Ki?&dZddlmZddlZddlZddlZddlZddlZddlZddl m Z ddl m Z ej eZdZdZdZd Zd Zd Zd Zd ZdZdZd+dZd,dZd-dZd.dZd/dZdddd0d#Zd$d%d&d1d*Z dS)2uGitHub Copilot authentication utilities. Implements the OAuth device code flow used by the Copilot CLI and handles token validation/exchange for the Copilot API. Token type support (per GitHub docs): gho_ OAuth token ✓ (default via copilot login) github_pat_ Fine-grained PAT ✓ (needs Copilot Requests permission) ghu_ GitHub App token ✓ (via environment variable) ghp_ Classic PAT ✗ NOT SUPPORTED Credential search order (matching Copilot CLI behaviour): 1. COPILOT_GITHUB_TOKEN env var 2. GH_TOKEN env var 3. GITHUB_TOKEN env var 4. gh auth token CLI fallback ) annotationsN)Path)OptionalOv23li8tweQw6odWQebzz$https://github.com/login/device/codez+https://github.com/login/oauth/access_tokenz0https://api.github.com/copilot_internal/v2/tokenzhttps://api.githubcopilot.comghp_)gho_ github_pat_ghu_)COPILOT_GITHUB_TOKENGH_TOKEN GITHUB_TOKENtokenstrreturnboolcZ|tS)zICheck if a token is a classic PAT (ghp_*), which Copilot doesn't support.strip startswith_CLASSIC_PAT_PREFIXrs 4/home/ubuntu/hermes-agent/hermes_cli/copilot_auth.pyis_classic_patr5s ;;== # #$7 8 88tuple[bool, str]cn|}|sdS|trdSdS)zYValidate that a token is usable with the Copilot API. Returns (valid, message). )Fz Empty token)Fu3Classic Personal Access Tokens (ghp_*) are not supported by the Copilot API. Use one of: → `copilot login` or `hermes model` to authenticate via OAuth → A fine-grained PAT (github_pat_*) with Copilot Requests permission → `gh auth login` with the default device code flow (produces gho_* tokens))TOKrrs rvalidate_copilot_tokenr :sG KKMME $## +,,    :rtuple[str, str]cNtD]b}tj|d}|r7t |\}}|st d||\||fcSct}|r*t |\}}|std||dfSdS)zResolve a GitHub token suitable for Copilot API use. Returns (token, source) where source describes where the token came from. Raises ValueError if only a classic PAT is available. z"Token from %s is not supported: %sz5Token from `gh auth token` is a classic PAT (ghp_*). z gh auth token)r#r#) COPILOT_ENV_VARSosgetenvrr loggerwarning_try_gh_cli_token ValueError)env_varvalvalidmsgrs rresolve_copilot_tokenr/Os$   i$$**,,  /44JE3 8'3<       E &+E22 s MMM o%% 6r list[str]cng}tjd}|r||ddtt jdz dz dz fD]Z}||vrt j|r4t j |t j r||[|S)zIReturn candidate ``gh`` binary paths, including common Homebrew installs.ghz/opt/homebrew/bin/ghz/usr/local/bin/ghz.localbin) shutilwhichappendrrhomer%pathisfileaccessX_OK) candidatesresolved candidates r_gh_cli_candidatesr?nsJ|D!!H$(###  DIKK( "U *T 122))  " "  7>>) $ $ )9bg)F)F )   i ( ( ( r Optional[str]c^tD]} tj|ddgddd}n?#ttjf$r&}t d||Yd}~Vd}~wwxYw|jdkr4|j r|j cSdS) zGReturn a token from ``gh auth token`` when the GitHub CLI is available.authrTr)capture_outputtexttimeoutz#gh CLI token lookup failed (%s): %sNr) r? subprocessrunFileNotFoundErrorTimeoutExpiredr'debug returncodestdoutr)gh_pathresultexcs rr)r)s%'' ) ) ^&'*# FF ":#<=    LL> M M M HHHH    ! !fm&9&9&;&; !=&&(( ( ( ( 4s.A*A%%A*z github.comi,)hosttimeout_secondsrPrQfloatc8 ddl}ddl}|d}d|d}d|d}|jt dd}|j||d d d d  } |j |d5}tj | } dddn #1swxYwYnE#t$r8} td| t#d| Yd} ~ dSd} ~ wwxYw| dd} | dd} | dd} t'| dt(d}| r| st#ddSt#t#d| t#d| t#t#dddt+j|z}t+j|krKt+j|t.z|jt | dd }|j||d d d d  } |j |d!5}tj | }dddn #1swxYwYn##t$rt#d"ddYwxYw|d#rt#d$|d#S|d%d}|d&krt#d"ddw|d'kr`|d}t1|t2t4fr|dkrt3|}n|d(z }t#d"dd|d)krt#t#d*dS|d+krt#t#d,dS|r"t#t#d-|dSt+j|kKt#t#d.dS)/a Run the GitHub OAuth device code flow for Copilot. Prints instructions for the user, polls for completion, and returns the OAuth access token on success, or None on failure/cancellation. This replicates the flow used by opencode and the Copilot CLI. rN/zhttps://z/login/device/codez/login/oauth/access_tokenz read:user) client_idscopezapplication/jsonz!application/x-www-form-urlencodedHermesAgent/1.0)Acceptz Content-Type User-Agent)dataheaders)rEz+Failed to initiate device authorization: %su, ✗ Failed to start device authorization: verification_urizhttps://github.com/login/device user_coder# device_codeintervalu* ✗ GitHub did not return a device code.z! Open this URL in your browser: z Enter this code: z Waiting for authorization...T)endflushz,urn:ietf:params:oauth:grant-type:device_code)rUr_ grant_type . access_tokenu ✓errorauthorization_pending slow_downr expired_tokenu, ✗ Device code expired. Please try again. access_deniedu ✗ Authorization was denied.u ✗ Authorization failed: u* ✗ Timed out waiting for authorization.)urllib.request urllib.parserstripparse urlencodeCOPILOT_OAUTH_CLIENT_IDencoderequestRequesturlopenjsonloadsreaddecode Exceptionr'rhprintgetmax_DEVICE_CODE_POLL_INTERVALtimesleep_DEVICE_CODE_POLL_SAFETY_MARGIN isinstanceintrR)rPrQurllibdomaindevice_code_urlaccess_token_urlrZreqresp device_datarOr]r^r_r`deadline poll_datapoll_reqrNrhserver_intervals rcopilot_device_code_loginrsu [[  F;;;;OC&CCC < ! !,##  vxx .  (?+   !  C ^ # #C # 4 4 ;*TYY[[%7%7%9%9::K ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;  BCHHH BSBBCCCttttt #'9;\]] R00I//-44K;??:/IJJANNH i :;;;t GGG @.> @ @AAA + + +,,, GGG *$????y{{_,H )++  8==>>>L**0&H, ,    688  >)) , C/*   ''"'== :DIIKK$6$6$8$899 : : : : : : : : : : : : : : :    #2T * * * * H  ::n % % * &MMM.) ) 7B'' + + + #2T * * * *  k ! !$jj44O/C<88 _q=P=P//A  #2T * * * *  o % % GGG @ A A A4 o % % GGG 3 4 4 44   GGG 888 9 9 94m )++ p GGG 6777 4srC-9C! C-!C%%C-(C%)C-- D/7-D**D/%L9L: LL  L L LL21L2TF) is_agent_turn is_visionrrdict[str, str]c*ddd|rdndd}|rd|d<|S) z~Build the standard headers for Copilot API requests. Replicates the header set used by opencode and the Copilot CLI. zvscode/1.104.1rWzconversation-editsagentuser)zEditor-VersionrYz Openai-Intentz x-initiatortruezCopilot-Vision-Request)rrr[s rcopilot_request_headersrs?+'-"/;wwV G 3,2() Nr)rrrr)rrrr)rr!)rr0)rr@)rPrrQrRrr@)rrrrrr)!__doc__ __future__rrwloggingr%r4rFrpathlibrtypingr getLogger__name__r'rrCOPILOT_DEVICE_CODE_URLCOPILOT_ACCESS_TOKEN_URLCOPILOT_TOKEN_EXCHANGE_URLCOPILOT_API_BASE_URLr_SUPPORTED_PREFIXESr$rrrr r/r?r)rrrrrrs$#"""""     8 $ $1@HP65H"#9999 *>*, xxxxxx~r