feat(onboard): support non-interactive GitHub Copilot token auth

Add manifest-owned GitHub Copilot token support for non-interactive onboarding, including documented env fallback, ref-mode tokenRef storage, saved-profile reuse, and default model wiring that preserves existing primary model configuration.

Validation:
- pnpm test extensions/github-copilot/index.test.ts src/plugins/contracts/registry.contract.test.ts src/commands/onboard-non-interactive/local/auth-choice-inference.test.ts
- pnpm check:changed
- CI green on aadac2c8d4

CHANGELOG.md

@@ -13,6 +13,7 @@ Docs: https://docs.openclaw.ai
 
 - Matrix/E2EE: stabilize recovery and broken-device QA flows while avoiding Matrix device-cleanup sync races that could leave shutdown-time crypto work running. Thanks @gumadeiras.
 - Cron: classify isolated runs as errors from structured embedded-run execution-denial metadata, with final-output marker fallback for `SYSTEM_RUN_DENIED`, `INVALID_REQUEST`, and approval-binding refusals, so blocked commands no longer appear green in cron history. Fixes #67172; carries forward #67186. Thanks @oc-gh-dr, @hclsys, and @1yihui.
+- Onboarding/GitHub Copilot: add manifest-owned `--github-copilot-token` support for non-interactive setup, including env fallback, tokenRef storage in ref mode, saved-profile reuse, and current Copilot default-model wiring. Refs #50002 and supersedes #50003. Thanks @scottgl9.
 - Gateway/install: add a validated `--wrapper`/`OPENCLAW_WRAPPER` service install path that persists executable LaunchAgent/systemd wrappers across forced reinstalls, updates, and doctor repairs instead of falling back to raw node/bun `ProgramArguments`. Fixes #69400. (#72445) Thanks @willtmc.
 - macOS Gateway: write launchd services with a state-dir `WorkingDirectory`, use a durable state-dir temp path instead of freezing macOS session `TMPDIR`, create that temp directory before bootstrap, and label abort-shaped launchd exits as `SIGABRT/abort` in status output. Fixes #53679 and #70223; refs #71848. Thanks @dlturock, @stammi922, and @palladius.
 - Exec approvals: accept runtime-owned `source: "allow-always"` and `commandText` allowlist metadata in gateway and node approval-set payloads so Control UI round-trips no longer fail with `unexpected property 'source'`. Fixes #60000; carries forward #60064. Thanks @sd1471123, @sharkqwy, and @luoyanglang.

docs/providers/github-copilot.md

@@ -1,5 +1,5 @@
 ---
-summary: "Sign in to GitHub Copilot from OpenClaw using the device flow"
+summary: "Sign in to GitHub Copilot from OpenClaw using the device flow or non-interactive token import"
 read_when:
   - You want to use GitHub Copilot as a model provider
   - You need the `openclaw models auth login-github-copilot` flow
@@ -73,6 +73,24 @@ openclaw models auth login-github-copilot --yes
 openclaw models auth login --provider github-copilot --method device --set-default
 ```
 
+## Non-interactive onboarding
+
+If you already have a GitHub OAuth access token for Copilot, import it during
+headless setup with `openclaw onboard --non-interactive`:
+
+```bash
+openclaw onboard --non-interactive --accept-risk \
+  --auth-choice github-copilot \
+  --github-copilot-token "$COPILOT_GITHUB_TOKEN" \
+  --skip-channels --skip-health
+```
+
+You can also omit `--auth-choice`; passing `--github-copilot-token` infers the
+GitHub Copilot provider auth choice. If the flag is omitted, onboarding falls
+back to `COPILOT_GITHUB_TOKEN`, `GH_TOKEN`, then `GITHUB_TOKEN`. Use
+`--secret-input-mode ref` with `COPILOT_GITHUB_TOKEN` set to store an env-backed
+`tokenRef` instead of plaintext in `auth-profiles.json`.
+
 <AccordionGroup>
   <Accordion title="Interactive TTY required">
     The device-login flow requires an interactive TTY. Run it directly in a
@@ -122,8 +140,8 @@ openclaw models auth login --provider github-copilot --method device --set-defau
 </AccordionGroup>
 
 <Warning>
-Requires an interactive TTY. Run the login command directly in a terminal, not
+The device-login command requires an interactive TTY. Use non-interactive
-inside a headless script or CI job.
+onboarding when you need headless setup.
 </Warning>
 
 ## Memory search embeddings

extensions/github-copilot/index.test.ts

@@ -1,4 +1,11 @@
-import { describe, expect, it, vi } from "vitest";
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import {
+  clearRuntimeAuthProfileStoreSnapshots,
+  ensureAuthProfileStore,
+} from "../../src/agents/auth-profiles.js";
 import { createTestPluginApi } from "../../test/helpers/plugins/plugin-api.js";
 
 const resolveCopilotApiTokenMock = vi.hoisted(() => vi.fn());
@@ -12,6 +19,19 @@ vi.mock("./register.runtime.js", () => ({
 
 import plugin from "./index.js";
 
+const tempDirs: string[] = [];
+
+afterEach(async () => {
+  clearRuntimeAuthProfileStoreSnapshots();
+  await Promise.all(tempDirs.splice(0).map((dir) => fs.rm(dir, { recursive: true, force: true })));
+});
+
+async function createAgentDir() {
+  const dir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-github-copilot-test-"));
+  tempDirs.push(dir);
+  return dir;
+}
+
 function _registerProvider() {
   return registerProviderWithPluginConfig({});
 }
@@ -116,4 +136,234 @@ describe("github-copilot plugin", () => {
       },
     });
   });
+
+  it("stores GitHub Copilot token from non-interactive onboarding", async () => {
+    const provider = registerProviderWithPluginConfig({});
+    const method = provider.auth[0];
+    const agentDir = await createAgentDir();
+    const runtime = { error: vi.fn(), exit: vi.fn() };
+
+    const result = await method.runNonInteractive({
+      authChoice: "github-copilot",
+      config: {},
+      baseConfig: {},
+      opts: { githubCopilotToken: "ghu_test\r\n123" },
+      runtime,
+      agentDir,
+      resolveApiKey: vi.fn(async () => ({
+        key: "ghu_test123",
+        source: "flag" as const,
+      })),
+      toApiKeyCredential: vi.fn(),
+    });
+
+    expect(runtime.error).not.toHaveBeenCalled();
+    expect(result?.auth?.profiles?.["github-copilot:github"]).toEqual({
+      provider: "github-copilot",
+      mode: "token",
+    });
+    expect(result?.agents?.defaults?.model).toEqual({
+      primary: "github-copilot/claude-opus-4.7",
+    });
+    expect(result?.agents?.defaults?.models?.["github-copilot/claude-opus-4.7"]).toEqual({});
+
+    const profile = ensureAuthProfileStore(agentDir).profiles["github-copilot:github"];
+    expect(profile).toEqual({
+      type: "token",
+      provider: "github-copilot",
+      token: "ghu_test123",
+    });
+  });
+
+  it("stores env-backed token refs for non-interactive onboarding ref mode", async () => {
+    const provider = registerProviderWithPluginConfig({});
+    const method = provider.auth[0];
+    const agentDir = await createAgentDir();
+    const runtime = { error: vi.fn(), exit: vi.fn() };
+
+    const result = await method.runNonInteractive({
+      authChoice: "github-copilot",
+      config: { agents: { defaults: { model: { fallbacks: ["openai/gpt-5.4"] } } } },
+      baseConfig: {},
+      opts: { secretInputMode: "ref" },
+      runtime,
+      agentDir,
+      resolveApiKey: vi.fn(async () => ({
+        key: "ghu_from_env",
+        source: "env" as const,
+        envVarName: "COPILOT_GITHUB_TOKEN",
+      })),
+      toApiKeyCredential: vi.fn(),
+    });
+
+    expect(runtime.error).not.toHaveBeenCalled();
+    expect(result?.agents?.defaults?.model).toEqual({
+      fallbacks: ["openai/gpt-5.4"],
+      primary: "github-copilot/claude-opus-4.7",
+    });
+
+    const profile = ensureAuthProfileStore(agentDir).profiles["github-copilot:github"];
+    expect(profile).toEqual({
+      type: "token",
+      provider: "github-copilot",
+      tokenRef: {
+        source: "env",
+        provider: "default",
+        id: "COPILOT_GITHUB_TOKEN",
+      },
+    });
+  });
+
+  it("falls back to GH_TOKEN during non-interactive onboarding", async () => {
+    const provider = registerProviderWithPluginConfig({});
+    const method = provider.auth[0];
+    const agentDir = await createAgentDir();
+    const runtime = { error: vi.fn(), exit: vi.fn() };
+    const resolveApiKey = vi.fn(async ({ envVar }: { envVar?: string }) =>
+      envVar === "GH_TOKEN"
+        ? {
+            key: "ghu_from_gh_token",
+            source: "env" as const,
+            envVarName: "GH_TOKEN",
+          }
+        : null,
+    );
+
+    const result = await method.runNonInteractive({
+      authChoice: "github-copilot",
+      config: {},
+      baseConfig: {},
+      opts: {},
+      runtime,
+      agentDir,
+      resolveApiKey,
+      toApiKeyCredential: vi.fn(),
+    });
+
+    expect(runtime.error).not.toHaveBeenCalled();
+    expect(resolveApiKey).toHaveBeenCalledWith(
+      expect.objectContaining({ envVar: "COPILOT_GITHUB_TOKEN" }),
+    );
+    expect(resolveApiKey).toHaveBeenCalledWith(expect.objectContaining({ envVar: "GH_TOKEN" }));
+    expect(result?.auth?.profiles?.["github-copilot:github"]).toEqual({
+      provider: "github-copilot",
+      mode: "token",
+    });
+
+    const profile = ensureAuthProfileStore(agentDir).profiles["github-copilot:github"];
+    expect(profile).toEqual({
+      type: "token",
+      provider: "github-copilot",
+      token: "ghu_from_gh_token",
+    });
+  });
+
+  it("preserves an existing primary model during non-interactive onboarding", async () => {
+    const provider = registerProviderWithPluginConfig({});
+    const method = provider.auth[0];
+    const agentDir = await createAgentDir();
+    const runtime = { error: vi.fn(), exit: vi.fn() };
+
+    const result = await method.runNonInteractive({
+      authChoice: "github-copilot",
+      config: {
+        agents: {
+          defaults: {
+            model: {
+              primary: "github-copilot/gpt-5.4",
+              fallbacks: ["openai/gpt-5.4"],
+            },
+            models: {
+              "github-copilot/gpt-5.4": { label: "Existing" },
+            },
+          },
+        },
+      },
+      baseConfig: {},
+      opts: { githubCopilotToken: "ghu_test" },
+      runtime,
+      agentDir,
+      resolveApiKey: vi.fn(async () => ({
+        key: "ghu_test",
+        source: "flag" as const,
+      })),
+      toApiKeyCredential: vi.fn(),
+    });
+
+    expect(runtime.error).not.toHaveBeenCalled();
+    expect(result?.agents?.defaults?.model).toEqual({
+      primary: "github-copilot/gpt-5.4",
+      fallbacks: ["openai/gpt-5.4"],
+    });
+    expect(result?.agents?.defaults?.models).toEqual({
+      "github-copilot/gpt-5.4": { label: "Existing" },
+    });
+  });
+
+  it("reuses an existing token profile during non-interactive onboarding", async () => {
+    const provider = registerProviderWithPluginConfig({});
+    const method = provider.auth[0];
+    const agentDir = await createAgentDir();
+    const runtime = { error: vi.fn(), exit: vi.fn() };
+    await fs.writeFile(
+      path.join(agentDir, "auth-profiles.json"),
+      JSON.stringify({
+        version: 1,
+        profiles: {
+          "github-copilot:github": {
+            type: "token",
+            provider: "github-copilot",
+            token: "existing-token",
+          },
+        },
+      }),
+    );
+
+    const result = await method.runNonInteractive({
+      authChoice: "github-copilot",
+      config: {},
+      baseConfig: {},
+      opts: {},
+      runtime,
+      agentDir,
+      resolveApiKey: vi.fn(async () => null),
+      toApiKeyCredential: vi.fn(),
+    });
+
+    expect(runtime.error).not.toHaveBeenCalled();
+    expect(result?.auth?.profiles?.["github-copilot:github"]).toEqual({
+      provider: "github-copilot",
+      mode: "token",
+    });
+  });
+
+  it("does not emit a second missing-token error after ref-mode flag validation fails", async () => {
+    const provider = registerProviderWithPluginConfig({});
+    const method = provider.auth[0];
+    const agentDir = await createAgentDir();
+    const runtime = { error: vi.fn(), exit: vi.fn() };
+
+    const result = await method.runNonInteractive({
+      authChoice: "github-copilot",
+      config: {},
+      baseConfig: {},
+      opts: {
+        githubCopilotToken: "ghu_secret",
+        secretInputMode: "ref",
+      },
+      runtime,
+      agentDir,
+      resolveApiKey: vi.fn(async () => null),
+      toApiKeyCredential: vi.fn(),
+    });
+
+    expect(result).toBeNull();
+    expect(runtime.error).toHaveBeenCalledTimes(1);
+    expect(runtime.error).toHaveBeenCalledWith(
+      [
+        "--github-copilot-token cannot be used with --secret-input-mode ref unless COPILOT_GITHUB_TOKEN, GH_TOKEN, or GITHUB_TOKEN is set in env.",
+        "Set one of those env vars and omit --github-copilot-token, or use --secret-input-mode plaintext.",
+      ].join("\n"),
+    );
+  });
 });

extensions/github-copilot/index.ts

@@ -1,6 +1,18 @@
 import { resolvePluginConfigObject, type OpenClawConfig } from "openclaw/plugin-sdk/config-runtime";
-import { definePluginEntry, type ProviderAuthContext } from "openclaw/plugin-sdk/plugin-entry";
+import {
-import { ensureAuthProfileStore } from "openclaw/plugin-sdk/provider-auth";
+  definePluginEntry,
+  type ProviderAuthContext,
+  type ProviderAuthMethodNonInteractiveContext,
+} from "openclaw/plugin-sdk/plugin-entry";
+import {
+  applyAuthProfileConfig,
+  coerceSecretRef,
+  ensureAuthProfileStore,
+  listProfilesForProvider,
+  normalizeOptionalSecretInput,
+  resolveDefaultSecretProviderAlias,
+  upsertAuthProfileWithLock,
+} from "openclaw/plugin-sdk/provider-auth";
 import { normalizeOptionalLowercaseString } from "openclaw/plugin-sdk/text-runtime";
 import { resolveFirstGithubToken } from "./auth.js";
 import { githubCopilotMemoryEmbeddingProviderAdapter } from "./embeddings.js";
@@ -9,6 +21,8 @@ import { buildGithubCopilotReplayPolicy } from "./replay-policy.js";
 import { wrapCopilotProviderStream } from "./stream.js";
 
 const COPILOT_ENV_VARS = ["COPILOT_GITHUB_TOKEN", "GH_TOKEN", "GITHUB_TOKEN"];
+const DEFAULT_COPILOT_MODEL = "github-copilot/claude-opus-4.7";
+const DEFAULT_COPILOT_PROFILE_ID = "github-copilot:github";
 const COPILOT_XHIGH_MODEL_IDS = ["gpt-5.4", "gpt-5.3-codex", "gpt-5.2", "gpt-5.2-codex"] as const;
 
 type GithubCopilotPluginConfig = {
@@ -20,6 +34,187 @@ type GithubCopilotPluginConfig = {
 async function loadGithubCopilotRuntime() {
   return await import("./register.runtime.js");
 }
+
+function applyCopilotDefaultModel(cfg: OpenClawConfig): OpenClawConfig {
+  const defaults = cfg.agents?.defaults;
+  const existingModel = defaults?.model;
+  const existingPrimary =
+    typeof existingModel === "string"
+      ? existingModel.trim()
+      : typeof existingModel === "object" && typeof existingModel?.primary === "string"
+        ? existingModel.primary.trim()
+        : "";
+  if (existingPrimary) {
+    return cfg;
+  }
+  const fallbacks =
+    typeof existingModel === "object" && existingModel !== null && "fallbacks" in existingModel
+      ? (existingModel as { fallbacks?: string[] }).fallbacks
+      : undefined;
+  return {
+    ...cfg,
+    agents: {
+      ...cfg.agents,
+      defaults: {
+        ...defaults,
+        model: {
+          ...(fallbacks ? { fallbacks } : undefined),
+          primary: DEFAULT_COPILOT_MODEL,
+        },
+        models: {
+          ...defaults?.models,
+          [DEFAULT_COPILOT_MODEL]: defaults?.models?.[DEFAULT_COPILOT_MODEL] ?? {},
+        },
+      },
+    },
+  };
+}
+
+function resolveExistingCopilotTokenProfileId(agentDir?: string): string | undefined {
+  const authStore = ensureAuthProfileStore(agentDir, {
+    allowKeychainPrompt: false,
+  });
+  return listProfilesForProvider(authStore, PROVIDER_ID).find((profileId) => {
+    const profile = authStore.profiles[profileId];
+    if (profile?.type !== "token") {
+      return false;
+    }
+    return Boolean(
+      normalizeOptionalSecretInput(profile.token) || coerceSecretRef(profile.tokenRef)?.id.trim(),
+    );
+  });
+}
+
+async function resolveCopilotNonInteractiveToken(
+  ctx: ProviderAuthMethodNonInteractiveContext,
+  flagValue: string | undefined,
+) {
+  const resolveFromEnvChain = async () => {
+    for (const envVar of COPILOT_ENV_VARS) {
+      const resolved = await ctx.resolveApiKey({
+        provider: PROVIDER_ID,
+        flagName: "--github-copilot-token",
+        envVar,
+        envVarName: envVar,
+        allowProfile: false,
+        required: false,
+      });
+      if (resolved) {
+        return resolved;
+      }
+    }
+    return null;
+  };
+
+  if (ctx.opts.secretInputMode === "ref") {
+    const resolved = await resolveFromEnvChain();
+    if (resolved) {
+      return resolved;
+    }
+    if (flagValue) {
+      ctx.runtime.error(
+        [
+          "--github-copilot-token cannot be used with --secret-input-mode ref unless COPILOT_GITHUB_TOKEN, GH_TOKEN, or GITHUB_TOKEN is set in env.",
+          "Set one of those env vars and omit --github-copilot-token, or use --secret-input-mode plaintext.",
+        ].join("\n"),
+      );
+      ctx.runtime.exit(1);
+    }
+    return null;
+  }
+
+  const primary = await ctx.resolveApiKey({
+    provider: PROVIDER_ID,
+    flagValue,
+    flagName: "--github-copilot-token",
+    envVar: COPILOT_ENV_VARS[0],
+    envVarName: COPILOT_ENV_VARS[0],
+    allowProfile: false,
+    required: false,
+  });
+  if (primary || flagValue) {
+    return primary;
+  }
+
+  for (const envVar of COPILOT_ENV_VARS.slice(1)) {
+    const resolved = await ctx.resolveApiKey({
+      provider: PROVIDER_ID,
+      flagName: "--github-copilot-token",
+      envVar,
+      envVarName: envVar,
+      allowProfile: false,
+      required: false,
+    });
+    if (resolved) {
+      return resolved;
+    }
+  }
+  return null;
+}
+
+async function runGitHubCopilotNonInteractiveAuth(
+  ctx: ProviderAuthMethodNonInteractiveContext,
+): Promise<OpenClawConfig | null> {
+  const opts = ctx.opts as Record<string, unknown> | undefined;
+  const flagValue = normalizeOptionalSecretInput(opts?.githubCopilotToken);
+  const resolved = await resolveCopilotNonInteractiveToken(ctx, flagValue);
+
+  let profileId = DEFAULT_COPILOT_PROFILE_ID;
+  if (resolved) {
+    const useTokenRef = ctx.opts.secretInputMode === "ref" && resolved.source === "env";
+    if (useTokenRef && !resolved.envVarName) {
+      ctx.runtime.error(
+        [
+          '--secret-input-mode ref requires an explicit environment variable for provider "github-copilot".',
+          "Set COPILOT_GITHUB_TOKEN in env and retry, or use --secret-input-mode plaintext.",
+        ].join("\n"),
+      );
+      ctx.runtime.exit(1);
+      return null;
+    }
+    await upsertAuthProfileWithLock({
+      profileId,
+      credential: {
+        type: "token",
+        provider: PROVIDER_ID,
+        ...(useTokenRef
+          ? {
+              tokenRef: {
+                source: "env",
+                provider: resolveDefaultSecretProviderAlias(ctx.baseConfig, "env", {
+                  preferFirstProviderForSource: true,
+                }),
+                id: resolved.envVarName!,
+              },
+            }
+          : { token: resolved.key }),
+      },
+      agentDir: ctx.agentDir,
+    });
+  } else {
+    if (flagValue && ctx.opts.secretInputMode === "ref") {
+      return null;
+    }
+    const existingProfileId = resolveExistingCopilotTokenProfileId(ctx.agentDir);
+    if (!existingProfileId) {
+      ctx.runtime.error(
+        "Missing --github-copilot-token (or COPILOT_GITHUB_TOKEN / GH_TOKEN / GITHUB_TOKEN env var) for --auth-choice github-copilot.",
+      );
+      ctx.runtime.exit(1);
+      return null;
+    }
+    profileId = existingProfileId;
+  }
+
+  return applyCopilotDefaultModel(
+    applyAuthProfileConfig(ctx.config, {
+      profileId,
+      provider: PROVIDER_ID,
+      mode: "token",
+    }),
+  );
+}
+
 export default definePluginEntry({
   id: "github-copilot",
   name: "GitHub Copilot Provider",
@@ -74,11 +269,11 @@ export default definePluginEntry({
       return {
         profiles: [
           {
-            profileId: "github-copilot:github",
+            profileId: DEFAULT_COPILOT_PROFILE_ID,
             credential,
           },
         ],
-        defaultModel: "github-copilot/claude-opus-4.7",
+        defaultModel: DEFAULT_COPILOT_MODEL,
       };
     }
 
@@ -96,6 +291,7 @@ export default definePluginEntry({
           hint: "Browser device-code flow",
           kind: "device_code",
           run: async (ctx) => await runGitHubCopilotAuth(ctx),
+          runNonInteractive: async (ctx) => await runGitHubCopilotNonInteractiveAuth(ctx),
         },
       ],
       wizard: {

extensions/github-copilot/openclaw.plugin.json

@@ -17,7 +17,11 @@
       "choiceHint": "Device login with your GitHub account",
       "groupId": "copilot",
       "groupLabel": "Copilot",
-      "groupHint": "GitHub + local proxy"
+      "groupHint": "GitHub + local proxy",
+      "optionKey": "githubCopilotToken",
+      "cliFlag": "--github-copilot-token",
+      "cliOption": "--github-copilot-token <token>",
+      "cliDescription": "GitHub Copilot OAuth token"
     }
   ],
   "configSchema": {

src/plugins/contracts/registry.contract.test.ts

@@ -120,6 +120,26 @@ describe("plugin contract registry", () => {
     }
   });
 
+  it("exposes the GitHub Copilot non-interactive onboarding token flag from manifest metadata", () => {
+    const registry = loadPluginManifestRegistry({});
+    const plugin = registry.plugins.find(
+      (entry) => entry.origin === "bundled" && entry.id === "github-copilot",
+    );
+
+    expect(plugin?.providerAuthChoices).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({
+          provider: "github-copilot",
+          method: "device",
+          choiceId: "github-copilot",
+          optionKey: "githubCopilotToken",
+          cliFlag: "--github-copilot-token",
+          cliOption: "--github-copilot-token <token>",
+        }),
+      ]),
+    );
+  });
+
   it("covers every bundled speech plugin discovered from manifests", () => {
     expectRegistryPluginIds({
       actualPluginIds: pluginRegistrationContractRegistry