@gnahz77/opencode-copilot-multi-auth 0.1.2 → 0.1.4

package/README.md

@@ -12,7 +12,7 @@ Add the plugin to your `opencode` config:
 {
   "$schema": "https://opencode.ai/config.json",
   "plugin": [
-    "@gnahz77/opencode-copilot-multi-auth@0.1.2"
+    "@gnahz77/opencode-copilot-multi-auth@0.1.4"
   ]
 }
 ```
@@ -25,13 +25,16 @@ If you also want the TUI command support provided by this package, add the same
 {
   "$schema": "https://opencode.ai/tui.json",
   "plugin": [
-    "@gnahz77/opencode-copilot-multi-auth@0.1.2"
+    "@gnahz77/opencode-copilot-multi-auth@0.1.4"
   ]
 }
 ```
 
 After restarting OpenCode TUI, you can open the command palette and run `copilot-usage`, or type `/copilot-usage`.
-The plugin will open a popup dialog showing all accounts currently stored in `~/.local/share/opencode/copilot-auth.json`.
+The plugin will open a popup dialog showing all accounts currently loaded from split local storage:
+
+- OAuth/account data: `~/.local/share/opencode/copilot-auth.json`
+- Per-account routing policy: `~/.config/opencode/copilot-auth.json`
 
 For local development before publishing, you can load the file directly:
 
@@ -66,7 +69,9 @@ This package now includes a TUI command named `copilot-usage`.
 
 What it does:
 
-- Reads every Copilot account stored in `~/.local/share/opencode/copilot-auth.json`
+- Reads every Copilot account from the merged local pool assembled from:
+  - `~/.local/share/opencode/copilot-auth.json` (OAuth/account data)
+  - `~/.config/opencode/copilot-auth.json` (routing policy)
 - Calls the GitHub Copilot entitlement endpoint `/copilot_internal/user` for each account using that account's OAuth token
 - Opens a popup dialog showing, for each account:
   - account name
@@ -147,10 +152,16 @@ The plugin intentionally does not try to change the `opencode` core UI. So the v
 
 ## Multi-Account Support
 
-This fork can keep a pool of Copilot logins in `~/.local/share/opencode/copilot-auth.json`.
+This fork keeps Copilot account state in split local files:
+
+- OAuth-required account data in `~/.local/share/opencode/copilot-auth.json`
+- Per-account routing policy in `~/.config/opencode/copilot-auth.json`
+
+On startup, the plugin automatically migrates legacy single-file storage into this two-file layout.
+
 Each successful OAuth login updates that pool automatically: logging in with a new deployment-scoped account appends a new record, and logging in again with the same GitHub identity on the same deployment updates the existing record instead of creating a duplicate.
 
-The pool stores one object per account under `accounts` in a `version: 1` document.
+At runtime, the plugin merges both files into the same in-memory `version: 2` pool shape (`accounts`) used for routing.
 
 | Field | Meaning |
 | --- | --- |
@@ -165,20 +176,14 @@ Automatic routing works on the raw Copilot model IDs that `opencode` already use
 
 Wildcard matching is case-sensitive and currently supports `*` for zero or more characters anywhere in the pattern. For example, `claude-*` matches `claude-sonnet-4.6` and `claude-opus-4.6`.
 
-Example pool file:
+Example auth file (`~/.local/share/opencode/copilot-auth.json`):
 
 ```json
 {
-  "version": 1,
+  "version": 2,
   "accounts": [
     {
       "key": "github.com:12345678",
-      "id": "work",
-      "name": "Work",
-      "enabled": true,
-      "priority": 100,
-      "allowlist": ["claude-*"],
-      "blocklist": [],
       "deployment": "github.com",
       "domain": "github.com",
       "baseUrl": "https://api.githubcopilot.com",
@@ -196,3 +201,20 @@ Example pool file:
   ]
 }
 ```
+
+Example policy file (`~/.config/opencode/copilot-auth.json`):
+
+```json
+{
+  "version": 2,
+  "accounts": [
+    {
+      "key": "github.com:12345678",
+      "enabled": true,
+      "priority": 100,
+      "allowlist": ["claude-*"],
+      "blocklist": []
+    }
+  ]
+}
+```

package/dist/auth.d.ts

@@ -3,6 +3,7 @@ export declare function getUrls(domain: string): {
     DEVICE_CODE_URL: string;
     ACCESS_TOKEN_URL: string;
     COPILOT_ENTITLEMENT_URL: string;
+    COPILOT_TOKEN_URL: string;
 };
 export declare function lookupGitHubIdentity(accessToken: string, enterpriseUrl?: string): Promise<{
     login: any;
@@ -10,7 +11,8 @@ export declare function lookupGitHubIdentity(accessToken: string, enterpriseUrl?
 }>;
 export declare function fetchEntitlement(info: AuthInput): Promise<any>;
 export declare function getBaseURL(info: AuthInput): Promise<any>;
-export declare function buildHeaders(init: RequestInit | undefined, info: AuthInput, isVision: boolean, isAgent: boolean): {
+export declare function getCopilotToken(info: AuthInput, forceRefresh?: boolean): Promise<any>;
+export declare function buildHeaders(init: RequestInit | undefined, copilotToken: string, isVision: boolean, isAgent: boolean): {
     [k: string]: string;
 };
 export declare function resolveSelectedPoolAccount(pool: AccountPool, accountKey?: string, requestedRawModelId?: string): PoolAccount | null;

package/dist/auth.js

@@ -1,6 +1,6 @@
-import { API_VERSION } from "./constants.js";
+import { API_VERSION, COPILOT_TOKEN_EXPIRY_BUFFER_MS, DEFAULT_COPILOT_BASE_URL, VSCODE_HEADERS, } from "./constants.js";
 import { getSelectedAccountExpiredError, getSelectedAccountMissingError } from "./errors.js";
-import { readPool, resolveWinnerAccount, writePool } from "./pool.js";
+import { readPool, resolveWinnerAccount, writePoolAuthData } from "./pool.js";
 import { stripRoutingHeaders } from "./routing.js";
 import { applyBaseURLToRequestInput, getConversationMetadata, isValidBaseURL, normalizeDomain, normalizeHeaderObject, } from "./utils.js";
 export function getUrls(domain) {
@@ -9,8 +9,17 @@ export function getUrls(domain) {
         DEVICE_CODE_URL: `https://${domain}/login/device/code`,
         ACCESS_TOKEN_URL: `https://${domain}/login/oauth/access_token`,
         COPILOT_ENTITLEMENT_URL: `https://${apiDomain}/copilot_internal/user`,
+        COPILOT_TOKEN_URL: `https://${apiDomain}/copilot_internal/v2/token`,
     };
 }
+const cachedCopilotTokens = new Map();
+function getCopilotTokenCacheKey(info) {
+    const domain = info.enterpriseUrl ? normalizeDomain(info.enterpriseUrl) : "github.com";
+    return `${domain}:${info.refresh}`;
+}
+function isReusableCopilotToken(token, expiresAt, now) {
+    return Boolean(token && expiresAt && expiresAt - COPILOT_TOKEN_EXPIRY_BUFFER_MS > now);
+}
 export async function lookupGitHubIdentity(accessToken, enterpriseUrl) {
     const deployment = enterpriseUrl ? normalizeDomain(enterpriseUrl) : "github.com";
     const apiDomain = deployment === "github.com" ? "api.github.com" : `api.${deployment}`;
@@ -42,7 +51,7 @@ export async function fetchEntitlement(info) {
         headers: {
             Accept: "application/json",
             Authorization: `Bearer ${info.refresh}`,
-            "User-Agent": "GithubCopilot/1.155.0",
+            ...VSCODE_HEADERS,
         },
     });
     if (!response.ok) {
@@ -54,7 +63,41 @@ export async function getBaseURL(info) {
     if (info.baseUrl)
         return info.baseUrl;
     const entitlement = await fetchEntitlement(info);
-    return entitlement?.endpoints?.api;
+    return entitlement?.endpoints?.api ?? DEFAULT_COPILOT_BASE_URL;
+}
+export async function getCopilotToken(info, forceRefresh = false) {
+    const now = Date.now();
+    if (!forceRefresh && isReusableCopilotToken(info.access, info.expires, now)) {
+        return info.access;
+    }
+    const cacheKey = getCopilotTokenCacheKey(info);
+    const cachedToken = cachedCopilotTokens.get(cacheKey);
+    if (!forceRefresh && cachedToken && isReusableCopilotToken(cachedToken.token, cachedToken.expiresAt, now)) {
+        return cachedToken.token;
+    }
+    const domain = info.enterpriseUrl ? normalizeDomain(info.enterpriseUrl) : "github.com";
+    const urls = getUrls(domain);
+    const response = await fetch(urls.COPILOT_TOKEN_URL, {
+        headers: {
+            Accept: "application/json",
+            Authorization: `Bearer ${info.refresh}`,
+            ...VSCODE_HEADERS,
+        },
+    });
+    if (!response.ok) {
+        throw new Error(`[opencode-copilot-cli-auth] Copilot token exchange failed: ${response.status}`);
+    }
+    const data = await response.json();
+    const token = typeof data?.token === "string" ? data.token : "";
+    const expiresAt = typeof data?.expires_at === "number" ? data.expires_at * 1000 : 0;
+    if (!token || !expiresAt) {
+        throw new Error("[opencode-copilot-cli-auth] Copilot token exchange returned an invalid payload.");
+    }
+    cachedCopilotTokens.set(cacheKey, {
+        token,
+        expiresAt,
+    });
+    return token;
 }
 function getHeader(headers, name) {
     if (!headers)
@@ -74,14 +117,13 @@ function getHeader(headers, name) {
     }
     return undefined;
 }
-export function buildHeaders(init, info, isVision, isAgent) {
+export function buildHeaders(init, copilotToken, isVision, isAgent) {
     const explicitInitiator = getHeader(init?.headers, "x-initiator");
     const headers = {
         ...normalizeHeaderObject(init?.headers),
-        Authorization: `Bearer ${info.refresh}`,
-        "Copilot-Integration-Id": "copilot-developer-cli",
+        Authorization: `Bearer ${copilotToken}`,
+        ...VSCODE_HEADERS,
         "Openai-Intent": "conversation-agent",
-        "User-Agent": "opencode-copilot-cli-auth/0.0.16",
         "X-GitHub-Api-Version": API_VERSION,
         "X-Initiator": explicitInitiator ?? (isAgent ? "agent" : "user"),
         "X-Interaction-Id": crypto.randomUUID(),
@@ -93,6 +135,7 @@ export function buildHeaders(init, info, isVision, isAgent) {
     }
     delete headers["x-api-key"];
     delete headers.authorization;
+    delete headers["authorization"];
     delete headers["x-initiator"];
     return stripRoutingHeaders(headers);
 }
@@ -165,13 +208,14 @@ export async function refreshSelectedAccountBaseURL(accountKey) {
             }
             : account),
     };
-    writePool(updatedPool);
+    writePoolAuthData(updatedPool);
     return updatedPool.accounts[accountIndex];
 }
 export async function fetchWithSelectedAccount(input, init, selectedAccount) {
     const { isVision, isAgent } = getConversationMetadata(init);
-    const dispatch = async (account) => {
-        const headers = buildHeaders(init, account.auth, isVision, isAgent);
+    const dispatch = async (account, forceRefreshToken = false) => {
+        const copilotToken = await getCopilotToken(account.auth, forceRefreshToken);
+        const headers = buildHeaders(init, copilotToken, isVision, isAgent);
         const requestInput = applyBaseURLToRequestInput(input, account.baseUrl);
         return fetch(requestInput, {
             ...init,
@@ -187,7 +231,7 @@ export async function fetchWithSelectedAccount(input, init, selectedAccount) {
         return response;
     }
     const refreshedAccount = await refreshSelectedAccountBaseURL(activeAccount.key);
-    const retryResponse = await dispatch(refreshedAccount);
+    const retryResponse = await dispatch(refreshedAccount, true);
     if ([401, 403].includes(retryResponse.status)) {
         throw getSelectedAccountExpiredError(refreshedAccount.key);
     }

package/dist/constants.d.ts

@@ -1,9 +1,17 @@
-export declare const ACCOUNT_POOL_SCHEMA_VERSION = 1;
+export declare const ACCOUNT_POOL_SCHEMA_VERSION = 2;
 export declare const ROUTING_ACCOUNT_KEY_HEADER = "x-opencode-copilot-account-key";
 export declare const ROUTING_SOURCE_HEADER = "x-opencode-copilot-route-source";
 export declare const INTERNAL_ROUTING_HEADERS: Set<string>;
-export declare const CLIENT_ID = "Ov23ctDVkRmgkPke0Mmm";
+export declare const CLIENT_ID = "Iv1.b507a08c87ecfe98";
 export declare const API_VERSION = "2025-05-01";
 export declare const OAUTH_POLLING_SAFETY_MARGIN_MS = 3000;
 export declare const OAUTH_SCOPES = "read:user read:org repo gist";
+export declare const DEFAULT_COPILOT_BASE_URL = "https://api.githubcopilot.com";
+export declare const COPILOT_TOKEN_EXPIRY_BUFFER_MS: number;
+export declare const VSCODE_HEADERS: {
+    readonly "User-Agent": "GitHubCopilotChat/0.38.0";
+    readonly "Editor-Version": "vscode/1.110.1";
+    readonly "Editor-Plugin-Version": "copilot-chat/0.38.0";
+    readonly "Copilot-Integration-Id": "vscode-chat";
+};
 export declare const RESPONSES_API_ALTERNATE_INPUT_TYPES: readonly ["file_search_call", "computer_call", "computer_call_output", "web_search_call", "function_call", "function_call_output", "image_generation_call", "code_interpreter_call", "local_shell_call", "local_shell_call_output", "mcp_list_tools", "mcp_approval_request", "mcp_approval_response", "mcp_call", "reasoning"];

package/dist/constants.js

@@ -1,14 +1,22 @@
-export const ACCOUNT_POOL_SCHEMA_VERSION = 1;
+export const ACCOUNT_POOL_SCHEMA_VERSION = 2;
 export const ROUTING_ACCOUNT_KEY_HEADER = "x-opencode-copilot-account-key";
 export const ROUTING_SOURCE_HEADER = "x-opencode-copilot-route-source";
 export const INTERNAL_ROUTING_HEADERS = new Set([
     ROUTING_ACCOUNT_KEY_HEADER,
     ROUTING_SOURCE_HEADER,
 ]);
-export const CLIENT_ID = "Ov23ctDVkRmgkPke0Mmm";
+export const CLIENT_ID = "Iv1.b507a08c87ecfe98";
 export const API_VERSION = "2025-05-01";
 export const OAUTH_POLLING_SAFETY_MARGIN_MS = 3000;
 export const OAUTH_SCOPES = "read:user read:org repo gist";
+export const DEFAULT_COPILOT_BASE_URL = "https://api.githubcopilot.com";
+export const COPILOT_TOKEN_EXPIRY_BUFFER_MS = 5 * 60 * 1000;
+export const VSCODE_HEADERS = {
+    "User-Agent": "GitHubCopilotChat/0.38.0",
+    "Editor-Version": "vscode/1.110.1",
+    "Editor-Plugin-Version": "copilot-chat/0.38.0",
+    "Copilot-Integration-Id": "vscode-chat",
+};
 export const RESPONSES_API_ALTERNATE_INPUT_TYPES = [
     "file_search_call",
     "computer_call",

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import { lookupGitHubIdentity } from "./auth.js";
-import { deriveAccountKey, getPoolPath, readPool, resolveWinnerAccount, upsertAccount, writePool } from "./pool.js";
+import { deriveAccountKey, getPolicyPath, getPoolPath, migrateLegacyPoolStorageIfNeeded, readPool, resolveWinnerAccount, upsertAccount, writePool } from "./pool.js";
 import { injectRoutingHeaders, stripRoutingHeaders } from "./routing.js";
-export { getPoolPath, readPool, writePool, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveWinnerAccount };
+export { getPoolPath, getPolicyPath, readPool, writePool, migrateLegacyPoolStorageIfNeeded, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveWinnerAccount, };
 export { injectRoutingHeaders, stripRoutingHeaders };
 export declare const CopilotAuthPlugin: Plugin;

package/dist/index.js

@@ -1,12 +1,18 @@
 import { CLIENT_ID, OAUTH_POLLING_SAFETY_MARGIN_MS, OAUTH_SCOPES, ROUTING_ACCOUNT_KEY_HEADER, ROUTING_SOURCE_HEADER, } from "./constants.js";
-import { buildHeaders, fetchEntitlement, fetchWithSelectedAccount, getBaseURL, getUrls, lookupGitHubIdentity, resolveSelectedPoolAccount, } from "./auth.js";
+import { buildHeaders, fetchEntitlement, fetchWithSelectedAccount, getBaseURL, getCopilotToken, getUrls, lookupGitHubIdentity, resolveSelectedPoolAccount, } from "./auth.js";
 import { buildPoolBackedModels, normalizeExistingModels, resolveProviderModels } from "./models.js";
-import { deriveAccountKey, getPoolPath, readPool, resolveWinnerAccount, upsertAccount, writePool, } from "./pool.js";
+import { deriveAccountKey, getPolicyPath, getPoolPath, migrateLegacyPoolStorageIfNeeded, readPool, resolveWinnerAccount, upsertAccount, writePool, } from "./pool.js";
 import { injectRoutingHeaders, stripRoutingHeaders } from "./routing.js";
-import { getHeader, getConversationMetadata, getRequestedRawModelId, normalizeDomain, resolveClaudeThinkingBudget, } from "./utils.js";
-export { getPoolPath, readPool, writePool, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveWinnerAccount };
+import { applyBaseURLToRequestInput, getHeader, getConversationMetadata, getRequestedRawModelId, normalizeDomain, resolveClaudeThinkingBudget, } from "./utils.js";
+export { getPoolPath, getPolicyPath, readPool, writePool, migrateLegacyPoolStorageIfNeeded, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveWinnerAccount, };
 export { injectRoutingHeaders, stripRoutingHeaders };
 export const CopilotAuthPlugin = async (input) => {
+    try {
+        migrateLegacyPoolStorageIfNeeded();
+    }
+    catch (error) {
+        console.warn("[opencode-copilot-cli-auth] Failed to run pool storage migration:", error instanceof Error ? error.message : String(error));
+    }
     return {
         provider: {
             id: "github-copilot",
@@ -69,8 +75,10 @@ export const CopilotAuthPlugin = async (input) => {
                             return fetch(inputRequest, init);
                         }
                         const { isVision, isAgent } = getConversationMetadata(init);
-                        const headers = buildHeaders(init, auth, isVision, isAgent);
-                        return fetch(inputRequest, {
+                        const copilotToken = await getCopilotToken(auth);
+                        const headers = buildHeaders(init, copilotToken, isVision, isAgent);
+                        const requestInput = applyBaseURLToRequestInput(inputRequest, baseURL);
+                        return fetch(requestInput, {
                             ...init,
                             headers,
                         });

package/dist/models.js

@@ -1,14 +1,15 @@
-import { getBaseURL } from "./auth.js";
+import { getBaseURL, getCopilotToken } from "./auth.js";
+import { API_VERSION, VSCODE_HEADERS } from "./constants.js";
 import { resolveWinnerAccount } from "./pool.js";
 import { getReleaseDate, isPickerModel, zeroCost } from "./utils.js";
 export async function fetchModels(info, baseURL) {
+    const copilotToken = await getCopilotToken(info);
     const response = await fetch(`${baseURL}/models`, {
         headers: {
-            Authorization: `Bearer ${info.refresh}`,
-            "Copilot-Integration-Id": "copilot-developer-cli",
+            Authorization: `Bearer ${copilotToken}`,
+            ...VSCODE_HEADERS,
             "Openai-Intent": "model-access",
-            "User-Agent": "opencode-copilot-cli-auth/0.0.16",
-            "X-GitHub-Api-Version": "2025-05-01",
+            "X-GitHub-Api-Version": API_VERSION,
             "X-Interaction-Type": "model-access",
             "X-Request-Id": crypto.randomUUID(),
         },

package/dist/pool.d.ts

@@ -1,8 +1,11 @@
 import type { AccountPool, PoolAccount, UpsertAccountData } from "./types.js";
 export declare function getPoolPath(): string;
+export declare function getPolicyPath(): string;
 export declare function validatePoolSchema(pool: unknown, context: string): AccountPool;
 export declare function readPool(): AccountPool;
 export declare function writePool(pool: AccountPool): void;
+export declare function writePoolAuthData(pool: AccountPool): void;
+export declare function migrateLegacyPoolStorageIfNeeded(): void;
 export declare function deriveAccountKey(deployment: string, userId: number): string;
 export declare function upsertAccount(pool: AccountPool, accountData: UpsertAccountData): AccountPool;
 export declare function resolveWinnerAccount(rawModelId: string, pool: AccountPool): PoolAccount;

package/dist/pool.js

@@ -6,44 +6,344 @@ import { matchesAnyModelIdPattern, normalizeDomain, normalizeIdSource, normalize
 export function getPoolPath() {
     return `${homedir()}/.local/share/opencode/copilot-auth.json`;
 }
-export function validatePoolSchema(pool, context) {
-    if (!pool
-        || typeof pool !== "object"
-        || pool.version !== ACCOUNT_POOL_SCHEMA_VERSION
-        || !Array.isArray(pool.accounts)) {
+export function getPolicyPath() {
+    return `${homedir()}/.config/opencode/copilot-auth.json`;
+}
+function assertObject(value, context) {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected object.`);
+    }
+    return value;
+}
+function assertString(value, context) {
+    if (typeof value !== "string") {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected string.`);
+    }
+    return value;
+}
+function assertNumber(value, context) {
+    if (typeof value !== "number" || !Number.isFinite(value)) {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected finite number.`);
+    }
+    return value;
+}
+function assertBoolean(value, context) {
+    if (typeof value !== "boolean") {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected boolean.`);
+    }
+    return value;
+}
+function assertNullableString(value, context) {
+    if (value === null) {
+        return null;
+    }
+    return assertString(value, context);
+}
+function assertStringArray(value, context) {
+    if (!Array.isArray(value) || value.some((item) => typeof item !== "string")) {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected string[].`);
+    }
+    return value;
+}
+function parsePoolIdentity(value, context) {
+    const identityObject = assertObject(value, context);
+    return {
+        login: assertString(identityObject.login, `${context}.login`),
+        userId: assertNumber(identityObject.userId, `${context}.userId`),
+    };
+}
+function parseOAuthAuth(value, context) {
+    const authObject = assertObject(value, context);
+    if (authObject.type !== "oauth") {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}.type: expected \"oauth\".`);
+    }
+    const parsed = {
+        type: "oauth",
+        refresh: assertString(authObject.refresh, `${context}.refresh`),
+    };
+    if (typeof authObject.access === "string") {
+        parsed.access = authObject.access;
+    }
+    if (typeof authObject.expires === "number" && Number.isFinite(authObject.expires)) {
+        parsed.expires = authObject.expires;
+    }
+    if (authObject.baseUrl === null || typeof authObject.baseUrl === "string") {
+        parsed.baseUrl = authObject.baseUrl;
+    }
+    if (typeof authObject.provider === "string") {
+        parsed.provider = authObject.provider;
+    }
+    if (typeof authObject.enterpriseUrl === "string") {
+        parsed.enterpriseUrl = authObject.enterpriseUrl;
+    }
+    return parsed;
+}
+function parseAuthPoolAccount(value, context) {
+    const account = assertObject(value, context);
+    return {
+        key: assertString(account.key, `${context}.key`),
+        deployment: assertString(account.deployment, `${context}.deployment`),
+        domain: assertString(account.domain, `${context}.domain`),
+        identity: parsePoolIdentity(account.identity, `${context}.identity`),
+        enterpriseUrl: assertNullableString(account.enterpriseUrl, `${context}.enterpriseUrl`),
+        baseUrl: assertNullableString(account.baseUrl, `${context}.baseUrl`),
+        auth: parseOAuthAuth(account.auth, `${context}.auth`),
+        createdAt: assertString(account.createdAt, `${context}.createdAt`),
+        updatedAt: assertString(account.updatedAt, `${context}.updatedAt`),
+    };
+}
+function parsePolicyPoolAccount(value, context) {
+    const account = assertObject(value, context);
+    return {
+        key: assertString(account.key, `${context}.key`),
+        enabled: assertBoolean(account.enabled, `${context}.enabled`),
+        priority: assertNumber(account.priority, `${context}.priority`),
+        allowlist: assertStringArray(account.allowlist, `${context}.allowlist`),
+        blocklist: assertStringArray(account.blocklist, `${context}.blocklist`),
+    };
+}
+function parseVersionedAccountsDocument(value, context) {
+    const document = assertObject(value, context);
+    if (document.version !== ACCOUNT_POOL_SCHEMA_VERSION || !Array.isArray(document.accounts)) {
         throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected { version: ${ACCOUNT_POOL_SCHEMA_VERSION}, accounts: [] } schema.`);
     }
-    return pool;
+    return {
+        version: document.version,
+        accounts: document.accounts,
+    };
 }
-export function readPool() {
-    const poolPath = getPoolPath();
-    if (!existsSync(poolPath)) {
-        const defaultPool = {
-            version: ACCOUNT_POOL_SCHEMA_VERSION,
-            accounts: [],
-        };
-        writePool(defaultPool);
-        return defaultPool;
+function parseLegacyVersionedAccountsDocument(value, context) {
+    const document = assertObject(value, context);
+    if (document.version !== 1 || !Array.isArray(document.accounts)) {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected legacy { version: 1, accounts: [] } schema.`);
     }
-    const raw = readFileSync(poolPath, "utf8");
-    let parsed;
+    return {
+        version: document.version,
+        accounts: document.accounts,
+    };
+}
+function validateAuthPoolSchema(pool, context) {
+    const parsed = parseVersionedAccountsDocument(pool, context);
+    return {
+        version: parsed.version,
+        accounts: parsed.accounts.map((account, index) => parseAuthPoolAccount(account, `${context}.accounts[${index}]`)),
+    };
+}
+function validatePolicyPoolSchema(pool, context) {
+    const parsed = parseVersionedAccountsDocument(pool, context);
+    return {
+        version: parsed.version,
+        accounts: parsed.accounts.map((account, index) => parsePolicyPoolAccount(account, `${context}.accounts[${index}]`)),
+    };
+}
+function validateLegacyPoolSchema(pool, context) {
+    const parsed = parseLegacyVersionedAccountsDocument(pool, context);
+    return {
+        version: parsed.version,
+        accounts: parsed.accounts.map((account, index) => {
+            const accountObject = assertObject(account, `${context}.accounts[${index}]`);
+            return {
+                key: assertString(accountObject.key, `${context}.accounts[${index}].key`),
+                id: assertString(accountObject.id, `${context}.accounts[${index}].id`),
+                name: assertString(accountObject.name, `${context}.accounts[${index}].name`),
+                enabled: assertBoolean(accountObject.enabled, `${context}.accounts[${index}].enabled`),
+                priority: assertNumber(accountObject.priority, `${context}.accounts[${index}].priority`),
+                deployment: assertString(accountObject.deployment, `${context}.accounts[${index}].deployment`),
+                domain: assertString(accountObject.domain, `${context}.accounts[${index}].domain`),
+                identity: parsePoolIdentity(accountObject.identity, `${context}.accounts[${index}].identity`),
+                enterpriseUrl: assertNullableString(accountObject.enterpriseUrl, `${context}.accounts[${index}].enterpriseUrl`),
+                baseUrl: assertNullableString(accountObject.baseUrl, `${context}.accounts[${index}].baseUrl`),
+                allowlist: assertStringArray(accountObject.allowlist, `${context}.accounts[${index}].allowlist`),
+                blocklist: assertStringArray(accountObject.blocklist, `${context}.accounts[${index}].blocklist`),
+                auth: parseOAuthAuth(accountObject.auth, `${context}.accounts[${index}].auth`),
+                createdAt: assertString(accountObject.createdAt, `${context}.accounts[${index}].createdAt`),
+                updatedAt: assertString(accountObject.updatedAt, `${context}.accounts[${index}].updatedAt`),
+            };
+        }),
+    };
+}
+function toDefaultPolicyAccount(account) {
+    return {
+        key: account.key,
+        enabled: true,
+        priority: 0,
+        allowlist: [],
+        blocklist: [],
+    };
+}
+function parseJsonFile(filePath, context) {
+    const raw = readFileSync(filePath, "utf8");
     try {
-        parsed = JSON.parse(raw);
+        return JSON.parse(raw);
     }
     catch (error) {
-        throw new Error(`[opencode-copilot-cli-auth] Malformed JSON in account pool file at ${poolPath}: ${error instanceof Error ? error.message : String(error)}`);
+        throw new Error(`[opencode-copilot-cli-auth] Malformed JSON in ${context} at ${filePath}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+function writeJsonAtomic(filePath, payload) {
+    const directoryPath = dirname(filePath);
+    const tmpPath = `${filePath}.tmp`;
+    mkdirSync(directoryPath, { recursive: true });
+    writeFileSync(tmpPath, `${JSON.stringify(payload, null, 2)}\n`, "utf8");
+    renameSync(tmpPath, filePath);
+    chmodSync(filePath, 0o600);
+}
+function buildAuthPoolDocument(pool) {
+    return {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: pool.accounts.map((account) => ({
+            key: account.key,
+            deployment: account.deployment,
+            domain: account.domain,
+            identity: account.identity,
+            enterpriseUrl: account.enterpriseUrl,
+            baseUrl: account.baseUrl,
+            auth: account.auth,
+            createdAt: account.createdAt,
+            updatedAt: account.updatedAt,
+        })),
+    };
+}
+function buildPolicyPoolDocument(pool) {
+    return {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: pool.accounts.map((account) => ({
+            key: account.key,
+            enabled: account.enabled,
+            priority: account.priority,
+            allowlist: account.allowlist,
+            blocklist: account.blocklist,
+        })),
+    };
+}
+function mergePoolDocuments(authPool, policyPool) {
+    const policyByKey = new Map(policyPool.accounts.map((account) => [account.key, account]));
+    const merged = {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: authPool.accounts.map((authAccount) => {
+            const policy = policyByKey.get(authAccount.key) ?? toDefaultPolicyAccount(authAccount);
+            const userIdText = String(authAccount.identity.userId);
+            const fallbackId = normalizeIdSource(authAccount.identity.login || userIdText) || userIdText;
+            const fallbackName = authAccount.identity.login || userIdText;
+            return {
+                key: authAccount.key,
+                id: fallbackId,
+                name: fallbackName,
+                enabled: policy.enabled,
+                priority: policy.priority,
+                deployment: authAccount.deployment,
+                domain: authAccount.domain,
+                identity: authAccount.identity,
+                enterpriseUrl: authAccount.enterpriseUrl,
+                baseUrl: authAccount.baseUrl,
+                allowlist: policy.allowlist,
+                blocklist: policy.blocklist,
+                auth: authAccount.auth,
+                createdAt: authAccount.createdAt,
+                updatedAt: authAccount.updatedAt,
+            };
+        }),
+    };
+    return validatePoolSchema(merged, "merged account pool");
+}
+export function validatePoolSchema(pool, context) {
+    const parsed = parseVersionedAccountsDocument(pool, context);
+    return {
+        version: parsed.version,
+        accounts: parsed.accounts.map((account, index) => {
+            const accountObject = assertObject(account, `${context}.accounts[${index}]`);
+            return {
+                key: assertString(accountObject.key, `${context}.accounts[${index}].key`),
+                id: assertString(accountObject.id, `${context}.accounts[${index}].id`),
+                name: assertString(accountObject.name, `${context}.accounts[${index}].name`),
+                enabled: assertBoolean(accountObject.enabled, `${context}.accounts[${index}].enabled`),
+                priority: assertNumber(accountObject.priority, `${context}.accounts[${index}].priority`),
+                deployment: assertString(accountObject.deployment, `${context}.accounts[${index}].deployment`),
+                domain: assertString(accountObject.domain, `${context}.accounts[${index}].domain`),
+                identity: parsePoolIdentity(accountObject.identity, `${context}.accounts[${index}].identity`),
+                enterpriseUrl: assertNullableString(accountObject.enterpriseUrl, `${context}.accounts[${index}].enterpriseUrl`),
+                baseUrl: assertNullableString(accountObject.baseUrl, `${context}.accounts[${index}].baseUrl`),
+                allowlist: assertStringArray(accountObject.allowlist, `${context}.accounts[${index}].allowlist`),
+                blocklist: assertStringArray(accountObject.blocklist, `${context}.accounts[${index}].blocklist`),
+                auth: parseOAuthAuth(accountObject.auth, `${context}.accounts[${index}].auth`),
+                createdAt: assertString(accountObject.createdAt, `${context}.accounts[${index}].createdAt`),
+                updatedAt: assertString(accountObject.updatedAt, `${context}.accounts[${index}].updatedAt`),
+            };
+        }),
+    };
+}
+export function readPool() {
+    const authPath = getPoolPath();
+    const policyPath = getPolicyPath();
+    const defaultDocument = {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: [],
+    };
+    if (!existsSync(authPath)) {
+        writeJsonAtomic(authPath, defaultDocument);
     }
-    return validatePoolSchema(parsed, `account pool file at ${poolPath}`);
+    if (!existsSync(policyPath)) {
+        writeJsonAtomic(policyPath, defaultDocument);
+    }
+    const parsedAuth = parseJsonFile(authPath, "Copilot auth file");
+    const parsedPolicy = parseJsonFile(policyPath, "Copilot routing policy file");
+    const authPool = validateAuthPoolSchema(parsedAuth, `auth pool file at ${authPath}`);
+    const policyPool = validatePolicyPoolSchema(parsedPolicy, `policy pool file at ${policyPath}`);
+    return mergePoolDocuments(authPool, policyPool);
 }
 export function writePool(pool) {
     const validatedPool = validatePoolSchema(pool, "account pool payload");
-    const poolPath = getPoolPath();
-    const dirPath = dirname(poolPath);
-    const tmpPath = `${poolPath}.tmp`;
-    mkdirSync(dirPath, { recursive: true });
-    writeFileSync(tmpPath, `${JSON.stringify(validatedPool, null, 2)}\n`, "utf8");
-    renameSync(tmpPath, poolPath);
-    chmodSync(poolPath, 0o600);
+    const authDocument = validateAuthPoolSchema(buildAuthPoolDocument(validatedPool), "auth pool payload");
+    const policyDocument = validatePolicyPoolSchema(buildPolicyPoolDocument(validatedPool), "policy pool payload");
+    writeJsonAtomic(getPolicyPath(), policyDocument);
+    writeJsonAtomic(getPoolPath(), authDocument);
+}
+export function writePoolAuthData(pool) {
+    const validatedPool = validatePoolSchema(pool, "account pool payload");
+    const authDocument = validateAuthPoolSchema(buildAuthPoolDocument(validatedPool), "auth pool payload");
+    writeJsonAtomic(getPoolPath(), authDocument);
+}
+export function migrateLegacyPoolStorageIfNeeded() {
+    const authPath = getPoolPath();
+    const policyPath = getPolicyPath();
+    if (!existsSync(authPath)) {
+        return;
+    }
+    const parsed = parseJsonFile(authPath, "Copilot account pool file");
+    try {
+        const legacyPool = validateLegacyPoolSchema(parsed, `legacy account pool file at ${authPath}`);
+        const existingPolicy = existsSync(policyPath)
+            ? validatePolicyPoolSchema(parseJsonFile(policyPath, "Copilot routing policy file"), `policy pool file at ${policyPath}`)
+            : null;
+        const migratedPolicy = {
+            version: ACCOUNT_POOL_SCHEMA_VERSION,
+            accounts: legacyPool.accounts.map((account) => {
+                const existingPolicyAccount = existingPolicy?.accounts.find((candidate) => candidate.key === account.key);
+                return existingPolicyAccount ?? {
+                    key: account.key,
+                    enabled: account.enabled,
+                    priority: account.priority,
+                    allowlist: account.allowlist,
+                    blocklist: account.blocklist,
+                };
+            }),
+        };
+        writeJsonAtomic(policyPath, validatePolicyPoolSchema(migratedPolicy, "migrated policy pool payload"));
+        writeJsonAtomic(authPath, validateAuthPoolSchema(buildAuthPoolDocument(legacyPool), "migrated auth pool payload"));
+        return;
+    }
+    catch {
+        // Intentionally continue: file may already be auth-only format or a non-legacy document.
+    }
+    if (existsSync(policyPath)) {
+        return;
+    }
+    const authPool = validateAuthPoolSchema(parsed, `auth pool file at ${authPath}`);
+    const defaultPolicyPool = {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: authPool.accounts.map((account) => toDefaultPolicyAccount(account)),
+    };
+    writeJsonAtomic(policyPath, validatePolicyPoolSchema(defaultPolicyPool, "default policy pool payload"));
 }
 function deriveDefaultAccountId(accounts, key, identity) {
     const userIdText = String(identity.userId);

package/dist/types.d.ts

@@ -28,6 +28,24 @@ export interface PoolAccount {
     createdAt: string;
     updatedAt: string;
 }
+export interface AuthPoolAccount {
+    key: string;
+    deployment: string;
+    domain: string;
+    identity: PoolIdentity;
+    enterpriseUrl: string | null;
+    baseUrl: string | null;
+    auth: OAuthAuth;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface PolicyPoolAccount {
+    key: string;
+    enabled: boolean;
+    priority: number;
+    allowlist: string[];
+    blocklist: string[];
+}
 export interface UpsertAccountData {
     key: string;
     deployment?: string;
@@ -42,6 +60,14 @@ export interface AccountPool {
     version: number;
     accounts: PoolAccount[];
 }
+export interface AuthPoolDocument {
+    version: number;
+    accounts: AuthPoolAccount[];
+}
+export interface PolicyPoolDocument {
+    version: number;
+    accounts: PolicyPoolAccount[];
+}
 export interface LiveModel {
     id: string;
     name?: string;
@@ -111,6 +137,8 @@ export interface ProviderModel {
 export type HeaderObject = Headers | Array<[string, string]> | Record<string, string> | undefined;
 export interface AuthInput {
     refresh: string;
+    access?: string;
+    expires?: number;
     enterpriseUrl?: string | null;
     baseUrl?: string | null;
     type?: string;

package/dist/usage.js

@@ -106,7 +106,7 @@ export async function getCopilotUsageDialogMessage() {
     const pool = readPool();
     const accounts = [...pool.accounts].sort((left, right) => left.key.localeCompare(right.key));
     if (accounts.length === 0) {
-        throw new Error("No Copilot accounts found in the account pool. Log in again to populate ~/.local/share/opencode/copilot-auth.json.");
+        throw new Error("No Copilot accounts found in the account pool. Log in again to populate ~/.local/share/opencode/copilot-auth.json (auth) and ~/.config/opencode/copilot-auth.json (policy).");
     }
     const sections = await Promise.all(accounts.map((account) => getCopilotUsageSummary(account)));
     return sections.join("\n\n");

package/index.mjs

@@ -1,9 +1,11 @@
 export {
   CopilotAuthPlugin,
   deriveAccountKey,
+  getPolicyPath,
   getPoolPath,
   injectRoutingHeaders,
   lookupGitHubIdentity,
+  migrateLegacyPoolStorageIfNeeded,
   readPool,
   resolveWinnerAccount,
   stripRoutingHeaders,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gnahz77/opencode-copilot-multi-auth",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",