Copilot CLI rejects valid credentials when token value doesn't match expected format (blocks proxy-based credential injection)

[htekdev]

Summary

The Copilot CLI validates the COPILOT_GITHUB_TOKEN (and GH_TOKEN/GITHUB_TOKEN) environment variable client-side before making any HTTP requests. If the token value does not match the expected GitHub PAT format, the CLI rejects it immediately with:

Error: No authentication information found.

This prevents the CLI from working in sandboxed environments that use proxy-based credential injection — a pattern where the real token is held by a proxy and the child process receives a placeholder value (e.g., openshell:resolve:env:COPILOT_GITHUB_TOKEN) that gets rewritten to the real token at the HTTP header level.

Reproduction Steps

1. Set COPILOT_GITHUB_TOKEN to any non-PAT-formatted string:

   export COPILOT_GITHUB_TOKEN="placeholder-token-value"
   copilot -sp "Hello"

2. The CLI immediately errors with "No authentication information found" — no HTTP request is made.

3. By contrast, setting it to a real PAT:

   export COPILOT_GITHUB_TOKEN="github_pat_<valid_token>"
   copilot -sp "Hello"

   The CLI proceeds to make HTTP requests with Authorization: token <PAT>.

Observed Behavior

• The CLI performs client-side token format validation — it checks that the env var looks like a valid GitHub PAT before even attempting an API call.
• When validation fails, the CLI exits without making any network request.
• When validation passes, the CLI sends Authorization: token <PAT> to api.gh.umua.top.

Expected Behavior

The CLI should accept any non-empty string as a token value from COPILOT_GITHUB_TOKEN and pass it through in HTTP requests. Server-side validation (401/403 responses) is sufficient to reject invalid tokens.

This would allow the CLI to work in environments where:

• A proxy intercepts outgoing requests and rewrites placeholder credentials with real ones
• The token is injected at the transport layer rather than the application layer
• Enterprise credential managers provide tokens in non-standard formats

Context

This was discovered while integrating the Copilot CLI with NVIDIA OpenShell sandboxed environments, which use L7 proxy credential injection to avoid exposing real secrets to child processes. The proxy TLS-terminates outgoing connections and rewrites Authorization headers containing placeholder values with real credentials before forwarding upstream.

The proxy credential injection works correctly for other tools (e.g., curl, gh, API clients) — only the Copilot CLI is affected because it validates the token format locally.

Additional Details

• The Copilot CLI uses Authorization: token <PAT> (not Bearer) when authenticating to api.gh.umua.top
• The client-side validation appears to check the token format/structure beyond just the github_pat_ prefix
• The undici HTTP agent is used for requests (visible in user-agent: undici header)

[htekdev]

Additional Context from Live Testing

Verified this from the OpenShell sandbox environment. When COPILOT_GITHUB_TOKEN is set to any non-PAT string (including the openshell:resolve:env:* proxy placeholder), the CLI exits immediately with "No authentication information found" — zero HTTP requests are made.

We also tried prepending github_pat_ to the placeholder to trick the format check:

COPILOT_GITHUB_TOKEN=github_pat_openshell:resolve:env:COPILOT_GITHUB_TOKEN

Still rejected — the CLI appears to validate more than just the prefix (likely the token structure/length/checksum).

By contrast, when the real PAT is set, the CLI makes requests with Authorization: token <PAT> to api.gh.umua.top — and our proxy-based credential injection successfully rewrites those headers. So the proxy side works fine; the blocker is purely the client-side validation.

For reference, all other auth formats work with the proxy injection:

• Bearer $PLACEHOLDER ✅
• token $PLACEHOLDER ✅
• Basic base64(user:$PLACEHOLDER) ✅
• ?key=$PLACEHOLDER (query param) ✅

[htekdev]

Full Context: Why This Matters for Sandboxed Environments

For context on the broader effort — here are the related issues and PRs on the NVIDIA/OpenShell side:

OpenShell Issues & PRs

Item	Description	Status
PR #476	Added Copilot as a supported provider (credential discovery, network policy)	✅ Merged
Issue #707	Missing Copilot CLI enum variant (fix available)	Open
PR #631	L7 credential injection — Basic auth + query param rewriting	Draft
Issue #630	Credential injection gap tracking	Open

How OpenShell Credential Injection Works

OpenShell sandboxes never expose real secrets to child processes. Instead:

1. Child process receives placeholder env vars: COPILOT_GITHUB_TOKEN=openshell:resolve:env:COPILOT_GITHUB_TOKEN
2. When the child makes an HTTP request, the L7 proxy TLS-terminates and inspects headers
3. The proxy replaces placeholder values with real credentials before forwarding upstream

This works for every tool we have tested — curl, gh, git, API clients — because they blindly pass the env var value into HTTP headers. We verified all auth formats:

• Authorization: Bearer <placeholder> ✅
• Authorization: token <placeholder> ✅
• Authorization: Basic base64(user:<placeholder>) ✅
• ?key=<placeholder> (query param) ✅

The Copilot CLI is the only tool that rejects the placeholder before making any network request. If the CLI accepted any non-empty string as a token and let the server validate it, the proxy injection would handle the rest — the Authorization: token <PAT> format the CLI uses is already fully supported by our rewriter.