Recover Codex auth from fresh CLI sessions

[nkongecraig-max]

Summary

• recover Hermes Codex auth from a newer ~/.codex/auth.json session when the Hermes refresh token has gone stale
• keep hermes status / doctor side-effect free by reading persisted Codex pool entries without triggering refresh
• omit max_output_tokens for ChatGPT-backed Codex Responses requests, which currently reject that parameter
• add regression coverage for the CLI-token recovery path and ChatGPT Codex request shaping

Testing

• /Users/motwe/hermes-agent/venv/bin/python -m pytest tests/hermes_cli/test_auth_codex_provider.py tests/run_agent/test_run_agent_codex_responses.py -q
  • 48 passed
• /Users/motwe/hermes-agent/venv/bin/python -m pytest tests/ -q
  • 19 failed, 9720 passed, 36 skipped, 1 xpassed
  • failing clusters observed in tests/tools/test_delegate.py, managed tool/media gateway tests, and tests/gateway/test_slack_approval_buttons.py

Notes

• this PR only contains repo source/test changes; no local config, auth stores, or secret-bearing files are included

[alt-glitch]

Related to #3279 and #6652 — same stale Codex auth recovery code path in .

[teknium1]

Thanks for the submission @nkongecraig-max. Closing as superseded — relied on _sync_codex_entry_from_cli and auto-import at pool load (both removed by #12360), and also bundled unrelated optional-skills (livekit-presence, screenpipe) that weren't in scope.

Hermes's Codex auth design was reworked in #12360 ("Hermes owns its own Codex auth; stop touching ~/.codex/auth.json") to stop sharing refresh tokens with the Codex CLI / VS Code extension (they rotate on every use, so shared access caused refresh_token_reused races). Users who want to adopt Codex CLI credentials get a one-time explicit prompt via hermes auth openai-codex instead.

The valid adjacent fixes from this batch (error parsing, fallback chain on auth failure, reauth UX) landed together in #15104.