feat(account): add Azure & GitHub OAuth sign-in and cross-fork PRs

.gitignore

@@ -62,3 +62,5 @@ research/
 .release-notes-v1.5.0.md
 website/.vitepress/.temp
 .claude/worktrees/
+
+.gitwandrc

CHANGELOG.md

@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- **Cross-fork pull requests** — when the repo's `origin` is a fork, the PR create view shows a target-repository selector (upstream parent vs your fork), defaulting to upstream. Works on both the REST (token) path — head is qualified as `fork-owner:branch` — and the `gh` path (`--repo`). New `gh_fork_info` command detects the relationship.
+- **Fork PRs in the list** — on the REST (token) path, the PR list for a fork now also includes the PRs you opened on the upstream repo (head repo == your fork), merged and sorted with origin's own PRs. PR detail/diff/checks/merge transparently resolve to the upstream repo for those entries.
+- **Sign in with GitHub (no `gh` CLI required)** — Settings → Accounts now offers a "Sign in with GitHub" button using the OAuth device flow. The resulting token is stored in the OS keychain; once present, the GitHub PR workflow (list, count, detail, diff, checks, files, create, merge, checkout, mark-ready) routes through the GitHub REST API instead of shelling out to `gh`. The `gh` CLI still works as before when no Settings token is configured — the ambient `GH_TOKEN`/`GITHUB_TOKEN` env path is unchanged.
+- **Azure DevOps support (new forge)** — Settings → Accounts now offers "Sign in with Azure" using the Entra ID OAuth device flow (same UX as GitHub), with automatic access-token refresh via the stored refresh token. The tokens are stored in the OS keychain (`gitwand:azure/oauth` + `oauth-refresh`). Azure DevOps remotes (`dev.azure.com`, `*.visualstudio.com`) are auto-detected and routed to a new `AzureProvider` backed by the Azure DevOps REST API (api-version 7.1): PR list/count/detail/diff/files/create/merge/checkout, draft→ready, comments (threads), CI checks (branch-policy evaluations) and reviewer-vote reviews — so the merge-readiness chip reflects real build + approval state. Diff, file lists and change stats are produced from local git (Azure has no unified-patch endpoint). Comment edit/delete, line-anchored comment creation, reviewer pickers and submitting reviews are not wired yet and degrade gracefully.
+
+### Notes
+
+- Ships with GitWand's registered GitHub OAuth App `client_id` (`Ov23licwiCpPiRPRodWN`, public — device flow enabled) baked into `github_api.rs`. Override at runtime or build time via `GITWAND_GH_CLIENT_ID` if needed.
+- Azure DevOps sign-in ships with a **temporary** default Entra ID client id — the well-known Azure CLI public client (`04b07795-8ddb-461a-bbee-02f9e1bf7b46`, device flow enabled) — so it works without registering an app. Stop-gap only: the consent screen reads "Microsoft Azure CLI" and Microsoft may restrict reuse. Override with a dedicated GitWand Entra app via `GITWAND_AZURE_CLIENT_ID` (runtime or build time) before shipping.
+
 ## [2.17.0] - 2026-06-04
 
 v2.17 rounds out the agent-CLI lineup with **opencode** as a first-class AI provider, and gives every CLI agent its own model picker — a second select under the provider dropdown, scoped per provider so switching back restores the previous choice.

apps/desktop/dev-server.mjs

@@ -152,6 +152,12 @@ function gitSpawn(args, cwd) {
   });
 }
 
+// ── Mock state: GitHub OAuth device flow (dev:web only) ──────────────────────
+// The real flow lives in Rust (`github_api.rs`). In the browser mock we fake it
+// so the Settings > Accounts UI can be exercised without Tauri. It does NOT log
+// you in — it just returns a static code then "succeeds" after a couple polls.
+let _mockGithubPolls = 0;
+
 /**
  * Get a GitHub OAuth token — tries in order:
  *  1. GH_TOKEN / GITHUB_TOKEN env vars
@@ -2179,6 +2185,39 @@ async function handleRequest(req, res) {
 
     // ─── GitHub REST API endpoints (no gh binary needed) ──────
 
+    // POST /api/github-device-start — MOCK device flow (dev:web only).
+    // Returns a static user code + verification URL. The frontend opens the URL
+    // and starts polling; see /api/github-device-poll below.
+    if (url.pathname === "/api/github-device-start" && req.method === "POST") {
+      _mockGithubPolls = 0;
+      // NOTE: verification_uri intentionally does NOT point at the real
+      // github.com/login/device — this is a fake flow and a real code is never
+      // issued. Sending the user to GitHub with a bogus code only confuses.
+      return jsonResponse(req, res, {
+        device_code: "mock-device-code",
+        user_code: "DEV-MOCK",
+        verification_uri: "about:blank#gitwand-dev-mock",
+        verification_uri_complete: "",
+        expires_in: 900,
+        interval: 1,
+      });
+    }
+
+    // POST /api/github-device-poll — MOCK: "pending" twice, then "success".
+    // No real token is stored; this only unblocks UI iteration in dev:web.
+    if (url.pathname === "/api/github-device-poll" && req.method === "POST") {
+      _mockGithubPolls += 1;
+      if (_mockGithubPolls < 3) {
+        return jsonResponse(req, res, { status: "pending", login: "", error: "" });
+      }
+      return jsonResponse(req, res, { status: "success", login: "dev-user", error: "" });
+    }
+
+    // POST /api/github-token-present — MOCK: never "logged in" in dev:web.
+    if (url.pathname === "/api/github-token-present" && req.method === "POST") {
+      return jsonResponse(req, res, false);
+    }
+
     // GET /api/gh-current-user — returns the authenticated GitHub login
     if (url.pathname === "/api/gh-current-user" && req.method === "GET") {
       try {
@@ -2572,6 +2611,41 @@ async function handleRequest(req, res) {
       }
     }
 
+    // GET /api/gh-pr-issue-comments?cwd=<path>&number=<n>
+    // Issue-level (conversation) comments — not anchored to a diff line.
+    if (url.pathname === "/api/gh-pr-issue-comments" && req.method === "GET") {
+      const cwd = url.searchParams.get("cwd");
+      const number = url.searchParams.get("number");
+      if (!cwd || !number) return jsonResponse(req, res, { error: "Missing cwd or number" }, 400);
+      try {
+        const token = getGithubToken();
+        if (!token) return jsonResponse(req, res, { error: "No GitHub token" }, 401);
+        const nwo = getRepoNwo(resolve(cwd));
+        if (!nwo) return jsonResponse(req, res, { error: "Could not determine GitHub repo" }, 400);
+        const resp = await githubFetch(`/repos/${nwo}/issues/${number}/comments?per_page=100`, token);
+        if (!resp.ok) return jsonResponse(req, res, { error: `GitHub API ${resp.status}` }, 500);
+        const raw = await resp.json();
+        return jsonResponse(req, res, raw.map((c) => ({
+          id: c.id,
+          body: c.body,
+          author: c.user?.login ?? "",
+          created_at: c.created_at,
+          updated_at: c.updated_at,
+          path: "",
+          line: null,
+          original_line: null,
+          side: "RIGHT",
+          start_line: null,
+          start_side: null,
+          in_reply_to_id: null,
+          diff_hunk: "",
+          url: c.html_url ?? "",
+        })));
+      } catch (err) {
+        return jsonResponse(req, res, { error: err.stderr?.toString() || err.message }, 500);
+      }
+    }
+
     // POST /api/gh-pr-comment  — create or reply
     // Body: { cwd, number, body, path, line, side, start_line?, start_side?, in_reply_to_id? }
     if (url.pathname === "/api/gh-pr-comment" && req.method === "POST") {

apps/desktop/src-tauri/src/commands/ai.rs

@@ -124,7 +124,7 @@ fn resolve_codex_binary() -> Option<String> {
 /// stderr surfaces a clear "please log in" message that the calling
 /// command (`claude_cli_prompt`) propagates as an error.
 #[tauri::command]
-pub(crate) fn detect_claude_cli() -> Result<ClaudeCliInfo, String> {
+pub(crate) async fn detect_claude_cli() -> Result<ClaudeCliInfo, String> {
     let binary = match resolve_claude_binary() {
         Some(b) => b,
         None => {
@@ -165,7 +165,7 @@ pub(crate) fn detect_claude_cli() -> Result<ClaudeCliInfo, String> {
 /// The CLI already handles auth via the user's subscription — we just pipe
 /// text in and get text back.
 #[tauri::command]
-pub(crate) fn claude_cli_prompt(
+pub(crate) async fn claude_cli_prompt(
     prompt: String,
     system_prompt: Option<String>,
     cwd: Option<String>,
@@ -244,7 +244,7 @@ pub(crate) fn claude_cli_prompt(
 /// for a prompt they never asked for. Auth verifies implicitly on the
 /// first real prompt via `codex_cli_prompt`.
 #[tauri::command]
-pub(crate) fn detect_codex_cli() -> Result<CodexCliInfo, String> {
+pub(crate) async fn detect_codex_cli() -> Result<CodexCliInfo, String> {
     let binary = match resolve_codex_binary() {
         Some(b) => b,
         None => {
@@ -277,7 +277,7 @@ pub(crate) fn detect_codex_cli() -> Result<CodexCliInfo, String> {
 }
 
 #[tauri::command]
-pub(crate) fn codex_cli_prompt(
+pub(crate) async fn codex_cli_prompt(
     prompt: String,
     system_prompt: Option<String>,
     cwd: Option<String>,
@@ -381,7 +381,7 @@ fn resolve_opencode_binary() -> Option<String> {
 /// Claude / Codex detectors: no prompt is sent to verify auth — that is
 /// confirmed implicitly on the first real `opencode_cli_prompt`.
 #[tauri::command]
-pub(crate) fn detect_opencode_cli() -> Result<OpencodeCliInfo, String> {
+pub(crate) async fn detect_opencode_cli() -> Result<OpencodeCliInfo, String> {
     let binary = match resolve_opencode_binary() {
         Some(b) => b,
         None => {
@@ -414,7 +414,7 @@ pub(crate) fn detect_opencode_cli() -> Result<OpencodeCliInfo, String> {
 }
 
 #[tauri::command]
-pub(crate) fn opencode_cli_prompt(
+pub(crate) async fn opencode_cli_prompt(
     prompt: String,
     system_prompt: Option<String>,
     cwd: Option<String>,
@@ -471,7 +471,7 @@ pub(crate) fn opencode_cli_prompt(
 /// when the binary is missing or the command fails, so the UI can fall back
 /// to free-text entry gracefully.
 #[tauri::command]
-pub(crate) fn opencode_list_models() -> Result<Vec<String>, String> {
+pub(crate) async fn opencode_list_models() -> Result<Vec<String>, String> {
     let binary = match resolve_opencode_binary() {
         Some(b) => b,
         None => return Ok(Vec::new()),
@@ -501,7 +501,7 @@ pub(crate) fn opencode_list_models() -> Result<Vec<String>, String> {
 /// embed a PTY because this is a one-shot setup flow: the user validates
 /// in their browser and comes back to GitWand.
 #[tauri::command]
-pub(crate) fn claude_cli_login() -> Result<(), String> {
+pub(crate) async fn claude_cli_login() -> Result<(), String> {
     let binary = resolve_claude_binary()
         .ok_or_else(|| "Binaire `claude` introuvable. Installez-le d'abord.".to_string())?;