feat(cli): add minimax-oauth provider with PKCE browser flow

[amanning3390]

What

Adds minimax-oauth as a first-class inference provider in Hermes Agent, alongside the existing API-key minimax / minimax-cn providers. Users can now log in to MiniMax via browser OAuth instead of pasting an API key.

• New provider id: minimax-oauth (aliases: minimax-portal, minimax-global, minimax_oauth)
• Auth: PKCE browser-based OAuth flow against https://api.minimax.io/oauth/code and /oauth/token
• Transport: reuses the existing anthropic_messages api_mode against https://api.minimax.io/anthropic — no new adapter, no new api_mode, since agent/anthropic_adapter.py already supports Bearer-token auth
• Tokens persisted in the existing auth store (get_hermes_home()), with standard OAuth2 refresh_token grant and refresh_token_reused / invalid_grant detection
• --region global|cn flag to select between api.minimax.io and api.minimaxi.com
• Supports MiniMax-M2.7 and MiniMax-M2.7-highspeed; MiniMax-M2.7-highspeed is wired as the auxiliary model

Why

MiniMax's platform docs describe OAuth as a supported auth method for AI coding tools, and it ships today in OpenClaw via the bundled minimax extension. Per the Hermes Adding Providers guide, OAuth flows warrant a first-class built-in provider so that hermes model → MiniMax (OAuth) can drive browser login end-to-end, tokens auto-refresh, and the experience matches the existing Nous Portal / OpenAI Codex OAuth paths.

The OAuth flow is ported from openclaw/extensions/minimax/oauth.ts (PKCE S256, urn:ietf:params:oauth:grant-type:user_code grant, state validation, poll-with-deadline).

How to test

Automated

# Clean pytest run (new tests)
pytest tests/test_minimax_oauth.py -v -p no:xdist
# → 15 passed

pytest tests/hermes_cli/test_api_key_providers.py tests/hermes_cli/test_runtime_provider_resolution.py -v -p no:xdist
# → 223 passed (including the new provider-resolution + runtime cases)

Manual smoke test

hermes model
# Select "MiniMax (OAuth)" → browser opens at verification URL
# Approve in browser
# Pick MiniMax-M2.7 or MiniMax-M2.7-highspeed

hermes doctor
# Should show "MiniMax OAuth: logged in (region=global)"

hermes  # or any inference-driving command
# First prompt goes through /anthropic with Bearer <access_token>

Refresh path can be exercised by manually rolling expires_at backwards in the auth store and issuing any request — the next resolve_minimax_oauth_runtime_credentials() call triggers a standard grant_type=refresh_token exchange.

Provider-alias resolution

hermes --provider minimax-portal ...    # → resolves to minimax-oauth
hermes --provider minimax-global ...    # → resolves to minimax-oauth

What platforms

• macOS 14 (darwin-arm64, Python 3.11) — full test suite green, manual login path exercised
• Linux (Debian 12, Python 3.11) — full test suite green

Browser open is skipped automatically on remote/headless sessions (reuses the existing _is_remote_session() helper); the user gets the verification URL + user code printed for manual paste.

Related issues

• #6039 — minimax provider ignores custom base_url: orthogonal to this PR. The OAuth path always resolves inference_base_url from the registry + region flag and cannot be confused by a stale model.base_url.
• #13757 — doctor uses /v1/models for MiniMax: the new get_minimax_oauth_auth_status() check used by hermes doctor only verifies local token state (present / not expired), so it does not hit the broken endpoint. Fix for the API-key doctor path is out of scope here.
• #6620 — minimax-cn not shown in /model list: unrelated to the OAuth provider wiring; the new minimax-oauth entry is added to both CANONICAL_PROVIDERS and the select_provider_and_model() flow, so it shows up in hermes model and hermes setup from day one.

Scope / non-goals

• No change to the existing API-key minimax or minimax-cn providers. MINIMAX_API_KEY / MINIMAX_CN_API_KEY continue to work for those, and are explicitly documented as not consumed by minimax-oauth.
• No new adapter or api_mode. This is a Path A contribution per the Adding Providers guide.
• Web search / image / speech MiniMax capabilities (present in the OpenClaw plugin) are not ported — only text inference.

Checklist (per Adding Providers)

• ProviderConfig added in hermes_cli/auth.py
• Aliases added in hermes_cli/auth.py and hermes_cli/models.py
• Model catalog added in hermes_cli/models.py (_PROVIDER_MODELS, CANONICAL_PROVIDERS)
• Runtime branch added in hermes_cli/runtime_provider.py
• CLI wiring added in hermes_cli/main.py (provider_labels, providers list, --provider choices, _model_flow_minimax_oauth, dispatch)
• hermes_cli/setup.py — no changes needed (delegates to select_provider_and_model)
• Aux model added in agent/auxiliary_client.py
• Provider prefix added in agent/model_metadata.py (context length resolved via existing minimax substring rule at 204,800)
• hermes_cli/auth_commands.py — hermes auth add minimax-oauth dispatch
• hermes_cli/doctor.py — health check branch
• Runtime / CLI tests added (tests/test_minimax_oauth.py, tests/hermes_cli/test_api_key_providers.py, tests/hermes_cli/test_runtime_provider_resolution.py)
• User docs updated (website/docs/guides/minimax-oauth.md, quickstart, configuration, environment-variables)

---

Implementation ported from OpenClaw's reference OAuth flow at openclaw/extensions/minimax/oauth.ts. By contributing, I agree that this contribution will be licensed under the MIT License.

[teknium1]

Merged via PR #17524 onto current main. All 4 of your original commits were cherry-picked with your authorship preserved (rebase-merge), plus a follow-up commit closed 10 integration gaps that peer OAuth providers had but hadn't existed yet when you opened this PR (credential pool seeding, credential_sources removal step, models_dev mapping, HermesOverlay, model normalize, hermes doctor block, dashboard auth page, and 3 docs pages). Thanks for the contribution — you're credited in scripts/release.py AUTHOR_MAP and in the merged git history.