
feat: GitHub Copilot provider with proper OAuth auth and token validation #1896

Merged
teknium1 merged 1 commit into main from hermes/hermes-eab76047
Mar 18, 2026


@teknium1 teknium1 commented Mar 18, 2026

Summary

Integrates GitHub Copilot as a first-class provider in Hermes, building on PR #1879 from @mchzimm with critical auth improvements modeled after opencode's implementation.

What's included

From PR #1879 (merged into this branch):

  • copilot and copilot-acp as first-class providers
  • Live GitHub Copilot model catalog support
  • Model ID normalization and API mode detection (chat_completions vs codex_responses)
  • Reasoning effort configuration per model
  • Full propagation through CLI, gateway, cron, delegation, ACP adapter, smart routing
  • Copilot Responses API payload trimming
  • [SILENT] cron marker for suppressing empty deliveries
  • Fixes delegate_tool _saved_tool_names NameError (fixed 17 test failures on main)

New in this branch (auth improvements):

  • hermes_cli/copilot_auth.py — dedicated Copilot auth module:
    • OAuth device code flow using the same client_id as opencode and Copilot CLI
    • Token type validation — rejects classic PATs (ghp_*) with clear error messages explaining supported types
    • Correct env var priority: COPILOT_GITHUB_TOKEN → GH_TOKEN → GITHUB_TOKEN (matching Copilot CLI docs)
    • Proper API headers: Openai-Intent: conversation-edits, x-initiator: agent|user, Copilot-Vision-Request: true (matching opencode)
  • hermes model copilot flow offers OAuth device code login when no token is found
  • 22 new auth tests

Why the auth changes matter

The Copilot API explicitly rejects classic PATs (ghp_*) with 400: Personal Access Tokens are not supported. Per GitHub docs:

| Token type | Prefix | Supported |
| --- | --- | --- |
| OAuth token | gho_ | Yes |
| Fine-grained PAT | github_pat_ | Yes |
| GitHub App token | ghu_ | Yes |
| Classic PAT | ghp_ | No |

Without validation, users with classic PATs (common default for gh auth login --with-token) get an opaque API error. The device code flow provides a direct way to get a proper OAuth token.

Tests

  • 5394 passed (full suite)
  • 7 failed (all pre-existing: whatsapp config bridge + anthropic env leak)
  • 22 new copilot auth tests
  • 0 regressions

When config.yaml had a non-default model (e.g. gpt-5.3-codex) and the
provider was openai-codex, _normalize_model_for_provider() would replace
it with the latest available codex model because _model_is_default only
checked the CLI argument, not the config value.

Now _model_is_default is False when config.yaml has a model that differs
from the global fallback (anthropic/claude-opus-4.6), so the user's
explicit config choice is preserved.

Fixes #1887
@teknium1 teknium1 merged commit 24ac577 into main Mar 18, 2026
1 check failed
@teknium1 teknium1 changed the title fix: respect model.default from config.yaml for openai-codex provider Mar 18, 2026
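
The token checks described in the PR description (prefix validation plus environment-variable priority), as an added example that is not taken from hermes_cli/copilot_auth.py. The function and class names, the fall-through to the next variable when one holds an unsupported token, and the rejection of unrecognized prefixes are assumptions of this example; the sample tokens in use are constructed.

```python
import os

# Prefix table from the PR description above.
SUPPORTED_PREFIXES = {
    "gho_": "OAuth token",
    "github_pat_": "fine-grained PAT",
    "ghu_": "GitHub App token",
}
CLASSIC_PAT_PREFIX = "ghp_"
# Priority order from the PR description.
ENV_PRIORITY = ("COPILOT_GITHUB_TOKEN", "GH_TOKEN", "GITHUB_TOKEN")


class CopilotTokenError(ValueError):
    """Raised when no usable Copilot token is found (hypothetical name)."""


def classify_token(token):
    """Return (kind, supported) for a token, judged by its prefix only."""
    for prefix, kind in SUPPORTED_PREFIXES.items():
        if token.startswith(prefix):
            return kind, True
    if token.startswith(CLASSIC_PAT_PREFIX):
        return "classic PAT", False
    return "unrecognized token type", False  # assumption: fail closed


def resolve_copilot_token(environ=None):
    """Return (variable_name, token) for the first supported token."""
    # Assumption: a variable holding an unsupported token is skipped and the
    # next one is tried. Errors name the variable and kind, never the value.
    environ = os.environ if environ is None else environ
    rejected = []
    for name in ENV_PRIORITY:
        token = (environ.get(name) or "").strip()
        if not token:
            continue
        kind, supported = classify_token(token)
        if supported:
            return name, token
        rejected.append(f"{name} holds a {kind}")
    if rejected:
        supported = ", ".join(f"{k} ({p}*)" for p, k in SUPPORTED_PREFIXES.items())
        raise CopilotTokenError("; ".join(rejected) + ". Supported: " + supported)
    raise CopilotTokenError("no token set in " + ", ".join(ENV_PRIORITY))
```

Passing a dict instead of relying on `os.environ` keeps the check testable without touching real credentials.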