clawmoney 0.17.5 → 0.17.6

package/dist/commands/relay-setup.js

@@ -76,23 +76,14 @@ const RECOMMENDED_MODELS = {
         "antigravity-gemini-3-flash",
         "antigravity-gemini-2.5-pro",
     ],
-    // ── Z.AI / GLM ──
-    // One cli_type per openclaw onboarding choice. Coding-plan variants share
-    // the same recommended catalog — the cli_type distinguishes the upstream
-    // baseUrl at call time, not the model id.
+    // ── Z.AI GLM Coding Plan ──
     "zai-coding": ["glm-5", "glm-4.7", "glm-4.7-flash", "glm-4.5-air"],
-    zai: ["glm-5", "glm-4.7", "glm-4.7-flash", "glm-4.5-air"],
-    // ── Moonshot / Kimi ──
-    moonshot: ["kimi-k2.5", "kimi-k2-thinking", "kimi-k2-turbo"],
-    "kimi-coding": ["kimi-code"],
+    // ── Kimi Coding Plan ──
+    "kimi-coding": ["kimi-k2.5", "kimi-k2-thinking", "kimi-code"],
     // ── Qwen Coding Plan ──
     "qwen-coding": ["qwen3.6-plus", "qwen-coder-plus", "qwen3-coder"],
-    // ── MiniMax ──
+    // ── MiniMax Coding Plan ──
     minimax: ["MiniMax-M2.7", "MiniMax-M2.7-highspeed"],
-    // ── OpenAI API-key (distinct from "codex" subscription adapter) ──
-    // Uses the buyer's own API key; same model catalog as codex Coding CLI
-    // plus the o-series reasoning models that codex can't serve.
-    openai: ["gpt-5.4", "gpt-5.4-mini", "gpt-5.3-codex", "o4-mini"],
 };
 function modelsForCli(cli) {
     const all = Object.keys(API_PRICES);
@@ -114,14 +105,11 @@ function modelsForCli(cli) {
         // the antigravity cli_type, not the standalone gemini cli_type.
         return all.filter((m) => m.startsWith("gemini-") && !m.startsWith("antigravity-"));
     }
-    if (cli === "zai-coding" || cli === "zai") {
+    if (cli === "zai-coding") {
         return all.filter((m) => m.startsWith("glm-"));
     }
-    if (cli === "moonshot") {
-        return all.filter((m) => m.startsWith("kimi-k2"));
-    }
     if (cli === "kimi-coding") {
-        return ["kimi-code"].filter((m) => m in API_PRICES);
+        return all.filter((m) => m.startsWith("kimi-"));
     }
     if (cli === "qwen-coding") {
         return all.filter((m) => m.startsWith("qwen"));
@@ -129,10 +117,6 @@ function modelsForCli(cli) {
     if (cli === "minimax") {
         return all.filter((m) => m.startsWith("MiniMax-"));
     }
-    if (cli === "openai") {
-        // OpenAI API-key passthrough — gpt-5.x + o-series reasoning models.
-        return all.filter((m) => m.startsWith("gpt-") || m === "o3" || m === "o4-mini");
-    }
     return [];
 }
 function detectInstalledClis() {
@@ -185,11 +169,10 @@ function detectInstalledClis() {
     // env var. Pair of (provider-id-in-openclaw, env-var-name, cli_type).
     const passthroughDetection = [
         { cli: "zai-coding", openclawProvider: "zai", env: "ZAI_API_KEY" },
-        { cli: "zai", openclawProvider: "zai", env: "ZAI_API_KEY" },
-        { cli: "moonshot", openclawProvider: "moonshot", env: "MOONSHOT_API_KEY" },
-        { cli: "kimi-coding", openclawProvider: "kimi", env: "KIMI_API_KEY" },
         { cli: "qwen-coding", openclawProvider: "qwen", env: "BAILIAN_CODING_PLAN_API_KEY" },
-        { cli: "openai", openclawProvider: "openai", env: "OPENAI_API_KEY" },
+        // NOTE: kimi-coding + minimax are intentionally absent — they have their
+        // own OAuth-aware detection blocks below. Pay-per-token cli_types
+        // (moonshot, zai, openai) were removed as provider-hostile.
     ];
     const openclawApiKeyProviders = new Set(listOpenclawApiKeyProviders());
     for (const { cli, openclawProvider, env } of passthroughDetection) {
@@ -205,6 +188,21 @@ function detectInstalledClis() {
             hint = `no key found (openclaw ${openclawProvider} profile or ${env})`;
         results.push({ cli, available, hint });
     }
+    // Kimi Coding: OAuth via kimi-cli (~/.kimi/credentials/kimi-code.json),
+    // or api_key fallback from openclaw / env. Listed separately so the hint
+    // can explain which path will actually be used at runtime.
+    const kimiOAuthPath = join(homedir(), ".kimi", "credentials", "kimi-code.json");
+    const hasKimiOAuth = existsSync(kimiOAuthPath);
+    const hasKimiKey = openclawApiKeyProviders.has("kimi") || !!process.env.KIMI_API_KEY;
+    results.push({
+        cli: "kimi-coding",
+        available: hasKimiOAuth || hasKimiKey,
+        hint: hasKimiOAuth
+            ? "kimi-cli OAuth token (~/.kimi/credentials/kimi-code.json)"
+            : hasKimiKey
+                ? "Kimi api_key (openclaw or KIMI_API_KEY env)"
+                : "no Kimi credential (run `kimi login` via kimi-cli, export KIMI_API_KEY, or `openclaw onboard --auth-choice kimi-code-api-key`)",
+    });
     // MiniMax: OAuth Coding Plan OR api_key fallback. List separately so the
     // hint can explain which path was detected.
     const hasMinimaxOauth = openclawProviders.has("minimax-portal");

package/dist/commands/relay.js

@@ -455,6 +455,10 @@ async function resolvePreflightFn(cli) {
             const { preflightMinimaxApi } = await import("../relay/upstream/minimax-api.js");
             return () => preflightMinimaxApi();
         }
+        case "kimi-coding": {
+            const { preflightKimiCodingApi } = await import("../relay/upstream/kimi-coding-api.js");
+            return () => preflightKimiCodingApi();
+        }
         default: {
             // Passthrough cli_type (zai / moonshot / kimi-coding / qwen-coding / openai).
             const { preflightPassthroughApi, getPassthroughSpec } = await import("../relay/upstream/passthrough-api.js");

package/dist/relay/provider.js

@@ -8,6 +8,7 @@ import { callCodexApi, callCodexApiPassthrough, preflightCodexApi, getRateGuardS
 import { callGeminiApi, preflightGeminiApi, getGeminiRateGuardSnapshot, } from "./upstream/gemini-api.js";
 import { callAntigravityApi, preflightAntigravityApi, getAntigravityRateGuardSnapshot, } from "./upstream/antigravity-api.js";
 import { callMinimaxApi, preflightMinimaxApi, getMinimaxRateGuardSnapshot, } from "./upstream/minimax-api.js";
+import { callKimiCodingApi, preflightKimiCodingApi, getKimiCodingRateGuardSnapshot, } from "./upstream/kimi-coding-api.js";
 import { callPassthroughApi, preflightPassthroughApi, getPassthroughRateGuardSnapshot, } from "./upstream/passthrough-api.js";
 // Side-effect import: registers all static-key passthrough specs at module
 // load time (zai, zai-coding, moonshot, kimi-coding, qwen-coding, openai).
@@ -29,6 +30,8 @@ function getRateGuardSnapshotForCli(cli) {
             return getAntigravityRateGuardSnapshot();
         case "minimax":
             return getMinimaxRateGuardSnapshot();
+        case "kimi-coding":
+            return getKimiCodingRateGuardSnapshot();
         case "api-key":
             // api-key multiplexes multiple internal specs; without model context
             // we can't pick one snapshot. Hub treats null as "no signal", which
@@ -363,6 +366,16 @@ async function executeRelayRequest(request, config, sendChunk) {
                     onRawEvent: sendChunk,
                 });
             }
+            else if (internalSpec === "kimi-coding") {
+                // OAuth-aware Kimi adapter — reads kimi-cli's local token store.
+                parsed = await callKimiCodingApi({
+                    prompt,
+                    passthroughBody: request.passthrough_body,
+                    model,
+                    maxTokens: max_budget_usd ? undefined : 8192,
+                    onRawEvent: sendChunk,
+                });
+            }
             else {
                 parsed = await callPassthroughApi({
                     cliType: internalSpec,
@@ -385,6 +398,16 @@ async function executeRelayRequest(request, config, sendChunk) {
                 onRawEvent: sendChunk,
             });
         }
+        else if (cliType === "kimi-coding") {
+            // Ditto — kept for direct probes. Production traffic arrives as "api-key".
+            parsed = await callKimiCodingApi({
+                prompt,
+                passthroughBody: request.passthrough_body,
+                model,
+                maxTokens: max_budget_usd ? undefined : 8192,
+                onRawEvent: sendChunk,
+            });
+        }
         else if (PASSTHROUGH_CLI_TYPES.has(cliType)) {
             // Same story — fine-grained cli_type path retained so local probe
             // scripts can target a specific spec without faking the Hub side.
@@ -515,6 +538,8 @@ function getPreflightFn(cliType) {
             return preflightAntigravityApi;
         case "minimax":
             return preflightMinimaxApi;
+        case "kimi-coding":
+            return preflightKimiCodingApi;
         case "api-key":
             // Credential validation for api-key happens lazily on first request —
             // we can't know which internal specs to preflight without the list of

package/dist/relay/upstream/kimi-coding-api.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Kimi Code (Moonshot Kimi Coding Plan) adapter.
+ *
+ * Supports three credential sources, in order of preference:
+ *
+ *   1. kimi-cli's native OAuth store at ~/.kimi/credentials/kimi-code.json
+ *      (populated by `kimi login`; refreshed against auth.kimi.com).
+ *   2. An OpenClaw api_key profile (provider="kimi") — static Bearer from
+ *      `openclaw onboard --auth-choice kimi-code-api-key`.
+ *   3. `KIMI_API_KEY` env var — static Bearer for providers who want to
+ *      ship their own key without involving kimi-cli or openclaw.
+ *
+ * Wire is OpenAI-compatible (/chat/completions + SSE), just like the
+ * moonshot / openai / zai passthrough specs. The wrinkles on top of
+ * vanilla passthrough are OAuth-specific:
+ *
+ *   - Token auto-refresh against https://auth.kimi.com/api/oauth/token
+ *     (standard OAuth2 refresh_token grant, client_id
+ *     17e5f671-d194-4dfb-9706-5516cb48c098 — same value the kimi-cli
+ *     public binary ships with).
+ *   - Refreshed tokens written back to the same file kimi-cli reads, so
+ *     our relay daemon and a concurrent `kimi` TUI on the same machine
+ *     stay in sync instead of fighting over token state.
+ *   - Moonshot-flavored fingerprint headers (X-Msh-Platform, -Version,
+ *     -Device-Id, etc.) — matches what a real kimi-cli sends so upstream
+ *     fraud detection doesn't flag relay traffic as unknown-client.
+ *     Device id is read from ~/.kimi/device_id; if the operator hasn't
+ *     run kimi-cli locally we synthesize one and persist it (same thing
+ *     kimi-cli does on first launch).
+ *
+ * Source of truth for all the above is
+ * https://github.com/MoonshotAI/kimi-cli/blob/main/src/kimi_cli/auth/oauth.py.
+ */
+import type { ParsedOutput, RelayRateGuardConfig } from "../types.js";
+import { RateGuard, RateGuardBudgetExceededError, RateGuardCooldownError } from "./rate-guard.js";
+export { RateGuardBudgetExceededError, RateGuardCooldownError };
+export declare function configureKimiCodingRateGuard(config?: RelayRateGuardConfig): void;
+export declare function getKimiCodingRateGuardSnapshot(): ReturnType<RateGuard["currentLoad"]> | null;
+export declare function preflightKimiCodingApi(config?: RelayRateGuardConfig): Promise<void>;
+export interface CallKimiCodingApiOptions {
+    prompt?: string;
+    passthroughBody?: Record<string, unknown>;
+    model: string;
+    maxTokens?: number;
+    onRawEvent?: (rawFrame: string) => void;
+}
+export declare function callKimiCodingApi(opts: CallKimiCodingApiOptions): Promise<ParsedOutput>;

package/dist/relay/upstream/kimi-coding-api.js

@@ -0,0 +1,395 @@
+/**
+ * Kimi Code (Moonshot Kimi Coding Plan) adapter.
+ *
+ * Supports three credential sources, in order of preference:
+ *
+ *   1. kimi-cli's native OAuth store at ~/.kimi/credentials/kimi-code.json
+ *      (populated by `kimi login`; refreshed against auth.kimi.com).
+ *   2. An OpenClaw api_key profile (provider="kimi") — static Bearer from
+ *      `openclaw onboard --auth-choice kimi-code-api-key`.
+ *   3. `KIMI_API_KEY` env var — static Bearer for providers who want to
+ *      ship their own key without involving kimi-cli or openclaw.
+ *
+ * Wire is OpenAI-compatible (/chat/completions + SSE), just like the
+ * moonshot / openai / zai passthrough specs. The wrinkles on top of
+ * vanilla passthrough are OAuth-specific:
+ *
+ *   - Token auto-refresh against https://auth.kimi.com/api/oauth/token
+ *     (standard OAuth2 refresh_token grant, client_id
+ *     17e5f671-d194-4dfb-9706-5516cb48c098 — same value the kimi-cli
+ *     public binary ships with).
+ *   - Refreshed tokens written back to the same file kimi-cli reads, so
+ *     our relay daemon and a concurrent `kimi` TUI on the same machine
+ *     stay in sync instead of fighting over token state.
+ *   - Moonshot-flavored fingerprint headers (X-Msh-Platform, -Version,
+ *     -Device-Id, etc.) — matches what a real kimi-cli sends so upstream
+ *     fraud detection doesn't flag relay traffic as unknown-client.
+ *     Device id is read from ~/.kimi/device_id; if the operator hasn't
+ *     run kimi-cli locally we synthesize one and persist it (same thing
+ *     kimi-cli does on first launch).
+ *
+ * Source of truth for all the above is
+ * https://github.com/MoonshotAI/kimi-cli/blob/main/src/kimi_cli/auth/oauth.py.
+ */
+import { readFileSync, writeFileSync, existsSync, mkdirSync, renameSync, } from "node:fs";
+import { join } from "node:path";
+import { homedir, hostname, platform as osPlatform, release as osRelease, arch as osArch, type as osType } from "node:os";
+import { randomUUID } from "node:crypto";
+import { fetch, ProxyAgent, setGlobalDispatcher } from "undici";
+import { relayLogger as logger } from "../logger.js";
+import { RateGuard, RateGuardBudgetExceededError, RateGuardCooldownError, } from "./rate-guard.js";
+import { calculateCost } from "../pricing.js";
+import { readOpenclawApiKeyProfile } from "./openclaw-creds.js";
+export { RateGuardBudgetExceededError, RateGuardCooldownError };
+// ── Constants sourced from kimi-cli's auth/oauth.py ──────────────────────
+const KIMI_CODE_CLIENT_ID = "17e5f671-d194-4dfb-9706-5516cb48c098";
+const KIMI_OAUTH_HOST = "https://auth.kimi.com";
+const KIMI_COD_BASE_URL = "https://api.kimi.com/coding/v1";
+const KIMI_SHARE_DIR = join(homedir(), ".kimi");
+const KIMI_CREDENTIALS_FILE = join(KIMI_SHARE_DIR, "credentials", "kimi-code.json");
+const KIMI_DEVICE_ID_FILE = join(KIMI_SHARE_DIR, "device_id");
+// Refresh proactively when within 5 minutes of expiry, matching kimi-cli's
+// MIN_REFRESH_THRESHOLD_SECONDS = 300.
+const REFRESH_SKEW_MS = 5 * 60 * 1000;
+// ── Dispatcher (HTTPS_PROXY support, same pattern as other adapters) ────
+let dispatcherConfigured = false;
+function configureDispatcher() {
+    if (dispatcherConfigured)
+        return;
+    const proxyUrl = process.env.HTTPS_PROXY ??
+        process.env.https_proxy ??
+        process.env.HTTP_PROXY ??
+        process.env.http_proxy;
+    if (proxyUrl) {
+        setGlobalDispatcher(new ProxyAgent(proxyUrl));
+        logger.info(`[kimi-coding] upstream proxy ${proxyUrl}`);
+    }
+    dispatcherConfigured = true;
+}
+// ── Device id (~/.kimi/device_id) ────────────────────────────────────────
+let cachedDeviceId = null;
+function getDeviceId() {
+    if (cachedDeviceId)
+        return cachedDeviceId;
+    try {
+        if (existsSync(KIMI_DEVICE_ID_FILE)) {
+            const raw = readFileSync(KIMI_DEVICE_ID_FILE, "utf-8").trim();
+            if (raw) {
+                cachedDeviceId = raw;
+                return raw;
+            }
+        }
+    }
+    catch (err) {
+        logger.warn(`[kimi-coding] failed to read device_id: ${err.message}`);
+    }
+    // First launch on this host — synthesize and persist the same way kimi-cli does.
+    const fresh = randomUUID().replace(/-/g, "");
+    try {
+        mkdirSync(KIMI_SHARE_DIR, { recursive: true });
+        writeFileSync(KIMI_DEVICE_ID_FILE, fresh, { encoding: "utf-8", mode: 0o600 });
+    }
+    catch (err) {
+        logger.warn(`[kimi-coding] failed to persist device_id: ${err.message}`);
+    }
+    cachedDeviceId = fresh;
+    return fresh;
+}
+// ── X-Msh-* fingerprint headers ──────────────────────────────────────────
+function asciiHeaderValue(value) {
+    // Node's undici rejects non-ASCII header values; kimi-cli falls back to a
+    // filtered substring too (see _ascii_header_value in oauth.py).
+    const ascii = value.replace(/[^\x20-\x7e]/g, "").trim();
+    return ascii || "unknown";
+}
+function commonMshHeaders() {
+    let deviceModel = osType();
+    if (osPlatform() === "darwin") {
+        deviceModel = `macOS ${osRelease()} ${osArch()}`;
+    }
+    else if (osPlatform() === "win32") {
+        deviceModel = `Windows ${osRelease()} ${osArch()}`;
+    }
+    else {
+        deviceModel = `${osType()} ${osRelease()} ${osArch()}`;
+    }
+    return {
+        "X-Msh-Platform": "kimi_cli",
+        "X-Msh-Version": asciiHeaderValue(process.env.KIMI_CLI_VERSION ?? "0.1.0"),
+        "X-Msh-Device-Name": asciiHeaderValue(hostname()),
+        "X-Msh-Device-Model": asciiHeaderValue(deviceModel),
+        "X-Msh-Os-Version": asciiHeaderValue(osRelease()),
+        "X-Msh-Device-Id": getDeviceId(),
+    };
+}
+// ── Credential I/O ───────────────────────────────────────────────────────
+function readCredentialsFile() {
+    if (!existsSync(KIMI_CREDENTIALS_FILE))
+        return null;
+    try {
+        const parsed = JSON.parse(readFileSync(KIMI_CREDENTIALS_FILE, "utf-8"));
+        if (!parsed.access_token || !parsed.refresh_token)
+            return null;
+        return parsed;
+    }
+    catch (err) {
+        logger.warn(`[kimi-coding] failed to parse ${KIMI_CREDENTIALS_FILE}: ${err.message}`);
+        return null;
+    }
+}
+function writeCredentialsFile(file) {
+    mkdirSync(join(KIMI_SHARE_DIR, "credentials"), { recursive: true });
+    const tmp = `${KIMI_CREDENTIALS_FILE}.tmp`;
+    writeFileSync(tmp, JSON.stringify(file, null, 2), { encoding: "utf-8", mode: 0o600 });
+    renameSync(tmp, KIMI_CREDENTIALS_FILE);
+}
+function loadCreds() {
+    // Preferred: ~/.kimi/credentials/kimi-code.json (OAuth).
+    const file = readCredentialsFile();
+    if (file) {
+        return {
+            source: "kimi-cli-file",
+            accessToken: file.access_token,
+            refreshToken: file.refresh_token,
+            expiresAt: file.expires_at * 1000, // s → ms
+            _rawFile: file,
+        };
+    }
+    // Fall back: OpenClaw api_key profile.
+    const apiKeyProfile = readOpenclawApiKeyProfile("kimi");
+    if (apiKeyProfile) {
+        logger.info(`[kimi-coding] using OpenClaw api_key fallback (profile=${apiKeyProfile.profileKey})`);
+        return {
+            source: "openclaw-apikey",
+            accessToken: apiKeyProfile.key,
+            expiresAt: Infinity,
+        };
+    }
+    // Last resort: env var.
+    const envKey = process.env.KIMI_API_KEY;
+    if (envKey && envKey.length > 0) {
+        return {
+            source: "env",
+            accessToken: envKey,
+            expiresAt: Infinity,
+        };
+    }
+    throw new Error(`Kimi Coding credentials not found (checked ${KIMI_CREDENTIALS_FILE}, ` +
+        `openclaw kimi api_key profile, and env KIMI_API_KEY). ` +
+        `Run \`kimi login\` (installs kimi-cli from pypi), \`openclaw onboard --auth-choice kimi-code-api-key\`, ` +
+        `or \`export KIMI_API_KEY=sk-...\`.`);
+}
+async function refreshUpstreamToken(refreshToken) {
+    const url = `${KIMI_OAUTH_HOST}/api/oauth/token`;
+    const body = new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: KIMI_CODE_CLIENT_ID,
+        refresh_token: refreshToken,
+    });
+    const resp = await fetch(url, {
+        method: "POST",
+        headers: {
+            accept: "application/json",
+            "content-type": "application/x-www-form-urlencoded",
+            ...commonMshHeaders(),
+        },
+        body: body.toString(),
+    });
+    if (!resp.ok) {
+        const text = await resp.text();
+        throw new Error(`Kimi token refresh failed: ${resp.status} ${text.slice(0, 300)}`);
+    }
+    const data = (await resp.json());
+    if (!data.access_token || !data.refresh_token) {
+        throw new Error("Kimi refresh response missing access_token / refresh_token");
+    }
+    const expiresIn = data.expires_in ?? 3600;
+    return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        expiresAt: Date.now() + expiresIn * 1000,
+        scope: data.scope,
+        tokenType: data.token_type,
+        expiresIn,
+    };
+}
+let cachedCreds = null;
+let refreshInflight = null;
+async function doRefreshAndPersist(current) {
+    if (current.source !== "kimi-cli-file" || !current.refreshToken || !current._rawFile) {
+        // Static-key sources don't refresh.
+        return current;
+    }
+    logger.info("[kimi-coding] refreshing OAuth token...");
+    const fresh = await refreshUpstreamToken(current.refreshToken);
+    // Persist first; see claude-api / codex-api rationale for
+    // "write-before-advance" to avoid two-tokens-in-flight hijack signal.
+    const updatedFile = {
+        access_token: fresh.accessToken,
+        refresh_token: fresh.refreshToken,
+        expires_at: Math.floor(fresh.expiresAt / 1000), // ms → s to match kimi-cli
+        scope: fresh.scope ?? current._rawFile.scope,
+        token_type: fresh.tokenType ?? current._rawFile.token_type ?? "Bearer",
+        expires_in: fresh.expiresIn ?? current._rawFile.expires_in,
+    };
+    try {
+        writeCredentialsFile(updatedFile);
+        logger.info(`[kimi-coding] ${KIMI_CREDENTIALS_FILE} updated`);
+    }
+    catch (err) {
+        logger.error(`[kimi-coding] CRITICAL: persist failed — keeping old token: ${err.message}`);
+        return current;
+    }
+    return {
+        source: "kimi-cli-file",
+        accessToken: fresh.accessToken,
+        refreshToken: fresh.refreshToken,
+        expiresAt: fresh.expiresAt,
+        _rawFile: updatedFile,
+    };
+}
+async function getFreshCreds() {
+    if (!cachedCreds) {
+        cachedCreds = loadCreds();
+    }
+    if (cachedCreds.source !== "kimi-cli-file") {
+        return cachedCreds;
+    }
+    if (Date.now() < cachedCreds.expiresAt - REFRESH_SKEW_MS) {
+        return cachedCreds;
+    }
+    if (!refreshInflight) {
+        const prior = cachedCreds;
+        refreshInflight = doRefreshAndPersist(prior).finally(() => {
+            refreshInflight = null;
+        });
+    }
+    cachedCreds = await refreshInflight;
+    return cachedCreds;
+}
+// ── Rate guard ───────────────────────────────────────────────────────────
+let rateGuard = null;
+export function configureKimiCodingRateGuard(config) {
+    rateGuard = new RateGuard(config
+        ? {
+            maxConcurrency: config.max_concurrency,
+            quietHoursMaxConcurrency: config.quiet_hours_max_concurrency,
+            quietHours: config.quiet_hours,
+            minRequestGapMs: config.min_request_gap_ms,
+            jitterMs: config.jitter_ms,
+            dailyBudgetUsd: config.daily_budget_usd,
+            maxRelayUtilization: config.max_relay_utilization,
+        }
+        : {});
+}
+export function getKimiCodingRateGuardSnapshot() {
+    return rateGuard ? rateGuard.currentLoad() : null;
+}
+// ── Preflight ────────────────────────────────────────────────────────────
+export async function preflightKimiCodingApi(config) {
+    configureDispatcher();
+    if (!rateGuard)
+        configureKimiCodingRateGuard(config);
+    const creds = await getFreshCreds();
+    const expLabel = creds.expiresAt === Infinity
+        ? "never"
+        : `${Math.floor((creds.expiresAt - Date.now()) / 1000)}s`;
+    logger.info(`[kimi-coding] preflight OK (source=${creds.source}, expires_in=${expLabel})`);
+}
+export async function callKimiCodingApi(opts) {
+    configureDispatcher();
+    if (!rateGuard)
+        configureKimiCodingRateGuard();
+    return rateGuard.run(() => doCall(opts));
+}
+async function doCall(opts) {
+    const creds = await getFreshCreds();
+    const baseUrl = (process.env.KIMI_CODE_BASE_URL ?? KIMI_COD_BASE_URL).replace(/\/+$/, "");
+    const body = opts.passthroughBody
+        ? { ...opts.passthroughBody, model: opts.model, stream: true }
+        : {
+            model: opts.model,
+            stream: true,
+            messages: [{ role: "user", content: opts.prompt ?? "" }],
+            ...(opts.maxTokens ? { max_tokens: opts.maxTokens } : {}),
+        };
+    const url = `${baseUrl}/chat/completions`;
+    const resp = await fetch(url, {
+        method: "POST",
+        headers: {
+            "content-type": "application/json",
+            accept: "text/event-stream",
+            authorization: `Bearer ${creds.accessToken}`,
+            ...commonMshHeaders(),
+        },
+        body: JSON.stringify(body),
+    });
+    if (!resp.ok) {
+        const text = await resp.text();
+        throw new Error(`kimi-coding upstream ${resp.status}: ${text.slice(0, 500)}`);
+    }
+    const reader = resp.body?.getReader();
+    if (!reader)
+        throw new Error("kimi-coding upstream returned empty body");
+    const decoder = new TextDecoder();
+    let buffered = "";
+    let text = "";
+    let usage;
+    let modelUsed = opts.model;
+    let sessionId = "";
+    for (;;) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        buffered += decoder.decode(value, { stream: true });
+        let sepIdx;
+        while ((sepIdx = buffered.indexOf("\n\n")) !== -1) {
+            const frame = buffered.slice(0, sepIdx);
+            buffered = buffered.slice(sepIdx + 2);
+            if (!frame.trim())
+                continue;
+            if (opts.onRawEvent)
+                opts.onRawEvent(`${frame}\n\n`);
+            for (const line of frame.split("\n")) {
+                if (!line.startsWith("data:"))
+                    continue;
+                const payload = line.slice(5).trim();
+                if (!payload || payload === "[DONE]")
+                    continue;
+                try {
+                    const parsed = JSON.parse(payload);
+                    if (parsed.model && !modelUsed)
+                        modelUsed = parsed.model;
+                    if (parsed.id && !sessionId)
+                        sessionId = parsed.id;
+                    for (const ch of parsed.choices ?? []) {
+                        const delta = ch.delta?.content ?? ch.message?.content;
+                        if (typeof delta === "string")
+                            text += delta;
+                    }
+                    if (parsed.usage)
+                        usage = parsed.usage;
+                }
+                catch {
+                    // ignore non-JSON / heartbeat frames
+                }
+            }
+        }
+    }
+    const inputTokens = usage?.prompt_tokens ?? 0;
+    const cacheReadTokens = usage?.prompt_tokens_details?.cached_tokens ?? 0;
+    const outputTokens = usage?.completion_tokens ?? 0;
+    const breakdown = calculateCost(modelUsed || opts.model, Math.max(0, inputTokens - cacheReadTokens), outputTokens, 0, cacheReadTokens);
+    return {
+        text,
+        sessionId,
+        usage: {
+            input_tokens: Math.max(0, inputTokens - cacheReadTokens),
+            output_tokens: outputTokens,
+            cache_creation_tokens: 0,
+            cache_read_tokens: cacheReadTokens,
+        },
+        model: modelUsed || opts.model,
+        costUsd: breakdown.apiCost,
+    };
+}

package/dist/relay/upstream/passthrough-specs.js

@@ -16,10 +16,23 @@ function envOr(name, fallback) {
     const v = process.env[name];
     return v && v.length > 0 ? v : fallback;
 }
-// ── Z.AI / GLM ────────────────────────────────────────────────────────────
-// Two coding-plan variants (global + cn) and two general-API variants,
-// all sharing the `zai` openclaw provider id and the `ZAI_API_KEY` env var.
-// cli_type is the only field distinguishing them on the relay side.
+// ── Design note: subscription-only catalog ───────────────────────────────
+//
+// clawmoney relay only supports upstreams where the provider is selling
+// *idle capacity from a fixed monthly subscription*. Pay-per-token API
+// keys (Moonshot Open Platform, generic Z.AI API, openai.com API, raw
+// DashScope) are deliberately NOT registered here: a provider would spend
+// real money per request while the buyer only pays 20% of the API price
+// (RELAY_DISCOUNT) — a guaranteed loss on every call. Keeping only
+// subscription-backed cli_types means every entry is actually usable.
+//
+// Anthropic follows the same rule: no "anthropic" api-key spec, only the
+// `claude` OAuth subscription path + `antigravity` (Google Ultra quota
+// that also serves Claude models).
+// ── Z.AI GLM Coding Plan ──────────────────────────────────────────────────
+// Z.AI sells a monthly Coding Plan subscription separately from their
+// token-priced general API. Only the subscription endpoint is routable
+// from clawmoney.
 registerPassthroughSpec({
     cliType: "zai-coding",
     openclawProvider: "zai",
@@ -28,37 +41,14 @@ registerPassthroughSpec({
     api: "openai-completions",
     label: "Z.AI Coding Plan",
 });
-registerPassthroughSpec({
-    cliType: "zai",
-    openclawProvider: "zai",
-    envVarName: "ZAI_API_KEY",
-    baseUrl: envOr("ZAI_BASE_URL", "https://api.z.ai/api/paas/v4"),
-    api: "openai-completions",
-    label: "Z.AI General",
-});
-// ── Moonshot / Kimi K2 ────────────────────────────────────────────────────
-registerPassthroughSpec({
-    cliType: "moonshot",
-    openclawProvider: "moonshot",
-    envVarName: "MOONSHOT_API_KEY",
-    baseUrl: envOr("MOONSHOT_BASE_URL", "https://api.moonshot.ai/v1"),
-    api: "openai-completions",
-    label: "Moonshot (Kimi K2)",
-});
-// Kimi Coding is a separate product from Moonshot's public API: different
-// key, different endpoint, different catalog. Per openclaw docs the keys
-// are not interchangeable.
-registerPassthroughSpec({
-    cliType: "kimi-coding",
-    openclawProvider: "kimi",
-    envVarName: "KIMI_API_KEY",
-    baseUrl: envOr("KIMI_CODING_BASE_URL", "https://api.moonshot.ai/v1"),
-    api: "openai-completions",
-    label: "Kimi Coding",
-});
+// kimi-coding + minimax are subscription-based too but have OAuth flows
+// that need refresh handling, so they ship as dedicated adapters
+// (kimi-coding-api.ts, minimax-api.ts) and are dispatched directly from
+// provider.ts rather than through this passthrough engine.
 // ── Qwen / Alibaba ModelStudio Coding Plan ────────────────────────────────
-// Qwen's OAuth free tier was killed 2026-04-15; paid usage goes through
-// the ModelStudio Coding Plan (BAILIAN_CODING_PLAN_API_KEY, OpenAI-compat).
+// Paid subscription (the OAuth free tier was killed 2026-04-15). Uses a
+// static BAILIAN_CODING_PLAN_API_KEY against an OpenAI-compat endpoint,
+// so it fits the passthrough engine cleanly.
 registerPassthroughSpec({
     cliType: "qwen-coding",
     openclawProvider: "qwen",
@@ -67,26 +57,17 @@ registerPassthroughSpec({
     api: "openai-completions",
     label: "Qwen Coding Plan",
 });
-// ── OpenAI API key (distinct from cli_type "codex" which uses subscription OAuth) ──
-registerPassthroughSpec({
-    cliType: "openai",
-    openclawProvider: "openai",
-    envVarName: "OPENAI_API_KEY",
-    baseUrl: envOr("OPENAI_BASE_URL", "https://api.openai.com/v1"),
-    api: "openai-completions",
-    label: "OpenAI API",
-});
 // Catalog of every cli_type served by the passthrough engine. Exported so
 // provider.ts can switch on membership in one line instead of per-cli-type
 // cases. These are INTERNAL cli_type names — the Hub sees all of them
 // under the single "api-key" cli_type (see `ApiKeyInternalRoute` below).
 export const PASSTHROUGH_CLI_TYPES = new Set([
     "zai-coding",
-    "zai",
-    "moonshot",
-    "kimi-coding",
     "qwen-coding",
-    "openai",
+    // Note: "kimi-coding" and "minimax" are NOT here — they have dedicated
+    // OAuth-aware adapters in kimi-coding-api.ts and minimax-api.ts.
+    // Pay-per-token cli_types (moonshot, zai, openai) were removed because
+    // they guarantee a loss to the provider under the flat RELAY_DISCOUNT.
 ]);
 // ── Hub-side cli_type mapping ─────────────────────────────────────────────
 //
@@ -112,8 +93,13 @@ export const HUB_CLI_TYPE_FOR_PASSTHROUGH = "api-key";
 export function hubCliTypeFor(internalCli) {
     if (PASSTHROUGH_CLI_TYPES.has(internalCli))
         return HUB_CLI_TYPE_FOR_PASSTHROUGH;
-    if (internalCli === "minimax")
+    // minimax + kimi-coding have dedicated adapters but still register as
+    // Hub-canonical "api-key" — to the Hub they're just Bearer-auth
+    // OpenAI-compat providers, the OAuth + refresh lives entirely in the
+    // daemon.
+    if (internalCli === "minimax" || internalCli === "kimi-coding") {
         return HUB_CLI_TYPE_FOR_PASSTHROUGH;
+    }
     // claude / codex / gemini / antigravity pass through unchanged.
     return internalCli;
 }
@@ -134,18 +120,12 @@ export function resolveSpecByModel(model) {
         return "minimax";
     if (model.startsWith("glm-") || model.startsWith("zai-"))
         return "zai-coding";
-    if (model.startsWith("kimi-k2"))
-        return "moonshot";
-    if (model === "kimi-code")
+    if (model.startsWith("kimi-k2") || model === "kimi-code")
         return "kimi-coding";
     if (model.startsWith("qwen"))
         return "qwen-coding";
-    // OpenAI API-key path serves the same gpt-* / o-series catalog the
-    // codex OAuth path does, but dispatch comes in under cli_type="api-key"
-    // so there's no ambiguity at this point — codex traffic never reaches
-    // the resolver.
-    if (model.startsWith("gpt-") || model === "o3" || model === "o4-mini") {
-        return "openai";
-    }
+    // Intentionally nothing for gpt-*/o3/o4-mini — codex OAuth subscription
+    // is the only sanctioned path; raw openai.com API-key passthrough was
+    // removed because the provider would lose money on every buyer request.
     return null;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawmoney",
-  "version": "0.17.5",
+  "version": "0.17.6",
   "description": "ClawMoney CLI -- Earn rewards with your AI agent",
   "type": "module",
   "bin": {

package/scripts/probe-relay-call.mjs

@@ -212,14 +212,12 @@ console.log(`mock upstream at ${MOCK_URL}`);
 console.log("");
 
 try {
-  // openclaw fixture supplies zai's key via api_key profile
-  await probePassthrough("zai-coding", "glm-5", "sk-zai-openclaw");
-  await probePassthrough("zai", "glm-4.7", "sk-zai-openclaw");
-  // others fall back to env
-  await probePassthrough("moonshot", "kimi-k2.5", "sk-moonshot-env");
-  await probePassthrough("kimi-coding", "kimi-code", "sk-kimi-env");
+  // Current subscription-only passthrough catalog:
+  //   zai-coding     ← openclaw api_key
+  //   qwen-coding    ← env var fallback
+  // (moonshot / zai general / openai were removed as pay-per-token.)
+  await probePassthrough("zai-coding",  "glm-5",        "sk-zai-openclaw");
   await probePassthrough("qwen-coding", "qwen3.6-plus", "sk-qwen-env");
-  await probePassthrough("openai", "gpt-5.4", "sk-openai-env");
 
   // minimax: fresh vs expired
   await probeMinimaxFresh();
@@ -229,12 +227,13 @@ try {
   // via model prefix. Covers each family the resolver handles.
   const dispatchCases = [
     { model: "glm-5",         expected: "zai-coding" },
-    { model: "kimi-k2.5",     expected: "moonshot" },
+    { model: "kimi-k2.5",     expected: "kimi-coding" },
     { model: "kimi-code",     expected: "kimi-coding" },
     { model: "qwen3.6-plus",  expected: "qwen-coding" },
     { model: "MiniMax-M2.7",  expected: "minimax" },
-    { model: "gpt-5.4",       expected: "openai" },
-    { model: "o4-mini",       expected: "openai" },
+    // gpt-* no longer mapped — the openai passthrough was removed.
+    { model: "gpt-5.4",       expected: null },
+    { model: "o4-mini",       expected: null },
     { model: "unknown-model", expected: null },
   ];
   let dispatchFails = 0;
@@ -255,15 +254,14 @@ try {
   // hubCliTypeFor collapses fine-grained → "api-key" and leaves legacy OAuth
   // cli_types untouched.
   const collapseCases = [
-    { internal: "zai-coding",  hub: "api-key" },
-    { internal: "moonshot",    hub: "api-key" },
-    { internal: "qwen-coding", hub: "api-key" },
-    { internal: "openai",      hub: "api-key" },
-    { internal: "minimax",     hub: "api-key" },
-    { internal: "claude",      hub: "claude" },
-    { internal: "codex",       hub: "codex" },
-    { internal: "gemini",      hub: "gemini" },
-    { internal: "antigravity", hub: "antigravity" },
+    { internal: "zai-coding",   hub: "api-key" },
+    { internal: "qwen-coding",  hub: "api-key" },
+    { internal: "kimi-coding",  hub: "api-key" },
+    { internal: "minimax",      hub: "api-key" },
+    { internal: "claude",       hub: "claude" },
+    { internal: "codex",        hub: "codex" },
+    { internal: "gemini",       hub: "gemini" },
+    { internal: "antigravity",  hub: "antigravity" },
   ];
   let collapseFails = 0;
   for (const { internal, hub } of collapseCases) {