npm - @gnahz77/opencode-copilot-multi-auth - Versions diffs - 0.1.3 → 0.1.4 - Mend

@gnahz77/opencode-copilot-multi-auth 0.1.3 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md CHANGED Viewed

@@ -12,7 +12,7 @@ Add the plugin to your `opencode` config:
 {
   "$schema": "https://opencode.ai/config.json",
   "plugin": [
-    "@gnahz77/opencode-copilot-multi-auth@0.1.3"
+    "@gnahz77/opencode-copilot-multi-auth@0.1.4"
   ]
 }
 ```
@@ -25,13 +25,16 @@ If you also want the TUI command support provided by this package, add the same
 {
   "$schema": "https://opencode.ai/tui.json",
   "plugin": [
-    "@gnahz77/opencode-copilot-multi-auth@0.1.3"
+    "@gnahz77/opencode-copilot-multi-auth@0.1.4"
   ]
 }
 ```
 After restarting OpenCode TUI, you can open the command palette and run `copilot-usage`, or type `/copilot-usage`.
-The plugin will open a popup dialog showing all accounts currently stored in `~/.local/share/opencode/copilot-auth.json`.
+The plugin will open a popup dialog showing all accounts currently loaded from split local storage:
+- OAuth/account data: `~/.local/share/opencode/copilot-auth.json`
+- Per-account routing policy: `~/.config/opencode/copilot-auth.json`
 For local development before publishing, you can load the file directly:
@@ -66,7 +69,9 @@ This package now includes a TUI command named `copilot-usage`.
 What it does:
-- Reads every Copilot account stored in `~/.local/share/opencode/copilot-auth.json`
+- Reads every Copilot account from the merged local pool assembled from:
+  - `~/.local/share/opencode/copilot-auth.json` (OAuth/account data)
+  - `~/.config/opencode/copilot-auth.json` (routing policy)
 - Calls the GitHub Copilot entitlement endpoint `/copilot_internal/user` for each account using that account's OAuth token
 - Opens a popup dialog showing, for each account:
   - account name
@@ -147,10 +152,16 @@ The plugin intentionally does not try to change the `opencode` core UI. So the v
 ## Multi-Account Support
-This fork can keep a pool of Copilot logins in `~/.local/share/opencode/copilot-auth.json`.
+This fork keeps Copilot account state in split local files:
+- OAuth-required account data in `~/.local/share/opencode/copilot-auth.json`
+- Per-account routing policy in `~/.config/opencode/copilot-auth.json`
+On startup, the plugin automatically migrates legacy single-file storage into this two-file layout.
 Each successful OAuth login updates that pool automatically: logging in with a new deployment-scoped account appends a new record, and logging in again with the same GitHub identity on the same deployment updates the existing record instead of creating a duplicate.
-The pool stores one object per account under `accounts` in a `version: 1` document.
+At runtime, the plugin merges both files into the same in-memory `version: 2` pool shape (`accounts`) used for routing.
 | Field | Meaning |
 | --- | --- |
@@ -165,20 +176,14 @@ Automatic routing works on the raw Copilot model IDs that `opencode` already use
 Wildcard matching is case-sensitive and currently supports `*` for zero or more characters anywhere in the pattern. For example, `claude-*` matches `claude-sonnet-4.6` and `claude-opus-4.6`.
-Example pool file:
+Example auth file (`~/.local/share/opencode/copilot-auth.json`):
 ```json
 {
-  "version": 1,
+  "version": 2,
   "accounts": [
     {
       "key": "github.com:12345678",
-      "id": "work",
-      "name": "Work",
-      "enabled": true,
-      "priority": 100,
-      "allowlist": ["claude-*"],
-      "blocklist": [],
       "deployment": "github.com",
       "domain": "github.com",
       "baseUrl": "https://api.githubcopilot.com",
@@ -196,3 +201,20 @@ Example pool file:
   ]
 }
 ```
+Example policy file (`~/.config/opencode/copilot-auth.json`):
+```json
+{
+  "version": 2,
+  "accounts": [
+    {
+      "key": "github.com:12345678",
+      "enabled": true,
+      "priority": 100,
+      "allowlist": ["claude-*"],
+      "blocklist": []
+    }
+  ]
+}
+```

package/dist/auth.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { API_VERSION, COPILOT_TOKEN_EXPIRY_BUFFER_MS, DEFAULT_COPILOT_BASE_URL, VSCODE_HEADERS, } from "./constants.js";
 import { getSelectedAccountExpiredError, getSelectedAccountMissingError } from "./errors.js";
-import { readPool, resolveWinnerAccount, writePool } from "./pool.js";
+import { readPool, resolveWinnerAccount, writePoolAuthData } from "./pool.js";
 import { stripRoutingHeaders } from "./routing.js";
 import { applyBaseURLToRequestInput, getConversationMetadata, isValidBaseURL, normalizeDomain, normalizeHeaderObject, } from "./utils.js";
 export function getUrls(domain) {
@@ -208,7 +208,7 @@ export async function refreshSelectedAccountBaseURL(accountKey) {
             }
             : account),
     };
-    writePool(updatedPool);
+    writePoolAuthData(updatedPool);
     return updatedPool.accounts[accountIndex];
 }
 export async function fetchWithSelectedAccount(input, init, selectedAccount) {

package/dist/constants.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-export declare const ACCOUNT_POOL_SCHEMA_VERSION = 1;
+export declare const ACCOUNT_POOL_SCHEMA_VERSION = 2;
 export declare const ROUTING_ACCOUNT_KEY_HEADER = "x-opencode-copilot-account-key";
 export declare const ROUTING_SOURCE_HEADER = "x-opencode-copilot-route-source";
 export declare const INTERNAL_ROUTING_HEADERS: Set<string>;

package/dist/constants.js CHANGED Viewed

@@ -1,4 +1,4 @@
-export const ACCOUNT_POOL_SCHEMA_VERSION = 1;
+export const ACCOUNT_POOL_SCHEMA_VERSION = 2;
 export const ROUTING_ACCOUNT_KEY_HEADER = "x-opencode-copilot-account-key";
 export const ROUTING_SOURCE_HEADER = "x-opencode-copilot-route-source";
 export const INTERNAL_ROUTING_HEADERS = new Set([

package/dist/index.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import { lookupGitHubIdentity } from "./auth.js";
-import { deriveAccountKey, getPoolPath, readPool, resolveWinnerAccount, upsertAccount, writePool } from "./pool.js";
+import { deriveAccountKey, getPolicyPath, getPoolPath, migrateLegacyPoolStorageIfNeeded, readPool, resolveWinnerAccount, upsertAccount, writePool } from "./pool.js";
 import { injectRoutingHeaders, stripRoutingHeaders } from "./routing.js";
-export { getPoolPath, readPool, writePool, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveWinnerAccount };
+export { getPoolPath, getPolicyPath, readPool, writePool, migrateLegacyPoolStorageIfNeeded, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveWinnerAccount, };
 export { injectRoutingHeaders, stripRoutingHeaders };
 export declare const CopilotAuthPlugin: Plugin;

package/dist/index.js CHANGED Viewed

@@ -1,12 +1,18 @@
 import { CLIENT_ID, OAUTH_POLLING_SAFETY_MARGIN_MS, OAUTH_SCOPES, ROUTING_ACCOUNT_KEY_HEADER, ROUTING_SOURCE_HEADER, } from "./constants.js";
 import { buildHeaders, fetchEntitlement, fetchWithSelectedAccount, getBaseURL, getCopilotToken, getUrls, lookupGitHubIdentity, resolveSelectedPoolAccount, } from "./auth.js";
 import { buildPoolBackedModels, normalizeExistingModels, resolveProviderModels } from "./models.js";
-import { deriveAccountKey, getPoolPath, readPool, resolveWinnerAccount, upsertAccount, writePool, } from "./pool.js";
+import { deriveAccountKey, getPolicyPath, getPoolPath, migrateLegacyPoolStorageIfNeeded, readPool, resolveWinnerAccount, upsertAccount, writePool, } from "./pool.js";
 import { injectRoutingHeaders, stripRoutingHeaders } from "./routing.js";
 import { applyBaseURLToRequestInput, getHeader, getConversationMetadata, getRequestedRawModelId, normalizeDomain, resolveClaudeThinkingBudget, } from "./utils.js";
-export { getPoolPath, readPool, writePool, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveWinnerAccount };
+export { getPoolPath, getPolicyPath, readPool, writePool, migrateLegacyPoolStorageIfNeeded, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveWinnerAccount, };
 export { injectRoutingHeaders, stripRoutingHeaders };
 export const CopilotAuthPlugin = async (input) => {
+    try {
+        migrateLegacyPoolStorageIfNeeded();
+    }
+    catch (error) {
+        console.warn("[opencode-copilot-cli-auth] Failed to run pool storage migration:", error instanceof Error ? error.message : String(error));
+    }
     return {
         provider: {
             id: "github-copilot",

package/dist/pool.d.ts CHANGED Viewed

@@ -1,8 +1,11 @@
 import type { AccountPool, PoolAccount, UpsertAccountData } from "./types.js";
 export declare function getPoolPath(): string;
+export declare function getPolicyPath(): string;
 export declare function validatePoolSchema(pool: unknown, context: string): AccountPool;
 export declare function readPool(): AccountPool;
 export declare function writePool(pool: AccountPool): void;
+export declare function writePoolAuthData(pool: AccountPool): void;
+export declare function migrateLegacyPoolStorageIfNeeded(): void;
 export declare function deriveAccountKey(deployment: string, userId: number): string;
 export declare function upsertAccount(pool: AccountPool, accountData: UpsertAccountData): AccountPool;
 export declare function resolveWinnerAccount(rawModelId: string, pool: AccountPool): PoolAccount;

package/dist/pool.js CHANGED Viewed

@@ -6,44 +6,344 @@ import { matchesAnyModelIdPattern, normalizeDomain, normalizeIdSource, normalize
 export function getPoolPath() {
     return `${homedir()}/.local/share/opencode/copilot-auth.json`;
 }
-export function validatePoolSchema(pool, context) {
-    if (!pool
-        || typeof pool !== "object"
-        || pool.version !== ACCOUNT_POOL_SCHEMA_VERSION
-        || !Array.isArray(pool.accounts)) {
+export function getPolicyPath() {
+    return `${homedir()}/.config/opencode/copilot-auth.json`;
+}
+function assertObject(value, context) {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected object.`);
+    }
+    return value;
+}
+function assertString(value, context) {
+    if (typeof value !== "string") {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected string.`);
+    }
+    return value;
+}
+function assertNumber(value, context) {
+    if (typeof value !== "number" || !Number.isFinite(value)) {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected finite number.`);
+    }
+    return value;
+}
+function assertBoolean(value, context) {
+    if (typeof value !== "boolean") {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected boolean.`);
+    }
+    return value;
+}
+function assertNullableString(value, context) {
+    if (value === null) {
+        return null;
+    }
+    return assertString(value, context);
+}
+function assertStringArray(value, context) {
+    if (!Array.isArray(value) || value.some((item) => typeof item !== "string")) {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected string[].`);
+    }
+    return value;
+}
+function parsePoolIdentity(value, context) {
+    const identityObject = assertObject(value, context);
+    return {
+        login: assertString(identityObject.login, `${context}.login`),
+        userId: assertNumber(identityObject.userId, `${context}.userId`),
+    };
+}
+function parseOAuthAuth(value, context) {
+    const authObject = assertObject(value, context);
+    if (authObject.type !== "oauth") {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}.type: expected \"oauth\".`);
+    }
+    const parsed = {
+        type: "oauth",
+        refresh: assertString(authObject.refresh, `${context}.refresh`),
+    };
+    if (typeof authObject.access === "string") {
+        parsed.access = authObject.access;
+    }
+    if (typeof authObject.expires === "number" && Number.isFinite(authObject.expires)) {
+        parsed.expires = authObject.expires;
+    }
+    if (authObject.baseUrl === null || typeof authObject.baseUrl === "string") {
+        parsed.baseUrl = authObject.baseUrl;
+    }
+    if (typeof authObject.provider === "string") {
+        parsed.provider = authObject.provider;
+    }
+    if (typeof authObject.enterpriseUrl === "string") {
+        parsed.enterpriseUrl = authObject.enterpriseUrl;
+    }
+    return parsed;
+}
+function parseAuthPoolAccount(value, context) {
+    const account = assertObject(value, context);
+    return {
+        key: assertString(account.key, `${context}.key`),
+        deployment: assertString(account.deployment, `${context}.deployment`),
+        domain: assertString(account.domain, `${context}.domain`),
+        identity: parsePoolIdentity(account.identity, `${context}.identity`),
+        enterpriseUrl: assertNullableString(account.enterpriseUrl, `${context}.enterpriseUrl`),
+        baseUrl: assertNullableString(account.baseUrl, `${context}.baseUrl`),
+        auth: parseOAuthAuth(account.auth, `${context}.auth`),
+        createdAt: assertString(account.createdAt, `${context}.createdAt`),
+        updatedAt: assertString(account.updatedAt, `${context}.updatedAt`),
+    };
+}
+function parsePolicyPoolAccount(value, context) {
+    const account = assertObject(value, context);
+    return {
+        key: assertString(account.key, `${context}.key`),
+        enabled: assertBoolean(account.enabled, `${context}.enabled`),
+        priority: assertNumber(account.priority, `${context}.priority`),
+        allowlist: assertStringArray(account.allowlist, `${context}.allowlist`),
+        blocklist: assertStringArray(account.blocklist, `${context}.blocklist`),
+    };
+}
+function parseVersionedAccountsDocument(value, context) {
+    const document = assertObject(value, context);
+    if (document.version !== ACCOUNT_POOL_SCHEMA_VERSION || !Array.isArray(document.accounts)) {
         throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected { version: ${ACCOUNT_POOL_SCHEMA_VERSION}, accounts: [] } schema.`);
     }
-    return pool;
+    return {
+        version: document.version,
+        accounts: document.accounts,
+    };
 }
-export function readPool() {
-    const poolPath = getPoolPath();
-    if (!existsSync(poolPath)) {
-        const defaultPool = {
-            version: ACCOUNT_POOL_SCHEMA_VERSION,
-            accounts: [],
-        };
-        writePool(defaultPool);
-        return defaultPool;
+function parseLegacyVersionedAccountsDocument(value, context) {
+    const document = assertObject(value, context);
+    if (document.version !== 1 || !Array.isArray(document.accounts)) {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected legacy { version: 1, accounts: [] } schema.`);
     }
-    const raw = readFileSync(poolPath, "utf8");
-    let parsed;
+    return {
+        version: document.version,
+        accounts: document.accounts,
+    };
+}
+function validateAuthPoolSchema(pool, context) {
+    const parsed = parseVersionedAccountsDocument(pool, context);
+    return {
+        version: parsed.version,
+        accounts: parsed.accounts.map((account, index) => parseAuthPoolAccount(account, `${context}.accounts[${index}]`)),
+    };
+}
+function validatePolicyPoolSchema(pool, context) {
+    const parsed = parseVersionedAccountsDocument(pool, context);
+    return {
+        version: parsed.version,
+        accounts: parsed.accounts.map((account, index) => parsePolicyPoolAccount(account, `${context}.accounts[${index}]`)),
+    };
+}
+function validateLegacyPoolSchema(pool, context) {
+    const parsed = parseLegacyVersionedAccountsDocument(pool, context);
+    return {
+        version: parsed.version,
+        accounts: parsed.accounts.map((account, index) => {
+            const accountObject = assertObject(account, `${context}.accounts[${index}]`);
+            return {
+                key: assertString(accountObject.key, `${context}.accounts[${index}].key`),
+                id: assertString(accountObject.id, `${context}.accounts[${index}].id`),
+                name: assertString(accountObject.name, `${context}.accounts[${index}].name`),
+                enabled: assertBoolean(accountObject.enabled, `${context}.accounts[${index}].enabled`),
+                priority: assertNumber(accountObject.priority, `${context}.accounts[${index}].priority`),
+                deployment: assertString(accountObject.deployment, `${context}.accounts[${index}].deployment`),
+                domain: assertString(accountObject.domain, `${context}.accounts[${index}].domain`),
+                identity: parsePoolIdentity(accountObject.identity, `${context}.accounts[${index}].identity`),
+                enterpriseUrl: assertNullableString(accountObject.enterpriseUrl, `${context}.accounts[${index}].enterpriseUrl`),
+                baseUrl: assertNullableString(accountObject.baseUrl, `${context}.accounts[${index}].baseUrl`),
+                allowlist: assertStringArray(accountObject.allowlist, `${context}.accounts[${index}].allowlist`),
+                blocklist: assertStringArray(accountObject.blocklist, `${context}.accounts[${index}].blocklist`),
+                auth: parseOAuthAuth(accountObject.auth, `${context}.accounts[${index}].auth`),
+                createdAt: assertString(accountObject.createdAt, `${context}.accounts[${index}].createdAt`),
+                updatedAt: assertString(accountObject.updatedAt, `${context}.accounts[${index}].updatedAt`),
+            };
+        }),
+    };
+}
+function toDefaultPolicyAccount(account) {
+    return {
+        key: account.key,
+        enabled: true,
+        priority: 0,
+        allowlist: [],
+        blocklist: [],
+    };
+}
+function parseJsonFile(filePath, context) {
+    const raw = readFileSync(filePath, "utf8");
     try {
-        parsed = JSON.parse(raw);
+        return JSON.parse(raw);
     }
     catch (error) {
-        throw new Error(`[opencode-copilot-cli-auth] Malformed JSON in account pool file at ${poolPath}: ${error instanceof Error ? error.message : String(error)}`);
+        throw new Error(`[opencode-copilot-cli-auth] Malformed JSON in ${context} at ${filePath}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+function writeJsonAtomic(filePath, payload) {
+    const directoryPath = dirname(filePath);
+    const tmpPath = `${filePath}.tmp`;
+    mkdirSync(directoryPath, { recursive: true });
+    writeFileSync(tmpPath, `${JSON.stringify(payload, null, 2)}\n`, "utf8");
+    renameSync(tmpPath, filePath);
+    chmodSync(filePath, 0o600);
+}
+function buildAuthPoolDocument(pool) {
+    return {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: pool.accounts.map((account) => ({
+            key: account.key,
+            deployment: account.deployment,
+            domain: account.domain,
+            identity: account.identity,
+            enterpriseUrl: account.enterpriseUrl,
+            baseUrl: account.baseUrl,
+            auth: account.auth,
+            createdAt: account.createdAt,
+            updatedAt: account.updatedAt,
+        })),
+    };
+}
+function buildPolicyPoolDocument(pool) {
+    return {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: pool.accounts.map((account) => ({
+            key: account.key,
+            enabled: account.enabled,
+            priority: account.priority,
+            allowlist: account.allowlist,
+            blocklist: account.blocklist,
+        })),
+    };
+}
+function mergePoolDocuments(authPool, policyPool) {
+    const policyByKey = new Map(policyPool.accounts.map((account) => [account.key, account]));
+    const merged = {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: authPool.accounts.map((authAccount) => {
+            const policy = policyByKey.get(authAccount.key) ?? toDefaultPolicyAccount(authAccount);
+            const userIdText = String(authAccount.identity.userId);
+            const fallbackId = normalizeIdSource(authAccount.identity.login || userIdText) || userIdText;
+            const fallbackName = authAccount.identity.login || userIdText;
+            return {
+                key: authAccount.key,
+                id: fallbackId,
+                name: fallbackName,
+                enabled: policy.enabled,
+                priority: policy.priority,
+                deployment: authAccount.deployment,
+                domain: authAccount.domain,
+                identity: authAccount.identity,
+                enterpriseUrl: authAccount.enterpriseUrl,
+                baseUrl: authAccount.baseUrl,
+                allowlist: policy.allowlist,
+                blocklist: policy.blocklist,
+                auth: authAccount.auth,
+                createdAt: authAccount.createdAt,
+                updatedAt: authAccount.updatedAt,
+            };
+        }),
+    };
+    return validatePoolSchema(merged, "merged account pool");
+}
+export function validatePoolSchema(pool, context) {
+    const parsed = parseVersionedAccountsDocument(pool, context);
+    return {
+        version: parsed.version,
+        accounts: parsed.accounts.map((account, index) => {
+            const accountObject = assertObject(account, `${context}.accounts[${index}]`);
+            return {
+                key: assertString(accountObject.key, `${context}.accounts[${index}].key`),
+                id: assertString(accountObject.id, `${context}.accounts[${index}].id`),
+                name: assertString(accountObject.name, `${context}.accounts[${index}].name`),
+                enabled: assertBoolean(accountObject.enabled, `${context}.accounts[${index}].enabled`),
+                priority: assertNumber(accountObject.priority, `${context}.accounts[${index}].priority`),
+                deployment: assertString(accountObject.deployment, `${context}.accounts[${index}].deployment`),
+                domain: assertString(accountObject.domain, `${context}.accounts[${index}].domain`),
+                identity: parsePoolIdentity(accountObject.identity, `${context}.accounts[${index}].identity`),
+                enterpriseUrl: assertNullableString(accountObject.enterpriseUrl, `${context}.accounts[${index}].enterpriseUrl`),
+                baseUrl: assertNullableString(accountObject.baseUrl, `${context}.accounts[${index}].baseUrl`),
+                allowlist: assertStringArray(accountObject.allowlist, `${context}.accounts[${index}].allowlist`),
+                blocklist: assertStringArray(accountObject.blocklist, `${context}.accounts[${index}].blocklist`),
+                auth: parseOAuthAuth(accountObject.auth, `${context}.accounts[${index}].auth`),
+                createdAt: assertString(accountObject.createdAt, `${context}.accounts[${index}].createdAt`),
+                updatedAt: assertString(accountObject.updatedAt, `${context}.accounts[${index}].updatedAt`),
+            };
+        }),
+    };
+}
+export function readPool() {
+    const authPath = getPoolPath();
+    const policyPath = getPolicyPath();
+    const defaultDocument = {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: [],
+    };
+    if (!existsSync(authPath)) {
+        writeJsonAtomic(authPath, defaultDocument);
     }
-    return validatePoolSchema(parsed, `account pool file at ${poolPath}`);
+    if (!existsSync(policyPath)) {
+        writeJsonAtomic(policyPath, defaultDocument);
+    }
+    const parsedAuth = parseJsonFile(authPath, "Copilot auth file");
+    const parsedPolicy = parseJsonFile(policyPath, "Copilot routing policy file");
+    const authPool = validateAuthPoolSchema(parsedAuth, `auth pool file at ${authPath}`);
+    const policyPool = validatePolicyPoolSchema(parsedPolicy, `policy pool file at ${policyPath}`);
+    return mergePoolDocuments(authPool, policyPool);
 }
 export function writePool(pool) {
     const validatedPool = validatePoolSchema(pool, "account pool payload");
-    const poolPath = getPoolPath();
-    const dirPath = dirname(poolPath);
-    const tmpPath = `${poolPath}.tmp`;
-    mkdirSync(dirPath, { recursive: true });
-    writeFileSync(tmpPath, `${JSON.stringify(validatedPool, null, 2)}\n`, "utf8");
-    renameSync(tmpPath, poolPath);
-    chmodSync(poolPath, 0o600);
+    const authDocument = validateAuthPoolSchema(buildAuthPoolDocument(validatedPool), "auth pool payload");
+    const policyDocument = validatePolicyPoolSchema(buildPolicyPoolDocument(validatedPool), "policy pool payload");
+    writeJsonAtomic(getPolicyPath(), policyDocument);
+    writeJsonAtomic(getPoolPath(), authDocument);
+}
+export function writePoolAuthData(pool) {
+    const validatedPool = validatePoolSchema(pool, "account pool payload");
+    const authDocument = validateAuthPoolSchema(buildAuthPoolDocument(validatedPool), "auth pool payload");
+    writeJsonAtomic(getPoolPath(), authDocument);
+}
+export function migrateLegacyPoolStorageIfNeeded() {
+    const authPath = getPoolPath();
+    const policyPath = getPolicyPath();
+    if (!existsSync(authPath)) {
+        return;
+    }
+    const parsed = parseJsonFile(authPath, "Copilot account pool file");
+    try {
+        const legacyPool = validateLegacyPoolSchema(parsed, `legacy account pool file at ${authPath}`);
+        const existingPolicy = existsSync(policyPath)
+            ? validatePolicyPoolSchema(parseJsonFile(policyPath, "Copilot routing policy file"), `policy pool file at ${policyPath}`)
+            : null;
+        const migratedPolicy = {
+            version: ACCOUNT_POOL_SCHEMA_VERSION,
+            accounts: legacyPool.accounts.map((account) => {
+                const existingPolicyAccount = existingPolicy?.accounts.find((candidate) => candidate.key === account.key);
+                return existingPolicyAccount ?? {
+                    key: account.key,
+                    enabled: account.enabled,
+                    priority: account.priority,
+                    allowlist: account.allowlist,
+                    blocklist: account.blocklist,
+                };
+            }),
+        };
+        writeJsonAtomic(policyPath, validatePolicyPoolSchema(migratedPolicy, "migrated policy pool payload"));
+        writeJsonAtomic(authPath, validateAuthPoolSchema(buildAuthPoolDocument(legacyPool), "migrated auth pool payload"));
+        return;
+    }
+    catch {
+        // Intentionally continue: file may already be auth-only format or a non-legacy document.
+    }
+    if (existsSync(policyPath)) {
+        return;
+    }
+    const authPool = validateAuthPoolSchema(parsed, `auth pool file at ${authPath}`);
+    const defaultPolicyPool = {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: authPool.accounts.map((account) => toDefaultPolicyAccount(account)),
+    };
+    writeJsonAtomic(policyPath, validatePolicyPoolSchema(defaultPolicyPool, "default policy pool payload"));
 }
 function deriveDefaultAccountId(accounts, key, identity) {
     const userIdText = String(identity.userId);

package/dist/types.d.ts CHANGED Viewed

@@ -28,6 +28,24 @@ export interface PoolAccount {
     createdAt: string;
     updatedAt: string;
 }
+export interface AuthPoolAccount {
+    key: string;
+    deployment: string;
+    domain: string;
+    identity: PoolIdentity;
+    enterpriseUrl: string | null;
+    baseUrl: string | null;
+    auth: OAuthAuth;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface PolicyPoolAccount {
+    key: string;
+    enabled: boolean;
+    priority: number;
+    allowlist: string[];
+    blocklist: string[];
+}
 export interface UpsertAccountData {
     key: string;
     deployment?: string;
@@ -42,6 +60,14 @@ export interface AccountPool {
     version: number;
     accounts: PoolAccount[];
 }
+export interface AuthPoolDocument {
+    version: number;
+    accounts: AuthPoolAccount[];
+}
+export interface PolicyPoolDocument {
+    version: number;
+    accounts: PolicyPoolAccount[];
+}
 export interface LiveModel {
     id: string;
     name?: string;

package/dist/usage.js CHANGED Viewed

@@ -106,7 +106,7 @@ export async function getCopilotUsageDialogMessage() {
     const pool = readPool();
     const accounts = [...pool.accounts].sort((left, right) => left.key.localeCompare(right.key));
     if (accounts.length === 0) {
-        throw new Error("No Copilot accounts found in the account pool. Log in again to populate ~/.local/share/opencode/copilot-auth.json.");
+        throw new Error("No Copilot accounts found in the account pool. Log in again to populate ~/.local/share/opencode/copilot-auth.json (auth) and ~/.config/opencode/copilot-auth.json (policy).");
     }
     const sections = await Promise.all(accounts.map((account) => getCopilotUsageSummary(account)));
     return sections.join("\n\n");

package/index.mjs CHANGED Viewed

@@ -1,9 +1,11 @@
 export {
   CopilotAuthPlugin,
   deriveAccountKey,
+  getPolicyPath,
   getPoolPath,
   injectRoutingHeaders,
   lookupGitHubIdentity,
+  migrateLegacyPoolStorageIfNeeded,
   readPool,
   resolveWinnerAccount,
   stripRoutingHeaders,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@gnahz77/opencode-copilot-multi-auth",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",