feat: add GitHub Copilot CLI support

Dockerfile.copilot

@@ -0,0 +1,33 @@
+# --- Build stage ---
+FROM rust:1-bookworm AS builder
+WORKDIR /build
+COPY Cargo.toml Cargo.lock ./
+RUN mkdir src && echo 'fn main() {}' > src/main.rs && cargo build --release && rm -rf src
+COPY src/ src/
+RUN touch src/main.rs && cargo build --release
+
+# --- Runtime stage ---
+FROM node:22-bookworm-slim
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl && rm -rf /var/lib/apt/lists/*
+
+# Install GitHub Copilot CLI via npm (pinned version)
+RUN npm install -g @github/copilot@1 --retry 3
+
+# Install gh CLI (for auth and token management)
+RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+      -o /usr/share/keyrings/githubcli-archive-keyring.gpg && \
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
+      > /etc/apt/sources.list.d/github-cli.list && \
+    apt-get update && apt-get install -y --no-install-recommends gh && \
+    rm -rf /var/lib/apt/lists/*
+
+ENV HOME=/home/node
+WORKDIR /home/node
+
+COPY --from=builder --chown=node:node /build/target/release/openab /usr/local/bin/openab
+
+USER node
+HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
+  CMD pgrep -x openab || exit 1
+ENTRYPOINT ["openab"]
+CMD ["/etc/openab/config.toml"]

README.md

@@ -1,6 +1,6 @@
 # OpenAB — Open Agent Broker
 
-A lightweight, secure, cloud-native ACP harness that bridges Discord and any [Agent Client Protocol](https://github.com/anthropics/agent-protocol)-compatible coding CLI (Kiro CLI, Claude Code, Codex, Gemini, etc.) over stdio JSON-RPC — delivering the next-generation development experience.
+A lightweight, secure, cloud-native ACP harness that bridges Discord and any [Agent Client Protocol](https://github.com/anthropics/agent-protocol)-compatible coding CLI (Kiro CLI, Claude Code, Codex, Gemini, Copilot CLI, etc.) over stdio JSON-RPC — delivering the next-generation development experience.
 
 🪼 **Join our community!** Come say hi on Discord — we'd love to have you: **[🪼 OpenAB — Official](https://discord.gg/YNksK9M6)** 🎉
 
@@ -17,7 +17,7 @@ A lightweight, secure, cloud-native ACP harness that bridges Discord and any [Ag
 
 ## Features
 
-- **Pluggable agent backend** — swap between Kiro CLI, Claude Code, Codex, Gemini via config
+- **Pluggable agent backend** — swap between Kiro CLI, Claude Code, Codex, Gemini, Copilot CLI via config
 - **@mention trigger** — mention the bot in an allowed channel to start a conversation
 - **Thread-based multi-turn** — auto-creates threads; no @mention needed for follow-ups
 - **Edit-streaming** — live-updates the Discord message every 1.5s as tokens arrive
@@ -68,6 +68,7 @@ The bot creates a thread. After that, just type in the thread — no @mention ne
 | Claude Code | `claude-agent-acp` | [@agentclientprotocol/claude-agent-acp](https://github.com/agentclientprotocol/claude-agent-acp) | [docs/claude-code.md](docs/claude-code.md) |
 | Codex | `codex-acp` | [@zed-industries/codex-acp](https://github.com/zed-industries/codex-acp) | [docs/codex.md](docs/codex.md) |
 | Gemini | `gemini --acp` | Native | [docs/gemini.md](docs/gemini.md) |
+| Copilot CLI ⚠️ | `copilot --acp --stdio` | Native | [docs/copilot.md](docs/copilot.md) |
 
 > 🔧 Running multiple agents? See [docs/multi-agent.md](docs/multi-agent.md)
 

config.toml.example

@@ -26,6 +26,12 @@ working_dir = "/home/agent"
 # working_dir = "/home/agent"
 # env = { GEMINI_API_KEY = "${GEMINI_API_KEY}" }
 
+# [agent]
+# command = "copilot"
+# args = ["--acp", "--stdio"]
+# working_dir = "/home/agent"
+# env = {}  # Auth via: kubectl exec -it <pod> -- gh auth login -p https -w
+
 [pool]
 max_sessions = 10
 session_ttl_hours = 24

docs/copilot.md

@@ -0,0 +1,94 @@
+# GitHub Copilot CLI — Agent Backend Guide
+
+How to run OpenAB with [GitHub Copilot CLI](https://github.com/github/copilot-cli) as the agent backend.
+
+## Prerequisites
+
+- A paid [GitHub Copilot](https://github.com/features/copilot/plans) subscription (**Pro, Pro+, Business, or Enterprise** — Free tier does not include CLI/ACP access)
+- Copilot CLI ACP support is in [public preview](https://github.blog/changelog/2026-01-28-acp-support-in-copilot-cli-is-now-in-public-preview/) since Jan 28, 2026
+
+## Architecture
+
+```
+┌──────────────┐  Gateway WS   ┌──────────────┐  ACP stdio    ┌──────────────────────┐
+│   Discord    │◄─────────────►│ openab       │──────────────►│ copilot --acp --stdio │
+│   User       │               │   (Rust)     │◄── JSON-RPC ──│ (Copilot CLI)         │
+└──────────────┘               └──────────────┘               └──────────────────────┘
+```
+
+OpenAB spawns `copilot --acp --stdio` as a child process and communicates via stdio JSON-RPC. No intermediate layers.
+
+## Configuration
+
+```toml
+[agent]
+command = "copilot"
+args = ["--acp", "--stdio"]
+working_dir = "/home/agent"
+# Auth via: kubectl exec -it <pod> -- gh auth login -p https -w
+```
+
+## Docker
+
+Build with the Copilot-specific Dockerfile:
+
+```bash
+docker build -f Dockerfile.copilot -t openab-copilot .
+```
+
+## Authentication
+
+Copilot CLI uses GitHub OAuth (same as `gh` CLI). In a headless container, use device flow:
+
+```bash
+# 1. Exec into the running pod/container
+kubectl exec -it deployment/openab-copilot -- bash
+
+# 2. Authenticate via device flow
+gh auth login --hostname github.com --git-protocol https -p https -w
+
+# 3. Follow the device code flow in your browser
+
+# 4. Verify
+gh auth status
+
+# 5. Restart the pod (token is persisted via PVC)
+kubectl rollout restart deployment/openab-copilot
+```
+
+The OAuth token is stored under `~/.config/gh/` and persisted across pod restarts via PVC.
+
+> **Note**: See [docs/gh-auth-device-flow.md](gh-auth-device-flow.md) for details on device flow in headless environments.
+
+## Helm Install
+
+> **Note**: The `ghcr.io/openabdev/openab-copilot` image is not published yet. You must build it locally first with `docker build -f Dockerfile.copilot -t openab-copilot .` and push to your own registry, or use a local image.
+
+```bash
+helm install openab openab/openab \
+  --set agents.kiro.enabled=false \
+  --set agents.copilot.discord.botToken="$DISCORD_BOT_TOKEN" \
+  --set-string 'agents.copilot.discord.allowedChannels[0]=YOUR_CHANNEL_ID' \
+  --set agents.copilot.image=ghcr.io/openabdev/openab-copilot:latest \
+  --set agents.copilot.command=copilot \
+  --set 'agents.copilot.args={--acp,--stdio}' \
+  --set agents.copilot.persistence.enabled=true \
+  --set agents.copilot.workingDir=/home/node
+```
+
+## Model Selection
+
+Copilot CLI defaults to Claude Sonnet 4.6. Other available models include:
+
+- Claude Opus 4.6, Claude Haiku 4.5 (Anthropic)
+- GPT-5.3-Codex (OpenAI)
+- Gemini 3 Pro (Google)
+
+Model selection is controlled by Copilot CLI itself (via `/model` in interactive mode). In ACP mode, the default model is used.
+
+## Known Limitations
+
+- ⚠️ ACP support is in **public preview** — behavior may change
+- ⚠️ Headless auth with `GITHUB_TOKEN` env var has not been fully validated; device flow via `gh auth login` is the recommended path
+- Copilot CLI requires an active Copilot subscription per user/org
+- For Copilot Business/Enterprise, an admin must enable Copilot CLI from the Policies page