fix(model): Fix command 'hermes model' to allow reuse, reauthentication, or new auth when for OpenAI Codex Auth to match the Anthropic flow

[MattMaximo]

Summary

hermes model treated Anthropic and OpenAI Codex differently once a user was already authenticated. Anthropic asked whether to keep existing credentials or start a new login, but Codex skipped straight to model selection with no way to rotate auth from the same flow.

This PR makes the Codex model flow match the Anthropic UX:

• show Use existing credentials / Reauthenticate (new OAuth login) / Cancel when Codex is already logged in
• route reauthentication through a fresh device-code flow instead of looping back into the existing-session/import prompts
• keep the existing import-from-~/.codex/auth.json path for first-time or not-yet-logged-in Codex setup

Why

Hermes keeps its own Codex auth state in ~/.hermes/auth.json to avoid refresh-token conflicts with Codex CLI / VS Code. That separation is the right default, but it also means users need an explicit way to say "keep this Hermes session" vs "start a new Hermes-owned session" from hermes model, not only during the first login.

Behavior before

• hermes model -> Anthropic prompted for existing vs new auth
• hermes model -> OpenAI Codex did not when already logged in

Behavior after

• hermes model -> OpenAI Codex now presents the same keep-or-reauth choice
• choosing reauthenticate always starts a fresh OAuth login
• choosing existing preserves the current Hermes auth session and continues to model selection

Tests

• uv run --with pytest --with pytest-xdist python -m pytest tests/test_codex_models.py tests/test_auth_codex_provider.py -q

Notes

• I also tried uv run --with pytest --with pytest-xdist python -m pytest tests/ -q, but current origin/main is failing broadly across many unrelated tests on this checkout, so I limited validation to the affected Codex/auth surface area.

[teknium1]

This PR's changes are already live on main — closing as implemented.

An automated hermes-sweeper review confirmed the following:

• Commit 271f0e6e (fix(model): let Codex setup reuse or reauthenticate) landed all four files from this PR into main, authored by Matt Maximo — same author as this PR.
• hermes_cli/main.py line 2451: _model_flow_openai_codex() now presents the Use existing credentials / Reauthenticate / Cancel menu when Codex is already logged in.
• hermes_cli/auth.py line 3860: _login_openai_codex() accepts force_new_login=True and routes reauthentication through a fresh device-code flow.
• Both test files (tests/hermes_cli/test_auth_codex_provider.py, tests/hermes_cli/test_codex_models.py) are present on main.

Thanks for the contribution, @MattMaximo!