exclusively in ~/.hermes/auth.json with no runtime reads from ~/.codex/auth.json. The function no longer exists in agent/credential_pool.py. Issue #11364 was closed with that fix.

Fix 2 (run_agent.py — 429 token refresh): The proposed 429-path credential refresh calls _try_refresh_codex_client_credentials, which re-reads from ~/.codex/auth.json — the external file access that #12360 intentionally removed. The mechanism this hunk relies on is gone from the design.

Evidence:

This is an automated hermes-sweeper review.

@teknium1 teknium1 closed this Apr 27, 2026

Development

Successfully merging this pull request may close these issues.

openai-codex credential pool: _sync_codex_entry_from_cli overwrites all entries with the same token