fix: only strip classic PATs (ghp_) from Copilot ACP child env

Root cause: Copilot CLI uses its own credential store and doesn't need
env tokens. But when GITHUB_TOKEN contains a classic PAT (ghp_), Copilot
tries to use it, fails ('Authentication required'), and does NOT fall
back to its credential store.

Fix: only delete GITHUB_TOKEN/GH_TOKEN when they contain classic PATs
(ghp_ prefix). Keep OAuth tokens (gho_) and fine-grained PATs
(github_pat_) intact since Copilot supports those.

Also tighten classifyAcpError auth detection regex — the old /login/i
pattern could false-match informational messages.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Long Chen (from Dev Box)

src/adapters/AcpAdapter.ts

@@ -147,10 +147,14 @@ export class AcpAdapter implements AgentAdapter {
         const code = error.code;
         const data = error.data ? ` Details: ${JSON.stringify(error.data)}` : '';
 
-        // Authentication
-        if (/auth/i.test(msg) || /unauthorized/i.test(msg) || /login/i.test(msg)) {
+        // Debug: log raw ACP error for diagnosis
+        console.error(`[AcpAdapter] Raw ACP error: code=${code}, message="${msg}", data=${JSON.stringify(error.data)}`);
+
+        // Authentication — require explicit auth keywords, not generic "login" which
+        // can appear in informational messages (e.g. "Run copilot login")
+        if (/unauthorized|403|401/i.test(msg) || /authentication required/i.test(msg)) {
             return new Error(
-                `ACP auth_failed: ${msg}. Fix: for Copilot run \`gh auth login\` (uses gh CLI auth, not env vars). For Claude run \`claude login\` or set ANTHROPIC_API_KEY.`
+                `ACP auth_failed: ${msg}. Fix: check that .env GITHUB_TOKEN is not a classic PAT (ghp_) — Copilot doesn't support those. For Claude run \`claude login\` or set ANTHROPIC_API_KEY.`
             );
         }
 

src/utils/copilotAuthEnv.ts

@@ -0,0 +1,33 @@
+import * as path from 'path';
+
+function normalizeExecutable(executable: string): string {
+    return path.basename(executable).toLowerCase();
+}
+
+export function isCopilotCliExecutable(executable: string): boolean {
+    const normalized = normalizeExecutable(executable);
+    return normalized === 'copilot' || normalized === 'copilot.exe' || normalized === 'copilot.cmd';
+}
+
+/**
+ * Sanitize env for Copilot CLI child processes.
+ *
+ * Copilot CLI uses its own credential store and does NOT need env tokens.
+ * However, if GITHUB_TOKEN contains a classic PAT (ghp_), Copilot will
+ * try to use it, fail, and report "Authentication required" instead of
+ * falling back to its credential store. So we must remove classic PATs.
+ */
+export function sanitizeCopilotAuthEnv(env: NodeJS.ProcessEnv): void {
+    if (env.COPILOT_GITHUB_TOKEN) {
+        return;
+    }
+
+    // Remove classic PATs (ghp_) — they poison Copilot's auth flow.
+    // Keep OAuth tokens (gho_) and fine-grained PATs (github_pat_) intact.
+    if (env.GITHUB_TOKEN?.startsWith('ghp_')) {
+        delete env.GITHUB_TOKEN;
+    }
+    if (env.GH_TOKEN?.startsWith('ghp_')) {
+        delete env.GH_TOKEN;
+    }
+}