Kimi K2.6 Agentic Coding: Clash Split Rules for Moonshot API and Kimi Code CLI (2026)

Kimi K2.6 landed in spring 2026 as Moonshot’s open-weight push into agentic coding: long-horizon edits, multimodal context, and OpenAI-compatible calls against the Moonshot API. If platform.moonshot.ai loads but Kimi Code CLI hangs on api.moonshot.ai, or streaming tool rounds die mid-run, the usual culprit is not “K2.6 is down”. Terminals and browsers rarely share the same Clash capture path, and fake-ip DNS can split flows your YAML never classifies together. This guide is a log-first playbook for developers who want repeatable split routing, not another random node swap.

What changed with Kimi K2.6—and why routing suddenly matters

Moonshot positions Kimi K2.6 as a flagship model for software agents: large context (including vision and video inputs in the API docs), optional “thinking” modes for harder reasoning, and pricing tuned for sustained automation rather than one-off chat. The weights story drew headlines, but day-to-day builders care about three surfaces that all speak HTTPS to different hostnames: the Moonshot API at https://api.moonshot.ai/v1, the developer console and docs on platform.moonshot.ai (with mirrors such as platform.kimi.ai appearing in official links), and the terminal-first Kimi Code CLI published under MoonshotAI’s open-source org.

Agentic coding amplifies boring infrastructure failures. A single agent turn may hit the chat completions endpoint, pull file metadata, call bundled tools (web search, code runner, memory APIs documented on the platform), and stream tokens for minutes. Each hop expects stable TLS, consistent DNS answers, and one outbound policy bucket. Consumer VPN icons hide that graph; Clash Meta / Mihomo exposes it—if packets arrive at the core. That is why this article pairs the K2.6 hype with the same discipline we use for OpenAI Codex in ChatGPT or Cursor 3 multi-agent workflows: capture, ordered rules, DNS symmetry, receipts from logs.

If proxy vocabulary still feels foreign, skim the site Clash tutorial first. We assume you already run a Meta-capable core and focus on Moonshot-shaped traffic.

The three planes: capture, rules, DNS

Label failures before touching sliders:

  • Capture decides whether Kimi Code CLI sockets enter Mihomo. System proxy pleases Chromium; Python/Node CLIs may ignore it unless HTTPS_PROXY is exported.
  • Rules pick the outbound once traffic is visible. Clash walks matchers top-down; a premature MATCH,DIRECT or broad GEOIP line erases bespoke Moonshot rows.
  • DNS determines which names—and synthetic fake-ip addresses—the policy engine believes it is enforcing.

Mixed capture is the classic “console works, CLI doom” story: you authenticate on platform.moonshot.ai in a browser on TUN while the agent runtime still resolves api.moonshot.ai through a stub resolver that disagrees with Mihomo’s dns section. Symptoms look like product bugs until connection logs show DIRECT flows or mismatched outbound groups between REST and SSE.

Hostnames to expect (validate in your logs)

Vendor CDNs shift; treat this list as a 2026 baseline, then corroborate after every Kimi Code CLI upgrade.

  • API data plane: api.moonshot.ai — OpenAI-compatible /v1/chat/completions for kimi-k2.6 and siblings.
  • Platform & keys: platform.moonshot.ai for docs, billing, API key management; watch redirects to platform.kimi.ai in official examples.
  • Consumer web (optional): kimi.ai, www.kimi.ai when you mix browser chat with CLI automation on one machine.
  • Tooling & assets: additional fronts may appear when enabling vision uploads, file APIs, or agent tools—only promote names your logs prove during failures.
  • Regional mirrors: some networks resolve China-facing hosts differently; if logs show moonshot.cn or kimi.moonshot.cn variants, add explicit DOMAIN lines instead of guessing.

Tip: Add DOMAIN rows when logs show misses; copy-pasting megabyte “AI rulesets” trades one failure mode for collateral breakage on unrelated sites.

K2.6’s multimodal paths mean occasional bursts to CDN edges for inline images or video placeholders. Logging a failing window beats importing thousand-line remote sets you cannot explain during an incident.

YAML fragment: Moonshot API and Kimi CLI precedence

Assume a selectable group named Moonshot-Kimi. Tuck this block ahead of subscription GEOIP / MATCH catch-alls; keep LAN exemptions intact.

# Prepend these entries to the existing rules: list in your profile
rules:
  # LAN and loopback first (adapt to your network)
  - IP-CIDR,192.168.0.0/16,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - IP-CIDR,172.16.0.0/12,DIRECT
  - IP-CIDR,127.0.0.0/8,DIRECT

  # Kimi K2.6 / Moonshot API; verify after vendor updates
  - DOMAIN,api.moonshot.ai,Moonshot-Kimi
  - DOMAIN,platform.moonshot.ai,Moonshot-Kimi
  - DOMAIN,platform.kimi.ai,Moonshot-Kimi
  - DOMAIN,kimi.ai,Moonshot-Kimi
  - DOMAIN,www.kimi.ai,Moonshot-Kimi

  # Broaden only after repeated sibling misses in logs:
  # - DOMAIN-SUFFIX,moonshot.ai,Moonshot-Kimi

  # Remaining flows follow imported profile (GEOIP, MATCH, RULE-SET, ...)

Split Moonshot-Web versus Moonshot-API when latency budgets differ—documentation on the platform through a stable exit, batch codegen through another. Duplicate lines with honest group names so logs stay readable during demos.

For RULE-SET hygiene and prepend-only overrides, see the custom rules tutorial. Another Chinese-vendor API parallel—similar web-versus-API split—is our DeepSeek split-routing guide.
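
To check merge order before reloading a profile, the following added example (not code from Clash, Mihomo or Moonshot) walks rule lines top-down the way the article describes and reports which Moonshot hostnames are swallowed by an earlier catch-all. The two merged rule lists are constructed, and the evaluator deliberately models only DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD and MATCH.

```python
# Added example: first-match evaluation over Clash-style rule lines.
# Models DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD and MATCH only; IP-CIDR and
# GEOIP rows are skipped because they need a resolved address (simplification).

MOONSHOT_ROWS = [
    "DOMAIN,api.moonshot.ai,Moonshot-Kimi",
    "DOMAIN,platform.moonshot.ai,Moonshot-Kimi",
    "DOMAIN,platform.kimi.ai,Moonshot-Kimi",
    "DOMAIN,kimi.ai,Moonshot-Kimi",
    "DOMAIN,www.kimi.ai,Moonshot-Kimi",
]
HOSTS = [row.split(",")[1] for row in MOONSHOT_ROWS]

# Constructed merge results: overrides prepended vs. appended after a catch-all.
GOOD = ["IP-CIDR,127.0.0.0/8,DIRECT"] + MOONSHOT_ROWS + ["MATCH,DIRECT"]
BAD = ["IP-CIDR,127.0.0.0/8,DIRECT", "MATCH,DIRECT"] + MOONSHOT_ROWS


def first_match(rules, host):
    """Return (index, policy) of the first rule matching host, or None."""
    host = host.lower().rstrip(".")
    for i, line in enumerate(rules):
        parts = [p.strip() for p in line.split(",")]
        kind = parts[0].upper()
        if kind == "MATCH" and len(parts) >= 2:
            return i, parts[1]
        if len(parts) < 3:
            continue
        payload, policy = parts[1].lower(), parts[2]
        if ((kind == "DOMAIN" and host == payload)
                or (kind == "DOMAIN-SUFFIX"
                    and (host == payload or host.endswith("." + payload)))
                or (kind == "DOMAIN-KEYWORD" and payload in host)):
            return i, policy
    return None


def shadowed(rules, hosts, expected):
    """Hosts whose first matching rule does not route to `expected`."""
    out = {}
    for h in hosts:
        hit = first_match(rules, h)
        if hit is None or hit[1] != expected:
            out[h] = hit
    return out


if __name__ == "__main__":
    print("good merge:", shadowed(GOOD, HOSTS, "Moonshot-Kimi"))
    print("bad merge: ", shadowed(BAD, HOSTS, "Moonshot-Kimi"))
```

An empty result for the prepended list and five hits at the MATCH row for the appended one is the "regression after subscription refresh" pattern in miniature.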

Kimi Code CLI: environment variables and child processes

Kimi Code CLI behaves like modern agent terminals: it honors HTTPS_PROXY / ALL_PROXY when set, may spawn shell commands that forget your exports, and talks to api.moonshot.ai with libraries that pin their own HTTP stacks. Before enabling TUN, confirm the shell profile you actually use exports the mixed port (often http://127.0.0.1:7890—adapt to your GUI).

Installers that add IDE integrations (VS Code extensions, Agent Client Protocol bridges, Zsh helpers) can launch subprocesses outside your interactive session. If OAuth or API-key probes succeed in a login shell but fail under launchd or Task Scheduler, copy proxy variables to the scheduler environment or escalate to TUN with overlapping VPN stacks disabled during tests.

Point MOONSHOT_API_KEY (or the name your wrapper expects) at a key created on the platform console—routing fixes transport, not billing or regional entitlement errors. When HTTP 401 persists after policy looks correct, curl the API independently:

curl -v https://api.moonshot.ai/v1/models \
  -H "Authorization: Bearer $MOONSHOT_API_KEY"

Expect a structured JSON response or a clear auth error—not endless TCP retries. If curl cannot finish TLS while unrelated HTTPS works, upstream health matters more than another DOMAIN line.

DNS, fake-ip, and DoH bypasses

Fake-ip keeps DOMAIN rules meaningful by mapping names internally—until browsers use encrypted DNS directly or libc caches divergent answers. Kimi K2.6 sessions that mix browser login with CLI calls are especially sensitive: one tool may query through Mihomo while another uses Cloudflare or Google DoH, producing “works after airplane mode” ghosts.

Align deliberately: steer the OS stub to the listener your GUI documents, or route known DoH provider hostnames through the same policy bucket as Moonshot. Transparency beats blind fake-ip disabling. Linux developers should pair this page with our systemd-resolved walkthrough when resolved and Mihomo fight over port 53.

Windows and macOS shells

Elevated terminals, corporate antivirus forwarders, and split-tunnel VPNs can change interface metrics between sessions. If platform.moonshot.ai loads only in a non-admin profile, suspect parallel filters before rewriting YAML for the fourth time. macOS launchd jobs ignore .zprofile unless you inject variables where the scheduler reads them.

Streaming agent rounds and long-lived HTTP

Agentic coding loves chunked responses and lengthy SSE-style streams. Mid-run freezes may be MTU issues, upstream shaping, HTTP/3 divergence, or rate limits—not “K2.6 ran out of IQ.” When logs show healthy TLS to api.moonshot.ai but tokens stall, probe with curl --http2 through the same outbound group. Sniffing experiments belong in documented sandboxes; if metadata looks wrong, review sniffing disable patterns for Meta kernels.

Five-minute verification ritual

  1. Confirm the merged profile revision your GUI loads—subscriptions override personal snippets on quiet Fridays.
  2. Open connection logs; reproduce the smallest failing Kimi Code CLI command (model list, short completion, noop tool).
  3. For each stalled flow, record hostname, matched rule, outbound group, and address family.
  4. Mirror-check the browser: load the platform console, create or rotate a key, send one web-side test if your workflow uses it.
  5. Only then rotate nodes inside Moonshot-Kimi if loss or latency remains suspect.

Structured notes beat screenshot archaeology two sprints later: CLI version, profile hash, capture mode, three hostnames, network type.
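
Step 3 of the ritual can be scripted. This added example (not part of any Clash or Moonshot tooling) reduces a connections snapshot to one receipt per Moonshot flow and flags flows that did not traverse the expected group. The snapshot is constructed, and its field names (metadata.host, rule, rulePayload, chains) are an assumption about what your core's external controller returns, to be checked against your build.

```python
import ipaddress
import json

# Constructed sample shaped like a /connections snapshot from the core's
# external controller; field names are an assumption to verify on your build.
SAMPLE = json.loads("""
{"connections": [
 {"metadata": {"host": "platform.moonshot.ai", "destinationIP": "203.0.113.10"},
  "rule": "DOMAIN", "rulePayload": "platform.moonshot.ai",
  "chains": ["node-a", "Moonshot-Kimi"]},
 {"metadata": {"host": "api.moonshot.ai", "destinationIP": "2001:db8::5"},
  "rule": "MATCH", "rulePayload": "", "chains": ["DIRECT"]},
 {"metadata": {"host": "example.org", "destinationIP": "198.51.100.7"},
  "rule": "MATCH", "rulePayload": "", "chains": ["DIRECT"]}
]}
""")
WATCHED = ("moonshot.ai", "kimi.ai")  # suffixes of the hostnames listed above


def family(ip):
    """Address family of the destination, or 'unknown' if absent/unparseable."""
    try:
        return "IPv%d" % ipaddress.ip_address(ip).version
    except ValueError:
        return "unknown"


def receipts(snapshot, expected_group, watched=WATCHED):
    """One row per watched flow: hostname, matched rule, outbound, family."""
    rows = []
    for conn in snapshot.get("connections") or []:
        meta = conn.get("metadata") or {}
        host = (meta.get("host") or "").lower()
        if not any(host == s or host.endswith("." + s) for s in watched):
            continue
        chains = conn.get("chains") or []
        rule = ",".join(x for x in (conn.get("rule"), conn.get("rulePayload")) if x)
        rows.append({"host": host, "rule": rule, "outbound": chains,
                     "family": family(meta.get("destinationIP") or ""),
                     "ok": expected_group in chains})
    return rows


if __name__ == "__main__":
    for row in receipts(SAMPLE, "Moonshot-Kimi"):
        print("OK  " if row["ok"] else "MISS", row)
```

In the sample, the browser flow to the console matches its DOMAIN row while the API flow falls to MATCH and leaves DIRECT over IPv6, which is the mixed-capture signature described earlier.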

Compared with other 2026 coding-agent hotspots

If you run multiple agents on one laptop, keep separate proxy groups with boring names. Claude Code CLI centers on Anthropic fronts; Junie CLI adds JetBrains control planes; Codex stresses browser-long sessions in ChatGPT. Kimi’s OpenAI-compatible surface feels familiar—until you assume Anthropic YAML covers Moonshot. Duplicate the disciplined capture workflow per vendor instead of aliasing unrelated suffix rules.

CI runners without a local Clash sidecar still benefit from predictable egress documentation. For SDK automation in pipelines, compare Cursor Agent SDK plus Clash split rules so you do not confuse laptop TUN with headless runners.

Symptom cookbook

  • Console loads, CLI times out: align capture and DNS; token exchange may still hit DIRECT while tabs use your proxy group.
  • 401/403 on API despite “proxy on”: verify keys and model strings (kimi-k2.6) independent of routing; then check whether only the terminal bypasses Clash.
  • Streams die mid-tool-call: inspect HTTP/2 keep-alives, jittery relays, or REJECT rules on telemetry hosts the agent now requires.
  • Failures only on office Wi-Fi: captive portals and split DNS spoofing mimic AI outages—try a hotspot before suffix explosions.
  • Regression after subscription refresh: diff merge order; early MATCH lines swallow Moonshot matchers.

Maintaining overrides through subscription churn

Snapshot prepend layers in Git, review diffs when remote templates update, rerun the five-minute ritual after every provider merge. K2.6 will ship minor client bumps quickly; treat DOMAIN literals like application dependencies with a changelog outside auto-generated blobs.

Privacy and workplace policy

Routing changes paths—not contractual entitlements, export controls, or employer MDM bans on unauthorized TUN. Moonshot’s data policies apply regardless of which exit relays bytes. Never paste API keys into shared log channels; redact hostnames if your SIEM is public-facing.

FAQ-style quick answers

Do I need separate rules for thinking vs instant modes?

Modes are request-body flags to the same API host—routing stays on api.moonshot.ai. Debug latency in the client and upstream, not by inventing duplicate DOMAIN rows.

Should I enable TUN for Kimi Code CLI?

Enable TUN when environment variables fail and logs show stray DIRECT hits from child processes. Disable overlapping full-tunnel VPNs during tests; confirm packets reach Mihomo before declaring TUN mandatory.

Will open-weight K2.6 remove the need for API routing?

Local inference shifts bottlenecks to GPU ops, but most teams still hit Moonshot’s hosted API for convenience, vision tooling, and platform-managed agents. Keep platform and API hostnames routed even if you experiment with on-prem weights.

Put Kimi K2.6 on routing you can audit

Kimi K2.6 rewards the same infrastructure hygiene as every other 2026 coding agent: one capture story, Moonshot hostnames prepended ahead of greedy MATCH lines, DNS that agrees with fake-ip, and Mihomo logs that prove policy before you blame the model.

Blunt whole-device VPN tunnels hide which process used which egress, and many one-toggle clients leave terminals guessing, especially agent CLIs that spawn nested workers behind your back. Clash exposes rule names beside destinations so you can tighten YAML deliberately instead of reinstalling opaque profiles after each Moonshot refresh.

Grab a Meta-capable build from our official download hub, wire the Moonshot block above your catch-alls, mirror DNS policy to your resolver strategy, and reuse this checklist whenever Kimi Code CLI misbehaves after the next K2.6 feature drop.