
Add optional Copilot budget extras #1273

Open
Quicksaver wants to merge 11 commits into steipete:main from Quicksaver:feature/copilot-budgets

Conversation

@Quicksaver (Contributor)

Summary

This PR adds an opt-in Copilot budget extras feature. When enabled, CodexBar keeps the existing Copilot usage fetch via the GitHub Copilot internal API, then best-effort fetches the user's configured GitHub billing budgets from the logged-in GitHub web billing endpoint and renders matching Copilot budgets as extra menu bars.

The feature is disabled by default. If the budget fetch fails, is unauthenticated, or returns no positive Copilot-related budgets, the normal Copilot usage bars remain unchanged.

Note: I cannot test organization-based budgets; therefore, I have not implemented them. These would be more easily fetched via the documented API endpoints, without requiring web-based cookie auth. Leaving this note here in case anyone cares to implement it in a follow-up.

Motivation

Budgets play an increasingly crucial role now, with the coming (now present) changes to GitHub Copilot billing becoming token-usage based, as it'll become much easier to hit the plan's included usage and trigger configured budgets.

What Changed

  • Added CopilotBudgetWebFetcher, which fetches https://github.com/settings/billing/budgets?page=<page>&page_size=10&scope=customer using github.com web cookies and maps positive Copilot-related budgets into extraRateWindows.
  • Supports the observed GitHub web response shape, including payload.budgets, uuid, pricingTargetId, pricingTargetType, targetName, targetAmount, and currentAmount.
  • Normalizes Copilot budget selectors for product-level, bundled premium request, cloud/coding agent premium request, and Spark premium request budgets.
  • Adds budget bar titles in the form Budget - <budget type>, for example Budget - All Premium Request SKUs.
  • Adds Copilot provider settings for:
    • Budget extras, disabled by default.
    • GitHub cookie source selection, defaulting to automatic Chrome-only import to avoid prompting unrelated browsers.
    • Manual GitHub Cookie header entry with an explicit refresh action.
    • Menu bar secondary metric, allowing the icon's second meter to use Chat or a specific budget bar.
  • Ensures budget extras are hidden when disabled, including the settings preview, menu card, and reset snapshot state.
  • Documents the Copilot data sources and the optional GitHub web budget endpoint in docs/copilot.md.

Safety And Fallbacks

  • Budget fetching is best-effort and does not block primary Copilot usage.
  • Public GitHub REST billing APIs are not used here because they did not expose the tested personal budget list.
  • Manual cookie headers are only used in manual mode; automatic mode ignores stale manual values and uses cached/imported browser cookies.
  • Invalid budget JSON maps to a controlled invalidResponse error.
  • Cached cookie non-auth failures are surfaced instead of silently falling through to browser import.
  • GitHub nonce lookup is best-effort; if unavailable, the budget request is still attempted.

Tests

Validated during the review/assessment pass:

  • swift test --filter CopilotBudgetWebFetcherTests
  • swift test --filter CopilotBudgetCookieRoutingTests
  • swift test --filter BrowserCookieOrderStatusStringTests
  • swift test --filter ProviderSettingsDescriptorTests
  • swift test --filter ProvidersPaneCoverageTests
  • swift test --filter MenuCardModelTests
  • make check
  • swift test

Final full-suite rerun passed with 3,235 tests in 386 suites.

Review Notes

Main agent was GPT-5.5 on high reasoning with user oversight.

Code was assessed with CodeRabbit, Codex review, and LGTM (Copilot Code Review + Gemini 3.1 Pro Preview + Claude Sonnet 4.6 + Claude Opus 4.8 + Raptor mini). Review fixes landed for cookie import defaults, cookie routing, fetch error handling, malformed amount parsing, manual-cookie refresh UX, budget extras default state, docs, settings preview behavior, centralized UsageSnapshot extra-window copying, reset-baseline cleanup, pagination cap logging, and dead overload removal. The final Codex review reported no remaining findings.

Proof

[Screenshots: 2026-06-01 at 19:08:18, 19:08:54 and 19:09:33]
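The fetch path described under "What Changed" and "Safety And Fallbacks" (the observed payload.budgets shape with uuid, pricingTargetId, pricingTargetType, targetName, targetAmount and currentAmount; positive Copilot-related budgets only; invalid JSON mapped to a controlled invalidResponse error; malformed amounts; a logged pagination cap) is worth seeing as a decoder with the failure modes handled. The block below is an added Python illustration of that logic, not CodexBar's Swift code from this PR. Everything beyond the field names is an assumption: the COPILOT_MARKERS matching terms, the five-page cap, the decision to skip an individual budget with a malformed amount rather than fail the whole response, and the identifier values in the constructed sample page. No network call is made; the page bodies are embedded.

```python
"""Decode the GitHub web billing budgets payload into Copilot extra rate
windows. Added illustration in Python; CodexBar itself is Swift."""
import json
import logging
import math
from dataclasses import dataclass
from typing import Any, Callable, Optional

log = logging.getLogger("copilot-budgets")

PAGE_SIZE = 10  # matches the page_size=10 query parameter in the PR
PAGE_CAP = 5    # assumed upper bound on pages walked; logged when reached

# Assumed matching terms: a budget whose pricingTargetId, pricingTargetType
# or targetName mentions one of these is treated as Copilot-related.
COPILOT_MARKERS = ("copilot", "premium request")


class InvalidResponse(ValueError):
    """Controlled error for bodies that are not the expected JSON shape."""


@dataclass(frozen=True)
class RateWindow:
    title: str
    used: float
    limit: float

    @property
    def fraction(self) -> float:
        return self.used / self.limit


def parse_amount(value: Any) -> Optional[float]:
    """Accept 50, 12.5, "20.00" or "$1,000.00"; reject bool, None, NaN/inf
    and junk strings so a malformed amount never becomes a meter."""
    if isinstance(value, bool):
        return None
    if isinstance(value, (int, float)):
        number = float(value)
    elif isinstance(value, str):
        try:
            number = float(value.strip().lstrip("$").replace(",", ""))
        except ValueError:
            return None
    else:
        return None
    return number if math.isfinite(number) else None


def is_copilot_budget(budget: dict) -> bool:
    haystack = " ".join(
        str(budget.get(key, ""))
        for key in ("pricingTargetId", "pricingTargetType", "targetName")
    ).lower()
    return any(marker in haystack for marker in COPILOT_MARKERS)


def decode_page(body: str) -> list:
    """Return payload.budgets or raise InvalidResponse; never guess at shape."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise InvalidResponse(f"budgets page is not JSON: {exc}") from None
    payload = doc.get("payload") if isinstance(doc, dict) else None
    budgets = payload.get("budgets") if isinstance(payload, dict) else None
    if not isinstance(budgets, list):
        raise InvalidResponse("missing payload.budgets")
    return [b for b in budgets if isinstance(b, dict)]


def budget_windows(fetch_page: Callable[[int], str]) -> list:
    """Walk pages 1..PAGE_CAP and stop at the first short page. Only positive
    Copilot-related budgets with well-formed amounts become windows."""
    windows = []
    for page in range(1, PAGE_CAP + 1):
        budgets = decode_page(fetch_page(page))
        for budget in budgets:
            if not is_copilot_budget(budget):
                continue
            limit = parse_amount(budget.get("targetAmount"))
            used = parse_amount(budget.get("currentAmount"))
            if limit is None or used is None:
                log.warning("skipping budget %s: malformed amount", budget.get("uuid"))
                continue
            if limit <= 0:
                continue  # a zero budget is not a meter; normal bars stay as-is
            name = budget.get("targetName") or budget.get("pricingTargetId") or "Copilot"
            windows.append(RateWindow(f"Budget - {name}", used, limit))
        if len(budgets) < PAGE_SIZE:
            return windows
    log.warning("budget pagination hit the %d-page cap; later pages ignored", PAGE_CAP)
    return windows


# Constructed sample page in the shape the PR describes (field names from the
# PR; the identifier values are invented for this example).
SAMPLE_PAGE_1 = json.dumps({"payload": {"budgets": [
    {"uuid": "b1", "pricingTargetId": "copilot", "pricingTargetType": "product",
     "targetName": "Copilot", "targetAmount": 50, "currentAmount": 12.5},
    {"uuid": "b2", "pricingTargetId": "copilot_premium_requests", "pricingTargetType": "sku",
     "targetName": "All Premium Request SKUs", "targetAmount": "20.00", "currentAmount": "3"},
    {"uuid": "b3", "pricingTargetId": "actions", "pricingTargetType": "product",
     "targetName": "Actions", "targetAmount": 100, "currentAmount": 1},
    {"uuid": "b4", "pricingTargetId": "copilot_spark", "pricingTargetType": "sku",
     "targetName": "Spark Premium Requests", "targetAmount": 0, "currentAmount": 0},
    {"uuid": "b5", "pricingTargetId": "copilot", "pricingTargetType": "product",
     "targetName": "Copilot", "targetAmount": "lots", "currentAmount": 1},
]}})


def sample_fetch(page: int) -> str:
    """Stand-in for the HTTP call: one short page, then empty pages."""
    return SAMPLE_PAGE_1 if page == 1 else json.dumps({"payload": {"budgets": []}})


def always_full_page(page: int) -> str:
    """Stand-in that never returns a short page, to exercise the cap."""
    row = {"uuid": f"p{page}", "pricingTargetId": "copilot",
           "targetName": "Copilot", "targetAmount": 10, "currentAmount": 1}
    return json.dumps({"payload": {"budgets": [row] * PAGE_SIZE}})


if __name__ == "__main__":
    for window in budget_windows(sample_fetch):
        print(f"{window.title}: {window.used:.2f} / {window.limit:.2f} ({window.fraction:.0%})")
```

Run against the sample page, the Actions budget is ignored as unrelated, the zero-amount Spark budget and the budget with a non-numeric targetAmount are dropped, and two windows remain, titled in the Budget - <budget type> form the PR uses. A body that is not JSON, or JSON without payload.budgets, raises InvalidResponse rather than producing empty or partial windows, which is what lets the caller leave the normal Copilot usage bars untouched.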

clawsweeper Bot commented Jun 1, 2026

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 5:25 AM ET / 09:25 UTC.

Summary
This PR adds opt-in Copilot budget extra bars fetched from GitHub web billing budgets, plus Copilot settings, cookie routing, icon secondary metric selection, docs, and tests.

Reproducibility: not applicable. This is a new opt-in feature, not a broken current-main behavior. The PR body screenshots show the after-change menu/settings state, and source/tests cover the fetch path.

Review metrics: 2 noteworthy metrics.

  • Changed Surface: 29 files, +2217/-17. The PR spans provider core, settings UI, menu/icon presentation, docs, and tests, so the credential-boundary decision affects more than one file.
  • Proof Artifacts: 3 screenshots inspected. The screenshots directly show the visible budget bar and settings states that this feature adds.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster ✨ media proof bonus
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Get explicit maintainer approval for the GitHub web-cookie billing surface before merge.

Risk before merge

  • [P1] Merging expands the Copilot provider from OAuth/API-token usage into optional github.com browser-cookie import/cache and manual Cookie header handling for billing budgets, which needs explicit maintainer approval.
  • [P1] The budget source is an observed GitHub web billing endpoint plus HTML-derived nonce/identity metadata rather than a documented API contract, so GitHub page/API changes may hide budget extras while primary usage still works.
  • [P1] Organization-based budgets are explicitly unimplemented and untested; this PR covers personal customer-scope budgets only.

Maintainer options:

  1. Land After Explicit Credential Approval (recommended)
    A maintainer can approve the opt-in github.com web-cookie billing surface and merge with the current default-off behavior and account-binding tests.
  2. Pause For Documented API Direction
    If the project does not want to depend on the GitHub web billing page, hold this PR until a documented API or narrower org/personal budget design is chosen.
  3. Request A Narrower Credential Design
    Maintainers can ask for a reduced approach, such as manual-only cookies or a separately documented experimental mode, before reconsidering merge.

Next step before merge

  • [P2] Human maintainer approval is needed for the new GitHub web-cookie billing surface; there is no narrow code repair for ClawSweeper to queue.

Security
Needs attention: Needs maintainer attention because the diff broadens Copilot from OAuth-only usage to optional github.com browser/manual cookie access for billing budgets.

Review details

Best possible solution:

Merge only if a maintainer explicitly approves the opt-in GitHub web-cookie billing boundary; keep the feature disabled by default and treat organization budgets as separate follow-up work.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a new opt-in feature, not a broken current-main behavior. The PR body screenshots show the after-change menu/settings state, and source/tests cover the fetch path.

Is this the best way to solve the issue?

Unclear until maintainer approval; the implementation is opt-in and best-effort with account-binding coverage, but whether CodexBar should use GitHub web billing cookies is a product/security decision.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a4f278d91fe4.

Label changes

Label justifications:

  • P2: This is a useful opt-in provider feature with bounded blast radius, but it is not an urgent regression or release emergency.
  • merge-risk: 🚨 auth-provider: The diff changes Copilot credential routing by adding github.com cookie source selection, cached/imported cookies, and manual Cookie header handling.
  • merge-risk: 🚨 security-boundary: The diff broadens access to sensitive github.com web cookies and GitHub billing data, which green tests cannot approve as a product/security boundary.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes inspected screenshots showing the Copilot menu budget bar, provider settings with cached Chrome cookies and secondary metric selection, and the Budget extras toggle after enabling.
  • proof: 📸 screenshot: Contributor real behavior proof includes screenshot evidence. The PR body includes inspected screenshots showing the Copilot menu budget bar, provider settings with cached Chrome cookies and secondary metric selection, and the Budget extras toggle after enabling.

Evidence reviewed

Security concerns:

  • [medium] Approve the new github.com cookie credential path — Sources/CodexBarCore/Providers/Copilot/CopilotBudgetWebFetcher.swift:349
    When enabled, the fetcher can use cached or imported github.com cookies and the settings UI accepts a manual Cookie header; this widens the Copilot auth boundary beyond the existing OAuth token usage.
    Confidence: 0.89
  • [medium] Own the observed GitHub web billing endpoint dependency — Sources/CodexBarCore/Providers/Copilot/CopilotBudgetWebFetcher.swift:473
    The budget request relies on GitHub web billing page metadata and a customer-scope web JSON endpoint rather than a documented public API, so maintainers need to accept the privacy and stability tradeoff.
    Confidence: 0.84

What I checked:

Likely related people:

  • steipete: Local shallow-main blame for the central Copilot descriptor, usage fetcher, and docs points to Peter Steinberger's release/current-main commits, and the PR discussion already asks @steipete for explicit approval of the new credential surface. (role: current Copilot/provider area routing owner; confidence: medium; commits: 920997c6a365, a4f278d91fe4; files: Sources/CodexBarCore/Providers/Copilot/CopilotProviderDescriptor.swift, Sources/CodexBarCore/Providers/Copilot/CopilotUsageFetcher.swift, docs/copilot.md)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. labels Jun 1, 2026
@Quicksaver (Contributor, Author)

Findings

  • [P1] Bind budget cookies to the selected Copilot token/account: valid, fixed. Copilot budget extras now derive the expected GitHub account from the active Copilot OAuth token, ignore stale selected-account identifiers, and require cached/imported/manual GitHub billing cookies to match before fetching budget JSON. Mismatched cached cookies are cleared so browser fallback can continue, imported mismatches are skipped, and manual mismatches leave normal Copilot usage unchanged. See CopilotProviderDescriptor.swift and CopilotBudgetWebFetcher.swift.
  • [P1] Maintainer sign-off for opt-in GitHub web-cookie billing surface: valid, still a process gate. The account-binding risk is repaired, but privacy/product sign-off is still needed before merge because the feature intentionally accesses GitHub billing via browser/manual cookies.

Proof Added

  • Mismatch and match coverage for GitHub web identity binding.
  • Provider-level tests proving mismatched manual cookies do not append budget windows or hit the budget JSON endpoint while normal Copilot usage remains intact.
  • Regression coverage proving stale selected-account identifiers are ignored in favor of the active token identity.
  • Cached-cookie fallback coverage for account mismatch and missing GitHub identity.
  • Settings snapshot coverage proving selected Copilot account identifiers flow into provider settings.

Validation

  • swift test --filter CopilotBudgetWebFetcherTests passed.
  • swift test --filter CopilotBudgetCookieRoutingTests --filter SettingsStoreCoverageTests passed.
  • make check passed.
  • swift test passed: 3243 tests in 386 suites.

@clawsweeper re-review
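The account-binding fix described in the findings above (expected GitHub account derived from the active Copilot OAuth token, stale selected-account identifiers ignored, cached mismatches cleared so browser import can continue, imported mismatches skipped, manual mismatches leaving normal usage unchanged, missing identity treated as a mismatch) is the security-relevant decision in this PR: without it, cookies from whichever GitHub account happens to be logged into the browser would be sent to the billing endpoint and that account's budgets shown next to a different account's Copilot usage. The block below is an added Python illustration of that routing, not the project's Swift code. Assumptions: the login is read from a `<meta name="user-login">` tag on the billing page (the PR says identity comes from HTML meta tags but does not name them), the token's login is passed in already resolved, and GitHub logins are compared case-insensitively. The page bodies are constructed samples.

```python
"""Bind GitHub web-billing cookies to the account behind the active Copilot
token before any budget fetch. Added Python illustration; CodexBar is Swift."""
from enum import Enum
from html.parser import HTMLParser
from typing import Optional


class CookieSource(Enum):
    CACHED = "cached"      # cookies the app stored from an earlier import
    IMPORTED = "imported"  # cookies just read from a browser profile
    MANUAL = "manual"      # Cookie header pasted into settings


class Route(Enum):
    FETCH = "fetch budget JSON with these cookies"
    CLEAR_AND_FALL_BACK = "drop cached cookies, continue with browser import"
    SKIP = "no budget fetch; normal Copilot usage unchanged"


class _LoginMeta(HTMLParser):
    """Reads <meta name="user-login" content="..."> from a GitHub page.
    The meta name is an assumption about GitHub's markup."""

    def __init__(self) -> None:
        super().__init__()
        self.login: Optional[str] = None

    def handle_starttag(self, tag, attrs) -> None:
        if tag != "meta":
            return
        attributes = dict(attrs)
        if attributes.get("name") == "user-login" and attributes.get("content"):
            self.login = attributes["content"].strip()


def page_login(html: str) -> Optional[str]:
    """Login the billing page reports for the cookie session, or None."""
    parser = _LoginMeta()
    parser.feed(html)
    return parser.login


def route_budget_cookies(token_login: Optional[str],
                         selected_account_login: Optional[str],
                         source: CookieSource,
                         billing_page_html: str) -> Route:
    """Decide whether these cookies may be used for the budget request.

    token_login is the login resolved from the active Copilot OAuth token
    (how it is resolved is outside this example). selected_account_login is
    the identifier stored in settings; it may be stale, so it is accepted
    but deliberately plays no part in the decision.
    """
    if not token_login:
        return Route.SKIP  # nothing to bind to: never send cookies unbound
    observed = page_login(billing_page_html)
    # A page with no identity metadata is an unknown account, i.e. a mismatch.
    if observed is None or observed.casefold() != token_login.casefold():
        if source is CookieSource.CACHED:
            return Route.CLEAR_AND_FALL_BACK
        return Route.SKIP
    return Route.FETCH


# Constructed pages standing in for the GitHub billing HTML.
PAGE_ALICE = '<html><head><meta name="user-login" content="alice"></head></html>'
PAGE_BOB = '<html><head><meta name="user-login" content="bob"></head></html>'
PAGE_ANON = '<html><head><meta name="viewport" content="width=device-width"></head></html>'

if __name__ == "__main__":
    for source in CookieSource:
        print(source.value, "->", route_budget_cookies("alice", "bob", source, PAGE_BOB).value)
```

The identity check happens before the budget JSON request, so a mismatch costs one HTML page load and never sends the wrong account's cookies to the budgets endpoint. Only the cached source gets the clear-and-retry route: a cached cookie jar can simply be replaced by a fresh browser import, whereas an imported or manual mismatch has no further fallback and must leave the normal Copilot bars as they are.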

clawsweeper Bot commented Jun 2, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. labels Jun 2, 2026
Quicksaver force-pushed the feature/copilot-budgets branch from a9c9694 to 3b902c6 (June 2, 2026 10:12)
@Quicksaver (Contributor, Author)

@clawsweeper re-review

clawsweeper Bot commented Jun 2, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. and removed rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. labels Jun 2, 2026
Quicksaver force-pushed the feature/copilot-budgets branch from 3b902c6 to e6aeb62 (June 2, 2026 16:58)
@Quicksaver (Contributor, Author)

Rebased with no changes to fix a bogus workflow error, to get the green checkmark.

Quicksaver force-pushed the feature/copilot-budgets branch from e6aeb62 to 445bcf3 (June 8, 2026 10:43)
@Quicksaver (Contributor, Author)

Get explicit maintainer approval for the opt-in GitHub web-cookie billing surface.

@steipete need your explicit approval for this

- Import optional GitHub web budget windows for Copilot
- Add settings for budget extras, cookies, and icon selection
- Cover the new resolver, fetcher, and settings persistence
- Default Copilot budget cookie import to Chrome only

- Surface budget fetch and decode failures consistently

- Cover cookie defaults and invalid budget JSON
- Ignore stale manual cookies when budget cookies are auto
- Cover Copilot budget cookie source routing
- Default budget extras off unless explicitly enabled
- Harden budget web fetch and manual cookie refresh
- Document budget cookie and reset heuristics
- Forward the budget extras setting into provider previews

- Cover Copilot preview budget visibility
- Centralize UsageSnapshot extra-window copying
- Clear Copilot reset baselines consistently
- Remove dead Copilot budget overloads
- Log when budget pagination hits the page cap
- Thread selected Copilot account identity into settings

- Reject budget cookie sessions for a different GitHub account

- Cover the matching and mismatched account flows in tests
- Resolve GitHub identity from the active token before cookie checks
- Cover stale selected account identifiers in budget tests
- Treat missing budget identity metadata as invalid response

- Reuse compiled meta parsing regexes and tighten test stubs
- Clear mismatched cached budget cookies before browser fallback
- Treat missing GitHub identity as an unknown account mismatch
- Cover cached mismatch and missing-identity fallback behavior
Quicksaver force-pushed the feature/copilot-budgets branch from 445bcf3 to 06eb61b (June 9, 2026 09:18)
@Quicksaver (Contributor, Author)

@clawsweeper re-review

clawsweeper Bot commented Jun 9, 2026

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:


Labels

merge-risk: 🚨 auth-provider 🚨 Merging this PR could break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. proof: 📸 screenshot Contributor real behavior proof includes screenshot evidence. proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.
