feat: enhanced GitHub Copilot integration — SDK provider, CLI backend, and thinking signature fix #3

Open
tag-assistant wants to merge 1058 commits into main from copilot

@tag-assistant
Owner

Summary

  • Problem: OpenClaw's existing Copilot support lacks SDK-based auth/model discovery, CLI backend support, and has a critical bug where multi-turn conversations crash with HTTP 400 when Claude models replay thinking blocks with field-name-as-signature through the openai-completions API.
  • Why it matters: Users leveraging GitHub Copilot as a model provider (Claude Opus 4.6, GPT-5.3, etc.) get proper token management, automatic model discovery, CLI-mode support, and reliable multi-turn conversations without crashes.
  • What changed: (1) Full Copilot SDK provider with auth and model discovery, (2) Copilot CLI backend for terminal usage, (3) Sanitizer that strips thinking blocks with fake signatures before they poison future turns.
  • What did NOT change: No modifications to existing Copilot provider behavior — these are additive enhancements. Direct Anthropic/OpenAI/Google API paths are untouched.

Change Type (select all)

  • Bug fix
  • Feature

Scope (select all touched areas)

  • Auth / tokens
  • Integrations
  • API / contracts

Linked Issue/PR

Commits

  1. feat: add GitHub Copilot SDK as CLI backend — Copilot credentials, SDK wrapper, CLI runner with streaming + tool call support (22 tests)
  2. feat: add Copilot SDK provider for auth and model discovery — Full provider registration, token management, auto model discovery (31 tests)
  3. fix: strip thinking blocks with field-name-as-signature — Sanitizer + transcript policy for the openai-completions thinking signature bug (15 tests)

User-visible / Behavior Changes

  • New provider github-copilot available for model configuration with SDK-based auth
  • Copilot models (Claude Opus 4.6, GPT-5.3, etc.) auto-discovered from the API
  • copilot CLI backend available for terminal usage
  • Multi-turn conversations with Claude models via Copilot no longer crash with "Invalid signature in thinking block" errors
  • New stripCompletionsReasoningFieldSignatures transcript policy flag — enabled automatically for non-native providers using openai-completions

Security Impact (required)

  • New permissions/capabilities? Yes — Copilot SDK auth reads/refreshes tokens from GitHub
  • Secrets/tokens handling changed? Yes — new Copilot token management flow
  • New/changed network calls? Yes — calls to Copilot API for auth and model discovery
  • Command/tool execution surface changed? No
  • Data access scope changed? No
  • Risk + mitigation: Token handling follows existing auth profile patterns. Tokens stored in standard credential store, not logged. API calls use HTTPS only.

Evidence

68 tests passing across 6 test files. Live-tested all models: Claude Opus 4.6 ✅, 4.6 Fast ✅, 4.6 1M ✅, GPT-5.3 Codex ✅

Human Verification (required)

  • Verified: Multi-turn conversations with all Copilot Claude models, thinking block replay, fallback chain, CLI backend streaming
  • Edge cases: Real signatures preserved (not stripped), non-Copilot providers unaffected, mixed thinking/non-thinking turns
  • Not verified: Windows, Docker sandbox mode

Compatibility / Migration

  • Backward compatible? Yes
  • Config/env changes? Yes — new optional github-copilot provider config
  • Migration needed? No

Failure Recovery (if this breaks)

  • Remove github-copilot provider from config, switch to another provider
  • Known symptoms: Auth failures if token expires (auto-refreshes)

Risks and Mitigations

  • Risk: Copilot API changes model IDs or auth flow
    • Mitigation: SDK-based discovery adapts automatically
  • Risk: Thinking signature stripping too aggressive
    • Mitigation: Only targets field-name patterns, real cryptographic signatures preserved. Policy only activates for non-native providers.
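
A sketch of the stripping rule described above, added here as an example and not taken from this PR's code. The block shape (`thinkingSignature`), the list of reasoning field names, the function names and the choice to drop an assistant turn left empty are all assumptions; the transcript is constructed.

```typescript
// Added example; block shape, field names and function names are assumptions.
interface ThinkingBlock { type: "thinking"; thinking: string; thinkingSignature?: string }
interface TextBlock { type: "text"; text: string }
type Block = ThinkingBlock | TextBlock;
interface Message { role: "user" | "assistant"; content: Block[] }

// Assumed names of the reasoning field in openai-completions responses.
const REASONING_FIELD_NAMES = ["reasoning_content", "reasoning", "reasoning_text"];

// True only when the "signature" is literally a field name, not an opaque value.
function hasFieldNameSignature(block: Block): boolean {
  const sig = block.type === "thinking" ? block.thinkingSignature : undefined;
  return typeof sig === "string" && REASONING_FIELD_NAMES.indexOf(sig.trim()) !== -1;
}

function stripFieldNameSignedThinking(transcript: Message[]): { messages: Message[]; stripped: number } {
  let stripped = 0;
  const messages: Message[] = [];
  for (const msg of transcript) {
    if (msg.role !== "assistant") { messages.push(msg); continue; }
    const kept = msg.content.filter((b) => !hasFieldNameSignature(b));
    stripped += msg.content.length - kept.length;
    // Assumption: a turn that held nothing but fake-signed thinking is dropped,
    // because an assistant message with empty content is not replayable either.
    if (kept.length > 0) messages.push({ role: msg.role, content: kept });
  }
  return { messages, stripped };
}

// Constructed transcript: one fake-signed block, one opaque signature, one thinking-only turn.
const SAMPLE_TRANSCRIPT: Message[] = [
  { role: "user", content: [{ type: "text", text: "first question" }] },
  { role: "assistant", content: [
    { type: "thinking", thinking: "draft", thinkingSignature: "reasoning_content" },
    { type: "text", text: "first answer" } ] },
  { role: "user", content: [{ type: "text", text: "second question" }] },
  { role: "assistant", content: [
    { type: "thinking", thinking: "draft", thinkingSignature: "CONSTRUCTED-OPAQUE-SIGNATURE==" },
    { type: "text", text: "second answer" } ] },
  { role: "user", content: [{ type: "text", text: "third question" }] },
  { role: "assistant", content: [
    { type: "thinking", thinking: "draft", thinkingSignature: "reasoning" } ] },
];
```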

@github-actions

⚠️ Formal models conformance drift detected

The formal models extracted constants (generated/*) do not match this openclaw PR.

This check is informational (not blocking merges yet).
See the formal-models-conformance-drift artifact for the diff.

If this change is intentional, follow up by updating the formal models repo or regenerating the extracted artifacts there.

@austenstone austenstone requested a review from Copilot February 16, 2026 13:58

康熙 and others added 6 commits February 17, 2026 00:00
Windows path.relative() produces backslashes (e.g., memory\2026-02-16.md)
which fail to match RegExp patterns using forward slashes.

Normalize relative paths to forward slashes before RegExp matching
using rel.split(path.sep).join('/').

Fixes 4 test failures on Windows CI.

Implement comprehensive environment variable sanitization before Docker
container creation to prevent credential theft via post-exploitation
environment access.

Security Impact:
- Blocks 39+ sensitive credential patterns (API keys, tokens, passwords)
- Prevents exfiltration of ANTHROPIC_API_KEY, OPENAI_API_KEY, etc.
- Fail-secure validation with audit logging

Changes:
- Add sanitize-env-vars.ts with blocklist/allowlist validation
- Integrate sanitization into docker.ts (lines 273-294)
- Add validateEnvVars() to security validation
- Comprehensive test suite (62 tests, 100% pass rate)

Test Results: 62/62 passing
Code Review: 9.5/10 approved
Severity: HIGH (CWE-200, CVSS 7.5)

Signed-off-by: Aether AI Agent <github@tryaether.ai>
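
The blocklist/allowlist check this commit message describes, sketched as an added example; it is not the contents of sanitize-env-vars.ts. The patterns, the base allowlist, the function names and the sample environment are assumptions constructed for illustration.

```typescript
// Added example; patterns, allowlist and function names are assumptions.
type EnvMap = { [name: string]: string };
interface SanitizeResult {
  allowed: EnvMap;
  blocked: { name: string; reason: string }[]; // audit records: names only, never values
}

const BLOCKED_NAME_PATTERNS: RegExp[] = [
  /_API_KEY$/i,
  /(^|_)(TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIALS?)($|_)/i,
];
const BASE_ALLOWED = ["PATH", "HOME", "LANG", "TZ", "NODE_ENV"];
const VALID_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

function sanitizeEnvVars(env: EnvMap, extraAllowed: string[] = []): SanitizeResult {
  const allow = BASE_ALLOWED.concat(extraAllowed);
  const result: SanitizeResult = { allowed: {}, blocked: [] };
  for (const name of Object.keys(env)) {
    const value = env[name];
    let reason = "";
    if (!VALID_NAME.test(name)) reason = "invalid name";
    // Blocklist runs before the allowlist, so an allowlist entry cannot re-admit a credential.
    else if (BLOCKED_NAME_PATTERNS.some((p) => p.test(name))) reason = "credential pattern";
    else if (allow.indexOf(name) === -1) reason = "not allowlisted"; // fail secure on unknowns
    else if (/[\0\r\n]/.test(value)) reason = "control character in value";
    if (reason) result.blocked.push({ name, reason });
    else result.allowed[name] = value;
  }
  return result;
}

// Only variables that survived sanitization reach the container's argument list.
function toDockerEnvArgs(result: SanitizeResult): string[] {
  const args: string[] = [];
  for (const name of Object.keys(result.allowed)) args.push("-e", `${name}=${result.allowed[name]}`);
  return args;
}

// Constructed host environment; the values are placeholders, not real secrets.
const SAMPLE_ENV: EnvMap = {
  PATH: "/usr/local/bin:/usr/bin",
  NODE_ENV: "production",
  ANTHROPIC_API_KEY: "constructed-placeholder",
  OPENAI_API_KEY: "constructed-placeholder",
  GITHUB_TOKEN: "constructed-placeholder",
  EDITOR: "vim",
  "BAD NAME": "x",
};
```

Calling `sanitizeEnvVars(SAMPLE_ENV, ["OPENAI_API_KEY"])` still blocks `OPENAI_API_KEY`, which is the property to check when reviewing the ordering of the two lists.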

…nded

When a depth-2 subagent (Birdie) completes and its parent (Newton) is a
depth-1 subagent, the announce should go to Newton, not bypass to the
grandparent (Jaris).

Previously, isSubagentSessionRunActive(Newton) returned false because
Newton's agent turn completed after spawning Birdie. This triggered the
fallback to grandparent even though Newton's SESSION was still alive and
waiting for child results.

Now we only fallback to grandparent if the parent SESSION is actually
deleted (no sessionId in session store). If the parent session exists,
we inject into it even if the current run has ended — this starts a new
agent turn to process the child result.

Fixes openclaw#18037

Test Plan:
- Added regression test: routes to parent when run ended but session alive
- Added regression test: falls back to grandparent only when session deleted

Discord's formatAllowFrom now strips these prefixes before matching,
aligning with normalizeDiscordAllowList behavior used in DM admission.

Before: commands.allowFrom: ["user:123"] → no match (senderCandidates: ["123", "discord:123"])
After: commands.allowFrom: ["user:123"] → "123" → matches sender "123"

Fixes openclaw#17937

sebslight and others added 28 commits February 16, 2026 22:59
…tsApp messages default to enabling link previews for URLs. This adds
support for overriding this behavior per-message via the
parameter (e.g. from tool options), consistent with Telegram.

Fix: Updated internal WhatsApp Web API layers to pass option
down to Baileys ."

This reverts commit 1bef2fc.