copillm 0.2.7 → 0.2.9

package/README.md

@@ -55,7 +55,7 @@ Full documentation is published at **[jcjc-dev.github.io/copillm](https://jcjc-d
 | Topic | Description |
 | --- | --- |
 | [Getting started](https://jcjc-dev.github.io/copillm/getting-started/) | Installation, authentication, and first run |
-| [CLI reference](https://jcjc-dev.github.io/copillm/cli-reference/) | Commands and flags |
+| [CLI reference](https://jcjc-dev.github.io/copillm/commands/) | Commands and flags |
 | [Using with Claude Code](https://jcjc-dev.github.io/copillm/claude-code/) | Environment wiring, gateway discovery, the `[1m]` 1M-context alias |
 | [Using with Codex CLI](https://jcjc-dev.github.io/copillm/codex/) | Environment wiring and `config.toml` generation |
 | [HTTP API reference](https://jcjc-dev.github.io/copillm/http-api/) | Endpoints and translation behaviour |

package/dist/agentconfig/render.js

@@ -3,7 +3,7 @@ import os from "node:os";
 import path from "node:path";
 import { parse as parseToml, stringify as stringifyToml, TomlError } from "smol-toml";
 import { AgentConfigError } from "./load.js";
-import { getCopillmHome } from "../config/home.js";
+import { getCopillmHome, piAgentDir } from "../config/home.js";
 import { HASH_COMMENT, HTML_COMMENT, upsertManagedBlock } from "./markerBlock.js";
 // ─── Codex ────────────────────────────────────────────────────────────────
 export function renderCodex(input) {
@@ -292,8 +292,8 @@ const PI_EXTENSION_DIRNAME = "copillm-mcp";
 export function renderPi(input) {
     const writes = [];
     const notes = [];
-    const piHome = path.join(process.env.HOME ?? "", ".pi");
-    const extensionDir = path.join(piHome, "agent", "extensions", PI_EXTENSION_DIRNAME);
+    const piAgent = piAgentDir();
+    const extensionDir = path.join(piAgent, "extensions", PI_EXTENSION_DIRNAME);
     // 1. servers.json — the resolved server list the extension reads at startup.
     const serversJson = renderPiServersJson(input.resolved.mcpServers);
     writes.push({
@@ -311,7 +311,7 @@ export function renderPi(input) {
     });
     // 3. instructions prompt registered by the extension on session_start.
     if (input.resolved.instructions) {
-        const promptPath = path.join(piHome, "agent", "prompts", "copillm-profile.md");
+        const promptPath = path.join(piAgent, "prompts", "copillm-profile.md");
         writes.push({
             path: promptPath,
             content: `${input.resolved.instructions.body.trim()}\n`,
@@ -369,7 +369,10 @@ export default function activate(pi: PiApi): void {
     return "copillm-managed MCP servers:\\n" + names.map((n) => "  - " + n).join("\\n");
   });
 
-  const promptPath = path.join(process.env.HOME ?? "", ".pi", "agent", "prompts", "copillm-profile.md");
+  // Resolve the prompt relative to this extension's own directory. copillm
+  // owns the pi agent dir (via PI_CODING_AGENT_DIR), and the extension lives at
+  // <agentDir>/extensions/<name>/, so the prompt is two levels up under prompts/.
+  const promptPath = path.join(__dirname, "..", "..", "prompts", "copillm-profile.md");
   if (fs.existsSync(promptPath) && typeof pi.on === "function") {
     pi.on("session_start", () => {
       try {
@@ -384,18 +387,67 @@ export default function activate(pi: PiApi): void {
   }
 }
 `;
-// ─── Copilot CLI (stub) ───────────────────────────────────────────────────
-export function renderCopilot(_input) {
+// ─── Copilot CLI ──────────────────────────────────────────────────────────
+export function renderCopilot(input) {
+    const writes = [];
+    const notes = [];
+    const cliArgs = [];
+    const mcpConfigPath = path.join(getCopillmHome(), "copilot", "mcp-config.json");
+    const serverCount = Object.keys(input.resolved.mcpServers).length;
+    if (serverCount > 0) {
+        const content = renderCopilotMcp(input.resolved.mcpServers);
+        const existing = fs.existsSync(mcpConfigPath) ? fs.readFileSync(mcpConfigPath, "utf8") : null;
+        if (existing !== content) {
+            writes.push({
+                path: mcpConfigPath,
+                content,
+                mode: 0o600,
+                description: "Copilot CLI MCP config (copillm-managed)"
+            });
+        }
+        cliArgs.push("--additional-mcp-config", `@${mcpConfigPath}`);
+    }
+    else if (fs.existsSync(mcpConfigPath)) {
+        fs.rmSync(mcpConfigPath, { force: true });
+        notes.push(`Removed stale ${mcpConfigPath} (no MCP servers in active profile).`);
+    }
     return {
-        writes: [],
+        writes,
         envOverlay: {},
-        cliArgs: [],
-        notes: [
-            "Copilot CLI: native MCP config format is not yet documented publicly. " +
-                "Skipping fan-out. Track upstream and remove this stub when the path is known."
-        ]
+        cliArgs,
+        notes
     };
 }
+function renderCopilotMcp(servers) {
+    const out = {};
+    for (const [name, server] of Object.entries(servers)) {
+        if (server.transport === "stdio") {
+            const entry = {
+                type: "local",
+                command: server.command,
+                tools: ["*"]
+            };
+            if (server.args)
+                entry.args = server.args;
+            if (server.env)
+                entry.env = server.env;
+            if (server.cwd)
+                entry.cwd = server.cwd;
+            out[name] = entry;
+        }
+        else {
+            const entry = {
+                type: server.transport,
+                url: server.url,
+                tools: ["*"]
+            };
+            if (server.headers)
+                entry.headers = server.headers;
+            out[name] = entry;
+        }
+    }
+    return `${JSON.stringify({ mcpServers: out }, null, 2)}\n`;
+}
 export function planRender(opts, load) {
     const baseInput = { resolved: load.resolved, cwd: opts.cwd };
     switch (opts.agent) {

package/dist/auth/copilotToken.js

@@ -1,6 +1,10 @@
+import { setTimeout as defaultSleep } from "node:timers/promises";
 import { tokenExchangeUrl } from "../config/upstream.js";
+import { isRetryableStatus, isRetryableTransportError, retryDelayMs } from "../server/upstream/retryPolicy.js";
 const DEFAULT_REFRESH_THRESHOLD_SECONDS = 300;
 const MIN_ACCEPTABLE_TTL_SECONDS = 30;
+const DEFAULT_ATTEMPT_TIMEOUT_MS = 10_000;
+const DEFAULT_MAX_ATTEMPTS = 3;
 export class CopilotTokenManagerError extends Error {
     constructor(message) {
         super(message);
@@ -29,12 +33,29 @@ export class CopilotTokenExpiredError extends CopilotTokenManagerError {
         this.name = "CopilotTokenExpiredError";
     }
 }
+/**
+ * `CopilotTokenExchangeError` is thrown both for "retryable" upstream statuses
+ * (after retries are exhausted) and for terminal credential failures (401/403
+ * — bad OAuth token, never retried). Tests and error-mapping code can use
+ * this helper to keep the classification consistent across surfaces.
+ */
+export function isTerminalCredentialStatus(status) {
+    return status === 401 || status === 403 || status === 404;
+}
 export class CopilotTokenManager {
     githubToken;
     state = null;
     refreshInFlight = null;
-    constructor(githubToken) {
+    fetchImpl;
+    sleepImpl;
+    attemptTimeoutMs;
+    maxAttempts;
+    constructor(githubToken, deps) {
         this.githubToken = githubToken;
+        this.fetchImpl = deps?.fetchImpl ?? ((input, init) => fetch(input, init));
+        this.sleepImpl = deps?.sleepImpl ?? ((ms) => defaultSleep(ms));
+        this.attemptTimeoutMs = deps?.attemptTimeoutMs ?? DEFAULT_ATTEMPT_TIMEOUT_MS;
+        this.maxAttempts = deps?.maxAttempts ?? DEFAULT_MAX_ATTEMPTS;
     }
     get current() {
         return this.state;
@@ -63,33 +84,81 @@ export class CopilotTokenManager {
         this.state = null;
         this.refreshInFlight = null;
     }
+    /**
+     * Perform the upstream token exchange with bounded retries.
+     *
+     * Retry policy mirrors `src/server/upstream/copilotClient.ts`:
+     *   - 3 attempts max (configurable via constructor deps)
+     *   - exponential backoff: 200ms, 400ms (no sleep after final attempt)
+     *   - retry on status ∈ {408, 409, 425, 429, 500, 502, 503, 504}
+     *   - retry on transient transport errors (ECONNRESET / EAI_AGAIN / ...)
+     *   - 401/403/404 are terminal: bad credentials, not a blip — fail fast
+     *
+     * Each attempt gets its own `AbortSignal.timeout(attemptTimeoutMs)` so a
+     * hung upstream can't freeze `copillm start` for the lifetime of the
+     * whole process. The previous version had no timeout at all.
+     */
     async exchange() {
-        const response = await fetch(tokenExchangeUrl(), {
-            method: "GET",
-            headers: {
-                Authorization: `token ${this.githubToken}`,
-                "User-Agent": "copillm/0.1.0",
-                Accept: "application/json"
+        let lastErrorThrown;
+        let lastStatusError = null;
+        for (let attempt = 1; attempt <= this.maxAttempts; attempt += 1) {
+            let response;
+            try {
+                response = await this.fetchImpl(tokenExchangeUrl(), {
+                    method: "GET",
+                    headers: {
+                        Authorization: `token ${this.githubToken}`,
+                        "User-Agent": "copillm/0.1.0",
+                        Accept: "application/json"
+                    },
+                    signal: AbortSignal.timeout(this.attemptTimeoutMs)
+                });
+            }
+            catch (error) {
+                lastErrorThrown = error;
+                if (isRetryableTransportError(error) && attempt < this.maxAttempts) {
+                    await this.sleepImpl(retryDelayMs(attempt));
+                    continue;
+                }
+                throw error;
+            }
+            if (response.ok) {
+                const payload = (await response.json());
+                if (!payload.token || !payload.expires_at || !Number.isFinite(payload.expires_at)) {
+                    throw new CopilotTokenPayloadError("Token exchange response was missing required fields.");
+                }
+                const now = this.nowUnix();
+                const ttl = payload.expires_at - now;
+                if (ttl <= MIN_ACCEPTABLE_TTL_SECONDS) {
+                    throw new CopilotTokenExpiredError(`Received near-expired Copilot token (ttl_seconds=${Math.max(0, ttl)}).`);
+                }
+                return {
+                    token: payload.token,
+                    expiresAtUnix: payload.expires_at
+                };
             }
-        });
-        if (!response.ok) {
+            // Non-OK response. Capture body once so the error message is informative
+            // whether we retry or fail here.
             const responseBody = await response.text();
             const snippet = responseBody.slice(0, 256);
-            throw new CopilotTokenExchangeError(`Copilot token exchange failed (${response.status}).`, response.status, snippet);
-        }
-        const payload = (await response.json());
-        if (!payload.token || !payload.expires_at || !Number.isFinite(payload.expires_at)) {
-            throw new CopilotTokenPayloadError("Token exchange response was missing required fields.");
-        }
-        const now = this.nowUnix();
-        const ttl = payload.expires_at - now;
-        if (ttl <= MIN_ACCEPTABLE_TTL_SECONDS) {
-            throw new CopilotTokenExpiredError(`Received near-expired Copilot token (ttl_seconds=${Math.max(0, ttl)}).`);
+            lastStatusError = new CopilotTokenExchangeError(`Copilot token exchange failed (${response.status}).`, response.status, snippet);
+            if (isTerminalCredentialStatus(response.status)) {
+                // Bad OAuth token, account disabled, or endpoint missing — no amount
+                // of retry will fix any of these. Throw immediately so the user gets
+                // a fast, actionable signal.
+                throw lastStatusError;
+            }
+            if (isRetryableStatus(response.status) && attempt < this.maxAttempts) {
+                await this.sleepImpl(retryDelayMs(attempt));
+                continue;
+            }
+            throw lastStatusError;
         }
-        return {
-            token: payload.token,
-            expiresAtUnix: payload.expires_at
-        };
+        // Unreachable: every loop iteration either returns, throws, or continues
+        // (and the continue branch is gated by `attempt < this.maxAttempts`, so
+        // the final iteration always takes one of the throwing branches). Defend
+        // anyway so a future refactor doesn't silently drop the error.
+        throw lastStatusError ?? lastErrorThrown ?? new Error("Copilot token exchange exhausted retries without error context.");
     }
     normalizeEnsureTokenOptions(input) {
         if (typeof input === "boolean") {

package/dist/auth/credentials.js

@@ -204,6 +204,53 @@ export async function loadStoredCredential() {
     }
     return { token, accountType: "individual", source: "keyring" };
 }
+/**
+ * Coalesced inspect + load for status surfaces. Returns the same fields
+ * `inspectStoredCredential` exposes (`stored` + `backend`) AND the
+ * `token` — but performs only ONE backend probe.
+ *
+ * Previously, `auth status` with user-lookup enabled did:
+ *   1. `inspectStoredCredential` → one `keyring.getPassword` (backend probe)
+ *   2. `loadStoredCredential` (inside `inspectGithubIdentity`) → another
+ *      `keyring.getPassword` (full token read)
+ *
+ * On macOS, each call is its own keychain audit-log entry and (on a
+ * misconfigured system) its own permission prompt. This helper folds both
+ * into a single backend probe + single read.
+ *
+ * SECURITY: callers MUST treat the `token` field as sensitive — do not log,
+ * print, or persist it. The status JSON output and `formatHumanAuthStatusLine`
+ * only consume `backend` (and the upstream identity summary returned by
+ * `inspectGithubIdentity`), never `token` directly. Enforced at the call
+ * site (`tests/integration/authStatusCli.test.ts` runs a substring-leak
+ * guard on the printed output).
+ */
+export async function loadStoredCredentialForStatus() {
+    if (sessionCredential) {
+        return { stored: true, backend: "session", token: sessionCredential.token };
+    }
+    if (fs.existsSync(credentialsReadPath())) {
+        const parsed = parseCredentialFile();
+        return { stored: true, backend: "file", token: parsed.token };
+    }
+    const { keyring } = await resolveKeyring();
+    if (!keyring) {
+        return { stored: false, backend: null, token: null };
+    }
+    try {
+        const token = await keyring.getPassword(SERVICE, ACCOUNT);
+        if (token) {
+            return { stored: true, backend: "keyring", token };
+        }
+        return { stored: false, backend: null, token: null };
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            throw new Error(`Failed to read token from OS keychain: ${error.message}`);
+        }
+        throw new Error("Failed to read token from OS keychain.");
+    }
+}
 export async function saveStoredCredential(token, accountType, options = {}) {
     const mode = options.mode ?? "auto";
     if (mode === "session") {

package/dist/auth/deviceFlow.js

@@ -1,32 +1,67 @@
+import { setTimeout as defaultSleep } from "node:timers/promises";
+import { isRetryableStatus, isRetryableTransportError, retryDelayMs } from "../server/upstream/retryPolicy.js";
 const GITHUB_CLIENT_ID = "Iv1.b507a08c87ecfe98";
 const DEVICE_CODE_URL = "https://github.com/login/device/code";
 const ACCESS_TOKEN_URL = "https://github.com/login/oauth/access_token";
-export async function loginViaDeviceFlow() {
-    const start = await fetch(DEVICE_CODE_URL, {
-        method: "POST",
-        headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
-        body: new URLSearchParams({ client_id: GITHUB_CLIENT_ID, scope: "read:user" })
-    });
-    if (!start.ok) {
-        throw new Error(`Device flow init failed (${start.status}).`);
-    }
-    const payload = parseDeviceCodeResponse((await start.json()));
+/**
+ * Per-attempt timeout for the init POST + each poll POST. GitHub's device-
+ * flow endpoints typically respond in <500ms; 10s leaves room for slow
+ * networks without freezing the login flow for a full minute on a network
+ * black-hole. Previously the fetches had no timeout at all.
+ */
+const DEFAULT_FETCH_TIMEOUT_MS = 10_000;
+const DEFAULT_INIT_MAX_ATTEMPTS = 3;
+export async function loginViaDeviceFlow(deps) {
+    const fetchImpl = deps?.fetchImpl ?? ((input, init) => fetch(input, init));
+    const sleepImpl = deps?.sleepImpl ?? ((ms) => defaultSleep(ms));
+    const stdout = deps?.stdout ?? process.stdout;
+    const fetchTimeoutMs = deps?.fetchTimeoutMs ?? DEFAULT_FETCH_TIMEOUT_MS;
+    const initMaxAttempts = deps?.initMaxAttempts ?? DEFAULT_INIT_MAX_ATTEMPTS;
+    // Phase 1: init POST. Retried up to `initMaxAttempts` on transient HTTP
+    // statuses + transport errors. A single 502 used to abort the whole
+    // device-flow login — the user would have to start over from a new code.
+    const payload = await initDeviceFlow({ fetchImpl, sleepImpl, fetchTimeoutMs, initMaxAttempts });
     const verificationUrl = payload.verification_uri_complete ?? payload.verification_uri;
-    process.stdout.write(`Open ${verificationUrl} and enter code ${payload.user_code}\n`);
+    stdout.write(`Open ${verificationUrl} and enter code ${payload.user_code}\n`);
+    // Phase 2: poll loop. The device-flow `expires_in` is the natural deadline.
+    // Inside the loop, transient HTTP / transport failures `continue` instead
+    // of throwing — the loop's own `await sleep(intervalMs)` IS the backoff,
+    // and the `deadline` IS the budget. Previously, a single 503 from
+    // `github.com/login/oauth/access_token` aborted the whole login.
     const deadline = Date.now() + payload.expires_in * 1000;
     let intervalMs = Math.max(1, payload.interval) * 1000;
     while (Date.now() < deadline) {
-        await sleep(intervalMs);
-        const poll = await fetch(ACCESS_TOKEN_URL, {
-            method: "POST",
-            headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
-            body: new URLSearchParams({
-                client_id: GITHUB_CLIENT_ID,
-                device_code: payload.device_code,
-                grant_type: "urn:ietf:params:oauth:grant-type:device_code"
-            })
-        });
+        await sleepImpl(intervalMs);
+        let poll;
+        try {
+            poll = await fetchImpl(ACCESS_TOKEN_URL, {
+                method: "POST",
+                headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
+                body: new URLSearchParams({
+                    client_id: GITHUB_CLIENT_ID,
+                    device_code: payload.device_code,
+                    grant_type: "urn:ietf:params:oauth:grant-type:device_code"
+                }),
+                signal: AbortSignal.timeout(fetchTimeoutMs)
+            });
+        }
+        catch (error) {
+            if (isRetryableTransportError(error)) {
+                // Transient — the next loop iteration will retry naturally. Don't
+                // abort the user's login over an ECONNRESET / DNS soft-fail.
+                continue;
+            }
+            throw error;
+        }
         if (!poll.ok) {
+            // Transient HTTP errors (5xx, 429) keep polling — same justification
+            // as transport errors. Permanent errors (4xx other than 429) abort,
+            // because the device code itself is bad and no amount of polling
+            // will fix it.
+            if (isRetryableStatus(poll.status)) {
+                await discardResponseBody(poll);
+                continue;
+            }
             throw new Error(`Access token poll failed (${poll.status}).`);
         }
         const tokenPayload = parseAccessTokenResponse((await poll.json()));
@@ -51,8 +86,60 @@ export async function loginViaDeviceFlow() {
     }
     throw new Error("Device authorization timed out.");
 }
-function sleep(ms) {
-    return new Promise((resolve) => setTimeout(resolve, ms));
+/**
+ * Init POST with bounded retries. Retries on retryable HTTP statuses (5xx,
+ * 429, 408, 409, 425) and on transient transport errors (ECONNRESET, DNS
+ * soft-fails, undici timeouts). Fast-fails on 4xx-other so a misconfigured
+ * client_id or missing scope shows up immediately instead of after three
+ * pointless retries.
+ *
+ * Throws the last error if the budget is exhausted. The wrapping
+ * `loginViaDeviceFlow` does not retry the init separately — this is the
+ * only init retry layer.
+ */
+async function initDeviceFlow(opts) {
+    let lastError;
+    for (let attempt = 1; attempt <= opts.initMaxAttempts; attempt += 1) {
+        let response;
+        try {
+            response = await opts.fetchImpl(DEVICE_CODE_URL, {
+                method: "POST",
+                headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
+                body: new URLSearchParams({ client_id: GITHUB_CLIENT_ID, scope: "read:user" }),
+                signal: AbortSignal.timeout(opts.fetchTimeoutMs)
+            });
+        }
+        catch (error) {
+            lastError = error;
+            if (isRetryableTransportError(error) && attempt < opts.initMaxAttempts) {
+                await opts.sleepImpl(retryDelayMs(attempt));
+                continue;
+            }
+            throw error;
+        }
+        if (response.ok) {
+            return parseDeviceCodeResponse((await response.json()));
+        }
+        lastError = new Error(`Device flow init failed (${response.status}).`);
+        if (isRetryableStatus(response.status) && attempt < opts.initMaxAttempts) {
+            await discardResponseBody(response);
+            await opts.sleepImpl(retryDelayMs(attempt));
+            continue;
+        }
+        throw lastError;
+    }
+    // Unreachable: every iteration either returns, throws, or continues
+    // (with continue gated on `attempt < initMaxAttempts`). Defend anyway.
+    throw lastError ?? new Error("Device flow init exhausted retries without error context.");
+}
+async function discardResponseBody(response) {
+    try {
+        await response.arrayBuffer();
+    }
+    catch {
+        // Best-effort body drain; ignore failures so we don't surface a
+        // response-cleanup error in place of the real one we already captured.
+    }
 }
 function parseDeviceCodeResponse(value) {
     if (!value || typeof value !== "object") {

package/dist/auth/githubIdentity.js

@@ -14,18 +14,22 @@ import { getGithubUserSummary, GithubUserFetchError } from "../server/debugInfo.
  * null so callers can gracefully fall back to existing offline output.
  */
 export async function inspectGithubIdentity(options = {}) {
-    let credential;
-    try {
-        credential = await loadStoredCredential();
-    }
-    catch {
-        return null;
-    }
-    if (!credential) {
-        return null;
+    let token = options.token;
+    if (typeof token !== "string") {
+        let credential;
+        try {
+            credential = await loadStoredCredential();
+        }
+        catch {
+            return null;
+        }
+        if (!credential) {
+            return null;
+        }
+        token = credential.token;
     }
     try {
-        const summary = await getGithubUserSummary(credential.token, {
+        const summary = await getGithubUserSummary(token, {
             timeoutMs: options.timeoutMs ?? 4_000
         });
         if (!summary.login) {

package/dist/cli/agentEnv.js

@@ -1,10 +1,14 @@
 import { computeAnthropicDefaults, readModelIdsFromCache } from "../models/anthropicDefaults.js";
+import { claudeConfigDir, piAgentDir } from "../config/home.js";
 export function buildClaudeEnvBundle(input) {
     const defaults = input.defaults ?? computeAnthropicDefaults(readModelIdsFromCache());
     const enableGateway = input.enableGatewayDiscovery !== false;
     const env = {
         ANTHROPIC_BASE_URL: `http://127.0.0.1:${input.port}/anthropic`,
-        ANTHROPIC_AUTH_TOKEN: input.callerSecret ?? "copillm-local"
+        ANTHROPIC_AUTH_TOKEN: input.callerSecret ?? "copillm-local",
+        // Point Claude at a copillm-owned config home so copillm-launched Claude
+        // never reads/writes the user's real ~/.claude (and dev mode isolates it).
+        CLAUDE_CONFIG_DIR: claudeConfigDir()
     };
     const trailingNotes = [];
     if (defaults.opus) {
@@ -38,18 +42,19 @@ export function buildCodexEnvBundle(absHomeDir) {
     };
 }
 /**
- * Pi has no environment-variable override for its config directory; it reads
- * `~/.pi/agent/models.json` unconditionally. So this bundle is intentionally
- * empty — the real configuration work happens in `generatePiHome()` writing
- * that file. We expose the helper for symmetry with the other agents and to
- * carry a trailing note explaining what to look at when debugging.
+ * pi reads its config from `<PI_CODING_AGENT_DIR>/models.json`. copillm owns
+ * that directory (see `piAgentDir()` in src/config/home.ts) and exports
+ * `PI_CODING_AGENT_DIR` so the launched pi reads the catalog copillm just wrote
+ * there — never the user's real `~/.pi`. This is also what makes dev mode
+ * isolate pi for free (the dev COPILLM_HOME relocates the agent dir).
  */
 export function buildPiEnvBundle(absMirrorDir) {
+    const agentDir = piAgentDir();
     return {
-        env: {},
+        env: { PI_CODING_AGENT_DIR: agentDir },
         inlineComments: {},
         trailingNotes: [
-            `pi reads ~/.pi/agent/models.json directly (no env var override).`,
+            `pi reads ${agentDir}/models.json (copillm sets PI_CODING_AGENT_DIR).`,
             `copillm regenerated it on \`copillm start\` and mirrored it at ${absMirrorDir}/models.json.`
         ]
     };

package/dist/cli/commands/auth.js

@@ -1,4 +1,4 @@
-import { inspectStoredCredential } from "../../auth/credentials.js";
+import { inspectStoredCredential, loadStoredCredentialForStatus } from "../../auth/credentials.js";
 import { inspectGithubIdentity } from "../../auth/githubIdentity.js";
 import { ensureAuthenticatedInteractive } from "../auth/ensure.js";
 import { runAuthLogin, runAuthLogout } from "../auth/runAuth.js";
@@ -48,9 +48,36 @@ export function register(program) {
         .option("--json", "JSON output")
         .option("--no-user", "Skip the GitHub /user lookup that fetches the login name")
         .action(async (opts) => {
+        // commander's --no-user toggles opts.user to false; when the flag is
+        // omitted opts.user is undefined and we treat that as "fetch by default".
+        const wantUserLookup = opts.user !== false;
+        // Two paths to minimize keychain probes:
+        //   - With user lookup (default): `loadStoredCredentialForStatus()`
+        //     does ONE keychain read that yields backend + token. Pass the
+        //     token into `inspectGithubIdentity({ token })` so it doesn't
+        //     re-read the keychain.
+        //   - Without user lookup (--no-user): `inspectStoredCredential()`
+        //     does ONE keychain probe and never sees the token. Preserves
+        //     the no-token invariant for the surface where it matters most.
+        //
+        // Previously, the user-lookup path made TWO keychain reads — one in
+        // `inspectStoredCredential` then another in `inspectGithubIdentity` →
+        // `loadStoredCredential`. That doubled macOS keychain audit-log
+        // entries and doubled permission-prompt exposure on misconfigured
+        // systems.
         let info;
+        let token;
         try {
-            info = await inspectStoredCredential();
+            if (wantUserLookup) {
+                const loaded = await loadStoredCredentialForStatus();
+                info = { stored: loaded.stored, backend: loaded.backend };
+                if (loaded.stored) {
+                    token = loaded.token;
+                }
+            }
+            else {
+                info = await inspectStoredCredential();
+            }
         }
         catch (error) {
             const message = error instanceof Error ? error.message : "unknown_error";
@@ -62,9 +89,7 @@ export function register(program) {
             }
             process.exit(1);
         }
-        // commander's --no-user toggles opts.user to false; when the flag is
-        // omitted opts.user is undefined and we treat that as "fetch by default".
-        const userLookupEnabled = info.stored && opts.user !== false;
+        const userLookupEnabled = info.stored && wantUserLookup;
         let identity = null;
         if (userLookupEnabled) {
             // inspectGithubIdentity is designed to return null on any failure, but
@@ -74,7 +99,7 @@ export function register(program) {
             // must never break the auth-status command. Status output should always
             // succeed even when the network is broken.
             try {
-                identity = await inspectGithubIdentity();
+                identity = await inspectGithubIdentity({ token });
             }
             catch {
                 identity = null;