Add LongCat usage provider #1697

Open
LeoLin990405 wants to merge 9 commits into steipete:main from LeoLin990405:feat/longcat-provider
@LeoLin990405 LeoLin990405 commented Jun 21, 2026

Contributor

What

Adds LongCat (Meituan) as a disabled-by-default usage provider, surfacing token quota (总额度) and fuel-pack balance (加油包) in the menu bar / Overview.

Why this is a cookie provider

LongCat's public OpenAI/Anthropic-compatible API (api.longcat.chat) exposes no usage/balance/quota endpoint: billing/usage paths return 404 and responses carry no useful rate-limit headers. Usage is only available from the web console (longcat.chat) session, so this mirrors the existing Kimi / MiniMax cookie providers.

Supported auth sources:

  • Manual Cookie: header via settings/env.
  • Automatic browser-cookie import for longcat.chat.

Auth and privacy boundary

Maintainer decision requested: this intentionally forwards the full longcat.chat cookie header because the Meituan-passport auth cookie name is undocumented. If that boundary is not acceptable, this should wait for a documented LongCat usage endpoint or a narrower supported auth token.

Current guardrails:

  • Provider is disabled by default.
  • Off disables web auth entirely, including lingering env cookies.
  • Manual only uses the pasted/manual cookie header and does not import browser cookies.
  • Browser import is limited to app runtime, user-initiated refreshes, and Auto cookie source.
  • LongCat Auto import defaults to Chrome-only on macOS to avoid probing unrelated browser stores/keychains.
  • user-current response bodies are never logged because they can include a session token and phone number.

Endpoints and mapping (verified against redacted live response shapes)

Endpoint                                        Fields used
GET /api/v1/user-current                        data.name (account)
GET /api/lc-platform/v1/tokenUsage              data.usage.{totalToken, usedToken, availableToken}
GET /api/lc-platform/v1/pending-fuel-packages   data.totalQuota + data.list[]

Mapping behavior:

  • Primary window = token quota used percent.
  • Secondary window = fuel-pack balance, with nearest expiry when available.
  • Missing/undecodable quota data leaves primary nil instead of rendering a fake 0% window.
  • Envelope auth failures from required user-current surface as invalid-session errors, so expired cookies prompt re-auth instead of an empty successful snapshot.

Review follow-up

Addressed Codex review findings:

  • Surfaced required envelope auth failures.
  • Removed the unreachable/nonexistent today-token path.
  • Routed env cookies through LongCatSettingsReader for lower-case alias and quote trimming.
  • Honored Off before env-cookie fallback.
  • Kept Manual from importing browser cookies.
  • Omitted the primary quota window when quota data is missing.
  • Changed LongCat Auto cookie import to Chrome-only by default.
  • Removed the release-owned changelog edit from this PR.

Wiring

.longcat added to UsageProvider / IconStyle, descriptor registry, settings snapshot + builder, implementation registry, logging categories, widget metadata, cost-usage scanner, debug-log switch, provider icon, docs/configuration.md provider-id list, and focused unit tests covering the redacted live response shapes and cookie-source behavior.

Testing

  • swift test --filter 'LongCat|BrowserCookieOrder' ✅ (28 tests)
  • make check
  • PR CI ✅ (changes, lint, Linux x64/arm64 builds, macOS shards 0-3, lint-build-test, GitGuardian)

clawsweeper Bot commented Jun 21, 2026


Codex review: found issues before merge. Reviewed July 3, 2026, 11:34 AM ET / 15:34 UTC.

Summary
The branch adds a disabled-by-default LongCat usage provider with manual/env/browser cookie auth, web-console quota and fuel-pack parsing, registration/settings/docs/icon wiring, and focused tests.

Reproducibility: yes, for the blocking review finding: source inspection of PR head shows LongCat defaults to ProviderHTTPClient.shared, while current main shows that shared client uses URLSessionConfiguration.default. No live Keychain or browser-cookie probe was run, consistent with AGENTS.md.

Review metrics: 2 noteworthy metrics.

  • Changed surface: 25 files, 1249 additions, 4 deletions. The provider touches shared registration, settings, widgets, docs, resources, fetching, and tests, so review spans more than one parser file.
  • Cookie provider added: 1 disabled-by-default provider. The PR introduces new web-cookie auth behavior, not only response parsing.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦞 diamond lobster
Patch quality: 🦪 silver shellfish
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Use an isolated cookie-free default transport for LongCat fetches.
  • Get explicit maintainer sign-off on full-cookie forwarding, or wait for a documented narrower credential.

Mantis proof suggestion
A redacted visual or live-session proof would still help maintainers judge the undocumented LongCat console endpoint and menu rendering path. A maintainer can ask Mantis to capture proof by posting this exact PR comment:

@openclaw-mantis visual task: verify CodexBar renders LongCat quota and fuel-pack values from a real longcat.chat session with private cookies/account details redacted.

Risk before merge

  • [P1] The PR forwards the full longcat.chat cookie jar because LongCat/Meituan does not document a narrower usage credential, so maintainers need to accept that auth boundary before merge.
  • [P1] The current default fetch transport can let LongCat Set-Cookie responses enter the shared provider URLSession boundary instead of staying limited to the explicit request Cookie header.
  • [P1] The quota endpoints are undocumented console endpoints, so response-shape drift remains a support risk even with focused parser tests and redacted live proof.

Maintainer options:

  1. Isolate LongCat transport (recommended)
    Before merge, give LongCat its own ephemeral cookie-free ProviderHTTPClient so web-console cookies are never stored or replayed through the shared provider session.
  2. Accept the full-cookie boundary
    After transport isolation, a maintainer can explicitly accept forwarding the full longcat.chat cookie jar while no documented narrower usage credential exists.
  3. Wait for a supported credential
    If full-cookie forwarding is not acceptable for core, pause or close the provider until LongCat exposes a documented usage endpoint or narrower auth token.

Next step before merge

  • [P2] Maintainer review is needed because a narrow transport hardening fix remains and the full-cookie auth boundary requires explicit product/security acceptance.

Security
Needs attention: The diff still needs cookie-transport isolation and maintainer acceptance of the full LongCat cookie boundary before merge.

Review findings

  • [P1] Use a cookie-free default transport — Sources/CodexBarCore/Providers/LongCat/LongCatUsageFetcher.swift:17
Review details

Best possible solution:

Use a Sakana-style ephemeral cookie-free default transport for LongCat, keep the provider disabled by default with Chrome-only user-initiated Auto import, and merge only after maintainer sign-off on full-cookie forwarding.

Do we have a high-confidence way to reproduce the issue?

Yes for the blocking review finding: source inspection of PR head shows LongCat defaults to ProviderHTTPClient.shared, while current main shows that shared client uses URLSessionConfiguration.default. No live Keychain or browser-cookie probe was run, consistent with AGENTS.md.

Is this the best way to solve the issue?

No: the provider direction is plausible and well-proven, but the implementation should first isolate LongCat cookies in a cookie-free transport and then get maintainer acceptance of the full-cookie auth boundary.

Full review comments:

  • [P1] Use a cookie-free default transport — Sources/CodexBarCore/Providers/LongCat/LongCatUsageFetcher.swift:17
    Defaulting to ProviderHTTPClient.shared sends the full longcat.chat cookie jar through the app-wide provider URLSession, whose default configuration keeps cookie handling enabled. A LongCat response can therefore store or replay web-console cookies outside the explicit request boundary; use a private ephemeral cookie-free transport like the merged Sakana provider before sending these cookies.
    Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.86

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 61ff93208255.

Label changes

Label justifications:

  • P2: This is a normal-priority new-provider improvement with concrete auth/privacy blockers before merge.
  • merge-risk: 🚨 auth-provider: The PR adds a provider that authenticates to LongCat by forwarding a full web-console cookie header.
  • merge-risk: 🚨 security-boundary: The current default LongCat fetch transport can let web-console cookies enter the shared provider URLSession boundary.
  • rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦞 diamond lobster and patch quality is 🦪 silver shellfish.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (live_output): The PR discussion includes redacted live output from a real app LongCat refresh showing Auto Chrome-only cookie import and rendered quota output, with private cookies/account details omitted.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR discussion includes redacted live output from a real app LongCat refresh showing Auto Chrome-only cookie import and rendered quota output, with private cookies/account details omitted.
Evidence reviewed

Security concerns:

  • [medium] Shared transport can retain LongCat cookies — Sources/CodexBarCore/Providers/LongCat/LongCatUsageFetcher.swift:17
    LongCat defaults to ProviderHTTPClient.shared, which uses default URLSession cookie handling; that is too broad for forwarding a full web-console cookie jar.
    Confidence: 0.86
  • [medium] Full web-console cookie forwarding needs sign-off — Sources/CodexBarCore/Providers/LongCat/LongCatCookieImporter.swift:22
    The provider intentionally forwards every longcat.chat cookie because the auth cookie name is undocumented, so maintainers need to accept that boundary or require a narrower credential.
    Confidence: 0.82

What I checked:

Likely related people:

  • steipete: Merged and authored the Sakana hardening PR that established the cookie-free transport pattern for web-console cookie providers. (role: recent adjacent owner; confidence: high; commits: 87635bcc755b, 38dbb1d71232, e9e5ff479f17; files: Sources/CodexBarCore/Providers/Sakana/SakanaUsageFetcher.swift)
  • LeoLin990405: Original contributor for the merged Sakana provider work and current LongCat branch, so they have direct history in the same cookie-provider area beyond this proposal alone. (role: adjacent provider contributor; confidence: medium; commits: 3585d1b2729a, 87635bcc755b; files: Sources/CodexBarCore/Providers/Sakana/SakanaUsageFetcher.swift, Sources/CodexBarCore/Providers/LongCat/LongCatUsageFetcher.swift)
  • serezha93: Introduced the shared ProviderHTTPClient transport seam used by LongCat's current default fetch path. (role: shared transport introducer; confidence: medium; commits: f62bb8c8d564; files: Sources/CodexBarCore/ProviderHTTPClient.swift)
  • Hinotobi: Authored the provider redirect-guard hardening that is adjacent to the remaining LongCat credential boundary concern. (role: credential redirect hardening contributor; confidence: medium; commits: 08c171b6b487; files: Sources/CodexBarCore/ProviderHTTPClient.swift)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
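
The transport isolation this review asks for, sketched with Foundation's URLSession as an added example (not code from the PR or from CodexBar). `makeCookieFreeConfiguration`, `makeConsoleRequest` and `isolationProblems` are hypothetical names, the `https://longcat.chat` base URL is assumed from the endpoints listed in the PR body, and the cookie value is a constructed placeholder.

```swift
import Foundation
#if canImport(FoundationNetworking)
import FoundationNetworking  // URLSession lives here on Linux
#endif

/// Hypothetical helper (not CodexBar's ProviderHTTPClient): a configuration
/// that neither stores Set-Cookie responses nor replays cookies by itself.
func makeCookieFreeConfiguration() -> URLSessionConfiguration {
    let config = URLSessionConfiguration.ephemeral
    config.httpCookieStorage = nil            // no jar for Set-Cookie to land in
    config.httpShouldSetCookies = false       // never attach stored cookies
    config.httpCookieAcceptPolicy = .never    // refuse cookies from responses
    config.urlCache = nil                     // no cached response bodies
    config.urlCredentialStorage = nil         // no shared credential store
    config.requestCachePolicy = .reloadIgnoringLocalCacheData
    return config
}

/// The explicit Cookie header is the only credential that leaves the process.
func makeConsoleRequest(url: URL, cookieHeader: String) -> URLRequest {
    var request = URLRequest(url: url)
    request.httpMethod = "GET"
    request.httpShouldHandleCookies = false   // per-request opt-out as well
    request.cachePolicy = .reloadIgnoringLocalCacheData
    request.setValue(cookieHeader, forHTTPHeaderField: "Cookie")
    request.setValue("application/json", forHTTPHeaderField: "Accept")
    return request
}

/// Lists the ways a configuration could retain or replay web-console cookies.
/// An empty result means the explicit request header is the whole boundary.
func isolationProblems(_ config: URLSessionConfiguration) -> [String] {
    var problems: [String] = []
    if config.httpCookieStorage != nil {
        problems.append("cookie storage attached (Set-Cookie can be stored)")
    }
    if config.httpShouldSetCookies {
        problems.append("session attaches stored cookies to requests")
    }
    if config.httpCookieAcceptPolicy != .never {
        problems.append("cookie accept policy is not .never")
    }
    if config.urlCache != nil {
        problems.append("URL cache attached (response bodies can be cached)")
    }
    if config.urlCredentialStorage != nil {
        problems.append("credential storage attached")
    }
    return problems
}

// Weak setting beside the corrected one: the default configuration is what
// the review says the shared client uses; the second is the isolated form.
let sharedStyle = URLSessionConfiguration.default
let isolated = makeCookieFreeConfiguration()

print("default configuration:")
for problem in isolationProblems(sharedStyle) { print("  - \(problem)") }
print("cookie-free configuration: \(isolationProblems(isolated).count) problem(s)")

// Build (but do not send) a request on the isolated session.
let session = URLSession(configuration: isolated)
let url = URL(string: "https://longcat.chat/api/lc-platform/v1/tokenUsage")!
let request = makeConsoleRequest(url: url, cookieHeader: "name=CONSTRUCTED_PLACEHOLDER")
print("request handles cookies automatically: \(request.httpShouldHandleCookies)")
session.invalidateAndCancel()
```

A unit test can call a check like `isolationProblems` on whatever configuration the provider's default transport is built from, so a later refactor back to a shared session fails the build instead of widening the cookie boundary silently.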

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1c5d176640

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatUsageFetcher.swift Outdated
Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatUsageFetcher.swift Outdated
@LeoLin990405 LeoLin990405 force-pushed the feat/longcat-provider branch from 1c5d176 to 0715e15 Compare June 21, 2026 13:58
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 🛠️ actively grinding The PR author has acted after the latest ClawSweeper review and work remains. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. and removed status: 🛠️ actively grinding The PR author has acted after the latest ClawSweeper review and work remains. labels Jun 21, 2026
@LeoLin990405 LeoLin990405 force-pushed the feat/longcat-provider branch from 0715e15 to 8a6c0b4 Compare June 21, 2026 14:22
LeoLin990405 added a commit to LeoLin990405/CodexBar that referenced this pull request Jun 23, 2026
Addresses Codex review on steipete#1697:
- user-current now propagates envelope auth failures (HTTP 200 + code
  401/403 -> .invalidSession) instead of swallowing them with try?, so
  expired cookies prompt re-auth rather than reporting an empty snapshot.
- Remove the never-assigned todayTokens / freeQuota fields and the
  unreachable tertiary 'Today' window; LongCat's tokenUsage is a quota
  snapshot with no per-day figure.
- Add envelope unit tests (invalid-session + success unwrap).
@LeoLin990405

Contributor Author

Thanks for the review — both P2s are addressed in 35076321:

  1. Invalid-session surfacing: user-current now propagates envelope auth failures (try instead of try?); .invalidSession is non-fallback, so expired cookies prompt re-auth instead of an empty snapshot.
  2. Unused today-token path — removed the never-assigned todayTokens/freeQuota fields and the unreachable tertiary window. LongCat's tokenUsage is a quota snapshot with no per-day figure.

On the cookie import using only the first session: that's intentional parity with the existing Kimi/MiniMax cookie providers (single-account balance read); happy to generalize if you'd prefer.

Behavior proof

The field mapping is not guessed — it's locked against live responses captured from a logged-in longcat.chat console session (the public api.longcat.chat key exposes no usage endpoint, hence the cookie path). Captured shapes (values neutralised):

GET /api/lc-platform/v1/tokenUsage

{ "code": 0, "message": "SUCCESS",
  "data": { "usage": { "totalToken": 500000, "usedToken": 0, "availableToken": 500000 },
            "extData": { "LongCat-Flash-Lite": { "totalToken": 50000000, "usedToken": 0 } } } }

GET /api/lc-platform/v1/pending-fuel-packages

{ "code": 0, "data": { "totalQuota": 0, "list": [] } }

GET /api/v1/user-current -> data.name (the body also carries a session token + phone, so it is never logged).

LongCatProviderTests asserts buildSnapshot against these exact shapes (quota %, fuel-pack sum + expiry, envelope invalid-session). Full swift test is green.

@codex review
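
The envelope handling described in the comment above (HTTP 200 with an inner auth code surfacing as an invalid session, and a quota percent that stays nil when usage is absent), as an added Swift example that is not the PR's code. All type and function names are hypothetical, the first sample body is the neutralised shape quoted above, and the other two bodies are constructed.

```swift
import Foundation

// Hypothetical error type for illustration; not the PR's own declarations.
enum ConsoleError: Error {
    case invalidSession                     // caller should prompt re-auth
    case api(code: Int, message: String?)   // any other non-zero envelope code
    case malformed                          // body is not a usable envelope
}

struct EnvelopeHeader: Decodable { let code: Int; let message: String? }
struct EnvelopeBody<T: Decodable>: Decodable { let data: T? }

struct TokenUsageData: Decodable {
    struct Usage: Decodable {
        let totalToken: Int
        let usedToken: Int
        let availableToken: Int
    }
    let usage: Usage?
}

/// Decodes the status fields first, so an auth failure is recognised even
/// when `data` is absent or has an unexpected shape, then decodes `data`.
func unwrapEnvelope<T: Decodable>(_ type: T.Type, from body: Data) throws -> T? {
    let decoder = JSONDecoder()
    guard let header = try? decoder.decode(EnvelopeHeader.self, from: body) else {
        throw ConsoleError.malformed
    }
    switch header.code {
    case 0:
        guard let payload = try? decoder.decode(EnvelopeBody<T>.self, from: body) else {
            throw ConsoleError.malformed
        }
        return payload.data
    case 401, 403:
        throw ConsoleError.invalidSession
    default:
        throw ConsoleError.api(code: header.code, message: header.message)
    }
}

/// Returns nil (no primary window) instead of a fake 0% when quota is unknown.
func usedPercent(_ usage: TokenUsageData.Usage?) -> Double? {
    guard let usage = usage, usage.totalToken > 0 else { return nil }
    let ratio = Double(usage.usedToken) / Double(usage.totalToken)
    return min(max(ratio, 0), 1) * 100
}

func describe(_ json: String) -> String {
    do {
        let data = try unwrapEnvelope(TokenUsageData.self, from: Data(json.utf8))
        if let percent = usedPercent(data?.usage) {
            return "primary window: \(percent)% used"
        }
        return "no primary window (quota missing)"
    } catch ConsoleError.invalidSession {
        return "invalid session: sign in again"
    } catch {
        return "error: \(error)"
    }
}

// Neutralised shape from the comment above.
let okBody = """
{ "code": 0, "message": "SUCCESS",
  "data": { "usage": { "totalToken": 500000, "usedToken": 0, "availableToken": 500000 },
            "extData": { "LongCat-Flash-Lite": { "totalToken": 50000000, "usedToken": 0 } } } }
"""
// Constructed: expired cookie, HTTP 200 with an inner auth code.
let expiredBody = #"{ "code": 401, "message": "constructed: not logged in" }"#
// Constructed: success envelope without usage figures.
let emptyBody = #"{ "code": 0, "message": "SUCCESS", "data": {} }"#

for body in [okBody, expiredBody, emptyBody] {
    print(describe(body))
}
```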

Cookie-based web provider for LongCat (Meituan) that surfaces console
token quota (总额度) and fuel-pack balance (加油包) by reading the
longcat.chat platform session, mirroring the Kimi/MiniMax cookie pattern.

Field mapping is locked against captured live responses:
- GET /api/v1/user-current        -> data.name
- GET /api/lc-platform/v1/tokenUsage          -> data.usage.{total,used,available}Token
- GET /api/lc-platform/v1/pending-fuel-packages -> data.totalQuota + data.list[]

The public API key path exposes no usage endpoint, so usage is read from
the web console session (all longcat.chat cookies are forwarded since the
Meituan passport cookie name is undocumented). The user-current body is
never logged (it carries a session token + phone).

Wires .longcat into the provider/icon enums, descriptor registry, settings
snapshot/builder, implementation registry, logging, widget, cost-usage and
debug switches; adds brand icon, docs provider-id list, CHANGELOG entry and
unit tests covering the live response shapes.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 35076321c6


Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatCookieHeader.swift Outdated
Comment thread CHANGELOG.md Outdated
@LeoLin990405 LeoLin990405 force-pushed the feat/longcat-provider branch from 3507632 to ba31d95 Compare June 23, 2026 04:01
Addresses Codex re-review on steipete#1697: resolveCookieOverride read
context.env["LONGCAT_MANUAL_COOKIE"] directly, bypassing
LongCatSettingsReader.cookieHeader(), so the lower-case
longcat_manual_cookie alias and quote-trimming never reached the env
fetch path for CLI/daemon users. Route the env value through the reader
first. (The P3 changelog 'today's token usage' wording was already
dropped during the rebase onto main.)
@LeoLin990405

Contributor Author

Re-review follow-up — both findings handled in 4110e2ae / the rebase:

  • Env cookie routing (P2): LongCatCookieHeader now resolves the env value via LongCatSettingsReader.cookieHeader(environment:), so the lower-case longcat_manual_cookie alias + quote-trimming apply on the env path. +regression test.
  • Changelog daily-token wording (P3): dropped during the rebase onto main (entry now reads "console token quota (总额度) and fuel-pack balance (加油包)").

Branch is rebased onto latest main, swift build + swift test green locally.

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4110e2ae18


Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatCookieHeader.swift
Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatProviderDescriptor.swift Outdated
Addresses Codex re-review on steipete#1697 (2 P2):
- Off now fully disables web auth: resolveCookieOverride returns nil when
  cookieSource is .off, so a lingering LONGCAT_MANUAL_COOKIE env value can
  no longer keep the web strategy available.
- Browser cookie/keychain import is gated to the Auto source only; Manual
  no longer silently falls back to a browser session when the pasted
  header is missing/invalid (it surfaces as unavailable instead).
- Add regression tests for the Off/Auto env-override gating.
@LeoLin990405

Contributor Author

Both cookie-source findings fixed in 670a9d25:

  • Off now fully disables web auth (env override gated in resolveCookieOverride).
  • Manual no longer silently browser-imports — browser/keychain fallback is Auto-only.

+2 regression tests. swift build + swift test green locally.

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 670a9d25df


Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatUsageSnapshot.swift Outdated
Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatProviderDescriptor.swift Outdated
@clawsweeper clawsweeper Bot added the merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. label Jun 24, 2026
@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels Jun 24, 2026
@LeoLin990405

Contributor Author

All Codex review threads have been addressed and resolved. PR body now documents the latest cookie-source guardrails, Chrome-only LongCat auto import default, missing-quota behavior, validation, and the maintainer auth/privacy decision point.

@codex review
@clawsweeper re-review

clawsweeper Bot commented Jun 24, 2026


🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. You're on a roll.

Reviewed commit: 5197371d69


@LeoLin990405

Contributor Author

@openclaw-mantis visual task: verify CodexBar renders LongCat quota and fuel-pack values from a real longcat.chat session with private cookies/account details redacted.

@LeoLin990405

Contributor Author

Redacted live behavior proof

Ran a local live proof against the current PR head (5197371d694e8283de0ee0120ab80c9dfceb19ac) using the LongCat provider path with:

  • runtime: app
  • interaction: userInitiated
  • cookie source: auto
  • import policy: macOS Chrome-only browser cookie import

No cookie values, auth tokens, account names, phone numbers, IPs, raw response bodies, or endpoint URLs are included below.

{
  "commit": "5197371d694e8283de0ee0120ab80c9dfceb19ac",
  "provider": "longcat",
  "runtime": "app",
  "interaction": "userInitiated",
  "cookieSource": "auto",
  "importPolicy": "macOS Chrome-only browser cookie import",
  "strategyAvailable": true,
  "fetchSource": "web",
  "identityPresent": true,
  "primaryRendered": true,
  "primaryUsedPercent": 0,
  "primaryDescription": "0/500000",
  "fuelPackEndpointObserved": true,
  "fuelPackEndpointTotalQuota": 0,
  "fuelPackEndpointPackageCount": 0,
  "fuelPackRendered": false,
  "timestamp": "2026-06-24T06:22:54Z"
}

Notes:

  • Quota rendering is visible through the primary usage window (0/500000, 0%).
  • The fuel-pack endpoint was reached successfully and returned total quota 0 with 0 active packages for this account, so no secondary fuel-pack window is rendered; that matches the current UsageSnapshot behavior.
  • The proof was generated with a temporary local test harness and then removed from the worktree; no proof-only code is part of this PR.

Maintainer sign-off still requested: this PR intentionally forwards the full longcat.chat cookie jar because the LongCat/Meituan auth cookie name is undocumented. Please confirm whether that boundary is acceptable while the provider remains disabled by default and Auto import is Chrome-only/user-initiated.

@clawsweeper re-review

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 24, 2026
@LeoLin990405

Contributor Author

Maintainer sign-off requested for the final ClawSweeper gate.

The remaining decision is whether CodexBar core accepts forwarding the full longcat.chat cookie jar for this disabled-by-default provider, given that LongCat/Meituan does not document a narrower usage credential. Current mitigations are:

  • provider disabled by default
  • Auto import is app-runtime + user-initiated only
  • Auto import defaults to Chrome-only on macOS
  • Manual/Off do not silently browser-import
  • user-current bodies are never logged
  • redacted live proof is now posted and ClawSweeper marked proof: sufficient

@steipete could you explicitly confirm whether this full-cookie boundary is acceptable for merge?

…id session

Resolves conflicts from the Sakana provider landing (steipete#1774) across the shared
provider-registration surfaces (UsageStore, CostUsageScanner, ProviderDescriptor,
Providers, widgets, docs/configuration.md) — both providers are now present and
the documented ID list is regenerated in enum order. CodexParserHash regenerated.

Also classify blocked 3xx redirects (e.g. an expired-cookie login redirect that
the shared transport's redirect guard drops) as .invalidSession instead of a
generic HTTP error, matching the hardening applied to Sakana in steipete#1774.
@LeoLin990405

Contributor Author

Rebased onto latest main and resolved the conflicts introduced by the Sakana provider landing in #1774 across the shared provider-registration surfaces (Providers, ProviderDescriptor, UsageStore, CostUsageScanner, widgets, and docs/configuration.md). Both providers now coexist; the documented ID list is regenerated in enum order and CodexParserHash is regenerated.

I also folded in the same hardening pattern #1774 applied to Sakana: a blocked 3xx response (e.g. an expired-cookie login redirect that the shared transport's redirect guard drops) is now classified as .invalidSession instead of a generic HTTP <code> error, so users see "sign in again" rather than "HTTP 302". The existing envelope surfaces invalid session on auth code test already covers LongCat's primary expired-session path (the Meituan envelope returns HTTP 200 with an inner code: 401); the 3xx guard is defense-in-depth.

swift build is clean and the affected suites pass locally — LongCatProviderTests, ConfigurationDocsProviderIDTests, ProviderIconResourcesTests, and CostUsage* (239 tests). The only failures in the full local run were the known wall-clock-timing flaky suites (CodexLoginRunner, Antigravity*Deadline, DeepSeek/CommandCode grace, SubprocessRunner) that slip under local CPU load; CI is the authoritative signal there.

Now that #1774 established that core accepts cookie-source providers, this should be ready for the final maintainer look. Happy to adjust anything to match the Sakana hardening bar.

…del/doubao-coding-plan conflicts)

Second conflict resolution after upstream landed Doubao Coding Plan (steipete#1841),
qoder, and crossmodel providers. Resolutions across the shared registration
surfaces (Providers enum + IconStyle + cookie-import props, ProviderDescriptor,
ProviderImplementationRegistry, UsageStore/CostUsageScanner switches,
docs/configuration.md regenerated in enum order) keep all providers; longcat
retained alongside qoder/crossmodel. CodexParserHash regenerated.
@LeoLin990405

Contributor Author

Rebased onto latest main — resolved the conflicts from the Doubao Coding Plan (#1841), Qoder, and CrossModel providers landing, so longcat now coexists with all of them (registration surfaces + docs/configuration.md regenerated in enum order, CodexParserHash regenerated). swift build is clean, focused suites pass (LongCat / ConfigurationDocs / ProviderIcon / CostUsage), and CI is green on the current head.

Maintainer edits are enabled on this branch, so feel free to push any hardening directly if that's easier than a round-trip. Ready when you are — thanks!

Address maintainer-bar nits before review:
- Thread an injectable ProviderHTTPTransport through fetchUsage/get (mirrors
  the Doubao fetcher) and add scripted-transport tests: 401/403 and blocked
  3xx login redirects surface as .invalidSession, and a full live-shaped
  response maps account + token quota + fuel pack.
- Pin fuel-pack parsing to the fields verified against live longcat.chat
  responses (availableToken / expireTime) instead of probing a speculative
  list of candidate key names.
@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. labels Jul 3, 2026
Labels

merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. proof: sufficient Contributor real behavior proof is sufficient. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.
