feat(kimi): add Kimi CLI forward mode support

- Add AccountTypeCLI domain constant
- Add KimiCLIGateway to forward requests through local kimi-cli binary
- Route CLI accounts in ForwardKimiChatCompletions to cli gateway
- Handle CLI type in GetAccessToken (no token needed)
- Fix Gin oneof binding to accept 'cli' type (Create/Update Account)
- Fix validateDataAccount to accept bedrock and cli types
- Remove unsupported --model arg from kimi-cli invocation
- Frontend: CLI account creation UI with model mapping, pool mode
- Frontend: CLI edit modal support
- Frontend: UseKeyModal shows OpenAI examples for kimi platform
- Add i18n strings for CLI account type

[缅因猫/Codex🐾]

backend/config.test.yaml

@@ -0,0 +1,181 @@
+server:
+  host: "0.0.0.0"
+  port: 3004
+  mode: "debug"
+  frontend_url: "http://localhost:3003"
+
+database:
+  host: "localhost"
+  port: 5432
+  user: "sub2api"
+  password: "sub2api"
+  dbname: "sub2api"
+  sslmode: "disable"
+  max_open_conns: 50
+  max_idle_conns: 10
+
+redis:
+  host: "localhost"
+  port: 6379
+  password: ""
+  db: 0
+  pool_size: 100
+  min_idle_conns: 10
+
+jwt:
+  secret: "test-secret-do-not-use-in-production"
+  expire_hour: 24
+
+totp:
+  encryption_key: ""
+
+default:
+  admin_email: "admin@test.com"
+  admin_password: "admin123"
+  user_concurrency: 5
+  user_balance: 0
+  api_key_prefix: "sk-"
+  rate_multiplier: 1.0
+
+gateway:
+  response_header_timeout: 600
+  max_body_size: 268435456
+  upstream_response_read_max_bytes: 8388608
+  connection_pool_isolation: "account_proxy"
+  max_idle_conns: 2560
+  max_idle_conns_per_host: 120
+  max_conns_per_host: 1024
+  idle_conn_timeout_seconds: 90
+  max_upstream_clients: 5000
+  client_idle_ttl_seconds: 900
+  concurrency_slot_ttl_minutes: 30
+  stream_data_interval_timeout: 180
+  stream_keepalive_interval: 10
+  max_line_size: 41943040
+  log_upstream_error_body: true
+  log_upstream_error_body_max_bytes: 2048
+  inject_beta_for_apikey: false
+  failover_on_400: false
+  scheduling:
+    sticky_session_max_waiting: 3
+    sticky_session_wait_timeout: 120s
+    fallback_wait_timeout: 30s
+    fallback_max_waiting: 100
+    load_batch_enabled: true
+    slot_cleanup_interval: 30s
+    db_fallback_enabled: true
+    db_fallback_timeout_seconds: 0
+    db_fallback_max_qps: 0
+    outbox_poll_interval_seconds: 1
+    outbox_lag_warn_seconds: 5
+    outbox_lag_rebuild_seconds: 10
+    outbox_lag_rebuild_failures: 3
+    outbox_backlog_rebuild_rows: 10000
+    full_rebuild_interval_seconds: 300
+  tls_fingerprint:
+    enabled: false
+
+log:
+  level: "debug"
+  format: "console"
+  service_name: "sub2api"
+  env: "dev"
+  caller: true
+  stacktrace_level: "error"
+  output:
+    to_stdout: true
+    to_file: false
+  rotation:
+    max_size_mb: 100
+    max_backups: 10
+    max_age_days: 7
+    compress: true
+    local_time: true
+  sampling:
+    enabled: false
+    initial: 100
+    thereafter: 100
+
+api_key_auth_cache:
+  l1_size: 65535
+  l1_ttl_seconds: 15
+  l2_ttl_seconds: 300
+  negative_ttl_seconds: 30
+  jitter_percent: 10
+  singleflight: true
+
+dashboard_cache:
+  enabled: true
+  key_prefix: "sub2api:"
+  stats_fresh_ttl_seconds: 15
+  stats_ttl_seconds: 30
+  stats_refresh_timeout_seconds: 30
+
+dashboard_aggregation:
+  enabled: false
+  interval_seconds: 60
+  lookback_seconds: 120
+  backfill_enabled: false
+  backfill_max_days: 31
+  recompute_days: 2
+  retention:
+    usage_logs_days: 90
+    hourly_days: 180
+    daily_days: 730
+
+usage_cleanup:
+  enabled: false
+  max_range_days: 31
+  batch_size: 5000
+  worker_interval_seconds: 10
+  task_timeout_seconds: 1800
+
+idempotency:
+  observe_only: true
+  default_ttl_seconds: 86400
+  system_operation_ttl_seconds: 3600
+  processing_timeout_seconds: 30
+  failed_retry_backoff_seconds: 5
+  max_stored_response_len: 65536
+  cleanup_interval_seconds: 60
+  cleanup_batch_size: 500
+
+concurrency:
+  ping_interval: 10
+
+token_refresh:
+  sync_linked_sora_accounts: false
+
+ops:
+  enabled: false
+
+rate_limit:
+  overload_cooldown_minutes: 10
+
+security:
+  url_allowlist:
+    enabled: false
+    upstream_hosts: []
+    pricing_hosts: []
+    crs_hosts: []
+    allow_private_hosts: true
+    allow_insecure_http: true
+  response_headers:
+    enabled: true
+    additional_allowed: []
+    force_remove: []
+  csp:
+    enabled: false
+  proxy_probe:
+    insecure_skip_verify: false
+  proxy_fallback:
+    allow_direct_on_error: false
+
+turnstile:
+  required: false
+
+linuxdo_connect:
+  enabled: false
+
+oidc_connect:
+  enabled: false

backend/internal/domain/constants.go

@@ -32,6 +32,7 @@ const (
 	AccountTypeAPIKey     = "apikey"      // API Key类型账号
 	AccountTypeUpstream   = "upstream"    // 上游透传类型账号（通过 Base URL + API Key 连接上游）
 	AccountTypeBedrock    = "bedrock"     // AWS Bedrock 类型账号（通过 SigV4 签名或 API Key 连接 Bedrock，由 credentials.auth_mode 区分）
+	AccountTypeCLI        = "cli"         // 本地CLI代理类型账号（通过本地安装的CLI工具转发请求）
 )
 
 // Redeem type constants

backend/internal/handler/admin/account_data.go

@@ -560,7 +560,7 @@ func validateDataAccount(item DataAccount) error {
 		return errors.New("account credentials is required")
 	}
 	switch item.Type {
-	case service.AccountTypeOAuth, service.AccountTypeSetupToken, service.AccountTypeAPIKey, service.AccountTypeUpstream:
+	case service.AccountTypeOAuth, service.AccountTypeSetupToken, service.AccountTypeAPIKey, service.AccountTypeUpstream, service.AccountTypeBedrock, service.AccountTypeCLI:
 	default:
 		return fmt.Errorf("account type is invalid: %s", item.Type)
 	}

backend/internal/handler/admin/account_handler.go

@@ -98,7 +98,7 @@ type CreateAccountRequest struct {
 	Name                    string         `json:"name" binding:"required"`
 	Notes                   *string        `json:"notes"`
 	Platform                string         `json:"platform" binding:"required"`
-	Type                    string         `json:"type" binding:"required,oneof=oauth setup-token apikey upstream bedrock"`
+	Type                    string         `json:"type" binding:"required,oneof=oauth setup-token apikey upstream bedrock cli"`
 	Credentials             map[string]any `json:"credentials" binding:"required"`
 	Extra                   map[string]any `json:"extra"`
 	ProxyID                 *int64         `json:"proxy_id"`
@@ -117,7 +117,7 @@ type CreateAccountRequest struct {
 type UpdateAccountRequest struct {
 	Name                    string         `json:"name"`
 	Notes                   *string        `json:"notes"`
-	Type                    string         `json:"type" binding:"omitempty,oneof=oauth setup-token apikey upstream bedrock"`
+	Type                    string         `json:"type" binding:"omitempty,oneof=oauth setup-token apikey upstream bedrock cli"`
 	Credentials             map[string]any `json:"credentials"`
 	Extra                   map[string]any `json:"extra"`
 	ProxyID                 *int64         `json:"proxy_id"`

backend/internal/service/domain_constants.go

@@ -34,6 +34,7 @@ const (
 	AccountTypeAPIKey     = domain.AccountTypeAPIKey     // API Key类型账号
 	AccountTypeUpstream   = domain.AccountTypeUpstream   // 上游透传类型账号（通过 Base URL + API Key 连接上游）
 	AccountTypeBedrock    = domain.AccountTypeBedrock    // AWS Bedrock 类型账号（通过 SigV4 签名或 API Key 连接 Bedrock，由 credentials.auth_mode 区分）
+	AccountTypeCLI        = domain.AccountTypeCLI        // 本地CLI代理类型账号（通过本地安装的CLI工具转发请求）
 )
 
 // Redeem type constants

backend/internal/service/gateway_service.go

@@ -3454,6 +3454,8 @@ func (s *GatewayService) GetAccessToken(ctx context.Context, account *Account) (
 		return apiKey, "apikey", nil
 	case AccountTypeBedrock:
 		return "", "bedrock", nil // Bedrock 使用 SigV4 签名或 API Key，由 forwardBedrock 处理
+	case AccountTypeCLI:
+		return "", "cli", nil // CLI 类型由 CLI gateway 自行管理认证
 	default:
 		return "", "", fmt.Errorf("unsupported account type: %s", account.Type)
 	}

backend/internal/service/kimi_cli_gateway.go

@@ -0,0 +1,442 @@
+package service
+
+import (
+	"bufio"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/Wei-Shaw/sub2api/internal/pkg/logger"
+	"github.com/gin-gonic/gin"
+	"github.com/tidwall/gjson"
+)
+
+const (
+	kimiCLICommand        = "kimi"
+	kimiCLITimeout        = 10 * time.Minute
+	kimiCLIStreamJSONFlag = "stream-json"
+)
+
+// KimiCLIGateway handles forwarding chat completions requests through the local kimi-cli.
+type KimiCLIGateway struct {
+	// cliPath is the resolved path to the kimi binary. If empty, "kimi" is used.
+	cliPath string
+}
+
+// NewKimiCLIGateway creates a new CLI gateway, attempting to resolve the kimi binary.
+func NewKimiCLIGateway() *KimiCLIGateway {
+	path := resolveKimiCLI()
+	return &KimiCLIGateway{cliPath: path}
+}
+
+// IsAvailable returns true if the kimi CLI is found on the system.
+func (g *KimiCLIGateway) IsAvailable() bool {
+	return g.cliPath != ""
+}
+
+// ForwardChatCompletions forwards an OpenAI Chat Completions request through kimi-cli.
+func (g *KimiCLIGateway) ForwardChatCompletions(
+	ctx context.Context,
+	c *gin.Context,
+	account *Account,
+	body []byte,
+) (*ForwardResult, error) {
+	startTime := time.Now()
+
+	if !g.IsAvailable() {
+		return nil, errors.New("kimi CLI not found. Please install it: uv tool install --python 3.13 kimi-cli")
+	}
+
+	// 1. Parse request
+	reqStream := gjson.GetBytes(body, "stream").Bool()
+	originalModel := gjson.GetBytes(body, "model").String()
+	mappedModel := account.GetMappedModel(originalModel)
+	if mappedModel == "" {
+		mappedModel = originalModel
+	}
+
+	// 2. Build NDJSON messages for stdin
+	ndjsonInput, err := buildKimiNDJSONMessages(body)
+	if err != nil {
+		return nil, fmt.Errorf("build messages: %w", err)
+	}
+
+	// 3. Build CLI args
+	// Note: kimi-cli does not support --model; it uses the default model.
+	// The API only exposes K2.6, but the actual model is determined by the CLI.
+	args := []string{
+		"--print",
+		"--output-format", kimiCLIStreamJSONFlag,
+		"--input-format", "stream-json",
+	}
+
+	// 4. Run CLI (CLI manages its own OAuth auth via `kimi login`)
+	cmd := exec.CommandContext(ctx, g.cliPath, args...)
+	cmd.Stdin = strings.NewReader(ndjsonInput)
+
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return nil, fmt.Errorf("stdout pipe: %w", err)
+	}
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		return nil, fmt.Errorf("stderr pipe: %w", err)
+	}
+
+	if err := cmd.Start(); err != nil {
+		return nil, fmt.Errorf("start cli: %w", err)
+	}
+
+	// Drain stderr in background for debugging
+	go func() {
+		slurp, _ := io.ReadAll(stderr)
+		if len(slurp) > 0 {
+			logger.LegacyPrintf("service.kimi_cli", "stderr: %s", string(slurp))
+		}
+	}()
+
+	// 5. Parse output and forward
+	var result *ForwardResult
+	if reqStream {
+		result, err = g.handleStreamingResponse(stdout, c, originalModel, mappedModel, startTime)
+	} else {
+		result, err = g.handleNonStreamingResponse(stdout, c, originalModel, mappedModel, startTime)
+	}
+
+	// Wait for process to finish
+	if waitErr := cmd.Wait(); waitErr != nil && result == nil {
+		return nil, fmt.Errorf("cli exited: %w", waitErr)
+	}
+
+	return result, err
+}
+
+// handleStreamingResponse reads the single NDJSON line from kimi-cli and sends it as SSE.
+func (g *KimiCLIGateway) handleStreamingResponse(
+	stdout io.Reader,
+	c *gin.Context,
+	originalModel, mappedModel string,
+	startTime time.Time,
+) (*ForwardResult, error) {
+	if c == nil || c.Writer == nil {
+		return nil, errors.New("gin context or writer is nil")
+	}
+
+	c.Writer.Header().Set("Content-Type", "text/event-stream; charset=utf-8")
+	c.Writer.Header().Set("Cache-Control", "no-cache")
+	c.Writer.Header().Set("Connection", "keep-alive")
+	c.Writer.WriteHeader(http.StatusOK)
+
+	flusher, ok := c.Writer.(http.Flusher)
+	if !ok {
+		return nil, errors.New("streaming not supported")
+	}
+
+	msg, err := parseKimiCLIMessage(stdout)
+	if err != nil {
+		return nil, fmt.Errorf("parse cli output: %w", err)
+	}
+
+	var firstTokenTime *time.Duration
+	chatID := generateChatCompletionID()
+	created := time.Now().Unix()
+
+	// Extract text content
+	text := extractKimiTextContent(msg)
+	thinking := extractKimiThinkingContent(msg)
+
+	// Build full content (prepend thinking if present)
+	fullContent := text
+	if thinking != "" {
+		fullContent = fmt.Sprintf("<think>\n%s\n</think>\n\n%s", thinking, text)
+	}
+
+	// Send role delta
+	if firstTokenTime == nil {
+		elapsed := time.Since(startTime)
+		firstTokenTime = &elapsed
+	}
+	chunk := buildSSEChunk(chatID, created, mappedModel, 0, &kimiDelta{Role: "assistant"}, nil)
+	fmt.Fprintf(c.Writer, "data: %s\n\n", chunk)
+	flusher.Flush()
+
+	// Send content delta (simplified: send all at once since CLI gives full response)
+	chunk = buildSSEChunk(chatID, created, mappedModel, 0, &kimiDelta{Content: fullContent}, nil)
+	fmt.Fprintf(c.Writer, "data: %s\n\n", chunk)
+	flusher.Flush()
+
+	// Send finish
+	chunk = buildSSEChunk(chatID, created, mappedModel, 0, &kimiDelta{}, stringPtr("stop"))
+	fmt.Fprintf(c.Writer, "data: %s\n\n", chunk)
+	flusher.Flush()
+
+	// [DONE]
+	fmt.Fprintf(c.Writer, "data: [DONE]\n\n")
+	flusher.Flush()
+
+	var firstTokenMs *int
+	if firstTokenTime != nil {
+		ms := int(firstTokenTime.Milliseconds())
+		firstTokenMs = &ms
+	}
+
+	return &ForwardResult{
+		UpstreamModel: mappedModel,
+		FirstTokenMs:  firstTokenMs,
+	}, nil
+}
+
+// handleNonStreamingResponse reads the single NDJSON line and returns a complete OpenAI response.
+func (g *KimiCLIGateway) handleNonStreamingResponse(
+	stdout io.Reader,
+	c *gin.Context,
+	originalModel, mappedModel string,
+	startTime time.Time,
+) (*ForwardResult, error) {
+	msg, err := parseKimiCLIMessage(stdout)
+	if err != nil {
+		return nil, fmt.Errorf("parse cli output: %w", err)
+	}
+
+	text := extractKimiTextContent(msg)
+	thinking := extractKimiThinkingContent(msg)
+
+	fullContent := text
+	if thinking != "" {
+		fullContent = fmt.Sprintf("<think>\n%s\n</think>\n\n%s", thinking, text)
+	}
+
+	resp := kimiChatCompletionResponse{
+		ID:      generateChatCompletionID(),
+		Object:  "chat.completion",
+		Created: time.Now().Unix(),
+		Model:   mappedModel,
+		Choices: []kimiChoice{
+			{
+				Index: 0,
+				Message: kimiMessage{
+					Role:    "assistant",
+					Content: fullContent,
+				},
+				FinishReason: stringPtr("stop"),
+			},
+		},
+	}
+
+	respBytes, _ := json.Marshal(resp)
+
+	if c != nil && c.Writer != nil {
+		c.Writer.Header().Set("Content-Type", "application/json")
+		c.Writer.WriteHeader(http.StatusOK)
+		_, _ = c.Writer.Write(respBytes)
+	}
+
+	return &ForwardResult{
+		UpstreamModel: mappedModel,
+	}, nil
+}
+
+// --- Helpers ---
+
+// resolveKimiCLI attempts to find the kimi binary in PATH.
+func resolveKimiCLI() string {
+	if path, err := exec.LookPath(kimiCLICommand); err == nil && path != "" {
+		return path
+	}
+	return ""
+}
+
+// buildKimiNDJSONMessages converts an OpenAI Chat Completions request body into
+// NDJSON lines suitable for kimi-cli --input-format stream-json.
+func buildKimiNDJSONMessages(body []byte) (string, error) {
+	messagesResult := gjson.GetBytes(body, "messages")
+	if !messagesResult.Exists() || !messagesResult.IsArray() {
+		return "", errors.New("missing or invalid messages array")
+	}
+
+	var lines []string
+	messagesResult.ForEach(func(_, msg gjson.Result) bool {
+		role := msg.Get("role").String()
+		content := msg.Get("content").String()
+
+		// Handle array content (e.g. vision messages with multiple parts)
+		if content == "" && msg.Get("content").IsArray() {
+			var texts []string
+			msg.Get("content").ForEach(func(_, item gjson.Result) bool {
+				if item.Get("type").String() == "text" {
+					texts = append(texts, item.Get("text").String())
+				}
+				return true
+			})
+			content = strings.Join(texts, "\n")
+		}
+
+		if role == "" || content == "" {
+			return true // skip empty
+		}
+
+		line := fmt.Sprintf(`{"role":%q,"content":%q}`, role, content)
+		lines = append(lines, line)
+		return true
+	})
+
+	if len(lines) == 0 {
+		return "", errors.New("no valid messages found")
+	}
+
+	return strings.Join(lines, "\n") + "\n", nil
+}
+
+// parseKimiCLIMessage reads all NDJSON lines from stdout and returns the last valid one.
+// When multiple messages are piped via stdin, kimi-cli outputs one response per turn;
+// we only need the last one (the response to the final user message).
+func parseKimiCLIMessage(stdout io.Reader) (map[string]interface{}, error) {
+	scanner := bufio.NewScanner(stdout)
+	scanner.Buffer(make([]byte, 4096), 1024*1024)
+
+	var lastMsg map[string]interface{}
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if line == "" {
+			continue
+		}
+		// Skip the "To resume this session" line
+		if strings.HasPrefix(line, "To resume this session") {
+			continue
+		}
+
+		var msg map[string]interface{}
+		if err := json.Unmarshal([]byte(line), &msg); err != nil {
+			continue // skip non-JSON lines
+		}
+		lastMsg = msg
+	}
+
+	if err := scanner.Err(); err != nil {
+		return nil, fmt.Errorf("scan cli output: %w", err)
+	}
+
+	if lastMsg == nil {
+		return nil, errors.New("no valid JSON output from kimi-cli")
+	}
+	return lastMsg, nil
+}
+
+// extractKimiTextContent extracts text from a kimi-cli message.
+func extractKimiTextContent(msg map[string]interface{}) string {
+	content, ok := msg["content"]
+	if !ok {
+		return ""
+	}
+
+	// String content
+	if s, ok := content.(string); ok {
+		return s
+	}
+
+	// Array content
+	arr, ok := content.([]interface{})
+	if !ok {
+		return ""
+	}
+
+	var texts []string
+	for _, item := range arr {
+		block, ok := item.(map[string]interface{})
+		if !ok {
+			continue
+		}
+		if block["type"] == "text" {
+			if t, ok := block["text"].(string); ok {
+				texts = append(texts, t)
+			}
+		}
+	}
+	return strings.Join(texts, "\n")
+}
+
+// extractKimiThinkingContent extracts thinking content from a kimi-cli message.
+func extractKimiThinkingContent(msg map[string]interface{}) string {
+	content, ok := msg["content"]
+	if !ok {
+		return ""
+	}
+
+	arr, ok := content.([]interface{})
+	if !ok {
+		return ""
+	}
+
+	var thinks []string
+	for _, item := range arr {
+		block, ok := item.(map[string]interface{})
+		if !ok {
+			continue
+		}
+		if block["type"] == "think" {
+			if t, ok := block["think"].(string); ok {
+				thinks = append(thinks, t)
+			}
+		}
+	}
+	return strings.Join(thinks, "\n")
+}
+
+// --- OpenAI-compatible response structs ---
+
+type kimiDelta struct {
+	Role    string `json:"role,omitempty"`
+	Content string `json:"content,omitempty"`
+}
+
+type kimiChoice struct {
+	Index        int         `json:"index"`
+	Message      kimiMessage `json:"message,omitempty"`
+	Delta        *kimiDelta  `json:"delta,omitempty"`
+	FinishReason *string     `json:"finish_reason"`
+}
+
+type kimiMessage struct {
+	Role    string `json:"role"`
+	Content string `json:"content"`
+}
+
+type kimiChatCompletionResponse struct {
+	ID      string       `json:"id"`
+	Object  string       `json:"object"`
+	Created int64        `json:"created"`
+	Model   string       `json:"model"`
+	Choices []kimiChoice `json:"choices"`
+}
+
+func buildSSEChunk(id string, created int64, model string, index int, delta *kimiDelta, finishReason *string) string {
+	chunk := kimiChatCompletionResponse{
+		ID:      id,
+		Object:  "chat.completion.chunk",
+		Created: created,
+		Model:   model,
+		Choices: []kimiChoice{
+			{
+				Index:        index,
+				Delta:        delta,
+				FinishReason: finishReason,
+			},
+		},
+	}
+	b, _ := json.Marshal(chunk)
+	return string(b)
+}
+
+func generateChatCompletionID() string {
+	return fmt.Sprintf("chatcmpl-%d", time.Now().UnixNano())
+}
+
+func stringPtr(s string) *string {
+	return &s
+}

backend/internal/service/kimi_gateway_service.go

@@ -24,12 +24,19 @@ const (
 
 // ForwardKimiChatCompletions forwards an OpenAI Chat Completions request directly to Kimi API.
 // Kimi API is OpenAI Chat Completions compatible, so the body is forwarded as-is.
+// For CLI-type accounts, requests are forwarded through the local kimi-cli binary.
 func (s *GatewayService) ForwardKimiChatCompletions(
 	ctx context.Context,
 	c *gin.Context,
 	account *Account,
 	body []byte,
 ) (*ForwardResult, error) {
+	// If account type is CLI, use local kimi-cli (CLI manages its own auth)
+	if account.Type == AccountTypeCLI {
+		cliGateway := NewKimiCLIGateway()
+		return cliGateway.ForwardChatCompletions(ctx, c, account, body)
+	}
+
 	startTime := time.Now()
 
 	// 1. Get access token

deploy/docker-compose.test.yml

@@ -0,0 +1,28 @@
+services:
+  postgres:
+    image: postgres:16-alpine
+    container_name: sub2api-test-postgres
+    environment:
+      POSTGRES_USER: sub2api
+      POSTGRES_PASSWORD: sub2api
+      POSTGRES_DB: sub2api
+    ports:
+      - "127.0.0.1:5432:5432"
+    volumes:
+      - ./postgres_test_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U sub2api -d sub2api"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  redis:
+    image: redis:7-alpine
+    container_name: sub2api-test-redis
+    ports:
+      - "127.0.0.1:6379:6379"
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 5s
+      timeout: 5s
+      retries: 5

frontend/src/components/account/CreateAccountModal.vue

@@ -744,10 +744,10 @@
         </div>
       </div>
 
-      <!-- Account Type Selection (Kimi - OAuth or API Key) -->
+      <!-- Account Type Selection (Kimi - OAuth, API Key, or CLI) -->
       <div v-if="form.platform === 'kimi'">
         <label class="input-label">{{ t('admin.accounts.accountType') }}</label>
-        <div class="mt-2 grid grid-cols-2 gap-3">
+        <div class="mt-2 grid grid-cols-3 gap-3">
           <button
             type="button"
             @click="accountCategory = 'oauth-based'"
@@ -798,6 +798,32 @@
               <div class="text-xs text-gray-500">Kimi API Key</div>
             </div>
           </button>
+          <!-- CLI Option -->
+          <button
+            type="button"
+            @click="accountCategory = 'cli'"
+            :class="[
+              'flex items-center gap-3 rounded-lg border-2 p-3 text-left transition-all',
+              accountCategory === 'cli'
+                ? 'border-teal-500 bg-teal-50 dark:bg-teal-900/20'
+                : 'border-gray-200 hover:border-teal-300 dark:border-dark-600 dark:hover:border-teal-700'
+            ]"
+          >
+            <div
+              :class="[
+                'flex h-8 w-8 shrink-0 items-center justify-center rounded-lg',
+                accountCategory === 'cli'
+                  ? 'bg-teal-100 text-teal-600 dark:bg-teal-800'
+                  : 'bg-gray-100 text-gray-500 dark:bg-dark-700'
+              ]"
+            >
+              <Icon name="terminal" size="sm" />
+            </div>
+            <div>
+              <div class="text-sm font-medium">CLI</div>
+              <div class="text-xs text-gray-500">Local kimi-cli</div>
+            </div>
+          </button>
         </div>
       </div>
 
@@ -3260,7 +3286,7 @@ interface TempUnschedRuleForm {
 // State
 const step = ref(1)
 const submitting = ref(false)
-const accountCategory = ref<'oauth-based' | 'apikey' | 'bedrock'>('oauth-based') // UI selection for account category
+const accountCategory = ref<'oauth-based' | 'apikey' | 'bedrock' | 'cli'>('oauth-based') // UI selection for account category
 const addMethod = ref<AddMethod>('oauth') // For oauth-based: 'oauth' or 'setup-token'
 const apiKeyBaseUrl = ref('https://api.anthropic.com')
 const apiKeyValue = ref('')
@@ -3502,6 +3528,10 @@ const isOAuthFlow = computed(() => {
   if (form.platform === 'anthropic' && accountCategory.value === 'bedrock') {
     return false
   }
+  // CLI 类型不需要 OAuth 流程
+  if (accountCategory.value === 'cli') {
+    return false
+  }
   return accountCategory.value === 'oauth-based'
 })
 
@@ -3577,6 +3607,11 @@ watch(
       form.type = 'bedrock' as AccountType
       return
     }
+    // CLI 类型
+    if (category === 'cli') {
+      form.type = 'cli'
+      return
+    }
     if (category === 'oauth-based') {
       form.type = method as AccountType // 'oauth' or 'setup-token'
     } else {
@@ -4179,6 +4214,36 @@ const handleSubmit = async () => {
     return
   }
 
+  // For CLI type, create directly (CLI manages its own auth)
+  if (accountCategory.value === 'cli') {
+    if (!form.name.trim()) {
+      appStore.showError(t('admin.accounts.pleaseEnterAccountName'))
+      return
+    }
+
+    const credentials: Record<string, unknown> = {}
+
+    // Add model mapping if configured
+    const modelMapping = buildModelMappingObject(modelRestrictionMode.value, allowedModels.value, modelMappings.value)
+    if (modelMapping) {
+      credentials.model_mapping = modelMapping
+    }
+
+    // Add pool mode if enabled
+    if (poolModeEnabled.value) {
+      credentials.pool_mode = true
+      credentials.pool_mode_retry_count = normalizePoolModeRetryCount(poolModeRetryCount.value)
+    }
+
+    applyInterceptWarmup(credentials, interceptWarmupRequests.value, 'create')
+    if (!applyTempUnschedConfig(credentials)) {
+      return
+    }
+
+    await createAccountAndFinish(form.platform, 'cli', credentials)
+    return
+  }
+
   // For Bedrock type, create directly
   if (form.platform === 'anthropic' && accountCategory.value === 'bedrock') {
     if (!form.name.trim()) {

frontend/src/components/account/EditAccountModal.vue

@@ -407,6 +407,144 @@
 
       </div>
 
+      <!-- CLI Account Settings (model restriction, pool mode, etc.) -->
+      <div v-if="account.type === 'cli'" class="space-y-4">
+        <div class="rounded-lg border border-teal-200 bg-teal-50 p-4 dark:border-teal-700 dark:bg-teal-900/30">
+          <div class="flex items-start gap-3">
+            <Icon name="terminal" size="sm" class="mt-0.5 text-teal-600 dark:text-teal-400" />
+            <div>
+              <p class="text-sm font-medium text-teal-900 dark:text-teal-200">Local kimi-cli</p>
+              <p class="text-xs text-teal-700 dark:text-teal-300">This account uses your locally installed kimi-cli. Authentication is managed by the CLI itself.</p>
+            </div>
+          </div>
+        </div>
+
+        <!-- Model Restriction Section (same as apikey) -->
+        <div v-if="account.platform !== 'antigravity'" class="border-t border-gray-200 pt-4 dark:border-dark-600">
+          <label class="input-label">{{ t('admin.accounts.modelRestriction') }}</label>
+
+          <div
+            v-if="isOpenAIModelRestrictionDisabled"
+            class="mb-3 rounded-lg bg-amber-50 p-3 dark:bg-amber-900/20"
+          >
+            <p class="text-xs text-amber-700 dark:text-amber-400">
+              {{ t('admin.accounts.openai.modelRestrictionDisabledByPassthrough') }}
+            </p>
+          </div>
+
+          <template v-else>
+            <!-- Mode Toggle -->
+            <div class="mb-4 flex gap-2">
+              <button
+                type="button"
+                @click="modelRestrictionMode = 'whitelist'"
+                :class="[
+                  'flex-1 rounded-lg px-4 py-2 text-sm font-medium transition-all',
+                  modelRestrictionMode === 'whitelist'
+                    ? 'bg-primary-100 text-primary-700 dark:bg-primary-900/30 dark:text-primary-400'
+                    : 'bg-gray-100 text-gray-600 hover:bg-gray-200 dark:bg-dark-700 dark:text-gray-400 dark:hover:bg-dark-600'
+                ]"
+              >
+                {{ t('admin.accounts.whitelistMode') }}
+              </button>
+              <button
+                type="button"
+                @click="modelRestrictionMode = 'mapping'"
+                :class="[
+                  'flex-1 rounded-lg px-4 py-2 text-sm font-medium transition-all',
+                  modelRestrictionMode === 'mapping'
+                    ? 'bg-primary-100 text-primary-700 dark:bg-primary-900/30 dark:text-primary-400'
+                    : 'bg-gray-100 text-gray-600 hover:bg-gray-200 dark:bg-dark-700 dark:text-gray-400 dark:hover:bg-dark-600'
+                ]"
+              >
+                {{ t('admin.accounts.mappingMode') }}
+              </button>
+            </div>
+
+            <div v-if="modelRestrictionMode === 'whitelist'">
+              <ModelWhitelistSelector v-model="allowedModels" :platform="account?.platform || 'anthropic'" />
+              <p class="mt-2 text-sm text-gray-600 dark:text-gray-400">
+                {{ t('admin.accounts.selectedModels', { count: allowedModels.length }) }}
+                <span v-if="allowedModels.length === 0">{{
+                  t('admin.accounts.allModelsAllowed')
+                }}</span>
+              </p>
+            </div>
+
+            <div v-else>
+              <div v-if="modelMappings.length > 0" class="mb-3 space-y-2">
+                <div
+                  v-for="(mapping, index) in modelMappings"
+                  :key="getModelMappingKey(mapping)"
+                  class="flex items-center gap-2"
+                >
+                  <input
+                    v-model="mapping.from"
+                    type="text"
+                    class="input flex-1"
+                    :placeholder="t('admin.accounts.requestModel')"
+                  />
+                  <svg class="h-4 w-4 flex-shrink-0 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M14 5l7 7m0 0l-7 7m7-7H3" />
+                  </svg>
+                  <input
+                    v-model="mapping.to"
+                    type="text"
+                    class="input flex-1"
+                    :placeholder="t('admin.accounts.actualModel')"
+                  />
+                  <button
+                    type="button"
+                    @click="removeModelMapping(index)"
+                    class="rounded-lg p-2 text-red-500 transition-colors hover:bg-red-50 hover:text-red-600 dark:hover:bg-red-900/20"
+                  >
+                    <svg class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                      <path
+                        stroke-linecap="round"
+                        stroke-linejoin="round"
+                        stroke-width="2"
+                        d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16"
+                      />
+                    </svg>
+                  </button>
+                </div>
+              </div>
+
+              <button
+                type="button"
+                @click="addModelMapping"
+                class="mb-3 w-full rounded-lg border-2 border-dashed border-gray-300 px-4 py-2 text-gray-600 transition-colors hover:border-gray-400 hover:text-gray-700 dark:border-dark-500 dark:text-gray-400 dark:hover:border-dark-400 dark:hover:text-gray-300"
+              >
+                + {{ t('admin.accounts.addMapping') }}
+              </button>
+
+              <!-- Quick Add Buttons -->
+              <div class="flex flex-wrap gap-2">
+                <button
+                  v-for="preset in presetMappings"
+                  :key="'cli-' + preset.label"
+                  type="button"
+                  @click="addPresetMapping(preset.from, preset.to)"
+                  :class="['rounded-lg px-3 py-1 text-xs transition-colors', preset.color]"
+                >
+                  + {{ preset.label }}
+                </button>
+              </div>
+            </div>
+          </template>
+        </div>
+
+        <!-- Pool Mode -->
+        <div class="border-t border-gray-200 pt-4 dark:border-dark-600">
+          <PoolModeConfig />
+        </div>
+
+        <!-- Custom Error Codes -->
+        <div class="border-t border-gray-200 pt-4 dark:border-dark-600">
+          <CustomErrorCodesConfig />
+        </div>
+      </div>
+
       <!-- OpenAI OAuth Model Mapping (OAuth 类型没有 apikey 容器，需要独立的模型映射区域) -->
       <div
         v-if="account.platform === 'openai' && account.type === 'oauth'"
@@ -2377,6 +2515,43 @@ const syncFormFromAccount = (newAccount: Account | null) => {
       modelMappings.value = []
       allowedModels.value = []
     }
+  } else if (newAccount.type === 'cli' && newAccount.credentials) {
+    const credentials = newAccount.credentials as Record<string, unknown>
+
+    // Load model mappings and detect mode
+    const existingMappings = credentials.model_mapping as Record<string, string> | undefined
+    if (existingMappings && typeof existingMappings === 'object') {
+      const entries = Object.entries(existingMappings)
+      const isWhitelistMode = entries.length > 0 && entries.every(([from, to]) => from === to)
+      if (isWhitelistMode) {
+        modelRestrictionMode.value = 'whitelist'
+        allowedModels.value = entries.map(([from]) => from)
+        modelMappings.value = []
+      } else {
+        modelRestrictionMode.value = 'mapping'
+        modelMappings.value = entries.map(([from, to]) => ({ from, to }))
+        allowedModels.value = []
+      }
+    } else {
+      modelRestrictionMode.value = 'whitelist'
+      modelMappings.value = []
+      allowedModels.value = []
+    }
+
+    // Load pool mode
+    poolModeEnabled.value = credentials.pool_mode === true
+    poolModeRetryCount.value = normalizePoolModeRetryCount(
+      Number(credentials.pool_mode_retry_count ?? DEFAULT_POOL_MODE_RETRY_COUNT)
+    )
+
+    // Load custom error codes
+    customErrorCodesEnabled.value = credentials.custom_error_codes_enabled === true
+    const existingErrorCodes = credentials.custom_error_codes as number[] | undefined
+    if (existingErrorCodes && Array.isArray(existingErrorCodes)) {
+      selectedErrorCodes.value = [...existingErrorCodes]
+    } else {
+      selectedErrorCodes.value = []
+    }
   } else if (newAccount.type === 'upstream' && newAccount.credentials) {
     const credentials = newAccount.credentials as Record<string, unknown>
     editBaseUrl.value = (credentials.base_url as string) || ''
@@ -2954,6 +3129,48 @@ const handleSubmit = async () => {
         return
       }
 
+      updatePayload.credentials = newCredentials
+    } else if (props.account.type === 'cli') {
+      const currentCredentials = (props.account.credentials as Record<string, unknown>) || {}
+      const newCredentials: Record<string, unknown> = { ...currentCredentials }
+
+      // Add model mapping if configured
+      const shouldApplyModelMapping = !(props.account.platform === 'openai' && openaiPassthroughEnabled.value)
+      if (shouldApplyModelMapping) {
+        const modelMapping = buildModelMappingObject(modelRestrictionMode.value, allowedModels.value, modelMappings.value)
+        if (modelMapping) {
+          newCredentials.model_mapping = modelMapping
+        } else {
+          delete newCredentials.model_mapping
+        }
+      } else if (currentCredentials.model_mapping) {
+        newCredentials.model_mapping = currentCredentials.model_mapping
+      }
+
+      // Add pool mode if enabled
+      if (poolModeEnabled.value) {
+        newCredentials.pool_mode = true
+        newCredentials.pool_mode_retry_count = normalizePoolModeRetryCount(poolModeRetryCount.value)
+      } else {
+        delete newCredentials.pool_mode
+        delete newCredentials.pool_mode_retry_count
+      }
+
+      // Add custom error codes if enabled
+      if (customErrorCodesEnabled.value) {
+        newCredentials.custom_error_codes_enabled = true
+        newCredentials.custom_error_codes = [...selectedErrorCodes.value]
+      } else {
+        delete newCredentials.custom_error_codes_enabled
+        delete newCredentials.custom_error_codes
+      }
+
+      // Add intercept warmup requests setting
+      applyInterceptWarmup(newCredentials, interceptWarmupRequests.value, 'edit')
+      if (!applyTempUnschedConfig(newCredentials)) {
+        return
+      }
+
       updatePayload.credentials = newCredentials
     } else if (props.account.type === 'bedrock') {
       const currentCredentials = (props.account.credentials as Record<string, unknown>) || {}

frontend/src/components/admin/account/AccountTableFilters.vue

@@ -26,7 +26,7 @@ const updateStatus = (value: string | number | boolean | null) => { emit('update
 const updatePrivacyMode = (value: string | number | boolean | null) => { emit('update:filters', { ...props.filters, privacy_mode: value }) }
 const updateGroup = (value: string | number | boolean | null) => { emit('update:filters', { ...props.filters, group: value }) }
 const pOpts = computed(() => [{ value: '', label: t('admin.accounts.allPlatforms') }, { value: 'anthropic', label: 'Anthropic' }, { value: 'openai', label: 'OpenAI' }, { value: 'gemini', label: 'Gemini' }, { value: 'antigravity', label: 'Antigravity' }, { value: 'kimi', label: 'Kimi' }])
-const tOpts = computed(() => [{ value: '', label: t('admin.accounts.allTypes') }, { value: 'oauth', label: t('admin.accounts.oauthType') }, { value: 'setup-token', label: t('admin.accounts.setupToken') }, { value: 'apikey', label: t('admin.accounts.apiKey') }, { value: 'bedrock', label: 'AWS Bedrock' }])
+const tOpts = computed(() => [{ value: '', label: t('admin.accounts.allTypes') }, { value: 'oauth', label: t('admin.accounts.oauthType') }, { value: 'setup-token', label: t('admin.accounts.setupToken') }, { value: 'apikey', label: t('admin.accounts.apiKey') }, { value: 'bedrock', label: 'AWS Bedrock' }, { value: 'cli', label: t('admin.accounts.cliType') }])
 const sOpts = computed(() => [{ value: '', label: t('admin.accounts.allStatus') }, { value: 'active', label: t('admin.accounts.status.active') }, { value: 'inactive', label: t('admin.accounts.status.inactive') }, { value: 'error', label: t('admin.accounts.status.error') }, { value: 'rate_limited', label: t('admin.accounts.status.rateLimited') }, { value: 'temp_unschedulable', label: t('admin.accounts.status.tempUnschedulable') }, { value: 'unschedulable', label: t('admin.accounts.status.unschedulable') }])
 const privacyOpts = computed(() => [
   { value: '', label: t('admin.accounts.allPrivacyModes') },

frontend/src/components/common/PlatformTypeBadge.vue

@@ -24,6 +24,8 @@
         </svg>
         <!-- Setup Token icon -->
         <Icon v-else-if="type === 'setup-token'" name="shield" size="xs" />
+        <!-- CLI icon -->
+        <Icon v-else-if="type === 'cli'" name="terminal" size="xs" />
         <!-- API Key icon -->
         <Icon v-else name="key" size="xs" />
         <span>{{ typeLabel }}</span>
@@ -75,6 +77,7 @@ const platformLabel = computed(() => {
   if (props.platform === 'anthropic') return 'Anthropic'
   if (props.platform === 'openai') return 'OpenAI'
   if (props.platform === 'antigravity') return 'Antigravity'
+  if (props.platform === 'kimi') return 'Kimi'
   return 'Gemini'
 })
 
@@ -88,6 +91,8 @@ const typeLabel = computed(() => {
       return 'Key'
     case 'bedrock':
       return 'AWS'
+    case 'cli':
+      return 'CLI'
     default:
       return props.type
   }

frontend/src/components/keys/UseKeyModal.vue

@@ -181,6 +181,8 @@ const defaultClientTab = computed(() => {
   switch (props.platform) {
     case 'openai':
       return 'codex'
+    case 'kimi':
+      return 'codex'
     case 'gemini':
       return 'gemini'
     case 'antigravity':
@@ -266,7 +268,8 @@ const SparkleIcon = {
 const clientTabs = computed((): TabConfig[] => {
   if (!props.platform) return []
   switch (props.platform) {
-    case 'openai': {
+    case 'openai':
+    case 'kimi': {
       const tabs: TabConfig[] = [
         { id: 'codex', label: t('keys.useKeyModal.cliTabs.codexCli'), icon: TerminalIcon },
         { id: 'codex-ws', label: t('keys.useKeyModal.cliTabs.codexCliWs'), icon: TerminalIcon },
@@ -322,6 +325,7 @@ const currentTabs = computed(() => {
 const platformDescription = computed(() => {
   switch (props.platform) {
     case 'openai':
+    case 'kimi':
       if (activeClientTab.value === 'claude') {
         return t('keys.useKeyModal.description')
       }
@@ -338,6 +342,7 @@ const platformDescription = computed(() => {
 const platformNote = computed(() => {
   switch (props.platform) {
     case 'openai':
+    case 'kimi':
       if (activeClientTab.value === 'claude') {
         return t('keys.useKeyModal.note')
       }
@@ -399,6 +404,7 @@ const currentFiles = computed((): FileConfig[] => {
       case 'anthropic':
         return [generateOpenCodeConfig('anthropic', apiBase, apiKey)]
       case 'openai':
+      case 'kimi':
         return [generateOpenCodeConfig('openai', apiBase, apiKey)]
       case 'gemini':
         return [generateOpenCodeConfig('gemini', geminiBase, apiKey)]
@@ -414,6 +420,7 @@ const currentFiles = computed((): FileConfig[] => {
 
   switch (props.platform) {
     case 'openai':
+    case 'kimi':
       if (activeClientTab.value === 'claude') {
         return generateAnthropicFiles(baseUrl, apiKey)
       }

frontend/src/i18n/locales/en.ts

@@ -2205,6 +2205,7 @@ export default {
       oauthType: 'OAuth',
       setupToken: 'Setup Token',
       apiKey: 'API Key',
+      cliType: 'CLI',
       // Schedulable toggle
       schedulable: 'Schedulable',
       schedulableHint: 'Enable to include this account in API request scheduling',

frontend/src/i18n/locales/zh.ts

@@ -2284,6 +2284,7 @@ export default {
       allGroups: '全部分组',
       ungroupedGroup: '未分配分组',
       oauthType: 'OAuth',
+      cliType: 'CLI',
       // Schedulable toggle
       schedulable: '参与调度',
       schedulableHint: '开启后账号参与API请求调度',

frontend/src/types/index.ts

@@ -610,7 +610,7 @@ export interface UpdateGroupRequest {
 // ==================== Account & Proxy Types ====================
 
 export type AccountPlatform = 'anthropic' | 'openai' | 'gemini' | 'antigravity' | 'kimi'
-export type AccountType = 'oauth' | 'setup-token' | 'apikey' | 'upstream' | 'bedrock'
+export type AccountType = 'oauth' | 'setup-token' | 'apikey' | 'upstream' | 'bedrock' | 'cli'
 export type OAuthAddMethod = 'oauth' | 'setup-token'
 export type ProxyProtocol = 'http' | 'https' | 'socks5' | 'socks5h'