@ottocode/server 0.1.224 → 0.1.226

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ottocode/server",
-	"version": "0.1.224",
+	"version": "0.1.226",
 	"description": "HTTP API server for ottocode",
 	"type": "module",
 	"main": "./src/index.ts",
@@ -49,8 +49,8 @@
 		"typecheck": "tsc --noEmit"
 	},
 	"dependencies": {
-		"@ottocode/sdk": "0.1.224",
-		"@ottocode/database": "0.1.224",
+		"@ottocode/sdk": "0.1.226",
+		"@ottocode/database": "0.1.226",
 		"drizzle-orm": "^0.44.5",
 		"hono": "^4.9.9",
 		"zod": "^4.3.6"

package/src/openapi/paths/auth.ts

@@ -35,6 +35,8 @@ export const authPaths = {
 												},
 												label: { type: 'string' },
 												supportsOAuth: { type: 'boolean' },
+												supportsToken: { type: 'boolean' },
+												supportsGhImport: { type: 'boolean' },
 												modelCount: { type: 'integer' },
 												costRange: {
 													type: 'object',
@@ -473,6 +475,194 @@ export const authPaths = {
 			},
 		},
 	},
+	'/v1/auth/copilot/methods': {
+		get: {
+			tags: ['auth'],
+			operationId: 'getCopilotAuthMethods',
+			summary: 'Get available Copilot auth methods',
+			responses: {
+				200: {
+					description: 'OK',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: {
+									oauth: { type: 'boolean' },
+									token: { type: 'boolean' },
+									ghImport: {
+										type: 'object',
+										properties: {
+											available: { type: 'boolean' },
+											authenticated: { type: 'boolean' },
+											reason: { type: 'string' },
+										},
+										required: ['available', 'authenticated'],
+									},
+								},
+								required: ['oauth', 'token', 'ghImport'],
+							},
+						},
+					},
+				},
+			},
+		},
+	},
+	'/v1/auth/copilot/token': {
+		post: {
+			tags: ['auth'],
+			operationId: 'saveCopilotToken',
+			summary: 'Save Copilot token after validating model access',
+			requestBody: {
+				required: true,
+				content: {
+					'application/json': {
+						schema: {
+							type: 'object',
+							properties: {
+								token: { type: 'string' },
+							},
+							required: ['token'],
+						},
+					},
+				},
+			},
+			responses: {
+				200: {
+					description: 'OK',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: {
+									success: { type: 'boolean' },
+									provider: { type: 'string' },
+									source: { type: 'string', enum: ['token'] },
+									modelCount: { type: 'integer' },
+									hasGpt52Codex: { type: 'boolean' },
+									sampleModels: {
+										type: 'array',
+										items: { type: 'string' },
+									},
+								},
+								required: [
+									'success',
+									'provider',
+									'source',
+									'modelCount',
+									'hasGpt52Codex',
+									'sampleModels',
+								],
+							},
+						},
+					},
+				},
+				400: errorResponse(),
+			},
+		},
+	},
+	'/v1/auth/copilot/gh/import': {
+		post: {
+			tags: ['auth'],
+			operationId: 'importCopilotTokenFromGh',
+			summary: 'Import Copilot token from GitHub CLI (gh)',
+			responses: {
+				200: {
+					description: 'OK',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: {
+									success: { type: 'boolean' },
+									provider: { type: 'string' },
+									source: { type: 'string', enum: ['gh'] },
+									modelCount: { type: 'integer' },
+									hasGpt52Codex: { type: 'boolean' },
+									sampleModels: {
+										type: 'array',
+										items: { type: 'string' },
+									},
+								},
+								required: [
+									'success',
+									'provider',
+									'source',
+									'modelCount',
+									'hasGpt52Codex',
+									'sampleModels',
+								],
+							},
+						},
+					},
+				},
+				400: errorResponse(),
+			},
+		},
+	},
+	'/v1/auth/copilot/diagnostics': {
+		get: {
+			tags: ['auth'],
+			operationId: 'getCopilotDiagnostics',
+			summary: 'Get Copilot token diagnostics and model visibility',
+			responses: {
+				200: {
+					description: 'OK',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: {
+									tokenSources: {
+										type: 'array',
+										items: {
+											type: 'object',
+											properties: {
+												source: {
+													type: 'string',
+													enum: ['env', 'stored'],
+												},
+												configured: { type: 'boolean' },
+												modelCount: { type: 'integer' },
+												hasGpt52Codex: { type: 'boolean' },
+												sampleModels: {
+													type: 'array',
+													items: { type: 'string' },
+												},
+												restrictedByOrgPolicy: { type: 'boolean' },
+												restrictedOrg: { type: 'string' },
+												restrictionMessage: { type: 'string' },
+												error: { type: 'string' },
+											},
+											required: ['source', 'configured'],
+										},
+									},
+									methods: {
+										type: 'object',
+										properties: {
+											oauth: { type: 'boolean' },
+											token: { type: 'boolean' },
+											ghImport: {
+												type: 'object',
+												properties: {
+													available: { type: 'boolean' },
+													authenticated: { type: 'boolean' },
+													reason: { type: 'string' },
+												},
+												required: ['available', 'authenticated'],
+											},
+										},
+										required: ['oauth', 'token', 'ghImport'],
+									},
+								},
+								required: ['tokenSources', 'methods'],
+							},
+						},
+					},
+				},
+			},
+		},
+	},
 	'/v1/auth/onboarding/complete': {
 		post: {
 			tags: ['auth'],

package/src/openapi/paths/setu.ts

@@ -447,4 +447,148 @@ export const setuPaths = {
 			},
 		},
 	},
+	'/v1/setu/topup/razorpay/estimate': {
+		get: {
+			tags: ['setu'],
+			operationId: 'getRazorpayTopupEstimate',
+			summary: 'Get estimated fees for a Razorpay topup',
+			parameters: [
+				{
+					in: 'query',
+					name: 'amount',
+					required: true,
+					schema: { type: 'number' },
+					description: 'Amount in USD',
+				},
+			],
+			responses: {
+				200: {
+					description: 'OK',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: {
+									creditAmountUsd: { type: 'number' },
+									chargeAmountInr: { type: 'number' },
+									feeAmountInr: { type: 'number' },
+									currency: { type: 'string' },
+									exchangeRate: { type: 'number' },
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	},
+	'/v1/setu/topup/razorpay': {
+		post: {
+			tags: ['setu'],
+			operationId: 'createRazorpayOrder',
+			summary: 'Create a Razorpay order for topping up',
+			requestBody: {
+				required: true,
+				content: {
+					'application/json': {
+						schema: {
+							type: 'object',
+							properties: {
+								amount: { type: 'number' },
+							},
+							required: ['amount'],
+						},
+					},
+				},
+			},
+			responses: {
+				200: {
+					description: 'OK',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: {
+									success: { type: 'boolean' },
+									orderId: { type: 'string' },
+									amount: { type: 'number' },
+									currency: { type: 'string' },
+									creditAmountUsd: { type: 'number' },
+									keyId: { type: 'string' },
+								},
+							},
+						},
+					},
+				},
+				401: {
+					description: 'Wallet not configured',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: { error: { type: 'string' } },
+								required: ['error'],
+							},
+						},
+					},
+				},
+			},
+		},
+	},
+	'/v1/setu/topup/razorpay/verify': {
+		post: {
+			tags: ['setu'],
+			operationId: 'verifyRazorpayPayment',
+			summary: 'Verify Razorpay payment and credit balance',
+			requestBody: {
+				required: true,
+				content: {
+					'application/json': {
+						schema: {
+							type: 'object',
+							properties: {
+								razorpay_order_id: { type: 'string' },
+								razorpay_payment_id: { type: 'string' },
+								razorpay_signature: { type: 'string' },
+							},
+							required: [
+								'razorpay_order_id',
+								'razorpay_payment_id',
+								'razorpay_signature',
+							],
+						},
+					},
+				},
+			},
+			responses: {
+				200: {
+					description: 'OK',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: {
+									success: { type: 'boolean' },
+									credited: { type: 'number' },
+									newBalance: { type: 'number' },
+								},
+							},
+						},
+					},
+				},
+				401: {
+					description: 'Wallet not configured',
+					content: {
+						'application/json': {
+							schema: {
+								type: 'object',
+								properties: { error: { type: 'string' } },
+								required: ['error'],
+							},
+						},
+					},
+				},
+			},
+		},
+	},
 } as const;

package/src/routes/auth.ts

@@ -1,6 +1,7 @@
 import type { Hono } from 'hono';
 import {
 	getAllAuth,
+	getAuth,
 	setAuth,
 	removeAuth,
 	ensureSetuWallet,
@@ -8,6 +9,7 @@ import {
 	importWallet,
 	loadConfig,
 	catalog,
+	readEnvKey,
 	getOnboardingComplete,
 	setOnboardingComplete,
 	authorize,
@@ -20,6 +22,7 @@ import {
 	pollForCopilotTokenOnce,
 	type ProviderId,
 } from '@ottocode/sdk';
+import { execFileSync, spawnSync } from 'node:child_process';
 import { logger } from '@ottocode/sdk';
 import { serializeError } from '../runtime/errors/api-error.ts';
 
@@ -33,6 +36,172 @@ const copilotDeviceSessions = new Map<
 	{ deviceCode: string; interval: number; provider: string; createdAt: number }
 >();
 
+const COPILOT_MODELS_URL = 'https://api.githubcopilot.com/models';
+const GH_CAPABILITY_CACHE_TTL_MS = 60 * 1000;
+
+let ghCapabilityCache: {
+	expiresAt: number;
+	value: { available: boolean; authenticated: boolean; reason?: string };
+} = {
+	expiresAt: 0,
+	value: {
+		available: false,
+		authenticated: false,
+		reason: 'Not checked yet',
+	},
+};
+
+function getGhImportCapability() {
+	if (ghCapabilityCache.expiresAt > Date.now()) return ghCapabilityCache.value;
+
+	const version = spawnSync('gh', ['--version'], {
+		encoding: 'utf8',
+		stdio: ['ignore', 'pipe', 'pipe'],
+	});
+	if (version.status !== 0) {
+		ghCapabilityCache = {
+			expiresAt: Date.now() + GH_CAPABILITY_CACHE_TTL_MS,
+			value: {
+				available: false,
+				authenticated: false,
+				reason: 'GitHub CLI (gh) is not installed',
+			},
+		};
+		return ghCapabilityCache.value;
+	}
+
+	const authStatus = spawnSync('gh', ['auth', 'status', '-h', 'github.com'], {
+		encoding: 'utf8',
+		stdio: ['ignore', 'pipe', 'pipe'],
+	});
+	if (authStatus.status !== 0) {
+		ghCapabilityCache = {
+			expiresAt: Date.now() + GH_CAPABILITY_CACHE_TTL_MS,
+			value: {
+				available: true,
+				authenticated: false,
+				reason: 'Run `gh auth login` first',
+			},
+		};
+		return ghCapabilityCache.value;
+	}
+
+	ghCapabilityCache = {
+		expiresAt: Date.now() + GH_CAPABILITY_CACHE_TTL_MS,
+		value: {
+			available: true,
+			authenticated: true,
+		},
+	};
+	return ghCapabilityCache.value;
+}
+
+function parseErrorMessageFromBody(text: string): string | undefined {
+	if (!text) return undefined;
+	try {
+		const parsed = JSON.parse(text) as {
+			message?: string;
+			error?: { message?: string };
+		};
+		return parsed.error?.message ?? parsed.message;
+	} catch {
+		return undefined;
+	}
+}
+
+async function fetchCopilotModels(token: string): Promise<
+	| {
+			ok: true;
+			models: Set<string>;
+	  }
+	| {
+			ok: false;
+			status: number;
+			message: string;
+	  }
+> {
+	try {
+		const response = await fetch(COPILOT_MODELS_URL, {
+			headers: {
+				Authorization: `Bearer ${token}`,
+				'Openai-Intent': 'conversation-edits',
+				'User-Agent': 'ottocode',
+			},
+		});
+		const text = await response.text();
+		if (!response.ok) {
+			return {
+				ok: false,
+				status: response.status,
+				message:
+					parseErrorMessageFromBody(text) ||
+					`Copilot models endpoint returned ${response.status}`,
+			};
+		}
+
+		const payload = JSON.parse(text) as {
+			data?: Array<{ id?: string }>;
+		};
+		const models = new Set(
+			(payload.data ?? [])
+				.map((item) => item.id)
+				.filter((id): id is string => Boolean(id)),
+		);
+		return { ok: true, models };
+	} catch (error) {
+		const message =
+			error instanceof Error ? error.message : 'Failed to fetch Copilot models';
+		return { ok: false, status: 0, message };
+	}
+}
+
+async function detectOAuthOrgRestriction(token: string): Promise<{
+	restricted: boolean;
+	org?: string;
+	message?: string;
+}> {
+	try {
+		const orgsResponse = await fetch('https://api.github.com/user/orgs', {
+			headers: {
+				Authorization: `Bearer ${token}`,
+				'User-Agent': 'ottocode',
+				Accept: 'application/vnd.github+json',
+			},
+		});
+		if (!orgsResponse.ok) {
+			return { restricted: false };
+		}
+
+		const orgs = (await orgsResponse.json()) as Array<{ login?: string }>;
+		for (const org of orgs) {
+			if (!org.login) continue;
+			const membershipResponse = await fetch(
+				`https://api.github.com/user/memberships/orgs/${org.login}`,
+				{
+					headers: {
+						Authorization: `Bearer ${token}`,
+						'User-Agent': 'ottocode',
+						Accept: 'application/vnd.github+json',
+					},
+				},
+			);
+			if (membershipResponse.status !== 403) continue;
+
+			const bodyText = await membershipResponse.text();
+			const message = parseErrorMessageFromBody(bodyText) || bodyText;
+			if (message.includes('enabled OAuth App access restrictions')) {
+				return {
+					restricted: true,
+					org: org.login,
+					message,
+				};
+			}
+		}
+	} catch {}
+
+	return { restricted: false };
+}
+
 setInterval(() => {
 	const now = Date.now();
 	for (const [key, value] of oauthVerifiers.entries()) {
@@ -55,6 +224,7 @@ export function registerAuthRoutes(app: Hono) {
 			const cfg = await loadConfig(projectRoot);
 			const onboardingComplete = await getOnboardingComplete(projectRoot);
 			const setuWallet = await getSetuWallet(projectRoot);
+			const ghImportCapability = getGhImportCapability();
 
 			const providers: Record<
 				string,
@@ -63,6 +233,8 @@ export function registerAuthRoutes(app: Hono) {
 					type?: 'api' | 'oauth' | 'wallet';
 					label: string;
 					supportsOAuth: boolean;
+					supportsToken?: boolean;
+					supportsGhImport?: boolean;
 					modelCount: number;
 					costRange?: { min: number; max: number };
 				}
@@ -81,6 +253,9 @@ export function registerAuthRoutes(app: Hono) {
 					label: entry.label || id,
 					supportsOAuth:
 						id === 'anthropic' || id === 'openai' || id === 'copilot',
+					supportsToken: id === 'copilot',
+					supportsGhImport:
+						id === 'copilot' ? ghImportCapability.available : false,
 					modelCount: models.length,
 					costRange:
 						costs.length > 0
@@ -213,15 +388,15 @@ export function registerAuthRoutes(app: Hono) {
 	app.post('/v1/auth/:provider/oauth/url', async (c) => {
 		try {
 			const provider = c.req.param('provider');
-			const { mode = 'max' } = await c.req
-				.json<{ mode?: string }>()
-				.catch(() => ({}));
+			const body = await c.req.json<{ mode?: string }>().catch(() => undefined);
+			const mode: 'max' | 'console' =
+				body?.mode === 'console' ? 'console' : 'max';
 
 			let url: string;
 			let verifier: string;
 
 			if (provider === 'anthropic') {
-				const result = await authorize(mode as 'max' | 'console');
+				const result = await authorize(mode);
 				url = result.url;
 				verifier = result.verifier;
 			} else if (provider === 'openai') {
@@ -585,6 +760,215 @@ export function registerAuthRoutes(app: Hono) {
 		}
 	});
 
+	app.get('/v1/auth/copilot/methods', async (c) => {
+		const ghImport = getGhImportCapability();
+		return c.json({
+			oauth: true,
+			token: true,
+			ghImport,
+		});
+	});
+
+	app.post('/v1/auth/copilot/token', async (c) => {
+		try {
+			const { token } = await c.req.json<{ token: string }>();
+			const sanitized = token?.trim();
+			if (!sanitized) {
+				return c.json({ error: 'Copilot token is required' }, 400);
+			}
+
+			const modelsResult = await fetchCopilotModels(sanitized);
+			if (!modelsResult.ok) {
+				return c.json(
+					{
+						error: `Invalid Copilot token: ${modelsResult.message}`,
+					},
+					400,
+				);
+			}
+
+			await setAuth(
+				'copilot',
+				{
+					type: 'oauth',
+					refresh: sanitized,
+					access: sanitized,
+					expires: 0,
+				},
+				undefined,
+				'global',
+			);
+
+			const models = Array.from(modelsResult.models).sort();
+			return c.json({
+				success: true,
+				provider: 'copilot',
+				source: 'token',
+				modelCount: models.length,
+				hasGpt52Codex: modelsResult.models.has('gpt-5.2-codex'),
+				sampleModels: models.slice(0, 25),
+			});
+		} catch (error) {
+			const message =
+				error instanceof Error ? error.message : 'Failed to save Copilot token';
+			logger.error('Failed to save Copilot token', error);
+			return c.json({ error: message }, 500);
+		}
+	});
+
+	app.post('/v1/auth/copilot/gh/import', async (c) => {
+		try {
+			const ghImport = getGhImportCapability();
+			if (!ghImport.available) {
+				return c.json(
+					{
+						error: ghImport.reason || 'GitHub CLI is not available',
+					},
+					400,
+				);
+			}
+			if (!ghImport.authenticated) {
+				return c.json(
+					{
+						error: ghImport.reason || 'GitHub CLI is not authenticated',
+					},
+					400,
+				);
+			}
+
+			const ghToken = execFileSync('gh', ['auth', 'token'], {
+				encoding: 'utf8',
+				stdio: ['ignore', 'pipe', 'pipe'],
+			}).trim();
+			if (!ghToken) {
+				return c.json({ error: 'GitHub CLI returned an empty token' }, 400);
+			}
+
+			const modelsResult = await fetchCopilotModels(ghToken);
+			if (!modelsResult.ok) {
+				return c.json(
+					{
+						error: `Imported gh token is not valid for Copilot: ${modelsResult.message}`,
+					},
+					400,
+				);
+			}
+
+			await setAuth(
+				'copilot',
+				{
+					type: 'oauth',
+					refresh: ghToken,
+					access: ghToken,
+					expires: 0,
+				},
+				undefined,
+				'global',
+			);
+
+			const models = Array.from(modelsResult.models).sort();
+			return c.json({
+				success: true,
+				provider: 'copilot',
+				source: 'gh',
+				modelCount: models.length,
+				hasGpt52Codex: modelsResult.models.has('gpt-5.2-codex'),
+				sampleModels: models.slice(0, 25),
+			});
+		} catch (error) {
+			const message =
+				error instanceof Error
+					? error.message
+					: 'Failed to import GitHub CLI token';
+			logger.error('Failed to import Copilot token from GitHub CLI', error);
+			return c.json({ error: message }, 500);
+		}
+	});
+
+	app.get('/v1/auth/copilot/diagnostics', async (c) => {
+		try {
+			const projectRoot = process.cwd();
+			const entries: Array<{
+				source: 'env' | 'stored';
+				configured: boolean;
+				modelCount?: number;
+				hasGpt52Codex?: boolean;
+				sampleModels?: string[];
+				restrictedByOrgPolicy?: boolean;
+				restrictedOrg?: string;
+				restrictionMessage?: string;
+				error?: string;
+			}> = [];
+
+			const envToken = readEnvKey('copilot');
+			if (envToken) {
+				const modelsResult = await fetchCopilotModels(envToken);
+				if (modelsResult.ok) {
+					const models = Array.from(modelsResult.models).sort();
+					entries.push({
+						source: 'env',
+						configured: true,
+						modelCount: models.length,
+						hasGpt52Codex: modelsResult.models.has('gpt-5.2-codex'),
+						sampleModels: models.slice(0, 25),
+					});
+				} else {
+					entries.push({
+						source: 'env',
+						configured: true,
+						error: modelsResult.message,
+					});
+				}
+			} else {
+				entries.push({ source: 'env', configured: false });
+			}
+
+			const storedAuth = await getAuth('copilot', projectRoot);
+			if (storedAuth?.type === 'oauth') {
+				const modelsResult = await fetchCopilotModels(storedAuth.refresh);
+				const restriction = await detectOAuthOrgRestriction(storedAuth.refresh);
+				if (modelsResult.ok) {
+					const models = Array.from(modelsResult.models).sort();
+					entries.push({
+						source: 'stored',
+						configured: true,
+						modelCount: models.length,
+						hasGpt52Codex: modelsResult.models.has('gpt-5.2-codex'),
+						sampleModels: models.slice(0, 25),
+						restrictedByOrgPolicy: restriction.restricted,
+						restrictedOrg: restriction.org,
+						restrictionMessage: restriction.message,
+					});
+				} else {
+					entries.push({
+						source: 'stored',
+						configured: true,
+						error: modelsResult.message,
+						restrictedByOrgPolicy: restriction.restricted,
+						restrictedOrg: restriction.org,
+						restrictionMessage: restriction.message,
+					});
+				}
+			} else {
+				entries.push({ source: 'stored', configured: false });
+			}
+
+			return c.json({
+				tokenSources: entries,
+				methods: {
+					oauth: true,
+					token: true,
+					ghImport: getGhImportCapability(),
+				},
+			});
+		} catch (error) {
+			const message =
+				error instanceof Error ? error.message : 'Failed to inspect Copilot';
+			logger.error('Failed to build Copilot diagnostics', error);
+			return c.json({ error: message }, 500);
+		}
+	});
+
 	app.post('/v1/auth/onboarding/complete', async (c) => {
 		try {
 			await setOnboardingComplete();

package/src/routes/config/models.ts

@@ -2,11 +2,13 @@ import type { Hono } from 'hono';
 import {
 	loadConfig,
 	catalog,
+	getAuth,
+	logger,
+	readEnvKey,
 	type ProviderId,
 	filterModelsForAuthType,
 } from '@ottocode/sdk';
 import type { EmbeddedAppConfig } from '../../index.ts';
-import { logger } from '@ottocode/sdk';
 import { serializeError } from '../../runtime/errors/api-error.ts';
 import {
 	isProviderAuthorizedHybrid,
@@ -15,6 +17,68 @@ import {
 	getAuthTypeForProvider,
 } from './utils.ts';
 
+const COPILOT_MODELS_URL = 'https://api.githubcopilot.com/models';
+
+function filterCopilotAvailability<T extends { id: string }>(
+	provider: ProviderId,
+	models: T[],
+	copilotAllowedModels: Set<string> | null,
+): T[] {
+	if (provider !== 'copilot') return models;
+	if (!copilotAllowedModels || copilotAllowedModels.size === 0) return models;
+	return models.filter((m) => copilotAllowedModels.has(m.id));
+}
+
+async function getCopilotAuthTokens(projectRoot: string): Promise<string[]> {
+	const tokens: string[] = [];
+
+	const envToken = readEnvKey('copilot');
+	if (envToken) tokens.push(envToken);
+
+	const auth = await getAuth('copilot', projectRoot);
+	if (auth?.type === 'oauth' && auth.refresh) {
+		if (auth.refresh !== envToken) {
+			tokens.push(auth.refresh);
+		}
+	}
+
+	return tokens;
+}
+
+async function getAuthorizedCopilotModels(
+	projectRoot: string,
+): Promise<Set<string> | null> {
+	const tokens = await getCopilotAuthTokens(projectRoot);
+	if (!tokens.length) return null;
+
+	const merged = new Set<string>();
+	let successful = false;
+
+	for (const token of tokens) {
+		try {
+			const response = await fetch(COPILOT_MODELS_URL, {
+				headers: {
+					Authorization: `Bearer ${token}`,
+					'Openai-Intent': 'conversation-edits',
+					'User-Agent': 'ottocode',
+				},
+			});
+			if (!response.ok) continue;
+
+			successful = true;
+			const payload = (await response.json()) as {
+				data?: Array<{ id?: string }>;
+			};
+
+			for (const id of (payload.data ?? []).map((item) => item.id)) {
+				if (id) merged.add(id);
+			}
+		} catch {}
+	}
+
+	return successful ? merged : null;
+}
+
 export function registerModelsRoutes(app: Hono) {
 	app.get('/v1/config/providers/:provider/models', async (c) => {
 		try {
@@ -53,9 +117,19 @@ export function registerModelsRoutes(app: Hono) {
 				providerCatalog.models,
 				authType,
 			);
+			const copilotAllowedModels =
+				provider === 'copilot'
+					? await getAuthorizedCopilotModels(projectRoot)
+					: null;
+
+			const availableModels = filterCopilotAvailability(
+				provider,
+				filteredModels,
+				copilotAllowedModels,
+			);
 
 			return c.json({
-				models: filteredModels.map((m) => ({
+				models: availableModels.map((m) => ({
 					id: m.id,
 					label: m.label || m.id,
 					toolCall: m.toolCall,
@@ -94,6 +168,7 @@ export function registerModelsRoutes(app: Hono) {
 				string,
 				{
 					label: string;
+					authType?: 'api' | 'oauth' | 'wallet';
 					models: Array<{
 						id: string;
 						label: string;

package/src/routes/setu.ts

@@ -369,4 +369,120 @@ export function registerSetuRoutes(app: Hono) {
 			return c.json(errorResponse, errorResponse.error.status || 500);
 		}
 	});
+
+	app.get('/v1/setu/topup/razorpay/estimate', async (c) => {
+		try {
+			const amount = c.req.query('amount');
+			if (!amount) {
+				return c.json({ error: 'Missing amount parameter' }, 400);
+			}
+
+			const baseUrl = getSetuBaseUrl();
+			const response = await fetch(
+				`${baseUrl}/v1/topup/razorpay/estimate?amount=${amount}`,
+				{
+					method: 'GET',
+					headers: { 'Content-Type': 'application/json' },
+				},
+			);
+
+			const data = await response.json();
+			if (!response.ok) {
+				return c.json(data, response.status as 400 | 500);
+			}
+
+			return c.json(data);
+		} catch (error) {
+			logger.error('Failed to get Razorpay estimate', error);
+			const errorResponse = serializeError(error);
+			return c.json(errorResponse, errorResponse.error.status || 500);
+		}
+	});
+
+	app.post('/v1/setu/topup/razorpay', async (c) => {
+		try {
+			const privateKey = await getSetuPrivateKey();
+			if (!privateKey) {
+				return c.json({ error: 'Setu wallet not configured' }, 401);
+			}
+
+			const body = await c.req.json();
+			const { amount } = body as { amount: number };
+
+			if (!amount || typeof amount !== 'number') {
+				return c.json({ error: 'Invalid amount' }, 400);
+			}
+
+			const walletHeaders = buildWalletHeaders(privateKey);
+			const baseUrl = getSetuBaseUrl();
+
+			const response = await fetch(`${baseUrl}/v1/topup/razorpay`, {
+				method: 'POST',
+				headers: {
+					'Content-Type': 'application/json',
+					...walletHeaders,
+				},
+				body: JSON.stringify({ amount }),
+			});
+
+			const data = await response.json();
+			if (!response.ok) {
+				return c.json(data, response.status as 400 | 500);
+			}
+
+			return c.json(data);
+		} catch (error) {
+			logger.error('Failed to create Razorpay order', error);
+			const errorResponse = serializeError(error);
+			return c.json(errorResponse, errorResponse.error.status || 500);
+		}
+	});
+
+	app.post('/v1/setu/topup/razorpay/verify', async (c) => {
+		try {
+			const privateKey = await getSetuPrivateKey();
+			if (!privateKey) {
+				return c.json({ error: 'Setu wallet not configured' }, 401);
+			}
+
+			const body = await c.req.json();
+			const { razorpay_order_id, razorpay_payment_id, razorpay_signature } =
+				body as {
+					razorpay_order_id: string;
+					razorpay_payment_id: string;
+					razorpay_signature: string;
+				};
+
+			if (!razorpay_order_id || !razorpay_payment_id || !razorpay_signature) {
+				return c.json({ error: 'Missing payment details' }, 400);
+			}
+
+			const walletHeaders = buildWalletHeaders(privateKey);
+			const baseUrl = getSetuBaseUrl();
+
+			const response = await fetch(`${baseUrl}/v1/topup/razorpay/verify`, {
+				method: 'POST',
+				headers: {
+					'Content-Type': 'application/json',
+					...walletHeaders,
+				},
+				body: JSON.stringify({
+					razorpay_order_id,
+					razorpay_payment_id,
+					razorpay_signature,
+				}),
+			});
+
+			const data = await response.json();
+			if (!response.ok) {
+				return c.json(data, response.status as 400 | 500);
+			}
+
+			return c.json(data);
+		} catch (error) {
+			logger.error('Failed to verify Razorpay payment', error);
+			const errorResponse = serializeError(error);
+			return c.json(errorResponse, errorResponse.error.status || 500);
+		}
+	});
 }

package/src/runtime/agent/oauth-codex-continuation.ts

@@ -2,11 +2,14 @@ export type OauthCodexContinuationInput = {
 	provider: string;
 	isOpenAIOAuth: boolean;
 	finishObserved: boolean;
+	abortedByUser?: boolean;
 	continuationCount: number;
 	maxContinuations: number;
 	finishReason?: string;
 	rawFinishReason?: string;
 	firstToolSeen: boolean;
+	hasTrailingAssistantText: boolean;
+	endedWithToolActivity?: boolean;
 	droppedPseudoToolText: boolean;
 	lastAssistantText: string;
 };
@@ -40,6 +43,13 @@ function isTruncatedResponse(
 	return rawFinishReason === 'max_output_tokens';
 }
 
+function isMissingAssistantSummary(
+	input: OauthCodexContinuationInput,
+): boolean {
+	if (!input.firstToolSeen) return false;
+	return !input.hasTrailingAssistantText;
+}
+
 const MAX_UNCLEAN_EOF_RETRIES = 1;
 
 function isUncleanEof(input: OauthCodexContinuationInput): boolean {
@@ -60,6 +70,10 @@ export function decideOauthCodexContinuation(
 		return { shouldContinue: false };
 	}
 
+	if (input.abortedByUser) {
+		return { shouldContinue: false, reason: 'aborted-by-user' };
+	}
+
 	if (input.continuationCount >= input.maxContinuations) {
 		return { shouldContinue: false, reason: 'max-continuations-reached' };
 	}
@@ -68,6 +82,14 @@ export function decideOauthCodexContinuation(
 		return { shouldContinue: true, reason: 'truncated' };
 	}
 
+	if (input.endedWithToolActivity) {
+		return { shouldContinue: true, reason: 'ended-on-tool-activity' };
+	}
+
+	if (isMissingAssistantSummary(input)) {
+		return { shouldContinue: true, reason: 'no-trailing-assistant-text' };
+	}
+
 	if (
 		isUncleanEof(input) &&
 		input.continuationCount < MAX_UNCLEAN_EOF_RETRIES

package/src/runtime/agent/runner-setup.ts

@@ -211,6 +211,13 @@ export async function setupRunner(opts: RunOpts): Promise<SetupResult> {
 	const providerOptions = { ...adapted.providerOptions };
 	let effectiveMaxOutputTokens = maxOutputTokens;
 
+	if (opts.provider === 'copilot') {
+		providerOptions.openai = {
+			...((providerOptions.openai as Record<string, unknown>) || {}),
+			store: false,
+		};
+	}
+
 	if (opts.reasoningText) {
 		const underlyingProvider = getUnderlyingProviderKey(
 			opts.provider,

package/src/runtime/agent/runner.ts

@@ -180,7 +180,14 @@ async function runAssistant(opts: RunOpts) {
 	);
 
 	let _finishObserved = false;
+	let _toolActivityObserved = false;
+	let _trailingAssistantTextAfterTool = false;
+	let _abortedByUser = false;
 	const unsubscribeFinish = subscribe(opts.sessionId, (evt) => {
+		if (evt.type === 'tool.call' || evt.type === 'tool.result') {
+			_toolActivityObserved = true;
+			_trailingAssistantTextAfterTool = false;
+		}
 		if (evt.type !== 'tool.result') return;
 		try {
 			const name = (evt.payload as { name?: string } | undefined)?.name;
@@ -239,12 +246,19 @@ async function runAssistant(opts: RunOpts) {
 		runSessionLoop,
 	);
 
-	const onAbort = createAbortHandler(opts, db, getStepIndex, sharedCtx);
+	const baseOnAbort = createAbortHandler(opts, db, getStepIndex, sharedCtx);
+	const onAbort = async (event: Parameters<typeof baseOnAbort>[0]) => {
+		_abortedByUser = true;
+		await baseOnAbort(event);
+	};
 
 	const onFinish = createFinishHandler(opts, db, completeAssistantMessage);
-	const stopWhenCondition = isOpenAIOAuth
-		? stepCountIs(20)
-		: hasToolCall('finish');
+	const isCopilotResponsesApi =
+		opts.provider === 'copilot' && !opts.model.startsWith('gpt-5-mini');
+	const stopWhenCondition =
+		isOpenAIOAuth || isCopilotResponsesApi
+			? stepCountIs(20)
+			: hasToolCall('finish');
 
 	try {
 		const result = streamText({
@@ -287,6 +301,12 @@ async function runAssistant(opts: RunOpts) {
 				if (accumulated.trim()) {
 					latestAssistantText = accumulated;
 				}
+				if (
+					(delta.trim().length > 0 && _toolActivityObserved) ||
+					(delta.trim().length > 0 && firstToolSeen())
+				) {
+					_trailingAssistantTextAfterTool = true;
+				}
 
 				if (!currentPartId && !accumulated.trim()) {
 					continue;
@@ -404,20 +424,25 @@ async function runAssistant(opts: RunOpts) {
 		}
 
 		debugLog(
-			`[RUNNER] Stream finished. finishSeen=${_finishObserved}, firstToolSeen=${fs}, finishReason=${streamFinishReason}, rawFinishReason=${streamRawFinishReason}`,
+			`[RUNNER] Stream finished. finishSeen=${_finishObserved}, firstToolSeen=${fs}, trailingAssistantTextAfterTool=${_trailingAssistantTextAfterTool}, finishReason=${streamFinishReason}, rawFinishReason=${streamRawFinishReason}`,
 		);
 
 		const MAX_CONTINUATIONS = 6;
 		const continuationCount = opts.continuationCount ?? 0;
+		const endedWithToolActivity =
+			_toolActivityObserved && !_trailingAssistantTextAfterTool;
 		const continuationDecision = decideOauthCodexContinuation({
 			provider: opts.provider,
 			isOpenAIOAuth,
 			finishObserved: _finishObserved,
+			abortedByUser: _abortedByUser,
 			continuationCount,
 			maxContinuations: MAX_CONTINUATIONS,
 			finishReason: streamFinishReason,
 			rawFinishReason: streamRawFinishReason,
 			firstToolSeen: fs,
+			hasTrailingAssistantText: _trailingAssistantTextAfterTool,
+			endedWithToolActivity,
 			droppedPseudoToolText: oauthTextGuard?.dropped ?? false,
 			lastAssistantText: latestAssistantText,
 		});

package/src/runtime/provider/copilot.ts

@@ -1,12 +1,123 @@
-import { getAuth, createCopilotModel } from '@ottocode/sdk';
-import type { OttoConfig } from '@ottocode/sdk';
+import { getAuth, createCopilotModel, readEnvKey } from '@ottocode/sdk';
+import type { OttoConfig, OAuth } from '@ottocode/sdk';
 
-export async function resolveCopilotModel(model: string, cfg: OttoConfig) {
-	const auth = await getAuth('copilot', cfg.projectRoot);
+const COPILOT_MODELS_URL = 'https://api.githubcopilot.com/models';
+const COPILOT_MODELS_CACHE_TTL_MS = 5 * 60 * 1000;
+
+type CachedCopilotModels = {
+	expiresAt: number;
+	models: Set<string>;
+};
+
+const copilotModelsCache = new Map<string, CachedCopilotModels>();
+
+type CopilotTokenCandidate = {
+	source: 'env' | 'oauth';
+	token: string;
+	oauth: OAuth;
+};
+
+async function getCopilotTokenCandidates(
+	projectRoot: string,
+): Promise<CopilotTokenCandidate[]> {
+	const candidates: CopilotTokenCandidate[] = [];
+
+	const envToken = readEnvKey('copilot');
+	if (envToken) {
+		candidates.push({
+			source: 'env',
+			token: envToken,
+			oauth: {
+				type: 'oauth',
+				access: envToken,
+				refresh: envToken,
+				expires: 0,
+			},
+		});
+	}
+
+	const auth = await getAuth('copilot', projectRoot);
 	if (auth?.type === 'oauth') {
-		return createCopilotModel(model, { oauth: auth });
+		if (auth.refresh !== envToken) {
+			candidates.push({ source: 'oauth', token: auth.refresh, oauth: auth });
+		}
+	}
+
+	return candidates;
+}
+
+async function getCopilotAvailableModels(
+	token: string,
+): Promise<Set<string> | null> {
+	const cached = copilotModelsCache.get(token);
+	if (cached && cached.expiresAt > Date.now()) {
+		return cached.models;
+	}
+
+	try {
+		const response = await fetch(COPILOT_MODELS_URL, {
+			headers: {
+				Authorization: `Bearer ${token}`,
+				'Openai-Intent': 'conversation-edits',
+				'User-Agent': 'ottocode',
+			},
+		});
+
+		if (!response.ok) return null;
+
+		const payload = (await response.json()) as {
+			data?: Array<{ id?: string }>;
+		};
+		const models = new Set(
+			(payload.data ?? [])
+				.map((item) => item.id)
+				.filter((id): id is string => Boolean(id)),
+		);
+
+		copilotModelsCache.set(token, {
+			expiresAt: Date.now() + COPILOT_MODELS_CACHE_TTL_MS,
+			models,
+		});
+
+		return models;
+	} catch {
+		return null;
+	}
+}
+
+export async function resolveCopilotModel(model: string, cfg: OttoConfig) {
+	const candidates = await getCopilotTokenCandidates(cfg.projectRoot);
+	if (!candidates.length) {
+		throw new Error(
+			'Copilot provider requires OAuth or GITHUB_TOKEN. Run `otto auth login copilot` or set GITHUB_TOKEN.',
+		);
+	}
+
+	let selected: CopilotTokenCandidate | null = null;
+	const unionAvailableModels = new Set<string>();
+
+	for (const candidate of candidates) {
+		const availableModels = await getCopilotAvailableModels(candidate.token);
+		if (!availableModels || availableModels.size === 0) continue;
+
+		for (const availableModel of availableModels) {
+			unionAvailableModels.add(availableModel);
+		}
+
+		if (!selected && availableModels.has(model)) {
+			selected = candidate;
+		}
+	}
+
+	if (selected) {
+		return createCopilotModel(model, { oauth: selected.oauth });
+	}
+
+	if (unionAvailableModels.size > 0) {
+		throw new Error(
+			`Copilot model '${model}' is not available for this account/organization token. Available models: ${Array.from(unionAvailableModels).join(', ')}`,
+		);
 	}
-	throw new Error(
-		'Copilot provider requires OAuth. Run `otto auth login copilot`.',
-	);
+
+	return createCopilotModel(model, { oauth: candidates[0].oauth });
 }

package/src/runtime/provider/oauth-adapter.ts

@@ -69,11 +69,10 @@ export function detectOAuth(
 ): OAuthContext {
 	const isOAuth = auth?.type === 'oauth';
 	const needsSpoof = !!isOAuth && provider === 'anthropic';
-	const isCopilot = provider === 'copilot';
 	return {
-		isOAuth: !!isOAuth || isCopilot,
+		isOAuth: !!isOAuth,
 		needsSpoof,
-		isOpenAIOAuth: (!!isOAuth && provider === 'openai') || isCopilot,
+		isOpenAIOAuth: !!isOAuth && provider === 'openai',
 		spoofPrompt: needsSpoof ? getProviderSpoofPrompt(provider) : undefined,
 	};
 }

package/src/runtime/utils/token.ts

@@ -10,6 +10,9 @@ export function getMaxOutputTokens(
 	provider: ProviderName,
 	modelId: string,
 ): number | undefined {
+	if (provider === 'copilot') {
+		return undefined;
+	}
 	try {
 		const providerCatalog = catalog[provider];
 		if (!providerCatalog) {