feat(models): add Z.AI (GLM) credential integration and setup flow

Implement first-class Z.AI credential storage and authentication:

- New auth provider: src/auth/zai.ts for Z.AI API key management
- New CLI command: flynn zai-auth to store Z.AI API keys
- New TUI command: /login zai for interactive credential entry
- Modified src/auth/index.ts to register zai provider
- Modified src/cli/index.ts to register zai-auth command
- Modified src/cli/setup/providers.ts to include Z.AI in setup wizard
- Modified src/daemon/models.ts to support zhipuai use_oauth flag
- Modified src/daemon/clientFactory.test.ts to add Z.AI tests
- Modified src/frontends/tui/commands.ts to add login command
- Modified src/frontends/tui/minimal.ts to support credential prompts

This allows users to authenticate with Z.AI (GLM models) without
embedding secrets in config files. Credentials are stored securely in
~/.config/flynn/auth.json and resolved at runtime.

Updated state.json with new feature entry documenting the integration.

docs/plans/state.json

@@ -777,6 +777,26 @@
       ],
       "test_status": "pnpm typecheck + pnpm test:run passing"
     },
+
+    "zai-glm-4.7-credential-integration": {
+      "status": "completed",
+      "date": "2026-02-13",
+      "summary": "Added first-class Z.AI (GLM) credential storage and setup flow. Z.AI authenticates via API keys (HTTP Bearer), so Flynn now supports `flynn zai-auth` to store the key in ~/.config/flynn/auth.json, `/login zai` in the minimal TUI, and `use_oauth: true` for the zhipuai provider to resolve credentials from the auth store (or env) without embedding secrets in config.",
+      "files_created": [
+        "src/auth/zai.ts",
+        "src/cli/zai-auth.ts"
+      ],
+      "files_modified": [
+        "src/auth/index.ts",
+        "src/cli/index.ts",
+        "src/cli/setup/providers.ts",
+        "src/daemon/models.ts",
+        "src/daemon/clientFactory.test.ts",
+        "src/frontends/tui/minimal.ts",
+        "src/frontends/tui/commands.ts"
+      ],
+      "test_status": "pnpm build + pnpm typecheck + pnpm test:run passing"
+    },
     "runtime-context-awareness": {
       "status": "completed",
       "date": "2026-02-07",

src/auth/index.ts

@@ -20,3 +20,11 @@ export {
   type OpenAIOAuthInfo,
   type IdTokenClaims,
 } from './openai.js';
+
+export {
+  loadStoredZaiAuth,
+  storeZaiAuth,
+  clearZaiAuth,
+  getZaiApiKey,
+  type ZaiAuthInfo,
+} from './zai.js';

src/auth/zai.ts

@@ -0,0 +1,84 @@
+import { readFileSync, writeFileSync, mkdirSync, chmodSync } from 'fs';
+import { resolve } from 'path';
+import { homedir } from 'os';
+
+const AUTH_DIR = resolve(homedir(), '.config/flynn');
+const AUTH_FILE = resolve(AUTH_DIR, 'auth.json');
+
+export interface ZaiAuthInfo {
+  /** Z.AI API key (used as Bearer token). */
+  api_key: string;
+  created_at: string;
+}
+
+interface AuthStore {
+  // Keep other provider entries untyped to avoid cross-module coupling.
+  github?: unknown;
+  openai?: unknown;
+  /** Preferred key for Z.AI credentials. */
+  zai?: ZaiAuthInfo;
+  /** Back-compat: older naming that matches the model provider id. */
+  zhipuai?: ZaiAuthInfo;
+}
+
+function safeJsonParse<T>(raw: string): T | null {
+  try {
+    return JSON.parse(raw) as T;
+  } catch {
+    return null;
+  }
+}
+
+function readAuthStore(): AuthStore {
+  try {
+    const raw = readFileSync(AUTH_FILE, 'utf-8');
+    const parsed = safeJsonParse<AuthStore>(raw);
+    return parsed ?? {};
+  } catch {
+    return {};
+  }
+}
+
+function writeAuthStore(store: AuthStore): void {
+  mkdirSync(AUTH_DIR, { recursive: true });
+  writeFileSync(AUTH_FILE, JSON.stringify(store, null, 2) + '\n', 'utf-8');
+  chmodSync(AUTH_FILE, 0o600);
+}
+
+export function loadStoredZaiAuth(): ZaiAuthInfo | null {
+  const store = readAuthStore();
+  return store.zai ?? store.zhipuai ?? null;
+}
+
+export function storeZaiAuth(apiKey: string): void {
+  const trimmed = apiKey.trim();
+  if (!trimmed) {
+    throw new Error('Z.AI API key is empty');
+  }
+  const store = readAuthStore();
+  store.zai = { api_key: trimmed, created_at: new Date().toISOString() };
+  // Also write the provider-id alias for compatibility.
+  store.zhipuai = store.zai;
+  writeAuthStore(store);
+}
+
+export function clearZaiAuth(): void {
+  const store = readAuthStore();
+  delete store.zai;
+  delete store.zhipuai;
+  writeAuthStore(store);
+}
+
+/**
+ * Get a Z.AI credential from any available source.
+ * Priority: ZAI_API_KEY → ZHIPUAI_API_KEY → ZHIPUAI_AUTH_TOKEN → stored auth.json.
+ */
+export function getZaiApiKey(): string | null {
+  const raw = process.env.ZAI_API_KEY
+    ?? process.env.ZHIPUAI_API_KEY
+    ?? process.env.ZHIPUAI_AUTH_TOKEN
+    ?? loadStoredZaiAuth()?.api_key;
+
+  if (!raw) {return null;}
+  return raw.startsWith('Bearer ') ? raw.slice('Bearer '.length) : raw;
+}

src/cli/index.ts

@@ -19,6 +19,7 @@ import { registerGdocsAuthCommand } from './gdocs-auth.js';
 import { registerGdriveAuthCommand } from './gdrive-auth.js';
 import { registerGtasksAuthCommand } from './gtasks-auth.js';
 import { registerOpenaiAuthCommand } from './openai-auth.js';
+import { registerZaiAuthCommand } from './zai-auth.js';
 import { registerSkillsCommand } from './skills.js';
 
 export function createProgram(): Command {
@@ -43,6 +44,7 @@ export function createProgram(): Command {
   registerGdriveAuthCommand(program);
   registerGtasksAuthCommand(program);
   registerOpenaiAuthCommand(program);
+  registerZaiAuthCommand(program);
   registerSkillsCommand(program);
 
   return program;

src/cli/setup/providers.ts

@@ -21,6 +21,7 @@ const TOP_TIER: ProviderDef[] = [
 const SECOND_TIER: ProviderDef[] = [
   { name: 'Gemini', provider: 'gemini', defaultModel: 'gemini-2.5-flash', fastModel: 'gemini-2.0-flash-lite', needsApiKey: true, needsEndpoint: false, apiKeyLabel: 'Gemini API key' },
   { name: 'OpenRouter', provider: 'openrouter', defaultModel: 'anthropic/claude-sonnet-4', needsApiKey: true, needsEndpoint: false, apiKeyLabel: 'OpenRouter API key' },
+  { name: 'Z.AI (GLM)', provider: 'zhipuai', defaultModel: 'glm-4.7', needsApiKey: true, needsEndpoint: true, defaultEndpoint: 'https://api.z.ai/api/paas/v4', apiKeyLabel: 'Z.AI API key' },
   { name: 'xAI (Grok)', provider: 'xai', defaultModel: 'grok-3', fastModel: 'grok-3-mini', needsApiKey: true, needsEndpoint: false, apiKeyLabel: 'xAI API key' },
   { name: 'Amazon Bedrock', provider: 'bedrock', defaultModel: 'anthropic.claude-sonnet-4-20250514-v1:0', needsApiKey: false, needsEndpoint: false },
   { name: 'GitHub Models', provider: 'github', defaultModel: 'claude-sonnet-4-20250514', needsApiKey: false, needsEndpoint: false },
@@ -32,6 +33,7 @@ const PROVIDER_HELP: Record<string, string> = {
   ollama: 'Ollama runs locally — install from https://ollama.com and run: ollama serve',
   gemini: 'Get your API key at https://aistudio.google.com/apikey',
   openrouter: 'Get your API key at https://openrouter.ai/keys (supports 200+ models)',
+  zhipuai: 'Get your API key at https://z.ai/manage-apikey/apikey-list (Coding Plan endpoint: https://api.z.ai/api/coding/paas/v4)',
   xai: 'Get your API key at https://console.x.ai',
   bedrock: 'Uses AWS credentials from environment (~/.aws/credentials or IAM role)',
   github: 'Uses GitHub Copilot — authenticate via OAuth device flow on first use',

src/cli/zai-auth.ts

@@ -0,0 +1,59 @@
+import type { Command } from 'commander';
+import readline from 'readline';
+import { loadStoredZaiAuth, storeZaiAuth } from '../auth/index.js';
+
+async function promptHidden(question: string): Promise<string> {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout, terminal: true });
+  const rlAny = rl as unknown as { stdoutMuted?: boolean; _writeToOutput?: (s: string) => void };
+  rlAny.stdoutMuted = true;
+
+  rlAny._writeToOutput = (s: string) => {
+    if (!rlAny.stdoutMuted) {
+      process.stdout.write(s);
+      return;
+    }
+    // Mask input characters, but preserve newlines.
+    if (s.includes('\n')) {
+      process.stdout.write('\n');
+    } else {
+      process.stdout.write('*');
+    }
+  };
+
+  const answer = await new Promise<string>((resolve) => rl.question(question, resolve));
+  rlAny.stdoutMuted = false;
+  rl.close();
+  process.stdout.write('\n');
+  return answer.trim();
+}
+
+export function registerZaiAuthCommand(program: Command): void {
+  program
+    .command('zai-auth')
+    .description('Store a Z.AI API key for the zhipuai provider (auth.json)')
+    .action(async () => {
+      const existing = loadStoredZaiAuth();
+      if (existing) {
+        console.log('Z.AI credential already exists.');
+        console.log('Delete ~/.config/flynn/auth.json zai/zhipuai entry if you want to re-authenticate.');
+        process.exit(0);
+      }
+
+      console.log('Z.AI uses API keys (HTTP Bearer), not an OAuth device flow.');
+      console.log('Create a key at: https://z.ai/manage-apikey/apikey-list');
+      console.log('');
+
+      try {
+        const apiKey = await promptHidden('Enter Z.AI API key: ');
+        storeZaiAuth(apiKey);
+        console.log('');
+        console.log('Z.AI credential stored in ~/.config/flynn/auth.json');
+        console.log('');
+        console.log('Tip: For GLM Coding Plan set model endpoint to: https://api.z.ai/api/coding/paas/v4');
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(`Z.AI auth failed: ${message}`);
+        process.exit(1);
+      }
+    });
+}

src/daemon/clientFactory.test.ts

@@ -105,6 +105,26 @@ describe('createClientFromConfig', () => {
     expect(client).toBeInstanceOf(OpenAIClient);
   });
 
+  it('creates OpenAIClient for zhipuai when use_oauth is enabled and ZAI_API_KEY is set', () => {
+    const prev = process.env.ZAI_API_KEY;
+    process.env.ZAI_API_KEY = 'zai-api-key';
+
+    try {
+      const client = createClientFromConfig({
+        provider: 'zhipuai',
+        model: 'glm-4.7',
+        use_oauth: true,
+      });
+      expect(client).toBeInstanceOf(OpenAIClient);
+    } finally {
+      if (prev === undefined) {
+        delete process.env.ZAI_API_KEY;
+      } else {
+        process.env.ZAI_API_KEY = prev;
+      }
+    }
+  });
+
   it('creates OpenAIClient for zhipuai using ZHIPUAI_AUTH_TOKEN env var', () => {
     const prev = process.env.ZHIPUAI_AUTH_TOKEN;
     process.env.ZHIPUAI_AUTH_TOKEN = 'oauth-access-token';

src/daemon/models.ts

@@ -2,6 +2,7 @@ import type { Config, ModelConfig } from '../config/index.js';
 import { AnthropicClient, OpenAIClient, OllamaClient, LlamaCppClient, GeminiClient, BedrockClient, GitHubModelsClient, ModelRouter, DEFAULT_RETRY_CONFIG } from '../models/index.js';
 import type { ModelClient, RetryConfig, ModelTier } from '../models/index.js';
 import { logger } from '../logger.js';
+import { getZaiApiKey } from '../auth/zai.js';
 
 /**
  * Resolve an API key from config or environment variable.
@@ -78,6 +79,21 @@ export function createClientFromConfig(cfg: ModelConfig): ModelClient {
         baseURL: cfg.endpoint ?? 'https://openrouter.ai/api/v1',
       });
     case 'zhipuai':
+      if (cfg.use_oauth) {
+        const apiKey = getZaiApiKey();
+        if (!apiKey) {
+          throw new Error(
+            'Z.AI credential not configured. ' +
+            'Run `flynn zai-auth` or set ZAI_API_KEY / ZHIPUAI_API_KEY / ZHIPUAI_AUTH_TOKEN.',
+          );
+        }
+        return new OpenAIClient({
+          model: cfg.model,
+          apiKey,
+          baseURL: cfg.endpoint ?? 'https://api.z.ai/api/paas/v4',
+        });
+      }
+
       return new OpenAIClient({
         model: cfg.model,
         apiKey: resolveAuthCredential(cfg, 'ZHIPUAI_API_KEY', 'ZHIPUAI_AUTH_TOKEN'),

src/frontends/tui/commands.ts

@@ -124,7 +124,7 @@ Commands:
   /model [name]          Show or switch model tier (local, default, fast, complex)
   /model <tier> <p/m>    Change tier's provider/model (e.g. /model default anthropic/claude-sonnet-4)
   /backend [provider]    Show or switch local backend (ollama, llamacpp)
-  /login [provider]      Authenticate with GitHub or OpenAI
+  /login [provider]      Authenticate with GitHub, OpenAI, or Z.AI
   /pair                  List pending pairing codes and approved senders
   /pair generate [label] Generate a new DM pairing code
   /pair revoke <ch> <id> Revoke an approved sender
@@ -178,7 +178,7 @@ export const COMMAND_TOOLTIPS: Record<string, string> = {
   '/status': 'Show session info and token usage',
   '/fullscreen': 'Switch to fullscreen mode',
   '/fs': 'Switch to fullscreen mode',
-  '/login': 'Authenticate with GitHub or OpenAI (OAuth device flow)',
+  '/login': 'Authenticate with GitHub/OpenAI (OAuth) or Z.AI (API key store)',
   '/pair': 'Generate/list/revoke DM pairing codes',
   '/transfer': 'Transfer session to another frontend',
   '/quit': 'Exit TUI',

src/frontends/tui/minimal.ts

@@ -9,7 +9,7 @@ import type { ModelConfig, ModelProvider } from '../../config/schema.js';
 import { MODEL_PROVIDERS } from '../../config/schema.js';
 import { OllamaClient, LlamaCppClient } from '../../models/index.js';
 import { createClientFromConfig } from '../../daemon/index.js';
-import { loginGitHub, loginOpenAI } from '../../auth/index.js';
+import { loginGitHub, loginOpenAI, loadStoredZaiAuth, storeZaiAuth } from '../../auth/index.js';
 import type { PairingManager } from '../../channels/pairing.js';
 import { getColoredBanner } from './banner.js';
 import type { HookEngine } from '../../hooks/index.js';
@@ -465,7 +465,63 @@ export class MinimalTui {
       return;
     }
 
-    console.log(`${colors.gray}Unknown login provider:${colors.reset} ${target}. Supported: github, openai\n`);
+    if (target === 'zai' || target === 'zhipuai') {
+      const existing = loadStoredZaiAuth();
+      if (existing) {
+        console.log(`${colors.gray}Z.AI credential already exists.${colors.reset}`);
+        console.log(`${colors.gray}Delete ~/.config/flynn/auth.json zai/zhipuai entry to re-authenticate.${colors.reset}\n`);
+        return;
+      }
+
+      console.log(`${colors.gray}Z.AI uses API keys (HTTP Bearer), not an OAuth device flow.${colors.reset}`);
+      console.log(`${colors.gray}Create a key at:${colors.reset} https://z.ai/manage-apikey/apikey-list`);
+      console.log('');
+
+      if (!this.rl) {
+        console.log(`${colors.gray}TUI not ready for login prompt. Run: flynn zai-auth${colors.reset}\n`);
+        return;
+      }
+
+      const promptHidden = async (question: string): Promise<string> => {
+        const rl = readline.createInterface({ input: process.stdin, output: process.stdout, terminal: true });
+        const rlAny = rl as any;
+        rlAny.stdoutMuted = true;
+        rlAny._writeToOutput = (s: string) => {
+          if (!rlAny.stdoutMuted) {
+            process.stdout.write(s);
+            return;
+          }
+          if (s.includes('\n')) {
+            process.stdout.write('\n');
+          } else {
+            process.stdout.write('*');
+          }
+        };
+        const answer = await new Promise<string>((resolve) => rl.question(question, resolve));
+        rlAny.stdoutMuted = false;
+        rl.close();
+        process.stdout.write('\n');
+        return answer.trim();
+      };
+
+      try {
+        this.rl.pause();
+        const apiKey = await promptHidden('Enter Z.AI API key: ');
+        storeZaiAuth(apiKey);
+        console.log('');
+        console.log(`${colors.gray}Z.AI credential stored in ~/.config/flynn/auth.json${colors.reset}`);
+        console.log(`${colors.gray}Tip: For GLM Coding Plan set endpoint to https://api.z.ai/api/coding/paas/v4${colors.reset}\n`);
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.log(`${colors.gray}Z.AI auth failed:${colors.reset} ${message}\n`);
+      } finally {
+        this.rl.resume();
+      }
+
+      return;
+    }
+
+    console.log(`${colors.gray}Unknown login provider:${colors.reset} ${target}. Supported: github, openai, zai\n`);
   }
 
   private handlePairCommand(action?: 'generate' | 'list' | 'revoke', args?: string): void {