Kimi (Moonshot) local API integration unreliable — needs first-class provider support

[fwends]

Problem

Kimi (Moonshot AI) local API integration via OpenClaw is unreliable and has never worked consistently as a custom provider. The user has kimi-coding configured as a custom OpenAI-compatible provider pointing at https://api.kimi.com/coding/v1, but:

Issues encountered:

1. 401 auth rejections — Kimi's API rejects requests from non-whitelisted clients. It only allows known coding CLIs (Kimi CLI, Claude Code, etc.) via User-Agent sniffing. We had to add a User-Agent: kimi-cli/1.0 header hack to work around this.

2. Token/JWT auth complexity — Kimi uses short-lived JWTs that auto-refresh via the Kimi CLI (~/.kimi/credentials/kimi-code.json). The API key in openclaw.json goes stale. The env var approach $(cat ~/.kimi/credentials/kimi-code.json | jq -r '.access_token') is fragile.

3. CLI backend as workaround — We set up a cliBackends.kimi entry that shells out to kimi --print -y -p, but this is a hacky workaround, not a real integration. It doesn't support streaming, tool use, or proper session management.

4. Model picker confusion — When searching for 'kimi' in /model, the user gets 296 models including dozens of Kimi variants from OpenRouter/groq/etc that aren't configured. The one that IS configured (kimi-coding/k2p5) is buried. (Separate issue filed: TUI model picker shows all 296 provider models instead of only user-configured ones #18816)

5. Agent spawning fails — Spawning a Kimi sub-agent via sessions_spawn with the API provider consistently fails with 401s. Only the CLI backend works, and only in non-interactive mode.

What would help:

• First-class Kimi provider support in OpenClaw (like Anthropic/OpenAI have), handling JWT refresh automatically
• Or better CLI backend integration — proper streaming, tool passthrough, session support for CLI-wrapped models
• Auth profile support for providers with rotating tokens (not just static API keys)
• Provider health checks — if a configured provider is returning 401s, surface that clearly instead of silent failures

Current workaround:

User runs kimi CLI directly in terminal. The OpenClaw integration has never reliably completed a request through the agent system.

Environment

• OpenClaw with custom kimi-coding provider
• Kimi CLI installed at ~/.local/bin/kimi
• macOS, Asia/Bangkok timezone

[steipete]

Status update against current main:

Already fixed on trunk for Moonshot/Kimi reliability:

• 3640484e2847fe495837e99d55092680ecf27639 — Moonshot developer-role compatibility normalization
• 9757d2bb646d1a1cd9ea9dd041054af6988372d7 — strict OpenAI-compatible turn-order normalization
• 15e32c7341ed5c8d4abe0c3eca38dc9f5165f56d — refresh Moonshot Kimi catalog capabilities
• 9bd04849ed05367da5f013b3bbca387e6490767d — detect Kimi model-token-limit overflow and fail clearly

Keeping this issue open as umbrella for any remaining first-class provider gaps that still reproduce on latest trunk/release.

[steipete]

Closing as mostly covered by the landed Kimi pass.

Landed SHAs:

• f93ca934988fdfd0fba3b9c9995f45ee01aac52b (cache-ttl eligibility for Moonshot/ZAI + OpenRouter refs)
• e02c470d5e06d6973695963208c0fe344137272d (Kimi web_search provider + config/schema wiring)
• 7837d23103da587937e52aa00d4bc3050553affd (Moonshot media video provider + runner override precedence fixes)
• ff0c40d367d7eb2072d2c972ec9654801bcc5746 (follow-up test fix)

What is now on main relevant to this integration cluster:

• Kimi-specific tooling path for web search.
• Kimi/Moonshot cache-ttl pruning support path.
• Moonshot media-understanding video provider path.

Given these landed changes, this umbrella Kimi integration item is mostly superseded.