@oh-my-pi/pi-ai 15.4.3 → 15.5.0

package/CHANGELOG.md

@@ -2,6 +2,21 @@
 
 ## [Unreleased]
 
+## [15.5.0] - 2026-05-26
+### Added
+
+- Added `zhipu-coding-plan` provider for Zhipu (智谱) BigModel's domestic coding-plan SKU at `https://open.bigmodel.cn/api/coding/paas/v4`, with dynamic model discovery (`ZHIPU_API_KEY`), zai-format thinking, `reasoning_content` field, and OAuth login flow ([#1340](https://github.com/can1357/oh-my-pi/issues/1340)).
+
+### Removed
+
+- Removed the `pi-ai` CLI binary (`packages/ai/src/cli.ts`) and its `bin` entry. Use the in-process equivalent in the omp coding-agent CLI: `omp auth-broker login [provider]`, `omp auth-broker logout [provider]`, and `omp auth-broker list`. The library API (`AuthStorage.login()`, `getOAuthProviders()`, etc.) is unchanged.
+
+### Fixed
+
+- Fixed delayed `toolResult` emissions so real tool results are emitted in the correct assistant `toolCall` window after handoff/compaction, preventing out-of-order or orphaned tool results
+- Fixed delayed `toolResult` handling for aborted calls so a late real result is emitted instead of a synthetic `aborted` result for the same `toolCallId`
+- Fixed usage polling to disable credentials when OAuth refresh fails definitively (for example `invalid_grant`) and clear cached last-good usage data so stale reports no longer remain visible
+
 ## [15.4.3] - 2026-05-26
 
 ### Fixed

package/README.md

@@ -1057,13 +1057,14 @@ Official docs: [Application Default Credentials](https://cloud.google.com/docs/a
 
 ### CLI Login
 
-The quickest way to authenticate:
+Authenticate via the [`omp`](https://omp.sh) coding-agent CLI, which drives this library's OAuth/API-key flows in-process and persists into `agent.db`:
 
 ```bash
-bunx @oh-my-pi/pi-ai login              # interactive provider selection
-bunx @oh-my-pi/pi-ai login anthropic    # login to specific provider
-bunx @oh-my-pi/pi-ai login vllm         # store vLLM API key (or placeholder for local no-auth)
-bunx @oh-my-pi/pi-ai list               # list available providers
+omp auth-broker login              # interactive provider selection
+omp auth-broker login anthropic    # login to a specific provider
+omp auth-broker login vllm         # store vLLM API key (or placeholder for local no-auth)
+omp auth-broker list               # list supported providers
+omp auth-broker logout             # interactive — pick a stored credential to remove
 ```
 
 Credentials are saved to `agent.db` in the agent directory. `/login qianfan` opens the Qianfan console and stores the pasted API key.

package/dist/types/auth-broker/refresher.d.ts

@@ -1,4 +1,4 @@
-import type { AuthStorage } from "../auth-storage";
+import { type AuthStorage } from "../auth-storage";
 export interface AuthBrokerRefresherOptions {
     storage: AuthStorage;
     /** Refresh credentials expiring within this window. Default 5 min. */

package/dist/types/auth-storage.d.ts

@@ -281,6 +281,7 @@ export type AuthStorageOptions = {
      */
     fetchUsageReports?: (signal?: AbortSignal) => Promise<UsageReport[] | null>;
 };
+export declare function isDefinitiveOAuthFailure(errorMsg: string): boolean;
 type AuthApiKeyOptions = {
     baseUrl?: string;
     modelId?: string;

package/dist/types/provider-models/openai-compat.d.ts

@@ -58,6 +58,11 @@ export interface DeepSeekModelManagerConfig {
     baseUrl?: string;
 }
 export declare function deepseekModelManagerOptions(config?: DeepSeekModelManagerConfig): ModelManagerOptions<"openai-completions">;
+export interface ZhipuCodingPlanModelManagerConfig {
+    apiKey?: string;
+    baseUrl?: string;
+}
+export declare function zhipuCodingPlanModelManagerOptions(config?: ZhipuCodingPlanModelManagerConfig): ModelManagerOptions<"openai-completions">;
 export interface FireworksModelManagerConfig {
     apiKey?: string;
     baseUrl?: string;

package/dist/types/types.d.ts

@@ -48,7 +48,7 @@ export interface ThinkingConfig {
     /** Provider-specific transport used to encode the selected effort. */
     mode: ThinkingControlMode;
 }
-export type KnownProvider = "alibaba-coding-plan" | "amazon-bedrock" | "anthropic" | "google" | "google-gemini-cli" | "google-antigravity" | "google-vertex" | "openai" | "openai-codex" | "kimi-code" | "minimax-code" | "minimax-code-cn" | "github-copilot" | "fireworks" | "firepass" | "gitlab-duo" | "cursor" | "deepseek" | "xai" | "groq" | "cerebras" | "openrouter" | "kilo" | "vercel-ai-gateway" | "zai" | "mistral" | "minimax" | "opencode-go" | "opencode-zen" | "synthetic" | "cloudflare-ai-gateway" | "huggingface" | "litellm" | "moonshot" | "nvidia" | "nanogpt" | "ollama" | "ollama-cloud" | "qianfan" | "qwen-portal" | "together" | "venice" | "vllm" | "xiaomi" | "zenmux" | "lm-studio";
+export type KnownProvider = "alibaba-coding-plan" | "amazon-bedrock" | "anthropic" | "google" | "google-gemini-cli" | "google-antigravity" | "google-vertex" | "openai" | "openai-codex" | "kimi-code" | "minimax-code" | "minimax-code-cn" | "github-copilot" | "fireworks" | "firepass" | "gitlab-duo" | "cursor" | "deepseek" | "xai" | "groq" | "cerebras" | "openrouter" | "kilo" | "vercel-ai-gateway" | "zai" | "zhipu-coding-plan" | "mistral" | "minimax" | "opencode-go" | "opencode-zen" | "synthetic" | "cloudflare-ai-gateway" | "huggingface" | "litellm" | "moonshot" | "nvidia" | "nanogpt" | "ollama" | "ollama-cloud" | "qianfan" | "qwen-portal" | "together" | "venice" | "vllm" | "xiaomi" | "zenmux" | "lm-studio";
 export type Provider = KnownProvider | string;
 import type { Effort } from "./model-thinking";
 /** Token budgets for each thinking level (token-based providers only) */

package/dist/types/utils/oauth/types.d.ts

@@ -7,7 +7,7 @@ export type OAuthCredentials = {
     email?: string;
     accountId?: string;
 };
-export type OAuthProvider = "alibaba-coding-plan" | "anthropic" | "cerebras" | "cloudflare-ai-gateway" | "cursor" | "deepseek" | "fireworks" | "firepass" | "github-copilot" | "google-gemini-cli" | "google-antigravity" | "gitlab-duo" | "huggingface" | "kimi-code" | "kilo" | "kagi" | "litellm" | "lm-studio" | "minimax-code" | "minimax-code-cn" | "moonshot" | "nvidia" | "nanogpt" | "ollama" | "ollama-cloud" | "openai-codex" | "openai-codex-device" | "opencode-go" | "opencode-zen" | "parallel" | "perplexity" | "qianfan" | "qwen-portal" | "synthetic" | "tavily" | "together" | "venice" | "vercel-ai-gateway" | "vllm" | "xiaomi" | "zenmux" | "zai";
+export type OAuthProvider = "alibaba-coding-plan" | "anthropic" | "cerebras" | "cloudflare-ai-gateway" | "cursor" | "deepseek" | "fireworks" | "firepass" | "github-copilot" | "google-gemini-cli" | "google-antigravity" | "gitlab-duo" | "huggingface" | "kimi-code" | "kilo" | "kagi" | "litellm" | "lm-studio" | "minimax-code" | "minimax-code-cn" | "moonshot" | "nvidia" | "nanogpt" | "ollama" | "ollama-cloud" | "openai-codex" | "openai-codex-device" | "opencode-go" | "opencode-zen" | "parallel" | "perplexity" | "qianfan" | "qwen-portal" | "synthetic" | "tavily" | "together" | "venice" | "vercel-ai-gateway" | "vllm" | "xiaomi" | "zenmux" | "zai" | "zhipu-coding-plan";
 export type OAuthProviderId = OAuthProvider | (string & {});
 export type OAuthPrompt = {
     message: string;

package/dist/types/utils/oauth/zhipu.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Zhipu Coding Plan login flow.
+ *
+ * Zhipu BigModel (智谱) provides an OpenAI-compatible API.
+ * API docs: https://docs.bigmodel.cn/cn/guide/develop/openai/introduction
+ *
+ * Simple API key flow:
+ * 1. User gets their API key from https://open.bigmodel.cn
+ * 2. User pastes the API key into the CLI
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to Zhipu Coding Plan.
+ *
+ * Opens browser to API keys page, prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export declare function loginZhipuCodingPlan(options: OAuthController): Promise<string>;

package/package.json

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@oh-my-pi/pi-ai",
-	"version": "15.4.3",
+	"version": "15.5.0",
 	"description": "Unified LLM API with automatic model discovery and provider configuration",
 	"homepage": "https://omp.sh",
 	"author": "Can Boluk",
@@ -28,9 +28,6 @@
 	],
 	"main": "./src/index.ts",
 	"types": "./dist/types/index.d.ts",
-	"bin": {
-		"pi-ai": "./src/cli.ts"
-	},
 	"scripts": {
 		"check": "biome check . && bun run check:types",
 		"check:types": "tsgo -p tsconfig.json --noEmit",
@@ -43,7 +40,7 @@
 	"dependencies": {
 		"@anthropic-ai/sdk": "^0.94.0",
 		"@bufbuild/protobuf": "^2.12.0",
-		"@oh-my-pi/pi-utils": "15.4.3",
+		"@oh-my-pi/pi-utils": "15.5.0",
 		"openai": "^6.36.0",
 		"partial-json": "^0.1.7",
 		"zod": "4.4.3"

package/src/auth-broker/refresher.ts

@@ -10,7 +10,7 @@
  * snapshot pull surfaces a clean delete on the client.
  */
 import { logger } from "@oh-my-pi/pi-utils";
-import type { AuthStorage } from "../auth-storage";
+import { type AuthStorage, isDefinitiveOAuthFailure } from "../auth-storage";
 import { DEFAULT_REFRESH_INTERVAL_MS, DEFAULT_REFRESH_SKEW_MS } from "./types";
 
 export interface AuthBrokerRefresherOptions {
@@ -23,16 +23,6 @@ export interface AuthBrokerRefresherOptions {
 	now?: () => number;
 }
 
-const INVALID_GRANT_REGEX = /invalid_grant|invalid_token|revoked|unauthorized|expired.*refresh|refresh.*expired/i;
-const TRANSIENT_REGEX = /timeout|network|fetch failed|ECONNREFUSED/i;
-const HTTP_401_403_REGEX = /\b(401|403)\b/;
-
-function isDefinitiveFailure(errorMsg: string): boolean {
-	if (INVALID_GRANT_REGEX.test(errorMsg)) return true;
-	if (HTTP_401_403_REGEX.test(errorMsg) && !TRANSIENT_REGEX.test(errorMsg)) return true;
-	return false;
-}
-
 export interface AuthBrokerRefresherSchedule {
 	enabled: boolean;
 	intervalMs: number;
@@ -113,7 +103,7 @@ export class AuthBrokerRefresher {
 			await this.#storage.refreshCredentialById(id);
 		} catch (error) {
 			const errorMsg = String(error);
-			if (isDefinitiveFailure(errorMsg)) {
+			if (isDefinitiveOAuthFailure(errorMsg)) {
 				logger.warn("auth-broker refresh failed definitively; disabling credential", {
 					id,
 					error: errorMsg,

package/src/auth-storage.ts

@@ -414,6 +414,29 @@ const OAUTH_REFRESH_SKEW_MS = 60_000;
  */
 const MAX_PENDING_DISABLED_EVENTS = 32;
 
+/**
+ * Classify an OAuth refresh error as a definitive credential failure (the
+ * refresh token is dead — re-login required) versus a transient blip
+ * (network/5xx — retry next sweep).
+ *
+ * Anchored at module scope so all three refresh sites — in-stream
+ * {@link AuthStorage.getApiKey}, the usage probe in
+ * {@link AuthStorage.fetchUsageReports}, and the auth-broker background
+ * refresher — disable rows on the same criteria. A drifting classifier
+ * between sites would let stale last-good usage reports surface indefinitely
+ * while streaming requests correctly tear the row down.
+ */
+const OAUTH_DEFINITIVE_FAILURE_REGEX =
+	/invalid_grant|invalid_token|revoked|unauthorized|expired.*refresh|refresh.*expired/i;
+const OAUTH_TRANSIENT_FAILURE_REGEX = /timeout|network|fetch failed|ECONNREFUSED/i;
+const OAUTH_HTTP_AUTH_REGEX = /\b(401|403)\b/;
+
+export function isDefinitiveOAuthFailure(errorMsg: string): boolean {
+	if (OAUTH_DEFINITIVE_FAILURE_REGEX.test(errorMsg)) return true;
+	if (OAUTH_HTTP_AUTH_REGEX.test(errorMsg) && !OAUTH_TRANSIENT_FAILURE_REGEX.test(errorMsg)) return true;
+	return false;
+}
+
 type UsageCacheEntry<T> = {
 	value: T;
 	expiresAt: number;
@@ -1497,6 +1520,12 @@ export class AuthStorage {
 				await saveApiKeyCredential(apiKey);
 				return;
 			}
+			case "zhipu-coding-plan": {
+				const { loginZhipuCodingPlan } = await import("./utils/oauth/zhipu");
+				const apiKey = await loginZhipuCodingPlan(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
 			case "qianfan": {
 				const { loginQianfan } = await import("./utils/oauth/qianfan");
 				const apiKey = await loginQianfan(ctrl);
@@ -1832,9 +1861,50 @@ export class AuthStorage {
 						credential: refreshedCredential,
 					};
 				} catch (error) {
+					const errorMsg = String(error);
+					// Definitive failure (invalid_grant / 401 not from a network blip) means
+					// the refresh token itself is dead — probing with the original credential
+					// will 401, the catch below will return null, and #fetchUsageCached's
+					// last-good fallback will surface yesterday's report indefinitely
+					// (including its already-elapsed `resetsAt`). CAS-disable the row and
+					// clear the cache so the credential drops out of the report instead of
+					// freezing in place until the user notices and re-logs in.
+					if (isDefinitiveOAuthFailure(errorMsg)) {
+						const credentialId = this.#findStoredCredentialIdForUsageCredential(
+							request.provider,
+							request.credential,
+						);
+						if (credentialId !== undefined) {
+							const entries = this.#getStoredCredentials(request.provider);
+							const index = entries.findIndex(entry => entry.id === credentialId);
+							if (index !== -1) {
+								const disabled = this.#tryDisableCredentialAtIfMatches(
+									request.provider,
+									index,
+									refreshableCredential,
+									`oauth refresh failed during usage probe: ${errorMsg}`,
+								);
+								if (disabled) {
+									this.#usageLogger?.warn(
+										"Usage credential refresh failed definitively; credential disabled",
+										{ provider: request.provider, credentialId, error: errorMsg },
+									);
+									// Neutralize last-good for this cache key: write a null
+									// entry with an immediately-elapsed expiry so a future
+									// getStale lookup (e.g. on re-login under the same
+									// account identity) can't replay the stale report.
+									this.#usageCache.set(this.#buildUsageReportCacheKey(request), {
+										value: null,
+										expiresAt: 0,
+									});
+									return null;
+								}
+							}
+						}
+					}
 					this.#usageLogger?.debug("Usage credential refresh failed, using original credential", {
 						provider: request.provider,
-						error: String(error),
+						error: errorMsg,
 					});
 				}
 			}
@@ -2877,9 +2947,7 @@ export class AuthStorage {
 			const errorMsg = String(error);
 			// Only remove credentials for definitive auth failures
 			// Keep credentials for transient errors (network, 5xx) and block temporarily
-			const isDefinitiveFailure =
-				/invalid_grant|invalid_token|revoked|unauthorized|expired.*refresh|refresh.*expired/i.test(errorMsg) ||
-				(/\b(401|403)\b/.test(errorMsg) && !/timeout|network|fetch failed|ECONNREFUSED/i.test(errorMsg));
+			const isDefinitiveFailure = isDefinitiveOAuthFailure(errorMsg);
 
 			logger.warn("OAuth token refresh failed", {
 				provider,

package/src/provider-models/descriptors.ts

@@ -42,6 +42,7 @@ import {
 	xaiModelManagerOptions,
 	xiaomiModelManagerOptions,
 	zenmuxModelManagerOptions,
+	zhipuCodingPlanModelManagerOptions,
 } from "./openai-compat";
 import { cursorModelManagerOptions, zaiModelManagerOptions } from "./special";
 
@@ -153,6 +154,17 @@ export const PROVIDER_DESCRIPTORS: readonly ProviderDescriptor[] = [
 		config => fireworksModelManagerOptions(config),
 		catalog("Fireworks", ["FIREWORKS_API_KEY"]),
 	),
+	// Fire Pass does not expose a /v1/models endpoint — the API returns HTTP 403
+	// on any catalog-discovery request, so dynamic model listing is not feasible.
+	//
+	// The single model `kimi-k2.6-turbo` is seeded via the `prevModelsJson`
+	// fallback in `generate-models.ts`, which preserves entries from the previous
+	// catalog snapshot when a provider does not surface them dynamically.
+	//
+	// IMPORTANT: Do NOT delete the firepass section from models.json. No
+	// descriptor here produces that entry dynamically — removing it from
+	// models.json would permanently drop the model from the catalog with no
+	// automated mechanism to restore it.
 	descriptor("firepass", "kimi-k2.6-turbo", config => firepassModelManagerOptions(config)),
 	descriptor("xai", "grok-4-fast-non-reasoning", config => xaiModelManagerOptions(config)),
 	catalogDescriptor(
@@ -281,6 +293,12 @@ export const PROVIDER_DESCRIPTORS: readonly ProviderDescriptor[] = [
 		catalog("ZenMux", ["ZENMUX_API_KEY"]),
 	),
 	catalogDescriptor("zai", "glm-5.1", config => zaiModelManagerOptions(config), catalog("zAI", ["ZAI_API_KEY"])),
+	catalogDescriptor(
+		"zhipu-coding-plan",
+		"glm-5.1",
+		config => zhipuCodingPlanModelManagerOptions(config),
+		catalog("Zhipu Coding Plan", ["ZHIPU_API_KEY"]),
+	),
 	descriptor("github-copilot", "gpt-4o", config => githubCopilotModelManagerOptions(config)),
 	descriptor("google", "gemini-2.5-pro", config => googleModelManagerOptions(config)),
 	descriptor("google-vertex", "gemini-3-pro-preview", config => googleVertexModelManagerOptions(config), {

package/src/provider-models/google.ts

@@ -40,7 +40,11 @@ export function googleModelManagerOptions(
 
 export function googleVertexModelManagerOptions(config?: GoogleVertexModelManagerConfig): ModelManagerOptions {
 	const project = resolveVertexProject(config);
+	const hasApiKey = (config?.apiKey ?? Bun.env.GOOGLE_CLOUD_API_KEY ?? "").trim().length > 0;
 	const location = resolveVertexLocation(config);
+	if (hasApiKey) {
+		return { providerId: "google-vertex" };
+	}
 	if (project && location) {
 		return {
 			providerId: "google-vertex",
@@ -54,15 +58,10 @@ export function googleVertexModelManagerOptions(config?: GoogleVertexModelManage
 				}),
 		};
 	}
-	// API-key-only callers hit `aiplatform.googleapis.com/v1/publishers/google/models/...`
-	// directly, so the bundled Gemini catalog is the right fallback. Otherwise — no
-	// project, no location, no API key — drop the bundled static models so stale
-	// fallbacks (e.g. `gemini-1.5-*`) cannot leak into `/models` alongside an
-	// authoritative cached Vertex project catalog on the next refresh.
-	const hasApiKey = (config?.apiKey ?? Bun.env.GOOGLE_CLOUD_API_KEY ?? "").trim().length > 0;
-	if (hasApiKey) {
-		return { providerId: "google-vertex" };
-	}
+	// With neither ADC project+location nor API key auth configured, drop the
+	// bundled static catalog so stale fallbacks (e.g. `gemini-1.5-*`) cannot leak
+	// into `/models` alongside an authoritative cached Vertex project catalog on
+	// the next refresh.
 	return { providerId: "google-vertex", staticModels: [] };
 }
 function resolveVertexProject(config?: GoogleVertexModelManagerConfig): string | undefined {

package/src/provider-models/openai-compat.ts

@@ -600,6 +600,70 @@ export function deepseekModelManagerOptions(
 ): ModelManagerOptions<"openai-completions"> {
 	return createSimpleOpenAICompletionsOptions("deepseek", "https://api.deepseek.com", config);
 }
+// ---------------------------------------------------------------------------
+// 6.7 Zhipu Coding Plan
+// ---------------------------------------------------------------------------
+
+export interface ZhipuCodingPlanModelManagerConfig {
+	apiKey?: string;
+	baseUrl?: string;
+}
+
+export function zhipuCodingPlanModelManagerOptions(
+	config?: ZhipuCodingPlanModelManagerConfig,
+): ModelManagerOptions<"openai-completions"> {
+	const apiKey = config?.apiKey;
+	const baseUrl = config?.baseUrl ?? "https://open.bigmodel.cn/api/paas/v4";
+	return {
+		providerId: "zhipu-coding-plan",
+		...(apiKey && {
+			fetchDynamicModels: () =>
+				fetchOpenAICompatibleModels({
+					api: "openai-completions",
+					provider: "zhipu-coding-plan",
+					baseUrl,
+					apiKey,
+					mapModel: (
+						_entry: OpenAICompatibleModelRecord,
+						defaults: Model<"openai-completions">,
+						_context: OpenAICompatibleModelMapperContext<"openai-completions">,
+					): Model<"openai-completions"> => {
+						const id = defaults.id;
+						return {
+							...defaults,
+							reasoning: ZHIPU_REASONING_MODELS[id] === true || id.includes("thinking"),
+							input: ZHIPU_VISION_PATTERN.test(id) ? (["text", "image"] as const) : ["text"],
+							compat: {
+								thinkingFormat: "zai",
+								reasoningContentField: "reasoning_content",
+								supportsDeveloperRole: false,
+							},
+						};
+					},
+				}),
+		}),
+	};
+}
+
+// Reasoning-capable GLM models on the BigModel coding-plan SKU. Keep this
+// explicit rather than regex-matching `glm-[45]\.\d` so newly-added integers
+// like `glm-5` / `glm-5-turbo` are covered and unrelated future SKUs (e.g.
+// `glm-5-preview`) do not silently flip into thinking mode.
+const ZHIPU_REASONING_MODELS: Readonly<Record<string, true>> = {
+	"glm-4.5": true,
+	"glm-4.5-air": true,
+	"glm-4.6": true,
+	"glm-4.7": true,
+	"glm-5": true,
+	"glm-5-turbo": true,
+	"glm-5.1": true,
+};
+
+// Vision-capable GLM models follow the `glm-<N>[.<N>]v[-<variant>]` shape
+// (e.g. `glm-4v`, `glm-4.5v`, `glm-4v-plus`). The previous `id.includes("v")`
+// check matched anything with a `v` — including the non-vision `glm-5-preview`.
+const ZHIPU_VISION_PATTERN = /^glm-[45](?:\.\d+)?v(?:-|$)/;
+
 // ---------------------------------------------------------------------------
 // 7.5 Fireworks
 // ---------------------------------------------------------------------------
@@ -2184,6 +2248,14 @@ const MODELS_DEV_PROVIDER_DESCRIPTORS_CODING_PLANS: readonly ModelsDevProviderDe
 			},
 		},
 	),
+	// --- Zhipu Coding Plan ---
+	openAiCompletionsDescriptor("zhipu-coding-plan", "zhipu-coding-plan", "https://open.bigmodel.cn/api/paas/v4", {
+		compat: {
+			thinkingFormat: "zai",
+			reasoningContentField: "reasoning_content",
+			supportsDeveloperRole: false,
+		},
+	}),
 ];
 
 const filterActiveToolCallModels = (_id: string, m: ModelsDevModel): boolean => {

package/src/providers/openai-completions-compat.ts

@@ -51,6 +51,7 @@ export function detectOpenAICompat(model: Model<"openai-completions">, resolvedB
 
 	const isCerebras = provider === "cerebras" || baseUrl.includes("cerebras.ai");
 	const isZai = provider === "zai" || baseUrl.includes("api.z.ai");
+	const isZhipu = provider === "zhipu-coding-plan" || baseUrl.includes("open.bigmodel.cn");
 	const isKilo = provider === "kilo" || baseUrl.includes("api.kilo.ai");
 	const isKimiModel = model.id.includes("moonshotai/kimi") || /(^|\/)kimi[-.]/i.test(model.id);
 	const isMoonshotKimi =
@@ -97,6 +98,7 @@ export function detectOpenAICompat(model: Model<"openai-completions">, resolvedB
 		baseUrl.includes("fireworks.ai") ||
 		isAlibaba ||
 		isZai ||
+		isZhipu ||
 		isKilo ||
 		isQwen ||
 		provider === "opencode-zen" ||
@@ -156,6 +158,7 @@ export function detectOpenAICompat(model: Model<"openai-completions">, resolvedB
 			isMistral ||
 			isGrok ||
 			isZai ||
+			isZhipu ||
 			isCopilotHost ||
 			isZenmuxHost);
 
@@ -194,7 +197,7 @@ export function detectOpenAICompat(model: Model<"openai-completions">, resolvedB
 		// OpenAI's reasoning-API surface.
 		supportsDeveloperRole: isOpenAIHost || isAzureHost,
 		supportsMultipleSystemMessages: supportsMultipleSystemMessagesDefault,
-		supportsReasoningEffort: !isGrok && !isZai,
+		supportsReasoningEffort: !isGrok && !isZai && !isZhipu,
 		reasoningEffortMap,
 		supportsUsageInStreaming: !isCerebras,
 		disableReasoningOnForcedToolChoice: isKimiModel || isAnthropicModel,
@@ -206,7 +209,7 @@ export function detectOpenAICompat(model: Model<"openai-completions">, resolvedB
 		requiresThinkingAsText: isMistral,
 		requiresMistralToolIds: isMistral,
 		thinkingFormat:
-			isZai || isMoonshotKimi
+			isZai || isZhipu || isMoonshotKimi
 				? "zai"
 				: provider === "openrouter" || baseUrl.includes("openrouter.ai")
 					? "openrouter"

package/src/providers/transform-messages.ts

@@ -11,9 +11,9 @@ import type {
 } from "../types";
 
 const enum ToolCallStatus {
-	/** Tool call has received a result (real or synthetic for orphan) */
+	/** A tool result has already been emitted for this tool call; later duplicates must be skipped. */
 	Resolved = 1,
-	/** Tool call was from an aborted message; synthetic result injected, skip real results */
+	/** A synthetic aborted result was emitted; later real results must be skipped. */
 	Aborted = 2,
 }
 
@@ -131,9 +131,12 @@ export function transformMessages<TApi extends Api>(
 		}
 		return msg;
 	});
-	const realToolResultIds = new Set(
-		transformed.filter((msg): msg is ToolResultMessage => msg.role === "toolResult").map(msg => msg.toolCallId),
-	);
+	const realToolResultsById = new Map<string, ToolResultMessage>();
+	for (const msg of transformed) {
+		if (msg.role === "toolResult" && !realToolResultsById.has(msg.toolCallId)) {
+			realToolResultsById.set(msg.toolCallId, msg);
+		}
+	}
 
 	// Anthropic rejects `tool_result` blocks whose `tool_use_id` does not appear in a prior
 	// `tool_use` block. After handoff/compaction folds an assistant turn into a summary
@@ -148,29 +151,35 @@ export function transformMessages<TApi extends Api>(
 		}
 	}
 
-	// Second pass: insert synthetic empty tool results for orphaned tool calls
-	// and preserve aborted/errored tool results when they were already persisted.
+	// Second pass: ensure each surviving assistant tool call is immediately
+	// followed by exactly one corresponding tool result.
 	const result: Message[] = [];
 	let pendingToolCalls: ToolCall[] = [];
 	let pendingAbortedToolCalls = new Map<string, ToolCall>();
 	let pendingAbortedTimestamp: number | undefined;
-	// Track tool call status: whether resolved (has result) or aborted (synthetic result injected, skip later real results)
+	// Track which tool calls already have an emitted result so delayed/duplicate
+	// toolResult messages cannot create a second provider-visible result.
 	const toolCallStatus = new Map<string, ToolCallStatus>();
 
 	const flushPendingToolCalls = (timestamp: number): void => {
 		if (pendingToolCalls.length === 0) return;
 		for (const tc of pendingToolCalls) {
-			if (!toolCallStatus.has(tc.id) && !realToolResultIds.has(tc.id)) {
-				result.push({
-					role: "toolResult",
-					toolCallId: tc.id,
-					toolName: tc.name,
-					content: [{ type: "text", text: "No result provided" }],
-					isError: true,
-					timestamp,
-				} as ToolResultMessage);
+			if (toolCallStatus.has(tc.id)) continue;
+			const realToolResult = realToolResultsById.get(tc.id);
+			if (realToolResult) {
+				result.push(realToolResult);
 				toolCallStatus.set(tc.id, ToolCallStatus.Resolved);
+				continue;
 			}
+			result.push({
+				role: "toolResult",
+				toolCallId: tc.id,
+				toolName: tc.name,
+				content: [{ type: "text", text: "No result provided" }],
+				isError: true,
+				timestamp,
+			} as ToolResultMessage);
+			toolCallStatus.set(tc.id, ToolCallStatus.Resolved);
 		}
 		pendingToolCalls = [];
 	};
@@ -178,17 +187,22 @@ export function transformMessages<TApi extends Api>(
 	const flushPendingAbortedToolCalls = (): void => {
 		if (pendingAbortedTimestamp === undefined) return;
 		for (const tc of pendingAbortedToolCalls.values()) {
-			if (!toolCallStatus.has(tc.id)) {
-				result.push({
-					role: "toolResult",
-					toolCallId: tc.id,
-					toolName: tc.name,
-					content: [{ type: "text", text: "aborted" }],
-					isError: true,
-					timestamp: pendingAbortedTimestamp,
-				} as ToolResultMessage);
-				toolCallStatus.set(tc.id, ToolCallStatus.Aborted);
+			if (toolCallStatus.has(tc.id)) continue;
+			const realToolResult = realToolResultsById.get(tc.id);
+			if (realToolResult) {
+				result.push(realToolResult);
+				toolCallStatus.set(tc.id, ToolCallStatus.Resolved);
+				continue;
 			}
+			result.push({
+				role: "toolResult",
+				toolCallId: tc.id,
+				toolName: tc.name,
+				content: [{ type: "text", text: "aborted" }],
+				isError: true,
+				timestamp: pendingAbortedTimestamp,
+			} as ToolResultMessage);
+			toolCallStatus.set(tc.id, ToolCallStatus.Aborted);
 		}
 		result.push({
 			role: "developer",
@@ -236,8 +250,9 @@ export function transformMessages<TApi extends Api>(
 			}
 
 			if (assistantMsg.stopReason === "error" || assistantMsg.stopReason === "aborted") {
-				// Keep the assistant message with tool calls intact. If real tool results follow, preserve them;
-				// otherwise synthesize aborted results before the next turn boundary.
+				// Keep the assistant message with tool calls intact. Real tool results are
+				// emitted immediately if available; otherwise synthesize aborted results
+				// before the next turn boundary.
 				result.push(msg);
 				pendingAbortedToolCalls = new Map(toolCalls.map(toolCall => [toolCall.id, toolCall] as const));
 				pendingAbortedTimestamp = assistantMsg.timestamp;
@@ -250,6 +265,8 @@ export function transformMessages<TApi extends Api>(
 
 			result.push(msg);
 		} else if (msg.role === "toolResult") {
+			if (toolCallStatus.has(msg.toolCallId)) continue;
+
 			if (pendingAbortedToolCalls.has(msg.toolCallId)) {
 				pendingAbortedToolCalls.delete(msg.toolCallId);
 				toolCallStatus.set(msg.toolCallId, ToolCallStatus.Resolved);
@@ -257,7 +274,11 @@ export function transformMessages<TApi extends Api>(
 				continue;
 			}
 
-			if (toolCallStatus.get(msg.toolCallId) === ToolCallStatus.Aborted) continue;
+			if (pendingToolCalls.some(tc => tc.id === msg.toolCallId)) {
+				toolCallStatus.set(msg.toolCallId, ToolCallStatus.Resolved);
+				result.push(msg);
+				continue;
+			}
 
 			if (!validToolUseIds.has(msg.toolCallId)) {
 				// Orphan `tool_result`: the originating `tool_use` is not present in the
@@ -272,16 +293,13 @@ export function transformMessages<TApi extends Api>(
 				// * Anthropic requires the next message after an assistant `tool_use`
 				//   to be the matching `tool_result`. Inserting a developer message
 				//   would break that contiguity.
-				// * `flushPendingAbortedToolCalls` synthesizes "aborted" results
-				//   without checking whether a real result lands later in history
-				//   (unlike `flushPendingToolCalls`, which is gated by
-				//   `realToolResultIds`). Calling it here would convert a legitimate
-				//   later `tool_result` into a synthetic "aborted" one via the
-				//   `ToolCallStatus.Aborted` skip-guard.
+				// * Flushing pending aborted calls here would wedge synthetic results
+				//   between the assistant turn and a real result that may still arrive
+				//   inside the current contiguous result window.
 				//
-				// Drop the orphan silently in that case; the upcoming real
-				// `tool_result` will land normally on the next iteration.
-				if (pendingToolCalls.length > 0 || pendingAbortedToolCalls.size > 0) {
+				// Drop the orphan silently in that case; the pending calls will be
+				// resolved in their own contiguous result window or at the next boundary.
+				if (pendingToolCalls.some(tc => !toolCallStatus.has(tc.id)) || pendingAbortedToolCalls.size > 0) {
 					continue;
 				}
 				// No pending tool-call window: safe to preserve the text payload so the
@@ -311,11 +329,12 @@ export function transformMessages<TApi extends Api>(
 						timestamp: messageTimestamp,
 					} as UserMessage);
 				}
-				continue;
 			}
 
-			toolCallStatus.set(msg.toolCallId, ToolCallStatus.Resolved);
-			result.push(msg);
+			// The matching tool_use exists elsewhere, but this result is not in
+			// the currently open result window. Emitting it here would break the
+			// provider invariant; the first real result is pulled into the correct
+			// slot by the pending-call flush instead.
 		} else if (msg.role === "user" || msg.role === "developer") {
 			flushPendingToolCalls(messageTimestamp);
 			flushPendingAbortedToolCalls();

package/src/stream.ts

@@ -108,6 +108,7 @@ const serviceProviderMap: Record<string, KeyResolver> = {
 	kilo: "KILO_API_KEY",
 	"vercel-ai-gateway": "AI_GATEWAY_API_KEY",
 	zai: "ZAI_API_KEY",
+	"zhipu-coding-plan": "ZHIPU_API_KEY",
 	mistral: "MISTRAL_API_KEY",
 	minimax: "MINIMAX_API_KEY",
 	"minimax-code": "MINIMAX_CODE_API_KEY",

package/src/types.ts

@@ -121,6 +121,7 @@ export type KnownProvider =
 	| "kilo"
 	| "vercel-ai-gateway"
 	| "zai"
+	| "zhipu-coding-plan"
 	| "mistral"
 	| "minimax"
 	| "opencode-go"

package/src/utils/oauth/index.ts

@@ -150,6 +150,11 @@ const builtInOAuthProviders: OAuthProviderInfo[] = [
 		name: "Z.AI (GLM Coding Plan)",
 		available: true,
 	},
+	{
+		id: "zhipu-coding-plan",
+		name: "Zhipu Coding Plan (智谱)",
+		available: true,
+	},
 	{
 		id: "minimax-code",
 		name: "MiniMax Coding Plan (International)",
@@ -328,6 +333,7 @@ export async function refreshOAuthToken(
 		case "ollama-cloud":
 		case "xiaomi":
 		case "zai":
+		case "zhipu-coding-plan":
 		case "qianfan":
 		case "venice":
 		case "minimax-code":

package/src/utils/oauth/types.ts

@@ -50,7 +50,8 @@ export type OAuthProvider =
 	| "vllm"
 	| "xiaomi"
 	| "zenmux"
-	| "zai";
+	| "zai"
+	| "zhipu-coding-plan";
 
 export type OAuthProviderId = OAuthProvider | (string & {});
 

package/src/utils/oauth/zhipu.ts

@@ -0,0 +1,60 @@
+/**
+ * Zhipu Coding Plan login flow.
+ *
+ * Zhipu BigModel (智谱) provides an OpenAI-compatible API.
+ * API docs: https://docs.bigmodel.cn/cn/guide/develop/openai/introduction
+ *
+ * Simple API key flow:
+ * 1. User gets their API key from https://open.bigmodel.cn
+ * 2. User pastes the API key into the CLI
+ */
+
+import { validateOpenAICompatibleApiKey } from "./api-key-validation";
+import type { OAuthController } from "./types";
+
+const AUTH_URL = "https://open.bigmodel.cn/usercenter/apikeys";
+const API_BASE_URL = "https://open.bigmodel.cn/api/paas/v4";
+const VALIDATION_MODEL = "glm-5.1";
+
+/**
+ * Login to Zhipu Coding Plan.
+ *
+ * Opens browser to API keys page, prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export async function loginZhipuCodingPlan(options: OAuthController): Promise<string> {
+	if (!options.onPrompt) {
+		throw new Error("Zhipu Coding Plan login requires onPrompt callback");
+	}
+
+	// Open browser to API keys page
+	options.onAuth?.({
+		url: AUTH_URL,
+		instructions: "Copy your API key from the dashboard",
+	});
+
+	// Prompt user to paste their API key
+	const apiKey = await options.onPrompt({
+		message: "Paste your Zhipu API key",
+		placeholder: "sk-...",
+	});
+
+	if (options.signal?.aborted) {
+		throw new Error("Login cancelled");
+	}
+
+	const trimmed = apiKey.trim();
+	if (!trimmed) {
+		throw new Error("API key is required");
+	}
+
+	options.onProgress?.("Validating API key...");
+	await validateOpenAICompatibleApiKey({
+		provider: "Zhipu",
+		apiKey: trimmed,
+		baseUrl: API_BASE_URL,
+		model: VALIDATION_MODEL,
+		signal: options.signal,
+	});
+	return trimmed;
+}

package/src/utils/schema/fields.ts

@@ -34,6 +34,7 @@ export const UNSUPPORTED_SCHEMA_FIELDS: Record<string, true> = {
 	maximum: true,
 	exclusiveMinimum: true,
 	exclusiveMaximum: true,
+	multipleOf: true,
 	pattern: true,
 	format: true,
 };

package/src/utils/schema/types.ts

@@ -6,6 +6,5 @@ export function isJsonObject(value: unknown): value is JsonObject {
 
 /** True when `value` is a plain JSON object with no own enumerable keys. */
 export function isJsonObjectEmpty(value: JsonObject): boolean {
-	for (const _ in value) return false;
-	return true;
+	return Object.keys(value).length === 0;
 }

package/src/utils/schema/wire.ts

@@ -99,8 +99,7 @@ const SCHEMA_ARRAY_KEYS = ["anyOf", "oneOf", "allOf", "prefixItems"] as const;
 /** True when `val` is a plain empty object `{}`. */
 function isEmptyObject(val: unknown): val is Record<string, never> {
 	if (val === null || typeof val !== "object" || Array.isArray(val)) return false;
-	for (const _ in val as object) return false;
-	return true;
+	return Object.keys(val).length === 0;
 }
 
 function walk(node: unknown): void {

package/dist/types/cli.d.ts

@@ -1,2 +0,0 @@
-#!/usr/bin/env bun
-export {};

package/src/cli.ts

@@ -1,262 +0,0 @@
-#!/usr/bin/env bun
-import * as readline from "node:readline";
-import { AuthStorage, SqliteAuthCredentialStore } from "./auth-storage";
-import { getOAuthProviders } from "./utils/oauth";
-import type { OAuthProvider } from "./utils/oauth/types";
-
-const PROVIDERS = getOAuthProviders();
-
-function prompt(rl: readline.Interface, question: string): Promise<string> {
-	const { promise, resolve, reject } = Promise.withResolvers<string>();
-	const input = process.stdin as NodeJS.ReadStream;
-	const supportsRawMode = input.isTTY && typeof input.setRawMode === "function";
-	const wasRaw = supportsRawMode ? input.isRaw : false;
-	let settled = false;
-
-	const cleanup = () => {
-		rl.off("SIGINT", onSigint);
-		if (supportsRawMode) {
-			input.off("keypress", onKeypress);
-			input.setRawMode?.(wasRaw);
-		}
-	};
-
-	const finish = (result: () => void) => {
-		if (settled) return;
-		settled = true;
-		cleanup();
-		result();
-	};
-
-	const cancel = () => {
-		finish(() => reject(new Error("Login cancelled")));
-	};
-
-	const onSigint = () => {
-		cancel();
-	};
-
-	const onKeypress = (_str: string, key: readline.Key) => {
-		if (key.name === "escape" || (key.ctrl && key.name === "c")) {
-			cancel();
-			rl.close();
-		}
-	};
-
-	if (supportsRawMode) {
-		readline.emitKeypressEvents(input, rl);
-		input.setRawMode(true);
-		input.on("keypress", onKeypress);
-	}
-
-	rl.once("SIGINT", onSigint);
-	rl.question(question, answer => {
-		finish(() => resolve(answer));
-	});
-	return promise;
-}
-
-async function login(provider: OAuthProvider): Promise<void> {
-	const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-	const promptFn = (msg: string) => prompt(rl, `${msg} `);
-	const store = await SqliteAuthCredentialStore.open();
-	const storage = new AuthStorage(store);
-	await storage.reload();
-
-	try {
-		await storage.login(provider, {
-			onAuth(info) {
-				const { url, instructions } = info;
-				console.log(`\nOpen this URL in your browser:\n${url}`);
-				if (instructions) console.log(instructions);
-				console.log();
-			},
-			onProgress(message) {
-				console.log(message);
-			},
-			onPrompt(p) {
-				return promptFn(`${p.message}${p.placeholder ? ` (${p.placeholder})` : ""}:`);
-			},
-		});
-		console.log(`\nCredentials saved to ~/.omp/agent/agent.db`);
-	} finally {
-		store.close();
-		rl.close();
-	}
-}
-
-async function main(): Promise<void> {
-	const args = process.argv.slice(2);
-	const command = args[0];
-
-	if (!command || command === "help" || command === "--help" || command === "-h") {
-		console.log(`Usage: bunx @oh-my-pi/pi-ai <command> [provider]
-
-Commands:
-  login [provider]  Login to a provider
-  logout [provider] Logout from a provider
-  status            Show logged-in providers
-  list              List available providers
-
-Providers:
-  anthropic         Anthropic (Claude Pro/Max)
-  github-copilot    GitHub Copilot
-  google-gemini-cli Google Gemini CLI
-  google-antigravity Antigravity (Gemini 3, Claude, GPT-OSS)
-  openai-codex      OpenAI Codex (ChatGPT Plus/Pro)
-  kimi-code         Kimi Code
-  kilo              Kilo Gateway
-  kagi              Kagi
-  tavily            Tavily
-  zai               Z.AI (GLM Coding Plan)
-  deepseek          DeepSeek
-  nanogpt           NanoGPT
-  minimax-code      MiniMax Coding Plan (International)
-  minimax-code-cn   MiniMax Coding Plan (China)
-  cursor            Cursor (Claude, GPT, etc.)
-  zenmux            ZenMux
-  ollama-cloud      Ollama Cloud
-
-Examples:
-  bunx @oh-my-pi/pi-ai login              # interactive provider selection
-  bunx @oh-my-pi/pi-ai login anthropic    # login to specific provider
-  bunx @oh-my-pi/pi-ai logout anthropic   # logout from specific provider
-  bunx @oh-my-pi/pi-ai status             # show logged-in providers
-  bunx @oh-my-pi/pi-ai list               # list providers
-`);
-		return;
-	}
-
-	if (command === "status") {
-		const storage = await SqliteAuthCredentialStore.open();
-		try {
-			const providers = storage.listProviders();
-			if (providers.length === 0) {
-				console.log("No credentials stored.");
-				console.log(`Use 'bunx @oh-my-pi/pi-ai login' to authenticate.`);
-			} else {
-				console.log("Logged-in providers:\n");
-				for (const provider of providers) {
-					const oauth = storage.getOAuth(provider);
-					if (oauth) {
-						const expires = new Date(oauth.expires);
-						const expired = Date.now() >= oauth.expires;
-						const status = expired ? "(expired)" : `(expires ${expires.toLocaleString()})`;
-						console.log(`  ${provider.padEnd(20)} ${status}`);
-						continue;
-					}
-					const apiKey = storage.getApiKey(provider);
-					if (apiKey) {
-						console.log(`  ${provider.padEnd(20)} (api key)`);
-					}
-				}
-			}
-		} finally {
-			storage.close();
-		}
-		return;
-	}
-
-	if (command === "list") {
-		console.log("Available providers:\n");
-		for (const p of PROVIDERS) {
-			console.log(`  ${p.id.padEnd(20)} ${p.name}`);
-		}
-		return;
-	}
-
-	if (command === "logout") {
-		let provider = args[1] as OAuthProvider | undefined;
-		const storage = await SqliteAuthCredentialStore.open();
-
-		try {
-			if (!provider) {
-				const providers = storage.listProviders();
-				if (providers.length === 0) {
-					console.log("No credentials stored.");
-					return;
-				}
-
-				const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-				console.log("Select a provider to logout:\n");
-				for (let i = 0; i < providers.length; i++) {
-					console.log(`  ${i + 1}. ${providers[i]}`);
-				}
-				console.log();
-
-				const choice = await prompt(rl, `Enter number (1-${providers.length}): `);
-				rl.close();
-
-				const index = parseInt(choice, 10) - 1;
-				if (index < 0 || index >= providers.length) {
-					console.error("Invalid selection");
-					process.exit(1);
-				}
-				provider = providers[index] as OAuthProvider;
-			}
-			if (!provider) {
-				console.error("No provider selected");
-				process.exit(1);
-			}
-
-			const oauth = storage.getOAuth(provider);
-			const apiKey = storage.getApiKey(provider);
-			if (!oauth && !apiKey) {
-				console.error(`Not logged in to ${provider}`);
-				process.exit(1);
-			}
-
-			storage.deleteProvider(provider);
-			console.log(`Logged out from ${provider}`);
-		} finally {
-			storage.close();
-		}
-		return;
-	}
-
-	if (command === "login") {
-		let provider = args[1] as OAuthProvider | undefined;
-
-		if (!provider) {
-			const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-			console.log("Select a provider:\n");
-			for (let i = 0; i < PROVIDERS.length; i++) {
-				console.log(`  ${i + 1}. ${PROVIDERS[i].name}`);
-			}
-			console.log();
-
-			const choice = await prompt(rl, `Enter number (1-${PROVIDERS.length}): `);
-			rl.close();
-
-			const index = parseInt(choice, 10) - 1;
-			if (index < 0 || index >= PROVIDERS.length) {
-				console.error("Invalid selection");
-				process.exit(1);
-			}
-			provider = PROVIDERS[index].id as OAuthProvider;
-		}
-		if (!provider) {
-			console.error("No provider selected");
-			process.exit(1);
-		}
-
-		if (!PROVIDERS.some(p => p.id === provider)) {
-			console.error(`Unknown provider: ${provider}`);
-			console.error(`Use 'bunx @oh-my-pi/pi-ai list' to see available providers`);
-			process.exit(1);
-		}
-
-		console.log(`Logging in to ${provider}…`);
-		await login(provider);
-		return;
-	}
-
-	console.error(`Unknown command: ${command}`);
-	console.error(`Use 'bunx @oh-my-pi/pi-ai --help' for usage`);
-	process.exit(1);
-}
-
-main().catch(err => {
-	console.error("Error:", err.message);
-	process.exit(1);
-});