fix: forward GitHub token to headless server for Keychain-inaccessible environments

Root cause: when copilot login stores credentials in macOS Keychain,
the headless server spawned by PolyPilot may not have Keychain access
(ACL dialog can't be shown for background processes). The server starts
without auth, causing 'session was not created with authentication info'.

Fix: ResolveGitHubTokenForServer() checks COPILOT_GITHUB_TOKEN,
GH_TOKEN, GITHUB_TOKEN env vars, then falls back to 'gh auth token'
CLI. The resolved token is passed to StartServerAsync() which sets
GITHUB_TOKEN on the headless server process environment.

- Add githubToken parameter to IServerManager.StartServerAsync
- Resolve token once at init, cache in _resolvedGitHubToken
- Re-resolve on ReauthenticateAsync (user may have just logged in)
- Forward to all 7 StartServerAsync call sites
- Add 3 tests for token resolution and parameter forwarding

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: PureWeen

PolyPilot.Tests/ServerRecoveryTests.cs

@@ -148,6 +148,38 @@ public async Task ReauthenticateAsync_NonPersistentMode_SetsFailureNotice()
         Assert.Contains("restart failed", svc.AuthNotice!, StringComparison.OrdinalIgnoreCase);
     }
 
+    // ===== ResolveGitHubTokenForServer =====
+
+    [Fact]
+    public void ResolveGitHubTokenForServer_ReturnsNull_WhenNoTokenAvailable()
+    {
+        // In test environment, no env vars should be set and gh CLI may not be available.
+        // The method should return null gracefully without throwing.
+        var token = CopilotService.ResolveGitHubTokenForServer();
+        // We can't assert null because the test runner might have GH_TOKEN set.
+        // Just verify it doesn't throw and returns a string or null.
+        Assert.True(token == null || token.Length > 0);
+    }
+
+    [Fact]
+    public void ServerManager_AcceptsGitHubToken_InStartServerAsync()
+    {
+        // Verify the stub properly records the token parameter
+        var mgr = new StubServerManager();
+        mgr.StartServerResult = true;
+        mgr.StartServerAsync(4321, "test-token-123").GetAwaiter().GetResult();
+        Assert.Equal("test-token-123", mgr.LastGitHubToken);
+    }
+
+    [Fact]
+    public void ServerManager_AcceptsNullGitHubToken_InStartServerAsync()
+    {
+        var mgr = new StubServerManager();
+        mgr.StartServerResult = true;
+        mgr.StartServerAsync(4321).GetAwaiter().GetResult();
+        Assert.Null(mgr.LastGitHubToken);
+    }
+
     // ===== IsConnectionError now catches auth errors =====
 
     [Theory]

PolyPilot.Tests/TestStubs.cs

@@ -46,11 +46,13 @@ internal class StubServerManager : IServerManager
 
     public bool CheckServerRunning(string host = "localhost", int? port = null) => IsServerRunning;
 
-    public Task<bool> StartServerAsync(int port)
+    public Task<bool> StartServerAsync(int port, string? githubToken = null)
     {
         ServerPort = port;
+        LastGitHubToken = githubToken;
         return Task.FromResult(StartServerResult);
     }
+    public string? LastGitHubToken { get; private set; }
 
     public void StopServer() { IsServerRunning = false; StopServerCallCount++; }
     public int StopServerCallCount { get; private set; }

PolyPilot/Models/ErrorMessageHelper.cs

@@ -68,7 +68,7 @@ public static string HumanizeMessage(string message)
 
         // Authentication errors from the CLI SDK
         if (message.Contains("not created with authentication info", StringComparison.OrdinalIgnoreCase))
-            return "Not authenticated — run `copilot login` in your terminal, then reconnect in Settings.";
+            return "Not authenticated — run `copilot login` (or `gh auth login`) in your terminal, then click Re-authenticate.";
 
         // Catch-all for any other net_webstatus_ codes we haven't mapped
         if (message.Contains("net_webstatus_", StringComparison.OrdinalIgnoreCase))

PolyPilot/Services/CopilotService.Utilities.cs

@@ -941,4 +941,59 @@ private void StopAuthPolling()
             }
         }
     }
+
+    /// <summary>
+    /// Attempts to resolve a GitHub token that can be forwarded to the headless server
+    /// via the GITHUB_TOKEN env var. This helps when the server can't access the macOS
+    /// Keychain (e.g., Keychain entry ACL blocks headless processes).
+    /// Checks, in order: COPILOT_GITHUB_TOKEN, GH_TOKEN, GITHUB_TOKEN env vars,
+    /// then falls back to `gh auth token` if the gh CLI is available.
+    /// </summary>
+    internal static string? ResolveGitHubTokenForServer()
+    {
+        // Check environment variables (same precedence as copilot CLI)
+        foreach (var envVar in new[] { "COPILOT_GITHUB_TOKEN", "GH_TOKEN", "GITHUB_TOKEN" })
+        {
+            var val = Environment.GetEnvironmentVariable(envVar);
+            if (!string.IsNullOrEmpty(val))
+            {
+                Console.WriteLine($"[AUTH] Resolved token from ${envVar}");
+                return val;
+            }
+        }
+
+        // Try the gh CLI as a fallback
+        try
+        {
+            var psi = new System.Diagnostics.ProcessStartInfo
+            {
+                FileName = "gh",
+                UseShellExecute = false,
+                RedirectStandardOutput = true,
+                RedirectStandardError = true,
+                CreateNoWindow = true
+            };
+            psi.ArgumentList.Add("auth");
+            psi.ArgumentList.Add("token");
+
+            using var proc = System.Diagnostics.Process.Start(psi);
+            if (proc != null)
+            {
+                var token = proc.StandardOutput.ReadToEnd().Trim();
+                proc.WaitForExit(5000);
+                if (proc.ExitCode == 0 && !string.IsNullOrEmpty(token))
+                {
+                    Console.WriteLine("[AUTH] Resolved token from `gh auth token`");
+                    return token;
+                }
+            }
+        }
+        catch
+        {
+            // gh CLI not available — that's fine
+        }
+
+        Console.WriteLine("[AUTH] No GitHub token could be resolved for server forwarding");
+        return null;
+    }
 }

PolyPilot/Services/CopilotService.cs

@@ -82,6 +82,7 @@ internal void SetTurnEndGuardForTesting(string sessionName, bool active)
     private CancellationTokenSource? _codespaceHealthCts;
     private CancellationTokenSource? _authPollCts;
     private readonly object _authPollLock = new();
+    private string? _resolvedGitHubToken;
     private Task? _codespaceHealthTask;
     // Cached dotfiles status — checked once when first SetupRequired state is encountered
     private CodespaceService.DotfilesStatus? _dotfilesStatus;
@@ -318,6 +319,8 @@ public async Task ReauthenticateAsync()
     {
         StopAuthPolling();
         Debug("[AUTH] Re-authenticate requested — forcing server restart to pick up new credentials");
+        // Re-resolve the token in case the user just ran `copilot login` or `gh auth login`
+        _resolvedGitHubToken = ResolveGitHubTokenForServer();
         var recovered = await TryRecoverPersistentServerAsync();
         if (recovered)
         {
@@ -917,10 +920,15 @@ public async Task InitializeAsync(CancellationToken cancellationToken = default)
         // In Persistent mode, auto-start the server if not already running
         if (settings.Mode == ConnectionMode.Persistent)
         {
+            // Resolve a GitHub token that can be forwarded to the headless server.
+            // This handles the case where the Keychain entry created by `copilot login`
+            // is inaccessible to a headless process (macOS Keychain ACL restriction).
+            _resolvedGitHubToken ??= ResolveGitHubTokenForServer();
+
             if (!_serverManager.CheckServerRunning("127.0.0.1", settings.Port))
             {
                 Debug($"Persistent server not running, auto-starting on port {settings.Port}...");
-                var started = await _serverManager.StartServerAsync(settings.Port);
+                var started = await _serverManager.StartServerAsync(settings.Port, _resolvedGitHubToken);
                 if (!started)
                 {
                     Debug("Failed to auto-start server, falling back to Embedded mode");
@@ -967,7 +975,7 @@ public async Task InitializeAsync(CancellationToken cancellationToken = default)
                 await Task.Delay(250, cancellationToken);
             }
 
-            var restarted = await _serverManager.StartServerAsync(settings.Port);
+            var restarted = await _serverManager.StartServerAsync(settings.Port, _resolvedGitHubToken);
             if (restarted)
             {
                 Debug("Server restarted, retrying connection...");
@@ -1284,7 +1292,7 @@ internal async Task<bool> TryRecoverPersistentServerAsync()
             }
 
             // Start a fresh server — this forces the CLI to re-authenticate with GitHub
-            var started = await _serverManager.StartServerAsync(settings.Port);
+            var started = await _serverManager.StartServerAsync(settings.Port, _resolvedGitHubToken);
             if (!started)
             {
                 Debug("[SERVER-RECOVERY] Failed to restart persistent server");
@@ -1381,7 +1389,7 @@ public async Task RestartServerAsync(CancellationToken cancellationToken = defau
             }
 
             // 5. Start fresh server (will extract current native modules)
-            var started = await _serverManager.StartServerAsync(restartSettings.Port);
+            var started = await _serverManager.StartServerAsync(restartSettings.Port, _resolvedGitHubToken);
             if (!started)
             {
                 Debug("[SERVER-RESTART] Failed to restart server");
@@ -2496,7 +2504,7 @@ ALWAYS run the relaunch script as the final step after making changes to this pr
                 if (!_serverManager.CheckServerRunning("127.0.0.1", settings.Port))
                 {
                     Debug("Persistent server not running, restarting...");
-                    var started = await _serverManager.StartServerAsync(settings.Port);
+                    var started = await _serverManager.StartServerAsync(settings.Port, _resolvedGitHubToken);
                     if (!started)
                     {
                         Debug("Failed to restart persistent server");
@@ -3242,7 +3250,7 @@ public async Task<string> SendPromptAsync(string sessionName, string prompt, Lis
                             if (CurrentMode == ConnectionMode.Persistent &&
                                 !_serverManager.CheckServerRunning("127.0.0.1", reinitSettings.Port))
                             {
-                                await _serverManager.StartServerAsync(reinitSettings.Port);
+                                await _serverManager.StartServerAsync(reinitSettings.Port, _resolvedGitHubToken);
                             }
                             _client = CreateClient(reinitSettings);
                             await _client.StartAsync(cancellationToken);
@@ -3283,7 +3291,7 @@ public async Task<string> SendPromptAsync(string sessionName, string prompt, Lis
                                     !_serverManager.CheckServerRunning("127.0.0.1", connSettings.Port))
                                 {
                                     Debug("Persistent server not running, restarting...");
-                                    var started = await _serverManager.StartServerAsync(connSettings.Port);
+                                    var started = await _serverManager.StartServerAsync(connSettings.Port, _resolvedGitHubToken);
                                     if (!started)
                                     {
                                         Debug("Failed to restart persistent server");

PolyPilot/Services/IServerManager.cs

@@ -13,7 +13,7 @@ public interface IServerManager
     event Action? OnStatusChanged;
 
     bool CheckServerRunning(string host = "127.0.0.1", int? port = null);
-    Task<bool> StartServerAsync(int port);
+    Task<bool> StartServerAsync(int port, string? githubToken = null);
     void StopServer();
     bool DetectExistingServer();
 }

PolyPilot/Services/ServerManager.cs

@@ -50,7 +50,7 @@ public bool CheckServerRunning(string host = "127.0.0.1", int? port = null)
     /// <summary>
     /// Start copilot in headless server mode, detached from app lifecycle
     /// </summary>
-    public async Task<bool> StartServerAsync(int port = 4321)
+    public async Task<bool> StartServerAsync(int port = 4321, string? githubToken = null)
     {
         ServerPort = port;
         LastError = null;
@@ -76,6 +76,16 @@ public async Task<bool> StartServerAsync(int port = 4321)
                 RedirectStandardInput = false
             };
 
+            // Forward the GitHub token via environment variable so the headless server
+            // can authenticate even when the macOS Keychain is inaccessible (e.g., the
+            // Keychain entry was created in a terminal session and the ACL dialog can't
+            // be shown for a background process).
+            if (!string.IsNullOrEmpty(githubToken))
+            {
+                psi.Environment["GITHUB_TOKEN"] = githubToken;
+                Console.WriteLine("[ServerManager] Passing GITHUB_TOKEN to headless server");
+            }
+
             // Use ArgumentList for proper escaping (especially MCP JSON)
             psi.ArgumentList.Add("--headless");
             psi.ArgumentList.Add("--no-auto-update");