fix(auth): kimi-coding pool base_url seeding + PKCE endpoint fallback

[teknium1]

Summary

Two auth reliability fixes:

1. kimi-coding credential pool seeds correct base_url (fixes #5561)

_seed_from_env() in credential_pool.py now calls _resolve_kimi_base_url() for kimi-coding, matching the runtime resolver logic in auth.py. Previously, sk-kimi- prefixed keys were seeded with the default api.moonshot.ai/v1 URL (from pconfig.inference_base_url), causing HTTP 401 on the first request. The pool would mark the entry exhausted, and the second request would bypass the pool and succeed via the runtime resolver.

2. PKCE OAuth token exchange uses endpoint fallback

The Hermes-native PKCE login flow (run_hermes_oauth_login_pure) now tries platform.claude.com first with console.anthropic.com fallback for the token exchange, consistent with refresh_anthropic_oauth_pure() which was fixed in PR #3246. The old _OAUTH_TOKEN_URL constant hardcoded only console.anthropic.com.

Test plan

• tests/test_credential_pool.py — 145 passed
• tests/test_api_key_providers.py — all passed
• tests/test_anthropic_adapter.py — 107 passed
• E2E verified: sk-kimi- key routes to api.kimi.com/coding/v1, legacy key stays on moonshot, env override wins
• E2E verified: _OAUTH_TOKEN_URLS list has platform.claude.com first, old constant removed

Related issues closed

• MiniMax (/anthropic) auth gets overridden by Anthropic token refresh, causing 401 #2374 — MiniMax auth override (already fixed on main)
• [Bug]: OAuth token refresh fails on headless gateway — wrong endpoint + no recovery, causing persistent 401s with Anthropic Max #2962 — OAuth refresh endpoint (fixed in fix(auth): migrate OAuth token refresh to platform.claude.com with fallback #3246, remaining PKCE inconsistency fixed here)
• PR fix(oauth): use platform.claude.com endpoint for token refresh + startup warning #2968 — superseded by fix(auth): migrate OAuth token refresh to platform.claude.com with fallback #3246
• Feature Request: Support multiple OAuth tokens with automatic fallback #933 — Multiple OAuth tokens with fallback (implemented by credential pool system)
• [Bug]: Telegram Auth Creds lost every few minutes #2783 — Telegram auth creds lost (addressed by 401 refresh system)
• [UX] Rate limit errors (429) should show user-friendly message with configurable retry instead of traceback #1826 — User-friendly 429 messages (already implemented)

[github-actions]

⚠️ Supply Chain Risk Detected

This PR contains patterns commonly associated with supply chain attacks. This does not mean the PR is malicious — but these patterns require careful human review before merging.

⚠️ WARNING: Outbound network calls (POST/PUT)

Outbound POST/PUT requests in new code could be data exfiltration. Verify the destination URLs are legitimate.

Matches (first 10):

46:+                with urllib.request.urlopen(req, timeout=15) as resp:

---

Automated scan triggered by supply-chain-audit. If this is a false positive, a maintainer can approve after manual review.

[teknium1]

Closing during PR triage — not pursuing this approach.