@gnahz77/opencode-copilot-multi-auth 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 SST
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,149 @@
+# opencode-copilot-multi-auth
+
+Package on npm: https://www.npmjs.com/package/@gnahz77/opencode-copilot-multi-auth
+
+This fork replaces the older GitHub Copilot chat-auth flow with the newer Copilot CLI-style OAuth flow and makes `opencode` use the live Copilot model metadata for your account.
+
+## How to use
+
+Add the plugin to your `opencode` config:
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": [
+    "@gnahz77/opencode-copilot-multi-auth@0.1.0"
+  ]
+}
+```
+
+Then start `opencode` and log in to the `github-copilot` provider. The plugin handles the Copilot CLI-style device flow and will reuse the stored GitHub OAuth token afterward.
+
+For local development before publishing, you can load the file directly:
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": [
+    "file:///absolute/path/to/index.mjs"
+  ]
+}
+```
+
+Important: if the file path contains `opencode-copilot-auth`, current `opencode` builds may skip loading it because of a hardcoded plugin-name filter. Use a path that does not contain that substring.
+
+## What changed in this fork
+
+- Auth flow: uses the Copilot CLI-style OAuth client flow and keeps the GitHub OAuth token directly.
+- Entitlement: fetches `/copilot_internal/user` and uses the entitlement-provided Copilot API base URL.
+- Token exchange: does not call `/copilot_internal/v2/token`.
+- Request profile: uses the newer `copilot-developer-cli` headers instead of the older chat profile.
+- Model metadata: fetches the live Copilot `/models` response via the plugin `provider.models` hook so the final `opencode` model list comes from the entitlement-backed Copilot API.
+
+## Context window and model limits
+
+The main practical difference from upstream is that this fork patches live per-model limits from Copilot instead of relying only on static metadata.
+
+That means `opencode` can see the Copilot-advertised values for:
+
+- `limit.context`
+- `limit.input`
+- `limit.output`
+
+As of March 10, 2026, the live GitHub Copilot `/models` response used by this
+fork exposes the Copilot CLI model profile. The table below compares the live
+Copilot CLI context window against the static `github-copilot` catalog on
+[`models.dev`](https://models.dev).
+
+| Model               | This Fork (CLI Context) | `models.dev` Context | Difference |
+| ------------------- | ----------------------: | -------------------: | ---------: |
+| `claude-opus-4.6`   |                 200,000 |              128,000 |    +72,000 |
+| `claude-sonnet-4.6` |                 200,000 |              128,000 |    +72,000 |
+| `claude-haiku-4.5`  |                 144,000 |              128,000 |    +16,000 |
+
+The practical takeaway is that this fork exposes larger live Claude context
+windows than the static `models.dev` values.
+
+Examples observed with this fork:
+
+- `claude-sonnet-4.6`
+  - context window: `200000`
+  - prompt/input limit: `168000`
+  - output limit: `32000`
+- `claude-opus-4.6`
+  - context window: `200000`
+  - prompt/input limit: `168000`
+  - output limit: `64000`
+- `claude-haiku-4.5`
+  - context window: `144000`
+  - prompt/input limit: `128000`
+  - output limit: `32000`
+
+Without this patching, `opencode` may show stale or smaller limits depending on the static model catalog it started from.
+
+## Claude thinking budget behavior
+
+This fork also changes Copilot Claude request behavior:
+
+- when the `thinking` variant is selected, it sends `thinking_budget: 16000`
+- when no variant is selected, it omits `thinking_budget` entirely
+
+This differs from upstream `opencode`, which currently sends `thinking_budget: 4000` for the built-in `thinking` variant.
+
+The plugin intentionally does not try to change the `opencode` core UI. So the visible Claude variant list is still controlled by `opencode` itself; this fork changes the request behavior, not the built-in variant picker labels.
+
+## Publishing
+
+```zsh
+./script/publish.ts
+```
+
+## Multi-Account Support
+
+This fork can keep a pool of Copilot logins in `~/.local/share/opencode/copilot-auth.json`.
+Each successful OAuth login updates that pool automatically: logging in with a new deployment-scoped account appends a new record, and logging in again with the same GitHub identity on the same deployment updates the existing record instead of creating a duplicate.
+
+The pool stores one object per account under `accounts` in a `version: 1` document.
+
+| Field | Meaning |
+| --- | --- |
+| `id` | Stable human-friendly identifier stored with the account record. |
+| `name` | Display name for the account. |
+| `enabled` | Whether the account can participate in automatic routing. Disabled accounts stay stored but are ignored for winner selection. |
+| `priority` | Higher values win when multiple enabled accounts can serve the same raw model ID. |
+| `allowlist` | Exact raw model IDs this account is allowed to serve. Empty means no allowlist restriction. |
+| `blocklist` | Exact raw model IDs this account must never serve, even if its allowlist or priority would otherwise match. |
+
+Automatic routing works on the raw Copilot model IDs that `opencode` already uses. The plugin filters eligible accounts by `enabled`, then applies `allowlist` and `blocklist`, and finally picks exactly one winning account by highest `priority` (with a stable key-based tie-breaker). The model ID itself is not rewritten, so account identity does not appear in model IDs.
+
+Example pool file:
+
+```json
+{
+  "version": 1,
+  "accounts": [
+    {
+      "key": "github.com:12345678",
+      "id": "work",
+      "name": "Work",
+      "enabled": true,
+      "priority": 100,
+      "allowlist": ["claude-sonnet-4.6"],
+      "blocklist": [],
+      "deployment": "github.com",
+      "domain": "github.com",
+      "baseUrl": "https://api.githubcopilot.com",
+      "identity": {
+        "login": "octocat",
+        "userId": 12345678
+      },
+      "auth": {
+        "type": "oauth",
+        "refresh": "<oauth token>"
+      },
+      "createdAt": "2026-04-15T00:00:00.000Z",
+      "updatedAt": "2026-04-15T00:00:00.000Z"
+    }
+  ]
+}
+```

package/index.mjs

@@ -0,0 +1,1211 @@
+import { homedir } from "os";
+import {
+  readFileSync,
+  writeFileSync,
+  mkdirSync,
+  renameSync,
+  chmodSync,
+  existsSync,
+} from "fs";
+import { dirname } from "path";
+
+const ACCOUNT_POOL_SCHEMA_VERSION = 1;
+const ROUTING_ACCOUNT_KEY_HEADER = "x-opencode-copilot-account-key";
+const ROUTING_SOURCE_HEADER = "x-opencode-copilot-route-source";
+const INTERNAL_ROUTING_HEADERS = new Set([
+  ROUTING_ACCOUNT_KEY_HEADER,
+  ROUTING_SOURCE_HEADER,
+]);
+
+export function getPoolPath() {
+  return `${homedir()}/.local/share/opencode/copilot-auth.json`;
+}
+
+function validatePoolSchema(pool, context) {
+  if (
+    !pool
+    || typeof pool !== "object"
+    || pool.version !== ACCOUNT_POOL_SCHEMA_VERSION
+    || !Array.isArray(pool.accounts)
+  ) {
+    throw new Error(
+      `[opencode-copilot-cli-auth] Invalid ${context}: expected { version: ${ACCOUNT_POOL_SCHEMA_VERSION}, accounts: [] } schema.`,
+    );
+  }
+
+  return pool;
+}
+
+export function readPool() {
+  const poolPath = getPoolPath();
+
+  if (!existsSync(poolPath)) {
+    const defaultPool = {
+      version: ACCOUNT_POOL_SCHEMA_VERSION,
+      accounts: [],
+    };
+    writePool(defaultPool);
+    return defaultPool;
+  }
+
+  const raw = readFileSync(poolPath, "utf8");
+
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (error) {
+    throw new Error(
+      `[opencode-copilot-cli-auth] Malformed JSON in account pool file at ${poolPath}: ${error instanceof Error ? error.message : String(error)}`,
+    );
+  }
+
+  return validatePoolSchema(parsed, `account pool file at ${poolPath}`);
+}
+
+export function writePool(pool) {
+  const validatedPool = validatePoolSchema(pool, "account pool payload");
+  const poolPath = getPoolPath();
+  const dirPath = dirname(poolPath);
+  const tmpPath = `${poolPath}.tmp`;
+
+  mkdirSync(dirPath, { recursive: true });
+  writeFileSync(tmpPath, `${JSON.stringify(validatedPool, null, 2)}\n`, "utf8");
+  renameSync(tmpPath, poolPath);
+  chmodSync(poolPath, 0o600);
+}
+
+function normalizeHeaderObject(headers) {
+  if (!headers) {
+    return {};
+  }
+
+  if (typeof Headers !== "undefined" && headers instanceof Headers) {
+    return Object.fromEntries(headers.entries());
+  }
+
+  if (Array.isArray(headers)) {
+    return Object.fromEntries(headers);
+  }
+
+  return { ...headers };
+}
+
+function normalizeList(value) {
+  return Array.isArray(value) ? value : [];
+}
+
+function normalizePriority(value) {
+  return Number.isInteger(value) ? value : 0;
+}
+
+function normalizeDomain(urlOrDomain) {
+  if (!urlOrDomain || typeof urlOrDomain !== "string") {
+    return "github.com";
+  }
+
+  const value = urlOrDomain.trim();
+  if (!value) {
+    return "github.com";
+  }
+
+  try {
+    const parsed = value.includes("://")
+      ? new URL(value)
+      : new URL(`https://${value}`);
+    return parsed.hostname.toLowerCase();
+  } catch { // intentional: fall back to regex-based normalization if URL parsing fails
+    return value
+      .replace(/^https?:\/\//i, "")
+      .replace(/\/.*$/, "")
+      .replace(/\/+$/, "")
+      .toLowerCase();
+  }
+}
+
+function normalizeIdSource(value) {
+  return String(value ?? "")
+    .toLowerCase()
+    .replace(/[^a-z0-9-]/g, "-")
+    .replace(/-+/g, "-")
+    .replace(/^-+|-+$/g, "");
+}
+
+function preserveStringOrDefault(value, fallback) {
+  if (typeof value === "string" && value.trim()) {
+    return value;
+  }
+  return fallback;
+}
+
+function deriveDefaultAccountId(accounts, key, identity) {
+  const userIdText = String(identity.userId);
+  const baseId = normalizeIdSource(identity.login || userIdText) || userIdText;
+  const idTakenByDifferentKey = accounts.some(
+    (account) => account?.id === baseId && account?.key !== key,
+  );
+
+  if (!idTakenByDifferentKey) {
+    return baseId;
+  }
+
+  return `${baseId}-${userIdText.slice(-6)}`;
+}
+
+export function deriveAccountKey(deployment, userId) {
+  return `${deployment}:${userId}`;
+}
+
+export async function lookupGitHubIdentity(accessToken, enterpriseUrl) {
+  const deployment = enterpriseUrl ? normalizeDomain(enterpriseUrl) : "github.com";
+  const apiDomain = deployment === "github.com" ? "api.github.com" : `api.${deployment}`;
+  const identityUrl = `https://${apiDomain}/user`;
+
+  const response = await fetch(identityUrl, {
+    method: "GET",
+    headers: {
+      Accept: "application/json",
+      Authorization: `Bearer ${accessToken}`,
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error(
+      `[opencode-copilot-cli-auth] Failed to lookup GitHub identity from ${identityUrl}: ${response.status} ${response.statusText}`,
+    );
+  }
+
+  const payload = await response.json();
+  const userId = Number(payload?.id);
+  if (!Number.isFinite(userId)) {
+    throw new Error(
+      "[opencode-copilot-cli-auth] Failed to lookup GitHub identity: response did not include a numeric user id.",
+    );
+  }
+
+  return {
+    login: typeof payload?.login === "string" ? payload.login : "",
+    userId,
+  };
+}
+
+export function upsertAccount(pool, accountData) {
+  const validatedPool = validatePoolSchema(pool, "account pool payload");
+  const now = new Date().toISOString();
+  const {
+    key,
+    deployment,
+    domain,
+    identity,
+    enterpriseUrl,
+    baseUrl,
+    auth,
+    authResult,
+  } = accountData ?? {};
+
+  if (!key || typeof key !== "string") {
+    throw new Error("[opencode-copilot-cli-auth] Cannot upsert account: missing key.");
+  }
+
+  const userId = Number(identity?.userId);
+  if (!Number.isFinite(userId)) {
+    throw new Error("[opencode-copilot-cli-auth] Cannot upsert account: missing numeric identity.userId.");
+  }
+
+  const login = typeof identity?.login === "string" ? identity.login : "";
+  const normalizedDeployment = normalizeDomain(deployment || domain || enterpriseUrl || "github.com");
+  const normalizedDomain = normalizeDomain(domain || normalizedDeployment);
+  const normalizedEnterpriseUrl =
+    normalizedDeployment === "github.com"
+      ? null
+      : normalizeDomain(enterpriseUrl || normalizedDeployment);
+  const normalizedIdentity = {
+    login,
+    userId,
+  };
+  const defaultId = deriveDefaultAccountId(validatedPool.accounts, key, normalizedIdentity);
+  const defaultName = login || String(userId);
+  const mergedAuth = auth ?? authResult ?? {};
+  const nextBaseUrl = baseUrl ?? authResult?.baseUrl ?? null;
+
+  const existingIndex = validatedPool.accounts.findIndex((account) => account?.key === key);
+  if (existingIndex === -1) {
+    return {
+      ...validatedPool,
+      accounts: [
+        ...validatedPool.accounts,
+        {
+          key,
+          id: defaultId,
+          name: defaultName,
+          enabled: true,
+          priority: 0,
+          deployment: normalizedDeployment,
+          domain: normalizedDomain,
+          identity: normalizedIdentity,
+          enterpriseUrl: normalizedEnterpriseUrl,
+          baseUrl: nextBaseUrl,
+          allowlist: [],
+          blocklist: [],
+          auth: mergedAuth,
+          createdAt: now,
+          updatedAt: now,
+        },
+      ],
+    };
+  }
+
+  const existing = validatedPool.accounts[existingIndex];
+  const updatedAccount = {
+    ...existing,
+    key,
+    deployment: normalizedDeployment,
+    domain: normalizedDomain,
+    identity: normalizedIdentity,
+    enterpriseUrl: normalizedEnterpriseUrl,
+    auth: mergedAuth,
+    baseUrl: nextBaseUrl ?? existing.baseUrl ?? null,
+    id: preserveStringOrDefault(existing.id, defaultId),
+    name: preserveStringOrDefault(existing.name, defaultName),
+    enabled: typeof existing.enabled === "boolean" ? existing.enabled : true,
+    priority: Number.isFinite(existing.priority) ? existing.priority : 0,
+    allowlist: Array.isArray(existing.allowlist) ? existing.allowlist : [],
+    blocklist: Array.isArray(existing.blocklist) ? existing.blocklist : [],
+    createdAt: existing.createdAt ?? now,
+    updatedAt: now,
+  };
+
+  const nextAccounts = [...validatedPool.accounts];
+  nextAccounts[existingIndex] = updatedAccount;
+
+  return {
+    ...validatedPool,
+    accounts: nextAccounts,
+  };
+}
+
+export function resolveWinnerAccount(rawModelId, pool) {
+  const candidates = (Array.isArray(pool?.accounts) ? pool.accounts : [])
+    .filter((account) => account?.enabled !== false)
+    .filter((account) => {
+      const allowlist = normalizeList(account?.allowlist);
+      return allowlist.length === 0 || allowlist.includes(rawModelId);
+    })
+    .filter((account) => !normalizeList(account?.blocklist).includes(rawModelId))
+    .sort((left, right) => {
+      const priorityDelta = normalizePriority(right?.priority) - normalizePriority(left?.priority);
+      if (priorityDelta !== 0) {
+        return priorityDelta;
+      }
+
+      return String(left?.key ?? "").localeCompare(String(right?.key ?? ""));
+    });
+
+  return candidates[0] ?? null;
+}
+
+export function injectRoutingHeaders(headers, accountKey) {
+  return {
+    ...normalizeHeaderObject(headers),
+    [ROUTING_ACCOUNT_KEY_HEADER]: accountKey,
+    [ROUTING_SOURCE_HEADER]: "model-resolution",
+  };
+}
+
+export function stripRoutingHeaders(headers) {
+  return Object.fromEntries(
+    Object.entries(normalizeHeaderObject(headers)).filter(
+      ([key]) => !INTERNAL_ROUTING_HEADERS.has(key.toLowerCase()),
+    ),
+  );
+}
+
+/**
+ * @type {import("@opencode-ai/plugin").Plugin}
+ */
+export async function CopilotAuthPlugin(input = {}) {
+  const CLIENT_ID = "Ov23ctDVkRmgkPke0Mmm";
+  const API_VERSION = "2025-05-01";
+  const OAUTH_POLLING_SAFETY_MARGIN_MS = 3000;
+  const OAUTH_SCOPES = "read:user read:org repo gist";
+  const RESPONSES_API_ALTERNATE_INPUT_TYPES = [
+    "file_search_call",
+    "computer_call",
+    "computer_call_output",
+    "web_search_call",
+    "function_call",
+    "function_call_output",
+    "image_generation_call",
+    "code_interpreter_call",
+    "local_shell_call",
+    "local_shell_call_output",
+    "mcp_list_tools",
+    "mcp_approval_request",
+    "mcp_approval_response",
+    "mcp_call",
+    "reasoning",
+  ];
+
+  function getUrls(domain) {
+    const apiDomain = domain === "github.com" ? "api.github.com" : `api.${domain}`;
+    return {
+      DEVICE_CODE_URL: `https://${domain}/login/device/code`,
+      ACCESS_TOKEN_URL: `https://${domain}/login/oauth/access_token`,
+      COPILOT_ENTITLEMENT_URL: `https://${apiDomain}/copilot_internal/user`,
+    };
+  }
+
+  async function fetchEntitlement(info) {
+    const domain = info.enterpriseUrl ? normalizeDomain(info.enterpriseUrl) : "github.com";
+    const urls = getUrls(domain);
+
+    const response = await fetch(urls.COPILOT_ENTITLEMENT_URL, {
+      headers: {
+        Accept: "application/json",
+        Authorization: `Bearer ${info.refresh}`,
+        "User-Agent": "GithubCopilot/1.155.0",
+      },
+    });
+
+    if (!response.ok) {
+      throw new Error(`[opencode-copilot-cli-auth] Entitlement fetch failed: ${response.status}`);
+    }
+
+    return response.json();
+  }
+
+  async function getBaseURL(info) {
+    if (info.baseUrl) return info.baseUrl;
+    const entitlement = await fetchEntitlement(info);
+    return entitlement?.endpoints?.api;
+  }
+
+  async function fetchModels(info, baseURL) {
+    const response = await fetch(`${baseURL}/models`, {
+      headers: {
+        Authorization: `Bearer ${info.refresh}`,
+        "Copilot-Integration-Id": "copilot-developer-cli",
+        "Openai-Intent": "model-access",
+        "User-Agent": "opencode-copilot-cli-auth/0.0.16",
+        "X-GitHub-Api-Version": API_VERSION,
+        "X-Interaction-Type": "model-access",
+        "X-Request-Id": crypto.randomUUID(),
+      },
+    });
+
+    if (!response.ok) {
+      throw new Error(`[opencode-copilot-cli-auth] Model fetch failed: ${response.status}`);
+    }
+
+    const data = await response.json();
+    return Array.isArray(data?.data) ? data.data : [];
+  }
+
+  function zeroCost() {
+    return {
+      input: 0,
+      output: 0,
+      cache: {
+        read: 0,
+        write: 0,
+      },
+    };
+  }
+
+  function isLiveChatModel(model) {
+    return model?.capabilities?.type === "chat";
+  }
+
+  function isPickerModel(model) {
+    return isLiveChatModel(model) && model?.model_picker_enabled !== false;
+  }
+
+  function getReleaseDate(id, version, fallback = "") {
+    if (typeof version === "string" && version.startsWith(`${id}-`)) {
+      return version.slice(id.length + 1);
+    }
+    return version || fallback;
+  }
+
+  function createProviderModel(existing, live, baseURL) {
+    const limits = live.capabilities?.limits ?? {};
+    const supports = live.capabilities?.supports ?? {};
+    const vision = !!supports.vision || !!limits.vision;
+    const reasoning =
+      existing?.capabilities?.reasoning
+      ?? (
+        !!supports.adaptive_thinking
+        || typeof supports.max_thinking_budget === "number"
+        || Array.isArray(supports.reasoning_effort)
+      );
+
+    return {
+      ...structuredClone(existing ?? {}),
+      id: live.id,
+      api: {
+        ...(existing?.api ?? {}),
+        id: live.id,
+        url: baseURL,
+        npm: "@ai-sdk/github-copilot",
+      },
+      name: live.name ?? existing?.name ?? live.id,
+      family: live.capabilities?.family ?? existing?.family ?? "",
+      cost: zeroCost(),
+      limit: {
+        context:
+          limits.max_context_window_tokens
+          ?? existing?.limit?.context
+          ?? 0,
+        input:
+          limits.max_prompt_tokens
+          ?? existing?.limit?.input
+          ?? limits.max_context_window_tokens,
+        output:
+          limits.max_output_tokens
+          ?? limits.max_non_streaming_output_tokens
+          ?? existing?.limit?.output
+          ?? 0,
+      },
+      capabilities: {
+        temperature: existing?.capabilities?.temperature ?? true,
+        reasoning,
+        attachment: existing?.capabilities?.attachment ?? vision,
+        toolcall: !!supports.tool_calls,
+        input: {
+          text: existing?.capabilities?.input?.text ?? true,
+          audio: existing?.capabilities?.input?.audio ?? false,
+          image: existing?.capabilities?.input?.image ?? vision,
+          video: existing?.capabilities?.input?.video ?? false,
+          pdf: existing?.capabilities?.input?.pdf ?? false,
+        },
+        output: {
+          text: existing?.capabilities?.output?.text ?? true,
+          audio: existing?.capabilities?.output?.audio ?? false,
+          image: existing?.capabilities?.output?.image ?? false,
+          video: existing?.capabilities?.output?.video ?? false,
+          pdf: existing?.capabilities?.output?.pdf ?? false,
+        },
+        interleaved: existing?.capabilities?.interleaved ?? false,
+      },
+      options: existing?.options ?? {},
+      headers: existing?.headers ?? {},
+      release_date: getReleaseDate(live.id, live.version, existing?.release_date ?? ""),
+      variants: existing?.variants ?? {},
+      status: "active",
+    };
+  }
+
+  function buildProviderModels(existingModels, liveModels, baseURL) {
+    const existingById = new Map(
+      Object.values(existingModels ?? {}).map((model) => [model?.api?.id ?? model?.id, model]),
+    );
+
+    return Object.fromEntries(
+      liveModels
+        .filter(isPickerModel)
+        .map((model) => [
+          model.id,
+          createProviderModel(existingById.get(model.id), model, baseURL),
+        ]),
+    );
+  }
+
+  function normalizeExistingModels(existingModels, baseURL) {
+    return Object.fromEntries(
+      Object.entries(existingModels ?? {}).map(([id, model]) => [
+        id,
+        {
+          ...structuredClone(model),
+          cost: zeroCost(),
+          api: {
+            ...model.api,
+            url: baseURL ?? model.api?.url,
+            npm: "@ai-sdk/github-copilot",
+          },
+        },
+      ]),
+    );
+  }
+
+  async function resolveProviderModels(existingModels, auth) {
+    const baseURL = auth ? await getBaseURL(auth) : undefined;
+    if (!auth || auth.type !== "oauth" || !baseURL) {
+      return normalizeExistingModels(existingModels, baseURL);
+    }
+
+    const liveModels = await fetchModels(auth, baseURL);
+    return buildProviderModels(existingModels, liveModels, baseURL);
+  }
+
+  async function buildPoolBackedModels(existingModels, pool) {
+    const enabledAccounts = (Array.isArray(pool?.accounts) ? pool.accounts : [])
+      .filter((account) => account?.enabled !== false);
+
+    if (enabledAccounts.length === 0) {
+      return {};
+    }
+
+    const candidatesByModel = new Map();
+
+    for (const account of enabledAccounts) {
+      try {
+        const baseURL = account.baseUrl ?? await getBaseURL(account.auth);
+        const liveModels = await fetchModels(account.auth, baseURL);
+
+        for (const liveModel of liveModels.filter(isPickerModel)) {
+          const winner = resolveWinnerAccount(liveModel.id, pool);
+          if (winner?.key === account.key) {
+            candidatesByModel.set(liveModel.id, {
+              account,
+              liveModel,
+              baseURL,
+            });
+          }
+        }
+      } catch (error) {
+        console.warn(
+          `[opencode-copilot-cli-auth] Skipping account ${account?.key ?? "unknown"} during model sync:`,
+          error?.message ?? error,
+        );
+      }
+    }
+
+    const existingById = new Map(
+      Object.values(existingModels ?? {}).map((model) => [model?.api?.id ?? model?.id, model]),
+    );
+
+    return Object.fromEntries(
+      [...candidatesByModel.entries()]
+        .sort(([left], [right]) => left.localeCompare(right))
+        .map(([rawModelId, { liveModel, baseURL }]) => [
+          rawModelId,
+          createProviderModel(existingById.get(rawModelId), liveModel, baseURL),
+        ]),
+    );
+  }
+
+  function getHeader(headers, name) {
+    if (!headers) return undefined;
+    const target = name.toLowerCase();
+
+    if (typeof Headers !== "undefined" && headers instanceof Headers) {
+      return headers.get(name) ?? headers.get(target) ?? undefined;
+    }
+
+    if (Array.isArray(headers)) {
+      const found = headers.find(([key]) => String(key).toLowerCase() === target);
+      return found?.[1];
+    }
+
+    for (const [key, value] of Object.entries(headers)) {
+      if (key.toLowerCase() === target) {
+        return value;
+      }
+    }
+
+    return undefined;
+  }
+
+  function getConversationMetadata(init) {
+    try {
+      const body = typeof init?.body === "string" ? JSON.parse(init.body) : init?.body;
+
+      if (body?.messages) {
+        const lastMessage = body.messages[body.messages.length - 1];
+        return {
+          isVision: body.messages.some(
+            (message) =>
+              Array.isArray(message.content) &&
+              message.content.some((part) => part.type === "image_url"),
+          ),
+          isAgent:
+            lastMessage?.role &&
+            ["tool", "assistant"].includes(lastMessage.role),
+        };
+      }
+
+      if (body?.input) {
+        const lastInput = body.input[body.input.length - 1];
+        const isAssistant = lastInput?.role === "assistant";
+        const hasAgentType = lastInput?.type
+          ? RESPONSES_API_ALTERNATE_INPUT_TYPES.includes(lastInput.type)
+          : false;
+
+        return {
+          isVision:
+            Array.isArray(lastInput?.content) &&
+            lastInput.content.some((part) => part.type === "input_image"),
+          isAgent: isAssistant || hasAgentType,
+        };
+      }
+    } catch {} // intentional: return safe defaults on any parse/inspection error
+
+    return {
+      isVision: false,
+      isAgent: false,
+    };
+  }
+
+  function getRequestedRawModelId(init) {
+    try {
+      const body = typeof init?.body === "string" ? JSON.parse(init.body) : init?.body;
+      return typeof body?.model === "string" && body.model.trim() ? body.model.trim() : undefined;
+    } catch { // intentional: return undefined on body parse error
+      return undefined;
+    }
+  }
+
+  function applyBaseURLToRequestInput(input, baseURL) {
+    if (!baseURL) {
+      return input;
+    }
+
+    try {
+      const original =
+        typeof input === "string" || input instanceof URL
+          ? new URL(String(input))
+          : typeof Request !== "undefined" && input instanceof Request
+            ? new URL(input.url)
+            : null;
+
+      if (!original) {
+        return input;
+      }
+
+      const nextBase = new URL(baseURL);
+      const nextUrl = new URL(`${original.pathname}${original.search}${original.hash}`, nextBase);
+
+      if (typeof Request !== "undefined" && input instanceof Request) {
+        return new Request(nextUrl.toString(), input);
+      }
+
+      return nextUrl.toString();
+    } catch { // intentional: return original input on URL rewrite error
+      return input;
+    }
+  }
+
+  function buildHeaders(init, info, isVision, isAgent) {
+    const explicitInitiator = getHeader(init?.headers, "x-initiator");
+    const headers = {
+      ...(init?.headers ?? {}),
+      Authorization: `Bearer ${info.refresh}`,
+      "Copilot-Integration-Id": "copilot-developer-cli",
+      "Openai-Intent": "conversation-agent",
+      "User-Agent": "opencode-copilot-cli-auth/0.0.16",
+      "X-GitHub-Api-Version": API_VERSION,
+      "X-Initiator": explicitInitiator ?? (isAgent ? "agent" : "user"),
+      "X-Interaction-Id": crypto.randomUUID(),
+      "X-Interaction-Type": "conversation-agent",
+      "X-Request-Id": crypto.randomUUID(),
+    };
+
+    if (isVision) {
+      headers["Copilot-Vision-Request"] = "true";
+    }
+
+    delete headers["x-api-key"];
+    delete headers["authorization"];
+    delete headers["x-initiator"];
+
+    return stripRoutingHeaders(headers);
+  }
+
+  function getSelectedAccountMissingError() {
+    return new Error(
+      "[opencode-copilot-cli-auth] Selected account is disabled or not found; re-login required",
+    );
+  }
+
+  function getSelectedAccountExpiredError(accountKey) {
+    return new Error(
+      `[opencode-copilot-cli-auth] Account auth expired for ${accountKey}; re-login required`,
+    );
+  }
+
+  function isValidBaseURL(value) {
+    if (typeof value !== "string" || !value.trim()) {
+      return false;
+    }
+
+    try {
+      new URL(value);
+      return true;
+    } catch { // intentional: invalid URL means value is not a valid URL
+      return false;
+    }
+  }
+
+  function resolveSelectedPoolAccount(pool, accountKey, requestedRawModelId) {
+    const accounts = Array.isArray(pool?.accounts) ? pool.accounts : [];
+
+    if (accounts.length === 0) {
+      return null;
+    }
+
+    let selectedAccount = null;
+
+    if (accountKey) {
+      const headerAccount = accounts.find((account) => account?.key === accountKey);
+      if (!headerAccount || headerAccount.enabled === false) {
+        throw getSelectedAccountMissingError();
+      }
+      selectedAccount = headerAccount;
+    }
+
+    if (requestedRawModelId) {
+      const winner = resolveWinnerAccount(requestedRawModelId, pool);
+      if (!winner) {
+        throw new Error(
+          `[opencode-copilot-cli-auth] No eligible account found for model ${requestedRawModelId}; re-login required`,
+        );
+      }
+
+      if (selectedAccount && winner.key !== selectedAccount.key) {
+        throw new Error(
+          `[opencode-copilot-cli-auth] Selected account cannot serve model ${requestedRawModelId}; re-login required`,
+        );
+      }
+
+      selectedAccount = winner;
+    }
+
+    if (!selectedAccount) {
+      throw new Error("[opencode-copilot-cli-auth] No eligible account found for routed request; re-login required");
+    }
+
+    if (
+      selectedAccount.auth?.type !== "oauth"
+      || typeof selectedAccount.auth.refresh !== "string"
+      || !selectedAccount.auth.refresh.trim()
+    ) {
+      throw getSelectedAccountExpiredError(selectedAccount.key ?? "unknown");
+    }
+
+    return selectedAccount;
+  }
+
+  async function refreshSelectedAccountBaseURL(accountKey) {
+    const currentPool = readPool();
+    const accountIndex = currentPool.accounts.findIndex((account) => account?.key === accountKey);
+    const currentAccount = accountIndex >= 0 ? currentPool.accounts[accountIndex] : null;
+
+    if (!currentAccount || currentAccount.enabled === false) {
+      throw getSelectedAccountMissingError();
+    }
+
+    if (
+      currentAccount.auth?.type !== "oauth"
+      || typeof currentAccount.auth.refresh !== "string"
+      || !currentAccount.auth.refresh.trim()
+    ) {
+      throw getSelectedAccountExpiredError(currentAccount.key ?? accountKey ?? "unknown");
+    }
+
+    let entitlement;
+    try {
+      entitlement = await fetchEntitlement({
+        refresh: currentAccount.auth.refresh,
+        enterpriseUrl: currentAccount.enterpriseUrl ?? null,
+      });
+    } catch { // intentional: entitlement fetch failure means account is expired/invalid; propagate as account error
+      throw getSelectedAccountExpiredError(currentAccount.key);
+    }
+
+    const nextBaseURL = entitlement?.endpoints?.api;
+    if (!isValidBaseURL(nextBaseURL)) {
+      throw getSelectedAccountExpiredError(currentAccount.key);
+    }
+
+    const updatedPool = {
+      ...currentPool,
+      accounts: currentPool.accounts.map((account, index) =>
+        index === accountIndex
+          ? {
+            ...account,
+            baseUrl: nextBaseURL,
+            updatedAt: new Date().toISOString(),
+          }
+          : account
+      ),
+    };
+
+    writePool(updatedPool);
+    return updatedPool.accounts[accountIndex];
+  }
+
+  async function fetchWithSelectedAccount(input, init, selectedAccount) {
+    const { isVision, isAgent } = getConversationMetadata(init);
+
+    const dispatch = async (account) => {
+      const headers = buildHeaders(init, account.auth, isVision, isAgent);
+      const requestInput = applyBaseURLToRequestInput(input, account.baseUrl);
+
+      return fetch(requestInput, {
+        ...init,
+        headers,
+      });
+    };
+
+    let activeAccount = selectedAccount;
+    if (!isValidBaseURL(activeAccount.baseUrl)) {
+      activeAccount = await refreshSelectedAccountBaseURL(activeAccount.key);
+    }
+
+    const response = await dispatch(activeAccount);
+    if (![401, 403].includes(response.status)) {
+      return response;
+    }
+
+    const refreshedAccount = await refreshSelectedAccountBaseURL(activeAccount.key);
+    const retryResponse = await dispatch(refreshedAccount);
+    if ([401, 403].includes(retryResponse.status)) {
+      throw getSelectedAccountExpiredError(refreshedAccount.key);
+    }
+
+    return retryResponse;
+  }
+
+  function resolveClaudeThinkingBudget(model, variant) {
+    if (!model?.id?.includes("claude")) return undefined;
+    return variant === "thinking" ? 16000 : undefined;
+  }
+
+  return {
+    provider: {
+      id: "github-copilot",
+      models: async (provider, ctx) => {
+        try {
+          const pool = readPool();
+          if (pool.accounts.length > 0) {
+            return await buildPoolBackedModels(provider.models, pool);
+          }
+
+          return await resolveProviderModels(provider.models, ctx.auth);
+        } catch (error) {
+          console.warn("[opencode-copilot-cli-auth] Failed to sync live Copilot models.", error?.message ?? error);
+          return normalizeExistingModels(provider.models);
+        }
+      },
+    },
+    auth: {
+      provider: "github-copilot",
+      loader: async (getAuth) => {
+        const info = await getAuth();
+        let poolFirstEnabled;
+
+        try {
+          const currentPool = readPool();
+          poolFirstEnabled = currentPool.accounts.find((account) => account?.enabled !== false);
+          if (currentPool.accounts.length === 0 && info && info.type === "oauth") {
+            // Best-effort migration bridge for legacy single-account auth.
+            // We intentionally avoid identity lookup here because loader runs on hot paths,
+            // and we do not have a stable userId without making a network request.
+            // The next successful OAuth authorize callback performs canonical persistence.
+          }
+        } catch {} // intentional: pool read/parse errors fall back to legacy singleton auth
+
+        const baseSource =
+          poolFirstEnabled?.auth?.type === "oauth"
+            ? poolFirstEnabled.auth
+            : info && info.type === "oauth"
+              ? info
+              : null;
+        if (!baseSource) return {};
+
+        const baseURL = poolFirstEnabled?.baseUrl ?? await getBaseURL(baseSource);
+
+        return {
+          ...(baseURL && { baseURL }),
+          apiKey: "",
+          async fetch(input, init) {
+            const pool = readPool();
+            const accountKey = getHeader(init?.headers, ROUTING_ACCOUNT_KEY_HEADER);
+            const requestedRawModelId = getRequestedRawModelId(init);
+
+            if (pool.accounts.length > 0) {
+              const selectedAccount = resolveSelectedPoolAccount(pool, accountKey, requestedRawModelId);
+              if (selectedAccount?.auth?.type === "oauth") {
+                return fetchWithSelectedAccount(input, init, selectedAccount);
+              }
+            }
+
+            const auth = await getAuth();
+            if (!auth || auth.type !== "oauth") {
+              return fetch(input, init);
+            }
+
+            const { isVision, isAgent } = getConversationMetadata(init);
+            const headers = buildHeaders(init, auth, isVision, isAgent);
+
+            return fetch(input, {
+              ...init,
+              headers,
+            });
+          },
+        };
+      },
+      methods: [
+        {
+          type: "oauth",
+          label: "Login with GitHub Copilot CLI",
+          prompts: [
+            {
+              type: "select",
+              key: "deploymentType",
+              message: "Select GitHub deployment type",
+              options: [
+                {
+                  label: "GitHub.com (Add)",
+                  value: "github.com",
+                  hint: "Public",
+                },
+                {
+                  label: "GitHub Enterprise (Add)",
+                  value: "enterprise",
+                  hint: "Data residency or self-hosted",
+                },
+              ],
+            },
+            {
+              type: "text",
+              key: "enterpriseUrl",
+              message: "Enter your GitHub Enterprise URL or domain",
+              placeholder: "github.com or https://github.com (default: github.com)",
+              condition: (inputs) => inputs.deploymentType === "enterprise",
+              validate: (value) => {
+                if (!value || !String(value).trim()) {
+                  return undefined;
+                }
+                try {
+                  const url = value.includes("://")
+                    ? new URL(value)
+                    : new URL(`https://${value}`);
+                  if (!url.hostname) {
+                    return "Please enter a valid URL or domain";
+                  }
+                  return undefined;
+                } catch { // intentional: invalid URL input returns a user-facing validation error message
+                  return "Please enter a valid URL (e.g., company.ghe.com or https://company.ghe.com)";
+                }
+              },
+            },
+          ],
+          async authorize(inputs = {}) {
+            const deploymentType = inputs.deploymentType || "github.com";
+
+            let domain = "github.com";
+            let actualProvider = "github-copilot";
+
+            if (deploymentType === "enterprise") {
+              domain = normalizeDomain(inputs.enterpriseUrl);
+              actualProvider = "github-copilot-enterprise";
+            }
+
+            const urls = getUrls(domain);
+
+            const deviceResponse = await fetch(urls.DEVICE_CODE_URL, {
+              method: "POST",
+              headers: {
+                Accept: "application/json",
+                "Content-Type": "application/json",
+                "User-Agent": "opencode-copilot-cli-auth/0.0.16",
+              },
+              body: JSON.stringify({
+                client_id: CLIENT_ID,
+                scope: OAUTH_SCOPES,
+              }),
+            });
+
+            if (!deviceResponse.ok) {
+              throw new Error("[opencode-copilot-cli-auth] Failed to initiate device authorization");
+            }
+
+            const deviceData = await deviceResponse.json();
+
+            return {
+              url: deviceData.verification_uri,
+              instructions: `Enter code: ${deviceData.user_code}`,
+              method: "auto",
+              callback: async () => {
+                while (true) {
+                  const response = await fetch(urls.ACCESS_TOKEN_URL, {
+                    method: "POST",
+                    headers: {
+                      Accept: "application/json",
+                      "Content-Type": "application/json",
+                      "User-Agent": "opencode-copilot-cli-auth/0.0.16",
+                    },
+                    body: JSON.stringify({
+                      client_id: CLIENT_ID,
+                      device_code: deviceData.device_code,
+                      grant_type:
+                        "urn:ietf:params:oauth:grant-type:device_code",
+                    }),
+                  });
+
+                  if (!response.ok) return { type: "failed" };
+
+                  const data = await response.json();
+
+                  if (data.access_token) {
+                    const entitlement = await fetchEntitlement({
+                      refresh: data.access_token,
+                      enterpriseUrl:
+                        actualProvider === "github-copilot-enterprise"
+                          ? domain
+                          : undefined,
+                    });
+
+                    const result = {
+                      type: "success",
+                      refresh: data.access_token,
+                      access: data.access_token,
+                      expires: 0,
+                      baseUrl: entitlement?.endpoints?.api,
+                    };
+
+                    if (actualProvider === "github-copilot-enterprise") {
+                      result.provider = "github-copilot-enterprise";
+                      result.enterpriseUrl = domain;
+                    }
+
+                    try {
+                      const identity = await lookupGitHubIdentity(
+                        data.access_token,
+                        actualProvider === "github-copilot-enterprise" ? domain : undefined,
+                      );
+                      const deployment = actualProvider === "github-copilot-enterprise" ? domain : "github.com";
+                      const key = deriveAccountKey(deployment, identity.userId);
+                      const pool = readPool();
+                      const updatedPool = upsertAccount(pool, {
+                        key,
+                        deployment,
+                        domain: deployment,
+                        identity,
+                        enterpriseUrl: actualProvider === "github-copilot-enterprise" ? domain : null,
+                        baseUrl: result.baseUrl,
+                        auth: {
+                          type: "oauth",
+                          refresh: data.access_token,
+                          access: data.access_token,
+                          expires: 0,
+                          baseUrl: result.baseUrl ?? null,
+                          ...(result.provider && { provider: result.provider }),
+                          ...(result.enterpriseUrl && { enterpriseUrl: result.enterpriseUrl }),
+                        },
+                      });
+                      writePool(updatedPool);
+                    } catch (persistError) {
+                      console.warn(
+                        "[opencode-copilot-cli-auth] Failed to persist account to pool:",
+                        persistError?.message ?? persistError,
+                      );
+                      // Non-fatal: continue with the login flow.
+                    }
+
+                    return result;
+                  }
+
+                  if (data.error === "authorization_pending") {
+                    await new Promise((resolve) =>
+                      setTimeout(
+                        resolve,
+                        deviceData.interval * 1000
+                          + OAUTH_POLLING_SAFETY_MARGIN_MS,
+                      ),
+                    );
+                    continue;
+                  }
+
+                  if (data.error === "slow_down") {
+                    const nextInterval =
+                      (typeof data.interval === "number" && data.interval > 0 ?
+                        data.interval
+                      : deviceData.interval + 5) * 1000;
+                    await new Promise((resolve) =>
+                      setTimeout(
+                        resolve,
+                        nextInterval + OAUTH_POLLING_SAFETY_MARGIN_MS,
+                      ),
+                    );
+                    continue;
+                  }
+
+                  if (data.error) return { type: "failed" };
+
+                  await new Promise((resolve) =>
+                    setTimeout(
+                      resolve,
+                      deviceData.interval * 1000
+                        + OAUTH_POLLING_SAFETY_MARGIN_MS,
+                    ),
+                  );
+                }
+              },
+            };
+          },
+        },
+      ],
+    },
+    "chat.params": async (input, output) => {
+      if (input.model.providerID !== "github-copilot") return;
+      if (input.model.api?.npm !== "@ai-sdk/github-copilot") return;
+      if (!input.model.id.includes("claude")) return;
+
+      const thinkingBudget = resolveClaudeThinkingBudget(input.model, input.message.variant);
+      if (thinkingBudget === undefined) return;
+
+      output.options.thinking_budget = thinkingBudget;
+    },
+    "chat.headers": async (incoming, output) => {
+      if (!incoming.model.providerID.includes("github-copilot")) return;
+
+      const sdk = input.client;
+      if (sdk?.session?.message && sdk?.session?.get) {
+        const parts = await sdk.session
+          .message({
+            path: {
+              id: incoming.message.sessionID,
+              messageID: incoming.message.id,
+            },
+            query: {
+              directory: input.directory,
+            },
+            throwOnError: true,
+          })
+          .catch(() => undefined);
+
+        if (parts?.data?.parts?.some((part) => part.type === "compaction")) {
+          output.headers["x-initiator"] = "agent";
+        } else {
+          const session = await sdk.session
+            .get({
+              path: {
+                id: incoming.sessionID,
+              },
+              query: {
+                directory: input.directory,
+              },
+              throwOnError: true,
+            })
+            .catch(() => undefined);
+
+          if (session?.data?.parentID) {
+            output.headers["x-initiator"] = "agent";
+          }
+        }
+      }
+
+      try {
+        const pool = readPool();
+        if (pool.accounts.length > 0) {
+          const winner = resolveWinnerAccount(incoming.model.id, pool);
+          if (winner) {
+            output.headers[ROUTING_ACCOUNT_KEY_HEADER] = winner.key;
+            output.headers[ROUTING_SOURCE_HEADER] = "model-resolution";
+          }
+        }
+      } catch {} // intentional: routing header injection is best-effort; missing header falls back to request-time model resolution
+    },
+  };
+}

package/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "@gnahz77/opencode-copilot-multi-auth",
+  "version": "0.1.0",
+  "main": "./index.mjs",
+  "publishConfig": {
+    "access": "public"
+  },
+  "devDependencies": {
+    "@opencode-ai/plugin": "^0.4.45"
+  },
+  "dependencies": {}
+}