feat: proper Copilot auth with OAuth device code flow and token validation

Builds on PR #1879's Copilot integration with critical auth improvements modeled after opencode's implementation: - Add hermes_cli/copilot_auth.py with: - OAuth device code flow (copilot_device_code_login) using the same client_id (Ov23li8tweQw6odWQebz) as opencode and Copilot CLI - Token type validation: reject classic PATs (ghp_*) with a clear error message explaining supported token types - Proper env var priority: COPILOT_GITHUB_TOKEN > GH_TOKEN > GITHUB_TOKEN (matching Copilot CLI documentation) - copilot_request_headers() with Openai-Intent, x-initiator, and Copilot-Vision-Request headers (matching opencode) - Update auth.py: - PROVIDER_REGISTRY copilot entry uses correct env var order - _resolve_api_key_provider_secret delegates to copilot_auth for the copilot provider with proper token validation - Update models.py: - copilot_default_headers() now includes Openai-Intent and x-initiator - Update main.py: - _model_flow_copilot offers OAuth device code login when no token is found, with manual token entry as fallback - Shows supported vs unsupported token types - 22 new tests covering token validation, env var priority, header generation, and integration with existing auth infrastructure
2026-04-27 01:11:40 +00:00 · 2026-03-18 03:25:58 -07:00 · 2026-03-18 03:25:58 -07:00 · 21c45ba0ac
commit 21c45ba0ac
parent 8422196e89
6 changed files with 563 additions and 26 deletions
--- a/hermes_cli/auth.py
+++ b/hermes_cli/auth.py
@ -116,7 +116,7 @@ PROVIDER_REGISTRY: Dict[str, ProviderConfig] = {
        name="GitHub Copilot",
        auth_type="api_key",
        inference_base_url=DEFAULT_GITHUB_MODELS_BASE_URL,
-        api_key_env_vars=("GITHUB_TOKEN", "GH_TOKEN"),
+        api_key_env_vars=("COPILOT_GITHUB_TOKEN", "GH_TOKEN", "GITHUB_TOKEN"),
    ),
    "copilot-acp": ProviderConfig(
        id="copilot-acp",
@ -282,16 +282,24 @@ def _resolve_api_key_provider_secret(
    provider_id: str, pconfig: ProviderConfig
 ) -> tuple[str, str]:
    """Resolve an API-key provider's token and indicate where it came from."""
+    if provider_id == "copilot":
+        # Use the dedicated copilot auth module for proper token validation
+        try:
+            from hermes_cli.copilot_auth import resolve_copilot_token
+            token, source = resolve_copilot_token()
+            if token:
+                return token, source
+        except ValueError as exc:
+            logger.warning("Copilot token validation failed: %s", exc)
+        except Exception:
+            pass
+        return "", ""
+
    for env_var in pconfig.api_key_env_vars:
        val = os.getenv(env_var, "").strip()
        if val:
            return val, env_var

-    if provider_id == "copilot":
-        token = _try_gh_cli_token()
-        if token:
-            return token, "gh auth token"
-
    return "", ""