Skip to content

Add Kimi K2 usage dashboard shortcut#1919

Open
joeVenner wants to merge 7 commits into
steipete:mainfrom
joeVenner:feat/kimi-k2-dashboard
Open

Add Kimi K2 usage dashboard shortcut#1919
joeVenner wants to merge 7 commits into
steipete:mainfrom
joeVenner:feat/kimi-k2-dashboard

Conversation

@joeVenner

@joeVenner joeVenner commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Summary

  • expose Kimi K2 in the Usage Dashboard submenu
  • link the dashboard action to https://kimi-k2.ai/api/user/credits, the same host/path the credits fetcher polls

Proof

Deterministic test run on this branch (no network, no credentials):

$ swift test --disable-sandbox --filter 'MenuDescriptorKimiK2Tests|ProviderMetadataStatusLinkTests'
✔ Test "kimi K2 metadata identifies the unofficial provider and its dashboard" passed
✔ Test "kimi K2 menu exposes the usage dashboard action" passed
✔ Test run with 3 tests in 2 suites passed.

Open question for the maintainer — please advise

The linked URL is the authenticated API endpoint that KimiK2UsageFetcher polls with Authorization: Bearer <apiKey>. The menu's openDashboard action opens it in a browser via NSWorkspace with no auth headers, so a no-auth request returns HTTP 401 (confirmed by curl). The shortcut may still work for a user logged into kimi-k2.ai in their browser (cookie auth), but it is not a confirmed human-readable credits page.

This also reverts the deliberate decision in #967 to keep KimiK2 dashboardURL nil, to avoid presenting the unofficial kimi-k2.ai endpoint as an official surface. docs/kimi-k2.md recommends the Moonshot/Kimi provider for the official billing surface, and an earlier Codex review suggested https://kimrel.com/my-credits as the human usage page. I could not verify the correct browser URL without a live account, so I'm flagging rather than guessing. Options:

  1. Keep https://kimi-k2.ai/api/user/credits (works only for cookie-authenticated browser sessions).
  2. Switch to https://kimrel.com/my-credits (the human page suggested by the Codex review).
  3. Revert dashboardURL to nil (preserves the Clarify unofficial Kimi K2 provider #967 decision — no shortcut).

Codex review follow-up

The earlier review flagged a host mismatch (dashboard vs. fetcher host). The descriptor and metadata both point at https://kimi-k2.ai/api/user/credits, matching KimiK2UsageFetcher.creditsURL, and the metadata test was aligned to that value (it was stale at https://kimi-k2.ai/ and failing).

Testing

  • swift test --disable-sandbox --filter 'MenuDescriptorKimiK2Tests|ProviderMetadataStatusLinkTests' (3 passed)
  • swift build clean

@clawsweeper

clawsweeper Bot commented Jul 5, 2026

Copy link
Copy Markdown

Codex review: needs real behavior proof before merge. Reviewed July 6, 2026, 6:07 PM ET / 22:07 UTC.

Summary
The branch sets Kimi K2 metadata to expose https://kimi-k2.ai/api/user/credits as a Usage Dashboard URL, adds a MenuDescriptor test, updates metadata assertions, and edits CHANGELOG.md.

Reproducibility: yes. for the PR defect: source shows Usage Dashboard opens metadata URLs directly through NSWorkspace, the Kimi K2 docs require a bearer API key for this endpoint, and a no-auth request returns HTTP 401 JSON. I did not run the native app because this is a read-only review.

Review metrics: 2 noteworthy metrics.

  • Diff Surface: 4 files changed, +49/-3. The small patch still spans provider metadata, menu descriptor coverage, metadata assertions, and release-owned notes.
  • Live Proof: 0 live artifacts; tests/build output only. The changed behavior is a native menu action plus browser landing, so unit tests do not prove the user-visible path.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🦪 silver shellfish
Patch quality: 🧂 unranked krab
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Replace the API endpoint with a maintainer-approved browser dashboard URL or keep Kimi K2 dashboardURL nil.
  • [P1] Add redacted live proof showing the Kimi K2 Usage Dashboard item and the final browser landing after selecting it.
  • Remove the release-owned CHANGELOG.md entry unless a release owner asks for it.

Proof guidance:

  • [P1] Needs real behavior proof before merge: The PR body provides focused test/build output but no redacted live CodexBar menu and browser-destination proof; after adding proof, updating the PR body should trigger a fresh review, or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

  • [P1] Merging now would show a Usage Dashboard item that opens a raw JSON credits API endpoint; a browser-style unauthenticated request returns HTTP 401.
  • [P1] The change reverses the merged Kimi K2 clarification that kept the unofficial legacy endpoint from being presented as an official account surface.
  • [P1] The PR body has focused test/build output but no redacted live CodexBar menu and final browser landing proof for the proposed shortcut.
  • [P1] The branch edits release-owned CHANGELOG.md, which should stay out of normal feature PRs unless a release owner asks for it.

Maintainer options:

  1. Keep Kimi K2 Dashboard Disabled (recommended)
    Remove the dashboardURL change, menu test, and changelog entry so the unofficial API-only provider keeps current behavior.
  2. Repair As Browser Dashboard
    Replace the API endpoint with a maintainer-approved browser dashboard URL, keep focused tests, and require live menu/browser proof.
  3. Accept API Endpoint Behavior
    Merge only if maintainers intentionally want Usage Dashboard to open the raw Kimi K2 credits API endpoint despite the 401 no-auth browser result.

Next step before merge

  • [P1] A maintainer needs to decide whether the unofficial Kimi K2 provider should expose any dashboard shortcut and which browser-safe URL is acceptable before automation can safely repair the branch.

Maintainer decision needed

  • Question: Should CodexBar expose a Usage Dashboard action for the legacy unofficial Kimi K2 provider, and what browser-safe URL should it use if so?
  • Rationale: Current main intentionally removed this dashboard surface, and the proposed URL is the bearer-token API endpoint rather than a proven human dashboard.
  • Likely owner: steipete — This decision crosses provider product boundary, shared dashboard behavior, and release-owned changelog policy, all of which route most strongly to steipete in current history.
  • Options:
    • Keep Shortcut Disabled (recommended): Preserve the current nil dashboardURL for Kimi K2 until a real browser dashboard is identified and approved.
    • Approve Browser-Safe Shortcut: Allow the shortcut only after the PR uses a proven browser dashboard URL, aligns tests, removes the release-owned changelog edit, and provides live menu/browser proof.
    • Accept Raw API Shortcut: Maintainers may intentionally expose the API endpoint, but users should expect unauthenticated browser opens to fail without custom auth handling.

Security
Cleared: The diff adds a hard-coded HTTPS URL, tests, and release-note text; it does not change dependencies, scripts, secrets handling, credential storage, or package execution paths.

Review findings

  • [P1] Don't open the API endpoint as a dashboard — Sources/CodexBarCore/Providers/KimiK2/KimiK2ProviderDescriptor.swift:24
  • [P3] Remove the release-owned changelog edit — CHANGELOG.md:32
Review details

Best possible solution:

Keep Kimi K2 dashboardURL nil unless maintainers approve a proven browser-safe credits page; if approved, align the descriptor/tests and leave release notes in the PR body unless release owners request a changelog edit.

Do we have a high-confidence way to reproduce the issue?

Yes for the PR defect: source shows Usage Dashboard opens metadata URLs directly through NSWorkspace, the Kimi K2 docs require a bearer API key for this endpoint, and a no-auth request returns HTTP 401 JSON. I did not run the native app because this is a read-only review.

Is this the best way to solve the issue?

No as submitted; the shared metadata seam is the right implementation point only if there is a maintainer-approved browser dashboard URL. The current value is the API endpoint and lacks live proof of a usable dashboard landing.

Full review comments:

  • [P1] Don't open the API endpoint as a dashboard — Sources/CodexBarCore/Providers/KimiK2/KimiK2ProviderDescriptor.swift:24
    The shared Usage Dashboard action opens this metadata URL directly in the browser, but Kimi K2 documents this path as an API endpoint requiring Authorization: Bearer <api key>. A no-auth request returns HTTP 401 JSON, so users would get an API error rather than a dashboard; keep this nil or use a proven browser-safe URL.
    Confidence: 0.95
  • [P3] Remove the release-owned changelog edit — CHANGELOG.md:32
    This repo treats CHANGELOG.md as release-owned, so normal feature PRs should keep release-note context in the PR body or commits unless release owners ask for an entry.
    Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.94

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 63c69fdcc47f.

Label changes

Label justifications:

  • P3: This is an optional shortcut for an unofficial provider with limited blast radius, not a regression in usage fetching or core app availability.
  • merge-risk: 🚨 other: Green tests cannot settle whether this unofficial provider should expose a browser dashboard action or whether the external API URL is a usable user-facing destination.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🦪 silver shellfish and patch quality is 🧂 unranked krab.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body provides focused test/build output but no redacted live CodexBar menu and browser-destination proof; after adding proof, updating the PR body should trigger a fresh review, or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.
Evidence reviewed

What I checked:

Likely related people:

  • steipete: Current-main blame for shared dashboard/menu action paths points to Peter Steinberger, and prior Kimi K2 wiring and release-note history also route through this account. (role: recent area contributor and release owner; confidence: high; commits: a3454640cf53, a5fb02b7d0f2, 76ff4ad294cd; files: Sources/CodexBar/StatusItemController+Actions.swift, Sources/CodexBar/MenuDescriptor.swift, CHANGELOG.md)
  • mturac: Merged clarification work in Clarify unofficial Kimi K2 provider #967 removed the Kimi K2 dashboard URL and added the metadata assertion this PR changes. (role: provider metadata/docs contributor; confidence: high; commits: 5391950070f9, bf4424bb7ff8; files: Sources/CodexBarCore/Providers/KimiK2/KimiK2ProviderDescriptor.swift, Tests/CodexBarTests/ProviderMetadataStatusLinkTests.swift, docs/kimi-k2.md)
  • 0-CYBERDYNE-SYSTEMS-0: The original Kimi K2 provider PR introduced the provider descriptor, fetcher, settings wiring, tests, and docs that define the legacy credits endpoint behavior. (role: original provider contributor; confidence: medium; commits: eade57bfde35, 54d2c6dbf6f7; files: Sources/CodexBarCore/Providers/KimiK2/KimiK2ProviderDescriptor.swift, Sources/CodexBarCore/Providers/KimiK2/KimiK2UsageFetcher.swift, Sources/CodexBar/Providers/KimiK2/KimiK2ProviderImplementation.swift)
  • joeVenner: Separate merged Kimi K2 usage-fetcher fixes on current main make this author relevant beyond this PR proposal. (role: recent Kimi K2 usage contributor; confidence: medium; commits: b00797537dbf, 4fe943fd2a69; files: Sources/CodexBarCore/Providers/KimiK2/KimiK2UsageFetcher.swift, Tests/CodexBarTests/KimiK2UsageFetcherTests.swift)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (6 earlier review cycles)
  • reviewed 2026-07-05T16:19:46.362Z sha 9bfd638 :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-05T16:39:10.801Z sha 038e0b0 :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-05T16:45:58.609Z sha 038e0b0 :: needs real behavior proof before merge. :: [P2] Point the shortcut at the credits page
  • reviewed 2026-07-05T16:51:01.638Z sha 038e0b0 :: needs real behavior proof before merge. :: [P2] Point the shortcut at a credit dashboard
  • reviewed 2026-07-06T19:19:41.631Z sha 0555e45 :: needs real behavior proof before merge. :: [P1] Don't open the API endpoint as a dashboard | [P2] Keep the metadata URL assertions consistent | [P3] Remove the release-owned changelog edit
  • reviewed 2026-07-06T21:45:46.525Z sha 1a753da :: needs real behavior proof before merge. :: [P1] Don't open the API endpoint as a dashboard | [P3] Remove the release-owned changelog edit

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9bfd6389b9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread Sources/CodexBarCore/Providers/KimiK2/KimiK2ProviderDescriptor.swift Outdated
@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. labels Jul 5, 2026
@joeVenner joeVenner changed the title Add Kimi K2 dashboard link Add Kimi K2 usage dashboard shortcut Jul 5, 2026
@joeVenner

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@joeVenner

Copy link
Copy Markdown
Contributor Author

@codex review

@clawsweeper

clawsweeper Bot commented Jul 5, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 038e0b0be3

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

usesAccountFallback: false,
browserCookieOrder: nil,
dashboardURL: nil,
dashboardURL: "https://kimi-k2.ai/",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Point Kimi K2 dashboard at the credits page

The new menu action opens this URL directly through dashboardURL(for:), but the Kimi K2/Kimrel API docs list usage tracking at /my-credits (https://kimrel.com/my-credits). With https://kimi-k2.ai/, the “Usage Dashboard” shortcut lands on the marketing/home page instead of the credit dashboard, so users still have to navigate manually to see the balance this provider tracks.

Useful? React with 👍 / 👎.

@joeVenner

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@joeVenner

Copy link
Copy Markdown
Contributor Author

@openclaw-mantis visual task: verify Kimi K2 shows Usage Dashboard in CodexBar and opens https://kimrel.com/ via https://kimi-k2.ai/.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. merge-risk: 🚨 other 🚨 Merging this PR has meaningful risk outside the owned taxonomy. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. labels Jul 5, 2026
@joeVenner

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jul 6, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@joeVenner

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jul 6, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@joeVenner

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

joeVenner added 2 commits July 6, 2026 22:28
The descriptor was updated to https://kimi-k2.ai/api/user/credits but this
expectation was left at the prior https://kimi-k2.ai/ value, so the suite
failed after the dashboard URL change.
The committed proof image was a 1x1 placeholder, not real evidence.
Executable test output in the PR description replaces it.
@joeVenner

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jul 6, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 other 🚨 Merging this PR has meaningful risk outside the owned taxonomy. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant