@prover-coder-ai/docker-git 1.0.30 → 1.0.31

package/dist/src/docker-git/main.js

@@ -846,6 +846,109 @@ const renderError = (error) => {
   }
   return renderNonParseError(error);
 };
+const resolveEnvValue = (key) => {
+  const value = process.env[key]?.trim();
+  return value && value.length > 0 ? value : null;
+};
+const trimTrailingSlash$1 = (value) => {
+  let end = value.length;
+  while (end > 0) {
+    const char = value[end - 1];
+    if (char !== "/" && char !== "\\") {
+      break;
+    }
+    end -= 1;
+  }
+  return value.slice(0, end);
+};
+const pathStartsWith = (candidate, prefix) => candidate === prefix || candidate.startsWith(`${prefix}/`) || candidate.startsWith(`${prefix}\\`);
+const translatePathPrefix = (candidate, sourcePrefix, targetPrefix) => pathStartsWith(candidate, sourcePrefix) ? `${targetPrefix}${candidate.slice(sourcePrefix.length)}` : null;
+const resolveContainerProjectsRoot = () => {
+  const explicit = resolveEnvValue("DOCKER_GIT_PROJECTS_ROOT");
+  if (explicit !== null) {
+    return explicit;
+  }
+  const home = resolveEnvValue("HOME") ?? resolveEnvValue("USERPROFILE");
+  return home === null ? null : `${trimTrailingSlash$1(home)}/.docker-git`;
+};
+const resolveProjectsRootHostOverride = () => resolveEnvValue("DOCKER_GIT_PROJECTS_ROOT_HOST");
+const resolveCurrentContainerId = (cwd) => {
+  const fromEnv = resolveEnvValue("HOSTNAME");
+  if (fromEnv !== null) {
+    return Effect.succeed(fromEnv);
+  }
+  return runCommandCapture(
+    {
+      cwd,
+      command: "hostname",
+      args: []
+    },
+    [0],
+    () => new Error("hostname failed")
+  ).pipe(
+    Effect.map((value) => value.trim()),
+    Effect.orElseSucceed(() => ""),
+    Effect.map((value) => value.length > 0 ? value : null)
+  );
+};
+const parseDockerInspectMounts = (raw) => raw.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0).flatMap((line) => {
+  const separator = line.indexOf("	");
+  if (separator <= 0 || separator >= line.length - 1) {
+    return [];
+  }
+  const source = line.slice(0, separator).trim();
+  const destination = line.slice(separator + 1).trim();
+  if (source.length === 0 || destination.length === 0) {
+    return [];
+  }
+  return [{ source, destination }];
+});
+const remapDockerBindHostPathFromMounts = (hostPath, mounts) => {
+  let match = null;
+  for (const mount of mounts) {
+    if (!pathStartsWith(hostPath, mount.destination)) {
+      continue;
+    }
+    if (match === null || mount.destination.length > match.destination.length) {
+      match = mount;
+    }
+  }
+  if (match === null) {
+    return hostPath;
+  }
+  return `${match.source}${hostPath.slice(match.destination.length)}`;
+};
+const resolveDockerVolumeHostPath = (cwd, hostPath) => Effect.gen(function* (_) {
+  const containerProjectsRoot = resolveContainerProjectsRoot();
+  const hostProjectsRoot = resolveProjectsRootHostOverride();
+  if (containerProjectsRoot !== null && hostProjectsRoot !== null) {
+    const remapped = translatePathPrefix(hostPath, containerProjectsRoot, hostProjectsRoot);
+    if (remapped !== null) {
+      return remapped;
+    }
+  }
+  const containerId = yield* _(resolveCurrentContainerId(cwd));
+  if (containerId === null) {
+    return hostPath;
+  }
+  const mountsJson = yield* _(
+    runCommandCapture(
+      {
+        cwd,
+        command: "docker",
+        args: [
+          "inspect",
+          containerId,
+          "--format",
+          String.raw`{{range .Mounts}}{{println .Source "\t" .Destination}}{{end}}`
+        ]
+      },
+      [0],
+      () => new Error("docker inspect current container failed")
+    ).pipe(Effect.orElseSucceed(() => ""))
+  );
+  return remapDockerBindHostPathFromMounts(hostPath, parseDockerInspectMounts(mountsJson));
+});
 const resolveDefaultDockerUser = () => {
   const getUid = Reflect.get(process, "getuid");
   const getGid = Reflect.get(process, "getgid");
@@ -893,17 +996,44 @@ const buildDockerArgs = (spec) => {
   }
   return [...base, spec.image, ...spec.args];
 };
-const runDockerAuth = (spec, okExitCodes, onFailure) => runCommandWithExitCodes(
-  { cwd: spec.cwd, command: "docker", args: buildDockerArgs(spec) },
-  okExitCodes,
-  onFailure
-);
-const runDockerAuthCapture = (spec, okExitCodes, onFailure) => runCommandCapture(
-  { cwd: spec.cwd, command: "docker", args: buildDockerArgs(spec) },
-  okExitCodes,
-  onFailure
-);
-const runDockerAuthExitCode = (spec) => runCommandExitCode({ cwd: spec.cwd, command: "docker", args: buildDockerArgs(spec) });
+const runDockerAuth = (spec, okExitCodes, onFailure) => Effect.gen(function* (_) {
+  const hostPath = yield* _(resolveDockerVolumeHostPath(spec.cwd, spec.volume.hostPath));
+  yield* _(
+    runCommandWithExitCodes(
+      {
+        cwd: spec.cwd,
+        command: "docker",
+        args: buildDockerArgs({ ...spec, volume: { ...spec.volume, hostPath } })
+      },
+      okExitCodes,
+      onFailure
+    )
+  );
+});
+const runDockerAuthCapture = (spec, okExitCodes, onFailure) => Effect.gen(function* (_) {
+  const hostPath = yield* _(resolveDockerVolumeHostPath(spec.cwd, spec.volume.hostPath));
+  return yield* _(
+    runCommandCapture(
+      {
+        cwd: spec.cwd,
+        command: "docker",
+        args: buildDockerArgs({ ...spec, volume: { ...spec.volume, hostPath } })
+      },
+      okExitCodes,
+      onFailure
+    )
+  );
+});
+const runDockerAuthExitCode = (spec) => Effect.gen(function* (_) {
+  const hostPath = yield* _(resolveDockerVolumeHostPath(spec.cwd, spec.volume.hostPath));
+  return yield* _(
+    runCommandExitCode({
+      cwd: spec.cwd,
+      command: "docker",
+      args: buildDockerArgs({ ...spec, volume: { ...spec.volume, hostPath } })
+    })
+  );
+});
 const normalizeAccountLabel = (value, fallback) => {
   const trimmed = value?.trim() ?? "";
   if (trimmed.length === 0) {
@@ -2243,6 +2373,113 @@ EOF
 chmod 0644 "$DOCKER_GIT_SSHD_CONF" || true`;
 const renderEntrypointSshd = () => `# 5) Run sshd in foreground
 exec /usr/sbin/sshd -D`;
+const entrypointClaudeGlobalPromptTemplate = String.raw`# Claude Code: managed global memory (CLAUDE.md is auto-loaded by Claude Code)
+CLAUDE_GLOBAL_PROMPT_FILE="/home/__SSH_USER__/.claude/CLAUDE.md"
+CLAUDE_AUTO_SYSTEM_PROMPT="${"$"}{CLAUDE_AUTO_SYSTEM_PROMPT:-1}"
+CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: repository"
+REPO_REF_VALUE="${"$"}{REPO_REF:-__REPO_REF_DEFAULT__}"
+REPO_URL_VALUE="${"$"}{REPO_URL:-__REPO_URL_DEFAULT__}"
+
+if [[ "$REPO_REF_VALUE" == issue-* ]]; then
+  ISSUE_ID_VALUE="$(printf "%s" "$REPO_REF_VALUE" | sed -E 's#^issue-##')"
+  ISSUE_URL_VALUE=""
+  if [[ "$REPO_URL_VALUE" == https://github.com/* ]]; then
+    ISSUE_REPO_VALUE="$(printf "%s" "$REPO_URL_VALUE" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$ISSUE_REPO_VALUE" ]]; then
+      ISSUE_URL_VALUE="https://github.com/$ISSUE_REPO_VALUE/issues/$ISSUE_ID_VALUE"
+    fi
+  fi
+  if [[ -n "$ISSUE_URL_VALUE" ]]; then
+    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID_VALUE ($ISSUE_URL_VALUE)"
+  else
+    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID_VALUE"
+  fi
+elif [[ "$REPO_REF_VALUE" == refs/pull/*/head ]]; then
+  PR_ID_VALUE="$(printf "%s" "$REPO_REF_VALUE" | sed -nE 's#^refs/pull/([0-9]+)/head$#\1#p')"
+  PR_URL_VALUE=""
+  if [[ "$REPO_URL_VALUE" == https://github.com/* && -n "$PR_ID_VALUE" ]]; then
+    PR_REPO_VALUE="$(printf "%s" "$REPO_URL_VALUE" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
+    if [[ -n "$PR_REPO_VALUE" ]]; then
+      PR_URL_VALUE="https://github.com/$PR_REPO_VALUE/pull/$PR_ID_VALUE"
+    fi
+  fi
+  if [[ -n "$PR_ID_VALUE" && -n "$PR_URL_VALUE" ]]; then
+    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID_VALUE ($PR_URL_VALUE)"
+  elif [[ -n "$PR_ID_VALUE" ]]; then
+    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID_VALUE"
+  else
+    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: pull request ($REPO_REF_VALUE)"
+  fi
+fi
+
+if [[ "$CLAUDE_AUTO_SYSTEM_PROMPT" == "1" ]]; then
+  mkdir -p "$(dirname "$CLAUDE_GLOBAL_PROMPT_FILE")"
+  chown 1000:1000 "$(dirname "$CLAUDE_GLOBAL_PROMPT_FILE")" 2>/dev/null || true
+  if [[ ! -f "$CLAUDE_GLOBAL_PROMPT_FILE" ]] || grep -q "^<!-- docker-git-managed:claude-md -->$" "$CLAUDE_GLOBAL_PROMPT_FILE"; then
+    cat <<EOF > "$CLAUDE_GLOBAL_PROMPT_FILE"
+<!-- docker-git-managed:claude-md -->
+Ты автономный агент, который имеет полностью все права управления контейнером. У тебя есть доступ к командам sudo, gh, codex, opencode, oh-my-opencode, claude, git, node, pnpm и всем остальным другим. Проекты с которыми идёт работа лежат по пути ~
+Рабочая папка проекта (git clone): __TARGET_DIR__
+Доступные workspace пути: __TARGET_DIR__
+$CLAUDE_WORKSPACE_CONTEXT
+Фокус задачи: работай только в workspace, который запрашивает пользователь. Текущий workspace: __TARGET_DIR__
+Доступ к интернету: есть. Если чего-то не знаешь — ищи в интернете или по кодовой базе.
+Если ты видишь файлы AGENTS.md или CLAUDE.md внутри проекта, ты обязан их читать и соблюдать инструкции.
+<!-- /docker-git-managed:claude-md -->
+EOF
+    chmod 0644 "$CLAUDE_GLOBAL_PROMPT_FILE" || true
+    chown 1000:1000 "$CLAUDE_GLOBAL_PROMPT_FILE" || true
+  fi
+fi
+
+export CLAUDE_AUTO_SYSTEM_PROMPT`;
+const escapeForDoubleQuotes$1 = (value) => {
+  const backslash = String.fromCodePoint(92);
+  const quote = String.fromCodePoint(34);
+  const escapedBackslash = `${backslash}${backslash}`;
+  const escapedQuote = `${backslash}${quote}`;
+  return value.replaceAll(backslash, escapedBackslash).replaceAll(quote, escapedQuote);
+};
+const renderClaudeGlobalPromptSetup = (config) => entrypointClaudeGlobalPromptTemplate.replaceAll("__TARGET_DIR__", config.targetDir).replaceAll("__SSH_USER__", config.sshUser).replaceAll("__REPO_REF_DEFAULT__", escapeForDoubleQuotes$1(config.repoRef)).replaceAll("__REPO_URL_DEFAULT__", escapeForDoubleQuotes$1(config.repoUrl));
+const renderClaudeWrapperSetup = () => String.raw`CLAUDE_WRAPPER_BIN="/usr/local/bin/claude"
+if command -v claude >/dev/null 2>&1; then
+  CURRENT_CLAUDE_BIN="$(command -v claude)"
+  CLAUDE_REAL_DIR="$(dirname "$CURRENT_CLAUDE_BIN")"
+  CLAUDE_REAL_BIN="$CLAUDE_REAL_DIR/.docker-git-claude-real"
+
+  # If a wrapper already exists but points to a missing real binary, recover from /usr/bin.
+  if [[ "$CURRENT_CLAUDE_BIN" == "$CLAUDE_WRAPPER_BIN" && ! -e "$CLAUDE_REAL_BIN" && -x "/usr/bin/claude" ]]; then
+    CURRENT_CLAUDE_BIN="/usr/bin/claude"
+    CLAUDE_REAL_DIR="/usr/bin"
+    CLAUDE_REAL_BIN="$CLAUDE_REAL_DIR/.docker-git-claude-real"
+  fi
+
+  # Keep the "real" binary in the same directory as the original command to preserve relative symlinks.
+  if [[ "$CURRENT_CLAUDE_BIN" != "$CLAUDE_REAL_BIN" && ! -e "$CLAUDE_REAL_BIN" ]]; then
+    mv "$CURRENT_CLAUDE_BIN" "$CLAUDE_REAL_BIN"
+  fi
+  if [[ -e "$CLAUDE_REAL_BIN" ]]; then
+    cat <<'EOF' > "$CLAUDE_WRAPPER_BIN"
+#!/usr/bin/env bash
+set -euo pipefail
+
+CLAUDE_REAL_BIN="__CLAUDE_REAL_BIN__"
+CLAUDE_CONFIG_DIR="${"$"}{CLAUDE_CONFIG_DIR:-$HOME/.claude}"
+CLAUDE_TOKEN_FILE="$CLAUDE_CONFIG_DIR/.oauth-token"
+
+if [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
+  CLAUDE_CODE_OAUTH_TOKEN="$(tr -d '\r\n' < "$CLAUDE_TOKEN_FILE")"
+  export CLAUDE_CODE_OAUTH_TOKEN
+else
+  unset CLAUDE_CODE_OAUTH_TOKEN || true
+fi
+
+exec "$CLAUDE_REAL_BIN" "$@"
+EOF
+    sed -i "s#__CLAUDE_REAL_BIN__#$CLAUDE_REAL_BIN#g" "$CLAUDE_WRAPPER_BIN" || true
+    chmod 0755 "$CLAUDE_WRAPPER_BIN" || true
+  fi
+fi`;
 const claudeAuthRootContainerPath = (sshUser) => `/home/${sshUser}/.docker-git/.orch/auth/claude`;
 const claudeAuthConfigTemplate = String.raw`# Claude Code: expose CLAUDE_CONFIG_DIR for SSH sessions (OAuth cache lives under ~/.docker-git/.orch/auth/claude)
 CLAUDE_LABEL_RAW="$CLAUDE_AUTH_LABEL"
@@ -2275,6 +2512,17 @@ mkdir -p "$CLAUDE_CONFIG_DIR" || true
 CLAUDE_HOME_DIR="__CLAUDE_HOME_DIR__"
 CLAUDE_HOME_JSON="__CLAUDE_HOME_JSON__"
 mkdir -p "$CLAUDE_HOME_DIR" || true
+CLAUDE_TOKEN_FILE="$CLAUDE_CONFIG_DIR/.oauth-token"
+CLAUDE_CREDENTIALS_FILE="$CLAUDE_CONFIG_DIR/.credentials.json"
+CLAUDE_NESTED_CREDENTIALS_FILE="$CLAUDE_CONFIG_DIR/.claude/.credentials.json"
+
+docker_git_prepare_claude_auth_mode() {
+  if [[ -s "$CLAUDE_TOKEN_FILE" ]]; then
+    rm -f "$CLAUDE_CREDENTIALS_FILE" "$CLAUDE_NESTED_CREDENTIALS_FILE" "$CLAUDE_HOME_DIR/.credentials.json" || true
+  fi
+}
+
+docker_git_prepare_claude_auth_mode
 
 docker_git_link_claude_file() {
   local source_path="$1"
@@ -2302,17 +2550,13 @@ docker_git_link_claude_home_file() {
 docker_git_link_claude_home_file ".oauth-token"
 docker_git_link_claude_home_file ".config.json"
 docker_git_link_claude_home_file ".claude.json"
-docker_git_link_claude_home_file ".credentials.json"
+if [[ ! -s "$CLAUDE_TOKEN_FILE" ]]; then
+  docker_git_link_claude_home_file ".credentials.json"
+fi
 docker_git_link_claude_file "$CLAUDE_CONFIG_DIR/.claude.json" "$CLAUDE_HOME_JSON"
 
-CLAUDE_TOKEN_FILE="$CLAUDE_CONFIG_DIR/.oauth-token"
-CLAUDE_CREDENTIALS_FILE="$CLAUDE_CONFIG_DIR/.credentials.json"
 docker_git_refresh_claude_oauth_token() {
   local token=""
-  if [[ -s "$CLAUDE_CREDENTIALS_FILE" ]]; then
-    unset CLAUDE_CODE_OAUTH_TOKEN || true
-    return 0
-  fi
   if [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
     token="$(tr -d '\r\n' < "$CLAUDE_TOKEN_FILE")"
   fi
@@ -2366,6 +2610,51 @@ EOF
 }
 
 docker_git_ensure_claude_cli`;
+const renderClaudePermissionSettingsConfig = () => String.raw`# Claude Code: keep permission settings in sync with docker-git defaults
+CLAUDE_PERMISSION_SETTINGS_FILE="$CLAUDE_CONFIG_DIR/settings.json"
+docker_git_sync_claude_permissions() {
+  CLAUDE_PERMISSION_SETTINGS_FILE="$CLAUDE_PERMISSION_SETTINGS_FILE" node - <<'NODE'
+const fs = require("node:fs")
+const path = require("node:path")
+
+const settingsPath = process.env.CLAUDE_PERMISSION_SETTINGS_FILE
+if (typeof settingsPath !== "string" || settingsPath.length === 0) {
+  process.exit(0)
+}
+
+const isRecord = (value) => typeof value === "object" && value !== null && !Array.isArray(value)
+
+let settings = {}
+try {
+  const raw = fs.readFileSync(settingsPath, "utf8")
+  const parsed = JSON.parse(raw)
+  settings = isRecord(parsed) ? parsed : {}
+} catch {
+  settings = {}
+}
+
+const currentPermissions = isRecord(settings.permissions) ? settings.permissions : {}
+const nextPermissions = {
+  ...currentPermissions,
+  defaultMode: "bypassPermissions"
+}
+const nextSettings = {
+  ...settings,
+  permissions: nextPermissions
+}
+
+if (JSON.stringify(settings) === JSON.stringify(nextSettings)) {
+  process.exit(0)
+}
+
+fs.mkdirSync(path.dirname(settingsPath), { recursive: true })
+fs.writeFileSync(settingsPath, JSON.stringify(nextSettings, null, 2) + "\n", { mode: 0o600 })
+NODE
+}
+
+docker_git_sync_claude_permissions
+chmod 0600 "$CLAUDE_PERMISSION_SETTINGS_FILE" 2>/dev/null || true
+chown 1000:1000 "$CLAUDE_PERMISSION_SETTINGS_FILE" 2>/dev/null || true`;
 const renderClaudeMcpPlaywrightConfig = () => String.raw`# Claude Code: keep Playwright MCP config in sync with container settings
 CLAUDE_SETTINGS_FILE="${"$"}{CLAUDE_HOME_JSON:-$CLAUDE_CONFIG_DIR/.claude.json}"
 docker_git_sync_claude_playwright_mcp() {
@@ -2421,126 +2710,13 @@ NODE
 
 docker_git_sync_claude_playwright_mcp
 chown 1000:1000 "$CLAUDE_SETTINGS_FILE" 2>/dev/null || true`;
-const entrypointClaudeGlobalPromptTemplate = String.raw`# Claude Code: managed global memory (CLAUDE.md is auto-loaded by Claude Code)
-CLAUDE_GLOBAL_PROMPT_FILE="/home/__SSH_USER__/.claude/CLAUDE.md"
-CLAUDE_AUTO_SYSTEM_PROMPT="${"$"}{CLAUDE_AUTO_SYSTEM_PROMPT:-1}"
-CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: repository"
-REPO_REF_VALUE="${"$"}{REPO_REF:-__REPO_REF_DEFAULT__}"
-REPO_URL_VALUE="${"$"}{REPO_URL:-__REPO_URL_DEFAULT__}"
-
-if [[ "$REPO_REF_VALUE" == issue-* ]]; then
-  ISSUE_ID_VALUE="$(printf "%s" "$REPO_REF_VALUE" | sed -E 's#^issue-##')"
-  ISSUE_URL_VALUE=""
-  if [[ "$REPO_URL_VALUE" == https://github.com/* ]]; then
-    ISSUE_REPO_VALUE="$(printf "%s" "$REPO_URL_VALUE" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
-    if [[ -n "$ISSUE_REPO_VALUE" ]]; then
-      ISSUE_URL_VALUE="https://github.com/$ISSUE_REPO_VALUE/issues/$ISSUE_ID_VALUE"
-    fi
-  fi
-  if [[ -n "$ISSUE_URL_VALUE" ]]; then
-    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID_VALUE ($ISSUE_URL_VALUE)"
-  else
-    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: issue #$ISSUE_ID_VALUE"
-  fi
-elif [[ "$REPO_REF_VALUE" == refs/pull/*/head ]]; then
-  PR_ID_VALUE="$(printf "%s" "$REPO_REF_VALUE" | sed -nE 's#^refs/pull/([0-9]+)/head$#\1#p')"
-  PR_URL_VALUE=""
-  if [[ "$REPO_URL_VALUE" == https://github.com/* && -n "$PR_ID_VALUE" ]]; then
-    PR_REPO_VALUE="$(printf "%s" "$REPO_URL_VALUE" | sed -E 's#^https://github.com/##; s#[.]git$##; s#/*$##')"
-    if [[ -n "$PR_REPO_VALUE" ]]; then
-      PR_URL_VALUE="https://github.com/$PR_REPO_VALUE/pull/$PR_ID_VALUE"
-    fi
-  fi
-  if [[ -n "$PR_ID_VALUE" && -n "$PR_URL_VALUE" ]]; then
-    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID_VALUE ($PR_URL_VALUE)"
-  elif [[ -n "$PR_ID_VALUE" ]]; then
-    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: PR #$PR_ID_VALUE"
-  else
-    CLAUDE_WORKSPACE_CONTEXT="Контекст workspace: pull request ($REPO_REF_VALUE)"
-  fi
-fi
-
-if [[ "$CLAUDE_AUTO_SYSTEM_PROMPT" == "1" ]]; then
-  mkdir -p "$(dirname "$CLAUDE_GLOBAL_PROMPT_FILE")"
-  chown 1000:1000 "$(dirname "$CLAUDE_GLOBAL_PROMPT_FILE")" 2>/dev/null || true
-  if [[ ! -f "$CLAUDE_GLOBAL_PROMPT_FILE" ]] || grep -q "^<!-- docker-git-managed:claude-md -->$" "$CLAUDE_GLOBAL_PROMPT_FILE"; then
-    cat <<EOF > "$CLAUDE_GLOBAL_PROMPT_FILE"
-<!-- docker-git-managed:claude-md -->
-Ты автономный агент, который имеет полностью все права управления контейнером. У тебя есть доступ к командам sudo, gh, codex, opencode, oh-my-opencode, claude, git, node, pnpm и всем остальным другим. Проекты с которыми идёт работа лежат по пути ~
-Рабочая папка проекта (git clone): __TARGET_DIR__
-Доступные workspace пути: __TARGET_DIR__
-$CLAUDE_WORKSPACE_CONTEXT
-Фокус задачи: работай только в workspace, который запрашивает пользователь. Текущий workspace: __TARGET_DIR__
-Доступ к интернету: есть. Если чего-то не знаешь — ищи в интернете или по кодовой базе.
-Если ты видишь файлы AGENTS.md или CLAUDE.md внутри проекта, ты обязан их читать и соблюдать инструкции.
-<!-- /docker-git-managed:claude-md -->
-EOF
-    chmod 0644 "$CLAUDE_GLOBAL_PROMPT_FILE" || true
-    chown 1000:1000 "$CLAUDE_GLOBAL_PROMPT_FILE" || true
-  fi
-fi
-
-export CLAUDE_AUTO_SYSTEM_PROMPT`;
-const escapeForDoubleQuotes$1 = (value) => {
-  const backslash = String.fromCodePoint(92);
-  const quote = String.fromCodePoint(34);
-  const escapedBackslash = `${backslash}${backslash}`;
-  const escapedQuote = `${backslash}${quote}`;
-  return value.replaceAll(backslash, escapedBackslash).replaceAll(quote, escapedQuote);
-};
-const renderClaudeGlobalPromptSetup = (config) => entrypointClaudeGlobalPromptTemplate.replaceAll("__TARGET_DIR__", config.targetDir).replaceAll("__SSH_USER__", config.sshUser).replaceAll("__REPO_REF_DEFAULT__", escapeForDoubleQuotes$1(config.repoRef)).replaceAll("__REPO_URL_DEFAULT__", escapeForDoubleQuotes$1(config.repoUrl));
-const renderClaudeWrapperSetup = () => String.raw`CLAUDE_WRAPPER_BIN="/usr/local/bin/claude"
-if command -v claude >/dev/null 2>&1; then
-  CURRENT_CLAUDE_BIN="$(command -v claude)"
-  CLAUDE_REAL_DIR="$(dirname "$CURRENT_CLAUDE_BIN")"
-  CLAUDE_REAL_BIN="$CLAUDE_REAL_DIR/.docker-git-claude-real"
-
-  # If a wrapper already exists but points to a missing real binary, recover from /usr/bin.
-  if [[ "$CURRENT_CLAUDE_BIN" == "$CLAUDE_WRAPPER_BIN" && ! -e "$CLAUDE_REAL_BIN" && -x "/usr/bin/claude" ]]; then
-    CURRENT_CLAUDE_BIN="/usr/bin/claude"
-    CLAUDE_REAL_DIR="/usr/bin"
-    CLAUDE_REAL_BIN="$CLAUDE_REAL_DIR/.docker-git-claude-real"
-  fi
-
-  # Keep the "real" binary in the same directory as the original command to preserve relative symlinks.
-  if [[ "$CURRENT_CLAUDE_BIN" != "$CLAUDE_REAL_BIN" && ! -e "$CLAUDE_REAL_BIN" ]]; then
-    mv "$CURRENT_CLAUDE_BIN" "$CLAUDE_REAL_BIN"
-  fi
-  if [[ -e "$CLAUDE_REAL_BIN" ]]; then
-    cat <<'EOF' > "$CLAUDE_WRAPPER_BIN"
-#!/usr/bin/env bash
-set -euo pipefail
-
-CLAUDE_REAL_BIN="__CLAUDE_REAL_BIN__"
-CLAUDE_CONFIG_DIR="${"$"}{CLAUDE_CONFIG_DIR:-$HOME/.claude}"
-CLAUDE_TOKEN_FILE="$CLAUDE_CONFIG_DIR/.oauth-token"
-CLAUDE_CREDENTIALS_FILE="$CLAUDE_CONFIG_DIR/.credentials.json"
-
-if [[ -s "$CLAUDE_CREDENTIALS_FILE" ]]; then
-  unset CLAUDE_CODE_OAUTH_TOKEN || true
-elif [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
-  CLAUDE_CODE_OAUTH_TOKEN="$(tr -d '\r\n' < "$CLAUDE_TOKEN_FILE")"
-  export CLAUDE_CODE_OAUTH_TOKEN
-else
-  unset CLAUDE_CODE_OAUTH_TOKEN || true
-fi
-
-exec "$CLAUDE_REAL_BIN" "$@"
-EOF
-    sed -i "s#__CLAUDE_REAL_BIN__#$CLAUDE_REAL_BIN#g" "$CLAUDE_WRAPPER_BIN" || true
-    chmod 0755 "$CLAUDE_WRAPPER_BIN" || true
-  fi
-fi`;
 const renderClaudeProfileSetup = () => String.raw`CLAUDE_PROFILE="/etc/profile.d/claude-config.sh"
 printf "export CLAUDE_AUTH_LABEL=%q\n" "$CLAUDE_AUTH_LABEL" > "$CLAUDE_PROFILE"
 printf "export CLAUDE_CONFIG_DIR=%q\n" "$CLAUDE_CONFIG_DIR" >> "$CLAUDE_PROFILE"
 printf "export CLAUDE_AUTO_SYSTEM_PROMPT=%q\n" "$CLAUDE_AUTO_SYSTEM_PROMPT" >> "$CLAUDE_PROFILE"
 cat <<'EOF' >> "$CLAUDE_PROFILE"
 CLAUDE_TOKEN_FILE="${"$"}{CLAUDE_CONFIG_DIR:-$HOME/.claude}/.oauth-token"
-CLAUDE_CREDENTIALS_FILE="${"$"}{CLAUDE_CONFIG_DIR:-$HOME/.claude}/.credentials.json"
-if [[ -s "$CLAUDE_CREDENTIALS_FILE" ]]; then
-  unset CLAUDE_CODE_OAUTH_TOKEN || true
-elif [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
+if [[ -f "$CLAUDE_TOKEN_FILE" ]]; then
   export CLAUDE_CODE_OAUTH_TOKEN="$(tr -d '\r\n' < "$CLAUDE_TOKEN_FILE")"
 else
   unset CLAUDE_CODE_OAUTH_TOKEN || true
@@ -2555,6 +2731,7 @@ docker_git_upsert_ssh_env "CLAUDE_AUTO_SYSTEM_PROMPT" "$CLAUDE_AUTO_SYSTEM_PROMP
 const renderEntrypointClaudeConfig = (config) => [
   renderClaudeAuthConfig(config),
   renderClaudeCliInstall(),
+  renderClaudePermissionSettingsConfig(),
   renderClaudeMcpPlaywrightConfig(),
   renderClaudeGlobalPromptSetup(config),
   renderClaudeWrapperSetup(),
@@ -4668,70 +4845,6 @@ const parseJsonRecord = (text) => Either.match(ParseResult.decodeUnknownEither(J
 const hasClaudeOauthAccount = (record) => record !== null && typeof record["oauthAccount"] === "object" && record["oauthAccount"] !== null;
 const hasClaudeCredentials = (record) => record !== null && typeof record["claudeAiOauth"] === "object" && record["claudeAiOauth"] !== null;
 const isGithubTokenKey = (key) => key === "GITHUB_TOKEN" || key === "GH_TOKEN" || key.startsWith("GITHUB_TOKEN__");
-const syncGithubAuthKeys = (sourceText, targetText) => {
-  const sourceTokenEntries = parseEnvEntries(sourceText).filter((entry) => isGithubTokenKey(entry.key));
-  if (sourceTokenEntries.length === 0) {
-    return targetText;
-  }
-  const targetTokenKeys = parseEnvEntries(targetText).filter((entry) => isGithubTokenKey(entry.key)).map((entry) => entry.key);
-  let next = targetText;
-  for (const key of targetTokenKeys) {
-    next = removeEnvKey(next, key);
-  }
-  for (const entry of sourceTokenEntries) {
-    next = upsertEnvKey(next, entry.key, entry.value);
-  }
-  return next;
-};
-const syncGithubTokenKeysInFile = (sourcePath, targetPath) => withFsPathContext(
-  ({ fs }) => Effect.gen(function* (_) {
-    const sourceExists = yield* _(fs.exists(sourcePath));
-    if (!sourceExists) {
-      return;
-    }
-    const targetExists = yield* _(fs.exists(targetPath));
-    if (!targetExists) {
-      return;
-    }
-    const sourceInfo = yield* _(fs.stat(sourcePath));
-    const targetInfo = yield* _(fs.stat(targetPath));
-    if (sourceInfo.type !== "File" || targetInfo.type !== "File") {
-      return;
-    }
-    const sourceText = yield* _(fs.readFileString(sourcePath));
-    const targetText = yield* _(fs.readFileString(targetPath));
-    const mergedText = syncGithubAuthKeys(sourceText, targetText);
-    if (mergedText !== targetText) {
-      yield* _(fs.writeFileString(targetPath, mergedText));
-      yield* _(Effect.log(`Synced GitHub auth keys from ${sourcePath} to ${targetPath}`));
-    }
-  })
-);
-const copyFileIfNeeded = (sourcePath, targetPath) => withFsPathContext(
-  ({ fs, path }) => Effect.gen(function* (_) {
-    const sourceExists = yield* _(fs.exists(sourcePath));
-    if (!sourceExists) {
-      return;
-    }
-    const sourceInfo = yield* _(fs.stat(sourcePath));
-    if (sourceInfo.type !== "File") {
-      return;
-    }
-    yield* _(fs.makeDirectory(path.dirname(targetPath), { recursive: true }));
-    const targetExists = yield* _(fs.exists(targetPath));
-    if (!targetExists) {
-      yield* _(fs.copyFile(sourcePath, targetPath));
-      yield* _(Effect.log(`Copied env file from ${sourcePath} to ${targetPath}`));
-      return;
-    }
-    const sourceText = yield* _(fs.readFileString(sourcePath));
-    const targetText = yield* _(fs.readFileString(targetPath));
-    if (shouldCopyEnv(sourceText, targetText) === "copy") {
-      yield* _(fs.writeFileString(targetPath, sourceText));
-      yield* _(Effect.log(`Synced env file from ${sourcePath} to ${targetPath}`));
-    }
-  })
-);
 const syncClaudeJsonFile = (fs, path, spec) => Effect.gen(function* (_) {
   const sourceExists = yield* _(fs.exists(spec.sourcePath));
   if (!sourceExists) {
@@ -4782,6 +4895,18 @@ const syncClaudeCredentialsJson = (fs, path, sourcePath, targetPath) => syncClau
   seedLabel: "Claude credentials",
   updateLabel: "Claude credentials"
 });
+const hasNonEmptyFile = (fs, filePath) => Effect.gen(function* (_) {
+  const exists = yield* _(fs.exists(filePath));
+  if (!exists) {
+    return false;
+  }
+  const info = yield* _(fs.stat(filePath));
+  if (info.type !== "File") {
+    return false;
+  }
+  const text = yield* _(fs.readFileString(filePath), Effect.orElseSucceed(() => ""));
+  return text.trim().length > 0;
+});
 const ensureClaudeAuthSeedFromHome = (baseDir, claudeAuthPath) => withFsPathContext(
   ({ fs, path }) => Effect.gen(function* (_) {
     const homeDir = (process.env["HOME"] ?? "").trim();
@@ -4793,10 +4918,78 @@ const ensureClaudeAuthSeedFromHome = (baseDir, claudeAuthPath) => withFsPathCont
     const claudeRoot = resolvePathFromBase$1(path, baseDir, claudeAuthPath);
     const targetAccountDir = path.join(claudeRoot, "default");
     const targetClaudeJson = path.join(targetAccountDir, ".claude.json");
+    const targetOauthToken = path.join(targetAccountDir, ".oauth-token");
     const targetCredentials = path.join(targetAccountDir, ".credentials.json");
+    const hasTargetOauthToken = yield* _(hasNonEmptyFile(fs, targetOauthToken));
     yield* _(fs.makeDirectory(targetAccountDir, { recursive: true }));
     yield* _(syncClaudeHomeJson(fs, path, sourceClaudeJson, targetClaudeJson));
-    yield* _(syncClaudeCredentialsJson(fs, path, sourceCredentials, targetCredentials));
+    if (!hasTargetOauthToken) {
+      yield* _(syncClaudeCredentialsJson(fs, path, sourceCredentials, targetCredentials));
+    }
+  })
+);
+const syncGithubAuthKeys = (sourceText, targetText) => {
+  const sourceTokenEntries = parseEnvEntries(sourceText).filter((entry) => isGithubTokenKey(entry.key));
+  if (sourceTokenEntries.length === 0) {
+    return targetText;
+  }
+  const targetTokenKeys = parseEnvEntries(targetText).filter((entry) => isGithubTokenKey(entry.key)).map((entry) => entry.key);
+  let next = targetText;
+  for (const key of targetTokenKeys) {
+    next = removeEnvKey(next, key);
+  }
+  for (const entry of sourceTokenEntries) {
+    next = upsertEnvKey(next, entry.key, entry.value);
+  }
+  return next;
+};
+const syncGithubTokenKeysInFile = (sourcePath, targetPath) => withFsPathContext(
+  ({ fs }) => Effect.gen(function* (_) {
+    const sourceExists = yield* _(fs.exists(sourcePath));
+    if (!sourceExists) {
+      return;
+    }
+    const targetExists = yield* _(fs.exists(targetPath));
+    if (!targetExists) {
+      return;
+    }
+    const sourceInfo = yield* _(fs.stat(sourcePath));
+    const targetInfo = yield* _(fs.stat(targetPath));
+    if (sourceInfo.type !== "File" || targetInfo.type !== "File") {
+      return;
+    }
+    const sourceText = yield* _(fs.readFileString(sourcePath));
+    const targetText = yield* _(fs.readFileString(targetPath));
+    const mergedText = syncGithubAuthKeys(sourceText, targetText);
+    if (mergedText !== targetText) {
+      yield* _(fs.writeFileString(targetPath, mergedText));
+      yield* _(Effect.log(`Synced GitHub auth keys from ${sourcePath} to ${targetPath}`));
+    }
+  })
+);
+const copyFileIfNeeded = (sourcePath, targetPath) => withFsPathContext(
+  ({ fs, path }) => Effect.gen(function* (_) {
+    const sourceExists = yield* _(fs.exists(sourcePath));
+    if (!sourceExists) {
+      return;
+    }
+    const sourceInfo = yield* _(fs.stat(sourcePath));
+    if (sourceInfo.type !== "File") {
+      return;
+    }
+    yield* _(fs.makeDirectory(path.dirname(targetPath), { recursive: true }));
+    const targetExists = yield* _(fs.exists(targetPath));
+    if (!targetExists) {
+      yield* _(fs.copyFile(sourcePath, targetPath));
+      yield* _(Effect.log(`Copied env file from ${sourcePath} to ${targetPath}`));
+      return;
+    }
+    const sourceText = yield* _(fs.readFileString(sourcePath));
+    const targetText = yield* _(fs.readFileString(targetPath));
+    if (shouldCopyEnv(sourceText, targetText) === "copy") {
+      yield* _(fs.writeFileString(targetPath, sourceText));
+      yield* _(Effect.log(`Synced env file from ${sourcePath} to ${targetPath}`));
+    }
   })
 );
 const ensureCodexConfigFile = (baseDir, codexAuthPath) => withFsPathContext(
@@ -6057,7 +6250,8 @@ const runClaudeOauthLoginWithPrompt = (cwd, accountPath, options) => {
   return Effect.scoped(
     Effect.gen(function* (_) {
       const executor = yield* _(CommandExecutor.CommandExecutor);
-      const spec = buildDockerSetupTokenSpec(cwd, accountPath, options.image, options.containerPath);
+      const hostPath = yield* _(resolveDockerVolumeHostPath(cwd, accountPath));
+      const spec = buildDockerSetupTokenSpec(cwd, hostPath, options.image, options.containerPath);
       const proc = yield* _(startDockerProcess(executor, spec));
       const tokenBox = { value: null };
       const stdoutFiber = yield* _(Effect.forkScoped(pumpDockerOutput(proc.stdout, 1, tokenBox)));
@@ -6106,6 +6300,10 @@ const syncClaudeCredentialsFile = (fs, accountPath) => Effect.gen(function* (_)
     yield* _(fs.chmod(nestedPath, 384), Effect.orElseSucceed(() => void 0));
   }
 });
+const clearClaudeSessionCredentials = (fs, accountPath) => Effect.gen(function* (_) {
+  yield* _(fs.remove(claudeCredentialsPath(accountPath), { force: true }));
+  yield* _(fs.remove(claudeNestedCredentialsPath(accountPath), { force: true }));
+});
 const hasNonEmptyOauthToken$1 = (fs, accountPath) => Effect.gen(function* (_) {
   const tokenPath = claudeOauthTokenPath(accountPath);
   const hasToken = yield* _(isRegularFile(fs, tokenPath));
@@ -6115,7 +6313,30 @@ const hasNonEmptyOauthToken$1 = (fs, accountPath) => Effect.gen(function* (_) {
   const tokenText = yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""));
   return tokenText.trim().length > 0;
 });
-const buildClaudeAuthEnv = (interactive) => interactive ? [`HOME=${claudeContainerHomeDir}`, `CLAUDE_CONFIG_DIR=${claudeContainerHomeDir}`, "BROWSER=echo"] : [`HOME=${claudeContainerHomeDir}`, `CLAUDE_CONFIG_DIR=${claudeContainerHomeDir}`];
+const readOauthToken = (fs, accountPath) => Effect.gen(function* (_) {
+  const tokenPath = claudeOauthTokenPath(accountPath);
+  const hasToken = yield* _(isRegularFile(fs, tokenPath));
+  if (!hasToken) {
+    return null;
+  }
+  const tokenText = yield* _(fs.readFileString(tokenPath), Effect.orElseSucceed(() => ""));
+  const token = tokenText.trim();
+  return token.length > 0 ? token : null;
+});
+const resolveClaudeAuthMethod = (fs, accountPath) => Effect.gen(function* (_) {
+  const hasOauthToken = yield* _(hasNonEmptyOauthToken$1(fs, accountPath));
+  if (hasOauthToken) {
+    yield* _(clearClaudeSessionCredentials(fs, accountPath));
+    return "oauth-token";
+  }
+  yield* _(syncClaudeCredentialsFile(fs, accountPath));
+  const hasCredentials = yield* _(isRegularFile(fs, claudeCredentialsPath(accountPath)));
+  return hasCredentials ? "claude-ai-session" : "none";
+});
+const buildClaudeAuthEnv = (interactive, oauthToken = null) => [
+  ...[`HOME=${claudeContainerHomeDir}`, `CLAUDE_CONFIG_DIR=${claudeContainerHomeDir}`],
+  ...oauthToken === null ? [] : [`CLAUDE_CODE_OAUTH_TOKEN=${oauthToken}`]
+];
 const ensureClaudeOrchLayout = (cwd) => migrateLegacyOrchLayout(cwd, {
   envGlobalPath: defaultTemplateConfig.envGlobalPath,
   envProjectPath: defaultTemplateConfig.envProjectPath,
@@ -6164,7 +6385,7 @@ const runClaudeAuthCommand = (cwd, accountPath, args, commandLabel, interactive)
     image: claudeImageName,
     hostPath: accountPath,
     containerPath: claudeContainerHomeDir,
-    env: buildClaudeAuthEnv(interactive),
+    env: buildClaudeAuthEnv(),
     args,
     interactive
   }),
@@ -6172,13 +6393,13 @@ const runClaudeAuthCommand = (cwd, accountPath, args, commandLabel, interactive)
   (exitCode) => new CommandFailedError({ command: commandLabel, exitCode })
 );
 const runClaudeLogout = (cwd, accountPath) => runClaudeAuthCommand(cwd, accountPath, ["auth", "logout"], "claude auth logout", false);
-const runClaudePingProbeExitCode = (cwd, accountPath) => runDockerAuthExitCode(
+const runClaudePingProbeExitCode = (cwd, accountPath, oauthToken) => runDockerAuthExitCode(
   buildDockerAuthSpec({
     cwd,
     image: claudeImageName,
     hostPath: accountPath,
     containerPath: claudeContainerHomeDir,
-    env: buildClaudeAuthEnv(false),
+    env: buildClaudeAuthEnv(false, oauthToken),
     args: ["-p", "ping"],
     interactive: false
   })
@@ -6195,8 +6416,8 @@ const authClaudeLogin = (command) => {
     yield* _(fs.writeFileString(claudeOauthTokenPath(accountPath), `${token}
 `));
     yield* _(fs.chmod(claudeOauthTokenPath(accountPath), 384), Effect.orElseSucceed(() => void 0));
-    yield* _(syncClaudeCredentialsFile(fs, accountPath));
-    const probeExitCode = yield* _(runClaudePingProbeExitCode(cwd, accountPath));
+    yield* _(resolveClaudeAuthMethod(fs, accountPath));
+    const probeExitCode = yield* _(runClaudePingProbeExitCode(cwd, accountPath, token));
     if (probeExitCode !== 0) {
       yield* _(
         Effect.fail(
@@ -6212,20 +6433,17 @@ const authClaudeLogin = (command) => {
   );
 };
 const authClaudeStatus = (command) => withClaudeAuth(command, ({ accountLabel, accountPath, cwd, fs }) => Effect.gen(function* (_) {
-  yield* _(syncClaudeCredentialsFile(fs, accountPath));
-  const hasOauthToken = yield* _(hasNonEmptyOauthToken$1(fs, accountPath));
-  const hasCredentials = yield* _(isRegularFile(fs, claudeCredentialsPath(accountPath)));
-  if (!hasOauthToken && !hasCredentials) {
+  const method = yield* _(resolveClaudeAuthMethod(fs, accountPath));
+  if (method === "none") {
     yield* _(Effect.log(`Claude not connected (${accountLabel}).`));
     return;
   }
-  const probeExitCode = yield* _(runClaudePingProbeExitCode(cwd, accountPath));
+  const oauthToken = method === "oauth-token" ? yield* _(readOauthToken(fs, accountPath)) : null;
+  const probeExitCode = yield* _(runClaudePingProbeExitCode(cwd, accountPath, oauthToken));
   if (probeExitCode === 0) {
-    const method2 = hasCredentials ? "claude-ai-session" : "oauth-token";
-    yield* _(Effect.log(`Claude connected (${accountLabel}, ${method2}).`));
+    yield* _(Effect.log(`Claude connected (${accountLabel}, ${method}).`));
     return;
   }
-  const method = hasCredentials ? "claude-ai-session" : "oauth-token";
   yield* _(
     Effect.logWarning(
       `Claude session exists but API probe failed (${accountLabel}, ${method}, exit=${probeExitCode}). Run 'docker-git auth claude login'.`