@gnahz77/opencode-copilot-multi-auth 0.1.1 → 0.1.3

package/README.md

@@ -12,7 +12,7 @@ Add the plugin to your `opencode` config:
 {
   "$schema": "https://opencode.ai/config.json",
   "plugin": [
-    "@gnahz77/opencode-copilot-multi-auth@0.1.1"
+    "@gnahz77/opencode-copilot-multi-auth@0.1.3"
   ]
 }
 ```
@@ -25,7 +25,7 @@ If you also want the TUI command support provided by this package, add the same
 {
   "$schema": "https://opencode.ai/tui.json",
   "plugin": [
-    "@gnahz77/opencode-copilot-multi-auth@0.1.1"
+    "@gnahz77/opencode-copilot-multi-auth@0.1.3"
   ]
 }
 ```
@@ -157,11 +157,13 @@ The pool stores one object per account under `accounts` in a `version: 1` docume
 | `id` | Stable human-friendly identifier stored with the account record. |
 | `name` | Display name for the account. |
 | `enabled` | Whether the account can participate in automatic routing. Disabled accounts stay stored but are ignored for winner selection. |
-| `priority` | Higher values win when multiple enabled accounts can serve the same raw model ID. |
-| `allowlist` | Exact raw model IDs this account is allowed to serve. If non-empty, the account can only serve models listed here. |
-| `blocklist` | Exact raw model IDs this account must never serve. If both `allowlist` and `blocklist` are non-empty, the plugin checks `allowlist` first and then applies `blocklist`. |
+| `priority` | Lower values win when multiple enabled accounts can serve the same raw model ID. |
+| `allowlist` | Raw model IDs or `*` wildcard patterns this account is allowed to serve. If non-empty, the account can only serve models that match one of these entries. |
+| `blocklist` | Raw model IDs or `*` wildcard patterns this account must never serve. If both `allowlist` and `blocklist` are non-empty, the plugin checks `allowlist` first and then applies `blocklist`. |
 
-Automatic routing works on the raw Copilot model IDs that `opencode` already uses. The plugin filters eligible accounts by `enabled`, then checks `allowlist` first (when non-empty, the model must be listed there), then applies `blocklist`, and finally picks exactly one winning account by highest `priority` (with a stable key-based tie-breaker). The model ID itself is not rewritten, so account identity does not appear in model IDs.
+Automatic routing works on the raw Copilot model IDs that `opencode` already uses. The plugin filters eligible accounts by `enabled`, then checks `allowlist` first (when non-empty, the model must match one of its exact entries or wildcard patterns), then applies `blocklist`, and finally picks exactly one winning account by lowest `priority` (with a stable key-based tie-breaker). The model ID itself is not rewritten, so account identity does not appear in model IDs.
+
+Wildcard matching is case-sensitive and currently supports `*` for zero or more characters anywhere in the pattern. For example, `claude-*` matches `claude-sonnet-4.6` and `claude-opus-4.6`.
 
 Example pool file:
 
@@ -175,7 +177,7 @@ Example pool file:
       "name": "Work",
       "enabled": true,
       "priority": 100,
-      "allowlist": ["claude-sonnet-4.6"],
+      "allowlist": ["claude-*"],
       "blocklist": [],
       "deployment": "github.com",
       "domain": "github.com",

package/dist/auth.d.ts

@@ -3,6 +3,7 @@ export declare function getUrls(domain: string): {
     DEVICE_CODE_URL: string;
     ACCESS_TOKEN_URL: string;
     COPILOT_ENTITLEMENT_URL: string;
+    COPILOT_TOKEN_URL: string;
 };
 export declare function lookupGitHubIdentity(accessToken: string, enterpriseUrl?: string): Promise<{
     login: any;
@@ -10,7 +11,8 @@ export declare function lookupGitHubIdentity(accessToken: string, enterpriseUrl?
 }>;
 export declare function fetchEntitlement(info: AuthInput): Promise<any>;
 export declare function getBaseURL(info: AuthInput): Promise<any>;
-export declare function buildHeaders(init: RequestInit | undefined, info: AuthInput, isVision: boolean, isAgent: boolean): {
+export declare function getCopilotToken(info: AuthInput, forceRefresh?: boolean): Promise<any>;
+export declare function buildHeaders(init: RequestInit | undefined, copilotToken: string, isVision: boolean, isAgent: boolean): {
     [k: string]: string;
 };
 export declare function resolveSelectedPoolAccount(pool: AccountPool, accountKey?: string, requestedRawModelId?: string): PoolAccount | null;

package/dist/auth.js

@@ -1,16 +1,25 @@
-import { API_VERSION } from "./constants.js";
+import { API_VERSION, COPILOT_TOKEN_EXPIRY_BUFFER_MS, DEFAULT_COPILOT_BASE_URL, VSCODE_HEADERS, } from "./constants.js";
 import { getSelectedAccountExpiredError, getSelectedAccountMissingError } from "./errors.js";
 import { readPool, resolveWinnerAccount, writePool } from "./pool.js";
 import { stripRoutingHeaders } from "./routing.js";
-import { applyBaseURLToRequestInput, getConversationMetadata, isValidBaseURL, normalizeDomain, } from "./utils.js";
+import { applyBaseURLToRequestInput, getConversationMetadata, isValidBaseURL, normalizeDomain, normalizeHeaderObject, } from "./utils.js";
 export function getUrls(domain) {
     const apiDomain = domain === "github.com" ? "api.github.com" : `api.${domain}`;
     return {
         DEVICE_CODE_URL: `https://${domain}/login/device/code`,
         ACCESS_TOKEN_URL: `https://${domain}/login/oauth/access_token`,
         COPILOT_ENTITLEMENT_URL: `https://${apiDomain}/copilot_internal/user`,
+        COPILOT_TOKEN_URL: `https://${apiDomain}/copilot_internal/v2/token`,
     };
 }
+const cachedCopilotTokens = new Map();
+function getCopilotTokenCacheKey(info) {
+    const domain = info.enterpriseUrl ? normalizeDomain(info.enterpriseUrl) : "github.com";
+    return `${domain}:${info.refresh}`;
+}
+function isReusableCopilotToken(token, expiresAt, now) {
+    return Boolean(token && expiresAt && expiresAt - COPILOT_TOKEN_EXPIRY_BUFFER_MS > now);
+}
 export async function lookupGitHubIdentity(accessToken, enterpriseUrl) {
     const deployment = enterpriseUrl ? normalizeDomain(enterpriseUrl) : "github.com";
     const apiDomain = deployment === "github.com" ? "api.github.com" : `api.${deployment}`;
@@ -42,7 +51,7 @@ export async function fetchEntitlement(info) {
         headers: {
             Accept: "application/json",
             Authorization: `Bearer ${info.refresh}`,
-            "User-Agent": "GithubCopilot/1.155.0",
+            ...VSCODE_HEADERS,
         },
     });
     if (!response.ok) {
@@ -54,7 +63,41 @@ export async function getBaseURL(info) {
     if (info.baseUrl)
         return info.baseUrl;
     const entitlement = await fetchEntitlement(info);
-    return entitlement?.endpoints?.api;
+    return entitlement?.endpoints?.api ?? DEFAULT_COPILOT_BASE_URL;
+}
+export async function getCopilotToken(info, forceRefresh = false) {
+    const now = Date.now();
+    if (!forceRefresh && isReusableCopilotToken(info.access, info.expires, now)) {
+        return info.access;
+    }
+    const cacheKey = getCopilotTokenCacheKey(info);
+    const cachedToken = cachedCopilotTokens.get(cacheKey);
+    if (!forceRefresh && cachedToken && isReusableCopilotToken(cachedToken.token, cachedToken.expiresAt, now)) {
+        return cachedToken.token;
+    }
+    const domain = info.enterpriseUrl ? normalizeDomain(info.enterpriseUrl) : "github.com";
+    const urls = getUrls(domain);
+    const response = await fetch(urls.COPILOT_TOKEN_URL, {
+        headers: {
+            Accept: "application/json",
+            Authorization: `Bearer ${info.refresh}`,
+            ...VSCODE_HEADERS,
+        },
+    });
+    if (!response.ok) {
+        throw new Error(`[opencode-copilot-cli-auth] Copilot token exchange failed: ${response.status}`);
+    }
+    const data = await response.json();
+    const token = typeof data?.token === "string" ? data.token : "";
+    const expiresAt = typeof data?.expires_at === "number" ? data.expires_at * 1000 : 0;
+    if (!token || !expiresAt) {
+        throw new Error("[opencode-copilot-cli-auth] Copilot token exchange returned an invalid payload.");
+    }
+    cachedCopilotTokens.set(cacheKey, {
+        token,
+        expiresAt,
+    });
+    return token;
 }
 function getHeader(headers, name) {
     if (!headers)
@@ -74,14 +117,13 @@ function getHeader(headers, name) {
     }
     return undefined;
 }
-export function buildHeaders(init, info, isVision, isAgent) {
+export function buildHeaders(init, copilotToken, isVision, isAgent) {
     const explicitInitiator = getHeader(init?.headers, "x-initiator");
     const headers = {
-        ...(init?.headers ?? {}),
-        Authorization: `Bearer ${info.refresh}`,
-        "Copilot-Integration-Id": "copilot-developer-cli",
+        ...normalizeHeaderObject(init?.headers),
+        Authorization: `Bearer ${copilotToken}`,
+        ...VSCODE_HEADERS,
         "Openai-Intent": "conversation-agent",
-        "User-Agent": "opencode-copilot-cli-auth/0.0.16",
         "X-GitHub-Api-Version": API_VERSION,
         "X-Initiator": explicitInitiator ?? (isAgent ? "agent" : "user"),
         "X-Interaction-Id": crypto.randomUUID(),
@@ -93,6 +135,7 @@ export function buildHeaders(init, info, isVision, isAgent) {
     }
     delete headers["x-api-key"];
     delete headers.authorization;
+    delete headers["authorization"];
     delete headers["x-initiator"];
     return stripRoutingHeaders(headers);
 }
@@ -170,8 +213,9 @@ export async function refreshSelectedAccountBaseURL(accountKey) {
 }
 export async function fetchWithSelectedAccount(input, init, selectedAccount) {
     const { isVision, isAgent } = getConversationMetadata(init);
-    const dispatch = async (account) => {
-        const headers = buildHeaders(init, account.auth, isVision, isAgent);
+    const dispatch = async (account, forceRefreshToken = false) => {
+        const copilotToken = await getCopilotToken(account.auth, forceRefreshToken);
+        const headers = buildHeaders(init, copilotToken, isVision, isAgent);
         const requestInput = applyBaseURLToRequestInput(input, account.baseUrl);
         return fetch(requestInput, {
             ...init,
@@ -187,7 +231,7 @@ export async function fetchWithSelectedAccount(input, init, selectedAccount) {
         return response;
     }
     const refreshedAccount = await refreshSelectedAccountBaseURL(activeAccount.key);
-    const retryResponse = await dispatch(refreshedAccount);
+    const retryResponse = await dispatch(refreshedAccount, true);
     if ([401, 403].includes(retryResponse.status)) {
         throw getSelectedAccountExpiredError(refreshedAccount.key);
     }

package/dist/constants.d.ts

@@ -2,8 +2,16 @@ export declare const ACCOUNT_POOL_SCHEMA_VERSION = 1;
 export declare const ROUTING_ACCOUNT_KEY_HEADER = "x-opencode-copilot-account-key";
 export declare const ROUTING_SOURCE_HEADER = "x-opencode-copilot-route-source";
 export declare const INTERNAL_ROUTING_HEADERS: Set<string>;
-export declare const CLIENT_ID = "Ov23ctDVkRmgkPke0Mmm";
+export declare const CLIENT_ID = "Iv1.b507a08c87ecfe98";
 export declare const API_VERSION = "2025-05-01";
 export declare const OAUTH_POLLING_SAFETY_MARGIN_MS = 3000;
 export declare const OAUTH_SCOPES = "read:user read:org repo gist";
+export declare const DEFAULT_COPILOT_BASE_URL = "https://api.githubcopilot.com";
+export declare const COPILOT_TOKEN_EXPIRY_BUFFER_MS: number;
+export declare const VSCODE_HEADERS: {
+    readonly "User-Agent": "GitHubCopilotChat/0.38.0";
+    readonly "Editor-Version": "vscode/1.110.1";
+    readonly "Editor-Plugin-Version": "copilot-chat/0.38.0";
+    readonly "Copilot-Integration-Id": "vscode-chat";
+};
 export declare const RESPONSES_API_ALTERNATE_INPUT_TYPES: readonly ["file_search_call", "computer_call", "computer_call_output", "web_search_call", "function_call", "function_call_output", "image_generation_call", "code_interpreter_call", "local_shell_call", "local_shell_call_output", "mcp_list_tools", "mcp_approval_request", "mcp_approval_response", "mcp_call", "reasoning"];

package/dist/constants.js

@@ -5,10 +5,18 @@ export const INTERNAL_ROUTING_HEADERS = new Set([
     ROUTING_ACCOUNT_KEY_HEADER,
     ROUTING_SOURCE_HEADER,
 ]);
-export const CLIENT_ID = "Ov23ctDVkRmgkPke0Mmm";
+export const CLIENT_ID = "Iv1.b507a08c87ecfe98";
 export const API_VERSION = "2025-05-01";
 export const OAUTH_POLLING_SAFETY_MARGIN_MS = 3000;
 export const OAUTH_SCOPES = "read:user read:org repo gist";
+export const DEFAULT_COPILOT_BASE_URL = "https://api.githubcopilot.com";
+export const COPILOT_TOKEN_EXPIRY_BUFFER_MS = 5 * 60 * 1000;
+export const VSCODE_HEADERS = {
+    "User-Agent": "GitHubCopilotChat/0.38.0",
+    "Editor-Version": "vscode/1.110.1",
+    "Editor-Plugin-Version": "copilot-chat/0.38.0",
+    "Copilot-Integration-Id": "vscode-chat",
+};
 export const RESPONSES_API_ALTERNATE_INPUT_TYPES = [
     "file_search_call",
     "computer_call",

package/dist/index.d.ts

@@ -1,5 +1,7 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import { lookupGitHubIdentity } from "./auth.js";
 import { deriveAccountKey, getPoolPath, readPool, resolveWinnerAccount, upsertAccount, writePool } from "./pool.js";
+import { injectRoutingHeaders, stripRoutingHeaders } from "./routing.js";
 export { getPoolPath, readPool, writePool, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveWinnerAccount };
+export { injectRoutingHeaders, stripRoutingHeaders };
 export declare const CopilotAuthPlugin: Plugin;

package/dist/index.js

@@ -1,9 +1,11 @@
 import { CLIENT_ID, OAUTH_POLLING_SAFETY_MARGIN_MS, OAUTH_SCOPES, ROUTING_ACCOUNT_KEY_HEADER, ROUTING_SOURCE_HEADER, } from "./constants.js";
-import { buildHeaders, fetchEntitlement, fetchWithSelectedAccount, getBaseURL, getUrls, lookupGitHubIdentity, resolveSelectedPoolAccount, } from "./auth.js";
+import { buildHeaders, fetchEntitlement, fetchWithSelectedAccount, getBaseURL, getCopilotToken, getUrls, lookupGitHubIdentity, resolveSelectedPoolAccount, } from "./auth.js";
 import { buildPoolBackedModels, normalizeExistingModels, resolveProviderModels } from "./models.js";
 import { deriveAccountKey, getPoolPath, readPool, resolveWinnerAccount, upsertAccount, writePool, } from "./pool.js";
-import { getHeader, getConversationMetadata, getRequestedRawModelId, normalizeDomain, resolveClaudeThinkingBudget, } from "./utils.js";
+import { injectRoutingHeaders, stripRoutingHeaders } from "./routing.js";
+import { applyBaseURLToRequestInput, getHeader, getConversationMetadata, getRequestedRawModelId, normalizeDomain, resolveClaudeThinkingBudget, } from "./utils.js";
 export { getPoolPath, readPool, writePool, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveWinnerAccount };
+export { injectRoutingHeaders, stripRoutingHeaders };
 export const CopilotAuthPlugin = async (input) => {
     return {
         provider: {
@@ -67,8 +69,10 @@ export const CopilotAuthPlugin = async (input) => {
                             return fetch(inputRequest, init);
                         }
                         const { isVision, isAgent } = getConversationMetadata(init);
-                        const headers = buildHeaders(init, auth, isVision, isAgent);
-                        return fetch(inputRequest, {
+                        const copilotToken = await getCopilotToken(auth);
+                        const headers = buildHeaders(init, copilotToken, isVision, isAgent);
+                        const requestInput = applyBaseURLToRequestInput(inputRequest, baseURL);
+                        return fetch(requestInput, {
                             ...init,
                             headers,
                         });

package/dist/models.d.ts

@@ -130,5 +130,64 @@ export declare function resolveProviderModels(existingModels: Record<string, SDK
     };
 }>;
 export declare function buildPoolBackedModels(existingModels: Record<string, SDKModel> | undefined, pool: AccountPool): Promise<{
-    [k: string]: SDKModel;
+    [k: string]: {
+        cost: {
+            input: number;
+            output: number;
+            cache: {
+                read: number;
+                write: number;
+            };
+        };
+        api: {
+            url: string;
+            npm: string;
+            id: string;
+        };
+        id: string;
+        providerID: string;
+        name: string;
+        family?: string;
+        capabilities: {
+            temperature: boolean;
+            reasoning: boolean;
+            attachment: boolean;
+            toolcall: boolean;
+            input: {
+                text: boolean;
+                audio: boolean;
+                image: boolean;
+                video: boolean;
+                pdf: boolean;
+            };
+            output: {
+                text: boolean;
+                audio: boolean;
+                image: boolean;
+                video: boolean;
+                pdf: boolean;
+            };
+            interleaved: boolean | {
+                field: "reasoning_content" | "reasoning_details";
+            };
+        };
+        limit: {
+            context: number;
+            input?: number;
+            output: number;
+        };
+        status: "alpha" | "beta" | "deprecated" | "active";
+        options: {
+            [key: string]: unknown;
+        };
+        headers: {
+            [key: string]: string;
+        };
+        release_date: string;
+        variants?: {
+            [key: string]: {
+                [key: string]: unknown;
+            };
+        };
+    };
 }>;

package/dist/models.js

@@ -1,14 +1,15 @@
-import { getBaseURL } from "./auth.js";
+import { getBaseURL, getCopilotToken } from "./auth.js";
+import { API_VERSION, VSCODE_HEADERS } from "./constants.js";
 import { resolveWinnerAccount } from "./pool.js";
 import { getReleaseDate, isPickerModel, zeroCost } from "./utils.js";
 export async function fetchModels(info, baseURL) {
+    const copilotToken = await getCopilotToken(info);
     const response = await fetch(`${baseURL}/models`, {
         headers: {
-            Authorization: `Bearer ${info.refresh}`,
-            "Copilot-Integration-Id": "copilot-developer-cli",
+            Authorization: `Bearer ${copilotToken}`,
+            ...VSCODE_HEADERS,
             "Openai-Intent": "model-access",
-            "User-Agent": "opencode-copilot-cli-auth/0.0.16",
-            "X-GitHub-Api-Version": "2025-05-01",
+            "X-GitHub-Api-Version": API_VERSION,
             "X-Interaction-Type": "model-access",
             "X-Request-Id": crypto.randomUUID(),
         },
@@ -115,7 +116,7 @@ export async function buildPoolBackedModels(existingModels, pool) {
     const enabledAccounts = (Array.isArray(pool?.accounts) ? pool.accounts : [])
         .filter((account) => account?.enabled !== false);
     if (enabledAccounts.length === 0) {
-        return {};
+        return normalizeExistingModels(existingModels);
     }
     const candidatesByModel = new Map();
     for (const account of enabledAccounts) {
@@ -138,6 +139,9 @@ export async function buildPoolBackedModels(existingModels, pool) {
         }
     }
     const existingById = new Map(Object.values(existingModels ?? {}).map((model) => [model?.api?.id ?? model?.id, model]));
+    if (candidatesByModel.size === 0) {
+        return normalizeExistingModels(existingModels);
+    }
     return Object.fromEntries([...candidatesByModel.entries()]
         .sort(([left], [right]) => left.localeCompare(right))
         .map(([rawModelId, { liveModel, baseURL }]) => [

package/dist/pool.js

@@ -2,7 +2,7 @@ import { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, writeFileSy
 import { homedir } from "os";
 import { dirname } from "path";
 import { ACCOUNT_POOL_SCHEMA_VERSION } from "./constants.js";
-import { normalizeDomain, normalizeIdSource, normalizeList, normalizePriority, preserveStringOrDefault } from "./utils.js";
+import { matchesAnyModelIdPattern, normalizeDomain, normalizeIdSource, normalizeList, normalizePriority, preserveStringOrDefault, } from "./utils.js";
 export function getPoolPath() {
     return `${homedir()}/.local/share/opencode/copilot-auth.json`;
 }
@@ -137,17 +137,17 @@ export function upsertAccount(pool, accountData) {
 export function resolveWinnerAccount(rawModelId, pool) {
     const canAccountServeModel = (account) => {
         const allowlist = normalizeList(account?.allowlist);
-        if (allowlist.length > 0 && !allowlist.includes(rawModelId)) {
+        if (allowlist.length > 0 && !matchesAnyModelIdPattern(allowlist, rawModelId)) {
             return false;
         }
         const blocklist = normalizeList(account?.blocklist);
-        return !blocklist.includes(rawModelId);
+        return !matchesAnyModelIdPattern(blocklist, rawModelId);
     };
     const candidates = (Array.isArray(pool?.accounts) ? pool.accounts : [])
         .filter((account) => account?.enabled !== false)
         .filter(canAccountServeModel)
         .sort((left, right) => {
-        const priorityDelta = normalizePriority(right?.priority) - normalizePriority(left?.priority);
+        const priorityDelta = normalizePriority(left?.priority) - normalizePriority(right?.priority);
         if (priorityDelta !== 0) {
             return priorityDelta;
         }

package/dist/types.d.ts

@@ -111,6 +111,8 @@ export interface ProviderModel {
 export type HeaderObject = Headers | Array<[string, string]> | Record<string, string> | undefined;
 export interface AuthInput {
     refresh: string;
+    access?: string;
+    expires?: number;
     enterpriseUrl?: string | null;
     baseUrl?: string | null;
     type?: string;

package/dist/utils.d.ts

@@ -1,6 +1,8 @@
 import type { ConversationMetadata, HeaderObject } from "./types.js";
 export declare function normalizeHeaderObject(headers: HeaderObject): Record<string, string>;
 export declare function normalizeList(value: unknown): string[];
+export declare function matchesModelIdPattern(pattern: unknown, rawModelId: string): boolean;
+export declare function matchesAnyModelIdPattern(patterns: unknown, rawModelId: string): boolean;
 export declare function normalizePriority(value: unknown): number;
 export declare function normalizeDomain(urlOrDomain: unknown): string;
 export declare function normalizeIdSource(value: unknown): string;

package/dist/utils.js

@@ -28,6 +28,19 @@ export function normalizeHeaderObject(headers) {
 export function normalizeList(value) {
     return Array.isArray(value) ? value : [];
 }
+function escapeRegex(value) {
+    return value.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+}
+export function matchesModelIdPattern(pattern, rawModelId) {
+    if (typeof pattern !== "string") {
+        return false;
+    }
+    const matcher = new RegExp(`^${escapeRegex(pattern).replaceAll("*", ".*")}$`);
+    return matcher.test(rawModelId);
+}
+export function matchesAnyModelIdPattern(patterns, rawModelId) {
+    return normalizeList(patterns).some((pattern) => matchesModelIdPattern(pattern, rawModelId));
+}
 export function normalizePriority(value) {
     return Number.isInteger(value) ? value : 0;
 }

package/index.mjs

@@ -2,9 +2,11 @@ export {
   CopilotAuthPlugin,
   deriveAccountKey,
   getPoolPath,
+  injectRoutingHeaders,
   lookupGitHubIdentity,
   readPool,
   resolveWinnerAccount,
+  stripRoutingHeaders,
   upsertAccount,
   writePool,
 } from "./dist/index.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gnahz77/opencode-copilot-multi-auth",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",