@slkiser/opencode-quota 2.4.1 → 2.5.0

package/dist/lib/copilot.js

@@ -1,119 +1,172 @@
 /**
- * GitHub Copilot quota fetcher
+ * GitHub Copilot premium request usage fetcher.
  *
- * Strategy (new Copilot API reality):
- *
- * 1) Preferred: GitHub public billing API using a fine-grained PAT
- *    configured in ~/.config/opencode/copilot-quota-token.json.
- * 2) Best-effort: internal endpoint using OpenCode's stored OAuth token
- *    (legacy formats or via token exchange).
+ * The plugin only uses documented GitHub billing APIs:
+ * - /users/{username}/settings/billing/premium_request/usage
+ * - /organizations/{org}/settings/billing/premium_request/usage
+ * - /enterprises/{enterprise}/settings/billing/premium_request/usage
  */
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
 import { fetchWithTimeout } from "./http.js";
 import { readAuthFile } from "./opencode-auth.js";
 import { getOpencodeRuntimeDirCandidates } from "./opencode-runtime-paths.js";
-import { existsSync, readFileSync } from "fs";
-import { join } from "path";
-// =============================================================================
-// Constants
-// =============================================================================
 const GITHUB_API_BASE_URL = "https://api.github.com";
-const COPILOT_INTERNAL_USER_URL = `${GITHUB_API_BASE_URL}/copilot_internal/user`;
-const COPILOT_TOKEN_EXCHANGE_URL = `${GITHUB_API_BASE_URL}/copilot_internal/v2/token`;
-// Keep these aligned with current Copilot/VSC versions to avoid API heuristics.
-const COPILOT_VERSION = "0.35.0";
-const EDITOR_VERSION = "vscode/1.107.0";
-const EDITOR_PLUGIN_VERSION = `copilot-chat/${COPILOT_VERSION}`;
-const USER_AGENT = `GitHubCopilotChat/${COPILOT_VERSION}`;
+const GITHUB_API_VERSION = "2022-11-28";
 const COPILOT_QUOTA_CONFIG_FILENAME = "copilot-quota-token.json";
-// =============================================================================
-// Helpers
-// =============================================================================
-/**
- * Build headers for GitHub API requests
- */
-const COPILOT_HEADERS = {
-    "User-Agent": USER_AGENT,
-    "Editor-Version": EDITOR_VERSION,
-    "Editor-Plugin-Version": EDITOR_PLUGIN_VERSION,
-    "Copilot-Integration-Id": "vscode-chat",
+const USER_AGENT = "opencode-quota/copilot-billing";
+const COPILOT_PLAN_LIMITS = {
+    free: 50,
+    pro: 300,
+    "pro+": 1500,
+    business: 300,
+    enterprise: 1000,
 };
-function buildBearerHeaders(token) {
-    return {
-        Accept: "application/json",
-        Authorization: `Bearer ${token}`,
-        ...COPILOT_HEADERS,
-    };
-}
-function buildLegacyTokenHeaders(token) {
-    return {
-        Accept: "application/json",
-        Authorization: `token ${token}`,
-        ...COPILOT_HEADERS,
-    };
-}
-function classifyPatTokenKind(token) {
-    const trimmed = token.trim();
-    if (trimmed.startsWith("github_pat_"))
-        return "github_pat";
-    if (trimmed.startsWith("ghp_"))
-        return "ghp";
-    return "other";
-}
-function dedupePaths(paths) {
+function dedupeStrings(values) {
     const out = [];
     const seen = new Set();
-    for (const path of paths) {
-        if (!path)
+    for (const value of values) {
+        const trimmed = value?.trim();
+        if (!trimmed || seen.has(trimmed))
             continue;
-        if (seen.has(path))
-            continue;
-        seen.add(path);
-        out.push(path);
+        seen.add(trimmed);
+        out.push(trimmed);
     }
     return out;
 }
-export function getCopilotPatConfigCandidatePaths() {
-    const candidates = getOpencodeRuntimeDirCandidates();
-    return dedupePaths(candidates.configDirs.map((configDir) => join(configDir, COPILOT_QUOTA_CONFIG_FILENAME)));
+function classifyPatTokenKind(token) {
+    if (token.startsWith("github_pat_"))
+        return "github_pat";
+    if (token.startsWith("ghp_"))
+        return "ghp";
+    if (token.startsWith("ghu_"))
+        return "ghu";
+    if (token.startsWith("ghs_"))
+        return "ghs";
+    return "other";
 }
-function buildGitHubRestHeaders(token, scheme) {
+function getCurrentBillingPeriod(now = new Date()) {
     return {
-        Accept: "application/vnd.github+json",
-        Authorization: scheme === "bearer" ? `Bearer ${token}` : `token ${token}`,
-        "X-GitHub-Api-Version": "2022-11-28",
-        "User-Agent": USER_AGENT,
+        year: now.getFullYear(),
+        month: now.getMonth() + 1,
     };
 }
-function preferredSchemesForToken(token) {
-    const t = token.trim();
-    // Fine-grained PATs usually prefer Bearer.
-    if (t.startsWith("github_pat_")) {
-        return ["bearer", "token"];
+function buildBillingPeriodQueryParams(period, options) {
+    const searchParams = new URLSearchParams();
+    searchParams.set("year", String(period.year));
+    searchParams.set("month", String(period.month));
+    if (options?.includeDay && typeof period.day === "number") {
+        searchParams.set("day", String(period.day));
     }
-    // Classic PATs historically prefer legacy `token`.
-    if (t.startsWith("ghp_")) {
-        return ["token", "bearer"];
+    if (options?.organization) {
+        searchParams.set("organization", options.organization);
     }
-    return ["bearer", "token"];
+    if (options?.username) {
+        searchParams.set("user", options.username);
+    }
+    return searchParams;
 }
-async function readGitHubRestErrorMessage(response) {
-    const text = await response.text();
-    try {
-        const parsed = JSON.parse(text);
-        if (parsed && typeof parsed === "object") {
-            const obj = parsed;
-            const msg = typeof obj.message === "string" ? obj.message : null;
-            const doc = typeof obj.documentation_url === "string" ? obj.documentation_url : null;
-            if (msg && doc)
-                return `${msg} (${doc})`;
-            if (msg)
-                return msg;
+function getBillingModeForTarget(target) {
+    if (!target)
+        return "none";
+    if (target.scope === "organization")
+        return "organization_usage";
+    if (target.scope === "enterprise")
+        return "enterprise_usage";
+    return "user_quota";
+}
+function getBillingScopeForTarget(target) {
+    return target?.scope ?? "none";
+}
+function getRemainingTotalsStateForTarget(target) {
+    if (!target)
+        return "unavailable";
+    if (target.scope === "organization")
+        return "not_available_from_org_usage";
+    if (target.scope === "enterprise")
+        return "not_available_from_enterprise_usage";
+    return "available";
+}
+function resolvePatBillingTarget(config) {
+    const billingPeriod = getCurrentBillingPeriod();
+    if (config.tier === "business") {
+        if (config.enterprise) {
+            return {
+                target: null,
+                error: 'Copilot business usage is organization-scoped. Remove "enterprise" and keep "organization" in copilot-quota-token.json.',
+            };
         }
+        if (!config.organization) {
+            return {
+                target: null,
+                error: 'Copilot business usage requires an organization-scoped billing report. Add "organization": "your-org-slug" to copilot-quota-token.json.',
+            };
+        }
+        return {
+            target: {
+                scope: "organization",
+                organization: config.organization,
+                username: config.username,
+                billingPeriod,
+            },
+        };
     }
-    catch {
-        // ignore
+    if (config.tier === "enterprise") {
+        if (config.enterprise) {
+            return {
+                target: {
+                    scope: "enterprise",
+                    enterprise: config.enterprise,
+                    organization: config.organization,
+                    username: config.username,
+                    billingPeriod,
+                },
+            };
+        }
+        if (config.organization) {
+            return {
+                target: {
+                    scope: "organization",
+                    organization: config.organization,
+                    username: config.username,
+                    billingPeriod,
+                },
+            };
+        }
+        return {
+            target: null,
+            error: 'Copilot enterprise usage requires an enterprise- or organization-scoped billing report. Add "enterprise": "your-enterprise-slug" or "organization": "your-org-slug" to copilot-quota-token.json.',
+        };
     }
-    return text.slice(0, 160);
+    if (config.organization || config.enterprise) {
+        return {
+            target: null,
+            error: `Copilot ${config.tier} usage is user-scoped. Remove "organization"/"enterprise" from copilot-quota-token.json or switch to a managed tier.`,
+        };
+    }
+    return {
+        target: {
+            scope: "user",
+            username: config.username,
+        },
+    };
+}
+function validatePatTargetCompatibility(target, tokenKind) {
+    if (target.scope !== "enterprise" || !tokenKind) {
+        return null;
+    }
+    if (tokenKind === "github_pat") {
+        return ("GitHub's enterprise premium usage endpoint does not support fine-grained personal access tokens. " +
+            "Use a classic PAT or another supported non-fine-grained token for enterprise billing.");
+    }
+    if (tokenKind === "ghu" || tokenKind === "ghs") {
+        return ("GitHub's enterprise premium usage endpoint does not support GitHub App user or installation access tokens.");
+    }
+    return null;
+}
+export function getCopilotPatConfigCandidatePaths() {
+    const { configDirs } = getOpencodeRuntimeDirCandidates();
+    return dedupeStrings(configDirs.map((configDir) => join(configDir, COPILOT_QUOTA_CONFIG_FILENAME)));
 }
 function validateQuotaConfig(raw) {
     if (!raw || typeof raw !== "object") {
@@ -121,34 +174,48 @@ function validateQuotaConfig(raw) {
     }
     const obj = raw;
     const token = typeof obj.token === "string" ? obj.token.trim() : "";
-    const tierRaw = typeof obj.tier === "string" ? obj.tier.trim() : "";
-    const usernameRaw = obj.username;
+    const tier = typeof obj.tier === "string" ? obj.tier.trim() : "";
     if (!token) {
         return { config: null, error: "Missing required string field: token" };
     }
     const validTiers = ["free", "pro", "pro+", "business", "enterprise"];
-    if (!validTiers.includes(tierRaw)) {
+    if (!validTiers.includes(tier)) {
         return {
             config: null,
             error: "Invalid tier; expected one of: free, pro, pro+, business, enterprise",
         };
     }
+    const usernameRaw = obj.username;
     let username;
     if (usernameRaw != null) {
-        if (typeof usernameRaw !== "string") {
+        if (typeof usernameRaw !== "string" || !usernameRaw.trim()) {
             return { config: null, error: "username must be a non-empty string when provided" };
         }
-        const trimmed = usernameRaw.trim();
-        if (!trimmed) {
-            return { config: null, error: "username must be a non-empty string when provided" };
+        username = usernameRaw.trim();
+    }
+    const organizationRaw = obj.organization;
+    let organization;
+    if (organizationRaw != null) {
+        if (typeof organizationRaw !== "string" || !organizationRaw.trim()) {
+            return { config: null, error: "organization must be a non-empty string when provided" };
+        }
+        organization = organizationRaw.trim();
+    }
+    const enterpriseRaw = obj.enterprise;
+    let enterprise;
+    if (enterpriseRaw != null) {
+        if (typeof enterpriseRaw !== "string" || !enterpriseRaw.trim()) {
+            return { config: null, error: "enterprise must be a non-empty string when provided" };
         }
-        username = trimmed;
+        enterprise = enterpriseRaw.trim();
     }
     return {
         config: {
             token,
-            tier: tierRaw,
+            tier: tier,
             username,
+            organization,
+            enterprise,
         },
     };
 }
@@ -177,46 +244,17 @@ export function readQuotaConfigWithMeta() {
                 tokenKind: classifyPatTokenKind(validated.config.token),
             };
         }
-        catch (err) {
-            const msg = err instanceof Error ? err.message : String(err);
+        catch (error) {
             return {
                 state: "invalid",
                 checkedPaths,
                 selectedPath: path,
-                error: msg,
+                error: error instanceof Error ? error.message : String(error),
             };
         }
     }
-    return {
-        state: "absent",
-        checkedPaths,
-    };
-}
-async function fetchGitHubRestJsonOnce(url, token, scheme) {
-    const response = await fetchWithTimeout(url, {
-        headers: buildGitHubRestHeaders(token, scheme),
-    });
-    if (response.ok) {
-        return { ok: true, status: response.status, data: (await response.json()) };
-    }
-    return {
-        ok: false,
-        status: response.status,
-        message: await readGitHubRestErrorMessage(response),
-    };
-}
-/**
- * Read Copilot auth data from auth.json
- *
- * Tries multiple key names to handle different OpenCode versions/configs.
- */
-async function readCopilotAuth() {
-    const authData = await readAuthFile();
-    return selectCopilotAuth(authData).auth;
+    return { state: "absent", checkedPaths };
 }
-/**
- * Select Copilot OAuth auth entry from auth.json-shaped data.
- */
 function selectCopilotAuth(authData) {
     if (!authData) {
         return { auth: null, keyName: null };
@@ -225,286 +263,370 @@ function selectCopilotAuth(authData) {
         ["github-copilot", authData["github-copilot"]],
         ["copilot", authData.copilot],
         ["copilot-chat", authData["copilot-chat"]],
+        ["github-copilot-chat", authData["github-copilot-chat"]],
     ];
-    for (const [keyName, candidate] of candidates) {
-        if (!candidate)
-            continue;
-        if (candidate.type !== "oauth")
+    for (const [keyName, auth] of candidates) {
+        if (!auth || auth.type !== "oauth")
             continue;
-        if (!candidate.refresh)
+        if (!auth.access && !auth.refresh)
             continue;
-        return { auth: candidate, keyName };
+        return { auth, keyName };
     }
     return { auth: null, keyName: null };
 }
 export function getCopilotQuotaAuthDiagnostics(authData) {
     const pat = readQuotaConfigWithMeta();
     const { auth, keyName } = selectCopilotAuth(authData);
-    const oauthConfigured = Boolean(auth);
+    const resolvedPatTarget = pat.state === "valid" && pat.config ? resolvePatBillingTarget(pat.config) : { target: null };
+    const tokenCompatibilityError = pat.state === "valid" && resolvedPatTarget.target
+        ? validatePatTargetCompatibility(resolvedPatTarget.target, pat.tokenKind)
+        : null;
+    const patBlocksOAuth = pat.state !== "absent";
     let effectiveSource = "none";
-    if (pat.state === "valid") {
+    if (patBlocksOAuth)
         effectiveSource = "pat";
-    }
-    else if (oauthConfigured) {
+    else if (auth)
         effectiveSource = "oauth";
-    }
+    const billingTarget = pat.state === "valid" ? resolvedPatTarget.target : !patBlocksOAuth && auth ? { scope: "user" } : null;
+    const billingMode = getBillingModeForTarget(billingTarget);
     return {
         pat,
         oauth: {
-            configured: oauthConfigured,
+            configured: Boolean(auth),
             keyName,
             hasRefreshToken: Boolean(auth?.refresh),
             hasAccessToken: Boolean(auth?.access),
         },
         effectiveSource,
-        override: pat.state === "valid" && oauthConfigured ? "pat_overrides_oauth" : "none",
+        override: patBlocksOAuth && auth ? "pat_overrides_oauth" : "none",
+        billingMode,
+        billingScope: getBillingScopeForTarget(billingTarget),
+        billingApiAccessLikely: effectiveSource === "pat"
+            ? Boolean(billingTarget) &&
+                !resolvedPatTarget.error &&
+                !tokenCompatibilityError
+            : effectiveSource === "oauth",
+        remainingTotalsState: getRemainingTotalsStateForTarget(billingTarget),
+        queryPeriod: billingTarget && billingTarget.scope !== "user"
+            ? billingTarget.billingPeriod
+            : undefined,
+        usernameFilter: pat.state === "valid" ? pat.config?.username : undefined,
+        billingTargetError: pat.state === "valid" ? resolvedPatTarget.error : undefined,
+        tokenCompatibilityError: tokenCompatibilityError ?? undefined,
     };
 }
-function computePercentRemainingFromUsed(params) {
-    const { used, total } = params;
-    if (!Number.isFinite(total) || total <= 0)
-        return 0;
-    if (!Number.isFinite(used) || used <= 0)
-        return 100;
-    const usedPct = Math.max(0, Math.min(100, Math.ceil((used / total) * 100)));
-    return 100 - usedPct;
+function buildGitHubRestHeaders(token, scheme) {
+    return {
+        Accept: "application/vnd.github+json",
+        Authorization: scheme === "bearer" ? `Bearer ${token}` : `token ${token}`,
+        "X-GitHub-Api-Version": GITHUB_API_VERSION,
+        "User-Agent": USER_AGENT,
+    };
 }
-const COPILOT_PLAN_LIMITS = {
-    free: 50,
-    pro: 300,
-    "pro+": 1500,
-    business: 300,
-    enterprise: 1000,
-};
-function getApproxNextResetIso(nowMs = Date.now()) {
-    const now = new Date(nowMs);
-    const year = now.getUTCFullYear();
-    const month = now.getUTCMonth();
-    return new Date(Date.UTC(year, month + 1, 1, 0, 0, 0, 0)).toISOString();
-}
-async function fetchPublicBillingUsage(config) {
-    const token = config.token;
-    const schemes = preferredSchemesForToken(token);
-    // Prefer authenticated-user endpoint; fall back to /users/{username} for older behavior.
-    const urls = [`${GITHUB_API_BASE_URL}/user/settings/billing/premium_request/usage`];
-    if (config.username) {
-        urls.push(`${GITHUB_API_BASE_URL}/users/${config.username}/settings/billing/premium_request/usage`);
-    }
-    for (const url of urls) {
-        let lastUnauthorized = null;
-        for (const scheme of schemes) {
-            const res = await fetchGitHubRestJsonOnce(url, token, scheme);
-            if (res.ok) {
-                return res.data;
-            }
-            if (res.status === 401) {
-                lastUnauthorized = { status: res.status, message: res.message };
-                continue; // retry with alternate scheme
-            }
-            // If /user/... isn't supported for some reason, fall back to /users/... when available.
-            if (res.status === 404 && url.includes("/user/")) {
-                break;
-            }
-            throw new Error(`GitHub API error ${res.status}: ${res.message}`);
+function preferredSchemesForToken(token) {
+    if (token.startsWith("ghp_")) {
+        return ["token", "bearer"];
+    }
+    return ["bearer", "token"];
+}
+async function readGitHubRestErrorMessage(response) {
+    const text = await response.text();
+    try {
+        const parsed = JSON.parse(text);
+        const message = typeof parsed.message === "string" ? parsed.message : null;
+        const documentationUrl = typeof parsed.documentation_url === "string" ? parsed.documentation_url : null;
+        if (message && documentationUrl) {
+            return `${message} (${documentationUrl})`;
         }
-        if (lastUnauthorized) {
-            throw new Error(`GitHub API error ${lastUnauthorized.status}: ${lastUnauthorized.message} (token rejected; verify PAT and permissions)`);
+        if (message) {
+            return message;
         }
     }
-    throw new Error("GitHub API error 404: Not Found");
+    catch {
+        // ignore parse failures
+    }
+    return text.slice(0, 160);
 }
-function toQuotaResultFromBilling(data, tier) {
-    const items = Array.isArray(data.usageItems) ? data.usageItems : [];
-    const premiumItems = items.filter((item) => item &&
-        typeof item === "object" &&
-        typeof item.sku === "string" &&
-        (item.sku === "Copilot Premium Request" || item.sku.includes("Premium")));
-    const used = premiumItems.reduce((sum, item) => sum + (item.grossQuantity || 0), 0);
-    const limits = premiumItems
-        .map((item) => item.limit)
-        .filter((n) => typeof n === "number" && n > 0);
-    // Prefer API-provided limits when available (more future-proof than hardcoding).
-    const total = limits.length ? Math.max(...limits) : COPILOT_PLAN_LIMITS[tier];
-    if (!total || total <= 0) {
-        throw new Error(`Unsupported Copilot tier: ${tier}`);
+async function fetchGitHubRestJsonOnce(url, token, scheme) {
+    const response = await fetchWithTimeout(url, {
+        headers: buildGitHubRestHeaders(token, scheme),
+    });
+    if (response.ok) {
+        return { ok: true, status: response.status, data: (await response.json()) };
     }
-    const normalizedUsed = Math.max(0, used);
-    const percentRemaining = computePercentRemainingFromUsed({ used: normalizedUsed, total });
     return {
-        success: true,
-        used: normalizedUsed,
-        total,
-        percentRemaining,
-        resetTimeIso: getApproxNextResetIso(),
+        ok: false,
+        status: response.status,
+        message: await readGitHubRestErrorMessage(response),
     };
 }
-async function exchangeForCopilotToken(oauthToken) {
-    try {
-        const response = await fetchWithTimeout(COPILOT_TOKEN_EXCHANGE_URL, {
-            headers: {
-                Accept: "application/json",
-                Authorization: `Bearer ${oauthToken}`,
-                ...COPILOT_HEADERS,
-            },
-        });
-        if (!response.ok) {
-            return null;
+async function resolveGitHubUsername(token) {
+    const url = `${GITHUB_API_BASE_URL}/user`;
+    let unauthorized = null;
+    for (const scheme of preferredSchemesForToken(token)) {
+        const result = await fetchGitHubRestJsonOnce(url, token, scheme);
+        if (result.ok) {
+            const login = result.data.login?.trim();
+            if (login)
+                return login;
+            throw new Error("GitHub /user response did not include a login");
+        }
+        if (result.status === 401) {
+            unauthorized = { status: result.status, message: result.message };
+            continue;
         }
-        const tokenData = (await response.json());
-        if (!tokenData || typeof tokenData.token !== "string")
-            return null;
-        return tokenData.token;
+        throw new Error(`GitHub API error ${result.status}: ${result.message}`);
     }
-    catch {
-        return null;
+    if (unauthorized) {
+        throw new Error(`GitHub API error ${unauthorized.status}: ${unauthorized.message} (token rejected while resolving username)`);
     }
+    throw new Error("Unable to resolve GitHub username for Copilot billing request");
 }
-/**
- * Fetch Copilot usage from GitHub internal API.
- * Tries multiple authentication methods to handle old/new token formats.
- */
-async function fetchCopilotUsage(authData) {
-    const oauthToken = authData.refresh || authData.access;
-    if (!oauthToken) {
-        throw new Error("No OAuth token found in auth data");
-    }
-    const cachedAccessToken = authData.access;
-    const tokenExpiry = authData.expires || 0;
-    // Strategy 1: If we have a valid cached access token (from previous exchange), use it.
-    if (cachedAccessToken && cachedAccessToken !== oauthToken && tokenExpiry > Date.now()) {
-        const response = await fetchWithTimeout(COPILOT_INTERNAL_USER_URL, {
-            headers: buildBearerHeaders(cachedAccessToken),
+function getBillingRequestUrl(target) {
+    if (target.scope === "enterprise") {
+        const base = `${GITHUB_API_BASE_URL}/enterprises/${encodeURIComponent(target.enterprise)}/settings/billing/premium_request/usage`;
+        const searchParams = buildBillingPeriodQueryParams(target.billingPeriod, {
+            organization: target.organization,
+            username: target.username,
+        });
+        return `${base}?${searchParams.toString()}`;
+    }
+    if (target.scope === "organization") {
+        const base = `${GITHUB_API_BASE_URL}/organizations/${encodeURIComponent(target.organization)}/settings/billing/premium_request/usage`;
+        const searchParams = buildBillingPeriodQueryParams(target.billingPeriod, {
+            username: target.username,
         });
-        if (response.ok) {
-            return response.json();
+        return `${base}?${searchParams.toString()}`;
+    }
+    return `${GITHUB_API_BASE_URL}/users/${encodeURIComponent(target.username)}/settings/billing/premium_request/usage`;
+}
+async function fetchPremiumRequestUsage(params) {
+    const requestTarget = params.target.scope === "user"
+        ? {
+            scope: "user",
+            username: params.target.username ?? (await resolveGitHubUsername(params.token)),
         }
+        : params.target;
+    const url = getBillingRequestUrl(requestTarget);
+    let unauthorized = null;
+    for (const scheme of preferredSchemesForToken(params.token)) {
+        const result = await fetchGitHubRestJsonOnce(url, params.token, scheme);
+        if (result.ok) {
+            return {
+                response: result.data,
+                billingPeriod: requestTarget.scope === "user" ? undefined : requestTarget.billingPeriod,
+            };
+        }
+        if (result.status === 401) {
+            unauthorized = { status: result.status, message: result.message };
+            continue;
+        }
+        throw new Error(`GitHub API error ${result.status}: ${result.message}`);
     }
-    // Strategy 2: Try direct call with OAuth token (newer tokens generally expect Bearer).
-    const directBearerResponse = await fetchWithTimeout(COPILOT_INTERNAL_USER_URL, {
-        headers: buildBearerHeaders(oauthToken),
-    });
-    if (directBearerResponse.ok) {
-        return directBearerResponse.json();
+    if (unauthorized) {
+        throw new Error(`GitHub API error ${unauthorized.status}: ${unauthorized.message} (token rejected for Copilot premium request usage)`);
     }
-    // Strategy 2b: Legacy auth format.
-    const directLegacyResponse = await fetchWithTimeout(COPILOT_INTERNAL_USER_URL, {
-        headers: buildLegacyTokenHeaders(oauthToken),
+    throw new Error("Unable to fetch Copilot premium request usage");
+}
+function getApproxNextResetIso(nowMs = Date.now()) {
+    const now = new Date(nowMs);
+    return new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth() + 1, 1)).toISOString();
+}
+function computePercentRemainingFromUsed(params) {
+    const { used, total } = params;
+    if (!Number.isFinite(total) || total <= 0)
+        return 0;
+    if (!Number.isFinite(used) || used <= 0)
+        return 100;
+    const remaining = Math.max(0, total - Math.max(0, used));
+    return Math.max(0, Math.min(100, Math.floor((remaining * 100) / total)));
+}
+function getPremiumUsageItems(response, options) {
+    const items = Array.isArray(response.usageItems)
+        ? response.usageItems
+        : Array.isArray(response.usage_items)
+            ? response.usage_items
+            : [];
+    const premiumItems = items.filter((item) => {
+        if (!item || typeof item !== "object")
+            return false;
+        if (typeof item.sku !== "string")
+            return false;
+        return item.sku === "Copilot Premium Request" || item.sku.includes("Premium");
     });
-    if (directLegacyResponse.ok) {
-        return directLegacyResponse.json();
+    if (premiumItems.length === 0 && items.length > 0) {
+        const skus = items.map((item) => (typeof item?.sku === "string" ? item.sku : "?")).join(", ");
+        throw new Error(`No premium-request items found in billing response (${items.length} items, SKUs: ${skus}). Expected an item with SKU containing "Premium".`);
     }
-    // Strategy 3: Exchange OAuth token for Copilot session token (new auth flow).
-    const copilotToken = await exchangeForCopilotToken(oauthToken);
-    if (!copilotToken) {
-        const errorText = await directLegacyResponse.text();
-        throw new Error(`GitHub Copilot quota unavailable: ${errorText.slice(0, 160)}`);
+    if (premiumItems.length === 0 && options?.allowEmpty) {
+        return [];
     }
-    const exchangedResponse = await fetchWithTimeout(COPILOT_INTERNAL_USER_URL, {
-        headers: buildBearerHeaders(copilotToken),
-    });
-    if (!exchangedResponse.ok) {
-        const errorText = await exchangedResponse.text();
-        throw new Error(`GitHub API error ${exchangedResponse.status}: ${errorText.slice(0, 160)}`);
+    if (premiumItems.length === 0) {
+        throw new Error("Billing API returned empty usageItems array for Copilot premium requests.");
+    }
+    return premiumItems;
+}
+function sumUsedUnits(items) {
+    return items.reduce((sum, item) => {
+        const used = item.grossQuantity ??
+            item.gross_quantity ??
+            item.netQuantity ??
+            item.net_quantity ??
+            0;
+        return sum + (typeof used === "number" ? used : 0);
+    }, 0);
+}
+function formatBillingPeriod(period) {
+    return `${period.year}-${String(period.month).padStart(2, "0")}`;
+}
+function getBillingResponsePeriod(response, fallbackPeriod) {
+    const timePeriod = response.timePeriod ?? response.time_period;
+    const year = typeof timePeriod?.year === "number" ? timePeriod.year : fallbackPeriod.year;
+    const month = typeof timePeriod?.month === "number" ? timePeriod.month : fallbackPeriod.month;
+    return { year, month };
+}
+function toUserQuotaResultFromBilling(response, fallbackTier) {
+    const premiumItems = getPremiumUsageItems(response);
+    const used = sumUsedUnits(premiumItems);
+    const apiLimits = premiumItems
+        .map((item) => item.limit)
+        .filter((limit) => typeof limit === "number" && limit > 0);
+    const total = apiLimits.length > 0 ? Math.max(...apiLimits) : fallbackTier ? COPILOT_PLAN_LIMITS[fallbackTier] : undefined;
+    if (!total || total <= 0) {
+        throw new Error("Copilot billing response did not include a limit. Configure copilot-quota-token.json with your tier so the plugin can compute quota totals.");
     }
-    return exchangedResponse.json();
+    return {
+        success: true,
+        mode: "user_quota",
+        used,
+        total,
+        percentRemaining: computePercentRemainingFromUsed({ used, total }),
+        resetTimeIso: getApproxNextResetIso(),
+    };
+}
+function toOrganizationUsageResultFromBilling(params) {
+    const premiumItems = getPremiumUsageItems(params.response, { allowEmpty: true });
+    return {
+        success: true,
+        mode: "organization_usage",
+        organization: params.organization,
+        username: params.username,
+        period: getBillingResponsePeriod(params.response, params.billingPeriod),
+        used: sumUsedUnits(premiumItems),
+        resetTimeIso: getApproxNextResetIso(),
+    };
+}
+function toEnterpriseUsageResultFromBilling(params) {
+    const premiumItems = getPremiumUsageItems(params.response, { allowEmpty: true });
+    return {
+        success: true,
+        mode: "enterprise_usage",
+        enterprise: params.enterprise,
+        organization: params.organization,
+        username: params.username,
+        period: getBillingResponsePeriod(params.response, params.billingPeriod),
+        used: sumUsedUnits(premiumItems),
+        resetTimeIso: getApproxNextResetIso(),
+    };
+}
+function getOAuthTokenCandidates(auth) {
+    return dedupeStrings([auth.access, auth.refresh]);
+}
+function toQuotaError(message) {
+    return { success: false, error: message };
 }
-// =============================================================================
-// Export
-// =============================================================================
 /**
- * Query GitHub Copilot premium requests quota
+ * Query GitHub Copilot premium request usage.
  *
- * @returns Quota result, error, or null if not configured
+ * PAT configuration wins over OpenCode OAuth auth when both are present.
  */
 export async function queryCopilotQuota() {
-    // Strategy 1: Try public billing API with user's fine-grained PAT.
-    const quotaConfigRead = readQuotaConfigWithMeta();
-    if (quotaConfigRead.state === "valid" && quotaConfigRead.config) {
+    const pat = readQuotaConfigWithMeta();
+    if (pat.state === "invalid") {
+        return toQuotaError(`Invalid copilot-quota-token.json: ${pat.error ?? "unknown error"}${pat.selectedPath ? ` (${pat.selectedPath})` : ""}`);
+    }
+    if (pat.state === "valid" && pat.config) {
+        const resolvedTarget = resolvePatBillingTarget(pat.config);
+        if (!resolvedTarget.target) {
+            return toQuotaError(resolvedTarget.error ?? "Unable to resolve Copilot billing scope.");
+        }
+        const tokenCompatibilityError = validatePatTargetCompatibility(resolvedTarget.target, pat.tokenKind);
+        if (tokenCompatibilityError) {
+            return toQuotaError(tokenCompatibilityError);
+        }
         try {
-            const billing = await fetchPublicBillingUsage(quotaConfigRead.config);
-            return toQuotaResultFromBilling(billing, quotaConfigRead.config.tier);
+            const { response, billingPeriod } = await fetchPremiumRequestUsage({
+                token: pat.config.token,
+                target: resolvedTarget.target,
+            });
+            if (resolvedTarget.target.scope === "organization") {
+                return toOrganizationUsageResultFromBilling({
+                    response,
+                    organization: resolvedTarget.target.organization,
+                    username: resolvedTarget.target.username,
+                    billingPeriod: billingPeriod ?? resolvedTarget.target.billingPeriod,
+                });
+            }
+            if (resolvedTarget.target.scope === "enterprise") {
+                return toEnterpriseUsageResultFromBilling({
+                    response,
+                    enterprise: resolvedTarget.target.enterprise,
+                    organization: resolvedTarget.target.organization,
+                    username: resolvedTarget.target.username,
+                    billingPeriod: billingPeriod ?? resolvedTarget.target.billingPeriod,
+                });
+            }
+            return toUserQuotaResultFromBilling(response, pat.config.tier);
         }
-        catch (err) {
-            return {
-                success: false,
-                error: err instanceof Error ? err.message : String(err),
-            };
+        catch (error) {
+            return toQuotaError(error instanceof Error ? error.message : String(error));
         }
     }
-    // Strategy 2: Best-effort internal API using OpenCode auth.
-    const auth = await readCopilotAuth();
+    const authData = await readAuthFile();
+    const { auth } = selectCopilotAuth(authData);
     if (!auth) {
-        return null; // Not configured
+        return null;
     }
-    try {
-        const data = await fetchCopilotUsage(auth);
-        const premium = data.quota_snapshots.premium_interactions;
-        if (!premium) {
-            return {
-                success: false,
-                error: "No premium quota data",
-            };
-        }
-        if (premium.unlimited) {
-            return {
-                success: true,
-                used: 0,
-                total: -1, // Indicate unlimited
-                percentRemaining: 100,
-                resetTimeIso: data.quota_reset_date,
-            };
-        }
-        const total = premium.entitlement;
-        if (!Number.isFinite(total) || total <= 0) {
-            return {
-                success: false,
-                error: "Invalid premium quota entitlement",
-            };
+    const tokenCandidates = getOAuthTokenCandidates(auth);
+    if (tokenCandidates.length === 0) {
+        return null;
+    }
+    let lastError = null;
+    for (const token of tokenCandidates) {
+        try {
+            const { response } = await fetchPremiumRequestUsage({
+                token,
+                target: { scope: "user" },
+            });
+            return toUserQuotaResultFromBilling(response);
         }
-        const remainingRaw = typeof premium.remaining === "number"
-            ? premium.remaining
-            : typeof premium.quota_remaining === "number"
-                ? premium.quota_remaining
-                : NaN;
-        if (!Number.isFinite(remainingRaw)) {
-            return {
-                success: false,
-                error: "Invalid premium quota remaining value",
-            };
+        catch (error) {
+            lastError = error instanceof Error ? error.message : String(error);
         }
-        const remaining = Math.max(0, Math.min(total, remainingRaw));
-        const used = Math.max(0, total - remaining);
-        const percentRemaining = computePercentRemainingFromUsed({ used, total });
-        return {
-            success: true,
-            used,
-            total,
-            percentRemaining,
-            resetTimeIso: data.quota_reset_date,
-        };
-    }
-    catch (err) {
-        return {
-            success: false,
-            error: err instanceof Error ? err.message : String(err),
-        };
     }
+    return toQuotaError(lastError ??
+        "Copilot billing usage could not be fetched from OpenCode auth. Configure copilot-quota-token.json to provide an explicit tier and PAT.");
 }
-/**
- * Format Copilot quota for toast display
- *
- * @param result - Copilot quota result
- * @returns Formatted string like "Copilot 229/300 (24%)" or null
- */
 export function formatCopilotQuota(result) {
-    if (!result) {
+    if (!result || !result.success) {
         return null;
     }
-    if (!result.success) {
-        return null;
+    if (result.mode === "organization_usage") {
+        const details = [`${result.used} used`, formatBillingPeriod(result.period)];
+        if (result.username) {
+            details.push(`user=${result.username}`);
+        }
+        return `Copilot Org (${result.organization}) ${details.join(" | ")}`;
     }
-    if (result.total === -1) {
-        return "Copilot Unlimited";
+    if (result.mode === "enterprise_usage") {
+        const details = [`${result.used} used`, formatBillingPeriod(result.period)];
+        if (result.organization) {
+            details.push(`org=${result.organization}`);
+        }
+        if (result.username) {
+            details.push(`user=${result.username}`);
+        }
+        return `Copilot Enterprise (${result.enterprise}) ${details.join(" | ")}`;
     }
     const percentUsed = 100 - result.percentRemaining;
     return `Copilot ${result.used}/${result.total} (${percentUsed}%)`;