PR #15018: fix(auth): clear stale OpenAI Codex provider state on logout

• Repository: NousResearch/hermes-agent
• Author: 0xharryriddle
• State: closed | merged: False
• Link: https://github.com/NousResearch/hermes-agent/pull/15018

Description (problem / solution / changelog)

What does this PR do?

This PR fixes a logout edge case where Hermes can remain pinned to the OpenAI Codex provider even after the user has attempted to log out.

Previously, hermes logout relied primarily on auth.json.active_provider or an explicitly provided --provider value to decide which provider should be logged out. That created a stale-state failure mode:

1. OpenAI Codex auth/provider state was already removed or partially cleared from auth.json.
2. config.yaml still contained model.provider: openai-codex.
3. Running hermes logout could report that no provider was currently logged in.
4. Hermes would continue using the OpenAI Codex agent model provider because the config remained pinned to openai-codex.

This PR fixes that by making logout also inspect the configured model provider when auth state has no active provider. If config.yaml is still pinned to a logout-capable OAuth provider such as openai-codex or nous, logout now treats that as valid stale provider state and resets the configured provider back to auto.

The PR also tightens stale auth cleanup by making clear_provider_auth() treat clearing a matching active_provider as a successful cleanup, even when provider credential payloads were already missing.

This approach is intentionally narrow and backward-compatible:

• Preserves existing logout behavior when normal auth state exists.
• Does not broaden logout to arbitrary providers.
• Only adds fallback behavior for providers currently supported by the logout CLI path: nous and openai-codex.
• Adds regression tests for stale Codex states that caused the bug.

Related Issue

Fixes #15013

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 🔒 Security fix
• 📝 Documentation update
• ✅ Tests (adding or improving test coverage)
• ♻️ Refactor (no behavior change)
• 🎯 New skill (bundled or hub)

Changes Made

Updated hermes_cli/auth.py

• Added _get_config_provider() to safely read and normalize model.provider from config.yaml.
• Added _config_provider_matches() to check whether the current config provider matches the logout target.
• Added _logout_default_provider_from_config() to provide a fallback logout target when auth.json has no active provider but config.yaml is still pinned to a known logout-capable provider.
• Updated logout_command() so bare hermes logout can recover from stale config-only state.
• Updated logout_command() so hermes logout --provider openai-codex resets config even if provider credentials were already removed from auth.json.
• Updated clear_provider_auth() so clearing a stale matching active_provider counts as a successful mutation.

Updated tests/hermes_cli/test_auth_commands.py

• Added test_logout_resets_codex_config_when_auth_state_already_cleared
  • Covers hermes logout --provider openai-codex when auth.json has no Codex provider state but config.yaml is still pinned to Codex.
• Added test_logout_defaults_to_configured_codex_when_no_active_provider
  • Covers bare hermes logout when there is no active provider in auth state but config.yaml still selects openai-codex.
• Added test_logout_clears_stale_active_codex_without_provider_credentials
  • Covers stale active_provider: openai-codex when provider credential payloads are already missing.

How to Test

1. Run focused regression tests

   scripts/run_tests.sh \
     tests/hermes_cli/test_auth_commands.py::test_logout_resets_codex_config_when_auth_state_already_cleared \
     tests/hermes_cli/test_auth_commands.py::test_logout_defaults_to_configured_codex_when_no_active_provider \
     tests/hermes_cli/test_auth_commands.py::test_logout_clears_stale_active_codex_without_provider_credentials \
     -v --tb=long

Expected:

```text
3 passed

1. Run full related auth tests

   scripts/run_tests.sh \
     tests/hermes_cli/test_auth_commands.py \
     tests/hermes_cli/test_auth_codex_provider.py

   Expected:

   54 passed

2. Manual reproduction (before fix)

   • Ensure:

     • auth.json has no Codex credentials

     • auth.json.active_provider is empty or missing

     • config.yaml contains:

       model:
         provider: openai-codex
         base_url: https://chatgpt.com/backend-api/codex

   • Run:

     hermes logout

   • Observe:

     No provider is currently logged in.

   • Config remains pinned to Codex

3. Manual verification (after fix)

   • With the same stale state, run:

     hermes logout

     or:

     hermes logout --provider openai-codex

   • Expected output:

     Logged out of OpenAI Codex.

   • Expected config:

     model:
       provider: auto

   • If Codex base URL was set:

     model:
       base_url: https://openrouter.ai/api/v1

Checklist

Code

• I've read the [Contributing Guide](https://github.com/NousResearch/hermes-agent/blob/main/CONTRIBUTING.md)
• My commit messages follow [Conventional Commits](https://www.conventionalcommits.org/)
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature
• I've run pytest tests/ -q and all tests pass
• I've added tests for my changes
• I've tested on my platform

Documentation & Housekeeping

• I've updated relevant documentation — or N/A
• I've updated cli-config.yaml.example — or N/A
• I've updated CONTRIBUTING.md or AGENTS.md — or N/A
• I've considered cross-platform impact — or N/A
• I've updated tool descriptions/schemas — or N/A

Screenshots / Logs

$ scripts/run_tests.sh \
  tests/hermes_cli/test_auth_commands.py::test_logout_resets_codex_config_when_auth_state_already_cleared \
  tests/hermes_cli/test_auth_commands.py::test_logout_defaults_to_configured_codex_when_no_active_provider \
  tests/hermes_cli/test_auth_commands.py::test_logout_clears_stale_active_codex_without_provider_credentials \
  -v --tb=long

3 passed

$ scripts/run_tests.sh \
  tests/hermes_cli/test_auth_commands.py \
  tests/hermes_cli/test_auth_codex_provider.py

54 passed

Changed files

• hermes_cli/auth.py (modified, +47/-4)
• tests/hermes_cli/test_auth_commands.py (modified, +85/-0)

PR #15061: fix(auth): clear stale OpenAI Codex provider state on logout (salvage #15018)

• Repository: NousResearch/hermes-agent
• Author: teknium1
• State: closed | merged: True
• Link: https://github.com/NousResearch/hermes-agent/pull/15061

Description (problem / solution / changelog)

Salvage of #15018 by @0xharryriddle onto current main.

Closes #15013.

What this PR does

hermes logout can now recover from the stale state where auth.json is already empty but config.yaml still has model.provider: openai-codex. Previously logout printed "No provider is currently logged in" and left the agent pinned to Codex.

How

• New _logout_default_provider_from_config() — when auth.json.active_provider is empty, falls back to reading model.provider from config.yaml, scoped to {nous, openai-codex} (the OAuth providers logout supports)
• logout_command() also resets config.yaml to provider: auto when the config still pins the target, even if clear_provider_auth() found nothing to clear in auth.json
• clear_provider_auth() now reports success when it clears a matching active_provider, even with no credential payload (previously returned False and skipped _save_auth_store)

Validation

• tests/hermes_cli/test_auth_commands.py — 43/43 pass (3 new tests added)
• tests/hermes_cli/test_auth_codex_provider.py, test_auth_nous_provider.py, test_codex_cli_model_picker.py — 38/38 pass
• E2E verified all 4 scenarios above with real file I/O

Co-authored-by: @0xharryriddle

Changed files

• hermes_cli/auth.py (modified, +47/-4)
• scripts/release.py (modified, +1/-0)
• tests/hermes_cli/test_auth_commands.py (modified, +85/-0)