Support pass (GPG-based password store) as a credential backend for headless servers #2071

@ashutoshkbharti

Describe the feature or problem you'd like to solve

On headless Linux servers (no desktop environment, no D-Bus session), copilot login cannot detect a system credential store and falls back to storing the OAuth token in plaintext under ~/.copilot/. This is a security concern for server environments.

Many headless server users already have GPG and pass (the standard Unix password manager) installed and configured. pass stores secrets encrypted with GPG and requires no desktop environment or D-Bus — it is the de facto credential store for headless Linux.

Tools like git (git-credential-pass), docker (docker-credential-pass), and the GitHub CLI (gh) already support pass as a credential backend.

Proposed solution

Add pass as a supported credential backend in the copilot login flow. The detection order could be:

  1. libsecret / GNOME Keyring / KDE Wallet (existing behavior, for desktop environments)
  2. pass (if the pass binary and a GPG key are available — ideal for headless servers)
  3. Plaintext fallback (existing behavior, last resort)

This would allow copilot login to automatically store and retrieve the OAuth token via pass insert copilot-cli/token and pass show copilot-cli/token, keeping it encrypted at rest with the user's GPG key.

Example prompts or workflows

  1. Headless server login (current — insecure):

    $ copilot login
    # Token stored in plaintext at ~/.copilot/
    
  2. Headless server login (proposed — secure):

    $ copilot login
    # Detects pass + GPG keyring → stores token via pass insert copilot-cli/token
    # Token encrypted at rest with user's GPG key
    
  3. SSH into server, token auto-retrieved:

    $ ssh myserver
    $ copilot
    # Token retrieved via pass show copilot-cli/token — no re-login needed
    
  4. User with existing pass setup for git/docker:

    $ pass
    Password Store
    ├── git/github.com
    ├── docker/registry
    └── copilot-cli/token    # ← new, auto-managed by copilot login
    
  5. Explicit opt-in via flag (alternative design):

    $ copilot login --credential-store pass
    

Additional context

  • Environment: Linux headless server, no D-Bus session, no GNOME/KDE
  • Current behavior: copilot login does not detect pass/GPG and falls back to plaintext storage
  • Copilot CLI version: 1.0.5
  • pass is widely used on headless Linux and is the POSIX-standard password manager: https://www.passwordstore.org/
  • The gh CLI already supports pass as a credential helper
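
The detection order proposed in this issue, written out as an added shell sketch (not Copilot CLI code and not part of the original post). Assumptions: an initialised store (`.gpg-id` present) stands in for "a GPG key is available", the `secret-tool` attribute names are made up for illustration, and the plaintext branch refuses to write instead of falling back.

```shell
#!/bin/sh
# Added sketch of the proposed detection order; not Copilot CLI code.
ENTRY="copilot-cli/token"   # entry name used in the issue

# Print which backend would be chosen: libsecret, pass or plaintext.
detect_backend() {
    # 1. Desktop keyring: needs a D-Bus session bus and the secret-tool client.
    if [ -n "${DBUS_SESSION_BUS_ADDRESS:-}" ] && command -v secret-tool >/dev/null 2>&1; then
        echo libsecret; return 0
    fi
    # 2. pass: binary present and store initialised ("pass init" writes .gpg-id).
    #    Assumption: this proves a key id was configured, not that the
    #    secret key is usable for decryption on this host.
    _store="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
    if command -v pass >/dev/null 2>&1 && [ -s "$_store/.gpg-id" ]; then
        echo pass; return 0
    fi
    # 3. Last resort.
    echo plaintext
}

# Store the token read from stdin (never from argv, which is visible in ps).
store_token() {
    case "$(detect_backend)" in
        pass)      pass insert -m -f "$ENTRY" >/dev/null ;;
        # Attribute names "service"/"account" are hypothetical.
        libsecret) secret-tool store --label="Copilot CLI token" \
                       service copilot-cli account token ;;
        *)         echo "no encrypted store found; not writing plaintext" >&2
                   return 1 ;;
    esac
}

# Print the stored token, or fail if no encrypted backend is available.
load_token() {
    case "$(detect_backend)" in
        pass)      pass show "$ENTRY" | head -n 1 ;;
        libsecret) secret-tool lookup service copilot-cli account token ;;
        *)         return 1 ;;
    esac
}

echo "selected backend: $(detect_backend)"
```
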
