Copilot driver auth is broken - requires OAuth device flow token, not PAT

[dmbutko]

Description

The GitHub Copilot LLM driver does not work with any standard GitHub token type. The code says it exchanges a GitHub PAT for a Copilot API token, but the copilot_internal/v2/token endpoint rejects all standard token types:

• Classic PATs (ghp_) - 403 Forbidden
• Fine-grained PATs (github_pat_) with Copilot permission - 403 Forbidden
• gh CLI OAuth tokens (gho_) with copilot scope - 404 Not Found

The only token type that works is a ghu_ token obtained via the OAuth device flow using the VS Code Copilot extension's client ID (Iv1.b507a08c87ecfe98). There is no way for users to generate this through the GitHub website or standard tooling.

Reproduction

1. Install OpenFang, configure github-copilot provider with any standard token
2. Any chat or message attempt fails with 403 or 404 on token exchange

Working workaround

Manually run the OAuth device flow:

curl -s -X POST -H "Accept: application/json" \
  -d "client_id=Iv1.b507a08c87ecfe98&scope=copilot" \
  https://github.com/login/device/code
# authorize at github.com/login/device
curl -s -X POST -H "Accept: application/json" \
  -d "client_id=Iv1.b507a08c87ecfe98&device_code=DEVICE_CODE&grant_type=urn:ietf:params:oauth:grant-type:device_code" \
  https://github.com/login/oauth/access_token

This returns a ghu_ token that works. But it is short-lived and requires manual renewal.

Additional issue

Default config sets model to copilot/gpt-4 which returns model_not_supported. The API expects bare names like gpt-4o or claude-sonnet-4.6.

Proposed fix

1. Implement OAuth device flow directly in the driver
2. Auto-refresh the ghu_ token before expiry
3. openfang config set-key github-copilot should trigger the device flow
4. openfang doctor should check GITHUB_TOKEN when Copilot provider is configured
5. Default model names should use bare names not prefixed ones

Environment

• OpenFang v0.5.5
• Linux Debian amd64
• Copilot Enterprise
• Source: crates/openfang-runtime/src/drivers/copilot.rs

[dmbutko]

Suggestion: use the official Copilot SDK or its auth logic

The official GitHub Copilot SDK (Node.js, Python, Go, .NET, Java) and the community Rust port handle all of this correctly. The current copilot.rs is a hand-rolled implementation that bypasses the SDK's auth chain entirely.

What the official SDK supports

From the SDK auth docs, the authentication priority is:

1. Explicit githubToken passed to constructor
2. HMAC key (CAPI_HMAC_KEY / COPILOT_HMAC_KEY)
3. Direct API token (GITHUB_COPILOT_API_TOKEN + COPILOT_API_URL)
4. Environment variable tokens: COPILOT_GITHUB_TOKEN > GH_TOKEN > GITHUB_TOKEN
5. Stored OAuth credentials from copilot CLI login
6. gh auth credentials

Supported token types: gho_, ghu_, github_pat_ (fine-grained). Not supported: ghp_ (classic PATs, deprecated).

The SDK handles the device flow, token exchange, caching, and refresh internally via the Copilot CLI runtime (JSON-RPC over stdio).

Proposed approach

Rather than fixing the hand-rolled token exchange in copilot.rs, consider integrating the copilot-sdk-rust crate, or at minimum porting the SDK's auth chain logic:

# Cargo.toml
[dependencies]
copilot-sdk = { git = "https://github.com/copilot-community-sdk/copilot-sdk-rust" }

This would give OpenFang:

• Proper device flow authentication
• Automatic token refresh
• Support for all token types (gho_, ghu_, github_pat_)
• Correct endpoint routing for Individual vs Business vs Enterprise plans
• BYOK support (use your own OpenAI/Anthropic/Azure keys through Copilot)

The Rust SDK requires the Copilot CLI to be installed, but that's a much smaller ask than the current situation where auth is fundamentally broken.