feat(auth): GitHub Enterprise Copilot support

[HearthCore]

Summary

Adds full GitHub Enterprise (GHE) Copilot support by making all Copilot OAuth and API URLs configurable via environment variables. All defaults remain unchanged — public github.com users are unaffected.

Motivation

Organizations using GitHub Enterprise with Copilot cannot use Hermes today because OAuth endpoints, API base URLs, and token exchange URLs are hardcoded to github.com / api.githubcopilot.com. This PR makes all of those configurable.

Changes

Core: configurable Copilot endpoints (copilot_auth.py)

• COPILOT_API_BASE_URL, COPILOT_DEVICE_CODE_URL, COPILOT_ACCESS_TOKEN_URL, COPILOT_TOKEN_EXCHANGE_URL, COPILOT_OAUTH_CLIENT_ID — all read from env vars with public GitHub defaults
• New is_copilot_url() helper matches both public and custom GHE endpoints

Auth improvements (copilot_auth.py)

• COPILOT_AUTH_MODE=oauth — forces OAuth device-code flow, skipping env vars and gh auth token. Solves the problem where existing tokens from a different GitHub host block re-authentication
• COPILOT_GH_HOST — passes --hostname to gh auth token so the correct host's token is used when logged into both public GitHub and GHE simultaneously

Provider resolution (auth.py)

• Added base_url_env_var="COPILOT_API_BASE_URL" to copilot ProviderConfig so the standard provider resolution pipeline picks up the custom base URL

Agent endpoint matching (run_agent.py)

• New _is_copilot_base() helper replaces 5 hardcoded "api.githubcopilot.com" in ... checks
• Copilot headers, reasoning effort detection, and response mode detection all now work with custom GHE endpoints

Setup UX (main.py)

• hermes models setup now offers a re-auth prompt when a Copilot token already exists: continue / OAuth re-login / enter token manually

Model catalog (models.py)

• COPILOT_BASE_URL reads from COPILOT_API_BASE_URL env var
• Added debug logging for catalog fetch attempts and failures

Config (config.py)

• Registered COPILOT_API_BASE_URL, COPILOT_GH_HOST, COPILOT_AUTH_MODE in OPTIONAL_ENV_VARS (advanced/provider category)

Documentation (.env.example)

• Added a full "GitHub Enterprise Copilot" section with all env vars, placeholder values, and explanatory comments

GHE Setup Example

# In ~/.hermes/.env
COPILOT_API_BASE_URL=https://copilot-api.your-ghe.com
COPILOT_DEVICE_CODE_URL=https://your-ghe.com/login/device/code
COPILOT_ACCESS_TOKEN_URL=https://your-ghe.com/login/oauth/access_token
COPILOT_GH_HOST=your-ghe.com

# Optional: force OAuth flow even when tokens exist
# COPILOT_AUTH_MODE=oauth

# Optional: override OAuth client ID for your GHE app
# COPILOT_OAUTH_CLIENT_ID=your-client-id

# Explicit token (if not using OAuth or gh CLI)
# COPILOT_GITHUB_TOKEN=gho_xxxxxxxxxxxxxxxxxxxx

Then run hermes models setup → select Copilot → OAuth login targets the GHE instance automatically.

Files Changed

File	Change
hermes_cli/copilot_auth.py	Configurable URLs, is_copilot_url(), COPILOT_AUTH_MODE, COPILOT_GH_HOST
hermes_cli/auth.py	base_url_env_var on copilot provider, env-aware base URL default
hermes_cli/models.py	Env-aware COPILOT_BASE_URL, debug logging
hermes_cli/main.py	Re-auth prompt in hermes models setup
hermes_cli/config.py	New OPTIONAL_ENV_VARS entries
run_agent.py	_is_copilot_base() helper, 5 hardcoded checks replaced
.env.example	Full GHE Copilot documentation section
tests/hermes_cli/test_api_key_providers.py	Updated assertion for new base_url_env_var

Testing

• All existing tests pass (pytest tests/ -q: 4446 passed, 3 pre-existing flaky skipped)
• Updated test_copilot_env_vars to expect new base_url_env_var
• Tested manually against a GitHub Enterprise instance with Copilot

Platform

Tested on Linux (WSL2/Debian).

[HearthCore]

Update: Added a second commit (docs: add GitHub Enterprise Copilot section to .env.example) — documents all GHE-related env vars in .env.example with placeholder values and inline comments so users can discover the configuration without digging into source code. PR description updated accordingly with a files-changed table.

[steromano87]

This PR would implement #6455

[teknium1]

@HearthCore — thanks for the GHE support contribution. We merged a foundational Copilot auth overhaul in #15114 (cherry-picked #12876 token exchange, #10179 401 refresh, #12840 live context, #11285 HOME env).

Your PR touches auth.py, config.py, main.py, models.py — several of which now have conflicting diffs from #15114. Rather than trying to cherry-pick a stale branch, could you rebase on current main and resubmit? The GHE feature is still wanted, it just needs to land on top of the updated Copilot auth code.

Key rebase targets:

• hermes_cli/copilot_auth.py now has exchange_copilot_token() — your COPILOT_TOKEN_EXCHANGE_URL env var should route through it
• hermes_cli/auth.py stores Copilot state in the Hermes auth store now (see fix(copilot): exchange raw GitHub token for Copilot API JWT #12876's changes to _login_copilot flow)

No rush — leaving this open pending your rebase.

[alt-glitch]

Related to #11527 (similar GHE fix) and #6455/#11442 (feature requests). #15114 (merged) adds token exchange but not full GHE endpoint configurability.

[moro-no-kimi]

checking in to see if there's anyway my team can contribute to getting this merged? Our team has been waiting to upgrade to enterprise solely on account of the lack of hermes support.