i4UdZddlmZddlZddlZddlZddlZddlZddlZddl m Z ddl m Z ej eZdZdZdZd Zd Zd Zd4dZd5dZd6dZd7dZdddd8dZiZded<d Zd!Zd"Zd#Z d9d%Z!d&d'd:d*Z"d9d+Z#d,d-d.d;d3Z$dS)>) $ $ )9bg)F)F )   i ( ( ( r Optional[str]ctjdd}dtjD}t D]}|ddg}|r|d|gz } t j|ddd| }n?#tt j f$r&}t d ||Yd }~bd }~wwxYw|j d kr4|j r|j cSd S) aaReturn a token from ``gh auth token`` when the GitHub CLI is available. When COPILOT_GH_HOST is set, passes ``--hostname`` so gh returns the correct host's token. Also strips GITHUB_TOKEN / GH_TOKEN from the subprocess environment so ``gh`` reads from its own credential store (hosts.yml) instead of just echoing the env var back. COPILOT_GH_HOSTrc"i|] \}}|dv || S))r r ).0kvs r z%_try_gh_cli_token..s3;;;$!Q999A999rauthrz --hostnameTr)capture_outputtexttimeoutenvz#gh CLI token lookup failed (%s): %sNr)r r!renvironitemsr: subprocessrunFileNotFoundErrorTimeoutExpiredr"debug returncodestdout)hostname clean_envgh_pathcmdresultexcs rr$r$wsAy*B//5577H;;"*"2"2"4"4;;;I&''))(  , L(+ +C ^# FF":#<=    LL> M M M HHHH    ! !fm&9&9&;&; !=&&(( ( ( ( 4s/B  CCCz github.comi,)hosttimeout_secondsrXrYfloatc8 ddl}ddl}|d}d|d}d|d}|jt dd}|j||d d d d  } |j |d5}tj | } dddn #1swxYwYnE#t$r8} td| t#d| Yd} ~ dSd} ~ wwxYw| dd} | dd} | dd} t'| dt(d}| r| st#ddSt#t#d| t#d| t#t#dddt+j|z}t+j|krKt+j|t.z|jt | dd }|j||d d d d  } |j |d!5}tj | }dddn #1swxYwYn##t$rt#d"ddYwxYw|d#rt#d$|d#S|d%d}|d&krt#d"ddw|d'kr`|d}t1|t2t4fr|dkrt3|}n|d(z }t#d"dd|d)krt#t#d*dS|d+krt#t#d,dS|r"t#t#d-|dSt+j|kKt#t#d.dS)/a Run the GitHub OAuth device code flow for Copilot. Prints instructions for the user, polls for completion, and returns the OAuth access token on success, or None on failure/cancellation. This replicates the flow used by opencode and the Copilot CLI. rN/zhttps://z/login/device/codez/login/oauth/access_tokenz read:user) client_idscopeapplication/jsonz!application/x-www-form-urlencodedHermesAgent/1.0)Acceptz Content-Type User-Agent)dataheadersrGz+Failed to initiate device authorization: %su, ✗ Failed to start device authorization: verification_urizhttps://github.com/login/device user_coder device_codeintervalu* ✗ GitHub did not return a device code.z! Open this URL in your browser: z Enter this code: z Waiting for authorization...T)endflushz,urn:ietf:params:oauth:grant-type:device_code)r]ri grant_type . access_tokenu ✓errorauthorization_pending slow_downr expired_tokenu, ✗ Device code expired. Please try again. access_deniedu ✗ Authorization was denied.u ✗ Authorization failed: u* ✗ Timed out waiting for authorization.)urllib.request urllib.parserstripparse urlencodeCOPILOT_OAUTH_CLIENT_IDencoderequestRequesturlopenjsonloadsreaddecode Exceptionr"rrprintgetmax_DEVICE_CODE_POLL_INTERVALtimesleep_DEVICE_CODE_POLL_SAFETY_MARGIN isinstanceintrZ)rXrYurllibdomaindevice_code_urlaccess_token_urlrcreqresp device_datarWrgrhrirjdeadline poll_datapoll_reqrVrrserver_intervals rcopilot_device_code_loginrsu [[  F;;;;OC&CCC < ! !,##  vxx .  (?+   !  C ^ # #C # 4 4 ;*TYY[[%7%7%9%9::K ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;  BCHHH BSBBCCCttttt #'9;\]] R00I//-44K;??:/IJJANNH i :;;;t GGG @.> @ @AAA + + +,,, GGG *$????y{{_,H )++  8==>>>L**0&H, ,    688  >)) , C/*   ''"'== :DIIKK$6$6$8$899 : : : : : : : : : : : : : : :    #2T * * * * H  ::n % % * &MMM.) ) 7B'' + + + #2T * * * *  k ! !$jj44O/C<88 _q=P=P//A  #2T * * * *  o % % GGG @ A A A4 o % % GGG 3 4 4 44   GGG 888 9 9 94m )++ p GGG 6777 4srC-9C! C-!C%%C-(C%)C-- D/7-D**D/%L9L: LL  L L LL21L2zdict[str, tuple[str, float]] _jwt_cachexz0https://api.github.com/copilot_internal/v2/tokenvscode/1.104.1zGitHubCopilotChat/0.26.7 raw_tokencddl}||ddS)zNShort fingerprint of a raw token for cache keying (avoids storing full token).rN)hashlibsha256r} hexdigest)rrs r_token_fingerprintr#s>NNN >>)**,, - - 7 7 9 9#2# >>rg$@rfrGtuple[str, float]c \ddl}t|}t|}|r(|\}}t j|t z kr||fS|jtdd|tdtd} |j ||5}tj |} dddn #1swxYwYn%#t $r} t#d | | d} ~ wwxYw| d d }| d d}|st#d |rt%|nt jdz}||ft|<t&d|||fS)aExchange a raw GitHub token for a short-lived Copilot API token. Calls ``GET https://api.github.com/copilot_internal/v2/token`` with the raw GitHub token and returns ``(api_token, expires_at)``. The returned token is a semicolon-separated string (not a standard JWT) used as ``Authorization: Bearer `` for Copilot API requests. Results are cached in-process and reused until close to expiry. Raises ``ValueError`` on failure. rNGETztoken r_) AuthorizationrbraEditor-Version)methodrdrfzCopilot token exchange failed: rr expires_atz+Copilot token exchange returned empty tokeniz&Copilot token exchanged, expires_at=%s)rwrrrr_JWT_REFRESH_MARGIN_SECONDSr~r_TOKEN_EXCHANGE_URL_EXCHANGE_USER_AGENT_EDITOR_VERSIONrrrrrrr%rZr"rO) rrGrfpcached api_tokenrrrrcrWs rexchange_copilot_tokenr)s I & &B^^B  F ) & : 9;;&AA A Aj( ( . 1i11.(-    !  CK ^ # #C # 9 9 4T:diikk002233D 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 KKK@3@@AAsJK"%%I,**J HFGGG'1Hz"""dikkD6HJ,JrN LL0 j  s< C:)9C." C:.C22C:5C26C:: DDDc|s|S t|\}}|S#t$r'}td||cYd}~Sd}~wwxYw)aExchange a raw GitHub token for a Copilot API token, with fallback. Convenience wrapper: returns the exchanged token on success, or the raw token unchanged if the exchange fails (e.g. network error, unsupported account type). This preserves existing behaviour for accounts that don't need exchange while enabling access to internal-only models for those that do. z2Copilot token exchange failed, using raw token: %sN)rrr"rO)rr_rWs rget_copilot_api_tokenrasw -i88 1  I3OOOs A AA A TF) is_agent_turn is_visionrboolrdict[str, str]c,dddd|rdndd}|rd|d <|S) z~Build the standard headers for Copilot API requests. Replicates the header set used by opencode and the Copilot CLI. rr`z vscode-chatzconversation-editsagentuser)rrbzCopilot-Integration-Idz Openai-Intentz x-initiatortruezCopilot-Vision-Requestr?)rrrds rcopilot_request_headersrusB+'"/-"/;wwV G3,2() Nr)rrrr)rr)rr+)rr;)rXrrYrZrr;)rrrr)rrrGrZrr)rrrrrr)%__doc__ __future__rrloggingr r/rKrpathlibrtypingr getLogger__name__r"r|r_SUPPORTED_PREFIXESrrrrr*r:r$rr__annotations__rrrrrrrrr?rrrs$#"""""     8 $ $15H"#*>*L xxxxxx~,. ----!I"1???? @D5!5!5!5!5!5!p,r