relay
Relay packages external-model delegation plugins for Codex and Claude Code.
The Codex marketplace suite is relay-for-codex and exposes peer plugins for
Claude Code, Gemini CLI, Kimi Code CLI, Grok, DeepSeek, and
GLM. The generated Claude Code suite is relay-for-claude and exposes the
non-self providers Gemini, Kimi, Grok, DeepSeek, and GLM.
DeepSeek and GLM are provider-specific surfaces in both hosts; their shared
direct-API implementation remains a hidden runtime package named
api-reviewers in Codex and relay-api-reviewers in Claude Code.
- License: AGPL-3.0-only. Commercial use is permitted under the AGPL, but
modified versions distributed or offered over a network must provide
corresponding source under the same license. Portions are ported from
MIT-licensed upstream code; see NOTICE.
- State: active development. Claude, Gemini, Kimi, Grok, DeepSeek, and GLM
flows are implemented and covered by mock smoke tests. Current Codex
verification uses workflow skills or companion scripts because Codex CLI
0.125.0 installs the marketplace but does not register plugin command files
as TUI slash commands. Claude Code uses the generated relay/ marketplace
directly and does expose its plugin command files.
Requirements
- Codex with plugin marketplace support.
- Node.js available on PATH.
- Git 2.x or newer on macOS/Linux. Reviewer scope collection defaults to the
hardened /usr/bin/git path and does not resolve git from the caller's
ambient PATH; set RELAY_GIT_BINARY to an absolute executable
Git path when your supported environment installs Git elsewhere. Relative,
workspace-local, and node_modules/.bin overrides are rejected. The configured
override is trusted for the current process after first validation, so point it
at an operator-controlled path that cannot be replaced by the reviewed repo.
- Claude Code installed and OAuth-authenticated if you enable the Claude plugin.
claude auth status alone is not enough for review readiness; /claude-setup
also verifies OAuth-only non-interactive claude -p inference because status
can report logged-in while print-mode inference returns HTTP 401.
- Gemini CLI installed and authenticated if you enable the Gemini plugin.
- Kimi Code CLI installed and authenticated if you enable the Kimi plugin.
- Grok CLI installed and authenticated if you enable the Grok plugin's default
path. The optional legacy web/tunnel path is explicit via --transport web,
and audited CLI-first fallback is explicit via --transport auto or
GROK_TRANSPORT=auto. The web path targets grok2api at
GROK_WEB_BASE_URL=http://127.0.0.1:8000/v1; the plugin can bootstrap a
local grok2api checkout into its durable managed runtime directory,
defaulting to ~/.relay/runtime/grok2api, and auto-start the
non-Docker uv run granian ... app.main:app tunnel when it is down.
Successfully auto-started tunnels are left running for reuse; failed starts
are cleaned up with SIGTERM/verify/SIGKILL diagnostics. Set GROK2API_HOME,
GROK2API_BOOTSTRAP_DIR, or RELAY_RUNTIME_DIR only when you
want a specific checkout or runtime directory. GROK2API_HOME and
GROK2API_BOOTSTRAP_DIR are authoritative: if either points at a stale or
invalid location, doctor reports that path instead of silently falling back.
Any grok2api home under $TMPDIR, including an explicit GROK2API_HOME,
produces a durability warning before browser/session sync. Set UV_CACHE_DIR
only when you want uv to use a caller-managed cache instead of the plugin's
sandbox-writable default; an empty UV_CACHE_DIR="" is treated as unset. Set
GROK_WEB_TUNNEL_API_KEY only if your local tunnel requires a bearer value.
- DEEPSEEK_API_KEY if you enable the DeepSeek direct API reviewer.
- ZAI_API_KEY if you enable the GLM direct API reviewer. GLM Coding Plan calls use
https://api.z.ai/api/coding/paas/v4, not the general Z.ai endpoint.
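
The RELAY_GIT_BINARY rules in the Git requirement above, shown as an added example that is not relay's own code. The function name resolveGitBinary, its error strings, and the symlink handling are assumptions; only the /usr/bin/git default and the three rejection classes come from this README.

```javascript
// Added example: a hypothetical validator, not relay's own implementation.
const fs = require("node:fs");
const path = require("node:path");

const DEFAULT_GIT = "/usr/bin/git"; // hardened default named in the README

// True when `child` equals `parent` or lies underneath it.
function isInside(child, parent) {
  const rel = path.relative(parent, child);
  if (rel === "") return true;
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Returns the Git path to execute, or throws with the rejection reason.
function resolveGitBinary(env, workspaceRoot) {
  const override = env.RELAY_GIT_BINARY;
  if (!override) return DEFAULT_GIT; // the ambient PATH is never searched
  if (!path.isAbsolute(override)) throw new Error("relative override rejected");

  // Lexical check: node_modules/.bin entries are usually symlinks, so test
  // the path as written before symlinks are resolved away.
  const lexical = path.normalize(override);
  const segs = lexical.split(path.sep);
  if (segs.some((s, i) => s === "node_modules" && segs[i + 1] === ".bin")) {
    throw new Error("node_modules/.bin override rejected");
  }

  // Resolved check: a symlink outside the repo must not point back into it.
  const real = fs.realpathSync(lexical);
  const root = fs.realpathSync(workspaceRoot);
  if (isInside(lexical, root) || isInside(real, root)) {
    throw new Error("workspace-local override rejected");
  }
  if (!fs.statSync(real).isFile()) throw new Error("override is not a file");
  fs.accessSync(real, fs.constants.X_OK); // throws unless executable
  return real;
}

// Constructed inputs: no override, then a relative override.
function demo() {
  const out = [resolveGitBinary({}, process.cwd())];
  try {
    resolveGitBinary({ RELAY_GIT_BINARY: "bin/git" }, process.cwd());
  } catch (err) {
    out.push(err.message);
  }
  return out;
}
console.log(demo());
```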
Claude and Gemini default to --auth-mode subscription: provider API-key env
vars are stripped and the target CLI's native OAuth/subscription path must pass
the live readiness probe. They also support explicit --auth-mode api_key for
providers that have an API route; source-bearing API runs require the approval
token flow before source is sent. The ambiguous automatic auth selector is
rejected on operator-facing paths, because the selected route must be explicit. The selected path is
reported as selected_auth_path; secret values are never printed. Kimi remains
subscription/OAuth-only. Direct API reviewers are separate and only use API keys
through explicit auth_mode: "api_key" provider config.