
Add LongCat usage provider #1697

Open
LeoLin990405 wants to merge 6 commits into steipete:main from LeoLin990405:feat/longcat-provider

@LeoLin990405 LeoLin990405 commented Jun 21, 2026

Contributor

What

Adds LongCat (Meituan) as a disabled-by-default usage provider, surfacing token quota (总额度) and fuel-pack balance (加油包) in the menu bar / Overview.

Why this is a cookie provider

LongCat's public OpenAI/Anthropic-compatible API (api.longcat.chat) exposes no usage/balance/quota endpoint: billing/usage paths return 404 and responses carry no useful rate-limit headers. Usage is only available from the web console (longcat.chat) session, so this mirrors the existing Kimi / MiniMax cookie providers.

Supported auth sources:

  • Manual Cookie: header via settings/env.
  • Automatic browser-cookie import for longcat.chat.

Auth and privacy boundary

Maintainer decision requested: this intentionally forwards the full longcat.chat cookie header because the Meituan-passport auth cookie name is undocumented. If that boundary is not acceptable, this should wait for a documented LongCat usage endpoint or a narrower supported auth token.

Current guardrails:

  • Provider is disabled by default.
  • Off disables web auth entirely, including lingering env cookies.
  • Manual only uses the pasted/manual cookie header and does not import browser cookies.
  • Browser import is limited to app runtime, user-initiated refreshes, and Auto cookie source.
  • LongCat Auto import defaults to Chrome-only on macOS to avoid probing unrelated browser stores/keychains.
  • user-current response bodies are never logged because they can include a session token and phone number.

Endpoints and mapping (verified against redacted live response shapes)

| Endpoint | Fields used |
| --- | --- |
| GET /api/v1/user-current | data.name (account) |
| GET /api/lc-platform/v1/tokenUsage | data.usage.{totalToken, usedToken, availableToken} |
| GET /api/lc-platform/v1/pending-fuel-packages | data.totalQuota + data.list[] |

Mapping behavior:

  • Primary window = token quota used percent.
  • Secondary window = fuel-pack balance, with nearest expiry when available.
  • Missing/undecodable quota data leaves primary nil instead of rendering a fake 0% window.
  • Envelope auth failures from required user-current surface as invalid-session errors, so expired cookies prompt re-auth instead of an empty successful snapshot.

Review follow-up

Addressed Codex review findings:

  • Surfaced required envelope auth failures.
  • Removed the unreachable/nonexistent today-token path.
  • Routed env cookies through LongCatSettingsReader for lower-case alias and quote trimming.
  • Honored Off before env-cookie fallback.
  • Kept Manual from importing browser cookies.
  • Omitted the primary quota window when quota data is missing.
  • Changed LongCat Auto cookie import to Chrome-only by default.
  • Removed the release-owned changelog edit from this PR.

Wiring

.longcat added to UsageProvider / IconStyle, descriptor registry, settings snapshot + builder, implementation registry, logging categories, widget metadata, cost-usage scanner, debug-log switch, provider icon, docs/configuration.md provider-id list, and focused unit tests covering the redacted live response shapes and cookie-source behavior.

Testing

  • swift test --filter 'LongCat|BrowserCookieOrder' ✅ (28 tests)
  • make check
  • PR CI ✅ (changes, lint, Linux x64/arm64 builds, macOS shards 0-3, lint-build-test, GitGuardian)

clawsweeper Bot commented Jun 21, 2026


Codex review: needs maintainer review before merge. Reviewed June 24, 2026, 2:28 AM ET / 06:28 UTC.

Summary
The branch adds a disabled-by-default LongCat cookie-backed usage provider with settings, browser/manual cookie handling, fetcher/parser code, provider/icon/widget wiring, docs, and focused tests.

Reproducibility: not applicable, as a new provider feature rather than a bug report. Parser/settings behavior is source-testable, and the contributor now supplied redacted live output from the current PR head.

Review metrics: 2 noteworthy metrics.

  • Changed surface: 25 files, +1143/-4. The patch spans core provider/auth code, app settings, widget metadata, docs, and tests, so the credential and rendering paths need maintainer review.
  • Credential surface: 1 new cookie-backed provider. LongCat can use a pasted Cookie header or browser-imported cookies and sends them to web-console endpoints.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🐚 platinum hermit
Patch quality: 🦐 gold shrimp
Result: needs maintainer review before merge.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Get explicit maintainer acceptance of the full-cookie LongCat boundary, or replace it with a narrower documented credential before merge.

Risk before merge

  • [P1] The provider forwards the full longcat.chat cookie jar because the LongCat/Meituan auth cookie name is undocumented; that needs explicit maintainer acceptance before merge.
  • [P1] The usage endpoints are undocumented web-console shapes, so maintainers should decide whether disabled-by-default plus tests is an acceptable core support burden.

Maintainer options:

  1. Approve the full-cookie boundary
    Maintainers can intentionally accept forwarding the full longcat.chat cookie jar because the provider is disabled by default, Auto import is Chrome-only/user-initiated, and no narrower usage credential is documented in the PR.
  2. Require a narrower credential
    Before merge, ask the contributor to switch to a documented usage endpoint or specific supported cookie/token if maintainers do not want CodexBar forwarding the whole cookie header.
  3. Pause until LongCat documents usage auth
    If neither full-cookie forwarding nor an undocumented console endpoint is acceptable for core, pause or close the PR until LongCat exposes a supported usage surface.

Next step before merge

  • [P2] Maintainer review is needed to decide whether CodexBar core should accept full longcat.chat cookie forwarding for this disabled-by-default provider.

Security
Needs attention: the diff intentionally imports and forwards the full LongCat cookie header, so a maintainer must accept that credential boundary before merge.

Review details

Best possible solution:

Land the provider only if maintainers explicitly accept the disabled-by-default full-cookie web-console boundary; otherwise wait for a documented usage endpoint or narrower LongCat credential.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a new provider feature rather than a bug report. Parser/settings behavior is source-testable, and the contributor now supplied redacted live output from the current PR head.

Is this the best way to solve the issue?

Unclear pending maintainer sign-off. The implementation follows existing cookie-backed provider patterns and the previous source-level findings appear repaired, but full-cookie forwarding is a security/product decision rather than an automatic acceptance path.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 2435c93453fe.

Label changes:

  • add proof: sufficient: Contributor real behavior proof is sufficient. The latest comment includes redacted live output from the current PR head showing the LongCat app runtime/user-initiated Auto path, primary quota rendering, and fuel-pack endpoint observation without private values.
  • add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (live_output): The latest comment includes redacted live output from the current PR head showing the LongCat app runtime/user-initiated Auto path, primary quota rendering, and fuel-pack endpoint observation without private values.
  • remove status: 📣 needs proof: Current PR status label is status: ⏳ waiting on author.

Label justifications:

  • P2: This is a normal-priority new provider with limited blast radius, but it handles credentials and needs maintainer sign-off before merge.
  • merge-risk: 🚨 auth-provider: The PR adds new LongCat credential routing, cookie settings, browser-cookie import, and provider fetch behavior.
  • merge-risk: 🚨 security-boundary: The PR can import browser cookies and forwards the full LongCat cookie jar, which CI cannot approve as a privacy boundary.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🐚 platinum hermit and patch quality is 🦐 gold shrimp.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (live_output): The latest comment includes redacted live output from the current PR head showing the LongCat app runtime/user-initiated Auto path, primary quota rendering, and fuel-pack endpoint observation without private values.
  • proof: sufficient: Contributor real behavior proof is sufficient. The latest comment includes redacted live output from the current PR head showing the LongCat app runtime/user-initiated Auto path, primary quota rendering, and fuel-pack endpoint observation without private values.

Evidence reviewed

Security concerns:

  • [medium] Full LongCat cookie jar forwarding needs sign-off — Sources/CodexBarCore/Providers/LongCat/LongCatCookieImporter.swift:22
    The importer builds a Cookie header from every longcat.chat cookie because the auth cookie name is undocumented; that may be viable, but it is a sensitive credential boundary that needs explicit maintainer approval.
    Confidence: 0.84

What I checked:

Likely related people:

  • steipete: Current-main blame and recent refactors tie shared provider registration, provider metadata, and cookie-import default policy to this account's work. (role: recent area contributor; confidence: high; commits: f380287041b8, 22a07ef225df; files: Sources/CodexBarCore/Providers/ProviderDescriptor.swift, Sources/CodexBarCore/Providers/Providers.swift, Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift)
  • LeoLin990405: Beyond authoring this PR, history shows prior merged provider work in MiMo and Doubao areas that overlaps the provider implementation pattern. (role: recent provider contributor; confidence: medium; commits: f5fa8138092d, a31709838797, 6eb3699ec977; files: Sources/CodexBarCore/Providers/MiMo/MiMoProviderDescriptor.swift, Sources/CodexBarCore/Providers/Doubao/DoubaoUsageFetcher.swift, Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift)
  • Yuxin Qiao: Recent MiniMax token-plan work is relevant because this PR intentionally follows an existing cookie-backed provider pattern similar to MiniMax. (role: adjacent provider contributor; confidence: medium; commits: d00c6c0f523d; files: Sources/CodexBarCore/Providers/MiniMax/MiniMaxProviderDescriptor.swift, Sources/CodexBarCore/Providers/MiniMax)
  • kiranmagic7: Kimi provider history is relevant because the PR cites Kimi as another cookie-backed provider pattern. (role: adjacent provider contributor; confidence: medium; commits: 2c7283b6fe45; files: Sources/CodexBarCore/Providers/Kimi/KimiProviderDescriptor.swift, Sources/CodexBarCore/Providers/Kimi)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1c5d176640

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatUsageFetcher.swift Outdated
Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatUsageFetcher.swift Outdated
@LeoLin990405 LeoLin990405 force-pushed the feat/longcat-provider branch from 1c5d176 to 0715e15 Compare June 21, 2026 13:58
@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 🛠️ actively grinding The PR author has acted after the latest ClawSweeper review and work remains. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. and removed status: 🛠️ actively grinding The PR author has acted after the latest ClawSweeper review and work remains. labels Jun 21, 2026
@LeoLin990405 LeoLin990405 force-pushed the feat/longcat-provider branch from 0715e15 to 8a6c0b4 Compare June 21, 2026 14:22
LeoLin990405 added a commit to LeoLin990405/CodexBar that referenced this pull request Jun 23, 2026
Addresses Codex review on steipete#1697:
- user-current now propagates envelope auth failures (HTTP 200 + code
  401/403 -> .invalidSession) instead of swallowing them with try?, so
  expired cookies prompt re-auth rather than reporting an empty snapshot.
- Remove the never-assigned todayTokens / freeQuota fields and the
  unreachable tertiary 'Today' window; LongCat's tokenUsage is a quota
  snapshot with no per-day figure.
- Add envelope unit tests (invalid-session + success unwrap).
@LeoLin990405

Contributor Author

Thanks for the review — both P2s are addressed in 35076321:

  1. Invalid-session surfacing: user-current now propagates envelope auth failures (try instead of try?); .invalidSession is non-fallback, so expired cookies prompt re-auth instead of an empty snapshot.
  2. Unused today-token path — removed the never-assigned todayTokens/freeQuota fields and the unreachable tertiary window. LongCat's tokenUsage is a quota snapshot with no per-day figure.

On the cookie import using only the first session: that's intentional parity with the existing Kimi/MiniMax cookie providers (single-account balance read); happy to generalize if you'd prefer.

Behavior proof

The field mapping is not guessed — it's locked against live responses captured from a logged-in longcat.chat console session (the public api.longcat.chat key exposes no usage endpoint, hence the cookie path). Captured shapes (values neutralised):

GET /api/lc-platform/v1/tokenUsage

{ "code": 0, "message": "SUCCESS",
  "data": { "usage": { "totalToken": 500000, "usedToken": 0, "availableToken": 500000 },
            "extData": { "LongCat-Flash-Lite": { "totalToken": 50000000, "usedToken": 0 } } } }

GET /api/lc-platform/v1/pending-fuel-packages

{ "code": 0, "data": { "totalQuota": 0, "list": [] } }

GET /api/v1/user-current -> data.name (the body also carries a session token + phone, so it is never logged).

LongCatProviderTests asserts buildSnapshot against these exact shapes (quota %, fuel-pack sum + expiry, envelope invalid-session). Full swift test is green.

@codex review
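
The envelope handling and quota mapping discussed in this thread, as an added example that is not code from the PR or from CodexBar: an HTTP 200 body whose envelope code is 401/403 is raised as an invalid session, and missing quota fields yield no primary window rather than 0%. All type and function names are hypothetical; the success body follows the redacted tokenUsage shape quoted above, and the 401 and empty-data bodies are constructed.

```swift
import Foundation

// Added example, not CodexBar source. All type and function names are hypothetical.

enum ConsoleError: Error, Equatable {
    case invalidSession                       // envelope code 401/403 inside an HTTP 200
    case api(code: Int, message: String?)     // any other non-zero envelope code
}

// Decoded first, on its own, so an error envelope with an unexpected
// `data` shape still surfaces as an auth failure instead of a decode error.
struct EnvelopeStatus: Decodable {
    let code: Int
    let message: String?
}

struct EnvelopeBody<T: Decodable>: Decodable {
    let data: T?
}

struct TokenUsageData: Decodable {
    struct Usage: Decodable {
        let totalToken: Double?
        let usedToken: Double?
        let availableToken: Double?
    }
    let usage: Usage?
}

/// Unwraps `{ code, message, data }`. Auth failures are thrown, never mapped to "no data".
func unwrapEnvelope<T: Decodable>(_ type: T.Type, from body: Data) throws -> T? {
    let decoder = JSONDecoder()
    let status = try decoder.decode(EnvelopeStatus.self, from: body)
    switch status.code {
    case 0:
        return try decoder.decode(EnvelopeBody<T>.self, from: body).data
    case 401, 403:
        throw ConsoleError.invalidSession
    default:
        throw ConsoleError.api(code: status.code, message: status.message)
    }
}

/// Returns nil when quota fields are missing or unusable, so the caller omits
/// the primary window instead of rendering a fake 0%.
func primaryUsedPercent(_ data: TokenUsageData?) -> Double? {
    guard let usage = data?.usage,
          let total = usage.totalToken, total > 0,
          let used = usage.usedToken else { return nil }
    return min(100, max(0, used / total * 100))
}

// Sample bodies: the first follows the redacted shape in the thread,
// the other two are constructed for this example.
let success = Data(#"{"code":0,"message":"SUCCESS","data":{"usage":{"totalToken":500000,"usedToken":0,"availableToken":500000}}}"#.utf8)
let expired = Data(#"{"code":401,"message":"constructed sample","data":"not-an-object"}"#.utf8)
let noQuota = Data(#"{"code":0,"data":{}}"#.utf8)

for (label, body) in [("success", success), ("expired", expired), ("no quota", noQuota)] {
    do {
        let data = try unwrapEnvelope(TokenUsageData.self, from: body)
        let percent = primaryUsedPercent(data)
        print(label, percent.map { "\($0)%" } ?? "primary window omitted")
    } catch {
        // Only the error case is printed; response bodies are never logged.
        print(label, "error:", error)
    }
}
```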

Cookie-based web provider for LongCat (Meituan) that surfaces console
token quota (总额度) and fuel-pack balance (加油包) by reading the
longcat.chat platform session, mirroring the Kimi/MiniMax cookie pattern.

Field mapping is locked against captured live responses:
- GET /api/v1/user-current        -> data.name
- GET /api/lc-platform/v1/tokenUsage          -> data.usage.{total,used,available}Token
- GET /api/lc-platform/v1/pending-fuel-packages -> data.totalQuota + data.list[]

The public API key path exposes no usage endpoint, so usage is read from
the web console session (all longcat.chat cookies are forwarded since the
Meituan passport cookie name is undocumented). The user-current body is
never logged (it carries a session token + phone).

Wires .longcat into the provider/icon enums, descriptor registry, settings
snapshot/builder, implementation registry, logging, widget, cost-usage and
debug switches; adds brand icon, docs provider-id list, CHANGELOG entry and
unit tests covering the live response shapes.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 35076321c6


Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatCookieHeader.swift Outdated
Comment thread CHANGELOG.md Outdated
@LeoLin990405 LeoLin990405 force-pushed the feat/longcat-provider branch from 3507632 to ba31d95 Compare June 23, 2026 04:01
Addresses Codex re-review on steipete#1697: resolveCookieOverride read
context.env["LONGCAT_MANUAL_COOKIE"] directly, bypassing
LongCatSettingsReader.cookieHeader(), so the lower-case
longcat_manual_cookie alias and quote-trimming never reached the env
fetch path for CLI/daemon users. Route the env value through the reader
first. (The P3 changelog 'today's token usage' wording was already
dropped during the rebase onto main.)
@LeoLin990405

Contributor Author

Re-review follow-up — both findings handled in 4110e2ae / the rebase:

  • Env cookie routing (P2): LongCatCookieHeader now resolves the env value via LongCatSettingsReader.cookieHeader(environment:), so the lower-case longcat_manual_cookie alias + quote-trimming apply on the env path. +regression test.
  • Changelog daily-token wording (P3): dropped during the rebase onto main (entry now reads "console token quota (总额度) and fuel-pack balance (加油包)").

Branch is rebased onto latest main, swift build + swift test green locally.

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4110e2ae18


Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatCookieHeader.swift
Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatProviderDescriptor.swift Outdated
Addresses Codex re-review on steipete#1697 (2 P2):
- Off now fully disables web auth: resolveCookieOverride returns nil when
  cookieSource is .off, so a lingering LONGCAT_MANUAL_COOKIE env value can
  no longer keep the web strategy available.
- Browser cookie/keychain import is gated to the Auto source only; Manual
  no longer silently falls back to a browser session when the pasted
  header is missing/invalid (it surfaces as unavailable instead).
- Add regression tests for the Off/Auto env-override gating.
@LeoLin990405

Contributor Author

Both cookie-source findings fixed in 670a9d25:

  • Off now fully disables web auth (env override gated in resolveCookieOverride).
  • Manual no longer silently browser-imports — browser/keychain fallback is Auto-only.

+2 regression tests. swift build + swift test green locally.

@codex review
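
The cookie-source gating described in this thread (Off, Manual, Auto), as an added example that is not code from the PR or from CodexBar. All type and function names are hypothetical; only the LONGCAT_MANUAL_COOKIE / longcat_manual_cookie variable names come from the thread, and the settings-before-env and env-before-browser ordering is an assumption.

```swift
import Foundation

// Added example, not CodexBar source. All type and function names are hypothetical.

enum CookieSource { case off, manual, auto }
enum Runtime { case app, cli }
enum Interaction { case userInitiated, background }

struct CookieContext {
    var source: CookieSource
    var runtime: Runtime = .app
    var interaction: Interaction = .userInitiated
    var manualHeader: String? = nil
    var environment: [String: String] = [:]
}

enum CookieDecision: Equatable {
    case unavailable          // no web auth; nothing is sent
    case header(String)       // use this Cookie header as-is
    case importFromBrowser    // caller may read the browser cookie store
}

/// Trims whitespace and one pair of surrounding quotes; empty input becomes nil.
func normalizedHeader(_ raw: String?) -> String? {
    guard var value = raw?.trimmingCharacters(in: .whitespacesAndNewlines),
          !value.isEmpty else { return nil }
    if value.count >= 2, let first = value.first, first == value.last,
       first == "\"" || first == "'" {
        value = String(value.dropFirst().dropLast())
            .trimmingCharacters(in: .whitespacesAndNewlines)
    }
    return value.isEmpty ? nil : value
}

/// Single reader for the env value, so the lower-case alias and quote trimming
/// apply on every path that consults the environment.
func envCookie(_ env: [String: String]) -> String? {
    normalizedHeader(env["LONGCAT_MANUAL_COOKIE"] ?? env["longcat_manual_cookie"])
}

func resolveCookie(_ ctx: CookieContext) -> CookieDecision {
    switch ctx.source {
    case .off:
        // Checked before any env lookup: a lingering env cookie must not re-enable web auth.
        return .unavailable
    case .manual:
        // Pasted header or env value only; never falls back to the browser.
        if let header = normalizedHeader(ctx.manualHeader) ?? envCookie(ctx.environment) {
            return .header(header)
        }
        return .unavailable
    case .auto:
        if let header = envCookie(ctx.environment) { return .header(header) }
        // Browser import only from the app, and only on a user-initiated refresh.
        guard ctx.runtime == .app, ctx.interaction == .userInitiated else { return .unavailable }
        return .importFromBrowser
    }
}

/// Describes a decision without ever printing the cookie value.
func describe(_ decision: CookieDecision) -> String {
    switch decision {
    case .unavailable: return "unavailable"
    case .header(let header): return "header (\(header.count) chars, value not printed)"
    case .importFromBrowser: return "import from browser"
    }
}

// Constructed placeholder value, not a real cookie.
let env = ["longcat_manual_cookie": "\"name=constructed-placeholder\""]
let cases: [(String, CookieContext)] = [
    ("off + lingering env cookie", CookieContext(source: .off, environment: env)),
    ("manual, nothing pasted", CookieContext(source: .manual)),
    ("manual + env alias", CookieContext(source: .manual, environment: env)),
    ("auto, background refresh", CookieContext(source: .auto, interaction: .background)),
    ("auto, CLI runtime", CookieContext(source: .auto, runtime: .cli)),
    ("auto, user-initiated in app", CookieContext(source: .auto)),
]
for (label, ctx) in cases {
    print(label, "->", describe(resolveCookie(ctx)))
}
```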

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 670a9d25df


Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatUsageSnapshot.swift Outdated
Comment thread Sources/CodexBarCore/Providers/LongCat/LongCatProviderDescriptor.swift Outdated
@clawsweeper clawsweeper Bot added the merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. label Jun 24, 2026
@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. labels Jun 24, 2026
@LeoLin990405

Contributor Author

All Codex review threads have been addressed and resolved. PR body now documents the latest cookie-source guardrails, Chrome-only LongCat auto import default, missing-quota behavior, validation, and the maintainer auth/privacy decision point.

@codex review
@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 24, 2026


🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. You're on a roll.

Reviewed commit: 5197371d69


@LeoLin990405

Contributor Author

@openclaw-mantis visual task: verify CodexBar renders LongCat quota and fuel-pack values from a real longcat.chat session with private cookies/account details redacted.

@LeoLin990405

Contributor Author

Redacted live behavior proof

Ran a local live proof against the current PR head (5197371d694e8283de0ee0120ab80c9dfceb19ac) using the LongCat provider path with:

  • runtime: app
  • interaction: userInitiated
  • cookie source: auto
  • import policy: macOS Chrome-only browser cookie import

No cookie values, auth tokens, account names, phone numbers, IPs, raw response bodies, or endpoint URLs are included below.

{
  "commit": "5197371d694e8283de0ee0120ab80c9dfceb19ac",
  "provider": "longcat",
  "runtime": "app",
  "interaction": "userInitiated",
  "cookieSource": "auto",
  "importPolicy": "macOS Chrome-only browser cookie import",
  "strategyAvailable": true,
  "fetchSource": "web",
  "identityPresent": true,
  "primaryRendered": true,
  "primaryUsedPercent": 0,
  "primaryDescription": "0/500000",
  "fuelPackEndpointObserved": true,
  "fuelPackEndpointTotalQuota": 0,
  "fuelPackEndpointPackageCount": 0,
  "fuelPackRendered": false,
  "timestamp": "2026-06-24T06:22:54Z"
}

Notes:

  • Quota rendering is visible through the primary usage window (0/500000, 0%).
  • The fuel-pack endpoint was reached successfully and returned total quota 0 with 0 active packages for this account, so no secondary fuel-pack window is rendered; that matches the current UsageSnapshot behavior.
  • The proof was generated with a temporary local test harness and then removed from the worktree; no proof-only code is part of this PR.

Maintainer sign-off still requested: this PR intentionally forwards the full longcat.chat cookie jar because the LongCat/Meituan auth cookie name is undocumented. Please confirm whether that boundary is acceptable while the provider remains disabled by default and Auto import is Chrome-only/user-initiated.

@clawsweeper re-review

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. and removed status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 24, 2026
@LeoLin990405

Contributor Author

Maintainer sign-off requested for the final ClawSweeper gate.

The remaining decision is whether CodexBar core accepts forwarding the full longcat.chat cookie jar for this disabled-by-default provider, given that LongCat/Meituan does not document a narrower usage credential. Current mitigations are:

  • provider disabled by default
  • Auto import is app-runtime + user-initiated only
  • Auto import defaults to Chrome-only on macOS
  • Manual/Off do not silently browser-import
  • user-current bodies are never logged
  • redacted live proof is now posted and ClawSweeper marked proof: sufficient

@steipete could you explicitly confirm whether this full-cookie boundary is acceptable for merge?
