From 2a2e5c0fed1e341c3250825ad7b5bee4190d1a71 Mon Sep 17 00:00:00 2001
From: Teknium
Date: Thu, 9 Apr 2026 03:06:15 -0700
Subject: [PATCH] fix: force relogin on 401/403 Codex token refresh failures

When the OAuth token endpoint returns 401/403 but the JSON body doesn't contain a known error code (invalid_grant, etc.), relogin_required stayed False. Users saw a bare error message without guidance to re-authenticate. Now any 401/403 from the token endpoint forces relogin_required=True, since these status codes always indicate invalid credentials on a refresh endpoint. 500+ errors remain as transient (no relogin).
---
 hermes_cli/auth.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hermes_cli/auth.py b/hermes_cli/auth.py
index 831f81bf26..c468948e98 100644
--- a/hermes_cli/auth.py
+++ b/hermes_cli/auth.py
@@ -1544,6 +1544,11 @@ def refresh_codex_oauth_pure(
 "then run `hermes auth` to re-authenticate."
 )
 relogin_required = True
+ # A 401/403 from the token endpoint always means the refresh token
+ # is invalid/expired — force relogin even if the body error code
+ # wasn't one of the known strings above.
+ if response.status_code in (401, 403) and not relogin_required:
+ relogin_required = True
 raise AuthError(
 message,
 provider="openai-codex",
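Review bot: The added `if response.status_code in (401, 403)` check treats every 403 as proof that the refresh token is invalid, but a 403 can also come from something in front of the token endpoint (a proxy, a WAF, a regional or rate block) while the stored token is still good, so the comment's "always means" overstates the case. If callers react to `relogin_required` by discarding stored credentials, which this hunk does not show, a transient block would cost the user a valid session. Consider forcing relogin unconditionally only for 401, e.g. `if response.status_code == 401:`, and for 403 only when the body parsed as the provider's JSON error. The new branch also leaves `message` untouched, so the "run `hermes auth`" guidance from the known-code branch is still missing unless the `AuthError` consumer adds it when `relogin_required` is set. The `and not relogin_required` guard is redundant, since the assignment is idempotent; `refresh_codex_oauth_pure` starts and ends outside the hunk.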