fix(minimax-oauth): correct authorize URL domain and handle ms timestamps

[NikolaFC]

Fixes #19337

What

Fixes two bugs in the MiniMax OAuth login flow that prevent hermes model → MiniMax (OAuth) from completing.

Bug 1: Authorize URL redirects to homepage

The /oauth/code endpoint returns verification_uri pointing to www.minimax.io/oauth-authorize, but that route returns a 307 redirect to / (the homepage). The correct domain is platform.minimax.io, which serves the actual authorize page with the user code input.

Reproduction:

curl -sI "https://www.minimax.io/oauth-authorize?user_code=TEST&client=OpenClaw"
# → 307 → /
curl -sI "https://platform.minimax.io/oauth-authorize?user_code=TEST&client=OpenClaw"
# → 200 (page loads)

Fix: Replace www.minimax.io → platform.minimax.io in the verification URL before presenting it to the user.

Bug 2: expired_in parsed as seconds but is unix-ms timestamp

The token endpoint returns expired_in as a unix-ms timestamp (e.g. 1778010274711), not a duration in seconds. The code added this directly to datetime.timestamp() (seconds), causing:

Login failed: year 58374 is out of range

Fix: Detect ms timestamps (value > now_ms // 2) and convert to seconds-from-now. Applied in both _minimax_oauth_login and _refresh_minimax_oauth_state.

Testing

• OAuth login completes successfully
• Token stored with correct expires_at (~48h from now)
• hermes chat -q "Say OK" -m m27 responds via Token Plan
• Token refresh logic uses same ms→s conversion

Related

• MiniMax OAuth returns stale verification_uri pointing to deleted /oauth-authorize page on www.minimax.io #19337 — tracking issue
• fix(auth): rewrite stale MiniMax OAuth approval URL #19461, fix(cli): rewrite stale MiniMax OAuth verification_uri and surface setup failures #19466 — URL-only fixes (no expired_in handling)
• fix: handle MiniMax OAuth URL and token expiry #20106 — similar scope but different implementation

[teknium1]

Closing as superseded by #24165.

Triage notes (high confidence):
Merged PR #24165 (2026-05-12) 'fix(minimax): harden OAuth dashboard and runtime' added ms-timestamp handling (hermes_cli/auth.py:6878 _minimax_expired_in_looks_like_unix_ms / :6883 _minimax_resolve_token_expiry_unix); duplicates PR 20374's main fix. URL rewrite portion is moot since main uses api.minimax.io base, not www.minimax.io.

Thanks for the contribution — the underlying problem this PR addresses has been resolved by the linked PR on current main. If you believe this was closed in error, please comment and we'll reopen.

(Bulk-closed during a CLI PR triage sweep.)