copillm 0.2.8 → 0.3.0-beta.1

package/README.md

@@ -28,6 +28,18 @@ Alternatively, you can invoke it directly with `npx` without a global install:
 npx copillm --help
 ```
 
+### Preview (beta) releases
+
+Experimental builds are published to the `beta` channel ahead of a stable
+release. They let you try in-progress features early; expect rough edges. Stable
+installs are never affected unless you explicitly opt in:
+
+```bash
+npm install -g copillm@beta
+```
+
+To return to the stable channel, reinstall without the tag: `npm install -g copillm@latest`.
+
 ## Quick start
 
 ```bash
@@ -48,6 +60,62 @@ copillm claude --model opus
 copillm codex --help
 ```
 
+## Multiple accounts
+
+copillm can hold more than one GitHub account at once and serve them from the
+same daemon. If you only ever use one account, nothing changes — you never see
+any of this.
+
+```bash
+# Your first login is the default account (no naming needed).
+copillm auth login
+
+# Add another account under a name of your choice.
+copillm auth login --as work
+copillm auth login --as work --account-type business   # set its plan type
+
+# See every account; the default is marked with *.
+copillm auth status
+
+# Change which account is the default.
+copillm auth switch work
+
+# Log out of one account, or all of them.
+copillm auth logout --account work
+copillm auth logout --all
+```
+
+The **default account** is what every agent and the model endpoints use unless
+told otherwise. `copillm auth status` lists each account with its plan type and
+whether a credential is stored; tokens are never printed.
+
+Different accounts can be entitled to different models, so each account keeps
+its own model list.
+
+### Launching an agent against a specific account
+
+Point any agent at a non-default account for a single launch with `--account`,
+or set `COPILLM_ACCOUNT` in the environment:
+
+```bash
+copillm codex --account work
+COPILLM_ACCOUNT=work copillm claude
+```
+
+To make it automatic, pin an account to a profile in `~/.copillm/agent.toml`
+(or a project's `.copillm/agent.toml`):
+
+```toml
+[profiles.work]
+account = "work"
+```
+
+Then `copillm codex --profile work` always uses the `work` account. Precedence
+is `--account` > `COPILLM_ACCOUNT` > the profile's pinned account > the default
+account. copillm prints a short notice such as `using account "work" (from
+profile)` so you always know which account a launch is using, and refuses to
+launch with a clear error if the account isn't one you've logged into.
+
 ## Documentation
 
 Full documentation is published at **[jcjc-dev.github.io/copillm](https://jcjc-dev.github.io/copillm/)**.
@@ -55,7 +123,7 @@ Full documentation is published at **[jcjc-dev.github.io/copillm](https://jcjc-d
 | Topic | Description |
 | --- | --- |
 | [Getting started](https://jcjc-dev.github.io/copillm/getting-started/) | Installation, authentication, and first run |
-| [CLI reference](https://jcjc-dev.github.io/copillm/cli-reference/) | Commands and flags |
+| [CLI reference](https://jcjc-dev.github.io/copillm/commands/) | Commands and flags |
 | [Using with Claude Code](https://jcjc-dev.github.io/copillm/claude-code/) | Environment wiring, gateway discovery, the `[1m]` 1M-context alias |
 | [Using with Codex CLI](https://jcjc-dev.github.io/copillm/codex/) | Environment wiring and `config.toml` generation |
 | [HTTP API reference](https://jcjc-dev.github.io/copillm/http-api/) | Endpoints and translation behaviour |
@@ -63,7 +131,7 @@ Full documentation is published at **[jcjc-dev.github.io/copillm](https://jcjc-d
 
 ## Contributing
 
-Bug reports and pull requests are welcome. Please read the [development guide](https://jcjc-dev.github.io/copillm/development/) before opening a pull request.
+Bug reports and pull requests are welcome. Develop against an isolated dev daemon (`npm run dev:start`) so you don't disturb a running copillm, and run `npm run lint && npm test && npm run test:e2e:pr` before opening a pull request. See the [development guide](https://jcjc-dev.github.io/copillm/development/) for the full workflow.
 
 ## Disclaimer
 

package/dist/agentconfig/load.js

@@ -97,6 +97,14 @@ function mergeAndResolve(input) {
     const instructions = instructionsBody !== null && instructionsBody.trim().length > 0
         ? { body: instructionsBody }
         : null;
+    // Merge the pinned account: later layers (project over global, profile over
+    // defaults) win. Empty string is treated as unset.
+    let account = null;
+    for (const layer of layers) {
+        if (layer.account !== undefined && layer.account.trim().length > 0) {
+            account = layer.account.trim();
+        }
+    }
     // Merge mcp.servers map; later layers replace earlier same-named entries.
     // Defaults are always-on: a profile may override a default by name but
     // cannot remove it.
@@ -114,7 +122,7 @@ function mergeAndResolve(input) {
         permissions: mergeRecord(layers, "permissions")
     };
     const yolo = mergeYolo(layers);
-    return { instructions, mcpServers: servers, yolo, reserved };
+    return { instructions, mcpServers: servers, account, yolo, reserved };
 }
 /**
  * Layer yolo blocks across defaults + active profile. Later layers (project

package/dist/agentconfig/render.js

@@ -3,7 +3,7 @@ import os from "node:os";
 import path from "node:path";
 import { parse as parseToml, stringify as stringifyToml, TomlError } from "smol-toml";
 import { AgentConfigError } from "./load.js";
-import { getCopillmHome } from "../config/home.js";
+import { getCopillmHome, piAgentDir } from "../config/home.js";
 import { HASH_COMMENT, HTML_COMMENT, upsertManagedBlock } from "./markerBlock.js";
 // ─── Codex ────────────────────────────────────────────────────────────────
 export function renderCodex(input) {
@@ -292,8 +292,8 @@ const PI_EXTENSION_DIRNAME = "copillm-mcp";
 export function renderPi(input) {
     const writes = [];
     const notes = [];
-    const piHome = path.join(process.env.HOME ?? "", ".pi");
-    const extensionDir = path.join(piHome, "agent", "extensions", PI_EXTENSION_DIRNAME);
+    const piAgent = piAgentDir();
+    const extensionDir = path.join(piAgent, "extensions", PI_EXTENSION_DIRNAME);
     // 1. servers.json — the resolved server list the extension reads at startup.
     const serversJson = renderPiServersJson(input.resolved.mcpServers);
     writes.push({
@@ -311,7 +311,7 @@ export function renderPi(input) {
     });
     // 3. instructions prompt registered by the extension on session_start.
     if (input.resolved.instructions) {
-        const promptPath = path.join(piHome, "agent", "prompts", "copillm-profile.md");
+        const promptPath = path.join(piAgent, "prompts", "copillm-profile.md");
         writes.push({
             path: promptPath,
             content: `${input.resolved.instructions.body.trim()}\n`,
@@ -369,7 +369,10 @@ export default function activate(pi: PiApi): void {
     return "copillm-managed MCP servers:\\n" + names.map((n) => "  - " + n).join("\\n");
   });
 
-  const promptPath = path.join(process.env.HOME ?? "", ".pi", "agent", "prompts", "copillm-profile.md");
+  // Resolve the prompt relative to this extension's own directory. copillm
+  // owns the pi agent dir (via PI_CODING_AGENT_DIR), and the extension lives at
+  // <agentDir>/extensions/<name>/, so the prompt is two levels up under prompts/.
+  const promptPath = path.join(__dirname, "..", "..", "prompts", "copillm-profile.md");
   if (fs.existsSync(promptPath) && typeof pi.on === "function") {
     pi.on("session_start", () => {
       try {

package/dist/agentconfig/schema.js

@@ -69,6 +69,12 @@ const SectionSchema = z
     instructions: InstructionsSchema.optional(),
     mcp: McpSchema.optional(),
     yolo: YoloSchema.optional(),
+    /**
+     * Pin a copillm account for launches that use this profile. The launcher
+     * routes the agent at this account unless overridden by `--account` /
+     * `COPILLM_ACCOUNT`. Must name an account from `copillm auth status`.
+     */
+    account: z.string().min(1).optional(),
     // v1 reserved sections: validated as objects but not interpreted.
     skills: PassthroughRecord.optional(),
     agents: PassthroughRecord.optional(),

package/dist/auth/accountManager.js

@@ -0,0 +1,118 @@
+import { findAccount, readAccountsIndex, removeAccount, setDefaultAccountId, upsertAccount, assertValidAccountId } from "./accounts.js";
+import { clearStoredCredential, clearStoredCredentialForAccount, inspectStoredCredentialForAccount, saveStoredCredentialForAccount } from "./credentials.js";
+/**
+ * Add or update an explicitly-identified account, materializing/extending the
+ * accounts index, and store its credential.
+ *
+ * Storage scheme follows the credential-store invariant: the **first** account
+ * (no index yet) takes legacy storage so it keeps the original keychain entry /
+ * `credentials.json`; every account added afterwards is namespaced. An existing
+ * account keeps whatever storage it already has.
+ */
+export async function addAccount(input) {
+    assertValidAccountId(input.id);
+    const index = readAccountsIndex();
+    const existing = findAccount(input.id);
+    const storage = existing ? existing.storage : index ? "namespaced" : "legacy";
+    upsertAccount({
+        id: input.id,
+        accountType: input.accountType,
+        storage,
+        addedAt: existing?.addedAt ?? new Date().toISOString()
+    });
+    // saveStoredCredentialForAccount resolves storage from the index record we
+    // just wrote, so it lands in the right (legacy vs namespaced) location.
+    const backend = await saveStoredCredentialForAccount(input.id, input.token, input.accountType, {
+        mode: input.mode ?? "auto"
+    });
+    let isDefault = readAccountsIndex()?.defaultAccount === input.id;
+    if (input.makeDefault && !isDefault) {
+        setDefaultAccountId(input.id);
+        isDefault = true;
+    }
+    return { id: input.id, accountType: input.accountType, storage, backend, isDefault };
+}
+/**
+ * Detailed, token-free view of every registered account for `auth status`.
+ * Returns `hasIndex: false` for single-account installs so the caller can use
+ * the legacy single-account output unchanged.
+ */
+export async function listAccountsDetailed() {
+    const index = readAccountsIndex();
+    if (!index) {
+        return { hasIndex: false, defaultAccount: null, accounts: [] };
+    }
+    const accounts = [];
+    for (const record of index.accounts) {
+        const info = await inspectStoredCredentialForAccount(record.id);
+        accounts.push({
+            id: record.id,
+            accountType: record.accountType,
+            storage: record.storage,
+            isDefault: record.id === index.defaultAccount,
+            stored: info.stored,
+            backend: info.backend
+        });
+    }
+    return { hasIndex: true, defaultAccount: index.defaultAccount, accounts };
+}
+/**
+ * Remove one account: clear its credential first (while its index record still
+ * exists, so the correct storage location is targeted), then drop it from the
+ * index (which reassigns the default, or deletes the index when it was the
+ * last account). Clearing is best-effort — an absent credential is reported as
+ * `removed: false` rather than failing the removal.
+ */
+export async function removeAccountAndCredential(id) {
+    assertValidAccountId(id);
+    let removed = false;
+    let backend = "file";
+    try {
+        const cleared = await clearStoredCredentialForAccount(id);
+        removed = cleared.removed;
+        backend = cleared.backend;
+    }
+    catch {
+        // No backend available to clear (e.g. nothing was stored). The account is
+        // still removed from the index below.
+        removed = false;
+    }
+    const index = removeAccount(id);
+    return {
+        id,
+        removed,
+        backend,
+        newDefault: index?.defaultAccount ?? null,
+        indexDeleted: index === null
+    };
+}
+/**
+ * Remove every account and delete the index. For a single-account install (no
+ * index) this just clears the legacy credential.
+ */
+export async function removeAllAccounts() {
+    const index = readAccountsIndex();
+    if (!index) {
+        const cleared = await clearStoredCredential();
+        return { clearedCount: cleared.removed ? 1 : 0, removedAccountIds: [], indexDeleted: false };
+    }
+    const ids = index.accounts.map((account) => account.id);
+    let clearedCount = 0;
+    for (const id of ids) {
+        try {
+            const cleared = await clearStoredCredentialForAccount(id);
+            if (cleared.removed) {
+                clearedCount += 1;
+            }
+        }
+        catch {
+            // Best-effort: an account with nothing stored still gets removed.
+        }
+        removeAccount(id);
+    }
+    return { clearedCount, removedAccountIds: ids, indexDeleted: true };
+}
+/** Point the default at an existing account. Throws `UnknownAccountError`. */
+export function switchDefaultAccount(id) {
+    return setDefaultAccountId(id);
+}

package/dist/auth/accounts.js

@@ -0,0 +1,161 @@
+import fs from "node:fs";
+import { z } from "zod";
+import { ensureAppHome } from "../config/config.js";
+import { accountsIndexPath, accountsIndexReadPath } from "../config/home.js";
+import { writeFileSecureAtomic } from "../config/fsSecurity.js";
+import { ACCOUNT_ID_PATTERN, MAX_ACCOUNT_ID_LENGTH, assertValidAccountId, InvalidAccountIdError } from "../config/accountId.js";
+// Re-exported for callers that historically imported account-id validation
+// from this module (e.g. `credentials.ts`). The canonical definition now lives
+// in `config/accountId.ts` so the `models` layer can share it.
+export { assertValidAccountId, InvalidAccountIdError };
+// GitHub logins are `[A-Za-z0-9-]` and copillm allows `.` / `_` for synthetic
+// ids. The id is embedded in a filename (`credentials.<id>.json`) and a
+// keychain account string; the canonical validation lives in
+// `config/accountId.ts` (shared with the models layer).
+const AccountRecordSchema = z.object({
+    id: z.string().min(1).max(MAX_ACCOUNT_ID_LENGTH).regex(ACCOUNT_ID_PATTERN),
+    accountType: z.enum(["individual", "business", "enterprise"]),
+    storage: z.enum(["legacy", "namespaced"]),
+    addedAt: z.string().min(1)
+});
+const AccountsIndexSchema = z
+    .object({
+    version: z.literal(1),
+    defaultAccount: z.string().min(1),
+    accounts: z.array(AccountRecordSchema)
+})
+    .superRefine((value, ctx) => {
+    const ids = value.accounts.map((account) => account.id);
+    if (new Set(ids).size !== ids.length) {
+        ctx.addIssue({ code: z.ZodIssueCode.custom, message: "accounts.json contains duplicate account ids." });
+    }
+    if (!ids.includes(value.defaultAccount)) {
+        ctx.addIssue({
+            code: z.ZodIssueCode.custom,
+            message: `accounts.json defaultAccount "${value.defaultAccount}" is not present in accounts.`
+        });
+    }
+    if (value.accounts.filter((account) => account.storage === "legacy").length > 1) {
+        ctx.addIssue({ code: z.ZodIssueCode.custom, message: "accounts.json may declare at most one legacy-storage account." });
+    }
+});
+/**
+ * Read and validate the accounts index. Returns `null` when no index exists
+ * (the single-account / legacy case). Throws if the file exists but is
+ * corrupt, so a damaged index surfaces loudly rather than silently dropping
+ * accounts.
+ */
+export function readAccountsIndex() {
+    const path = accountsIndexReadPath();
+    if (!fs.existsSync(path)) {
+        return null;
+    }
+    let raw;
+    try {
+        raw = JSON.parse(fs.readFileSync(path, "utf8"));
+    }
+    catch (error) {
+        const detail = error instanceof Error ? error.message : "unknown error";
+        throw new Error(`Accounts index exists but contains invalid JSON at ${path}: ${detail}`);
+    }
+    const parsed = AccountsIndexSchema.safeParse(raw);
+    if (!parsed.success) {
+        throw new Error(`Accounts index exists but is invalid at ${path}: ${parsed.error.issues.map((i) => i.message).join("; ")}`);
+    }
+    return parsed.data;
+}
+export function writeAccountsIndex(index) {
+    const validated = AccountsIndexSchema.parse(index);
+    ensureAppHome();
+    writeFileSecureAtomic(accountsIndexPath(), JSON.stringify(validated, null, 2), 0o600);
+}
+export function listAccounts() {
+    return readAccountsIndex()?.accounts ?? [];
+}
+/**
+ * The default account id, or `null` when no index exists. A `null` return is
+ * the signal to callers to use the legacy single-account storage path.
+ */
+export function getDefaultAccountId() {
+    return readAccountsIndex()?.defaultAccount ?? null;
+}
+export function findAccount(accountId) {
+    return readAccountsIndex()?.accounts.find((account) => account.id === accountId) ?? null;
+}
+/**
+ * Insert or update an account record, then persist the index. When the index
+ * does not yet exist it is created with this account as the default. Returns
+ * the resulting index.
+ */
+export function upsertAccount(record) {
+    assertValidAccountId(record.id);
+    AccountRecordSchema.parse(record);
+    const existing = readAccountsIndex();
+    if (!existing) {
+        const index = { version: 1, defaultAccount: record.id, accounts: [record] };
+        writeAccountsIndex(index);
+        return index;
+    }
+    const accounts = existing.accounts.filter((account) => account.id !== record.id);
+    accounts.push(record);
+    const index = { ...existing, accounts };
+    writeAccountsIndex(index);
+    return index;
+}
+export class UnknownAccountError extends Error {
+    accountId;
+    constructor(accountId) {
+        super(`Unknown account "${accountId}".`);
+        this.accountId = accountId;
+        this.name = "UnknownAccountError";
+    }
+}
+/**
+ * Point the default at an existing account. Throws `UnknownAccountError` if the
+ * id isn't registered, so a typo can't silently orphan the default.
+ */
+export function setDefaultAccountId(accountId) {
+    const existing = readAccountsIndex();
+    if (!existing || !existing.accounts.some((account) => account.id === accountId)) {
+        throw new UnknownAccountError(accountId);
+    }
+    const index = { ...existing, defaultAccount: accountId };
+    writeAccountsIndex(index);
+    return index;
+}
+/**
+ * Remove an account from the index. Returns the updated index, or `null` if no
+ * index existed. When the removed account was the default, the default falls
+ * back to the first remaining account (or the index is deleted entirely if no
+ * accounts remain). Token removal is the caller's responsibility.
+ */
+export function removeAccount(accountId) {
+    const existing = readAccountsIndex();
+    if (!existing) {
+        return null;
+    }
+    const accounts = existing.accounts.filter((account) => account.id !== accountId);
+    if (accounts.length === existing.accounts.length) {
+        return existing;
+    }
+    if (accounts.length === 0) {
+        deleteAccountsIndex();
+        return null;
+    }
+    const defaultAccount = accounts.some((account) => account.id === existing.defaultAccount)
+        ? existing.defaultAccount
+        : accounts[0].id;
+    const index = { ...existing, defaultAccount, accounts };
+    writeAccountsIndex(index);
+    return index;
+}
+function deleteAccountsIndex() {
+    const canonical = accountsIndexPath();
+    if (fs.existsSync(canonical)) {
+        fs.unlinkSync(canonical);
+    }
+    const readable = accountsIndexReadPath();
+    if (readable !== canonical && fs.existsSync(readable)) {
+        fs.unlinkSync(readable);
+    }
+}

package/dist/auth/copilotToken.js

@@ -1,6 +1,10 @@
+import { setTimeout as defaultSleep } from "node:timers/promises";
 import { tokenExchangeUrl } from "../config/upstream.js";
+import { isRetryableStatus, isRetryableTransportError, retryDelayMs } from "../server/upstream/retryPolicy.js";
 const DEFAULT_REFRESH_THRESHOLD_SECONDS = 300;
 const MIN_ACCEPTABLE_TTL_SECONDS = 30;
+const DEFAULT_ATTEMPT_TIMEOUT_MS = 10_000;
+const DEFAULT_MAX_ATTEMPTS = 3;
 export class CopilotTokenManagerError extends Error {
     constructor(message) {
         super(message);
@@ -29,12 +33,29 @@ export class CopilotTokenExpiredError extends CopilotTokenManagerError {
         this.name = "CopilotTokenExpiredError";
     }
 }
+/**
+ * `CopilotTokenExchangeError` is thrown both for "retryable" upstream statuses
+ * (after retries are exhausted) and for terminal credential failures (401/403
+ * — bad OAuth token, never retried). Tests and error-mapping code can use
+ * this helper to keep the classification consistent across surfaces.
+ */
+export function isTerminalCredentialStatus(status) {
+    return status === 401 || status === 403 || status === 404;
+}
 export class CopilotTokenManager {
     githubToken;
     state = null;
     refreshInFlight = null;
-    constructor(githubToken) {
+    fetchImpl;
+    sleepImpl;
+    attemptTimeoutMs;
+    maxAttempts;
+    constructor(githubToken, deps) {
         this.githubToken = githubToken;
+        this.fetchImpl = deps?.fetchImpl ?? ((input, init) => fetch(input, init));
+        this.sleepImpl = deps?.sleepImpl ?? ((ms) => defaultSleep(ms));
+        this.attemptTimeoutMs = deps?.attemptTimeoutMs ?? DEFAULT_ATTEMPT_TIMEOUT_MS;
+        this.maxAttempts = deps?.maxAttempts ?? DEFAULT_MAX_ATTEMPTS;
     }
     get current() {
         return this.state;
@@ -63,33 +84,81 @@ export class CopilotTokenManager {
         this.state = null;
         this.refreshInFlight = null;
     }
+    /**
+     * Perform the upstream token exchange with bounded retries.
+     *
+     * Retry policy mirrors `src/server/upstream/copilotClient.ts`:
+     *   - 3 attempts max (configurable via constructor deps)
+     *   - exponential backoff: 200ms, 400ms (no sleep after final attempt)
+     *   - retry on status ∈ {408, 409, 425, 429, 500, 502, 503, 504}
+     *   - retry on transient transport errors (ECONNRESET / EAI_AGAIN / ...)
+     *   - 401/403/404 are terminal: bad credentials, not a blip — fail fast
+     *
+     * Each attempt gets its own `AbortSignal.timeout(attemptTimeoutMs)` so a
+     * hung upstream can't freeze `copillm start` for the lifetime of the
+     * whole process. The previous version had no timeout at all.
+     */
     async exchange() {
-        const response = await fetch(tokenExchangeUrl(), {
-            method: "GET",
-            headers: {
-                Authorization: `token ${this.githubToken}`,
-                "User-Agent": "copillm/0.1.0",
-                Accept: "application/json"
+        let lastErrorThrown;
+        let lastStatusError = null;
+        for (let attempt = 1; attempt <= this.maxAttempts; attempt += 1) {
+            let response;
+            try {
+                response = await this.fetchImpl(tokenExchangeUrl(), {
+                    method: "GET",
+                    headers: {
+                        Authorization: `token ${this.githubToken}`,
+                        "User-Agent": "copillm/0.1.0",
+                        Accept: "application/json"
+                    },
+                    signal: AbortSignal.timeout(this.attemptTimeoutMs)
+                });
+            }
+            catch (error) {
+                lastErrorThrown = error;
+                if (isRetryableTransportError(error) && attempt < this.maxAttempts) {
+                    await this.sleepImpl(retryDelayMs(attempt));
+                    continue;
+                }
+                throw error;
+            }
+            if (response.ok) {
+                const payload = (await response.json());
+                if (!payload.token || !payload.expires_at || !Number.isFinite(payload.expires_at)) {
+                    throw new CopilotTokenPayloadError("Token exchange response was missing required fields.");
+                }
+                const now = this.nowUnix();
+                const ttl = payload.expires_at - now;
+                if (ttl <= MIN_ACCEPTABLE_TTL_SECONDS) {
+                    throw new CopilotTokenExpiredError(`Received near-expired Copilot token (ttl_seconds=${Math.max(0, ttl)}).`);
+                }
+                return {
+                    token: payload.token,
+                    expiresAtUnix: payload.expires_at
+                };
             }
-        });
-        if (!response.ok) {
+            // Non-OK response. Capture body once so the error message is informative
+            // whether we retry or fail here.
             const responseBody = await response.text();
             const snippet = responseBody.slice(0, 256);
-            throw new CopilotTokenExchangeError(`Copilot token exchange failed (${response.status}).`, response.status, snippet);
-        }
-        const payload = (await response.json());
-        if (!payload.token || !payload.expires_at || !Number.isFinite(payload.expires_at)) {
-            throw new CopilotTokenPayloadError("Token exchange response was missing required fields.");
-        }
-        const now = this.nowUnix();
-        const ttl = payload.expires_at - now;
-        if (ttl <= MIN_ACCEPTABLE_TTL_SECONDS) {
-            throw new CopilotTokenExpiredError(`Received near-expired Copilot token (ttl_seconds=${Math.max(0, ttl)}).`);
+            lastStatusError = new CopilotTokenExchangeError(`Copilot token exchange failed (${response.status}).`, response.status, snippet);
+            if (isTerminalCredentialStatus(response.status)) {
+                // Bad OAuth token, account disabled, or endpoint missing — no amount
+                // of retry will fix any of these. Throw immediately so the user gets
+                // a fast, actionable signal.
+                throw lastStatusError;
+            }
+            if (isRetryableStatus(response.status) && attempt < this.maxAttempts) {
+                await this.sleepImpl(retryDelayMs(attempt));
+                continue;
+            }
+            throw lastStatusError;
         }
-        return {
-            token: payload.token,
-            expiresAtUnix: payload.expires_at
-        };
+        // Unreachable: every loop iteration either returns, throws, or continues
+        // (and the continue branch is gated by `attempt < this.maxAttempts`, so
+        // the final iteration always takes one of the throwing branches). Defend
+        // anyway so a future refactor doesn't silently drop the error.
+        throw lastStatusError ?? lastErrorThrown ?? new Error("Copilot token exchange exhausted retries without error context.");
     }
     normalizeEnsureTokenOptions(input) {
         if (typeof input === "boolean") {