fix(kimi): dual-path auth detection (fixes #939)#942
Conversation
kimi-cli uses OAuth, not API keys. After `kimi login`, the credential file lives at ~/.kimi-code/credentials/kimi-code.json (access_token + refresh_token). Add 3-tier auth detection in buildKimiAuthEnv(): 1. CAT_CAFE_KIMI_API_KEY in callbackEnv (existing path) 2. CAT_CAFE_KIMI_OAUTH_TOKEN (new) 3. Native kimi-cli credential file (new) Fail fast with a clear hint when no auth is configured, instead of spawning kimi-cli and reporting exit-1 as '未识别的CLI错误'. Tests + CONTRIBUTING docs included.
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 94d4149940
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| const supportsThinking = | ||
| modelConfig.capabilities.includes('thinking') || | ||
| apiKeyEnv?.KIMI_MODEL_CAPABILITIES?.includes('thinking') === true; | ||
| authResult?.env.KIMI_MODEL_CAPABILITIES?.includes('thinking') === true; |
There was a problem hiding this comment.
Add model capabilities to the auth env type
This newly-added access will not compile because buildKimiAuthEnv() returns KimiAuthResult.env as KimiAuthEnv, and the KimiAuthEnv interface introduced in this patch does not declare KIMI_MODEL_CAPABILITIES. With the API package's TypeScript build/lint, this produces a property-missing error before the service can build; add the field to the interface or read capabilities from callbackEnv/modelConfig instead.
Useful? React with 👍 / 👎.
| // Fail fast if no auth is configured — see issue #939. | ||
| // Without auth, kimi-cli would still spawn and exit 1 with a | ||
| // generic "未识别的CLI错误" — clearer to surface the cause here. | ||
| if (!authResult) { |
There was a problem hiding this comment.
Honor accountEnv before failing Kimi auth
When a Kimi account provides credentials through the supported accountEnv path, such as an account envVars entry for KIMI_API_KEY, authResult is still null because it is built only from callbackEnv and the native file check. This fail-fast branch returns before the later env merge would pass accountEnv to the child process, so those previously valid account configurations now fail with “No Kimi auth configured” instead of launching the CLI.
Useful? React with 👍 / 👎.
|
Thanks for the quick PR. First-pass inbound gate result:
Blocking CI items from the Actions logs:
After you push the CI fix, we can review the current head. One note for the next review pass: the native OAuth path currently passes [砚砚/gpt-5.5🐾] |
|
Hi @enihcam — circling back on this PR after merging #944 (Kimi CLI binary fallback) into 1. P1 — TypeScript build (CI Build / Test (Public) / Test (Windows) all fail on this single issue)
export interface KimiAuthEnv {
KIMI_API_KEY?: string;
KIMI_BASE_URL?: string;
KIMI_MODEL_NAME?: string;
KIMI_MODEL_MAX_CONTEXT_SIZE?: string;
KIMI_CREDENTIALS_FILE?: string;
KIMI_MODEL_CAPABILITIES?: string; // ← add this line
}The cloud Codex bot inline P1 on 2. Lint — Biome formatting (CI Lint job)Run Biome write on the three files this PR touches: pnpm biome check \
packages/api/src/domains/cats/services/agents/providers/kimi-config.ts \
packages/api/src/domains/cats/services/agents/providers/KimiAgentService.ts \
packages/api/test/kimi-auth-env.test.js \
--writeThen commit the formatting changes. 3. Rebase against latest
|
| Item | Severity | Effort |
|---|---|---|
1. Add KIMI_MODEL_CAPABILITIES?: string to KimiAuthEnv |
P1 (CI blocker) | 1 line |
2. pnpm biome check ... --write |
P1 (Lint job) | 1 command |
3. Rebase against main post-#944 |
P1 (merge blocker) | medium, offer to help if blocking you |
4. Address accountEnv precedence (P2) |
P2 | small refactor |
| 5. Unlink #940 from closingIssuesReferences | wording | 1 click in sidebar |
No hurry — when you have time. Thanks for the careful 3-tier detection design; the body summary and KimiAuthKind priority ordering both read well.
[宪宪/opus-4.7🐾]
…art A) (#943) Refs #939 (part A only). The umbrella issue #939 stays open until parts B and C are also addressed. Inbound review chain (community PR by @enihcam, FIRST_TIME_CONTRIBUTOR; self-review API blocks formal state on shared maintainer account so comments are the trail): - 砚砚/gpt-5.5 code review pass on 7057a29 — provider_capability consumed only as system telemetry, multiple capabilities merge without clobbering, parsed.catId resolution matches existing patterns, useAgentMessages-* family 24 files / 276 tests pass - 宪宪/opus-4.7 second-pass APPROVED on 9b8a621 — metadata wording cleanup (fixes #939 → refs #939; status table corrected — #944 not #942 is the merged member of the #939 cluster); no code delta since 7057a29 (newer commits are pure merge-from-main commits) CI 5/5 pass: Build / Lint / Test (Public) / Test (Windows) / Directory Size Guard. Opensource-ops B Patch self-merge: 4 conditions all met (accepted #939, safe-cherry-pick scope, CI 5/5 green, no toolchain/security impact — web frontend telemetry rendering only). Thanks @enihcam for the careful F210-H1 pattern reuse and the targeted 5-case test file. Co-authored-by: enihcam <enihcam@users.noreply.github.com>
…653#939 part A) (zts212653#943) Refs zts212653#939 (part A only). The umbrella issue zts212653#939 stays open until parts B and C are also addressed. Inbound review chain (community PR by @enihcam, FIRST_TIME_CONTRIBUTOR; self-review API blocks formal state on shared maintainer account so comments are the trail): - 砚砚/gpt-5.5 code review pass on 7057a29 — provider_capability consumed only as system telemetry, multiple capabilities merge without clobbering, parsed.catId resolution matches existing patterns, useAgentMessages-* family 24 files / 276 tests pass - 宪宪/opus-4.7 second-pass APPROVED on 9b8a621 — metadata wording cleanup (fixes zts212653#939 → refs zts212653#939; status table corrected — zts212653#944 not zts212653#942 is the merged member of the zts212653#939 cluster); no code delta since 7057a29 (newer commits are pure merge-from-main commits) CI 5/5 pass: Build / Lint / Test (Public) / Test (Windows) / Directory Size Guard. Opensource-ops B Patch self-merge: 4 conditions all met (accepted zts212653#939, safe-cherry-pick scope, CI 5/5 green, no toolchain/security impact — web frontend telemetry rendering only). Thanks @enihcam for the careful F210-H1 pattern reuse and the targeted 5-case test file. Co-authored-by: enihcam <enihcam@users.noreply.github.com>
…653#939 part A) (zts212653#943) Refs zts212653#939 (part A only). The umbrella issue zts212653#939 stays open until parts B and C are also addressed. Inbound review chain (community PR by @enihcam, FIRST_TIME_CONTRIBUTOR; self-review API blocks formal state on shared maintainer account so comments are the trail): - 砚砚/gpt-5.5 code review pass on 7057a29 — provider_capability consumed only as system telemetry, multiple capabilities merge without clobbering, parsed.catId resolution matches existing patterns, useAgentMessages-* family 24 files / 276 tests pass - 宪宪/opus-4.7 second-pass APPROVED on 9b8a621 — metadata wording cleanup (fixes zts212653#939 → refs zts212653#939; status table corrected — zts212653#944 not zts212653#942 is the merged member of the zts212653#939 cluster); no code delta since 7057a29 (newer commits are pure merge-from-main commits) CI 5/5 pass: Build / Lint / Test (Public) / Test (Windows) / Directory Size Guard. Opensource-ops B Patch self-merge: 4 conditions all met (accepted zts212653#939, safe-cherry-pick scope, CI 5/5 green, no toolchain/security impact — web frontend telemetry rendering only). Thanks @enihcam for the careful F210-H1 pattern reuse and the targeted 5-case test file. Co-authored-by: enihcam <enihcam@users.noreply.github.com>
Summary
Adds a 3-tier auth-detection layer for the Kimi CLI agent.
buildKimiAuthEnv()now falls back to kimi-cli's native OAuth credential file before failing,
which matches how
kimiactually authenticates afterkimi login.Closes #939.
Problem
In invocation
d608187d-1aba-43...-b84ea7d25da3, a user with a fresh kimi-cliOAuth login hit:
Root cause: the old
buildApiKeyEnv()only checkedCAT_CAFE_KIMI_API_KEY. kimi-cli is OAuth-first — afterkimi loginit storesaccess_token + refresh_tokenat~/.kimi-code/credentials/kimi-code.json.The service then spawned
kimi --api-key ""and reported exit-1 as a vague"未识别的CLI错误", with no hint about what to do.
Changes
packages/api/src/domains/cats/services/agents/providers/kimi-config.tsKimiAuthKind,KimiAuthEnv,KimiAuthResult,buildKimiAuthEnv()packages/api/src/domains/cats/services/agents/providers/KimiAgentService.ts--modelonly whenkind === 'native'packages/api/test/kimi-auth-env.test.jsCONTRIBUTING.mdAuth priority
buildKimiAuthEnv()returns one of:'api_key'—CAT_CAFE_KIMI_API_KEYis set incallbackEnv→ passes
--api-key $token(existing path, unchanged behavior)'oauth_token'—CAT_CAFE_KIMI_OAUTH_TOKENis set incallbackEnv→ exports
KIMI_OAUTH_TOKEN=$token(new env-only path)'native'— neither env var, but~/.kimi-code/credentials/kimi-code.jsonexists→ exports
KIMI_OAUTH_TOKEN=$(jq -r .access_token <creds)and refreshautomatically; passes
--model $KIMI_MODEL_NAMEso kimi uses the rightpreset (it only reads OAuth-mode defaults from a non-existent api key)
null— none of the above → fail-fast with hint:Test results
Test command (after
pnpm install):Behavior change (call out in review)
process is spawned. This is a strict improvement; the legacy
"spawn and ignore exit code" path is gone for kimi specifically.
Compatibility
buildApiKeyEnvis replaced bybuildKimiAuthEnvinKimiAgentService.ts; same return shape minus theapiKeyfield, plus akind: 'api_key' | 'oauth_token' | 'native'discriminator and a
credentialFilePathfor'native'.buildApiKeyEnv(verified viagit grep buildApiKeyEnv).KIMI_AUTH_TOKENquota-only path in env-registry is unchanged.Checklist
jq -r .access_tokenextractionon macOS (jq is preinstalled on macOS via Xcode CLT, confirmed
by 铲屎官 on their dev box)
Related
all provider CLIs (not just kimi). This PR does not fix Kimi CLI invocation exits 1 — capability detection misreports as error #940; it
fixes the immediate kimi case.