Add Kimi Code API usage source

[kiranmagic7]

Fixes #1412

Summary

• Add a Kimi .api source mode that reads KIMI_API_KEY, KIMI_CODE_API_KEY, or providers[].apiKey and calls GET /coding/v1/usages.
• Keep .auto user-friendly by trying the Kimi Code API key first, then falling back to the existing Kimi web cookie strategy.
• Add Settings UI source/API-key controls, config/env mapping, diagnose support, docs, and parser/config/settings regression tests.

Test plan

• swift test --filter KimiProviderTests --skip-update
• swift test --filter ProviderConfigEnvironmentTests --skip-update
• swift test --filter CLIConfigCommandTests --skip-update
• swift test --filter ProviderSettingsDescriptorTests --skip-update
• make check
• git diff --check
• swift test --skip-update ran the full suite and hit an unrelated StatusMenuSwitcherClickTests keyboard-navigation failure in the full-suite order; immediate isolated rerun passed with swift test --filter StatusMenuSwitcherClickTests --skip-update (19 tests passed).

No live Kimi account probe or browser/Keychain prompt was run; coverage is parser/config/settings/fetch-strategy level.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 11, 2026, 3:28 AM ET / 07:28 UTC.

Summary
Review failed before ClawSweeper could summarize the requested change.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Review metrics: none identified.

Merge readiness
Overall: 🌊 off-meta tidepool
Proof: 🌊 off-meta tidepool
Patch quality: 🌊 off-meta tidepool
Result: rating does not apply to this item.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• [P1] No close action taken because the review did not complete.

Maintainer options:

1. Decide the mitigation before merge
   Retry the Codex review after fixing the execution failure.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• [P1] Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Codex review notes: model internal, reasoning high; reviewed against 9015e94901c4.

Label changes

Label changes:

• add rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.

Label justifications:

• rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.

Evidence reviewed

What I checked:

• failure reason: codex execution failed.
• codex failure detail: Codex review failed for this PR with exit 1.
• codex stdout: Per-item Codex failure; continuing with the rest of the shard.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 966b807b0c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Fall back from invalid API keys in auto mode

In Auto mode, any stale or non-Code KIMI_API_KEY/saved apiKey makes the API strategy available, but a 401/403 is converted to KimiAPIError.invalidToken and this branch returns false, so the pipeline stops before trying valid manual/browser cookies. This especially affects users who already had KIMI_API_KEY for another Kimi/Moonshot integration and rely on the existing web-cookie Kimi provider; Auto no longer behaves as an API-then-web fallback unless the API failure is one of these narrower cases.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Avoid duplicating the Kimi coding path

When KIMI_CODE_BASE_URL or providers[].enterpriseHost is set to the documented Kimi Code base URL (https://api.kimi.com/coding/v1) or to a proxy that already exposes that base path, this appends another coding/v1/usages and requests /coding/v1/coding/v1/usages, so the API source fails only for configured/custom base URLs. Either normalize a full base URL or append only usages when the path already ends in /coding/v1.

Useful? React with 👍 / 👎.