
Add codex app-server ChatGPT OAuth provider path #265

Closed
chiggly007 wants to merge 6 commits into NousResearch:main from chiggly007:codex-app-server-chatgpt-oauth

chiggly007 commented Mar 2, 2026

Background

codex app-server is Codex’s stateful JSON-RPC integration surface for rich clients. Instead of calling model endpoints directly, a client talks to app-server, and app-server manages auth/account state, thread/turn lifecycle, streaming item events, approvals, and Codex config layering (~/.codex/config.toml + project .codex/config.toml in trusted repos).

Hermes historically ran through direct OpenAI-compatible client calls. This PR adds an explicit codex-app-server provider path so Hermes can operate as an app-server client.

Why this change

  • adds a first-class ChatGPT OAuth path via app-server auth endpoints
  • aligns Hermes with Codex-native thread/turn/event model
  • preserves existing providers and keeps this rollout opt-in (--provider codex-app-server)

What changed

  • Added runtime provider support for codex-app-server
  • Added stdio JSON-RPC app-server client (hermes_cli/codex_app_server.py)
  • CLI integration:
    • initialize handshake
    • account/read + ChatGPT login flow (if required)
    • thread/start + turn/start lifecycle
    • streamed deltas and final completion handling
  • Added app-server logging:
    • stderr: ~/.hermes/logs/codex-app-server.log
    • optional RPC transcript: ~/.hermes/logs/codex-app-server-rpc.log (enable with HERMES_CODEX_APP_SERVER_RPC_LOG=1)
  • Added session persistence for codex-app-server path in SQLite
  • Added hermes model support for selecting codex-app-server
  • Added hermes setup provider flow for codex-app-server (including model selection and keep-current detection)
  • Gateway integration:
    • supports codex-app-server execution path (instead of attempting HTTP calls to stdio://...)
    • session-scoped app-server client/thread lifecycle
    • cleanup on gateway stop
  • Tool progress integration for codex-app-server:
    • maps app-server item/started + item/completed events into Hermes progress modes (off|new|all|verbose) in CLI and gateway
  • Reasoning effort integration for codex-app-server:
    • maps Hermes agent.reasoning_effort to app-server turn/start.effort
    • mapping: xhigh -> high, minimal -> low, high|medium|low -> unchanged, none -> omit
  • CLI flag ambiguity fix:
    • hermes chat now uses --model only (removed -m alias) to avoid model vs max_turns ambiguity

Compatibility note

Hermes currently sets these fields explicitly on app-server thread/start / turn/start requests:

  • model
  • cwd
  • approvalPolicy=never
  • sandboxPolicy=workspaceWrite+networkEnabled

If those are also configured in ~/.codex/config.toml, Hermes request-level values win for those fields. Other Codex behavior still follows app-server config layering.

For reasoning effort:

  • if agent.reasoning_effort is set in Hermes config, Hermes sends effort on turn/start
  • if unset or none, Hermes omits effort, allowing Codex defaults/config layering to apply

Tests

  • pytest -q tests/test_codex_app_server_cli.py
  • pytest -q tests/test_codex_app_server_cli.py tests/test_cli_provider_resolution.py tests/test_runtime_provider_resolution.py tests/test_auth_codex_provider.py tests/test_codex_models.py tests/test_codex_execution_paths.py
  • pytest -q tests/test_codex_models.py tests/test_runtime_provider_resolution.py
  • pytest -q tests/test_runtime_provider_resolution.py tests/test_codex_app_server_cli.py tests/gateway/test_channel_directory.py
  • pytest -q tests/test_codex_app_server_cli.py tests/test_runtime_provider_resolution.py tests/test_cli_provider_resolution.py tests/gateway/test_channel_directory.py

Latest targeted run in this branch: 30 passed.

- add codex-app-server runtime provider and stdio JSON-RPC client
- integrate Hermes CLI auth/thread/turn flow via app-server
- support ChatGPT OAuth login + existing-session detection
- persist codex-app-server sessions/messages in SQLite
- add stderr logging and optional RPC transcript logging
- update launcher and provider/model selection UX
- show explicit per-turn override notice for model/cwd/approval/sandbox
- add focused tests for auth, turn lifecycle, and failure handling
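
The request-level precedence and effort mapping from the PR description above, as an added example that is not code from this PR or from Hermes. `override_notice`, the flat `codex_config` dict and the sample policy values are assumptions for illustration, and the field values use the PR's shorthand rather than the real wire format.

```python
# Fields the PR says Hermes sets explicitly on thread/start and turn/start.
# The values are the PR's shorthand; the real wire shape is an assumption.
HERMES_FORCED = {
    "approvalPolicy": "never",
    "sandboxPolicy": "workspaceWrite+networkEnabled",
}

# Effort mapping from the PR description; None means "omit the field".
EFFORT_MAP = {"xhigh": "high", "minimal": "low", "high": "high",
              "medium": "medium", "low": "low", "none": None}


def map_effort(hermes_effort):
    """Translate agent.reasoning_effort to turn/start.effort (None = omit)."""
    if hermes_effort is None:
        return None
    key = str(hermes_effort).strip().lower()
    if key not in EFFORT_MAP:
        raise ValueError(f"unsupported reasoning_effort: {hermes_effort!r}")
    return EFFORT_MAP[key]


def build_turn_params(model, cwd, hermes_effort=None):
    """Build request params; these request-level values win over config.toml."""
    params = {"model": model, "cwd": cwd, **HERMES_FORCED}
    effort = map_effort(hermes_effort)
    if effort is not None:  # omitted so Codex defaults/config layering apply
        params["effort"] = effort
    return params


def override_notice(params, codex_config):
    """List configured values that the request replaces (hypothetical helper)."""
    # Assumption: codex_config is the parsed, layered config keyed by the
    # same field names as the request.
    notes = []
    for field in ("model", "cwd", "approvalPolicy", "sandboxPolicy"):
        configured = codex_config.get(field)
        if configured is not None and configured != params[field]:
            notes.append(f"{field}: config={configured!r} "
                         f"overridden by request={params[field]!r}")
    return notes


if __name__ == "__main__":
    # Constructed sample: an operator who configured a stricter policy.
    cfg = {"approvalPolicy": "on-request", "sandboxPolicy": "readOnly"}
    params = build_turn_params("example-model", "/srv/project", "xhigh")
    print(params)
    print("\n".join(override_notice(params, cfg)))
```

Surfacing the notice matters most for `approvalPolicy` and `sandboxPolicy`, where a stricter local Codex configuration would otherwise be replaced without the operator seeing it.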

teknium1 (Contributor) commented Mar 5, 2026

I'm a bit confused as to why we want this when this would require the codex-cli being installed, and our current doesn't rely on it at all?

chiggly007 (Author) commented

@teknium1 this doesn't require the codex-cli at all. This would spin up the codex app server.

teknium1 (Contributor) commented Mar 7, 2026

What is the app server exactly? I guess I'm still confused xD

chiggly007 (Author) commented

The app server is Codex's backend for rich clients, not the Codex terminal UI itself. It speaks JSON-RPC over stdio by default, and it handles things like auth, conversation history, approvals, and streamed agent events. The VS Code extension uses this same surface.

In this PR, Hermes becomes a client of that backend. Hermes launches codex app-server, sends initialize, then uses thread/start and turn/start to run the conversation and read the streamed item/* and turn/* events. So the point is not "make Hermes use the Codex CLI UX". The point is "let Hermes reuse Codex's native client/runtime layer."

One important clarification, though: this path does require the local codex binary to be installed, because Hermes starts codex app-server as a subprocess. But Hermes is still the user-facing interface here; codex app-server is just the local backend/provider layer behind it.

teknium1 (Contributor) commented Mar 9, 2026

Closing this — Hermes already has a working Codex OAuth path (the openai-codex provider) that talks directly to the Codex Responses API. This PR would add a second, parallel path via codex app-server that:

  • Requires users to install the Codex CLI as a dependency
  • Replaces direct API calls with a stdio JSON-RPC subprocess (app-server), adding a process management layer
  • Introduces an entirely different conversation model (thread/turn/event lifecycle) that doesn't align with how Hermes manages sessions
  • Adds 1500+ lines of complexity for functionality we already have

The existing openai-codex provider handles auth, model selection, and streaming without requiring any external CLI tools. We don't see the value in adding a second Codex integration path that burdens users with an extra install and reimplements conversation management in a fundamentally different way.

Appreciate the thorough work though — the PR is well-structured.

teknium1 closed this Mar 9, 2026

rafe-walker added a commit to rafe-walker/kora that referenced this pull request May 22, 2026
Phase 2 Feature 3 backend ST1. Purelymail outbound via aiosmtplib SMTP.

- kora_cli/clients/purelymail_types.py: Attachment dataclass + SendResult Pydantic.
- kora_cli/clients/purelymail_client.py (595 LOC): PurelymailClient + send_email_internal + sanitize/parse helpers.
- tests/kora_cli/clients/test_purelymail_client.py: 40 tests.
- pyproject.toml: aiosmtplib==4.0.1 runtime dep (NOT under extra — same lesson as task NousResearch#265).

Key contracts pinned by tests:
- Fail-CLOSED at __init__ (missing/empty/whitespace username or password).
- Unset KORA_EMAIL_KORA_ALLOWED_FROM_DOMAINS = operator-config error (NOT silent allow-all).
- Per-attachment 10 MiB / total batch 25 MiB caps.
- Retry once on SMTP 421/450/451/452 transient + connection-tier errors; no retry on 5xx permanent / auth error.
- Per-call 30s timeout.
- Message-ID generated locally via email.utils.make_msgid.
- Body NEVER in JSONL log (subject + recipients only).
- Password absent from error/repr/log after every diverse failure mode (auth-fail / 5xx-with-echo / connection / disconnect / 421-transient).

40/40 tests pass, 270/270 cross-bucket regression.

rafe-walker added a commit to rafe-walker/kora that referenced this pull request May 22, 2026
…tigation (#125)

Two-part cleanup.

Part A (tsc drift): HeartbeatPanel.tsx + DashboardPage.tsx now handle all 4 fields KR-FEAT-HEARTBEAT ST2 (#118) added: unknown status arm (muted probe-pending pill + CircleDashed icon), nullable last_check_at (never checked — matching #117 convention), error field rendered as destructive <pre> in expanded view (plain text, no dangerouslySetInnerHTML), cache_warming Probes warming up… banner + dashboard headline-tone suppression. tsc -b clean.

Part B (mcp_clients tests): investigation only, STOPPED per spec rule. Root cause is NOT stale assertions — all 13 failures + 5 errors collapse on ModuleNotFoundError: No module named slowapi from the unconditional import chain web_server → listeners/__init__ → listeners/webhooks → slowapi. Verified by installing --extra web: 19/19 mcp_clients tests pass.

This is task NousResearch#265 (slowapi placement). Recommended 1-line fix: move slowapi to runtime deps. Will dispatch as standalone KR-SLOWAPI-DEP-FIX bucket.

3 files, +267/-14 panel + dashboard + 11 new source-pin tests. 260/260 admin-panel tests pass across 22 suites (with --extra web installed). tsc -b + vite build both clean.

rafe-walker added a commit to rafe-walker/kora that referenced this pull request May 23, 2026
Closes BOTH task NousResearch#265 (slowapi placement) AND task NousResearch#269 (mcp_clients test failures — confirmed downstream of same import-chain issue per CC#2 investigation in PR #125).

- pyproject.toml: slowapi==0.1.9 moves from [web] optional-deps to runtime deps (next to aiosmtplib pin that set the precedent in PR #124).
- uv.lock regenerated.
- Exact-equals pin per the security policy in the dependencies-block header (2026-05-12 Mini Shai-Hulud response).

Base-install verification (uv sync --frozen --extra dev, NO --extra web): mcp_clients 19/19 pass (was 13 fail + 5 err); full admin-panel regression 271/271 across 23 suites.