
Add optional Copilot budget extras #1273

Open

Quicksaver wants to merge 10 commits into steipete:main from Quicksaver:feature/copilot-budgets

Conversation

@Quicksaver
Contributor

Summary

This PR adds an opt-in Copilot budget extras feature. When enabled, CodexBar keeps the existing Copilot usage fetch via the GitHub Copilot internal API, then best-effort fetches the user's configured GitHub billing budgets from the logged-in GitHub web billing endpoint and renders matching Copilot budgets as extra menu bars.

The feature is disabled by default. If the budget fetch fails, is unauthenticated, or returns no positive Copilot-related budgets, the normal Copilot usage bars remain unchanged.

Note: I cannot test organization-based budgets, therefore I have not implemented them. These would be more easily fetched via the documented API endpoints, without requiring web-based cookie auth. Leaving this note here in case anyone cares to implement it in a follow-up.

Motivation

Budgets play an increasingly crucial role now, with the coming (now present) changes to GitHub Copilot billing becoming token-usage based, as it will become much easier to hit the plan's included usage and trigger configured budgets.

What Changed

  • Added CopilotBudgetWebFetcher, which fetches https://github.com/settings/billing/budgets?page=<page>&page_size=10&scope=customer using github.com web cookies and maps positive Copilot-related budgets into extraRateWindows.
  • Supports the observed GitHub web response shape, including payload.budgets, uuid, pricingTargetId, pricingTargetType, targetName, targetAmount, and currentAmount.
  • Normalizes Copilot budget selectors for product-level, bundled premium request, cloud/coding agent premium request, and Spark premium request budgets.
  • Adds budget bar titles in the form Budget - <budget type>, for example Budget - All Premium Request SKUs.
  • Adds Copilot provider settings for:
    • Budget extras, disabled by default.
    • GitHub cookie source selection, defaulting to automatic Chrome-only import to avoid prompting unrelated browsers.
    • Manual GitHub Cookie header entry with an explicit refresh action.
    • Menu bar secondary metric, allowing the icon's second meter to use Chat or a specific budget bar.
  • Ensures budget extras are hidden when disabled, including the settings preview, menu card, and reset snapshot state.
  • Documents the Copilot data sources and the optional GitHub web budget endpoint in docs/copilot.md.

Safety And Fallbacks

  • Budget fetching is best-effort and does not block primary Copilot usage.
  • Public GitHub REST billing APIs are not used here because they did not expose the tested personal budget list.
  • Manual cookie headers are only used in manual mode; automatic mode ignores stale manual values and uses cached/imported browser cookies.
  • Invalid budget JSON maps to a controlled invalidResponse error.
  • Cached cookie non-auth failures are surfaced instead of silently falling through to browser import.
  • GitHub nonce lookup is best-effort; if unavailable, the budget request is still attempted.

Tests

Validated during the review/assessment pass:

  • swift test --filter CopilotBudgetWebFetcherTests
  • swift test --filter CopilotBudgetCookieRoutingTests
  • swift test --filter BrowserCookieOrderStatusStringTests
  • swift test --filter ProviderSettingsDescriptorTests
  • swift test --filter ProvidersPaneCoverageTests
  • swift test --filter MenuCardModelTests
  • make check
  • swift test

Final full-suite rerun passed with 3,235 tests in 386 suites.

Review Notes

Main agent was GPT-5.5 on high reasoning with user oversight.

Code was assessed with CodeRabbit, Codex review, and LGTM (Copilot Code Review + Gemini 3.1 Pro Preview + Claude Sonnet 4.6 + Claude Opus 4.8 + Raptor mini). Review fixes landed for cookie import defaults, cookie routing, fetch error handling, malformed amount parsing, manual-cookie refresh UX, budget extras default state, docs, settings preview behavior, centralized UsageSnapshot extra-window copying, reset-baseline cleanup, pagination cap logging, and dead overload removal. The final Codex review reported no remaining findings.

Proof

Three screenshots attached (taken 2026-06-01 at 19:08:18, 19:08:54 and 19:09:33).

- Import optional GitHub web budget windows for Copilot
- Add settings for budget extras, cookies, and icon selection
- Cover the new resolver, fetcher, and settings persistence
- Default Copilot budget cookie import to Chrome only

- Surface budget fetch and decode failures consistently

- Cover cookie defaults and invalid budget JSON
- Ignore stale manual cookies when budget cookies are auto
- Cover Copilot budget cookie source routing
- Default budget extras off unless explicitly enabled
- Harden budget web fetch and manual cookie refresh
- Document budget cookie and reset heuristics
- Forward the budget extras setting into provider previews

- Cover Copilot preview budget visibility
- Centralize UsageSnapshot extra-window copying
- Clear Copilot reset baselines consistently
- Remove dead Copilot budget overloads
- Log when budget pagination hits the page cap
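
To make the budget mapping described in the PR summary concrete, here is an added example written for this page; it is not CodexBar's code and not the PR's diff. It assumes the field names the description lists (payload.budgets, uuid, pricingTargetId, pricingTargetType, targetName, targetAmount, currentAmount) and the page_size=10 pagination; the Copilot selector strings, the page cap value, the ExtraRateWindow type, the BudgetFetchError enum and the sample budgets are hypothetical. The page loader is injected, so the sample runs offline: it decodes a constructed page with a lenient amount decoder, keeps only positive Copilot-related budgets, titles them Budget - <budget type>, maps JSON that does not match the shape to a controlled invalidResponse error, and logs when pagination hits the cap.

```swift
import Foundation

// Added illustration; not CodexBar's code. Selector strings, page cap and types are assumptions.

/// Stand-in for the PR's controlled `invalidResponse` error.
enum BudgetFetchError: Error {
    case invalidResponse(String)
}

/// Amount field that accepts a JSON number or a numeric string; anything else becomes nil,
/// so one malformed amount drops that budget instead of failing the whole fetch.
struct LenientAmount: Decodable {
    let value: Double?
    init(from decoder: Decoder) throws {
        let c = try decoder.singleValueContainer()
        if let d = try? c.decode(Double.self) {
            value = d
        } else if let s = try? c.decode(String.self) {
            value = Double(s.trimmingCharacters(in: .whitespaces))
        } else {
            value = nil
        }
    }
}

/// One entry of payload.budgets, using the field names given in the PR description.
struct WebBudget: Decodable {
    let uuid: String
    let pricingTargetId: String
    let pricingTargetType: String
    let targetName: String
    let targetAmount: LenientAmount
    let currentAmount: LenientAmount
}

struct WebBudgetPage: Decodable {
    struct Payload: Decodable { let budgets: [WebBudget] }
    let payload: Payload
}

/// Hypothetical extra menu bar window, standing in for the PR's extraRateWindows entries.
struct ExtraRateWindow: Equatable {
    let title: String
    let used: Double
    let limit: Double
}

/// Copilot selector check. The real pricing target identifiers are not shown on the page,
/// so this matches on substrings that cover product-level and premium-request budgets.
func isCopilotBudget(_ b: WebBudget) -> Bool {
    let haystack = (b.pricingTargetId + " " + b.targetName).lowercased()
    return haystack.contains("copilot") || haystack.contains("premium request")
}

/// Any shape mismatch (including an HTML login page instead of JSON) becomes invalidResponse.
func decodeBudgetPage(_ data: Data) throws -> [WebBudget] {
    do {
        return try JSONDecoder().decode(WebBudgetPage.self, from: data).payload.budgets
    } catch {
        throw BudgetFetchError.invalidResponse("budget JSON did not match expected shape: \(error)")
    }
}

/// Walks ?page=N&page_size=10 until a short page or the (assumed) page cap.
func fetchCopilotBudgetWindows(pageSize: Int = 10, pageCap: Int = 10,
                               loadPage: (Int) throws -> Data,
                               log: (String) -> Void = { print($0) }) throws -> [ExtraRateWindow] {
    var windows: [ExtraRateWindow] = []
    var page = 1
    while true {
        let budgets = try decodeBudgetPage(try loadPage(page))
        for b in budgets where isCopilotBudget(b) {
            // Only positive budgets with parseable amounts become bars.
            guard let limit = b.targetAmount.value, limit > 0, let used = b.currentAmount.value else {
                log("skipping budget \(b.uuid): non-positive or malformed amount")
                continue
            }
            windows.append(ExtraRateWindow(title: "Budget - \(b.targetName)", used: used, limit: limit))
        }
        if budgets.count < pageSize { break }
        if page >= pageCap {
            log("budget pagination hit page cap \(pageCap); stopping")
            break
        }
        page += 1
    }
    return windows
}

// Constructed sample page: a positive Copilot budget with a string amount, a zero budget,
// a malformed amount, and an unrelated product that must not produce a bar.
let samplePage = """
{"payload":{"budgets":[
 {"uuid":"b1","pricingTargetId":"copilot_premium_requests","pricingTargetType":"sku","targetName":"All Premium Request SKUs","targetAmount":25,"currentAmount":"4.50"},
 {"uuid":"b2","pricingTargetId":"copilot","pricingTargetType":"product","targetName":"Copilot","targetAmount":0,"currentAmount":0},
 {"uuid":"b3","pricingTargetId":"copilot_spark","pricingTargetType":"sku","targetName":"Spark Premium Requests","targetAmount":"n/a","currentAmount":1},
 {"uuid":"b4","pricingTargetId":"actions","pricingTargetType":"product","targetName":"Actions","targetAmount":100,"currentAmount":12}
]}}
""".data(using: .utf8)!

let windows = try fetchCopilotBudgetWindows(loadPage: { _ in samplePage })
print(windows)
```

Wiring this to the real endpoint means having the page loader fetch https://github.com/settings/billing/budgets?page=N&page_size=10&scope=customer with the github.com Cookie header. An unauthenticated session that answers with a login page then fails inside decodeBudgetPage as invalidResponse rather than crashing, which matches the fallback the description promises (the normal Copilot usage bars stay unchanged); the PR itself distinguishes an unauthenticated result from a shape mismatch, which this example deliberately folds together.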

@clawsweeper

clawsweeper Bot commented Jun 1, 2026

Codex review: needs maintainer review before merge. Reviewed June 2, 2026, 5:14 AM ET / 09:14 UTC.

Summary
The PR adds opt-in Copilot budget bars fetched from GitHub billing web cookies, with settings, menu/icon integration, docs, and tests.

Reproducibility: not applicable. This is an opt-in feature PR rather than a bug report with a failing current-main path. Source and screenshots show the new behavior path, but there is no current-main failure to reproduce.

Review metrics: 2 noteworthy metrics.

  • Diff scope: 29 files, +2210/-17. The feature spans provider fetching, settings persistence, menu/icon rendering, docs, and tests, so the sign-off needs to cover the full flow.
  • Current-main drift: 3 main-only commits. The branch is behind current main, so maintainers should verify the final merge result after accepting the auth/privacy behavior.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🐚 platinum hermit ✨ media proof bonus
Patch quality: 🦐 gold shrimp
Result: needs maintainer review before merge.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Obtain explicit maintainer sign-off for the opt-in GitHub web-cookie billing surface.
  • Refresh or inspect the merge result against current main before landing.

Risk before merge

  • [P1] The feature intentionally adds GitHub browser/manual cookie access to the Copilot provider, so maintainer privacy/auth sign-off remains required before merge.
  • [P1] The PR branch is behind current main by recent Copilot token-billing and changelog commits; the merge result should be refreshed or inspected before landing.

Maintainer options:

  1. Approve the auth surface (recommended)
    A maintainer should explicitly accept the opt-in use of github.com browser/manual cookies for Copilot billing budgets before this lands.
  2. Refresh the merge result
    After sign-off, refresh or inspect the merge result against current main so the recent Copilot token-billing fix remains intact.

Next step before merge

  • [P2] The remaining action is maintainer product/security approval for GitHub web-cookie billing access, not a narrow automated repair.

Security
Needs attention: The diff intentionally expands Copilot into GitHub web-cookie billing access, which is security-sensitive and needs maintainer acceptance before merge.

Review details

Best possible solution:

Merge only after a maintainer explicitly accepts the opt-in GitHub billing-cookie surface and the branch is refreshed or checked against current main.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is an opt-in feature PR rather than a bug report with a failing current-main path. Source and screenshots show the new behavior path, but there is no current-main failure to reproduce.

Is this the best way to solve the issue?

Mostly yes at the implementation level: the fetch is opt-in, best-effort, Chrome-only by default, and account-bound. It still needs maintainer product/security approval because the chosen solution relies on GitHub web billing cookies.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against dc4e4835bc6e.

Label changes

Label changes:

  • add rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🐚 platinum hermit and patch quality is 🦐 gold shrimp.
  • remove rating: 🦪 silver shellfish: Current PR rating is rating: 🦐 gold shrimp, so this older rating label is no longer current.

Label justifications:

  • P2: This is a bounded provider feature with meaningful auth/privacy review needs but no urgent regression signal.
  • merge-risk: 🚨 auth-provider: The PR adds browser/manual GitHub cookie routing to the Copilot provider, changing how auth material is selected for an optional fetch.
  • merge-risk: 🚨 security-boundary: The PR uses github.com billing web cookies and manual Cookie headers, expanding the sensitive credential surface.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🐚 platinum hermit and patch quality is 🦐 gold shrimp.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (screenshot): The attached screenshots were inspected and show after-change Copilot budget bars/settings controls in the real app UI.
  • proof: sufficient: Contributor real behavior proof is sufficient. The attached screenshots were inspected and show after-change Copilot budget bars/settings controls in the real app UI.
  • proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The attached screenshots were inspected and show after-change Copilot budget bars/settings controls in the real app UI.

Evidence reviewed

Security concerns:

  • [medium] New GitHub billing-cookie surface needs sign-off — Sources/CodexBarCore/Providers/Copilot/CopilotBudgetWebFetcher.swift:349
    The PR uses browser or manual github.com Cookie headers for billing budget requests; even opt-in and account-bound, this changes the provider credential boundary and should be explicitly accepted by maintainers.
    Confidence: 0.86

What I checked:

Likely related people:

  • steipete: Current-main Copilot provider descriptor, usage fetcher, provider settings snapshot, cookie import defaults, and settings infrastructure largely trace to commit 3f41906 by Peter Steinberger. (role: introduced behavior; confidence: medium; commits: 3f419060f875; files: Sources/CodexBarCore/Providers/Copilot/CopilotUsageFetcher.swift, Sources/CodexBarCore/Providers/Copilot/CopilotProviderDescriptor.swift, Sources/CodexBarCore/Providers/ProviderSettingsSnapshot.swift)
  • Yash Raj Pandey: Recent current-main Copilot usage handling work changed CopilotUsageFetcher and its tests for token-billing quota behavior. (role: recent area contributor; confidence: medium; commits: ffd8d75a9f39; files: Sources/CodexBarCore/Providers/Copilot/CopilotUsageFetcher.swift, Tests/CodexBarTests/CopilotUsageFetcherTests.swift)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. labels Jun 1, 2026
- Thread selected Copilot account identity into settings

- Reject budget cookie sessions for a different GitHub account

- Cover the matching and mismatched account flows in tests
- Resolve GitHub identity from the active token before cookie checks
- Cover stale selected account identifiers in budget tests
- Treat missing budget identity metadata as invalid response

- Reuse compiled meta parsing regexes and tighten test stubs
- Clear mismatched cached budget cookies before browser fallback
- Treat missing GitHub identity as an unknown account mismatch
- Cover cached mismatch and missing-identity fallback behavior

@Quicksaver
Contributor Author

Findings

  • [P1] Bind budget cookies to the selected Copilot token/account: valid, fixed. Copilot budget extras now derive the expected GitHub account from the active Copilot OAuth token, ignore stale selected-account identifiers, and require cached/imported/manual GitHub billing cookies to match before fetching budget JSON. Mismatched cached cookies are cleared so browser fallback can continue, imported mismatches are skipped, and manual mismatches leave normal Copilot usage unchanged. See CopilotProviderDescriptor.swift and CopilotBudgetWebFetcher.swift.
  • [P1] Maintainer sign-off for opt-in GitHub web-cookie billing surface: valid, still a process gate. The account-binding risk is repaired, but privacy/product sign-off is still needed before merge because the feature intentionally accesses GitHub billing via browser/manual cookies.

Proof Added

  • Mismatch and match coverage for GitHub web identity binding.
  • Provider-level tests proving mismatched manual cookies do not append budget windows or hit the budget JSON endpoint while normal Copilot usage remains intact.
  • Regression coverage proving stale selected-account identifiers are ignored in favor of the active token identity.
  • Cached-cookie fallback coverage for account mismatch and missing GitHub identity.
  • Settings snapshot coverage proving selected Copilot account identifiers flow into provider settings.

Validation

  • swift test --filter CopilotBudgetWebFetcherTests passed.
  • swift test --filter CopilotBudgetCookieRoutingTests --filter SettingsStoreCoverageTests passed.
  • make check passed.
  • swift test passed: 3243 tests in 386 suites.

@clawsweeper re-review
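
The account-binding repair described in this comment is a credential-scoping check: the github.com cookie session must belong to the same account as the active Copilot OAuth token, and each cookie source reacts differently to a mismatch. The following is an added example in Swift, not CodexBar's code and not the author's; the CookieSession and CookieMode types, the identity lookup and the sample logins are assumptions, while the decision rules follow the comment text (a cached mismatch clears the cache so browser import can continue, an imported mismatch is skipped, a manual mismatch leaves normal usage unchanged, a missing identity on either side counts as an unknown mismatch, and the persisted selected-account identifier never overrides the token identity).

```swift
import Foundation

// Added illustration of the cookie/token account-binding rule; not CodexBar's code.

enum CookieMode { case automatic, manual }
enum CookieSource { case cached, imported, manual }

/// Hypothetical cookie session with the GitHub identity already read from the billing page
/// metadata; how that identity is extracted is out of scope here.
struct CookieSession: Equatable {
    let source: CookieSource
    let cookieHeader: String
    let login: String?
}

enum BudgetCookieDecision: Equatable {
    case use(CookieSession)
    case noBudgetFetch(reason: String)   // normal Copilot usage bars stay unchanged
}

/// The persisted account selection can lag behind a token switch, so it is accepted as input
/// but never consulted: the token identity is authoritative.
func expectedLogin(tokenLogin: String?, selectedAccountLogin: String?) -> String? {
    return tokenLogin
}

/// Binding check: both identities must be known and equal. A missing identity is an
/// unknown mismatch, never a pass.
func sessionMatches(expected: String?, session: CookieSession) -> Bool {
    guard let expected = expected, let actual = session.login else { return false }
    return expected.caseInsensitiveCompare(actual) == .orderedSame
}

/// Decides which cookies, if any, may be sent to the budget endpoint.
func resolveBudgetCookies(mode: CookieMode,
                          tokenLogin: String?,
                          selectedAccountLogin: String?,
                          cached: CookieSession?,
                          importedFromBrowser: () -> CookieSession?,
                          manual: CookieSession?,
                          clearCache: () -> Void,
                          log: (String) -> Void = { print($0) }) -> BudgetCookieDecision {
    let expected = expectedLogin(tokenLogin: tokenLogin, selectedAccountLogin: selectedAccountLogin)
    switch mode {
    case .manual:
        // Manual headers are only honored in manual mode; a mismatch means no budget fetch at all.
        guard let session = manual else { return .noBudgetFetch(reason: "no manual cookie header") }
        if sessionMatches(expected: expected, session: session) { return .use(session) }
        return .noBudgetFetch(reason: "manual cookies belong to a different account")
    case .automatic:
        // Stale manual values are ignored; try the cache, then browser import.
        if let session = cached {
            if sessionMatches(expected: expected, session: session) { return .use(session) }
            log("cached budget cookies do not match \(expected ?? "<unknown>"); clearing before browser import")
            clearCache()
        }
        guard let session = importedFromBrowser() else {
            return .noBudgetFetch(reason: "no browser cookies imported")
        }
        if sessionMatches(expected: expected, session: session) { return .use(session) }
        return .noBudgetFetch(reason: "imported cookies belong to a different account; skipped")
    }
}

// Constructed sample: the cache still holds cookies for a previous account, the persisted
// selection is stale, and Chrome holds a session for the account behind the active token.
let staleCache = CookieSession(source: .cached, cookieHeader: "user_session=old", login: "bob")
let chromeSession = CookieSession(source: .imported, cookieHeader: "user_session=abc", login: "Alice")
var cacheCleared = false
let decision = resolveBudgetCookies(mode: .automatic,
                                    tokenLogin: "alice",
                                    selectedAccountLogin: "bob",
                                    cached: staleCache,
                                    importedFromBrowser: { chromeSession },
                                    manual: CookieSession(source: .manual, cookieHeader: "user_session=manual", login: nil),
                                    clearCache: { cacheCleared = true })
print(decision, "cacheCleared:", cacheCleared)
```

The reason this check matters is the confused-deputy shape of the feature: the Copilot token and the browser cookies are two independent credentials, and without binding them a budget bar could silently be rendered from whichever GitHub account happens to be logged into the browser. Treating an unreadable identity as a mismatch keeps the fail-closed property the comment claims.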

@clawsweeper

clawsweeper Bot commented Jun 2, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. labels Jun 2, 2026

Labels

merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. proof: sufficient Contributor real behavior proof is sufficient. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.
