wispy-cli 2.5.1 → 2.6.0

package/bin/wispy.mjs

@@ -130,8 +130,14 @@ ${_bold("Cron & Automation:")}
   ${_cyan("wispy cron add")}                Add a cron job
   ${_cyan("wispy cron start")}              Start scheduler
 
+${_bold("Auth:")}
+  ${_cyan("wispy auth")}                    Show auth status for all providers
+  ${_cyan("wispy auth github-copilot")}     Sign in with GitHub (Copilot OAuth)
+  ${_cyan("wispy auth refresh <provider>")} Refresh expired OAuth token
+  ${_cyan("wispy auth revoke <provider>")}  Remove saved auth token
+
 ${_bold("Config & Maintenance:")}
-  ${_cyan("wispy setup")}                   Configure wispy interactively ${_dim("(29 AI providers)")}
+  ${_cyan("wispy setup")}                   Configure wispy interactively ${_dim("(30 AI providers)")}
   ${_cyan("wispy model")}                   Show / switch AI model
   ${_cyan("wispy model list")}              List available models per provider
   ${_cyan("wispy model set <p:model>")}     Switch model (e.g. xai:grok-3)
@@ -346,6 +352,7 @@ if (args[0] === "completion") {
     { cmd: "status",     desc: "Show wispy status & remote connection info" },
     { cmd: "connect",    desc: "Connect to a remote Wispy server" },
     { cmd: "disconnect", desc: "Disconnect from remote server (go back to local)" },
+    { cmd: "auth",       desc: "OAuth auth management (github-copilot, refresh, revoke)" },
   ];
 
   // Sub-command completions for nested commands
@@ -359,6 +366,7 @@ if (args[0] === "completion") {
     channel:    ["setup", "list", "test"],
     node:       ["pair", "connect", "list", "status", "remove"],
     sync:       ["push", "pull", "status", "auto"],
+    auth:       ["github-copilot", "refresh", "revoke"],
     server:     ["start", "stop", "status"],
     completion: ["bash", "zsh", "fish"],
     help:       cmdSpecs.map(c => c.cmd),
@@ -1797,13 +1805,111 @@ if (args[0] === "channel") {
   process.exit(0);
 }
 
+// ── auth sub-command ──────────────────────────────────────────────────────────
+if (args[0] === "auth") {
+  const { AuthManager } = await import(
+    path.join(__dirname, "..", "core", "auth.mjs")
+  );
+  const { WISPY_DIR } = await import(
+    path.join(__dirname, "..", "core", "config.mjs")
+  );
+
+  const sub = args[1]; // provider name | "refresh" | "revoke" | undefined
+
+  const auth = new AuthManager(WISPY_DIR);
+
+  // wispy auth — show status for all providers
+  if (!sub) {
+    const statuses = await auth.allStatus();
+    if (statuses.length === 0) {
+      console.log(_dim("\n  No saved auth tokens. Run: wispy auth <provider>\n"));
+    } else {
+      console.log(`\n${_bold("🔑 Auth Status")}\n`);
+      for (const s of statuses) {
+        const expiryStr = s.expiresAt ? _dim(` (expires ${new Date(s.expiresAt).toLocaleString()})`) : "";
+        const statusIcon = s.expired ? _yellow("⚠️  expired") : _green("✅ valid");
+        console.log(`  ${_cyan(s.provider.padEnd(20))} ${s.type.padEnd(8)} ${statusIcon}${expiryStr}`);
+      }
+      console.log("");
+      console.log(_dim("  wispy auth <provider>           — re-authenticate"));
+      console.log(_dim("  wispy auth refresh <provider>   — refresh token"));
+      console.log(_dim("  wispy auth revoke <provider>    — remove saved token"));
+    }
+    console.log("");
+    process.exit(0);
+  }
+
+  // wispy auth refresh <provider>
+  if (sub === "refresh" && args[2]) {
+    const provider = args[2];
+    console.log(`\n🔄 Refreshing token for ${_cyan(provider)}...`);
+    try {
+      await auth.refreshToken(provider);
+      console.log(_green(`✅ Token refreshed for ${provider}\n`));
+    } catch (err) {
+      console.error(_red(`❌ ${err.message}\n`));
+      process.exit(1);
+    }
+    process.exit(0);
+  }
+
+  // wispy auth revoke <provider>
+  if (sub === "revoke" && args[2]) {
+    const provider = args[2];
+    await auth.revokeToken(provider);
+    console.log(_green(`✅ Revoked auth for ${provider}\n`));
+    process.exit(0);
+  }
+
+  // wispy auth <provider> — run OAuth or re-authenticate
+  if (sub && sub !== "refresh" && sub !== "revoke") {
+    const provider = sub;
+
+    if (provider === "github-copilot") {
+      console.log(`\n🔑 ${_bold("GitHub Copilot")} — OAuth sign-in\n`);
+      try {
+        const result = await auth.oauth("github-copilot");
+        if (result.valid) {
+          console.log(_green(`✅ GitHub Copilot authenticated!\n`));
+          console.log(_dim("  Token saved to ~/.wispy/auth/github-copilot.json"));
+          console.log(_dim("  Run: wispy auth  to verify status\n"));
+        }
+      } catch (err) {
+        console.error(_red(`\n❌ ${err.message}\n`));
+        process.exit(1);
+      }
+    } else {
+      console.error(_red(`\n❌ Unknown provider for auth: ${provider}`));
+      console.log(_dim(`  Currently OAuth is supported for: github-copilot\n`));
+      process.exit(1);
+    }
+    process.exit(0);
+  }
+
+  // Help
+  console.log(`
+${_bold("🔑 Wispy Auth Commands")}
+
+  ${_cyan("wispy auth")}                          — show auth status for all providers
+  ${_cyan("wispy auth github-copilot")}           — sign in with GitHub (Copilot OAuth)
+  ${_cyan("wispy auth refresh <provider>")}       — refresh expired token
+  ${_cyan("wispy auth revoke <provider>")}        — remove saved auth
+
+${_bold("Examples:")}
+  wispy auth github-copilot
+  wispy auth refresh github-copilot
+  wispy auth revoke github-copilot
+`);
+  process.exit(0);
+}
+
 // ── Unknown command detection ─────────────────────────────────────────────────
 // Any non-flag argument that wasn't matched above is an unknown command
 const _KNOWN_COMMANDS = new Set([
   "ws", "trust", "where", "handoff", "skill", "teach", "improve", "dry",
   "setup", "init", "update", "status", "connect", "disconnect", "sync",
   "deploy", "migrate", "cron", "audit", "log", "server", "node", "channel",
-  "tui", "help", "doctor", "completion", "version",
+  "auth", "tui", "help", "doctor", "completion", "version",
   // serve flags (handled below)
   "--serve", "--telegram", "--discord", "--slack", "--server",
   "--help", "-h", "--version", "-v", "--debug", "--tui",
@@ -1903,7 +2009,8 @@ const isInteractiveStart = !args.some(a =>
   ["--serve", "--telegram", "--discord", "--slack", "--server",
    "status", "setup", "init", "connect", "disconnect", "deploy",
    "cron", "audit", "log", "server", "node", "channel", "sync", "tui",
-   "ws", "trust", "where", "handoff", "skill", "teach", "improve", "dry"].includes(a)
+   "ws", "trust", "where", "handoff", "skill", "teach", "improve", "dry",
+   "auth"].includes(a)
 );
 
 if (isInteractiveStart) {

package/core/auth.mjs

@@ -0,0 +1,369 @@
+/**
+ * core/auth.mjs — Auth manager for Wispy
+ *
+ * Handles OAuth device flow, subscription checks, and API key auth.
+ * Tokens stored in ~/.wispy/auth/<provider>.json (separate from config.json)
+ *
+ * class AuthManager:
+ *   constructor(wispyDir)
+ *   async apiKey(provider, key) → { valid, token }
+ *   async oauth(provider) → { valid, token }          // OAuth device flow
+ *   async subscription(provider) → { valid, token }   // subscription check
+ *   saveToken(provider, tokenData)
+ *   loadToken(provider) → tokenData | null
+ *   async refreshToken(provider) → tokenData
+ *   isExpired(provider) → boolean
+ *   getActiveToken(provider) → string | null
+ */
+
+import os from "node:os";
+import path from "node:path";
+import { mkdir, writeFile, readFile, unlink } from "node:fs/promises";
+import { existsSync, readFileSync } from "node:fs";
+
+import { WISPY_DIR } from "./config.mjs";
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Helpers
+// ──────────────────────────────────────────────────────────────────────────────
+
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+
+const bold  = (s) => `\x1b[1m${s}\x1b[0m`;
+const dim   = (s) => `\x1b[2m${s}\x1b[0m`;
+const green = (s) => `\x1b[32m${s}\x1b[0m`;
+const cyan  = (s) => `\x1b[36m${s}\x1b[0m`;
+const yellow= (s) => `\x1b[33m${s}\x1b[0m`;
+const red   = (s) => `\x1b[31m${s}\x1b[0m`;
+
+// ──────────────────────────────────────────────────────────────────────────────
+// GitHub Copilot OAuth constants
+// ──────────────────────────────────────────────────────────────────────────────
+
+const GITHUB_COPILOT_CLIENT_ID = "Iv1.b507a08c87ecfe98";
+const GITHUB_DEVICE_CODE_URL   = "https://github.com/login/device/code";
+const GITHUB_ACCESS_TOKEN_URL  = "https://github.com/login/oauth/access_token";
+const COPILOT_TOKEN_URL        = "https://api.github.com/copilot_internal/v2/token";
+
+// ──────────────────────────────────────────────────────────────────────────────
+// GitHub device flow
+// ──────────────────────────────────────────────────────────────────────────────
+
+/**
+ * Run GitHub OAuth device flow. Returns { access_token, token_type, scope }.
+ */
+async function githubDeviceFlow() {
+  // 1. Request device code
+  const resp = await fetch(GITHUB_DEVICE_CODE_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/json", "Accept": "application/json" },
+    body: JSON.stringify({ client_id: GITHUB_COPILOT_CLIENT_ID, scope: "copilot" }),
+  });
+
+  if (!resp.ok) {
+    const err = await resp.text();
+    throw new Error(`Failed to get device code: ${resp.status} ${err.slice(0, 200)}`);
+  }
+
+  const { device_code, user_code, verification_uri, expires_in, interval: rawInterval } = await resp.json();
+  let pollInterval = rawInterval ?? 5;
+
+  // 2. Show user instructions
+  console.log(`\n  ${bold("GitHub Copilot Authorization")}`);
+  console.log(`\n  1. Open: ${cyan(verification_uri)}`);
+  console.log(`  2. Enter code: ${bold(green(user_code))}\n`);
+  console.log(`  ${dim("Waiting for authorization... (Ctrl+C to cancel)")}`);
+
+  // 3. Poll for token
+  const deadline = Date.now() + (expires_in ?? 900) * 1000;
+  while (Date.now() < deadline) {
+    await sleep(pollInterval * 1000);
+
+    const tokenResp = await fetch(GITHUB_ACCESS_TOKEN_URL, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "Accept": "application/json" },
+      body: JSON.stringify({
+        client_id: GITHUB_COPILOT_CLIENT_ID,
+        device_code,
+        grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+      }),
+    });
+
+    const result = await tokenResp.json();
+
+    if (result.access_token) {
+      console.log(green("\n  ✅ GitHub authorization successful!\n"));
+      return result;
+    }
+    if (result.error === "authorization_pending") continue;
+    if (result.error === "slow_down") { pollInterval += 5; continue; }
+    if (result.error === "expired_token") throw new Error("Authorization code expired. Please try again.");
+    if (result.error === "access_denied") throw new Error("Authorization denied by user.");
+    throw new Error(result.error_description ?? result.error ?? "Unknown OAuth error");
+  }
+
+  throw new Error("Authorization timed out. Please try again.");
+}
+
+/**
+ * Exchange a GitHub OAuth token for a Copilot-specific token.
+ * Returns { token, expires_at } — token is the Copilot bearer token.
+ */
+async function getCopilotToken(githubToken) {
+  const resp = await fetch(COPILOT_TOKEN_URL, {
+    headers: {
+      "Authorization": `token ${githubToken}`,
+      "Accept": "application/json",
+      "User-Agent": "wispy-cli",
+    },
+    signal: AbortSignal.timeout(10000),
+  });
+
+  if (resp.status === 403) {
+    throw new Error("GitHub Copilot not available — you need an active GitHub Copilot subscription.");
+  }
+  if (!resp.ok) {
+    const err = await resp.text();
+    throw new Error(`Failed to get Copilot token: ${resp.status} ${err.slice(0, 200)}`);
+  }
+
+  return await resp.json(); // { token: "tid=xxx;...", expires_at: 1234567890 }
+}
+
+// ──────────────────────────────────────────────────────────────────────────────
+// AuthManager class
+// ──────────────────────────────────────────────────────────────────────────────
+
+export class AuthManager {
+  constructor(wispyDir = WISPY_DIR) {
+    this._authDir = path.join(wispyDir, "auth");
+    // Cache loaded tokens in memory (keyed by provider)
+    this._cache = {};
+  }
+
+  // ── Token file helpers ─────────────────────────────────────────────────────
+
+  _tokenPath(provider) {
+    return path.join(this._authDir, `${provider}.json`);
+  }
+
+  /**
+   * Save token data to ~/.wispy/auth/<provider>.json
+   */
+  async saveToken(provider, tokenData) {
+    await mkdir(this._authDir, { recursive: true });
+    const data = { ...tokenData, provider, savedAt: new Date().toISOString() };
+    await writeFile(this._tokenPath(provider), JSON.stringify(data, null, 2) + "\n", { mode: 0o600 });
+    this._cache[provider] = data;
+  }
+
+  /**
+   * Load token from disk synchronously. Returns null if not found.
+   * Prefer loadTokenAsync when in async context.
+   */
+  loadToken(provider) {
+    if (this._cache[provider]) return this._cache[provider];
+    const p = this._tokenPath(provider);
+    if (!existsSync(p)) return null;
+    try {
+      const data = JSON.parse(readFileSync(p, "utf8"));
+      this._cache[provider] = data;
+      return data;
+    } catch { return null; }
+  }
+
+  /**
+   * Async version of loadToken (preferred)
+   */
+  async loadTokenAsync(provider) {
+    if (this._cache[provider]) return this._cache[provider];
+    try {
+      const raw = await readFile(this._tokenPath(provider), "utf8");
+      const data = JSON.parse(raw);
+      this._cache[provider] = data;
+      return data;
+    } catch { return null; }
+  }
+
+  /**
+   * Remove saved auth token
+   */
+  async revokeToken(provider) {
+    delete this._cache[provider];
+    try { await unlink(this._tokenPath(provider)); } catch { /* ignore */ }
+  }
+
+  // ── Token validation ───────────────────────────────────────────────────────
+
+  /**
+   * Check if the saved token for a provider is expired.
+   */
+  async isExpired(provider) {
+    const token = await this.loadTokenAsync(provider);
+    if (!token) return true;
+    if (!token.expiresAt) return false; // no expiry = never expires
+    return new Date(token.expiresAt) <= new Date(Date.now() + 60_000); // 1-min buffer
+  }
+
+  /**
+   * Get the active bearer token string for a provider.
+   * For github-copilot: returns the Copilot API token (not the GitHub OAuth token).
+   */
+  async getActiveToken(provider) {
+    const token = await this.loadTokenAsync(provider);
+    if (!token) return null;
+
+    if (provider === "github-copilot") {
+      // Copilot token is in token.copilotToken; GitHub OAuth token in token.accessToken
+      if (token.copilotToken && !this._isCopilotTokenExpired(token)) {
+        return token.copilotToken;
+      }
+      // Refresh Copilot token from stored GitHub OAuth token
+      if (token.accessToken) {
+        try {
+          const copilotData = await getCopilotToken(token.accessToken);
+          const updated = {
+            ...token,
+            copilotToken: copilotData.token,
+            copilotExpiresAt: new Date(copilotData.expires_at * 1000).toISOString(),
+          };
+          await this.saveToken(provider, updated);
+          return copilotData.token;
+        } catch {
+          return null;
+        }
+      }
+      return null;
+    }
+
+    return token.accessToken ?? null;
+  }
+
+  _isCopilotTokenExpired(token) {
+    if (!token.copilotExpiresAt) return true;
+    return new Date(token.copilotExpiresAt) <= new Date(Date.now() + 60_000);
+  }
+
+  // ── Auth methods ───────────────────────────────────────────────────────────
+
+  /**
+   * API key auth — validate and store.
+   */
+  async apiKey(provider, key) {
+    if (!key || key.trim() === "") return { valid: false, token: null };
+    const tokenData = {
+      type: "apikey",
+      accessToken: key.trim(),
+      provider,
+    };
+    await this.saveToken(provider, tokenData);
+    return { valid: true, token: key.trim() };
+  }
+
+  /**
+   * OAuth device flow auth.
+   * Currently only supports github-copilot.
+   */
+  async oauth(provider) {
+    if (provider === "github-copilot") {
+      return this._oauthGitHubCopilot();
+    }
+    throw new Error(`OAuth not implemented for provider: ${provider}`);
+  }
+
+  async _oauthGitHubCopilot() {
+    // 1. Run device flow to get GitHub OAuth token
+    const oauthResult = await githubDeviceFlow();
+    const githubToken = oauthResult.access_token;
+
+    // 2. Exchange for Copilot token
+    console.log(dim("  Getting Copilot token..."));
+    const copilotData = await getCopilotToken(githubToken);
+
+    // 3. Save tokens (never log full tokens)
+    const tokenData = {
+      type: "oauth",
+      accessToken: githubToken,
+      scope: oauthResult.scope ?? "copilot",
+      copilotToken: copilotData.token,
+      copilotExpiresAt: new Date(copilotData.expires_at * 1000).toISOString(),
+      provider: "github-copilot",
+    };
+
+    await this.saveToken("github-copilot", tokenData);
+
+    console.log(green("  ✅ GitHub Copilot authenticated!\n"));
+    return { valid: true, token: copilotData.token };
+  }
+
+  /**
+   * Subscription check auth (for providers that use existing subscription tokens).
+   */
+  async subscription(provider) {
+    throw new Error(`Subscription auth not implemented for: ${provider}`);
+  }
+
+  /**
+   * Refresh an expired OAuth token.
+   * For github-copilot: gets a fresh Copilot token using stored GitHub OAuth token.
+   */
+  async refreshToken(provider) {
+    const token = await this.loadTokenAsync(provider);
+    if (!token) throw new Error(`No saved auth for ${provider}. Run: wispy auth ${provider}`);
+
+    if (provider === "github-copilot") {
+      if (!token.accessToken) {
+        throw new Error("GitHub OAuth token missing. Re-run: wispy auth github-copilot");
+      }
+      const copilotData = await getCopilotToken(token.accessToken);
+      const updated = {
+        ...token,
+        copilotToken: copilotData.token,
+        copilotExpiresAt: new Date(copilotData.expires_at * 1000).toISOString(),
+      };
+      await this.saveToken(provider, updated);
+      return updated;
+    }
+
+    throw new Error(`Token refresh not supported for: ${provider}`);
+  }
+
+  // ── Status helpers ─────────────────────────────────────────────────────────
+
+  /**
+   * Get auth status for all providers (for wispy auth status display).
+   */
+  async allStatus() {
+    const authDir = this._authDir;
+    const results = [];
+
+    let files = [];
+    try {
+      const { readdir } = await import("node:fs/promises");
+      files = (await readdir(authDir)).filter(f => f.endsWith(".json"));
+    } catch { /* no auth dir yet */ }
+
+    for (const file of files) {
+      const provider = file.replace(/\.json$/, "");
+      const token = await this.loadTokenAsync(provider);
+      if (!token) continue;
+
+      const expired = await this.isExpired(provider);
+      results.push({
+        provider,
+        type: token.type ?? "unknown",
+        expired,
+        expiresAt: token.expiresAt ?? token.copilotExpiresAt ?? null,
+        savedAt: token.savedAt,
+      });
+    }
+
+    return results;
+  }
+}
+
+// ──────────────────────────────────────────────────────────────────────────────
+// Exports for use in providers.mjs and onboarding.mjs
+// ──────────────────────────────────────────────────────────────────────────────
+
+export { githubDeviceFlow, getCopilotToken };

package/core/config.mjs

@@ -52,6 +52,9 @@ export const PROVIDERS = {
   dashscope:   { envKeys: ["DASHSCOPE_API_KEY"],                                            defaultModel: "qwen-max",                              label: "DashScope (Alibaba)",         signupUrl: "https://dashscope.aliyun.com/" },
   xiaomi:      { envKeys: ["XIAOMI_API_KEY"],                                               defaultModel: "MiMo-7B-RL",                            label: "Xiaomi AI",                  signupUrl: "https://ai.xiaomi.com/" },
 
+  // ── OAuth / subscription-based ────────────────────────────────────────────
+  "github-copilot": { envKeys: ["GITHUB_COPILOT_TOKEN"],                                    defaultModel: "gpt-4o",                                label: "GitHub Copilot",             signupUrl: "https://github.com/features/copilot", auth: "oauth" },
+
   // ── Local / self-hosted ─────────────────────────────────────────────────────
   ollama:      { envKeys: [],                                                                defaultModel: "llama3.2",                              label: "Ollama (local)",             signupUrl: null, local: true },
   vllm:        { envKeys: [],                                                                defaultModel: "meta-llama/Llama-3.3-70B-Instruct",     label: "vLLM (self-hosted)",         signupUrl: "https://docs.vllm.ai/", local: true },
@@ -164,5 +167,21 @@ export async function detectProvider() {
     }
   }
 
+  // 5. OAuth providers: check auth token file
+  const githubCopilotAuthPath = path.join(WISPY_DIR, "auth", "github-copilot.json");
+  try {
+    const { existsSync } = await import("node:fs");
+    if (existsSync(githubCopilotAuthPath)) {
+      const tokenData = JSON.parse(await readFile(githubCopilotAuthPath, "utf8"));
+      if (tokenData?.accessToken || tokenData?.copilotToken) {
+        return {
+          provider: "github-copilot",
+          key: tokenData.copilotToken ?? tokenData.accessToken,
+          model: process.env.WISPY_MODEL ?? PROVIDERS["github-copilot"].defaultModel,
+        };
+      }
+    }
+  } catch { /* ignore */ }
+
   return null;
 }

package/core/onboarding.mjs

@@ -37,6 +37,7 @@ import {
   loadConfig,
   saveConfig,
 } from "./config.mjs";
+import { AuthManager } from "./auth.mjs";
 
 // ──────────────────────────────────────────────────────────────────────────────
 // ANSI helpers (no extra deps)
@@ -55,6 +56,7 @@ const red    = (s) => `\x1b[31m${s}\x1b[0m`;
 
 const PROVIDER_LIST = [
   // ── Popular ─────────────────────────────────────────────────────────────────
+  { key: "github-copilot", label: "🌟 GitHub Copilot — free with GitHub subscription", defaultModel: "gpt-4o",               signupUrl: "https://github.com/features/copilot", auth: "oauth", tag: "free with GitHub subscription" },
   { key: "google",      label: "🌟 Google AI (Gemini) — free tier",   defaultModel: "gemini-2.5-flash",                         signupUrl: "https://aistudio.google.com/apikey" },
   { key: "anthropic",   label: "🌟 Anthropic (Claude) — best quality", defaultModel: "claude-sonnet-4-20250514",                 signupUrl: "https://console.anthropic.com/settings/keys" },
   { key: "openai",      label: "🌟 OpenAI (GPT-4o)",                   defaultModel: "gpt-4o",                                   signupUrl: "https://platform.openai.com/api-keys" },
@@ -423,6 +425,85 @@ export class OnboardingWizard {
         continue;
       }
 
+      // ── OAuth providers (e.g. GitHub Copilot) ───────────────────────────
+      if (info?.auth === "oauth" && provKey === "github-copilot") {
+        console.log("");
+        console.log(`  ${bold("GitHub Copilot")} — requires a GitHub account with Copilot subscription`);
+        console.log(dim(`  Get one at: ${info?.signupUrl}`));
+        console.log("");
+
+        let authMethod = "oauth";
+        try {
+          authMethod = await select({
+            message: "GitHub Copilot auth method:",
+            choices: [
+              { name: "Sign in with GitHub (recommended)", value: "oauth" },
+              { name: "Paste GitHub token manually",       value: "token" },
+            ],
+          });
+        } catch {
+          console.log(dim("  Skipping github-copilot.\n"));
+          continue;
+        }
+
+        const authMgr = new AuthManager(WISPY_DIR);
+
+        if (authMethod === "oauth") {
+          try {
+            const result = await authMgr.oauth("github-copilot");
+            if (result.valid) {
+              providers["github-copilot"] = { model: info?.defaultModel ?? "gpt-4o", auth: "oauth" };
+              console.log(green(`  ✅ GitHub Copilot connected (${info?.defaultModel ?? "gpt-4o"})`));
+            }
+          } catch (err) {
+            if (err?.name === "ExitPromptError" || err?.code === "ERR_USE_AFTER_CLOSE") {
+              console.log(dim("  Skipping github-copilot."));
+            } else {
+              console.log(red(`  ✗ ${err.message}`));
+              console.log(yellow("  You can re-run: wispy auth github-copilot"));
+            }
+          }
+        } else {
+          // Manual token paste
+          let githubToken = null;
+          try {
+            githubToken = await password({
+              message: "  GitHub token (ghp_... or ghu_...):",
+              mask: "*",
+            });
+          } catch { console.log(dim("  Skipping.")); continue; }
+
+          if (githubToken && githubToken.trim()) {
+            try {
+              process.stdout.write("  Verifying Copilot access...");
+              const { getCopilotToken } = await import("./auth.mjs");
+              const copilotData = await getCopilotToken(githubToken.trim());
+              await authMgr.saveToken("github-copilot", {
+                type: "token",
+                accessToken: githubToken.trim(),
+                copilotToken: copilotData.token,
+                copilotExpiresAt: new Date(copilotData.expires_at * 1000).toISOString(),
+                provider: "github-copilot",
+              });
+              providers["github-copilot"] = { model: info?.defaultModel ?? "gpt-4o", auth: "oauth" };
+              console.log(green(` ✅ Copilot access confirmed!`));
+            } catch (err) {
+              console.log(red(` ✗ ${err.message}`));
+              console.log(yellow("  Saving token anyway — check it later with: wispy auth github-copilot"));
+              await authMgr.saveToken("github-copilot", {
+                type: "token",
+                accessToken: githubToken.trim(),
+                provider: "github-copilot",
+              });
+              providers["github-copilot"] = { model: info?.defaultModel ?? "gpt-4o", auth: "oauth" };
+            }
+          } else {
+            console.log(dim("  Skipping github-copilot."));
+          }
+        }
+        continue;
+      }
+
       // ── Special: Cloudflare needs account_id ─────────────────────────────
       if (provKey === "cloudflare") {
         console.log("");

package/core/providers.mjs

@@ -11,7 +11,8 @@
  * Each provider: { name, label, models, chat(messages, tools, opts) }
  */
 
-import { PROVIDERS, detectProvider } from "./config.mjs";
+import { PROVIDERS, detectProvider, WISPY_DIR } from "./config.mjs";
+import { AuthManager } from "./auth.mjs";
 
 const OPENAI_COMPAT_ENDPOINTS = {
   // ── Tier 1: Popular ───────────────────────────────────────────────────────
@@ -39,6 +40,8 @@ const OPENAI_COMPAT_ENDPOINTS = {
   zai:         "https://open.bigmodel.cn/api/paas/v4/chat/completions",
   dashscope:   "https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions",
   xiaomi:      "https://api.api2d.com/v1/chat/completions", // placeholder
+  // ── GitHub Copilot ─────────────────────────────────────────────────────────
+  "github-copilot": "https://api.githubcopilot.com/chat/completions",
   // ── Local / self-hosted ───────────────────────────────────────────────────
   ollama:      null, // set from OLLAMA_HOST
   vllm:        null, // set from VLLM_BASE_URL
@@ -53,6 +56,8 @@ export class ProviderRegistry {
     this._apiKey = null;
     this._model = null;
     this._sessionTokens = { input: 0, output: 0 };
+    this._auth = new AuthManager(WISPY_DIR);
+    this._authType = null; // "apikey" | "oauth"
   }
 
   /**
@@ -67,6 +72,19 @@ export class ProviderRegistry {
     this._apiKey = overrides.key ?? detected?.key;
     this._model = overrides.model ?? detected?.model;
     this._detected = detected;
+
+    // Check provider auth type
+    const providerInfo = PROVIDERS[this._provider];
+    this._authType = providerInfo?.auth ?? "apikey";
+
+    // For OAuth providers, try to load token from auth store
+    if (this._authType === "oauth") {
+      const activeToken = await this._auth.getActiveToken(this._provider);
+      if (activeToken) {
+        this._apiKey = activeToken;
+      }
+    }
+
     return { provider: this._provider, key: this._apiKey, model: this._model };
   }
 
@@ -109,6 +127,20 @@ export class ProviderRegistry {
    * Returns: { type: "text"|"tool_calls", text?, calls? }
    */
   async chat(messages, tools = [], opts = {}) {
+    // Auto-refresh expired OAuth tokens before making API calls
+    if (this._authType === "oauth" && await this._auth.isExpired(this._provider)) {
+      try {
+        await this._auth.refreshToken(this._provider);
+        const newToken = await this._auth.getActiveToken(this._provider);
+        if (newToken) this._apiKey = newToken;
+      } catch (err) {
+        // Token refresh failed — proceed with existing key and let API return auth error
+        if (process.env.WISPY_DEBUG) {
+          console.error(`[wispy] Token refresh failed: ${err.message}`);
+        }
+      }
+    }
+
     const model = opts.model ?? this._model;
     if (this._provider === "google") {
       return this._chatGemini(messages, tools, opts, model);
@@ -387,6 +419,11 @@ export class ProviderRegistry {
     if (this._apiKey) headers["Authorization"] = `Bearer ${this._apiKey}`;
     if (this._provider === "openrouter") headers["HTTP-Referer"] = "https://wispy.dev";
     if (this._provider === "cloudflare") headers["Authorization"] = `Bearer ${process.env.CF_API_TOKEN ?? this._apiKey}`;
+    if (this._provider === "github-copilot") {
+      headers["Copilot-Integration-Id"] = "vscode-chat";
+      headers["Editor-Version"] = "vscode/1.85.0";
+      headers["Editor-Plugin-Version"] = "copilot-chat/0.12.0";
+    }
 
     const supportsTools = !["ollama", "vllm", "sglang", "minimax", "huggingface"].includes(this._provider);
     const body = { model, messages: openaiMessages, temperature: 0.7, max_tokens: 4096, stream: true };

package/lib/wispy-tui.mjs

@@ -38,11 +38,11 @@ const SIDEBAR_WIDTH = 16;
 const TIMELINE_LINES = 3;
 
 const TOOL_ICONS = {
-  read_file: "📖", write_file: "✏️", file_edit: "✏️", run_command: "⚙️",
-  git: "🌿", web_search: "🔍", web_fetch: "🌐", list_directory: "📁",
-  spawn_subagent: "🤖", spawn_agent: "🤖", memory_save: "💾",
-  memory_search: "🔍", memory_list: "📝", delete_file: "🗑️",
-  node_execute: "🖥️", update_work_context: "📝",
+  read_file: "[file]", write_file: "[edit]", file_edit: "[edit]", run_command: "[exec]",
+  git: "[git]", web_search: "[search]", web_fetch: "[web]", list_directory: "[dir]",
+  spawn_subagent: "[sub-agent]", spawn_agent: "[agent]", memory_save: "[save]",
+  memory_search: "[find]", memory_list: "[list]", delete_file: "[delete]",
+  node_execute: "[run]", update_work_context: "[update]",
 };
 
 // ─── Utilities ───────────────────────────────────────────────────────────────

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wispy-cli",
-  "version": "2.5.1",
+  "version": "2.6.0",
   "description": "🌿 Wispy — AI workspace assistant with trustworthy execution (harness, receipts, approvals, diffs)",
   "license": "MIT",
   "author": "Minseo & Poropo",