Merge 03c3eee9f3 into 8ab375161d

packages/shared/IpcChannel.ts

@@ -386,5 +386,13 @@ export enum IpcChannel {
   WebSocket_Stop = 'webSocket:stop',
   WebSocket_Status = 'webSocket:status',
   WebSocket_SendFile = 'webSocket:send-file',
-  WebSocket_GetAllCandidates = 'webSocket:get-all-candidates'
+  WebSocket_GetAllCandidates = 'webSocket:get-all-candidates',
+
+  // Volcengine
+  Volcengine_SaveCredentials = 'volcengine:save-credentials',
+  Volcengine_HasCredentials = 'volcengine:has-credentials',
+  Volcengine_ClearCredentials = 'volcengine:clear-credentials',
+  Volcengine_ListModels = 'volcengine:list-models',
+  Volcengine_GetAuthHeaders = 'volcengine:get-auth-headers',
+  Volcengine_MakeRequest = 'volcengine:make-request'
 }

src/main/ipc.ts

@@ -80,6 +80,7 @@ import {
 import storeSyncService from './services/StoreSyncService'
 import { themeService } from './services/ThemeService'
 import VertexAIService from './services/VertexAIService'
+import VolcengineService from './services/VolcengineService'
 import WebSocketService from './services/WebSocketService'
 import { setOpenLinkExternal } from './services/WebviewService'
 import { windowService } from './services/WindowService'
@@ -1121,6 +1122,14 @@ export function registerIpc(mainWindow: BrowserWindow, app: Electron.App) {
   ipcMain.handle(IpcChannel.WebSocket_SendFile, WebSocketService.sendFile)
   ipcMain.handle(IpcChannel.WebSocket_GetAllCandidates, WebSocketService.getAllCandidates)
 
+  // Volcengine
+  ipcMain.handle(IpcChannel.Volcengine_SaveCredentials, VolcengineService.saveCredentials)
+  ipcMain.handle(IpcChannel.Volcengine_HasCredentials, VolcengineService.hasCredentials)
+  ipcMain.handle(IpcChannel.Volcengine_ClearCredentials, VolcengineService.clearCredentials)
+  ipcMain.handle(IpcChannel.Volcengine_ListModels, VolcengineService.listModels)
+  ipcMain.handle(IpcChannel.Volcengine_GetAuthHeaders, VolcengineService.getAuthHeaders)
+  ipcMain.handle(IpcChannel.Volcengine_MakeRequest, VolcengineService.makeRequest)
+
   ipcMain.handle(IpcChannel.APP_CrashRenderProcess, () => {
     mainWindow.webContents.forcefullyCrashRenderer()
   })

src/main/services/VolcengineService.ts

@@ -0,0 +1,762 @@
+import { loggerService } from '@logger'
+import crypto from 'crypto'
+import { app, net, safeStorage } from 'electron'
+import fs from 'fs'
+import path from 'path'
+import * as z from 'zod'
+
+import { getConfigDir } from '../utils/file'
+
+const logger = loggerService.withContext('VolcengineService')
+
+/**
+ * Calculate SHA256 hash of data and return hex encoded string
+ * @internal
+ */
+export function _sha256Hash(data: string | Buffer): string {
+  return crypto.createHash('sha256').update(data).digest('hex')
+}
+
+/**
+ * Calculate HMAC-SHA256 and return buffer
+ * @internal
+ */
+export function _hmacSha256(key: Buffer | string, data: string): Buffer {
+  return crypto.createHmac('sha256', key).update(data, 'utf8').digest()
+}
+
+/**
+ * Calculate HMAC-SHA256 and return hex encoded string
+ * @internal
+ */
+export function _hmacSha256Hex(key: Buffer | string, data: string): string {
+  return crypto.createHmac('sha256', key).update(data, 'utf8').digest('hex')
+}
+
+/**
+ * URL encode according to RFC3986
+ * @internal
+ */
+export function _uriEncode(str: string, encodeSlash: boolean = true): string {
+  if (!str) return ''
+
+  // RFC3986 unreserved: A-Z a-z 0-9 - _ . ~
+  // If encodeSlash is false, / is also unencoded
+  const pattern = encodeSlash ? /[^A-Za-z0-9_\-.~]/g : /[^A-Za-z0-9_\-.~/]/g
+  return str.replace(pattern, (char) => encodeURIComponent(char))
+}
+
+/**
+ * Build canonical query string from query parameters
+ * @internal
+ */
+export function _buildCanonicalQueryString(query: Record<string, string>): string {
+  if (!query || Object.keys(query).length === 0) {
+    return ''
+  }
+
+  return Object.keys(query)
+    .sort()
+    .map((key) => `${_uriEncode(key)}=${_uriEncode(query[key])}`)
+    .join('&')
+}
+
+/**
+ * Build canonical headers string
+ * @internal
+ */
+export function _buildCanonicalHeaders(headers: Record<string, string>): {
+  canonicalHeaders: string
+  signedHeaders: string
+} {
+  // Create a lowercase-keyed map to handle mixed-case input headers
+  const lowercaseHeaders: Record<string, string> = {}
+  for (const [key, value] of Object.entries(headers)) {
+    lowercaseHeaders[key.toLowerCase()] = value
+  }
+
+  const sortedKeys = Object.keys(lowercaseHeaders).sort()
+
+  const canonicalHeaders = sortedKeys.map((key) => `${key}:${lowercaseHeaders[key]?.trim() || ''}`).join('\n') + '\n'
+
+  const signedHeaders = sortedKeys.join(';')
+
+  return { canonicalHeaders, signedHeaders }
+}
+
+/**
+ * Create the signing key through a series of HMAC operations
+ * @internal
+ */
+export function _deriveSigningKey(secretKey: string, date: string, region: string, service: string): Buffer {
+  const kDate = _hmacSha256(secretKey, date)
+  const kRegion = _hmacSha256(kDate, region)
+  const kService = _hmacSha256(kRegion, service)
+  const kSigning = _hmacSha256(kService, 'request')
+  return kSigning
+}
+
+/**
+ * Create canonical request string
+ * @internal
+ */
+export function _createCanonicalRequest(
+  method: string,
+  canonicalUri: string,
+  canonicalQueryString: string,
+  canonicalHeaders: string,
+  signedHeaders: string,
+  payloadHash: string
+): string {
+  return [method, canonicalUri, canonicalQueryString, canonicalHeaders, signedHeaders, payloadHash].join('\n')
+}
+
+/**
+ * Create string to sign
+ * @internal
+ */
+export function _createStringToSign(dateTime: string, credentialScope: string, canonicalRequest: string): string {
+  const hashedCanonicalRequest = _sha256Hash(canonicalRequest)
+  return ['HMAC-SHA256', dateTime, credentialScope, hashedCanonicalRequest].join('\n')
+}
+
+// Configuration constants
+const CONFIG = {
+  ALGORITHM: 'HMAC-SHA256',
+  REQUEST_TYPE: 'request',
+  DEFAULT_REGION: 'cn-beijing',
+  SERVICE_NAME: 'ark',
+  DEFAULT_HEADERS: {
+    'content-type': 'application/json',
+    accept: 'application/json'
+  },
+  API_URLS: {
+    ARK_HOST: 'open.volcengineapi.com'
+  },
+  CREDENTIALS_FILE_NAME: '.volcengine_credentials',
+  API_VERSION: '2024-01-01',
+  DEFAULT_PAGE_SIZE: 100
+} as const
+
+// Request schemas
+const ListFoundationModelsRequestSchema = z.object({
+  PageNumber: z.optional(z.number()),
+  PageSize: z.optional(z.number())
+})
+
+const ListEndpointsRequestSchema = z.object({
+  ProjectName: z.optional(z.string()),
+  PageNumber: z.optional(z.number()),
+  PageSize: z.optional(z.number())
+})
+
+// Response schemas - only keep fields needed for model list
+const FoundationModelItemSchema = z.object({
+  Name: z.string(),
+  DisplayName: z.optional(z.string()),
+  Description: z.optional(z.string())
+})
+
+const EndpointItemSchema = z.object({
+  Id: z.string(),
+  Name: z.optional(z.string()),
+  Description: z.optional(z.string()),
+  ModelReference: z.optional(
+    z.object({
+      FoundationModel: z.optional(
+        z.object({
+          Name: z.optional(z.string()),
+          ModelVersion: z.optional(z.string())
+        })
+      ),
+      CustomModelId: z.optional(z.string())
+    })
+  )
+})
+
+const ListFoundationModelsResponseSchema = z.object({
+  Result: z.object({
+    TotalCount: z.number(),
+    Items: z.array(FoundationModelItemSchema)
+  })
+})
+
+const ListEndpointsResponseSchema = z.object({
+  Result: z.object({
+    TotalCount: z.number(),
+    Items: z.array(EndpointItemSchema)
+  })
+})
+
+// Infer types from schemas
+type ListFoundationModelsRequest = z.infer<typeof ListFoundationModelsRequestSchema>
+type ListEndpointsRequest = z.infer<typeof ListEndpointsRequestSchema>
+type ListFoundationModelsResponse = z.infer<typeof ListFoundationModelsResponseSchema>
+type ListEndpointsResponse = z.infer<typeof ListEndpointsResponseSchema>
+
+// ============= Internal Type Definitions =============
+
+interface VolcengineCredentials {
+  accessKeyId: string
+  secretAccessKey: string
+}
+
+interface SignedRequestParams {
+  method: 'GET' | 'POST'
+  host: string
+  path: string
+  query: Record<string, string>
+  headers: Record<string, string>
+  body?: string
+  service: string
+  region: string
+}
+
+interface SignedHeaders {
+  Authorization: string
+  'X-Date': string
+  'X-Content-Sha256': string
+  Host: string
+}
+
+interface ModelInfo {
+  id: string
+  name: string
+  description?: string
+  created?: number
+}
+
+interface ListModelsResult {
+  models: ModelInfo[]
+  total?: number
+  warnings?: string[]
+}
+
+// Custom error class
+class VolcengineServiceError extends Error {
+  constructor(
+    message: string,
+    public readonly cause?: unknown
+  ) {
+    super(message)
+    this.name = 'VolcengineServiceError'
+  }
+}
+
+/**
+ * Volcengine API Signing Service
+ *
+ * Implements HMAC-SHA256 signing algorithm for Volcengine API authentication.
+ * Securely stores credentials using Electron's safeStorage.
+ */
+class VolcengineService {
+  private readonly credentialsFilePath: string
+
+  constructor() {
+    this.credentialsFilePath = this.getCredentialsFilePath()
+  }
+
+  /**
+   * Get the path for storing encrypted credentials
+   */
+  private getCredentialsFilePath(): string {
+    const oldPath = path.join(app.getPath('userData'), CONFIG.CREDENTIALS_FILE_NAME)
+    if (fs.existsSync(oldPath)) {
+      return oldPath
+    }
+    return path.join(getConfigDir(), CONFIG.CREDENTIALS_FILE_NAME)
+  }
+
+  // ============= Cryptographic Helper Methods =============
+  private sha256Hash(data: string | Buffer): string {
+    return _sha256Hash(data)
+  }
+
+  private hmacSha256Hex(key: Buffer | string, data: string): string {
+    return _hmacSha256Hex(key, data)
+  }
+
+  private uriEncode(str: string, encodeSlash: boolean = true): string {
+    return _uriEncode(str, encodeSlash)
+  }
+
+  // ============= Signing Implementation =============
+
+  /**
+   * Get current UTC time in ISO8601 format (YYYYMMDD'T'HHMMSS'Z')
+   */
+  private getIso8601DateTime(): string {
+    const now = new Date()
+    return now
+      .toISOString()
+      .replace(/[-:]/g, '')
+      .replace(/\.\d{3}/, '')
+  }
+
+  /**
+   * Get date portion from datetime (YYYYMMDD)
+   */
+  private getDateFromDateTime(dateTime: string): string {
+    return dateTime.substring(0, 8)
+  }
+
+  private buildCanonicalQueryString(query: Record<string, string>): string {
+    return _buildCanonicalQueryString(query)
+  }
+
+  private buildCanonicalHeaders(headers: Record<string, string>): {
+    canonicalHeaders: string
+    signedHeaders: string
+  } {
+    return _buildCanonicalHeaders(headers)
+  }
+
+  private deriveSigningKey(secretKey: string, date: string, region: string, service: string): Buffer {
+    return _deriveSigningKey(secretKey, date, region, service)
+  }
+
+  private createCanonicalRequest(
+    method: string,
+    canonicalUri: string,
+    canonicalQueryString: string,
+    canonicalHeaders: string,
+    signedHeaders: string,
+    payloadHash: string
+  ): string {
+    return _createCanonicalRequest(
+      method,
+      canonicalUri,
+      canonicalQueryString,
+      canonicalHeaders,
+      signedHeaders,
+      payloadHash
+    )
+  }
+
+  private createStringToSign(dateTime: string, credentialScope: string, canonicalRequest: string): string {
+    return _createStringToSign(dateTime, credentialScope, canonicalRequest)
+  }
+
+  /**
+   * Generate signature for the request
+   */
+  private generateSignature(params: SignedRequestParams, credentials: VolcengineCredentials): SignedHeaders {
+    const { method, host, path: requestPath, query, body, service, region } = params
+
+    // Step 1: Prepare datetime
+    const dateTime = this.getIso8601DateTime()
+    const date = this.getDateFromDateTime(dateTime)
+
+    // Step 2: Calculate payload hash
+    const payloadHash = this.sha256Hash(body || '')
+
+    // Step 3: Prepare headers for signing
+    const headersToSign: Record<string, string> = {
+      host: host,
+      'x-date': dateTime,
+      'x-content-sha256': payloadHash,
+      'content-type': 'application/json'
+    }
+
+    // Step 4: Build canonical components
+    const canonicalUri = this.uriEncode(requestPath, false) || '/'
+    const canonicalQueryString = this.buildCanonicalQueryString(query)
+    const { canonicalHeaders, signedHeaders } = this.buildCanonicalHeaders(headersToSign)
+
+    // Step 5: Create canonical request
+    const canonicalRequest = this.createCanonicalRequest(
+      method.toUpperCase(),
+      canonicalUri,
+      canonicalQueryString,
+      canonicalHeaders,
+      signedHeaders,
+      payloadHash
+    )
+
+    // Step 6: Create credential scope and string to sign
+    const credentialScope = `${date}/${region}/${service}/${CONFIG.REQUEST_TYPE}`
+    const stringToSign = this.createStringToSign(dateTime, credentialScope, canonicalRequest)
+
+    // Step 7: Calculate signature
+    const signingKey = this.deriveSigningKey(credentials.secretAccessKey, date, region, service)
+    const signature = this.hmacSha256Hex(signingKey, stringToSign)
+
+    // Step 8: Build authorization header
+    const authorization = `${CONFIG.ALGORITHM} Credential=${credentials.accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`
+
+    return {
+      Authorization: authorization,
+      'X-Date': dateTime,
+      'X-Content-Sha256': payloadHash,
+      Host: host
+    }
+  }
+
+  // ============= Credential Management =============
+
+  /**
+   * Save credentials securely using Electron's safeStorage
+   */
+  public saveCredentials = async (
+    _: Electron.IpcMainInvokeEvent,
+    accessKeyId: string,
+    secretAccessKey: string
+  ): Promise<void> => {
+    try {
+      if (!accessKeyId || !secretAccessKey) {
+        throw new VolcengineServiceError('Access Key ID and Secret Access Key are required')
+      }
+
+      if (!safeStorage.isEncryptionAvailable()) {
+        throw new VolcengineServiceError('Secure storage is not available on this platform')
+      }
+
+      const credentials: VolcengineCredentials = { accessKeyId, secretAccessKey }
+      const credentialsJson = JSON.stringify(credentials)
+      const encryptedData = safeStorage.encryptString(credentialsJson)
+
+      // Ensure directory exists
+      const dir = path.dirname(this.credentialsFilePath)
+      if (!fs.existsSync(dir)) {
+        await fs.promises.mkdir(dir, { recursive: true })
+      }
+
+      await fs.promises.writeFile(this.credentialsFilePath, encryptedData)
+      await fs.promises.chmod(this.credentialsFilePath, 0o600) // Read/write for owner only
+      logger.info('Volcengine credentials saved successfully')
+    } catch (error) {
+      logger.error('Failed to save Volcengine credentials:', error as Error)
+      throw new VolcengineServiceError('Failed to save credentials', error)
+    }
+  }
+
+  /**
+   * Load credentials from encrypted storage
+   * @throws VolcengineServiceError if credentials file exists but is corrupted
+   */
+  private async loadCredentials(): Promise<VolcengineCredentials | null> {
+    if (!fs.existsSync(this.credentialsFilePath)) {
+      return null
+    }
+
+    try {
+      const encryptedData = await fs.promises.readFile(this.credentialsFilePath)
+      const decryptedJson = safeStorage.decryptString(Buffer.from(encryptedData))
+      return JSON.parse(decryptedJson) as VolcengineCredentials
+    } catch (error) {
+      logger.error('Failed to load Volcengine credentials:', error as Error)
+      throw new VolcengineServiceError(
+        'Credentials file exists but could not be loaded. Please re-enter your credentials.',
+        error
+      )
+    }
+  }
+
+  /**
+   * Check if credentials exist
+   */
+  public hasCredentials = async (): Promise<boolean> => {
+    return fs.existsSync(this.credentialsFilePath)
+  }
+
+  /**
+   * Clear stored credentials
+   */
+  public clearCredentials = async (): Promise<void> => {
+    try {
+      if (fs.existsSync(this.credentialsFilePath)) {
+        await fs.promises.unlink(this.credentialsFilePath)
+        logger.info('Volcengine credentials cleared')
+      }
+    } catch (error) {
+      logger.error('Failed to clear Volcengine credentials:', error as Error)
+      throw new VolcengineServiceError('Failed to clear credentials', error)
+    }
+  }
+
+  // ============= API Methods =============
+
+  /**
+   * Make a signed request to Volcengine API
+   */
+  private async makeSignedRequest<T>(
+    method: 'GET' | 'POST',
+    host: string,
+    path: string,
+    action: string,
+    version: string,
+    query?: Record<string, string>,
+    body?: Record<string, unknown>,
+    service: string = CONFIG.SERVICE_NAME,
+    region: string = CONFIG.DEFAULT_REGION
+  ): Promise<T> {
+    const credentials = await this.loadCredentials()
+    if (!credentials) {
+      throw new VolcengineServiceError('No credentials found. Please save credentials first.')
+    }
+
+    const fullQuery: Record<string, string> = {
+      Action: action,
+      Version: version,
+      ...query
+    }
+
+    const bodyString = body ? JSON.stringify(body) : ''
+
+    const signedHeaders = this.generateSignature(
+      {
+        method,
+        host,
+        path,
+        query: fullQuery,
+        headers: {},
+        body: bodyString,
+        service,
+        region
+      },
+      credentials
+    )
+
+    // Build URL with query string (use simple encoding for URL, canonical encoding is only for signature)
+    const urlParams = new URLSearchParams(fullQuery)
+    const url = `https://${host}${path}?${urlParams.toString()}`
+
+    const requestHeaders: Record<string, string> = {
+      ...CONFIG.DEFAULT_HEADERS,
+      Authorization: signedHeaders.Authorization,
+      'X-Date': signedHeaders['X-Date'],
+      'X-Content-Sha256': signedHeaders['X-Content-Sha256']
+    }
+
+    logger.debug('Making Volcengine API request', { url, method, action })
+
+    try {
+      const response = await net.fetch(url, {
+        method,
+        headers: requestHeaders,
+        body: method === 'POST' && bodyString ? bodyString : undefined
+      })
+
+      if (!response.ok) {
+        const errorText = await response.text()
+        logger.error(`Volcengine API error: ${response.status}`, { errorText })
+        throw new VolcengineServiceError(`API request failed: ${response.status} - ${errorText}`)
+      }
+
+      return (await response.json()) as T
+    } catch (error) {
+      if (error instanceof VolcengineServiceError) {
+        throw error
+      }
+      logger.error('Volcengine API request failed:', error as Error)
+      throw new VolcengineServiceError('API request failed', error)
+    }
+  }
+
+  /**
+   * List foundation models from Volcengine ARK
+   */
+  private async listFoundationModels(region: string = CONFIG.DEFAULT_REGION): Promise<ListFoundationModelsResponse> {
+    const requestBody: ListFoundationModelsRequest = {
+      PageNumber: 1,
+      PageSize: CONFIG.DEFAULT_PAGE_SIZE
+    }
+
+    const response = await this.makeSignedRequest<unknown>(
+      'POST',
+      CONFIG.API_URLS.ARK_HOST,
+      '/',
+      'ListFoundationModels',
+      CONFIG.API_VERSION,
+      {},
+      requestBody,
+      CONFIG.SERVICE_NAME,
+      region
+    )
+
+    return ListFoundationModelsResponseSchema.parse(response)
+  }
+
+  /**
+   * List user-created endpoints from Volcengine ARK
+   */
+  private async listEndpoints(
+    projectName?: string,
+    region: string = CONFIG.DEFAULT_REGION
+  ): Promise<ListEndpointsResponse> {
+    const requestBody: ListEndpointsRequest = {
+      ProjectName: projectName || 'default',
+      PageNumber: 1,
+      PageSize: CONFIG.DEFAULT_PAGE_SIZE
+    }
+
+    const response = await this.makeSignedRequest<unknown>(
+      'POST',
+      CONFIG.API_URLS.ARK_HOST,
+      '/',
+      'ListEndpoints',
+      CONFIG.API_VERSION,
+      {},
+      requestBody,
+      CONFIG.SERVICE_NAME,
+      region
+    )
+
+    return ListEndpointsResponseSchema.parse(response)
+  }
+
+  /**
+   * List all available models from Volcengine ARK
+   * Combines foundation models and user-created endpoints
+   */
+  public listModels = async (
+    _?: Electron.IpcMainInvokeEvent,
+    projectName?: string,
+    region?: string
+  ): Promise<ListModelsResult> => {
+    try {
+      const effectiveRegion = region || CONFIG.DEFAULT_REGION
+      const [foundationModelsResult, endpointsResult] = await Promise.allSettled([
+        this.listFoundationModels(effectiveRegion),
+        this.listEndpoints(projectName, effectiveRegion)
+      ])
+
+      const models: ModelInfo[] = []
+      const warnings: string[] = []
+
+      if (foundationModelsResult.status === 'fulfilled') {
+        const foundationModels = foundationModelsResult.value
+        for (const item of foundationModels.Result.Items) {
+          models.push({
+            id: item.Name,
+            name: item.DisplayName || item.Name,
+            description: item.Description
+          })
+        }
+        logger.info(`Found ${foundationModels.Result.Items.length} foundation models`)
+      } else {
+        const errorMsg = `Failed to fetch foundation models: ${foundationModelsResult.reason}`
+        logger.warn(errorMsg)
+        warnings.push(errorMsg)
+      }
+
+      // Process endpoints
+      if (endpointsResult.status === 'fulfilled') {
+        const endpoints = endpointsResult.value
+        for (const item of endpoints.Result.Items) {
+          const modelRef = item.ModelReference
+          const foundationModelName = modelRef?.FoundationModel?.Name
+          const modelVersion = modelRef?.FoundationModel?.ModelVersion
+          const customModelId = modelRef?.CustomModelId
+
+          let displayName = item.Name || item.Id
+          if (foundationModelName) {
+            displayName = modelVersion ? `${foundationModelName} (${modelVersion})` : foundationModelName
+          } else if (customModelId) {
+            displayName = customModelId
+          }
+
+          models.push({
+            id: item.Id,
+            name: displayName,
+            description: item.Description
+          })
+        }
+        logger.info(`Found ${endpoints.Result.Items.length} endpoints`)
+      } else {
+        const errorMsg = `Failed to fetch endpoints: ${endpointsResult.reason}`
+        logger.warn(errorMsg)
+        warnings.push(errorMsg)
+      }
+
+      // If both failed, throw error
+      if (foundationModelsResult.status === 'rejected' && endpointsResult.status === 'rejected') {
+        throw new VolcengineServiceError('Failed to fetch both foundation models and endpoints')
+      }
+
+      const total =
+        (foundationModelsResult.status === 'fulfilled' ? foundationModelsResult.value.Result.TotalCount : 0) +
+        (endpointsResult.status === 'fulfilled' ? endpointsResult.value.Result.TotalCount : 0)
+
+      logger.info(`Total models found: ${models.length}`)
+
+      return {
+        models,
+        total,
+        warnings: warnings.length > 0 ? warnings : undefined
+      }
+    } catch (error) {
+      logger.error('Failed to list Volcengine models:', error as Error)
+      throw new VolcengineServiceError('Failed to list models', error)
+    }
+  }
+
+  /**
+   * Get authorization headers for external use
+   * This allows the renderer process to make direct API calls with proper authentication
+   */
+  public getAuthHeaders = async (
+    _: Electron.IpcMainInvokeEvent,
+    params: {
+      method: 'GET' | 'POST'
+      host: string
+      path: string
+      query?: Record<string, string>
+      body?: string
+      service?: string
+      region?: string
+    }
+  ): Promise<SignedHeaders> => {
+    const credentials = await this.loadCredentials()
+    if (!credentials) {
+      throw new VolcengineServiceError('No credentials found. Please save credentials first.')
+    }
+
+    return this.generateSignature(
+      {
+        method: params.method,
+        host: params.host,
+        path: params.path,
+        query: params.query || {},
+        headers: {},
+        body: params.body,
+        service: params.service || CONFIG.SERVICE_NAME,
+        region: params.region || CONFIG.DEFAULT_REGION
+      },
+      credentials
+    )
+  }
+
+  /**
+   * Make a generic signed API request
+   * This is a more flexible method that allows custom API calls
+   */
+  public makeRequest = async (
+    _: Electron.IpcMainInvokeEvent,
+    params: {
+      method: 'GET' | 'POST'
+      host: string
+      path: string
+      action: string
+      version: string
+      query?: Record<string, string>
+      body?: Record<string, unknown>
+      service?: string
+      region?: string
+    }
+  ): Promise<unknown> => {
+    return this.makeSignedRequest(
+      params.method,
+      params.host,
+      params.path,
+      params.action,
+      params.version,
+      params.query,
+      params.body,
+      params.service || CONFIG.SERVICE_NAME,
+      params.region || CONFIG.DEFAULT_REGION
+    )
+  }
+}
+
+export default new VolcengineService()

src/main/services/__tests__/VolcengineService.test.ts

@@ -0,0 +1,700 @@
+import crypto from 'crypto'
+import fs from 'fs'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+// Mock dependencies
+// Mock fs first before any imports
+vi.mock('fs', async () => {
+  const actual = await vi.importActual('fs')
+  return {
+    ...actual,
+    default: {
+      ...actual,
+      existsSync: vi.fn(() => false),
+      promises: {
+        writeFile: vi.fn(),
+        readFile: vi.fn(),
+        unlink: vi.fn(),
+        mkdir: vi.fn(),
+        chmod: vi.fn()
+      }
+    },
+    existsSync: vi.fn(() => false),
+    promises: {
+      writeFile: vi.fn(),
+      readFile: vi.fn(),
+      unlink: vi.fn(),
+      mkdir: vi.fn(),
+      chmod: vi.fn()
+    }
+  }
+})
+
+vi.mock('@logger', () => ({
+  loggerService: {
+    withContext: () => ({
+      info: vi.fn(),
+      error: vi.fn(),
+      warn: vi.fn(),
+      debug: vi.fn()
+    })
+  }
+}))
+
+vi.mock('electron', () => ({
+  app: {
+    getPath: vi.fn(() => '/test/userData')
+  },
+  safeStorage: {
+    isEncryptionAvailable: vi.fn(() => true),
+    encryptString: vi.fn((str: string) => Buffer.from(`encrypted:${str}`)),
+    decryptString: vi.fn((buffer: Buffer) => {
+      const str = buffer.toString()
+      if (str.startsWith('encrypted:')) {
+        return str.substring('encrypted:'.length)
+      }
+      throw new Error('Invalid encrypted data')
+    })
+  },
+  net: {
+    fetch: vi.fn()
+  }
+}))
+
+vi.mock('@main/utils/file', () => ({
+  getConfigDir: vi.fn(() => '/test/config')
+}))
+
+// Import after mocks
+import { net, safeStorage } from 'electron'
+
+import VolcengineService, {
+  _buildCanonicalHeaders,
+  _buildCanonicalQueryString,
+  _createCanonicalRequest,
+  _createStringToSign,
+  _deriveSigningKey,
+  _hmacSha256,
+  _hmacSha256Hex,
+  _sha256Hash,
+  _uriEncode
+} from '../VolcengineService'
+
+const service = VolcengineService
+
+describe('VolcengineService', () => {
+  const mockEvent = {} as Electron.IpcMainInvokeEvent
+
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  describe('Cryptographic Helper Methods', () => {
+    describe('sha256Hash', () => {
+      it('should correctly hash a string', () => {
+        const input = 'test string'
+        const expectedHash = crypto.createHash('sha256').update(input).digest('hex')
+
+        const result = _sha256Hash(input)
+
+        expect(result).toBe(expectedHash)
+      })
+
+      it('should correctly hash a buffer', () => {
+        const input = Buffer.from('test buffer')
+        const expectedHash = crypto.createHash('sha256').update(input).digest('hex')
+
+        const result = _sha256Hash(input)
+
+        expect(result).toBe(expectedHash)
+      })
+
+      it('should hash empty string', () => {
+        const expectedHash = crypto.createHash('sha256').update('').digest('hex')
+
+        const result = _sha256Hash('')
+
+        expect(result).toBe(expectedHash)
+      })
+    })
+
+    describe('hmacSha256', () => {
+      it('should correctly compute HMAC-SHA256 with string key', () => {
+        const key = 'secret'
+        const data = 'message'
+        const expectedHmac = crypto.createHmac('sha256', key).update(data, 'utf8').digest()
+
+        const result = _hmacSha256(key, data)
+
+        expect(result.equals(expectedHmac)).toBe(true)
+      })
+
+      it('should correctly compute HMAC-SHA256 with buffer key', () => {
+        const key = Buffer.from('secret')
+        const data = 'message'
+        const expectedHmac = crypto.createHmac('sha256', key).update(data, 'utf8').digest()
+
+        const result = _hmacSha256(key, data)
+
+        expect(result.equals(expectedHmac)).toBe(true)
+      })
+    })
+
+    describe('hmacSha256Hex', () => {
+      it('should correctly compute HMAC-SHA256 and return hex string', () => {
+        const key = 'secret'
+        const data = 'message'
+        const expectedHex = crypto.createHmac('sha256', key).update(data, 'utf8').digest('hex')
+
+        const result = _hmacSha256Hex(key, data)
+
+        expect(result).toBe(expectedHex)
+      })
+    })
+  })
+
+  describe('URL Encoding (RFC3986)', () => {
+    describe('uriEncode', () => {
+      it('should encode special characters', () => {
+        const input = 'hello world@#$%^&*()'
+        const result = _uriEncode(input)
+
+        // RFC3986 unreserved: A-Z a-z 0-9 - _ . ~
+        // encodeURIComponent encodes most special chars except ! ' ( ) *
+        expect(result).toContain('hello%20world')
+        expect(result).toContain('%40') // @
+        expect(result).toContain('%23') // #
+        expect(result).toContain('%24') // $
+      })
+
+      it('should not encode unreserved characters', () => {
+        const input = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~'
+        const result = _uriEncode(input)
+
+        expect(result).toBe(input)
+      })
+
+      it('should encode slash by default', () => {
+        const input = 'path/to/resource'
+        const result = _uriEncode(input)
+
+        expect(result).toBe('path%2Fto%2Fresource')
+      })
+
+      it('should not encode slash when encodeSlash is false', () => {
+        const input = 'path/to/resource'
+        const result = _uriEncode(input, false)
+
+        expect(result).toBe('path/to/resource')
+      })
+
+      it('should handle empty string', () => {
+        const result = _uriEncode('')
+
+        expect(result).toBe('')
+      })
+
+      it('should encode spaces as %20', () => {
+        const input = 'hello world'
+        const result = _uriEncode(input)
+
+        expect(result).toBe('hello%20world')
+      })
+
+      it('should handle unicode characters', () => {
+        const input = '你好世界'
+        const result = _uriEncode(input)
+
+        expect(result).not.toBe(input)
+        expect(result).toContain('%')
+      })
+    })
+  })
+
+  describe('Canonical Request Building', () => {
+    describe('buildCanonicalQueryString', () => {
+      it('should build sorted query string', () => {
+        const query = {
+          z: 'last',
+          a: 'first',
+          m: 'middle'
+        }
+
+        const result = _buildCanonicalQueryString(query)
+
+        expect(result).toBe('a=first&m=middle&z=last')
+      })
+
+      it('should handle empty query object', () => {
+        const result = _buildCanonicalQueryString({})
+
+        expect(result).toBe('')
+      })
+
+      it('should URL encode keys and values', () => {
+        const query = {
+          'key with space': 'value with space',
+          'special@#': 'chars$%^'
+        }
+
+        const result = _buildCanonicalQueryString(query)
+
+        expect(result).toContain('key%20with%20space=value%20with%20space')
+        expect(result).toContain('special%40%23=chars%24%25%5E')
+      })
+
+      it('should handle single parameter', () => {
+        const query = { action: 'ListModels' }
+
+        const result = _buildCanonicalQueryString(query)
+
+        expect(result).toBe('action=ListModels')
+      })
+    })
+
+    describe('buildCanonicalHeaders', () => {
+      it('should lowercase and sort header names', () => {
+        // Headers should already be lowercase when passed to this method
+        const headers = {
+          'x-date': '20240101T120000Z',
+          'content-type': 'application/json',
+          host: 'example.com'
+        }
+
+        const result = _buildCanonicalHeaders(headers)
+
+        expect(result.canonicalHeaders).toBe(
+          'content-type:application/json\nhost:example.com\nx-date:20240101T120000Z\n'
+        )
+        expect(result.signedHeaders).toBe('content-type;host;x-date')
+      })
+
+      it('should trim header values', () => {
+        // Headers should already be lowercase when passed to this method
+        const headers = {
+          host: '  example.com  ',
+          'x-date': '  20240101T120000Z  '
+        }
+
+        const result = _buildCanonicalHeaders(headers)
+
+        expect(result.canonicalHeaders).toBe('host:example.com\nx-date:20240101T120000Z\n')
+      })
+
+      it('should handle empty header values', () => {
+        // Headers should already be lowercase when passed to this method
+        const headers = {
+          host: 'example.com',
+          'x-custom': ''
+        }
+
+        const result = _buildCanonicalHeaders(headers)
+
+        expect(result.canonicalHeaders).toBe('host:example.com\nx-custom:\n')
+      })
+
+      it('should handle mixed-case header keys', () => {
+        const headers = {
+          'X-Date': '20240101T120000Z',
+          'Content-Type': 'application/json',
+          Host: 'example.com'
+        }
+
+        const result = _buildCanonicalHeaders(headers)
+
+        expect(result.canonicalHeaders).toBe(
+          'content-type:application/json\nhost:example.com\nx-date:20240101T120000Z\n'
+        )
+        expect(result.signedHeaders).toBe('content-type;host;x-date')
+      })
+    })
+
+    describe('deriveSigningKey', () => {
+      it('should derive signing key correctly', () => {
+        const secretKey = 'testSecret'
+        const date = '20240101'
+        const region = 'cn-beijing'
+        const serviceName = 'ark'
+
+        const result = _deriveSigningKey(secretKey, date, region, serviceName)
+
+        // The result should be a Buffer
+        expect(Buffer.isBuffer(result)).toBe(true)
+
+        // The key derivation should be deterministic
+        const result2 = _deriveSigningKey(secretKey, date, region, serviceName)
+        expect(result.equals(result2)).toBe(true)
+      })
+
+      it('should produce different keys for different inputs', () => {
+        const secretKey = 'testSecret'
+        const date = '20240101'
+        const region = 'cn-beijing'
+        const serviceName = 'ark'
+
+        const key1 = _deriveSigningKey(secretKey, date, region, serviceName)
+        const key2 = _deriveSigningKey('differentSecret', date, region, serviceName)
+        const key3 = _deriveSigningKey(secretKey, '20240102', region, serviceName)
+
+        expect(key1.equals(key2)).toBe(false)
+        expect(key1.equals(key3)).toBe(false)
+      })
+    })
+
+    describe('createCanonicalRequest', () => {
+      it('should create canonical request string correctly', () => {
+        const method = 'POST'
+        const canonicalUri = '/'
+        const canonicalQueryString = 'Action=ListModels&Version=2024-01-01'
+        const canonicalHeaders = 'host:open.volcengineapi.com\nx-date:20240101T120000Z\n'
+        const signedHeaders = 'host;x-date'
+        const payloadHash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
+
+        const result = _createCanonicalRequest(
+          method,
+          canonicalUri,
+          canonicalQueryString,
+          canonicalHeaders,
+          signedHeaders,
+          payloadHash
+        )
+
+        const expected = [
+          method,
+          canonicalUri,
+          canonicalQueryString,
+          canonicalHeaders,
+          signedHeaders,
+          payloadHash
+        ].join('\n')
+
+        expect(result).toBe(expected)
+      })
+    })
+
+    describe('createStringToSign', () => {
+      it('should create string to sign correctly', () => {
+        const dateTime = '20240101T120000Z'
+        const credentialScope = '20240101/cn-beijing/ark/request'
+        const canonicalRequest = 'POST\n/\n\nhost:example.com\n\nhost\npayloadhash'
+
+        const result = _createStringToSign(dateTime, credentialScope, canonicalRequest)
+
+        const expectedHash = _sha256Hash(canonicalRequest)
+        const expected = ['HMAC-SHA256', dateTime, credentialScope, expectedHash].join('\n')
+
+        expect(result).toBe(expected)
+      })
+    })
+  })
+
+  // Note: Signature generation is tested through the public getAuthHeaders method
+  // This ensures the complete signature flow works correctly
+
+  describe('Credential Management', () => {
+    describe('saveCredentials', () => {
+      it('should save credentials using safeStorage', async () => {
+        vi.mocked(safeStorage.isEncryptionAvailable).mockReturnValue(true)
+
+        await service.saveCredentials(mockEvent, 'testAccessKey', 'testSecretKey')
+
+        expect(safeStorage.encryptString).toHaveBeenCalledWith(
+          JSON.stringify({
+            accessKeyId: 'testAccessKey',
+            secretAccessKey: 'testSecretKey'
+          })
+        )
+        expect(fs.promises.writeFile).toHaveBeenCalled()
+        expect(fs.promises.chmod).toHaveBeenCalledWith(expect.any(String), 0o600)
+      })
+
+      it('should throw error when credentials are empty', async () => {
+        await expect(service.saveCredentials(mockEvent, '', 'secret')).rejects.toThrow('Failed to save credentials')
+
+        await expect(service.saveCredentials(mockEvent, 'key', '')).rejects.toThrow('Failed to save credentials')
+      })
+
+      it('should throw error when safeStorage is not available', async () => {
+        vi.mocked(safeStorage.isEncryptionAvailable).mockReturnValue(false)
+
+        await expect(service.saveCredentials(mockEvent, 'key', 'secret')).rejects.toThrow('Failed to save credentials')
+      })
+
+      it('should create directory if it does not exist', async () => {
+        vi.mocked(safeStorage.isEncryptionAvailable).mockReturnValue(true)
+        vi.spyOn(fs, 'existsSync').mockReturnValue(false)
+
+        await service.saveCredentials(mockEvent, 'testAccessKey', 'testSecretKey')
+
+        expect(fs.promises.mkdir).toHaveBeenCalledWith(expect.any(String), { recursive: true })
+      })
+    })
+
+    // loadCredentials is tested indirectly through public APIs like getAuthHeaders and listModels
+
+    describe('hasCredentials', () => {
+      it('should return true when credentials file exists', async () => {
+        vi.spyOn(fs, 'existsSync').mockReturnValue(true)
+
+        const result = await service.hasCredentials()
+
+        expect(result).toBe(true)
+      })
+
+      it('should return false when credentials file does not exist', async () => {
+        vi.spyOn(fs, 'existsSync').mockReturnValue(false)
+
+        const result = await service.hasCredentials()
+
+        expect(result).toBe(false)
+      })
+    })
+
+    describe('clearCredentials', () => {
+      it('should delete credentials file when it exists', async () => {
+        vi.spyOn(fs, 'existsSync').mockReturnValue(true)
+
+        await service.clearCredentials()
+
+        expect(fs.promises.unlink).toHaveBeenCalled()
+      })
+
+      it('should not throw error when credentials file does not exist', async () => {
+        vi.spyOn(fs, 'existsSync').mockReturnValue(false)
+
+        await expect(service.clearCredentials()).resolves.not.toThrow()
+        expect(fs.promises.unlink).not.toHaveBeenCalled()
+      })
+
+      it('should throw error when file deletion fails', async () => {
+        vi.spyOn(fs, 'existsSync').mockReturnValue(true)
+        vi.mocked(fs.promises.unlink).mockRejectedValue(new Error('Permission denied'))
+
+        await expect(service.clearCredentials()).rejects.toThrow('Failed to clear credentials')
+      })
+    })
+  })
+
+  describe('API Methods', () => {
+    describe('listModels', () => {
+      it('should fetch and combine foundation models and endpoints', async () => {
+        const mockFoundationModelsResponse = {
+          Result: {
+            TotalCount: 2,
+            Items: [
+              { Name: 'model1', DisplayName: 'Model 1', Description: 'Test model 1' },
+              { Name: 'model2', DisplayName: 'Model 2', Description: 'Test model 2' }
+            ]
+          }
+        }
+
+        const mockEndpointsResponse = {
+          Result: {
+            TotalCount: 1,
+            Items: [
+              {
+                Id: 'ep-123',
+                Name: 'Custom Endpoint',
+                Description: 'Custom endpoint',
+                ModelReference: {
+                  FoundationModel: {
+                    Name: 'base-model',
+                    ModelVersion: 'v1.0'
+                  }
+                }
+              }
+            ]
+          }
+        }
+
+        // Setup credentials
+        vi.spyOn(fs, 'existsSync').mockReturnValue(true)
+        vi.mocked(fs.promises.readFile).mockResolvedValue(
+          Buffer.from(`encrypted:${JSON.stringify({ accessKeyId: 'test', secretAccessKey: 'test' })}`)
+        )
+
+        // Mock API calls
+        vi.mocked(net.fetch)
+          .mockResolvedValueOnce({
+            ok: true,
+            json: async () => mockFoundationModelsResponse
+          } as any)
+          .mockResolvedValueOnce({
+            ok: true,
+            json: async () => mockEndpointsResponse
+          } as any)
+
+        const result = await service.listModels(mockEvent)
+
+        expect(result.models).toHaveLength(3)
+        expect(result.total).toBe(3)
+        expect(result.models[0].id).toBe('model1')
+        expect(result.models[2].id).toBe('ep-123')
+      })
+
+      it('should handle partial failures gracefully', async () => {
+        const mockFoundationModelsResponse = {
+          Result: {
+            TotalCount: 1,
+            Items: [{ Name: 'model1', DisplayName: 'Model 1' }]
+          }
+        }
+
+        // Setup credentials
+        vi.spyOn(fs, 'existsSync').mockReturnValue(true)
+        vi.mocked(fs.promises.readFile).mockResolvedValue(
+          Buffer.from(`encrypted:${JSON.stringify({ accessKeyId: 'test', secretAccessKey: 'test' })}`)
+        )
+
+        // Mock API calls - first succeeds, second fails
+        vi.mocked(net.fetch)
+          .mockResolvedValueOnce({
+            ok: true,
+            json: async () => mockFoundationModelsResponse
+          } as any)
+          .mockResolvedValueOnce({
+            ok: false,
+            status: 500,
+            text: async () => 'Server error'
+          } as any)
+
+        const result = await service.listModels(mockEvent)
+
+        expect(result.models).toHaveLength(1)
+        expect(result.warnings).toBeDefined()
+        expect(result.warnings?.length).toBeGreaterThan(0)
+      })
+
+      it('should throw error when both API calls fail', async () => {
+        // Setup credentials
+        vi.spyOn(fs, 'existsSync').mockReturnValue(true)
+        vi.mocked(fs.promises.readFile).mockResolvedValue(
+          Buffer.from(`encrypted:${JSON.stringify({ accessKeyId: 'test', secretAccessKey: 'test' })}`)
+        )
+
+        // Mock both API calls to fail
+        vi.mocked(net.fetch).mockResolvedValue({
+          ok: false,
+          status: 500,
+          text: async () => 'Server error'
+        } as any)
+
+        await expect(service.listModels(mockEvent)).rejects.toThrow('Failed to list models')
+      })
+
+      it('should throw error when no credentials are found', async () => {
+        vi.spyOn(fs, 'existsSync').mockReturnValue(false)
+
+        await expect(service.listModels(mockEvent)).rejects.toThrow('Failed to list models')
+      })
+    })
+
+    describe('getAuthHeaders', () => {
+      it('should generate auth headers for external use', async () => {
+        // Setup credentials
+        vi.spyOn(fs, 'existsSync').mockReturnValue(true)
+        vi.mocked(fs.promises.readFile).mockResolvedValue(
+          Buffer.from(`encrypted:${JSON.stringify({ accessKeyId: 'test', secretAccessKey: 'test' })}`)
+        )
+
+        const params = {
+          method: 'POST' as const,
+          host: 'open.volcengineapi.com',
+          path: '/v1/chat/completions',
+          query: {},
+          body: '{"model":"test"}'
+        }
+
+        const result = await service.getAuthHeaders(mockEvent, params)
+
+        expect(result).toHaveProperty('Authorization')
+        expect(result).toHaveProperty('X-Date')
+        expect(result).toHaveProperty('X-Content-Sha256')
+        expect(result).toHaveProperty('Host')
+      })
+
+      it('should use default service and region when not provided', async () => {
+        // Setup credentials
+        vi.spyOn(fs, 'existsSync').mockReturnValue(true)
+        vi.mocked(fs.promises.readFile).mockResolvedValue(
+          Buffer.from(`encrypted:${JSON.stringify({ accessKeyId: 'test', secretAccessKey: 'test' })}`)
+        )
+
+        const params = {
+          method: 'POST' as const,
+          host: 'open.volcengineapi.com',
+          path: '/',
+          query: {}
+        }
+
+        const result = await service.getAuthHeaders(mockEvent, params)
+
+        // Should not throw and should generate headers
+        expect(result).toHaveProperty('Authorization')
+        expect(result.Authorization).toContain('cn-beijing/ark/request')
+      })
+    })
+
+    describe('makeRequest', () => {
+      it('should make a generic signed API request', async () => {
+        const mockResponse = { success: true, data: 'test' }
+
+        // Setup credentials
+        vi.spyOn(fs, 'existsSync').mockReturnValue(true)
+        vi.mocked(fs.promises.readFile).mockResolvedValue(
+          Buffer.from(`encrypted:${JSON.stringify({ accessKeyId: 'test', secretAccessKey: 'test' })}`)
+        )
+
+        vi.mocked(net.fetch).mockResolvedValue({
+          ok: true,
+          json: async () => mockResponse
+        } as any)
+
+        const params = {
+          method: 'POST' as const,
+          host: 'open.volcengineapi.com',
+          path: '/',
+          action: 'TestAction',
+          version: '2024-01-01',
+          query: {},
+          body: { test: true }
+        }
+
+        const result = await service.makeRequest(mockEvent, params)
+
+        expect(result).toEqual(mockResponse)
+        expect(net.fetch).toHaveBeenCalled()
+      })
+    })
+  })
+
+  describe('Error Handling', () => {
+    it('should handle network errors in API requests', async () => {
+      // Setup credentials
+      vi.spyOn(fs, 'existsSync').mockReturnValue(true)
+      vi.mocked(fs.promises.readFile).mockResolvedValue(
+        Buffer.from(`encrypted:${JSON.stringify({ accessKeyId: 'test', secretAccessKey: 'test' })}`)
+      )
+
+      vi.mocked(net.fetch).mockRejectedValue(new Error('Network error'))
+
+      await expect(service.listModels(mockEvent)).rejects.toThrow('Failed to list models')
+    })
+
+    it('should handle API error responses', async () => {
+      // Setup credentials
+      vi.spyOn(fs, 'existsSync').mockReturnValue(true)
+      vi.mocked(fs.promises.readFile).mockResolvedValue(
+        Buffer.from(`encrypted:${JSON.stringify({ accessKeyId: 'test', secretAccessKey: 'test' })}`)
+      )
+
+      vi.mocked(net.fetch).mockResolvedValue({
+        ok: false,
+        status: 401,
+        text: async () => 'Unauthorized'
+      } as any)
+
+      await expect(service.listModels(mockEvent)).rejects.toThrow()
+    })
+  })
+})

src/preload/index.ts

@@ -595,6 +595,41 @@ const api = {
     status: () => ipcRenderer.invoke(IpcChannel.WebSocket_Status),
     sendFile: (filePath: string) => ipcRenderer.invoke(IpcChannel.WebSocket_SendFile, filePath),
     getAllCandidates: () => ipcRenderer.invoke(IpcChannel.WebSocket_GetAllCandidates)
+  },
+  volcengine: {
+    saveCredentials: (accessKeyId: string, secretAccessKey: string): Promise<void> =>
+      ipcRenderer.invoke(IpcChannel.Volcengine_SaveCredentials, accessKeyId, secretAccessKey),
+    hasCredentials: (): Promise<boolean> => ipcRenderer.invoke(IpcChannel.Volcengine_HasCredentials),
+    clearCredentials: (): Promise<void> => ipcRenderer.invoke(IpcChannel.Volcengine_ClearCredentials),
+    listModels: (
+      projectName?: string,
+      region?: string
+    ): Promise<{
+      models: Array<{ id: string; name: string; description?: string; created?: number }>
+      total?: number
+      warnings?: string[]
+    }> => ipcRenderer.invoke(IpcChannel.Volcengine_ListModels, projectName, region),
+    getAuthHeaders: (params: {
+      method: 'GET' | 'POST'
+      host: string
+      path: string
+      query?: Record<string, string>
+      body?: string
+      service?: string
+      region?: string
+    }): Promise<{ Authorization: string; 'X-Date': string; 'X-Content-Sha256': string; Host: string }> =>
+      ipcRenderer.invoke(IpcChannel.Volcengine_GetAuthHeaders, params),
+    makeRequest: (params: {
+      method: 'GET' | 'POST'
+      host: string
+      path: string
+      action: string
+      version: string
+      query?: Record<string, string>
+      body?: Record<string, unknown>
+      service?: string
+      region?: string
+    }): Promise<unknown> => ipcRenderer.invoke(IpcChannel.Volcengine_MakeRequest, params)
   }
 }
 

src/renderer/src/aiCore/legacy/clients/ApiClientFactory.ts

@@ -14,6 +14,7 @@ import { OpenAIAPIClient } from './openai/OpenAIApiClient'
 import { OpenAIResponseAPIClient } from './openai/OpenAIResponseAPIClient'
 import { OVMSClient } from './ovms/OVMSClient'
 import { PPIOAPIClient } from './ppio/PPIOAPIClient'
+import { VolcengineAPIClient } from './volcengine/VolcengineAPIClient'
 import { ZhipuAPIClient } from './zhipu/ZhipuAPIClient'
 
 const logger = loggerService.withContext('ApiClientFactory')
@@ -64,6 +65,12 @@ export class ApiClientFactory {
       return instance
     }
 
+    if (provider.id === 'doubao') {
+      logger.debug(`Creating VolcengineAPIClient for provider: ${provider.id}`)
+      instance = new VolcengineAPIClient(provider) as BaseApiClient
+      return instance
+    }
+
     if (provider.id === 'ovms') {
       logger.debug(`Creating OVMSClient for provider: ${provider.id}`)
       instance = new OVMSClient(provider) as BaseApiClient

src/renderer/src/aiCore/legacy/clients/volcengine/VolcengineAPIClient.ts

@@ -0,0 +1,88 @@
+import type OpenAI from '@cherrystudio/openai'
+import { loggerService } from '@logger'
+import { getVolcengineProjectName, getVolcengineRegion } from '@renderer/hooks/useVolcengine'
+import type { Provider } from '@renderer/types'
+
+import { OpenAIAPIClient } from '../openai/OpenAIApiClient'
+
+const logger = loggerService.withContext('VolcengineAPIClient')
+
+/**
+ * Volcengine (Doubao) API Client
+ *
+ * Extends OpenAIAPIClient for standard chat completions (OpenAI-compatible),
+ * but overrides listModels to use Volcengine's signed API via IPC.
+ */
+export class VolcengineAPIClient extends OpenAIAPIClient {
+  constructor(provider: Provider) {
+    super(provider)
+  }
+
+  /**
+   * List models using Volcengine's signed API
+   * This calls the main process VolcengineService which handles HMAC-SHA256 signing
+   */
+  override async listModels(): Promise<OpenAI.Models.Model[]> {
+    try {
+      const hasCredentials = await window.api.volcengine.hasCredentials()
+
+      if (!hasCredentials) {
+        logger.info('Volcengine credentials not configured, falling back to OpenAI-compatible list')
+        // Fall back to standard OpenAI-compatible API if no Volcengine credentials
+        return super.listModels()
+      }
+
+      logger.info('Fetching models from Volcengine API using signed request')
+
+      const projectName = getVolcengineProjectName()
+      const region = getVolcengineRegion()
+      const response = await window.api.volcengine.listModels(projectName, region)
+
+      if (!response || !response.models) {
+        logger.warn('Empty response from Volcengine listModels')
+        return []
+      }
+
+      // Notify user of any partial failures
+      if (response.warnings && response.warnings.length > 0) {
+        for (const warning of response.warnings) {
+          logger.warn(warning)
+        }
+        window.toast?.warning('Some Volcengine models could not be fetched. Check logs for details.')
+      }
+
+      const models: OpenAI.Models.Model[] = response.models.map((model) => ({
+        id: model.id,
+        object: 'model' as const,
+        created: model.created || Math.floor(Date.now() / 1000),
+        owned_by: 'volcengine',
+        // @ts-ignore - description is used by UI to display model name
+        name: model.name || model.id
+      }))
+
+      logger.info(`Found ${models.length} models from Volcengine API`)
+      return models
+    } catch (error) {
+      logger.error('Failed to list Volcengine models:', error as Error)
+
+      const errorMessage = error instanceof Error ? error.message : String(error)
+
+      // Credential errors should not fall back - user must fix
+      if (errorMessage.includes('could not be loaded') || errorMessage.includes('credentials')) {
+        window.toast?.error('Volcengine credentials error. Please re-enter your credentials in settings.')
+        throw error
+      }
+
+      // Auth errors should not fall back
+      if (errorMessage.includes('401') || errorMessage.includes('403')) {
+        window.toast?.error('Volcengine authentication failed. Please verify your Access Key.')
+        throw error
+      }
+
+      // Only fall back for transient network errors
+      window.toast?.warning('Temporarily unable to fetch Volcengine models. Using fallback.')
+      logger.info('Falling back to OpenAI-compatible model list')
+      return super.listModels()
+    }
+  }
+}

src/renderer/src/hooks/useVolcengine.ts

@@ -0,0 +1,26 @@
+import store, { useAppSelector } from '@renderer/store'
+import { setVolcengineProjectName, setVolcengineRegion } from '@renderer/store/llm'
+import { useDispatch } from 'react-redux'
+
+export function useVolcengineSettings() {
+  const settings = useAppSelector((state) => state.llm.settings.volcengine)
+  const dispatch = useDispatch()
+
+  return {
+    ...settings,
+    setRegion: (region: string) => dispatch(setVolcengineRegion(region)),
+    setProjectName: (projectName: string) => dispatch(setVolcengineProjectName(projectName))
+  }
+}
+
+export function getVolcengineSettings() {
+  return store.getState().llm.settings.volcengine
+}
+
+export function getVolcengineRegion() {
+  return store.getState().llm.settings.volcengine.region
+}
+
+export function getVolcengineProjectName() {
+  return store.getState().llm.settings.volcengine.projectName
+}

src/renderer/src/i18n/locales/en-us.json

@@ -4601,6 +4601,25 @@
           "private_key_placeholder": "Enter Service Account private key",
           "title": "Service Account Configuration"
         }
+      },
+      "volcengine": {
+        "access_key_id": "Access Key ID",
+        "access_key_id_help": "Your Volcengine Access Key ID",
+        "clear_credentials": "Clear Credentials",
+        "credentials_cleared": "Credentials cleared",
+        "credentials_required": "Please fill in Access Key ID and Secret Access Key",
+        "credentials_save_failed": "Failed to save credentials",
+        "credentials_saved": "Credentials saved",
+        "credentials_saved_notice": "Credentials have been securely saved. Clear credentials to update them.",
+        "description": "Volcengine is ByteDance's cloud service platform, providing Doubao and other large language model services. Please use IAM user's Access Key for authentication, do not use the root user credentials.",
+        "project_name": "Project Name",
+        "project_name_help": "Project name for endpoint filtering, default is 'default'",
+        "region": "Region",
+        "region_help": "Service region, e.g., cn-beijing",
+        "save_credentials": "Save Credentials",
+        "secret_access_key": "Secret Access Key",
+        "secret_access_key_help": "Your Volcengine Secret Access Key, please keep it secure",
+        "title": "Volcengine Configuration"
       }
     },
     "proxy": {

src/renderer/src/i18n/locales/zh-cn.json

@@ -4601,6 +4601,25 @@
           "private_key_placeholder": "请输入 Service Account 私钥",
           "title": "Service Account 配置"
         }
+      },
+      "volcengine": {
+        "access_key_id": "Access Key ID",
+        "access_key_id_help": "您的火山引擎 Access Key ID",
+        "clear_credentials": "清除凭证",
+        "credentials_cleared": "凭证已清除",
+        "credentials_required": "请填写 Access Key ID 和 Secret Access Key",
+        "credentials_save_failed": "凭证保存失败",
+        "credentials_saved": "凭证已保存",
+        "credentials_saved_notice": "凭证已安全保存。如需更新，请先清除凭证。",
+        "description": "火山引擎是字节跳动旗下的云服务平台，提供豆包等大语言模型服务。请使用 IAM 子用户的 Access Key 进行身份验证，不要使用主账号的根用户密钥。",
+        "project_name": "项目名称",
+        "project_name_help": "用于筛选推理接入点的项目名称，默认为 'default'",
+        "region": "地域",
+        "region_help": "服务地域，例如 cn-beijing",
+        "save_credentials": "保存凭证",
+        "secret_access_key": "Secret Access Key",
+        "secret_access_key_help": "您的火山引擎 Secret Access Key，请妥善保管",
+        "title": "火山引擎配置"
       }
     },
     "proxy": {

src/renderer/src/i18n/locales/zh-tw.json

@@ -4601,6 +4601,25 @@
           "private_key_placeholder": "輸入服務帳戶私密金鑰",
           "title": "服務帳戶設定"
         }
+      },
+      "volcengine": {
+        "access_key_id": "Access Key ID",
+        "access_key_id_help": "您的火山引擎 Access Key ID",
+        "clear_credentials": "清除憑證",
+        "credentials_cleared": "憑證已清除",
+        "credentials_required": "請填寫 Access Key ID 和 Secret Access Key",
+        "credentials_save_failed": "憑證儲存失敗",
+        "credentials_saved": "憑證已儲存",
+        "credentials_saved_notice": "憑證已安全儲存。如需更新，請先清除憑證。",
+        "description": "火山引擎是字節跳動旗下的雲端服務平台，提供豆包等大型語言模型服務。請使用 IAM 子用戶的 Access Key 進行身份驗證，不要使用主帳號的根用戶密鑰。",
+        "project_name": "專案名稱",
+        "project_name_help": "用於篩選推論接入點的專案名稱，預設為 'default'",
+        "region": "地區",
+        "region_help": "服務地區，例如 cn-beijing",
+        "save_credentials": "儲存憑證",
+        "secret_access_key": "Secret Access Key",
+        "secret_access_key_help": "您的火山引擎 Secret Access Key，請妥善保管",
+        "title": "火山引擎設定"
       }
     },
     "proxy": {

src/renderer/src/i18n/translate/de-de.json

@@ -4601,6 +4601,24 @@
           "private_key_placeholder": "Service Account-Privat-Schlüssel eingeben",
           "title": "Service Account-Konfiguration"
         }
+      },
+      "volcengine": {
+        "access_key_id": "Zugangsschlüssel-ID",
+        "access_key_id_help": "Ihre Volcengine-Zugriffsschlüssel-ID",
+        "clear_credentials": "Berechtigungen löschen",
+        "credentials_cleared": "Anmeldeinformationen gelöscht",
+        "credentials_required": "Bitte geben Sie die Access-Key-ID und den Secret Access Key ein.",
+        "credentials_save_failed": "Fehler beim Speichern der Anmeldeinformationen",
+        "credentials_saved": "Anmeldedaten gespeichert",
+        "description": "Volcengine ist die Cloud-Service-Plattform von ByteDance und bietet Doubao sowie weitere große Sprachmodell-Dienste an. Verwenden Sie den Access Key zur Authentifizierung, um die Modellliste abzurufen.",
+        "project_name": "Projektname",
+        "project_name_help": "Projektname für Endpunktfilterung, Standardwert ist 'default'",
+        "region": "Region",
+        "region_help": "Service-Region, z. B. cn-beijing",
+        "save_credentials": "Anmeldedaten speichern",
+        "secret_access_key": "Geheimer Zugangsschlüssel",
+        "secret_access_key_help": "Ihr Volcengine Secret Access Key, bitte bewahren Sie ihn sicher auf.",
+        "title": "Volcengine-Konfiguration"
       }
     },
     "proxy": {

src/renderer/src/i18n/translate/el-gr.json

@@ -4601,6 +4601,24 @@
           "private_key_placeholder": "Παρακαλώ εισάγετε το ιδιωτικό κλειδί του λογαριασμού υπηρεσίας",
           "title": "Διαμόρφωση λογαριασμού υπηρεσίας"
         }
+      },
+      "volcengine": {
+        "access_key_id": "Αναγνωριστικό Κλειδιού Πρόσβασης",
+        "access_key_id_help": "Το Αναγνωριστικό Κλειδιού Πρόσβασης του Volcengine σας",
+        "clear_credentials": "Καθαρά Διαπιστευτήρια",
+        "credentials_cleared": "Τα διαπιστευτήρια διαγράφηκαν",
+        "credentials_required": "Παρακαλούμε συμπληρώστε το Access Key ID και το Secret Access Key",
+        "credentials_save_failed": "Αποτυχία αποθήκευσης διαπιστευτηρίων",
+        "credentials_saved": "Τα διαπιστευτήρια αποθηκεύτηκαν",
+        "description": "Η Volcengine είναι η πλατφόρμα υπηρεσιών cloud της ByteDance, παρέχοντας το Doubao και άλλες υπηρεσίες μεγάλων γλωσσικών μοντέλων. Χρησιμοποιήστε το Access Key για πιστοποίηση για να ανακτήσετε τη λίστα μοντέλων.",
+        "project_name": "Όνομα Έργου",
+        "project_name_help": "Όνομα έργου για φιλτράρισμα τελικού σημείου, προεπιλογή είναι 'default'",
+        "region": "Περιοχή",
+        "region_help": "Περιοχή υπηρεσίας, π.χ. cn-beijing",
+        "save_credentials": "Αποθήκευση Διαπιστευτηρίων",
+        "secret_access_key": "Μυστικό Κλειδί Πρόσβασης",
+        "secret_access_key_help": "Το μυστικό κλειδί πρόσβασής σας στο Volcengine, παρακαλώ διατηρήστε το ασφαλές",
+        "title": "Διαμόρφωση Volcengine"
       }
     },
     "proxy": {

src/renderer/src/i18n/translate/es-es.json

@@ -4601,6 +4601,24 @@
           "private_key_placeholder": "Ingrese la clave privada de Service Account",
           "title": "Configuración de Service Account"
         }
+      },
+      "volcengine": {
+        "access_key_id": "ID de clave de acceso",
+        "access_key_id_help": "Tu ID de clave de acceso de Volcengine",
+        "clear_credentials": "Credenciales Claras",
+        "credentials_cleared": "Credenciales borradas",
+        "credentials_required": "Por favor, complete el ID de clave de acceso y la clave de acceso secreta.",
+        "credentials_save_failed": "Error al guardar las credenciales",
+        "credentials_saved": "Credenciales guardadas",
+        "description": "Volcengine es la plataforma de servicios en la nube de ByteDance, que proporciona Doubao y otros servicios de modelos de lenguaje de gran escala. Utiliza Access Key para la autenticación y obtener la lista de modelos.",
+        "project_name": "Nombre del Proyecto",
+        "project_name_help": "Nombre del proyecto para el filtrado de puntos de conexión, el valor predeterminado es 'default'",
+        "region": "Región",
+        "region_help": "Región de servicio, p. ej., cn-beijing",
+        "save_credentials": "Guardar Credenciales",
+        "secret_access_key": "Clave de acceso secreta",
+        "secret_access_key_help": "Tu clave de acceso secreta de Volcengine, por favor mantenla segura.",
+        "title": "Configuración de Volcengine"
       }
     },
     "proxy": {

src/renderer/src/i18n/translate/fr-fr.json

@@ -4601,6 +4601,24 @@
           "private_key_placeholder": "Veuillez saisir la clé privée du compte de service",
           "title": "Configuration du compte de service"
         }
+      },
+      "volcengine": {
+        "access_key_id": "ID de clé d’accès",
+        "access_key_id_help": "Votre ID de clé d'accès Volcengine",
+        "clear_credentials": "Effacer les identifiants",
+        "credentials_cleared": "Identifiants effacés",
+        "credentials_required": "Veuillez renseigner l'ID de clé d'accès et la clé d'accès secrète",
+        "credentials_save_failed": "Échec de l'enregistrement des identifiants",
+        "credentials_saved": "Identifiants enregistrés",
+        "description": "Volcengine est la plateforme de services cloud de ByteDance, fournissant des services de modèles de langage de grande taille tels que Doubao. Utilisez la clé d'accès pour l'authentification afin de récupérer la liste des modèles.",
+        "project_name": "Nom du projet",
+        "project_name_help": "Nom du projet pour le filtrage des points de terminaison, la valeur par défaut est 'default'",
+        "region": "Région",
+        "region_help": "Région de service, par ex. cn-beijing",
+        "save_credentials": "Enregistrer les identifiants",
+        "secret_access_key": "Clé d'accès secrète",
+        "secret_access_key_help": "Votre clé d'accès secrète Volcengine, veuillez la conserver en sécurité",
+        "title": "Configuration Volcengine"
       }
     },
     "proxy": {

src/renderer/src/i18n/translate/ja-jp.json

@@ -4601,6 +4601,24 @@
           "private_key_placeholder": "サービスアカウントの秘密鍵を入力してください",
           "title": "サービスアカウント設定"
         }
+      },
+      "volcengine": {
+        "access_key_id": "アクセスキーID",
+        "access_key_id_help": "あなたのVolcengineアクセスキーID",
+        "clear_credentials": "資格証明書をクリア",
+        "credentials_cleared": "資格情報がクリアされました",
+        "credentials_required": "アクセスキーIDとシークレットアクセスキーを入力してください",
+        "credentials_save_failed": "認証情報の保存に失敗しました",
+        "credentials_saved": "認証情報が保存されました",
+        "description": "VolcengineはByteDanceのクラウドサービスプラットフォームで、Doubaoやその他の大規模言語モデルサービスを提供しています。認証にはアクセスキーを使用してモデルリストを取得します。",
+        "project_name": "プロジェクト名",
+        "project_name_help": "エンドポイントフィルタリング用のプロジェクト名、デフォルトは「default」",
+        "region": "地域",
+        "region_help": "サービスリージョン、例: cn-beijing",
+        "save_credentials": "資格情報を保存",
+        "secret_access_key": "シークレットアクセスキー",
+        "secret_access_key_help": "あなたの Volcengine シークレットアクセスキーは、安全に保管してください。",
+        "title": "Volcengine設定"
       }
     },
     "proxy": {

src/renderer/src/i18n/translate/pt-pt.json

@@ -4601,6 +4601,24 @@
           "private_key_placeholder": "Por favor, insira a chave privada da Conta de Serviço",
           "title": "Configuração da Conta de Serviço"
         }
+      },
+      "volcengine": {
+        "access_key_id": "ID da Chave de Acesso",
+        "access_key_id_help": "Seu ID de Chave de Acesso Volcengine",
+        "clear_credentials": "Credenciais Limpas",
+        "credentials_cleared": "Credenciais limpas",
+        "credentials_required": "Por favor, preencha o ID da Chave de Acesso e a Chave de Acesso Secreta",
+        "credentials_save_failed": "Falha ao salvar as credenciais",
+        "credentials_saved": "Credenciais salvas",
+        "description": "Volcengine é a plataforma de serviços em nuvem da ByteDance, fornecendo o Doubao e outros serviços de grandes modelos de linguagem. Use a Access Key para autenticação ao obter a lista de modelos.",
+        "project_name": "Nome do Projeto",
+        "project_name_help": "Nome do projeto para filtragem de endpoint, o padrão é 'default'",
+        "region": "Região",
+        "region_help": "Região de serviço, por exemplo, cn-beijing",
+        "save_credentials": "Salvar Credenciais",
+        "secret_access_key": "Chave de Acesso Secreta",
+        "secret_access_key_help": "Sua Chave de Acesso Secreta da Volcengine, mantenha-a segura",
+        "title": "Configuração do Volcengine"
       }
     },
     "proxy": {

src/renderer/src/i18n/translate/ru-ru.json

@@ -4601,6 +4601,24 @@
           "private_key_placeholder": "Введите приватный ключ Service Account",
           "title": "Конфигурация Service Account"
         }
+      },
+      "volcengine": {
+        "access_key_id": "Идентификатор ключа доступа",
+        "access_key_id_help": "Ваш идентификатор ключа доступа Volcengine",
+        "clear_credentials": "Очистить учетные данные",
+        "credentials_cleared": "Учетные данные очищены",
+        "credentials_required": "Пожалуйста, введите идентификатор ключа доступа и секретный ключ доступа",
+        "credentials_save_failed": "Не удалось сохранить учетные данные",
+        "credentials_saved": "Учетные данные сохранены",
+        "description": "Volcengine — это облачная платформа ByteDance, предоставляющая Doubao и другие сервисы крупных языковых моделей. Для аутентификации используйте Access Key, чтобы получить список моделей.",
+        "project_name": "Название проекта",
+        "project_name_help": "Имя проекта для фильтрации конечных точек, по умолчанию — «default»",
+        "region": "Регион",
+        "region_help": "Регион обслуживания, например, cn-beijing",
+        "save_credentials": "Сохранить учетные данные",
+        "secret_access_key": "Секретный ключ доступа",
+        "secret_access_key_help": "Ваш секретный ключ доступа Volcengine, пожалуйста, храните его в безопасности",
+        "title": "Конфигурация Volcengine"
       }
     },
     "proxy": {

src/renderer/src/pages/settings/ProviderSettings/ProviderSetting.tsx

@@ -62,6 +62,7 @@ import OVMSSettings from './OVMSSettings'
 import ProviderOAuth from './ProviderOAuth'
 import SelectProviderModelPopup from './SelectProviderModelPopup'
 import VertexAISettings from './VertexAISettings'
+import VolcengineSettings from './VolcengineSettings'
 
 interface Props {
   providerId: string
@@ -602,6 +603,7 @@ const ProviderSetting: FC<Props> = ({ providerId }) => {
       {provider.id === 'copilot' && <GithubCopilotSettings providerId={provider.id} />}
       {provider.id === 'aws-bedrock' && <AwsBedrockSettings />}
       {provider.id === 'vertexai' && <VertexAISettings />}
+      {provider.id === 'doubao' && <VolcengineSettings />}
       <ModelList providerId={provider.id} />
     </SettingContainer>
   )

src/renderer/src/pages/settings/ProviderSettings/VolcengineSettings.tsx

@@ -0,0 +1,165 @@
+import { loggerService } from '@logger'
+import { HStack } from '@renderer/components/Layout'
+import { useVolcengineSettings } from '@renderer/hooks/useVolcengine'
+import { Alert, Button, Input, Space } from 'antd'
+import type { FC } from 'react'
+import { useCallback, useEffect, useState } from 'react'
+import { useTranslation } from 'react-i18next'
+
+import { SettingHelpLink, SettingHelpText, SettingHelpTextRow, SettingSubtitle } from '..'
+const accessKeyWebSite = 'https://console.volcengine.com/iam/identitymanage'
+
+const VolcengineSettings: FC = () => {
+  const { t } = useTranslation()
+  const { region, projectName, setRegion, setProjectName } = useVolcengineSettings()
+
+  const [localAccessKeyId, setLocalAccessKeyId] = useState('')
+  const [localSecretAccessKey, setLocalSecretAccessKey] = useState('')
+  const [localRegion, setLocalRegion] = useState(region)
+  const [localProjectName, setLocalProjectName] = useState(projectName)
+  const [saving, setSaving] = useState(false)
+  const [hasCredentials, setHasCredentials] = useState(false)
+
+  // Check if credentials exist on mount
+  useEffect(() => {
+    window.api.volcengine
+      .hasCredentials()
+      .then(setHasCredentials)
+      .catch((error) => {
+        loggerService.withContext('VolcengineSettings').error('Failed to check credentials:', error as Error)
+        window.toast?.error('Failed to check Volcengine credentials')
+      })
+  }, [])
+
+  // Sync local state with store (only for region and projectName)
+  useEffect(() => {
+    setLocalRegion(region)
+    setLocalProjectName(projectName)
+  }, [region, projectName])
+
+  const handleSaveCredentials = useCallback(async () => {
+    if (!localAccessKeyId || !localSecretAccessKey) {
+      window.toast.error(t('settings.provider.volcengine.credentials_required'))
+      return
+    }
+
+    setSaving(true)
+    try {
+      // Save credentials to secure storage via IPC first
+      await window.api.volcengine.saveCredentials(localAccessKeyId, localSecretAccessKey)
+
+      // Only update Redux after IPC success (for region and projectName only)
+      setRegion(localRegion)
+      setProjectName(localProjectName)
+
+      setHasCredentials(true)
+      // Clear local credential state after successful save (they're now in secure storage)
+      setLocalAccessKeyId('')
+      setLocalSecretAccessKey('')
+      window.toast.success(t('settings.provider.volcengine.credentials_saved'))
+    } catch (error) {
+      loggerService.withContext('VolcengineSettings').error('Failed to save credentials:', error as Error)
+      window.toast.error(t('settings.provider.volcengine.credentials_save_failed'))
+    } finally {
+      setSaving(false)
+    }
+  }, [localAccessKeyId, localSecretAccessKey, localRegion, localProjectName, setRegion, setProjectName, t])
+
+  const handleClearCredentials = useCallback(async () => {
+    try {
+      await window.api.volcengine.clearCredentials()
+      setLocalAccessKeyId('')
+      setLocalSecretAccessKey('')
+      setHasCredentials(false)
+      window.toast.success(t('settings.provider.volcengine.credentials_cleared'))
+    } catch (error) {
+      loggerService.withContext('VolcengineSettings').error('Failed to clear credentials:', error as Error)
+      window.toast.error(String(error))
+    }
+  }, [t])
+
+  return (
+    <>
+      <SettingSubtitle style={{ marginTop: 5 }}>{t('settings.provider.volcengine.title')}</SettingSubtitle>
+      <Alert type="info" style={{ marginTop: 5 }} message={t('settings.provider.volcengine.description')} showIcon />
+
+      {!hasCredentials ? (
+        <>
+          <SettingSubtitle style={{ marginTop: 15 }}>{t('settings.provider.volcengine.access_key_id')}</SettingSubtitle>
+          <Input
+            value={localAccessKeyId}
+            placeholder="Access Key ID"
+            onChange={(e) => setLocalAccessKeyId(e.target.value)}
+            style={{ marginTop: 5 }}
+            spellCheck={false}
+          />
+          <SettingHelpTextRow>
+            <SettingHelpText>{t('settings.provider.volcengine.access_key_id_help')}</SettingHelpText>
+          </SettingHelpTextRow>
+
+          <SettingSubtitle style={{ marginTop: 15 }}>
+            {t('settings.provider.volcengine.secret_access_key')}
+          </SettingSubtitle>
+          <Input.Password
+            value={localSecretAccessKey}
+            placeholder="Secret Access Key"
+            onChange={(e) => setLocalSecretAccessKey(e.target.value)}
+            style={{ marginTop: 5 }}
+            spellCheck={false}
+          />
+          <SettingHelpTextRow style={{ justifyContent: 'space-between' }}>
+            <HStack>
+              <SettingHelpLink target="_blank" href={accessKeyWebSite}>
+                {t('settings.provider.get_api_key')}
+              </SettingHelpLink>
+            </HStack>
+            <SettingHelpText>{t('settings.provider.volcengine.secret_access_key_help')}</SettingHelpText>
+          </SettingHelpTextRow>
+          <SettingSubtitle style={{ marginTop: 15 }}>{t('settings.provider.volcengine.region')}</SettingSubtitle>
+          <Input
+            value={localRegion}
+            placeholder="cn-beijing"
+            onChange={(e) => setLocalRegion(e.target.value)}
+            onBlur={() => setRegion(localRegion)}
+            style={{ marginTop: 5 }}
+          />
+          <SettingHelpTextRow>
+            <SettingHelpText>{t('settings.provider.volcengine.region_help')}</SettingHelpText>
+          </SettingHelpTextRow>
+
+          <SettingSubtitle style={{ marginTop: 15 }}>{t('settings.provider.volcengine.project_name')}</SettingSubtitle>
+          <Input
+            value={localProjectName}
+            placeholder="default"
+            onChange={(e) => setLocalProjectName(e.target.value)}
+            onBlur={() => setProjectName(localProjectName)}
+            style={{ marginTop: 5 }}
+          />
+          <SettingHelpTextRow>
+            <SettingHelpText>{t('settings.provider.volcengine.project_name_help')}</SettingHelpText>
+          </SettingHelpTextRow>
+        </>
+      ) : (
+        <Alert
+          type="success"
+          style={{ marginTop: 15 }}
+          message={t('settings.provider.volcengine.credentials_saved_notice')}
+          showIcon
+        />
+      )}
+
+      <Space style={{ marginTop: 15 }}>
+        <Button type="primary" onClick={handleSaveCredentials} loading={saving}>
+          {t('settings.provider.volcengine.save_credentials')}
+        </Button>
+        {hasCredentials && (
+          <Button danger onClick={handleClearCredentials}>
+            {t('settings.provider.volcengine.clear_credentials')}
+          </Button>
+        )}
+      </Space>
+    </>
+  )
+}
+
+export default VolcengineSettings

src/renderer/src/services/__tests__/ApiService.test.ts

@@ -242,6 +242,10 @@ vi.mock('@renderer/store/llm.ts', () => {
         secretAccessKey: '',
         apiKey: '',
         region: ''
+      },
+      volcengine: {
+        region: 'cn-beijing',
+        projectName: 'default'
       }
     }
   } satisfies LlmState

src/renderer/src/store/llm.ts

@@ -31,6 +31,10 @@ type LlmSettings = {
     apiKey: string
     region: string
   }
+  volcengine: {
+    region: string
+    projectName: string
+  }
 }
 
 export interface LlmState {
@@ -75,6 +79,10 @@ export const initialState: LlmState = {
       secretAccessKey: '',
       apiKey: '',
       region: ''
+    },
+    volcengine: {
+      region: 'cn-beijing',
+      projectName: 'default'
     }
   }
 }
@@ -216,6 +224,12 @@ const llmSlice = createSlice({
     setAwsBedrockRegion: (state, action: PayloadAction<string>) => {
       state.settings.awsBedrock.region = action.payload
     },
+    setVolcengineRegion: (state, action: PayloadAction<string>) => {
+      state.settings.volcengine.region = action.payload
+    },
+    setVolcengineProjectName: (state, action: PayloadAction<string>) => {
+      state.settings.volcengine.projectName = action.payload
+    },
     updateModel: (
       state,
       action: PayloadAction<{
@@ -257,6 +271,8 @@ export const {
   setAwsBedrockSecretAccessKey,
   setAwsBedrockApiKey,
   setAwsBedrockRegion,
+  setVolcengineRegion,
+  setVolcengineProjectName,
   updateModel
 } = llmSlice.actions
 

src/renderer/src/store/migrate.ts

@@ -2961,6 +2961,9 @@ const migrateConfig = {
         }
       })
       state.llm.providers = moveProvider(state.llm.providers, SystemProviderIds.poe, 10)
+      if (!state.llm.settings.volcengine) {
+        state.llm.settings.volcengine = llmInitialState.settings.volcengine
+      }
       logger.info('migrate 183 success')
       return state
     } catch (error) {