feat: add GitHub Copilot provider

Copilot device login + onboarding option; model list auth detection.

src/providers/github-copilot-auth.ts

@@ -0,0 +1,192 @@
+import { intro, note, outro, spinner } from "@clack/prompts";
+
+import {
+  ensureAuthProfileStore,
+  upsertAuthProfile,
+} from "../agents/auth-profiles.js";
+import { updateConfig } from "../commands/models/shared.js";
+import { applyAuthProfileConfig } from "../commands/onboard-auth.js";
+import { CONFIG_PATH_CLAWDBOT } from "../config/config.js";
+import type { RuntimeEnv } from "../runtime.js";
+import { stylePromptTitle } from "../terminal/prompt-style.js";
+
+const CLIENT_ID = "Iv1.b507a08c87ecfe98";
+const DEVICE_CODE_URL = "https://github.com/login/device/code";
+const ACCESS_TOKEN_URL = "https://github.com/login/oauth/access_token";
+
+type DeviceCodeResponse = {
+  device_code: string;
+  user_code: string;
+  verification_uri: string;
+  expires_in: number;
+  interval: number;
+};
+
+type DeviceTokenResponse =
+  | {
+      access_token: string;
+      token_type: string;
+      scope?: string;
+    }
+  | {
+      error: string;
+      error_description?: string;
+      error_uri?: string;
+    };
+
+function parseJsonResponse<T>(value: unknown): T {
+  if (!value || typeof value !== "object") {
+    throw new Error("Unexpected response from GitHub");
+  }
+  return value as T;
+}
+
+async function requestDeviceCode(params: {
+  scope: string;
+}): Promise<DeviceCodeResponse> {
+  const body = new URLSearchParams({
+    client_id: CLIENT_ID,
+    scope: params.scope,
+  });
+
+  const res = await fetch(DEVICE_CODE_URL, {
+    method: "POST",
+    headers: {
+      Accept: "application/json",
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body,
+  });
+
+  if (!res.ok) {
+    throw new Error(`GitHub device code failed: HTTP ${res.status}`);
+  }
+
+  const json = parseJsonResponse<DeviceCodeResponse>(await res.json());
+  if (!json.device_code || !json.user_code || !json.verification_uri) {
+    throw new Error("GitHub device code response missing fields");
+  }
+  return json;
+}
+
+async function pollForAccessToken(params: {
+  deviceCode: string;
+  intervalMs: number;
+  expiresAt: number;
+}): Promise<string> {
+  const bodyBase = new URLSearchParams({
+    client_id: CLIENT_ID,
+    device_code: params.deviceCode,
+    grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+  });
+
+  while (Date.now() < params.expiresAt) {
+    const res = await fetch(ACCESS_TOKEN_URL, {
+      method: "POST",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: bodyBase,
+    });
+
+    if (!res.ok) {
+      throw new Error(`GitHub device token failed: HTTP ${res.status}`);
+    }
+
+    const json = parseJsonResponse<DeviceTokenResponse>(await res.json());
+    if ("access_token" in json && typeof json.access_token === "string") {
+      return json.access_token;
+    }
+
+    const err = "error" in json ? json.error : "unknown";
+    if (err === "authorization_pending") {
+      await new Promise((r) => setTimeout(r, params.intervalMs));
+      continue;
+    }
+    if (err === "slow_down") {
+      await new Promise((r) => setTimeout(r, params.intervalMs + 2000));
+      continue;
+    }
+    if (err === "expired_token") {
+      throw new Error("GitHub device code expired; run login again");
+    }
+    if (err === "access_denied") {
+      throw new Error("GitHub login cancelled");
+    }
+    throw new Error(`GitHub device flow error: ${err}`);
+  }
+
+  throw new Error("GitHub device code expired; run login again");
+}
+
+export async function githubCopilotLoginCommand(
+  opts: { profileId?: string; yes?: boolean },
+  runtime: RuntimeEnv,
+) {
+  if (!process.stdin.isTTY) {
+    throw new Error("github-copilot login requires an interactive TTY.");
+  }
+
+  intro(stylePromptTitle("GitHub Copilot login"));
+
+  const profileId = opts.profileId?.trim() || "github-copilot:github";
+  const store = ensureAuthProfileStore(undefined, {
+    allowKeychainPrompt: false,
+  });
+
+  if (store.profiles[profileId] && !opts.yes) {
+    note(
+      `Auth profile already exists: ${profileId}\nRe-running will overwrite it.`,
+      stylePromptTitle("Existing credentials"),
+    );
+  }
+
+  const spin = spinner();
+  spin.start("Requesting device code from GitHub...");
+  const device = await requestDeviceCode({ scope: "read:user" });
+  spin.stop("Device code ready");
+
+  note(
+    [`Visit: ${device.verification_uri}`, `Code: ${device.user_code}`].join(
+      "\n",
+    ),
+    stylePromptTitle("Authorize"),
+  );
+
+  const expiresAt = Date.now() + device.expires_in * 1000;
+  const intervalMs = Math.max(1000, device.interval * 1000);
+
+  const polling = spinner();
+  polling.start("Waiting for GitHub authorization...");
+  const accessToken = await pollForAccessToken({
+    deviceCode: device.device_code,
+    intervalMs,
+    expiresAt,
+  });
+  polling.stop("GitHub access token acquired");
+
+  upsertAuthProfile({
+    profileId,
+    credential: {
+      type: "token",
+      provider: "github-copilot",
+      token: accessToken,
+      // GitHub device flow token doesn't reliably include expiry here.
+      // Leave expires unset; we'll exchange into Copilot token plus expiry later.
+    },
+  });
+
+  await updateConfig((cfg) =>
+    applyAuthProfileConfig(cfg, {
+      provider: "github-copilot",
+      profileId,
+      mode: "token",
+    }),
+  );
+
+  runtime.log(`Updated ${CONFIG_PATH_CLAWDBOT}`);
+  runtime.log(`Auth profile: ${profileId} (github-copilot/token)`);
+
+  outro("Done");
+}

src/providers/github-copilot-models.ts

@@ -0,0 +1,41 @@
+import type { ModelDefinitionConfig } from "../config/types.js";
+
+const DEFAULT_CONTEXT_WINDOW = 128_000;
+const DEFAULT_MAX_TOKENS = 8192;
+
+// Copilot model ids vary by plan/org and can change.
+// We keep this list intentionally broad; if a model isn't available Copilot will
+// return an error and users can remove it from their config.
+const DEFAULT_MODEL_IDS = [
+  "gpt-4o",
+  "gpt-4.1",
+  "gpt-4.1-mini",
+  "gpt-4.1-nano",
+  "o1",
+  "o1-mini",
+  "o3-mini",
+] as const;
+
+export function getDefaultCopilotModelIds(): string[] {
+  return [...DEFAULT_MODEL_IDS];
+}
+
+export function buildCopilotModelDefinition(
+  modelId: string,
+): ModelDefinitionConfig {
+  const id = modelId.trim();
+  if (!id) throw new Error("Model id required");
+  return {
+    id,
+    name: id,
+    // pi-coding-agent's registry schema doesn't know about a "github-copilot" API.
+    // We use OpenAI-compatible responses API, while keeping the provider id as
+    // "github-copilot" (pi-ai uses that to attach Copilot-specific headers).
+    api: "openai-responses",
+    reasoning: false,
+    input: ["text", "image"],
+    cost: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 },
+    contextWindow: DEFAULT_CONTEXT_WINDOW,
+    maxTokens: DEFAULT_MAX_TOKENS,
+  };
+}

src/providers/github-copilot-token.test.ts

@@ -0,0 +1,79 @@
+import { describe, expect, it, vi } from "vitest";
+
+const loadJsonFile = vi.fn();
+const saveJsonFile = vi.fn();
+const resolveStateDir = vi.fn().mockReturnValue("/tmp/clawdbot-state");
+
+vi.mock("../infra/json-file.js", () => ({
+  loadJsonFile,
+  saveJsonFile,
+}));
+
+vi.mock("../config/paths.js", () => ({
+  resolveStateDir,
+}));
+
+describe("github-copilot token", () => {
+  it("derives baseUrl from token", async () => {
+    const { deriveCopilotApiBaseUrlFromToken } = await import(
+      "./github-copilot-token.js"
+    );
+
+    expect(
+      deriveCopilotApiBaseUrlFromToken("token;proxy-ep=proxy.example.com;"),
+    ).toBe("https://api.example.com");
+    expect(
+      deriveCopilotApiBaseUrlFromToken("token;proxy-ep=https://proxy.foo.bar;"),
+    ).toBe("https://api.foo.bar");
+  });
+
+  it("uses cache when token is still valid", async () => {
+    const now = Date.now();
+    loadJsonFile.mockReturnValue({
+      token: "cached;proxy-ep=proxy.example.com;",
+      expiresAt: now + 60 * 60 * 1000,
+      updatedAt: now,
+    });
+
+    const { resolveCopilotApiToken } = await import(
+      "./github-copilot-token.js"
+    );
+
+    const fetchImpl = vi.fn();
+    const res = await resolveCopilotApiToken({
+      githubToken: "gh",
+      fetchImpl: fetchImpl as unknown as typeof fetch,
+    });
+
+    expect(res.token).toBe("cached;proxy-ep=proxy.example.com;");
+    expect(res.baseUrl).toBe("https://api.example.com");
+    expect(String(res.source)).toContain("cache:");
+    expect(fetchImpl).not.toHaveBeenCalled();
+  });
+
+  it("fetches and stores token when cache is missing", async () => {
+    loadJsonFile.mockReturnValue(undefined);
+
+    const fetchImpl = vi.fn().mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: async () => ({
+        token: "fresh;proxy-ep=https://proxy.contoso.test;",
+        expires_at: Math.floor(Date.now() / 1000) + 3600,
+      }),
+    });
+
+    const { resolveCopilotApiToken } = await import(
+      "./github-copilot-token.js"
+    );
+
+    const res = await resolveCopilotApiToken({
+      githubToken: "gh",
+      fetchImpl: fetchImpl as unknown as typeof fetch,
+    });
+
+    expect(res.token).toBe("fresh;proxy-ep=https://proxy.contoso.test;");
+    expect(res.baseUrl).toBe("https://api.contoso.test");
+    expect(saveJsonFile).toHaveBeenCalledTimes(1);
+  });
+});

src/providers/github-copilot-token.ts

@@ -0,0 +1,140 @@
+import path from "node:path";
+
+import { resolveStateDir } from "../config/paths.js";
+import { loadJsonFile, saveJsonFile } from "../infra/json-file.js";
+
+const COPILOT_TOKEN_URL = "https://api.github.com/copilot_internal/v2/token";
+
+export type CachedCopilotToken = {
+  token: string;
+  /** milliseconds since epoch */
+  expiresAt: number;
+  /** milliseconds since epoch */
+  updatedAt: number;
+};
+
+function resolveCopilotTokenCachePath(env: NodeJS.ProcessEnv = process.env) {
+  return path.join(
+    resolveStateDir(env),
+    "credentials",
+    "github-copilot.token.json",
+  );
+}
+
+function isTokenUsable(cache: CachedCopilotToken, now = Date.now()): boolean {
+  // Keep a small safety margin when checking expiry.
+  return cache.expiresAt - now > 5 * 60 * 1000;
+}
+
+function parseCopilotTokenResponse(value: unknown): {
+  token: string;
+  expiresAt: number;
+} {
+  if (!value || typeof value !== "object") {
+    throw new Error("Unexpected response from GitHub Copilot token endpoint");
+  }
+  const asRecord = value as Record<string, unknown>;
+  const token = asRecord.token;
+  const expiresAt = asRecord.expires_at;
+  if (typeof token !== "string" || token.trim().length === 0) {
+    throw new Error("Copilot token response missing token");
+  }
+
+  // GitHub returns a unix timestamp (seconds), but we defensively accept ms too.
+  let expiresAtMs: number;
+  if (typeof expiresAt === "number" && Number.isFinite(expiresAt)) {
+    expiresAtMs = expiresAt > 10_000_000_000 ? expiresAt : expiresAt * 1000;
+  } else if (typeof expiresAt === "string" && expiresAt.trim().length > 0) {
+    const parsed = Number.parseInt(expiresAt, 10);
+    if (!Number.isFinite(parsed)) {
+      throw new Error("Copilot token response has invalid expires_at");
+    }
+    expiresAtMs = parsed > 10_000_000_000 ? parsed : parsed * 1000;
+  } else {
+    throw new Error("Copilot token response missing expires_at");
+  }
+
+  return { token, expiresAt: expiresAtMs };
+}
+
+export const DEFAULT_COPILOT_API_BASE_URL =
+  "https://api.individual.githubcopilot.com";
+
+export function deriveCopilotApiBaseUrlFromToken(token: string): string | null {
+  const trimmed = token.trim();
+  if (!trimmed) return null;
+
+  // The token returned from the Copilot token endpoint is a semicolon-delimited
+  // set of key/value pairs. One of them is `proxy-ep=...`.
+  const match = trimmed.match(/(?:^|;)\s*proxy-ep=([^;\s]+)/i);
+  const proxyEp = match?.[1]?.trim();
+  if (!proxyEp) return null;
+
+  // pi-ai expects converting proxy.* -> api.*
+  // (see upstream getGitHubCopilotBaseUrl).
+  const host = proxyEp.replace(/^https?:\/\//, "").replace(/^proxy\./i, "api.");
+  if (!host) return null;
+
+  return `https://${host}`;
+}
+
+export async function resolveCopilotApiToken(params: {
+  githubToken: string;
+  env?: NodeJS.ProcessEnv;
+  fetchImpl?: typeof fetch;
+}): Promise<{
+  token: string;
+  expiresAt: number;
+  source: string;
+  baseUrl: string;
+}> {
+  const env = params.env ?? process.env;
+  const cachePath = resolveCopilotTokenCachePath(env);
+  const cached = loadJsonFile(cachePath) as CachedCopilotToken | undefined;
+  if (
+    cached &&
+    typeof cached.token === "string" &&
+    typeof cached.expiresAt === "number"
+  ) {
+    if (isTokenUsable(cached)) {
+      return {
+        token: cached.token,
+        expiresAt: cached.expiresAt,
+        source: `cache:${cachePath}`,
+        baseUrl:
+          deriveCopilotApiBaseUrlFromToken(cached.token) ??
+          DEFAULT_COPILOT_API_BASE_URL,
+      };
+    }
+  }
+
+  const fetchImpl = params.fetchImpl ?? fetch;
+  const res = await fetchImpl(COPILOT_TOKEN_URL, {
+    method: "GET",
+    headers: {
+      Accept: "application/json",
+      Authorization: `Bearer ${params.githubToken}`,
+    },
+  });
+
+  if (!res.ok) {
+    throw new Error(`Copilot token exchange failed: HTTP ${res.status}`);
+  }
+
+  const json = parseCopilotTokenResponse(await res.json());
+  const payload: CachedCopilotToken = {
+    token: json.token,
+    expiresAt: json.expiresAt,
+    updatedAt: Date.now(),
+  };
+  saveJsonFile(cachePath, payload);
+
+  return {
+    token: payload.token,
+    expiresAt: payload.expiresAt,
+    source: `fetched:${COPILOT_TOKEN_URL}`,
+    baseUrl:
+      deriveCopilotApiBaseUrlFromToken(payload.token) ??
+      DEFAULT_COPILOT_API_BASE_URL,
+  };
+}