+ Ki?&Rt^RIHt^RIt^RIt^RIt^RIt^RIt^RIt^RI H t ^RI H t ]P!]4tRtRtRtRtR tR tR!tR"t^t^tR R ltR RltRRltRRltRRltRRRR/RRlltRRRR/RR llt R#)#uGitHub Copilot authentication utilities. Implements the OAuth device code flow used by the Copilot CLI and handles token validation/exchange for the Copilot API. Token type support (per GitHub docs): gho_ OAuth token ✓ (default via copilot login) github_pat_ Fine-grained PAT ✓ (needs Copilot Requests permission) ghu_ GitHub App token ✓ (via environment variable) ghp_ Classic PAT ✗ NOT SUPPORTED Credential search order (matching Copilot CLI behaviour): 1. COPILOT_GITHUB_TOKEN env var 2. GH_TOKEN env var 3. GITHUB_TOKEN env var 4. gh auth token CLI fallback ) annotationsN)Path)OptionalOv23li8tweQw6odWQebzz$https://github.com/login/device/codez+https://github.com/login/oauth/access_tokenz0https://api.github.com/copilot_internal/v2/tokenzhttps://api.githubcopilot.comghp_c V^8dQhRRRR/#)tokenstrreturnbool)formats"4/home/ubuntu/hermes-agent/hermes_cli/copilot_auth.py __annotate__r5s99#9$9cHVP4P\4#)zICheck if a token is a classic PAT (ghp_*), which Copilot doesn't support.strip startswith_CLASSIC_PAT_PREFIXr s&ris_classic_patr5s ;;= # #$7 88rc V^8dQhRRRR/#)rr r r ztuple[bool, str]r )rs"rrr:s#*:rctVP4pV'gR#VP\4'dR#R#)zQValidate that a token is usable with the Copilot API. Returns (valid, message). )Fz Empty token)Fu3Classic Personal Access Tokens (ghp_*) are not supported by the Copilot API. Use one of: → `copilot login` or `hermes model` to authenticate via OAuth → A fine-grained PAT (github_pat_*) with Copilot Requests permission → `gh auth login` with the default device code flow (produces gho_* tokens))TOKrrs&rvalidate_copilot_tokenr:s< KKME ## +,,   rcV^8dQhRR/#)rr ztuple[str, str]r )rs"rrrOsrcP\Fbp\P!VR4P4pV'gK2\ V4wr#V'g\ P RW4K_W3u# \4pV'd(\ V4wr#V'g\RV 24hVR3#R#)zResolve a GitHub token suitable for Copilot API use. Returns (token, source) where source describes where the token came from. Raises ValueError if only a classic PAT is available. z"Token from %s is not supported: %sz5Token from `gh auth token` is a classic PAT (ghp_*). z gh auth token)rr) COPILOT_ENV_VARSosgetenvrrloggerwarning_try_gh_cli_token ValueError)env_varvalvalidmsgr s rresolve_copilot_tokenr+Os$ii$**, 3/4JE8'< $  E +E2 GuM o%% MrcV^8dQhRR/#)rr z list[str]r )rs"rrrnsIrc.p\P!R4pV'dVPV4RR\\P !4R, R, R, 43FppW 9dK \ PPV4'gK2\ P!V\ P4'gK_VPV4Kr V#)zIReturn candidate ``gh`` binary paths, including common Homebrew installs.ghz/opt/homebrew/bin/ghz/usr/local/bin/ghz.localbin) shutilwhichappendr rhomer!pathisfileaccessX_OK) candidatesresolved candidates r_gh_cli_candidatesr;nsJ||D!H(#  DIIK( "U *T 12  "  77>>) $ $9bgg)F)F   i ( rcV^8dQhRR/#)rr Optional[str]r )rs"rrrs=rc\4Fpp\P!VRR.RR^R7pTP^8XgK4TPP4'gKVTPP4u# R# \\P3d"p\ P RY4Rp?KRp?ii;i)zGReturn a token from ``gh auth token`` when the GitHub CLI is available.authr T)capture_outputtexttimeoutz#gh CLI token lookup failed (%s): %sN) r; subprocessrunFileNotFoundErrorTimeoutExpiredr#debug returncodestdoutr)gh_pathresultexcs rr%r%s%' ^^&'*# F    !fmm&9&9&;&;==&&( ((  ":#<#<=  LL> M  sBB=B88B=hostz github.comtimeout_secondsi,c$V^8dQhRRRRRR/#)rrMr rNfloatr r=r )rs"rrrs-xx xx xrc ^RIp^RIpVPR4pRV R2pRV R2pVPP R\ RR/4P 4pVPPVVR R R R R R/R7pVPPV^R7;_uu_4p\P!VP4P44p RRR4X P%RR4p T P%RR4p T P%RR4p \'T P%R\(4^4pT 'd T 'g\#R4R#\#4\#RT 24\#RT 24\#4\#RRRR7\*P*!4T,p\*P*!4T8Ed\*P,!T\.,4TPP R\ RT RR /4P 4pTPPTTR R R R R R/R7pTPPT^ R7;_uu_4p\P!TP4P44pRRR4XP%R"4'd\#R#4TR",#TP%R$R4pTR%8Xd\#R!RRR7EKITR&8Xd[TP%R4p\1T\2\434'dT^8d \3T4pM T^, p\#R!RRR7EKTR'8Xd\#4\#R(4R#TR)8Xd\#4\#R*4R#T'gEK\#4\#R+T 24R#\#4\#R,4R# +'giEL;i \d0p \P!RT 4\#RT 24Rp ? R#Rp ? ii;i +'giEL;i \d\#R!RRR7EKi;i)-zRun the GitHub OAuth device code flow for Copilot. Prints instructions for the user, polls for completion, and returns the OAuth access token on success, or None on failure/cancellation. This replicates the flow used by opencode and the Copilot CLI. N/zhttps://z/login/device/codez/login/oauth/access_token client_idscopez read:userAcceptzapplication/jsonz Content-Typez!application/x-www-form-urlencoded User-AgentHermesAgent/1.0)dataheaders)rBz+Failed to initiate device authorization: %su, ✗ Failed to start device authorization: verification_urizhttps://github.com/login/device user_coder device_codeintervalu* ✗ GitHub did not return a device code.z! Open this URL in your browser: z Enter this code: z Waiting for authorization...T)endflush grant_typez,urn:ietf:params:oauth:grant-type:device_code. access_tokenu ✓errorauthorization_pending slow_down expired_tokenu, ✗ Device code expired. Please try again. access_deniedu ✗ Authorization was denied.u ✗ Authorization failed: u* ✗ Timed out waiting for authorization.)urllib.request urllib.parserstripparse urlencodeCOPILOT_OAUTH_CLIENT_IDencoderequestRequesturlopenjsonloadsreaddecode Exceptionr#rcprintgetmax_DEVICE_CODE_POLL_INTERVALtimesleep_DEVICE_CODE_POLL_SAFETY_MARGIN isinstanceintrP)rMrNurllibdomaindevice_code_urlaccess_token_urlrXreqresp device_datarLrZr[r\r]deadline poll_datapoll_reqrKrcserver_intervals$$ rcopilot_device_code_loginrs [[ F (:;O!&)BC << ! !,# vx ..   ( ? +  ! C ^^ # #C # 4 4**TYY[%7%7%9:K5#'9;\] R0I//-4K;??:/IJANH i :; G -.>-? @A  { +, G *$?yy{_,H ))+  8==>LL** 0 ; H,   68  >>)) , C/*  ''"'==DIIK$6$6$89> ::n % % &M.) ) 7B' + + #2T *  k !$jj4O/C<88_q=P/A  #2T *  o % G @ A o % G 3 4 U G 08 9 G 67 i5 4 4  BCH ==  #2T *  sf<%O!3O O=%P0"3PP0 O OO P*$PP P- 'P0-P00Q Q is_agent_turnT is_visionFc$V^8dQhRRRRRR/#)rrr rr zdict[str, str]r )rs"rrrs( rcHRRRRRRRV'dRMR /pV'dR VR &V#) zvBuild the standard headers for Copilot API requests. Replicates the header set used by opencode and the Copilot CLI. zEditor-Versionzvscode/1.104.1rVrWz Openai-Intentzconversation-editsz x-initiatoragentusertruezCopilot-Vision-Requestr )rrrYs$$ rcopilot_request_headersrs; *'--wV G ,2() Nr)gho_ github_pat_ghu_)COPILOT_GITHUB_TOKENGH_TOKEN GITHUB_TOKEN)!__doc__ __future__rrrloggingr!r0rCr{pathlibrtypingr getLogger__name__r#rmCOPILOT_DEVICE_CODE_URLCOPILOT_ACCESS_TOKEN_URLCOPILOT_TOKEN_EXCHANGE_URLCOPILOT_API_BASE_URLr_SUPPORTED_PREFIXESr rzr}rrr+r;r%rrr rrrs$#      8 $1@HP65H"#9 *>*(xx!xzr