feat(models): add Z.AI (GLM) credential integration and setup flow

Implement first-class Z.AI credential storage and authentication:

- New auth provider: src/auth/zai.ts for Z.AI API key management
- New CLI command: flynn zai-auth to store Z.AI API keys
- New TUI command: /login zai for interactive credential entry
- Modified src/auth/index.ts to register zai provider
- Modified src/cli/index.ts to register zai-auth command
- Modified src/cli/setup/providers.ts to include Z.AI in setup wizard
- Modified src/daemon/models.ts to support zhipuai use_oauth flag
- Modified src/daemon/clientFactory.test.ts to add Z.AI tests
- Modified src/frontends/tui/commands.ts to add login command
- Modified src/frontends/tui/minimal.ts to support credential prompts

This allows users to authenticate with Z.AI (GLM models) without
embedding secrets in config files. Credentials are stored securely in
~/.config/flynn/auth.json and resolved at runtime.

Updated state.json with new feature entry documenting the integration.

src/cli/index.ts

@@ -19,6 +19,7 @@ import { registerGdocsAuthCommand } from './gdocs-auth.js';
 import { registerGdriveAuthCommand } from './gdrive-auth.js';
 import { registerGtasksAuthCommand } from './gtasks-auth.js';
 import { registerOpenaiAuthCommand } from './openai-auth.js';
+import { registerZaiAuthCommand } from './zai-auth.js';
 import { registerSkillsCommand } from './skills.js';
 
 export function createProgram(): Command {
@@ -43,6 +44,7 @@ export function createProgram(): Command {
   registerGdriveAuthCommand(program);
   registerGtasksAuthCommand(program);
   registerOpenaiAuthCommand(program);
+  registerZaiAuthCommand(program);
   registerSkillsCommand(program);
 
   return program;

src/cli/setup/providers.ts

@@ -21,6 +21,7 @@ const TOP_TIER: ProviderDef[] = [
 const SECOND_TIER: ProviderDef[] = [
   { name: 'Gemini', provider: 'gemini', defaultModel: 'gemini-2.5-flash', fastModel: 'gemini-2.0-flash-lite', needsApiKey: true, needsEndpoint: false, apiKeyLabel: 'Gemini API key' },
   { name: 'OpenRouter', provider: 'openrouter', defaultModel: 'anthropic/claude-sonnet-4', needsApiKey: true, needsEndpoint: false, apiKeyLabel: 'OpenRouter API key' },
+  { name: 'Z.AI (GLM)', provider: 'zhipuai', defaultModel: 'glm-4.7', needsApiKey: true, needsEndpoint: true, defaultEndpoint: 'https://api.z.ai/api/paas/v4', apiKeyLabel: 'Z.AI API key' },
   { name: 'xAI (Grok)', provider: 'xai', defaultModel: 'grok-3', fastModel: 'grok-3-mini', needsApiKey: true, needsEndpoint: false, apiKeyLabel: 'xAI API key' },
   { name: 'Amazon Bedrock', provider: 'bedrock', defaultModel: 'anthropic.claude-sonnet-4-20250514-v1:0', needsApiKey: false, needsEndpoint: false },
   { name: 'GitHub Models', provider: 'github', defaultModel: 'claude-sonnet-4-20250514', needsApiKey: false, needsEndpoint: false },
@@ -32,6 +33,7 @@ const PROVIDER_HELP: Record<string, string> = {
   ollama: 'Ollama runs locally — install from https://ollama.com and run: ollama serve',
   gemini: 'Get your API key at https://aistudio.google.com/apikey',
   openrouter: 'Get your API key at https://openrouter.ai/keys (supports 200+ models)',
+  zhipuai: 'Get your API key at https://z.ai/manage-apikey/apikey-list (Coding Plan endpoint: https://api.z.ai/api/coding/paas/v4)',
   xai: 'Get your API key at https://console.x.ai',
   bedrock: 'Uses AWS credentials from environment (~/.aws/credentials or IAM role)',
   github: 'Uses GitHub Copilot — authenticate via OAuth device flow on first use',

src/cli/zai-auth.ts

@@ -0,0 +1,59 @@
+import type { Command } from 'commander';
+import readline from 'readline';
+import { loadStoredZaiAuth, storeZaiAuth } from '../auth/index.js';
+
+async function promptHidden(question: string): Promise<string> {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout, terminal: true });
+  const rlAny = rl as unknown as { stdoutMuted?: boolean; _writeToOutput?: (s: string) => void };
+  rlAny.stdoutMuted = true;
+
+  rlAny._writeToOutput = (s: string) => {
+    if (!rlAny.stdoutMuted) {
+      process.stdout.write(s);
+      return;
+    }
+    // Mask input characters, but preserve newlines.
+    if (s.includes('\n')) {
+      process.stdout.write('\n');
+    } else {
+      process.stdout.write('*');
+    }
+  };
+
+  const answer = await new Promise<string>((resolve) => rl.question(question, resolve));
+  rlAny.stdoutMuted = false;
+  rl.close();
+  process.stdout.write('\n');
+  return answer.trim();
+}
+
+export function registerZaiAuthCommand(program: Command): void {
+  program
+    .command('zai-auth')
+    .description('Store a Z.AI API key for the zhipuai provider (auth.json)')
+    .action(async () => {
+      const existing = loadStoredZaiAuth();
+      if (existing) {
+        console.log('Z.AI credential already exists.');
+        console.log('Delete ~/.config/flynn/auth.json zai/zhipuai entry if you want to re-authenticate.');
+        process.exit(0);
+      }
+
+      console.log('Z.AI uses API keys (HTTP Bearer), not an OAuth device flow.');
+      console.log('Create a key at: https://z.ai/manage-apikey/apikey-list');
+      console.log('');
+
+      try {
+        const apiKey = await promptHidden('Enter Z.AI API key: ');
+        storeZaiAuth(apiKey);
+        console.log('');
+        console.log('Z.AI credential stored in ~/.config/flynn/auth.json');
+        console.log('');
+        console.log('Tip: For GLM Coding Plan set model endpoint to: https://api.z.ai/api/coding/paas/v4');
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(`Z.AI auth failed: ${message}`);
+        process.exit(1);
+      }
+    });
+}