Skip to content

Add LongCat usage provider#1697

Open
LeoLin990405 wants to merge 10 commits into
steipete:mainfrom
LeoLin990405:feat/longcat-provider
Open

Add LongCat usage provider#1697
LeoLin990405 wants to merge 10 commits into
steipete:mainfrom
LeoLin990405:feat/longcat-provider

Conversation

@LeoLin990405

@LeoLin990405 LeoLin990405 commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

What

Adds LongCat (Meituan) as a disabled-by-default usage provider, surfacing token quota (总额度) and fuel-pack balance (加油包) in the menu bar / Overview.

Why this is a cookie provider

LongCat's public OpenAI/Anthropic-compatible API (api.longcat.chat) exposes no usage/balance/quota endpoint: billing/usage paths return 404 and responses carry no useful rate-limit headers. Usage is only available from the web console (longcat.chat) session, so this mirrors the existing Kimi / MiniMax cookie providers.

Supported auth sources:

  • Manual Cookie: header via settings/env.
  • Automatic browser-cookie import for longcat.chat.

Auth and privacy boundary

Maintainer decision requested: this intentionally forwards the full longcat.chat cookie header because the Meituan-passport auth cookie name is undocumented. If that boundary is not acceptable, this should wait for a documented LongCat usage endpoint or a narrower supported auth token.

Current guardrails:

  • Provider is disabled by default.
  • Off disables web auth entirely, including lingering env cookies.
  • Manual only uses the pasted/manual cookie header and does not import browser cookies.
  • Browser import is limited to app runtime, user-initiated refreshes, and Auto cookie source.
  • LongCat Auto import defaults to Chrome-only on macOS to avoid probing unrelated browser stores/keychains.
  • user-current response bodies are never logged because they can include a session token and phone number.

Endpoints and mapping (verified against redacted live response shapes)

Endpoint Fields used
GET /api/v1/user-current data.name (account)
GET /api/lc-platform/v1/tokenUsage data.usage.{totalToken, usedToken, availableToken}
GET /api/lc-platform/v1/pending-fuel-packages data.totalQuota + data.list[]

Mapping behavior:

  • Primary window = token quota used percent.
  • Secondary window = fuel-pack balance, with nearest expiry when available.
  • Missing/undecodable quota data leaves primary nil instead of rendering a fake 0% window.
  • Envelope auth failures from required user-current surface as invalid-session errors, so expired cookies prompt re-auth instead of an empty successful snapshot.

Review follow-up

Addressed Codex review findings:

  • Surfaced required envelope auth failures.
  • Removed the unreachable/nonexistent today-token path.
  • Routed env cookies through LongCatSettingsReader for lower-case alias and quote trimming.
  • Honored Off before env-cookie fallback.
  • Kept Manual from importing browser cookies.
  • Omitted the primary quota window when quota data is missing.
  • Changed LongCat Auto cookie import to Chrome-only by default.
  • Removed the release-owned changelog edit from this PR.

Wiring

.longcat added to UsageProvider / IconStyle, descriptor registry, settings snapshot + builder, implementation registry, logging categories, widget metadata, cost-usage scanner, debug-log switch, provider icon, docs/configuration.md provider-id list, and focused unit tests covering the redacted live response shapes and cookie-source behavior.

Testing

  • swift test --filter 'LongCat|BrowserCookieOrder' ✅ (28 tests)
  • make check
  • PR CI ✅ (changes, lint, Linux x64/arm64 builds, macOS shards 0-3, lint-build-test, GitGuardian)

@clawsweeper

clawsweeper Bot commented Jun 21, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed July 7, 2026, 5:20 AM ET / 09:20 UTC.

Summary
The branch adds a disabled-by-default LongCat cookie-based usage provider with settings, browser-cookie import, quota/fuel-pack parsing, icon/docs/widget/registry wiring, and focused tests.

Reproducibility: not applicable. this is a provider feature PR rather than a bug report. The changed behavior is source-reviewable through the new fetcher/settings code and the posted redacted live-output proof.

Review metrics: 2 noteworthy metrics.

  • Provider integration size: 25 files changed, +1262/-4. The branch touches shared provider registration, settings, docs, widgets, icon resources, fetcher code, and tests, so maintainers should review it as a full provider addition.
  • New auth surface: 1 cookie-based provider added. LongCat introduces browser/manual cookie handling and session forwarding that need explicit security-boundary acceptance.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: needs maintainer review before merge.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Get explicit maintainer sign-off to accept the full-cookie LongCat boundary, or revise the provider around a documented narrower credential.

Risk before merge

  • [P1] Merging accepts a new core auth-provider path that forwards the full imported longcat.chat cookie header because LongCat/Meituan does not document a narrower usage credential.
  • [P1] The console response mapping is pinned to live but undocumented endpoints, so future LongCat web-console changes may break usage display even though focused tests cover the captured shapes.

Maintainer options:

  1. Accept the cookie boundary before merge (recommended)
    A maintainer can explicitly approve the full-cookie LongCat provider with its current disabled-by-default and isolated-transport guardrails.
  2. Block until a narrow credential exists
    Pause or close this PR if core should not forward a whole browser session cookie jar for LongCat usage data.
  3. Request extra user-facing consent copy
    If maintainers accept the boundary but want stronger UX disclosure, ask for a focused settings warning before merge.

Next step before merge

  • [P2] No mechanical repair remains; the next action is human sign-off on the LongCat auth/privacy boundary.

Maintainer decision needed

  • Question: Should CodexBar core accept a disabled-by-default LongCat provider that forwards the full longcat.chat cookie header to LongCat console endpoints because no narrower documented usage credential is available?
  • Rationale: The implementation guardrails are now in place, but deciding whether full browser-session cookie forwarding is acceptable is a security/product boundary choice rather than a mechanical code-review issue.
  • Likely owner: steipete — He is the tagged repository owner and authored the adjacent merged Sakana cookie-provider hardening that this PR mirrors.
  • Options:
    • Accept guarded full-cookie provider (recommended): Approve the current boundary with the existing mitigations: disabled by default, Manual/Off semantics, user-initiated Chrome-only Auto import, no user-current body logging, and isolated cookie-free transport.
    • Require a narrower credential: Ask the contributor to remove or defer the provider until LongCat exposes a documented usage endpoint or named auth token that avoids forwarding the whole cookie jar.
    • Keep as external/custom-provider work: Decline a first-class provider for now and steer this demand toward a future custom-provider or plugin-style surface once that exists.

Security
Needs attention: No narrow code exploit was found, but merge needs maintainer acceptance of the new full-cookie auth boundary.

Review details

Best possible solution:

Merge only after a maintainer explicitly accepts the full-cookie boundary for this disabled-by-default provider; otherwise park LongCat until a documented narrower credential or usage endpoint exists.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a provider feature PR rather than a bug report. The changed behavior is source-reviewable through the new fetcher/settings code and the posted redacted live-output proof.

Is this the best way to solve the issue?

Unclear until maintainer sign-off: the implementation now matches the hardened cookie-provider pattern and resolves the prior transport issue, but full-cookie forwarding must be accepted or rejected as a product/security boundary.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 46edb383c0ac.

Label changes

Label changes:

  • add rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR includes redacted live output from a real app-runtime LongCat Auto refresh showing identity present and quota rendered, with private cookies/account details omitted.
  • remove rating: 🦪 silver shellfish: Current PR rating is rating: 🦐 gold shrimp, so this older rating label is no longer current.
  • remove status: ⏳ waiting on author: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

  • P2: This is a normal-priority optional provider addition with meaningful auth/security review surface but no urgent current-user regression.
  • merge-risk: 🚨 auth-provider: The PR adds a new provider route that resolves manual/env/browser cookies and uses them for LongCat usage fetching.
  • merge-risk: 🚨 security-boundary: The PR intentionally forwards the full longcat.chat cookie header because LongCat does not document a narrower auth token.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR includes redacted live output from a real app-runtime LongCat Auto refresh showing identity present and quota rendered, with private cookies/account details omitted.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR includes redacted live output from a real app-runtime LongCat Auto refresh showing identity present and quota rendered, with private cookies/account details omitted.
Evidence reviewed

Security concerns:

  • [medium] Full LongCat cookie forwarding needs sign-off — Sources/CodexBarCore/Providers/LongCat/LongCatCookieImporter.swift:22
    The importer builds a request Cookie header from every longcat.chat cookie because the auth cookie name is undocumented; even with disabled-by-default and Chrome-only/user-initiated guardrails, that is a sensitive session boundary maintainers must explicitly accept.
    Confidence: 0.86

What I checked:

Likely related people:

  • steipete: Repository owner was explicitly asked for sign-off, authored the merged Sakana cookie-provider hardening, and current main blame shows the adjacent cookie-free transport pattern under his commits. (role: likely decision owner; confidence: high; commits: 87635bcc755b, a83a83fa4131; files: Sources/CodexBarCore/Providers/Sakana/SakanaUsageFetcher.swift, Sources/CodexBarCore/ProviderHTTPClient.swift)
  • LeoLin990405: The author carried the LongCat branch and was credited in related merged Sakana provider context, making them the best implementation follow-up owner if maintainers request changes. (role: adjacent provider contributor; confidence: medium; commits: 39b5b5af1cb2; files: Sources/CodexBarCore/Providers/LongCat/LongCatUsageFetcher.swift, Sources/CodexBarCore/Providers/LongCat/LongCatCookieImporter.swift, Tests/CodexBarTests/LongCatProviderTests.swift)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (1 earlier review cycle)
  • reviewed 2026-07-03T15:34:31.836Z sha ef5d28e :: found issues before merge. :: [P1] Use a cookie-free default transport

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1c5d176640

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatUsageFetcher.swift Outdated
Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatUsageFetcher.swift Outdated
@LeoLin990405 LeoLin990405 force-pushed the feat/longcat-provider branch from 1c5d176 to 0715e15 Compare June 21, 2026 13:58
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 🛠️ actively grinding The PR author has acted after the latest ClawSweeper review and work remains. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. and removed status: 🛠️ actively grinding The PR author has acted after the latest ClawSweeper review and work remains. labels Jun 21, 2026
@LeoLin990405 LeoLin990405 force-pushed the feat/longcat-provider branch from 0715e15 to 8a6c0b4 Compare June 21, 2026 14:22
LeoLin990405 added a commit to LeoLin990405/CodexBar that referenced this pull request Jun 23, 2026
Addresses Codex review on steipete#1697:
- user-current now propagates envelope auth failures (HTTP 200 + code
  401/403 -> .invalidSession) instead of swallowing them with try?, so
  expired cookies prompt re-auth rather than reporting an empty snapshot.
- Remove the never-assigned todayTokens / freeQuota fields and the
  unreachable tertiary 'Today' window; LongCat's tokenUsage is a quota
  snapshot with no per-day figure.
- Add envelope unit tests (invalid-session + success unwrap).
@LeoLin990405

Copy link
Copy Markdown
Contributor Author

Thanks for the review — both P2s are addressed in 35076321:

  1. Invalid-session surfacinguser-current now propagates envelope auth failures (try instead of try?); .invalidSession is non-fallback, so expired cookies prompt re-auth instead of an empty snapshot.
  2. Unused today-token path — removed the never-assigned todayTokens/freeQuota fields and the unreachable tertiary window. LongCat's tokenUsage is a quota snapshot with no per-day figure.

On the cookie import using only the first session: that's intentional parity with the existing Kimi/MiniMax cookie providers (single-account balance read); happy to generalize if you'd prefer.

Behavior proof

The field mapping is not guessed — it's locked against live responses captured from a logged-in longcat.chat console session (the public api.longcat.chat key exposes no usage endpoint, hence the cookie path). Captured shapes (values neutralised):

GET /api/lc-platform/v1/tokenUsage

{ "code": 0, "message": "SUCCESS",
  "data": { "usage": { "totalToken": 500000, "usedToken": 0, "availableToken": 500000 },
            "extData": { "LongCat-Flash-Lite": { "totalToken": 50000000, "usedToken": 0 } } } }

GET /api/lc-platform/v1/pending-fuel-packages{ "code": 0, "data": { "totalQuota": 0, "list": [] } }
GET /api/v1/user-currentdata.name (the body also carries a session token + phone, so it is never logged).

LongCatProviderTests asserts buildSnapshot against these exact shapes (quota %, fuel-pack sum + expiry, envelope invalid-session). Full swift test is green.

@codex review

Cookie-based web provider for LongCat (Meituan) that surfaces console
token quota (总额度) and fuel-pack balance (加油包) by reading the
longcat.chat platform session, mirroring the Kimi/MiniMax cookie pattern.

Field mapping is locked against captured live responses:
- GET /api/v1/user-current        -> data.name
- GET /api/lc-platform/v1/tokenUsage          -> data.usage.{total,used,available}Token
- GET /api/lc-platform/v1/pending-fuel-packages -> data.totalQuota + data.list[]

The public API key path exposes no usage endpoint, so usage is read from
the web console session (all longcat.chat cookies are forwarded since the
Meituan passport cookie name is undocumented). The user-current body is
never logged (it carries a session token + phone).

Wires .longcat into the provider/icon enums, descriptor registry, settings
snapshot/builder, implementation registry, logging, widget, cost-usage and
debug switches; adds brand icon, docs provider-id list, CHANGELOG entry and
unit tests covering the live response shapes.
Addresses Codex review on steipete#1697:
- user-current now propagates envelope auth failures (HTTP 200 + code
  401/403 -> .invalidSession) instead of swallowing them with try?, so
  expired cookies prompt re-auth rather than reporting an empty snapshot.
- Remove the never-assigned todayTokens / freeQuota fields and the
  unreachable tertiary 'Today' window; LongCat's tokenUsage is a quota
  snapshot with no per-day figure.
- Add envelope unit tests (invalid-session + success unwrap).

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 35076321c6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatCookieHeader.swift Outdated
Comment thread CHANGELOG.md Outdated
@LeoLin990405 LeoLin990405 force-pushed the feat/longcat-provider branch from 3507632 to ba31d95 Compare June 23, 2026 04:01
Addresses Codex re-review on steipete#1697: resolveCookieOverride read
context.env["LONGCAT_MANUAL_COOKIE"] directly, bypassing
LongCatSettingsReader.cookieHeader(), so the lower-case
longcat_manual_cookie alias and quote-trimming never reached the env
fetch path for CLI/daemon users. Route the env value through the reader
first. (The P3 changelog 'today's token usage' wording was already
dropped during the rebase onto main.)
@LeoLin990405

Copy link
Copy Markdown
Contributor Author

Re-review follow-up — both findings handled in 4110e2ae / the rebase:

  • Env cookie routing (P2): LongCatCookieHeader now resolves the env value via LongCatSettingsReader.cookieHeader(environment:), so the lower-case longcat_manual_cookie alias + quote-trimming apply on the env path. +regression test.
  • Changelog daily-token wording (P3): dropped during the rebase onto main (entry now reads "console token quota (总额度) and fuel-pack balance (加油包)").

Branch is rebased onto latest main, swift build + swift test green locally.

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4110e2ae18

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatCookieHeader.swift
Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatProviderDescriptor.swift Outdated
Addresses Codex re-review on steipete#1697 (2 P2):
- Off now fully disables web auth: resolveCookieOverride returns nil when
  cookieSource is .off, so a lingering LONGCAT_MANUAL_COOKIE env value can
  no longer keep the web strategy available.
- Browser cookie/keychain import is gated to the Auto source only; Manual
  no longer silently falls back to a browser session when the pasted
  header is missing/invalid (it surfaces as unavailable instead).
- Add regression tests for the Off/Auto env-override gating.
@LeoLin990405

Copy link
Copy Markdown
Contributor Author

Both cookie-source findings fixed in 670a9d25:

  • Off now fully disables web auth (env override gated in resolveCookieOverride).
  • Manual no longer silently browser-imports — browser/keychain fallback is Auto-only.

+2 regression tests. swift build + swift test green locally.

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 670a9d25df

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatUsageSnapshot.swift Outdated
Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatProviderDescriptor.swift Outdated
@clawsweeper clawsweeper Bot added the merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. label Jun 24, 2026
@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels Jun 24, 2026
@LeoLin990405

Copy link
Copy Markdown
Contributor Author

All Codex review threads have been addressed and resolved. PR body now documents the latest cookie-source guardrails, Chrome-only LongCat auto import default, missing-quota behavior, validation, and the maintainer auth/privacy decision point.

@codex review
@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 24, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. You're on a roll.

Reviewed commit: 5197371d69

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@LeoLin990405

Copy link
Copy Markdown
Contributor Author

@openclaw-mantis visual task: verify CodexBar renders LongCat quota and fuel-pack values from a real longcat.chat session with private cookies/account details redacted.

@LeoLin990405

Copy link
Copy Markdown
Contributor Author

Redacted live behavior proof

Ran a local live proof against the current PR head (5197371d694e8283de0ee0120ab80c9dfceb19ac) using the LongCat provider path with:

  • runtime: app
  • interaction: userInitiated
  • cookie source: auto
  • import policy: macOS Chrome-only browser cookie import

No cookie values, auth tokens, account names, phone numbers, IPs, raw response bodies, or endpoint URLs are included below.

{
  "commit": "5197371d694e8283de0ee0120ab80c9dfceb19ac",
  "provider": "longcat",
  "runtime": "app",
  "interaction": "userInitiated",
  "cookieSource": "auto",
  "importPolicy": "macOS Chrome-only browser cookie import",
  "strategyAvailable": true,
  "fetchSource": "web",
  "identityPresent": true,
  "primaryRendered": true,
  "primaryUsedPercent": 0,
  "primaryDescription": "0/500000",
  "fuelPackEndpointObserved": true,
  "fuelPackEndpointTotalQuota": 0,
  "fuelPackEndpointPackageCount": 0,
  "fuelPackRendered": false,
  "timestamp": "2026-06-24T06:22:54Z"
}

Notes:

  • Quota rendering is visible through the primary usage window (0/500000, 0%).
  • The fuel-pack endpoint was reached successfully and returned total quota 0 with 0 active packages for this account, so no secondary fuel-pack window is rendered; that matches the current UsageSnapshot behavior.
  • The proof was generated with a temporary local test harness and then removed from the worktree; no proof-only code is part of this PR.

Maintainer sign-off still requested: this PR intentionally forwards the full longcat.chat cookie jar because the LongCat/Meituan auth cookie name is undocumented. Please confirm whether that boundary is acceptable while the provider remains disabled by default and Auto import is Chrome-only/user-initiated.

@clawsweeper re-review

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 24, 2026
@LeoLin990405

Copy link
Copy Markdown
Contributor Author

Maintainer sign-off requested for the final ClawSweeper gate.

The remaining decision is whether CodexBar core accepts forwarding the full longcat.chat cookie jar for this disabled-by-default provider, given that LongCat/Meituan does not document a narrower usage credential. Current mitigations are:

  • provider disabled by default
  • Auto import is app-runtime + user-initiated only
  • Auto import defaults to Chrome-only on macOS
  • Manual/Off do not silently browser-import
  • user-current bodies are never logged
  • redacted live proof is now posted and ClawSweeper marked proof: sufficient

@steipete could you explicitly confirm whether this full-cookie boundary is acceptable for merge?

…id session

Resolves conflicts from the Sakana provider landing (steipete#1774) across the shared
provider-registration surfaces (UsageStore, CostUsageScanner, ProviderDescriptor,
Providers, widgets, docs/configuration.md) — both providers are now present and
the documented ID list is regenerated in enum order. CodexParserHash regenerated.

Also classify blocked 3xx redirects (e.g. an expired-cookie login redirect that
the shared transport's redirect guard drops) as .invalidSession instead of a
generic HTTP error, matching the hardening applied to Sakana in steipete#1774.
@LeoLin990405

Copy link
Copy Markdown
Contributor Author

Rebased onto latest main and resolved the conflicts introduced by the Sakana provider landing in #1774 across the shared provider-registration surfaces (Providers, ProviderDescriptor, UsageStore, CostUsageScanner, widgets, and docs/configuration.md). Both providers now coexist; the documented ID list is regenerated in enum order and CodexParserHash is regenerated.

I also folded in the same hardening pattern #1774 applied to Sakana: a blocked 3xx response (e.g. an expired-cookie login redirect that the shared transport's redirect guard drops) is now classified as .invalidSession instead of a generic HTTP <code> error, so users see "sign in again" rather than "HTTP 302". The existing envelope surfaces invalid session on auth code test already covers LongCat's primary expired-session path (the Meituan envelope returns HTTP 200 with an inner code: 401); the 3xx guard is defense-in-depth.

swift build is clean and the affected suites pass locally — LongCatProviderTests, ConfigurationDocsProviderIDTests, ProviderIconResourcesTests, and CostUsage* (239 tests). The only failures in the full local run were the known wall-clock-timing flaky suites (CodexLoginRunner, Antigravity*Deadline, DeepSeek/CommandCode grace, SubprocessRunner) that slip under local CPU load; CI is the authoritative signal there.

Now that #1774 established that core accepts cookie-source providers, this should be ready for the final maintainer look. Happy to adjust anything to match the Sakana hardening bar.

…del/doubao-coding-plan conflicts)

Second conflict resolution after upstream landed Doubao Coding Plan (steipete#1841),
qoder, and crossmodel providers. Resolutions across the shared registration
surfaces (Providers enum + IconStyle + cookie-import props, ProviderDescriptor,
ProviderImplementationRegistry, UsageStore/CostUsageScanner switches,
docs/configuration.md regenerated in enum order) keep all providers; longcat
retained alongside qoder/crossmodel. CodexParserHash regenerated.
@LeoLin990405

Copy link
Copy Markdown
Contributor Author

Rebased onto latest main — resolved the conflicts from the Doubao Coding Plan (#1841), Qoder, and CrossModel providers landing, so longcat now coexists with all of them (registration surfaces + docs/configuration.md regenerated in enum order, CodexParserHash regenerated). swift build is clean, focused suites pass (LongCat / ConfigurationDocs / ProviderIcon / CostUsage), and CI is green on the current head.

Maintainer edits are enabled on this branch, so feel free to push any hardening directly if that's easier than a round-trip. Ready when you are — thanks!

Address maintainer-bar nits before review:
- Thread an injectable ProviderHTTPTransport through fetchUsage/get (mirrors
  the Doubao fetcher) and add scripted-transport tests: 401/403 and blocked
  3xx login redirects surface as .invalidSession, and a full live-shaped
  response maps account + token quota + fuel pack.
- Pin fuel-pack parsing to the fields verified against live longcat.chat
  responses (availableToken / expireTime) instead of probing a speculative
  list of candidate key names.
@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. labels Jul 3, 2026
… session)

Third conflict resolution (clawrouter + earlier crossmodel/qoder landings) across the
shared registration surfaces; docs regenerated in enum order, CodexParserHash regenerated.

Address the ClawSweeper P1 patch-quality finding: LongCat fetches now run on an isolated,
ephemeral, cookie-free ProviderHTTPClient (httpCookieStorage = nil, httpShouldSetCookies =
false) so the console's Set-Cookie responses never enter the shared provider cookie jar; auth
is carried solely by the explicit request Cookie header. Mirrors the Sakana provider.
@LeoLin990405

Copy link
Copy Markdown
Contributor Author

Addressed the blocking patch-quality finding (isolated transport) and rebased onto latest main.

  • Isolated, cookie-free transport. LongCat fetches now run on their own ephemeral ProviderHTTPClient with httpCookieStorage = nil and httpShouldSetCookies = false (behind the same redirect guard), so the console's Set-Cookie responses can no longer enter the shared provider URLSession cookie jar — auth is carried solely by the explicit request Cookie header. This mirrors the Sakana provider's isolated transport.
  • Rebased onto latest main, resolving conflicts from the ClawRouter/CrossModel/Qoder landings (registration surfaces + docs/configuration.md regenerated in enum order, CodexParserHash regenerated).
  • Earlier follow-ups already in this branch: HTTP status paths (401/403 and blocked 3xx login redirects → .invalidSession) now have scripted-transport tests, and fuel-pack parsing is pinned to the live-verified availableToken/expireTime fields.

swift build is clean and the focused suites pass (LongCat / ConfigurationDocs / ProviderIcon / CostUsage). The remaining item is the product decision on forwarding the full longcat.chat cookie — happy to follow whichever way you prefer (accept the boundary, or gate behind a documented narrower credential).

@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. labels Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. proof: sufficient Contributor real behavior proof is sufficient. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant