feat: add GitHub Copilot provider with per-user token authentication

Author: ssncferreira

api.go

@@ -17,6 +17,7 @@ import (
 const (
 	ProviderAnthropic = config.ProviderAnthropic
 	ProviderOpenAI    = config.ProviderOpenAI
+	ProviderCopilot   = config.ProviderCopilot
 )
 
 type (
@@ -35,6 +36,7 @@ type (
 	AnthropicConfig  = config.Anthropic
 	AWSBedrockConfig = config.AWSBedrock
 	OpenAIConfig     = config.OpenAI
+	CopilotConfig    = config.Copilot
 )
 
 func AsActor(ctx context.Context, actorID string, metadata recorder.Metadata) context.Context {
@@ -49,6 +51,12 @@ func NewOpenAIProvider(cfg config.OpenAI) provider.Provider {
 	return provider.NewOpenAI(cfg)
 }
 
+func NewCopilotProvider(cfg config.Copilot) provider.Provider {
+	return provider.NewCopilot(provider.CopilotConfig{
+		CircuitBreaker: cfg.CircuitBreaker,
+	})
+}
+
 func NewMetrics(reg prometheus.Registerer) *metrics.Metrics {
 	return metrics.NewMetrics(reg)
 }

config/config.go

@@ -5,6 +5,7 @@ import "time"
 const (
 	ProviderAnthropic = "anthropic"
 	ProviderOpenAI    = "openai"
+	ProviderCopilot   = "copilot"
 )
 
 // CircuitBreaker holds configuration for circuit breakers.
@@ -57,4 +58,9 @@ type OpenAI struct {
 	Key            string
 	APIDumpDir     string
 	CircuitBreaker *CircuitBreaker
+	ExtraHeaders   map[string]string
+}
+
+type Copilot struct {
+	CircuitBreaker *CircuitBreaker
 }

intercept/chatcompletions/base.go

@@ -39,6 +39,11 @@ type interceptionBase struct {
 func (i *interceptionBase) newCompletionsService() openai.ChatCompletionService {
 	opts := []option.RequestOption{option.WithAPIKey(i.cfg.Key), option.WithBaseURL(i.cfg.BaseURL)}
 
+	// Add extra headers if configured
+	for key, value := range i.cfg.ExtraHeaders {
+		opts = append(opts, option.WithHeader(key, value))
+	}
+
 	// Add API dump middleware if configured
 	if mw := apidump.NewMiddleware(i.cfg.APIDumpDir, config.ProviderOpenAI, i.Model(), i.id, i.logger, quartz.NewReal()); mw != nil {
 		opts = append(opts, option.WithMiddleware(mw))

provider/copilot.go

@@ -0,0 +1,175 @@
+package provider
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/coder/aibridge/config"
+	"github.com/coder/aibridge/intercept"
+	"github.com/coder/aibridge/intercept/chatcompletions"
+	"github.com/coder/aibridge/intercept/responses"
+	"github.com/coder/aibridge/tracing"
+	"github.com/google/uuid"
+	"go.opentelemetry.io/otel/codes"
+	"go.opentelemetry.io/otel/trace"
+)
+
+const (
+	copilotBaseURL              = "https://api.individual.githubcopilot.com"
+	routeCopilotChatCompletions = "/copilot/chat/completions"
+	routeCopilotResponses       = "/copilot/responses"
+)
+
+var copilotOpenErrorResponse = func() []byte {
+	return []byte(`{"error":{"message":"circuit breaker is open","type":"server_error","code":"service_unavailable"}}`)
+}
+
+// CopilotConfig configures the Copilot provider.
+type CopilotConfig struct {
+	CircuitBreaker *config.CircuitBreaker
+}
+
+// Copilot implements the Provider interface for GitHub Copilot.
+// Unlike other providers, Copilot uses per-user API keys that are passed through
+// the request headers rather than configured statically.
+type Copilot struct {
+	circuitBreaker *config.CircuitBreaker
+}
+
+var _ Provider = &Copilot{}
+
+func NewCopilot(cfg CopilotConfig) *Copilot {
+	if cfg.CircuitBreaker != nil {
+		cfg.CircuitBreaker.OpenErrorResponse = copilotOpenErrorResponse
+	}
+	return &Copilot{
+		circuitBreaker: cfg.CircuitBreaker,
+	}
+}
+
+func (p *Copilot) Name() string {
+	return config.ProviderCopilot
+}
+
+func (p *Copilot) BaseURL() string {
+	return copilotBaseURL
+}
+
+func (p *Copilot) BridgedRoutes() []string {
+	return []string{
+		routeCopilotChatCompletions,
+		routeCopilotResponses,
+	}
+}
+
+func (p *Copilot) PassthroughRoutes() []string {
+	return []string{
+		"/models",
+		"/models/",
+		"/agents/",
+		"/mcp/",
+	}
+}
+
+func (p *Copilot) AuthHeader() string {
+	return "Authorization"
+}
+
+// InjectAuthHeader is a no-op for Copilot.
+// Copilot uses per-user tokens passed in the original Authorization header,
+// rather than a global key configured at the provider level.
+// The original Authorization header flows through untouched from the client.
+func (p *Copilot) InjectAuthHeader(_ *http.Header) {}
+
+func (p *Copilot) CircuitBreakerConfig() *config.CircuitBreaker {
+	return p.circuitBreaker
+}
+
+func (p *Copilot) CreateInterceptor(_ http.ResponseWriter, r *http.Request, tracer trace.Tracer) (_ intercept.Interceptor, outErr error) {
+	_, span := tracer.Start(r.Context(), "Intercept.CreateInterceptor")
+	defer tracing.EndSpanErr(span, &outErr)
+
+	// Extract the per-user Copilot key from the Authorization header.
+	key := extractBearerToken(r.Header.Get("Authorization"))
+	if key == "" {
+		span.SetStatus(codes.Error, "missing authorization")
+		return nil, fmt.Errorf("missing Copilot authorization: Authorization header not found or invalid")
+	}
+
+	payload, err := io.ReadAll(r.Body)
+	if err != nil {
+		return nil, fmt.Errorf("read body: %w", err)
+	}
+
+	id := uuid.New()
+
+	// Capture headers that need to be forwarded to Copilot API
+	extraHeaders := make(map[string]string)
+	if editorVersion := r.Header.Get("Editor-Version"); editorVersion != "" {
+		extraHeaders["Editor-Version"] = editorVersion
+	}
+	if copilotIntegrationID := r.Header.Get("Copilot-Integration-Id"); copilotIntegrationID != "" {
+		extraHeaders["Copilot-Integration-Id"] = copilotIntegrationID
+	}
+
+	// Build config for the interceptor using the per-request key.
+	// Copilot's API is OpenAI-compatible, so it uses the OpenAI interceptors
+	// that require a config.OpenAI.
+	cfg := config.OpenAI{
+		BaseURL:        copilotBaseURL,
+		Key:            key,
+		APIDumpDir:     os.Getenv("BRIDGE_DUMP_DIR"),
+		CircuitBreaker: p.circuitBreaker,
+		ExtraHeaders:   extraHeaders,
+	}
+
+	var interceptor intercept.Interceptor
+
+	switch r.URL.Path {
+	case routeCopilotChatCompletions:
+		var req chatcompletions.ChatCompletionNewParamsWrapper
+		if err := json.Unmarshal(payload, &req); err != nil {
+			return nil, fmt.Errorf("unmarshal chat completions request body: %w", err)
+		}
+
+		if req.Stream {
+			interceptor = chatcompletions.NewStreamingInterceptor(id, &req, cfg, tracer)
+		} else {
+			interceptor = chatcompletions.NewBlockingInterceptor(id, &req, cfg, tracer)
+		}
+
+	case routeCopilotResponses:
+		var req responses.ResponsesNewParamsWrapper
+		if err := json.Unmarshal(payload, &req); err != nil {
+			return nil, fmt.Errorf("unmarshal responses request body: %w", err)
+		}
+
+		if req.Stream {
+			interceptor = responses.NewStreamingInterceptor(id, &req, payload, cfg, req.Model, tracer)
+		} else {
+			interceptor = responses.NewBlockingInterceptor(id, &req, payload, cfg, req.Model, tracer)
+		}
+
+	default:
+		span.SetStatus(codes.Error, "unknown route: "+r.URL.Path)
+		return nil, UnknownRoute
+	}
+
+	span.SetAttributes(interceptor.TraceAttributes(r)...)
+	return interceptor, nil
+}
+
+// extractBearerToken extracts the token from a "Bearer <token>" authorization header.
+func extractBearerToken(auth string) string {
+	if auth := strings.TrimSpace(auth); auth != "" {
+		fields := strings.Fields(auth)
+		if len(fields) == 2 && strings.EqualFold(fields[0], "Bearer") {
+			return fields[1]
+		}
+	}
+	return ""
+}