fix: auth add openai-codex should import from ~/.codex/auth.json before device code #9284

Closed
ASRagab wants to merge 1 commit into NousResearch:main from ASRagab:fix/auth-add-codex-import-from-cli
@ASRagab ASRagab commented Apr 14, 2026

Contributor

Fixes #9283

Problem

hermes auth add openai-codex goes straight to the device code flow without checking for existing Codex CLI credentials at ~/.codex/auth.json. This blocks users whose org/workspace has device code auth disabled — they have valid tokens from codex login (browser OAuth) but no way to get them into Hermes.

The old hermes login --provider openai-codex had this import step in _login_openai_codex(), but it was never carried over to the new auth_add_command() in auth_commands.py.

Fix

  • Check _import_codex_cli_tokens() before falling through to device code in auth_add_command()
  • Prompt user to confirm import (default: yes)
  • Fall through to device code if no CLI tokens found or user declines
  • Add 3 tests covering: import path, no-tokens fallback, user-declines fallback
  • Fix existing test_auth_add_codex_oauth_persists_pool_entry to isolate CODEX_HOME (pre-existing test leak on machines with real ~/.codex/auth.json)

Test Results

All 4 codex-related auth_commands tests pass:

tests/hermes_cli/test_auth_commands.py::test_auth_add_codex_oauth_persists_pool_entry PASSED
tests/hermes_cli/test_auth_commands.py::test_auth_add_codex_imports_from_cli_tokens PASSED
tests/hermes_cli/test_auth_commands.py::test_auth_add_codex_falls_through_to_device_code_when_no_cli_tokens PASSED
tests/hermes_cli/test_auth_commands.py::test_auth_add_codex_user_declines_import_falls_to_device_code PASSED

Note: 2 pre-existing auth_remove tests (test_auth_remove_accepts_label_target, test_auth_remove_prefers_exact_numeric_label_over_index) fail on machines with a real ~/.codex/auth.json due to missing CODEX_HOME isolation — this is a separate upstream issue not introduced by this change.

…re device code

When running `hermes auth add openai-codex`, the command went straight to the
device code flow without checking for existing Codex CLI credentials at
~/.codex/auth.json. This blocks users whose org/workspace has device code auth
disabled — they have valid tokens from `codex login` (browser OAuth) but no
way to get them into Hermes.

The old `hermes login --provider openai-codex` (now removed) had this import
step via `_login_openai_codex()`, but it was never carried over to the new
`auth_add_command()` in auth_commands.py.

Changes:
- Check `_import_codex_cli_tokens()` before falling through to device code
- Prompt user to confirm import (default: yes)
- Fall through to device code if no CLI tokens found or user declines
- Add 3 tests covering: import path, no-tokens fallback, user-declines fallback
- Fix existing test_auth_add_codex_oauth_persists_pool_entry to isolate CODEX_HOME
@teknium1

Contributor

Thanks for the submission @ASRagab. Closing as superseded — explicit import is now offered interactively via hermes auth openai-codex (with 'a separate login is recommended' messaging). See hermes_cli/auth.py:_login_openai_codex. #12360 changed this to opt-in rather than automatic to avoid refresh_token_reused races between Hermes and Codex CLI.

Hermes's Codex auth design was reworked in #12360 ("Hermes owns its own Codex auth; stop touching ~/.codex/auth.json") to stop sharing refresh tokens with the Codex CLI / VS Code extension (they rotate on every use, so shared access caused refresh_token_reused races). Users who want to adopt Codex CLI credentials get a one-time explicit prompt via hermes auth openai-codex instead.

The valid adjacent fixes from this batch (error parsing, fallback chain on auth failure, reauth UX) landed together in #15104.

@teknium1 teknium1 closed this Apr 24, 2026
@alt-glitch alt-glitch added labels Apr 24, 2026: type/bug (Something isn't working), P2 (Medium — degraded but workaround exists), comp/cli (CLI entry point, hermes_cli/, setup wizard), area/auth (Authentication, OAuth, credential pools), provider/openai (OpenAI / Codex Responses API)
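
The refresh_token_reused race named in the closing comment, modelled as an added example (not code from Hermes, the Codex CLI, or this PR): a toy in-memory server that rotates refresh tokens on every use, with two clients that either share an imported copy or log in separately. All class and function names, and the server's exact rejection behaviour, are assumptions made for illustration.

```python
import secrets

class ReusedRefreshToken(Exception):
    """Models the server's refresh_token_reused error (constructed)."""

class RotatingTokenServer:
    """Toy authorization server: every refresh invalidates the token presented."""
    def __init__(self):
        self._live = set()    # refresh tokens that may still be redeemed
        self._spent = set()   # refresh tokens already rotated away

    def login(self):
        token = secrets.token_hex(8)
        self._live.add(token)
        return token

    def refresh(self, refresh_token):
        if refresh_token in self._spent:
            raise ReusedRefreshToken("refresh_token_reused")
        if refresh_token not in self._live:
            raise ValueError("invalid_grant")
        self._live.remove(refresh_token)
        self._spent.add(refresh_token)
        return self.login()   # the rotated replacement

class Client:
    """A CLI holding its own copy of a refresh token (hypothetical model)."""
    def __init__(self, name, refresh_token):
        self.name, self.refresh_token = name, refresh_token

    def refresh(self, server):
        self.refresh_token = server.refresh(self.refresh_token)

def run(shared):
    """Return the error the second client sees, or None if both refresh cleanly."""
    server = RotatingTokenServer()
    first = server.login()
    # shared=True: second client imported a copy; shared=False: it logged in itself
    second = first if shared else server.login()
    codex_cli, hermes = Client("codex-cli", first), Client("hermes", second)
    codex_cli.refresh(server)   # rotates the token; any shared copy is now stale
    try:
        hermes.refresh(server)
    except ReusedRefreshToken as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    print("shared copy:   ", run(shared=True))
    print("separate login:", run(shared=False))
```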

Development

Successfully merging this pull request may close these issues.

[Bug]: hermes auth add openai-codex skips ~/.codex/auth.json import, forces device code flow
