feat: add StepFun and Nous Portal provider support (#140)

- Add StepFun provider (API key auth, STEPFUN_API_KEY) - Add Nous Portal provider with full OAuth device code flow (device code request → poll for token → mint agent key → save to auth.json) - Add NousLoginModal component for OAuth UI (user code display + verification link) - Update ProviderFormModal to handle Nous OAuth flow (hide API key fields) - Add nous-auth backend controller and routes - Update PROVIDER_ENV_MAP with stepfun and nous entries - Add i18n translations for Nous OAuth in all 8 locales Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-23 08:39:19 +08:00
parent 696d19298e
commit df797d09b2
16 changed files with 692 additions and 3 deletions
@@ -0,0 +1,283 @@
+import { randomUUID } from 'crypto'
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs'
+import { getActiveAuthPath } from '../../services/hermes/hermes-profile'
+import { logger } from '../../services/logger'
+
+// --- Nous Portal OAuth Constants ---
+const NOUS_PORTAL_URL = 'https://portal.nousresearch.com'
+const NOUS_CLIENT_ID = 'hermes-cli'
+const NOUS_SCOPE = 'inference:mint_agent_key'
+const POLL_MAX_DURATION = 15 * 60 * 1000
+const POLL_DEFAULT_INTERVAL = 5000
+
+// --- Session Store ---
+interface NousSession {
+  id: string
+  deviceCode: string
+  userCode: string
+  verificationUrl: string
+  verificationUrlComplete: string
+  expiresIn: number
+  interval: number
+  status: 'pending' | 'approved' | 'denied' | 'expired' | 'error'
+  error?: string
+  createdAt: number
+}
+
+const sessions = new Map<string, NousSession>()
+
+function cleanupExpiredSessions() {
+  const now = Date.now()
+  sessions.forEach((s, id) => { if (now - s.createdAt > POLL_MAX_DURATION + 60000) sessions.delete(id) })
+}
+
+// --- Auth file helpers ---
+interface AuthJson {
+  version?: number
+  active_provider?: string
+  providers?: Record<string, any>
+  credential_pool?: Record<string, any[]>
+  updated_at?: string
+}
+
+function loadAuthJson(authPath: string): AuthJson {
+  try { return JSON.parse(readFileSync(authPath, 'utf-8')) as AuthJson } catch { return { version: 1 } }
+}
+
+function saveAuthJson(authPath: string, data: AuthJson): void {
+  data.updated_at = new Date().toISOString()
+  const dir = authPath.substring(0, authPath.lastIndexOf('/'))
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true })
+  writeFileSync(authPath, JSON.stringify(data, null, 2) + '\n', { mode: 0o600 })
+}
+
+// --- Background poll worker ---
+async function nousLoginWorker(session: NousSession, authPath: string): Promise<void> {
+  const startTime = Date.now()
+  let interval = session.interval || POLL_DEFAULT_INTERVAL
+
+  while (Date.now() - startTime < POLL_MAX_DURATION) {
+    await new Promise(resolve => setTimeout(resolve, interval))
+    if (session.status !== 'pending') return
+
+    try {
+      const res = await fetch(`${NOUS_PORTAL_URL}/api/oauth/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+          client_id: NOUS_CLIENT_ID,
+          device_code: session.deviceCode,
+        }).toString(),
+        signal: AbortSignal.timeout(15000),
+      })
+
+      if (res.ok) {
+        const tokenData = await res.json() as {
+          access_token: string
+          refresh_token?: string
+          expires_in?: number
+          inference_base_url?: string
+        }
+
+        // Mint agent key
+        const inferenceBaseUrl = tokenData.inference_base_url || 'https://inference-api.nousresearch.com/v1'
+        let agentKey = ''
+        let agentKeyExpiresAt = ''
+        try {
+          const mintRes = await fetch(`${NOUS_PORTAL_URL}/api/oauth/agent-key`, {
+            method: 'POST',
+            headers: {
+              'Authorization': `Bearer ${tokenData.access_token}`,
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({ min_ttl_seconds: 1800 }),
+            signal: AbortSignal.timeout(15000),
+          })
+          if (mintRes.ok) {
+            const mintData = await mintRes.json() as {
+              api_key: string
+              expires_at: string
+              inference_base_url?: string
+            }
+            agentKey = mintData.api_key
+            agentKeyExpiresAt = mintData.expires_at
+            if (mintData.inference_base_url) {
+              // eslint-disable-next-line @typescript-eslint/no-unused-vars
+              void mintData.inference_base_url
+            }
+          }
+        } catch (err: any) {
+          logger.warn(err, 'Nous agent key minting failed, proceeding without')
+        }
+
+        // Save to auth.json
+        const auth = loadAuthJson(authPath)
+        if (!auth.providers) auth.providers = {}
+        const now = new Date()
+        auth.providers['nous'] = {
+          portal_base_url: NOUS_PORTAL_URL,
+          inference_base_url: inferenceBaseUrl,
+          client_id: NOUS_CLIENT_ID,
+          scope: NOUS_SCOPE,
+          token_type: 'Bearer',
+          access_token: tokenData.access_token,
+          refresh_token: tokenData.refresh_token || null,
+          obtained_at: now.toISOString(),
+          expires_at: tokenData.expires_in ? new Date(now.getTime() + tokenData.expires_in * 1000).toISOString() : null,
+          agent_key: agentKey || null,
+          agent_key_expires_at: agentKeyExpiresAt || null,
+          agent_key_obtained_at: agentKey ? now.toISOString() : null,
+        }
+
+        // Credential pool entry
+        if (!auth.credential_pool) auth.credential_pool = {}
+        auth.credential_pool['nous'] = [{
+          id: `nous-${Date.now()}`,
+          label: 'Nous Portal',
+          auth_type: 'oauth',
+          source: 'device_code',
+          priority: 0,
+          access_token: tokenData.access_token,
+          refresh_token: tokenData.refresh_token || null,
+          portal_base_url: NOUS_PORTAL_URL,
+          inference_base_url: inferenceBaseUrl,
+          agent_key: agentKey || null,
+          agent_key_expires_at: agentKeyExpiresAt || null,
+          base_url: inferenceBaseUrl,
+        }]
+
+        saveAuthJson(authPath, auth)
+        session.status = 'approved'
+        logger.info('Nous login successful')
+        return
+      }
+
+      // Parse error
+      const errData = await res.json().catch(() => ({}))
+      const errorCode = errData.error
+
+      if (errorCode === 'authorization_pending') {
+        continue
+      }
+      if (errorCode === 'slow_down') {
+        interval = Math.min(interval + 1000, 30000)
+        continue
+      }
+      if (errorCode === 'access_denied' || errorCode === 'expired_token') {
+        session.status = errorCode === 'access_denied' ? 'denied' : 'expired'
+        return
+      }
+
+      logger.error('Nous poll error: %s %s', res.status, errorCode)
+      session.status = 'error'
+      session.error = `OAuth error: ${errorCode}`
+      return
+    } catch (err: any) {
+      if (err.name === 'TimeoutError' || err.name === 'AbortError') continue
+      logger.error(err, 'Nous poll error')
+      session.status = 'error'
+      session.error = err.message
+      return
+    }
+  }
+
+  session.status = 'expired'
+}
+
+// --- Controller functions ---
+
+export async function start(ctx: any) {
+  try {
+    cleanupExpiredSessions()
+
+    const res = await fetch(`${NOUS_PORTAL_URL}/api/oauth/device/code`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json' },
+      body: new URLSearchParams({
+        client_id: NOUS_CLIENT_ID,
+        scope: NOUS_SCOPE,
+      }).toString(),
+      signal: AbortSignal.timeout(15000),
+    })
+
+    if (!res.ok) {
+      let errorBody: any = null
+      try { errorBody = await res.json() } catch { }
+      logger.error('Nous device code request failed: %d %s', res.status, errorBody)
+      ctx.status = 502
+      ctx.body = { error: `Nous Portal error: ${res.status}` }
+      return
+    }
+
+    const data = await res.json() as {
+      device_code: string
+      user_code: string
+      verification_uri: string
+      verification_uri_complete: string
+      expires_in: number
+      interval: number
+    }
+
+    const sessionId = randomUUID()
+    const session: NousSession = {
+      id: sessionId,
+      deviceCode: data.device_code,
+      userCode: data.user_code,
+      verificationUrl: data.verification_uri,
+      verificationUrlComplete: data.verification_uri_complete,
+      expiresIn: data.expires_in,
+      interval: data.interval,
+      status: 'pending',
+      createdAt: Date.now(),
+    }
+    sessions.set(sessionId, session)
+
+    const authPath = getActiveAuthPath()
+    nousLoginWorker(session, authPath).catch(err => {
+      logger.error(err, 'Nous login worker error')
+      session.status = 'error'
+      session.error = err.message
+    })
+
+    ctx.body = {
+      session_id: sessionId,
+      user_code: data.user_code,
+      verification_url: data.verification_uri_complete,
+      expires_in: data.expires_in,
+    }
+  } catch (err: any) {
+    if (err.name === 'TimeoutError' || err.name === 'AbortError') {
+      ctx.status = 504
+      ctx.body = { error: 'Nous Portal timeout' }
+      return
+    }
+    ctx.status = 500
+    ctx.body = { error: err.message }
+  }
+}
+
+export async function poll(ctx: any) {
+  const session = sessions.get(ctx.params.sessionId)
+  if (!session) {
+    ctx.status = 404
+    ctx.body = { error: 'Session not found' }
+    return
+  }
+  ctx.body = { status: session.status, error: session.error || null }
+}
+
+export async function status(ctx: any) {
+  try {
+    const authPath = getActiveAuthPath()
+    const auth = loadAuthJson(authPath)
+    const nousProvider = auth.providers?.['nous']
+    if (!nousProvider?.access_token) {
+      ctx.body = { authenticated: false }
+      return
+    }
+    ctx.body = { authenticated: true }
+  } catch {
+    ctx.body = { authenticated: false }
+  }
+}
@@ -0,0 +1,8 @@
+import Router from '@koa/router'
+import * as ctrl from '../../controllers/hermes/nous-auth'
+
+export const nousAuthRoutes = new Router()
+
+nousAuthRoutes.post('/api/hermes/auth/nous/start', ctrl.start)
+nousAuthRoutes.get('/api/hermes/auth/nous/poll/:sessionId', ctrl.poll)
+nousAuthRoutes.get('/api/hermes/auth/nous/status', ctrl.status)
@@ -17,6 +17,7 @@ import { providerRoutes } from './hermes/providers'
 import { configRoutes } from './hermes/config'
 import { logRoutes } from './hermes/logs'
 import { codexAuthRoutes } from './hermes/codex-auth'
+import { nousAuthRoutes } from './hermes/nous-auth'
 import { gatewayRoutes } from './hermes/gateways'
 import { weixinRoutes } from './hermes/weixin'
 import { proxyRoutes, proxyMiddleware } from './hermes/proxy'
@@ -48,6 +49,7 @@ export function registerRoutes(app: any, requireAuth: (ctx: Context, next: Next)
  app.use(configRoutes.routes())
  app.use(logRoutes.routes())
  app.use(codexAuthRoutes.routes())
+  app.use(nousAuthRoutes.routes())
  app.use(gatewayRoutes.routes())
  app.use(weixinRoutes.routes())
  app.use(proxyRoutes.routes())
@@ -27,6 +27,8 @@ export const PROVIDER_ENV_MAP: Record<string, { api_key_env: string; base_url_en
  'opencode-go': { api_key_env: 'OPENCODE_API_KEY', base_url_env: '' },
  huggingface: { api_key_env: 'HF_TOKEN', base_url_env: '' },
  arcee: { api_key_env: 'ARCEE_API_KEY', base_url_env: '' },
+  stepfun: { api_key_env: 'STEPFUN_API_KEY', base_url_env: 'STEPFUN_BASE_URL' },
+  nous: { api_key_env: '', base_url_env: '' },
  'openai-codex': { api_key_env: '', base_url_env: '' },
 }

@@ -72,6 +72,7 @@ export const PROVIDER_PRESETS: ProviderPreset[] = [
    base_url: 'https://api.kimi.com/coding/v1',
    models: [
      'kimi-for-coding',
+      'kimi-k2.6',
      'kimi-k2.5',
      'kimi-k2-thinking',
      'kimi-k2-turbo-preview',
@@ -84,6 +85,7 @@ export const PROVIDER_PRESETS: ProviderPreset[] = [
    builtin: true,
    base_url: 'https://api.moonshot.cn/v1',
    models: [
+      'kimi-k2.6',
      'kimi-k2.5',
      'kimi-k2-thinking',
      'kimi-k2-turbo-preview',
@@ -247,6 +249,50 @@ export const PROVIDER_PRESETS: ProviderPreset[] = [
    base_url: 'https://api.arcee.ai/v1',
    models: ['trinity-large-thinking', 'trinity-large-preview', 'trinity-mini'],
  },
+  {
+    label: 'Nous Portal',
+    value: 'nous',
+    builtin: true,
+    base_url: 'https://inference-api.nousresearch.com/v1',
+    models: [
+      'moonshotai/kimi-k2.6',
+      'xiaomi/mimo-v2.5-pro',
+      'xiaomi/mimo-v2.5',
+      'anthropic/claude-opus-4.7',
+      'anthropic/claude-opus-4.6',
+      'anthropic/claude-sonnet-4.6',
+      'anthropic/claude-sonnet-4.5',
+      'anthropic/claude-haiku-4.5',
+      'openai/gpt-5.4',
+      'openai/gpt-5.4-mini',
+      'openai/gpt-5.3-codex',
+      'google/gemini-3-pro-preview',
+      'google/gemini-3-flash-preview',
+      'google/gemini-3.1-pro-preview',
+      'google/gemini-3.1-flash-lite-preview',
+      'qwen/qwen3.5-plus-02-15',
+      'qwen/qwen3.5-35b-a3b',
+      'stepfun/step-3.5-flash',
+      'minimax/minimax-m2.7',
+      'minimax/minimax-m2.5',
+      'minimax/minimax-m2.5:free',
+      'z-ai/glm-5.1',
+      'z-ai/glm-5v-turbo',
+      'z-ai/glm-5-turbo',
+      'x-ai/grok-4.20-beta',
+      'nvidia/nemotron-3-super-120b-a12b',
+      'arcee-ai/trinity-large-thinking',
+      'openai/gpt-5.4-pro',
+      'openai/gpt-5.4-nano',
+    ],
+  },
+  {
+    label: 'StepFun',
+    value: 'stepfun',
+    builtin: true,
+    base_url: 'https://api.stepfun.ai/step_plan/v1',
+    models: ['step-3.5-flash', 'step-3.5-flash-2603'],
+  },
  {
    label: 'OpenRouter',
    value: 'openrouter',