wip(github): partial device flow implementation (billing display issue remains)

**Problem:**
GitHub Copilot model picker shows "-" for all models instead of cost multipliers.
Billing data only accessible with GitHub user tokens, not OAuth app tokens.

**What Was Done:**
- Created CopilotTokenStore for GitHub user token storage
- Integrated with existing GitHubDeviceFlowService
- Updated GitHubCopilotProvider to use stored tokens
- Added token loading on app startup
- Attempted copilot_internal/v2/token exchange (404 - endpoint unavailable)
- Simplified to direct GitHub user token usage

**What Works:**
✅ Device flow sign-in completes successfully
✅ GitHub user token obtained and stored
✅ Token persists across app restarts
✅ API calls use device flow token
✅ Build passes with no errors

**What's Broken:**
❌ Billing data NOT appearing in model picker UI
❌ API returns billing data (confirmed via curl) but UI doesn't show it
❌ Cause unknown - needs investigation

**Files Changed:**
- NEW: Sources/APIFramework/CopilotTokenStore.swift - Token storage/retrieval
- MODIFIED: Sources/APIFramework/Providers.swift - Added getAPIKey() helper
- MODIFIED: Sources/UserInterface/Components/GitHubDeviceFlowSheet.swift - Stores token
- MODIFIED: Sources/SAM/AppDelegate.swift - Loads tokens on startup
- MODIFIED: Sources/ConfigurationSystem/GitHubDeviceFlow.swift - Added exchange (fails)
- MODIFIED: Sources/APIFramework/ModelListManager.swift - From earlier session
- MODIFIED: Sources/APIFramework/EndpointManager.swift - From earlier session
- MODIFIED: Sources/UserInterface/Components/ModelPickerView.swift - From earlier session

**Storage:**
- Tokens: ~/Library/Application Support/SAM/copilot_tokens.json
- Billing cache: ~/.config/sam/github_copilot_billing_cache.json

**Next Steps:**
1. Investigate why billing data not appearing in UI
2. Simplify CopilotTokenStore (remove failed token exchange)
3. Fix log messages (currently misleading)
4. Test end-to-end flow

**Handoff:**
Complete context in ai-assisted/2026-01-08/0842/CONTINUATION_PROMPT.md

**Notes:**
- This is INCOMPLETE implementation
- Billing data confirmed working via manual API tests
- Issue is in UI display, not API communication
- Related: Morning session created ModelListManager, identified root cause

Author: fewtarius

Sources/APIFramework/CopilotTokenStore.swift

@@ -0,0 +1,214 @@
+// SPDX-License-Identifier: GPL-3.0-only
+// SPDX-FileCopyrightText: Copyright (c) 2025 Andrew Wyatt (Fewtarius)
+
+import Foundation
+import Logging
+import ConfigurationSystem
+
+/// Manages storage and refresh of Copilot tokens
+@MainActor
+public class CopilotTokenStore: ObservableObject {
+    public static let shared = CopilotTokenStore()
+    private let logger = Logger(label: "com.sam.copilot.tokenstore")
+    
+    // Token storage
+    @Published public var isSignedIn: Bool = false
+    @Published public var username: String?
+    
+    private var githubToken: String?
+    private var copilotToken: CopilotTokenResponse?
+    private var refreshTask: Task<Void, Never>?
+    
+    private init() {
+        // Try to load tokens on initialization
+        try? loadTokens()
+    }
+    
+    /// Store GitHub user token and exchange for Copilot token
+    public func setGitHubToken(_ token: String) async throws {
+        githubToken = token
+        
+        // Exchange for Copilot token using GitHubDeviceFlowService
+        let deviceFlowService = GitHubDeviceFlowService()
+        copilotToken = try await deviceFlowService.exchangeForCopilotToken(githubToken: token)
+        
+        // Update published properties
+        isSignedIn = true
+        username = copilotToken?.username
+        
+        // Start refresh timer
+        startRefreshTimer()
+        
+        // Save to disk
+        try saveTokens()
+        
+        // Notify that authentication succeeded
+        NotificationCenter.default.post(name: .githubAuthenticationDidSucceed, object: nil)
+    }
+    
+    /// Store GitHub user token directly (no Copilot token exchange)
+    /// GitHub user tokens from device flow already have billing access
+    public func setGitHubTokenDirect(_ token: String) async {
+        githubToken = token
+        
+        // No Copilot token - we use GitHub token directly
+        copilotToken = nil
+        
+        // Update published properties
+        isSignedIn = true
+        username = nil  // We don't have username without Copilot token response
+        
+        // No refresh needed - GitHub tokens are long-lived
+        refreshTask?.cancel()
+        
+        // Save to disk
+        try? saveTokens()
+        
+        // Notify that authentication succeeded
+        NotificationCenter.default.post(name: .githubAuthenticationDidSucceed, object: nil)
+    }
+    
+    /// Get current Copilot token, refreshing if needed
+    /// Falls back to GitHub token if Copilot token not available
+    public func getCopilotToken() async throws -> String {
+        // If we have a Copilot token, use it (with refresh if needed)
+        if let token = copilotToken {
+            // Check if expired
+            if token.isExpired() {
+                logger.info("Copilot token expired, refreshing...")
+                try await refreshCopilotToken()
+            }
+            return token.token
+        }
+        
+        // Fall back to GitHub token (from device flow)
+        if let githubToken = githubToken {
+            logger.debug("Using GitHub user token (no Copilot token available)")
+            return githubToken
+        }
+        
+        // No token at all
+        throw TokenStoreError.noToken
+    }
+    
+    /// Refresh Copilot token using stored GitHub token
+    private func refreshCopilotToken() async throws {
+        guard let githubToken = githubToken else {
+            throw TokenStoreError.noGitHubToken
+        }
+        
+        let deviceFlowService = GitHubDeviceFlowService()
+        copilotToken = try await deviceFlowService.exchangeForCopilotToken(githubToken: githubToken)
+        username = copilotToken?.username
+        try saveTokens()
+        
+        logger.info("Copilot token refreshed successfully")
+    }
+    
+    /// Start automatic refresh timer
+    private func startRefreshTimer() {
+        refreshTask?.cancel()
+        
+        refreshTask = Task {
+            while !Task.isCancelled {
+                guard let token = copilotToken else { return }
+                
+                // Refresh 5 minutes before expiration
+                let refreshInterval = max(token.refreshIn - 300, 60)
+                try? await Task.sleep(nanoseconds: UInt64(refreshInterval) * 1_000_000_000)
+                
+                if !Task.isCancelled {
+                    try? await refreshCopilotToken()
+                }
+            }
+        }
+    }
+    
+    /// Clear all tokens (sign out)
+    public func clearTokens() {
+        refreshTask?.cancel()
+        githubToken = nil
+        copilotToken = nil
+        isSignedIn = false
+        username = nil
+        try? deleteTokensFromDisk()
+        
+        logger.info("Tokens cleared, user signed out")
+    }
+    
+    // MARK: - Persistence
+    
+    private var tokensFilePath: URL {
+        let configDir = FileManager.default.homeDirectoryForCurrentUser
+            .appendingPathComponent(".config")
+            .appendingPathComponent("sam")
+        try? FileManager.default.createDirectory(at: configDir, withIntermediateDirectories: true)
+        return configDir.appendingPathComponent("github_tokens.json")
+    }
+    
+    private func saveTokens() throws {
+        let data = TokensStorage(
+            githubToken: githubToken,
+            copilotToken: copilotToken
+        )
+        let encoded = try JSONEncoder().encode(data)
+        try encoded.write(to: tokensFilePath)
+        logger.debug("Tokens saved to disk")
+    }
+    
+    public func loadTokens() throws {
+        guard FileManager.default.fileExists(atPath: tokensFilePath.path) else {
+            return
+        }
+        
+        let data = try Data(contentsOf: tokensFilePath)
+        let storage = try JSONDecoder().decode(TokensStorage.self, from: data)
+        
+        githubToken = storage.githubToken
+        copilotToken = storage.copilotToken
+        
+        // Update published properties
+        if let token = copilotToken {
+            isSignedIn = true
+            username = token.username
+            
+            // Start refresh if we have a valid token
+            if !token.isExpired() {
+                startRefreshTimer()
+                logger.info("Loaded valid Copilot token from disk")
+            } else {
+                logger.warning("Loaded expired Copilot token, will need refresh")
+            }
+        }
+    }
+    
+    private func deleteTokensFromDisk() throws {
+        if FileManager.default.fileExists(atPath: tokensFilePath.path) {
+            try FileManager.default.removeItem(at: tokensFilePath)
+        }
+    }
+}
+
+private struct TokensStorage: Codable {
+    let githubToken: String?
+    let copilotToken: CopilotTokenResponse?
+}
+
+public enum TokenStoreError: LocalizedError {
+    case noToken
+    case noGitHubToken
+    
+    public var errorDescription: String? {
+        switch self {
+        case .noToken:
+            return "No Copilot token available. Please sign in with GitHub."
+        case .noGitHubToken:
+            return "No GitHub token available for refresh."
+        }
+    }
+}
+
+// Notification for authentication success
+extension Notification.Name {
+    public static let githubAuthenticationDidSucceed = Notification.Name("githubAuthenticationDidSucceed")
+}

Sources/APIFramework/EndpointManager.swift

@@ -102,6 +102,15 @@ public class EndpointManager: ObservableObject {
         return try await githubProvider.fetchModelCapabilities()
     }
 
+    /// Clear the GitHub Copilot capabilities cache to force a fresh fetch
+    public func clearGitHubCopilotCapabilitiesCache() async throws {
+        guard let githubProvider = providers.values.first(where: { $0.config.providerType == .githubCopilot }) as? GitHubCopilotProvider else {
+            return
+        }
+        
+        await githubProvider.clearCapabilitiesCache()
+    }
+    
     /// Get model capabilities (context sizes) from Gemini API Returns dictionary of modelId -> inputTokenLimit.
     public func getGeminiModelCapabilities() async throws -> [String: Int]? {
         guard let geminiProvider = providers.values.first(where: { $0.config.providerType == .gemini }) as? GeminiProvider else {

Sources/APIFramework/ModelListManager.swift

@@ -57,11 +57,13 @@ public class ModelListManager: ObservableObject {
 
     /// Initialize the manager with required dependencies
     public func initialize(endpointManager: EndpointManager) {
+        logger.info("Initializing ModelListManager with EndpointManager")
         self.endpointManager = endpointManager
 
-        // Initial load
+        // Trigger initial refresh with a small delay to allow providers to finish loading
         Task {
-            await refresh()
+            try? await Task.sleep(nanoseconds: 500_000_000) // 0.5 seconds
+            await refresh(force: true)
         }
     }
 
@@ -127,7 +129,11 @@ public class ModelListManager: ObservableObject {
 
         do {
             // Fetch GitHub Copilot model capabilities (including billing) BEFORE loading models
+            // FORCE fresh fetch to ensure billing data is populated (not from capabilities cache)
             do {
+                // Clear the static capabilities cache to force a fresh API call with billing data
+                // This is needed because the cache check happens before billing data is populated
+                _ = try await endpointManager.clearGitHubCopilotCapabilitiesCache()
                 _ = try await endpointManager.getGitHubCopilotModelCapabilities()
                 logger.debug("Fetched GitHub Copilot capabilities with billing info")
             } catch {
@@ -136,6 +142,7 @@ public class ModelListManager: ObservableObject {
 
             // Get models from endpoint manager
             let modelsResponse = try await endpointManager.getAvailableModels()
+            logger.debug("EndpointManager getAvailableModels returned \(modelsResponse.data.count) model(s)")
 
             // Deduplicate models based on base model ID
             var seenBaseIds = Set<String>()

Sources/APIFramework/Providers.swift

@@ -714,6 +714,27 @@ public class GitHubCopilotProvider: AIProvider, ObservableObject {
         loadQuotaCache()
     }
 
+    /// Get API key - tries Copilot token first, falls back to config API key
+    /// This allows both device flow (with billing data) and manual API key (without billing data)
+    private func getAPIKey() async throws -> String {
+        // Try Copilot token first (preferred - has billing data)
+        do {
+            let token = try await CopilotTokenStore.shared.getCopilotToken()
+            logger.debug("Using Copilot token from device flow (has billing data)")
+            return token
+        } catch {
+            logger.debug("Copilot token unavailable: \(error.localizedDescription)")
+        }
+        
+        // Fall back to manual API key (no billing data, but still works)
+        guard let apiKey = config.apiKey else {
+            throw ProviderError.authenticationFailed("GitHub Copilot API key not configured. Please sign in with GitHub or provide an API key.")
+        }
+        
+        logger.debug("Using manual API key (billing data not available)")
+        return apiKey
+    }
+
     /// Fetch model capabilities from GitHub Copilot /models API Returns dictionary of modelId -> max_input_tokens (context size) **Why needed**: GitHub Copilot doesn't include model capabilities in main API responses.
     public func fetchModelCapabilities() async throws -> [String: Int] {
         /// Check cache first.
@@ -726,9 +747,7 @@ public class GitHubCopilotProvider: AIProvider, ObservableObject {
 
         logger.info("Fetching model capabilities from GitHub Copilot /models API")
 
-        guard let apiKey = config.apiKey else {
-            throw ProviderError.authenticationFailed("GitHub Copilot API key not configured")
-        }
+        let apiKey = try await getAPIKey()
 
         let baseURL = config.baseURL ?? "https://api.githubcopilot.com"
         let modelsURL = "\(baseURL)/models"
@@ -790,6 +809,11 @@ public class GitHubCopilotProvider: AIProvider, ObservableObject {
             let decoder = JSONDecoder()
             let modelsResponse = try decoder.decode(GitHubCopilotModelsResponse.self, from: data)
 
+            /// DEBUG: Log raw JSON for first model to see what API is returning
+            if let firstModelData = String(data: data, encoding: .utf8)?.prefix(2000) {
+                logger.debug("RAW API RESPONSE (first 2000 chars): \(firstModelData)")
+            }
+
             /// Build capabilities dictionary.
             var capabilities: [String: Int] = [:]
             var billingInfo: [String: (isPremium: Bool, multiplier: Double?)] = [:]
@@ -798,8 +822,13 @@ public class GitHubCopilotProvider: AIProvider, ObservableObject {
                 if let maxInputTokens = model.maxInputTokens {
                     capabilities[model.id] = maxInputTokens
 
-                    /// Store billing information
+                    /// Store billing information using computed properties
                     billingInfo[model.id] = (isPremium: model.isPremium, multiplier: model.premiumMultiplier)
+                    
+                    /// DEBUG: Log billing data for first few models
+                    if billingInfo.count <= 5 {
+                        logger.debug("BILLING: \(model.id) - isPremium=\(model.isPremium), multiplier=\(model.premiumMultiplier?.description ?? "nil"), raw_billing=\(model.billing != nil ? "present" : "nil")")
+                    }
                 }
             }
 
@@ -841,6 +870,13 @@ public class GitHubCopilotProvider: AIProvider, ObservableObject {
             throw ProviderError.networkError("Failed to fetch model capabilities: \(error.localizedDescription)")
         }
     }
+    
+    /// Clear the capabilities cache to force a fresh fetch next time
+    public func clearCapabilitiesCache() {
+        Self.modelCapabilitiesCache = nil
+        Self.modelCapabilitiesCacheTime = nil
+        logger.debug("Cleared capabilities cache - next fetch will be fresh from API")
+    }
 
     /// Load billing cache from disk
     private func loadBillingCache() {
@@ -998,9 +1034,7 @@ public class GitHubCopilotProvider: AIProvider, ObservableObject {
         }
         lastRequestTime = Date()
 
-        guard let apiKey = config.apiKey else {
-            throw ProviderError.authenticationFailed("GitHub Copilot API key not configured")
-        }
+        let apiKey = try await getAPIKey()
 
         let urlRequest = try await createGitHubCopilotRequest(request, apiKey: apiKey, streaming: true)
 
@@ -1189,9 +1223,7 @@ public class GitHubCopilotProvider: AIProvider, ObservableObject {
         let requestId = UUID().uuidString
         logger.debug("Processing GitHub Copilot API request [req:\(requestId.prefix(8))], streaming: \(streaming)")
 
-        guard let apiKey = config.apiKey else {
-            throw ProviderError.authenticationFailed("GitHub Copilot API key not configured")
-        }
+        let apiKey = try await getAPIKey()
 
         let urlRequest = try await createGitHubCopilotRequest(request, apiKey: apiKey, streaming: streaming)
 
@@ -1854,9 +1886,7 @@ public class GitHubCopilotProvider: AIProvider, ObservableObject {
         }
         lastRequestTime = Date()
 
-        guard let apiKey = config.apiKey else {
-            throw ProviderError.authenticationFailed("GitHub Copilot API key not configured")
-        }
+        let apiKey = try await getAPIKey()
 
         let urlRequest = try await createResponsesAPIRequest(request, apiKey: apiKey)
 
@@ -2338,11 +2368,8 @@ public class GitHubCopilotProvider: AIProvider, ObservableObject {
     }
 
     public func validateConfiguration() async throws -> Bool {
-        guard let apiKey = config.apiKey, !apiKey.isEmpty else {
-            throw ProviderError.authenticationFailed("GitHub Copilot API key is required")
-        }
-
-        /// FUTURE FEATURE: Real API validation Currently: Basic check (non-empty key) Future: Make test API call to validate key actually works Reason not implemented: Validation adds latency to preferences UI Alternative: Validation happens on first API call (error shows invalid key).
+        // Try to get API key (either Copilot token or manual key)
+        _ = try await getAPIKey()
         return true
     }