docs(README): link community fix for xAI OAuth callback failure on WSL2

[jett22JOE]

Summary

Adds a one-paragraph callout in the ## Quick Install section's Windows/WSL2 blockquote pointing at a community-maintained fix repo for the hermes auth add xai-oauth --type oauth callback failure on WSL2: jettoptx/hermes-xai-oauth-wsl.

Single insertion, two lines, no other changes.

Why

After xAI shipped native SuperGrok OAuth (~2026-05-15), every WSL2 user trying to log in via Hermes hits this:

1. hermes auth add xai-oauth --type oauth opens an HTTP listener on 127.0.0.1:<ephemeral-port>/callback inside WSL.
2. The Windows browser completes consent at accounts.x.ai.
3. xAI's 302 Found redirect to the loopback URL is silently dropped by the Hyper-V Firewall's default policy on the WSL VM (DefaultInboundAction = Block), which ships enabled with mirrored networking — Microsoft's current default.
4. xAI's "Could not establish connection" fallback page renders, showing the auth code as plain text.
5. Hermes (v0.14.0) has no --code flag on hermes auth add. The code is orphaned. The listener times out.

Verify the firewall block on any affected machine:

Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore |
  Format-List Name, DefaultInboundAction, LoopbackEnabled
# DefaultInboundAction : Block   <-- root cause

The same flow breaks xAI's own Grok Build CLI, since Hermes impersonates the Grok-CLI client_id (b1a00492-073a-47ea-816f-4c329264a828) and both share the loopback redirect path.

What the linked repo provides

• scripts/hermes-xai-oauth-wsl.sh — wrapper that starts the Hermes listener, prints the URL, prompts for the code from xAI's fallback page, and curls the callback URL from inside WSL (same kernel as the listener, so the firewall is irrelevant). No admin required.
• docs/permanent-fix.ps1 — elevated PowerShell that punches a one-time New-NetFirewallHyperVRule for the ephemeral TCP range, after which plain hermes auth add xai-oauth --type oauth works directly.
• Root cause writeup with the verify-the-block command and the NAT-vs-mirrored explanation.
• MIT license, signed commits, issue template.

Why a docs link rather than a code PR

A real fix would add a --code flag to hermes_cli/auth.py (_xai_oauth_loopback_login around line 5315) so the wrapper becomes unnecessary. I'm happy to follow up with that PR if you want it — wanted to land the unblock for users today first, since the docs link is zero-risk and the code change touches an auth path that probably warrants its own review cycle.

If you'd prefer to vendor the script or write your own callout instead of linking out, also happy to defer — the point is that something in the README acknowledges this trap for WSL2 users.

Test plan

• README renders cleanly (verified with local markdown preview)
• Existing WSL2 / Windows callouts unchanged
• Diff is +2 lines, no formatting churn

Falls under priority 2 (cross-platform compatibility — WSL2) in CONTRIBUTING.md.

[teknium1]

Closing per community-link-policy — we don't link contributor-owned forks/repos from the main README. The real fix is to add a --paste-code/--manual-paste path in hermes_cli/auth.py so the orphaned code from xAI's fallback page can be fed back into the listener. That work is being merged via the salvage of #26929 — thanks for surfacing the WSL2 Hyper-V firewall root cause.

[jett22JOE]

<3 you guys

…

-JOE

On Mon, May 18, 2026 at 9:00 PM Teknium ***@***.***> wrote: *teknium1* left a comment (NousResearch/hermes-agent#27305) <#27305?email_source=notifications&email_token=BDMSJJUVPPOBPSGCERMDKDD43PE5HA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTINBYGQYDGMZWGMZ2M4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2LK4DSL5RW63LNMVXHIX3POBSW4X3DNRUWG2Y#issuecomment-4484033633> Closing per community-link-policy — we don't link contributor-owned forks/repos from the main README. The real fix is to add a --paste-code/ --manual-paste path in hermes_cli/auth.py so the orphaned code from xAI's fallback page can be fed back into the listener. That work is being merged via the salvage of #26929 <#26929> — thanks for surfacing the WSL2 Hyper-V firewall root cause. — Reply to this email directly, view it on GitHub <#27305?email_source=notifications&email_token=BDMSJJUVPPOBPSGCERMDKDD43PE5HA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTINBYGQYDGMZWGMZ2M4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2LK4DSL5RW63LNMVXHIX3POBSW4X3DNRUWG2Y#issuecomment-4484033633>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BDMSJJXWHQVZX77PJKW4D4343PE5HAVCNFSM6AAAAACZBEHYY2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DIOBUGAZTGNRTGM> . You are receiving this because you authored the thread.Message ID: ***@***.***>