@gnahz77/opencode-copilot-multi-auth 0.1.0 → 0.1.2

package/README.md

@@ -12,26 +12,73 @@ Add the plugin to your `opencode` config:
 {
   "$schema": "https://opencode.ai/config.json",
   "plugin": [
-    "@gnahz77/opencode-copilot-multi-auth@0.1.0"
+    "@gnahz77/opencode-copilot-multi-auth@0.1.2"
   ]
 }
 ```
 
 Then start `opencode` and log in to the `github-copilot` provider. The plugin handles the Copilot CLI-style device flow and will reuse the stored GitHub OAuth token afterward.
 
+If you also want the TUI command support provided by this package, add the same plugin to your `tui.json` or `tui.jsonc`:
+
+```json
+{
+  "$schema": "https://opencode.ai/tui.json",
+  "plugin": [
+    "@gnahz77/opencode-copilot-multi-auth@0.1.2"
+  ]
+}
+```
+
+After restarting OpenCode TUI, you can open the command palette and run `copilot-usage`, or type `/copilot-usage`.
+The plugin will open a popup dialog showing all accounts currently stored in `~/.local/share/opencode/copilot-auth.json`.
+
 For local development before publishing, you can load the file directly:
 
 ```json
 {
   "$schema": "https://opencode.ai/config.json",
   "plugin": [
-    "file:///absolute/path/to/index.mjs"
+    "file:///absolute/path/to/dist/index.js"
   ]
 }
 ```
 
 Important: if the file path contains `opencode-copilot-auth`, current `opencode` builds may skip loading it because of a hardcoded plugin-name filter. Use a path that does not contain that substring.
 
+If you are loading the plugin locally during development and want to use `copilot-usage`, add the built TUI entry to your TUI config as well:
+
+```json
+{
+  "$schema": "https://opencode.ai/tui.json",
+  "plugin": [
+    "file:///absolute/path/to/dist/tui.js"
+  ]
+}
+```
+
+## `copilot-usage` command
+
+This package now includes a TUI command named `copilot-usage`.
+
+- Command palette entry: `copilot-usage`
+- Slash command: `/copilot-usage`
+
+What it does:
+
+- Reads every Copilot account stored in `~/.local/share/opencode/copilot-auth.json`
+- Calls the GitHub Copilot entitlement endpoint `/copilot_internal/user` for each account using that account's OAuth token
+- Opens a popup dialog showing, for each account:
+  - account name
+  - used / total usage bar
+  - used percentage
+
+Notes:
+
+- The command is part of the package's TUI target, so `opencode.json` alone is not enough; `tui.json` must also load the plugin.
+- Disabled accounts are still shown in the popup and are marked as disabled.
+- If one account fails to load usage data, the popup still shows the other accounts and includes the per-account error message inline.
+
 ## What changed in this fork
 
 - Auth flow: uses the Copilot CLI-style OAuth client flow and keeps the GitHub OAuth token directly.
@@ -110,11 +157,13 @@ The pool stores one object per account under `accounts` in a `version: 1` docume
 | `id` | Stable human-friendly identifier stored with the account record. |
 | `name` | Display name for the account. |
 | `enabled` | Whether the account can participate in automatic routing. Disabled accounts stay stored but are ignored for winner selection. |
-| `priority` | Higher values win when multiple enabled accounts can serve the same raw model ID. |
-| `allowlist` | Exact raw model IDs this account is allowed to serve. Empty means no allowlist restriction. |
-| `blocklist` | Exact raw model IDs this account must never serve, even if its allowlist or priority would otherwise match. |
+| `priority` | Lower values win when multiple enabled accounts can serve the same raw model ID. |
+| `allowlist` | Raw model IDs or `*` wildcard patterns this account is allowed to serve. If non-empty, the account can only serve models that match one of these entries. |
+| `blocklist` | Raw model IDs or `*` wildcard patterns this account must never serve. If both `allowlist` and `blocklist` are non-empty, the plugin checks `allowlist` first and then applies `blocklist`. |
+
+Automatic routing works on the raw Copilot model IDs that `opencode` already uses. The plugin filters eligible accounts by `enabled`, then checks `allowlist` first (when non-empty, the model must match one of its exact entries or wildcard patterns), then applies `blocklist`, and finally picks exactly one winning account by lowest `priority` (with a stable key-based tie-breaker). The model ID itself is not rewritten, so account identity does not appear in model IDs.
 
-Automatic routing works on the raw Copilot model IDs that `opencode` already uses. The plugin filters eligible accounts by `enabled`, then applies `allowlist` and `blocklist`, and finally picks exactly one winning account by highest `priority` (with a stable key-based tie-breaker). The model ID itself is not rewritten, so account identity does not appear in model IDs.
+Wildcard matching is case-sensitive and currently supports `*` for zero or more characters anywhere in the pattern. For example, `claude-*` matches `claude-sonnet-4.6` and `claude-opus-4.6`.
 
 Example pool file:
 
@@ -128,7 +177,7 @@ Example pool file:
       "name": "Work",
       "enabled": true,
       "priority": 100,
-      "allowlist": ["claude-sonnet-4.6"],
+      "allowlist": ["claude-*"],
       "blocklist": [],
       "deployment": "github.com",
       "domain": "github.com",

package/dist/auth.d.ts

@@ -0,0 +1,18 @@
+import type { AccountPool, AuthInput, PoolAccount } from "./types.js";
+export declare function getUrls(domain: string): {
+    DEVICE_CODE_URL: string;
+    ACCESS_TOKEN_URL: string;
+    COPILOT_ENTITLEMENT_URL: string;
+};
+export declare function lookupGitHubIdentity(accessToken: string, enterpriseUrl?: string): Promise<{
+    login: any;
+    userId: number;
+}>;
+export declare function fetchEntitlement(info: AuthInput): Promise<any>;
+export declare function getBaseURL(info: AuthInput): Promise<any>;
+export declare function buildHeaders(init: RequestInit | undefined, info: AuthInput, isVision: boolean, isAgent: boolean): {
+    [k: string]: string;
+};
+export declare function resolveSelectedPoolAccount(pool: AccountPool, accountKey?: string, requestedRawModelId?: string): PoolAccount | null;
+export declare function refreshSelectedAccountBaseURL(accountKey: string): Promise<PoolAccount>;
+export declare function fetchWithSelectedAccount(input: RequestInfo | URL, init: RequestInit | undefined, selectedAccount: PoolAccount): Promise<Response>;

package/dist/auth.js

@@ -0,0 +1,195 @@
+import { API_VERSION } from "./constants.js";
+import { getSelectedAccountExpiredError, getSelectedAccountMissingError } from "./errors.js";
+import { readPool, resolveWinnerAccount, writePool } from "./pool.js";
+import { stripRoutingHeaders } from "./routing.js";
+import { applyBaseURLToRequestInput, getConversationMetadata, isValidBaseURL, normalizeDomain, normalizeHeaderObject, } from "./utils.js";
+export function getUrls(domain) {
+    const apiDomain = domain === "github.com" ? "api.github.com" : `api.${domain}`;
+    return {
+        DEVICE_CODE_URL: `https://${domain}/login/device/code`,
+        ACCESS_TOKEN_URL: `https://${domain}/login/oauth/access_token`,
+        COPILOT_ENTITLEMENT_URL: `https://${apiDomain}/copilot_internal/user`,
+    };
+}
+export async function lookupGitHubIdentity(accessToken, enterpriseUrl) {
+    const deployment = enterpriseUrl ? normalizeDomain(enterpriseUrl) : "github.com";
+    const apiDomain = deployment === "github.com" ? "api.github.com" : `api.${deployment}`;
+    const identityUrl = `https://${apiDomain}/user`;
+    const response = await fetch(identityUrl, {
+        method: "GET",
+        headers: {
+            Accept: "application/json",
+            Authorization: `Bearer ${accessToken}`,
+        },
+    });
+    if (!response.ok) {
+        throw new Error(`[opencode-copilot-cli-auth] Failed to lookup GitHub identity from ${identityUrl}: ${response.status} ${response.statusText}`);
+    }
+    const payload = await response.json();
+    const userId = Number(payload?.id);
+    if (!Number.isFinite(userId)) {
+        throw new Error("[opencode-copilot-cli-auth] Failed to lookup GitHub identity: response did not include a numeric user id.");
+    }
+    return {
+        login: typeof payload?.login === "string" ? payload.login : "",
+        userId,
+    };
+}
+export async function fetchEntitlement(info) {
+    const domain = info.enterpriseUrl ? normalizeDomain(info.enterpriseUrl) : "github.com";
+    const urls = getUrls(domain);
+    const response = await fetch(urls.COPILOT_ENTITLEMENT_URL, {
+        headers: {
+            Accept: "application/json",
+            Authorization: `Bearer ${info.refresh}`,
+            "User-Agent": "GithubCopilot/1.155.0",
+        },
+    });
+    if (!response.ok) {
+        throw new Error(`[opencode-copilot-cli-auth] Entitlement fetch failed: ${response.status}`);
+    }
+    return response.json();
+}
+export async function getBaseURL(info) {
+    if (info.baseUrl)
+        return info.baseUrl;
+    const entitlement = await fetchEntitlement(info);
+    return entitlement?.endpoints?.api;
+}
+function getHeader(headers, name) {
+    if (!headers)
+        return undefined;
+    const target = name.toLowerCase();
+    if (typeof Headers !== "undefined" && headers instanceof Headers) {
+        return headers.get(name) ?? headers.get(target) ?? undefined;
+    }
+    if (Array.isArray(headers)) {
+        const found = headers.find(([key]) => String(key).toLowerCase() === target);
+        return typeof found?.[1] === "string" ? found[1] : undefined;
+    }
+    for (const [key, value] of Object.entries(headers)) {
+        if (key.toLowerCase() === target) {
+            return value;
+        }
+    }
+    return undefined;
+}
+export function buildHeaders(init, info, isVision, isAgent) {
+    const explicitInitiator = getHeader(init?.headers, "x-initiator");
+    const headers = {
+        ...normalizeHeaderObject(init?.headers),
+        Authorization: `Bearer ${info.refresh}`,
+        "Copilot-Integration-Id": "copilot-developer-cli",
+        "Openai-Intent": "conversation-agent",
+        "User-Agent": "opencode-copilot-cli-auth/0.0.16",
+        "X-GitHub-Api-Version": API_VERSION,
+        "X-Initiator": explicitInitiator ?? (isAgent ? "agent" : "user"),
+        "X-Interaction-Id": crypto.randomUUID(),
+        "X-Interaction-Type": "conversation-agent",
+        "X-Request-Id": crypto.randomUUID(),
+    };
+    if (isVision) {
+        headers["Copilot-Vision-Request"] = "true";
+    }
+    delete headers["x-api-key"];
+    delete headers.authorization;
+    delete headers["x-initiator"];
+    return stripRoutingHeaders(headers);
+}
+export function resolveSelectedPoolAccount(pool, accountKey, requestedRawModelId) {
+    const accounts = Array.isArray(pool?.accounts) ? pool.accounts : [];
+    if (accounts.length === 0) {
+        return null;
+    }
+    let selectedAccount = null;
+    if (accountKey) {
+        const headerAccount = accounts.find((account) => account?.key === accountKey);
+        if (!headerAccount || headerAccount.enabled === false) {
+            throw getSelectedAccountMissingError();
+        }
+        selectedAccount = headerAccount;
+    }
+    if (requestedRawModelId) {
+        const winner = resolveWinnerAccount(requestedRawModelId, pool);
+        if (!winner) {
+            throw new Error(`[opencode-copilot-cli-auth] No eligible account found for model ${requestedRawModelId}; re-login required`);
+        }
+        if (selectedAccount && winner.key !== selectedAccount.key) {
+            throw new Error(`[opencode-copilot-cli-auth] Selected account cannot serve model ${requestedRawModelId}; re-login required`);
+        }
+        selectedAccount = winner;
+    }
+    if (!selectedAccount) {
+        throw new Error("[opencode-copilot-cli-auth] No eligible account found for routed request; re-login required");
+    }
+    if (selectedAccount.auth?.type !== "oauth"
+        || typeof selectedAccount.auth.refresh !== "string"
+        || !selectedAccount.auth.refresh.trim()) {
+        throw getSelectedAccountExpiredError(selectedAccount.key ?? "unknown");
+    }
+    return selectedAccount;
+}
+export async function refreshSelectedAccountBaseURL(accountKey) {
+    const currentPool = readPool();
+    const accountIndex = currentPool.accounts.findIndex((account) => account?.key === accountKey);
+    const currentAccount = accountIndex >= 0 ? currentPool.accounts[accountIndex] : null;
+    if (!currentAccount || currentAccount.enabled === false) {
+        throw getSelectedAccountMissingError();
+    }
+    if (currentAccount.auth?.type !== "oauth"
+        || typeof currentAccount.auth.refresh !== "string"
+        || !currentAccount.auth.refresh.trim()) {
+        throw getSelectedAccountExpiredError(currentAccount.key ?? accountKey ?? "unknown");
+    }
+    let entitlement;
+    try {
+        entitlement = await fetchEntitlement({
+            refresh: currentAccount.auth.refresh,
+            enterpriseUrl: currentAccount.enterpriseUrl ?? null,
+        });
+    }
+    catch {
+        throw getSelectedAccountExpiredError(currentAccount.key);
+    }
+    const nextBaseURL = entitlement?.endpoints?.api;
+    if (!isValidBaseURL(nextBaseURL)) {
+        throw getSelectedAccountExpiredError(currentAccount.key);
+    }
+    const updatedPool = {
+        ...currentPool,
+        accounts: currentPool.accounts.map((account, index) => index === accountIndex
+            ? {
+                ...account,
+                baseUrl: nextBaseURL,
+                updatedAt: new Date().toISOString(),
+            }
+            : account),
+    };
+    writePool(updatedPool);
+    return updatedPool.accounts[accountIndex];
+}
+export async function fetchWithSelectedAccount(input, init, selectedAccount) {
+    const { isVision, isAgent } = getConversationMetadata(init);
+    const dispatch = async (account) => {
+        const headers = buildHeaders(init, account.auth, isVision, isAgent);
+        const requestInput = applyBaseURLToRequestInput(input, account.baseUrl);
+        return fetch(requestInput, {
+            ...init,
+            headers,
+        });
+    };
+    let activeAccount = selectedAccount;
+    if (!isValidBaseURL(activeAccount.baseUrl)) {
+        activeAccount = await refreshSelectedAccountBaseURL(activeAccount.key);
+    }
+    const response = await dispatch(activeAccount);
+    if (![401, 403].includes(response.status)) {
+        return response;
+    }
+    const refreshedAccount = await refreshSelectedAccountBaseURL(activeAccount.key);
+    const retryResponse = await dispatch(refreshedAccount);
+    if ([401, 403].includes(retryResponse.status)) {
+        throw getSelectedAccountExpiredError(refreshedAccount.key);
+    }
+    return retryResponse;
+}

package/dist/constants.d.ts

@@ -0,0 +1,9 @@
+export declare const ACCOUNT_POOL_SCHEMA_VERSION = 1;
+export declare const ROUTING_ACCOUNT_KEY_HEADER = "x-opencode-copilot-account-key";
+export declare const ROUTING_SOURCE_HEADER = "x-opencode-copilot-route-source";
+export declare const INTERNAL_ROUTING_HEADERS: Set<string>;
+export declare const CLIENT_ID = "Ov23ctDVkRmgkPke0Mmm";
+export declare const API_VERSION = "2025-05-01";
+export declare const OAUTH_POLLING_SAFETY_MARGIN_MS = 3000;
+export declare const OAUTH_SCOPES = "read:user read:org repo gist";
+export declare const RESPONSES_API_ALTERNATE_INPUT_TYPES: readonly ["file_search_call", "computer_call", "computer_call_output", "web_search_call", "function_call", "function_call_output", "image_generation_call", "code_interpreter_call", "local_shell_call", "local_shell_call_output", "mcp_list_tools", "mcp_approval_request", "mcp_approval_response", "mcp_call", "reasoning"];

package/dist/constants.js

@@ -0,0 +1,28 @@
+export const ACCOUNT_POOL_SCHEMA_VERSION = 1;
+export const ROUTING_ACCOUNT_KEY_HEADER = "x-opencode-copilot-account-key";
+export const ROUTING_SOURCE_HEADER = "x-opencode-copilot-route-source";
+export const INTERNAL_ROUTING_HEADERS = new Set([
+    ROUTING_ACCOUNT_KEY_HEADER,
+    ROUTING_SOURCE_HEADER,
+]);
+export const CLIENT_ID = "Ov23ctDVkRmgkPke0Mmm";
+export const API_VERSION = "2025-05-01";
+export const OAUTH_POLLING_SAFETY_MARGIN_MS = 3000;
+export const OAUTH_SCOPES = "read:user read:org repo gist";
+export const RESPONSES_API_ALTERNATE_INPUT_TYPES = [
+    "file_search_call",
+    "computer_call",
+    "computer_call_output",
+    "web_search_call",
+    "function_call",
+    "function_call_output",
+    "image_generation_call",
+    "code_interpreter_call",
+    "local_shell_call",
+    "local_shell_call_output",
+    "mcp_list_tools",
+    "mcp_approval_request",
+    "mcp_approval_response",
+    "mcp_call",
+    "reasoning",
+];

package/dist/errors.d.ts

@@ -0,0 +1,2 @@
+export declare function getSelectedAccountMissingError(): Error;
+export declare function getSelectedAccountExpiredError(accountKey: string): Error;

package/dist/errors.js

@@ -0,0 +1,6 @@
+export function getSelectedAccountMissingError() {
+    return new Error("[opencode-copilot-cli-auth] Selected account is disabled or not found; re-login required");
+}
+export function getSelectedAccountExpiredError(accountKey) {
+    return new Error(`[opencode-copilot-cli-auth] Account auth expired for ${accountKey}; re-login required`);
+}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+import type { Plugin } from "@opencode-ai/plugin";
+import { lookupGitHubIdentity } from "./auth.js";
+import { deriveAccountKey, getPoolPath, readPool, resolveWinnerAccount, upsertAccount, writePool } from "./pool.js";
+import { injectRoutingHeaders, stripRoutingHeaders } from "./routing.js";
+export { getPoolPath, readPool, writePool, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveWinnerAccount };
+export { injectRoutingHeaders, stripRoutingHeaders };
+export declare const CopilotAuthPlugin: Plugin;