[Bug]: Kimi K2.5 fails with "Extra inputs are not permitted, field: safety_identifier" on OpenCode Go/Zen #20133

@milc-surge

Description

When using Kimi K2.5 via OpenCode Go or OpenCode Zen providers, requests fail with the following error:

Extra inputs are not permitted, field: 'safety_identifier'

This error occurs because OpenCode's backend is injecting a safety_identifier field into the request body before forwarding it to Moonshot's API, but Moonshot's API does not accept this field.

Environment

  • OpenCode version: Desktop app (latest)
  • Provider: OpenCode Go / OpenCode Zen
  • Model: Kimi K2.5
  • OS: macOS / Windows (affects all platforms)

Steps to Reproduce

  1. Open OpenCode Desktop app
  2. Select Kimi K2.5 model via OpenCode Go or Zen provider
  3. Send any prompt
  4. Observe the error: Extra inputs are not permitted, field: 'safety_identifier'

Root Cause Analysis

After investigating the source code, I found the bug in the Zen handler:

File: packages/console/app/src/routes/zen/util/handler.ts (line 474)

const opts = {
  reqModel,
  providerModel: modelProvider.model,
  adjustCacheUsage: providerProps.adjustCacheUsage,
  safetyIdentifier: ip,  // <-- ALWAYS set to IP, ignoring providerProps.safetyIdentifier
  workspaceID: authInfo?.workspaceID,
}

The safetyIdentifier is always set to the user's IP address, regardless of whether the provider supports it.

However, the ProviderSchema in packages/console/core/src/model.ts (line 52) already has a safetyIdentifier boolean field that should control this:

const ProviderSchema = z.object({
  // ...
  safetyIdentifier: z.boolean().optional(),  // <-- This field exists but is NOT used
})

The flow:

  1. Kimi K2.5 uses the moonshotai provider with OpenAI-compatible format (oa-compat)
  2. oaCompatHelper (in openai-compatible.ts line 35) adds safety_identifier to the request body if safetyIdentifier is truthy
  3. Moonshot's API rejects the safety_identifier field with a schema validation error

Suggested Fix

Option 1: Check providerProps.safetyIdentifier before passing the IP:

safetyIdentifier: providerProps.safetyIdentifier === true ? ip : undefined,

Option 2: Set safetyIdentifier: false in the Zen data configuration for the Moonshot provider.

Related Issues

Workaround

Users can work around this issue by:

  1. Using Kimi K2.5 via a different provider (e.g., OpenRouter, Fireworks, direct Moonshot API)
  2. Using a different model until this is fixed
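
The gating from Option 1, shown next to the always-forward behaviour described in the root cause, as an added example that is not part of the original issue or OpenCode's source. The function names, the strict-upstream model, the model name and the documentation-range IP are all assumptions constructed for illustration.

```typescript
// Added example; all names are hypothetical stand-ins, not OpenCode's source.
type ProviderProps = { id: string; safetyIdentifier?: boolean };
type Opts = { providerModel: string; safetyIdentifier?: string };
type OptsBuilder = (p: ProviderProps, model: string, ip: string) => Opts;

// Behaviour described in the issue: the IP is always passed along.
const buildOptsBuggy: OptsBuilder = (_p, model, ip) => ({
  providerModel: model,
  safetyIdentifier: ip,
});

// Option 1 from the issue: pass the IP only when the provider opts in.
const buildOptsFixed: OptsBuilder = (p, model, ip) => ({
  providerModel: model,
  safetyIdentifier: p.safetyIdentifier === true ? ip : undefined,
});

// Stand-in for the oa-compat step: adds safety_identifier only when truthy.
function toOaCompatBody(opts: Opts, messages: object[]): Record<string, unknown> {
  const body: Record<string, unknown> = { model: opts.providerModel, messages };
  if (opts.safetyIdentifier) body["safety_identifier"] = opts.safetyIdentifier;
  return body;
}

// Constructed model of an upstream whose schema rejects unknown fields.
const STRICT_ALLOWED = ["model", "messages"];
function strictUpstreamValidate(body: Record<string, unknown>): string | null {
  for (const key of Object.keys(body)) {
    if (STRICT_ALLOWED.indexOf(key) === -1) {
      return `Extra inputs are not permitted, field: '${key}'`;
    }
  }
  return null;
}

// Runs one provider config through the pipeline; returns the upstream error or null.
function checkProvider(props: ProviderProps, build: OptsBuilder): string | null {
  const opts = build(props, "example-model", "203.0.113.7"); // constructed values
  return strictUpstreamValidate(toOaCompatBody(opts, [{ role: "user", content: "hi" }]));
}
```

With the gate in place, a provider that leaves the flag unset never receives the user's IP address, and a provider that sets it to true still does.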

Metadata

Labels

core: Anything pertaining to core functionality of the application (opencode server stuff)
zen: Relates to Zen
