fix(auth): handle MiniMax OAuth epoch-ms expiries

[LeonSGP43]

Summary

Fix MiniMax OAuth flows that persist expired_in as if it were always a TTL in seconds. MiniMax can return a unix-ms expiry timestamp instead, which made Hermes compute impossible dates like year 58381 and fail immediately after browser approval.

Changes

• add _minimax_parse_expired_in() to normalize MiniMax/OpenClaw expired_in values from either unix-ms epoch or TTL seconds
• reuse that parser in _minimax_poll_token(), _minimax_oauth_login(), and _refresh_minimax_oauth_state()
• add regression coverage for login and refresh when expired_in is an epoch-ms timestamp

Fixes #21779.

Verification

• uv sync --frozen --extra all
• git diff --check
• ./scripts/run_tests.sh tests/test_minimax_oauth.py -q
• uv run --frozen ruff check .
• repo lint-diff semantics on hermes_cli/auth.py and tests/test_minimax_oauth.py
• clean env -i repo smoke: pytest tests/ --collect-only -q --ignore=tests/integration --ignore=tests/e2e -n auto

[alt-glitch]

Duplicate of #20374 — same fix for MiniMax OAuth expired_in epoch-ms timestamp handling. See also #22020, #22258, #21786 (all competing PRs for the same issue #21779).

[Copilot]

Pull request overview

Fixes MiniMax/OpenClaw OAuth failures caused by treating expired_in as always being a TTL (seconds) when it can be an epoch-milliseconds timestamp, which previously produced invalid far-future datetimes and immediate post-approval login failures.

Changes:

• Added _minimax_parse_expired_in() helper to normalize expired_in into (expires_at_epoch_seconds, ttl_seconds).
• Reused the helper in _minimax_poll_token(), _minimax_oauth_login(), and _refresh_minimax_oauth_state() to prevent overflow/invalid datetime conversions.
• Added regression tests covering both login and refresh flows when expired_in is epoch-ms.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
hermes_cli/auth.py	Introduces a shared expired_in parser and applies it across MiniMax OAuth polling/login/refresh to correctly handle epoch-ms expiries.
tests/test_minimax_oauth.py	Adds regression tests ensuring login/refresh accept epoch-ms expired_in and produce reasonable expires_at / expires_in values.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[teknium1]

Superseded by #24165 (#24165), which centralizes the MiniMax expired_in parsing on the same code paths your PR targeted (CLI login + refresh) plus the dashboard poller, auth status dispatch, and pool runtime api_mode pin. Thanks for the original report and fix on this — you spotted it first.