fix(sandbox): stage opencode copilot auth in cluster mode

Author: linuxdevel

crates/openshell-providers/src/context.rs

@@ -3,6 +3,7 @@
 
 pub trait DiscoveryContext {
     fn env_var(&self, key: &str) -> Option<String>;
+    fn read_file(&self, path: &std::path::Path) -> Option<String>;
 }
 
 pub struct RealDiscoveryContext;
@@ -11,4 +12,8 @@ impl DiscoveryContext for RealDiscoveryContext {
     fn env_var(&self, key: &str) -> Option<String> {
         std::env::var(key).ok()
     }
+
+    fn read_file(&self, path: &std::path::Path) -> Option<String> {
+        std::fs::read_to_string(path).ok()
+    }
 }

crates/openshell-providers/src/providers/github.rs

@@ -4,8 +4,10 @@
 use crate::{
     discover_with_spec, ProviderDiscoverySpec, ProviderError, ProviderPlugin, RealDiscoveryContext,
 };
+use std::path::PathBuf;
 
 pub struct GithubProvider;
+const OPENCODE_AUTH_JSON_CREDENTIAL_KEY: &str = "OPENCODE_AUTH_JSON";
 
 pub const SPEC: ProviderDiscoverySpec = ProviderDiscoverySpec {
     id: "github",
@@ -18,14 +20,40 @@ impl ProviderPlugin for GithubProvider {
     }
 
     fn discover_existing(&self) -> Result<Option<crate::DiscoveredProvider>, ProviderError> {
-        discover_with_spec(&SPEC, &RealDiscoveryContext)
+        discover_existing_with_context(&RealDiscoveryContext)
     }
 
     fn credential_env_vars(&self) -> &'static [&'static str] {
         SPEC.credential_env_vars
     }
 }
 
+fn discover_existing_with_context(
+    context: &dyn crate::DiscoveryContext,
+) -> Result<Option<crate::DiscoveredProvider>, ProviderError> {
+    let mut discovered = discover_with_spec(&SPEC, context)?.unwrap_or_default();
+
+    let auth_path = context
+        .env_var("HOME")
+        .map(PathBuf::from)
+        .unwrap_or_else(|| PathBuf::from("/"))
+        .join(".local/share/opencode/auth.json");
+
+    if let Some(contents) = context.read_file(&auth_path)
+        && !contents.trim().is_empty()
+    {
+        discovered
+            .credentials
+            .insert(OPENCODE_AUTH_JSON_CREDENTIAL_KEY.to_string(), contents);
+    }
+
+    if discovered.is_empty() {
+        Ok(None)
+    } else {
+        Ok(Some(discovered))
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::SPEC;
@@ -75,4 +103,25 @@ mod tests {
             ])
         );
     }
+
+    #[test]
+    fn discovers_opencode_auth_json_as_additional_github_credential() {
+        let ctx = MockDiscoveryContext::new()
+            .with_env("HOME", "/home/alice")
+            .with_file(
+            "/home/alice/.local/share/opencode/auth.json",
+            r#"{"github-copilot":{"type":"oauth","access":"tok","refresh":"tok","expires":0}}"#,
+        );
+
+        let discovered = super::discover_existing_with_context(&ctx)
+            .expect("discovery")
+            .expect("provider");
+
+        assert_eq!(
+            discovered
+                .credentials
+                .get(super::OPENCODE_AUTH_JSON_CREDENTIAL_KEY),
+            Some(&r#"{"github-copilot":{"type":"oauth","access":"tok","refresh":"tok","expires":0}}"#.to_string())
+        );
+    }
 }

crates/openshell-providers/src/test_helpers.rs

@@ -3,10 +3,12 @@
 
 use crate::DiscoveryContext;
 use std::collections::HashMap;
+use std::path::{Path, PathBuf};
 
 #[derive(Default)]
 pub struct MockDiscoveryContext {
     env: HashMap<String, String>,
+    files: HashMap<PathBuf, String>,
 }
 
 impl MockDiscoveryContext {
@@ -18,10 +20,19 @@ impl MockDiscoveryContext {
         self.env.insert(key.to_string(), value.to_string());
         self
     }
+
+    pub fn with_file(mut self, path: &str, value: &str) -> Self {
+        self.files.insert(PathBuf::from(path), value.to_string());
+        self
+    }
 }
 
 impl DiscoveryContext for MockDiscoveryContext {
     fn env_var(&self, key: &str) -> Option<String> {
         self.env.get(key).cloned()
     }
+
+    fn read_file(&self, path: &Path) -> Option<String> {
+        self.files.get(path).cloned()
+    }
 }

crates/openshell-sandbox/src/child_env.rs

@@ -8,6 +8,7 @@ const LOCAL_NO_PROXY: &str = "127.0.0.1,localhost,::1";
 const OPENCODE_AUTH_RELATIVE_PATH: &str = ".local/share/opencode/auth.json";
 const SANDBOX_XDG_DATA_HOME: &str = "/sandbox/.local/share";
 const SANDBOX_OPENCODE_AUTH_PATH: &str = "/sandbox/.local/share/opencode/auth.json";
+const OPENCODE_AUTH_JSON_CREDENTIAL_KEY: &str = "OPENCODE_AUTH_JSON";
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub(crate) enum ToolAdapter {
@@ -65,8 +66,22 @@ pub(crate) fn tool_runtime_env_vars(
     }
 }
 
+pub(crate) fn suppressed_provider_env_keys(
+    command: &[String],
+    provider_env: &std::collections::HashMap<String, String>,
+) -> &'static [&'static str] {
+    match detect_tool_adapter(command) {
+        Some(ToolAdapter::OpenCode) if is_github_copilot_targeted(provider_env) => {
+            &["GITHUB_TOKEN", "GH_TOKEN"]
+        }
+        _ => &[],
+    }
+}
+
 fn is_github_copilot_targeted(provider_env: &std::collections::HashMap<String, String>) -> bool {
-    provider_env.contains_key("GITHUB_TOKEN") || provider_env.contains_key("GH_TOKEN")
+    provider_env.contains_key("GITHUB_TOKEN")
+        || provider_env.contains_key("GH_TOKEN")
+        || provider_env.contains_key(OPENCODE_AUTH_JSON_CREDENTIAL_KEY)
 }
 
 pub(crate) fn proxy_env_vars(proxy_url: &str) -> [(&'static str, String); 9] {
@@ -229,6 +244,27 @@ mod tests {
         assert_eq!(tool_runtime_env_vars(&command, &provider_env), None);
     }
 
+    #[test]
+    fn opencode_auth_json_only_requests_auth_projection_and_xdg_override() {
+        let command = vec!["opencode".to_string(), "run".to_string()];
+        let provider_env = std::collections::HashMap::from([(
+            "OPENCODE_AUTH_JSON".to_string(),
+            r#"{"github-copilot":{"type":"oauth"}}"#.to_string(),
+        )]);
+
+        assert_eq!(
+            auth_file_projection(&command, Path::new("/home/alice"), &provider_env),
+            Some((
+                PathBuf::from("/home/alice/.local/share/opencode/auth.json"),
+                PathBuf::from("/sandbox/.local/share/opencode/auth.json"),
+            ))
+        );
+        assert_eq!(
+            tool_runtime_env_vars(&command, &provider_env),
+            Some([("XDG_DATA_HOME", "/sandbox/.local/share".to_string())])
+        );
+    }
+
     #[test]
     fn opencode_without_github_provider_does_not_request_auth_projection_or_xdg_override() {
         let command = vec!["opencode".to_string(), "run".to_string()];
@@ -240,4 +276,28 @@ mod tests {
         );
         assert_eq!(tool_runtime_env_vars(&command, &provider_env), None);
     }
+
+    #[test]
+    fn opencode_github_path_suppresses_placeholder_github_env_keys() {
+        let command = vec!["opencode".to_string(), "run".to_string()];
+        let provider_env =
+            std::collections::HashMap::from([("GITHUB_TOKEN".to_string(), "ghu-test".to_string())]);
+
+        assert_eq!(
+            suppressed_provider_env_keys(&command, &provider_env),
+            ["GITHUB_TOKEN", "GH_TOKEN"]
+        );
+    }
+
+    #[test]
+    fn unsupported_tools_do_not_suppress_provider_env_keys() {
+        let command = vec!["python".to_string(), "script.py".to_string()];
+        let provider_env =
+            std::collections::HashMap::from([("GITHUB_TOKEN".to_string(), "ghu-test".to_string())]);
+
+        assert_eq!(
+            suppressed_provider_env_keys(&command, &provider_env),
+            &[] as &[&str]
+        );
+    }
 }