Fix Codex CLI sync clobbering manual pool entries #12924

Closed
Alex-giao wants to merge 1 commit into NousResearch:main from Alex-giao:fix/codex-cli-pool-sync

@Alex-giao

Summary

This fixes an openai-codex credential-pool bug where ~/.codex/auth.json could overwrite manual pool entries, causing 429-rotated entries to appear to rotate but then immediately select the same logical slot again.

Root cause

_sync_codex_entry_from_cli() treated any exhausted Codex OAuth entry as eligible for CLI token sync. In mixed pools, that allowed shared CLI/device-code tokens to clobber manual dashboard entries, drift labels away from the underlying token identity, and leave duplicated polluted entries in the pool.

Changes

  • restrict Codex CLI sync to canonical device-code style sources only
  • update labels when CLI-managed tokens are refreshed from ~/.codex/auth.json
  • sync repaired device-code entries back into providers.openai-codex.tokens
  • repair polluted Codex pool state on load by converging the canonical device-code entry and removing duplicate entries that carry the same CLI token pair
  • add regression tests for manual-entry protection, device-code sync behavior, and polluted-pool repair

Test plan

  • venv/bin/python -m pytest tests/agent/test_credential_pool.py -q
  • venv/bin/python -m pytest tests/agent/test_credential_pool_routing.py -q
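
An added illustration of the source guard and polluted-pool repair outlined in the description above; it is not code from this PR or from Hermes. The entry fields, the source values, the CLI token dict and the pool contents are all assumptions or constructed sample data.

```python
from dataclasses import dataclass, replace

# Hypothetical model: field names and source values are assumptions,
# not Hermes's real schema. CLI_TOKENS is constructed sample data.
CLI_SYNCABLE_SOURCES = {"device_code"}
CLI_TOKENS = {"label": "codex-cli", "access_token": "at-new", "refresh_token": "rt-new"}

@dataclass(frozen=True)
class PoolEntry:
    label: str
    source: str  # "device_code" (CLI-managed) or "manual" (dashboard-added)
    access_token: str
    refresh_token: str
    exhausted: bool = False

def token_pair(e):
    return (e.access_token, e.refresh_token)

def sync_entry_from_cli(entry, cli=CLI_TOKENS):
    """Refresh an exhausted entry from CLI tokens only if the CLI owns it."""
    cli_pair = (cli["access_token"], cli["refresh_token"])
    if not entry.exhausted or entry.source not in CLI_SYNCABLE_SOURCES:
        return entry  # a manual entry stays exhausted, so rotation moves on
    if token_pair(entry) == cli_pair:
        return entry  # CLI holds the same exhausted tokens: nothing to sync
    return replace(entry, label=cli["label"], access_token=cli_pair[0],
                   refresh_token=cli_pair[1], exhausted=False)

def repair_pool(entries, cli=CLI_TOKENS):
    """Converge one device-code entry on the CLI pair; drop other carriers."""
    cli_pair = (cli["access_token"], cli["refresh_token"])
    canonical = next((e for e in entries if e.source in CLI_SYNCABLE_SOURCES), None)
    if canonical is None:
        return list(entries)  # no CLI-managed slot to converge on
    repaired = []
    for e in entries:
        if e is canonical:  # label follows the token identity it now carries
            repaired.append(replace(e, label=cli["label"], access_token=cli_pair[0],
                                    refresh_token=cli_pair[1],
                                    exhausted=e.exhausted and token_pair(e) == cli_pair))
        elif token_pair(e) != cli_pair:
            repaired.append(e)  # distinct identity: keep untouched
        # else: polluted duplicate carrying the CLI pair under another label
    return repaired

# Constructed pool: a CLI slot, a clean manual entry, and a polluted manual entry.
POOL = [
    PoolEntry("codex-cli-old", "device_code", "at-old", "rt-old", exhausted=True),
    PoolEntry("dash-1", "manual", "at-m1", "rt-m1", exhausted=True),
    PoolEntry("dash-2", "manual", "at-new", "rt-new"),
]
```
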

@Alex-giao

Author

Repro context from production use: an pool contained both shared CLI/device-code credentials and manual dashboard-added credentials. After a 429, the exhausted manual entry could be synced from , immediately become selectable again, and appear to rotate back to the same label. In the affected state, labels could also drift away from the actual token identity, and duplicate polluted entries could remain in the pool.

@Alex-giao

Author

Repro context from production use: an openai-codex pool contained both shared CLI/device-code credentials and manual dashboard-added credentials. After a 429, the exhausted manual entry could be synced from ~/.codex/auth.json, immediately become selectable again, and appear to rotate back to the same label. In the affected state, labels could also drift away from the actual token identity, and duplicate polluted entries could remain in the pool.

@alt-glitch added the type/bug, P1, comp/agent, area/auth, and provider/openai labels on Apr 22, 2026

@alt-glitch

Collaborator

Related to #11727 (credential rotation sync guard), #11364 (same root cause description). May supersede both.

@alt-glitch

Collaborator

Related to #11727, #11364.

@teknium1

Contributor

Thanks for the submission @Alex-giao. Closing as superseded — fixed _sync_codex_entry_from_cli() which was removed by #12360 — Hermes no longer touches ~/.codex/auth.json at runtime.

Hermes's Codex auth design was reworked in #12360 ("Hermes owns its own Codex auth; stop touching ~/.codex/auth.json") to stop sharing refresh tokens with the Codex CLI / VS Code extension (they rotate on every use, so shared access caused refresh_token_reused races). Users who want to adopt Codex CLI credentials get a one-time explicit prompt via hermes auth openai-codex instead.

The valid adjacent fixes from this batch (error parsing, fallback chain on auth failure, reauth UX) landed together in #15104.
