openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/concepts/memory-search.md‎
Lines changed: 13 additions & 11 deletions b/‎docs/concepts/memory-search.md‎
Lines changed: 13 additions & 11 deletions
diff --git a/‎docs/providers/github-copilot.md‎
Lines changed: 40 additions & 0 deletions b/‎docs/providers/github-copilot.md‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎docs/reference/memory-config.md‎
Lines changed: 21 additions & 19 deletions b/‎docs/reference/memory-config.md‎
Lines changed: 21 additions & 19 deletions
diff --git a/‎extensions/github-copilot/auth.test.ts‎
Lines changed: 96 additions & 0 deletions b/‎extensions/github-copilot/auth.test.ts‎
Lines changed: 96 additions & 0 deletions
diff --git a/‎extensions/github-copilot/auth.ts‎
Lines changed: 65 additions & 0 deletions b/‎extensions/github-copilot/auth.ts‎
Lines changed: 65 additions & 0 deletions
@@ -12,6 +12,7 @@ Docs: https://docs.openclaw.ai
 - Control UI/Overview: add a Model Auth status card showing OAuth token health and provider rate-limit pressure at a glance, with attention callouts when OAuth tokens are expiring or expired. Backed by a new `models.authStatus` gateway method that strips credentials and caches for 60s. (#66211) Thanks @omarshahine.
 - docs-i18n: add behavior baseline fixtures (#64073). Thanks @hxy91819
 - docs-i18n: harden behavior fixture path reads (#67046). Thanks @hxy91819
+- GitHub Copilot/memory search: add a GitHub Copilot embedding provider for memory search, and expose a dedicated Copilot embedding host helper so plugins can reuse the transport while honoring remote overrides, token refresh, and safer payload validation. (#61718) Thanks @feiskyer and @vincentkoc.
 
 ### Fixes
 
 
@@ -15,8 +15,9 @@ chunks and searching them using embeddings, keywords, or both.
 
 ## Quick start
 
-If you have an OpenAI, Gemini, Voyage, or Mistral API key configured, memory
-search works automatically. To set a provider explicitly:
+If you have a GitHub Copilot subscription, OpenAI, Gemini, Voyage, or Mistral
+API key configured, memory search works automatically. To set a provider
+explicitly:
 
 ```json5
 {
@@ -35,15 +36,16 @@ node-llama-cpp).
 
 ## Supported providers
 
-| Provider | ID        | Needs API key | Notes                                                |
-| -------- | --------- | ------------- | ---------------------------------------------------- |
-| OpenAI   | `openai`  | Yes           | Auto-detected, fast                                  |
-| Gemini   | `gemini`  | Yes           | Supports image/audio indexing                        |
-| Voyage   | `voyage`  | Yes           | Auto-detected                                        |
-| Mistral  | `mistral` | Yes           | Auto-detected                                        |
-| Bedrock  | `bedrock` | No            | Auto-detected when the AWS credential chain resolves |
-| Ollama   | `ollama`  | No            | Local, must set explicitly                           |
-| Local    | `local`   | No            | GGUF model, ~0.6 GB download                         |
+| Provider       | ID               | Needs API key | Notes                                                |
+| -------------- | ---------------- | ------------- | ---------------------------------------------------- |
+| Bedrock        | `bedrock`        | No            | Auto-detected when the AWS credential chain resolves |
+| Gemini         | `gemini`         | Yes           | Supports image/audio indexing                        |
+| GitHub Copilot | `github-copilot` | No            | Auto-detected, uses Copilot subscription             |
+| Local          | `local`          | No            | GGUF model, ~0.6 GB download                         |
+| Mistral        | `mistral`        | Yes           | Auto-detected                                        |
+| Ollama         | `ollama`         | No            | Local, must set explicitly                           |
+| OpenAI         | `openai`         | Yes           | Auto-detected, fast                                  |
+| Voyage         | `voyage`         | Yes           | Auto-detected                                        |
 
 ## How search works
 
 
@@ -119,6 +119,46 @@ Requires an interactive TTY. Run the login command directly in a terminal, not
 inside a headless script or CI job.
 </Warning>
 
+## Memory search embeddings
+
+GitHub Copilot can also serve as an embedding provider for
+[memory search](/concepts/memory-search). If you have a Copilot subscription and
+have logged in, OpenClaw can use it for embeddings without a separate API key.
+
+### Auto-detection
+
+When `memorySearch.provider` is `"auto"` (the default), GitHub Copilot is tried
+at priority 15 -- after local embeddings but before OpenAI and other paid
+providers. If a GitHub token is available, OpenClaw discovers available
+embedding models from the Copilot API and picks the best one automatically.
+
+### Explicit config
+
+```json5
+{
+  agents: {
+    defaults: {
+      memorySearch: {
+        provider: "github-copilot",
+        // Optional: override the auto-discovered model
+        model: "text-embedding-3-small",
+      },
+    },
+  },
+}
+```
+
+### How it works
+
+1. OpenClaw resolves your GitHub token (from env vars or auth profile).
+2. Exchanges it for a short-lived Copilot API token.
+3. Queries the Copilot `/models` endpoint to discover available embedding models.
+4. Picks the best model (prefers `text-embedding-3-small`).
+5. Sends embedding requests to the Copilot `/embeddings` endpoint.
+
+Model availability depends on your GitHub plan. If no embedding models are
+available, OpenClaw skips Copilot and tries the next provider.
+
 ## Related
 
 <CardGroup cols={2}>
 
@@ -37,23 +37,24 @@ plugin-owned config, transcript persistence, and safe rollout pattern.
 
 ## Provider selection
 
-| Key        | Type      | Default          | Description                                                                                 |
-| ---------- | --------- | ---------------- | ------------------------------------------------------------------------------------------- |
-| `provider` | `string`  | auto-detected    | Embedding adapter ID: `openai`, `gemini`, `voyage`, `mistral`, `bedrock`, `ollama`, `local` |
-| `model`    | `string`  | provider default | Embedding model name                                                                        |
-| `fallback` | `string`  | `"none"`         | Fallback adapter ID when the primary fails                                                  |
-| `enabled`  | `boolean` | `true`           | Enable or disable memory search                                                             |
+| Key        | Type      | Default          | Description                                                                                                   |
+| ---------- | --------- | ---------------- | ------------------------------------------------------------------------------------------------------------- |
+| `provider` | `string`  | auto-detected    | Embedding adapter ID: `bedrock`, `gemini`, `github-copilot`, `local`, `mistral`, `ollama`, `openai`, `voyage` |
+| `model`    | `string`  | provider default | Embedding model name                                                                                          |
+| `fallback` | `string`  | `"none"`         | Fallback adapter ID when the primary fails                                                                    |
+| `enabled`  | `boolean` | `true`           | Enable or disable memory search                                                                               |
 
 ### Auto-detection order
 
 When `provider` is not set, OpenClaw selects the first available:
 
 1. `local` -- if `memorySearch.local.modelPath` is configured and the file exists.
-2. `openai` -- if an OpenAI key can be resolved.
-3. `gemini` -- if a Gemini key can be resolved.
-4. `voyage` -- if a Voyage key can be resolved.
-5. `mistral` -- if a Mistral key can be resolved.
-6. `bedrock` -- if the AWS SDK credential chain resolves (instance role, access keys, profile, SSO, web identity, or shared config).
+2. `github-copilot` -- if a GitHub Copilot token can be resolved (env var or auth profile).
+3. `openai` -- if an OpenAI key can be resolved.
+4. `gemini` -- if a Gemini key can be resolved.
+5. `voyage` -- if a Voyage key can be resolved.
+6. `mistral` -- if a Mistral key can be resolved.
+7. `bedrock` -- if the AWS SDK credential chain resolves (instance role, access keys, profile, SSO, web identity, or shared config).
 
 `ollama` is supported but not auto-detected (set it explicitly).
 
@@ -62,14 +63,15 @@ When `provider` is not set, OpenClaw selects the first available:
 Remote embeddings require an API key. Bedrock uses the AWS SDK default
 credential chain instead (instance roles, SSO, access keys).
 
-| Provider | Env var                        | Config key                        |
-| -------- | ------------------------------ | --------------------------------- |
-| OpenAI   | `OPENAI_API_KEY`               | `models.providers.openai.apiKey`  |
-| Gemini   | `GEMINI_API_KEY`               | `models.providers.google.apiKey`  |
-| Voyage   | `VOYAGE_API_KEY`               | `models.providers.voyage.apiKey`  |
-| Mistral  | `MISTRAL_API_KEY`              | `models.providers.mistral.apiKey` |
-| Bedrock  | AWS credential chain           | No API key needed                 |
-| Ollama   | `OLLAMA_API_KEY` (placeholder) | --                                |
+| Provider       | Env var                                            | Config key                        |
+| -------------- | -------------------------------------------------- | --------------------------------- |
+| Bedrock        | AWS credential chain                               | No API key needed                 |
+| Gemini         | `GEMINI_API_KEY`                                   | `models.providers.google.apiKey`  |
+| GitHub Copilot | `COPILOT_GITHUB_TOKEN`, `GH_TOKEN`, `GITHUB_TOKEN` | Auth profile via device login     |
+| Mistral        | `MISTRAL_API_KEY`                                  | `models.providers.mistral.apiKey` |
+| Ollama         | `OLLAMA_API_KEY` (placeholder)                     | --                                |
+| OpenAI         | `OPENAI_API_KEY`                                   | `models.providers.openai.apiKey`  |
+| Voyage         | `VOYAGE_API_KEY`                                   | `models.providers.voyage.apiKey`  |
 
 Codex OAuth covers chat/completions only and does not satisfy embedding
 requests.
 
@@ -0,0 +1,96 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+const ensureAuthProfileStoreMock = vi.hoisted(() => vi.fn());
+const listProfilesForProviderMock = vi.hoisted(() => vi.fn());
+const coerceSecretRefMock = vi.hoisted(() => vi.fn());
+const resolveRequiredConfiguredSecretRefInputStringMock = vi.hoisted(() => vi.fn());
+
+vi.mock("openclaw/plugin-sdk/provider-auth", () => ({
+  coerceSecretRef: coerceSecretRefMock,
+  ensureAuthProfileStore: ensureAuthProfileStoreMock,
+  listProfilesForProvider: listProfilesForProviderMock,
+}));
+
+vi.mock("openclaw/plugin-sdk/config-runtime", () => ({
+  resolveRequiredConfiguredSecretRefInputString: resolveRequiredConfiguredSecretRefInputStringMock,
+}));
+
+import { resolveFirstGithubToken } from "./auth.js";
+
+describe("resolveFirstGithubToken", () => {
+  beforeEach(() => {
+    ensureAuthProfileStoreMock.mockReturnValue({
+      profiles: {
+        "github-copilot:github": {
+          type: "token",
+          tokenRef: { source: "file", provider: "default", id: "/providers/github-copilot/token" },
+        },
+      },
+    });
+    listProfilesForProviderMock.mockReturnValue(["github-copilot:github"]);
+    coerceSecretRefMock.mockReturnValue({
+      source: "file",
+      provider: "default",
+      id: "/providers/github-copilot/token",
+    });
+    resolveRequiredConfiguredSecretRefInputStringMock.mockResolvedValue("resolved-profile-token");
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+    ensureAuthProfileStoreMock.mockReset();
+    listProfilesForProviderMock.mockReset();
+    coerceSecretRefMock.mockReset();
+    resolveRequiredConfiguredSecretRefInputStringMock.mockReset();
+  });
+
+  it("prefers env tokens when available", async () => {
+    const result = await resolveFirstGithubToken({
+      env: { GH_TOKEN: "env-token" } as NodeJS.ProcessEnv,
+    });
+
+    expect(result).toEqual({
+      githubToken: "env-token",
+      hasProfile: true,
+    });
+    expect(resolveRequiredConfiguredSecretRefInputStringMock).not.toHaveBeenCalled();
+  });
+
+  it("returns direct profile tokens before resolving SecretRefs", async () => {
+    ensureAuthProfileStoreMock.mockReturnValue({
+      profiles: {
+        "github-copilot:github": {
+          type: "token",
+          token: "profile-token",
+        },
+      },
+    });
+    coerceSecretRefMock.mockReturnValue(null);
+
+    const result = await resolveFirstGithubToken({
+      env: {} as NodeJS.ProcessEnv,
+    });
+
+    expect(result).toEqual({
+      githubToken: "profile-token",
+      hasProfile: true,
+    });
+  });
+
+  it("resolves non-env SecretRefs when config is available", async () => {
+    const result = await resolveFirstGithubToken({
+      config: { secrets: { defaults: { provider: "default" } } } as never,
+      env: {} as NodeJS.ProcessEnv,
+    });
+
+    expect(result).toEqual({
+      githubToken: "resolved-profile-token",
+      hasProfile: true,
+    });
+    expect(resolveRequiredConfiguredSecretRefInputStringMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        path: "providers.github-copilot.authProfiles.github-copilot:github.tokenRef",
+      }),
+    );
+  });
+});
@@ -0,0 +1,65 @@
+import type { OpenClawConfig } from "openclaw/plugin-sdk/config-runtime";
+import { resolveRequiredConfiguredSecretRefInputString } from "openclaw/plugin-sdk/config-runtime";
+import {
+  coerceSecretRef,
+  ensureAuthProfileStore,
+  listProfilesForProvider,
+} from "openclaw/plugin-sdk/provider-auth";
+import { PROVIDER_ID } from "./models.js";
+
+export async function resolveFirstGithubToken(params: {
+  agentDir?: string;
+  config?: OpenClawConfig;
+  env: NodeJS.ProcessEnv;
+}): Promise<{
+  githubToken: string;
+  hasProfile: boolean;
+}> {
+  const authStore = ensureAuthProfileStore(params.agentDir, {
+    allowKeychainPrompt: false,
+  });
+  const profileIds = listProfilesForProvider(authStore, PROVIDER_ID);
+  const hasProfile = profileIds.length > 0;
+  const envToken =
+    params.env.COPILOT_GITHUB_TOKEN ?? params.env.GH_TOKEN ?? params.env.GITHUB_TOKEN ?? "";
+  const githubToken = envToken.trim();
+  if (githubToken || !hasProfile) {
+    return { githubToken, hasProfile };
+  }
+
+  const profileId = profileIds[0];
+  const profile = profileId ? authStore.profiles[profileId] : undefined;
+  if (profile?.type !== "token") {
+    return { githubToken: "", hasProfile };
+  }
+  const directToken = profile.token?.trim() ?? "";
+  if (directToken) {
+    return { githubToken: directToken, hasProfile };
+  }
+  const tokenRef = coerceSecretRef(profile.tokenRef);
+  if (tokenRef?.source === "env" && tokenRef.id.trim()) {
+    return {
+      githubToken: (params.env[tokenRef.id] ?? process.env[tokenRef.id] ?? "").trim(),
+      hasProfile,
+    };
+  }
+
+  if (tokenRef && params.config) {
+    try {
+      const resolved = await resolveRequiredConfiguredSecretRefInputString({
+        config: params.config,
+        env: params.env,
+        value: profile.tokenRef,
+        path: `providers.github-copilot.authProfiles.${profileId ?? "default"}.tokenRef`,
+      });
+      return {
+        githubToken: resolved?.trim() ?? "",
+        hasProfile,
+      };
+    } catch {
+      return { githubToken: "", hasProfile };
+    }
+  }
+
+  return { githubToken: "", hasProfile };
+}