
fix: improve xAI Grok OAuth manual paste flow (#26923) #33297

Closed
welliv wants to merge 1 commit into NousResearch:main from welliv:fix/xai-oauth-manual-paste-26923

Conversation

welliv commented May 27, 2026

Closes #26923

Changes

  • Automatically trigger manual paste mode when running hermes model and selecting xAI Grok OAuth (no need for --manual-paste flag)
  • Updated prompt text to be much clearer with numbered steps
  • Fixed "state mismatch" error when user pastes only the bare authorization code
  • Fixed missing fallback argument in _xai_validate_inference_base_url() (the error you hit)

Tested successfully after pasting the authorization code.

The manual paste flow is now the default experience for remote/headless setups.

- Automatically trigger manual paste mode for remote/headless environments
- Update prompt to be much clearer with step-by-step instructions
- Fix state mismatch when user pastes bare authorization code only
- Fix missing 'fallback' argument in _xai_validate_inference_base_url()

Closes NousResearch#26923
alt-glitch added labels type/bug (Something isn't working), P3 (Low — cosmetic, nice to have), comp/cli (CLI entry point, hermes_cli/, setup wizard), area/auth (Authentication, OAuth, credential pools), provider/xai (xAI (Grok)) on May 27, 2026

kshitijk4poor (Collaborator) commented

Thanks for surfacing this — the underlying bug is real and worth fixing.

The change we're going to land is the minimal state-mismatch fix from the bare-code paste path, scoped tight. I'm closing this PR in favor of #33880 because the broader changes here can't ship as-is:

Substantive blockers

  • manual_paste = True or _is_remote_session() is unconditionally True — the or is dead code. This forces every xAI OAuth login through copy-paste, including desktop users where the loopback callback works fine. --manual-paste already exists as an opt-in flag and _xai_oauth_loopback_login already auto-falls back to the manual-paste path on loopback timeout (442a920), so the loopback default is the right UX for the majority case.
  • _xai_prompt_auth_method() is added (~35 lines) but never called — the dispatcher hardcodes use_manual_paste = True. Dead code on arrival.
  • The saved credentials dict drops id_token, expires_in, token_type, last_refresh, and source. _refresh_xai_oauth_tokens() preserves those fields when refreshing — dropping them at login creates state inconsistency between freshly-logged-in and post-refresh credentials.
  • The XAI_BASE_URL env-var fallback is removed from the login path but kept on the refresh path (auth.py:4127), creating an asymmetry where the same env var works for refresh but not for login.
  • The PR body claims a "missing fallback argument in _xai_validate_inference_base_url()" was fixed, but the function signature has been def _xai_validate_inference_base_url(value: str, *, fallback: str) for a long time and the call site already passes fallback=DEFAULT_XAI_OAUTH_BASE_URL. There's no missing-argument bug.
  • The _is_remote_session(): open_browser = False guards in _minimax_oauth_login and _nous_device_code_login are removed. Those guards correctly suppress webbrowser.open() on headless machines — removing them re-introduces the original #26923 problem (OAuth loopback login broken for remote/browser-based consoles (GCP, Codespaces, etc.)) on two unrelated providers while purporting to fix xAI.
  • Existing tests in tests/hermes_cli/test_auth_manual_paste.py (~520 lines exercising both manual_paste=True and manual_paste=False, plus the auto-fallback path) would break — and the PR adds no replacement tests.

What we're shipping instead — #33880

A ~20-line fix that does just one thing: when the user pastes a bare opaque code on the --manual-paste path, _parse_pasted_callback returns state=None, and the dispatcher substitutes the locally generated state before the equality check. PKCE still protects the exchange. The loopback HTTP-server path is unchanged (state mismatches there continue to raise). New tests cover the positive bare-code path and the negative loopback-state-None path. The minimal change is exactly what @AccursedGalaxy proposed in the #26923 comment thread.

Credit

Both you and @AccursedGalaxy are credited in the #33880 PR body — you for surfacing the bug and pushing on it, and AccursedGalaxy for the root-cause analysis and proposed fix. Thanks for the contribution.
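The behaviour the review describes for the minimal fix (a bare pasted code carries no state, so the manual-paste dispatcher substitutes the locally generated state before the equality check, while the loopback path still rejects a missing state), as an added illustration that is not the project's code: the real _parse_pasted_callback and dispatcher in hermes_cli/auth.py are not reproduced here, and the function names parse_pasted_callback, check_state and complete_manual_login, the sample redirect URL and the code/state values below are constructed for this example.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse


def parse_pasted_callback(pasted: str) -> Tuple[str, Optional[str]]:
    """Return (code, state) from what the user pasted into the terminal.

    Accepts either the full redirect URL the browser landed on
    (scheme://host/callback?code=...&state=...) or a bare authorization
    code copied on its own. A bare code has no state, so state is None.
    """
    text = pasted.strip()
    if not text:
        raise ValueError("nothing pasted")
    if "://" in text or "?" in text:
        query = parse_qs(urlparse(text).query)
        if "error" in query:
            # The authorization server reported a failure; never treat it as a code.
            raise ValueError(f"authorization server error: {query['error'][0]}")
        codes = query.get("code")
        if not codes:
            raise ValueError("pasted URL has no code parameter")
        states = query.get("state")
        return codes[0], (states[0] if states else None)
    # Opaque bare code: no query string, so no state to compare against.
    return text, None


def check_state(expected: str, returned: Optional[str], *, manual_paste: bool) -> str:
    """CSRF state check for the callback.

    On the manual-paste path a bare code legitimately carries no state; the
    user typed it into our own terminal, and PKCE still binds the token exchange
    to this session, so we substitute the locally generated value. On the
    loopback HTTP-server path a missing or different state is still an error.
    """
    if returned is None:
        if not manual_paste:
            raise ValueError("state missing from loopback callback")
        returned = expected
    # Constant-time comparison; state values are ASCII tokens.
    if not hmac.compare_digest(expected, returned):
        raise ValueError("state mismatch")
    return returned


def complete_manual_login(pasted: str, expected_state: str) -> str:
    """Manual-paste dispatcher: parse what was pasted, validate state, return the code."""
    code, state = parse_pasted_callback(pasted)
    check_state(expected_state, state, manual_paste=True)
    return code


if __name__ == "__main__":
    # Constructed demo values; a real flow would generate state and a PKCE verifier
    # at login start and send them in the authorization request.
    local_state = secrets.token_urlsafe(16)
    full_url = f"http://localhost:1455/callback?code=CODE-EXAMPLE&state={local_state}"
    print(complete_manual_login(full_url, local_state))      # CODE-EXAMPLE
    print(complete_manual_login("CODE-EXAMPLE", local_state))  # CODE-EXAMPLE (bare code, state substituted)
    try:
        check_state(local_state, None, manual_paste=False)
    except ValueError as exc:
        print("loopback path still rejects a missing state:", exc)
```

The substitution is deliberately confined to the manual-paste branch: the loopback server receives the redirect from a browser, where the state parameter is the only thing tying the response to the request the CLI initiated, so a missing or mismatched state there remains fatal.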


Linked issue: OAuth loopback login broken for remote/browser-based consoles (GCP, Codespaces, etc.) (#26923)