npm - @gnahz77/opencode-copilot-multi-auth - Versions diffs - 0.1.3 → 0.1.5 - Mend

@gnahz77/opencode-copilot-multi-auth 0.1.3 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/README.md CHANGED Viewed

@@ -1,5 +1,7 @@
 # opencode-copilot-multi-auth
+[中文文档](README.zh.md)
 Package on npm: https://www.npmjs.com/package/@gnahz77/opencode-copilot-multi-auth
 This fork replaces the older GitHub Copilot chat-auth flow with the newer Copilot CLI-style OAuth flow and makes `opencode` use the live Copilot model metadata for your account.
@@ -12,7 +14,7 @@ Add the plugin to your `opencode` config:
 {
   "$schema": "https://opencode.ai/config.json",
   "plugin": [
-    "@gnahz77/opencode-copilot-multi-auth@0.1.3"
+    "@gnahz77/opencode-copilot-multi-auth@0.1.5"
   ]
 }
 ```
@@ -25,13 +27,16 @@ If you also want the TUI command support provided by this package, add the same
 {
   "$schema": "https://opencode.ai/tui.json",
   "plugin": [
-    "@gnahz77/opencode-copilot-multi-auth@0.1.3"
+    "@gnahz77/opencode-copilot-multi-auth@0.1.5"
   ]
 }
 ```
 After restarting OpenCode TUI, you can open the command palette and run `copilot-usage`, or type `/copilot-usage`.
-The plugin will open a popup dialog showing all accounts currently stored in `~/.local/share/opencode/copilot-auth.json`.
+The plugin will open a popup dialog showing all accounts currently loaded from split local storage:
+- OAuth/account data: `~/.local/share/opencode/copilot-auth.json`
+- Per-account routing policy: `~/.config/opencode/copilot-auth.json`
 For local development before publishing, you can load the file directly:
@@ -66,7 +71,9 @@ This package now includes a TUI command named `copilot-usage`.
 What it does:
-- Reads every Copilot account stored in `~/.local/share/opencode/copilot-auth.json`
+- Reads every Copilot account from the merged local pool assembled from:
+  - `~/.local/share/opencode/copilot-auth.json` (OAuth/account data)
+  - `~/.config/opencode/copilot-auth.json` (routing policy)
 - Calls the GitHub Copilot entitlement endpoint `/copilot_internal/user` for each account using that account's OAuth token
 - Opens a popup dialog showing, for each account:
   - account name
@@ -147,10 +154,16 @@ The plugin intentionally does not try to change the `opencode` core UI. So the v
 ## Multi-Account Support
-This fork can keep a pool of Copilot logins in `~/.local/share/opencode/copilot-auth.json`.
+This fork keeps Copilot account state in split local files:
+- OAuth-required account data in `~/.local/share/opencode/copilot-auth.json`
+- Per-account routing policy in `~/.config/opencode/copilot-auth.json`
+On startup, the plugin automatically migrates legacy single-file storage into this two-file layout.
 Each successful OAuth login updates that pool automatically: logging in with a new deployment-scoped account appends a new record, and logging in again with the same GitHub identity on the same deployment updates the existing record instead of creating a duplicate.
-The pool stores one object per account under `accounts` in a `version: 1` document.
+At runtime, the plugin merges both files into the same in-memory `version: 2` pool shape (`accounts`) used for routing.
 | Field | Meaning |
 | --- | --- |
@@ -165,20 +178,14 @@ Automatic routing works on the raw Copilot model IDs that `opencode` already use
 Wildcard matching is case-sensitive and currently supports `*` for zero or more characters anywhere in the pattern. For example, `claude-*` matches `claude-sonnet-4.6` and `claude-opus-4.6`.
-Example pool file:
+Example auth file (`~/.local/share/opencode/copilot-auth.json`):
 ```json
 {
-  "version": 1,
+  "version": 2,
   "accounts": [
     {
       "key": "github.com:12345678",
-      "id": "work",
-      "name": "Work",
-      "enabled": true,
-      "priority": 100,
-      "allowlist": ["claude-*"],
-      "blocklist": [],
       "deployment": "github.com",
       "domain": "github.com",
       "baseUrl": "https://api.githubcopilot.com",
@@ -196,3 +203,20 @@ Example pool file:
   ]
 }
 ```
+Example policy file (`~/.config/opencode/copilot-auth.json`):
+```json
+{
+  "version": 2,
+  "accounts": [
+    {
+      "key": "github.com:12345678",
+      "enabled": true,
+      "priority": 100,
+      "allowlist": ["claude-*"],
+      "blocklist": []
+    }
+  ]
+}
+```

package/README.zh.md ADDED Viewed

@@ -0,0 +1,218 @@
+# opencode-copilot-multi-auth
+[English](README.md)
+npm 上的包主页: https://www.npmjs.com/package/@gnahz77/opencode-copilot-multi-auth
+这个分支（fork）将旧的 GitHub Copilot chat-auth 流程替换为更新的 Copilot CLI 风格的 OAuth 流程，并使 `opencode` 使用您的账户实时获取的 Copilot 模型元数据。
+## 如何使用
+将该插件添加到您的 `opencode` 配置中：
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": [
+    "@gnahz77/opencode-copilot-multi-auth@0.1.5"
+  ]
+}
+```
+然后启动 `opencode` 并登录到 `github-copilot` 供应商。该插件处理类似 Copilot CLI 风格的设备授权流程，并在之后重用存储的 GitHub OAuth 令牌。
+如果您还希望使用该包提供的 TUI 命令支持，请将相同的插件添加到您的 `tui.json` 或 `tui.jsonc` 中：
+```json
+{
+  "$schema": "https://opencode.ai/tui.json",
+  "plugin": [
+    "@gnahz77/opencode-copilot-multi-auth@0.1.5"
+  ]
+}
+```
+重新启动 OpenCode TUI 后，您可以打开命令面板并运行 `copilot-usage`，或直接输入 `/copilot-usage`。
+插件会打开一个弹窗，显示从拆分的本地存储中加载的所有账户：
+- OAuth/账户数据：`~/.local/share/opencode/copilot-auth.json`
+- 单账户路由策略：`~/.config/opencode/copilot-auth.json`
+对于发布前的本地开发，您可以直接加载该文件：
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": [
+    "file:///absolute/path/to/dist/index.js"
+  ]
+}
+```
+重要提示：如果文件路径包含 `opencode-copilot-auth`，当前的 `opencode` 构建可能会因为硬编码的插件名称过滤器而跳过加载它。请使用不包含该子字符串的路径。
+如果您在开发过程中在本地加载插件并希望使用 `copilot-usage`，请同时将构建的 TUI 入口添加到您的 TUI 配置中：
+```json
+{
+  "$schema": "https://opencode.ai/tui.json",
+  "plugin": [
+    "file:///absolute/path/to/dist/tui.js"
+  ]
+}
+```
+## `copilot-usage` 命令
+此包现在包含一个名为 `copilot-usage` 的 TUI 命令。
+- 命令面板入口：`copilot-usage`
+- Slash 命令：`/copilot-usage`
+它的功能：
+- 从合并后的本地池中读取每个 Copilot 账户，池子组装自：
+  - `~/.local/share/opencode/copilot-auth.json` (OAuth/账户数据)
+  - `~/.config/opencode/copilot-auth.json` (路由策略)
+- 使用该账户的 OAuth 令牌，为每个账户调用 GitHub Copilot 的配额端点 `/copilot_internal/user`
+- 打开一个弹窗界面，为每个账户显示：
+  - 账户名称
+  - 已使用 / 总额度条
+  - 使用百分比
+注意事项：
+- 该命令是此包 TUI 目标的一部分，所以只配置 `opencode.json` 是不够的；`tui.json` 必须也加载此插件。
+- 被禁用的账户仍然会显示在弹窗中，并会被标记为已禁用。
+- 如果某个账户加载使用数据失败，弹窗仍会显示其他账户，并在行内包含该账户的错误消息。
+## 这个分支有什么改变
+- 授权流程：使用了类似 Copilot CLI 风格的 OAuth 客户端流程，并直接保留了 GitHub OAuth 令牌。
+- 授权配额：获取 `/copilot_internal/user`，并使用授权提供的 Copilot API 基础 URL。
+- 令牌交换：不再调用 `/copilot_internal/v2/token`。
+- 请求配置：使用较新的 `copilot-developer-cli` 请求头，替代了旧版的聊天配置。
+- 模型元数据：通过插件的 `provider.models` 钩子获取实时的 Copilot `/models` 响应，以便最终的 `opencode` 模型列表来源于 Copilot API 所支持的实时配额。
+## 上下文窗口与模型限制
+与上游的主要实际区别在于，此分支从 Copilot 动态应用实时的按模型限制，而不是仅依赖静态元数据。
+这意味着 `opencode` 可以看到 Copilot 宣告的以下各项的值：
+- `limit.context`
+- `limit.input`
+- `limit.output`
+截至 2026 年 3 月 10 日，此分支使用的实时 GitHub Copilot `/models` 响应暴露了 Copilot CLI 的模型配置。下表比较了实时 Copilot CLI 的上下文窗口与 [`models.dev`](https://models.dev) 上的静态 `github-copilot` 目录。
+| 模型                  | 此分支 (CLI 上下文) | `models.dev` 上下文 | 差异    |
+| ------------------- | ----------------------: | -------------------: | ---------: |
+| `claude-opus-4.6`   |                 200,000 |              128,000 |    +72,000 |
+| `claude-sonnet-4.6` |                 200,000 |              128,000 |    +72,000 |
+| `claude-haiku-4.5`  |                 144,000 |              128,000 |    +16,000 |
+实际收获是，该分支比静态的 `models.dev` 值提供了更大的实时 Claude 上下文窗口。
+此分支观察到的例子：
+- `claude-sonnet-4.6`
+  - context window (上下文窗口): `200000`
+  - prompt/input limit (提示/输入限制): `168000`
+  - output limit (输出限制): `32000`
+- `claude-opus-4.6`
+  - context window (上下文窗口): `200000`
+  - prompt/input limit (提示/输入限制): `168000`
+  - output limit (输出限制): `64000`
+- `claude-haiku-4.5`
+  - context window (上下文窗口): `144000`
+  - prompt/input limit (提示/输入限制): `128000`
+  - output limit (输出限制): `32000`
+如果不打这些补丁，`opencode` 可能会因为其使用的初始静态模型目录而显示过期或偏小的限制。
+## Claude 思考预算 (thinking budget) 行为
+此分支还改变了 Copilot Claude 请求的行为：
+- 当选择 `thinking` 变体时，它发送 `thinking_budget: 16000`
+- 当未选择变体时，它完全省略 `thinking_budget`
+这不同于上游的 `opencode`，上游目前为内置的 `thinking` 变体发送 `thinking_budget: 4000`。
+该插件故意不尝试修改 `opencode` 的核心 UI。所以可见的 Claude 变体列表依然由 `opencode` 本身控制；该分支改变的是请求行为，而不是内置变体选择器的标签。
+## 发布 (Publishing)
+```zsh
+./script/publish.ts
+```
+## 多账户支持
+此分支在分离的本地文件中保存 Copilot 的账户状态：
+- OAuth 必需的账户数据：`~/.local/share/opencode/copilot-auth.json`
+- 单账户路由策略：`~/.config/opencode/copilot-auth.json`
+在启动时，该插件会自动将旧版的单文件存储迁移到这种双文件布局中。
+每次成功的 OAuth 登录都会自动更新该池：用一个具有特定作用域部署的新账户登录会追加一条新记录，而在同一部署上用相同的 GitHub 身份再次登录会更新现有记录，而不是创建重复项。
+在运行时，插件将这两个文件合并为路由所用的同一内存中 `version: 2` 池结构 (`accounts`)。
+| 字段 | 含义 |
+| --- | --- |
+| `id` | 与账户记录一起存储的稳定的人类友好标识符。 |
+| `name` | 账户的显示名称。 |
+| `enabled` | 该账户是否能参与自动路由。被禁用的账户依然会保存，但在挑选赢家时会被忽略。 |
+| `priority` | 当多个已启用的账户都可以提供同一个原始模型 ID 的服务时，较低的值优先（即数字越小优先级越高）。 |
+| `allowlist` | 此账户获准提供服务的原始模型 ID 或 `*` 通配符模式。如果不为空，则账户只能提供与这些条目之一匹配的模型。 |
+| `blocklist` | 此账户绝对不能提供服务的原始模型 ID 或 `*` 通配符模式。如果 `allowlist` 和 `blocklist` 均不为空，插件会首先检查 `allowlist`，然后应用 `blocklist`。 |
+自动路由是基于 `opencode` 已经使用的原始 Copilot 模型 ID 来工作的。插件根据 `enabled` 过滤合格的账户，然后首先检查 `allowlist`（当不为空时，模型必须匹配其精确条目或通配符模式之一），然后应用 `blocklist`，最后通过最低的 `priority` 挑选出唯一的一个获胜账户（带有一个稳定的基于 key 的平局决胜机制）。模型 ID 本身没有被重写，因此账户标识不会出现在模型 ID 中。
+通配符匹配区分大小写，且目前支持用 `*` 表示模式中任意位置的零个或多个字符。例如，`claude-*` 可以匹配 `claude-sonnet-4.6` 和 `claude-opus-4.6`。
+示例授权文件 (`~/.local/share/opencode/copilot-auth.json`)：
+```json
+{
+  "version": 2,
+  "accounts": [
+    {
+      "key": "github.com:12345678",
+      "deployment": "github.com",
+      "domain": "github.com",
+      "baseUrl": "https://api.githubcopilot.com",
+      "identity": {
+        "login": "octocat",
+        "userId": 12345678
+      },
+      "auth": {
+        "type": "oauth",
+        "refresh": "<oauth token>"
+      },
+      "createdAt": "2026-04-15T00:00:00.000Z",
+      "updatedAt": "2026-04-15T00:00:00.000Z"
+    }
+  ]
+}
+```
+示例策略文件 (`~/.config/opencode/copilot-auth.json`)：
+```json
+{
+  "version": 2,
+  "accounts": [
+    {
+      "key": "github.com:12345678",
+      "enabled": true,
+      "priority": 100,
+      "allowlist": ["claude-*"],
+      "blocklist": []
+    }
+  ]
+}
+```

package/dist/auth.d.ts CHANGED Viewed

@@ -18,3 +18,4 @@ export declare function buildHeaders(init: RequestInit | undefined, copilotToken
 export declare function resolveSelectedPoolAccount(pool: AccountPool, accountKey?: string, requestedRawModelId?: string): PoolAccount | null;
 export declare function refreshSelectedAccountBaseURL(accountKey: string): Promise<PoolAccount>;
 export declare function fetchWithSelectedAccount(input: RequestInfo | URL, init: RequestInit | undefined, selectedAccount: PoolAccount): Promise<Response>;
+export declare function fetchWithAccountFallback(input: RequestInfo | URL, init: RequestInit | undefined, candidates: PoolAccount[]): Promise<Response>;

package/dist/auth.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { API_VERSION, COPILOT_TOKEN_EXPIRY_BUFFER_MS, DEFAULT_COPILOT_BASE_URL, VSCODE_HEADERS, } from "./constants.js";
 import { getSelectedAccountExpiredError, getSelectedAccountMissingError } from "./errors.js";
-import { readPool, resolveWinnerAccount, writePool } from "./pool.js";
+import { readPool, resolveWinnerAccount, writePoolAuthData } from "./pool.js";
 import { stripRoutingHeaders } from "./routing.js";
 import { applyBaseURLToRequestInput, getConversationMetadata, isValidBaseURL, normalizeDomain, normalizeHeaderObject, } from "./utils.js";
 export function getUrls(domain) {
@@ -208,7 +208,7 @@ export async function refreshSelectedAccountBaseURL(accountKey) {
             }
             : account),
     };
-    writePool(updatedPool);
+    writePoolAuthData(updatedPool);
     return updatedPool.accounts[accountIndex];
 }
 export async function fetchWithSelectedAccount(input, init, selectedAccount) {
@@ -237,3 +237,19 @@ export async function fetchWithSelectedAccount(input, init, selectedAccount) {
     }
     return retryResponse;
 }
+export async function fetchWithAccountFallback(input, init, candidates) {
+    if (candidates.length === 0) {
+        throw new Error("[opencode-copilot-cli-auth] No eligible accounts available for this model; re-login required");
+    }
+    let lastError;
+    for (const account of candidates) {
+        try {
+            return await fetchWithSelectedAccount(input, init, account);
+        }
+        catch (error) {
+            lastError = error;
+            console.warn(`[opencode-copilot-cli-auth] Account ${account.key ?? "unknown"} failed, trying next:`, error instanceof Error ? error.message : String(error));
+        }
+    }
+    throw lastError ?? new Error("[opencode-copilot-cli-auth] All candidate accounts exhausted; re-login required");
+}

package/dist/constants.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-export declare const ACCOUNT_POOL_SCHEMA_VERSION = 1;
+export declare const ACCOUNT_POOL_SCHEMA_VERSION = 2;
 export declare const ROUTING_ACCOUNT_KEY_HEADER = "x-opencode-copilot-account-key";
 export declare const ROUTING_SOURCE_HEADER = "x-opencode-copilot-route-source";
 export declare const INTERNAL_ROUTING_HEADERS: Set<string>;

package/dist/constants.js CHANGED Viewed

@@ -1,4 +1,4 @@
-export const ACCOUNT_POOL_SCHEMA_VERSION = 1;
+export const ACCOUNT_POOL_SCHEMA_VERSION = 2;
 export const ROUTING_ACCOUNT_KEY_HEADER = "x-opencode-copilot-account-key";
 export const ROUTING_SOURCE_HEADER = "x-opencode-copilot-route-source";
 export const INTERNAL_ROUTING_HEADERS = new Set([

package/dist/index.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import { lookupGitHubIdentity } from "./auth.js";
-import { deriveAccountKey, getPoolPath, readPool, resolveWinnerAccount, upsertAccount, writePool } from "./pool.js";
+import { deriveAccountKey, getPolicyPath, getPoolPath, migrateLegacyPoolStorageIfNeeded, readPool, resolveCandidateAccounts, resolveWinnerAccount, upsertAccount, writePool } from "./pool.js";
 import { injectRoutingHeaders, stripRoutingHeaders } from "./routing.js";
-export { getPoolPath, readPool, writePool, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveWinnerAccount };
+export { getPoolPath, getPolicyPath, readPool, writePool, migrateLegacyPoolStorageIfNeeded, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveCandidateAccounts, resolveWinnerAccount, };
 export { injectRoutingHeaders, stripRoutingHeaders };
 export declare const CopilotAuthPlugin: Plugin;

package/dist/index.js CHANGED Viewed

@@ -1,12 +1,18 @@
 import { CLIENT_ID, OAUTH_POLLING_SAFETY_MARGIN_MS, OAUTH_SCOPES, ROUTING_ACCOUNT_KEY_HEADER, ROUTING_SOURCE_HEADER, } from "./constants.js";
-import { buildHeaders, fetchEntitlement, fetchWithSelectedAccount, getBaseURL, getCopilotToken, getUrls, lookupGitHubIdentity, resolveSelectedPoolAccount, } from "./auth.js";
+import { buildHeaders, fetchEntitlement, fetchWithAccountFallback, fetchWithSelectedAccount, getBaseURL, getCopilotToken, getUrls, lookupGitHubIdentity, resolveSelectedPoolAccount, } from "./auth.js";
 import { buildPoolBackedModels, normalizeExistingModels, resolveProviderModels } from "./models.js";
-import { deriveAccountKey, getPoolPath, readPool, resolveWinnerAccount, upsertAccount, writePool, } from "./pool.js";
+import { deriveAccountKey, getPolicyPath, getPoolPath, migrateLegacyPoolStorageIfNeeded, readPool, resolveCandidateAccounts, resolveWinnerAccount, upsertAccount, writePool, } from "./pool.js";
 import { injectRoutingHeaders, stripRoutingHeaders } from "./routing.js";
 import { applyBaseURLToRequestInput, getHeader, getConversationMetadata, getRequestedRawModelId, normalizeDomain, resolveClaudeThinkingBudget, } from "./utils.js";
-export { getPoolPath, readPool, writePool, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveWinnerAccount };
+export { getPoolPath, getPolicyPath, readPool, writePool, migrateLegacyPoolStorageIfNeeded, deriveAccountKey, lookupGitHubIdentity, upsertAccount, resolveCandidateAccounts, resolveWinnerAccount, };
 export { injectRoutingHeaders, stripRoutingHeaders };
 export const CopilotAuthPlugin = async (input) => {
+    try {
+        migrateLegacyPoolStorageIfNeeded();
+    }
+    catch (error) {
+        console.warn("[opencode-copilot-cli-auth] Failed to run pool storage migration:", error instanceof Error ? error.message : String(error));
+    }
     return {
         provider: {
             id: "github-copilot",
@@ -59,6 +65,15 @@ export const CopilotAuthPlugin = async (input) => {
                         const accountKey = getHeader(init?.headers, ROUTING_ACCOUNT_KEY_HEADER);
                         const requestedRawModelId = getRequestedRawModelId(init);
                         if (pool.accounts.length > 0) {
+                            if (requestedRawModelId) {
+                                const candidates = resolveCandidateAccounts(requestedRawModelId, pool);
+                                const oauthCandidates = candidates.filter((account) => account.auth?.type === "oauth"
+                                    && typeof account.auth.refresh === "string"
+                                    && account.auth.refresh.trim());
+                                if (oauthCandidates.length > 0) {
+                                    return fetchWithAccountFallback(inputRequest, init, oauthCandidates);
+                                }
+                            }
                             const selectedAccount = resolveSelectedPoolAccount(pool, accountKey, requestedRawModelId);
                             if (selectedAccount?.auth?.type === "oauth") {
                                 return fetchWithSelectedAccount(inputRequest, init, selectedAccount);

package/dist/pool.d.ts CHANGED Viewed

@@ -1,8 +1,12 @@
 import type { AccountPool, PoolAccount, UpsertAccountData } from "./types.js";
 export declare function getPoolPath(): string;
+export declare function getPolicyPath(): string;
 export declare function validatePoolSchema(pool: unknown, context: string): AccountPool;
 export declare function readPool(): AccountPool;
 export declare function writePool(pool: AccountPool): void;
+export declare function writePoolAuthData(pool: AccountPool): void;
+export declare function migrateLegacyPoolStorageIfNeeded(): void;
 export declare function deriveAccountKey(deployment: string, userId: number): string;
 export declare function upsertAccount(pool: AccountPool, accountData: UpsertAccountData): AccountPool;
+export declare function resolveCandidateAccounts(rawModelId: string, pool: AccountPool): PoolAccount[];
 export declare function resolveWinnerAccount(rawModelId: string, pool: AccountPool): PoolAccount;

package/dist/pool.js CHANGED Viewed

@@ -6,44 +6,344 @@ import { matchesAnyModelIdPattern, normalizeDomain, normalizeIdSource, normalize
 export function getPoolPath() {
     return `${homedir()}/.local/share/opencode/copilot-auth.json`;
 }
-export function validatePoolSchema(pool, context) {
-    if (!pool
-        || typeof pool !== "object"
-        || pool.version !== ACCOUNT_POOL_SCHEMA_VERSION
-        || !Array.isArray(pool.accounts)) {
+export function getPolicyPath() {
+    return `${homedir()}/.config/opencode/copilot-auth.json`;
+}
+function assertObject(value, context) {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected object.`);
+    }
+    return value;
+}
+function assertString(value, context) {
+    if (typeof value !== "string") {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected string.`);
+    }
+    return value;
+}
+function assertNumber(value, context) {
+    if (typeof value !== "number" || !Number.isFinite(value)) {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected finite number.`);
+    }
+    return value;
+}
+function assertBoolean(value, context) {
+    if (typeof value !== "boolean") {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected boolean.`);
+    }
+    return value;
+}
+function assertNullableString(value, context) {
+    if (value === null) {
+        return null;
+    }
+    return assertString(value, context);
+}
+function assertStringArray(value, context) {
+    if (!Array.isArray(value) || value.some((item) => typeof item !== "string")) {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected string[].`);
+    }
+    return value;
+}
+function parsePoolIdentity(value, context) {
+    const identityObject = assertObject(value, context);
+    return {
+        login: assertString(identityObject.login, `${context}.login`),
+        userId: assertNumber(identityObject.userId, `${context}.userId`),
+    };
+}
+function parseOAuthAuth(value, context) {
+    const authObject = assertObject(value, context);
+    if (authObject.type !== "oauth") {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}.type: expected \"oauth\".`);
+    }
+    const parsed = {
+        type: "oauth",
+        refresh: assertString(authObject.refresh, `${context}.refresh`),
+    };
+    if (typeof authObject.access === "string") {
+        parsed.access = authObject.access;
+    }
+    if (typeof authObject.expires === "number" && Number.isFinite(authObject.expires)) {
+        parsed.expires = authObject.expires;
+    }
+    if (authObject.baseUrl === null || typeof authObject.baseUrl === "string") {
+        parsed.baseUrl = authObject.baseUrl;
+    }
+    if (typeof authObject.provider === "string") {
+        parsed.provider = authObject.provider;
+    }
+    if (typeof authObject.enterpriseUrl === "string") {
+        parsed.enterpriseUrl = authObject.enterpriseUrl;
+    }
+    return parsed;
+}
+function parseAuthPoolAccount(value, context) {
+    const account = assertObject(value, context);
+    return {
+        key: assertString(account.key, `${context}.key`),
+        deployment: assertString(account.deployment, `${context}.deployment`),
+        domain: assertString(account.domain, `${context}.domain`),
+        identity: parsePoolIdentity(account.identity, `${context}.identity`),
+        enterpriseUrl: assertNullableString(account.enterpriseUrl, `${context}.enterpriseUrl`),
+        baseUrl: assertNullableString(account.baseUrl, `${context}.baseUrl`),
+        auth: parseOAuthAuth(account.auth, `${context}.auth`),
+        createdAt: assertString(account.createdAt, `${context}.createdAt`),
+        updatedAt: assertString(account.updatedAt, `${context}.updatedAt`),
+    };
+}
+function parsePolicyPoolAccount(value, context) {
+    const account = assertObject(value, context);
+    return {
+        key: assertString(account.key, `${context}.key`),
+        enabled: assertBoolean(account.enabled, `${context}.enabled`),
+        priority: assertNumber(account.priority, `${context}.priority`),
+        allowlist: assertStringArray(account.allowlist, `${context}.allowlist`),
+        blocklist: assertStringArray(account.blocklist, `${context}.blocklist`),
+    };
+}
+function parseVersionedAccountsDocument(value, context) {
+    const document = assertObject(value, context);
+    if (document.version !== ACCOUNT_POOL_SCHEMA_VERSION || !Array.isArray(document.accounts)) {
         throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected { version: ${ACCOUNT_POOL_SCHEMA_VERSION}, accounts: [] } schema.`);
     }
-    return pool;
+    return {
+        version: document.version,
+        accounts: document.accounts,
+    };
 }
-export function readPool() {
-    const poolPath = getPoolPath();
-    if (!existsSync(poolPath)) {
-        const defaultPool = {
-            version: ACCOUNT_POOL_SCHEMA_VERSION,
-            accounts: [],
-        };
-        writePool(defaultPool);
-        return defaultPool;
+function parseLegacyVersionedAccountsDocument(value, context) {
+    const document = assertObject(value, context);
+    if (document.version !== 1 || !Array.isArray(document.accounts)) {
+        throw new Error(`[opencode-copilot-cli-auth] Invalid ${context}: expected legacy { version: 1, accounts: [] } schema.`);
     }
-    const raw = readFileSync(poolPath, "utf8");
-    let parsed;
+    return {
+        version: document.version,
+        accounts: document.accounts,
+    };
+}
+function validateAuthPoolSchema(pool, context) {
+    const parsed = parseVersionedAccountsDocument(pool, context);
+    return {
+        version: parsed.version,
+        accounts: parsed.accounts.map((account, index) => parseAuthPoolAccount(account, `${context}.accounts[${index}]`)),
+    };
+}
+function validatePolicyPoolSchema(pool, context) {
+    const parsed = parseVersionedAccountsDocument(pool, context);
+    return {
+        version: parsed.version,
+        accounts: parsed.accounts.map((account, index) => parsePolicyPoolAccount(account, `${context}.accounts[${index}]`)),
+    };
+}
+function validateLegacyPoolSchema(pool, context) {
+    const parsed = parseLegacyVersionedAccountsDocument(pool, context);
+    return {
+        version: parsed.version,
+        accounts: parsed.accounts.map((account, index) => {
+            const accountObject = assertObject(account, `${context}.accounts[${index}]`);
+            return {
+                key: assertString(accountObject.key, `${context}.accounts[${index}].key`),
+                id: assertString(accountObject.id, `${context}.accounts[${index}].id`),
+                name: assertString(accountObject.name, `${context}.accounts[${index}].name`),
+                enabled: assertBoolean(accountObject.enabled, `${context}.accounts[${index}].enabled`),
+                priority: assertNumber(accountObject.priority, `${context}.accounts[${index}].priority`),
+                deployment: assertString(accountObject.deployment, `${context}.accounts[${index}].deployment`),
+                domain: assertString(accountObject.domain, `${context}.accounts[${index}].domain`),
+                identity: parsePoolIdentity(accountObject.identity, `${context}.accounts[${index}].identity`),
+                enterpriseUrl: assertNullableString(accountObject.enterpriseUrl, `${context}.accounts[${index}].enterpriseUrl`),
+                baseUrl: assertNullableString(accountObject.baseUrl, `${context}.accounts[${index}].baseUrl`),
+                allowlist: assertStringArray(accountObject.allowlist, `${context}.accounts[${index}].allowlist`),
+                blocklist: assertStringArray(accountObject.blocklist, `${context}.accounts[${index}].blocklist`),
+                auth: parseOAuthAuth(accountObject.auth, `${context}.accounts[${index}].auth`),
+                createdAt: assertString(accountObject.createdAt, `${context}.accounts[${index}].createdAt`),
+                updatedAt: assertString(accountObject.updatedAt, `${context}.accounts[${index}].updatedAt`),
+            };
+        }),
+    };
+}
+function toDefaultPolicyAccount(account) {
+    return {
+        key: account.key,
+        enabled: true,
+        priority: 0,
+        allowlist: [],
+        blocklist: [],
+    };
+}
+function parseJsonFile(filePath, context) {
+    const raw = readFileSync(filePath, "utf8");
     try {
-        parsed = JSON.parse(raw);
+        return JSON.parse(raw);
     }
     catch (error) {
-        throw new Error(`[opencode-copilot-cli-auth] Malformed JSON in account pool file at ${poolPath}: ${error instanceof Error ? error.message : String(error)}`);
+        throw new Error(`[opencode-copilot-cli-auth] Malformed JSON in ${context} at ${filePath}: ${error instanceof Error ? error.message : String(error)}`);
     }
-    return validatePoolSchema(parsed, `account pool file at ${poolPath}`);
+}
+function writeJsonAtomic(filePath, payload) {
+    const directoryPath = dirname(filePath);
+    const tmpPath = `${filePath}.tmp`;
+    mkdirSync(directoryPath, { recursive: true });
+    writeFileSync(tmpPath, `${JSON.stringify(payload, null, 2)}\n`, "utf8");
+    renameSync(tmpPath, filePath);
+    chmodSync(filePath, 0o600);
+}
+function buildAuthPoolDocument(pool) {
+    return {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: pool.accounts.map((account) => ({
+            key: account.key,
+            deployment: account.deployment,
+            domain: account.domain,
+            identity: account.identity,
+            enterpriseUrl: account.enterpriseUrl,
+            baseUrl: account.baseUrl,
+            auth: account.auth,
+            createdAt: account.createdAt,
+            updatedAt: account.updatedAt,
+        })),
+    };
+}
+function buildPolicyPoolDocument(pool) {
+    return {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: pool.accounts.map((account) => ({
+            key: account.key,
+            enabled: account.enabled,
+            priority: account.priority,
+            allowlist: account.allowlist,
+            blocklist: account.blocklist,
+        })),
+    };
+}
+function mergePoolDocuments(authPool, policyPool) {
+    const policyByKey = new Map(policyPool.accounts.map((account) => [account.key, account]));
+    const merged = {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: authPool.accounts.map((authAccount) => {
+            const policy = policyByKey.get(authAccount.key) ?? toDefaultPolicyAccount(authAccount);
+            const userIdText = String(authAccount.identity.userId);
+            const fallbackId = normalizeIdSource(authAccount.identity.login || userIdText) || userIdText;
+            const fallbackName = authAccount.identity.login || userIdText;
+            return {
+                key: authAccount.key,
+                id: fallbackId,
+                name: fallbackName,
+                enabled: policy.enabled,
+                priority: policy.priority,
+                deployment: authAccount.deployment,
+                domain: authAccount.domain,
+                identity: authAccount.identity,
+                enterpriseUrl: authAccount.enterpriseUrl,
+                baseUrl: authAccount.baseUrl,
+                allowlist: policy.allowlist,
+                blocklist: policy.blocklist,
+                auth: authAccount.auth,
+                createdAt: authAccount.createdAt,
+                updatedAt: authAccount.updatedAt,
+            };
+        }),
+    };
+    return validatePoolSchema(merged, "merged account pool");
+}
+export function validatePoolSchema(pool, context) {
+    const parsed = parseVersionedAccountsDocument(pool, context);
+    return {
+        version: parsed.version,
+        accounts: parsed.accounts.map((account, index) => {
+            const accountObject = assertObject(account, `${context}.accounts[${index}]`);
+            return {
+                key: assertString(accountObject.key, `${context}.accounts[${index}].key`),
+                id: assertString(accountObject.id, `${context}.accounts[${index}].id`),
+                name: assertString(accountObject.name, `${context}.accounts[${index}].name`),
+                enabled: assertBoolean(accountObject.enabled, `${context}.accounts[${index}].enabled`),
+                priority: assertNumber(accountObject.priority, `${context}.accounts[${index}].priority`),
+                deployment: assertString(accountObject.deployment, `${context}.accounts[${index}].deployment`),
+                domain: assertString(accountObject.domain, `${context}.accounts[${index}].domain`),
+                identity: parsePoolIdentity(accountObject.identity, `${context}.accounts[${index}].identity`),
+                enterpriseUrl: assertNullableString(accountObject.enterpriseUrl, `${context}.accounts[${index}].enterpriseUrl`),
+                baseUrl: assertNullableString(accountObject.baseUrl, `${context}.accounts[${index}].baseUrl`),
+                allowlist: assertStringArray(accountObject.allowlist, `${context}.accounts[${index}].allowlist`),
+                blocklist: assertStringArray(accountObject.blocklist, `${context}.accounts[${index}].blocklist`),
+                auth: parseOAuthAuth(accountObject.auth, `${context}.accounts[${index}].auth`),
+                createdAt: assertString(accountObject.createdAt, `${context}.accounts[${index}].createdAt`),
+                updatedAt: assertString(accountObject.updatedAt, `${context}.accounts[${index}].updatedAt`),
+            };
+        }),
+    };
+}
+export function readPool() {
+    const authPath = getPoolPath();
+    const policyPath = getPolicyPath();
+    const defaultDocument = {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: [],
+    };
+    if (!existsSync(authPath)) {
+        writeJsonAtomic(authPath, defaultDocument);
+    }
+    if (!existsSync(policyPath)) {
+        writeJsonAtomic(policyPath, defaultDocument);
+    }
+    const parsedAuth = parseJsonFile(authPath, "Copilot auth file");
+    const parsedPolicy = parseJsonFile(policyPath, "Copilot routing policy file");
+    const authPool = validateAuthPoolSchema(parsedAuth, `auth pool file at ${authPath}`);
+    const policyPool = validatePolicyPoolSchema(parsedPolicy, `policy pool file at ${policyPath}`);
+    return mergePoolDocuments(authPool, policyPool);
 }
 export function writePool(pool) {
     const validatedPool = validatePoolSchema(pool, "account pool payload");
-    const poolPath = getPoolPath();
-    const dirPath = dirname(poolPath);
-    const tmpPath = `${poolPath}.tmp`;
-    mkdirSync(dirPath, { recursive: true });
-    writeFileSync(tmpPath, `${JSON.stringify(validatedPool, null, 2)}\n`, "utf8");
-    renameSync(tmpPath, poolPath);
-    chmodSync(poolPath, 0o600);
+    const authDocument = validateAuthPoolSchema(buildAuthPoolDocument(validatedPool), "auth pool payload");
+    const policyDocument = validatePolicyPoolSchema(buildPolicyPoolDocument(validatedPool), "policy pool payload");
+    writeJsonAtomic(getPolicyPath(), policyDocument);
+    writeJsonAtomic(getPoolPath(), authDocument);
+}
+export function writePoolAuthData(pool) {
+    const validatedPool = validatePoolSchema(pool, "account pool payload");
+    const authDocument = validateAuthPoolSchema(buildAuthPoolDocument(validatedPool), "auth pool payload");
+    writeJsonAtomic(getPoolPath(), authDocument);
+}
+export function migrateLegacyPoolStorageIfNeeded() {
+    const authPath = getPoolPath();
+    const policyPath = getPolicyPath();
+    if (!existsSync(authPath)) {
+        return;
+    }
+    const parsed = parseJsonFile(authPath, "Copilot account pool file");
+    try {
+        const legacyPool = validateLegacyPoolSchema(parsed, `legacy account pool file at ${authPath}`);
+        const existingPolicy = existsSync(policyPath)
+            ? validatePolicyPoolSchema(parseJsonFile(policyPath, "Copilot routing policy file"), `policy pool file at ${policyPath}`)
+            : null;
+        const migratedPolicy = {
+            version: ACCOUNT_POOL_SCHEMA_VERSION,
+            accounts: legacyPool.accounts.map((account) => {
+                const existingPolicyAccount = existingPolicy?.accounts.find((candidate) => candidate.key === account.key);
+                return existingPolicyAccount ?? {
+                    key: account.key,
+                    enabled: account.enabled,
+                    priority: account.priority,
+                    allowlist: account.allowlist,
+                    blocklist: account.blocklist,
+                };
+            }),
+        };
+        writeJsonAtomic(policyPath, validatePolicyPoolSchema(migratedPolicy, "migrated policy pool payload"));
+        writeJsonAtomic(authPath, validateAuthPoolSchema(buildAuthPoolDocument(legacyPool), "migrated auth pool payload"));
+        return;
+    }
+    catch {
+        // Intentionally continue: file may already be auth-only format or a non-legacy document.
+    }
+    if (existsSync(policyPath)) {
+        return;
+    }
+    const authPool = validateAuthPoolSchema(parsed, `auth pool file at ${authPath}`);
+    const defaultPolicyPool = {
+        version: ACCOUNT_POOL_SCHEMA_VERSION,
+        accounts: authPool.accounts.map((account) => toDefaultPolicyAccount(account)),
+    };
+    writeJsonAtomic(policyPath, validatePolicyPoolSchema(defaultPolicyPool, "default policy pool payload"));
 }
 function deriveDefaultAccountId(accounts, key, identity) {
     const userIdText = String(identity.userId);
@@ -134,7 +434,7 @@ export function upsertAccount(pool, accountData) {
         accounts: nextAccounts,
     };
 }
-export function resolveWinnerAccount(rawModelId, pool) {
+export function resolveCandidateAccounts(rawModelId, pool) {
     const canAccountServeModel = (account) => {
         const allowlist = normalizeList(account?.allowlist);
         if (allowlist.length > 0 && !matchesAnyModelIdPattern(allowlist, rawModelId)) {
@@ -143,7 +443,7 @@ export function resolveWinnerAccount(rawModelId, pool) {
         const blocklist = normalizeList(account?.blocklist);
         return !matchesAnyModelIdPattern(blocklist, rawModelId);
     };
-    const candidates = (Array.isArray(pool?.accounts) ? pool.accounts : [])
+    return (Array.isArray(pool?.accounts) ? pool.accounts : [])
         .filter((account) => account?.enabled !== false)
         .filter(canAccountServeModel)
         .sort((left, right) => {
@@ -153,5 +453,7 @@ export function resolveWinnerAccount(rawModelId, pool) {
         }
         return String(left?.key ?? "").localeCompare(String(right?.key ?? ""));
     });
-    return candidates[0] ?? null;
+}
+export function resolveWinnerAccount(rawModelId, pool) {
+    return resolveCandidateAccounts(rawModelId, pool)[0] ?? null;
 }

package/dist/tui.js CHANGED Viewed

@@ -22,7 +22,7 @@ async function showCopilotUsageDialog(api) {
     }
 }
 const tui = async (api) => {
-    api.command.register(() => [
+    api.command?.register(() => [
         {
             title: "Copilot Usage",
             value: "copilot-usage",

package/dist/types.d.ts CHANGED Viewed

@@ -28,6 +28,24 @@ export interface PoolAccount {
     createdAt: string;
     updatedAt: string;
 }
+export interface AuthPoolAccount {
+    key: string;
+    deployment: string;
+    domain: string;
+    identity: PoolIdentity;
+    enterpriseUrl: string | null;
+    baseUrl: string | null;
+    auth: OAuthAuth;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface PolicyPoolAccount {
+    key: string;
+    enabled: boolean;
+    priority: number;
+    allowlist: string[];
+    blocklist: string[];
+}
 export interface UpsertAccountData {
     key: string;
     deployment?: string;
@@ -42,6 +60,14 @@ export interface AccountPool {
     version: number;
     accounts: PoolAccount[];
 }
+export interface AuthPoolDocument {
+    version: number;
+    accounts: AuthPoolAccount[];
+}
+export interface PolicyPoolDocument {
+    version: number;
+    accounts: PolicyPoolAccount[];
+}
 export interface LiveModel {
     id: string;
     name?: string;

package/dist/usage.js CHANGED Viewed

@@ -106,7 +106,7 @@ export async function getCopilotUsageDialogMessage() {
     const pool = readPool();
     const accounts = [...pool.accounts].sort((left, right) => left.key.localeCompare(right.key));
     if (accounts.length === 0) {
-        throw new Error("No Copilot accounts found in the account pool. Log in again to populate ~/.local/share/opencode/copilot-auth.json.");
+        throw new Error("No Copilot accounts found in the account pool. Log in again to populate ~/.local/share/opencode/copilot-auth.json (auth) and ~/.config/opencode/copilot-auth.json (policy).");
     }
     const sections = await Promise.all(accounts.map((account) => getCopilotUsageSummary(account)));
     return sections.join("\n\n");

package/index.mjs CHANGED Viewed

@@ -1,9 +1,11 @@
 export {
   CopilotAuthPlugin,
   deriveAccountKey,
+  getPolicyPath,
   getPoolPath,
   injectRoutingHeaders,
   lookupGitHubIdentity,
+  migrateLegacyPoolStorageIfNeeded,
   readPool,
   resolveWinnerAccount,
   stripRoutingHeaders,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@gnahz77/opencode-copilot-multi-auth",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",