@ottocode/server 0.1.225 → 0.1.227

package/src/routes/auth.ts

@@ -1,6 +1,7 @@
 import type { Hono } from 'hono';
 import {
 	getAllAuth,
+	getAuth,
 	setAuth,
 	removeAuth,
 	ensureSetuWallet,
@@ -8,6 +9,7 @@ import {
 	importWallet,
 	loadConfig,
 	catalog,
+	readEnvKey,
 	getOnboardingComplete,
 	setOnboardingComplete,
 	authorize,
@@ -20,6 +22,7 @@ import {
 	pollForCopilotTokenOnce,
 	type ProviderId,
 } from '@ottocode/sdk';
+import { execFileSync, spawnSync } from 'node:child_process';
 import { logger } from '@ottocode/sdk';
 import { serializeError } from '../runtime/errors/api-error.ts';
 
@@ -33,6 +36,172 @@ const copilotDeviceSessions = new Map<
 	{ deviceCode: string; interval: number; provider: string; createdAt: number }
 >();
 
+const COPILOT_MODELS_URL = 'https://api.githubcopilot.com/models';
+const GH_CAPABILITY_CACHE_TTL_MS = 60 * 1000;
+
+let ghCapabilityCache: {
+	expiresAt: number;
+	value: { available: boolean; authenticated: boolean; reason?: string };
+} = {
+	expiresAt: 0,
+	value: {
+		available: false,
+		authenticated: false,
+		reason: 'Not checked yet',
+	},
+};
+
+function getGhImportCapability() {
+	if (ghCapabilityCache.expiresAt > Date.now()) return ghCapabilityCache.value;
+
+	const version = spawnSync('gh', ['--version'], {
+		encoding: 'utf8',
+		stdio: ['ignore', 'pipe', 'pipe'],
+	});
+	if (version.status !== 0) {
+		ghCapabilityCache = {
+			expiresAt: Date.now() + GH_CAPABILITY_CACHE_TTL_MS,
+			value: {
+				available: false,
+				authenticated: false,
+				reason: 'GitHub CLI (gh) is not installed',
+			},
+		};
+		return ghCapabilityCache.value;
+	}
+
+	const authStatus = spawnSync('gh', ['auth', 'status', '-h', 'github.com'], {
+		encoding: 'utf8',
+		stdio: ['ignore', 'pipe', 'pipe'],
+	});
+	if (authStatus.status !== 0) {
+		ghCapabilityCache = {
+			expiresAt: Date.now() + GH_CAPABILITY_CACHE_TTL_MS,
+			value: {
+				available: true,
+				authenticated: false,
+				reason: 'Run `gh auth login` first',
+			},
+		};
+		return ghCapabilityCache.value;
+	}
+
+	ghCapabilityCache = {
+		expiresAt: Date.now() + GH_CAPABILITY_CACHE_TTL_MS,
+		value: {
+			available: true,
+			authenticated: true,
+		},
+	};
+	return ghCapabilityCache.value;
+}
+
+function parseErrorMessageFromBody(text: string): string | undefined {
+	if (!text) return undefined;
+	try {
+		const parsed = JSON.parse(text) as {
+			message?: string;
+			error?: { message?: string };
+		};
+		return parsed.error?.message ?? parsed.message;
+	} catch {
+		return undefined;
+	}
+}
+
+async function fetchCopilotModels(token: string): Promise<
+	| {
+			ok: true;
+			models: Set<string>;
+	  }
+	| {
+			ok: false;
+			status: number;
+			message: string;
+	  }
+> {
+	try {
+		const response = await fetch(COPILOT_MODELS_URL, {
+			headers: {
+				Authorization: `Bearer ${token}`,
+				'Openai-Intent': 'conversation-edits',
+				'User-Agent': 'ottocode',
+			},
+		});
+		const text = await response.text();
+		if (!response.ok) {
+			return {
+				ok: false,
+				status: response.status,
+				message:
+					parseErrorMessageFromBody(text) ||
+					`Copilot models endpoint returned ${response.status}`,
+			};
+		}
+
+		const payload = JSON.parse(text) as {
+			data?: Array<{ id?: string }>;
+		};
+		const models = new Set(
+			(payload.data ?? [])
+				.map((item) => item.id)
+				.filter((id): id is string => Boolean(id)),
+		);
+		return { ok: true, models };
+	} catch (error) {
+		const message =
+			error instanceof Error ? error.message : 'Failed to fetch Copilot models';
+		return { ok: false, status: 0, message };
+	}
+}
+
+async function detectOAuthOrgRestriction(token: string): Promise<{
+	restricted: boolean;
+	org?: string;
+	message?: string;
+}> {
+	try {
+		const orgsResponse = await fetch('https://api.github.com/user/orgs', {
+			headers: {
+				Authorization: `Bearer ${token}`,
+				'User-Agent': 'ottocode',
+				Accept: 'application/vnd.github+json',
+			},
+		});
+		if (!orgsResponse.ok) {
+			return { restricted: false };
+		}
+
+		const orgs = (await orgsResponse.json()) as Array<{ login?: string }>;
+		for (const org of orgs) {
+			if (!org.login) continue;
+			const membershipResponse = await fetch(
+				`https://api.github.com/user/memberships/orgs/${org.login}`,
+				{
+					headers: {
+						Authorization: `Bearer ${token}`,
+						'User-Agent': 'ottocode',
+						Accept: 'application/vnd.github+json',
+					},
+				},
+			);
+			if (membershipResponse.status !== 403) continue;
+
+			const bodyText = await membershipResponse.text();
+			const message = parseErrorMessageFromBody(bodyText) || bodyText;
+			if (message.includes('enabled OAuth App access restrictions')) {
+				return {
+					restricted: true,
+					org: org.login,
+					message,
+				};
+			}
+		}
+	} catch {}
+
+	return { restricted: false };
+}
+
 setInterval(() => {
 	const now = Date.now();
 	for (const [key, value] of oauthVerifiers.entries()) {
@@ -55,6 +224,7 @@ export function registerAuthRoutes(app: Hono) {
 			const cfg = await loadConfig(projectRoot);
 			const onboardingComplete = await getOnboardingComplete(projectRoot);
 			const setuWallet = await getSetuWallet(projectRoot);
+			const ghImportCapability = getGhImportCapability();
 
 			const providers: Record<
 				string,
@@ -63,6 +233,8 @@ export function registerAuthRoutes(app: Hono) {
 					type?: 'api' | 'oauth' | 'wallet';
 					label: string;
 					supportsOAuth: boolean;
+					supportsToken?: boolean;
+					supportsGhImport?: boolean;
 					modelCount: number;
 					costRange?: { min: number; max: number };
 				}
@@ -81,6 +253,9 @@ export function registerAuthRoutes(app: Hono) {
 					label: entry.label || id,
 					supportsOAuth:
 						id === 'anthropic' || id === 'openai' || id === 'copilot',
+					supportsToken: id === 'copilot',
+					supportsGhImport:
+						id === 'copilot' ? ghImportCapability.available : false,
 					modelCount: models.length,
 					costRange:
 						costs.length > 0
@@ -213,15 +388,15 @@ export function registerAuthRoutes(app: Hono) {
 	app.post('/v1/auth/:provider/oauth/url', async (c) => {
 		try {
 			const provider = c.req.param('provider');
-			const { mode = 'max' } = await c.req
-				.json<{ mode?: string }>()
-				.catch(() => ({}));
+			const body = await c.req.json<{ mode?: string }>().catch(() => undefined);
+			const mode: 'max' | 'console' =
+				body?.mode === 'console' ? 'console' : 'max';
 
 			let url: string;
 			let verifier: string;
 
 			if (provider === 'anthropic') {
-				const result = await authorize(mode as 'max' | 'console');
+				const result = await authorize(mode);
 				url = result.url;
 				verifier = result.verifier;
 			} else if (provider === 'openai') {
@@ -585,6 +760,215 @@ export function registerAuthRoutes(app: Hono) {
 		}
 	});
 
+	app.get('/v1/auth/copilot/methods', async (c) => {
+		const ghImport = getGhImportCapability();
+		return c.json({
+			oauth: true,
+			token: true,
+			ghImport,
+		});
+	});
+
+	app.post('/v1/auth/copilot/token', async (c) => {
+		try {
+			const { token } = await c.req.json<{ token: string }>();
+			const sanitized = token?.trim();
+			if (!sanitized) {
+				return c.json({ error: 'Copilot token is required' }, 400);
+			}
+
+			const modelsResult = await fetchCopilotModels(sanitized);
+			if (!modelsResult.ok) {
+				return c.json(
+					{
+						error: `Invalid Copilot token: ${modelsResult.message}`,
+					},
+					400,
+				);
+			}
+
+			await setAuth(
+				'copilot',
+				{
+					type: 'oauth',
+					refresh: sanitized,
+					access: sanitized,
+					expires: 0,
+				},
+				undefined,
+				'global',
+			);
+
+			const models = Array.from(modelsResult.models).sort();
+			return c.json({
+				success: true,
+				provider: 'copilot',
+				source: 'token',
+				modelCount: models.length,
+				hasGpt52Codex: modelsResult.models.has('gpt-5.2-codex'),
+				sampleModels: models.slice(0, 25),
+			});
+		} catch (error) {
+			const message =
+				error instanceof Error ? error.message : 'Failed to save Copilot token';
+			logger.error('Failed to save Copilot token', error);
+			return c.json({ error: message }, 500);
+		}
+	});
+
+	app.post('/v1/auth/copilot/gh/import', async (c) => {
+		try {
+			const ghImport = getGhImportCapability();
+			if (!ghImport.available) {
+				return c.json(
+					{
+						error: ghImport.reason || 'GitHub CLI is not available',
+					},
+					400,
+				);
+			}
+			if (!ghImport.authenticated) {
+				return c.json(
+					{
+						error: ghImport.reason || 'GitHub CLI is not authenticated',
+					},
+					400,
+				);
+			}
+
+			const ghToken = execFileSync('gh', ['auth', 'token'], {
+				encoding: 'utf8',
+				stdio: ['ignore', 'pipe', 'pipe'],
+			}).trim();
+			if (!ghToken) {
+				return c.json({ error: 'GitHub CLI returned an empty token' }, 400);
+			}
+
+			const modelsResult = await fetchCopilotModels(ghToken);
+			if (!modelsResult.ok) {
+				return c.json(
+					{
+						error: `Imported gh token is not valid for Copilot: ${modelsResult.message}`,
+					},
+					400,
+				);
+			}
+
+			await setAuth(
+				'copilot',
+				{
+					type: 'oauth',
+					refresh: ghToken,
+					access: ghToken,
+					expires: 0,
+				},
+				undefined,
+				'global',
+			);
+
+			const models = Array.from(modelsResult.models).sort();
+			return c.json({
+				success: true,
+				provider: 'copilot',
+				source: 'gh',
+				modelCount: models.length,
+				hasGpt52Codex: modelsResult.models.has('gpt-5.2-codex'),
+				sampleModels: models.slice(0, 25),
+			});
+		} catch (error) {
+			const message =
+				error instanceof Error
+					? error.message
+					: 'Failed to import GitHub CLI token';
+			logger.error('Failed to import Copilot token from GitHub CLI', error);
+			return c.json({ error: message }, 500);
+		}
+	});
+
+	app.get('/v1/auth/copilot/diagnostics', async (c) => {
+		try {
+			const projectRoot = process.cwd();
+			const entries: Array<{
+				source: 'env' | 'stored';
+				configured: boolean;
+				modelCount?: number;
+				hasGpt52Codex?: boolean;
+				sampleModels?: string[];
+				restrictedByOrgPolicy?: boolean;
+				restrictedOrg?: string;
+				restrictionMessage?: string;
+				error?: string;
+			}> = [];
+
+			const envToken = readEnvKey('copilot');
+			if (envToken) {
+				const modelsResult = await fetchCopilotModels(envToken);
+				if (modelsResult.ok) {
+					const models = Array.from(modelsResult.models).sort();
+					entries.push({
+						source: 'env',
+						configured: true,
+						modelCount: models.length,
+						hasGpt52Codex: modelsResult.models.has('gpt-5.2-codex'),
+						sampleModels: models.slice(0, 25),
+					});
+				} else {
+					entries.push({
+						source: 'env',
+						configured: true,
+						error: modelsResult.message,
+					});
+				}
+			} else {
+				entries.push({ source: 'env', configured: false });
+			}
+
+			const storedAuth = await getAuth('copilot', projectRoot);
+			if (storedAuth?.type === 'oauth') {
+				const modelsResult = await fetchCopilotModels(storedAuth.refresh);
+				const restriction = await detectOAuthOrgRestriction(storedAuth.refresh);
+				if (modelsResult.ok) {
+					const models = Array.from(modelsResult.models).sort();
+					entries.push({
+						source: 'stored',
+						configured: true,
+						modelCount: models.length,
+						hasGpt52Codex: modelsResult.models.has('gpt-5.2-codex'),
+						sampleModels: models.slice(0, 25),
+						restrictedByOrgPolicy: restriction.restricted,
+						restrictedOrg: restriction.org,
+						restrictionMessage: restriction.message,
+					});
+				} else {
+					entries.push({
+						source: 'stored',
+						configured: true,
+						error: modelsResult.message,
+						restrictedByOrgPolicy: restriction.restricted,
+						restrictedOrg: restriction.org,
+						restrictionMessage: restriction.message,
+					});
+				}
+			} else {
+				entries.push({ source: 'stored', configured: false });
+			}
+
+			return c.json({
+				tokenSources: entries,
+				methods: {
+					oauth: true,
+					token: true,
+					ghImport: getGhImportCapability(),
+				},
+			});
+		} catch (error) {
+			const message =
+				error instanceof Error ? error.message : 'Failed to inspect Copilot';
+			logger.error('Failed to build Copilot diagnostics', error);
+			return c.json({ error: message }, 500);
+		}
+	});
+
 	app.post('/v1/auth/onboarding/complete', async (c) => {
 		try {
 			await setOnboardingComplete();

package/src/routes/config/agents.ts

@@ -8,9 +8,11 @@ import { discoverAllAgents, getDefault } from './utils.ts';
 export function registerAgentsRoute(app: Hono) {
 	app.get('/v1/config/agents', async (c) => {
 		try {
-			const embeddedConfig = c.get('embeddedConfig') as
-				| EmbeddedAppConfig
-				| undefined;
+			const embeddedConfig = (
+				c as unknown as {
+					get: (key: 'embeddedConfig') => EmbeddedAppConfig | undefined;
+				}
+			).get('embeddedConfig');
 
 			if (embeddedConfig) {
 				const agents = embeddedConfig.agents

package/src/routes/config/defaults.ts

@@ -1,5 +1,5 @@
 import type { Hono } from 'hono';
-import { setConfig, loadConfig } from '@ottocode/sdk';
+import { setConfig, loadConfig, type ProviderId } from '@ottocode/sdk';
 import { logger } from '@ottocode/sdk';
 import { serializeError } from '../../runtime/errors/api-error.ts';
 
@@ -21,7 +21,7 @@ export function registerDefaultsRoute(app: Hono) {
 			const scope = body.scope || 'global';
 			const updates: Partial<{
 				agent: string;
-				provider: string;
+				provider: ProviderId;
 				model: string;
 				toolApproval: 'auto' | 'dangerous' | 'all';
 				guidedMode: boolean;
@@ -30,7 +30,7 @@ export function registerDefaultsRoute(app: Hono) {
 			}> = {};
 
 			if (body.agent) updates.agent = body.agent;
-			if (body.provider) updates.provider = body.provider;
+			if (body.provider) updates.provider = body.provider as ProviderId;
 			if (body.model) updates.model = body.model;
 			if (body.toolApproval) updates.toolApproval = body.toolApproval;
 			if (body.guidedMode !== undefined) updates.guidedMode = body.guidedMode;

package/src/routes/config/main.ts

@@ -13,9 +13,11 @@ export function registerMainConfigRoute(app: Hono) {
 	app.get('/v1/config', async (c) => {
 		try {
 			const projectRoot = c.req.query('project') || process.cwd();
-			const embeddedConfig = c.get('embeddedConfig') as
-				| EmbeddedAppConfig
-				| undefined;
+			const embeddedConfig = (
+				c as unknown as {
+					get: (key: 'embeddedConfig') => EmbeddedAppConfig | undefined;
+				}
+			).get('embeddedConfig');
 
 			const cfg = await loadConfig(projectRoot);
 

package/src/routes/config/models.ts

@@ -2,11 +2,13 @@ import type { Hono } from 'hono';
 import {
 	loadConfig,
 	catalog,
+	getAuth,
+	logger,
+	readEnvKey,
 	type ProviderId,
 	filterModelsForAuthType,
 } from '@ottocode/sdk';
 import type { EmbeddedAppConfig } from '../../index.ts';
-import { logger } from '@ottocode/sdk';
 import { serializeError } from '../../runtime/errors/api-error.ts';
 import {
 	isProviderAuthorizedHybrid,
@@ -15,12 +17,76 @@ import {
 	getAuthTypeForProvider,
 } from './utils.ts';
 
+const COPILOT_MODELS_URL = 'https://api.githubcopilot.com/models';
+
+function filterCopilotAvailability<T extends { id: string }>(
+	provider: ProviderId,
+	models: T[],
+	copilotAllowedModels: Set<string> | null,
+): T[] {
+	if (provider !== 'copilot') return models;
+	if (!copilotAllowedModels || copilotAllowedModels.size === 0) return models;
+	return models.filter((m) => copilotAllowedModels.has(m.id));
+}
+
+async function getCopilotAuthTokens(projectRoot: string): Promise<string[]> {
+	const tokens: string[] = [];
+
+	const envToken = readEnvKey('copilot');
+	if (envToken) tokens.push(envToken);
+
+	const auth = await getAuth('copilot', projectRoot);
+	if (auth?.type === 'oauth' && auth.refresh) {
+		if (auth.refresh !== envToken) {
+			tokens.push(auth.refresh);
+		}
+	}
+
+	return tokens;
+}
+
+async function getAuthorizedCopilotModels(
+	projectRoot: string,
+): Promise<Set<string> | null> {
+	const tokens = await getCopilotAuthTokens(projectRoot);
+	if (!tokens.length) return null;
+
+	const merged = new Set<string>();
+	let successful = false;
+
+	for (const token of tokens) {
+		try {
+			const response = await fetch(COPILOT_MODELS_URL, {
+				headers: {
+					Authorization: `Bearer ${token}`,
+					'Openai-Intent': 'conversation-edits',
+					'User-Agent': 'ottocode',
+				},
+			});
+			if (!response.ok) continue;
+
+			successful = true;
+			const payload = (await response.json()) as {
+				data?: Array<{ id?: string }>;
+			};
+
+			for (const id of (payload.data ?? []).map((item) => item.id)) {
+				if (id) merged.add(id);
+			}
+		} catch {}
+	}
+
+	return successful ? merged : null;
+}
+
 export function registerModelsRoutes(app: Hono) {
 	app.get('/v1/config/providers/:provider/models', async (c) => {
 		try {
-			const embeddedConfig = c.get('embeddedConfig') as
-				| EmbeddedAppConfig
-				| undefined;
+			const embeddedConfig = (
+				c as unknown as {
+					get: (key: 'embeddedConfig') => EmbeddedAppConfig | undefined;
+				}
+			).get('embeddedConfig');
 			const provider = c.req.param('provider') as ProviderId;
 
 			const projectRoot = c.req.query('project') || process.cwd();
@@ -53,9 +119,19 @@ export function registerModelsRoutes(app: Hono) {
 				providerCatalog.models,
 				authType,
 			);
+			const copilotAllowedModels =
+				provider === 'copilot'
+					? await getAuthorizedCopilotModels(projectRoot)
+					: null;
+
+			const availableModels = filterCopilotAvailability(
+				provider,
+				filteredModels,
+				copilotAllowedModels,
+			);
 
 			return c.json({
-				models: filteredModels.map((m) => ({
+				models: availableModels.map((m) => ({
 					id: m.id,
 					label: m.label || m.id,
 					toolCall: m.toolCall,
@@ -78,9 +154,11 @@ export function registerModelsRoutes(app: Hono) {
 
 	app.get('/v1/config/models', async (c) => {
 		try {
-			const embeddedConfig = c.get('embeddedConfig') as
-				| EmbeddedAppConfig
-				| undefined;
+			const embeddedConfig = (
+				c as unknown as {
+					get: (key: 'embeddedConfig') => EmbeddedAppConfig | undefined;
+				}
+			).get('embeddedConfig');
 
 			const projectRoot = c.req.query('project') || process.cwd();
 			const cfg = await loadConfig(projectRoot);
@@ -94,6 +172,7 @@ export function registerModelsRoutes(app: Hono) {
 				string,
 				{
 					label: string;
+					authType?: 'api' | 'oauth' | 'wallet';
 					models: Array<{
 						id: string;
 						label: string;

package/src/routes/config/providers.ts

@@ -9,14 +9,18 @@ import { getAuthorizedProviders, getDefault } from './utils.ts';
 export function registerProvidersRoute(app: Hono) {
 	app.get('/v1/config/providers', async (c) => {
 		try {
-			const embeddedConfig = c.get('embeddedConfig') as
-				| EmbeddedAppConfig
-				| undefined;
+			const embeddedConfig = (
+				c as unknown as {
+					get: (key: 'embeddedConfig') => EmbeddedAppConfig | undefined;
+				}
+			).get('embeddedConfig');
 
 			if (embeddedConfig) {
 				const providers = embeddedConfig.auth
 					? (Object.keys(embeddedConfig.auth) as ProviderId[])
-					: [embeddedConfig.provider];
+					: embeddedConfig.provider
+						? [embeddedConfig.provider]
+						: [];
 
 				return c.json({
 					providers,