Fix Z.AI credential resolution and improve 401 auth diagnostics

src/daemon/models.ts

@@ -33,17 +33,16 @@ function requireApiKey(cfg: ModelConfig, envVar: string): string {
   return key;
 }
 
-function resolveAuthCredential(cfg: ModelConfig, apiKeyEnvVar: string, authTokenEnvVar?: string): string {
+function resolveZaiCredential(cfg: ModelConfig): string {
   const raw = cfg.api_key
     ?? cfg.auth_token
-    ?? process.env[apiKeyEnvVar]
-    ?? (authTokenEnvVar ? process.env[authTokenEnvVar] : undefined);
+    ?? getZaiApiKey();
 
   if (!raw) {
-    const envHint = authTokenEnvVar ? `${apiKeyEnvVar} or ${authTokenEnvVar}` : apiKeyEnvVar;
     throw new Error(
-      `Credential required for ${cfg.provider}. ` +
-      `Set ${envHint} environment variable or provide api_key/auth_token in config.`,
+      'Z.AI credential not configured. ' +
+      'Run `flynn zai-auth` or set ZAI_API_KEY / ZHIPUAI_API_KEY / ZHIPUAI_AUTH_TOKEN, ' +
+      'or provide api_key/auth_token in config.',
     );
   }
 
@@ -197,24 +196,9 @@ export function createClientFromConfig(cfg: ModelConfig): ModelClient {
         baseURL: cfg.endpoint ?? 'https://ai-gateway.vercel.sh/v1',
       });
     case 'zhipuai':
-      if (cfg.use_oauth) {
-        const apiKey = getZaiApiKey();
-        if (!apiKey) {
-          throw new Error(
-            'Z.AI credential not configured. ' +
-            'Run `flynn zai-auth` or set ZAI_API_KEY / ZHIPUAI_API_KEY / ZHIPUAI_AUTH_TOKEN.',
-          );
-        }
-        return new OpenAIClient({
-          model: cfg.model,
-          apiKey,
-          baseURL: cfg.endpoint ?? 'https://api.z.ai/api/paas/v4',
-        });
-      }
-
       return new OpenAIClient({
         model: cfg.model,
-        apiKey: resolveAuthCredential(cfg, 'ZHIPUAI_API_KEY', 'ZHIPUAI_AUTH_TOKEN'),
+        apiKey: resolveZaiCredential(cfg),
         baseURL: cfg.endpoint ?? 'https://api.z.ai/api/paas/v4',
       });
     case 'xai':