* feat(agent-core): strengthen default system prompt
Add high-confidence, prompt-only guardrails to the default agent system prompt:
- Personality/candor: extend the HELPFUL/CONCISE/ACCURATE line with CANDID, and
require plainly stating what could not be run, reproduced, or verified.
- Reminders: avoid cheerleading; voice evidence-based disagreement; deliver
complete code with no placeholders; update now-stale comments/docstrings after
a change; re-check the user's latest request before finalizing a reply.
- Context Management: explain automatic compaction — continue from the summary,
re-establish transient state with tools, do not restart from scratch.
- Output formatting: replies render as Markdown in the terminal; keep lists flat;
no emojis unless the user uses them first.
- Project Information: frame injected AGENTS.md as project context, not a
privileged instruction channel that can override system rules.
Prompt text only; no code or template-variable changes.
* feat(agent-core): hoist key working rules into the system prompt
Lift a few high-leverage rules from individual tool descriptions up into the
default system prompt, so they shape default behavior before any specific tool
is in play (kept terse and integrated, not bolted on):
- Planning: for multi-step or multi-file work, maintain a `TodoList` (one item
in_progress, mark done as it finishes) and prefer `EnterPlanMode` first when
the approach isn't settled.
- Default to making progress, not asking: once the goal is clear and sanctioned,
carry it through and work blockers yourself; ask only when the answer would
change the next step. Explicitly does not override stopping to discuss an
unclear goal or waiting for go-ahead before writing code.
- Tool routing: prefer dedicated tools (Read/Glob/Grep/Write/Edit) over raw
shell when one fits; keep Bash for genuine shell work.
- Definition of done: verify with the checks that cover the change before
marking it complete, independent of whether a TodoList is in use.
- Delegation: explore subagents also keep intermediate file contents out of your
own context — you get a conclusion back, not a pile of dumps.
Prompt text only; no code or template-variable changes.
* fix: clarify guidelines for file pattern matching and tool usage in explore.yaml and system.md
* fix(agent-core): hide the Skills section from agents without the Skill tool
Subagents (coder/explore/plan) inherit the root system prompt but lack the Skill tool, yet KIMI_SKILLS was rendered unconditionally — leaking the full skill listing into agents that cannot invoke any skill. Gate KIMI_SKILLS on the profile's tool set and wrap the '# Skills' section in {% if KIMI_SKILLS %} so it disappears for those profiles.
Also note in the Working Directory section that Bash enforces none of the workspace/secret-file guards, so the model must hold that discipline itself.
Tests: assert the Skills section renders for the root agent and is absent for Skill-less subagents; update the prompt-rendering fixtures for the new gating.
* fix(agent-core): gate Agent, background-task, and TodoList guidance by tool availability
Subagents (coder/explore/plan) inherit the root system prompt but lack the Agent, TaskList, and TodoList tools, so they were shown usage guidance for tools they cannot call. Derive HAS_AGENT/HAS_TASKLIST/HAS_TODOLIST from each profile's tool set and gate those sections with inline {% if %}, so they render only for agents that hold the tool.
Root rendering is byte-identical (the inline tags collapse to the original text when the flag is set). The cross-tool secret-file guard stays shared, since explore/plan still hold Read/Grep/Glob.
Tests: assert the gated guidance is present for the root agent and absent for explore/plan, while the shared secret-file guard remains.
* refactor(agent-core): move Agent-delegation and Glob-anchor guidance into the tool descriptions
The Agent-delegation paragraph in the system prompt duplicated mechanics already documented on the Agent tool itself (new-vs-resume, zero-context briefing, foreground default / run_in_background threshold), so remove it. HAS_AGENT still gates the explore-delegation bullet, which carries the 'when to delegate' nudge the tool description deliberately omits.
Move the proactive 'anchor the pattern up front' guidance into the Glob tool description (it previously only described the reactive 'refine after hitting the cap' path) and drop the now-redundant Glob bullet from the system prompt.
Tests: drop the assertions tied to the removed Agent paragraph; HAS_AGENT gating stays covered via the explore bullet.
* test(agent-core): add guidance for blast-radius and concrete examples in agent profiles
* docs: update descriptions for skill-tool and fetch-url; enhance web-search citation instructions
* feat(agent-core): disclose enforced constraints in tool descriptions; fix GetGoal field doc
Surface runtime-enforced behavior in the Agent / AgentSwarm / AskUserQuestion / Goal
tool descriptions so the model learns the rules from the tool, not from a failed call:
- Agent: resuming excludes subagent_type (setting both is rejected)
- AgentSwarm: at least 2 items unless resuming, prompt_template required and must
contain {{item}}, distinct resulting prompts; plus Agent-vs-AgentSwarm fan-out note
- AskUserQuestion: result is {answers}; an empty answers with a dismissal note means
the user declined — fall back to best judgment instead of re-asking
- CreateGoal: creating fails when a goal already exists (use replace)
- SetGoalBudget: state the hard 1s-24h time-budget band
- UpdateGoal: do not mark blocked merely because work is hard/slow/incomplete
- GetGoal: drop the advertised self-report / evaluator-verdict fields — GoalSnapshot
never held them, so the tool never returned them
Each change is covered by a description assertion.
* fix(agent-core): soften AskUserQuestion answers-keying wording to match the code
The answers object is passed through from the host/RPC layer (QuestionAnswers is
Record<string, string | true>); this code does not key it by question text. Describe
what the keys identify instead of asserting a guarantee the code does not provide.
* feat(agent-core): tighten Bash/Grep/Write/Edit tool descriptions
- Bash: prefer the cwd argument (or absolute paths) over a cd from an earlier
call, since each call runs in a fresh shell
- Grep: note that files_with_matches is ordered most-recently-modified first
- Write: do not create documentation/README files unless the user asks
- Edit: frame replace_all with its rename-across-file use-case
Each change is covered by a description assertion.
* feat(agent-core): refine plan-mode/todo/cron tool descriptions
- ExitPlanMode: describe what a good plan contains (specific, verifiable steps
grounded in the codebase, not vague filler)
- TodoList: stop calling it useful 'in Plan mode' — plan-mode planning goes to
the plan file; TodoList tracks execution progress
- CronCreate: warn that a one-shot whose pinned day/month already passed this
year is rejected; document the 50-task session cap and the 8 KiB prompt cap
- CronCreate: drop the bench-only KIMI_CRON_NO_STALE / KIMI_CRON_NO_JITTER env
knobs from the model-facing description (CI-only; the model never sets them)
Each change is covered by a description assertion.
* refactor(agent-core): dedupe ExitPlanMode options docs into the param schema; trim EnterPlanMode workflow
- ExitPlanMode: the options field mechanics (label format, recommended, count,
single-option=plain-approval, reserved labels) now live only in the options
param describe; the tool description routes to it and keeps the yolo/manual UI
behavior it uniquely documents. The options consistency test now enforces a
single source of truth (describe) plus the schema-consistency guard, instead
of requiring the same facts in both surfaces.
- EnterPlanMode: trim the duplicated 'What Happens in Plan Mode' steps to a
pointer (the full workflow is injected unconditionally once plan mode is
active), keeping the explore-subagent recommendation.
* fix(agent-core): correct prompt/code inaccuracies found in the final audit
Every item below was re-verified against the live code:
- Skill: drop the never-fired recursion-depth cap (production never seeds depth);
keep the <kimi-skill-loaded> 'already loaded, don't re-invoke' guard
- TaskOutput: terminal_reason can also be `failed`, not just timed_out/stopped
- Grep: count_matches emits per-file `path:count`, with the total reported separately
- Plan mode: the reminder names TaskStop/CronCreate/CronDelete as blocked (they are
hard-denied by plan-mode-guard-deny)
- Bash: the failure trailer is non-zero-exit-specific; timeout/interrupt differ
- CreateGoal: replace also covers a blocked goal, not just active/paused
- UpdateGoal: it also injects the completion/blocked outcome prompt, so it does more
than 'only record the status'
- FetchURL: state the universal http/https contract instead of provider-internal SSRF
and 10 MiB limits (the primary Moonshot fetcher enforces neither)
- TodoList: query mode triggers on omitting `todos`, not on zero args
- TaskList: command/PID/exit code are shell-task fields only
- CronCreate: the returned fields include `cron`
- SetGoalBudget: turn/token budgets are rounded up to >= 1, not rejected below 1
Each change is covered by a description/param assertion; plan.test.ts snapshots
refreshed for the longer plan-mode reminder.
* fix(agent-core): gate prompt tool guidance on runtime availability, not declared profile tools
The HAS_* / Skills gating computed flags from the profile's declared tools, but
Agent/AgentSwarm only register when a subagentHost exists (ToolManager
.initializeBuiltinTools). A runtime built without a subagentHost (e.g. direct SDK
construction) therefore rendered the explore-delegation guidance for an Agent
tool the model could not call.
SystemPromptContext now carries an optional availableTools; buildTemplateVars
gates on it when present and falls back to the declared tools otherwise. useProfile
passes the profile tools minus Agent/AgentSwarm when no subagentHost is wired, so
the render reflects what the model can actually call. The normal session path
(subagentHost always defaulted) is unchanged.
* fix(agent-core): exempt the plan-mode plan file from the Write *.md ban
Plan mode writes its plan to plans/<id>.md (plan/index.ts) and the reminder tells
the model to create it with Write when missing, which contradicted Write's blanket
'do not create *.md unless asked' guard. Carve the plan file out of the ban.
* fix(agent-core): scope plan-mode prompt guidance and the Write *.md ban to runtime reality
- Gate the TodoList bullet's "enter plan mode via EnterPlanMode" suggestion
on a new HAS_ENTERPLANMODE flag. A custom profile that keeps TodoList but
drops EnterPlanMode no longer steers the model toward a tool it cannot call;
the default profile render is unchanged.
- Reframe the Write *.md prohibition around intent (unsolicited docs) instead
of a blanket extension ban, so artifacts a task or project instruction
requires — the plan-mode plan file, a repo-mandated changeset — are no
longer contradicted by the tool's own rules.
* refactor(agent-core): move tool-coupled guidance into tool descriptions
The default system prompt carried tool-usage guidance behind {% if HAS_* %}
gates that re-derived, in prose, the availability the tool schema already
encodes — and the same guidance was duplicated in each tool's own
description. Drop the four gated blocks (background Bash, Agent/explore,
TodoList, EnterPlanMode) and the compaction TaskList/TodoList bullets; the
tool descriptions, shipped only when the tool is registered, already carry
the same instructions, so subagents and tool-trimmed profiles are no longer
pointed at tools they lack.
Fold the two genuinely unique lines into the tool descriptions: bash.md
gains "return control after starting a background task", agent.md gains the
context-hygiene reason to delegate. Collapse the compaction bullets into one
tool-agnostic sentence. Remove the now-unused availableTools / HAS_* render
machinery.
* fix(skill-tool): clarify no-reinvoke guard and argument handling in tool description
* feat(fetch-url): indicate content retrieval mode in output for better model context
* fix(agent-core): correct goal-budget rounding and task-output failure docs
set-goal-budget.md said turn/token budgets are "rounded up", but the code uses
Math.round — say "rounded to the nearest whole number" instead. task-output.md
implied every failed task carries terminal_reason/stop_reason, but a plain
non-zero command exit carries only status plus exit_code; describe that exit_code
path and reserve terminal_reason for non-exit endings (timeout, explicit stop,
or an internal error with no exit code).
* fix(agent-core): scope free-work guidance by role and steer one-shots near-term
The blast-radius paragraph told every profile that local work — including
editing files — may be done freely, but the read-only explore/plan subagents
render it too; scope it to "work your role permits" so it no longer undercuts
their read-only constraints.
The one-shot cron guidance leaned on a year-boundary heuristic ("avoid a
day/month already passed this year") that misfires across Dec 31 to Jan 1 and
duplicated a limit the code already enforces. Replace it with a plain near-term
nudge and leave the hard future-window guard in code.
* fix(enter-plan-mode): clarify availability of Agent tool in plan mode description
* fix(agent-core): surface Grep count_matches total and pagination in output
count_matches put the aggregate "Found N occurrences" summary and the
"Results truncated... use offset=N to see more" notice on the result's
message field, which normalizeToolResult drops before the result reaches the
model. The model saw only the path:count lines and could miss the total and,
worse, the pagination cue — so it would not know to page through truncated
counts. Append both to output after the path:count lines, the same way the
content and files_with_matches modes already inline their notices.
* fix(grep): reorder count summary and results in output for clarity
* chore(changeset): consolidate prompt-hardening changesets into one
Squash the five per-change changesets for this PR into a single concise
entry; they all bump @moonshot-ai/kimi-code (patch) for the same
system-prompt and tool-description hardening work.
* fix(agent-core): stop the agent from blocking on background tasks
Both the Agent and Bash background-launch messages invited the model to "peek
at progress" via TaskOutput, and the foreground-vs-background guidance had been
thinned to a single parameter hint. Together that led the model to launch a
background subagent and then immediately wait on it through TaskOutput —
defeating the point of background execution.
Make both launch messages take the same anti-wait stance the user-detach path
already uses (do NOT wait, poll, or call TaskOutput on it), restore
foreground-by-default guidance in the Agent background description (run in the
background only when you have other work and do not need the result to proceed),
and add a TaskOutput backstop against using it to sit and wait. Also fold the
fix into the consolidated changeset.
|
||
|---|---|---|
| .agents/skills | ||
| .changeset | ||
| .github | ||
| apps | ||
| build | ||
| docs | ||
| packages | ||
| plugins | ||
| scripts | ||
| .editorconfig | ||
| .gitattributes | ||
| .gitignore | ||
| .npmrc | ||
| .nvmrc | ||
| .oxfmtrc.json | ||
| .oxlintrc.json | ||
| AGENTS.md | ||
| CONTRIBUTING.md | ||
| flake.lock | ||
| flake.nix | ||
| LICENSE | ||
| Makefile | ||
| package.json | ||
| pnpm-lock.yaml | ||
| pnpm-workspace.yaml | ||
| README.md | ||
| README.zh-CN.md | ||
| SECURITY.md | ||
| tsconfig.json | ||
| vitest.config.ts | ||
Kimi Code CLI
Documentation · Issues · 中文
What is Kimi Code CLI
Kimi Code CLI is an AI coding agent that runs in your terminal — it can read and edit code, run shell commands, search files, fetch web pages, and choose the next step based on the feedback it receives. It works out of the box with Moonshot AI’s Kimi models and can also be configured to use other compatible providers.
Install
Install with the official script. No Node.js required.
- macOS or Linux:
curl -fsSL https://code.kimi.com/kimi-code/install.sh | bash
- Homebrew (macOS/Linux):
brew install kimi-code
- Windows (PowerShell):
irm https://code.kimi.com/kimi-code/install.ps1 | iex
On Windows, install Git for Windows before first launch because Kimi Code CLI uses the bundled Git Bash as its shell environment. If Git Bash is installed in a custom location, set
KIMI_SHELL_PATHto the absolute path ofbash.exe.
Then, run it with a new shell session:
kimi --version
For npm install, upgrade, uninstall, see Getting Started.
Quick Start
Open a project and start the interactive UI:
cd your-project
kimi
On first launch, run /login inside Kimi Code CLI and choose either Kimi Code OAuth or a Moonshot AI Open Platform API key. After login, try your first task:
Take a look at this project and explain its main directories.
Key Features
- Single-binary distribution. Install with one command: no Node.js setup, PATH gymnastics, or global module conflicts.
- Blazing-fast startup. The TUI is ready in milliseconds, so starting a session never feels heavy.
- Purpose-built TUI. A carefully tuned interface, optimized end to end for long, focused agent sessions.
- Video input. Drop a screen recording or demo clip into the chat and let the agent watch what is hard to describe in words — turn a reference clip into a LUT, a long video into a short, a screen recording into working code, and more.
- AI-native MCP configuration. Add, edit, and authenticate Model Context Protocol servers conversationally with
/mcp-config, without hand-editing JSON. - Rich plugin ecosystem. Install skills, MCP servers, and data sources from the marketplace or any GitHub repo, with each install's trust level surfaced up front.
- Subagents for focused, parallel work. Dispatch built-in
coder,explore, andplansubagents in isolated contexts while keeping the main conversation clean. - Lifecycle hooks. Run local commands at key points to gate risky tool calls, audit decisions, trigger desktop notifications, or connect to your own automation.
- Editor & IDE integration (ACP). Drive a Kimi Code CLI session straight from Zed, JetBrains, or any Agent Client Protocol client with
kimi acp.
Use it in your editor (ACP)
Kimi Code CLI speaks the Agent Client Protocol, so ACP-compatible editors and IDEs (Zed, JetBrains, …) can drive a session over stdio. Log in once, then point your editor at the kimi acp subcommand — no extra login needed.
For Zed, add this to ~/.config/zed/settings.json:
{
"agent_servers": {
"Kimi Code CLI": {
"type": "custom",
"command": "kimi",
"args": ["acp"],
"env": {}
}
}
}
Then open a new conversation in Zed's Agent panel. See Using in IDEs for JetBrains setup and troubleshooting, and the kimi acp reference for the full capability matrix.
Docs
- Getting Started
- Interaction and approvals
- Sessions
- Using in IDEs (ACP)
- Configuration
- Command reference
Develop
Requirements: Node.js ≥ 24.15.0, pnpm 10.33.0.
git clone https://github.com/MoonshotAI/kimi-code.git
cd kimi-code
pnpm install
pnpm dev:cli # run the CLI in dev mode
pnpm test # run tests
pnpm typecheck # TypeScript check
pnpm lint # oxlint
pnpm build # build all packages
See CONTRIBUTING.md for the full contribution guide.
Community
- Issues
- For security vulnerabilities, see SECURITY.md.
Acknowledgements
Our TUI is built on top of pi-tui. We thank the authors of pi-tui for their valuable work.
License
Released under the MIT License.
