Find a file
Haozhe 60dfb68a2d
feat(server): add bearer-token auth and safe host exposure (#1006)
* test(server): add API surface snapshot guardrail

Boot startServer on port 0 and snapshot the documented v1 route table derived from /openapi.json paths, plus the reachability of doc/meta endpoints (/healthz, /openapi.json, /asyncapi.json, /). Gives later auth/--host phases an intentional diff when routes change. M0 makes no production behavior change.

* test(server): add e2e server harness with token support

Add test/helpers/serverHarness.ts: boot() wraps startServer with an isolated lock + home dir and returns a handle (server, address, baseUrl, wsUrl, token, close) plus authedFetch/authedWs that carry Authorization: Bearer <token> (and the kimi-code.bearer.<token> WS subprotocol). serviceOverrides is the generic DI seam later phases use to inject a fixed-token auth service; IAuthTokenService is not referenced yet. closeAll() tears down every booted server and socket. M0 makes no production behavior change; typecheck-only gate.

* feat(server): add privateFiles 0600 atomic write/read utility

* feat(server): add per-start tokenStore

* feat(server): add env-based bcrypt password hash utility

* feat(server): add IAuthTokenService DI seam

* feat(server): add global onRequest auth hook with bypass + redaction

* fix(server): stop reflecting Host header in /asyncapi.json

* feat(server): add WS bearer subprotocol constant and parser

* feat(server): enforce bearer token auth on WS upgrade

* feat(server): add Host header allowlist middleware

* feat(server): add Origin/CORS middleware

* feat(server): wire Host/Origin checks into HTTP and WS

* feat(server): wire token auth, Host/Origin, and WS auth into start.ts

* fix(server): create lock file with 0600 permissions

* fix(server): suppress debug routes on non-loopback binds

* feat(kimi-code): read server token and send Authorization on CLI calls

* feat(kimi-code): inject server token into /web URL fragment

* feat(server): add bindClassify for loopback/lan/public classification

* feat(kimi-code): register --host flag and pass it through the daemon

* feat(server): require password and TLS opt-out on non-loopback binds

* feat(server): rate-limit repeated auth failures on non-loopback binds

* feat(server): disable shutdown and terminals on public binds by default

* feat(server): add security response headers on non-loopback binds

* test(server): cover LAN/public host-exposure hardening end to end

* docs(server): add deployment security and threat-model guide

* changeset: minor kimi-code for server auth and host exposure

* feat(kimi-web): add server bearer-token auth support

* fix: repair CI for server auth and host exposure

- Replace native @node-rs/bcrypt with pure-JS bcryptjs so the ESM CLI
  bundle and the SEA native bundle both build without native-addon
  require issues (node-rs/bcrypt broke the ESM smoke and the SEA
  check-bundle allowlist).
- Remove dead cleanup references (stopSpinner, authLogoBlinkTimer) in
  apps/kimi-web App.vue that failed vue-tsc.
- Fix lint: drop empty spread fallbacks in the e2e auth-header merge,
  void the intentionally-async WS upgrade listener, add missing
  assertions to satisfy jest/expect-expect, and convert a ternary
  statement to if/else.
- Send the bearer token in the snapshot perf/smoke tests so they pass
  under the new global auth hook.
- Refresh the pnpmDeps hash in flake.nix for the updated lockfile.

* feat(server): persist bearer token and add rotate-token command

- persist the server bearer token in <home>/server.token (0600) and reuse it across restarts instead of per-start server-<pid>.token
- add `kimi server rotate-token` to regenerate the token; the token store reloads on mtime/inode change so rotation applies without restart
- print the token and Vite-style Local/Network URLs in the startup banner
- allow non-loopback binds with bearer-token-only auth (password now optional) and update SECURITY.md
- surface daemon boot failures immediately with the exit reason and log tail instead of waiting for the spawn timeout

* feat(server): print full token URLs and re-print links after rotate

- Drop the ready-panel border so token URLs print in full for copying; keep the Kimi sprite beside the title.
- Re-print Local/Network access links after `server rotate-token` (host/port from the lock).
- Extract shared access-URL helpers into access-urls.ts.
- Unify link and token colors between the banner and rotate-token.

* feat(server): dim URL #token= fragment and de-highlight token

- Render the `#token=…` fragment in a dim gray so the host/port stands out in the banner and rotate-token links.
- De-highlight the standalone token; set it off with surrounding whitespace instead of color.
- Add splitTokenFragment helper.

* refactor(cli): polish server ready banner and rotate-token output

- move version onto the ready banner title line; drop the separate
  Ready:/Version: rows and the startup-time metric
- reorder rotate-token output so the new token sits between the
  invalidation note and the access links
- update server CLI tests for the new layout

* feat(server): warn on reuse and refine ready banner

- Warn when `server run` reuses an already-running daemon (its options are not applied) and show the running server's actual URLs.
- Show a `Network: off  use --host 0.0.0.0 to enable` hint on loopback binds.
- Move the version onto the title line and drop the startup-time metric.

* fix(web): relabel auth dialog to token and cover full page

- Relabel the server auth dialog from "password" to "token"; the server accepts the bearer token, with the password only as a fallback.
- Make the auth dialog overlay fully opaque so it covers the whole page instead of revealing the login page underneath.

* fix: resolve CI failures on web auth PR

- Replace chalk.yellow named color with chalk.hex(darkColors.warning)
  in the server reuse notice to satisfy the chalk named color guard.
- Update pnpmDeps hash in flake.nix to match the regenerated
  pnpm-lock.yaml so the Nix build succeeds.
- Retry rmSync in ws-broadcast e2e teardown to ride out EBUSY /
  ENOTEMPTY races while the server flushes files after close().

* test(server): update API surface snapshot for warnings route

The feat/web-auth branch adds GET /api/v1/sessions/{session_id}/warnings
(packages/server/src/routes/sessions.ts), so the API surface guardrail
snapshot needs to record the new documented v1 route.
2026-06-25 17:57:56 +08:00
.agents/skills feat(tui): add ctrl+t to expand the todo list (#1009) 2026-06-23 15:49:07 +08:00
.changeset feat(server): add bearer-token auth and safe host exposure (#1006) 2026-06-25 17:57:56 +08:00
.github feat(web): introduce Kimi web app and daemon gateway (#625) 2026-06-17 20:53:46 +08:00
apps feat(server): add bearer-token auth and safe host exposure (#1006) 2026-06-25 17:57:56 +08:00
build chore: use raw query imports for prompt sources (#682) 2026-06-12 11:47:44 +08:00
docs feat(tui): confirm before installing third-party plugins (#1088) 2026-06-25 13:48:23 +08:00
packages feat(server): add bearer-token auth and safe host exposure (#1006) 2026-06-25 17:57:56 +08:00
plugins feat(plugins): source Superpowers from GitHub and show update badges (#1066) 2026-06-24 21:58:13 +08:00
scripts feat(web): introduce Kimi web app and daemon gateway (#625) 2026-06-17 20:53:46 +08:00
.editorconfig Kimi For Coding 2026-05-22 15:54:50 +08:00
.gitignore feat(plugins): source Superpowers from GitHub and show update badges (#1066) 2026-06-24 21:58:13 +08:00
.npmrc Kimi For Coding 2026-05-22 15:54:50 +08:00
.nvmrc Kimi For Coding 2026-05-22 15:54:50 +08:00
.oxfmtrc.json Kimi For Coding 2026-05-22 15:54:50 +08:00
.oxlintrc.json feat(plugins): source Superpowers from GitHub and show update badges (#1066) 2026-06-24 21:58:13 +08:00
AGENTS.md feat(web): introduce Kimi web app and daemon gateway (#625) 2026-06-17 20:53:46 +08:00
CONTRIBUTING.md docs: enhance PR guidelines and template (#28) 2026-05-25 20:04:23 +08:00
flake.lock Kimi For Coding 2026-05-22 15:54:50 +08:00
flake.nix feat(server): add bearer-token auth and safe host exposure (#1006) 2026-06-25 17:57:56 +08:00
LICENSE Kimi For Coding 2026-05-22 15:54:50 +08:00
Makefile Kimi For Coding 2026-05-22 15:54:50 +08:00
package.json feat(plugins): source Superpowers from GitHub and show update badges (#1066) 2026-06-24 21:58:13 +08:00
pnpm-lock.yaml feat(server): add bearer-token auth and safe host exposure (#1006) 2026-06-25 17:57:56 +08:00
pnpm-workspace.yaml feat(web): introduce Kimi web app and daemon gateway (#625) 2026-06-17 20:53:46 +08:00
README.md docs: add Homebrew installation (#531) 2026-06-08 16:11:31 +08:00
README.zh-CN.md docs: add Homebrew installation (#531) 2026-06-08 16:11:31 +08:00
SECURITY.md Kimi For Coding 2026-05-22 15:54:50 +08:00
tsconfig.json feat(web): introduce Kimi web app and daemon gateway (#625) 2026-06-17 20:53:46 +08:00
vitest.config.ts Kimi For Coding 2026-05-22 15:54:50 +08:00

Kimi Code CLI

License Docs
Documentation · Issues · 中文

Demo of using Kimi Code

What is Kimi Code CLI

Kimi Code CLI is an AI coding agent that runs in your terminal — it can read and edit code, run shell commands, search files, fetch web pages, and choose the next step based on the feedback it receives. It works out of the box with Moonshot AIs Kimi models and can also be configured to use other compatible providers.

Install

Install with the official script. No Node.js required.

  • macOS or Linux:
curl -fsSL https://code.kimi.com/kimi-code/install.sh | bash
  • Homebrew (macOS/Linux):
brew install kimi-code
  • Windows (PowerShell):
irm https://code.kimi.com/kimi-code/install.ps1 | iex

On Windows, install Git for Windows before first launch because Kimi Code CLI uses the bundled Git Bash as its shell environment. If Git Bash is installed in a custom location, set KIMI_SHELL_PATH to the absolute path of bash.exe.

Then, run it with a new shell session:

kimi --version

For npm install, upgrade, uninstall, see Getting Started.

Quick Start

Open a project and start the interactive UI:

cd your-project
kimi

On first launch, run /login inside Kimi Code CLI and choose either Kimi Code OAuth or a Moonshot AI Open Platform API key. After login, try your first task:

Take a look at this project and explain its main directories.

Key Features

  • Single-binary distribution. Install with one command: no Node.js setup, PATH gymnastics, or global module conflicts.
  • Blazing-fast startup. The TUI is ready in milliseconds, so starting a session never feels heavy.
  • Purpose-built TUI. A carefully tuned interface, optimized end to end for long, focused agent sessions.
  • Video input. Drop a screen recording or demo clip into the chat and let the agent watch what is hard to describe in words — turn a reference clip into a LUT, a long video into a short, a screen recording into working code, and more.
  • AI-native MCP configuration. Add, edit, and authenticate Model Context Protocol servers conversationally with /mcp-config, without hand-editing JSON.
  • Rich plugin ecosystem. Install skills, MCP servers, and data sources from the marketplace or any GitHub repo, with each install's trust level surfaced up front.
  • Subagents for focused, parallel work. Dispatch built-in coder, explore, and plan subagents in isolated contexts while keeping the main conversation clean.
  • Lifecycle hooks. Run local commands at key points to gate risky tool calls, audit decisions, trigger desktop notifications, or connect to your own automation.
  • Editor & IDE integration (ACP). Drive a Kimi Code CLI session straight from Zed, JetBrains, or any Agent Client Protocol client with kimi acp.

Use it in your editor (ACP)

Kimi Code CLI speaks the Agent Client Protocol, so ACP-compatible editors and IDEs (Zed, JetBrains, …) can drive a session over stdio. Log in once, then point your editor at the kimi acp subcommand — no extra login needed.

For Zed, add this to ~/.config/zed/settings.json:

{
  "agent_servers": {
    "Kimi Code CLI": {
      "type": "custom",
      "command": "kimi",
      "args": ["acp"],
      "env": {}
    }
  }
}

Then open a new conversation in Zed's Agent panel. See Using in IDEs for JetBrains setup and troubleshooting, and the kimi acp reference for the full capability matrix.

Docs

Develop

Requirements: Node.js ≥ 24.15.0, pnpm 10.33.0.

git clone https://github.com/MoonshotAI/kimi-code.git
cd kimi-code
pnpm install
pnpm dev:cli    # run the CLI in dev mode
pnpm test       # run tests
pnpm typecheck  # TypeScript check
pnpm lint       # oxlint
pnpm build      # build all packages

See CONTRIBUTING.md for the full contribution guide.

Community

Acknowledgements

Our TUI is built on top of pi-tui. We thank the authors of pi-tui for their valuable work.

License

Released under the MIT License.