copilot-reverse 0.4.0 → 0.5.1

package/dist/cli/index.js

@@ -10,7 +10,7 @@ import { probeSupervisor } from "../daemon/lifecycle.js";
 import { startSupervisor } from "../supervisor/index.js";
 import { runAssistantTurn } from "../tui/assistant/runtime.js";
 import { makeOnChat } from "../tui/assistant/on-chat.js";
-import { readGhToken, clearGhToken } from "../shared/creds.js";
+import { readGhToken, clearGhToken, hasGhTokenFile } from "../shared/creds.js";
 import { writeWebIqKey, readWebIqKey, clearWebIqKey, readWebSearchMode, writeWebSearchMode, resolveWebSearchBackend } from "../shared/webiq-key.js";
 import { readClientSetup, writeClientSetup } from "../shared/client-setup.js";
 import { readChatModel, writeChatModel } from "../shared/prefs.js";
@@ -24,13 +24,42 @@ import { claudeCopilotReverseEnv } from "../tui/setup/clients.js";
 import { dataDir } from "../shared/paths.js";
 import { defaultConfig } from "../shared/config.js";
 import { APP_VERSION } from "../version.js";
+import { appendCrashLog } from "../shared/crash-log.js";
 const delay = (ms) => new Promise((r) => setTimeout(r, ms));
 const DEFAULT_MODEL = "gpt-4o"; // a valid Copilot model id; pass-through routing uses it as-is
 // Conservative context budget that drives the assistant's auto-compaction. Sized below the
 // common Copilot prompt window (gpt-4o ≈ 128K) so the engine compacts before the upstream
 // rejects an over-long turn. TODO: read each model's real max_prompt_tokens from /models.
 const DEFAULT_MAX_INPUT_TOKENS = 110_000;
+// Process-level backstop. The TUI and the supervisor run in ONE process, so a stray throw or an
+// unhandled rejection anywhere (a dead SSE socket, a bad creds read, an SDK stream) would otherwise
+// terminate the whole app and drop the user back to the shell — especially on Node ≥15, where an
+// unhandled rejection is fatal by default. We log to a file (Ink owns stdout, so console writes would
+// corrupt the render) and keep running; the specific throw sites are also guarded at their source.
+//
+// uncaughtException is treated differently from unhandledRejection: Node documents the process as
+// being in an undefined state afterward, so swallowing it indefinitely risks spinning forever on a
+// recurring throw against corrupted state. A circuit breaker counts exceptions in a short window and
+// lets the process die once they storm, so a user/supervisor restart gets a clean process — while a
+// lone transient exception is still survived.
+const UNCAUGHT_STORM_COUNT = 5;
+const UNCAUGHT_STORM_WINDOW_MS = 10_000;
+function installProcessBackstop() {
+    process.on("unhandledRejection", (reason) => appendCrashLog("unhandledRejection", reason));
+    let recent = [];
+    process.on("uncaughtException", (err) => {
+        appendCrashLog("uncaughtException", err);
+        const now = Date.now();
+        recent = recent.filter((t) => now - t < UNCAUGHT_STORM_WINDOW_MS);
+        recent.push(now);
+        if (recent.length >= UNCAUGHT_STORM_COUNT) {
+            appendCrashLog("uncaughtException", `${UNCAUGHT_STORM_COUNT} exceptions within ${UNCAUGHT_STORM_WINDOW_MS}ms — exiting for a clean restart`);
+            process.exit(1);
+        }
+    });
+}
 async function launchTui() {
+    installProcessBackstop();
     const cfg = defaultConfig();
     const existingToken = readGhToken(dataDir());
     if (!existingToken) {
@@ -90,15 +119,19 @@ async function launchTui() {
         const { code, complete } = await beginDeviceLogin(dataDir());
         show([`Open ${code.verification_uri} and enter code: ${code.user_code}`, "waiting for authorization…"]);
         await complete();
-        // Re-point the token store at the freshly written GitHub token; the old store still holds the
-        // expired one and would 401 once its cached Copilot token rotates, breaking the model picker.
-        tokenStore = new CopilotTokenStore(readGhToken(dataDir()));
+        // Drop the cached Copilot token so the next get() does a fresh exchange with the just-written
+        // GitHub token (the store re-reads the token on each exchange, so a new instance isn't required —
+        // but resetting clears any Copilot token cached against the old login).
+        tokenStore = new CopilotTokenStore(() => readGhToken(dataDir()));
         await client.restart().catch(() => { });
         return ["GitHub authorization complete — worker restarting with the new token"];
     };
     // Filled in below once we have a token; the assistant prefers a model's real window over the default.
     const modelLimits = {};
-    let tokenStore = new CopilotTokenStore(readGhToken(dataDir()));
+    // Provider form: the store re-reads the GitHub token on each exchange, so a transient unreadable
+    // creds.json (Windows lock / partial write) can't poison the store for the session — it recovers on
+    // the next clean read, and a genuinely absent token surfaces as a 401 instead of a `token null` send.
+    let tokenStore = new CopilotTokenStore(() => readGhToken(dataDir()));
     const loadModels = async () => {
         const token = await tokenStore.get();
         const [ids, limits] = await Promise.all([fetchCopilotModels(token), fetchModelLimits(token)]);
@@ -137,7 +170,7 @@ async function launchTui() {
     // hangs until the turn timeout. Reuses the long-lived tokenStore so a valid login is a cached,
     // round-trip-free check between message bursts (its get() caches with a 60s skew).
     async () => {
-        if (!readGhToken(dataDir()))
+        if (!hasGhTokenFile(dataDir()))
             return "you're signed out — run /login to sign in before chatting";
         try {
             await tokenStore.get();

package/dist/core/responses-inbound.js

@@ -50,13 +50,21 @@ export function responsesRequestToCanonical(req) {
     }
     return {
         model: req.model, stream: Boolean(req.stream), temperature: req.temperature, maxTokens: req.max_output_tokens,
-        tools: req.tools?.filter((t) => t.type === "function" && t.name).map((t) => ({ name: t.name, description: t.description, parameters: t.parameters ?? {} })),
-        // Hosted tools (web_search etc.) Codex requests for Copilot to run server-side. Keep them so the
-        // outbound /responses translator forwards them verbatim, instead of dropping them like before.
-        hostedTools: req.tools?.filter((t) => t.type !== "function" && t.type).map((t) => t.type),
+        // Function tools and `custom` tools (e.g. Codex's apply_patch) both carry a name — keep them as
+        // named tools so Copilot doesn't reject a nameless tool. Only the KNOWN nameless server-side tools
+        // pass through as hostedTools; an unrecognized nameless tool is dropped rather than forwarded as a
+        // bare {type} (which makes Copilot 400 "Missing required parameter: tools[N].name" and kills the
+        // whole stream — surfaced to the Codex CLI as "stream closed before response.completed").
+        tools: req.tools?.filter((t) => (t.type === "function" || t.type === "custom") && t.name).map((t) => ({ name: t.name, description: t.description, parameters: t.parameters ?? {} })),
+        hostedTools: req.tools?.filter((t) => HOSTED_TOOL_TYPES.has(t.type ?? "")).map((t) => t.type),
         messages,
     };
 }
+// Copilot's /responses accepts these as standalone nameless hosted tools. NOTE: `tool_search` is
+// deliberately excluded — Copilot rejects it unless the request also defines "deferred" tools
+// ("tools.tool_search requires at least one deferred tool"), which we can't satisfy, so forwarding it
+// 400s the whole request. web_search is the one Codex hosted tool we can pass straight through.
+const HOSTED_TOOL_TYPES = new Set(["web_search", "web_search_preview"]);
 // Build the non-stream Responses object: text -> an output_text message item, tool_use -> function_call items.
 export function canonicalToResponsesResponse(r) {
     const output = [];
@@ -84,6 +92,7 @@ export class ResponsesSSE {
     nextIndex = 0;
     textIndex;
     textItemId;
+    accumulatedText = ""; // the full assistant text, replayed in the terminal done events
     toolIndex = new Map();
     constructor(responseId, model) {
         this.responseId = responseId;
@@ -107,6 +116,7 @@ export class ResponsesSSE {
             out.push(this.ev("response.content_part.added", { item_id: this.textItemId, output_index: this.textIndex, content_index: 0, part: { type: "output_text", text: "", annotations: [] } }));
         }
         out.push(this.ev("response.output_text.delta", { item_id: this.textItemId, output_index: this.textIndex, content_index: 0, delta }));
+        this.accumulatedText += delta;
         return out;
     }
     toolStart(copilotIdx, callId, name) {
@@ -127,9 +137,10 @@ export class ResponsesSSE {
     finish(usage, _finishReason, argsByIdx) {
         const out = [];
         if (this.textIndex !== undefined) {
-            out.push(this.ev("response.output_text.done", { item_id: this.textItemId, output_index: this.textIndex, content_index: 0, text: "" }));
-            out.push(this.ev("response.content_part.done", { item_id: this.textItemId, output_index: this.textIndex, content_index: 0, part: { type: "output_text", text: "", annotations: [] } }));
-            out.push(this.ev("response.output_item.done", { output_index: this.textIndex, item: { type: "message", id: this.textItemId, role: "assistant", status: "completed", content: [] } }));
+            const text = this.accumulatedText;
+            out.push(this.ev("response.output_text.done", { item_id: this.textItemId, output_index: this.textIndex, content_index: 0, text }));
+            out.push(this.ev("response.content_part.done", { item_id: this.textItemId, output_index: this.textIndex, content_index: 0, part: { type: "output_text", text, annotations: [] } }));
+            out.push(this.ev("response.output_item.done", { output_index: this.textIndex, item: { type: "message", id: this.textItemId, role: "assistant", status: "completed", content: [{ type: "output_text", text, annotations: [] }] } }));
         }
         for (const [copilotIdx, t] of this.toolIndex) {
             const args = argsByIdx?.get(copilotIdx) ?? "";
@@ -137,7 +148,14 @@ export class ResponsesSSE {
             out.push(this.ev("response.output_item.done", { output_index: t.outputIndex, item: { type: "function_call", id: t.itemId, status: "completed" } }));
         }
         const u = usage ? { input_tokens: usage.promptTokens, output_tokens: usage.completionTokens, total_tokens: usage.promptTokens + usage.completionTokens } : undefined;
-        out.push(this.ev("response.completed", { response: { ...this.envelope("completed"), ...(u ? { usage: u } : {}) } }));
+        // Spec-correct clients reconstruct the final response from response.completed.response.output, so
+        // include the finished items (the text message + any function calls), not just an empty envelope.
+        const output = [];
+        if (this.textIndex !== undefined)
+            output.push({ type: "message", id: this.textItemId, role: "assistant", status: "completed", content: [{ type: "output_text", text: this.accumulatedText, annotations: [] }] });
+        for (const [copilotIdx, t] of this.toolIndex)
+            output.push({ type: "function_call", id: t.itemId, call_id: t.itemId.replace(/^fc_/, ""), arguments: argsByIdx?.get(copilotIdx) ?? "", status: "completed" });
+        out.push(this.ev("response.completed", { response: { ...this.envelope("completed"), output, ...(u ? { usage: u } : {}) } }));
         return out;
     }
 }

package/dist/providers/copilot/token.js

@@ -12,24 +12,33 @@ export class CopilotAuthError extends Error {
     }
 }
 export class CopilotTokenStore {
-    ghToken;
     fetchFn;
     nowMs;
     cached;
+    readGhToken;
+    // Accepts either a fixed token string or a provider that is re-read on each exchange. The provider
+    // form matters when the GitHub token can change or be momentarily unreadable: a captured-once null
+    // (e.g. from a transient locked-file read at construction) would otherwise poison the store for its
+    // whole lifetime, sending `authorization: token null` forever. Re-reading recovers on the next call.
     constructor(ghToken, fetchFn = fetch, nowMs = () => Date.now()) {
-        this.ghToken = ghToken;
         this.fetchFn = fetchFn;
         this.nowMs = nowMs;
+        this.readGhToken = typeof ghToken === "function" ? ghToken : () => ghToken;
     }
     async get() {
         const skewMs = 60_000;
         if (this.cached && this.cached.expiresAtMs - skewMs > this.nowMs())
             return this.cached.token;
+        const ghToken = this.readGhToken();
+        // No GitHub token (absent / unreadable on this read) is an auth failure, not a request with a
+        // literal "null" credential — surface it the same way an expired token would be.
+        if (!ghToken)
+            throw new CopilotAuthError(401);
         const ctrl = new AbortController();
         const timer = setTimeout(() => ctrl.abort(), 8000);
         let res;
         try {
-            res = await this.fetchFn(COPILOT_TOKEN_URL, { headers: { authorization: `token ${this.ghToken}`, accept: "application/json" }, signal: ctrl.signal });
+            res = await this.fetchFn(COPILOT_TOKEN_URL, { headers: { authorization: `token ${ghToken}`, accept: "application/json" }, signal: ctrl.signal });
         }
         finally {
             clearTimeout(timer);
@@ -41,13 +50,23 @@ export class CopilotTokenStore {
         return data.token;
     }
 }
-// True if the stored GitHub token still exchanges for a Copilot token.
+// True if the stored GitHub token still exchanges for a Copilot token. A thin wrapper over
+// probeGithubAuth so the token-exchange logic lives in exactly one place.
 export async function isCopilotTokenValid(ghToken, fetchFn = fetch) {
+    return (await probeGithubAuth(ghToken, fetchFn)).ok;
+}
+export async function probeGithubAuth(ghToken, fetchFn = fetch) {
     try {
         await new CopilotTokenStore(ghToken, fetchFn).get();
-        return true;
+        return { ok: true, transient: false, detail: "token valid" };
     }
-    catch {
-        return false;
+    catch (e) {
+        // CopilotTokenStore throws CopilotAuthError(status) for any non-ok response, and other errors
+        // (AbortError on timeout, network failures) for the rest. We treat 401/403 as definitive auth
+        // failures; everything else is transient. See the limitations noted above.
+        if (e instanceof CopilotAuthError && (e.status === 401 || e.status === 403)) {
+            return { ok: false, transient: false, detail: e.message };
+        }
+        return { ok: false, transient: true, detail: e instanceof Error ? e.message : String(e) };
     }
 }

package/dist/shared/crash-log.js

@@ -0,0 +1,28 @@
+import { appendFileSync, mkdirSync, renameSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { dataDir } from "./paths.js";
+export const CRASH_LOG_NAME = "crash.log";
+// Cap the log so a high-frequency error source can't fill the disk: at the limit we roll the file to
+// `crash.log.1` (one generation kept) and start fresh. Sized small — this is a diagnostics tail, not
+// an archive.
+export const CRASH_LOG_MAX_BYTES = 1_000_000;
+function rollIfTooBig(path) {
+    try {
+        if (statSync(path).size >= CRASH_LOG_MAX_BYTES)
+            renameSync(path, `${path}.1`);
+    }
+    catch { /* file absent or stat/rename raced — nothing to roll */ }
+}
+// Append one diagnostics line to ~/.copilot-reverse/crash.log. Best-effort and never throws: logging
+// must never itself crash a backstop or a swallowed-error path. Rotates at CRASH_LOG_MAX_BYTES. The
+// dir is injectable for tests; production uses the real data dir.
+export function appendCrashLog(kind, err, dir = dataDir()) {
+    const detail = err instanceof Error ? `${err.message}\n${err.stack ?? ""}` : String(err);
+    try {
+        mkdirSync(dir, { recursive: true });
+        const path = join(dir, CRASH_LOG_NAME);
+        rollIfTooBig(path);
+        appendFileSync(path, `[${new Date().toISOString()}] ${kind}: ${detail}\n`);
+    }
+    catch { /* logging is best-effort */ }
+}

package/dist/shared/creds.js

@@ -10,7 +10,23 @@ export function writeGhToken(token, dir) {
 export function readGhToken(dir) {
     if (!existsSync(file(dir)))
         return null;
-    return JSON.parse(readFileSync(file(dir), "utf8")).ghToken ?? null;
+    // A corrupt creds.json (partial write) or a transient read failure (Windows EBUSY/EPERM when an
+    // antivirus or a concurrent /login write holds the file) must not throw: this is called from the
+    // 60s heartbeat tick whose rejection would otherwise reach the process top level and kill the TUI.
+    // Treat an unreadable file as "no token" — the next clean read recovers it.
+    try {
+        return JSON.parse(readFileSync(file(dir), "utf8")).ghToken ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+// Whether a stored-token file exists at all — distinct from readGhToken, which also returns null when
+// the file is present but momentarily unreadable. The "are you signed out?" gate wants existence (a
+// transient lock on a real login should not read as signed out); the actual token validity is checked
+// separately by exchanging it.
+export function hasGhTokenFile(dir) {
+    return existsSync(file(dir));
 }
 // Remove the stored token (logout). No-op if there's nothing to remove.
 export function clearGhToken(dir) {

package/dist/supervisor/api.js

@@ -5,7 +5,7 @@ export function createControlApp(deps) {
     const app = express();
     app.use(express.json());
     app.get("/", (_req, res) => res.type("html").send(dashboardHtml()));
-    app.get("/api/status", (_req, res) => res.json({ workerState: deps.getState(), restarts: listRestarts(deps.db, 50) }));
+    app.get("/api/status", (_req, res) => res.json({ workerState: deps.getState(), restarts: listRestarts(deps.db, 50), github: deps.github() }));
     app.post("/api/restart", (_req, res) => { deps.restart(); res.json({ ok: true }); });
     app.post("/api/stop", (_req, res) => { deps.stop(); res.json({ ok: true }); });
     app.post("/api/start", (_req, res) => { deps.start(); res.json({ ok: true }); });
@@ -15,9 +15,24 @@ export function createControlApp(deps) {
         res.setHeader("content-type", "text/event-stream");
         res.setHeader("cache-control", "no-cache");
         res.flushHeaders?.();
-        const send = (event, data) => res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
+        let off = () => { };
+        // Writing to a socket that died between broadcasts throws synchronously (ERR_STREAM_DESTROYED /
+        // EPIPE). emit() calls this on the worker-message path, so an uncaught throw would crash the
+        // in-process supervisor + TUI. Swallow the write error and unsubscribe — a dead connection should
+        // be dropped, not retried.
+        const send = (event, data) => {
+            try {
+                res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
+            }
+            catch {
+                off();
+            }
+        };
+        // Subscribe BEFORE the first write so that if the hello frame throws (socket already dead), the
+        // catch's off() refers to the real unsubscribe rather than the no-op default — otherwise a dead
+        // connection would stay subscribed until the next emit or 'close'.
+        off = deps.subscribe(send);
         send("hello", { state: deps.getState() });
-        const off = deps.subscribe(send);
         req.on("close", off);
     });
     return app;

package/dist/supervisor/events.js

@@ -1,6 +1,18 @@
 export class EventBus {
     listeners = new Set();
     subscribe(fn) { this.listeners.add(fn); return () => this.listeners.delete(fn); }
-    emit(event, data) { for (const fn of this.listeners)
-        fn(event, data); }
+    // Isolate each listener: a throwing subscriber (e.g. an SSE write to a socket that died between
+    // broadcasts) must not abort the broadcast to the others, nor escape to the process top level —
+    // emit() is called synchronously from worker-message handling, so an uncaught throw here would
+    // kill the in-process supervisor + TUI. A faulting listener is dropped so it isn't retried.
+    emit(event, data) {
+        for (const fn of this.listeners) {
+            try {
+                fn(event, data);
+            }
+            catch {
+                this.listeners.delete(fn);
+            }
+        }
+    }
 }

package/dist/supervisor/github-heartbeat.js

@@ -0,0 +1,90 @@
+import { probeGithubAuth } from "../providers/copilot/token.js";
+import { appendCrashLog } from "../shared/crash-log.js";
+// How often the supervisor re-checks the GitHub token. Token failure is rare (revoke / re-auth) and
+// GitHub rate-limits, so a slow cadence is plenty; an initial short delay populates the status soon
+// after boot without racing worker startup.
+export const GITHUB_HEARTBEAT_INTERVAL_MS = 60_000;
+export const GITHUB_HEARTBEAT_INITIAL_DELAY_MS = 2_000;
+// Shared so /doctor and the heartbeat show the same remediation hint for the signed-out state.
+export const SIGNED_OUT_DETAIL = "not logged in — run /login";
+// Pure reducer: given the prior cached status, whether a token is on disk, and the latest probe
+// result, decide the next cached status. Transient errors are sticky — they keep the prior status —
+// so a brief blip doesn't flip a connected session to "expired". Caveat (see probeGithubAuth): the
+// stickiness is unbounded, and if the FIRST probe is transient (prev still undefined) the status stays
+// undefined / "pending", so /api/status omits `github` and the HUD shows no badge until a non-transient
+// result lands.
+export function nextGithubStatus(prev, hasToken, probe, now) {
+    if (!hasToken)
+        return { ok: false, hasToken: false, checkedAt: now, detail: SIGNED_OUT_DETAIL };
+    if (probe && probe.transient)
+        return prev; // keep last-known-good (or stay pending if none yet)
+    if (!probe)
+        return prev;
+    return { ok: probe.ok, hasToken: true, checkedAt: now, detail: probe.detail };
+}
+// Periodically probes the GitHub token in the supervisor process and caches a GithubStatus the control
+// API exposes via /api/status. Dependencies are injected for testing (token reader, probe, clock).
+export class GithubHeartbeat {
+    readToken;
+    probe;
+    now;
+    status;
+    timer;
+    stopped = false;
+    inFlight = false;
+    intervalMs;
+    initialDelayMs;
+    constructor(readToken, probe = probeGithubAuth, now = () => Date.now(), opts = {}) {
+        this.readToken = readToken;
+        this.probe = probe;
+        this.now = now;
+        this.intervalMs = opts.intervalMs ?? GITHUB_HEARTBEAT_INTERVAL_MS;
+        this.initialDelayMs = opts.initialDelayMs ?? GITHUB_HEARTBEAT_INITIAL_DELAY_MS;
+    }
+    current() { return this.status; }
+    // One probe cycle. Reads the token first: no token → signed-out, and the network probe is skipped.
+    // Guarded so a slow probe (up to ~8s) can't overlap the next tick.
+    async runOnce() {
+        if (this.inFlight)
+            return;
+        this.inFlight = true;
+        try {
+            const token = this.readToken();
+            const probe = token ? await this.probe(token) : null;
+            if (this.stopped)
+                return; // a late result after stop() must not resurrect the timer/state
+            this.status = nextGithubStatus(this.status, Boolean(token), probe, this.now());
+        }
+        catch (e) {
+            // Defense in depth: readToken()/probe() are not expected to throw (readGhToken returns null on a
+            // bad read, probeGithubAuth never throws), but the timer fires this as `void runOnce()` — an
+            // unhandled rejection here would kill the in-process supervisor + TUI. Keep the last-known status,
+            // but log it: a throw here means a real (unexpected) defect, and swallowing it silently would
+            // freeze the badge with no trace.
+            appendCrashLog("github-heartbeat", e);
+        }
+        finally {
+            this.inFlight = false;
+        }
+    }
+    start() {
+        if (this.timer)
+            return; // idempotent: don't leak a second timer if start() is called twice
+        this.stopped = false;
+        const tick = () => { void this.runOnce(); };
+        this.timer = setTimeout(() => {
+            tick();
+            this.timer = setInterval(tick, this.intervalMs);
+        }, this.initialDelayMs);
+    }
+    stop() {
+        this.stopped = true;
+        // The timer handle is either the initial setTimeout or the later setInterval; clearing both kinds
+        // is safe with either function in Node.
+        if (this.timer) {
+            clearTimeout(this.timer);
+            clearInterval(this.timer);
+            this.timer = undefined;
+        }
+    }
+}

package/dist/supervisor/index.js

@@ -8,7 +8,8 @@ import { createControlApp } from "./api.js";
 import { defaultConfig } from "../shared/config.js";
 import { dataDir, dbPath } from "../shared/paths.js";
 import { readGhToken } from "../shared/creds.js";
-import { CopilotTokenStore } from "../providers/copilot/token.js";
+import { probeGithubAuth } from "../providers/copilot/token.js";
+import { GithubHeartbeat, SIGNED_OUT_DETAIL } from "./github-heartbeat.js";
 export function startSupervisor() {
     const config = defaultConfig();
     mkdirSync(dataDir(), { recursive: true });
@@ -34,32 +35,33 @@ export function startSupervisor() {
         const gh = readGhToken(dataDir());
         let auth;
         if (!gh) {
-            auth = { name: "github-auth", ok: false, detail: "not logged in — restart copilot-reverse to log in" };
+            auth = { name: "github-auth", ok: false, detail: SIGNED_OUT_DETAIL };
         }
         else {
-            // Validate the token actually exchanges, not just that it exists on disk.
-            try {
-                await new CopilotTokenStore(gh).get();
-                auth = { name: "github-auth", ok: true, detail: "token valid" };
-            }
-            catch (e) {
-                auth = { name: "github-auth", ok: false, detail: e instanceof Error ? e.message : String(e) };
-            }
+            // Validate the token actually exchanges, not just that it exists on disk. Shares the heartbeat's
+            // classifier so on-demand /doctor and the periodic probe agree.
+            const probe = await probeGithubAuth(gh);
+            auth = { name: "github-auth", ok: probe.ok, detail: probe.detail };
         }
         return [auth, { name: "worker", ok: state === "ready", detail: `worker is ${state}` }];
     };
+    // Periodically re-check the GitHub token so the UI reflects an expired/revoked login within ~60s,
+    // instead of only on the next failed request or a manual /status.
+    const heartbeat = new GithubHeartbeat(() => readGhToken(dataDir()));
     const app = createControlApp({
         db, getState: () => state,
         restart: () => monitor.restartManually(),
         stop: () => monitor.stop(),
         start: () => monitor.start(),
         doctor,
+        github: () => heartbeat.current(),
         subscribe: (send) => bus.subscribe(send),
     });
     app.listen(config.supervisorPort, config.bindHost, () => monitor.start());
-    process.on("SIGINT", () => { monitor.stop(); process.exit(0); });
-    process.on("SIGTERM", () => { monitor.stop(); process.exit(0); });
-    return { stop: () => monitor.stop() };
+    heartbeat.start();
+    process.on("SIGINT", () => { heartbeat.stop(); monitor.stop(); process.exit(0); });
+    process.on("SIGTERM", () => { heartbeat.stop(); monitor.stop(); process.exit(0); });
+    return { stop: () => { heartbeat.stop(); monitor.stop(); } };
 }
 // Allow `node dist/supervisor/index.js` to boot the daemon directly.
 if (process.argv[1] && process.argv[1].endsWith(join("supervisor", "index.js")))

package/dist/tui/app.js

@@ -1,4 +1,4 @@
-import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { jsx as _jsx, jsxs as _jsxs, Fragment as _Fragment } from "react/jsx-runtime";
 import { useEffect, useRef, useState } from "react";
 import { Box, Text, useInput } from "ink";
 import { loadingVerb } from "../shared/format.js";
@@ -7,7 +7,7 @@ import { SetupWizard } from "./setup/wizard.js";
 import { ModelScreen } from "./screens/model.js";
 import { ConfigScreen } from "./screens/config.js";
 import { WebIqKeyScreen } from "./screens/webiq-key.js";
-import { summarizeStatus } from "./status-summary.js";
+import { summarizeStatus, githubLoginState } from "./status-summary.js";
 import { theme } from "./theme.js";
 const stateColor = {
     ready: theme.ready, starting: theme.starting, crashed: theme.crashed, unhealthy: theme.unhealthy,
@@ -63,6 +63,8 @@ export function App({ registry, title, workerState = "starting", initialModel =
     const [state, setState] = useState(workerState);
     const [status, setStatus] = useState(() => readStatus?.() ?? EMPTY_STATUS);
     const [webBackend, setWebBackend] = useState(() => webSearchBackend?.() ?? "unavailable");
+    // GitHub login state, kept fresh by the supervisor heartbeat surfaced through the 2s status poll.
+    const [github, setGithub] = useState(startupStatus?.github);
     const [model, setModel] = useState(initialModel);
     const [screen, setScreen] = useState(pickModelOnStart && loadModels ? { kind: "model" } : null);
     const [, setNow] = useState(0); // ticks the live loading line while the assistant streams
@@ -82,8 +84,11 @@ export function App({ registry, title, workerState = "starting", initialModel =
         const tick = async () => {
             try {
                 const s = await statusSource?.();
-                if (alive && s)
+                if (alive && s) {
                     setState(s.workerState);
+                    if (s.github)
+                        setGithub(githubLoginState(s.github.hasToken, s.github.ok)); // live login badge
+                }
             }
             catch { /* daemon momentarily down */ }
             if (alive)
@@ -127,7 +132,9 @@ export function App({ registry, title, workerState = "starting", initialModel =
         }
         if (t === "/status" && (startupStatus || githubStatus || webSearchBackend)) {
             // Render the live status overview (same card as startup), then the worker restart history.
-            const github = githubStatus ? await githubStatus() : (startupStatus?.github ?? "signed-out");
+            // /status is an explicit "is my login OK right now?" — do the live check when wired (the cached
+            // heartbeat can be up to ~60s stale), falling back to the cached/seed value only if it isn't.
+            const ghState = githubStatus ? await githubStatus() : (github ?? startupStatus?.github ?? "signed-out");
             let worker = state, restarts = [];
             try {
                 const s = await statusSource?.();
@@ -138,7 +145,7 @@ export function App({ registry, title, workerState = "starting", initialModel =
             }
             catch { /* daemon momentarily down — show what we have */ }
             const summary = summarizeStatus({
-                hasToken: github !== "signed-out", tokenValid: github === "connected",
+                hasToken: ghState !== "signed-out", tokenValid: ghState === "connected",
                 webSearch: webSearchBackend?.() ?? webBackend, worker,
                 clients: { claude: status.claude.user || status.claude.project, codex: status.codex.user || status.codex.project },
             });
@@ -253,5 +260,5 @@ export function App({ registry, title, workerState = "starting", initialModel =
                         return (_jsxs(Box, { flexDirection: "column", children: [_jsxs(Text, { color: theme.accent, children: ["\u273D ", _jsxs(Text, { color: theme.muted, children: [frame, " ", loadingVerb(elapsed), "\u2026 (esc to interrupt \u00B7 ", fmtElapsed(elapsed), " \u00B7 \u2193 ", fmtTokens(tokens), " tokens \u00B7 thinking)"] })] }), e.text ? _jsx(Text, { color: color, children: e.text }) : null] }, i));
                     }
                     return _jsx(Text, { color: color, children: e.text }, i);
-                }) }), body, _jsxs(Box, { flexDirection: "column", paddingX: 1, children: [_jsxs(Box, { children: [_jsx(Text, { color: theme.muted, children: "model " }), _jsx(Text, { color: theme.accent, children: model }), _jsx(Text, { color: theme.muted, children: "  \u00B7  daemon " }), _jsx(Text, { color: stateColor[state], children: state }), _jsx(Text, { color: theme.muted, children: "  \u00B7  web " }), _jsx(Text, { color: webBackend === "unavailable" ? theme.muted : theme.ready, children: webBackend === "webiq" ? "✓ webiq" : webBackend === "copilot" ? "✓ copilot" : "✗ /webiq" })] }), _jsxs(Box, { children: [_jsx(ClientBadge, { name: "claude", status: status.claude }), _jsx(Text, { color: theme.muted, children: "  " }), _jsx(ClientBadge, { name: "codex", status: status.codex }), _jsx(Text, { color: theme.muted, children: "  \u00B7  /help" })] })] })] }));
+                }) }), body, _jsxs(Box, { flexDirection: "column", paddingX: 1, children: [_jsxs(Box, { children: [github && _jsxs(_Fragment, { children: [_jsx(Text, { color: theme.muted, children: "github " }), _jsx(Text, { color: github === "connected" ? theme.ready : theme.error, children: github === "connected" ? "✓" : "✗ /login" })] }), _jsxs(Text, { color: theme.muted, children: [github ? "  ·  " : "", "daemon "] }), _jsx(Text, { color: stateColor[state], children: state })] }), _jsxs(Box, { children: [_jsx(Text, { color: theme.muted, children: "web " }), _jsx(Text, { color: webBackend === "unavailable" ? theme.muted : theme.ready, children: webBackend === "webiq" ? "✓ webiq" : webBackend === "copilot" ? "✓ copilot" : "✗ /webiq" }), _jsx(Text, { color: theme.muted, children: "  \u00B7  " }), _jsx(ClientBadge, { name: "claude", status: status.claude }), _jsx(Text, { color: theme.muted, children: "  " }), _jsx(ClientBadge, { name: "codex", status: status.codex }), _jsx(Text, { color: theme.muted, children: "  \u00B7  /help" })] })] })] }));
 }

package/dist/version.js

@@ -1,2 +1,2 @@
 // AUTO-GENERATED by scripts/gen-version.mjs from package.json — do not edit.
-export const APP_VERSION = "0.4.0";
+export const APP_VERSION = "0.5.1";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "copilot-reverse",
-  "version": "0.4.0",
+  "version": "0.5.1",
   "description": "Interactive terminal app that exposes your GitHub Copilot subscription as local OpenAI- and Anthropic-compatible endpoints, with a self-healing daemon and a built-in assistant.",
   "type": "module",
   "license": "MIT",