PR #54619: fix(onboarding): restore Kimi Code under Moonshot setup

• Repository: openclaw/openclaw
• Author: sparkyrider
• State: closed | merged: True
• Link: https://github.com/openclaw/openclaw/pull/54619

Description (problem / solution / changelog)

Summary

tldr; Restore missing Kimi Code API key (subscription) option in the Moonshot onboarding menu. (regression)

Describe the problem and fix in 2–5 bullets:

• Problem: openclaw onboard still supported --auth-choice kimi-code-api-key, but the interactive Moonshot setup menu no longer showed the Kimi Code API key option there.
• Why it matters: users following the interactive CLI path could reasonably conclude the Kimi Code setup path had been removed, even though the underlying API-key flow still worked.
• What changed: aligned the bundled Kimi manifest metadata with the current onboarding/runtime grouping so kimi-code-api-key is grouped under Moonshot AI (Kimi K2.5) again, regenerated bundled metadata, and added a regression test for the real bundled manifest contract.
• What did NOT change (scope boundary): this does not change the underlying Kimi auth/config/provider flow, network behavior, model behavior, or any non-onboarding UX.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #54412
• Related #N/A
• This PR fixes a bug or regression

Root Cause / Regression History (if applicable)

For bug fixes or regressions, explain why this happened, not just what changed. Otherwise write N/A. If the cause is unclear, write Unknown.

• Root cause: the CLI onboarding picker reads bundled manifest auth-choice metadata, and the Kimi manifest metadata had drifted from the runtime onboarding metadata.
• Missing detection / guardrail: existing onboarding/auth tests covered kimi-code-api-key as a valid flow, but did not assert how the real bundled manifest grouped that option in the interactive picker.
• Prior context (git blame, prior PR, issue, or refactor if known): c64f6adc83 (refactor: finish provider auth extraction and canonicalize kimi) moved the Kimi auth choice into its own Kimi Code group. Later, 9ebe38b6e3 (refactor: untangle remaining plugin sdk boundaries) moved the runtime wizard metadata back under Moonshot but left the manifest metadata unchanged.
• Why this regressed now: once onboarding started preferring manifest auth metadata, the stale manifest grouping became the source of truth for the CLI picker.
• If unknown, what was ruled out: ruled out the underlying auth flow being removed; kimi-code-api-key still exists and is still tested directly in src/commands/auth-choice.test.ts.

Regression Test Plan (if applicable)

For bug fixes or regressions, name the smallest reliable test coverage that should have caught this. Otherwise write N/A.

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/plugins/contracts/registry.contract.test.ts
• Scenario the test should lock in: the bundled kimi plugin manifest must expose kimi-code-api-key under groupId: "moonshot" / groupLabel: "Moonshot AI (Kimi K2.5)".
• Why this is the smallest reliable guardrail: it checks the real bundled manifest metadata consumed by the CLI picker without requiring a fragile interactive TTY end-to-end test.
• Existing test that already covers this (if any): src/commands/auth-choice.test.ts already covers that kimi-code-api-key remains a valid auth flow.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

List user-visible changes (including defaults/config).
If none, write None.

• In interactive onboarding, the Moonshot setup menu shows the Kimi Code API key option again alongside the .ai and .cn Moonshot API key options.

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: macOS
• Runtime/container: local repo checkout on Node 22.16.0 / pnpm
• Model/provider: Moonshot / Kimi Code
• Integration/channel (if any): N/A
• Relevant config (redacted): default local dev checkout; no special config required

Steps

1. Run openclaw onboard.
2. Select Moonshot AI (Kimi K2.5) from the interactive provider picker.
3. Inspect the auth method menu.

Expected

• The Moonshot auth menu includes the Kimi Code API key option along with the .ai and .cn Moonshot API key options.

Actual

• Before this fix, the Moonshot auth menu only showed the .ai and .cn options, while kimi-code-api-key was grouped separately.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: rebuilt bundled metadata, inspected the built onboarding auth-choice output, confirmed the moonshot group now contains kimi-code-api-key, moonshot-api-key, and moonshot-api-key-cn; also reran the targeted auth-choice and metadata tests.
• Edge cases checked: verified kimi-code-api-key still works as a direct auth choice; verified bundled metadata regeneration stays in sync.
• What you did not verify: I did not manually click through the full interactive TTY prompts end-to-end after the fix; verification was done through the built picker output plus automated coverage.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: N/A

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert commit 045d01c0d3
• Files/config to restore: extensions/kimi-coding/openclaw.plugin.json, src/plugins/bundled-plugin-metadata.generated.ts, src/plugins/contracts/registry.contract.test.ts, CHANGELOG.md
• Known bad symptoms reviewers should watch for: Kimi Code disappears from the Moonshot onboarding submenu again, or appears as a duplicate/misgrouped top-level provider entry

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk: changing manifest grouping could unintentionally affect onboarding label/hint ordering within the shared Moonshot group.
  • Mitigation: kept the change to bundled manifest metadata only, regenerated the bundled metadata artifact, and added a contract test against the real bundled manifest grouping.

Changed files

• CHANGELOG.md (modified, +1/-0)
• extensions/kimi-coding/index.ts (modified, +3/-3)
• extensions/kimi-coding/openclaw.plugin.json (modified, +5/-5)
• src/plugins/bundled-plugin-metadata.generated.ts (modified, +5/-5)
• src/plugins/contracts/registry.contract.test.ts (modified, +18/-0)