fix(dashboard): MiniMax 'Login' button launched Claude OAuth (#22832) #22849

Closed
ahmedbadr3 wants to merge 1 commit into NousResearch:main from ahmedbadr3:fix/dashboard-minimax-oauth-misroute

@ahmedbadr3

Contributor

Fixes #22832.

Root cause

hermes_cli/web_server.py:start_oauth_login dispatched OAuth flows by the catalog's flow field rather than provider id:

if catalog_entry["flow"] == "pkce":
    return _start_anthropic_pkce()

The catalog had two flow: "pkce" entries — anthropic and minimax-oauth — so clicking "Login" on MiniMax in the dashboard's Keys tab unconditionally launched the Anthropic/Claude PKCE flow.

Fix

Three changes in hermes_cli/web_server.py:

  1. Catalog entry for minimax-oauth changed from flow: "pkce" to flow: "device_code". From a UX perspective MiniMax is a verification-URI + user-code flow (open URL, enter code, backend polls) — same shape as Nous's device-code flow. The PKCE bit (verifier + challenge from _minimax_pkce_pair) is a security extension that doesn't change the operator experience; the existing dashboard modal already renders device_code correctly for this UX.

  2. New MiniMax branch in _start_device_code_flow, mirroring the existing Nous branch but calling MiniMax-specific helpers (_minimax_request_user_code, _minimax_pkce_pair). Stashes the verifier + state in the session for the poller to consume. Handles the overloaded expired_in field (could be unix-ms timestamp OR seconds-from-now duration) using the same heuristic _minimax_poll_token already uses.

  3. New _minimax_poller background thread mirroring _nous_poller. Calls _minimax_poll_token → on success builds the same auth_state dict the CLI flow (_minimax_oauth_login) builds, and persists via _minimax_save_auth_state so the dashboard path leaves the system in the same state as hermes auth add minimax-oauth.

Plus a dispatcher tightening to prevent regression: the pkce branch now requires provider_id == "anthropic", so any future PKCE provider added without a proper start function gets a clean 400 Unsupported flow rather than silently launching Anthropic OAuth.

Test plan

New tests/hermes_cli/test_web_oauth_dispatch.py:

  • Regression: asserts the MiniMax start endpoint does NOT return claude.ai in the response and does return a device_code-shape response pointing at MiniMax
  • Sanity: Anthropic PKCE still works after the dispatcher tightening
  • Forward-looking: a hypothetical pkce-flagged provider without an explicit branch is rejected cleanly rather than misrouted

Both modified files pass python3 -m py_compile.

Limitations / follow-ups

  • The dashboard MiniMax path defaults to region="global". CN-region operators can still use the CLI flow which supports --region cn. Adding a region toggle to the dashboard UI is a small follow-up that touches OAuthLoginModal.tsx + the start endpoint.
  • I haven't added a docs page reference; the existing docs_url: "https://www.minimax.io" is preserved.
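
The misroute and the dispatcher tightening described above, as an added example that is not part of the pull request or the Hermes code base. The catalog contents, handler names, URLs and the `future-pkce` provider are assumptions made for illustration, and the per-provider registry generalizes the PR's `provider_id == "anthropic"` check.

```python
# Added illustration: catalog entries and handlers are stand-ins, not the
# real hermes_cli/web_server.py code. URLs are constructed placeholders.
PRE_FIX_CATALOG = {
    "anthropic": {"flow": "pkce"},
    "minimax-oauth": {"flow": "pkce"},  # the value the PR replaces
    "nous": {"flow": "device_code"},
}
FIXED_CATALOG = {**PRE_FIX_CATALOG, "minimax-oauth": {"flow": "device_code"},
                 "future-pkce": {"flow": "pkce"}}  # hypothetical, no starter

class UnsupportedFlow(Exception):
    status = 400  # stands in for the "400 Unsupported flow" response

def start_anthropic_pkce():
    return {"provider": "anthropic", "flow": "pkce",
            "auth_url": "https://claude.ai/constructed-authorize-path"}

def start_device_code(provider_id):
    return {"provider": provider_id, "flow": "device_code",
            "verification_url": f"https://{provider_id}.example/verify"}

def dispatch_by_flow(provider_id, catalog):
    """Pre-fix shape: the flow type alone selects the handler."""
    if catalog[provider_id]["flow"] == "pkce":
        return start_anthropic_pkce()  # every pkce provider lands here
    return start_device_code(provider_id)

PKCE_STARTERS = {"anthropic": start_anthropic_pkce}
DEVICE_CODE_PROVIDERS = {"nous", "minimax-oauth"}

def dispatch_by_provider(provider_id, catalog):
    """Post-fix shape: flow and provider id must both name a known handler."""
    flow = catalog.get(provider_id, {}).get("flow")
    if flow == "pkce" and provider_id in PKCE_STARTERS:
        return PKCE_STARTERS[provider_id]()
    if flow == "device_code" and provider_id in DEVICE_CODE_PROVIDERS:
        return start_device_code(provider_id)
    raise UnsupportedFlow(provider_id)  # refuse instead of guessing

def misrouted(dispatch, catalog):
    """Provider ids whose start response belongs to a different provider."""
    bad = []
    for pid in catalog:
        try:
            if dispatch(pid, catalog)["provider"] != pid:
                bad.append(pid)
        except UnsupportedFlow:
            pass  # a clean refusal is not a misroute
    return bad
```

Running `misrouted` over the whole catalog in a test catches any provider whose login would start another provider's flow, including providers added later.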

…earch#22832)

Fixes NousResearch#22832.

## Root cause

`hermes_cli/web_server.py:start_oauth_login` dispatched OAuth flows by
the catalog's `flow` field rather than provider id:

    if catalog_entry["flow"] == "pkce":
        return _start_anthropic_pkce()

The catalog had two `flow: "pkce"` entries — `anthropic` and
`minimax-oauth` — so clicking "Login" on MiniMax in the dashboard's
Keys tab unconditionally launched the Anthropic/Claude PKCE flow.

## Fix

Three changes in `hermes_cli/web_server.py`:

1. Catalog entry for `minimax-oauth` changed from `flow: "pkce"` to
   `flow: "device_code"`. From a UX perspective MiniMax is a
   verification-URI + user-code flow (open URL, enter code, backend
   polls) — same shape as Nous's device-code flow. The PKCE bit
   (verifier + challenge from `_minimax_pkce_pair`) is a security
   extension that doesn't change the operator experience; the existing
   dashboard modal already renders `device_code` correctly for this UX.

2. New MiniMax branch in `_start_device_code_flow`, mirroring the
   existing Nous branch but calling MiniMax-specific helpers
   (`_minimax_request_user_code`, `_minimax_pkce_pair`). Stashes
   verifier + state in the session for the poller to consume. Handles
   the overloaded `expired_in` field (could be unix-ms timestamp OR
   seconds-from-now duration) the same way `_minimax_poll_token` does.

3. New `_minimax_poller` background thread mirroring `_nous_poller`.
   Calls `_minimax_poll_token` → on success builds the same
   `auth_state` dict the CLI flow (`_minimax_oauth_login`) builds, and
   persists via `_minimax_save_auth_state` so the dashboard path leaves
   the system in the same state as `hermes auth add minimax-oauth`.

Plus a dispatcher tightening to prevent regression: the `pkce` branch
now requires `provider_id == "anthropic"`, so any future PKCE provider
added without a proper start function gets a clean
`400 Unsupported flow` rather than silently launching Anthropic OAuth.

## Test

New `tests/hermes_cli/test_web_oauth_dispatch.py`:

- Regression test asserting MiniMax start does NOT return claude.ai
- Sanity test that Anthropic PKCE still works after the dispatcher
  tightening
- Forward-looking test: a hypothetical pkce-flagged provider without
  an explicit branch is rejected cleanly rather than misrouted

## Limitations

- The dashboard MiniMax path defaults to `region="global"`. CN-region
  operators can still use the CLI flow which supports `--region cn`.
  Adding a region toggle to the dashboard UI is a follow-up.
@ahmedbadr3 ahmedbadr3 marked this pull request as ready for review May 9, 2026 21:56
@alt-glitch added labels May 9, 2026: type/bug (Something isn't working), P3 (Low — cosmetic, nice to have), comp/cli (CLI entry point, hermes_cli/, setup wizard), provider/minimax (MiniMax (Anthropic transport))
@teknium1

Contributor

Merged via #24058 — your commit was cherry-picked onto current main with your authorship preserved (05bad7b1e, Author: Ahmed Badr <ahmed@abadr.net>). Your branch was 214 commits behind main so we used the salvage flow rather than rebasing your branch. Thanks for the clean root-cause analysis and for adding the dispatcher tightening + regression tests — both made this trivial to ship.


Development

Successfully merging this pull request may close these issues.

[Bug]: Minimax oauth flow in the Hermes dashboard actually launches the Claude oauth flow
