npm - @prover-coder-ai/docker-git - Versions diffs - 1.0.36 → 1.0.38 - Mend

@prover-coder-ai/docker-git 1.0.36 → 1.0.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/src/docker-git/main.js +593 -425
package/dist/src/docker-git/main.js.map +1 -1
package/package.json +1 -1

package/dist/src/docker-git/main.js CHANGED Viewed

@@ -345,6 +345,228 @@ const runCommandCapture = (spec, okExitCodes, onFailure) => Effect.scoped(
     return new TextDecoder("utf-8").decode(bytes);
   })
 );
+const resolveDockerEnvValue = (key) => {
+  const value = process.env[key]?.trim();
+  return value && value.length > 0 ? value : null;
+};
+const trimDockerPathTrailingSlash = (value) => {
+  let end = value.length;
+  while (end > 0) {
+    const char = value[end - 1];
+    if (char !== "/" && char !== "\\") {
+      break;
+    }
+    end -= 1;
+  }
+  return value.slice(0, end);
+};
+const pathStartsWith = (candidate, prefix) => candidate === prefix || candidate.startsWith(`${prefix}/`) || candidate.startsWith(`${prefix}\\`);
+const translatePathPrefix = (candidate, sourcePrefix, targetPrefix) => pathStartsWith(candidate, sourcePrefix) ? `${targetPrefix}${candidate.slice(sourcePrefix.length)}` : null;
+const resolveContainerProjectsRoot = () => {
+  const explicit = resolveDockerEnvValue("DOCKER_GIT_PROJECTS_ROOT");
+  if (explicit !== null) {
+    return explicit;
+  }
+  const home = resolveDockerEnvValue("HOME") ?? resolveDockerEnvValue("USERPROFILE");
+  return home === null ? null : `${trimDockerPathTrailingSlash(home)}/.docker-git`;
+};
+const resolveProjectsRootHostOverride = () => resolveDockerEnvValue("DOCKER_GIT_PROJECTS_ROOT_HOST");
+const resolveCurrentContainerId = (cwd) => {
+  const fromEnv = resolveDockerEnvValue("HOSTNAME");
+  if (fromEnv !== null) {
+    return Effect.succeed(fromEnv);
+  }
+  return runCommandCapture(
+    {
+      cwd,
+      command: "hostname",
+      args: []
+    },
+    [0],
+    () => new Error("hostname failed")
+  ).pipe(
+    Effect.map((value) => value.trim()),
+    Effect.orElseSucceed(() => ""),
+    Effect.map((value) => value.length > 0 ? value : null)
+  );
+};
+const parseDockerInspectMounts = (raw) => raw.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0).flatMap((line) => {
+  const separator = line.indexOf("	");
+  if (separator <= 0 || separator >= line.length - 1) {
+    return [];
+  }
+  const source = line.slice(0, separator).trim();
+  const destination = line.slice(separator + 1).trim();
+  if (source.length === 0 || destination.length === 0) {
+    return [];
+  }
+  return [{ source, destination }];
+});
+const remapDockerBindHostPathFromMounts = (hostPath, mounts) => {
+  let match = null;
+  for (const mount of mounts) {
+    if (!pathStartsWith(hostPath, mount.destination)) {
+      continue;
+    }
+    if (match === null || mount.destination.length > match.destination.length) {
+      match = mount;
+    }
+  }
+  if (match === null) {
+    return hostPath;
+  }
+  return `${match.source}${hostPath.slice(match.destination.length)}`;
+};
+const resolveDockerVolumeHostPath = (cwd, hostPath) => Effect.gen(function* (_) {
+  const containerProjectsRoot = resolveContainerProjectsRoot();
+  const hostProjectsRoot = resolveProjectsRootHostOverride();
+  if (containerProjectsRoot !== null && hostProjectsRoot !== null) {
+    const remapped = translatePathPrefix(hostPath, containerProjectsRoot, hostProjectsRoot);
+    if (remapped !== null) {
+      return remapped;
+    }
+  }
+  const containerId = yield* _(resolveCurrentContainerId(cwd));
+  if (containerId === null) {
+    return hostPath;
+  }
+  const mountsJson = yield* _(
+    runCommandCapture(
+      {
+        cwd,
+        command: "docker",
+        args: [
+          "inspect",
+          containerId,
+          "--format",
+          String.raw`{{range .Mounts}}{{println .Source "\t" .Destination}}{{end}}`
+        ]
+      },
+      [0],
+      () => new Error("docker inspect current container failed")
+    ).pipe(Effect.orElseSucceed(() => ""))
+  );
+  return remapDockerBindHostPathFromMounts(hostPath, parseDockerInspectMounts(mountsJson));
+});
+const resolveDefaultDockerUser = () => {
+  const getUid = Reflect.get(process, "getuid");
+  const getGid = Reflect.get(process, "getgid");
+  if (typeof getUid !== "function" || typeof getGid !== "function") {
+    return null;
+  }
+  const uid = getUid.call(process);
+  const gid = getGid.call(process);
+  if (typeof uid !== "number" || typeof gid !== "number") {
+    return null;
+  }
+  return `${uid}:${gid}`;
+};
+const appendEnvArgs = (base, env) => {
+  if (typeof env === "string") {
+    const trimmed = env.trim();
+    if (trimmed.length > 0) {
+      base.push("-e", trimmed);
+    }
+    return;
+  }
+  for (const entry of env) {
+    const trimmed = entry.trim();
+    if (trimmed.length === 0) {
+      continue;
+    }
+    base.push("-e", trimmed);
+  }
+};
+const buildDockerArgs = (spec) => {
+  const base = ["run", "--rm"];
+  const dockerUser = (spec.user ?? "").trim() || resolveDefaultDockerUser();
+  if (dockerUser !== null) {
+    base.push("--user", dockerUser);
+  }
+  if (spec.interactive) {
+    base.push("-it");
+  }
+  if (spec.entrypoint && spec.entrypoint.length > 0) {
+    base.push("--entrypoint", spec.entrypoint);
+  }
+  base.push("-v", `${spec.volume.hostPath}:${spec.volume.containerPath}`);
+  if (spec.env !== void 0) {
+    appendEnvArgs(base, spec.env);
+  }
+  return [...base, spec.image, ...spec.args];
+};
+const runDockerAuth = (spec, okExitCodes, onFailure) => Effect.gen(function* (_) {
+  const hostPath = yield* _(resolveDockerVolumeHostPath(spec.cwd, spec.volume.hostPath));
+  yield* _(
+    runCommandWithExitCodes(
+      {
+        cwd: spec.cwd,
+        command: "docker",
+        args: buildDockerArgs({ ...spec, volume: { ...spec.volume, hostPath } })
+      },
+      okExitCodes,
+      onFailure
+    )
+  );
+});
+const runDockerAuthCapture = (spec, okExitCodes, onFailure) => Effect.gen(function* (_) {
+  const hostPath = yield* _(resolveDockerVolumeHostPath(spec.cwd, spec.volume.hostPath));
+  return yield* _(
+    runCommandCapture(
+      {
+        cwd: spec.cwd,
+        command: "docker",
+        args: buildDockerArgs({ ...spec, volume: { ...spec.volume, hostPath } })
+      },
+      okExitCodes,
+      onFailure
+    )
+  );
+});
+const runDockerAuthExitCode = (spec) => Effect.gen(function* (_) {
+  const hostPath = yield* _(resolveDockerVolumeHostPath(spec.cwd, spec.volume.hostPath));
+  return yield* _(
+    runCommandExitCode({
+      cwd: spec.cwd,
+      command: "docker",
+      args: buildDockerArgs({ ...spec, volume: { ...spec.volume, hostPath } })
+    })
+  );
+});
+const composeSpec = (cwd, args) => ({
+  cwd,
+  command: "docker",
+  args: ["compose", "--ansi", "never", "--progress", "plain", ...args]
+});
+const resolveProjectsRootCandidate = () => {
+  const explicit = resolveDockerEnvValue("DOCKER_GIT_PROJECTS_ROOT");
+  if (explicit !== null) {
+    return explicit;
+  }
+  const home = resolveDockerEnvValue("HOME") ?? resolveDockerEnvValue("USERPROFILE");
+  return home === null ? null : `${trimDockerPathTrailingSlash(home)}/.docker-git`;
+};
+const resolveDockerComposeEnv = (cwd) => Effect.gen(function* (_) {
+  const projectsRoot = resolveProjectsRootCandidate();
+  if (projectsRoot === null) {
+    return {};
+  }
+  const remappedProjectsRoot = yield* _(resolveDockerVolumeHostPath(cwd, projectsRoot));
+  return remappedProjectsRoot === projectsRoot ? {} : { DOCKER_GIT_PROJECTS_ROOT_HOST: remappedProjectsRoot };
+});
+const parseInspectNetworkEntry = (line) => {
+  const idx = line.indexOf("=");
+  if (idx <= 0) {
+    return [];
+  }
+  const network = line.slice(0, idx).trim();
+  const ip = line.slice(idx + 1).trim();
+  if (network.length === 0 || ip.length === 0) {
+    return [];
+  }
+  const entry = [network, ip];
+  return [entry];
+};
 class FileExistsError extends Data.TaggedError("FileExistsError") {
 }
 class ConfigNotFoundError extends Data.TaggedError("ConfigNotFoundError") {
@@ -513,34 +735,32 @@ const runDockerPsPublishedHostPorts = (cwd) => pipe(
   ),
   Effect.map((output) => parseDockerPublishedHostPorts(output))
 );
-const composeSpec = (cwd, args) => ({
-  cwd,
-  command: "docker",
-  args: ["compose", "--ansi", "never", "--progress", "plain", ...args]
+const runCompose = (cwd, args, okExitCodes) => Effect.gen(function* (_) {
+  const env = yield* _(resolveDockerComposeEnv(cwd));
+  yield* _(
+    runCommandWithExitCodes(
+      {
+        ...composeSpec(cwd, args),
+        ...Object.keys(env).length > 0 ? { env } : {}
+      },
+      okExitCodes,
+      (exitCode) => new DockerCommandError({ exitCode })
+    )
+  );
+});
+const runComposeCapture = (cwd, args, okExitCodes) => Effect.gen(function* (_) {
+  const env = yield* _(resolveDockerComposeEnv(cwd));
+  return yield* _(
+    runCommandCapture(
+      {
+        ...composeSpec(cwd, args),
+        ...Object.keys(env).length > 0 ? { env } : {}
+      },
+      okExitCodes,
+      (exitCode) => new DockerCommandError({ exitCode })
+    )
+  );
 });
-const parseInspectNetworkEntry = (line) => {
-  const idx = line.indexOf("=");
-  if (idx <= 0) {
-    return [];
-  }
-  const network = line.slice(0, idx).trim();
-  const ip = line.slice(idx + 1).trim();
-  if (network.length === 0 || ip.length === 0) {
-    return [];
-  }
-  const entry = [network, ip];
-  return [entry];
-};
-const runCompose = (cwd, args, okExitCodes) => runCommandWithExitCodes(
-  composeSpec(cwd, args),
-  okExitCodes,
-  (exitCode) => new DockerCommandError({ exitCode })
-);
-const runComposeCapture = (cwd, args, okExitCodes) => runCommandCapture(
-  composeSpec(cwd, args),
-  okExitCodes,
-  (exitCode) => new DockerCommandError({ exitCode })
-);
 const dockerComposeUpRetrySchedule = Schedule.addDelay(
   Schedule.recurs(2),
   () => Duration.seconds(2)
@@ -751,313 +971,291 @@ const logDockerAccessInfo = (cwd, config) => ensureDockerDnsHost(cwd, config.con
   Effect.zipRight(logDockerDnsAccess(config)),
   Effect.zipRight(logContainerIpAccess(cwd, config))
 );
-const formatParseError$1 = (error) => Match.value(error).pipe(
-  Match.when({ _tag: "UnknownCommand" }, ({ command }) => `Unknown command: ${command}`),
-  Match.when({ _tag: "UnknownOption" }, ({ option }) => `Unknown option: ${option}`),
-  Match.when({ _tag: "MissingOptionValue" }, ({ option }) => `Missing value for option: ${option}`),
-  Match.when({ _tag: "MissingRequiredOption" }, ({ option }) => `Missing required option: ${option}`),
-  Match.when({ _tag: "InvalidOption" }, ({ option, reason }) => `Invalid option ${option}: ${reason}`),
-  Match.when({ _tag: "UnexpectedArgument" }, ({ value }) => `Unexpected argument: ${value}`),
-  Match.exhaustive
-);
-const isParseError$1 = (error) => error._tag === "UnknownCommand" || error._tag === "UnknownOption" || error._tag === "MissingOptionValue" || error._tag === "MissingRequiredOption" || error._tag === "InvalidOption" || error._tag === "UnexpectedArgument";
-const renderDockerAccessHeadline = (issue) => issue === "PermissionDenied" ? "Cannot access Docker daemon socket: permission denied." : "Cannot connect to Docker daemon.";
-const renderDockerAccessActionPlan = (issue) => {
-  const permissionDeniedPlan = [
-    "Action plan:",
-    "1) In the same shell, run: `groups $USER` and make sure group `docker` is present.",
-    "2) Re-login to refresh group memberships and run command again.",
-    "3) If DOCKER_HOST is set to rootless socket, keep running: `export DOCKER_HOST=unix:///run/user/$UID/docker.sock`.",
-    "4) If using a dedicated socket not in /run/user, set DOCKER_HOST explicitly and re-run.",
-    "Tip: this app now auto-tries a rootless socket fallback on first permission error."
-  ];
-  const daemonUnavailablePlan = [
-    "Action plan:",
-    "1) Check daemon status: `systemctl --user status docker` or `systemctl status docker`.",
-    "2) Start daemon: `systemctl --user start docker` (or `systemctl start docker` for system Docker).",
-    "3) Retry command in a new shell."
-  ];
-  return issue === "PermissionDenied" ? permissionDeniedPlan.join("\n") : daemonUnavailablePlan.join("\n");
+const normalizeAccountLabel = (value, fallback) => {
+  const trimmed = value?.trim() ?? "";
+  if (trimmed.length === 0) {
+    return fallback;
+  }
+  const normalized = trimmed.toLowerCase().replaceAll(/[^a-z0-9]+/g, "-");
+  const withoutLeading = trimLeftChar(normalized, "-");
+  const cleaned = trimRightChar(withoutLeading, "-");
+  return cleaned.length > 0 ? cleaned : fallback;
 };
-const renderDockerCommandError = ({ exitCode }) => [
-  `docker compose failed with exit code ${exitCode}`,
-  "Hint: ensure Docker daemon is running and current user can access /var/run/docker.sock (for example via the docker group).",
-  "Hint: if output above contains 'port is already allocated', retry with a free SSH port via --ssh-port <port> (for example --ssh-port 2235), or stop the conflicting project/container.",
-  "Hint: if output above contains 'all predefined address pools have been fully subnetted', run `docker network prune -f`, configure Docker `default-address-pools`, or use shared network mode (`--network-mode shared`).",
-  "Hint: if output above contains 'lookup auth.docker.io' or 'read udp ... [::1]:53 ... connection refused', fix Docker DNS resolver (set working DNS in host/daemon config) and retry."
-].join("\n");
-const renderDockerAccessError = ({ details, issue }) => [
-  renderDockerAccessHeadline(issue),
-  "Hint: ensure Docker daemon is running and current user can access the docker socket.",
-  "Hint: if you use rootless Docker, set DOCKER_HOST to your user socket (for example unix:///run/user/$UID/docker.sock).",
-  renderDockerAccessActionPlan(issue),
-  `Details: ${details}`
-].join("\n");
-const renderPrimaryError = (error) => Match.value(error).pipe(
-  Match.when({ _tag: "FileExistsError" }, ({ path }) => `File already exists: ${path} (use --force to overwrite)`),
-  Match.when({ _tag: "DockerCommandError" }, renderDockerCommandError),
-  Match.when({ _tag: "DockerAccessError" }, renderDockerAccessError),
-  Match.when({ _tag: "CloneFailedError" }, ({ repoRef, repoUrl, targetDir }) => `Clone failed for ${repoUrl} (${repoRef}) into ${targetDir}`),
-  Match.when({ _tag: "AgentFailedError" }, ({ agentMode, targetDir }) => `Agent (${agentMode}) failed in ${targetDir}`),
-  Match.when({ _tag: "PortProbeError" }, ({ message, port }) => `SSH port check failed for ${port}: ${message}`),
-  Match.when(
-    { _tag: "CommandFailedError" },
-    ({ command, exitCode }) => `${command} failed with exit code ${exitCode}`
-  ),
-  Match.when(
-    { _tag: "ScrapArchiveNotFoundError" },
-    ({ path }) => `Scrap archive not found: ${path} (run docker-git scrap export first)`
-  ),
-  Match.when(
-    { _tag: "ScrapArchiveInvalidError" },
-    ({ message, path }) => `Invalid scrap archive: ${path}
-Details: ${message}`
-  ),
-  Match.when({ _tag: "ScrapTargetDirUnsupportedError" }, ({ reason, targetDir }) => [
-    `Cannot use scrap with targetDir ${targetDir}.`,
-    `Reason: ${reason}`,
-    `Hint: scrap currently supports workspaces under the ssh home directory only (for example: ~/repo).`
-  ].join("\n")),
-  Match.when({ _tag: "ScrapWipeRefusedError" }, ({ reason, targetDir }) => [
-    `Refusing to wipe workspace for scrap import (targetDir ${targetDir}).`,
-    `Reason: ${reason}`,
-    "Hint: re-run with --no-wipe, or set a narrower --target-dir when creating the project."
-  ].join("\n")),
-  Match.when({ _tag: "AuthError" }, ({ message }) => message),
-  Match.orElse(() => null)
+const buildDockerAuthSpec = (input) => ({
+  cwd: input.cwd,
+  image: input.image,
+  volume: { hostPath: input.hostPath, containerPath: input.containerPath },
+  ...typeof input.entrypoint === "string" ? { entrypoint: input.entrypoint } : {},
+  ...input.env === void 0 ? {} : { env: input.env },
+  args: input.args,
+  interactive: input.interactive
+});
+const JsonValueSchema = Schema.suspend(
+  () => Schema.Union(
+    Schema.Null,
+    Schema.Boolean,
+    Schema.String,
+    Schema.JsonNumber,
+    Schema.Array(JsonValueSchema),
+    Schema.Record({ key: Schema.String, value: JsonValueSchema })
+  )
 );
-const renderConfigError = (error) => {
-  if (error._tag === "ConfigNotFoundError") {
-    return `docker-git.json not found: ${error.path} (run docker-git create in that directory)`;
+const JsonRecordSchema = Schema.Record({
+  key: Schema.String,
+  value: JsonValueSchema
+});
+const JsonRecordFromStringSchema = Schema.parseJson(JsonRecordSchema);
+const defaultEnvContents$1 = "# docker-git env\n# KEY=value\n";
+const codexConfigMarker = "# docker-git codex config";
+const defaultCodexConfig = [
+  "# docker-git codex config",
+  'model = "gpt-5.4"',
+  "model_context_window = 1050000",
+  "model_auto_compact_token_limit = 945000",
+  'model_reasoning_effort = "xhigh"',
+  'plan_mode_reasoning_effort = "xhigh"',
+  'personality = "pragmatic"',
+  "",
+  'approval_policy = "never"',
+  'sandbox_mode = "danger-full-access"',
+  'web_search = "live"',
+  "",
+  "[features]",
+  "shell_snapshot = true",
+  "multi_agent = true",
+  "apps = true",
+  "shell_tool = true"
+].join("\n");
+const resolvePathFromBase$1 = (path, baseDir, targetPath) => path.isAbsolute(targetPath) ? targetPath : path.resolve(baseDir, targetPath);
+const isPermissionDeniedSystemError = (error) => error._tag === "SystemError" && error.reason === "PermissionDenied";
+const skipCodexConfigPermissionDenied = (configPath, error) => isPermissionDeniedSystemError(error) ? Effect.logWarning(
+  `Skipped Codex config sync at ${configPath}: permission denied (${error.description ?? "no details"}).`
+) : Effect.fail(error);
+const normalizeConfigText = (text) => text.replaceAll("\r\n", "\n").trim();
+const shouldRewriteDockerGitCodexConfig = (existing) => {
+  const normalized = normalizeConfigText(existing);
+  if (normalized.length === 0) {
+    return true;
   }
-  if (error._tag === "ConfigDecodeError") {
-    return `Invalid docker-git.json at ${error.path}: ${error.message}`;
+  if (!normalized.startsWith(codexConfigMarker)) {
+    return false;
   }
-  return null;
+  return normalized !== normalizeConfigText(defaultCodexConfig);
 };
-const renderInputError = (error) => {
-  if (error._tag === "InputCancelledError") {
-    return "Input cancelled.";
+const shouldCopyEnv = (sourceText, targetText) => {
+  if (sourceText.trim().length === 0) {
+    return "skip";
   }
-  if (error._tag === "InputReadError") {
-    return `Input error: ${error.message}`;
+  if (targetText.trim().length === 0) {
+    return "copy";
   }
-  return null;
-};
-const renderNonParseError = (error) => renderPrimaryError(error) ?? renderConfigError(error) ?? renderInputError(error) ?? error.message;
-const renderError = (error) => {
-  if (isParseError$1(error)) {
-    return formatParseError$1(error);
+  if (targetText.trim() === defaultEnvContents$1.trim() && sourceText.trim() !== defaultEnvContents$1.trim()) {
+    return "copy";
   }
-  return renderNonParseError(error);
-};
-const resolveEnvValue = (key) => {
-  const value = process.env[key]?.trim();
-  return value && value.length > 0 ? value : null;
+  return "skip";
 };
-const trimTrailingSlash$1 = (value) => {
-  let end = value.length;
-  while (end > 0) {
-    const char = value[end - 1];
-    if (char !== "/" && char !== "\\") {
-      break;
-    }
-    end -= 1;
+const parseJsonRecord = (text) => Either.match(ParseResult.decodeUnknownEither(JsonRecordFromStringSchema)(text), {
+  onLeft: () => Effect.succeed(null),
+  onRight: (record) => Effect.succeed(record)
+});
+const hasClaudeOauthAccount = (record) => record !== null && typeof record["oauthAccount"] === "object" && record["oauthAccount"] !== null;
+const hasClaudeCredentials = (record) => record !== null && typeof record["claudeAiOauth"] === "object" && record["claudeAiOauth"] !== null;
+const isGithubTokenKey = (key) => key === "GITHUB_TOKEN" || key === "GH_TOKEN" || key.startsWith("GITHUB_TOKEN__");
+const hasNonEmptyFile = (fs, filePath) => Effect.gen(function* (_) {
+  const exists = yield* _(fs.exists(filePath));
+  if (!exists) {
+    return false;
   }
-  return value.slice(0, end);
-};
-const pathStartsWith = (candidate, prefix) => candidate === prefix || candidate.startsWith(`${prefix}/`) || candidate.startsWith(`${prefix}\\`);
-const translatePathPrefix = (candidate, sourcePrefix, targetPrefix) => pathStartsWith(candidate, sourcePrefix) ? `${targetPrefix}${candidate.slice(sourcePrefix.length)}` : null;
-const resolveContainerProjectsRoot = () => {
-  const explicit = resolveEnvValue("DOCKER_GIT_PROJECTS_ROOT");
-  if (explicit !== null) {
-    return explicit;
+  const info = yield* _(fs.stat(filePath));
+  if (info.type !== "File") {
+    return false;
   }
-  const home = resolveEnvValue("HOME") ?? resolveEnvValue("USERPROFILE");
-  return home === null ? null : `${trimTrailingSlash$1(home)}/.docker-git`;
-};
-const resolveProjectsRootHostOverride = () => resolveEnvValue("DOCKER_GIT_PROJECTS_ROOT_HOST");
-const resolveCurrentContainerId = (cwd) => {
-  const fromEnv = resolveEnvValue("HOSTNAME");
-  if (fromEnv !== null) {
-    return Effect.succeed(fromEnv);
+  const text = yield* _(fs.readFileString(filePath), Effect.orElseSucceed(() => ""));
+  return text.trim().length > 0;
+});
+const autoOptionError = (reason) => ({
+  _tag: "InvalidOption",
+  option: "--auto",
+  reason
+});
+const isRegularFile$1 = (fs, filePath) => Effect.gen(function* (_) {
+  const exists = yield* _(fs.exists(filePath));
+  if (!exists) {
+    return false;
   }
-  return runCommandCapture(
-    {
-      cwd,
-      command: "hostname",
-      args: []
-    },
-    [0],
-    () => new Error("hostname failed")
-  ).pipe(
-    Effect.map((value) => value.trim()),
-    Effect.orElseSucceed(() => ""),
-    Effect.map((value) => value.length > 0 ? value : null)
-  );
+  const info = yield* _(fs.stat(filePath));
+  return info.type === "File";
+});
+const hasCodexAuth = (fs, rootPath, label) => {
+  const normalized = normalizeAccountLabel(label ?? null, "default");
+  const authPath = normalized === "default" ? `${rootPath}/auth.json` : `${rootPath}/${normalized}/auth.json`;
+  return hasNonEmptyFile(fs, authPath);
 };
-const parseDockerInspectMounts = (raw) => raw.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0).flatMap((line) => {
-  const separator = line.indexOf("	");
-  if (separator <= 0 || separator >= line.length - 1) {
-    return [];
-  }
-  const source = line.slice(0, separator).trim();
-  const destination = line.slice(separator + 1).trim();
-  if (source.length === 0 || destination.length === 0) {
-    return [];
+const resolveClaudeAccountPath$1 = (rootPath, label) => {
+  const normalized = normalizeAccountLabel(label ?? null, "default");
+  if (normalized !== "default") {
+    return [`${rootPath}/${normalized}`];
   }
-  return [{ source, destination }];
-});
-const remapDockerBindHostPathFromMounts = (hostPath, mounts) => {
-  let match = null;
-  for (const mount of mounts) {
-    if (!pathStartsWith(hostPath, mount.destination)) {
-      continue;
+  return [rootPath, `${rootPath}/default`];
+};
+const hasClaudeAuth = (fs, rootPath, label) => Effect.gen(function* (_) {
+  for (const accountPath of resolveClaudeAccountPath$1(rootPath, label)) {
+    const oauthToken = yield* _(hasNonEmptyFile(fs, `${accountPath}/.oauth-token`));
+    if (oauthToken) {
+      return true;
     }
-    if (match === null || mount.destination.length > match.destination.length) {
-      match = mount;
+    const credentials = yield* _(isRegularFile$1(fs, `${accountPath}/.credentials.json`));
+    if (credentials) {
+      return true;
     }
-  }
-  if (match === null) {
-    return hostPath;
-  }
-  return `${match.source}${hostPath.slice(match.destination.length)}`;
-};
-const resolveDockerVolumeHostPath = (cwd, hostPath) => Effect.gen(function* (_) {
-  const containerProjectsRoot = resolveContainerProjectsRoot();
-  const hostProjectsRoot = resolveProjectsRootHostOverride();
-  if (containerProjectsRoot !== null && hostProjectsRoot !== null) {
-    const remapped = translatePathPrefix(hostPath, containerProjectsRoot, hostProjectsRoot);
-    if (remapped !== null) {
-      return remapped;
+    const nestedCredentials = yield* _(isRegularFile$1(fs, `${accountPath}/.claude/.credentials.json`));
+    if (nestedCredentials) {
+      return true;
     }
   }
-  const containerId = yield* _(resolveCurrentContainerId(cwd));
-  if (containerId === null) {
-    return hostPath;
-  }
-  const mountsJson = yield* _(
-    runCommandCapture(
-      {
-        cwd,
-        command: "docker",
-        args: [
-          "inspect",
-          containerId,
-          "--format",
-          String.raw`{{range .Mounts}}{{println .Source "\t" .Destination}}{{end}}`
-        ]
-      },
-      [0],
-      () => new Error("docker inspect current container failed")
-    ).pipe(Effect.orElseSucceed(() => ""))
+  return false;
+});
+const resolveClaudeRoot = (codexSharedAuthPath) => `${codexSharedAuthPath.slice(0, codexSharedAuthPath.lastIndexOf("/"))}/claude`;
+const resolveAvailableAgentAuth = (fs, config) => Effect.gen(function* (_) {
+  const claudeAvailable = yield* _(
+    hasClaudeAuth(fs, resolveClaudeRoot(config.codexSharedAuthPath), config.claudeAuthLabel)
   );
-  return remapDockerBindHostPathFromMounts(hostPath, parseDockerInspectMounts(mountsJson));
+  const codexAvailable = yield* _(hasCodexAuth(fs, config.codexSharedAuthPath, config.codexAuthLabel));
+  return { claudeAvailable, codexAvailable };
 });
-const resolveDefaultDockerUser = () => {
-  const getUid = Reflect.get(process, "getuid");
-  const getGid = Reflect.get(process, "getgid");
-  if (typeof getUid !== "function" || typeof getGid !== "function") {
-    return null;
+const resolveExplicitAutoAgentMode = (available, mode) => {
+  if (mode === "claude") {
+    return available.claudeAvailable ? Effect.succeed("claude") : Effect.fail(autoOptionError("Claude auth not found"));
   }
-  const uid = getUid.call(process);
-  const gid = getGid.call(process);
-  if (typeof uid !== "number" || typeof gid !== "number") {
-    return null;
+  if (mode === "codex") {
+    return available.codexAvailable ? Effect.succeed("codex") : Effect.fail(autoOptionError("Codex auth not found"));
   }
-  return `${uid}:${gid}`;
+  return Effect.sync(() => mode);
 };
-const appendEnvArgs = (base, env) => {
-  if (typeof env === "string") {
-    const trimmed = env.trim();
-    if (trimmed.length > 0) {
-      base.push("-e", trimmed);
-    }
-    return;
+const pickRandomAutoAgentMode = (available) => {
+  if (!available.claudeAvailable && !available.codexAvailable) {
+    return Effect.fail(autoOptionError("no Claude or Codex auth found"));
   }
-  for (const entry of env) {
-    const trimmed = entry.trim();
-    if (trimmed.length === 0) {
-      continue;
-    }
-    base.push("-e", trimmed);
+  if (available.claudeAvailable && !available.codexAvailable) {
+    return Effect.succeed("claude");
+  }
+  if (!available.claudeAvailable && available.codexAvailable) {
+    return Effect.succeed("codex");
+  }
+  return Effect.sync(() => process.hrtime.bigint() % 2n === 0n ? "claude" : "codex");
+};
+const resolveAutoAgentMode = (config) => Effect.gen(function* (_) {
+  const fs = yield* _(FileSystem.FileSystem);
+  if (config.agentAuto !== true) {
+    return config.agentMode;
+  }
+  const available = yield* _(resolveAvailableAgentAuth(fs, config));
+  const explicitMode = yield* _(resolveExplicitAutoAgentMode(available, config.agentMode));
+  if (explicitMode !== void 0) {
+    return explicitMode;
   }
+  return yield* _(pickRandomAutoAgentMode(available));
+});
+const formatParseError$1 = (error) => Match.value(error).pipe(
+  Match.when({ _tag: "UnknownCommand" }, ({ command }) => `Unknown command: ${command}`),
+  Match.when({ _tag: "UnknownOption" }, ({ option }) => `Unknown option: ${option}`),
+  Match.when({ _tag: "MissingOptionValue" }, ({ option }) => `Missing value for option: ${option}`),
+  Match.when({ _tag: "MissingRequiredOption" }, ({ option }) => `Missing required option: ${option}`),
+  Match.when({ _tag: "InvalidOption" }, ({ option, reason }) => `Invalid option ${option}: ${reason}`),
+  Match.when({ _tag: "UnexpectedArgument" }, ({ value }) => `Unexpected argument: ${value}`),
+  Match.exhaustive
+);
+const isParseError$1 = (error) => error._tag === "UnknownCommand" || error._tag === "UnknownOption" || error._tag === "MissingOptionValue" || error._tag === "MissingRequiredOption" || error._tag === "InvalidOption" || error._tag === "UnexpectedArgument";
+const renderDockerAccessHeadline = (issue) => issue === "PermissionDenied" ? "Cannot access Docker daemon socket: permission denied." : "Cannot connect to Docker daemon.";
+const renderDockerAccessActionPlan = (issue) => {
+  const permissionDeniedPlan = [
+    "Action plan:",
+    "1) In the same shell, run: `groups $USER` and make sure group `docker` is present.",
+    "2) Re-login to refresh group memberships and run command again.",
+    "3) If DOCKER_HOST is set to rootless socket, keep running: `export DOCKER_HOST=unix:///run/user/$UID/docker.sock`.",
+    "4) If using a dedicated socket not in /run/user, set DOCKER_HOST explicitly and re-run.",
+    "Tip: this app now auto-tries a rootless socket fallback on first permission error."
+  ];
+  const daemonUnavailablePlan = [
+    "Action plan:",
+    "1) Check daemon status: `systemctl --user status docker` or `systemctl status docker`.",
+    "2) Start daemon: `systemctl --user start docker` (or `systemctl start docker` for system Docker).",
+    "3) Retry command in a new shell."
+  ];
+  return issue === "PermissionDenied" ? permissionDeniedPlan.join("\n") : daemonUnavailablePlan.join("\n");
 };
-const buildDockerArgs = (spec) => {
-  const base = ["run", "--rm"];
-  const dockerUser = (spec.user ?? "").trim() || resolveDefaultDockerUser();
-  if (dockerUser !== null) {
-    base.push("--user", dockerUser);
+const renderDockerCommandError = ({ exitCode }) => [
+  `docker compose failed with exit code ${exitCode}`,
+  "Hint: ensure Docker daemon is running and current user can access /var/run/docker.sock (for example via the docker group).",
+  "Hint: if output above contains 'port is already allocated', retry with a free SSH port via --ssh-port <port> (for example --ssh-port 2235), or stop the conflicting project/container.",
+  "Hint: if output above contains 'all predefined address pools have been fully subnetted', run `docker network prune -f`, configure Docker `default-address-pools`, or use shared network mode (`--network-mode shared`).",
+  "Hint: if output above contains 'lookup auth.docker.io' or 'read udp ... [::1]:53 ... connection refused', fix Docker DNS resolver (set working DNS in host/daemon config) and retry."
+].join("\n");
+const renderDockerAccessError = ({ details, issue }) => [
+  renderDockerAccessHeadline(issue),
+  "Hint: ensure Docker daemon is running and current user can access the docker socket.",
+  "Hint: if you use rootless Docker, set DOCKER_HOST to your user socket (for example unix:///run/user/$UID/docker.sock).",
+  renderDockerAccessActionPlan(issue),
+  `Details: ${details}`
+].join("\n");
+const renderPrimaryError = (error) => Match.value(error).pipe(
+  Match.when({ _tag: "FileExistsError" }, ({ path }) => `File already exists: ${path} (use --force to overwrite)`),
+  Match.when({ _tag: "DockerCommandError" }, renderDockerCommandError),
+  Match.when({ _tag: "DockerAccessError" }, renderDockerAccessError),
+  Match.when({ _tag: "CloneFailedError" }, ({ repoRef, repoUrl, targetDir }) => `Clone failed for ${repoUrl} (${repoRef}) into ${targetDir}`),
+  Match.when({ _tag: "AgentFailedError" }, ({ agentMode, targetDir }) => `Agent (${agentMode}) failed in ${targetDir}`),
+  Match.when({ _tag: "PortProbeError" }, ({ message, port }) => `SSH port check failed for ${port}: ${message}`),
+  Match.when(
+    { _tag: "CommandFailedError" },
+    ({ command, exitCode }) => `${command} failed with exit code ${exitCode}`
+  ),
+  Match.when(
+    { _tag: "ScrapArchiveNotFoundError" },
+    ({ path }) => `Scrap archive not found: ${path} (run docker-git scrap export first)`
+  ),
+  Match.when(
+    { _tag: "ScrapArchiveInvalidError" },
+    ({ message, path }) => `Invalid scrap archive: ${path}
+Details: ${message}`
+  ),
+  Match.when({ _tag: "ScrapTargetDirUnsupportedError" }, ({ reason, targetDir }) => [
+    `Cannot use scrap with targetDir ${targetDir}.`,
+    `Reason: ${reason}`,
+    `Hint: scrap currently supports workspaces under the ssh home directory only (for example: ~/repo).`
+  ].join("\n")),
+  Match.when({ _tag: "ScrapWipeRefusedError" }, ({ reason, targetDir }) => [
+    `Refusing to wipe workspace for scrap import (targetDir ${targetDir}).`,
+    `Reason: ${reason}`,
+    "Hint: re-run with --no-wipe, or set a narrower --target-dir when creating the project."
+  ].join("\n")),
+  Match.when({ _tag: "AuthError" }, ({ message }) => message),
+  Match.orElse(() => null)
+);
+const renderConfigError = (error) => {
+  if (error._tag === "ConfigNotFoundError") {
+    return `docker-git.json not found: ${error.path} (run docker-git create in that directory)`;
   }
-  if (spec.interactive) {
-    base.push("-it");
+  if (error._tag === "ConfigDecodeError") {
+    return `Invalid docker-git.json at ${error.path}: ${error.message}`;
   }
-  if (spec.entrypoint && spec.entrypoint.length > 0) {
-    base.push("--entrypoint", spec.entrypoint);
+  return null;
+};
+const renderInputError = (error) => {
+  if (error._tag === "InputCancelledError") {
+    return "Input cancelled.";
   }
-  base.push("-v", `${spec.volume.hostPath}:${spec.volume.containerPath}`);
-  if (spec.env !== void 0) {
-    appendEnvArgs(base, spec.env);
+  if (error._tag === "InputReadError") {
+    return `Input error: ${error.message}`;
   }
-  return [...base, spec.image, ...spec.args];
+  return null;
 };
-const runDockerAuth = (spec, okExitCodes, onFailure) => Effect.gen(function* (_) {
-  const hostPath = yield* _(resolveDockerVolumeHostPath(spec.cwd, spec.volume.hostPath));
-  yield* _(
-    runCommandWithExitCodes(
-      {
-        cwd: spec.cwd,
-        command: "docker",
-        args: buildDockerArgs({ ...spec, volume: { ...spec.volume, hostPath } })
-      },
-      okExitCodes,
-      onFailure
-    )
-  );
-});
-const runDockerAuthCapture = (spec, okExitCodes, onFailure) => Effect.gen(function* (_) {
-  const hostPath = yield* _(resolveDockerVolumeHostPath(spec.cwd, spec.volume.hostPath));
-  return yield* _(
-    runCommandCapture(
-      {
-        cwd: spec.cwd,
-        command: "docker",
-        args: buildDockerArgs({ ...spec, volume: { ...spec.volume, hostPath } })
-      },
-      okExitCodes,
-      onFailure
-    )
-  );
-});
-const runDockerAuthExitCode = (spec) => Effect.gen(function* (_) {
-  const hostPath = yield* _(resolveDockerVolumeHostPath(spec.cwd, spec.volume.hostPath));
-  return yield* _(
-    runCommandExitCode({
-      cwd: spec.cwd,
-      command: "docker",
-      args: buildDockerArgs({ ...spec, volume: { ...spec.volume, hostPath } })
-    })
-  );
-});
-const normalizeAccountLabel = (value, fallback) => {
-  const trimmed = value?.trim() ?? "";
-  if (trimmed.length === 0) {
-    return fallback;
+const renderNonParseError = (error) => renderPrimaryError(error) ?? renderConfigError(error) ?? renderInputError(error) ?? error.message;
+const renderError = (error) => {
+  if (isParseError$1(error)) {
+    return formatParseError$1(error);
   }
-  const normalized = trimmed.toLowerCase().replaceAll(/[^a-z0-9]+/g, "-");
-  const withoutLeading = trimLeftChar(normalized, "-");
-  const cleaned = trimRightChar(withoutLeading, "-");
-  return cleaned.length > 0 ? cleaned : fallback;
+  return renderNonParseError(error);
 };
-const buildDockerAuthSpec = (input) => ({
-  cwd: input.cwd,
-  image: input.image,
-  volume: { hostPath: input.hostPath, containerPath: input.containerPath },
-  ...typeof input.entrypoint === "string" ? { entrypoint: input.entrypoint } : {},
-  ...input.env === void 0 ? {} : { env: input.env },
-  args: input.args,
-  interactive: input.interactive
-});
 const splitLines = (input) => input.replaceAll("\r\n", "\n").replaceAll("\r", "\n").split("\n");
 const joinLines = (lines) => lines.join("\n");
 const normalizeEnvText = (input) => {
@@ -1149,23 +1347,23 @@ const upsertEnvKey = (input, key, value) => {
   return normalizeEnvText(joinLines([...cleaned, `${trimmedKey}=${value}`]));
 };
 const removeEnvKey = (input, key) => upsertEnvKey(input, key, "");
-const defaultEnvContents$1 = "# docker-git env\n# KEY=value\n";
+const defaultEnvContents = "# docker-git env\n# KEY=value\n";
 const ensureEnvFile$1 = (fs, path, envPath) => Effect.gen(function* (_) {
   const exists = yield* _(fs.exists(envPath));
   if (exists) {
     return;
   }
   yield* _(fs.makeDirectory(path.dirname(envPath), { recursive: true }));
-  yield* _(fs.writeFileString(envPath, defaultEnvContents$1));
+  yield* _(fs.writeFileString(envPath, defaultEnvContents));
 });
 const readEnvText = (fs, envPath) => Effect.gen(function* (_) {
   const exists = yield* _(fs.exists(envPath));
   if (!exists) {
-    return defaultEnvContents$1;
+    return defaultEnvContents;
   }
   const info = yield* _(fs.stat(envPath));
   if (info.type !== "File") {
-    return defaultEnvContents$1;
+    return defaultEnvContents;
   }
   return yield* _(fs.readFileString(envPath));
 });
@@ -3622,15 +3820,15 @@ if [[ -n "$AGENT_PROMPT" ]]; then
   chmod 644 "$AGENT_PROMPT_FILE"
 fi`
 ].join("\n\n");
-const renderAgentPromptCommand = (mode) => mode === "claude" ? String.raw`claude --dangerously-skip-permissions -p \"\$(cat $AGENT_PROMPT_FILE)\"` : String.raw`codex --approval-mode full-auto \"\$(cat $AGENT_PROMPT_FILE)\"`;
+const renderAgentPromptCommand = (mode) => mode === "claude" ? String.raw`claude --dangerously-skip-permissions -p \"\$(cat \"$AGENT_PROMPT_FILE\")\"` : String.raw`codex exec \"\$(cat \"$AGENT_PROMPT_FILE\")\"`;
+const renderAgentAutoLaunchCommand = (config, mode) => String.raw`su - ${config.sshUser} -s /bin/bash -c "bash -lc '. /etc/profile 2>/dev/null || true; . \"$AGENT_ENV_FILE\" 2>/dev/null || true; cd \"$TARGET_DIR\" && ${renderAgentPromptCommand(mode)}'"`;
 const renderAgentModeBlock = (config, mode) => {
   const startMessage = `[agent] starting ${mode}...`;
   const interactiveMessage = `[agent] ${mode} started in interactive mode (use SSH to connect)`;
   return String.raw`"${mode}")
   echo "${startMessage}"
   if [[ -n "$AGENT_PROMPT" ]]; then
-    if su - ${config.sshUser} \
-      -c ". /run/docker-git/agent-env.sh 2>/dev/null; cd '$TARGET_DIR' && ${renderAgentPromptCommand(mode)}"; then
+    if ${renderAgentAutoLaunchCommand(config, mode)}; then
       AGENT_OK=1
     fi
   else
@@ -3961,6 +4159,8 @@ const renderAgentModeEnv = (agentMode) => agentMode !== void 0 && agentMode.leng
 ` : "";
 const renderAgentAutoEnv = (agentAuto) => agentAuto === true ? `      AGENT_AUTO: "1"
 ` : "";
+const renderProjectsRootHostMount = (projectsRoot) => `\${DOCKER_GIT_PROJECTS_ROOT_HOST:-${projectsRoot}}`;
+const renderSharedCodexHostMount = (projectsRoot) => `\${DOCKER_GIT_PROJECTS_ROOT_HOST:-${projectsRoot}}/.orch/auth/codex`;
 const buildPlaywrightFragments = (config, networkName) => {
   if (!config.enableMcpPlaywright) {
     return {
@@ -4052,10 +4252,10 @@ ${fragments.maybePlaywrightEnv}${fragments.maybeDependsOn}    env_file:
       - "127.0.0.1:${config.sshPort}:22"
     volumes:
       - ${config.volumeName}:/home/${config.sshUser}
-      - ${config.dockerGitPath}:/home/${config.sshUser}/.docker-git
+      - ${renderProjectsRootHostMount(config.dockerGitPath)}:/home/${config.sshUser}/.docker-git
       - ${config.authorizedKeysPath}:/authorized_keys:ro
       - ${config.codexAuthPath}:${config.codexHome}
-      - ${config.codexSharedAuthPath}:${config.codexHome}-shared
+      - ${renderSharedCodexHostMount(config.dockerGitPath)}:${config.codexHome}-shared
       - /var/run/docker.sock:/var/run/docker.sock
     networks:
       - ${fragments.networkName}
@@ -4101,7 +4301,7 @@ RUN oh-my-opencode --version
 RUN npm install -g @anthropic-ai/claude-code@latest
 RUN claude --version`;
 const renderDockerfileOpenCode = () => `# Tooling: OpenCode (binary)
-RUN curl -fsSL https://opencode.ai/install | HOME=/usr/local bash -s -- --no-modify-path
+RUN set -eu;   for attempt in 1 2 3 4 5; do     if curl -fsSL --retry 5 --retry-all-errors --retry-delay 2 https://opencode.ai/install       | HOME=/usr/local bash -s -- --no-modify-path; then       exit 0;     fi;     echo "opencode install attempt \${attempt} failed; retrying..." >&2;     sleep $((attempt * 2));   done;   echo "opencode install failed after retries" >&2;   exit 1
 RUN ln -sf /usr/local/.opencode/bin/opencode /usr/local/bin/opencode
 RUN opencode --version`;
 const gitleaksVersion = "8.28.0";
@@ -4991,77 +5191,6 @@ const copyDirIfEmpty = (fs, path, sourceDir, targetDir, label) => Effect.gen(fun
   yield* _(copyDirRecursive(fs, path, sourceDir, targetDir));
   yield* _(Effect.log(`Copied ${label} from ${sourceDir} to ${targetDir}`));
 });
-const JsonValueSchema = Schema.suspend(
-  () => Schema.Union(
-    Schema.Null,
-    Schema.Boolean,
-    Schema.String,
-    Schema.JsonNumber,
-    Schema.Array(JsonValueSchema),
-    Schema.Record({ key: Schema.String, value: JsonValueSchema })
-  )
-);
-const JsonRecordSchema = Schema.Record({
-  key: Schema.String,
-  value: JsonValueSchema
-});
-const JsonRecordFromStringSchema = Schema.parseJson(JsonRecordSchema);
-const defaultEnvContents = "# docker-git env\n# KEY=value\n";
-const codexConfigMarker = "# docker-git codex config";
-const defaultCodexConfig = [
-  "# docker-git codex config",
-  'model = "gpt-5.4"',
-  "model_context_window = 1050000",
-  "model_auto_compact_token_limit = 945000",
-  'model_reasoning_effort = "xhigh"',
-  'plan_mode_reasoning_effort = "xhigh"',
-  'personality = "pragmatic"',
-  "",
-  'approval_policy = "never"',
-  'sandbox_mode = "danger-full-access"',
-  'web_search = "live"',
-  "",
-  "[features]",
-  "shell_snapshot = true",
-  "multi_agent = true",
-  "apps = true",
-  "shell_tool = true"
-].join("\n");
-const resolvePathFromBase$1 = (path, baseDir, targetPath) => path.isAbsolute(targetPath) ? targetPath : path.resolve(baseDir, targetPath);
-const isPermissionDeniedSystemError = (error) => error._tag === "SystemError" && error.reason === "PermissionDenied";
-const skipCodexConfigPermissionDenied = (configPath, error) => isPermissionDeniedSystemError(error) ? Effect.logWarning(
-  `Skipped Codex config sync at ${configPath}: permission denied (${error.description ?? "no details"}).`
-) : Effect.fail(error);
-const normalizeConfigText = (text) => text.replaceAll("\r\n", "\n").trim();
-const shouldRewriteDockerGitCodexConfig = (existing) => {
-  const normalized = normalizeConfigText(existing);
-  if (normalized.length === 0) {
-    return true;
-  }
-  if (!normalized.startsWith(codexConfigMarker)) {
-    return false;
-  }
-  return normalized !== normalizeConfigText(defaultCodexConfig);
-};
-const shouldCopyEnv = (sourceText, targetText) => {
-  if (sourceText.trim().length === 0) {
-    return "skip";
-  }
-  if (targetText.trim().length === 0) {
-    return "copy";
-  }
-  if (targetText.trim() === defaultEnvContents.trim() && sourceText.trim() !== defaultEnvContents.trim()) {
-    return "copy";
-  }
-  return "skip";
-};
-const parseJsonRecord = (text) => Either.match(ParseResult.decodeUnknownEither(JsonRecordFromStringSchema)(text), {
-  onLeft: () => Effect.succeed(null),
-  onRight: (record) => Effect.succeed(record)
-});
-const hasClaudeOauthAccount = (record) => record !== null && typeof record["oauthAccount"] === "object" && record["oauthAccount"] !== null;
-const hasClaudeCredentials = (record) => record !== null && typeof record["claudeAiOauth"] === "object" && record["claudeAiOauth"] !== null;
-const isGithubTokenKey = (key) => key === "GITHUB_TOKEN" || key === "GH_TOKEN" || key.startsWith("GITHUB_TOKEN__");
 const syncClaudeJsonFile = (fs, path, spec) => Effect.gen(function* (_) {
   const sourceExists = yield* _(fs.exists(spec.sourcePath));
   if (!sourceExists) {
@@ -5112,18 +5241,6 @@ const syncClaudeCredentialsJson = (fs, path, sourcePath, targetPath) => syncClau
   seedLabel: "Claude credentials",
   updateLabel: "Claude credentials"
 });
-const hasNonEmptyFile = (fs, filePath) => Effect.gen(function* (_) {
-  const exists = yield* _(fs.exists(filePath));
-  if (!exists) {
-    return false;
-  }
-  const info = yield* _(fs.stat(filePath));
-  if (info.type !== "File") {
-    return false;
-  }
-  const text = yield* _(fs.readFileString(filePath), Effect.orElseSucceed(() => ""));
-  return text.trim().length > 0;
-});
 const ensureClaudeAuthSeedFromHome = (baseDir, claudeAuthPath) => withFsPathContext(
   ({ fs, path }) => Effect.gen(function* (_) {
     const homeDir = (process.env["HOME"] ?? "").trim();
@@ -6046,6 +6163,20 @@ const maybeOpenSsh = (command, hasAgent, waitForAgent, projectConfig) => Effect.
   const remoteCommand = resolveInteractiveRemoteCommand(projectConfig, interactiveAgent);
   yield* _(openSshBestEffort(projectConfig, remoteCommand));
 }).pipe(Effect.asVoid);
+const resolveFinalAgentConfig = (resolvedConfig) => Effect.gen(function* (_) {
+  const resolvedAgentMode = yield* _(resolveAutoAgentMode(resolvedConfig));
+  if ((resolvedConfig.agentAuto ?? false) && resolvedConfig.agentMode === void 0 && resolvedAgentMode !== void 0) {
+    yield* _(Effect.log(`Auto agent selected: ${resolvedAgentMode}`));
+  }
+  return resolvedAgentMode === void 0 ? resolvedConfig : { ...resolvedConfig, agentMode: resolvedAgentMode };
+});
+const maybeCleanupAfterAgent = (waitForAgent, resolvedOutDir) => Effect.gen(function* (_) {
+  if (!waitForAgent) {
+    return;
+  }
+  yield* _(Effect.log("Agent finished. Cleaning up container..."));
+  yield* _(runDockerDownCleanup(resolvedOutDir));
+});
 const runCreateProject = (path, command) => Effect.gen(function* (_) {
   if (command.runUp) {
     yield* _(ensureDockerDaemonAccess(process.cwd()));
@@ -6053,7 +6184,8 @@ const runCreateProject = (path, command) => Effect.gen(function* (_) {
   const ctx = makeCreateContext(path, process.cwd());
   const resolvedOutDir = path.resolve(ctx.resolveRootPath(command.outDir));
   const resolvedConfig = yield* _(resolveCreateConfig(command, ctx, resolvedOutDir));
-  const { globalConfig, projectConfig } = buildProjectConfigs(path, ctx.baseDir, resolvedOutDir, resolvedConfig);
+  const finalConfig = yield* _(resolveFinalAgentConfig(resolvedConfig));
+  const { globalConfig, projectConfig } = buildProjectConfigs(path, ctx.baseDir, resolvedOutDir, finalConfig);
   yield* _(migrateProjectOrchLayout(ctx.baseDir, globalConfig, ctx.resolveRootPath));
   const createdFiles = yield* _(
     prepareProjectFiles(resolvedOutDir, ctx.baseDir, globalConfig, projectConfig, {
@@ -6062,8 +6194,8 @@ const runCreateProject = (path, command) => Effect.gen(function* (_) {
     })
   );
   yield* _(logCreatedProject(resolvedOutDir, createdFiles));
-  const hasAgent = resolvedConfig.agentMode !== void 0;
-  const waitForAgent = hasAgent && (resolvedConfig.agentAuto ?? false);
+  const hasAgent = finalConfig.agentMode !== void 0;
+  const waitForAgent = hasAgent && (finalConfig.agentAuto ?? false);
   yield* _(
     runDockerUpIfNeeded(resolvedOutDir, projectConfig, {
       runUp: command.runUp,
@@ -6076,10 +6208,7 @@ const runCreateProject = (path, command) => Effect.gen(function* (_) {
   if (command.runUp) {
     yield* _(logDockerAccessInfo(resolvedOutDir, projectConfig));
   }
-  if (waitForAgent) {
-    yield* _(Effect.log("Agent finished. Cleaning up container..."));
-    yield* _(runDockerDownCleanup(resolvedOutDir));
-  }
+  yield* _(maybeCleanupAfterAgent(waitForAgent, resolvedOutDir));
   yield* _(autoSyncState(`chore(state): update ${formatStateSyncLabel(projectConfig.repoUrl)}`));
   yield* _(maybeOpenSsh(command, hasAgent, waitForAgent, projectConfig));
 }).pipe(Effect.asVoid);
@@ -7734,7 +7863,8 @@ const valueOptionSpecs = [
   { flag: "-m", key: "message" },
   { flag: "--out-dir", key: "outDir" },
   { flag: "--project-dir", key: "projectDir" },
-  { flag: "--lines", key: "lines" }
+  { flag: "--lines", key: "lines" },
+  { flag: "--auto", key: "agentAutoMode" }
 ];
 const valueOptionSpecByFlag = new Map(
   valueOptionSpecs.map((spec) => [spec.flag, spec])
@@ -7752,9 +7882,7 @@ const booleanFlagUpdaters = {
   "--no-wipe": (raw) => ({ ...raw, wipe: false }),
   "--web": (raw) => ({ ...raw, authWeb: true }),
   "--include-default": (raw) => ({ ...raw, includeDefault: true }),
-  "--claude": (raw) => ({ ...raw, agentClaude: true }),
-  "--codex": (raw) => ({ ...raw, agentCodex: true }),
-  "--auto": (raw) => ({ ...raw, agentAuto: true })
+  "--auto": (raw) => ({ ...raw, agentAutoMode: "auto" })
 };
 const valueFlagUpdaters = {
   repoUrl: (raw, value) => ({ ...raw, repoUrl: value }),
@@ -7784,7 +7912,8 @@ const valueFlagUpdaters = {
   message: (raw, value) => ({ ...raw, message: value }),
   outDir: (raw, value) => ({ ...raw, outDir: value }),
   projectDir: (raw, value) => ({ ...raw, projectDir: value }),
-  lines: (raw, value) => ({ ...raw, lines: value })
+  lines: (raw, value) => ({ ...raw, lines: value }),
+  agentAutoMode: (raw, value) => ({ ...raw, agentAutoMode: value.trim().toLowerCase() })
 };
 const applyCommandBooleanFlag = (raw, token) => {
   const updater = booleanFlagUpdaters[token];
@@ -7807,25 +7936,55 @@ const parseInlineValueToken = (raw, token) => {
   const inlineValue = token.slice(equalIndex + 1);
   return applyCommandValueFlag(raw, flag, inlineValue);
 };
-const parseRawOptionsStep = (args, index, raw) => {
-  const token = args[index] ?? "";
+const legacyAgentFlagError = (token) => {
+  if (token === "--claude") {
+    return {
+      _tag: "InvalidOption",
+      option: token,
+      reason: "use --auto=claude"
+    };
+  }
+  if (token === "--codex") {
+    return {
+      _tag: "InvalidOption",
+      option: token,
+      reason: "use --auto=codex"
+    };
+  }
+  return null;
+};
+const toParseStep = (parsed, nextIndex) => Either.isLeft(parsed) ? { _tag: "error", error: parsed.left } : { _tag: "ok", raw: parsed.right, nextIndex };
+const parseValueOptionStep = (raw, token, value, index) => {
+  if (value === void 0) {
+    return { _tag: "error", error: { _tag: "MissingOptionValue", option: token } };
+  }
+  return toParseStep(applyCommandValueFlag(raw, token, value), index + 2);
+};
+const parseSpecialFlagStep = (raw, token, index) => {
   const inlineApplied = parseInlineValueToken(raw, token);
   if (inlineApplied !== null) {
-    return Either.isLeft(inlineApplied) ? { _tag: "error", error: inlineApplied.left } : { _tag: "ok", raw: inlineApplied.right, nextIndex: index + 1 };
+    return toParseStep(inlineApplied, index + 1);
   }
   const booleanApplied = applyCommandBooleanFlag(raw, token);
   if (booleanApplied !== null) {
     return { _tag: "ok", raw: booleanApplied, nextIndex: index + 1 };
   }
+  const deprecatedAgentFlag = legacyAgentFlagError(token);
+  if (deprecatedAgentFlag !== null) {
+    return { _tag: "error", error: deprecatedAgentFlag };
+  }
+  return null;
+};
+const parseRawOptionsStep = (args, index, raw) => {
+  const token = args[index] ?? "";
+  const specialStep = parseSpecialFlagStep(raw, token, index);
+  if (specialStep !== null) {
+    return specialStep;
+  }
   if (!token.startsWith("-")) {
     return { _tag: "error", error: { _tag: "UnexpectedArgument", value: token } };
   }
-  const value = args[index + 1];
-  if (value === void 0) {
-    return { _tag: "error", error: { _tag: "MissingOptionValue", option: token } };
-  }
-  const nextRaw = applyCommandValueFlag(raw, token, value);
-  return Either.isLeft(nextRaw) ? { _tag: "error", error: nextRaw.left } : { _tag: "ok", raw: nextRaw.right, nextIndex: index + 2 };
+  return parseValueOptionStep(raw, token, args[index + 1], index);
 };
 const parseRawOptions = (args) => {
   let index = 0;
@@ -7975,6 +8134,23 @@ const parseAuth = (args) => {
   const rest = args.slice(2);
   return Either.flatMap(parseRawOptions(rest), (raw) => buildAuthCommand(provider, action, resolveAuthOptions(raw)));
 };
+const resolveAutoAgentFlags = (raw) => {
+  const requested = raw.agentAutoMode;
+  if (requested === void 0) {
+    return Either.right({ agentMode: void 0, agentAuto: false });
+  }
+  if (requested === "auto") {
+    return Either.right({ agentMode: void 0, agentAuto: true });
+  }
+  if (requested === "claude" || requested === "codex") {
+    return Either.right({ agentMode: requested, agentAuto: true });
+  }
+  return Either.left({
+    _tag: "InvalidOption",
+    option: "--auto",
+    reason: "expected one of: claude, codex"
+  });
+};
 const parsePort = (value) => {
   const parsed = Number(value);
   if (!Number.isInteger(parsed)) {
@@ -8100,11 +8276,6 @@ const resolveCreateBehavior = (raw) => ({
   forceEnv: raw.forceEnv ?? false,
   enableMcpPlaywright: raw.enableMcpPlaywright ?? false
 });
-const resolveAgentMode = (raw) => {
-  if (raw.agentClaude) return "claude";
-  if (raw.agentCodex) return "codex";
-  return void 0;
-};
 const buildTemplateConfig = ({
   agentAuto,
   agentMode,
@@ -8155,8 +8326,7 @@ const buildCreateCommand = (raw) => Either.gen(function* (_) {
   const dockerSharedNetworkName = yield* _(
     nonEmpty("--shared-network", raw.dockerSharedNetworkName, defaultTemplateConfig.dockerSharedNetworkName)
   );
-  const agentMode = resolveAgentMode(raw);
-  const agentAuto = raw.agentAuto ?? false;
+  const { agentAuto, agentMode } = yield* _(resolveAutoAgentFlags(raw));
   return {
     _tag: "Create",
     outDir: paths.outDir,
@@ -8480,9 +8650,7 @@ Options:
   --up | --no-up            Run docker compose up after init (default: --up)
   --ssh | --no-ssh          Auto-open SSH after create/clone (default: clone=--ssh, create=--no-ssh)
   --mcp-playwright | --no-mcp-playwright  Enable Playwright MCP + Chromium sidecar (default: --no-mcp-playwright)
-  --claude                  Start Claude Code agent inside container after clone
-  --codex                   Start Codex agent inside container after clone
-  --auto                    Auto-execute: agent completes the task, creates PR and pushes (requires --claude or --codex)
+  --auto[=claude|codex]     Auto-execute an agent; without value picks by auth, random if both are available
   --force                   Overwrite existing files and wipe compose volumes (docker compose down -v)
   --force-env               Reset project env defaults only (keep workspace volume/data)
   -h, --help                Show this help