From df797d09b2772236f6dbf30ace2d921778570286 Mon Sep 17 00:00:00 2001
From: ekko <152005280+EKKOLearnAI@users.noreply.github.com>
Date: Thu, 23 Apr 2026 08:39:19 +0800
Subject: [PATCH] feat: add StepFun and Nous Portal provider support (#140)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add StepFun provider (API key auth, STEPFUN_API_KEY)
- Add Nous Portal provider with full OAuth device code flow
  (device code request → poll for token → mint agent key → save to auth.json)
- Add NousLoginModal component for OAuth UI (user code display + verification link)
- Update ProviderFormModal to handle Nous OAuth flow (hide API key fields)
- Add nous-auth backend controller and routes
- Update PROVIDER_ENV_MAP with stepfun and nous entries
- Add i18n translations for Nous OAuth in all 8 locales

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
---
 packages/client/src/api/hermes/nous-auth.ts   |  29 ++
 .../hermes/models/NousLoginModal.vue          | 241 +++++++++++++++
 .../hermes/models/ProviderFormModal.vue       |  28 +-
 packages/client/src/i18n/locales/de.ts        |   7 +
 packages/client/src/i18n/locales/en.ts        |   7 +
 packages/client/src/i18n/locales/es.ts        |   7 +
 packages/client/src/i18n/locales/fr.ts        |   7 +
 packages/client/src/i18n/locales/ja.ts        |   7 +
 packages/client/src/i18n/locales/ko.ts        |   7 +
 packages/client/src/i18n/locales/pt.ts        |   7 +
 packages/client/src/i18n/locales/zh.ts        |   7 +
 .../src/controllers/hermes/nous-auth.ts       | 283 ++++++++++++++++++
 .../server/src/routes/hermes/nous-auth.ts     |   8 +
 packages/server/src/routes/index.ts           |   2 +
 .../server/src/services/config-helpers.ts     |   2 +
 packages/server/src/shared/providers.ts       |  46 +++
 16 files changed, 692 insertions(+), 3 deletions(-)
 create mode 100644 packages/client/src/api/hermes/nous-auth.ts
 create mode 100644 packages/client/src/components/hermes/models/NousLoginModal.vue
 create mode 100644 packages/server/src/controllers/hermes/nous-auth.ts
 create mode 100644 packages/server/src/routes/hermes/nous-auth.ts

diff --git a/packages/client/src/api/hermes/nous-auth.ts b/packages/client/src/api/hermes/nous-auth.ts
new file mode 100644
index 0000000..890ccd7
--- /dev/null
+++ b/packages/client/src/api/hermes/nous-auth.ts
@@ -0,0 +1,29 @@
+import { request } from '../client'
+
+export interface NousStartResult {
+  session_id: string
+  user_code: string
+  verification_url: string
+  expires_in: number
+}
+
+export interface NousPollResult {
+  status: 'pending' | 'approved' | 'denied' | 'expired' | 'error'
+  error: string | null
+}
+
+export interface NousStatusResult {
+  authenticated: boolean
+}
+
+export async function startNousLogin(): Promise<NousStartResult> {
+  return request<NousStartResult>('/api/hermes/auth/nous/start', { method: 'POST' })
+}
+
+export async function pollNousLogin(sessionId: string): Promise<NousPollResult> {
+  return request<NousPollResult>(`/api/hermes/auth/nous/poll/${sessionId}`)
+}
+
+export async function getNousAuthStatus(): Promise<NousStatusResult> {
+  return request<NousStatusResult>('/api/hermes/auth/nous/status')
+}
diff --git a/packages/client/src/components/hermes/models/NousLoginModal.vue b/packages/client/src/components/hermes/models/NousLoginModal.vue
new file mode 100644
index 0000000..5f9d006
--- /dev/null
+++ b/packages/client/src/components/hermes/models/NousLoginModal.vue
@@ -0,0 +1,241 @@
+<script setup lang="ts">
+import { ref, onUnmounted } from 'vue'
+import { NModal, NButton, NSpin, useMessage } from 'naive-ui'
+import { useI18n } from 'vue-i18n'
+import { startNousLogin, pollNousLogin } from '@/api/hermes/nous-auth'
+
+const { t } = useI18n()
+const emit = defineEmits<{ close: []; success: [] }>()
+const message = useMessage()
+
+const showModal = ref(true)
+const status = ref<'idle' | 'loading' | 'waiting' | 'approved' | 'expired' | 'error'>('idle')
+const userCode = ref('')
+const verificationUrl = ref('')
+const sessionId = ref('')
+const errorMessage = ref('')
+let pollTimer: ReturnType<typeof setTimeout> | null = null
+
+async function startLogin() {
+  status.value = 'loading'
+  errorMessage.value = ''
+
+  try {
+    const data = await startNousLogin()
+    userCode.value = data.user_code
+    verificationUrl.value = data.verification_url
+    sessionId.value = data.session_id
+    status.value = 'waiting'
+    startPolling()
+  } catch (err: any) {
+    status.value = 'error'
+    const msg = err.message || ''
+    try {
+      const match = msg.match(/\{[\s\S]*\}$/)
+      if (match) {
+        const body = JSON.parse(match[0])
+        errorMessage.value = body.error || msg
+      } else {
+        errorMessage.value = msg
+      }
+    } catch {
+      errorMessage.value = msg
+    }
+    message.error(errorMessage.value)
+  }
+}
+
+function startPolling() {
+  stopPolling()
+  pollTimer = setTimeout(async () => {
+    try {
+      const result = await pollNousLogin(sessionId.value)
+      if (result.status === 'pending') {
+        startPolling()
+      } else if (result.status === 'approved') {
+        status.value = 'approved'
+        message.success(t('models.nousApproved'))
+        setTimeout(() => {
+          showModal.value = false
+          setTimeout(() => emit('success'), 200)
+        }, 1000)
+      } else if (result.status === 'expired') {
+        status.value = 'expired'
+      } else if (result.status === 'denied') {
+        status.value = 'error'
+        errorMessage.value = t('models.nousDenied')
+      } else if (result.status === 'error') {
+        status.value = 'error'
+        errorMessage.value = result.error || 'Unknown error'
+      }
+    } catch {
+      startPolling()
+    }
+  }, 3000)
+}
+
+function stopPolling() {
+  if (pollTimer) {
+    clearTimeout(pollTimer)
+    pollTimer = null
+  }
+}
+
+function handleClose() {
+  stopPolling()
+  showModal.value = false
+  setTimeout(() => emit('close'), 200)
+}
+
+function copyCode() {
+  navigator.clipboard.writeText(userCode.value)
+  message.success(t('models.nousCopyCode'))
+}
+
+function openLink() {
+  window.open(verificationUrl.value, '_blank')
+}
+
+function retry() {
+  status.value = 'idle'
+  userCode.value = ''
+  verificationUrl.value = ''
+  sessionId.value = ''
+  errorMessage.value = ''
+  startLogin()
+}
+
+onUnmounted(() => {
+  stopPolling()
+})
+
+// Auto-start when modal opens
+startLogin()
+</script>
+
+<template>
+  <NModal
+    v-model:show="showModal"
+    preset="card"
+    :title="t('models.nousLoginTitle')"
+    :style="{ width: 'min(440px, calc(100vw - 32px))' }"
+    :mask-closable="status !== 'waiting'"
+    @after-leave="emit('close')"
+  >
+    <div class="nous-login">
+      <!-- Idle / Loading -->
+      <div v-if="status === 'idle' || status === 'loading'" class="nous-login__state">
+        <NSpin size="small" />
+      </div>
+
+      <!-- Waiting for authorization -->
+      <div v-else-if="status === 'waiting'" class="nous-login__state">
+        <p class="nous-login__hint">{{ t('models.nousWaiting') }}</p>
+        <div class="nous-login__code" @click="copyCode">
+          <span class="nous-login__code-text">{{ userCode }}</span>
+          <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><rect x="9" y="9" width="13" height="13" rx="2"/><path d="M5 15H4a2 2 0 01-2-2V4a2 2 0 012-2h9a2 2 0 012 2v1"/></svg>
+        </div>
+        <NButton type="primary" block @click="openLink">
+          <template #icon>
+            <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M18 13v6a2 2 0 01-2 2H5a2 2 0 01-2-2V8a2 2 0 012-2h6"/><polyline points="15 3 21 3 21 9"/><line x1="10" y1="14" x2="21" y2="3"/></svg>
+          </template>
+          {{ t('models.nousOpenLink') }}
+        </NButton>
+      </div>
+
+      <!-- Approved -->
+      <div v-else-if="status === 'approved'" class="nous-login__state nous-login__state--success">
+        <svg width="40" height="40" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M22 11.08V12a10 10 0 11-5.93-9.14"/><polyline points="22 4 12 14.01 9 11.01"/></svg>
+        <p>{{ t('models.nousApproved') }}</p>
+      </div>
+
+      <!-- Expired -->
+      <div v-else-if="status === 'expired'" class="nous-login__state">
+        <p class="nous-login__error">{{ t('models.nousExpired') }}</p>
+        <NButton size="small" @click="retry">{{ t('common.retry') }}</NButton>
+      </div>
+
+      <!-- Error -->
+      <div v-else-if="status === 'error'" class="nous-login__state">
+        <p class="nous-login__error">{{ errorMessage }}</p>
+        <NButton size="small" @click="retry">{{ t('common.retry') }}</NButton>
+      </div>
+    </div>
+
+    <template #footer>
+      <div class="modal-footer">
+        <NButton :disabled="status === 'waiting'" @click="handleClose">{{ t('common.cancel') }}</NButton>
+      </div>
+    </template>
+  </NModal>
+</template>
+
+<style scoped lang="scss">
+.nous-login {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  padding: 8px 0;
+}
+
+.nous-login__state {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  gap: 16px;
+  min-height: 120px;
+  justify-content: center;
+  width: 100%;
+}
+
+.nous-login__hint {
+  font-size: 14px;
+  color: var(--n-text-color, inherit);
+  text-align: center;
+  line-height: 1.6;
+}
+
+.nous-login__code {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  padding: 12px 20px;
+  border: 1px solid var(--n-border-color, #e0e0e6);
+  border-radius: 8px;
+  cursor: pointer;
+  transition: border-color 0.2s;
+  background: var(--n-color, #fafafa);
+
+  &:hover {
+    border-color: var(--n-primary-color, #18a058);
+  }
+}
+
+.nous-login__code-text {
+  font-size: 28px;
+  font-weight: 700;
+  font-family: monospace;
+  letter-spacing: 4px;
+  color: var(--n-text-color, inherit);
+}
+
+.nous-login__state--success {
+  color: #18a058;
+
+  svg {
+    stroke: #18a058;
+  }
+}
+
+.nous-login__error {
+  color: #d03050;
+  text-align: center;
+  font-size: 13px;
+}
+
+.modal-footer {
+  display: flex;
+  justify-content: flex-end;
+  gap: 8px;
+}
+</style>
diff --git a/packages/client/src/components/hermes/models/ProviderFormModal.vue b/packages/client/src/components/hermes/models/ProviderFormModal.vue
index 32194fa..fc945d7 100644
--- a/packages/client/src/components/hermes/models/ProviderFormModal.vue
+++ b/packages/client/src/components/hermes/models/ProviderFormModal.vue
@@ -4,6 +4,7 @@ import { NModal, NForm, NFormItem, NInput, NButton, NSelect, useMessage } from '
 import { useModelsStore } from '@/stores/hermes/models'
 import { useI18n } from 'vue-i18n'
 import CodexLoginModal from './CodexLoginModal.vue'
+import NousLoginModal from './NousLoginModal.vue'
 
 const { t } = useI18n()
 
@@ -19,6 +20,7 @@ const showModal = ref(true)
 const loading = ref(false)
 const fetchingModels = ref(false)
 const showCodexLogin = ref(false)
+const showNousLogin = ref(false)
 
 const providerType = ref<'preset' | 'custom'>('preset')
 const selectedPreset = ref<string | null>(null)
@@ -32,8 +34,10 @@ const formData = ref({
 const modelOptions = ref<Array<{ label: string; value: string }>>([])
 
 const CODEX_KEY = 'openai-codex'
+const NOUS_KEY = 'nous'
 
 const isCodex = computed(() => selectedPreset.value === CODEX_KEY)
+const isNous = computed(() => selectedPreset.value === NOUS_KEY)
 
 const presetOptions = computed(() =>
   modelsStore.allProviders.map(g => ({ label: g.label, value: g.provider })),
@@ -125,6 +129,12 @@ async function handleSave() {
     return
   }
 
+  // Nous: 弹出 OAuth 设备码弹窗
+  if (isNous.value) {
+    showNousLogin.value = true
+    return
+  }
+
   if (!formData.value.base_url.trim()) {
     message.warning(t('models.baseUrlRequired'))
     return
@@ -166,6 +176,12 @@ async function handleCodexSuccess() {
   emit('saved')
 }
 
+async function handleNousSuccess() {
+  showNousLogin.value = false
+  message.success(t('models.providerAdded'))
+  emit('saved')
+}
+
 function handleClose() {
   showModal.value = false
   setTimeout(() => emit('close'), 200)
@@ -178,7 +194,7 @@ function handleClose() {
     preset="card"
     :title="t('models.addProvider')"
     :style="{ width: 'min(520px, calc(100vw - 32px))' }"
-    :mask-closable="!loading && !showCodexLogin"
+    :mask-closable="!loading && !showCodexLogin && !showNousLogin"
     @after-leave="emit('close')"
   >
     <NForm label-placement="top">
@@ -217,7 +233,7 @@ function handleClose() {
         />
       </NFormItem>
 
-      <NFormItem v-if="!isCodex" :label="t('models.baseUrl')" required>
+      <NFormItem v-if="!isCodex && !isNous" :label="t('models.baseUrl')" required>
         <NInput
           v-model:value="formData.base_url"
           :placeholder="t('models.baseUrlPlaceholder')"
@@ -225,7 +241,7 @@ function handleClose() {
         />
       </NFormItem>
 
-      <NFormItem v-if="!isCodex" :label="t('models.apiKey')" required>
+      <NFormItem v-if="!isCodex && !isNous" :label="t('models.apiKey')" required>
         <NInput
           v-model:value="formData.api_key"
           type="password"
@@ -270,6 +286,12 @@ function handleClose() {
       @close="showCodexLogin = false"
       @success="handleCodexSuccess"
     />
+
+    <NousLoginModal
+      v-if="showNousLogin"
+      @close="showNousLogin = false"
+      @success="handleNousSuccess"
+    />
   </NModal>
 </template>
 
diff --git a/packages/client/src/i18n/locales/de.ts b/packages/client/src/i18n/locales/de.ts
index 1c3ab25..5379296 100644
--- a/packages/client/src/i18n/locales/de.ts
+++ b/packages/client/src/i18n/locales/de.ts
@@ -243,6 +243,13 @@ export default {
     codexOpenLink: 'Autorisierungsseite öffnen',
     codexApproved: 'Anmeldung erfolgreich',
     codexExpired: 'Die Autorisierung ist abgelaufen. Bitte versuchen Sie es erneut.',
+    nousLoginTitle: 'Nous Portal Login',
+    nousWaiting: 'Geben Sie diesen Code auf der Autorisierungsseite ein:',
+    nousCopyCode: 'Code kopiert',
+    nousOpenLink: 'Autorisierungsseite öffnen',
+    nousApproved: 'Login erfolgreich',
+    nousDenied: 'Autorisierung wurde abgelehnt',
+    nousExpired: 'Autorisierung abgelaufen',
     noProviders: 'Keine Anbieter gefunden. Fugen Sie einen benutzerdefinierten Anbieter hinzu, um zu beginnen.',
     builtIn: 'Integriert',
     customType: 'Benutzerdefiniert',
diff --git a/packages/client/src/i18n/locales/en.ts b/packages/client/src/i18n/locales/en.ts
index b1858f6..f6a195e 100644
--- a/packages/client/src/i18n/locales/en.ts
+++ b/packages/client/src/i18n/locales/en.ts
@@ -268,6 +268,13 @@ export default {
     codexOpenLink: 'Open authorization page',
     codexApproved: 'Login successful',
     codexExpired: 'Authorization expired. Please try again.',
+    nousLoginTitle: 'Nous Portal Login',
+    nousWaiting: 'Enter this code at the authorization page to complete login:',
+    nousCopyCode: 'Code copied',
+    nousOpenLink: 'Open authorization page',
+    nousApproved: 'Login successful',
+    nousDenied: 'Authorization was denied. Please try again.',
+    nousExpired: 'Authorization expired. Please try again.',
     noProviders: 'No providers found. Add a custom provider to get started.',
     builtIn: 'Built-in',
     customType: 'Custom',
diff --git a/packages/client/src/i18n/locales/es.ts b/packages/client/src/i18n/locales/es.ts
index fc521b1..d9063ea 100644
--- a/packages/client/src/i18n/locales/es.ts
+++ b/packages/client/src/i18n/locales/es.ts
@@ -243,6 +243,13 @@ export default {
     codexOpenLink: 'Abrir página de autorización',
     codexApproved: 'Inicio de sesión exitoso',
     codexExpired: 'La autorización ha expirado. Por favor, inténtelo de nuevo.',
+    nousLoginTitle: 'Inicio de sesión de Nous Portal',
+    nousWaiting: 'Ingrese este código en la página de autorización:',
+    nousCopyCode: 'Código copiado',
+    nousOpenLink: 'Abrir página de autorización',
+    nousApproved: 'Inicio de sesión exitoso',
+    nousDenied: 'Autorización denegada',
+    nousExpired: 'Autorización expirada',
     noProviders: 'No se encontraron proveedores. Anade un proveedor personalizado para comenzar.',
     builtIn: 'Integrado',
     customType: 'Personalizado',
diff --git a/packages/client/src/i18n/locales/fr.ts b/packages/client/src/i18n/locales/fr.ts
index 539d0c5..dcfda12 100644
--- a/packages/client/src/i18n/locales/fr.ts
+++ b/packages/client/src/i18n/locales/fr.ts
@@ -243,6 +243,13 @@ export default {
     codexOpenLink: 'Ouvrir la page d\'autorisation',
     codexApproved: 'Connexion réussie',
     codexExpired: 'L\'autorisation a expiré. Veuillez réessayer.',
+    nousLoginTitle: 'Connexion Nous Portal',
+    nousWaiting: 'Entrez ce code sur la page d\'autorisation:',
+    nousCopyCode: 'Code copié',
+    nousOpenLink: 'Ouvrir la page d\'autorisation',
+    nousApproved: 'Connexion réussie',
+    nousDenied: 'Autorisation refusée',
+    nousExpired: 'Autorisation expirée',
     noProviders: 'Aucun fournisseur trouve. Ajoutez un fournisseur personnalise pour commencer.',
     builtIn: 'Integre',
     customType: 'Personnalise',
diff --git a/packages/client/src/i18n/locales/ja.ts b/packages/client/src/i18n/locales/ja.ts
index 36cdb4f..c9bbb05 100644
--- a/packages/client/src/i18n/locales/ja.ts
+++ b/packages/client/src/i18n/locales/ja.ts
@@ -243,6 +243,13 @@ export default {
     codexOpenLink: '認証ページを開く',
     codexApproved: 'ログイン成功',
     codexExpired: '認証の有効期限が切れました。もう一度お試しください。',
+    nousLoginTitle: 'Nous Portal ログイン',
+    nousWaiting: '認証ページでこのコードを入力してください:',
+    nousCopyCode: 'コードをコピーしました',
+    nousOpenLink: '認証ページを開く',
+    nousApproved: 'ログイン成功',
+    nousDenied: '認証が拒否されました',
+    nousExpired: '認証の有効期限が切れました',
     noProviders: 'プロバイダーがありません。カスタムプロバイダーを追加して始めましょう。',
     builtIn: '組み込み',
     customType: 'カスタム',
diff --git a/packages/client/src/i18n/locales/ko.ts b/packages/client/src/i18n/locales/ko.ts
index 01c8a2a..6b8a830 100644
--- a/packages/client/src/i18n/locales/ko.ts
+++ b/packages/client/src/i18n/locales/ko.ts
@@ -243,6 +243,13 @@ export default {
     codexOpenLink: '인증 페이지 열기',
     codexApproved: '로그인 성공',
     codexExpired: '인증이 만료되었습니다. 다시 시도해주세요.',
+    nousLoginTitle: 'Nous Portal 로그인',
+    nousWaiting: '인증 페이지에서 이 코드를 입력하세요:',
+    nousCopyCode: '코드 복사됨',
+    nousOpenLink: '인증 페이지 열기',
+    nousApproved: '로그인 성공',
+    nousDenied: '인증이 거부되었습니다',
+    nousExpired: '인증이 만료되었습니다',
     noProviders: 'Provider가 없습니다. 사용자 지정 Provider를 추가하여 시작하세요.',
     builtIn: '내장',
     customType: '사용자 지정',
diff --git a/packages/client/src/i18n/locales/pt.ts b/packages/client/src/i18n/locales/pt.ts
index 24d2b8e..a694b33 100644
--- a/packages/client/src/i18n/locales/pt.ts
+++ b/packages/client/src/i18n/locales/pt.ts
@@ -243,6 +243,13 @@ export default {
     codexOpenLink: 'Abrir página de autorização',
     codexApproved: 'Login bem-sucedido',
     codexExpired: 'A autorização expirou. Por favor, tente novamente.',
+    nousLoginTitle: 'Login do Nous Portal',
+    nousWaiting: 'Insira este código na página de autorização:',
+    nousCopyCode: 'Código copiado',
+    nousOpenLink: 'Abrir página de autorização',
+    nousApproved: 'Login bem-sucedido',
+    nousDenied: 'Autorização negada',
+    nousExpired: 'Autorização expirada',
     noProviders: 'Nenhum provedor encontrado. Adicione um provedor personalizado para comecar.',
     builtIn: 'Integrado',
     customType: 'Personalizado',
diff --git a/packages/client/src/i18n/locales/zh.ts b/packages/client/src/i18n/locales/zh.ts
index 6b917a8..53113e3 100644
--- a/packages/client/src/i18n/locales/zh.ts
+++ b/packages/client/src/i18n/locales/zh.ts
@@ -268,6 +268,13 @@ export default {
     codexOpenLink: '打开授权页面',
     codexApproved: '登录成功',
     codexExpired: '授权已过期，请重试。',
+    nousLoginTitle: 'Nous Portal 登录',
+    nousWaiting: '在授权页面输入此代码完成登录:',
+    nousCopyCode: '代码已复制',
+    nousOpenLink: '打开授权页面',
+    nousApproved: '登录成功',
+    nousDenied: '授权被拒绝，请重试。',
+    nousExpired: '授权已过期，请重试。',
     noProviders: '暂无 Provider，添加一个开始吧。',
     builtIn: '内置',
     customType: '自定义',
diff --git a/packages/server/src/controllers/hermes/nous-auth.ts b/packages/server/src/controllers/hermes/nous-auth.ts
new file mode 100644
index 0000000..6240396
--- /dev/null
+++ b/packages/server/src/controllers/hermes/nous-auth.ts
@@ -0,0 +1,283 @@
+import { randomUUID } from 'crypto'
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs'
+import { getActiveAuthPath } from '../../services/hermes/hermes-profile'
+import { logger } from '../../services/logger'
+
+// --- Nous Portal OAuth Constants ---
+const NOUS_PORTAL_URL = 'https://portal.nousresearch.com'
+const NOUS_CLIENT_ID = 'hermes-cli'
+const NOUS_SCOPE = 'inference:mint_agent_key'
+const POLL_MAX_DURATION = 15 * 60 * 1000
+const POLL_DEFAULT_INTERVAL = 5000
+
+// --- Session Store ---
+interface NousSession {
+  id: string
+  deviceCode: string
+  userCode: string
+  verificationUrl: string
+  verificationUrlComplete: string
+  expiresIn: number
+  interval: number
+  status: 'pending' | 'approved' | 'denied' | 'expired' | 'error'
+  error?: string
+  createdAt: number
+}
+
+const sessions = new Map<string, NousSession>()
+
+function cleanupExpiredSessions() {
+  const now = Date.now()
+  sessions.forEach((s, id) => { if (now - s.createdAt > POLL_MAX_DURATION + 60000) sessions.delete(id) })
+}
+
+// --- Auth file helpers ---
+interface AuthJson {
+  version?: number
+  active_provider?: string
+  providers?: Record<string, any>
+  credential_pool?: Record<string, any[]>
+  updated_at?: string
+}
+
+function loadAuthJson(authPath: string): AuthJson {
+  try { return JSON.parse(readFileSync(authPath, 'utf-8')) as AuthJson } catch { return { version: 1 } }
+}
+
+function saveAuthJson(authPath: string, data: AuthJson): void {
+  data.updated_at = new Date().toISOString()
+  const dir = authPath.substring(0, authPath.lastIndexOf('/'))
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true })
+  writeFileSync(authPath, JSON.stringify(data, null, 2) + '\n', { mode: 0o600 })
+}
+
+// --- Background poll worker ---
+async function nousLoginWorker(session: NousSession, authPath: string): Promise<void> {
+  const startTime = Date.now()
+  let interval = session.interval || POLL_DEFAULT_INTERVAL
+
+  while (Date.now() - startTime < POLL_MAX_DURATION) {
+    await new Promise(resolve => setTimeout(resolve, interval))
+    if (session.status !== 'pending') return
+
+    try {
+      const res = await fetch(`${NOUS_PORTAL_URL}/api/oauth/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+          client_id: NOUS_CLIENT_ID,
+          device_code: session.deviceCode,
+        }).toString(),
+        signal: AbortSignal.timeout(15000),
+      })
+
+      if (res.ok) {
+        const tokenData = await res.json() as {
+          access_token: string
+          refresh_token?: string
+          expires_in?: number
+          inference_base_url?: string
+        }
+
+        // Mint agent key
+        const inferenceBaseUrl = tokenData.inference_base_url || 'https://inference-api.nousresearch.com/v1'
+        let agentKey = ''
+        let agentKeyExpiresAt = ''
+        try {
+          const mintRes = await fetch(`${NOUS_PORTAL_URL}/api/oauth/agent-key`, {
+            method: 'POST',
+            headers: {
+              'Authorization': `Bearer ${tokenData.access_token}`,
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({ min_ttl_seconds: 1800 }),
+            signal: AbortSignal.timeout(15000),
+          })
+          if (mintRes.ok) {
+            const mintData = await mintRes.json() as {
+              api_key: string
+              expires_at: string
+              inference_base_url?: string
+            }
+            agentKey = mintData.api_key
+            agentKeyExpiresAt = mintData.expires_at
+            if (mintData.inference_base_url) {
+              // eslint-disable-next-line @typescript-eslint/no-unused-vars
+              void mintData.inference_base_url
+            }
+          }
+        } catch (err: any) {
+          logger.warn(err, 'Nous agent key minting failed, proceeding without')
+        }
+
+        // Save to auth.json
+        const auth = loadAuthJson(authPath)
+        if (!auth.providers) auth.providers = {}
+        const now = new Date()
+        auth.providers['nous'] = {
+          portal_base_url: NOUS_PORTAL_URL,
+          inference_base_url: inferenceBaseUrl,
+          client_id: NOUS_CLIENT_ID,
+          scope: NOUS_SCOPE,
+          token_type: 'Bearer',
+          access_token: tokenData.access_token,
+          refresh_token: tokenData.refresh_token || null,
+          obtained_at: now.toISOString(),
+          expires_at: tokenData.expires_in ? new Date(now.getTime() + tokenData.expires_in * 1000).toISOString() : null,
+          agent_key: agentKey || null,
+          agent_key_expires_at: agentKeyExpiresAt || null,
+          agent_key_obtained_at: agentKey ? now.toISOString() : null,
+        }
+
+        // Credential pool entry
+        if (!auth.credential_pool) auth.credential_pool = {}
+        auth.credential_pool['nous'] = [{
+          id: `nous-${Date.now()}`,
+          label: 'Nous Portal',
+          auth_type: 'oauth',
+          source: 'device_code',
+          priority: 0,
+          access_token: tokenData.access_token,
+          refresh_token: tokenData.refresh_token || null,
+          portal_base_url: NOUS_PORTAL_URL,
+          inference_base_url: inferenceBaseUrl,
+          agent_key: agentKey || null,
+          agent_key_expires_at: agentKeyExpiresAt || null,
+          base_url: inferenceBaseUrl,
+        }]
+
+        saveAuthJson(authPath, auth)
+        session.status = 'approved'
+        logger.info('Nous login successful')
+        return
+      }
+
+      // Parse error
+      const errData = await res.json().catch(() => ({}))
+      const errorCode = errData.error
+
+      if (errorCode === 'authorization_pending') {
+        continue
+      }
+      if (errorCode === 'slow_down') {
+        interval = Math.min(interval + 1000, 30000)
+        continue
+      }
+      if (errorCode === 'access_denied' || errorCode === 'expired_token') {
+        session.status = errorCode === 'access_denied' ? 'denied' : 'expired'
+        return
+      }
+
+      logger.error('Nous poll error: %s %s', res.status, errorCode)
+      session.status = 'error'
+      session.error = `OAuth error: ${errorCode}`
+      return
+    } catch (err: any) {
+      if (err.name === 'TimeoutError' || err.name === 'AbortError') continue
+      logger.error(err, 'Nous poll error')
+      session.status = 'error'
+      session.error = err.message
+      return
+    }
+  }
+
+  session.status = 'expired'
+}
+
+// --- Controller functions ---
+
+export async function start(ctx: any) {
+  try {
+    cleanupExpiredSessions()
+
+    const res = await fetch(`${NOUS_PORTAL_URL}/api/oauth/device/code`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json' },
+      body: new URLSearchParams({
+        client_id: NOUS_CLIENT_ID,
+        scope: NOUS_SCOPE,
+      }).toString(),
+      signal: AbortSignal.timeout(15000),
+    })
+
+    if (!res.ok) {
+      let errorBody: any = null
+      try { errorBody = await res.json() } catch { }
+      logger.error('Nous device code request failed: %d %s', res.status, errorBody)
+      ctx.status = 502
+      ctx.body = { error: `Nous Portal error: ${res.status}` }
+      return
+    }
+
+    const data = await res.json() as {
+      device_code: string
+      user_code: string
+      verification_uri: string
+      verification_uri_complete: string
+      expires_in: number
+      interval: number
+    }
+
+    const sessionId = randomUUID()
+    const session: NousSession = {
+      id: sessionId,
+      deviceCode: data.device_code,
+      userCode: data.user_code,
+      verificationUrl: data.verification_uri,
+      verificationUrlComplete: data.verification_uri_complete,
+      expiresIn: data.expires_in,
+      interval: data.interval,
+      status: 'pending',
+      createdAt: Date.now(),
+    }
+    sessions.set(sessionId, session)
+
+    const authPath = getActiveAuthPath()
+    nousLoginWorker(session, authPath).catch(err => {
+      logger.error(err, 'Nous login worker error')
+      session.status = 'error'
+      session.error = err.message
+    })
+
+    ctx.body = {
+      session_id: sessionId,
+      user_code: data.user_code,
+      verification_url: data.verification_uri_complete,
+      expires_in: data.expires_in,
+    }
+  } catch (err: any) {
+    if (err.name === 'TimeoutError' || err.name === 'AbortError') {
+      ctx.status = 504
+      ctx.body = { error: 'Nous Portal timeout' }
+      return
+    }
+    ctx.status = 500
+    ctx.body = { error: err.message }
+  }
+}
+
+export async function poll(ctx: any) {
+  const session = sessions.get(ctx.params.sessionId)
+  if (!session) {
+    ctx.status = 404
+    ctx.body = { error: 'Session not found' }
+    return
+  }
+  ctx.body = { status: session.status, error: session.error || null }
+}
+
+export async function status(ctx: any) {
+  try {
+    const authPath = getActiveAuthPath()
+    const auth = loadAuthJson(authPath)
+    const nousProvider = auth.providers?.['nous']
+    if (!nousProvider?.access_token) {
+      ctx.body = { authenticated: false }
+      return
+    }
+    ctx.body = { authenticated: true }
+  } catch {
+    ctx.body = { authenticated: false }
+  }
+}
diff --git a/packages/server/src/routes/hermes/nous-auth.ts b/packages/server/src/routes/hermes/nous-auth.ts
new file mode 100644
index 0000000..68eaae4
--- /dev/null
+++ b/packages/server/src/routes/hermes/nous-auth.ts
@@ -0,0 +1,8 @@
+import Router from '@koa/router'
+import * as ctrl from '../../controllers/hermes/nous-auth'
+
+export const nousAuthRoutes = new Router()
+
+nousAuthRoutes.post('/api/hermes/auth/nous/start', ctrl.start)
+nousAuthRoutes.get('/api/hermes/auth/nous/poll/:sessionId', ctrl.poll)
+nousAuthRoutes.get('/api/hermes/auth/nous/status', ctrl.status)
diff --git a/packages/server/src/routes/index.ts b/packages/server/src/routes/index.ts
index 088e435..418b98d 100644
--- a/packages/server/src/routes/index.ts
+++ b/packages/server/src/routes/index.ts
@@ -17,6 +17,7 @@ import { providerRoutes } from './hermes/providers'
 import { configRoutes } from './hermes/config'
 import { logRoutes } from './hermes/logs'
 import { codexAuthRoutes } from './hermes/codex-auth'
+import { nousAuthRoutes } from './hermes/nous-auth'
 import { gatewayRoutes } from './hermes/gateways'
 import { weixinRoutes } from './hermes/weixin'
 import { proxyRoutes, proxyMiddleware } from './hermes/proxy'
@@ -48,6 +49,7 @@ export function registerRoutes(app: any, requireAuth: (ctx: Context, next: Next)
   app.use(configRoutes.routes())
   app.use(logRoutes.routes())
   app.use(codexAuthRoutes.routes())
+  app.use(nousAuthRoutes.routes())
   app.use(gatewayRoutes.routes())
   app.use(weixinRoutes.routes())
   app.use(proxyRoutes.routes())
diff --git a/packages/server/src/services/config-helpers.ts b/packages/server/src/services/config-helpers.ts
index f4d5247..7bbd30d 100644
--- a/packages/server/src/services/config-helpers.ts
+++ b/packages/server/src/services/config-helpers.ts
@@ -27,6 +27,8 @@ export const PROVIDER_ENV_MAP: Record<string, { api_key_env: string; base_url_en
   'opencode-go': { api_key_env: 'OPENCODE_API_KEY', base_url_env: '' },
   huggingface: { api_key_env: 'HF_TOKEN', base_url_env: '' },
   arcee: { api_key_env: 'ARCEE_API_KEY', base_url_env: '' },
+  stepfun: { api_key_env: 'STEPFUN_API_KEY', base_url_env: 'STEPFUN_BASE_URL' },
+  nous: { api_key_env: '', base_url_env: '' },
   'openai-codex': { api_key_env: '', base_url_env: '' },
 }
 
diff --git a/packages/server/src/shared/providers.ts b/packages/server/src/shared/providers.ts
index 88e1c61..26fd421 100644
--- a/packages/server/src/shared/providers.ts
+++ b/packages/server/src/shared/providers.ts
@@ -72,6 +72,7 @@ export const PROVIDER_PRESETS: ProviderPreset[] = [
     base_url: 'https://api.kimi.com/coding/v1',
     models: [
       'kimi-for-coding',
+      'kimi-k2.6',
       'kimi-k2.5',
       'kimi-k2-thinking',
       'kimi-k2-turbo-preview',
@@ -84,6 +85,7 @@ export const PROVIDER_PRESETS: ProviderPreset[] = [
     builtin: true,
     base_url: 'https://api.moonshot.cn/v1',
     models: [
+      'kimi-k2.6',
       'kimi-k2.5',
       'kimi-k2-thinking',
       'kimi-k2-turbo-preview',
@@ -247,6 +249,50 @@ export const PROVIDER_PRESETS: ProviderPreset[] = [
     base_url: 'https://api.arcee.ai/v1',
     models: ['trinity-large-thinking', 'trinity-large-preview', 'trinity-mini'],
   },
+  {
+    label: 'Nous Portal',
+    value: 'nous',
+    builtin: true,
+    base_url: 'https://inference-api.nousresearch.com/v1',
+    models: [
+      'moonshotai/kimi-k2.6',
+      'xiaomi/mimo-v2.5-pro',
+      'xiaomi/mimo-v2.5',
+      'anthropic/claude-opus-4.7',
+      'anthropic/claude-opus-4.6',
+      'anthropic/claude-sonnet-4.6',
+      'anthropic/claude-sonnet-4.5',
+      'anthropic/claude-haiku-4.5',
+      'openai/gpt-5.4',
+      'openai/gpt-5.4-mini',
+      'openai/gpt-5.3-codex',
+      'google/gemini-3-pro-preview',
+      'google/gemini-3-flash-preview',
+      'google/gemini-3.1-pro-preview',
+      'google/gemini-3.1-flash-lite-preview',
+      'qwen/qwen3.5-plus-02-15',
+      'qwen/qwen3.5-35b-a3b',
+      'stepfun/step-3.5-flash',
+      'minimax/minimax-m2.7',
+      'minimax/minimax-m2.5',
+      'minimax/minimax-m2.5:free',
+      'z-ai/glm-5.1',
+      'z-ai/glm-5v-turbo',
+      'z-ai/glm-5-turbo',
+      'x-ai/grok-4.20-beta',
+      'nvidia/nemotron-3-super-120b-a12b',
+      'arcee-ai/trinity-large-thinking',
+      'openai/gpt-5.4-pro',
+      'openai/gpt-5.4-nano',
+    ],
+  },
+  {
+    label: 'StepFun',
+    value: 'stepfun',
+    builtin: true,
+    base_url: 'https://api.stepfun.ai/step_plan/v1',
+    models: ['step-3.5-flash', 'step-3.5-flash-2603'],
+  },
   {
     label: 'OpenRouter',
     value: 'openrouter',