Problem
When Codex CLI reports refresh_token_reused, the current recovery guidance can send users straight to codex login even if Hermes' openai-codex provider still has fresh working tokens. That creates a split-brain auth situation: Hermes works, standalone codex exec fails.
Expected behavior
The Codex skill should distinguish a Hermes provider outage from a stale standalone Codex CLI credential store, and suggest repairing the standalone auth file only after a Hermes smoke test proves the provider route still works.
Current downstream workaround
A local downstream skill patch adds guidance to verify Hermes openai-codex, repair the standalone CLI credential store from Hermes tokens via a helper script, chmod the auth file, then re-test codex exec.
Notes
This is documentation/runbook guidance only; it does not change Codex or Hermes auth behavior.
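The triage order described above, as an added example (not part of the issue or of the downstream skill patch). It assumes the caller has already run the Hermes smoke test and `codex exec` and passes in their exit statuses and the captured `codex exec` output; the function names, the result labels and the 600 mode are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: decide whether a codex exec failure is a Hermes provider
# outage or a stale standalone Codex CLI credential store.
# Function names and result labels are hypothetical, not from Codex or Hermes.

# classify_codex_auth HERMES_STATUS CODEX_STATUS CODEX_LOG
#   HERMES_STATUS: exit status of the Hermes openai-codex smoke test
#   CODEX_STATUS:  exit status of the standalone `codex exec` test
#   CODEX_LOG:     file holding the captured `codex exec` output
classify_codex_auth() {
    hermes_status=$1
    codex_status=$2
    codex_log=$3

    # The provider route is checked first: if Hermes itself fails, repairing
    # the standalone store from Hermes tokens would copy unusable tokens.
    if [ "$hermes_status" -ne 0 ]; then
        echo provider-outage
        return 0
    fi
    if [ "$codex_status" -eq 0 ]; then
        echo healthy
        return 0
    fi
    # Hermes works and standalone Codex fails: the split-brain case, but only
    # when the failure is the refresh_token_reused error.
    if grep -q 'refresh_token_reused' "$codex_log"; then
        echo stale-standalone-store
    else
        echo other-codex-failure
    fi
}

# auth_file_private PATH
# Succeeds only if PATH is a regular file (not a symlink) with mode 600.
# The 600 mode is an assumption; the issue only says "chmod the auth file".
auth_file_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ]
}
```

Only the `stale-standalone-store` result justifies repairing the standalone auth file; run `auth_file_private` on that file after the repair and before re-testing `codex exec`.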