fix: soften codex oauth expiry hint

CHANGELOG.md

@@ -9,6 +9,7 @@
 - Telegram: retry long-polling conflicts with backoff to avoid fatal exits.
 - Agent system prompt: avoid automatic self-updates unless explicitly requested.
 - Onboarding: tighten QuickStart hint copy for configuring later.
+- Onboarding: avoid “token expired” for Codex CLI when expiry is heuristic.
 
 ## 2026.1.8
 

src/commands/auth-choice-options.ts

@@ -12,7 +12,10 @@ export type AuthChoiceOption = {
   hint?: string;
 };
 
-function formatOAuthHint(expires?: number): string {
+function formatOAuthHint(
+  expires?: number,
+  opts?: { allowStale?: boolean },
+): string {
   const rich = isRich();
   if (!expires) {
     return colorize(rich, theme.muted, "token unavailable");
@@ -20,6 +23,9 @@ function formatOAuthHint(expires?: number): string {
   const now = Date.now();
   const remaining = expires - now;
   if (remaining <= 0) {
+    if (opts?.allowStale) {
+      return colorize(rich, theme.warn, "token present · refresh on use");
+    }
     return colorize(rich, theme.error, "token expired");
   }
   const minutes = Math.round(remaining / (60 * 1000));
@@ -47,7 +53,7 @@ export function buildAuthChoiceOptions(params: {
     options.push({
       value: "codex-cli",
       label: "OpenAI Codex OAuth (Codex CLI)",
-      hint: formatOAuthHint(codexCli.expires),
+      hint: formatOAuthHint(codexCli.expires, { allowStale: true }),
     });
   }