fix(xai-oauth): strip service_tier and add safety-net sanitization for slash enums

[Nami4D]

What changed

Strip service_tier from xAI Responses API requests and add a safety-net strip_slash_enum call in the preflight path.

Why

xAI's /v1/responses endpoint rejects two request shapes with HTTP 400:

1. service_tier — "Argument not supported: service_tier" (hit when /fast mode is active)
2. Tool schema enum values containing / — "Invalid arguments passed to the model" (HuggingFace model IDs like Qwen/Qwen3.5-0.8B from MCP servers). The existing strip_slash_enum sanitizer in build_api_kwargs is bypassed in some code paths, so this adds a safety-net call in the preflight function.

How to test

Run Hermes with xai-oauth provider (SuperGrok):

hermes model  # → pick xAI Grok OAuth (SuperGrok Subscription)
hermes        # → chat normally

Platforms tested

• macOS (direct API testing with 23 request variants against api.x.ai/v1/responses + end-to-end Hermes agent runs)

Tests

• tests/agent/transports/test_codex_transport.py — 39 passed
• tests/run_agent/test_run_agent_codex_responses.py — 63 passed
• scripts/check-windows-footguns.py — clean

[teknium1]

Closing — merged via salvage PR #32443 (#32443).

Your two commits were cherry-picked onto current main with authorship preserved (Co-authored-by: trailer in the merge commit). The salvage added:

• Resolution for a merge conflict from a timeout-forwarding block that landed between your branch point and main.
• A model-name gate on the slash-enum preflight strip so it only fires for Grok models (the original PR applied to all codex_responses requests, but native Codex / GitHub Models actually accept slash enums and stripping the constraint there would silently degrade tool-schema correctness).
• 6 regression tests covering both fixes in both directions.

Both bugs are now fixed on main. Thanks for the careful diagnosis — 23 request variants against api.x.ai is exactly the empirical work that makes these salvageable in an afternoon.