fix(macos): auto-trigger Copilot device-code reauth on 401

kody-w · claude · kody-w · commit 7ae30a5f4565 · 2026-05-15T17:24:40.000-04:00
When the gateway reports a Copilot auth failure (401/403), the chat
panel now starts the device-code flow inline and posts the user code
into the chat instead of showing a raw error bubble that tells the user
to run a CLI command.

- ChatViewModel: detect Copilot auth errors, invoke onAuthRequired,
  latch to avoid retry storms; expose authFlowFinished() to reset.
- ChatWindowManager: wire onAuthRequired -&gt; handleReauth() in init.
- copilot-token.ts: drop "Run 'openrappter onboard'" tail from the
  error message; UI handles it now.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/macos/Sources/OpenRappterBar/ViewModels/ChatViewModel.swift b/macos/Sources/OpenRappterBar/ViewModels/ChatViewModel.swift
@@ -17,6 +17,14 @@ public final class ChatViewModel {
     private var rpcClient: RpcClient?
     private var sessionStore: SessionStore?
 
+    /// Called when the gateway reports a GitHub/Copilot auth failure. The host
+    /// should kick off the device-code flow inline (no manual button click).
+    public var onAuthRequired: (() -> Void)?
+
+    /// Guard so we only auto-trigger reauth once per failing burst, not on every
+    /// retry until the device-code flow completes.
+    private var isAutoReauthing: Bool = false
+
     // MARK: - Computed
 
     public var canSend: Bool {
@@ -132,16 +140,45 @@ public final class ChatViewModel {
         case .error:
             let errorMsg = payload.errorMessage ?? "Unknown error"
             chatState = .error(errorMsg)
+            streamingText = ""
+
+            if isCopilotAuthError(errorMsg), let trigger = onAuthRequired {
+                // Inline auth flow: skip the raw error bubble, show a friendly
+                // status line, and kick off the device-code flow ourselves.
+                if !isAutoReauthing {
+                    isAutoReauthing = true
+                    addSystemMessage("🔑 GitHub Copilot needs re-authentication — starting sign-in…")
+                    trigger()
+                }
+                return
+            }
+
             let msg = ChatMessage(
                 role: .error,
                 content: "Agent error: \(errorMsg)",
                 sessionKey: payload.sessionKey
             )
             messages.append(msg)
-            streamingText = ""
         }
     }
 
+    /// Reset the auto-reauth latch once the host knows the device-code flow has
+    /// resolved (success or failure), so a later failure can trigger it again.
+    public func authFlowFinished() {
+        isAutoReauthing = false
+    }
+
+    /// True for the gateway's Copilot 401/403 errors. Matches the exact phrase
+    /// from `resolveCopilotApiToken` plus a generic fallback for related cases.
+    private func isCopilotAuthError(_ text: String) -> Bool {
+        let lowered = text.lowercased()
+        if lowered.contains("copilot api access") { return true }
+        if lowered.contains("copilot") && (lowered.contains("401") || lowered.contains("403")) {
+            return true
+        }
+        return false
+    }
+
     // MARK: - Session Switching
 
     public func switchToSession(sessionKey: String) {
diff --git a/macos/Sources/OpenRappterBar/Views/Chat/ChatWindowManager.swift b/macos/Sources/OpenRappterBar/Views/Chat/ChatWindowManager.swift
@@ -38,6 +38,13 @@ public final class ChatWindowManager {
     public init(viewModel: AppViewModel, settingsViewModel: SettingsViewModel) {
         self.viewModel = viewModel
         self.settingsViewModel = settingsViewModel
+
+        // Auto-trigger the device-code flow whenever the gateway reports a
+        // Copilot auth failure — no manual button click required.
+        viewModel.chatViewModel.onAuthRequired = { [weak self] in
+            guard let self else { return }
+            self.handleReauth()
+        }
     }
 
     /// Re-auth handler: starts device code flow, shows code in chat, restarts gateway
@@ -72,6 +79,8 @@ public final class ChatWindowManager {
             } else if let error = auth.error {
                 viewModel.chatViewModel.addSystemMessage("❌ Auth failed: \(error)")
             }
+
+            viewModel.chatViewModel.authFlowFinished()
         }
     }
 
diff --git a/typescript/src/providers/copilot-token.ts b/typescript/src/providers/copilot-token.ts
@@ -170,8 +170,7 @@ export async function resolveCopilotApiToken(params: {
     if (res.status === 404 || res.status === 401 || res.status === 403) {
       throw new Error(
         `GitHub token does not have Copilot API access (HTTP ${res.status}). ` +
-        `The token may be from the gh CLI which uses a different OAuth app. ` +
-        `Run 'openrappter onboard' to authenticate with the Copilot device code flow.`
+        `Sign in with a GitHub account that has Copilot enabled.`
       );
     }
     throw new Error(`Copilot token exchange failed: HTTP ${res.status}${body ? ` — ${body}` : ''}`);

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,13 @@ public final class ChatWindowManager {`
`38`	`38`	`public init(viewModel: AppViewModel, settingsViewModel: SettingsViewModel) {`
`39`	`39`	`self.viewModel = viewModel`
`40`	`40`	`self.settingsViewModel = settingsViewModel`
	`41`	`+`
	`42`	`+ // Auto-trigger the device-code flow whenever the gateway reports a`
	`43`	`+ // Copilot auth failure — no manual button click required.`
	`44`	`+ viewModel.chatViewModel.onAuthRequired = { [weak self] in`
	`45`	`+ guard let self else { return }`
	`46`	`+ self.handleReauth()`
	`47`	`+ }`
`41`	`48`	`}`
`42`	`49`
`43`	`50`	`/// Re-auth handler: starts device code flow, shows code in chat, restarts gateway`
`@@ -72,6 +79,8 @@ public final class ChatWindowManager {`
`72`	`79`	`} else if let error = auth.error {`
`73`	`80`	`viewModel.chatViewModel.addSystemMessage("❌ Auth failed: \(error)")`
`74`	`81`	`}`
	`82`	`+`
	`83`	`+ viewModel.chatViewModel.authFlowFinished()`
`75`	`84`	`}`
`76`	`85`	`}`
`77`	`86`