Merge pull request #107 from rithulkamesh/main

feat: GitHub Models provider + interactive onboard (keychain-backed)
2026-04-02 20:14:51 +08:00
parent 6b7c0e5339 0a42839475
commit 903a30916a
24 changed files with 1064 additions and 44 deletions
--- a/src/utils/auth.ts
+++ b/src/utils/auth.ts
@@ -117,7 +117,8 @@ export function isAnthropicAuthEnabled(): boolean {
    isEnvTruthy(process.env.CLAUDE_CODE_USE_VERTEX) ||
    isEnvTruthy(process.env.CLAUDE_CODE_USE_FOUNDRY) ||
    isEnvTruthy(process.env.CLAUDE_CODE_USE_OPENAI) ||
-    isEnvTruthy(process.env.CLAUDE_CODE_USE_GEMINI)
+    isEnvTruthy(process.env.CLAUDE_CODE_USE_GEMINI) ||
+    isEnvTruthy(process.env.CLAUDE_CODE_USE_GITHUB)

  // Check if user has configured an external API key source
  // This allows externally-provided API keys to work (without requiring proxy configuration)
@@ -1731,14 +1732,15 @@ export function getSubscriptionName(): string {
  }
 }

-/** Check if using third-party services (Bedrock or Vertex or Foundry or OpenAI-compatible or Gemini) */
+/** Check if using third-party services (Bedrock or Vertex or Foundry or OpenAI-compatible or Gemini or GitHub Models) */
 export function isUsing3PServices(): boolean {
  return !!(
    isEnvTruthy(process.env.CLAUDE_CODE_USE_BEDROCK) ||
    isEnvTruthy(process.env.CLAUDE_CODE_USE_VERTEX) ||
    isEnvTruthy(process.env.CLAUDE_CODE_USE_FOUNDRY) ||
    isEnvTruthy(process.env.CLAUDE_CODE_USE_OPENAI) ||
-    isEnvTruthy(process.env.CLAUDE_CODE_USE_GEMINI)
+    isEnvTruthy(process.env.CLAUDE_CODE_USE_GEMINI) ||
+    isEnvTruthy(process.env.CLAUDE_CODE_USE_GITHUB)
  )
 }

--- a/src/utils/context.ts
+++ b/src/utils/context.ts
@@ -77,7 +77,9 @@ export function getContextWindowForModel(
    process.env.CLAUDE_CODE_USE_OPENAI === '1' ||
    process.env.CLAUDE_CODE_USE_OPENAI === 'true' ||
    process.env.CLAUDE_CODE_USE_GEMINI === '1' ||
-    process.env.CLAUDE_CODE_USE_GEMINI === 'true'
+    process.env.CLAUDE_CODE_USE_GEMINI === 'true' ||
+    process.env.CLAUDE_CODE_USE_GITHUB === '1' ||
+    process.env.CLAUDE_CODE_USE_GITHUB === 'true'
  ) {
    const openaiWindow = getOpenAIContextWindow(model)
    if (openaiWindow !== undefined) {
@@ -181,7 +183,9 @@ export function getModelMaxOutputTokens(model: string): {
    process.env.CLAUDE_CODE_USE_OPENAI === '1' ||
    process.env.CLAUDE_CODE_USE_OPENAI === 'true' ||
    process.env.CLAUDE_CODE_USE_GEMINI === '1' ||
-    process.env.CLAUDE_CODE_USE_GEMINI === 'true'
+    process.env.CLAUDE_CODE_USE_GEMINI === 'true' ||
+    process.env.CLAUDE_CODE_USE_GITHUB === '1' ||
+    process.env.CLAUDE_CODE_USE_GITHUB === 'true'
  ) {
    const openaiMax = getOpenAIMaxOutputTokens(model)
    if (openaiMax !== undefined) {
--- a/src/utils/githubModelsCredentials.hydrate.test.ts
+++ b/src/utils/githubModelsCredentials.hydrate.test.ts
@@ -0,0 +1,66 @@
+/**
+ * Hydrate tests live in a separate file with no static import of
+ * githubModelsCredentials so Bun's mock.module can replace secureStorage
+ * before that module is first loaded.
+ */
+import { afterEach, describe, expect, mock, test } from 'bun:test'
+
+describe('hydrateGithubModelsTokenFromSecureStorage', () => {
+  const orig = {
+    CLAUDE_CODE_USE_GITHUB: process.env.CLAUDE_CODE_USE_GITHUB,
+    GITHUB_TOKEN: process.env.GITHUB_TOKEN,
+    GH_TOKEN: process.env.GH_TOKEN,
+    CLAUDE_CODE_SIMPLE: process.env.CLAUDE_CODE_SIMPLE,
+  }
+
+  afterEach(() => {
+    mock.restore()
+    for (const [k, v] of Object.entries(orig)) {
+      if (v === undefined) {
+        delete process.env[k as keyof typeof orig]
+      } else {
+        process.env[k as keyof typeof orig] = v
+      }
+    }
+  })
+
+  test('sets GITHUB_TOKEN from secure storage when USE_GITHUB and env token empty', async () => {
+    process.env.CLAUDE_CODE_USE_GITHUB = '1'
+    delete process.env.GITHUB_TOKEN
+    delete process.env.GH_TOKEN
+    delete process.env.CLAUDE_CODE_SIMPLE
+
+    mock.module('./secureStorage/index.js', () => ({
+      getSecureStorage: () => ({
+        read: () => ({
+          githubModels: { accessToken: 'stored-secret' },
+        }),
+      }),
+    }))
+
+    const { hydrateGithubModelsTokenFromSecureStorage } = await import(
+      './githubModelsCredentials.js'
+    )
+    hydrateGithubModelsTokenFromSecureStorage()
+    expect(process.env.GITHUB_TOKEN).toBe('stored-secret')
+  })
+
+  test('does not override existing GITHUB_TOKEN', async () => {
+    process.env.CLAUDE_CODE_USE_GITHUB = '1'
+    process.env.GITHUB_TOKEN = 'already'
+
+    mock.module('./secureStorage/index.js', () => ({
+      getSecureStorage: () => ({
+        read: () => ({
+          githubModels: { accessToken: 'stored-secret' },
+        }),
+      }),
+    }))
+
+    const { hydrateGithubModelsTokenFromSecureStorage } = await import(
+      './githubModelsCredentials.js'
+    )
+    hydrateGithubModelsTokenFromSecureStorage()
+    expect(process.env.GITHUB_TOKEN).toBe('already')
+  })
+})
--- a/src/utils/githubModelsCredentials.test.ts
+++ b/src/utils/githubModelsCredentials.test.ts
@@ -0,0 +1,47 @@
+import { describe, expect, test } from 'bun:test'
+
+import {
+  clearGithubModelsToken,
+  readGithubModelsToken,
+  saveGithubModelsToken,
+} from './githubModelsCredentials.js'
+
+describe('readGithubModelsToken', () => {
+  test('returns undefined in bare mode', () => {
+    const prev = process.env.CLAUDE_CODE_SIMPLE
+    process.env.CLAUDE_CODE_SIMPLE = '1'
+    expect(readGithubModelsToken()).toBeUndefined()
+    if (prev === undefined) {
+      delete process.env.CLAUDE_CODE_SIMPLE
+    } else {
+      process.env.CLAUDE_CODE_SIMPLE = prev
+    }
+  })
+})
+
+describe('saveGithubModelsToken / clearGithubModelsToken', () => {
+  test('save returns failure in bare mode', () => {
+    const prev = process.env.CLAUDE_CODE_SIMPLE
+    process.env.CLAUDE_CODE_SIMPLE = '1'
+    const r = saveGithubModelsToken('abc')
+    expect(r.success).toBe(false)
+    expect(r.warning).toContain('Bare mode')
+    if (prev === undefined) {
+      delete process.env.CLAUDE_CODE_SIMPLE
+    } else {
+      process.env.CLAUDE_CODE_SIMPLE = prev
+    }
+  })
+
+  test('clear succeeds in bare mode', () => {
+    const prev = process.env.CLAUDE_CODE_SIMPLE
+    process.env.CLAUDE_CODE_SIMPLE = '1'
+    expect(clearGithubModelsToken().success).toBe(true)
+    if (prev === undefined) {
+      delete process.env.CLAUDE_CODE_SIMPLE
+    } else {
+      process.env.CLAUDE_CODE_SIMPLE = prev
+    }
+  })
+})
+
--- a/src/utils/githubModelsCredentials.ts
+++ b/src/utils/githubModelsCredentials.ts
@@ -0,0 +1,73 @@
+import { isBareMode, isEnvTruthy } from './envUtils.js'
+import { getSecureStorage } from './secureStorage/index.js'
+
+/** JSON key in the shared OpenClaude secure storage blob. */
+export const GITHUB_MODELS_STORAGE_KEY = 'githubModels' as const
+
+export type GithubModelsCredentialBlob = {
+  accessToken: string
+}
+
+export function readGithubModelsToken(): string | undefined {
+  if (isBareMode()) return undefined
+  try {
+    const data = getSecureStorage().read() as
+      | ({ githubModels?: GithubModelsCredentialBlob } & Record<string, unknown>)
+      | null
+    const t = data?.githubModels?.accessToken?.trim()
+    return t || undefined
+  } catch {
+    return undefined
+  }
+}
+
+/**
+ * If GitHub Models mode is on and no token is in the environment, copy the
+ * stored token into process.env so the OpenAI shim and validation see it.
+ */
+export function hydrateGithubModelsTokenFromSecureStorage(): void {
+  if (!isEnvTruthy(process.env.CLAUDE_CODE_USE_GITHUB)) {
+    return
+  }
+  if (process.env.GITHUB_TOKEN?.trim() || process.env.GH_TOKEN?.trim()) {
+    return
+  }
+  if (isBareMode()) {
+    return
+  }
+  const t = readGithubModelsToken()
+  if (t) {
+    process.env.GITHUB_TOKEN = t
+  }
+}
+
+export function saveGithubModelsToken(token: string): {
+  success: boolean
+  warning?: string
+} {
+  if (isBareMode()) {
+    return { success: false, warning: 'Bare mode: secure storage is disabled.' }
+  }
+  const trimmed = token.trim()
+  if (!trimmed) {
+    return { success: false, warning: 'Token is empty.' }
+  }
+  const secureStorage = getSecureStorage()
+  const prev = secureStorage.read() || {}
+  const merged = {
+    ...(prev as Record<string, unknown>),
+    [GITHUB_MODELS_STORAGE_KEY]: { accessToken: trimmed },
+  }
+  return secureStorage.update(merged as typeof prev)
+}
+
+export function clearGithubModelsToken(): { success: boolean; warning?: string } {
+  if (isBareMode()) {
+    return { success: true }
+  }
+  const secureStorage = getSecureStorage()
+  const prev = secureStorage.read() || {}
+  const next = { ...(prev as Record<string, unknown>) }
+  delete next[GITHUB_MODELS_STORAGE_KEY]
+  return secureStorage.update(next as typeof prev)
+}
--- a/src/utils/managedEnvConstants.ts
+++ b/src/utils/managedEnvConstants.ts
@@ -18,6 +18,7 @@ const PROVIDER_MANAGED_ENV_VARS = new Set([
  'CLAUDE_CODE_USE_BEDROCK',
  'CLAUDE_CODE_USE_VERTEX',
  'CLAUDE_CODE_USE_FOUNDRY',
+  'CLAUDE_CODE_USE_GITHUB',
  // Endpoint config (base URLs, project/resource identifiers)
  'ANTHROPIC_BASE_URL',
  'ANTHROPIC_BEDROCK_BASE_URL',
@@ -147,6 +148,7 @@ export const SAFE_ENV_VARS = new Set([
  'CLAUDE_CODE_SUBAGENT_MODEL',
  'CLAUDE_CODE_USE_BEDROCK',
  'CLAUDE_CODE_USE_FOUNDRY',
+  'CLAUDE_CODE_USE_GITHUB',
  'CLAUDE_CODE_USE_VERTEX',
  'DISABLE_AUTOUPDATER',
  'DISABLE_BUG_COMMAND',
--- a/src/utils/model/providers.test.ts
+++ b/src/utils/model/providers.test.ts
@@ -7,6 +7,7 @@ import {

 const originalEnv = {
  CLAUDE_CODE_USE_GEMINI: process.env.CLAUDE_CODE_USE_GEMINI,
+  CLAUDE_CODE_USE_GITHUB: process.env.CLAUDE_CODE_USE_GITHUB,
  CLAUDE_CODE_USE_OPENAI: process.env.CLAUDE_CODE_USE_OPENAI,
  CLAUDE_CODE_USE_BEDROCK: process.env.CLAUDE_CODE_USE_BEDROCK,
  CLAUDE_CODE_USE_VERTEX: process.env.CLAUDE_CODE_USE_VERTEX,
@@ -15,6 +16,7 @@ const originalEnv = {

 afterEach(() => {
  process.env.CLAUDE_CODE_USE_GEMINI = originalEnv.CLAUDE_CODE_USE_GEMINI
+  process.env.CLAUDE_CODE_USE_GITHUB = originalEnv.CLAUDE_CODE_USE_GITHUB
  process.env.CLAUDE_CODE_USE_OPENAI = originalEnv.CLAUDE_CODE_USE_OPENAI
  process.env.CLAUDE_CODE_USE_BEDROCK = originalEnv.CLAUDE_CODE_USE_BEDROCK
  process.env.CLAUDE_CODE_USE_VERTEX = originalEnv.CLAUDE_CODE_USE_VERTEX
@@ -23,6 +25,7 @@ afterEach(() => {

 function clearProviderEnv(): void {
  delete process.env.CLAUDE_CODE_USE_GEMINI
+  delete process.env.CLAUDE_CODE_USE_GITHUB
  delete process.env.CLAUDE_CODE_USE_OPENAI
  delete process.env.CLAUDE_CODE_USE_BEDROCK
  delete process.env.CLAUDE_CODE_USE_VERTEX
@@ -38,6 +41,7 @@ test('first-party provider keeps Anthropic account setup flow enabled', () => {

 test.each([
  ['CLAUDE_CODE_USE_OPENAI', 'openai'],
+  ['CLAUDE_CODE_USE_GITHUB', 'github'],
  ['CLAUDE_CODE_USE_GEMINI', 'gemini'],
  ['CLAUDE_CODE_USE_BEDROCK', 'bedrock'],
  ['CLAUDE_CODE_USE_VERTEX', 'vertex'],
@@ -52,3 +56,11 @@ test.each([
    expect(usesAnthropicAccountFlow()).toBe(false)
  },
 )
+
+test('GEMINI takes precedence over GitHub when both are set', () => {
+  clearProviderEnv()
+  process.env.CLAUDE_CODE_USE_GEMINI = '1'
+  process.env.CLAUDE_CODE_USE_GITHUB = '1'
+
+  expect(getAPIProvider()).toBe('gemini')
+})
--- a/src/utils/model/providers.ts
+++ b/src/utils/model/providers.ts
@@ -1,20 +1,29 @@
 import type { AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS } from '../../services/analytics/index.js'
 import { isEnvTruthy } from '../envUtils.js'

-export type APIProvider = 'firstParty' | 'bedrock' | 'vertex' | 'foundry' | 'openai' | 'gemini'
+export type APIProvider =
+  | 'firstParty'
+  | 'bedrock'
+  | 'vertex'
+  | 'foundry'
+  | 'openai'
+  | 'gemini'
+  | 'github'

 export function getAPIProvider(): APIProvider {
  return isEnvTruthy(process.env.CLAUDE_CODE_USE_GEMINI)
    ? 'gemini'
-    : isEnvTruthy(process.env.CLAUDE_CODE_USE_OPENAI)
-      ? 'openai'
-      : isEnvTruthy(process.env.CLAUDE_CODE_USE_BEDROCK)
-        ? 'bedrock'
-        : isEnvTruthy(process.env.CLAUDE_CODE_USE_VERTEX)
-          ? 'vertex'
-          : isEnvTruthy(process.env.CLAUDE_CODE_USE_FOUNDRY)
-            ? 'foundry'
-            : 'firstParty'
+    : isEnvTruthy(process.env.CLAUDE_CODE_USE_GITHUB)
+      ? 'github'
+      : isEnvTruthy(process.env.CLAUDE_CODE_USE_OPENAI)
+        ? 'openai'
+        : isEnvTruthy(process.env.CLAUDE_CODE_USE_BEDROCK)
+          ? 'bedrock'
+          : isEnvTruthy(process.env.CLAUDE_CODE_USE_VERTEX)
+            ? 'vertex'
+            : isEnvTruthy(process.env.CLAUDE_CODE_USE_FOUNDRY)
+              ? 'foundry'
+              : 'firstParty'
 }

 export function usesAnthropicAccountFlow(): boolean {
--- a/src/utils/providerProfile.ts
+++ b/src/utils/providerProfile.ts
@@ -205,6 +205,7 @@ export async function buildLaunchEnv(options: {
    }

    delete env.CLAUDE_CODE_USE_OPENAI
+    delete env.CLAUDE_CODE_USE_GITHUB

    env.GEMINI_MODEL =
      processEnv.GEMINI_MODEL ||
@@ -239,6 +240,7 @@ export async function buildLaunchEnv(options: {
  }

  delete env.CLAUDE_CODE_USE_GEMINI
+  delete env.CLAUDE_CODE_USE_GITHUB
  delete env.GEMINI_API_KEY
  delete env.GEMINI_MODEL
  delete env.GEMINI_BASE_URL
--- a/src/utils/swarm/spawnUtils.ts
+++ b/src/utils/swarm/spawnUtils.ts
@@ -99,6 +99,18 @@ const TEAMMATE_ENV_VARS = [
  'CLAUDE_CODE_USE_BEDROCK',
  'CLAUDE_CODE_USE_VERTEX',
  'CLAUDE_CODE_USE_FOUNDRY',
+  'CLAUDE_CODE_USE_GITHUB',
+  'CLAUDE_CODE_USE_GEMINI',
+  'CLAUDE_CODE_USE_OPENAI',
+  'GITHUB_TOKEN',
+  'GH_TOKEN',
+  'OPENAI_API_KEY',
+  'OPENAI_BASE_URL',
+  'OPENAI_MODEL',
+  'GEMINI_API_KEY',
+  'GEMINI_BASE_URL',
+  'GEMINI_MODEL',
+  'GOOGLE_API_KEY',
  // Custom API endpoint
  'ANTHROPIC_BASE_URL',
  // Config directory override