fix(codex): recover stale CLI auth sync state #6652

Closed
lkyprogramer wants to merge 1 commit into NousResearch:main from lkyprogramer:fix/codex-cli-sync-recovery

@lkyprogramer

What does this PR do?

Fixes a follow-up gap in Codex credential recovery after #5610.

Hermes already knew how to sync an exhausted openai-codex pool entry from ~/.codex/auth.json, but recovery still broke in two common cases:

  1. Hermes had a stale or partially invalid ~/.hermes/auth.json Codex state, so resolve_codex_runtime_credentials() never pulled in the newer local Codex CLI token pair.
  2. The credential pool was reseeded with newer tokens, but the entry kept its old transient last_status=exhausted runtime state and stayed unavailable.

That left gateway / auxiliary Codex flows reporting no Codex OAuth token found even though the local Codex CLI was healthy.

This PR makes the recovery path end-to-end:

  • proactively sync newer token pairs from ~/.codex/auth.json into the Hermes auth store
  • clear stale exhaustion/error state when authoritative credential material changes during pool seeding
  • let auxiliary Codex token resolution use the same CLI sync path instead of reading only the stale Hermes auth store

Related Issue

Fixes #6651
Follow-up to #5610

Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✨ New feature (non-breaking change that adds functionality)
  • 🔒 Security fix
  • 📝 Documentation update
  • ✅ Tests (adding or improving test coverage)
  • ♻️ Refactor (no behavior change)
  • 🎯 New skill (bundled or hub)

Changes Made

  • hermes_cli/auth.py
    • add a shared helper to sync newer token pairs from ~/.codex/auth.json into the Hermes auth store
    • use that helper inside resolve_codex_runtime_credentials() so stale / invalid Hermes Codex auth can self-repair
  • agent/credential_pool.py
    • clear transient exhaustion/error state when seeded credential material changes (access_token, refresh_token, last_refresh, etc.)
  • agent/auxiliary_client.py
    • reuse the CLI sync path before falling back to the Hermes auth store for Codex auxiliary resolution
  • tests
    • add regression coverage for auth-store repair from Codex CLI tokens
    • add regression coverage for auxiliary fallback using refreshed CLI tokens
    • add regression coverage for clearing stale exhausted pool state after reseeding

How to Test

  1. Reproduce the broken state:
    • keep Hermes on openai-codex
    • let ~/.codex/auth.json rotate to a newer token pair than ~/.hermes/auth.json
    • mark the Codex pool entry exhausted or trigger an auxiliary/gateway Codex call
  2. Verify Hermes recovers automatically instead of reporting no Codex OAuth token found
  3. Run the targeted regression suite:
    • pytest tests/hermes_cli/test_auth_codex_provider.py tests/agent/test_credential_pool.py tests/agent/test_auxiliary_client.py -q

Checklist

Code

  • I've read the Contributing Guide
  • My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
  • I searched for existing PRs to make sure this isn't a duplicate
  • My PR contains only changes related to this fix/feature (no unrelated commits)
  • I've run pytest tests/ -q and all tests pass
  • I've added tests for my changes (required for bug fixes, strongly encouraged for features)
  • I've tested on my platform: macOS 26.4 / Python 3.11.15

Documentation & Housekeeping

  • I've updated relevant documentation (README, docs/, docstrings) — or N/A
  • I've updated cli-config.yaml.example if I added/changed config keys — or N/A
  • I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
  • I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
  • I've updated tool descriptions/schemas if I changed tool behavior — or N/A

Screenshots / Logs

Regression suite used for this patch:

pytest tests/hermes_cli/test_auth_codex_provider.py tests/agent/test_credential_pool.py tests/agent/test_auxiliary_client.py -q
# 139 passed

🤖 Generated with OpenAI Codex
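
The pool-seeding rule described in this PR, as an added example that is not code from the PR or from Hermes: transient failure state is dropped only when the seeded credential material differs from what the pool holds. `PoolEntry`, `reseed`, `is_available` and the `last_error` field are hypothetical names; the token values are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Fields the PR text names as authoritative credential material.
MATERIAL_FIELDS = ("access_token", "refresh_token", "last_refresh")


@dataclass(frozen=True)
class PoolEntry:  # hypothetical stand-in for a credential pool entry
    provider: str
    access_token: str
    refresh_token: str
    last_refresh: str
    last_status: Optional[str] = None  # transient runtime state
    last_error: Optional[str] = None   # transient runtime state (assumed field)


def material_changed(old: PoolEntry, new: PoolEntry) -> bool:
    return any(getattr(old, f) != getattr(new, f) for f in MATERIAL_FIELDS)


def reseed(existing: Optional[PoolEntry], seeded: PoolEntry) -> PoolEntry:
    """Merge a freshly seeded entry over the one already in the pool."""
    if existing is None:
        return seeded
    if material_changed(existing, seeded):
        # New tokens: the old failure says nothing about them, so reset it.
        return replace(seeded, last_status=None, last_error=None)
    # Same tokens: keep the marker so a dead credential is not retried.
    return replace(seeded, last_status=existing.last_status,
                   last_error=existing.last_error)


def is_available(entry: PoolEntry) -> bool:
    return entry.last_status != "exhausted"


# Constructed sample data.
STALE = PoolEntry("openai-codex", "at-old", "rt-old", "2026-04-01T00:00:00Z",
                  last_status="exhausted", last_error="429")
ROTATED = PoolEntry("openai-codex", "at-new", "rt-new", "2026-04-02T00:00:00Z")
UNCHANGED = PoolEntry("openai-codex", "at-old", "rt-old", "2026-04-01T00:00:00Z")
```
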

@teknium1

Contributor

Thanks for the submission @lkyprogramer. Closing as superseded — relied on _sync_codex_entry_from_cli — removed by #12360.

Hermes's Codex auth design was reworked in #12360 ("Hermes owns its own Codex auth; stop touching ~/.codex/auth.json") to stop sharing refresh tokens with the Codex CLI / VS Code extension (they rotate on every use, so shared access caused refresh_token_reused races). Users who want to adopt Codex CLI credentials get a one-time explicit prompt via hermes auth openai-codex instead.

The valid adjacent fixes from this batch (error parsing, fallback chain on auth failure, reauth UX) landed together in #15104.

@teknium1 closed this on Apr 24, 2026

@alt-glitch added labels on Apr 24, 2026: type/bug (Something isn't working), P2 (Medium — degraded but workaround exists), comp/agent (Core agent loop, run_agent.py, prompt builder), comp/cli (CLI entry point, hermes_cli/, setup wizard), area/auth (Authentication, OAuth, credential pools), provider/openai (OpenAI / Codex Responses API)
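
The refresh_token_reused race mentioned in the closing comment, as an added example that is not code from Hermes or the Codex CLI: a toy server with single-use refresh tokens, two tools that copied the same token pair, and the same two tools with separate logins. `RotatingTokenServer`, `Client` and the `invalid_grant` error string are assumptions made for this model.

```python
import secrets


class RotatingTokenServer:
    """Toy authorization server whose refresh tokens are single-use."""

    def __init__(self):
        self.active = set()  # refresh tokens that may still be redeemed
        self.spent = set()   # refresh tokens already rotated away

    def login(self):
        pair = {"access_token": secrets.token_hex(8),
                "refresh_token": secrets.token_hex(8)}
        self.active.add(pair["refresh_token"])
        return pair

    def refresh(self, refresh_token):
        if refresh_token in self.spent:
            raise PermissionError("refresh_token_reused")
        if refresh_token not in self.active:
            raise PermissionError("invalid_grant")
        self.active.remove(refresh_token)
        self.spent.add(refresh_token)
        return self.login()  # rotation: a new pair replaces the old one


class Client:
    """Keeps its own copy of a token pair, like a process that read auth.json once."""

    def __init__(self, name, pair):
        self.name, self.pair = name, dict(pair)

    def refresh(self, server):
        try:
            self.pair = server.refresh(self.pair["refresh_token"])
            return "ok"
        except PermissionError as exc:
            return str(exc)


def shared_token_race():
    server = RotatingTokenServer()
    pair = server.login()  # one login, copied into two tools
    cli, agent = Client("codex-cli", pair), Client("hermes", pair)
    return cli.refresh(server), agent.refresh(server)


def separate_logins():
    server = RotatingTokenServer()
    cli, agent = Client("codex-cli", server.login()), Client("hermes", server.login())
    return cli.refresh(server), agent.refresh(server), cli.refresh(server)
```
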

Development

Successfully merging this pull request may close these issues.

[Bug]: Codex CLI sync does not recover stale Hermes auth state for gateway/auxiliary flows
