[Bug] xAI Grok OAuth token expires within ~24h; auxiliary title generation fails with HTTP 403

[jfdnet]

Bug Description

After authenticating with xAI Grok via hermes auth login xai, the OAuth access token becomes invalid within less than 24 hours. This causes auxiliary title generation (and potentially other xAI-dependent background tasks) to fail with:

HTTP 403: OAuth2 access token could not be validated

The user must manually re-authenticate (hermes auth login xai) to restore functionality.

Expected Behavior

The token should be automatically refreshed before expiry, as documented in the xAI Grok OAuth guide:

"After the first login, credentials are stored under ~/.hermes/auth.json and refreshed automatically before they expire."

Actual Behavior

• Token expires in < 24 hours.
• No automatic refresh occurs.
• Background services (e.g., title generation) break silently until the user notices and manually re-logs in.

Environment

• Hermes Agent: latest stable
• OS: macOS
• Auth provider: xAI Grok OAuth

Possible Cause

The automatic refresh logic may not be triggering for xAI tokens, or the refresh token itself has a very short validity window that Hermes does not account for.

Workaround

Manually run hermes auth login xai every day.

Suggested Fix

1. Investigate why xAI token refresh is not happening automatically.
2. If xAI's refresh window is unusually short, consider more aggressive pre-emptive refresh scheduling.
3. Surface token expiry warnings to the user before background tasks start failing.

[jfdnet]

补充诊断信息：

从 `~/.hermes/auth.json` 中可以看到 xAI OAuth token 的结构问题：

Token 元数据（providers.xai-oauth）：

• `expires_in`: 21600 (即 6 小时)
• `last_refresh`: `2026-05-18T23:27:42.613189Z`
• 按此计算，token 应在 `2026-05-19T05:27:42Z` 过期

Credential pool 中的两条 xai-oauth 记录：

1. `b8d211` — `last_refresh: 2026-05-18T23:13:59.402693Z`（更早，可能已过期）
2. `44c8a3` — `last_refresh: 2026-05-18T23:27:42.613189Z`（最新，6小时后过期）

关键发现：

• xAI access token 的 `expires_in` 只有 6 小时，不是 24 小时。
• 但用户报告说"一天不到就过期"，这说明 自动刷新机制没有在 6 小时到期前执行。
• `auth.json` 中 xAI 的 provider 记录里 没有 `expires_at` 字段（不像 nous provider 有明确的 `expires_at`）。
• Credential pool 里虽然有 `last_refresh`，但代码可能依赖 provider 级别的 `expires_at` 来判断是否需要刷新，而 xAI provider 缺少这个字段。

推测根因：
Hermes 的 token 刷新逻辑可能只在 provider 级别检查 `expires_at`，而 xAI OAuth 的 token 元数据只写了 `expires_in`（相对时间）和 `last_refresh`，没有计算并存储绝对的 `expires_at`。导致刷新调度器无法判断 token 何时过期，也就不会触发自动刷新。

[alt-glitch]

Related to #26847 (xAI 403 for standard SuperGrok subscribers) and the merged quarantine fix #28116. Those PRs handle dead-token cleanup after failure; this issue reports tokens expiring within ~24h with no automatic refresh — may be a distinct root cause.