Prepare 1.0.0 release

Switch to mise tasks; add GoReleaser GH draft release config; optimize Go build sizes; add local release assets to dist via before hook; update Node launcher to execute correct binary.

Author: dvcrn

.gitignore

@@ -2,3 +2,6 @@ bin/
 .crush
 copilot-api
 /copilot-proxy
+
+# GoReleaser build output
+dist/

.goreleaser.yml

@@ -0,0 +1,47 @@
+# .goreleaser.yml
+version: 2
+project_name: copilot-proxy
+before:
+  hooks:
+    - mkdir -p dist && cp -v release/* dist/
+release:
+  github:
+    owner: dvcrn
+    name: copilot-api-proxy
+  draft: true
+builds:
+  - id: copilot-api-proxy
+    main: ./cmd/copilot-api-proxy/
+    binary: copilot-api-proxy
+    env:
+      - CGO_ENABLED=0
+    flags:
+      - -trimpath
+      - -buildvcs=false
+    ldflags:
+      - -s -w -buildid=
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      # For Apple Silicon (M1/M2)
+      - arm64
+archives:
+  - formats:
+      - tar.gz
+    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    files:
+      - src: ./release/package.json
+        dst: .
+      - src: ./release/index.js
+        dst: .
+checksum:
+  name_template: 'checksums.txt'
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'

AGENTS.md

@@ -1,2 +1,2 @@
-- Always run `just format` in between steps, this will auto-format and fix imports
-- Always run `just build` to confirm that everything is still compiling
+- Always run `mise run fmt` in between steps, this will auto-format and fix imports
+- Always run `mise run build` to confirm that everything is still compiling

auth_design_doc.md

@@ -0,0 +1,221 @@
+# Copilot Proxy - Authentication Design
+
+This document provides a detailed implementation plan for the authentication components of the Copilot Proxy. It refines the initial `design_doc.md` by specifying the architecture required to handle the full, dynamic lifecycle of a Copilot API token.
+
+## 1. Overview
+
+The authentication system will be responsible for:
+1.  Using a long-lived GitHub OAuth token.
+2.  Exchanging it for a short-lived Copilot API token.
+3.  Managing the Copilot token in memory.
+4.  Automatically refreshing the token before it expires.
+5.  Providing a valid token to the part of the proxy that forwards requests.
+
+To achieve this, the `pkg/copilot/` directory will be structured to separate the stateless API calls from the stateful token management.
+
+## 2. Proposed File Structure
+
+The `pkg/copilot/` directory will be organized as follows:
+
+```
+/pkg/copilot/
+├─── auth.go            # Stateless functions for the token exchange API call.
+├─── token_manager.go   # Stateful, thread-safe token lifecycle management.
+└─── client.go          # (Updated) The proxy client, which uses the TokenManager.
+```
+
+## 3. Component Deep Dive
+
+### `pkg/copilot/auth.go`
+
+**Responsibility:** Contains the low-level, stateless function for performing the GitHub-to-Copilot token exchange.
+
+**Implementation Details:**
+
+```go
+package copilot
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+)
+
+// ExchangeTokenResponse defines the structure of the JSON response from the token exchange endpoint.
+type ExchangeTokenResponse struct {
+	Token     string `json:"token"`
+	ExpiresAt int64  `json:"expires_at"`
+	RefreshIn int64  `json:"refresh_in"`
+}
+
+// ExchangeGitHubToken takes a GitHub OAuth token and exchanges it for a short-lived Copilot token.
+func ExchangeGitHubToken(ctx context.Context, githubToken string) (*ExchangeTokenResponse, error) {
+	// 1. Create a new GET request to the exchange endpoint.
+	url := "https://api.github.com/copilot_internal/v2/token"
+	req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create token exchange request: %w", err)
+	}
+
+	// 2. Add the required headers.
+	req.Header.Set("Authorization", "Bearer "+githubToken)
+	req.Header.Set("Accept", "application/json")
+
+	// 3. Execute the request.
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute token exchange request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	// 4. Handle non-successful status codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("token exchange request failed with status: %s", resp.Status)
+	}
+
+	// 5. Unmarshal the JSON response.
+	var tokenResponse ExchangeTokenResponse
+	if err := json.NewDecoder(resp.Body).Decode(&tokenResponse); err != nil {
+		return nil, fmt.Errorf("failed to decode token exchange response: %w", err)
+	}
+
+	// 6. Return the response.
+	return &tokenResponse, nil
+}
+```
+
+### `pkg/copilot/token_manager.go`
+
+**Responsibility:** A stateful, thread-safe manager that holds the Copilot token and runs a background process to refresh it automatically.
+
+**Implementation Details:**
+
+```go
+package copilot
+
+import (
+	"context"
+	"log/slog"
+	"sync"
+	"time"
+)
+
+// TokenManager handles the Copilot token and its refresh cycle.
+type TokenManager struct {
+	mu           sync.RWMutex
+	githubToken  string
+	copilotToken string
+	refreshesAt  time.Time
+	logger       *slog.Logger
+	stopCh       chan struct{}
+}
+
+// NewTokenManager creates a manager, gets the initial token, and starts the refresh loop.
+func NewTokenManager(ctx context.Context, githubToken string, logger *slog.Logger) (*TokenManager, error) {
+	tm := &TokenManager{
+		githubToken: githubToken,
+		logger:      logger,
+		stopCh:      make(chan struct{}),
+	}
+
+	if err := tm.refresh(ctx); err != nil {
+		return nil, fmt.Errorf("initial token refresh failed: %w", err)
+	}
+
+	go tm.refreshTokenLoop()
+	return tm, nil
+}
+
+// GetToken returns the current, valid Copilot token in a thread-safe way.
+func (tm *TokenManager) GetToken() string {
+	tm.mu.RLock()
+	defer tm.mu.RUnlock()
+	return tm.copilotToken
+}
+
+// Close gracefully stops the background refresh loop.
+func (tm *TokenManager) Close() {
+	close(tm.stopCh)
+}
+
+// refreshTokenLoop runs in the background, refreshing the token before it expires.
+func (tm *TokenManager) refreshTokenLoop() {
+	for {
+		tm.mu.RLock()
+		duration := time.Until(tm.refreshesAt)
+		tm.mu.RUnlock()
+
+		select {
+		case <-time.After(duration):
+			tm.logger.Info("Refreshing Copilot token")
+			if err := tm.refresh(context.Background()); err != nil {
+				tm.logger.Error("Failed to refresh token", "error", err)
+			}
+		case <-tm.stopCh:
+			tm.logger.Info("Token refresh loop stopped")
+			return
+		}
+	}
+}
+
+// refresh executes the token exchange and updates the manager's state.
+func (tm *TokenManager) refresh(ctx context.Context) error {
+	resp, err := ExchangeGitHubToken(ctx, tm.githubToken)
+	if err != nil {
+		return err
+	}
+
+	tm.mu.Lock()
+	defer tm.mu.Unlock()
+
+	tm.copilotToken = resp.Token
+	// Refresh 60 seconds before the official refresh_in time as a buffer.
+	refreshDuration := time.Duration(resp.RefreshIn-60) * time.Second
+	tm.refreshesAt = time.Now().Add(refreshDuration)
+
+	tm.logger.Info("Successfully refreshed Copilot token", "expires_at", resp.ExpiresAt)
+	return nil
+}
+```
+
+### `pkg/copilot/client.go` (Updated)
+
+**Responsibility:** The proxy client, updated to use the `TokenManager`.
+
+**Implementation Details:**
+
+```go
+package copilot
+
+import (
+	"context"
+	"net/http"
+	"time"
+)
+
+// Client now holds a reference to the TokenManager.
+type Client struct {
+	httpClient   *http.Client
+	tokenManager *TokenManager
+}
+
+// NewClient is updated to accept the TokenManager.
+func NewClient(tokenManager *TokenManager, timeout time.Duration) *Client {
+	return &Client{
+		httpClient:   &http.Client{Timeout: timeout},
+		tokenManager: tokenManager,
+	}
+}
+
+// ForwardRequest gets the latest token from the manager before each request.
+func (c *Client) ForwardRequest(ctx context.Context, incomingReq *http.Request) (*http.Response, error) {
+	// ... (request creation logic remains the same)
+
+	// Get the latest valid token for this specific request.
+	token := c.tokenManager.GetToken()
+	upstreamReq.Header.Set("Authorization", "Bearer "+token)
+
+	// ... (request execution logic remains the same)
+}
+```

authentication_flow.md

@@ -0,0 +1,109 @@
+# GitHub Copilot Authentication Flow
+
+This document outlines the end-to-end authentication process used to obtain a valid token for making requests to the GitHub Copilot API. The flow consists of two main phases:
+
+1.  **GitHub Device Authorization Flow:** Obtaining a standard GitHub OAuth token by having the user authorize the application.
+2.  **Copilot Token Exchange:** Exchanging the GitHub OAuth token for a specific, short-lived Copilot API token.
+
+---
+
+## Phase 1: GitHub Device Authorization Flow
+
+This phase follows the standard GitHub OAuth Device Flow to get a user-authorized API token.
+
+### Step 1.1: Request Device and User Codes
+
+The application initiates the flow by making a `POST` request to GitHub.
+
+*   **Endpoint:** `POST https://github.com/login/device/code`
+*   **Headers:**
+    *   `Accept: application/json`
+*   **Body:**
+    ```json
+    {
+      "client_id": "<GITHUB_CLIENT_ID>",
+      "scope": "<REQUESTED_SCOPES>"
+    }
+    ```
+
+GitHub responds with a device code, a user code for verification, and a polling interval.
+
+*   **Example Response:**
+    ```json
+    {
+      "device_code": "...",
+      "user_code": "...",
+      "verification_uri": "https://github.com/login/device",
+      "expires_in": 900,
+      "interval": 5
+    }
+    ```
+
+### Step 1.2: Prompt User for Authorization
+
+The application shows the `user_code` to the user and instructs them to visit the `verification_uri` to authorize the device.
+
+### Step 1.3: Poll for Access Token
+
+While waiting for the user to authorize, the application begins polling the token endpoint at the specified `interval`.
+
+*   **Endpoint:** `POST https://github.com/login/oauth/access_token`
+*   **Headers:**
+    *   `Accept: application/json`
+*   **Body:**
+    ```json
+    {
+      "client_id": "<GITHUB_CLIENT_ID>",
+      "device_code": "<DEVICE_CODE_FROM_STEP_1>",
+      "grant_type": "urn:ietf:params:oauth:grant-type:device_code"
+    }
+    ```
+
+Once the user completes authorization in the browser, the polling request will succeed and GitHub will respond with the user's OAuth token.
+
+*   **Success Response:**
+    ```json
+    {
+      "access_token": "gho_...",
+      "token_type": "bearer",
+      "scope": "..."
+    }
+    ```
+
+This `access_token` is the **GitHub OAuth Token**.
+
+---
+
+## Phase 2: Copilot Token Exchange
+
+With a valid GitHub OAuth token, the application can now exchange it for a token that is valid for the Copilot API.
+
+### Step 2.1: Request Copilot Token
+
+The application makes an authenticated `GET` request to a private Copilot endpoint.
+
+*   **Endpoint:** `GET https://api.github.com/copilot_internal/v2/token`
+*   **Headers:**
+    *   `Authorization: Bearer <GITHUB_OAUTH_TOKEN_FROM_PHASE_1>`
+    *   `Accept: application/json`
+
+The response contains the final, short-lived Copilot token.
+
+*   **Success Response:**
+    ```json
+    {
+      "token": "tid=...;exp=...;...",
+      "expires_at": 1672531200,
+      "refresh_in": 1500
+    }
+    ```
+
+This `token` is the one used in the `Authorization` header for all subsequent requests to `api.individual.githubcopilot.com`.
+
+### Step 2.2: Automatic Token Refresh
+
+The Copilot token is short-lived (e.g., expires in 30 minutes). The application is responsible for refreshing it automatically before it expires.
+
+*   **Logic:** Use `setInterval` or a similar timer mechanism.
+*   **Interval:** The refresh should be triggered after `(refresh_in - 60)` seconds to provide a buffer.
+*   **Action:** The timer re-runs **Step 2.1** to get a new Copilot token and updates the application's state.