@prover-coder-ai/docker-git 1.0.26 → 1.0.28

package/dist/src/docker-git/main.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { NodeContext, NodeRuntime } from "@effect/platform-node";
-import { Either, Effect, pipe, Data, Match, Option, Schedule, Duration, Fiber as Fiber$1 } from "effect";
+import { Either, Effect, pipe, Data, Schedule, Duration, Match, Option, Fiber as Fiber$1 } from "effect";
 import * as FileSystem from "@effect/platform/FileSystem";
 import * as Path from "@effect/platform/Path";
 import * as Command from "@effect/platform/Command";
@@ -467,6 +467,50 @@ const ensureDockerDaemonAccess = (cwd) => Effect.scoped(
     );
   })
 );
+const publishedHostPortPattern = /:(\d+)->/g;
+const parsePublishedHostPortsFromLine = (line) => {
+  const parsed = [];
+  for (const match of line.matchAll(publishedHostPortPattern)) {
+    const rawPort = match[1];
+    if (rawPort === void 0) {
+      continue;
+    }
+    const value = Number.parseInt(rawPort, 10);
+    if (Number.isInteger(value) && value > 0 && value <= 65535) {
+      parsed.push(value);
+    }
+  }
+  return parsed;
+};
+const parseDockerPublishedHostPorts = (output) => {
+  const unique = /* @__PURE__ */ new Set();
+  const parsed = [];
+  for (const line of output.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (trimmed.length === 0) {
+      continue;
+    }
+    for (const port of parsePublishedHostPortsFromLine(trimmed)) {
+      if (!unique.has(port)) {
+        unique.add(port);
+        parsed.push(port);
+      }
+    }
+  }
+  return parsed;
+};
+const runDockerPsPublishedHostPorts = (cwd) => pipe(
+  runCommandCapture(
+    {
+      cwd,
+      command: "docker",
+      args: ["ps", "--format", "{{.Ports}}"]
+    },
+    [Number(ExitCode(0))],
+    (exitCode) => new CommandFailedError({ command: "docker ps", exitCode })
+  ),
+  Effect.map((output) => parseDockerPublishedHostPorts(output))
+);
 const composeSpec = (cwd, args) => ({
   cwd,
   command: "docker",
@@ -495,14 +539,32 @@ const runComposeCapture = (cwd, args, okExitCodes) => runCommandCapture(
   okExitCodes,
   (exitCode) => new DockerCommandError({ exitCode })
 );
-const runDockerComposeUp = (cwd) => runCompose(cwd, ["up", "-d", "--build"], [Number(ExitCode(0))]);
+const dockerComposeUpRetrySchedule = Schedule.addDelay(
+  Schedule.recurs(2),
+  () => Duration.seconds(2)
+);
+const retryDockerComposeUp = (cwd, effect) => effect.pipe(
+  Effect.tapError(
+    () => Effect.logWarning(
+      `docker compose up failed in ${cwd}; retrying (possible transient Docker Hub/DNS issue)...`
+    )
+  ),
+  Effect.retry(dockerComposeUpRetrySchedule)
+);
+const runDockerComposeUp = (cwd) => retryDockerComposeUp(
+  cwd,
+  runCompose(cwd, ["up", "-d", "--build"], [Number(ExitCode(0))])
+);
 const dockerComposeUpRecreateArgs = [
   "up",
   "-d",
   "--build",
   "--force-recreate"
 ];
-const runDockerComposeUpRecreate = (cwd) => runCompose(cwd, dockerComposeUpRecreateArgs, [Number(ExitCode(0))]);
+const runDockerComposeUpRecreate = (cwd) => retryDockerComposeUp(
+  cwd,
+  runCompose(cwd, dockerComposeUpRecreateArgs, [Number(ExitCode(0))])
+);
 const runDockerComposeDown = (cwd) => runCompose(cwd, ["down"], [Number(ExitCode(0))]);
 const runDockerComposeDownVolumes = (cwd) => runCompose(cwd, ["down", "-v"], [Number(ExitCode(0))]);
 const runDockerComposePs = (cwd) => runCompose(cwd, ["ps"], [Number(ExitCode(0))]);
@@ -596,6 +658,15 @@ const runDockerNetworkCreateBridge = (cwd, networkName) => runCommandWithExitCod
   [Number(ExitCode(0))],
   (exitCode) => new DockerCommandError({ exitCode })
 );
+const runDockerNetworkCreateBridgeWithSubnet = (cwd, networkName, subnet) => runCommandWithExitCodes(
+  {
+    cwd,
+    command: "docker",
+    args: ["network", "create", "--driver", "bridge", "--subnet", subnet, networkName]
+  },
+  [Number(ExitCode(0))],
+  (exitCode) => new DockerCommandError({ exitCode })
+);
 const runDockerNetworkContainerCount = (cwd, networkName) => runCommandCapture(
   {
     cwd,
@@ -633,50 +704,6 @@ const runDockerPsNames = (cwd) => pipe(
     (output) => output.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0)
   )
 );
-const publishedHostPortPattern = /:(\d+)->/g;
-const parsePublishedHostPortsFromLine = (line) => {
-  const parsed = [];
-  for (const match of line.matchAll(publishedHostPortPattern)) {
-    const rawPort = match[1];
-    if (rawPort === void 0) {
-      continue;
-    }
-    const value = Number.parseInt(rawPort, 10);
-    if (Number.isInteger(value) && value > 0 && value <= 65535) {
-      parsed.push(value);
-    }
-  }
-  return parsed;
-};
-const parseDockerPublishedHostPorts = (output) => {
-  const unique = /* @__PURE__ */ new Set();
-  const parsed = [];
-  for (const line of output.split(/\r?\n/)) {
-    const trimmed = line.trim();
-    if (trimmed.length === 0) {
-      continue;
-    }
-    for (const port of parsePublishedHostPortsFromLine(trimmed)) {
-      if (!unique.has(port)) {
-        unique.add(port);
-        parsed.push(port);
-      }
-    }
-  }
-  return parsed;
-};
-const runDockerPsPublishedHostPorts = (cwd) => pipe(
-  runCommandCapture(
-    {
-      cwd,
-      command: "docker",
-      args: ["ps", "--format", "{{.Ports}}"]
-    },
-    [Number(ExitCode(0))],
-    (exitCode) => new CommandFailedError({ command: "docker ps", exitCode })
-  ),
-  Effect.map((output) => parseDockerPublishedHostPorts(output))
-);
 const deriveDockerDnsName = (repoUrl) => {
   const parts = deriveRepoPathParts(repoUrl).pathParts;
   return ["docker", ...parts].join(".");
@@ -756,7 +783,8 @@ const renderPrimaryError = (error) => Match.value(error).pipe(
     `docker compose failed with exit code ${exitCode}`,
     "Hint: ensure Docker daemon is running and current user can access /var/run/docker.sock (for example via the docker group).",
     "Hint: if output above contains 'port is already allocated', retry with a free SSH port via --ssh-port <port> (for example --ssh-port 2235), or stop the conflicting project/container.",
-    "Hint: if output above contains 'all predefined address pools have been fully subnetted', run `docker network prune -f`, configure Docker `default-address-pools`, or use shared network mode (`--network-mode shared`)."
+    "Hint: if output above contains 'all predefined address pools have been fully subnetted', run `docker network prune -f`, configure Docker `default-address-pools`, or use shared network mode (`--network-mode shared`).",
+    "Hint: if output above contains 'lookup auth.docker.io' or 'read udp ... [::1]:53 ... connection refused', fix Docker DNS resolver (set working DNS in host/daemon config) and retry."
   ].join("\n")),
   Match.when({ _tag: "DockerAccessError" }, ({ details, issue }) => [
     renderDockerAccessHeadline(issue),
@@ -818,6 +846,19 @@ const renderError = (error) => {
   }
   return renderNonParseError(error);
 };
+const resolveDefaultDockerUser = () => {
+  const getUid = Reflect.get(process, "getuid");
+  const getGid = Reflect.get(process, "getgid");
+  if (typeof getUid !== "function" || typeof getGid !== "function") {
+    return null;
+  }
+  const uid = getUid.call(process);
+  const gid = getGid.call(process);
+  if (typeof uid !== "number" || typeof gid !== "number") {
+    return null;
+  }
+  return `${uid}:${gid}`;
+};
 const appendEnvArgs = (base, env) => {
   if (typeof env === "string") {
     const trimmed = env.trim();
@@ -836,6 +877,10 @@ const appendEnvArgs = (base, env) => {
 };
 const buildDockerArgs = (spec) => {
   const base = ["run", "--rm"];
+  const dockerUser = (spec.user ?? "").trim() || resolveDefaultDockerUser();
+  if (dockerUser !== null) {
+    base.push("--user", dockerUser);
+  }
   if (spec.interactive) {
     base.push("-it");
   }
@@ -1746,6 +1791,15 @@ const ensureStateGitignore = (fs, path, root) => Effect.gen(function* (_) {
   yield* _(fs.writeFileString(gitignorePath, appendManagedBlocks(prev, missing)));
 });
 const dockerGitPromptScript = `docker_git_branch() { git rev-parse --abbrev-ref HEAD 2>/dev/null; }
+docker_git_terminal_sanitize() {
+  # Recover interactive TTY settings after abrupt exits from fullscreen/raw-mode tools.
+  if [ -t 0 ]; then
+    stty sane 2>/dev/null || true
+  fi
+  if [ -t 1 ]; then
+    printf "\\033[0m\\033[?25h\\033[?1l\\033>\\033[?1000l\\033[?1002l\\033[?1003l\\033[?1005l\\033[?1006l\\033[?1015l\\033[?1007l\\033[?1004l\\033[?2004l\\033[>4;0m\\033[>4m\\033[<u"
+  fi
+}
 docker_git_short_pwd() {
   local full_path
   full_path="\${PWD:-}"
@@ -1798,6 +1852,7 @@ docker_git_short_pwd() {
   printf "%s" "$result"
 }
 docker_git_prompt_apply() {
+  docker_git_terminal_sanitize
   local b
   b="$(docker_git_branch)"
   local short_pwd
@@ -1867,6 +1922,15 @@ zstyle ':completion:*' tag-order builtins commands aliases reserved-words functi
 
 autoload -Uz add-zsh-hook
 docker_git_branch() { git rev-parse --abbrev-ref HEAD 2>/dev/null; }
+docker_git_terminal_sanitize() {
+  # Recover interactive TTY settings after abrupt exits from fullscreen/raw-mode tools.
+  if [[ -t 0 ]]; then
+    stty sane 2>/dev/null || true
+  fi
+  if [[ -t 1 ]]; then
+    printf "\\033[0m\\033[?25h\\033[?1l\\033>\\033[?1000l\\033[?1002l\\033[?1003l\\033[?1005l\\033[?1006l\\033[?1015l\\033[?1007l\\033[?1004l\\033[?2004l\\033[>4;0m\\033[>4m\\033[<u"
+  fi
+}
 docker_git_short_pwd() {
   local full_path="\${PWD:-}"
   if [[ -z "$full_path" ]]; then
@@ -1924,6 +1988,7 @@ docker_git_short_pwd() {
   print -r -- "$result"
 }
 docker_git_prompt_apply() {
+  docker_git_terminal_sanitize
   local b
   b="$(docker_git_branch)"
   local short_pwd
@@ -2179,7 +2244,7 @@ chmod 0644 "$DOCKER_GIT_SSHD_CONF" || true`;
 const renderEntrypointSshd = () => `# 5) Run sshd in foreground
 exec /usr/sbin/sshd -D`;
 const claudeAuthRootContainerPath = (sshUser) => `/home/${sshUser}/.docker-git/.orch/auth/claude`;
-const renderClaudeAuthConfig = (config) => String.raw`# Claude Code: expose CLAUDE_CONFIG_DIR for SSH sessions (OAuth cache lives under ~/.docker-git/.orch/auth/claude)
+const claudeAuthConfigTemplate = String.raw`# Claude Code: expose CLAUDE_CONFIG_DIR for SSH sessions (OAuth cache lives under ~/.docker-git/.orch/auth/claude)
 CLAUDE_LABEL_RAW="$CLAUDE_AUTH_LABEL"
 if [[ -z "$CLAUDE_LABEL_RAW" ]]; then
   CLAUDE_LABEL_RAW="default"
@@ -2192,39 +2257,268 @@ if [[ -z "$CLAUDE_LABEL_NORM" ]]; then
   CLAUDE_LABEL_NORM="default"
 fi
 
-CLAUDE_AUTH_ROOT="${claudeAuthRootContainerPath(config.sshUser)}"
+CLAUDE_AUTH_ROOT="__CLAUDE_AUTH_ROOT__"
 CLAUDE_CONFIG_DIR="$CLAUDE_AUTH_ROOT/$CLAUDE_LABEL_NORM"
+
+# Backward compatibility: if default auth is stored directly under claude root, reuse it.
+if [[ "$CLAUDE_LABEL_NORM" == "default" ]]; then
+  CLAUDE_ROOT_TOKEN_FILE="$CLAUDE_AUTH_ROOT/.oauth-token"
+  CLAUDE_ROOT_CONFIG_FILE="$CLAUDE_AUTH_ROOT/.config.json"
+  if [[ -f "$CLAUDE_ROOT_TOKEN_FILE" ]] || [[ -f "$CLAUDE_ROOT_CONFIG_FILE" ]]; then
+    CLAUDE_CONFIG_DIR="$CLAUDE_AUTH_ROOT"
+  fi
+fi
+
 export CLAUDE_CONFIG_DIR
 
 mkdir -p "$CLAUDE_CONFIG_DIR" || true
+CLAUDE_HOME_DIR="__CLAUDE_HOME_DIR__"
+CLAUDE_HOME_JSON="__CLAUDE_HOME_JSON__"
+mkdir -p "$CLAUDE_HOME_DIR" || true
+
+docker_git_link_claude_file() {
+  local source_path="$1"
+  local link_path="$2"
+
+  # Preserve user-created regular files and seed config dir once.
+  if [[ -e "$link_path" && ! -L "$link_path" ]]; then
+    if [[ -f "$link_path" && ! -e "$source_path" ]]; then
+      cp "$link_path" "$source_path" || true
+      chmod 0600 "$source_path" || true
+    fi
+    return 0
+  fi
+
+  ln -sfn "$source_path" "$link_path" || true
+}
+
+docker_git_link_claude_home_file() {
+  local relative_path="$1"
+  local source_path="$CLAUDE_CONFIG_DIR/$relative_path"
+  local link_path="$CLAUDE_HOME_DIR/$relative_path"
+  docker_git_link_claude_file "$source_path" "$link_path"
+}
+
+docker_git_link_claude_home_file ".oauth-token"
+docker_git_link_claude_home_file ".config.json"
+docker_git_link_claude_home_file ".claude.json"
+docker_git_link_claude_home_file ".credentials.json"
+docker_git_link_claude_file "$CLAUDE_CONFIG_DIR/.claude.json" "$CLAUDE_HOME_JSON"
 
 CLAUDE_TOKEN_FILE="$CLAUDE_CONFIG_DIR/.oauth-token"
+CLAUDE_CREDENTIALS_FILE="$CLAUDE_CONFIG_DIR/.credentials.json"
 docker_git_refresh_claude_oauth_token() {
   local token=""
+  if [[ -s "$CLAUDE_CREDENTIALS_FILE" ]]; then
+    unset CLAUDE_CODE_OAUTH_TOKEN || true
+    return 0
+  fi
   if [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
     token="$(tr -d '\r\n' < "$CLAUDE_TOKEN_FILE")"
   fi
-  export CLAUDE_CODE_OAUTH_TOKEN="$token"
+  if [[ -n "$token" ]]; then
+    export CLAUDE_CODE_OAUTH_TOKEN="$token"
+  else
+    unset CLAUDE_CODE_OAUTH_TOKEN || true
+  fi
 }
 
 docker_git_refresh_claude_oauth_token`;
-const renderClaudeWrapperSetup = () => String.raw`CLAUDE_REAL_BIN="/usr/local/bin/.docker-git-claude-real"
-CLAUDE_WRAPPER_BIN="/usr/local/bin/claude"
+const renderClaudeAuthConfig = (config) => claudeAuthConfigTemplate.replaceAll("__CLAUDE_AUTH_ROOT__", claudeAuthRootContainerPath(config.sshUser)).replaceAll("__CLAUDE_HOME_DIR__", `/home/${config.sshUser}/.claude`).replaceAll("__CLAUDE_HOME_JSON__", `/home/${config.sshUser}/.claude.json`);
+const renderClaudeCliInstall = () => String.raw`# Claude Code: ensure CLI command exists (non-blocking startup self-heal)
+docker_git_ensure_claude_cli() {
+  if command -v claude >/dev/null 2>&1; then
+    return 0
+  fi
+
+  if ! command -v npm >/dev/null 2>&1; then
+    return 0
+  fi
+
+  NPM_ROOT="$(npm root -g 2>/dev/null || true)"
+  CLAUDE_CLI_JS="$NPM_ROOT/@anthropic-ai/claude-code/cli.js"
+  if [[ -z "$NPM_ROOT" || ! -f "$CLAUDE_CLI_JS" ]]; then
+    echo "docker-git: claude cli.js not found under npm global root; skip shim restore" >&2
+    return 0
+  fi
+
+  # Rebuild a minimal shim when npm package exists but binary link is missing.
+  cat <<'EOF' > /usr/local/bin/claude
+#!/usr/bin/env bash
+set -euo pipefail
+
+if ! command -v npm >/dev/null 2>&1; then
+  echo "claude: npm is required but missing" >&2
+  exit 127
+fi
+
+NPM_ROOT="$(npm root -g 2>/dev/null || true)"
+CLAUDE_CLI_JS="$NPM_ROOT/@anthropic-ai/claude-code/cli.js"
+if [[ -z "$NPM_ROOT" || ! -f "$CLAUDE_CLI_JS" ]]; then
+  echo "claude: cli.js not found under npm global root" >&2
+  exit 127
+fi
+
+exec node "$CLAUDE_CLI_JS" "$@"
+EOF
+  chmod 0755 /usr/local/bin/claude || true
+  ln -sf /usr/local/bin/claude /usr/bin/claude || true
+}
+
+docker_git_ensure_claude_cli`;
+const renderClaudeMcpPlaywrightConfig = () => String.raw`# Claude Code: keep Playwright MCP config in sync with container settings
+CLAUDE_SETTINGS_FILE="${"$"}{CLAUDE_HOME_JSON:-$CLAUDE_CONFIG_DIR/.claude.json}"
+docker_git_sync_claude_playwright_mcp() {
+  CLAUDE_SETTINGS_FILE="$CLAUDE_SETTINGS_FILE" MCP_PLAYWRIGHT_ENABLE="$MCP_PLAYWRIGHT_ENABLE" node - <<'NODE'
+const fs = require("node:fs")
+const path = require("node:path")
+
+const settingsPath = process.env.CLAUDE_SETTINGS_FILE
+if (typeof settingsPath !== "string" || settingsPath.length === 0) {
+  process.exit(0)
+}
+
+const enablePlaywright = process.env.MCP_PLAYWRIGHT_ENABLE === "1"
+const isRecord = (value) => typeof value === "object" && value !== null && !Array.isArray(value)
+
+let settings = {}
+try {
+  const raw = fs.readFileSync(settingsPath, "utf8")
+  const parsed = JSON.parse(raw)
+  settings = isRecord(parsed) ? parsed : {}
+} catch {
+  settings = {}
+}
+
+const currentServers = isRecord(settings.mcpServers) ? settings.mcpServers : {}
+const nextServers = { ...currentServers }
+if (enablePlaywright) {
+  nextServers.playwright = {
+    type: "stdio",
+    command: "docker-git-playwright-mcp",
+    args: [],
+    env: {}
+  }
+} else {
+  delete nextServers.playwright
+}
+
+const nextSettings = { ...settings }
+if (Object.keys(nextServers).length > 0) {
+  nextSettings.mcpServers = nextServers
+} else {
+  delete nextSettings.mcpServers
+}
+
+if (JSON.stringify(settings) === JSON.stringify(nextSettings)) {
+  process.exit(0)
+}
+
+fs.mkdirSync(path.dirname(settingsPath), { recursive: true })
+fs.writeFileSync(settingsPath, JSON.stringify(nextSettings, null, 2) + "\n", { mode: 0o600 })
+NODE
+}
+
+docker_git_sync_claude_playwright_mcp
+chown 1000:1000 "$CLAUDE_SETTINGS_FILE" 2>/dev/null || true`;
+const entrypointClaudeGlobalPromptTemplate = String.raw`# Claude Code: managed global memory (CLAUDE.md is auto-loaded by Claude Code)
+CLAUDE_GLOBAL_PROMPT_FILE="/home/__SSH_USER__/.claude/CLAUDE.md"
+CLAUDE_AUTO_SYSTEM_PROMPT="${"$"}{CLAUDE_AUTO_SYSTEM_PROMPT:-1}"
+CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: repository"
+REPO_REF_VALUE="${"$"}{REPO_REF:-__REPO_REF_DEFAULT__}"
+REPO_URL_VALUE="${"$"}{REPO_URL:-__REPO_URL_DEFAULT__}"
+
+if [[ "$REPO_REF_VALUE" == issue-* ]]; then
+  ISSUE_ID_VALUE="$(printf "%s" "$REPO_REF_VALUE" | sed -E 's#^issue-##')"
+  ISSUE_URL_VALUE=""
+  if [[ "$REPO_URL_VALUE" == https://github.com/* ]]; then
+    ISSUE_REPO_VALUE="$(printf "%s" "$REPO_URL_VALUE" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$ISSUE_REPO_VALUE" ]]; then
+      ISSUE_URL_VALUE="https://github.com/$ISSUE_REPO_VALUE/issues/$ISSUE_ID_VALUE"
+    fi
+  fi
+  if [[ -n "$ISSUE_URL_VALUE" ]]; then
+    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID_VALUE ($ISSUE_URL_VALUE)"
+  else
+    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID_VALUE"
+  fi
+elif [[ "$REPO_REF_VALUE" == refs/pull/*/head ]]; then
+  PR_ID_VALUE="$(printf "%s" "$REPO_REF_VALUE" | sed -nE 's#^refs/pull/([0-9]+)/head$#\1#p')"
+  PR_URL_VALUE=""
+  if [[ "$REPO_URL_VALUE" == https://github.com/* && -n "$PR_ID_VALUE" ]]; then
+    PR_REPO_VALUE="$(printf "%s" "$REPO_URL_VALUE" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$PR_REPO_VALUE" ]]; then
+      PR_URL_VALUE="https://github.com/$PR_REPO_VALUE/pull/$PR_ID_VALUE"
+    fi
+  fi
+  if [[ -n "$PR_ID_VALUE" && -n "$PR_URL_VALUE" ]]; then
+    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID_VALUE ($PR_URL_VALUE)"
+  elif [[ -n "$PR_ID_VALUE" ]]; then
+    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID_VALUE"
+  else
+    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: pull request ($REPO_REF_VALUE)"
+  fi
+fi
+
+if [[ "$CLAUDE_AUTO_SYSTEM_PROMPT" == "1" ]]; then
+  mkdir -p "$(dirname "$CLAUDE_GLOBAL_PROMPT_FILE")"
+  chown 1000:1000 "$(dirname "$CLAUDE_GLOBAL_PROMPT_FILE")" 2>/dev/null || true
+  if [[ ! -f "$CLAUDE_GLOBAL_PROMPT_FILE" ]] || grep -q "^<!-- docker-git-managed:claude-md -->$" "$CLAUDE_GLOBAL_PROMPT_FILE"; then
+    cat <<EOF > "$CLAUDE_GLOBAL_PROMPT_FILE"
+<!-- docker-git-managed:claude-md -->
+Ты автономный агент, который имеет полностью все права управления контейнером. У тебя есть доступ к командам sudo, gh, codex, opencode, oh-my-opencode, claude, git, node, pnpm и всем остальным другим. Проекты с которыми идёт работа лежат по пути ~
+Рабочая папка проекта (git clone): __TARGET_DIR__
+Доступные workspace пути: __TARGET_DIR__
+$CLAUDE_WORKSPACE_CONTEXT
+Фокус задачи: работай только в workspace, который запрашивает пользователь. Текущий workspace: __TARGET_DIR__
+Доступ к интернету: есть. Если чего-то не знаешь — ищи в интернете или по кодовой базе.
+Если ты видишь файлы AGENTS.md или CLAUDE.md внутри проекта, ты обязан их читать и соблюдать инструкции.
+<!-- /docker-git-managed:claude-md -->
+EOF
+    chmod 0644 "$CLAUDE_GLOBAL_PROMPT_FILE" || true
+    chown 1000:1000 "$CLAUDE_GLOBAL_PROMPT_FILE" || true
+  fi
+fi
+
+export CLAUDE_AUTO_SYSTEM_PROMPT`;
+const escapeForDoubleQuotes$1 = (value) => {
+  const backslash = String.fromCodePoint(92);
+  const quote = String.fromCodePoint(34);
+  const escapedBackslash = `${backslash}${backslash}`;
+  const escapedQuote = `${backslash}${quote}`;
+  return value.replaceAll(backslash, escapedBackslash).replaceAll(quote, escapedQuote);
+};
+const renderClaudeGlobalPromptSetup = (config) => entrypointClaudeGlobalPromptTemplate.replaceAll("__TARGET_DIR__", config.targetDir).replaceAll("__SSH_USER__", config.sshUser).replaceAll("__REPO_REF_DEFAULT__", escapeForDoubleQuotes$1(config.repoRef)).replaceAll("__REPO_URL_DEFAULT__", escapeForDoubleQuotes$1(config.repoUrl));
+const renderClaudeWrapperSetup = () => String.raw`CLAUDE_WRAPPER_BIN="/usr/local/bin/claude"
 if command -v claude >/dev/null 2>&1; then
   CURRENT_CLAUDE_BIN="$(command -v claude)"
-  if [[ "$CURRENT_CLAUDE_BIN" != "$CLAUDE_REAL_BIN" && ! -f "$CLAUDE_REAL_BIN" ]]; then
+  CLAUDE_REAL_DIR="$(dirname "$CURRENT_CLAUDE_BIN")"
+  CLAUDE_REAL_BIN="$CLAUDE_REAL_DIR/.docker-git-claude-real"
+
+  # If a wrapper already exists but points to a missing real binary, recover from /usr/bin.
+  if [[ "$CURRENT_CLAUDE_BIN" == "$CLAUDE_WRAPPER_BIN" && ! -e "$CLAUDE_REAL_BIN" && -x "/usr/bin/claude" ]]; then
+    CURRENT_CLAUDE_BIN="/usr/bin/claude"
+    CLAUDE_REAL_DIR="/usr/bin"
+    CLAUDE_REAL_BIN="$CLAUDE_REAL_DIR/.docker-git-claude-real"
+  fi
+
+  # Keep the "real" binary in the same directory as the original command to preserve relative symlinks.
+  if [[ "$CURRENT_CLAUDE_BIN" != "$CLAUDE_REAL_BIN" && ! -e "$CLAUDE_REAL_BIN" ]]; then
     mv "$CURRENT_CLAUDE_BIN" "$CLAUDE_REAL_BIN"
   fi
-  if [[ -f "$CLAUDE_REAL_BIN" ]]; then
+  if [[ -e "$CLAUDE_REAL_BIN" ]]; then
     cat <<'EOF' > "$CLAUDE_WRAPPER_BIN"
 #!/usr/bin/env bash
 set -euo pipefail
 
-CLAUDE_REAL_BIN="/usr/local/bin/.docker-git-claude-real"
+CLAUDE_REAL_BIN="__CLAUDE_REAL_BIN__"
 CLAUDE_CONFIG_DIR="${"$"}{CLAUDE_CONFIG_DIR:-$HOME/.claude}"
 CLAUDE_TOKEN_FILE="$CLAUDE_CONFIG_DIR/.oauth-token"
+CLAUDE_CREDENTIALS_FILE="$CLAUDE_CONFIG_DIR/.credentials.json"
 
-if [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
+if [[ -s "$CLAUDE_CREDENTIALS_FILE" ]]; then
+  unset CLAUDE_CODE_OAUTH_TOKEN || true
+elif [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
   CLAUDE_CODE_OAUTH_TOKEN="$(tr -d '\r\n' < "$CLAUDE_TOKEN_FILE")"
   export CLAUDE_CODE_OAUTH_TOKEN
 else
@@ -2233,15 +2527,20 @@ fi
 
 exec "$CLAUDE_REAL_BIN" "$@"
 EOF
+    sed -i "s#__CLAUDE_REAL_BIN__#$CLAUDE_REAL_BIN#g" "$CLAUDE_WRAPPER_BIN" || true
     chmod 0755 "$CLAUDE_WRAPPER_BIN" || true
   fi
 fi`;
 const renderClaudeProfileSetup = () => String.raw`CLAUDE_PROFILE="/etc/profile.d/claude-config.sh"
 printf "export CLAUDE_AUTH_LABEL=%q\n" "$CLAUDE_AUTH_LABEL" > "$CLAUDE_PROFILE"
 printf "export CLAUDE_CONFIG_DIR=%q\n" "$CLAUDE_CONFIG_DIR" >> "$CLAUDE_PROFILE"
+printf "export CLAUDE_AUTO_SYSTEM_PROMPT=%q\n" "$CLAUDE_AUTO_SYSTEM_PROMPT" >> "$CLAUDE_PROFILE"
 cat <<'EOF' >> "$CLAUDE_PROFILE"
 CLAUDE_TOKEN_FILE="${"$"}{CLAUDE_CONFIG_DIR:-$HOME/.claude}/.oauth-token"
-if [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
+CLAUDE_CREDENTIALS_FILE="${"$"}{CLAUDE_CONFIG_DIR:-$HOME/.claude}/.credentials.json"
+if [[ -s "$CLAUDE_CREDENTIALS_FILE" ]]; then
+  unset CLAUDE_CODE_OAUTH_TOKEN || true
+elif [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
   export CLAUDE_CODE_OAUTH_TOKEN="$(tr -d '\r\n' < "$CLAUDE_TOKEN_FILE")"
 else
   unset CLAUDE_CODE_OAUTH_TOKEN || true
@@ -2251,9 +2550,13 @@ chmod 0644 "$CLAUDE_PROFILE" || true
 
 docker_git_upsert_ssh_env "CLAUDE_AUTH_LABEL" "$CLAUDE_AUTH_LABEL"
 docker_git_upsert_ssh_env "CLAUDE_CONFIG_DIR" "$CLAUDE_CONFIG_DIR"
-docker_git_upsert_ssh_env "CLAUDE_CODE_OAUTH_TOKEN" "$CLAUDE_CODE_OAUTH_TOKEN"`;
+docker_git_upsert_ssh_env "CLAUDE_CODE_OAUTH_TOKEN" "${"$"}{CLAUDE_CODE_OAUTH_TOKEN:-}"
+docker_git_upsert_ssh_env "CLAUDE_AUTO_SYSTEM_PROMPT" "$CLAUDE_AUTO_SYSTEM_PROMPT"`;
 const renderEntrypointClaudeConfig = (config) => [
   renderClaudeAuthConfig(config),
+  renderClaudeCliInstall(),
+  renderClaudeMcpPlaywrightConfig(),
+  renderClaudeGlobalPromptSetup(config),
   renderClaudeWrapperSetup(),
   renderClaudeProfileSetup()
 ].join("\n\n");
@@ -3210,22 +3513,15 @@ const renderCloneBodyRef = (config) => `  if [[ -n "$REPO_REF" ]]; then
       fi
     else
       if ! su - ${config.sshUser} -c "GIT_TERMINAL_PROMPT=0 git clone --progress $CLONE_CACHE_ARGS --branch '$REPO_REF' '$AUTH_REPO_URL' '$TARGET_DIR'"; then
-        DEFAULT_REF="$(git ls-remote --symref "$AUTH_REPO_URL" HEAD 2>/dev/null | awk '/^ref:/ {print $2}' | head -n 1 || true)"
-        DEFAULT_BRANCH="$(printf "%s" "$DEFAULT_REF" | sed 's#^refs/heads/##')"
-        if [[ -n "$DEFAULT_BRANCH" ]]; then
-          echo "[clone] branch '$REPO_REF' missing; retrying with '$DEFAULT_BRANCH'"
-          if ! su - ${config.sshUser} -c "GIT_TERMINAL_PROMPT=0 git clone --progress $CLONE_CACHE_ARGS --branch '$DEFAULT_BRANCH' '$AUTH_REPO_URL' '$TARGET_DIR'"; then
-            echo "[clone] git clone failed for $REPO_URL"
-            CLONE_OK=0
-          elif [[ "$REPO_REF" == issue-* ]]; then
-            if ! su - ${config.sshUser} -c "cd '$TARGET_DIR' && git checkout -B '$REPO_REF'"; then
-              echo "[clone] failed to create local branch '$REPO_REF'"
-              CLONE_OK=0
-            fi
-          fi
-        else
+        echo "[clone] branch '$REPO_REF' missing; retrying without --branch"
+        if ! su - ${config.sshUser} -c "GIT_TERMINAL_PROMPT=0 git clone --progress $CLONE_CACHE_ARGS '$AUTH_REPO_URL' '$TARGET_DIR'"; then
           echo "[clone] git clone failed for $REPO_URL"
           CLONE_OK=0
+        elif [[ "$REPO_REF" == issue-* ]]; then
+          if ! su - ${config.sshUser} -c "cd '$TARGET_DIR' && git checkout -B '$REPO_REF'"; then
+            echo "[clone] failed to create local branch '$REPO_REF'"
+            CLONE_OK=0
+          fi
         fi
       fi
     fi
@@ -3333,6 +3629,7 @@ const buildPlaywrightFragments = (config, networkName) => {
       context: .
       dockerfile: ${browserDockerfile}
     container_name: ${browserContainerName}
+    restart: unless-stopped
     environment:
       VNC_NOPW: "1"
     shm_size: "2gb"
@@ -3375,6 +3672,7 @@ const renderComposeServices = (config, fragments) => `services:
   ${config.serviceName}:
     build: .
     container_name: ${config.containerName}
+    restart: unless-stopped
     environment:
       REPO_URL: "${config.repoUrl}"
       REPO_REF: "${config.repoRef}"
@@ -3428,14 +3726,15 @@ const renderDockerfileNode = () => `# Tooling: Node 24 (NodeSource) + nvm
 RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash -   && apt-get install -y --no-install-recommends nodejs   && node -v   && npm -v   && corepack --version   && rm -rf /var/lib/apt/lists/*
 RUN mkdir -p /usr/local/nvm   && curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash
 RUN printf "export NVM_DIR=/usr/local/nvm\\n[ -s /usr/local/nvm/nvm.sh ] && . /usr/local/nvm/nvm.sh\\n"   > /etc/profile.d/nvm.sh && chmod 0644 /etc/profile.d/nvm.sh`;
-const renderDockerfileBunPrelude = (config) => `# Tooling: pnpm + Codex CLI + oh-my-opencode (bun) + Claude Code CLI (npm)
+const renderDockerfileBunPrelude = (config) => `# Tooling: pnpm + Codex CLI (bun) + oh-my-opencode (npm + platform binary) + Claude Code CLI (npm)
 RUN corepack enable && corepack prepare pnpm@${config.pnpmVersion} --activate
 ENV TERM=xterm-256color
-RUN set -eu;   for attempt in 1 2 3 4 5; do     if curl -fsSL --retry 5 --retry-all-errors --retry-delay 2 https://bun.sh/install -o /tmp/bun-install.sh       && BUN_INSTALL=/usr/local/bun bash /tmp/bun-install.sh; then       rm -f /tmp/bun-install.sh;       exit 0;     fi;     echo "bun install attempt \${attempt} failed; retrying..." >&2;     rm -f /tmp/bun-install.sh;     sleep $((attempt * 2));   done;   echo "bun install failed after retries" >&2;   exit 1
+RUN set -eu;   for attempt in 1 2 3 4 5; do     if curl -fsSL --retry 5 --retry-all-errors --retry-delay 2 https://bun.sh/install -o /tmp/bun-install.sh       && BUN_INSTALL=/usr/local/bun bash /tmp/bun-install.sh; then       rm -f /tmp/bun-install.sh;       exit 0;     fi;     echo "bun install attempt \${attempt} failed; retrying..." >&2;       rm -f /tmp/bun-install.sh;     sleep $((attempt * 2));   done;   echo "bun install failed after retries" >&2;   exit 1
 RUN ln -sf /usr/local/bun/bin/bun /usr/local/bin/bun
-RUN BUN_INSTALL=/usr/local/bun script -q -e -c "bun add -g @openai/codex@latest oh-my-opencode@latest" /dev/null
+RUN BUN_INSTALL=/usr/local/bun script -q -e -c "bun add -g @openai/codex@latest" /dev/null
 RUN ln -sf /usr/local/bun/bin/codex /usr/local/bin/codex
-RUN ln -sf /usr/local/bun/bin/oh-my-opencode /usr/local/bin/oh-my-opencode
+RUN set -eu;   ARCH="$(uname -m)";   case "$ARCH" in     x86_64|amd64) OH_MY_OPENCODE_ARCH="x64" ;;     aarch64|arm64) OH_MY_OPENCODE_ARCH="arm64" ;;     *) echo "Unsupported arch for oh-my-opencode: $ARCH" >&2; exit 1 ;;   esac;   npm install -g oh-my-opencode@latest "oh-my-opencode-linux-\${OH_MY_OPENCODE_ARCH}@latest"
+RUN oh-my-opencode --version
 RUN npm install -g @anthropic-ai/claude-code@latest
 RUN claude --version`;
 const renderDockerfileOpenCode = () => `# Tooling: OpenCode (binary)
@@ -4011,25 +4310,68 @@ const stateCommit = (message) => Effect.gen(function* (_) {
   }
   yield* _(git(root, ["commit", "-m", message], gitBaseEnv$1));
 }).pipe(Effect.asVoid);
-const cursorVisibleEscape = "\x1B[?25h";
+const terminalSaneEscape = "\x1B[0m\x1B[?25h\x1B[?1l\x1B>\x1B[?1000l\x1B[?1002l\x1B[?1003l\x1B[?1005l\x1B[?1006l\x1B[?1015l\x1B[?1007l\x1B[?1004l\x1B[?2004l\x1B[>4;0m\x1B[>4m\x1B[<u";
 const hasInteractiveTty = () => process.stdin.isTTY && process.stdout.isTTY;
 const ensureTerminalCursorVisible = () => Effect.sync(() => {
   if (!hasInteractiveTty()) {
     return;
   }
-  process.stdout.write(cursorVisibleEscape);
+  if (typeof process.stdin.setRawMode === "function") {
+    process.stdin.setRawMode(false);
+  }
+  process.stdout.write(terminalSaneEscape);
 });
 const protectedNetworkNames = /* @__PURE__ */ new Set(["bridge", "host", "none"]);
 const isProtectedNetwork = (networkName, sharedNetworkName) => protectedNetworkNames.has(networkName) || networkName === sharedNetworkName;
+const sharedNetworkFallbackSubnetSeeds = [
+  [10, 250, 0],
+  [10, 251, 0],
+  [10, 252, 0],
+  [10, 253, 0],
+  [172, 31, 250],
+  [172, 31, 251],
+  [172, 31, 252],
+  [172, 31, 253],
+  [192, 168, 250],
+  [192, 168, 251]
+];
+const formatSubnet24 = ([a, b, c]) => `${[a, b, c, 0].join(".")}/24`;
+const sharedNetworkFallbackSubnets = sharedNetworkFallbackSubnetSeeds.map(
+  (seed) => formatSubnet24(seed)
+);
+const createSharedNetworkWithSubnetFallback = (cwd, networkName) => Effect.gen(function* (_) {
+  for (const subnet of sharedNetworkFallbackSubnets) {
+    const created = yield* _(
+      runDockerNetworkCreateBridgeWithSubnet(cwd, networkName, subnet).pipe(
+        Effect.as(true),
+        Effect.catchTag("DockerCommandError", (error) => Effect.logWarning(
+          `Shared network create fallback failed (${networkName}, subnet ${subnet}, exit ${error.exitCode}); trying next subnet.`
+        ).pipe(Effect.as(false)))
+      )
+    );
+    if (created) {
+      yield* _(Effect.log(`Created shared Docker network ${networkName} with subnet ${subnet}.`));
+      return true;
+    }
+  }
+  return false;
+});
+const ensureSharedNetworkExists = (cwd, networkName) => runDockerNetworkCreateBridge(cwd, networkName).pipe(
+  Effect.catchTag("DockerCommandError", (error) => createSharedNetworkWithSubnetFallback(cwd, networkName).pipe(
+    Effect.flatMap((created) => created ? Effect.void : Effect.fail(error))
+  ))
+);
 const ensureComposeNetworkReady = (cwd, template) => {
   if (template.dockerNetworkMode !== "shared") {
     return Effect.void;
   }
   const networkName = resolveComposeNetworkName(template);
   return runDockerNetworkExists(cwd, networkName).pipe(
-    Effect.flatMap((exists) => exists ? Effect.void : Effect.log(`Creating shared Docker network: ${networkName}`).pipe(
-      Effect.zipRight(runDockerNetworkCreateBridge(cwd, networkName))
-    ))
+    Effect.flatMap(
+      (exists) => exists ? Effect.void : Effect.log(`Creating shared Docker network: ${networkName}`).pipe(
+        Effect.zipRight(ensureSharedNetworkExists(cwd, networkName))
+      )
+    )
   );
 };
 const gcNetworkByName = (cwd, networkName, sharedNetworkName) => {
@@ -4255,7 +4597,23 @@ const copyDirIfEmpty = (fs, path, sourceDir, targetDir, label) => Effect.gen(fun
   yield* _(copyDirRecursive(fs, path, sourceDir, targetDir));
   yield* _(Effect.log(`Copied ${label} from ${sourceDir} to ${targetDir}`));
 });
+const JsonValueSchema = Schema.suspend(
+  () => Schema.Union(
+    Schema.Null,
+    Schema.Boolean,
+    Schema.String,
+    Schema.JsonNumber,
+    Schema.Array(JsonValueSchema),
+    Schema.Record({ key: Schema.String, value: JsonValueSchema })
+  )
+);
+const JsonRecordSchema = Schema.Record({
+  key: Schema.String,
+  value: JsonValueSchema
+});
+const JsonRecordFromStringSchema = Schema.parseJson(JsonRecordSchema);
 const defaultEnvContents = "# docker-git env\n# KEY=value\n";
+const codexConfigMarker = "# docker-git codex config";
 const defaultCodexConfig = [
   "# docker-git codex config",
   'model = "gpt-5.3-codex"',
@@ -4273,7 +4631,10 @@ const defaultCodexConfig = [
   "shell_tool = true"
 ].join("\n");
 const resolvePathFromBase$1 = (path, baseDir, targetPath) => path.isAbsolute(targetPath) ? targetPath : path.resolve(baseDir, targetPath);
-const codexConfigMarker = "# docker-git codex config";
+const isPermissionDeniedSystemError = (error) => error._tag === "SystemError" && error.reason === "PermissionDenied";
+const skipCodexConfigPermissionDenied = (configPath, error) => isPermissionDeniedSystemError(error) ? Effect.logWarning(
+  `Skipped Codex config sync at ${configPath}: permission denied (${error.description ?? "no details"}).`
+) : Effect.fail(error);
 const normalizeConfigText = (text) => text.replaceAll("\r\n", "\n").trim();
 const shouldRewriteDockerGitCodexConfig = (existing) => {
   const normalized = normalizeConfigText(existing);
@@ -4297,6 +4658,12 @@ const shouldCopyEnv = (sourceText, targetText) => {
   }
   return "skip";
 };
+const parseJsonRecord = (text) => Either.match(ParseResult.decodeUnknownEither(JsonRecordFromStringSchema)(text), {
+  onLeft: () => Effect.succeed(null),
+  onRight: (record) => Effect.succeed(record)
+});
+const hasClaudeOauthAccount = (record) => record !== null && typeof record["oauthAccount"] === "object" && record["oauthAccount"] !== null;
+const hasClaudeCredentials = (record) => record !== null && typeof record["claudeAiOauth"] === "object" && record["claudeAiOauth"] !== null;
 const isGithubTokenKey = (key) => key === "GITHUB_TOKEN" || key === "GH_TOKEN" || key.startsWith("GITHUB_TOKEN__");
 const syncGithubAuthKeys = (sourceText, targetText) => {
   const sourceTokenEntries = parseEnvEntries(sourceText).filter((entry) => isGithubTokenKey(entry.key));
@@ -4362,23 +4729,100 @@ const copyFileIfNeeded = (sourcePath, targetPath) => withFsPathContext(
     }
   })
 );
+const syncClaudeJsonFile = (fs, path, spec) => Effect.gen(function* (_) {
+  const sourceExists = yield* _(fs.exists(spec.sourcePath));
+  if (!sourceExists) {
+    return;
+  }
+  const sourceInfo = yield* _(fs.stat(spec.sourcePath));
+  if (sourceInfo.type !== "File") {
+    return;
+  }
+  const sourceText = yield* _(fs.readFileString(spec.sourcePath));
+  const sourceJson = yield* _(parseJsonRecord(sourceText));
+  if (!spec.hasRequiredData(sourceJson)) {
+    return;
+  }
+  const targetExists = yield* _(fs.exists(spec.targetPath));
+  if (!targetExists) {
+    yield* _(fs.makeDirectory(path.dirname(spec.targetPath), { recursive: true }));
+    yield* _(fs.copyFile(spec.sourcePath, spec.targetPath));
+    yield* _(spec.onWrite(spec.targetPath));
+    yield* _(Effect.log(`Seeded ${spec.seedLabel} from ${spec.sourcePath} to ${spec.targetPath}`));
+    return;
+  }
+  const targetInfo = yield* _(fs.stat(spec.targetPath));
+  if (targetInfo.type !== "File") {
+    return;
+  }
+  const targetText = yield* _(fs.readFileString(spec.targetPath), Effect.orElseSucceed(() => ""));
+  const targetJson = yield* _(parseJsonRecord(targetText));
+  if (!spec.hasRequiredData(targetJson)) {
+    yield* _(fs.writeFileString(spec.targetPath, sourceText));
+    yield* _(spec.onWrite(spec.targetPath));
+    yield* _(Effect.log(`Updated ${spec.updateLabel} from ${spec.sourcePath} to ${spec.targetPath}`));
+  }
+});
+const syncClaudeHomeJson = (fs, path, sourcePath, targetPath) => syncClaudeJsonFile(fs, path, {
+  sourcePath,
+  targetPath,
+  hasRequiredData: hasClaudeOauthAccount,
+  onWrite: () => Effect.void,
+  seedLabel: "Claude auth file",
+  updateLabel: "Claude auth file"
+});
+const syncClaudeCredentialsJson = (fs, path, sourcePath, targetPath) => syncClaudeJsonFile(fs, path, {
+  sourcePath,
+  targetPath,
+  hasRequiredData: hasClaudeCredentials,
+  onWrite: (pathToChmod) => fs.chmod(pathToChmod, 384).pipe(Effect.orElseSucceed(() => void 0)),
+  seedLabel: "Claude credentials",
+  updateLabel: "Claude credentials"
+});
+const ensureClaudeAuthSeedFromHome = (baseDir, claudeAuthPath) => withFsPathContext(
+  ({ fs, path }) => Effect.gen(function* (_) {
+    const homeDir = (process.env["HOME"] ?? "").trim();
+    if (homeDir.length === 0) {
+      return;
+    }
+    const sourceClaudeJson = path.join(homeDir, ".claude.json");
+    const sourceCredentials = path.join(homeDir, ".claude", ".credentials.json");
+    const claudeRoot = resolvePathFromBase$1(path, baseDir, claudeAuthPath);
+    const targetAccountDir = path.join(claudeRoot, "default");
+    const targetClaudeJson = path.join(targetAccountDir, ".claude.json");
+    const targetCredentials = path.join(targetAccountDir, ".credentials.json");
+    yield* _(fs.makeDirectory(targetAccountDir, { recursive: true }));
+    yield* _(syncClaudeHomeJson(fs, path, sourceClaudeJson, targetClaudeJson));
+    yield* _(syncClaudeCredentialsJson(fs, path, sourceCredentials, targetCredentials));
+  })
+);
 const ensureCodexConfigFile = (baseDir, codexAuthPath) => withFsPathContext(
   ({ fs, path }) => Effect.gen(function* (_) {
     const resolved = resolvePathFromBase$1(path, baseDir, codexAuthPath);
     const configPath = path.join(resolved, "config.toml");
-    const exists = yield* _(fs.exists(configPath));
-    if (exists) {
-      const current = yield* _(fs.readFileString(configPath));
-      if (!shouldRewriteDockerGitCodexConfig(current)) {
+    const writeConfig = Effect.gen(function* (__) {
+      const exists = yield* __(fs.exists(configPath));
+      if (exists) {
+        const current = yield* __(fs.readFileString(configPath));
+        if (!shouldRewriteDockerGitCodexConfig(current)) {
+          return;
+        }
+        yield* __(fs.writeFileString(configPath, defaultCodexConfig));
+        yield* __(Effect.log(`Updated Codex config at ${configPath}`));
         return;
       }
-      yield* _(fs.writeFileString(configPath, defaultCodexConfig));
-      yield* _(Effect.log(`Updated Codex config at ${configPath}`));
-      return;
-    }
-    yield* _(fs.makeDirectory(resolved, { recursive: true }));
-    yield* _(fs.writeFileString(configPath, defaultCodexConfig));
-    yield* _(Effect.log(`Created Codex config at ${configPath}`));
+      yield* __(fs.makeDirectory(resolved, { recursive: true }));
+      yield* __(fs.writeFileString(configPath, defaultCodexConfig));
+      yield* __(Effect.log(`Created Codex config at ${configPath}`));
+    });
+    yield* _(
+      writeConfig.pipe(
+        Effect.matchEffect({
+          onFailure: (error) => skipCodexConfigPermissionDenied(configPath, error),
+          onSuccess: () => Effect.void
+        })
+      )
+    );
   })
 );
 const syncAuthArtifacts = (spec) => withFsPathContext(
@@ -4415,7 +4859,7 @@ const syncAuthArtifacts = (spec) => withFsPathContext(
     }
   })
 );
-const migrateLegacyOrchLayout = (baseDir, envGlobalPath, envProjectPath, codexAuthPath, ghAuthPath) => withFsPathContext(
+const migrateLegacyOrchLayout = (baseDir, paths) => withFsPathContext(
   ({ fs, path }) => Effect.gen(function* (_) {
     const legacyRoot = path.resolve(baseDir, ".orch");
     const legacyExists = yield* _(fs.exists(legacyRoot));
@@ -4430,14 +4874,17 @@ const migrateLegacyOrchLayout = (baseDir, envGlobalPath, envProjectPath, codexAu
     const legacyEnvProject = path.join(legacyRoot, "env", "project.env");
     const legacyCodex = path.join(legacyRoot, "auth", "codex");
     const legacyGh = path.join(legacyRoot, "auth", "gh");
-    const resolvedEnvGlobal = resolvePathFromBase$1(path, baseDir, envGlobalPath);
-    const resolvedEnvProject = resolvePathFromBase$1(path, baseDir, envProjectPath);
-    const resolvedCodex = resolvePathFromBase$1(path, baseDir, codexAuthPath);
-    const resolvedGh = resolvePathFromBase$1(path, baseDir, ghAuthPath);
+    const legacyClaude = path.join(legacyRoot, "auth", "claude");
+    const resolvedEnvGlobal = resolvePathFromBase$1(path, baseDir, paths.envGlobalPath);
+    const resolvedEnvProject = resolvePathFromBase$1(path, baseDir, paths.envProjectPath);
+    const resolvedCodex = resolvePathFromBase$1(path, baseDir, paths.codexAuthPath);
+    const resolvedGh = resolvePathFromBase$1(path, baseDir, paths.ghAuthPath);
+    const resolvedClaude = resolvePathFromBase$1(path, baseDir, paths.claudeAuthPath);
     yield* _(copyFileIfNeeded(legacyEnvGlobal, resolvedEnvGlobal));
     yield* _(copyFileIfNeeded(legacyEnvProject, resolvedEnvProject));
     yield* _(copyDirIfEmpty(fs, path, legacyCodex, resolvedCodex, "Codex auth"));
     yield* _(copyDirIfEmpty(fs, path, legacyGh, resolvedGh, "GH auth"));
+    yield* _(copyDirIfEmpty(fs, path, legacyClaude, resolvedClaude, "Claude auth"));
   })
 );
 const normalizeMessage = (error) => error.message;
@@ -4525,6 +4972,80 @@ const selectAvailablePort = (preferred, attempts, reserved) => Effect.gen(functi
   );
 });
 const maxPortAttempts$1 = 25;
+const syncManagedProjectFiles = (projectDir, template) => Effect.gen(function* (_) {
+  yield* _(Effect.log(`Applying docker-git templates in ${projectDir} before docker compose up...`));
+  yield* _(writeProjectFiles(projectDir, template, true));
+  yield* _(ensureCodexConfigFile(projectDir, template.codexAuthPath));
+});
+const claudeCliSelfHealScript = String.raw`set -eu
+if command -v claude >/dev/null 2>&1; then
+  exit 0
+fi
+
+if ! command -v npm >/dev/null 2>&1; then
+  exit 1
+fi
+
+NPM_ROOT="$(npm root -g 2>/dev/null || true)"
+CLAUDE_JS="$NPM_ROOT/@anthropic-ai/claude-code/cli.js"
+if [ -z "$NPM_ROOT" ] || [ ! -f "$CLAUDE_JS" ]; then
+  echo "claude cli.js not found under npm global root" >&2
+  exit 1
+fi
+
+cat <<'EOF' > /usr/local/bin/claude
+#!/usr/bin/env bash
+set -euo pipefail
+
+NPM_ROOT="$(npm root -g 2>/dev/null || true)"
+CLAUDE_JS="$NPM_ROOT/@anthropic-ai/claude-code/cli.js"
+if [[ -z "$NPM_ROOT" || ! -f "$CLAUDE_JS" ]]; then
+  echo "claude: cli.js not found under npm global root" >&2
+  exit 127
+fi
+
+exec node "$CLAUDE_JS" "$@"
+EOF
+chmod 0755 /usr/local/bin/claude || true
+ln -sf /usr/local/bin/claude /usr/bin/claude || true
+
+command -v claude >/dev/null 2>&1`;
+const ensureClaudeCliReady = (projectDir, containerName) => pipe(
+  runDockerExecExitCode(projectDir, containerName, [
+    "bash",
+    "-lc",
+    "command -v claude >/dev/null 2>&1"
+  ]),
+  Effect.flatMap((probeExitCode) => {
+    if (probeExitCode === 0) {
+      return Effect.void;
+    }
+    return pipe(
+      Effect.logWarning(
+        `Claude CLI is missing in ${containerName}; running docker-git self-heal.`
+      ),
+      Effect.zipRight(
+        runDockerExecExitCode(projectDir, containerName, [
+          "bash",
+          "-lc",
+          claudeCliSelfHealScript
+        ])
+      ),
+      Effect.flatMap(
+        (healExitCode) => healExitCode === 0 ? Effect.log(`Claude CLI self-heal completed in ${containerName}.`) : Effect.logWarning(
+          `Claude CLI self-heal failed in ${containerName} (exit ${healExitCode}).`
+        )
+      ),
+      Effect.asVoid
+    );
+  }),
+  Effect.matchEffect({
+    onFailure: (error) => Effect.logWarning(
+      `Skipping Claude CLI self-heal check for ${containerName}: ${error instanceof Error ? error.message : String(error)}`
+    ),
+    onSuccess: () => Effect.void
+  })
+);
 const ensureAvailableSshPort = (projectDir, config) => Effect.gen(function* (_) {
   const reserved = yield* _(loadReservedPorts(projectDir));
   const reservedPorts = new Set(reserved.map((entry) => entry.port));
@@ -4550,10 +5071,10 @@ const runDockerComposeUpWithPortCheck = (projectDir) => Effect.gen(function* (_)
     )
   );
   const updated = alreadyRunning ? config.template : yield* _(ensureAvailableSshPort(projectDir, config));
-  yield* _(writeProjectFiles(projectDir, updated, true));
-  yield* _(ensureCodexConfigFile(projectDir, updated.codexAuthPath));
+  yield* _(syncManagedProjectFiles(projectDir, updated));
   yield* _(ensureComposeNetworkReady(projectDir, updated));
   yield* _(runDockerComposeUp(projectDir));
+  yield* _(ensureClaudeCliReady(projectDir, updated.containerName));
   const ensureBridgeAccess2 = (containerName) => runDockerInspectContainerBridgeIp(projectDir, containerName).pipe(
     Effect.flatMap(
       (bridgeIp) => bridgeIp.length > 0 ? Effect.void : runDockerNetworkConnectBridge(projectDir, containerName)
@@ -4656,7 +5177,8 @@ const connectProjectSsh = (item) => pipe(
       [0, 130],
       (exitCode) => new CommandFailedError({ command: "ssh", exitCode })
     )
-  )
+  ),
+  Effect.ensuring(ensureTerminalCursorVisible())
 );
 const connectProjectSshWithUp = (item) => pipe(
   Effect.log(`Starting docker compose for ${item.displayName} ...`),
@@ -4921,6 +5443,7 @@ const ensureEnvFile = (baseDir, envPath, defaultContents, overwrite = false) =>
   })
 );
 const prepareProjectFiles = (resolvedOutDir, baseDir, globalConfig, projectConfig, options) => Effect.gen(function* (_) {
+  const path = yield* _(Path.Path);
   const rewriteManagedFiles = options.force || options.forceEnv;
   const envOnlyRefresh = options.forceEnv && !options.force;
   const createdFiles = yield* _(
@@ -4937,6 +5460,8 @@ const prepareProjectFiles = (resolvedOutDir, baseDir, globalConfig, projectConfi
     )
   );
   yield* _(ensureCodexConfigFile(baseDir, globalConfig.codexAuthPath));
+  const globalClaudeAuthPath = path.join(path.dirname(globalConfig.codexAuthPath), "claude");
+  yield* _(ensureClaudeAuthSeedFromHome(baseDir, globalClaudeAuthPath));
   yield* _(
     syncAuthArtifacts({
       sourceBase: baseDir,
@@ -4956,13 +5481,13 @@ const prepareProjectFiles = (resolvedOutDir, baseDir, globalConfig, projectConfi
   yield* _(ensureCodexConfigFile(resolvedOutDir, projectConfig.codexAuthPath));
   return createdFiles;
 });
-const migrateProjectOrchLayout = (baseDir, globalConfig, resolveRootPath) => migrateLegacyOrchLayout(
-  baseDir,
-  globalConfig.envGlobalPath,
-  globalConfig.envProjectPath,
-  globalConfig.codexAuthPath,
-  resolveRootPath(".docker-git/.orch/auth/gh")
-);
+const migrateProjectOrchLayout = (baseDir, globalConfig, resolveRootPath) => migrateLegacyOrchLayout(baseDir, {
+  envGlobalPath: globalConfig.envGlobalPath,
+  envProjectPath: globalConfig.envProjectPath,
+  codexAuthPath: globalConfig.codexAuthPath,
+  ghAuthPath: resolveRootPath(".docker-git/.orch/auth/gh"),
+  claudeAuthPath: resolveRootPath(".docker-git/.orch/auth/claude")
+});
 const makeCreateContext = (path, baseDir) => {
   const projectsRoot = path.resolve(defaultProjectsRoot(baseDir));
   const resolveRootPath = (value) => resolveDockerGitRootRelativePath(path, projectsRoot, value);
@@ -5027,7 +5552,7 @@ const openSshBestEffort = (template) => Effect.gen(function* (_) {
       },
       [0, 130],
       (exitCode) => new CommandFailedError({ command: "ssh", exitCode })
-    )
+    ).pipe(Effect.ensuring(ensureTerminalCursorVisible()))
   );
 }).pipe(
   Effect.asVoid,
@@ -5152,6 +5677,7 @@ const applyProjectFiles = (projectDir, command) => Effect.gen(function* (_) {
   const resolvedTemplate = applyTemplateOverrides(config.template, command);
   yield* _(writeProjectFiles(projectDir, resolvedTemplate, true));
   yield* _(ensureCodexConfigFile(projectDir, resolvedTemplate.codexAuthPath));
+  yield* _(ensureClaudeAuthSeedFromHome(defaultProjectsRoot(projectDir), ".orch/auth/claude"));
   return resolvedTemplate;
 });
 const gitSuccessExitCode = 0;
@@ -5337,6 +5863,7 @@ const runApplyForProjectDir = (projectDir, command) => command.runUp ? applyProj
 const applyProjectWithUp = (projectDir, command) => Effect.gen(function* (_) {
   yield* _(Effect.log(`Applying docker-git config and refreshing container in ${projectDir}...`));
   yield* _(ensureDockerDaemonAccess(process.cwd()));
+  yield* _(ensureClaudeAuthSeedFromHome(defaultProjectsRoot(projectDir), ".orch/auth/claude"));
   if (hasApplyOverrides(command)) {
     yield* _(applyProjectFiles(projectDir, command));
   }
@@ -5354,6 +5881,7 @@ const applyProjectConfig = (command) => runApplyForProjectDir(command.projectDir
 );
 const oauthTokenEnvKey = "DOCKER_GIT_CLAUDE_OAUTH_TOKEN";
 const tokenMarker = "Your OAuth token (valid for 1 year):";
+const tokenFooterMarker = "Store this token securely.";
 const outputWindowSize = 262144;
 const oauthTokenRegex = /([A-Za-z0-9][A-Za-z0-9._-]{20,})/u;
 const ansiEscape = "\x1B";
@@ -5417,8 +5945,15 @@ const extractOauthToken = (rawOutput) => {
     return null;
   }
   const tail = normalized.slice(markerIndex + tokenMarker.length);
-  const match = oauthTokenRegex.exec(tail);
-  return match?.[1] ?? null;
+  const footerIndex = tail.indexOf(tokenFooterMarker);
+  const tokenSection = footerIndex === -1 ? tail : tail.slice(0, footerIndex);
+  const compactSection = tokenSection.replaceAll(/\s+/gu, "");
+  const compactMatch = oauthTokenRegex.exec(compactSection);
+  if (compactMatch?.[1] !== void 0) {
+    return compactMatch[1];
+  }
+  const directMatch = oauthTokenRegex.exec(tokenSection);
+  return directMatch?.[1] ?? null;
 };
 const oauthTokenFromEnv = () => {
   const value = (process.env[oauthTokenEnvKey] ?? "").trim();
@@ -5433,11 +5968,15 @@ const buildDockerSetupTokenSpec = (cwd, accountPath, image, containerPath) => ({
   image,
   hostPath: accountPath,
   containerPath,
-  env: [`CLAUDE_CONFIG_DIR=${containerPath}`],
+  env: [`CLAUDE_CONFIG_DIR=${containerPath}`, `HOME=${containerPath}`, "BROWSER=echo"],
   args: ["setup-token"]
 });
 const buildDockerSetupTokenArgs = (spec) => {
   const base = ["run", "--rm", "-i", "-t", "-v", `${spec.hostPath}:${spec.containerPath}`];
+  const dockerUser = resolveDefaultDockerUser();
+  if (dockerUser !== null) {
+    base.push("--user", dockerUser);
+  }
   for (const entry of spec.env) {
     const trimmed = entry.trim();
     if (trimmed.length === 0) {
@@ -5486,12 +6025,27 @@ const pumpDockerOutput = (source, fd, tokenBox) => {
     )
   ).pipe(Effect.asVoid);
 };
-const ensureExitOk = (exitCode) => exitCode === 0 ? Effect.void : Effect.fail(new CommandFailedError({ command: "claude setup-token", exitCode }));
 const resolveCapturedToken = (token) => token === null ? Effect.fail(
   new AuthError({
     message: "Claude OAuth completed without a captured token. Retry login and ensure the flow reaches 'Long-lived authentication token created successfully'."
   })
 ) : ensureOauthToken(token);
+const resolveLoginResult = (token, exitCode) => Effect.gen(function* (_) {
+  if (token !== null) {
+    if (exitCode !== 0) {
+      yield* _(
+        Effect.logWarning(
+          `claude setup-token returned exit=${exitCode}, but OAuth token was captured; continuing.`
+        )
+      );
+    }
+    return yield* _(ensureOauthToken(token));
+  }
+  if (exitCode !== 0) {
+    yield* _(Effect.fail(new CommandFailedError({ command: "claude setup-token", exitCode })));
+  }
+  return yield* _(resolveCapturedToken(token));
+});
 const runClaudeOauthLoginWithPrompt = (cwd, accountPath, options) => {
   const envToken = oauthTokenFromEnv();
   if (envToken !== null) {
@@ -5508,24 +6062,64 @@ const runClaudeOauthLoginWithPrompt = (cwd, accountPath, options) => {
       const exitCode = yield* _(proc.exitCode.pipe(Effect.map(Number)));
       yield* _(Fiber.join(stdoutFiber));
       yield* _(Fiber.join(stderrFiber));
-      yield* _(ensureExitOk(exitCode));
-      return yield* _(resolveCapturedToken(tokenBox.value));
+      return yield* _(resolveLoginResult(tokenBox.value, exitCode));
     })
   );
 };
 const claudeAuthRoot = ".docker-git/.orch/auth/claude";
 const claudeImageName = "docker-git-auth-claude:latest";
 const claudeImageDir = ".docker-git/.orch/auth/claude/.image";
-const claudeConfigDir = "/claude-config";
+const claudeContainerHomeDir = "/claude-home";
 const claudeOauthTokenFileName = ".oauth-token";
+const claudeConfigFileName = ".claude.json";
+const claudeCredentialsFileName = ".credentials.json";
+const claudeCredentialsDirName = ".claude";
 const claudeOauthTokenPath = (accountPath) => `${accountPath}/${claudeOauthTokenFileName}`;
-const ensureClaudeOrchLayout = (cwd) => migrateLegacyOrchLayout(
-  cwd,
-  defaultTemplateConfig.envGlobalPath,
-  defaultTemplateConfig.envProjectPath,
-  defaultTemplateConfig.codexAuthPath,
-  ".docker-git/.orch/auth/gh"
-);
+const claudeConfigPath = (accountPath) => `${accountPath}/${claudeConfigFileName}`;
+const claudeCredentialsPath = (accountPath) => `${accountPath}/${claudeCredentialsFileName}`;
+const claudeNestedCredentialsPath = (accountPath) => `${accountPath}/${claudeCredentialsDirName}/${claudeCredentialsFileName}`;
+const isRegularFile = (fs, filePath) => Effect.gen(function* (_) {
+  const exists = yield* _(fs.exists(filePath));
+  if (!exists) {
+    return false;
+  }
+  const info = yield* _(fs.stat(filePath));
+  return info.type === "File";
+});
+const syncClaudeCredentialsFile = (fs, accountPath) => Effect.gen(function* (_) {
+  const nestedPath = claudeNestedCredentialsPath(accountPath);
+  const rootPath = claudeCredentialsPath(accountPath);
+  const nestedExists = yield* _(isRegularFile(fs, nestedPath));
+  if (nestedExists) {
+    yield* _(fs.copyFile(nestedPath, rootPath));
+    yield* _(fs.chmod(rootPath, 384), Effect.orElseSucceed(() => void 0));
+    return;
+  }
+  const rootExists = yield* _(isRegularFile(fs, rootPath));
+  if (rootExists) {
+    const nestedDirPath = `${accountPath}/${claudeCredentialsDirName}`;
+    yield* _(fs.makeDirectory(nestedDirPath, { recursive: true }));
+    yield* _(fs.copyFile(rootPath, nestedPath));
+    yield* _(fs.chmod(nestedPath, 384), Effect.orElseSucceed(() => void 0));
+  }
+});
+const hasNonEmptyOauthToken$1 = (fs, accountPath) => Effect.gen(function* (_) {
+  const tokenPath = claudeOauthTokenPath(accountPath);
+  const hasToken = yield* _(isRegularFile(fs, tokenPath));
+  if (!hasToken) {
+    return false;
+  }
+  const tokenText = yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""));
+  return tokenText.trim().length > 0;
+});
+const buildClaudeAuthEnv = (interactive) => interactive ? [`HOME=${claudeContainerHomeDir}`, `CLAUDE_CONFIG_DIR=${claudeContainerHomeDir}`, "BROWSER=echo"] : [`HOME=${claudeContainerHomeDir}`, `CLAUDE_CONFIG_DIR=${claudeContainerHomeDir}`];
+const ensureClaudeOrchLayout = (cwd) => migrateLegacyOrchLayout(cwd, {
+  envGlobalPath: defaultTemplateConfig.envGlobalPath,
+  envProjectPath: defaultTemplateConfig.envProjectPath,
+  codexAuthPath: defaultTemplateConfig.codexAuthPath,
+  ghAuthPath: ".docker-git/.orch/auth/gh",
+  claudeAuthPath: ".docker-git/.orch/auth/claude"
+});
 const renderClaudeDockerfile = () => String.raw`FROM ubuntu:24.04
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update \
@@ -5566,8 +6160,8 @@ const runClaudeAuthCommand = (cwd, accountPath, args, commandLabel, interactive)
     cwd,
     image: claudeImageName,
     hostPath: accountPath,
-    containerPath: claudeConfigDir,
-    env: [`CLAUDE_CONFIG_DIR=${claudeConfigDir}`, "BROWSER=echo"],
+    containerPath: claudeContainerHomeDir,
+    env: buildClaudeAuthEnv(interactive),
     args,
     interactive
   }),
@@ -5575,65 +6169,75 @@ const runClaudeAuthCommand = (cwd, accountPath, args, commandLabel, interactive)
   (exitCode) => new CommandFailedError({ command: commandLabel, exitCode })
 );
 const runClaudeLogout = (cwd, accountPath) => runClaudeAuthCommand(cwd, accountPath, ["auth", "logout"], "claude auth logout", false);
-const runClaudeStatusJson = (cwd, accountPath) => runDockerAuthCapture(
+const runClaudePingProbeExitCode = (cwd, accountPath) => runDockerAuthExitCode(
   buildDockerAuthSpec({
     cwd,
     image: claudeImageName,
     hostPath: accountPath,
-    containerPath: claudeConfigDir,
-    env: `CLAUDE_CONFIG_DIR=${claudeConfigDir}`,
-    args: ["auth", "status", "--json"],
+    containerPath: claudeContainerHomeDir,
+    env: buildClaudeAuthEnv(false),
+    args: ["-p", "ping"],
     interactive: false
-  }),
-  [0],
-  (exitCode) => new CommandFailedError({ command: "claude auth status --json", exitCode })
+  })
 );
-const ClaudeAuthStatusSchema = Schema.Struct({
-  loggedIn: Schema.Boolean,
-  authMethod: Schema.optional(Schema.String),
-  apiProvider: Schema.optional(Schema.String)
-});
-const ClaudeAuthStatusJsonSchema = Schema.parseJson(ClaudeAuthStatusSchema);
-const decodeClaudeAuthStatus = (raw) => Either.match(ParseResult.decodeUnknownEither(ClaudeAuthStatusJsonSchema)(raw), {
-  onLeft: () => Effect.fail(new CommandFailedError({ command: "claude auth status --json", exitCode: 1 })),
-  onRight: (value) => Effect.succeed(value)
-});
 const authClaudeLogin = (command) => {
   const accountLabel = normalizeAccountLabel(command.label, "default");
-  return withClaudeAuth(command, ({ accountPath, cwd, fs }) => runClaudeOauthLoginWithPrompt(cwd, accountPath, {
-    image: claudeImageName,
-    containerPath: claudeConfigDir
-  }).pipe(
-    Effect.flatMap((token) => fs.writeFileString(claudeOauthTokenPath(accountPath), `${token}
-`))
-  )).pipe(
+  return withClaudeAuth(command, ({ accountPath, cwd, fs }) => Effect.gen(function* (_) {
+    const token = yield* _(
+      runClaudeOauthLoginWithPrompt(cwd, accountPath, {
+        image: claudeImageName,
+        containerPath: claudeContainerHomeDir
+      })
+    );
+    yield* _(fs.writeFileString(claudeOauthTokenPath(accountPath), `${token}
+`));
+    yield* _(fs.chmod(claudeOauthTokenPath(accountPath), 384), Effect.orElseSucceed(() => void 0));
+    yield* _(syncClaudeCredentialsFile(fs, accountPath));
+    const probeExitCode = yield* _(runClaudePingProbeExitCode(cwd, accountPath));
+    if (probeExitCode !== 0) {
+      yield* _(
+        Effect.fail(
+          new CommandFailedError({
+            command: "claude setup-token",
+            exitCode: probeExitCode
+          })
+        )
+      );
+    }
+  })).pipe(
     Effect.zipRight(autoSyncState(`chore(state): auth claude ${accountLabel}`))
   );
 };
 const authClaudeStatus = (command) => withClaudeAuth(command, ({ accountLabel, accountPath, cwd, fs }) => Effect.gen(function* (_) {
-  const tokenPath = claudeOauthTokenPath(accountPath);
-  const hasToken = yield* _(fs.exists(tokenPath));
-  if (hasToken) {
-    const tokenText = yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""));
-    if (tokenText.trim().length > 0) {
-      yield* _(Effect.log(`Claude connected (${accountLabel}, oauth-token).`));
-      return;
-    }
+  yield* _(syncClaudeCredentialsFile(fs, accountPath));
+  const hasOauthToken = yield* _(hasNonEmptyOauthToken$1(fs, accountPath));
+  const hasCredentials = yield* _(isRegularFile(fs, claudeCredentialsPath(accountPath)));
+  if (!hasOauthToken && !hasCredentials) {
+    yield* _(Effect.log(`Claude not connected (${accountLabel}).`));
+    return;
   }
-  const raw = yield* _(runClaudeStatusJson(cwd, accountPath));
-  const status = yield* _(decodeClaudeAuthStatus(raw));
-  yield* status.loggedIn ? _(Effect.log(`Claude connected (${accountLabel}).`)) : _(Effect.log(`Claude not connected (${accountLabel}).`));
+  const probeExitCode = yield* _(runClaudePingProbeExitCode(cwd, accountPath));
+  if (probeExitCode === 0) {
+    const method2 = hasCredentials ? "claude-ai-session" : "oauth-token";
+    yield* _(Effect.log(`Claude connected (${accountLabel}, ${method2}).`));
+    return;
+  }
+  const method = hasCredentials ? "claude-ai-session" : "oauth-token";
+  yield* _(
+    Effect.logWarning(
+      `Claude session exists but API probe failed (${accountLabel}, ${method}, exit=${probeExitCode}). Run 'docker-git auth claude login'.`
+    )
+  );
 }));
 const authClaudeLogout = (command) => Effect.gen(function* (_) {
   const accountLabel = normalizeAccountLabel(command.label, "default");
   yield* _(
     withClaudeAuth(command, ({ accountPath, cwd, fs }) => Effect.gen(function* (_2) {
-      const tokenPath = claudeOauthTokenPath(accountPath);
-      const hasToken = yield* _2(fs.exists(tokenPath));
-      if (hasToken) {
-        yield* _2(fs.remove(tokenPath, { force: true }));
-      }
       yield* _2(runClaudeLogout(cwd, accountPath));
+      yield* _2(fs.remove(claudeOauthTokenPath(accountPath), { force: true }));
+      yield* _2(fs.remove(claudeCredentialsPath(accountPath), { force: true }));
+      yield* _2(fs.remove(claudeNestedCredentialsPath(accountPath), { force: true }));
+      yield* _2(fs.remove(claudeConfigPath(accountPath), { force: true }));
     }))
   );
   yield* _(autoSyncState(`chore(state): auth claude logout ${accountLabel}`));
@@ -5641,13 +6245,13 @@ const authClaudeLogout = (command) => Effect.gen(function* (_) {
 const codexImageName = "docker-git-auth-codex:latest";
 const codexImageDir = ".docker-git/.orch/auth/codex/.image";
 const codexHome = "/root/.codex";
-const ensureCodexOrchLayout = (cwd, codexAuthPath) => migrateLegacyOrchLayout(
-  cwd,
-  defaultTemplateConfig.envGlobalPath,
-  defaultTemplateConfig.envProjectPath,
+const ensureCodexOrchLayout = (cwd, codexAuthPath) => migrateLegacyOrchLayout(cwd, {
+  envGlobalPath: defaultTemplateConfig.envGlobalPath,
+  envProjectPath: defaultTemplateConfig.envProjectPath,
   codexAuthPath,
-  ".docker-git/.orch/auth/gh"
-);
+  ghAuthPath: ".docker-git/.orch/auth/gh",
+  claudeAuthPath: ".docker-git/.orch/auth/claude"
+});
 const renderCodexDockerfile = () => String.raw`FROM ubuntu:24.04
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update \
@@ -5743,13 +6347,13 @@ const authCodexStatus = (command) => withCodexAuth(command, ({ accountPath, cwd
 const authCodexLogout = (command) => withCodexAuth(command, ({ accountPath, cwd }) => runCodexLogout(cwd, accountPath)).pipe(
   Effect.zipRight(autoSyncState(`chore(state): auth codex logout ${normalizeAccountLabel(command.label, "default")}`))
 );
-const ensureGithubOrchLayout = (cwd, envGlobalPath) => migrateLegacyOrchLayout(
-  cwd,
+const ensureGithubOrchLayout = (cwd, envGlobalPath) => migrateLegacyOrchLayout(cwd, {
   envGlobalPath,
-  defaultTemplateConfig.envProjectPath,
-  defaultTemplateConfig.codexAuthPath,
-  ghAuthRoot
-);
+  envProjectPath: defaultTemplateConfig.envProjectPath,
+  codexAuthPath: defaultTemplateConfig.codexAuthPath,
+  ghAuthPath: ghAuthRoot,
+  claudeAuthPath: ".docker-git/.orch/auth/claude"
+});
 const normalizeGithubLabel = (value) => {
   const trimmed = value?.trim() ?? "";
   if (trimmed.length === 0) {
@@ -7357,6 +7961,7 @@ Options:
 Container runtime env (set via .orch/env/project.env):
   CODEX_SHARE_AUTH=1|0                  Share Codex auth.json across projects (default: 1)
   CODEX_AUTO_UPDATE=1|0                 Auto-update Codex CLI on container start (default: 1)
+  CLAUDE_AUTO_SYSTEM_PROMPT=1|0         Auto-attach docker-git managed system prompt to claude (default: 1)
   DOCKER_GIT_ZSH_AUTOSUGGEST=1|0        Enable zsh-autosuggestions (default: 1)
   DOCKER_GIT_ZSH_AUTOSUGGEST_STYLE=...  zsh-autosuggestions highlight style (default: fg=8,italic)
   DOCKER_GIT_ZSH_AUTOSUGGEST_STRATEGY=...  Suggestion sources (default: history completion)
@@ -7645,9 +8250,9 @@ const wrapWrite = (baseWrite) => (chunk, encoding, cb) => {
   }
   return baseWrite(chunk, encoding, cb);
 };
-const disableMouseModes = () => {
+const disableTerminalInputModes = () => {
   process.stdout.write(
-    "\x1B[?1000l\x1B[?1002l\x1B[?1003l\x1B[?1005l\x1B[?1006l\x1B[?1015l\x1B[?1007l"
+    "\x1B[0m\x1B[?25h\x1B[?1l\x1B>\x1B[?1000l\x1B[?1002l\x1B[?1003l\x1B[?1005l\x1B[?1006l\x1B[?1015l\x1B[?1007l\x1B[?1004l\x1B[?2004l\x1B[>4;0m\x1B[>4m\x1B[<u"
   );
 };
 const ensureStdoutPatched = () => {
@@ -7725,7 +8330,7 @@ const suspendTui = () => {
   if (!process.stdout.isTTY) {
     return;
   }
-  disableMouseModes();
+  disableTerminalInputModes();
   if (process.stdin.isTTY && typeof process.stdin.setRawMode === "function") {
     process.stdin.setRawMode(false);
   }
@@ -7737,19 +8342,19 @@ const resumeTui = () => {
     return;
   }
   setStdoutMuted(false);
-  disableMouseModes();
+  disableTerminalInputModes();
   process.stdout.write("\x1B[?1049h\x1B[2J\x1B[H");
   if (process.stdin.isTTY && typeof process.stdin.setRawMode === "function") {
     process.stdin.setRawMode(true);
   }
-  disableMouseModes();
+  disableTerminalInputModes();
 };
 const leaveTui = () => {
   if (!process.stdout.isTTY) {
     return;
   }
   setStdoutMuted(false);
-  disableMouseModes();
+  disableTerminalInputModes();
   process.stdout.write("\x1B[?1049l");
   if (process.stdin.isTTY && typeof process.stdin.setRawMode === "function") {
     process.stdin.setRawMode(false);
@@ -8472,6 +9077,8 @@ const loadRuntimeByProject = (items) => pipe(
 const runtimeForSelection = (view, selected) => view.runtimeByProject[selected.projectDir] ?? stoppedRuntime$1();
 const oauthTokenFileName = ".oauth-token";
 const legacyConfigFileName = ".config.json";
+const credentialsFileName = ".credentials.json";
+const nestedCredentialsFileName = ".claude/.credentials.json";
 const hasFileAtPath = (fs, filePath) => Effect.gen(function* (_) {
   const exists = yield* _(fs.exists(filePath));
   if (!exists) {
@@ -8501,7 +9108,19 @@ const hasLegacyClaudeAuthFile = (fs, accountPath) => Effect.gen(function* (_) {
   }
   return false;
 });
-const hasClaudeAccountCredentials = (fs, accountPath) => hasFileAtPath(fs, `${accountPath}/${legacyConfigFileName}`).pipe(
+const hasClaudeAccountCredentials = (fs, accountPath) => hasFileAtPath(fs, `${accountPath}/${credentialsFileName}`).pipe(
+  Effect.flatMap((hasCredentialsFile) => {
+    if (hasCredentialsFile) {
+      return Effect.succeed(true);
+    }
+    return hasFileAtPath(fs, `${accountPath}/${nestedCredentialsFileName}`);
+  }),
+  Effect.flatMap((hasNestedCredentialsFile) => {
+    if (hasNestedCredentialsFile) {
+      return Effect.succeed(true);
+    }
+    return hasFileAtPath(fs, `${accountPath}/${legacyConfigFileName}`);
+  }),
   Effect.flatMap((hasConfig) => {
     if (hasConfig) {
       return Effect.succeed(true);
@@ -8636,20 +9255,23 @@ const updateProjectGitDisconnect = (spec) => {
   const withoutUser = upsertEnvKey(withoutToken, "GIT_AUTH_USER", "");
   return Effect.succeed(clearProjectGitLabels(withoutUser));
 };
+const resolveClaudeAccountCandidates = (claudeAuthPath, accountLabel) => accountLabel === "default" ? [`${claudeAuthPath}/default`, claudeAuthPath] : [`${claudeAuthPath}/${accountLabel}`];
 const updateProjectClaudeConnect = (spec) => {
   const accountLabel = normalizeAccountLabel(spec.rawLabel, "default");
-  const accountPath = `${spec.claudeAuthPath}/${accountLabel}`;
+  const accountCandidates = resolveClaudeAccountCandidates(spec.claudeAuthPath, accountLabel);
   return Effect.gen(function* (_) {
-    const exists = yield* _(spec.fs.exists(accountPath));
-    if (!exists) {
-      return yield* _(Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)));
-    }
-    const hasCredentials = yield* _(
-      hasClaudeAccountCredentials(spec.fs, accountPath),
-      Effect.orElseSucceed(() => false)
-    );
-    if (hasCredentials) {
-      return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel);
+    for (const accountPath of accountCandidates) {
+      const exists = yield* _(spec.fs.exists(accountPath));
+      if (!exists) {
+        continue;
+      }
+      const hasCredentials = yield* _(
+        hasClaudeAccountCredentials(spec.fs, accountPath),
+        Effect.orElseSucceed(() => false)
+      );
+      if (hasCredentials) {
+        return upsertEnvKey(spec.projectEnvText, projectClaudeLabelKey, spec.canonicalLabel);
+      }
     }
     return yield* _(Effect.fail(missingSecret("Claude Code login", spec.canonicalLabel, spec.claudeAuthPath)));
   });