clawmoney 0.17.3 → 0.17.4

package/dist/commands/relay-setup.js

@@ -12,6 +12,8 @@ import { API_PRICES, PLATFORM_FEE } from "../relay/pricing.js";
 import { hasClaudeFingerprint, bootstrapClaudeFingerprint, } from "../relay/upstream/claude-bootstrap.js";
 import { hasGeminiFingerprint, bootstrapGeminiFingerprint, } from "../relay/upstream/gemini-bootstrap.js";
 import { hasCodexFingerprint, bootstrapCodexFingerprint, } from "../relay/upstream/codex-bootstrap.js";
+import { listOpenclawOAuthProviders, listOpenclawApiKeyProviders, } from "../relay/upstream/openclaw-creds.js";
+import { hubCliTypeFor } from "../relay/upstream/passthrough-specs.js";
 // ── Per-cli_type model catalogs ──
 //
 // `RECOMMENDED_MODELS` is what gets registered when the user picks "all
@@ -74,6 +76,23 @@ const RECOMMENDED_MODELS = {
         "antigravity-gemini-3-flash",
         "antigravity-gemini-2.5-pro",
     ],
+    // ── Z.AI / GLM ──
+    // One cli_type per openclaw onboarding choice. Coding-plan variants share
+    // the same recommended catalog — the cli_type distinguishes the upstream
+    // baseUrl at call time, not the model id.
+    "zai-coding": ["glm-5", "glm-4.7", "glm-4.7-flash", "glm-4.5-air"],
+    zai: ["glm-5", "glm-4.7", "glm-4.7-flash", "glm-4.5-air"],
+    // ── Moonshot / Kimi ──
+    moonshot: ["kimi-k2.5", "kimi-k2-thinking", "kimi-k2-turbo"],
+    "kimi-coding": ["kimi-code"],
+    // ── Qwen Coding Plan ──
+    "qwen-coding": ["qwen3.6-plus", "qwen-coder-plus", "qwen3-coder"],
+    // ── MiniMax ──
+    minimax: ["MiniMax-M2.7", "MiniMax-M2.7-highspeed"],
+    // ── OpenAI API-key (distinct from "codex" subscription adapter) ──
+    // Uses the buyer's own API key; same model catalog as codex Coding CLI
+    // plus the o-series reasoning models that codex can't serve.
+    openai: ["gpt-5.4", "gpt-5.4-mini", "gpt-5.3-codex", "o4-mini"],
 };
 function modelsForCli(cli) {
     const all = Object.keys(API_PRICES);
@@ -95,6 +114,25 @@ function modelsForCli(cli) {
         // the antigravity cli_type, not the standalone gemini cli_type.
         return all.filter((m) => m.startsWith("gemini-") && !m.startsWith("antigravity-"));
     }
+    if (cli === "zai-coding" || cli === "zai") {
+        return all.filter((m) => m.startsWith("glm-"));
+    }
+    if (cli === "moonshot") {
+        return all.filter((m) => m.startsWith("kimi-k2"));
+    }
+    if (cli === "kimi-coding") {
+        return ["kimi-code"].filter((m) => m in API_PRICES);
+    }
+    if (cli === "qwen-coding") {
+        return all.filter((m) => m.startsWith("qwen"));
+    }
+    if (cli === "minimax") {
+        return all.filter((m) => m.startsWith("MiniMax-"));
+    }
+    if (cli === "openai") {
+        // OpenAI API-key passthrough — gpt-5.x + o-series reasoning models.
+        return all.filter((m) => m.startsWith("gpt-") || m === "o3" || m === "o4-mini");
+    }
     return [];
 }
 function detectInstalledClis() {
@@ -103,6 +141,17 @@ function detectInstalledClis() {
     // validate OAuth state here — the daemon's preflight does that on
     // first start, and probing OAuth from a sync setup wizard would be
     // brittle (keychain prompts, refresh-token races, etc).
+    // Map clawmoney cli_type → openclaw provider id. Used so a machine with
+    // only openclaw installed still surfaces the relevant subscriptions via
+    // ~/.openclaw/agents/*/agent/auth-profiles.json instead of requiring the
+    // underlying official CLI binary. The adapters (claude-api / codex-api /
+    // gemini-api) transparently fall back to those profiles at runtime.
+    const openclawProviders = new Set(listOpenclawOAuthProviders());
+    const openclawProviderFor = {
+        claude: "anthropic",
+        codex: "openai-codex",
+        gemini: "google",
+    };
     const binaries = [
         { cli: "claude", bin: "claude" },
         { cli: "codex", bin: "codex" },
@@ -117,14 +166,58 @@ function detectInstalledClis() {
         catch {
             installed = false;
         }
-        results.push({
-            cli,
-            available: installed,
-            hint: installed
-                ? "binary in PATH (login state will be validated when daemon starts)"
-                : `${bin} not found in PATH`,
-        });
+        const hasOpenclawProfile = openclawProviders.has(openclawProviderFor[cli]);
+        const available = installed || hasOpenclawProfile;
+        let hint;
+        if (installed) {
+            hint = "binary in PATH (login state will be validated when daemon starts)";
+        }
+        else if (hasOpenclawProfile) {
+            hint = "OpenClaw OAuth profile detected (no official CLI binary needed)";
+        }
+        else {
+            hint = `${bin} not found in PATH`;
+        }
+        results.push({ cli, available, hint });
     }
+    // ── Static-key passthrough providers ──
+    // No binary to probe — each maps to an openclaw api_key profile or an
+    // env var. Pair of (provider-id-in-openclaw, env-var-name, cli_type).
+    const passthroughDetection = [
+        { cli: "zai-coding", openclawProvider: "zai", env: "ZAI_API_KEY" },
+        { cli: "zai", openclawProvider: "zai", env: "ZAI_API_KEY" },
+        { cli: "moonshot", openclawProvider: "moonshot", env: "MOONSHOT_API_KEY" },
+        { cli: "kimi-coding", openclawProvider: "kimi", env: "KIMI_API_KEY" },
+        { cli: "qwen-coding", openclawProvider: "qwen", env: "BAILIAN_CODING_PLAN_API_KEY" },
+        { cli: "openai", openclawProvider: "openai", env: "OPENAI_API_KEY" },
+    ];
+    const openclawApiKeyProviders = new Set(listOpenclawApiKeyProviders());
+    for (const { cli, openclawProvider, env } of passthroughDetection) {
+        const hasOpenclawKey = openclawApiKeyProviders.has(openclawProvider);
+        const hasEnv = !!process.env[env];
+        const available = hasOpenclawKey || hasEnv;
+        let hint;
+        if (hasOpenclawKey)
+            hint = `OpenClaw api_key profile (${openclawProvider})`;
+        else if (hasEnv)
+            hint = `${env} env var set`;
+        else
+            hint = `no key found (openclaw ${openclawProvider} profile or ${env})`;
+        results.push({ cli, available, hint });
+    }
+    // MiniMax: OAuth Coding Plan OR api_key fallback. List separately so the
+    // hint can explain which path was detected.
+    const hasMinimaxOauth = openclawProviders.has("minimax-portal");
+    const hasMinimaxKey = openclawApiKeyProviders.has("minimax") || !!process.env.MINIMAX_API_KEY;
+    results.push({
+        cli: "minimax",
+        available: hasMinimaxOauth || hasMinimaxKey,
+        hint: hasMinimaxOauth
+            ? "OpenClaw minimax-portal OAuth profile"
+            : hasMinimaxKey
+                ? "MiniMax api_key (openclaw or MINIMAX_API_KEY)"
+                : "no MiniMax credential (run `openclaw onboard --auth-choice minimax-global-oauth` or export MINIMAX_API_KEY)",
+    });
     // Antigravity is OAuth-file based — there's no `antigravity` binary
     // installed locally. We check for the OAuth credentials file that
     // `clawmoney antigravity login` writes.
@@ -431,9 +524,15 @@ export async function relaySetupCommand() {
     const failures = [];
     const regSpin = spinner();
     regSpin.start(`Registering ${registrations.length} providers...`);
+    // Hub only recognizes a closed set of cli_types (claude / codex / gemini /
+    // antigravity / api-key / session-token). Our fine-grained internal names
+    // (zai-coding / moonshot / qwen-coding / minimax / …) all fold to api-key
+    // on the wire — the daemon does the actual upstream routing by model
+    // prefix at request time. Preserve the fine-grained label only in the
+    // wizard UI for operator readability.
     const batchBody = {
         providers: registrations.map((r) => ({
-            cli_type: r.cli,
+            cli_type: hubCliTypeFor(r.cli),
             model: r.model,
             mode: "chat",
             concurrency,
@@ -500,7 +599,7 @@ export async function relaySetupCommand() {
     try {
         const pruneResp = await apiPost("/api/v1/relay/providers/prune", {
             keep: registrations.map((r) => ({
-                cli_type: r.cli,
+                cli_type: hubCliTypeFor(r.cli),
                 model: r.model,
             })),
         }, config.api_key);

package/dist/commands/relay.d.ts

@@ -18,4 +18,7 @@ export declare function relayLogsCommand(options: {
 }): Promise<void>;
 export declare function relayStatusCommand(): Promise<void>;
 export declare function relayModelsCommand(): Promise<void>;
+export declare function relayPreflightCommand(options: {
+    cli?: string;
+}): Promise<void>;
 export {};

package/dist/commands/relay.js

@@ -387,3 +387,81 @@ export async function relayModelsCommand() {
         throw err;
     }
 }
+// ── relay preflight ──
+//
+// Standalone credential validation. Runs each upstream adapter's preflight
+// function against the provider's local auth state (native CLI file,
+// keychain, OpenClaw profile, or env var) WITHOUT starting the WebSocket
+// daemon or contacting the Hub. Useful for operators who want to verify
+// "my openclaw profile is being picked up" before committing to a real
+// `relay start`.
+//
+// With --cli <type> we preflight just that one. Without, we loop over a
+// sensible default set (claude / codex / gemini / api-key) and report
+// each independently — a failure in one cli_type doesn't short-circuit
+// the others.
+const PREFLIGHT_DEFAULTS = ["claude", "codex", "gemini", "antigravity"];
+export async function relayPreflightCommand(options) {
+    const toCheck = options.cli
+        ? [options.cli]
+        : PREFLIGHT_DEFAULTS;
+    console.log(chalk.bold("\n  Relay credential preflight\n"));
+    let failed = 0;
+    for (const cli of toCheck) {
+        const spin = ora(`  ${cli}`).start();
+        try {
+            const fn = await resolvePreflightFn(cli);
+            if (!fn) {
+                spin.info(chalk.dim(`  ${cli}: no preflight (unknown cli_type)`));
+                continue;
+            }
+            await fn();
+            spin.succeed(chalk.green(`  ${cli}: OK`));
+        }
+        catch (err) {
+            failed++;
+            spin.fail(chalk.red(`  ${cli}: ${err.message.slice(0, 200)}`));
+        }
+    }
+    console.log("");
+    if (failed === 0) {
+        console.log(chalk.green(`  All ${toCheck.length} preflight checks passed.`));
+    }
+    else {
+        console.log(chalk.yellow(`  ${failed} of ${toCheck.length} preflight checks failed.`));
+    }
+    console.log("");
+    process.exit(failed === 0 ? 0 : 1);
+}
+async function resolvePreflightFn(cli) {
+    switch (cli) {
+        case "claude": {
+            const { preflightClaudeApi } = await import("../relay/upstream/claude-api.js");
+            return () => preflightClaudeApi();
+        }
+        case "codex": {
+            const { preflightCodexApi } = await import("../relay/upstream/codex-api.js");
+            return () => preflightCodexApi();
+        }
+        case "gemini": {
+            const { preflightGeminiApi } = await import("../relay/upstream/gemini-api.js");
+            return () => preflightGeminiApi();
+        }
+        case "antigravity": {
+            const { preflightAntigravityApi } = await import("../relay/upstream/antigravity-api.js");
+            return () => preflightAntigravityApi();
+        }
+        case "minimax": {
+            const { preflightMinimaxApi } = await import("../relay/upstream/minimax-api.js");
+            return () => preflightMinimaxApi();
+        }
+        default: {
+            // Passthrough cli_type (zai / moonshot / kimi-coding / qwen-coding / openai).
+            const { preflightPassthroughApi, getPassthroughSpec } = await import("../relay/upstream/passthrough-api.js");
+            await import("../relay/upstream/passthrough-specs.js");
+            if (!getPassthroughSpec(cli))
+                return null;
+            return () => preflightPassthroughApi(cli);
+        }
+    }
+}

package/dist/index.js

@@ -8,7 +8,7 @@ import { walletStatusCommand, walletBalanceCommand, walletAddressCommand, wallet
 import { tweetCommand } from './commands/tweet.js';
 import { gigCreateCommand, gigBrowseCommand, gigDetailCommand, gigAcceptCommand, gigDeliverCommand, gigApproveCommand, gigDisputeCommand, } from './commands/gig.js';
 import { hubStartCommand, hubStopCommand, hubStatusCommand, hubSearchCommand, hubCallCommand, hubRegisterCommand, hubSkillsCommand, hubOrderCommand, hubHistoryCommand, } from './commands/hub.js';
-import { relayRegisterCommand, relayStartCommand, relayStopCommand, relayStatusCommand, relayModelsCommand, relayLogsCommand, } from './commands/relay.js';
+import { relayRegisterCommand, relayStartCommand, relayStopCommand, relayStatusCommand, relayModelsCommand, relayLogsCommand, relayPreflightCommand, } from './commands/relay.js';
 import { antigravityLoginCommand, antigravityStatusCommand, } from './commands/antigravity.js';
 import { createRequire } from 'node:module';
 const require = createRequire(import.meta.url);
@@ -549,6 +549,19 @@ relay
         process.exit(1);
     }
 });
+relay
+    .command('preflight')
+    .description('Validate upstream credentials without starting the daemon (useful for verifying openclaw fallback, keychain state, etc.)')
+    .option('--cli <type>', 'Check a single cli_type (claude, codex, gemini, antigravity, minimax, zai, zai-coding, moonshot, kimi-coding, qwen-coding, openai). Default: claude+codex+gemini+antigravity.')
+    .action(async (options) => {
+    try {
+        await relayPreflightCommand(options);
+    }
+    catch (err) {
+        console.error(err.message);
+        process.exit(1);
+    }
+});
 // antigravity (Google Antigravity IDE OAuth — separate quota pool + Claude access)
 const antigravity = program
     .command('antigravity')

package/dist/relay/pricing.js

@@ -59,6 +59,43 @@ export const API_PRICES = {
     "antigravity-claude-opus-4-6-thinking": { input: 5, output: 25 },
     "antigravity-claude-sonnet-4-6": { input: 3, output: 15 },
     "antigravity-claude-sonnet-4-5": { input: 3, output: 15 },
+    // ── Z.AI / GLM ──
+    // GLM models are paid per-token; Coding Plan is a flat monthly rate but
+    // we still bill relay by tokens so providers see their opportunity cost
+    // approximately. Numbers sourced from z.ai/pricing + LiteLLM; trimmed to
+    // the bundled openclaw catalog + widely-used legacy ids.
+    "glm-5.1": { input: 0.60, output: 3.00 },
+    "glm-5": { input: 0.60, output: 3.00 },
+    "glm-5-turbo": { input: 0.20, output: 1.00 },
+    "glm-4.7": { input: 0.60, output: 2.20 },
+    "glm-4.7-flash": { input: 0.10, output: 0.40 },
+    "glm-4.7-flashx": { input: 0.05, output: 0.20 },
+    "glm-4.6": { input: 0.60, output: 2.20 },
+    "glm-4.5": { input: 0.60, output: 2.20 },
+    "glm-4.5-air": { input: 0.20, output: 1.10 },
+    "glm-4.5-flash": { input: 0.10, output: 0.40 },
+    // ── Moonshot / Kimi K2 ──
+    // Moonshot public pricing.  Kimi K2 family on Moonshot Open Platform.
+    "kimi-k2.5": { input: 0.60, output: 2.50 },
+    "kimi-k2-thinking": { input: 0.60, output: 2.50 },
+    "kimi-k2-thinking-turbo": { input: 1.15, output: 8.00 },
+    "kimi-k2-turbo": { input: 1.15, output: 5.00 },
+    // Kimi Coding product (separate key / endpoint from Moonshot API).
+    // Pricing here is placeholder — Kimi Coding is a subscription product,
+    // so there's no official token price; we use Kimi K2.5 Open Platform
+    // rates as a proxy so providers see comparable opportunity-cost billing.
+    "kimi-code": { input: 0.60, output: 2.50 },
+    // ── Qwen / Alibaba ModelStudio Coding Plan ──
+    // Coding Plan is flat monthly; same proxy-price approach as kimi-code.
+    // Based on public DashScope Qwen pricing (qwen-plus / qwen-max tier).
+    "qwen3.6-plus": { input: 1.20, output: 3.60 },
+    "qwen3.5-plus": { input: 0.80, output: 2.40 },
+    "qwen-coder-plus": { input: 0.80, output: 2.40 },
+    "qwen3-coder": { input: 0.80, output: 2.40 },
+    // ── MiniMax ──
+    // From openclaw provider catalog (docs/providers/minimax.md).
+    "MiniMax-M2.7": { input: 0.30, output: 1.20 },
+    "MiniMax-M2.7-highspeed": { input: 0.60, output: 2.40 },
     // ── Google (Gemini) ──
     // Verified against LiteLLM pricing DB.
     "gemini-3.1-pro-preview": { input: 2, output: 12 },

package/dist/relay/provider.js

@@ -7,6 +7,11 @@ import { callClaudeApi, callClaudeApiPassthrough, preflightClaudeApi, getRateGua
 import { callCodexApi, callCodexApiPassthrough, preflightCodexApi, getRateGuardSnapshot as getCodexRateGuardSnapshot, } from "./upstream/codex-api.js";
 import { callGeminiApi, preflightGeminiApi, getGeminiRateGuardSnapshot, } from "./upstream/gemini-api.js";
 import { callAntigravityApi, preflightAntigravityApi, getAntigravityRateGuardSnapshot, } from "./upstream/antigravity-api.js";
+import { callMinimaxApi, preflightMinimaxApi, getMinimaxRateGuardSnapshot, } from "./upstream/minimax-api.js";
+import { callPassthroughApi, preflightPassthroughApi, getPassthroughRateGuardSnapshot, } from "./upstream/passthrough-api.js";
+// Side-effect import: registers all static-key passthrough specs at module
+// load time (zai, zai-coding, moonshot, kimi-coding, qwen-coding, openai).
+import { PASSTHROUGH_CLI_TYPES, resolveSpecByModel, } from "./upstream/passthrough-specs.js";
 import { apiGet, apiPost } from "../utils/api.js";
 /**
  * Pick the rate-guard snapshot matching this request's cli_type. Fixes a
@@ -22,8 +27,23 @@ function getRateGuardSnapshotForCli(cli) {
             return getGeminiRateGuardSnapshot();
         case "antigravity":
             return getAntigravityRateGuardSnapshot();
+        case "minimax":
+            return getMinimaxRateGuardSnapshot();
+        case "api-key":
+            // api-key multiplexes multiple internal specs; without model context
+            // we can't pick one snapshot. Hub treats null as "no signal", which
+            // is accurate here — each internal spec has its own per-cli rate-guard
+            // state, none of which is canonical for the whole api-key bucket.
+            return null;
         case "claude":
+            return getClaudeRateGuardSnapshot();
         default:
+            // Passthrough cli_types share the generic rate-guard shape but track
+            // per-cli load independently. Returns null for unknown cli_types,
+            // which is fine — the Hub treats missing snapshots as "no signal".
+            if (PASSTHROUGH_CLI_TYPES.has(cli)) {
+                return getPassthroughRateGuardSnapshot(cli);
+            }
             return getClaudeRateGuardSnapshot();
     }
 }
@@ -324,6 +344,59 @@ async function executeRelayRequest(request, config, sendChunk) {
                 maxTokens: max_budget_usd ? undefined : 8192,
             });
         }
+        else if (cliType === "api-key") {
+            // Canonical Hub cli_type for every static-key / Bearer-passthrough
+            // upstream. The Hub doesn't know (or care) which third-party provider
+            // is on the other side — it just sees "OpenAI-compat, uses a Bearer
+            // token". Daemon resolves the actual upstream by model prefix.
+            const internalSpec = resolveSpecByModel(model);
+            if (!internalSpec) {
+                throw new Error(`api-key dispatch failed: model "${model}" matches no known passthrough family ` +
+                    `(supported prefixes: glm-*, zai-*, kimi-k2*, kimi-code, qwen*, MiniMax-*, gpt-*, o3, o4-mini)`);
+            }
+            if (internalSpec === "minimax") {
+                parsed = await callMinimaxApi({
+                    prompt,
+                    passthroughBody: request.passthrough_body,
+                    model,
+                    maxTokens: max_budget_usd ? undefined : 8192,
+                    onRawEvent: sendChunk,
+                });
+            }
+            else {
+                parsed = await callPassthroughApi({
+                    cliType: internalSpec,
+                    prompt,
+                    passthroughBody: request.passthrough_body,
+                    model,
+                    maxTokens: max_budget_usd ? undefined : 4096,
+                    onRawEvent: sendChunk,
+                });
+            }
+        }
+        else if (cliType === "minimax") {
+            // Legacy fine-grained cli_type kept for the probe harness; Hub never
+            // sends this value in production.
+            parsed = await callMinimaxApi({
+                prompt,
+                passthroughBody: request.passthrough_body,
+                model,
+                maxTokens: max_budget_usd ? undefined : 8192,
+                onRawEvent: sendChunk,
+            });
+        }
+        else if (PASSTHROUGH_CLI_TYPES.has(cliType)) {
+            // Same story — fine-grained cli_type path retained so local probe
+            // scripts can target a specific spec without faking the Hub side.
+            parsed = await callPassthroughApi({
+                cliType,
+                prompt,
+                passthroughBody: request.passthrough_body,
+                model,
+                maxTokens: max_budget_usd ? undefined : 4096,
+                onRawEvent: sendChunk,
+            });
+        }
         else {
             // Claude: two modes.
             //
@@ -440,7 +513,19 @@ function getPreflightFn(cliType) {
             return preflightGeminiApi;
         case "antigravity":
             return preflightAntigravityApi;
+        case "minimax":
+            return preflightMinimaxApi;
+        case "api-key":
+            // Credential validation for api-key happens lazily on first request —
+            // we can't know which internal specs to preflight without the list of
+            // registered models, and the adapters throw clear errors on missing
+            // creds anyway. Return a trivial resolved preflight so the daemon
+            // launcher doesn't log a "no preflight registered" warning.
+            return async () => undefined;
         default:
+            if (PASSTHROUGH_CLI_TYPES.has(cliType)) {
+                return (config) => preflightPassthroughApi(cliType, config);
+            }
             return null;
     }
 }

package/dist/relay/upstream/claude-api.js

@@ -26,6 +26,7 @@ import { ProxyAgent, setGlobalDispatcher } from "undici";
 import { relayLogger as logger } from "../logger.js";
 import { RateGuard, RateGuardBudgetExceededError, RateGuardCooldownError, } from "./rate-guard.js";
 import { calculateCost } from "../pricing.js";
+import { readOpenclawOAuthProfile, persistOpenclawOAuthProfile, } from "./openclaw-creds.js";
 export { RateGuardBudgetExceededError, RateGuardCooldownError };
 // ── Constants (sourced from sub2api + claude-cli/2.1.100 capture) ──
 const OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
@@ -480,24 +481,44 @@ function loadClaudeOAuth() {
     const fromKeychain = readCredentialsFromKeychain();
     const fromFile = fromKeychain ? null : readCredentialsFromFile();
     const raw = fromKeychain ?? fromFile;
-    if (!raw) {
-        throw new Error("Claude Code credentials not found. Log in with `claude` first.");
+    if (raw) {
+        const oauth = raw.claudeAiOauth;
+        if (!oauth?.accessToken) {
+            throw new Error("Credentials file missing claudeAiOauth.accessToken");
+        }
+        return {
+            source: fromKeychain ? "keychain" : "file",
+            filePath: fromKeychain ? undefined : CLAUDE_CREDENTIALS_FILE_PATH,
+            accessToken: oauth.accessToken,
+            refreshToken: oauth.refreshToken,
+            expiresAt: oauth.expiresAt,
+            scopes: oauth.scopes ?? [],
+            subscriptionType: oauth.subscriptionType,
+            rateLimitTier: oauth.rateLimitTier,
+            _rawWrapper: raw,
+        };
     }
-    const oauth = raw.claudeAiOauth;
-    if (!oauth?.accessToken) {
-        throw new Error("Credentials file missing claudeAiOauth.accessToken");
+    // Fallback: openclaw's auth-profiles.json. Anthropic subscription OAuth
+    // stored under provider="anthropic". openclaw does not record scopes /
+    // subscriptionType / rateLimitTier, so those stay undefined — preflight
+    // logs will show "subscription=? tier=?", which is accurate ("we don't
+    // know"). Refresh responses from Anthropic's OAuth endpoint echo the
+    // scopes array back, so the field gets populated on the first refresh.
+    const openclawProfile = readOpenclawOAuthProfile("anthropic");
+    if (openclawProfile) {
+        logger.info(`[claude-api] using OpenClaw credential fallback (profile=${openclawProfile.profileKey}, store=${openclawProfile.storePath})`);
+        return {
+            source: "openclaw",
+            openclawProfile,
+            accessToken: openclawProfile.access,
+            refreshToken: openclawProfile.refresh,
+            expiresAt: openclawProfile.expires,
+            scopes: [],
+        };
     }
-    return {
-        source: fromKeychain ? "keychain" : "file",
-        filePath: fromKeychain ? undefined : CLAUDE_CREDENTIALS_FILE_PATH,
-        accessToken: oauth.accessToken,
-        refreshToken: oauth.refreshToken,
-        expiresAt: oauth.expiresAt,
-        scopes: oauth.scopes ?? [],
-        subscriptionType: oauth.subscriptionType,
-        rateLimitTier: oauth.rateLimitTier,
-        _rawWrapper: raw,
-    };
+    throw new Error("Claude Code credentials not found (checked keychain, ~/.claude/.credentials.json, " +
+        "and ~/.openclaw/agents/*/agent/auth-profiles.json). " +
+        "Log in with `claude` or `openclaw onboard` first.");
 }
 function writeCredentialsToKeychain(wrapper) {
     if (process.platform !== "darwin") {
@@ -579,9 +600,43 @@ function isAuthBrokenError(err) {
         /token refresh failed:\s*40[0134]/.test(msg));
 }
 async function doRefreshAndPersist(current) {
-    logger.info("[claude-api] refreshing OAuth token...");
+    logger.info(`[claude-api] refreshing OAuth token (source=${current.source})...`);
     const fresh = await refreshUpstreamToken(current.refreshToken);
-    const wrapper = { ...current._rawWrapper };
+    // IMPORTANT: persist BEFORE advancing the in-memory state. If the keychain
+    // write silently fails we must NOT start using the new access/refresh token
+    // — doing so creates a "two valid tokens in flight" pattern that looks to
+    // Anthropic like account hijacking (same account_id, two access_tokens
+    // issued within the 3-minute refresh skew window). The correct fallback is
+    // to keep serving on the old token until the next refresh cycle retries
+    // the persist, so on-disk and in-memory state always agree.
+    if (current.source === "openclaw" && current.openclawProfile) {
+        try {
+            persistOpenclawOAuthProfile(current.openclawProfile, {
+                access: fresh.accessToken,
+                refresh: fresh.refreshToken,
+                expires: fresh.expiresAt,
+            });
+            logger.info(`[claude-api] OpenClaw profile ${current.openclawProfile.profileKey} updated (${current.openclawProfile.storePath})`);
+        }
+        catch (err) {
+            logger.error(`[claude-api] CRITICAL: openclaw persist failed — keeping old token to avoid account-hijack detection signal: ${err.message}`);
+            return current;
+        }
+        return {
+            ...current,
+            accessToken: fresh.accessToken,
+            refreshToken: fresh.refreshToken,
+            expiresAt: fresh.expiresAt,
+            scopes: fresh.scopes.length > 0 ? fresh.scopes : current.scopes,
+            openclawProfile: {
+                ...current.openclawProfile,
+                access: fresh.accessToken,
+                refresh: fresh.refreshToken,
+                expires: fresh.expiresAt,
+            },
+        };
+    }
+    const wrapper = { ...(current._rawWrapper ?? {}) };
     wrapper.claudeAiOauth = {
         ...wrapper.claudeAiOauth,
         accessToken: fresh.accessToken,
@@ -591,13 +646,6 @@ async function doRefreshAndPersist(current) {
             ? fresh.scopes
             : wrapper.claudeAiOauth.scopes,
     };
-    // IMPORTANT: persist BEFORE advancing the in-memory state. If the keychain
-    // write silently fails we must NOT start using the new access/refresh token
-    // — doing so creates a "two valid tokens in flight" pattern that looks to
-    // Anthropic like account hijacking (same account_id, two access_tokens
-    // issued within the 3-minute refresh skew window). The correct fallback is
-    // to keep serving on the old token until the next refresh cycle retries
-    // the persist, so on-disk and in-memory state always agree.
     if (current.source === "keychain") {
         try {
             writeCredentialsToKeychain(wrapper);